One of my sites got hacked, and it's my own fault

Summary: No web site can be stuck in time, even if the content is. The server software and security systems supporting a web site must be constantly updated to prevent incursion and corruption.


It started with a text message from my wife: "ZATZ site hijacked by nasty porn." This is not exactly the message you want to get at 6pm on July 3rd. I had been planning on beginning my holiday weekend with a prolonged sittin'-on-the-couch-watchin'-TV night, but that was not to be.

Instead I'd be doing porn removal, which took until about 2am.

Image courtesy scammers. Image sanitized for your protection.

The thing is, I know better. In fact, sometime in the middle of 2013, I made a decision that led directly to my couchless July 3rd. I pretty much knew it would reach out and bite me, and it did.

Here's what happened. In today's world, all web sites are moving targets. It's always an arms race between website operators and the spammers and scammers out there who want to use them for anything from malware distribution to automated referrals to porn sites.

Because it's an arms race, it's up to the website operators to constantly update their sites, update the server software running on their sites, and update their protection systems. Failure to do all of these leaves the chance that bad guys will find a loophole, and tunnel their way in.

That's what they did on my site. What happened is they embedded a redirect message into just the mobile version of the site. As a result, if I visited the site via my desktop browser, everything looked fine. But if you visited the site via a mobile browser (as my wife did on Thursday while at Sam's Club, when she was updating our business membership), you'd find that criminals had gotten into the site's code and replaced it with a redirect to the porn site.
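The attack described above hides from the site owner because the redirect is only served to mobile browsers. The check below, an added example rather than code from the original article, fetches the same URL once with a desktop User-Agent and once with a mobile one and compares what comes back: differing final hosts after HTTP redirects, plus meta-refresh and JavaScript redirects pointing off-site. The host name `zatz.example`, the sample HTML bodies and the User-Agent strings are constructed for the example; it relies only on the Python standard library.

```python
"""Detect a user-agent-conditional redirect: desktop visitors see the normal page,
mobile visitors get bounced elsewhere. Added example, not the article's own code.
All hosts and HTML bodies below are constructed sample data."""
import re
import sys
import urllib.request
from urllib.parse import urlparse

# Representative browser identifiers (constructed; any realistic strings work).
DESKTOP_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/124.0 Safari/537.36")
MOBILE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")

# Three common ways an injected page sends the visitor somewhere else.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=["\']?([^"\'\s>]+)', re.I)
JS_ASSIGN = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
JS_CALL = re.compile(r'location\.(?:replace|assign)\(\s*["\']([^"\']+)["\']', re.I)


def find_redirect_targets(html):
    """Return every redirect destination found in the HTML body."""
    targets = []
    for pattern in (META_REFRESH, JS_ASSIGN, JS_CALL):
        targets.extend(pattern.findall(html))
    return targets


def offsite_redirects(html, site_host):
    """Keep only redirect targets that leave the site's own host.
    A same-host redirect (for example to a /m/ path) is normal and is not reported."""
    return [t for t in find_redirect_targets(html)
            if urlparse(t).hostname and urlparse(t).hostname.lower() != site_host.lower()]


def fetch(url, user_agent):
    """Fetch url with the given User-Agent; return (final_url, body).
    HTTP-level redirects are followed, so final_url exposes a server-side bounce."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", errors="replace")


def compare_variants(site_host, desktop, mobile):
    """desktop and mobile are (final_url, body) pairs for the same URL.
    Flags the case where only the mobile variant ends up off-site."""
    d_url, d_body = desktop
    m_url, m_body = mobile
    findings = {
        "http_redirect_differs": urlparse(d_url).hostname != urlparse(m_url).hostname,
        "desktop_offsite": offsite_redirects(d_body, site_host),
        "mobile_offsite": offsite_redirects(m_body, site_host),
    }
    findings["mobile_only_redirect"] = (
        (bool(findings["mobile_offsite"]) and not findings["desktop_offsite"])
        or (findings["http_redirect_differs"] and urlparse(d_url).hostname == site_host)
    )
    return findings


def check_site(url):
    """Live check: fetch url as desktop and as mobile, then compare."""
    host = urlparse(url).hostname
    return compare_variants(host, fetch(url, DESKTOP_UA), fetch(url, MOBILE_UA))


# Constructed sample responses standing in for what the two fetches would return.
SITE_HOST = "zatz.example"
CLEAN_PAGE = "<html><head><title>ZATZ archive</title></head><body><h1>Articles</h1></body></html>"
MOBILE_INJECTED_PAGE = (
    '<html><head><title>ZATZ archive</title>'
    '<meta http-equiv="refresh" content="0;url=http://bad.example/landing">'
    '</head><body><h1>Articles</h1></body></html>')
SAME_HOST_REDIRECT_PAGE = (
    '<html><head><script>window.location.href = "http://zatz.example/m/";</script></head></html>')

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_site(sys.argv[1]))
    else:
        print(compare_variants(SITE_HOST, ("http://zatz.example/", CLEAN_PAGE),
                               ("http://zatz.example/", MOBILE_INJECTED_PAGE)))
```

Run it with a URL argument to test a live site, or without arguments to see the constructed mobile-only case flagged. Comparing the two fetches side by side is what catches server-side User-Agent sniffing in a theme or plugin file; a single desktop visit, which is how the author checked, cannot.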

This was fully preventable.

And yes, I understand the irony of a cybersecurity expert getting hacked. It's like the old story of the barber who never cuts his own hair. While I would never advise anyone to leave a site untouched, there is one difference between Mr. Highfalutin Cyberwarfare Advisor being hacked and a regular website operator: I do know how to fix it. That said, mitigation sucks, especially when it gets in the way of a planned night off.

Here's how we got to this point. The ZATZ site is no longer actively updated. It was a highly visited site back in the day, but since I've moved on with my career from entrepreneur to advisor, columnist, and educator, the thousands of ZATZ articles are really now just an archive. We don't get any advertising income (although some old ads are still running on the site), and I rarely spend any time there.

It is a WordPress site. A few years ago, I moved it from UserLand Frontier to WordPress, specifically because of the high level of support available in the WordPress world. There is one disadvantage of WordPress though: given that a huge number of sites run WordPress, it's also a very visible target for hackers.

There are a wide variety of ways to harden a WordPress site, including using any of the many security plugins available. The ZATZ site was hardened, and it did use the security plugins.

So where did I go wrong, and why was it my fault?

While there are many things you should do to keep a WordPress site from being hacked, there is one golden rule (and it's the one I violated): always keep WordPress up to date. This includes updating the WordPress core, any themes you use, and any plugins.
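One way to turn the golden rule into a routine check is to script it around WP-CLI, the command-line tool for WordPress. The audit below is an added example, not the author's code and not part of WordPress or WP-CLI; it assumes `wp` is installed and pointed at the site's document root. The commands `wp core check-update`, `wp plugin list`, `wp theme list`, `wp core verify-checksums` and `wp plugin verify-checksums --all` are real WP-CLI commands and the JSON field names are theirs; the function names `wp_json`, `triage`, `verify_integrity` and `audit`, and the sample plugin and theme lists, are constructed for the example. It goes one step past the post by also listing deactivated plugins and themes, since their files stay on disk and reachable until deleted.

```python
"""Audit a WordPress install for the three things the golden rule names:
core, themes and plugins that are behind. Added example; assumes WP-CLI (`wp`)
is installed. Sample lists below are constructed in WP-CLI's JSON output shape."""
import json
import subprocess


def wp_json(args, path=None):
    """Run a WP-CLI command with --format=json and return the parsed list.
    A command with nothing to report may print a plain 'Success:' line; treat that as empty."""
    cmd = ["wp", *args, "--format=json"]
    if path:
        cmd.append(f"--path={path}")
    out = subprocess.run(cmd, capture_output=True, text=True).stdout.strip()
    try:
        return json.loads(out) if out else []
    except json.JSONDecodeError:
        return []


def triage(plugins, themes, core_updates):
    """Summarise what needs attention from plugin/theme lists and core update info."""
    def behind(items):
        return [(i["name"], i.get("version", ""), i.get("update_version", ""))
                for i in items if i.get("update") == "available"]

    def inactive(items):
        # Deactivated code is still on disk and still reachable; delete what you don't use.
        return [i["name"] for i in items if i.get("status") == "inactive"]

    report = {
        "core_update_available": bool(core_updates),
        "outdated_plugins": behind(plugins),
        "outdated_themes": behind(themes),
        "inactive_plugins": inactive(plugins),
        "inactive_themes": inactive(themes),
    }
    report["action_required"] = bool(
        report["core_update_available"] or report["outdated_plugins"] or report["outdated_themes"])
    return report


def verify_integrity(path=None):
    """Compare core and plugin files against WordPress.org checksums.
    Files that no longer match are where injected code tends to show up."""
    results = {}
    for label, args in (("core", ["core", "verify-checksums"]),
                        ("plugins", ["plugin", "verify-checksums", "--all"])):
        cmd = ["wp", *args] + ([f"--path={path}"] if path else [])
        results[label] = subprocess.run(cmd, capture_output=True, text=True).returncode == 0
    return results


def audit(path=None):
    """Live audit of a real install via WP-CLI."""
    return triage(wp_json(["plugin", "list"], path),
                  wp_json(["theme", "list"], path),
                  wp_json(["core", "check-update"], path))


# Constructed sample data (not from the ZATZ site) in WP-CLI's JSON output shape.
SAMPLE_PLUGINS = [
    {"name": "example-spam-filter", "status": "active", "update": "none",
     "version": "3.0.0", "update_version": ""},
    {"name": "example-contact-form", "status": "active", "update": "available",
     "version": "1.2", "update_version": "1.4"},
    {"name": "example-old-gallery", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "1.1"},
]
SAMPLE_THEMES = [
    {"name": "example-theme", "status": "active", "update": "available",
     "version": "1.0", "update_version": "1.1"},
    {"name": "example-spare-theme", "status": "inactive", "update": "none",
     "version": "1.4", "update_version": ""},
]
SAMPLE_CORE_UPDATES = [{"version": "X.Y.Z", "update_type": "minor", "package_url": "<placeholder>"}]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PLUGINS, SAMPLE_THEMES, SAMPLE_CORE_UPDATES), indent=2))
```

Run from cron against each site and alert on `action_required`, and the "stuck in time, two revisions behind" state the post describes becomes visible within a day instead of after a hijack. `verify_integrity` is the other half: an up-to-date site whose core or plugin files fail the checksum comparison has had something changed on disk and needs a look regardless of version numbers.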

I didn't do this. Around August of last year, I made a ruthless prioritization decision: leave the websites alone and work on other stuff. I sometimes have to be ruthless about how I prioritize my time, and this was a big one. I knew there was a chance of hacking, but I just didn't want to spend a weekend every few months fiddling with the site. I had an overwhelming amount of other things going on, and this just wasn't as important.

So I let the site sit.

Updating it would have required installing a new version of WordPress and paying about $800 for updated themes and plugins. Not only did I decide to make website management a lower priority (after all, this was no longer an income-producing site), but I also didn't want to spend much more money on it.

Time went on. The WordPress developers and the various plugin and theme developers updated their offerings, often finding and fixing security holes along the way. My site sat stuck in time, two revisions behind, so it still had those holes.

And so, that led to my Thursday night, where I had planned to binge watch Netflix, and instead spent the night calling in the Marines and updating my website.

Thankfully, because WordPress is so popular, there is a tremendous aftermarket of resources for it, including hack-mitigation services. I'm very familiar with some of them, having met many of the developers at WordCamp. It would take a whole lot more time for me to find the hacks and remove them than to bring in one of these services.

I chose Sucuri because the company offers a free malware scanner (which I'd advise you to run on your sites right now), as well as a 24/7 monitoring and hack mitigation service. For one site, they charge $89, but for up to five sites, they charge $189. I figured that since I had other sites as well, I might as well spring for the five site service and have them check the other sites.

Within about two hours, they found and removed the offending malware, but they were quite insistent on the one thing I'd known all along: it was time to update the site.

So that's what I've been doing, on and off, for most of the weekend. I got the ZATZ site updated by 2am on Thursday, and in-between celebratory picnics, too much smoked duck, and other fixin's, I've been fixin' my sites. I've gone down the list and updated each of the sites, so they're now all robust and up-to-date.

Most — all but the most trivial — are monitored constantly by Sucuri for breaches. I'm also considering using something like InfiniteWP, ManageWP, or MainWP to provide a centralized management console for all my sites.

I got out of this hack pretty easily. Even so, being hacked is no fun, I didn't expect to spend nearly a grand in updates and services this weekend, and I never did get to binge-watch Netflix.

The most important takeaway, however, is this. No website can be stuck in time, even if the content is. The server software and security systems supporting the site must be constantly updated to prevent incursion and corruption. That sucks, but that's the world we live in.

What do you use to harden your WordPress sites? Let me know in the TalkBack below.

By the way, I'm doing more updates on Twitter and Facebook than ever before. Be sure to follow me on Twitter at @DavidGewirtz and on Facebook at Facebook.com/DavidGewirtz.

Topics: Security, Mobility, SMBs, DIY, Web development

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.


Talkback

21 comments
  • So you're self-hosting WordPress?

    I specifically decided not to do that because of potential problems like this. Let WordPress.com keep their software up to date.
    larry@...
    • Plugins

      WordPress.com won't run custom plugins. In order to post over the old markup, custom plugins were required. Watch the video at http://youtu.be/Y9iVpGBUPYs to get an idea of the scope of that migration.
      David Gewirtz
  • Why not take it down?

    If it's not generating revenue and costing you time and money it seems the reasonable thing to do is take it offline.
    ye
  • 70K+ articles

    We have a library of 70K+ articles, many of which were written by about 300 different authors. Back when I started the sites, I promised I'd keep that content up, and I still intend to do so. It's a cache of precious content about the early days of mobile computing, along with more than a decade of Lotus Notes-related content. Didn't want to bring that treasury down, just because it's not my top priority anymore.
    David Gewirtz
    • That's altruistic of you.

      But at a cost of $1K I'd have to reconsider my commitment to making this content available. At least in its present form. Perhaps you could evaluate archiving it into another format and making it available in another means which doesn't require the same level of resources. Or hand it off to someone else who has the time.
      ye
    • Good on you David!

      It's always good to see people preserving history and information.

      Around a year ago I had the very surreal experience of receiving an email from a former colleague who had attended a talk on cloud deployment and been shown a web guide I had written for Red Hat remote installation more than 12 years earlier. He had recognised my handle as it was basically the same as one I use nowadays and got in touch.

      The person giving the talk was tracking the changing face of business deployments in the 'age of the cloud' and had googled up a bunch of former 'best practices'

      We hit google ourselves and found an old discussion site had been archived - it was like finding a time capsule in your garden.
      MarknWill
  • Wordpress security plugins

    With so many sites running on WordPress, I hope people realize how important it is to keep their software up to date. One way to help bolster security is by using a 2FA plugin. Toopher and Duo both have free WordPress plugins, both out-of-band and easier to use than one-time passcode generators.
    alexaleigh
  • Two common Web application attacks illustrate security concerns

    Interesting article, companies are having a harder time protecting themselves from the risks of data breaches. Companies need to utilize firewalls and private networks to secure sensitive information. I work with McGladrey and there's a whitepaper on our website that offers useful information on the common security concerns for businesses and ways to mitigate them. @ http://mcgladrey.com/content/mcgladrey/en_US/what-we-do/services/risk-advisory/risk-bulletin/two-common-web-application-attacks-illustrate-security-concerns.html?cmpid=030syn
    jamescage27
    • Plugging in the comments?

      C'mon dude, spare us the sales pitches. These not-so-subtle posts in the comments of ZDNet articles are getting lame.
      ejhonda
  • WordPress

    It's a painful reminder of the issues we tech people face in an era of our company leadership plucking convenience over security or the overall big picture. WordPress is not your friend; it's a fad. People don't get this until they're hacked and even then many are still too stubborn to move away from it.

    As for letting your public-facing software stagnate: shame on you. The lax nature does more than harm -you-. It is the very foundation that supports what hacks all of us. Malware can't spread very far if malware can't be hosted. This same thought includes shaming people with infected computers who are connected to the Internet. Their infested trash hosts stuff that harms us all.

    As for an archive, sure, keep the content available, but why not drop it into a different format that's more portable? Push it out to a zip or ISO if it's that long-term of an archive. PDFs make individual articles static. Pack it into a Flash, Unity, or other container that keeps the archive looking the same while being an easily portable format. Those formats would also let you distribute physical media too if desired. Or... if it's really a forever archive, push it out to Archive.org. Your stuff. Their problem.
    ct2193@...
  • Another thought...

    I'm not an expert in site security, or even an expert as a webmaster - so I try to make sure I've got a backup available in the event I get hacked (or do something stupid). It's incredibly easy to blow off all the files using cPanel, then reload the backup - especially for an inactive site.

    Fifteen or twenty minutes tops, and I'd be deep in a Netflix induced couch potato coma.

    Dennis
    mcneelyd@...
    • However

      You have not fixed the problem, you have applied a Band-Aid but the underlying wound is still festering waiting to be exploited again and again and again.
      schultzycom
      • Not an expert, but...

        Hey schultzycom - thanks for pointing out the missing bit of my response; my status as an amateur is showing :-)

        I should have added a bit about updating the core files, the theme, and the plugins before calling the restoration complete. I might press my twenty-minute deadline a bit, but I think I could get it done and hit the couch before the final buzzer. For all its limitations, WordPress does make updating relatively simple.

        The bottom line though... backup your sites; it could well save your bacon down the road.

        Dennis
        mcneelyd@...
  • Static file caching, maybe?

    As you commented this site is more like an archive right now, you can create a static cache copy of this site and make it available over the web.

    For hardening WordPress, besides the Codex article (http://codex.wordpress.org/Hardening_WordPress), I usually avoid installing third-party themes and plugins, check the web hosting provider (or the configuration for a virtual machine), and have backups created frequently (yes, it's not hardening, but better safe than sorry).
    PotterSys
  • Why not simplify?

    If the site is nothing more than an archive of articles, why not remove all of the cruft and just keep the articles? Maybe you can create pages for the articles and use a simple website builder to create pages to serve the articles. You can add a Google search to search the site. Why make it more complicated than you need to?
    sbarman
  • I don't think David was looking for another project...

    Some suggestions include actual work to reformat his old web site. I think David was hoping to leave it as-is, without investing time for extensive maintenance. He (as we all do) hoped that malware or hacks would leave him alone, but he got burned (and is kind enough to share his story!). By keeping updated, hopefully he will avoid the most egregious problems.
    randysmith@...
  • WordPress is kind of a hacker's goldmine

    I have had WP sites hacked and I kind of rue the day I switched over. I kept some other older informative sites to pure static HTML (primitive but effective) and they have never ever been hacked. Most problems I had came from WP plugins that allow any kind of user interaction with the site. For instance, I simply disabled all commenting functionality and that has helped quite a bit. Unfortunately comments are pretty important to a lot of sites.

    It would also be nice if WP didn't do so many updates requiring the site maintainer to install. They recently have been doing minor point security updates that install automatically. At first I was kind of aghast, but considering the hands off security improvement I now think it's a good idea. If I only had to update WP manually once a year or so then I would not mind so much. But at this point it's more like every 3-4 months.
    ArtInvent
  • WordPress Hacks

    Two years ago, there were multiple WordPress hacks in W3 Total Cache and some other plugins. Wireless and Mobile News was injected with pages such as buy cheap iPhone 5 and other sales pages. I didn't find out about it until Google Webmaster Tools banned the site. My Webhost deleted most of them for me. I took over the Buy Cheap iPhone 5 page and made it better and it received many hits for a while. It's not just update WordPress but update plugins.

    I also use Anti-Malware by ELI (Get Off Malicious Scripts) which found some bad scripts and removed them.
    Wimoed
  • website hacked

    When people mention the word "hack", I think of getting one's user name and password with spy software like Micro Keylogger, which is used for parental control or other legitimate uses, such as checking whether kids or employees behave well online.

    One more scene I can imagine is that some hackers do that to show off their skills or express their anger.
    However, this is the first time I've heard about "hacking is for crass robbery"!
    It's too radical! Also, Domino should be punished, since they didn't protect customer privacy well. If they refuse to pay the ransom or take other useful measures to keep the information secure, I think customers will be very disappointed.
    puddkle
  • I started using one of the services you mentioned and never looked back

    Hi, David

    I couldn't relate more to this decision, or the feeling behind it: "leave the websites alone and work on other stuff. I sometimes have to be ruthless about how I prioritize my time, and this was a big one. I knew there was a chance of hacking, but I just didn't want to spend a weekend every few months fiddling with the site."

    I was operating a network of 50+ blogs and having to be constantly on top of upgrades, deleting spam, doing backups etc. was taking hours and hours of my days.

    So I tried ManageWP (they were still in beta at that time, several years ago), and I have never looked back. I can now upgrade and clean my sites with a couple of clicks, and I have set up scheduled backups for an extra layer of protection.

    I haven't tried InfiniteWP or MainWP so I can't say anything about them, but I can tell you I'm extremely happy with ManageWP.
    MikelPerez