Twas the day before Christmas – and all through the house – all was not quiet – my websites were hacked and malware hidden throughout.
The first I learned of this was an email from Google that they had detected malware on one of my sites, and emails about my other websites followed.
As this image is a screenshot, you won’t be able to click on those links, but if you’d like to visit the Google resources for hacked sites link, it’s very helpful.
These are the sites I had at the time:
- Dutch Australian
- Culture and Kids
- Professional Parents
- Zestee Social Media School
- Zestee Photography (now deleted)
- Zestee Social Media (this website)
Here are six things I learned from having my websites hacked.
1. Your website is a valuable asset
I built each one of my websites from scratch myself in WordPress. Sure, I knew they were important but I didn’t realise quite how much they meant to me until they were compromised. Countless hours of love and learning have gone into layout and content, not to mention being a professional portfolio. Thankfully at the time, I wasn’t looking for new clients and didn’t have any active students on the Zestee Social Media School site so I guess it wasn’t bad timing – but still incredibly annoying! Also it was good that I didn’t “lose” any of the content on my sites – however they hid malware throughout and deleting this can be like finding a needle in a haystack. But I needed that needle!
2. It can happen to anyone
I’m a social media trainer, who teaches e-business. In one way, it’s actually embarrassing that this could happen to me. After all, I have written posts like this about the Zestee Social Media School Website Pyramid where I talk about making sure you back up and consider internet security. I also work exclusively with WordPress.org and know that this can be subject to attention from hackers. I guess this is also statistically expected as WordPress increases its market share of websites. Self-hosted WordPress.org sites are much more likely to get hacked than WordPress.com. However it’s not just WordPress – any site can potentially be hacked. The internet is becoming more innovative daily. So are hackers. It seems they are targeting small business owners now who may have a decent amount of traffic to their site, but not necessarily the understanding or budget to make life harder for hackers.
3. Basic security may not be enough
Why would anyone bother hacking my site, I wondered (and you may too)? I’m a small business and several of those sites are personal hobbies. I was under the impression that having a password, running backups and installing updates regularly was enough. It’s not. Another misunderstanding I had was that if I got hacked, my sites would just go offline and I would run a backup to restore. Not the case. My sites looked “normal” to those who didn’t have internet security installed, but to anyone with a Mac or a PC with a sufficient level of security, they were blocked immediately when the malware was flagged by Google. Basically, hackers install malware on any site they can crack for several reasons, including trying to access data from those who visit your website. This video gives a good explanation.
4. Hacking costs you time and money
I thought that my host, Hostgator, was responsible for protecting sites from hacking. Or at least if I were hacked, they would assist me within a day or two to fix this. Not true. I contacted them several times and after many WEEKS of limited assistance, I finally understood that my basic hosting package just didn’t cover this situation. To be fair, it was a cheap package (around USD$20 per month), and there were options to upgrade to clean each site (for about USD$60 per site). However even with this upgrade option, I didn’t feel confident with what I had to do and wasn’t sure whether paying would actually fix the problem. So I decided to pay a company here where I live in The Hague to find and delete the malware and then move all the websites over to their more secure hosting. This cost me a bit less than 1000 euros. I was lucky as this is a friend’s business, and they don’t usually do this for sites they didn’t build themselves. It was actually a good price considering this includes many hours’ work for them to clean up my sites, and hosting for the next year. That doesn’t include the 20+ hours it took me personally to evaluate the situation and take some steps myself to resolve.
5. Keep things simple
These days, it’s cheap and easy to build a website. I enjoy doing it for fun and to develop my skills, hence six different websites. I love WordPress and the process of web design and blogging is something I enjoy doing in my spare time. However when you’re hacked, and as per the point above, you need to spend a significant amount of time and money on recovery. Suddenly, my hobby got expensive. I immediately decided to delete the Zestee Photography site, which I had spent limited time on and was less important to me. I am in the process of merging this main Zestee.com site with the Zestee Social Media School site. I’m likely to shift Professional Parents, which is more a personal blog now, back to a free WordPress.com site. This means less functionality and layout options but they take care of the security, backups and hosting. For my Dutch Australian and Culture and Kids websites, I am keeping these as self-hosted WordPress.org sites as I want control over the layout. I’ll just continue to build these when I have the time. The entire experience of being hacked though made me reevaluate the way I approach my websites and try to keep things simple.
6. Learn from and share your experiences
One of the many reasons I’m passionate about the internet and social media is how easy it is for us to all learn from each other’s experiences. I’m writing this blog post as a summary of some of the things I’ve learned from this nasty occurrence. In turn, I have learnt a lot from others’ blog posts.
I hope you’re never hacked. However it seems to be a way of life in this online world. So if you own a website, or are considering building one, here’s a couple of things to keep in mind. I only use WordPress so these are WordPress focussed.
- Do you really need a self-hosted website (for example, WordPress.org) or is an option like WordPress.com enough, where there is less flexibility but they hold more responsibility for security?
- Though websites are cheap and easy to build, after you put all that time and content into them, they become much more valuable, and may incur additional unexpected costs.
- Don’t just trust your hosting service to protect you from hacking. If you are hacked, let them know immediately... they may be able to help, they may not.
- Set up an account at Google Webmaster Tools. Though it was Google that was the “bearer of bad news” to tell me that my sites were hacked, and they also blacklisted them, it was due to their vigilance that I was able to detect the problem. I also was able to use their robust system to learn more about solving this and get the “green light” again, knowing they were clean of malware.
- If you use WordPress, make sure you run updates regularly – I was on holidays in Australia when I was hacked and not running an update for a couple of weeks may have had an influence.
- Monitor and delete any old plug-ins on your site – it seems the hackers may have gained access via one of my plug-ins, which was initially perfectly fine but was sold to those with these evil intentions.
- Install plugins such as BruteProtect and Wordfence Security on self-hosted WordPress sites. These free plugins can make a big difference!
I hope that’s been helpful and will perhaps help prevent you going through the same experience! Have you ever been hacked?