The hacker wormed his way through an obvious hole left open by my lack of attention. Yes, it hurts to say it but I was negligent.
From there he set up a sophisticated program that used my server to mail out thousands of spam emails. Since I normally email thousands of emails a day, his Viagra promoting emails went undiscovered.
This is where it gets diabolical.
The poor folks who received those emails clicked on links that drove them back to Pushing Social. No, I’m not selling illicit pharmaceuticals. But, Pushing Social had become a zombie host for over 20 WordPress blogs pumping this garbage.
I was totally unaware that Pushing Social had become a cog in a vast botnet meticulously constructed by criminals and misfits.
Getting to the Bottom Of It…
On April 12th, I received the first warning sign. Pushing Social went down. I use Chartbeat to watch Pushing Social’s traffic and alert me when the blog is offline.
I did all of my normal tricks. Restart my database server, reboot the server, and pray. It worked for 10 minutes, and then my baby coughed, stumbled and went offline again.
No problem…I sent a support ticket to my (ex)host.
I explained the problem and soon received a response that the smart kids were on the job.
Two hours later they sent me an email that everything was fixed. Ten minutes later, the blog went down again. Another irate help ticket winged its way to Texas. Another hour later, I received a totally unhelpful note that I had been “exploited”.
Folks, that is exactly how I felt.
During the time I waited for tech support to get to the bottom of the problem, I was able to figure out what the hacker had done. I saw the extent of his mischief and tried to fix the problem myself.
I erased files that were critical to WordPress. I inadvertently changed something called a “nameserver” that tricked Aweber into resetting my RSS Feed. Confused, Aweber sent out five emails to each of my 3000+ subscribers.
Within 10 minutes, I lost over 150 subscribers. Some took the opportunity to send me a nasty note. That sucked but I’m a big boy.
Quick aside: I consider Brian Clark to be Pushing Social’s Godfather. He’s always been there to give me help, a mention, or advice whenever I needed it. On Friday, I realized that I should have listened to the Don eight months ago.
I immediately went to Synthesis, took out the credit card, and did the right thing.
Within 15 minutes, they made me feel like a million bucks. Pushing Social was quarantined, cleaned, and shifted to their managed hosting service in about 12 hours (not bad since it was the weekend!).
Unlike my old host, Web Synthesis is a managed hosting service dedicated to WordPress.
Managed Hosting means that they take care of protecting my site from hackers and….myself. They close security holes. They tweak settings to turn your blog into a speed demon. Before shifting to Synthesis, Pushing Social loaded a page in 12 seconds. Now it serves the goods in under 3 seconds.
Happily Ever After?
On Monday, I got a weird error that indicated that Pushing Social was DOWN! I freaked.
I sent a note to my new “brothers from another mother.”
Cody at Synthesis told me that Pushing Social’s checkered past was coming back to haunt me. Remember all those spam emails that were sent out? Well, it seems that folks were still trying to visit the site, momentarily swamping the servers.
No problem though. Cody’s team blocked the bad traffic and I was back on my feet in no time. (Cody’s getting a Tupperware dish of my famous collard greens – shh… don’t tell him)
Those are the gory details. Here’s how to avoid this nightmare for yourself.
1. Get a Real WordPress Host. All hosts aren’t created equal. WordPress-dedicated hosts understand how to optimize their servers for WordPress blogs. They also know all the bad tricks the hackers love to play. My ex-host didn’t have a clue about WordPress and didn’t know how to help me. Save yourself the pain and host your blog with a WordPress-dedicated host like Web Synthesis.
2. Be Careful with WordPress Code. There are a million and one ways to leave the door unlocked with WordPress. I love to tinker and mistakenly left myself vulnerable for exploitation. If you aren’t absolutely confident in your technical savvy then leave WordPress’s “code” alone.
3. 777 is Never Ok. Each of the files on your server has permission rights attached to it. 644 means that the file is off-limits to everyone. 777 means that the door is left wide open. There should never be an occasion where you should leave a directory or file with 777 rights. I did and you see what happened. (By the way, if you have no clue about what I just said then don’t touch your WordPress files without help)
4. Be Careful With Plugins. “Hi I’m Stan and I’m a plugin addict”. I rarely meet a plugin I don’t love. Although plugins didn’t lead me to getting hacked, all the little tweaks I made to the “code” to make some of them work left me open to mischief.
5. Get Help Immediately. Like a Nigerian Scam victim, I was embarrassed about my hacking problem. I thought I could fix it myself with a little help from my old host. All I did was extend my suffering. If you detect a problem with your host then get professional help immediately. If you are using a host like Web Synthesis, they can nail down the problem immediately. If you suspect that you’ve been hacked, consider getting a security scan from a blog security and decontamination expert like Sucuri.
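The permission check from item 3, as an added example that is not part of the original post: it lists every file or directory under a WordPress root that has the world-write bit set (as 777 does) and resets the tree to the common 755/644 baseline, where 644 means read/write for the owner and read-only for everyone else. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit and repair world-writable permissions in a WordPress tree.

# List every file or directory that any local user can write to
# (the "other" write bit, which 777 and 666 both set). Symlinks are
# skipped because their own mode bits are not meaningful.
audit_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to a common baseline: 755 for directories, 644 for files.
#   644 = owner read/write, group and others read-only
#   755 = the same, plus the execute bit needed to enter a directory
# Assumption: ownership is already correct, i.e. the account that must
# write to uploads owns it, so nothing needs to be world-writable.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree standing in for a WordPress install (not a real site).
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/tweaked"
    echo '<?php // config' > "$root/wp-config.php"
    echo '<?php // plugin' > "$root/wp-content/plugins/tweaked/plugin.php"
    echo 'img' > "$root/wp-content/uploads/photo.jpg"
    # Reproduce the mistake from item 3: a directory and a PHP file left at 777.
    chmod 777 "$root/wp-content/uploads" "$root/wp-content/plugins/tweaked/plugin.php"
    echo "$root"
}

demo() {
    tree=$(make_sample_tree)
    echo "before: $(count_world_writable "$tree") world-writable entries"
    audit_world_writable "$tree"
    harden_perms "$tree"
    echo "after:  $(count_world_writable "$tree") world-writable entries"
    rm -rf "$tree"
}
demo
```

On a real install, run `audit_world_writable` against the site root first and review the list before calling `harden_perms`, since some hosts need different modes for specific paths.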
One More Thing…
I sent a love note to my subscribers yesterday. They put up with some irritating stuff last week. I discovered that a sincere apology goes a long way. Your readers will be patient too if you are straight with them. Hopefully you never experience the drama I went through last week. But if you do, keep your readers in the loop.
A WordPress Blog Hacking Nightmare - The Gory Details... by Stan