After re-branding both my websites, my blogging life seemed to be running smoothly. That is, until FineArtTips.com got hacked – again!
*I’ve written this to educate those of you who are interested in blogging and using WordPress. Maybe my tips will help prevent a malicious hack like I have endured. You might also enjoy this educational post, Just Say Not To Hackers.
I was first hacked in August 2011, and my two WordPress blogs were down for nearly 3 weeks! I lost blog posts, tons of traffic, and my Google ranking fell. It took at least 6 months to regain my blogging momentum.
But, this hack was different. My blog was the only one on the virtual dedicated server that was hacked! Why? Lucky me, why couldn’t I win the lottery instead?
Rest assured, hackers don’t generally go after individual bloggers. Most often they target web hosts who have weak spots within their system. These vulnerabilities allow hackers to deface multiple sites, even hundreds at a time. In 2011, this is exactly what happened to my web host’s server – we were all hacked.
However, this time I was specifically targeted.
Here’s how it happened…
One evening, I tried logging into my admin page. Everything looked normal, but after numerous failed attempts, my blog wouldn’t accept my password. Reluctantly, I decided to change my password. This worked, and I was able to access my blog. However, when I visited my blog the next morning, a blue screen welcomed me with demonic music saying, “You’ve been hacked!”
The first step…
I immediately called my web host/developer who then took down my blog for repair. After that, I had terrible customer support and service. It was very stressful and disheartening. Once again, this immediately hurt my traffic and Google ranking. I was very unhappy with my webmaster and his hosting company which used GoDaddy.
My Twitter friends and readers were very supportive of me during this time. I received phone calls, emails and tweets with offers to help.
My good Twitter friend, Todd McPhetridge (a talented photographer and a popular guest post contributor) was especially helpful as he spent many hours coaching me through the ordeal. Todd encouraged me to get all my passwords so I could begin to migrate my blogs to a new hosting company.
Finally, I was able to get the phone number and passwords to speak directly with secureserver.net support. Now, I was able to get some answers.
The hosting company had backups, and they rolled my site back to the date before the hack. The security team also ‘scrubbed’ my site and determined the hacker most likely used the WP Super Cache plugin to gain access.
A week later, FineArtTips.com was back up and running. However, I was getting messages and tweets from my supportive readers. My blog visitors were being prompted by a malware pop-up to ‘download-this’ page.
The security team was concerned that a malicious script was embedded, but disabling and resetting the permalinks quickly fixed the malware.
The next step, time to take control!
Fool me once, shame on you. Fool me twice, shame on me!
After two hacks with the same web host/developer, it was time for me to find a new web developer and migrate my blogs to a new host.
Bluehost.com helped clean up the mess caused by the other hosting site and got my site back up and running smoothly. I recommend BlueHost.com only for small to midsize blogs.
At this point, FineArtTips.com had grown to be 2.5 gigs. We learned that the WassUp plugin had a table that created 1 gig of useless data. But, I was unable to get my PHP password from my previous web developer, so we couldn’t delete the table to shrink my database. (*As of 2018, this blog has grown to be 19 gigs, too large for Bluehost. For more complex blogging, I HIGHLY recommend WordsRack.com.)
*Here’s a note about plugins…
WordPress is versatile and customizable. There are so many plugin goodies, but many are bad for you. Plugins are not candy, they are poison! 😉 Before migrating your blog, ‘lean-out’ your unused plugins and delete them. But, make sure to clear out the plugin data before deleting the plugin. Keep your plugins up-to-date, otherwise they are a security risk.
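The plugin clean-up described in this note can be checked from the command line. The script below is an added example, not part of the original post: it assumes WP-CLI is installed on the host, and the sample plugin names and versions in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit plugins from WP-CLI output.
# On a live site, pipe in the real list:
#   wp plugin list --fields=name,status,update,version --format=csv | audit_plugins

# Reads the CSV on stdin and prints one finding per line:
#   REMOVE <name>  - inactive plugin whose files are still on the server
#   UPDATE <name>  - a newer version exists but is not installed
audit_plugins() {
  awk -F',' '
    NR == 1 { next }                        # skip the header row
    $2 == "inactive"  { print "REMOVE " $1 }
    $3 == "available" { print "UPDATE " $1 " (installed " $4 ")" }
  '
}

# Constructed sample in the same column layout; names and versions are made up.
sample_plugin_csv() {
  cat <<'EOF'
name,status,update,version
akismet,active,none,5.3
old-gallery,inactive,available,1.2.0
stats-tracker,inactive,none,0.9
seo-helper,active,available,2.4.1
EOF
}

# Exit status 0 when there is nothing to fix, 1 otherwise, so a scheduled
# job can alert only when the plugin list needs attention.
plugins_are_clean() {
  [ -z "$(audit_plugins)" ]
}

# Run with --demo to see the findings for the constructed sample.
if [ "${1:-}" = "--demo" ]; then
  sample_plugin_csv | audit_plugins
fi
```

For each `REMOVE` finding, `wp plugin uninstall <name>` runs the plugin's own uninstall routine before deleting its files, while `wp plugin delete <name>` only removes the files. Whether leftover database tables are dropped depends on the plugin's uninstall routine.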
Fellow art blogger Barney Davey advised me during this time. I learned that GoDaddy.com and some of the other big hosting companies could only accommodate 1 gig for their shared secure server. The other option was, I would have to buy my own virtual dedicated server! This could cost around $1500, plus I didn’t want to learn Plesk – I am an artist, not a programmer.
My friend Todd has a few blogging tips to share…
Once You’ve Been Hacked, Prayer and Backups are Your Best Options
If I can give you one piece of advice that will save you a lot of heartache it’s this…make backups. Have backups of your backups and automate them so that you don’t have to even think about it. If your site is ever hacked you’ll thank me for it. Your hosting company should have backups, but if for some reason they don’t, you can quickly get back online with your own personal backup. I was hacked a few years ago and called GoDaddy and asked them to roll my site back to a few days before the hack occurred. I was back up and running in a few short hours. That was a huge sigh of relief!
Artists take heed, having backups doesn’t apply to just your site. Protect your art as well. Viruses can damage your computer and destroy all of your hard work. I have multiple external drives that I keep all of my art copies on, just in case. Another option is Google Drive, it’s free for up to 5 gigs of data and the pricing plans are very reasonable. I have some of my more important data stored there as a worst case scenario. You can learn more about Google Drive here: https://support.google.com/drive/bin/answer.py?hl=en&answer=2375123
Lastly, I try to keep my plugins to a bare minimum, because the more plugins you have, the greater your risk of being hacked. I also delete any plugins that I’m not using just to be on the safe side.
Here’s three plugins that I highly recommend to really help your site in the search engines and the overall user experience:
In a nutshell, here’s what I learned…
- Find a reputable web host with 24-hour support.
- Find someone who understands WordPress and English (or your own language).
- Own your own domain! You want to control and own your site and its intellectual property.
- Have a good working relationship with your web developer.
- Know and keep a record of your own passwords!
  - This includes your admin password
  - Your FTP password
  - Your PHP password
- Back up your data!!! Vickey introduced me to BackupBuddy.com
- Keep your WordPress theme up-to-date. Here’s a great post about WordPress vulnerabilities and how to fix them.
  - According to ESecurityPlanet.com, nearly 80 million websites in the world run on the WordPress publishing platform.
  - Half of all WordPress sites are self-hosted which makes them a popular target for hackers.
- Use WordPress-approved plugins
- Keep your plugins up-to-date. Out-of-date plugins can break your site. Here’s an informative post about plugins.
  - They are a security risk.
- Minimize plugins.
My hope is to educate my fellow bloggers, especially WordPress users on ways to prevent becoming a victim of a malicious hack. Honestly, I almost abandoned FineArtTips.com. I blog because I love to help others, and your kind words have kept me going. Thank you for your support. ~Lori
PS. I’d also like to thank my good friends at ArtworkArchive.com for offering their geek expertise! Please check out their brilliant artwork inventory and tracking system. If you have any other tips about hacking, please leave a comment for others!