If you’ve been wondering why things were a little quiet around here lately, it’s because yesterday some of my sites were hacked. Fortunately, I’ve put Lazy Man and Money on a separate server that went unharmed. I also have backups of everything made each day to Amazon’s S3 service. So if hackers get to my server, I should be able to restore things back to working condition fairly quickly.
It turns out to have been a pretty minor hack that was easy to reverse. All my data was safe and the sites are back up today.
The disappointing thing is that my provider, Dreamhost, allowed this to happen. When I reported it, they went to a cop-out excuse that I was running old WordPress software or insecure plugins. It doesn’t explain why all my sites got hacked, even ones that didn’t have WordPress installed.
I had three questions immediately come to my mind. Who did it and why? How would I protect myself from it in the future? What can I learn from the experience?
Who hacked me and why?
This is very difficult to answer (other than the obvious “SecurityBus”). Was it someone who just likes to hack sites for the challenge? Quite possibly. However, I was alerted by Amthrax who, like me, tries to educate consumers in the dangers of multi-level marketing. It instantly got me thinking, “What if an MLM company hired someone to hack me because I’ve been critical of them?” It’s pure conjecture at this stage, but it would make sense.
How would I protect myself from being hacked in the future?
I think the best thing I can do is move things to my own server with more robust back-ups in place. Dreamhost has back-ups as well, but I’m starting to trust them less when they are blaming me for the hack rather than investigating their own systems.
What can be learned from being hacked?
I believe hacking will forever be a risk in the digital publishing business. I need to treat it like any small business would. The corner bakery may not have hackers, but they are at risk of a riot (at least here near Oakland and San Francisco) or theft. I have a friend who owns a Subway and he’s been robbed at gunpoint twice. Seems to be part of the nature of running a Subway in his neck of the woods. It’s unfortunate and I fear for him, but he knows the risks and he’s an adult and wise enough to make his decisions.
I’ve got a homework assignment for every reader here. (Don’t worry, remember I’m Lazy so this will be easy.) Come up with a list of 3 top things that pose a risk to your income. Next to each one, write one or more things you can do today to lower or eliminate that risk. Put the list on your bathroom mirror until you successfully put in place all those safeguards.
As Angel said near the end of the Buffy series, “I’ll go start working on the second front. Make sure I don’t have to use it.”
Extra Credit: Leave a comment with your business, risks, and steps you can take to minimize the risks.
Are you responsible for updating your WordPress software? I just checked on their front website; it says “We’ll install it [wordpress], keep it up-to-date, and keep you online” so then why would it be your fault for running a version with security holes?
Good question. The answer is a little bit of both.
When I started with them back in 2006, they didn’t have the option to keep it up to date automatically (or at least it wasn’t the default). Newer websites default to that behavior. So I had most that were updated to the latest version, including the ProtandimScams.com example. A few of the older ones were not. However, everything got hacked, even sites that didn’t run WordPress at all. A WordPress-related hack should not allow access to other sites not running WordPress on the same server. That’s where I have difficulty with their explanation.
Also, the unsafe plugin can be used to excuse themselves for any security risk at all, unless you run a WordPress install without plugins, which no one does. In fact, Dreamhost recommends plugins that improve server performance (W3 Total Cache comes to mind).
Glad you got everything back. The Wife’s site is a sliver of the empire you have going on and she was hacked by a similar group…my site which also has a tiny % of visitors that you have is constantly being attacked. I doubt it was any particular company, rather, just a group that knows of one way to exploit and searched for sites with that vulnerability.
Or maybe I am a double agent trying to make you believe that.
A few people have been getting hacked lately. A few of my sites had been hacked previously and it was a pain since I didn’t back the sites up. Thankfully they weren’t live yet. You just scared me into backing up my blog.
20 and Engaged. My mission is accomplished then ;-).
On the topic of risks, I’m surprised that Aldi’s doesn’t get robbed more than it does. You know that everyone is paying with cash, and there’s generally minimal staff. Maybe they drop cash into a safe really often.
Thank you Lazy Man. I have been wanting to back up my blog for a while now but have never got around to it. After reading this I jumped all over it lol.
I am not currently using WordPress. However, I have been thinking about switching over soon because everybody knows they are the best. Right now I am using Yahoo SiteBuilder. WordPress is obviously the better choice for SEO, but I hear they are the easiest websites to hack. Is this true?
I’m not a hacker, so I don’t know what qualifies for easiest or most difficult to hack. There’s a very good reason why around 99.7% of the bloggers I know use WordPress.
My sites in Dreamhost have been hacked too. The hackers haven’t deleted the content but they have inserted spammy links inside my posts. Some of them I had to completely rewrite due to the amount of crazy links and texts inside. It’s hard to imagine losing years of work, oh God…