We’ve been hacked!

March 27, 2010


Image: construction sign courtesy of underbiteman

Two weeks ago I typed crazycolombian.com in my web browser, and ended up in a web site selling US mortgages. How could that be? After some investigation, I realised that a hacker had used a WordPress security gap to gain access to my web site and install code that redirected any visitors to a different place. Having figured it out, I then spent the next few days researching how to get rid of the hacker and cut his access to my web site so he could not do it again. By the end of it, my blog was back to normal.

Or so I thought.

At 9 AM yesterday I received an email from my webhost provider. They were informing me that, due to a breach of their Terms of Service, my hosting had been suspended. At first I freaked out. I had just paid for 2 years of renewal with them! Could they really do this? How would I reinstall my site somewhere else? This isn’t fair! Before I approached them to ask – no, demand! – that they restore my site and fix the problem, I decided I needed to calm down. And a few hours later, I realised that it is not their responsibility to ensure my web site is secure and has all the relevant upgrades to the software I use to run this blog. So I decided instead to approach them, ask for their help, and see what they said. An hour later I got an answer, and it wasn’t particularly helpful. This is what they said:

To have the account re-activated you will need to remove all malicious scripts and you will need to update and secure your own files. Once you are certain that the files that are on your account are both clean and secure you will need to let us know what you have done to secure your files. Once we can validate the security steps that you have taken and can no longer see an issue we will be able to re-activate the account/websites.

On the one hand, I was disappointed. Although the hosting plan I have is relatively cheap, I was expecting them to take some ownership for the problem. After all, they are recommended by WordPress (the company that makes the software for running this blog) as the best commercial host for their software. I was outraged that Bluehost was washing their hands of it and putting the ball entirely in my court. I was particularly peeved because the hacker got in because of a hole in WordPress; and it was that same company who recommended Bluehost as a reliable provider! Anyhow, I rolled up my sleeves, asked them to allow me access to my files, and went to work.

The good news is that my blog is (almost) back to normal. I still have to repeat the same work for my other web sites (Pass It Forward; the English and Spanish version of “Zen and the Art of Photographic Story-telling”, and the English and Spanish versions of “The other plan colombia”); but at least now I know how to fix all of them!

Besides a few late nights of work to fix it, this experience has left me with something else: four valuable lessons. Let me spare you the pain of learning them the hard way, and share them with you right here, right now.

  1. Do not ignore security and backups. Proper backups of your site are a pain to administer, but a blessing when disaster strikes. If I had been more disciplined about them, the amount of work I had to do to restore my web sites would have been cut by more than half.
  2. Carefully design your backup solution. There’s backups, and then there’s backups. Some will copy everything, and make it very easy to do a full restore. Unfortunately, a full restore will also restore the malware and backdoors that made you want to start again in the first place. On the other hand, partial backups (of your databases and image files, for example) are cleaner to restore and won’t bring malware or backdoors with them, but they will be very time consuming, as you will need to repeat any manual customisation you have made over time. Think carefully about the different scenarios that may lead you to want to do a full or partial restore, and design a backup solution that accounts for all those scenarios, with the least amount of effort.
  3. Remember that you get what you pay for. By choosing a low-price hosting plan, I elected not to pay for additional services in managing my web site, so I should not have been upset with Bluehost’s initial response. When choosing a hosting plan, think about what you need, carefully choose the one that gives you most value, and then be ready to live with your decision.
  4. Treat others the way you want to be treated. No, I am not going all religious on you here. I am simply flagging that when I approached Bluehost in a courteous manner after having been angry with their first response, they then treated me with the same respect. Next time you pick up the phone (or open your email client) to make a complaint, take a few deep breaths, calm down, and talk to them as you would like them to respond to you. Ask for help rather than demand explanations, and I can almost guarantee you will have a better outcome from the interaction.
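
Lesson 2 relies on a partial backup of image files being free of malware and backdoors; one way to check that before a restore is to audit the media backup for anything that is not a plain media file. This is an added example, not part of the original post: the function names, the extension allowlist and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: a media-only backup should contain nothing but these file types.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
# Server-side code marker that has no place inside an image or document upload.
CODE_MARKER = b"<?php"


def audit_media_backup(root):
    """Return sorted (relative_path, reason) pairs for files that should not be restored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT:
                # Scripts, dotfiles such as .htaccess, archives, etc.
                findings.append((rel, "unexpected file type"))
                continue
            with open(path, "rb") as fh:
                data = fh.read().lower()
            if CODE_MARKER in data:
                # Right extension, but the content carries script code.
                findings.append((rel, "embedded code marker"))
    return sorted(findings)


def build_sample_backup(root):
    """Constructed sample tree: two clean images and two files that must be flagged."""
    samples = {
        "2010/03/beach.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "2010/03/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "2010/03/cache.php": b"<?php /* constructed placeholder */ ?>",
        "2010/02/banner.gif": b"GIF89a" + b"<?php /* constructed placeholder */ ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_backup(tmp)
        for rel, reason in audit_media_backup(tmp):
            print(f"{reason}: {rel}")
```

Anything the audit reports is left out of the restore and reviewed by hand; a clean report only covers the files, so the database dump still needs its own review.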

On the bright side, this incident gave me an opportunity to write a new post. I am still going to hibernate for a bit longer, but have decided that until I start publishing again, I will post some new entries with recommendations from our archives.

One last thing: If you have received any old articles in your RSS feeder or your email inbox, they are probably previous articles that were mistakenly sent again by the service I use to manage subscriptions. Please accept my apologies for this inconvenience, and I hope you enjoyed today’s article anyway.
