A few months ago I was out of town visiting a client. On my route home my faithful iPhone popped up an email from another client. The client said "something strange" was appearing on their website. Peculiar, I thought, because I'm the only one with admin access and I hadn't changed anything. I thought an investigation was in order, but didn't go much past that initial thought.
Following the Clues
When I could get my hands on my Mac, I checked out the website. Sure enough, there was bizarre language or code across the header. It referenced the WP e-Commerce plugin. At first I thought the plugin had broken, but I was not sure how it happened or even why it happened. I checked the website for unknown client changes and nothing seemed out of order. I soon called my trusted WordPress consulting peep Chris and he was also perplexed. We both dug around, although I'll admit, he dug much farther into the PHP files than my newbie self could.
The events are now somewhat fuzzy, because the three days of chaos run together in my head. Chris, the king of PHP and CSS, dug deep into code while I searched Google. I don't know PHP very well, but I can match Chris' PHP skills with my search capabilities. Of course Google, being the search engine I love, headed us down the right path. With my minor search help and Chris' expertise, we solved the mystery. But not before Chris fixed the website three times.
Locating the Nasty Villain
Each time Chris fixed the website, it broke. He knew something was hidden deep and I knew he would find it, which he did. After Chris found the nasty beast hidden within our code, I wanted to scream. A month before this all occurred I had hired a consultant I found through the WP e-Commerce plugin website. He was on their list of preferred developers. I needed a little help customizing this plugin and he appeared to be a reputable consultant. He had installed a plugin called WP-phpMyAdmin. He didn’t tell me he had done so, and like a trusting idiot, I didn’t check. He left the plugin active when his code changes were complete and went merrily on his way.
Well, that my friend, was the villain. And the villain was ugly.
That code was a backdoor, and that backdoor not only corrupted my client's website, it cost me a lot of time and money, and it made me very angry. For the record, it takes a lot to make me angry.
The plugin has been removed from the WordPress plugin repository and Sucuri (a company of hacking pros) posted a blog post about this nasty plugin in late June. Sucuri was also the company I used to validate the hacking and to double check that we had indeed gotten rid of the villain.
Protecting Against the WordPress Villains
How can you protect against such events happening to your website or blog? As with your children, you can put safety protocols into place and you can try to baby-proof your house, but you can never completely protect them. But you do try, and you stay vigilant.
My recommendations for keeping your WordPress website safe:
- Keep Your Software Up to Date – Always make sure your WordPress core and plugins are up to date. Don't fall behind on release versions. If you don't know how to update WordPress, then ask a professional who offers WordPress support and maintenance to help. Please note this process is more than just clicking a button: take a backup first, update, and then check that the site still works.
- Keep Strangers Out of Your Code – I thought I had done this, since I did locate the consultant off the plugin developers' website. I had even reviewed him online and spoke with him a number of times. But quite frankly, he isn't Chris, my long-term WP peep who I know I can trust. Give outside help its own account rather than yours, remove that account when the job is done, and review the plugin list and the files that changed before you sign off on the work.
- Keep a Clean House – Deactivate and delete any plugins that are not used. A deactivated plugin's files are still on the server and can still be reached directly, so deactivating alone is not enough. Once a plugin is deleted you won't have to worry about updating it, either.
- Keep a Backup – I had a complete backup of my client's website and this was great for us. We could bring over clean files and we could double check data where and when needed. Keep that backup somewhere other than the web server itself, so a compromised site cannot take its own backup down with it.
- Keep a Guru on Call – My clients keep me on retainer and I keep people like Chris close. I have my strengths, but I can’t be the superwoman of all things internet. You have to have a core set of resources or team members who can back you up when things go crazy.
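The "clean house" and "strangers out of your code" items above come down to one check: knowing exactly which plugins are on disk and spotting any you did not put there. The Python script below is an added example written for this post, not code from the post, from WordPress or from Sucuri. It builds a constructed, fake WordPress tree in a temporary directory (the plugin set and version numbers are made up for the demonstration) and compares the plugins found there against an allowlist the site owner maintains. Reading the plugin header comment is the same way WordPress itself lists plugins, but the function and file names here (audit_plugins, build_sample_install and so on) are the example's own.

```python
"""Audit a WordPress plugins directory against the plugins the owner expects.
Added example for this post, not code from the post or from WordPress.
The sample install it builds is constructed for the demonstration."""
import os
import re
import tempfile

# Header lines WordPress reads from a plugin's main file ("Plugin Name:" is required).
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def read_plugin_header(path):
    """Return {'Plugin Name': ..., 'Version': ...} from a PHP file, or None
    when the file has no 'Plugin Name:' header (it is not a plugin's main file)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress also only inspects the first 8 KiB
    fields = {key: value for key, value in HEADER_RE.findall(head)}
    return fields if "Plugin Name" in fields else None


def installed_plugins(plugins_dir):
    """Map slug -> header for every plugin present on disk.
    The slug is the directory name, or the file name for single-file plugins."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            for name in sorted(os.listdir(full)):
                if name.endswith(".php"):
                    header = read_plugin_header(os.path.join(full, name))
                    if header:
                        found[entry] = header
                        break
            else:
                # A directory with no plugin header is still worth reporting.
                found[entry] = {"Plugin Name": "(no plugin header)"}
        elif entry.endswith(".php"):
            header = read_plugin_header(full)
            if header:  # skips the "Silence is golden" index.php placeholder
                found[entry] = header
    return found


def audit_plugins(plugins_dir, expected_slugs):
    """Compare what is on disk with the owner's allowlist.
    unexpected: on disk but not on the list (what a contractor may have left behind)
    missing:    on the list but not on disk"""
    on_disk = installed_plugins(plugins_dir)
    expected = set(expected_slugs)
    return {
        "found": on_disk,
        "unexpected": sorted(set(on_disk) - expected),
        "missing": sorted(expected - set(on_disk)),
    }


def wordpress_version(wp_root):
    """Read $wp_version from wp-includes/version.php (None if absent)."""
    path = os.path.join(wp_root, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def build_sample_install(root):
    """Write a constructed (fake) WordPress tree for the demonstration;
    names and version numbers are made up. Returns the plugins directory."""
    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

    put("wp-includes/version.php", "<?php\n$wp_version = '3.1.3';\n")
    put("wp-content/plugins/index.php", "<?php\n// Silence is golden.\n")
    put("wp-content/plugins/wp-e-commerce/wp-shopping-cart.php",
        "<?php\n/*\nPlugin Name: WP e-Commerce\nVersion: 3.8.4\n*/\n")
    put("wp-content/plugins/akismet/akismet.php",
        "<?php\n/**\n * Plugin Name: Akismet\n * Version: 2.5.3\n */\n")
    # The plugin nobody on the owner's side knew about.
    put("wp-content/plugins/wp-phpmyadmin/wp-phpmyadmin.php",
        "<?php\n/*\nPlugin Name: WP-phpMyAdmin\nVersion: 1.0\n*/\n")
    return os.path.join(root, "wp-content", "plugins")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        plugins_dir = build_sample_install(root)
        report = audit_plugins(plugins_dir, ["wp-e-commerce", "akismet"])
        print("WordPress version:", wordpress_version(root))
        for slug in report["unexpected"]:
            header = report["found"][slug]
            print("UNEXPECTED plugin:", slug, "-",
                  header.get("Plugin Name"), header.get("Version", "?"))
```

Against a real site you would call audit_plugins with the path to wp-content/plugins and the list of plugins you installed yourself; anything reported as unexpected is either something you forgot or something someone else put there, and both deserve a look. A deactivated plugin still shows up in this report because its files are still on disk, which is the point of the "delete, don't just deactivate" advice. The script says nothing about whether an expected plugin has been tampered with; for that, compare the files against a fresh copy from the plugin repository or have a scanner such as the one Sucuri runs check them, as the author did.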
Thanking Your Ultra Cool Clients
When my client’s website was hacked, she remained calm. Her only comment to me was “Rebecca you seem hassled” and then she made mention of good weather in Michigan and said everything was good. God bless Deborah and her wisdom. As Chris and I were losing it, she was calm. She knew I was working on the issue and she let me be. She never yelled, scolded, or did anything to make the situation worse. For that I was so very thankful.
You could not ask for a better client than Deborah and you could not ask for a better WordPress peep than Chris. I have been blessed with both. I’ve known “virtual Chris” for years and “physical Deborah” entered my life this year. Chris and I work closely together and Deborah is moving onto website two and three with me. I am thankful to have and to keep both.