So, imagine me sitting in a circle with other people wearing superhero T-shirts like me. I clear my throat and say meekly, “I’ve been hacked”.
I’m at an imaginary meeting of TA (techies anonymous) where we confess our technical transgressions.
I’m so embarrassed. I preach security on this blog, yet I’ve made a rookie mistake and been hacked. Here are some of the many security-related posts I’ve written:
- This Two Minute Security Fix Could Save Your Site
- Case Study: Security Hardening WordPress
- Refreshing The Google Index After Pharma Hack
- The WordPress Pharma Hack
None Of My Live Sites Were Affected
My ego is so fragile I have to jump on the defensive and say none of my main sites were affected.
The hack happened in a sub area, not a main area. I really am that insecure that I need to point this out 🙂
So I Was Scrolling Through FTP On My Dev Sites …
I have a subdomain on my hosting called dev.wpdude.com. This is where I clone client sites and do any development work so I don’t impact their live sites.
I was browsing through the directories, trying to get to the theme directory of a site I was working on, when I noticed a weird file called ads.txt in the root of dev.wpdude.com that I did not recognise.
I opened the file and realised it was malware … shite.
I began an investigation and, long story short, it turned out the way in was an old site that had been sitting on my server for some time with out-of-date plugins. Those plugins had a vulnerability that let the hackers in.
If I had kept those plugins up to date, none of this would have happened and an embarrassing blog post would never have had the publish button clicked.
The hackers scanned for the vulnerability across the interwebs, found my dev site and set about their work. They were trying to inject some ads to make a bit of cash: low-end hacking and nothing major, but still very, very embarrassing to me.
Why Was I Not Alerted?
Your host probably says they are scanning. This file had been there for days and I’d had no alert from my host. Don’t believe their hype.
I had not installed my usual malware scanning plugins on my dev area, so I was not actively scanning the subdomain.
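The check that would have raised an alert here is not a signature scan but a baseline comparison: record every file in the document root once the site is known clean (for instance straight after cloning it onto the dev host), then re-run the listing and report anything added, changed or removed. The file name alone is not the signal (ads.txt is also the name of a legitimate advertising-declaration file); what matters is that it was not there before. The script below is an added example, not code from the original post. It assumes a POSIX shell with find, sort, cut, comm and sha256sum (shasum as a fallback), file names without newlines, and a constructed stand-in directory in place of dev.wpdude.com.

```shell
#!/bin/sh
# Added example, not code from the original post. A baseline-and-diff check for a
# WordPress document root: record a manifest of every file once the site is known
# clean, re-run it later, and report anything added, changed or removed.
# Assumes a POSIX shell with find, sort, cut, comm and sha256sum (or shasum).
# File names are assumed not to contain newlines.
set -eu

# Hash one file as "sha256hex  path" (sha256sum format, shasum as fallback).
hash_file() {
    sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"
}

# Manifest of every regular file under $1, paths relative to that root,
# sorted by whole line so comm(1) can compare two manifests.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do hash_file "$f"; done ) \
        | sed 's#  \./#  #' | LC_ALL=C sort
}

# Path column of a manifest: 64 hex characters plus two spaces precede it.
paths_in() {
    cut -c67- "$1"
}

# Compare baseline manifest $1 with current manifest $2 and print one line per
# difference: "added PATH", "changed PATH" or "removed PATH", sorted.
report_changes() {
    base=$1 new=$2
    {
        # (hash, path) pairs only in the current manifest: new or modified files
        comm -13 "$base" "$new" | while read -r hash path; do
            if paths_in "$base" | grep -qxF -- "$path"; then
                printf 'changed %s\n' "$path"
            else
                printf 'added %s\n' "$path"
            fi
        done
        # pairs only in the baseline whose path no longer exists at all
        comm -23 "$base" "$new" | while read -r hash path; do
            paths_in "$new" | grep -qxF -- "$path" || printf 'removed %s\n' "$path"
        done
    } | LC_ALL=C sort
}

# Constructed demonstration: a stand-in for the dev sub-domain root, a baseline
# taken while clean, then the kinds of change the post describes.
demo() {
    work=$(mktemp -d)
    root="$work/dev.example"
    mkdir -p "$root/wp-content/plugins/old-plugin"
    printf '<?php // index\n' > "$root/index.php"
    printf '<?php // old plugin\n' > "$root/wp-content/plugins/old-plugin/old-plugin.php"
    make_manifest "$root" > "$work/baseline.txt"

    printf 'unexpected file dropped in the root\n' > "$root/ads.txt"   # unknown file appears
    printf '<?php // index (modified)\n' > "$root/index.php"           # existing file altered
    rm "$root/wp-content/plugins/old-plugin/old-plugin.php"            # plugin removed in clean-up
    make_manifest "$root" > "$work/current.txt"

    report_changes "$work/baseline.txt" "$work/current.txt"
    rm -rf "$work"
}

demo
```

Run from cron against each site root on the host, with the baseline kept outside the web root (or off the server entirely), and it reports the unexpected ads.txt on the first pass after it appears; legitimate changes (an update you applied yourself) are handled by taking a fresh baseline after the change.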
Clean Up And Paranoia
Then came a couple of days of effort and paranoia to make sure all the malware was removed from my hosting.
Deleting All But Required Sites
I then deleted all sites except live ones and ones I was actively developing.
I had WordPress installs for old domains that were going to change the world and make me millions 🙂. They were removed and the domain names parked.
I archived all old development sites and removed the WordPress installs.
Segregation Of Duties
Here’s where my confession gets even worse: I used to be a computer audit and security consultant for one of the big five accounting firms, Price Waterhouse (now one of the big four, called PricewaterhouseCoopers after their merger).
One thing we were always looking for was segregation of duties: that developers only had access to development servers, and that there was a formal change control procedure to push development code live.
Development code should never be on the same servers as live code. Even if it’s just me, I should segregate my own duties as developer of my own and clients’ sites and as webmaster of my live sites.
I’m in the process of setting up two hosting accounts so I never have to say “I’ve been hacked” on my live sites.
I’ve learned some lessons that I want to pass on to you:
- Scan all sites when you clone them over to your hosting; don’t assume they are secure.
- Keep dev and live sites separate, so if you do introduce malware to dev it will not impact a live site.
- Don’t allow Google to index dev sites, so they aren’t there to be found and scanned in the first place.
Wrap Up – I’ve Been Hacked
Just because you know how to protect your site against hackers doesn’t mean squat if you are not rigorously following the correct security protocol across ALL sites on your hosting server, not just your main live sites.
I want you to go, right now, and check for out of date plugins on your WordPress site and get them updated if you have any.
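For a host with many sites, the check above is worth scripting rather than clicking through each dashboard. The script below is an added example, not code from the original post: it reads the `Version:` header that every WordPress plugin declares in its main PHP file and compares it with a table of latest known versions, flagging anything out of date. It assumes a POSIX shell, plain dotted numeric versions (1.4.2, not 1.4.2-beta), and a constructed plugins directory with made-up plugin names and a constructed "latest known" table.

```shell
#!/bin/sh
# Added example, not code from the original post. Reads the "Version:" header of
# every plugin under a wp-content/plugins directory and compares it with a table
# of latest known versions, flagging the out-of-date ones.
# Assumes a POSIX shell; versions are plain dotted numbers (1.4.2, not 1.4.2-beta).
set -eu

# True (exit 0) when dotted version $1 is older than $2, e.g. 1.2.3 < 1.10.0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Version string from a WordPress plugin header comment (" * Version: 1.2.3").
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Audit every plugin directory under $1 against table $2 (lines "slug version").
audit_plugins() {
    plugins_dir=$1 latest_table=$2
    for dir in "$plugins_dir"/*/; do
        slug=$(basename "$dir")
        installed=
        for php in "$dir"*.php; do          # the main file is whichever carries the header
            [ -f "$php" ] || continue
            installed=$(plugin_version "$php")
            [ -n "$installed" ] && break
        done
        if [ -z "$installed" ]; then
            printf 'UNKNOWN %s (no Version header)\n' "$slug"
            continue
        fi
        latest=$(awk -v s="$slug" '$1 == s { print $2 }' "$latest_table")
        if [ -z "$latest" ]; then
            printf 'UNLISTED %s %s (check manually)\n' "$slug" "$installed"
        elif version_lt "$installed" "$latest"; then
            printf 'OUTDATED %s %s -> %s\n' "$slug" "$installed" "$latest"
        else
            printf 'CURRENT %s %s\n' "$slug" "$installed"
        fi
    done
}

# Constructed demonstration: three made-up plugins and a made-up "latest" table.
demo() {
    work=$(mktemp -d)
    plugins="$work/wp-content/plugins"
    mkdir -p "$plugins/contact-widget" "$plugins/gallery-lite" "$plugins/old-stats"
    printf '<?php\n/*\nPlugin Name: Contact Widget\nVersion: 1.4.2\n*/\n' > "$plugins/contact-widget/contact-widget.php"
    printf '<?php\n/**\n * Plugin Name: Gallery Lite\n * Version: 2.0.0\n */\n' > "$plugins/gallery-lite/gallery-lite.php"
    printf '<?php\n/*\nPlugin Name: Old Stats\nVersion: 0.9\n*/\n' > "$plugins/old-stats/old-stats.php"
    # constructed table; in practice this comes from WP-CLI or the wordpress.org plugin API
    printf 'contact-widget 1.10.0\ngallery-lite 2.0.0\n' > "$work/latest.txt"
    audit_plugins "$plugins" "$work/latest.txt"
    rm -rf "$work"
}

demo
```

Where WP-CLI is installed, `wp plugin list --update=available` gives the same answer directly from WordPress’s own update check, and a plugin that is UNLISTED (no longer in the directory) is a reason to remove it rather than keep it. The third lesson in the list above maps to the `blog_public` option (Settings → Reading → “Discourage search engines from indexing this site”), which `wp option update blog_public 0` sets on a dev clone.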
Here’s where I meekly try and upsell you, the good reader of this blog, on my security monitoring and hack prevention maintenance plan, no, not interested in that 🙂 I’ll get my coat.