3 months ago, my WordPress site was hacked.
Like many people, I run my site on WordPress. I got it up with minimal setup, without any backup or survival plan in case of a catastrophic event like a server wipe-out or a hack.
So how did it happen? From my investigation, Yokeharn.com was not the vulnerable point; it was another WordPress site that I helped to host on the same server. We had a project coming in and engaged a web designer to build us a corporate site powered by WordPress. He uploaded the site to my server and had it running in no time, and everything was smooth for some time.
The problem is, the designer used the default username “admin” and password “admin” (OMG…), which is an easy guess for any hacker. Within two weeks after it went live, someone found that out, got access to the wp-admin site and logged into it.
Once the hacker was in, he uploaded a PHP script that read my entire hard drive, deleted all my other sites’ content (including this site you are reading) by scanning through the Apache config, and deleted everything without leaving any trace.
His purpose? Just to deface the site and leave a propaganda message like the one below.
I got 3 websites defaced. Two websites I could recover quickly, but not this site.
I lost my entire theme source code and styles, and my uploaded photos. I tried everything to recover the files, but to no avail. I lost part of my site forever. Here you can see some posts that are missing their images.
Fortunately, the database was still safe. But it is really frustrating just to think that part of your work is completely gone forever.
So the lesson here? Make sure you at least take some steps to prevent hackers from getting easy access to your important admin area, and know how to survive and quickly recover in case they get your site owned.
The advice below is mostly aimed at WordPress sites, but the general idea is the same for other websites as well.
How to prevent easy access to admin site
1. Apache Httpd password protection
If you are running on Apache Httpd, you can password-protect the wp-admin directory, so anyone accessing the admin URL will need an additional password to get in.
The problem with this configuration is that it might cause issues on certain CMSs, like dotCMS, which I used to work with. So be careful and test it out once you configure it.
You can follow the link here on how to set it up. Just don’t use an easily guessed password for this, ok?
2. Remove the default ‘admin’ login or use a sophisticated password
This is easy to understand. Quick and effective.
3. Change the /wp-admin and /wp-login.php URL path
Changing the default admin path will totally prevent the hacker from knowing where to start in the first place. I’ve checked my access log on the hacked site, and I know they use bots to test the HTTP return code of standard admin paths, like /wp-admin, /wp-login.php, /phpmyadmin, /admin, etc. So if you have any other standard admin path, this step is extremely helpful.
For WordPress, there are some plugins for this, and there are also some manual changes you can make to the PHP code. I’ll leave it up to you to survey them, as there’s a lot of discussion on this topic already. Here are some discussions that are useful.
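An added example (not code from the original post) of the kind of access-log check described above: it parses Apache combined-format lines and flags any client that walks through several of the standard admin paths in one visit, which is the scanner pattern rather than a normal login. The log lines below are constructed for the example, not taken from the author's real log.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format (not the author's real log).
# 203.0.113.5 cycles through the well-known admin URLs; 198.51.100.7 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:02:14:01 +0800] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:02:14:02 +0800] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:02:14:03 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:02:14:04 +0800] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:02:15:10 +0800] "GET /2013/03/some-post/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:02:16:11 +0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# The standard admin paths the post says the bots were probing.
ADMIN_PATHS = ("/wp-admin", "/wp-login.php", "/phpmyadmin", "/admin")

# client ip, identd, user, [timestamp], "METHOD path protocol", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def admin_probes(log_text, min_distinct=3):
    """Return {ip: sorted distinct admin paths} for clients that touched at least
    min_distinct different admin paths. One hit on /wp-login.php is normal use;
    a single client trying several admin URLs in a row is a scanner."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Drop query string and trailing slash so /wp-admin/ and /wp-admin compare equal.
        path = rec["path"].split("?", 1)[0].rstrip("/") or "/"
        for prefix in ADMIN_PATHS:
            if path == prefix or path.startswith(prefix + "/"):
                seen[rec["ip"]].add(prefix)
                break
    return {ip: sorted(paths) for ip, paths in seen.items() if len(paths) >= min_distinct}


if __name__ == "__main__":
    for ip, paths in admin_probes(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} admin paths: {', '.join(paths)}")
```

Run it against a real log with `admin_probes(open("access.log").read())`; clients that show up here are the ones a renamed admin path or an extra Apache password would have stopped at the door.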
How to survive being hacked by backing up your site
This is a no-brainer: you MUST do this regularly. I can’t stress this enough.
Even if you use the most sophisticated approach to keep hackers out, a smart one will always find a way in. So please have a full backup plan for your site.
And remember not to store your backup files on the same server; that’s as good as not doing backups at all.
For WordPress, there are a bunch of plugins to help you do this. Below are just some that I have tried before:
- BackupBuddy - A premium backup plugin, for both your files and database. It has scheduled jobs to regularly back up your site, and a very easy restore procedure, so it’s easy to move your site to a new server. Cons: It costs money.
- XCloner - A free backup plugin, for both files and database. It has the same functionality as BackupBuddy and does a good job of backup and easy restore. Cons: It can’t handle a non-default MySQL port (other than 3306); otherwise a very good choice.
- BackWPup Free – A free backup plugin, for both files and database. It does backups really well, it has scheduled jobs and it has a nice interface. Ain’t that all you want? Cons: No one-click restore function. You have to manually copy the files to the server and run some commands to restore the database.
If you have other tips on how to survive a hacked site, please feel free to drop a line in the comments. Thanks