I don’t usually make a habit of getting emotional in my blog postings. But for reasons I will explain shortly, the last three weeks have changed me. Although I could never be considered an overly positive person, I certainly have never been a negative one. I trust people when they earn it, and believe for the most part that the blogosphere is a safe place to learn new things and develop my skills as a writer. But recently, a person I never met decided to destroy my blog, for no other reason than his own twisted entertainment.
And now, I’m just pissed.
Without going into too much detail, I will tell you that in a matter of minutes I lost an entire year’s worth of work. Ten pages, 55 posts, 19 drafts, hundreds of tags, and over 2,000 comments were gone in an instant—replaced with nothing more than a simple redirect to a Hungarian-hosted adult website, and a nasty virus (a Trojan, actually) on my computer. Exactly how the hacker destroyed my XML data file and all of my server-side backups is a complete mystery to me; and why he did it is something I will never be able to understand.
But on the bright side, after three weeks of sleepless nights rewriting articles from memory and scouring the web for reposts, my blog is finally live again—but not before multiple (read: five) failed attempts at go-live. Since early October I have repeatedly brought my site back online, only to discover the hacker somehow worked his way back in each time. But this time, I think I’ve finally figured him out . . . because if I didn’t, you’d be looking at porn right now.
If I learned one thing during the recovery process, it is this: information on preventing a blog hack is everywhere, but good information on recovering from a blog hack is nearly impossible to find. So in the interest of helping those of you who are going through (or eventually will go through) the same thing, I would like to share my 15-step recovery strategy, in as much detail as I possibly can. I sincerely hope this article helps you in some way—even a small piece of it—and if you have any questions PLEASE do not hesitate to email me directly at eric@thesmallcompanyblog.com.
15 Steps I Took to Recover from a Blog Hack
Step #1: Shut Down Your Blog. Immediately – Trust me when I say that this process will go MUCH more smoothly if you rip the Band-Aid off in one pull. Sure, it’s painful to take your site completely offline, but compared to 3,000 people sending you nasty emails and putting you on a “high-risk website” list, it is best to bite the bullet up-front. And don’t just replace your home page with an “Under Construction” sign—unassign your domain. I shouldn’t have to remind you of this, but someone with an unlimited amount of free time has control of your blog. If you want to regain control, you need to cut off his access first.
Step #2: Clean Out Your HTDOCS Directory – As a first step in combating a hacker, some experts (e.g. Level 2 Hosting Support at Network Solutions) will recommend you uninstall your blog software. Do not listen to these idiots. The uninstall process might cripple your blog, but it won’t kill it. In WordPress especially, the uninstall process leaves dozens of files (and in some cases entire folders) completely intact. Many of these files cannot physically be un-installed, because the hacker has either hid them or modified their file permissions. If you really want to do this the right way, call your ISP and have them clean out your HTDOCS directory on the server side. But however you do it, don’t leave anything lying around.
Step #3: Run a Virus Scan On Your Primary Blogging Computer – Although all of these steps are important, Step #3 is critical when it comes to preventing re-infection. Many attacks made on blogs start with a virus on your computer—one that has very quietly picked off your FTP username and password and sent it to a third party. This step might cost you a tiny bit of money (less than $40 total) but this is not a time to start operating on a budget. Here is what you do: first, boot up in Safe Mode. Run a full scan of Malwarebytes, then reboot in Safe Mode. Run a full scan of SUPERAntiSpyware. Reboot in Safe Mode. Run CCleaner (CCleaner is freeware). Reboot in Safe Mode. Wash . . . rinse . . . repeat. Also, a friendly piece of advice: do not even consider using any other virus and/or Trojan-removal products. The virus on my computer not only crippled both Symantec and Windows Defender, but rewired them to give me false information.
Step #4: Change All of Your Blog-Related Passwords – Now that your computer is no longer spying on you, any logins you use for blogging-related purposes MUST be changed, with no exceptions. This includes the login for your FTP tool, the computer you use to manage your blog, your host login (Network Solutions, GoDaddy, etc.) and your blog itself—which you will be re-installing shortly. Also, a note of caution: it is important that you not perform this step too early. If you change your passwords before your blog is offline, your blog folder is empty and your virus scans have been run, you WILL be hacked again. How I know this is not relevant.
Step #5: Reinstall Your Blog Software from Scratch – While your domain is still unassigned and the hacker can’t find you, re-install your blog software from the beginning. But before you do, upgrade to the absolute latest version of whatever platform you use. Also, resist the temptation to cut your blog live as soon as the installation is done. You’ve still got a lot of work to do, and staying invisible is key.
Step #6: Re-Acquire and Re-Install Each of Your Plugins and Widgets from Scratch – If you’re anything like me, your happiness is dependent upon having at least 20 different plugins and widgets running on your blog. Unfortunately, this is where your willingness to try new things bites you right in the ass—because you need to re-download, re-install and re-configure every single one of them. Each one needs to be downloaded from a credible website, preferably the main site for your blog platform (WordPress.org, TypePad.com, etc.). And while you’re shopping, pick up a plugin or widget that regularly inspects your blog for malicious code and secret backdoors, like “AntiVirus” for WordPress.
Step #7: Re-Acquire and Re-Install Your Theme from Scratch – Similar to Step #6 above, visit the branded site that developed your blog and download your theme file again before reinstalling. Many previously uninformed people (like me) fell into the trap of acquiring a theme by typing “free blog themes” into Google, and clicked on the first few links that came up. But did you know that many of these themes are already pre-infected? Now you do. If you find a cool theme on a not-so-credible website, chances are it’s been downloaded from a branded blog site and modified in some way.
Step #8: Make All of Your Theme Mods – Remember all of those really cool theme modifications you made over the last few months? I hope so, because you’re going to have to make them again. But this time, make a list of modifications as you go—a quick description of the modification and the template or CSS file you modified in each case is a great start.
Step #9: Turn Off Comments on All of Your Posts – If there is one thing blog platform developers do NOT want you to know, it is this: your blog’s XML database can be hacked and infected by simply entering the right combination of characters into the comment field of one of your posts. Even if your blog is set to not display a comment until you approve it, anything—and I mean ANYTHING—typed into your blog’s comment field is still permanently written to your XML database, and occupies the same file space as your posts, tags, categories and other comments. Until you see the CEO of your blog platform on MSNBC declaring that their ‘comments hole’ has been closed, turn off your comments. And leave them off.
Step #10: Turn off Your Blog’s Search Feature – In similar fashion to the Comments Field, your blog’s Search Field is just as vulnerable to a hack. This article from Network World does a great job of explaining how your blog site can be taken over via the Search field. If your blog does not have a simple “On/Off” switch for search, you may need to manually remove the code from your page templates before the field actually goes away.
Step #11: Re-Upload Your Content – If you have no idea when your blog was actually infected, do not blindly re-upload an old backup XML file of your database and assume everything will be fine. Before you load any XML data back into your blog, paste the entire file into Notepad and look for phrases like “iFrame” and “redir” (redirect). Also, check all of the “http” references within the file, and make sure you know where each link in your data file is pointing. If you find too many scary things in your XML, or if you aren’t comfortable cleaning the file yourself, DO NOT UPLOAD IT. Instead, it’s time to start the painful and slow process of re-creating each post through copy and paste. If you need to resort to this, here is a tip: start with the articles themselves, and save the comments for a day when you have less going on in your life.
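One way to do the Step #11 check systematically instead of eyeballing the file in Notepad, as an added example that is not part of the original post: this Python script scans the raw text of a blog export file line by line for the phrases the step names (“iframe” and “redir”), plus script tags and common obfuscation calls, and tallies every host referenced by an http/https link so you can compare that list against the hosts you know you link to. It deliberately works on the raw text rather than parsing the XML, so it still runs if the hacked export is no longer well-formed. The sample export at the bottom is constructed for this example, and the hosts in TRUSTED_HOSTS are placeholders you would replace with your own.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Phrases worth highlighting in an export before re-importing it. "iframe" and
# "redir" are the ones Step #11 names; the others are common companions of
# injected content. Matching is case-insensitive and runs over the raw text.
SUSPICIOUS_PATTERNS = {
    "iframe": re.compile(r"<\s*iframe\b", re.IGNORECASE),
    "redirect": re.compile(r"redir|http-equiv\s*=\s*[\"']?refresh|window\.location", re.IGNORECASE),
    "script": re.compile(r"<\s*script\b", re.IGNORECASE),
    "obfuscation": re.compile(r"\beval\s*\(|base64_decode|unescape\s*\(", re.IGNORECASE),
}
# Any http/https reference, terminated by whitespace, quotes or markup.
URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)


def scan_export(xml_text, trusted_hosts):
    """Return (findings, hosts, unknown_hosts) for the raw text of an export.

    findings      - list of (line_number, pattern_name, excerpt)
    hosts         - Counter of every host referenced by an http(s) URL
    unknown_hosts - the subset of hosts not listed in trusted_hosts
    """
    findings = []
    hosts = Counter()
    for lineno, line in enumerate(xml_text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()[:100]))
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname
            if host:
                hosts[host.lower()] += 1
    unknown_hosts = {h: n for h, n in hosts.items() if h not in trusted_hosts}
    return findings, hosts, unknown_hosts


def safe_to_import(findings, unknown_hosts):
    """Step #11's rule: anything suspicious, or any link you cannot account for, means do not upload."""
    return not findings and not unknown_hosts


# Hosts this hypothetical blog is known to link to; the export's own schema
# namespaces are included so they are not reported as unknown.
TRUSTED_HOSTS = {"example-blog.invalid", "wordpress.org", "purl.org"}

# Constructed sample export: one clean post, one post with an injected
# hidden iframe, and one comment carrying a scripted redirect.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
<title>Example Blog</title>
<link>http://example-blog.invalid</link>
<item>
<title>Welcome post</title>
<content:encoded><![CDATA[<p>Read my notes at <a href="http://example-blog.invalid/notes">notes</a>.</p>]]></content:encoded>
</item>
<item>
<title>Injected post</title>
<content:encoded><![CDATA[<p>Hello</p><iframe src="http://evil-host.invalid/track" width="1" height="1"></iframe>]]></content:encoded>
</item>
<item>
<title>Suspicious comment</title>
<wp:comment_content><![CDATA[<script>window.location="http://evil-host.invalid/redir.php";</script>]]></wp:comment_content>
</item>
</channel>
</rss>
"""

if __name__ == "__main__":
    found, seen_hosts, unknown = scan_export(SAMPLE_EXPORT, TRUSTED_HOSTS)
    for lineno, name, excerpt in found:
        print(f"line {lineno}: {name}: {excerpt}")
    print("hosts referenced:", dict(seen_hosts))
    print("hosts you did not account for:", unknown)
    print("safe to import:", safe_to_import(found, unknown))
```

To use it on a real export, read the file into a string and pass it to scan_export with the set of hosts you actually link to. Every flagged line and every unknown host is something you should be able to explain before the file goes anywhere near your blog; the script flags, it does not clean.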
Step #12: Change Your Blog’s Config File – I can’t directly speak for other platforms, but within a WordPress installation there will be a file named wp-config.php, which carries important information related to site cookies (and therefore site access). Some hackers utilize this file to gain Administrator rights to your blog, but making a few quick changes to your config file will invalidate all cookies on your site, and force people to re-log in using new credentials. As someone who is not a PHP developer, I can’t say exactly how important this step is. But I have found this tip referenced on a number of sites where security-type nerds love to hang out.
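The cookie-related values in wp-config.php that Step #12 refers to are WordPress’s authentication keys and salts (the define() lines for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching _SALT constants); every login cookie is signed with them, so replacing them with fresh random values makes every existing cookie, including any the hacker still holds, invalid at once. This Python helper is an added example, not code from the original post or from WordPress, and it assumes the define() lines use the single-quoted form WordPress ships by default. The sample config at the bottom is constructed for the example.

```python
import re
import secrets
import string

# The eight secret constants WordPress keeps in wp-config.php.
WP_SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Characters safe inside a PHP single-quoted string: no quote, no backslash.
SAFE_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.<>?"

# Matches define('NAME', 'old value'); for any of the eight names, tolerating
# the column-aligning whitespace WordPress puts between name and value.
DEFINE_RE = re.compile(
    r"define\(\s*'(" + "|".join(WP_SECRET_NAMES) + r")'\s*,\s*'[^']*'\s*\)\s*;"
)


def new_secret(length=64):
    """A fresh random value from the OS CSPRNG, 64 characters long by default."""
    return "".join(secrets.choice(SAFE_CHARS) for _ in range(length))


def rotate_wp_secrets(config_text):
    """Return (new_config_text, replaced_names, missing_names).

    Each recognised define() line is rewritten with a new random value; the
    rest of the file is left byte-for-byte unchanged. missing_names lists any
    of the eight constants that were not found, so you can add them by hand.
    """
    replaced = []

    def substitute(match):
        name = match.group(1)
        replaced.append(name)
        return f"define('{name}', '{new_secret()}');"

    new_text = DEFINE_RE.sub(substitute, config_text)
    missing = [n for n in WP_SECRET_NAMES if n not in replaced]
    return new_text, replaced, missing


# Constructed sample: a minimal wp-config.php still carrying the stock
# placeholder values plus one unrelated setting that must survive untouched.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blogdb');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, done, missing = rotate_wp_secrets(SAMPLE_WP_CONFIG)
    print(rotated)
    print("rotated:", done)
    print("not found (add by hand):", missing)
```

Run it against a copy of your real wp-config.php, check that the “not found” list is empty, and only then put the rewritten file in place; the old values are gone for good, which is exactly the point.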
Step #13: Turn it All Back On – The moment of truth has arrived, and now it is indeed time for you to a) cross your fingers, b) say a little prayer to whatever God you believe in, and c) make your blog live again. Depending upon how long your blog was down, it may take some time for your site to actually show up on the web again after you re-assign your domain. But if it takes longer than 2 hours, contact your ISP immediately.
Step #14: Create and Upload a New Sitemap – If you’re even remotely capable of following step-by-step instructions, your sitemap should have been blown away back in Step #2. With this in mind, the search engines have likely stopped by for a visit between then and now, which means your site is sitting in the Internet penalty box known as the dreaded “unverified” bin. Creating and uploading a new sitemap is the only way to tell Google and MSN that your blog is alive and kicking again.
Step #15: Let Your Readers Know What’s Up – For various reasons, most bloggers who get hacked are embarrassed to admit it . . . which is why articles like this are so hard to find. But rest assured, there are tens of thousands of people out there who already went through the same thing, and all of them will be amazingly supportive of your efforts to recover. Once your blog has been running hacker-free for a few days, let your site members and social networking followers know what happened. Not only will this explain why you disappeared from the web, but it will encourage them to hang in there if you get hacked and have to take your site down again.
Comments? Questions? Feel free to reply to this post. Otherwise a Retweet, Facebook Share, LinkedIn Share or other type of social share (handy buttons provided) would be greatly appreciated. Thank you!