Hacked!

Black Hat Squadron
At first I didn’t realize that my WordPress website had been hacked.

I work up one morning to find a flurry of comments had come in to my blog during the night. The warm fuzzy feeling of having so many interested readers quickly disappeared when I discovered that none of the comments were addressed to me. The first dozen or so appeared to have come from the discussion board for an online typography class. Who the students were and how their conversations got routed to my blog, I’ll never know. They stopped at about 2 a.m.

There was a lull before the spam started. The few I opened were filled with gibberish. It came in slowly at first—at a rate of one and hour—but the pace kept ticking up a notch. By mid-morning I was receiving one spam a minute.

DYI Spam Fighter

I devoted the entire weekend to figuring out how to stop the attack.

I went into the dashboard of my WordPress site and turned off the comments on every page. This did absolutely nothing. The comments continued to click in to my site from the giant cyber spam dispenser.

There were hours and hours of research. I updated WordPress, changed my all of passwords, discovered and removed malicious code hidden in several places, and rebuilt my site. None of this worked. It didn’t matter that all of my code was clean. The spam engine was controlling my contact form from outside of my website.

Once I discovered that the source was outside my site, I deleted my contact page and renamed the php file for my contact form. The spam stopped instantly. But I had disabled my blog.

Some Things are Better Left to Professionals

Why is it that my first thought is to hire an expert when there is a problem with the wiring in my house or when my car’s engine dies, but when my website was hacked I thought I could gain the knowledge to fix it in only two days?

Like many members of the WordPress community, I would rather do it myself. But that roll-up-my-sleeves attitude didn’t take into account my full-time job, graduate school, or my relationships. I also needed confidence that my site was not just sort of—but really—fixed before I started posting articles again.

Who You Gonna Call?

The results of my Google searches for “my WordPress site was hacked” and similar queries were either desperate pleas for help from WordPress owners like myself or step-by-step DIY solutions. I turned up only a handful of professionals who unhack WordPress sites. I chose JTPratt Media. Thanks to John and his team my site was scrubbed and secured in a couple of days.

John Pratt agreed to answer some of my questions about hacking. His answers are in my next post.