3 min read

Random thoughts about our hacking situation

At the desk, 8:19 a.m.

What does it really mean to have your websites hacked?

About six days of work with four of those days being filled with panic and despair followed by a nagging sensation that things are still not right.

That's to say it's been a little crazy around here.

Here are a few things we know:

1. Our store was not compromised. Because we keep the store on a different URL under a different user, the store was a kind of safe island in the sea. This is a really good thing as the hackers didn't get people's email addresses or addresses.

2. We had a plugin failure. It wasn't actually the hacking that caught our attention. It was Backup Buddy. For some random reason, even if you uninstall and delete the plugin, the plugin will still go. If you move it to a folder so it's not accessible to your current configuration, it will still run. In some cases, Back up Buddy created 20 and 30 copies of the sites. This is what blew up our CPU usage and caught our attention. If the plugin hadn't been so stupid, we would have never noticed the hacking.

3. The sites were hacked through Headway Theme: Not the current configuration, but an old configuration of Headway theme that lived on our server at some point. This is another thing that was deleted but now continues to live on. Over the course of the next few months, I will remove all the Headway themes and any of their products. (For the record, Headway recommends Backup Buddy - go figure.)

4. Tech support is both awesome and sucks: Our hosting companies tech support was really wonderful once they had a small concrete problem to work with, but completely sucked in attempting to solve our problems. Thursday and Friday, we begged them for help and they sent up links to wiki articles, often the same articles. They were much more interested in getting our ticket off their plate than actually helping us. I even switched over to phone service, begged them to call, and got nothing. Once we were moved to the Hacking department, and they got back from their long weekend, we received some specific help. There's a couple things to learn here: 1) if you're looking to start a business, problem solving Wordpress sites might be a good one and 2) When talking to tech support, it's better to narrow your problem down to miniscule so you can get some actual help with this tiny edge, and then maybe the next tiny edge. I could not have been more grateful for Super Steve. He really saved the day.

5. No matter who you have helping you, and their competence level, at the end of the day, if it's your site/business, it's your problem. This means that if you own a website, you'd better know how to work with it and deal with it, because at some point, you're going to have to.

6. People who say they are experts often are not. Last year, I hired someone who claims to be an expert at Wordpress. Besides screwing up a bunch of stuff, lying about it, telling me it was my fault, then refusing to return $122, she is one of the major reasons all of this happened. She convinced me that I needed a few plugins that weren't secure. I trusted her - after all she was supposed to be a Wordpress expert. Right? She's a complete fraud. Worse than that, she left the window open for these hackers to waltz right into the sites and take what they wanted. The sad thing is that there's no way to know who's an expert and who's not. This woman had great references from people I knew. Turns out, they just didn't know what they were talking about.

Anyway, once again, I believe we've solved most of our problem. At least I hope so.

I'll keep you posted.

-----