It started with a text message from my wife: “ZATZ site hijacked by nasty porn.” This is not exactly the message you want to get at 6pm on July 3rd. I had been planning on beginning my holiday weekend with a prolonged sittin’-on-the-couch-watchin’-TV night, but that was not to be.
Instead I’d be doing porn removal, which took until about 2am.
Image courtesy scammers. Image sanitized for your protection.
The thing is, I know better. In fact, sometime in the middle of 2013, I made a decision which led directly to my couchless July 3rd. I pretty much knew it would reach out and bite me, and it did.
Here’s what happened. In today’s world, all Web sites are moving targets. It’s always an arms race between Web site operators and the spammers and scammers out there who want to use them for anything from malware distribution to automated referrals to porn sites.
Because it’s an arms race, it’s up to the Web site operators to constantly update their sites, update the server software running on their sites, and update their protection systems. Failure to do all of these leaves the chance that bad guys will find a loophole, and tunnel their way in.
That’s what they did on my site. What happened is they embedded a redirect message into just the mobile version of the site. As a result, if I visited the site via my desktop browser, everything looked fine. But if you visited the site via a mobile browser (as my wife did on Thursday while at Sam’s Club, when she was updating our business membership), you’d find that criminals had gotten into the site’s code and replaced it with a redirect to the porn site.
This was fully preventable.
And yes, I understand the irony of a cybersecurity expert getting hacked. It’s like the old story of the barber who never cuts his own hair. While I would never advise anyone to leave a site untouched, there is one difference between Mr. Highfalutin Cyberwarfare Advisor being hacked and a regular Web site operator: I do know how to fix it. That said, mitigation sucks, especially when it gets in the way of a planned night off.
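One way to catch the kind of mobile-only redirect described above is to fetch the same page once as a desktop browser and once as a mobile browser, then compare both the landing URL and the served HTML for redirect code. This is an added example, not code from the ZATZ site or from any WordPress plugin; the user-agent strings, the pattern list and the sample HTML below are constructed for illustration.

```python
import re
import urllib.request
from urllib.parse import urlparse

# Constructed user-agent strings; any realistic desktop/mobile pair will do.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/100.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) Mobile/15E148 Safari/604.1"

# Client-side redirect constructs an injection commonly leaves in the HTML body.
REDIRECT_PATTERNS = {
    "meta-refresh": r'<meta[^>]+http-equiv=["\']?refresh',
    "window.location": r'window\.location(?:\.href|\.replace)?\s*[=(]',
    "document.location": r'document\.location(?:\.href)?\s*=',
    "top.location": r'top\.location(?:\.href)?\s*=',
}

def find_redirects(html):
    """Return the names of redirect patterns present in an HTML body."""
    return sorted(n for n, p in REDIRECT_PATTERNS.items() if re.search(p, html, re.I))

def compare_variants(desktop_html, mobile_html):
    """Return redirect constructs served to the mobile UA but not the desktop UA."""
    return sorted(set(find_redirects(mobile_html)) - set(find_redirects(desktop_html)))

def landed_elsewhere(desktop_url, mobile_url):
    """True if server-side 30x redirects sent the mobile client to another host."""
    return urlparse(desktop_url).netloc != urlparse(mobile_url).netloc

def fetch(url, user_agent):
    """Fetch a page with the given UA; returns (final URL after redirects, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Run both checks against a live site; returns (mobile-only patterns, host differs)."""
    d_url, d_html = fetch(url, DESKTOP_UA)
    m_url, m_html = fetch(url, MOBILE_UA)
    return compare_variants(d_html, m_html), landed_elsewhere(d_url, m_url)

# Constructed sample responses: a clean page and the same page with an injected redirect.
CLEAN_HTML = "<html><head><title>Archive</title></head><body><p>Articles</p></body></html>"
TAMPERED_HTML = CLEAN_HTML.replace(
    "</head>", '<script>window.location.href="http://BAD-SITE.invalid/";</script></head>')

if __name__ == "__main__":
    print(compare_variants(CLEAN_HTML, TAMPERED_HTML))  # ['window.location']
```

Run `check_site("https://your-site.example/")` against a live site; an empty list and `False` means both variants matched, while anything else is worth inspecting the theme and plugin files for.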
Here’s how we got to this point. The ZATZ site is no longer actively updated. It was a highly visited site back in the day, but since I’ve moved on with my career from entrepreneur to advisor, columnist, and educator, the thousands of ZATZ articles are really now just an archive. We don’t get any advertising income (although some old ads are still running on the site), and I rarely spend any time there.
It is a WordPress site. A few years ago, I moved it from UserLand Frontier to WordPress, specifically because of the high level of support available in the WordPress world. There is one disadvantage of WordPress though: given that a huge number of sites run WordPress, it’s also a very visible target for hackers.
There are a wide variety of ways to harden a WordPress site, including many different security plugins. The ZATZ site was hardened, and it did use the security plugins.
So where did I go wrong, and why was it my fault?
While there are many things you should do to keep a WordPress site from being hacked, there is one golden rule (and it’s the one I violated): always keep WordPress up to date. This includes updating the WordPress core, any themes you use, and any plugins.
I didn’t do this. Around August of last year, I made a ruthless prioritization decision: leave the Web sites alone and work on other stuff. I sometimes have to be ruthless about how I prioritize my time, and this was a big one. I knew there was a chance of hacking, but I just didn’t want to spend a weekend every few months fiddling with the site. I had an overwhelming amount of other things going on, and this just wasn’t as important.