At the start of January my blog got hacked. Someone or something hacked into the site and infected it with malware, which basically means malicious software. I was at risk of losing my entire site and it was a huge reality check and learning curve for me. At the risk of sounding a bit dramatic, it was one of the most stressful things I have ever gone through with my blog and business, so I have decided to write a blog about it to help other bloggers make sure their sites are fully protected. I know there have been a number of bloggers affected by hacks recently and I really would hate for it to happen to any more.
The hack happened because my site didn’t have sufficient security and deterrents. It’s something I felt so stupid about at the time, but I guess it’s not something that is widely talked about in the blogosphere. I was blissfully unaware that my blog was even at risk, so maybe you are too? I love all the creative elements about running a blog, but when it comes to the tech side of it, I really struggle. This is the story of my blog hack.
It was a Sunday evening and Scott and I were relaxing at home after a really chilled-out day. I try to totally switch off from emails, blogging and social media on Sundays. However, that Sunday I happened to check my Instagram direct messages. There was a message from one of my lovely followers letting me know that the Google description of my blog was all in Chinese characters. For some reason, I didn’t initially panic or connect this issue with a hack. I just calmly replied with ‘oh thanks so much for letting me know! I will definitely look into it’. I’ll do it tomorrow, I said to myself.
It wasn’t until about 30 minutes later I thought about that message again and I decided to try and log into my WordPress admin page. I entered my details as usual, but it said my username and password were not recognised. The hacker had changed both of them, so I couldn’t access my blog. This was when the first surge of stress and adrenaline hit me. I then went to look at my homepage, which was displaying nothing more than just my logo header. Had I been hacked? How do I find out? How do I get back into my admin panel? I spent the next 30 minutes or so completely freaking out, which was incredibly unproductive. Poor Scott was trying to help out by calming me down and Googling things on his phone. The truth is, we were both pretty clueless.
Cleaning Out the Malware
It took a while to find some rationale in my head. After the initial panic, I got in touch with Blue Host (my web host at the time).
I do not recommend Blue Host and I have since changed host providers.
They confirmed that my blog had been infected with malware and that they would need to temporarily close the site down to stop it from getting any worse. Secondly, they advised that I would need to find a third party company to clean out all of the malware for me. After getting advice from fellow bloggers, I decided to use a web security company called Sucuri. I paid just shy of $300 for Sucuri to do a full malware clean up and install a 12-month firewall on my blog. They explained that because my blog had been hacked once it was now vulnerable to future attacks. I didn’t know if this was true or just sales jargon, but it seemed logical. In the stress of it, I was willing to pay any amount of money to sort the problem and protect my blog going forward. To my knowledge, Sucuri managed to clean the malware out in around 9 hours (much longer than the quoted 4 hours in the sales pitch). After a £90 phone call to their USA helpline and a day later, they confirmed that they had cleaned out all the malware and installed the firewall.
The hyper-sensitive firewall then opened up a whole new can of worms as it started to block users from accessing my site and leaving comments. This means my traffic totally plummeted for the days that the firewall was active. The issues with the firewall continued for about another 10 days following the hack, which just added to the headache. In hindsight, I had implemented a firewall which was way too strict and sensitive for my website needs. Sucuri was in no way user friendly (unless you are fluent in tech language) so it turned out to be more of a hindrance than a help. The blog had gone from not secure enough to way too secure overnight. I needed help.
I do not recommend Sucuri.
Changing My Host
I know that ultimately I am to blame for the hack as I stupidly didn’t have sufficient security, but I was really let down by the service from Blue Host in the whole debacle. Firstly, they did not alert me in any way about the malware. I had to approach them and ask them to check my site for me. Secondly, they had not been taking backups of my site, which was a huge miscommunication in itself. Thirdly, they’re based in the US and have no direct phone line. The only way to get customer service is via a live web chat to someone who speaks in broken English. When you’re stressed out and in need of clear advice, this can be incredibly frustrating.
I have since changed host to an independent and UK-based host provider called Fred Bradley, who is a breath of fresh air and was a total god-send at the time. When I explained the situation to Fred, he pro-actively spotted that some malware was still in my blog. By this point it felt like the issues were never going to end and I actually lost trust in Sucuri as my chosen security provider.
If you are going through a similar issue, I 100% recommend Fred.
In the end I ended up getting a refund on the Sucuri service (minus $99 for the malware clean up) and have since transferred all hosting and security services over to my UK-based host. Fred has been incredibly helpful and has helped to secure my entire website as well as make changes to help it rank better on Google.
I don’t think that this hack was a personal attack on me. I think it was probably more of a robotic hack that was seeking credit card data or email data. Unfortunately for the robot, neither are stored on my blog so it was a bit of a waste of time for everyone involved. What scared me the most is the fact it had accessed my admin panel, as it could have deleted my entire site. In the grand scheme of life this isn’t a serious issue. Nobody died and I managed to restore everything back to how it was. But this horrible experience definitely has made me realise the importance of web security, especially when your blog is your business and you’ve spent the last 5 years of your life growing it.
Total Cost of the Malware Hack
£72 – Malware Clean up from Sucuri (Initially paid $299.99 for the Pro Website Security Platform but got a refund due to the insufficient malware clean up and over-sensitive firewall. You can’t pay Sucuri for a one-off Malware clean up which is why I don’t recommend them)
£90 – Emergency phone call to Sucuri in USA
£37 – BackupBuddy Annual Subscription
£60 – Additional Malware Clean up and Support from UK Web Developer
I also paid an additional £120 to switch my web hosting to Fred so my site could sit with a UK Web Developer and host. This was optional but it has definitely given me better peace of mind about the security of my blog. If you are happy with your current hosting service, you wouldn’t need to do this.
What to do if you think your blog has been hacked or has malware
- Change all of your passwords immediately
- Do NOT do a back up if you think your site has malware as the backup will duplicate the malware. Wait until the malware has been cleaned out before backing up
- Get in touch with your web hosting provider and ask them to check for malware
- If malware is confirmed, you’ll need to pay for a web developer or security provider to clean out the malware for you
- Follow the below advice to protect your blog going forward
What You Can do to Protect Your Blog / Website
If reading this post has made you think about your own blog security, here are a few things you can do to protect your site:
- Make regular backups of your website. I use a Plugin called BackupBuddy which automates daily backups and stores them online in a cloud if I ever need them.
- Enable 2-factor authentication on your admin log in page. On WordPress, this can be done via a Plugin and phone app called Authy. A unique code is sent to your phone every time you try to log in.
- If you have a self-hosted WordPress blog, you can change your generic admin log in URL to something completely unique, so hackers can’t find it
- Ensure your blog has an SSL certificate (this will benefit your SEO and security)
- Install the free Sucuri plugin for additional security measures
- Seek advice from a web developer to check that your blog has good protection
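The first warning sign in this story was the blog's Google description turning into Chinese characters. As an added example (not part of the original post), this Python check flags a page whose title or meta description is no longer mostly in the script you expect; the sample pages, the function names and the 0.3 threshold are assumptions made for illustration.

```python
from html.parser import HTMLParser
import unicodedata

class _HeadText(HTMLParser):
    """Collects the <title> text and the meta description of a page."""
    def __init__(self):
        super().__init__()
        self.title, self.description = "", ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def foreign_script_ratio(text, expected="LATIN"):
    """Share of letters whose Unicode name does not start with the expected script."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    odd = [c for c in letters if not unicodedata.name(c, "").startswith(expected)]
    return len(odd) / len(letters)

def check_head(html, expected="LATIN", threshold=0.3):
    """Return (field, ratio) for each head field that looks rewritten."""
    parser = _HeadText()
    parser.feed(html)
    findings = []
    for field, text in (("title", parser.title), ("description", parser.description)):
        ratio = foreign_script_ratio(text, expected)
        if ratio >= threshold:
            findings.append((field, round(ratio, 2)))
    return findings

# Constructed sample pages (not taken from the real site).
CLEAN = '<html><head><title>My Travel Blog</title><meta name="description" content="Stories and tips from the road"></head></html>'
TAMPERED = '<html><head><title>My Travel Blog</title><meta name="description" content="\u4f18\u60e0 \u8d2d\u7269 \u6298\u6263 \u5546\u5e97"></head></html>'

if __name__ == "__main__":
    print(check_head(CLEAN), check_head(TAMPERED))
```

Fetching the live page is left out so the example runs offline. Injected spam is sometimes shown only to search-engine crawlers, so a clean result here should still be compared with how the site appears in search results.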
If you’re still reading this, then thanks for sticking with me! What did you think of my hack story? Have you had a similar experience or has it made you think twice about your own blog security? I would love to hear your thoughts so please leave me a comment in the box below. Jess x