Hacked Off – WordCamp London presentation

If you work on the web, being hacked is a scary, frustrating and potentially costly experience. Tim, our 34SP.com WordPress Platform Lead, gave a talk at WordCamp London 2016 about some of the issues surrounding your site being hacked and how you can look to prevent and mitigate such issues.

His number one piece of advice – backup your data.

While we offer a robust backup solution, Tim and the whole team recommend clients take their own extra backups. You can never be too careful when it comes to this most important task. Taking backups is one thing – testing them is another.

Have you recently taken a backup? Then why not create a staging site (if you are on our managed WordPress Platform you can activate one in seconds the control panel) and use your backups to restore a test site, did it work as you expected?

Like any disaster recovery, knowing how to respond in advance is 90% of the battle and Tim had the following advice:

• Detection
• Isolation
• Investigation
• Restore
• Clean

All too often detection comes with a message from us, or Google saying, “Hi your sites been hacked and we have had to take action.” If it is your webhost we probably have temporarily isolated your site to protect you and your site visitors. Unfortunately isolation is exactly as bad as it sounds, we take the website contents and remove them from your httpdocs folder meaning your site appears offline and no one can access the content from the web. To get to files you would need to go through your SFTP/SCP client.

The next step is to find the hack and uncover what exactly has transpired; a hack from one vector (one hole) will often open up additional backdoors. Even if you find and deal with the first exploit, subsequent vectors can be used.

It’s no wonder many people abandon hope at this stage and simply restore from a backup (you took a backup right?) and just cross their fingers that it doesn’t happen again. Or in extreme cases, rebuild their site entirely from scratch.

Restoring from a backup is nearly always the simplest clean process, but without investigating the cause of the hack you have no way of verifying you don’t still have the potential to be hacked; and lets be clear, you almost certainly will as you just backed up to the previous state that allowed the hack in the first place.

Consequently the next step after restore is to clean. This involves updating everything possible, and if you are the person responsible for the server that’s more then just the WordPress components remember. Changing passwords, API keys and pretty much anything that allows some form of access. If you are using OAuth authentication with the REST API don’t forget to revoke the keys.

Hacked sites are scary, Tim’s talks purposefully try to instill a drop of fear to spur users into action, which is why he left folks with the final sagely advice:

“Backing up hourly is great, daily is good, weekly – you don’t have backups, you have prayers.“