I host quite a bit of content online, one of which is a WordPress website. I tend to dislike WordPress due to the mess of plugins, nightmarish updates, extreme bloatware, and, as a result, numerous security vulnerabilities. However, at the time, I didn't have an alternative, so here I am, hosting a WordPress website. I could really learn it, but that's just not the thing I'd like to spend my free time on.
Happy New Year
The hack occurred on New Year's day/night, when I was in a holiday mood and, of course, not paying much attention to the website. It had also last been updated about a month earlier. Just like that, I fell victim to a quite common "Pokemon": a redirect hack, a.k.a. the "Japanese keyword hack." Essentially, thanks to some exploit, it creates hundreds of links under the root domain, which appear in search engines and redirect users to malicious websites instead of the original one. The alarm bell rang when, three days later, Google Search Console informed me that 638 new pages had been successfully scanned and indexed, and 6249 were not indexed YET.
Cyber Cleanup on Aisle 5
The damage was already done; searches for the website were littered with fake links redirecting to a wide variety of scam websites. It seems like someone (I have IPs logged) finished their holiday early and decided to find some new victims. Unfortunately for me, their endeavor eventually succeeded, and I was left with 62 modified files and 939 new files. Without strong knowledge of the WordPress file structure (and no desire to acquire it), the obvious solution was to restore the safe backup, which did not help. I'm not sure why, but I had an alternative. The second obvious solution was to discard the compromised container, create a new one, and restore the backup there, which did help.
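The "62 modified files and 939 new files" figure above is exactly what a file-integrity comparison against a known-good copy produces. The following is an added example (not code from the post) that hashes a clean backup tree and a live WordPress tree and reports modified, new and missing files; the directory layout and file contents in `build_demo_trees` are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(clean_root, live_root):
    """Compare a live WordPress tree against a known-good backup.

    Returns sorted lists of 'modified' (content differs), 'new' (only in the
    live tree, e.g. dropped web shells or generated spam pages) and 'missing'
    (only in the backup) paths.
    """
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "new": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def build_demo_trees(base):
    """Constructed sample: a clean backup and a live copy with one tampered and one extra file."""
    base = Path(base)
    for name in ("clean", "live"):
        (base / name / "wp-content" / "themes").mkdir(parents=True, exist_ok=True)
        (base / name / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (base / name / "wp-content" / "themes" / "style.css").write_text("body {}\n")
    (base / "clean" / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (base / "live" / "index.php").write_text("<?php /* tampered */ require 'wp-blog-header.php';\n")
    (base / "live" / "wp-content" / "extra.php").write_text("<?php // unexpected file\n")
    return base / "clean", base / "live"


def demo_report():
    """Build the constructed trees in a temp dir and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_dir, live_dir = build_demo_trees(tmp)
        return compare_trees(clean_dir, live_dir)


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        print(f"{kind} ({len(paths)}):", *paths)
```

Run it against a real backup and the live document root by calling `compare_trees(backup_dir, live_dir)`; anything in `new` or `modified` outside of your own recent edits is where to look first.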
IT Support: Me, Myself, and I
However, that's not the end. Shields up! Harden the security! Update firewall rules, update WordPress, disable a bunch of plugins, change passwords, blacklist a bunch of IPs (I know this probably won't do much, but I did it out of spite), and I'm good to go, at least until another exploit.
This hack wasn't a disaster for me; the website doesn't contain any sensitive information. It's essentially a static webpage with a single contact form. Furthermore, the server itself is isolated and relatively empty. So, while messed-up search results are certainly annoying, they are temporary. It was a healthy reality check, but the whole situation was mostly annoying because of the time spent.
Bouncing Back from a Cyber Attack
Things that went well:
- Containers! Thanks to them, I could restore the healthy version in a few minutes, and my host was not affected.
- Infrastructure. I was away from my server when I found out the webpage was hacked, so I had no physical access to the server. However, my infrastructure remained operational due to separate devices providing remote access and other services, while the server with the infected webpage was under investigation.
Things done:
- Hardened WordPress
- Enhanced firewall rules
- Improved logging
Things to do:
- Migrate the website from WordPress to a custom-written lightweight webpage.
Security is crucial; go check yours. Everything you host publicly, even if it's a small thing for a very small audience, may attract some dickhead who will ruin your day.