Editor’s Note: I wrote this post several months ago while documenting my experience with getting hacked. I hope the lessons I’ve learned will be valuable and helpful to you.
These last 3 days have been a nightmare — undoubtedly the worst experience of my blogging career so far.
I had a list of things to do and time scheduled to make some content that I’ve been excited about. I was going to work on pitching experts to speak at my upcoming virtual summit and work on the new landing page for my blogging services.
But I had to drop everything I was doing.
These last 3 days have been a blur.
I haven’t really slept.
All I remember is it starting with me going to check something on Launch Your Dream late at night. Only to discover that it was down for some reason.
I contacted SiteGround support (my hosting provider). And they said that my site had been hacked and infected with malware.
Panic set in a little bit.
They scanned my account…
And, sure enough, there were about a dozen different infected files on my site.
#1 Do It Yourself
After discovering that the going rate was about $199 to clean up an infected website, I thought, “hey, what if I cleaned it up myself? I’m sort of tech savvy enough, right?”
So this is what I did.
I went and logged into my cPanel through SiteGround.
Went to the FTP file manager.
And then searched for each infected file. Then I edited each file and removed the malware.
Piece of cake right?
……I mean I guess the whole entire time I was sort of shaking — nervous about what potential harm I could cause if I made a mistake and wiping sweat from my forehead because I really had no idea what I was doing…
But it seemed to work out.
Still I don’t recommend going this route unless you’re either very confident that you can do it (if you were that confident you probably wouldn’t be reading this post in the first place) or if you just don’t care that much about your site — or if the risk was worth it to you.
#2 Get Help
But the next morning…
Terror struck again.
I received an email from WordFence (my security plugin) that my site had been infected with malicious content once again — super frustrating!
I was pissed.
So I contacted SiteGround again, and asked them to scan my account again.
All 6 of my sites had been hacked and infected with malware.
There must have been hundreds of lines of infected files.
My heart started pounding. My breathing got heavy. I felt like throwing my computer through the window and then running outside to beat it with my hockey stick.
I really didn’t know what to do at this point.
I started researching everything I could think of relating to WordPress, malware, hacking and websites. I looked for all the possible paid options I could find.
The lowest quote I got was $87 bucks. PER SITE!
I didn’t have that sort of cash to spend. To be honest my wife and I were just getting by. My blog was paying for itself, and I made a few bucks here and there — but I hadn’t really gotten to the monetization phase yet.
……I just couldn’t afford it.
So I went back to my cPanel and restored my sites to dates where I wouldn’t be losing any content — hoping to get rid of some of the !@$% — just trying to be proactive.
……I was about to lose it.
And then I thought, “well I guess I can figure it out myself….”
So I started to follow this tutorial.
But then once I got to the last step, “Re-upload WordPress Via FTP”, I was lost. I didn’t know how to do it.
Then I had an idea…
What about Fiverr?
…I sprang into action as quickly as I could. I searched “remove malware from WordPress”, filtered top rated sellers only, and sent out messages to the top 5 or so sellers, asking if they could help.
I think I got my first response within the hour. I went to her profile and looked at her reviews and how long she’d been removing malware as a gig. …
…She seemed credible.
So I told her what was going on and asked for help.
She said she’d do it for $30.
……I was super nervous to give so much responsibility and power over my sites to someone I didn’t even know.
……But I was broke.
This blog is incredibly important to me. I’d spent over a year tirelessly pouring my heart and soul into it. I couldn’t just give it up. I needed help.
I didn’t have a choice.
So I took the risk.
I’ll admit, I was a little annoying — asking for updates regularly. Keeping an eye on everything like a hawk.
I was just super nervous. And wanted it to be over with.
I stayed up until like 4am. But I hadn’t heard back from sachinmaster.
I let it go.
Trusted that it would work out. And went to sleep.
I double checked with SiteGround. They scanned my account again, which showed another dozen files that were still infected.
I shot the results over to sachinmaster, and she cleaned the rest up within probably 30 minutes.
I asked SiteGround to scan my account again.
I happily gave sachinmaster a five star review and a $5 tip (I would have given more if I could have afforded it).
Note: using Fiverr for anything this serious is a risk. Be warned. If you do go that route and something goes wrong… I’m not responsible.
Immediately after I got all my sites cleaned up I started researching more about how to protect WordPress sites.
I started by resetting all my admin passwords and cPanel password.
I’m still not an expert in WordPress security, but I did learn a few things.
I started doubting WordFence. I found out that it was actually one of the larger bulky security plugins out there — I did notice it slowing down my blog. So I uninstalled it. And instead chose to use Sucuri Security — which is more lightweight. It doesn’t have as good of monitoring options as WordFence, but it seems to be better at actually protecting your site.
Then I went and hardened the !@#$ out of all my sites.
(Go to the Sucuri Security settings after you install it, click on the “Harden” tab, and then choose your settings to improve your protection a little bit)
The more I researched (this is the absolute best article I found), I learned that there are basically 4 areas of WordPress security:
Your web hosting provider is responsible for a certain level of security. That’s one of the reason’s why it’s important to pick a good one. I still believe SiteGround is the best option for your first site ever. And they were helpful when I was fighting the battle for the life of my blog (cleaning the malware). But after this whole ordeal I’ve been highly considering upgrading to either WP Engine or WPX.
This is like the internet part of protecting your site. This is where hackers and the like actually come from. I haven’t done a lot of research here. Think of it like an extra layer of protection. I’m thinking of using the Sucuri Firewall.
You have an extremely critical role in the security of your site — what you download, what device you use, what you upload to your site — it’s all very important. I used Malwarebytes at least a dozen different times to scan my computer while I was cleaning up my sites — just to make sure.
- The Website
This includes things like monitoring, preventing, protecting, and cleaning. Whether you’re using paid, free, software or plugins — or whatever. WordFence is very popular. But like I said, I opted for Sucuri Security because it just seems like it has better protection. Anti-Malware Security and Brute-Force Firewall seems to be a decent free option for scanning a site for malware.
#4 Follow Up
When I finally thought everything was good to go, I got an email from Google….
They said my site was flagged…
I also noticed that whoever hacked my site created a bunch of bogus spam pages and got Google to index them. Which sucked.
Even though the pages themselves were deleted, they were still showing up in Google Search.
I didn’t have the luxury of hiring professional services to clean and protect my sites. So I had to be thorough.
I did whatever I thought might help.
And I found two. I hoped (and thought) that they had already been taken care of. But I wasn’t about to take any chances.
So I asked SiteGround to scan my account again. And it came out clear (phew!).
Then I downloaded the free version of Screaming Frog Spider to check my external links and make sure that my site wasn’t linking to any spam.
After that I used Fetch as Google to check some of my individual pages for spam or malware.
Enter the URL of the page and then click “FETCH AND RENDER”. Once it’s done, click on the link and you can see two things: how Google sees the page, and how visitors see the page.
I still didn’t find anything suspicious. Good.
Then I went to the Google URL Removal Tool, to get all those spammy pages out of Google Search.
Finally I Requested a Review. Apparently it takes anywhere from 3 – 7 weeks.
We’ll see how it goes and I’ll give you an update in the next section.
#5 Level Up
I’m still waiting on that Review Request from Google. In the meantime I thought I’d keep doing some research about WordPress security and find out what I can do to improve the protection of my sites.
One of the first things I looked into was auto updates. Old versions of WordPress, Themes, and Plugins are susceptible to being hacked. And for me (a one man show), it’s difficult to keep up with half a dozen different sites to make sure that they are always updated.
……Using auto updates is a little risky — it could potentially crash your site. But I trust the plugins that I use, I currently can’t afford to pay a web admin or WordPress manager to help me with my sites, and I’d rather my site get a temporary issue with a plugin than get infected with malware — especially because I know that I can always restore my site (it’s backed up through SiteGround) and that fixing a problem with a plugin is a lot easier than cleaning up malware.
So I did some research. Thought about using these codes. And decided to go with this plugin, so that I could quickly remove it if I end up changing my mind (note: and I eventually did change my mind).
I ticked the settings to update everything automatically.
I tested it on one of my blogs. It updated everything in a couple hours. And then I installed it on all my WordPress sites.
(Important note: I’m no longer using auto updates on most of my sites)
I just received this email from Google.
Wohoo! They approved my request. And it only took a few days. So that’s good. There’s still a hacked status in the “Manual Action Viewer” but that should update soon, and the “Security Issues” are gone. So I should be good to go! 🙂
Status update: It’s now almost a month later. And I’m looking into upgrading my hosting, and possibly getting a firewall.
Alright, I’m going to be honest here. I’ve spent way too much time — a ridiculous absurd amount of time — debating whether or not to get a WAF (firewall for my site). And it’s just not sitting right with my gut.
I can’t really find any convincing argument to get one. I did a little bit of research — read some articles, posted in forums, chatted with support teams… ……And I don’t know, it just doesn’t feel right for me at this time.
If I had the extra cash, I’d probably do it. It makes sense I guess. You can never be too safe. Just because you have a lock on your bedroom door, that doesn’t mean you don’t lock your front door.
Sucuri only charges like $10 a month — which honestly isn’t that bad. Multiply that by 5 different websites / blogs… and I’m looking at $50 a month.
I feel like I’ll probably be getting the Sucuri Firewall in the future. Who knows it could be next month. But right now, I’m gonna pass.
What do you think? Do you use a firewall on your site? Let me know in the comments.
Even though I’m not opting for the firewall right now, I’m about to upgrade my web hosting to WPX (literally as soon as I’m done typing this). Though SiteGround was very helpful with finding the malware on my sites, they’ve left a sort of lingering bad taste — sort of like throwing up a little bit in your mouth — because it was on their watch when my sites got infected. I considered upgrading my hosting with them (I’m typically a very loyal customer), but it just doesn’t feel right.
……I also thought about going with WP Engine, but WPX looks like the best bang for your buck.
……Who knows, I may be doing this a little backwards. Changing web hosts might not even make a significant difference in my security, costs more than the firewall, and the firewall would probably make a more legitimate difference.
……But I was looking to upgrade my hosting soon anyways.
Two weeks later…
I stumbled upon MaxCDN and Cloudflare, and threw my wallet at them. Between the two of them (I use Cloudflare’s free plan) they provide a package that includes both a CDN and some security protection for less than $10 a month. Deal. I followed this tutorial to set them up with W3 Total Cache.
A final update: After a couple months I’m back to using SiteGround, I’m no longer using MaxCDN, but I’m using the Cloudflare option that come with SiteGround’s hosting. It’s just a way better deal, just as fast, and exactly what I need.
Secure Your Site
Overall this experience wasn’t as dreadful as you’d think. I sort of had a panic attack at first, but stayed positive, used my best problem solving skills and figured it out.
Here are my main takeaways:
- Use premium if you can afford it
- Stay calm
- Every problem has a solution
- Stay positive
- Use sorry circumstances to create something positive — like how I used my horrible malware infection to create this blog post and hopefully help you save and protect your site 🙂
Have you ever dealt with hackers, spam or malware? What did you do? If you have any questions let me know below. I’m happy to help in any way that I can.
PS. I use and trust these tools. Some of the previous links are affiliate links. That means I’ll receive a small commission if you choose to make a purchase (at no additional cost to you). I recommend them because they have helped me incredibly, and I hope they can do the same for you.