A True Story of a Hacked WordPress Blog
A guest post submitted by Dan Morris
I've got an extremely important message for you today.
I need you to know this in your heart so it never happens to you. I got hacked this week, making all my sites, including my clients' sites, go down and appear to have a virus. Very very bad. But I could have avoided it, had I really thought about this.
Here's what you need to know and do:
Ever buy a domain name, start setting up a site and then get distracted? Or you had a good idea but then you just didn't do anything with it? Then the year rolls around and that domain comes up for renewal and you just let it drop. “That was a good idea at the time, I guess”. Well, I did that several times. And never thought anything about it again until today.
Today is when doing that cost me my entire network.
This domain I bought a few years ago, put WordPress on and created a landing page for was long gone from memory. I no longer owned the domain, BUT... the WordPress files I had set up for that site still existed under my hosting account. Not renewing the domain didn't make those files go away. They're still there, and they're completely out of date. The WordPress install hadn't been upgraded, obviously. The plugins had expired. The files were totally free to be hacked – even though you couldn't get to them online. And so once they hacked into one of those old files, they got everything.
The Lesson:
If you get rid of a domain name or site, make sure you delete it in its entirety – EVERYWHERE. As long as you know that now, this will not happen to you. If you think there's a chance you did that in the past – go fix it. And if you have no idea how to know, call Regina.
Regina Smola says
Hey Dan,
Thanks for sharing your story with us. It’s amazing how many people get hacked because they forget about those old and outdated files on their server. And many sites I’ve cleaned lately still have themes or plugins using a vulnerable timthumb script.
Great advice to follow when you delete a domain: get rid of all those old files. When my clients ask how they should set up their multiple domains and want to use cPanel, I always recommend not using add-on domains; instead, put them on individual cPanels.
Alex Newell says
O yikes, time to get busy then!
Thank you Dan
David Perdew says
Thanks – Checking my old stuff now…
David
Dan R Morris says
I remember doing the webinar with you about how to make $10/day from multiple sites. You said then that you didn’t use WordPress on a lot of those because of all the maintenance issues. That wisdom didn’t pass me by, but I still failed to go back and delete the old ones.
Hacker Bob says
For many out there that would read this … it has absolutely NOTHING to do with DNS. This is just poor housekeeping. Keep the server (or your area on the server) clean, tidy, and up to date, use .htaccess and use it correctly. But that still isn’t going to save you all the time.
Regina Smola says
Hey there Hacker Bob,
I think you missed the point. Dan is not talking about DNS. He is talking about the fact that he had poor housekeeping and if he had kept his server tidy, he may not have been hacked.
But thanks for your security tips.
Dan R Morris says
What is DNS Mr. Hacker Bob? Did I explain my situation poorly? I’d certainly like to be able to describe it more clearly in the future.
Kelli Claypool says
Oh Snap! Being a non-recovering domain addict, I better sit up and take notice of all those half-done projects just sitting on my server.
Thanks Dan for your valuable reminder…time to get busy.
Kelli
P.S. Reg, need to know more about individual c-panel.
Regina Smola says
Hey Kelli,
Loving the non-recovering domain addict comment. LOL
For individual cPanels, upgrade your account to a VPS with cPanel, then once you get it set up I’ll help you set ’em up 🙂
Glennette says
Eek! I have my own dedicated server so I better check it out asap! I will also email my clients as this is something I had not really thought of.
NOTE: I read the title in your email and thought someone was saying they had been hacked by Dan Morris. I thought “No way, Dan would never do that” LOL
Glennette Goodbread
Premium Web Design and Hosting
Dan R Morris says
Thanks for the vote of confidence. I certainly don’t have the know-how to hack something. I can barely get into my own stuff and I have the passwords. 🙂
Cathy says
Wow, I never thought about deleting the WordPress files once the domain is gone. I’m assuming we delete these in our cPanel where we originally installed WordPress?
I just went in and deleted my old ones. Anywhere else we should do this?
Regina Smola says
Hey Cathy,
Great question. Yes, you can delete the files from your cPanel > File Manager or via FTP. To clean up all of your WordPress install, you can always check your wp-config.php file to see what database goes with it. But be careful in case that you’re not using that database on another site. I’ve seen others start a test site, then start the real site and use the same database.
Terry Loving says
Great post Dan. I wonder just how many of us there are out there that have those unfinished, left hanging installs out there?
One more important house cleaning task to add to my Get it Done list.
In gratitude,
Terry
Dan R Morris says
I like the term “hanging installs”.
S. Emerson says
This makes a lot of sense.
According to my stats program, I have people looking for all kinds of programming stuff they can hack even when the sites are plain HTML static sites.
Willie Crawford says
I would have never considered a domain that I didn’t renew as a threat.
Something I’d probably better go check too.
Thanks.
Dan R Morris says
Willie,
I very much thought of you and Bob “the Teacher” when this happened. In fact I was just thinking about AudioRedirector the other day wondering what you did with these old landing pages once you stop promoting them.
I hope this line of thought helps you avoid problems.
Paul B. Taubman, II says
Yikes! Your article here, Dan, comes at a good time.
My domain registrar allows me to download an Excel spreadsheet of all my domains. I recently got the list and spent some time reviewing all the sites. I realize that this is different than your situation (your old site contents remained while the old site would never have shown up on the Domain List)!
So, I need to remember to also check my HOSTING accounts and do a sort of reconciliation between the two.
Thanks for sharing your plight… We all can learn from it!
Be Well.
Paul.
Dan R Morris says
I like the idea of domain – hosting reconciliation. That needs to be on a checklist, Regina.
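Regina's cleanup advice above (look in wp-config.php to see which database an install uses, and be careful when a test copy shares a live site's database) and Paul's domain-to-hosting reconciliation can be done in one pass with a script like the one below. This is an added example, not code from the post or from WPSecurityLock; it assumes a standard WordPress layout under a cPanel-style public_html directory and a plain-text list of the domains you still own (one per line), and it runs against a constructed fixture rather than a real hosting account.

```shell
#!/usr/bin/env bash
# Inventory of WordPress installs under a hosting account's web root, so "hanging
# installs" can be reconciled against the domains you still own before deleting them.
# Assumes the standard WordPress layout: DB_NAME defined in wp-config.php (single or
# double quotes) and $wp_version in wp-includes/version.php.
set -eu
# wp_inventory WEBROOT OWNED_DOMAINS_FILE
# Prints one line per install: "<site-dir> <wp-version> <db-name> <OWNED|ORPHAN>"
wp_inventory() {
  webroot="$1"; owned="$2"
  find "$webroot" -name wp-config.php -type f | sort | while read -r cfg; do
    site_dir=$(dirname "$cfg"); site=$(basename "$site_dir")
    db=$(awk -F"['\"]" '/DB_NAME/ { print $4; exit }' "$cfg")
    ver=unknown
    if [ -f "$site_dir/wp-includes/version.php" ]; then
      ver=$(awk -F"['\"]" '/^\$wp_version/ { print $2; exit }' "$site_dir/wp-includes/version.php")
    fi
    # ORPHAN = the directory name is not in the list of domains you still own
    if grep -qxF "$site" "$owned"; then status=OWNED; else status=ORPHAN; fi
    printf '%s %s %s %s\n' "$site" "${ver:-unknown}" "${db:-unknown}" "$status"
  done
}

# shared_databases: reads wp_inventory lines on stdin and prints every database used
# by more than one install (the caveat above: a test copy may share the live database).
shared_databases() {
  awk '{ n[$3]++ } END { for (d in n) if (n[d] > 1) print d }' | sort
}

# make_fixture: builds a constructed hosting layout in a temp dir and prints its path.
make_fixture() {
  root=$(mktemp -d)
  mk() { # mk <site> <wp-version> <db-name>  (constructed sample installs)
    mkdir -p "$root/public_html/$1/wp-includes"
    printf "<?php\ndefine( 'DB_NAME', '%s' );\n" "$3" > "$root/public_html/$1/wp-config.php"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$root/public_html/$1/wp-includes/version.php"
  }
  mk liveblog.example 6.4.2 dan_live      # live site, domain still owned
  mk test-copy.example 6.4.2 dan_live     # forgotten test copy sharing the live database
  mk orphan-idea.example 3.2.1 dan_old    # lapsed domain, install years out of date
  printf 'liveblog.example\nclientsite.example\n' > "$root/owned-domains.txt"
  printf '%s\n' "$root"
}

# Demo on the constructed fixture (not a real hosting account).
demo=$(make_fixture)
wp_inventory "$demo/public_html" "$demo/owned-domains.txt"
echo "databases shared by more than one install:"
wp_inventory "$demo/public_html" "$demo/owned-domains.txt" | shared_databases
```

An ORPHAN line with a database that also appears in the shared list is the case to handle by hand: delete the files, but leave the database alone until you have confirmed no live site uses it.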
Carla McNeil says
Thank you Dan! You have saved my butt with Twitter Glitch and now this.
I too have never even thought about them. I have not let a domain name go where I had done any work, but I definitely have “hanging installs” 🙂
Will have to get on it and check them out and make sure we stay safe.
thanks so very much for the heads up!
Dan R Morris says
I’m glad this was helpful for you. And thanks for the TwittrGlitch mention. Until you said that I didn’t realize that I’ve been in the “prevention niche” for some time now.
Anyway I hope all is fine and look forward to speaking with you again sometime soon. 🙂
Dan
Norma Maxwell says
Holy Cow, Dan! Thanks so much for sharing this important information. Sorry you had to go through all that…what a pain. Awesome that you are using it to help others avoid the same mistake! Cheers ~N
Dr. MaryJo Wagner says
Thanks for the reminder, Dan. I had a similar thing happen. Let the domain go. Didn’t get rid of the files and somebody not only hacked into it, got the domain themselves, and posted other people’s content on it. What a mess! You just have to watch this stuff all the time!
Robert Nelson says
Regina, why isn’t the hosting company responsible for making sure that any non-renewed domains are completely deleted? (with at most a 30 day grace period to allow the owner to do with the site as they wish).
Frankly it seems to me to be something that really is a hosting company’s responsibility. And/or barring that possibly WordPress could either create a plug-in to delete a site when not renewed or add code that would do it.
Angie says
I’m not sure where the original replies are but how would a hosting company know if your domains are expired? Unless of course someone hosts and purchases domains in the same place which you shouldn’t by the way. Either way, it’s our responsibility as it’s our business. Right?
Dan R Morris says
In my case, my hosting company has no idea which domains I own and which I’ve let lapse. I wouldn’t put the onus on them in my situation.
Dan R Morris says
🙂 Cheers to you, too!! It wasn’t too painful to recover, just scary and not very professional of me.
Maverick says
Great post. It’s so easy to forget stuff like that especially when you are managing multiple web properties, sales inquiries, the help desk and just LIFE in general. However, a hack like that can make your life hell on earth, costing you time money and relationships with your members and customers. Keep the house clean and the doors and windows locked!
Thanks for the reminder!
Greg Whitehead says
Thank you for showing me another vulnerability to think of.
Ian Dunn says
I’m a little confused about how exactly the attacker used the inactive site to attack the active sites. Could you explain more about your hosting setup and exactly what vulnerabilities were exploited?
* What is your hosting setup? I’m guessing you’re self-managing a VPS with multiple sites? Do you have professional experience managing LAMP servers?
* How were the sites isolated from each other, if at all? Did each vhost on the server have a separate SFTP account? Separate file owners? Are the SFTP accounts chroot’ed to the individual web roots? Was open_basedir set to jail scripts into their respective web root? Was Apache running under a separate user for each site? etc.
* How did the attackers access the outdated files on the inactive site? Via HTTP or SFTP? If it was HTTP, did they use the IP address, or did they modify their local hosts file to use the inactive domain name?
* Do you have a clear and definitive trace of the attack via logs, or are you just guessing that the inactive site was the point of penetration?
It’s hard to know without the details, but it seems like the real problem here might be a poorly configured server. A properly configured server will isolate all the domains from each other, so even if one gets hacked the others are completely safe. If you don’t have professional experience managing LAMP servers, you really should select a host that will manage it for you, or hire a consultant to set it up properly.
Of course, it doesn’t hurt to remove old domains, but they’re not a major attack vector if your server is configured properly.
Michael Schultz says
Hey Ian!
I was just reviewing your questions, we cannot explicitly answer all of them here on the blog for policy reasons – however I would be happy to set up a personal consultation with you to answer the questions you have based on how we would typically handle the situation here at WPSecurityLock.
If you’re interested, visit this link: https://wpsecuritylock.com/services/wordpress-security-consultation/ (a one-hour session would probably be required to answer all of your questions).
Thanks!
Ian Dunn says
Er, I understand you can’t reveal details of his particular setup. I should have phrased the questions more generally. I’m really just interested in the vulnerability itself, not the specific attack on Dan’s server.
It seems to me that the premise of the article — that having inactive sites can be an attack vector — is wrong, or, at the very least, the article doesn’t present any evidence to support that claim. It’s hard to know for sure without any details, though, which is why I asked those questions.
Are you aware of any other compromises using this vector? Are there documented reports of it on Packet Storm or similar sites?
If it is a legitimate method then I’d love to know more about it so I can protect my servers in the future, but so far I have to assume that the real problem in the case was that his server wasn’t properly configured to begin with.
Dan R Morris says
I’m glad you guys found it useful. I hope you avoid this situation.
Trinity says
Dan – this advice couldn’t have come at a better time for me. I’ve had my WP site hacked previously and I remember what a nightmare it was to deal with. I’ve just had 3-4 domains expire that I’m no longer interested in working with and there is a red-hot chance that all of those files are still sitting, helplessly, on my hosting account just waiting to be taken advantage of one day. This post could very well have saved the security of any future site I plan to put on that hosting account so, thank you! I’m sorry you had to go through this experience but I’m grateful that you’re sharing it so others don’t have to!