WPSecurityLock – Malware removal & WordPress security services

How I Got Hacked – A True Story by Dan Morris

July 25, 2012 By Guest Post 35 Comments

A True Story of a Hacked WordPress Blog

 A guest post submitted by Dan Morris

I've got an extremely important message for you today.

I need you to know this in your heart so it never happens to you. I got hacked this week, making all my sites, including my clients' sites, go down and appear as having a virus. Very, very bad. But I could have avoided it, had I really thought about this.

Here's what you need to know and do:

Ever buy a domain name, start setting up a site and then get distracted? Or you had a good idea but then you just didn't do anything with it? Then the year rolls around and that domain comes up for renewal and you just let it drop. “That was a good idea at the time, I guess”. Well, I did that several times. And never thought anything about it again until today.

Today is when doing that cost me my entire network.

This domain I bought a few years ago, put WordPress on and created a landing page for was long gone from memory. I no longer owned the domain, BUT... the WordPress files I had set up for that site still existed under my hosting account. Not renewing the domain didn't make those files go away. They're still there. And they're completely out of date. The WordPress install hadn't been upgraded, obviously. The plugins had expired. The files were totally free to be hacked – even though you couldn't get to them online. And so once they hacked into one of those old files – they got everything.

The Lesson:

If you get rid of a domain name or site, make sure you delete it in its entirety – EVERYWHERE. As long as you know that now, this will not happen to you. If you think there's a chance you did that in the past – go fix it. And if you have no idea how to know, call Regina.
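
One way to act on this lesson, as an added example that is not part of the original post: the script walks a hosting root, finds every WordPress install, and flags those whose directory no longer matches a domain you own, noting when an orphan shares its database with a live site. It assumes each site sits in a directory named after its domain; the function names, script name and paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list every WordPress install
# under a hosting root and flag the ones no longer tied to a domain you own.
# Assumption: each site sits in a directory named after its domain; installs
# in a subdirectory (example.com/blog) are reported as ORPHAN for manual review.

# find_wp_installs ROOT -> one install directory per line
find_wp_installs() {
  find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    sed 's|/wp-includes/version\.php$||' | sort
}

# wp_version DIR -> value of $wp_version in wp-includes/version.php
wp_version() {
  sed -n "s/^[$]wp_version *= *'\([^']*\)'.*/\1/p" \
    "$1/wp-includes/version.php" | head -n 1
}

# wp_db_name DIR -> DB_NAME from wp-config.php (empty if there is no config)
wp_db_name() {
  [ -f "$1/wp-config.php" ] || return 0
  sed -n "s/.*define( *['\"]DB_NAME['\"] *, *['\"]\([^'\"]*\)['\"].*/\1/p" \
    "$1/wp-config.php" | head -n 1
}

# audit_installs ROOT ACTIVE_FILE   (ACTIVE_FILE: one owned domain per line)
# Prints: STATUS <tab> dir <tab> version <tab> database <tab> note
# An ORPHAN whose database is also used by an ACTIVE install gets the note
# DB-SHARED-WITH-ACTIVE: delete its files, but keep the database.
audit_installs() {
  local root="$1" active="$2" dir status
  find_wp_installs "$root" | while IFS= read -r dir; do
    status=ORPHAN
    if grep -qxF "$(basename "$dir")" "$active"; then status=ACTIVE; fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$dir" \
      "$(wp_version "$dir")" "$(wp_db_name "$dir")"
  done | awk -F'\t' -v OFS='\t' '
    { row[NR] = $0; st[NR] = $1; db[NR] = $4 }
    $1 == "ACTIVE" && $4 != "" { live[$4] = 1 }
    END {
      for (i = 1; i <= NR; i++) {
        shared = (st[i] == "ORPHAN" && (db[i] in live))
        print row[i], (shared ? "DB-SHARED-WITH-ACTIVE" : "-")
      }
    }'
}

# Run as (hypothetical names): ./audit.sh /home/user/public_html active-domains.txt
if [ "$#" -eq 2 ]; then audit_installs "$1" "$2"; fi
```

Every ORPHAN row is a directory to review and delete; compare its version column against the current WordPress release to see how stale the install is.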

Dan R Morris is the founder of LettersFromDan.com, a website dedicated to improving your revenue stream from online efforts.

Dan is an infomercial producer, niche website owner, product developer, author and Mastermind leader.

Dan actively encourages marketers to take that extra step so that “Hope” doesn’t become the marketing plan.

Filed Under: I got hacked stories Tagged With: hacked stories, wordpress hacked

Comments

  1. Regina Smola says

    July 25, 2012 at 11:59 am

    Hey Dan,

    Thanks for sharing your story with us. It’s amazing how many people get hacked because they forget about those old and outdated files on their server. And many sites I’ve cleaned lately still have themes or plugins using a vulnerable timthumb script.

    Great advice to follow when you delete a domain, get rid of all those old files. When my clients ask how they should set up their multiple domains and want to use a cPanel, I always recommend not using add-on domains, instead put them on individual cPanels.

    Reply
  2. Alex Newell says

    July 25, 2012 at 12:09 pm

    O yikes, time to get busy then!

    Thank you Dan

    Reply
  3. David Perdew says

    July 25, 2012 at 11:59 am

    Thanks – Checking my old stuff now…

    David

    Reply
    • Dan R Morris says

      July 25, 2012 at 12:40 pm

      I remember doing the webinar with you about how to make $10/day from multiple sites. You said then that you didn’t use WordPress on a lot of those because of all the maintenance issues. That wisdom didn’t pass me by, but I still failed to go back and delete the old ones.

      Reply
  4. Hacker Bob says

    July 25, 2012 at 12:01 pm

    For many out there that would read this … it has absolutely NOTHING to do with DNS. This is just poor housekeeping. Keep the server (or your area on the server) clean, tidy, and up to date, use .htaccess and use it correctly. But that still isn’t going to save you all the time.

    Reply
    • Regina Smola says

      July 25, 2012 at 12:17 pm

      Hey there Hacker Bob,

      I think you missed the point. Dan is not talking about DNS. He is talking about the fact that he had poor housekeeping and if he had kept his server tidy, he may not have been hacked.

      But thanks for your security tips.

      Reply
    • Dan R Morris says

      July 25, 2012 at 12:29 pm

      What is DNS Mr. Hacker Bob? Did I explain my situation poorly? I’d certainly like to be able to describe it more clearly in the future.

      Reply
  5. Kelli Claypool says

    July 25, 2012 at 12:38 pm

    Oh Snap! Being a non-recovering domain addict, I better sit up and take notice of all those half-done projects just sitting on my server.

    Thanks Dan for your valuable reminder…time to get busy.
    Kelli

    P.S. Reg, need to know more about individual c-panel.

    Reply
    • Regina Smola says

      July 25, 2012 at 12:42 pm

      Hey Kelli,

      Loving the non-recovering domain addict comment. LOL

      For individual cPanels, upgrade your account to VPS with cPanel, then once you get it set up I’ll help you set em’ up 🙂

      Reply
  6. Glennette says

    July 25, 2012 at 12:48 pm

    Eek! I have my own dedicated server so I better check it out asap! I will also email my clients as this is something I had not really thought of.

    NOTE: I read the title in your email and thought someone was saying they had been hacked by Dan Morris. I thought “No way, Dan would never do that” LOL

    Glennette Goodbread
    Premium Web Design and Hosting

    Reply
    • Dan R Morris says

      July 25, 2012 at 12:52 pm

      Thanks for the vote of confidence. I certainly don’t have the know-how to hack something. I can barely get into my own stuff and I have the passwords. 🙂

      Reply
  7. Cathy says

    July 25, 2012 at 12:59 pm

    Wow, I never thought about deleting the WordPress files once the domain is gone. I’m assuming we delete these in our cPanel where we originally installed WordPress?
    I just went in and deleted my old ones. Anywhere else we should do this?

    Reply
    • Regina Smola says

      July 25, 2012 at 1:07 pm

      Hey Cathy,

      Great question. Yes, you can delete the files from your cPanel > File Manager or via FTP. To clean up all of your WordPress install, you can always check your wp-config.php file to see what database goes with it. But be careful that you’re not using that database on another site. I’ve seen others start a test site, then start the real site and use the same database.

      Reply
  8. Terry Loving says

    July 25, 2012 at 1:15 pm

    Great post Dan. I wonder just how many of us there are out there that have those unfinished, left hanging installs out there?

    One more important house cleaning task to add to my Get it Done list.

    In gratitude,
    Terry

    Reply
    • Dan R Morris says

      July 25, 2012 at 1:28 pm

      I like the term “hanging installs”.

      Reply
  9. S. Emerson says

    July 25, 2012 at 4:00 pm

    This makes a lot of sense.

    According to my stats program, I have people looking for all kinds of programming stuff they can hack even when the sites are plain HTML static sites.

    Reply
  10. Willie Crawford says

    July 25, 2012 at 6:44 pm

    I would have never considered a domain that I didn’t renew as a threat.

    Something I’d probably better go check too.

    Thanks.

    Reply
    • Dan R Morris says

      July 26, 2012 at 9:57 am

      Willie,

      I very much thought of you and Bob “the Teacher” when this happened. In fact I was just thinking about AudioRedirector the other day wondering what you did with these old landing pages once you stop promoting them.

      I hope this line of thought helps you avoid problems.

      Reply
  11. Paul B. Taubman, II says

    July 25, 2012 at 8:53 pm

    Yikes! Your article here, Dan, comes at a good time.

    My domain registrar allows me to download an Excel spreadsheet of all my domains. I recently got the list and spent some time reviewing all the sites. I realize that this is different than your situation (your old site contents remained while the old site would never have shown up on the Domain List)!

    So, I need to remember to also check my HOSTING accounts and do a sort of reconciliation between the two.

    Thanks for sharing your plight… We all can learn from it!

    Be Well.
    Paul.

    Reply
    • Dan R Morris says

      July 26, 2012 at 9:58 am

      I like the idea of domain – hosting reconciliation. That needs to be on a checklist, Regina.

      Reply
  12. Carla McNeil says

    July 25, 2012 at 9:10 pm

    Thank you Dan! You have saved my butt with Twitter Glitch and now this.

    I too have never even thought about them. I have not let a domain name go where I had done any work, but I definitely have “hanging installs” 🙂

    Will have to get on it and check them out and make sure we stay safe.

    thanks so very much for the heads up!

    Reply
    • Dan R Morris says

      July 26, 2012 at 9:55 am

      I’m glad this was helpful for you. And thanks for the TwittrGlitch mention. Until you said that I didn’t realize that I’ve been in the “prevention niche” for some time now.

      Anyway I hope all is fine and look forward to speaking with you again sometime soon. 🙂

      Dan

      Reply
  13. Norma Maxwell says

    July 27, 2012 at 3:46 pm

    Holy Cow, Dan! Thanks so much for sharing this important information. Sorry you had to go through all that…what a pain. Awesome that you are using it to help others avoid the same mistake! Cheers ~N

    Reply
  14. Dr. MaryJo Wagner says

    July 28, 2012 at 3:57 pm

    Thanks for the reminder, Dan. I had a similar thing happen. Let the domain go. Didn’t get rid of the files and somebody not only hacked into it, got the domain themselves, and posted other people’s content on it. What a mess! You just have to watch this stuff all the time!

    Reply
  15. Robert Nelson says

    July 29, 2012 at 1:49 pm

    Regina, why isn’t the hosting company responsible for making sure that any non-renewed domains are completely deleted? (with at most a 30 day grace period to allow the owner to do with the site as they wish).
    Frankly it seems to me to be something that really is a hosting company’s responsibility. And/or barring that possibly WordPress could either create a plug-in to delete a site when not renewed or add code that would do it.

    Reply
    • Angie says

      July 29, 2012 at 4:56 pm

      I’m not sure where the original replies are but how would a hosting company know if your domains are expired? Unless of course someone hosts and purchases domains in the same place which you shouldn’t by the way. Either way, it’s our responsibility as it’s our business. Right?

      Reply
    • Dan R Morris says

      July 29, 2012 at 10:39 pm

      In my case, my hosting company has no idea which domains I own and which I’ve let lapse. I wouldn’t put the onus on them in my situation.

      Reply
  16. Dan R Morris says

    July 29, 2012 at 10:38 pm

    🙂 Cheers to you, too!! It wasn’t too painful to recover, just scary and not very professional of me.

    Reply
  17. Maverick says

    July 30, 2012 at 1:28 am

    Great post. It’s so easy to forget stuff like that, especially when you are managing multiple web properties, sales inquiries, the help desk and just LIFE in general. However, a hack like that can make your life hell on earth, costing you time, money and relationships with your members and customers. Keep the house clean and the doors and windows locked!

    Thanks for the reminder!

    Reply
  18. Greg Whitehead says

    July 30, 2012 at 11:12 am

    Thank you for showing me another vulnerability to think of.

    Reply
  19. Ian Dunn says

    July 31, 2012 at 11:05 am

    I’m a little confused about how exactly the attacker used the inactive site to attack the active sites. Could you explain more about your hosting setup and exactly what vulnerabilities were exploited?

    * What is your hosting setup? I’m guessing you’re self-managing a VPS with multiple sites? Do you have professional experience managing LAMP servers?

    * How were the sites isolated from each other, if at all? Did each vhost on the server have a separate SFTP account? Separate file owners? Are the SFTP accounts chroot’ed to the individual web roots? Was open_basedir set to jail scripts into their respective web root? Was Apache running under a separate user for each site? etc.

    * How did the attackers access the outdated files on the inactive site? Via HTTP or SFTP? If it was HTTP, did they use the IP address, or did they modify their local hosts file to use the inactive domain name?

    * Do you have a clear and definitive trace of the attack via logs, or are you just guessing that the inactive site was the point of penetration?

    It’s hard to know without the details, but it seems like the real problem here might be a poorly configured server. A properly configured server will isolate all the domains from each other, so even if one gets hacked the others are completely safe. If you don’t have professional experience managing LAMP servers, you really should select a host that will manage it for you, or hire a consultant to set it up properly.

    Of course, it doesn’t hurt to remove old domains, but they’re not a major attack vector if your server is configured properly.

    Reply
    • Michael Schultz says

      August 7, 2012 at 1:10 pm

      Hey Ian!

      I was just reviewing your questions, we cannot explicitly answer all of them here on the blog for policy reasons – however I would be happy to set up a personal consultation with you to answer the questions you have based on how we would typically handle the situation here at WPSecurityLock.

      If you’re interested, visit this link: https://wpsecuritylock.com/services/wordpress-security-consultation/ (a one-hour session would probably be required to answer all of your questions).

      Thanks!

      Reply
      • Ian Dunn says

        August 7, 2012 at 2:59 pm

        Er, I understand you can’t reveal details of his particular setup. I should have phrased the questions more generally. I’m really just interested in the vulnerability itself, not the specific attack on Dan’s server.

        It seems to me that the premise of the article — that having inactive sites can be an attack vector — is wrong, or, at the very least, the article doesn’t present any evidence to support that claim. It’s hard to know for sure without any details, though, which is why I asked those questions.

        Are you aware of any other compromises using this vector? Are there any documented reports of it on Packet Storm or similar sites?

        If it is a legitimate method then I’d love to know more about it so I can protect my servers in the future, but so far I have to assume that the real problem in the case was that his server wasn’t properly configured to begin with.

        Reply
  20. Dan R Morris says

    July 31, 2012 at 9:52 pm

    I’m glad you guys found it useful. I hope you avoid this situation.

    Reply
  21. Trinity says

    November 16, 2012 at 6:24 pm

    Dan – this advice couldn’t have come at a better time for me. I’ve had my WP site hacked previously and I remember what a nightmare it was to deal with. I’ve just had 3-4 domains expire that I’m no longer interested in working with and there is a red-hot chance that all of those files are still sitting, helplessly, on my hosting account just waiting to be taken advantage of one day. This post could very well have saved the security of any future site I plan to put on that hosting account so, thank you! I’m sorry you had to go through this experience but I’m grateful that you’re sharing it so others don’t have to!

    Reply
