I recently changed web hosts, from Bluehost to Smarterasp.net. I never had a problem on Bluehost with hacking, but I made one huge oversight that likely cost me: I didn’t change the admin password from what Smarterasp.net creates as the default.
I had changed it on my previous web host, but I let Smarterasp.net create a WordPress site for me before I imported things back in, and it just completely slipped my mind. “Who would hack a site nobody uses?”
Well, that’s not the way hacking works, and I knew that. There’s no excuse, and I’m still upset at myself for it; I practically begged to get myself hacked.
This blog gets very little traffic, and nobody depends on this page for any information, so I had no idea my site was hacked until by chance I flipped through the Spam mail on my GMail account:
Yes, Google sent its own Webmaster mail to me about my own site being hacked to the GMail spam folder.
I logged into Google Webmaster and found the news: my domain was manually edited out of Google search results. Once the security issues get taken care of, I had to request “reconsideration” to get reinstated.
That was granted today, so I’m back on Google now.
Figuring Out “What” and “What Happened”
The attackers didn’t get access to the database, since there were no WordPress pages or posts created. It actually looks like they gained access to my web host — a new folder was created on the host’s File Manager, and my host was reconfigured to point to that new folder for my site. In effect the attack setup a dummy site using copies of files from my WordPress site, in order to serve spam-filled pages to users.
It took some time to delete that entire folder and then scan the rest of my WordPress site for recently-changed files. Turns out my index.php file had been edited during the time of the hack, and thanks to Google Webmaster’s “Fetch as Google” I was able to see all of the injected code inside of it, so I restored my site from a backup.
I also changed all of the passwords to everything, and installed the Wordfence plugin so that I can track IP activity on my install.
There are bound to be things I’ve missed that are going to cost me again later, but for now, I’m just relieved that the actions I took have resolved the issue.