Firstly, I would like to apologise to all my readers for both the prolonged break in content, and for the very odd appearance of this site over the past week or so. LLG was the subject of a concerted and prolonged malware attack. Not only did it screw up the back end of the site, but the resulting site clean up resulted in a re-set of the site design, and it took a lot of work to restore LLG to its former glory. (Rest assured however that this attack did not externally affect anyone except us. Visiting LLG would not have infected anyone.)

Some people don’t like to talk about these things, but I wanted my horrific experience to be an object lesson to anyone who doesn’t have multiple layers of security on their blog or website.

The malware attack seemed like nothing too major at first: a few modified PHP files and a redirect to a Viagra site in the Philippines. I experienced it in several ways: it stopped me from uploading images or updating the site, and my spam comment filter stopped working, flooding my comment inbox with hundreds of messages, but, outwardly, there was no sign to anyone visiting that anything was wrong.

I subscribe annually to Sucuri’s Malware Removal & Hack Repair service, which also comes with Continuous Malware & Hack Scanning – $199. Bargain. When I was blacklisted by Google a few years ago they dealt with the whole thing, and there is no extra charge for any sorting out.

Whilst I was filing my service ticket last night for the malware removal I was noodling around on their site and noticed that for a bargain $5 a month they offered a daily cloud backup of one site. That seemed sensible so I signed up and it started backing up my site immediately.

I was being impatient: I had several stories to post on deadline, so I decided to head over to my FTP server (hosted on GoDaddy.com – blogs like mine have all their code hosted externally) to start manually removing the malware php files. They were easy to spot as they were all inserted on the same day and when opened contained bizarre code. Three hours later, around 1am, I had removed over thirty pieces of malware, my site was working again, and I was able to finally get some work done for a client. I had started to receive a bunch of Google alerts linking my site to a Filipino Cialis site but thankfully after my deletion mission they now just went straight to LLG.
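The same-day clue described above can be turned into a read-only triage listing. This is an added example, not code from the original post or from Sucuri; the function names, thresholds, file names and dates in the sample tree are all constructed for illustration.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

def php_files_by_day(webroot):
    """Map each UTC calendar day to the .php files last modified that day."""
    by_day = defaultdict(list)
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                mtime = os.stat(path, follow_symlinks=False).st_mtime
                day = datetime.fromtimestamp(mtime, tz=timezone.utc).date()
                by_day[day].append(os.path.relpath(path, webroot))
    return by_day

def burst_days(by_day, min_files=3, min_dirs=2):
    """Days on which several PHP files changed across several directories.

    A core or plugin update produces the same pattern, so this is a list
    of files to review, not a verdict. Thresholds are assumed defaults.
    """
    hits = {}
    for day, paths in by_day.items():
        dirs = {os.path.dirname(p) for p in paths}
        if len(paths) >= min_files and len(dirs) >= min_dirs:
            hits[day] = sorted(paths)
    return hits

def build_sample_site(root):
    """Constructed sample: two old files plus three written on one day."""
    old = datetime(2016, 5, 1, 12, tzinfo=timezone.utc).timestamp()
    burst = datetime(2017, 2, 10, 12, tzinfo=timezone.utc).timestamp()
    layout = {
        "index.php": old,
        "wp-content/themes/demo/functions.php": old,
        "wp-content/themes/demo/footer-x.php": burst,
        "wp-includes/cache-x.php": burst,
        "wp-content/uploads/img-x.php": burst,
    }
    for rel, ts in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.utime(path, (ts, ts))  # set access and modification time

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for day, paths in burst_days(php_files_by_day(root)).items():
            print(day, *paths, sep="\n  ")
```

Modification times can be reset by whoever wrote the files, so an empty result does not clear a site. Running the listing against a downloaded copy of the site leaves the live files untouched for whoever handles the clean-up.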

The next morning I awoke to an email saying the Sucuri back up I had paid for had been completed. I checked out LLG: there had clearly been some modifications to my theme’s php files as there were all sorts of issues with the layout. (I may well have deleted some corrupted files during the night.)

I added this issue to my ticket (Sucuri work on a 12hr notice period) and hopped off to drive my mama to hospital. When I got back after lunch I opened up LLG.

The f*cking evil malicious f*ckers had entered my site through a backdoor and deleted every single piece of content from August 2013 to February 2017 – all posts, all drafts, and my entire media library. I can only think it was revenge for shutting down their Cialis site redirects.

I lost it. I think I was sitting rocking and crying for a while but I actually can’t remember. Suffice to say it was like my life had been deleted for four years. I called my agent but I couldn’t talk for five minutes as I couldn’t breathe properly. Panic attacks are no fun.

Long story short. Sucuri did their best to try to restore the site but kept hitting brick walls; at one point we thought that the backup was a back up just to the 2013 stop off point because the site still showed only up to 2013.  It turned out that the back up couldn’t load as there were issues with the SQL database on GoDaddy. That took me and them and GoDaddy three hours to sort out, but eventually my site loaded with the 2017 version. There was more crying. This time with relief.

There were a few more coding issues left with the theme and backend as a result of the mal attack but the lovely Sucuri guy got through them all quickly. I was left with all my content intact – but the design over which I had laboured for days was lost forever.

So: the moral of my story is this – back up your site! It cost me five bucks for a back up that has saved my business. There is also a free plugin for WordPress that can back your site up to Dropbox with one click. (I use both.)

Sure I could have paid someone remotely for the next month to replicate each post, as I have all my posts emailed to me, but it would have been time-consuming and expensive. Without that cloud back up, I would have lost my Google page rank, all backlinks, every single blog comment, and every link to LLG on FB & Twitter would be broken. Over 1000 draft posts, with all the ideas they contained, representing thousands of hours of work from me and my assistants over the past four years, and every single SEO coded photo in the library were gone, I thought, for good.

If your blog or website is hosted externally (by, say, GoDaddy), then also turn on two-step authentication, and make a habit of changing the password for your FTP server weekly. And whilst we’re there, change your blog password weekly too.

I’ve also heard that there is a vulnerability in WordPress, resulting in millions of hacks this week alone – if you haven’t updated to the recent version, it’s really important to do so as soon as possible.

I have also now reinstated my Sucuri cloud proxy firewall ($9.99 a month), which basically makes your site un-hackable. It stands between your site and the rest of the world and protects against attacks, malware infections, DDoS, brute force attempts and mostly anything that can harm it. Not only that, but your site gets cached, speeding it up quite a bit.

I had let my subscription for this drop because I got bored of having to whitelist every single IP address from which I accessed LLG and when you are in a rush to post, or you’ve got a crap signal, it’s a pain not to be able to get on LLG immediately, or use the WordPress app. (The need to whitelist means you can’t log on to the site via the app.)

But not as much of a pain as losing four years of work, hey?

https://sucuri.net

9 comments

What a truly sh*tty thing to happen to you. So sorry to hear this but glad you’ve managed to sort it out.

What a scary story! Can I ask which WordPress plug-in you use to back up? I use Back up buddy but I was wondering if there’s better out there.

Thanks!
Angie

I’m glad you got it back. What I don’t get, is why and put these re-directs in your site anyway? Your average LLG reader isn’t going to buy the Viagra! I despise anyone who targets small businesses, such as yours. I hope Karma comes knocking on their door. Glad all is sorted.

What a freaking nightmare!
Kudos to you for being proactive and knowing your stuff. I have to say though what impresses me most is that you managed to write this! I hope you are drinking a huge glass of wine right now!
Xx Otto’s human

This is bloody scary. Glad things are ok with the site now. Would like to know what’s the free plug-in that backs up to dropbox? I’d really love to start with that, if you don’t mind sharing the info.

Oh my word, this is terrifying. Glad you got there in the end despite all the trauma in between. I’ve been ignoring the pop up on WordPress asking me to back up my content but not any more! Thanks for sharing.

Do it! Vitally important; as is updating to the most recent WordPress versions as they are released LLGxx

Thanks so much for this Sasha, I have been experiencing problems over the last few days and have just emailed Sucuri. It’s a complete nightmare. aargh!

A similar thing happened to me in December. All of my hyperlinks had been changed to pharma-related things like “buy viagra now” and my search results were returning a bunch of 404 pages with pharma titles and meta-descriptions. Fortunately the pharma hack is a well-known hack and I was able to remove the offending files myself, but I got a quick lesson in why site security and back-ups are so important.

I traced the issue back to the shared server at bluehost and promptly moved hosting companies as well.
