“You’ve Been Hacked.” These are words that nobody wants to hear. Ever. But chances are you may hear them at some point.
Without knowing anything about your website, there is a very good chance of guessing that you are running it using the popular platform, WordPress. After all, over 27% of all websites today are powered by WordPress. If you are, you are probably aware that great things happen with WordPress; there are consistent and constant updates released for it making it better and better with each upgrade.
You have heard that it is important to keep your software up to date. This goes for your desktop computer, your laptop, and even your website software! There has never been a better time to follow this advice than now! When you learn that a new version has been released, you should upgrade your website (remember to always back up your website before updating anything… Safety first)!
What is so important about the most recent upgrade to WordPress? A recent upgrade fixed a vulnerability that was discovered in a couple of previous versions. Technically this update is described as:
An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
What this means in terms that everyone can understand is this: A flaw was discovered that let hackers modify the content of any post or page within a WordPress site without the need to log in or provide any credentials.
In fact, by some estimates, over 1.6 MILLION WordPress sites were attacked because of this issue!
“I knew it! WordPress is NOT safe,” I hear you say…
The doom and gloom are out there regarding any security issue. Some past issues allowed hackers to get in and inject links to sites that were so undesirable that you would not want your grandmother to visit them. Other issues let hackers get in and leave files (or programs) that had malware or would send out emails, or do a lot of other harsh things.
What happens if you’ve Been Hacked?
The good news about this recent vulnerability is that it only allowed hackers to modify content. The extent of the ‘damage’ is that your website gets defaced; you can think of it as digital graffiti sprayed on your blog posts. While no one likes to clean up spray paint, it is certainly easier to clean up some spray paint than it is to have to rebuild an entire building.
Of course, the shame you might feel when you see that your website has been spoiled with the words, “You’ve been HaCkEd” is never a good feeling. An even worse feeling is if a client is the one to give you the phone call, “Hi there – I was visiting your website and it says that you’ve been hacked.” UGH.
Truthfully, a defaced website is embarrassing but, fortunately, it is typically easy to fix. In most cases (for this particular hack at least), you will only have to update your website to the latest version of WordPress. Once you do that, the next step is to search through your current blog posts and pages and check them for unwanted content. Depending on the size of your website, this may be quick, or it may be a time-consuming process. You may want to use the search capability on your site to literally search for the word “hack” and then clean up those pages and posts.
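One way to run the post-by-post check described above, as an added example that is not part of the original article: it scans a JSON export in the shape WordPress returns from its /wp-json/wp/v2/posts endpoint and flags entries that contain the word “hack” or were modified on or after a date you choose. The sample posts, the example.test URLs, the cutoff date and the function names are constructed for illustration.

```python
import html
import json
import re
from datetime import datetime

# Constructed sample in the shape of a /wp-json/wp/v2/posts response (not real site data).
SAMPLE_EXPORT = json.dumps([
    {"id": 11, "link": "https://example.test/?p=11", "modified_gmt": "2020-01-10T09:15:00",
     "title": {"rendered": "Spring menu"}, "content": {"rendered": "<p>New dishes this week.</p>"}},
    {"id": 12, "link": "https://example.test/?p=12", "modified_gmt": "2020-03-02T03:41:10",
     "title": {"rendered": "Welcome"}, "content": {"rendered": "<h1>You&#8217;ve been <b>Ha</b>CkEd</h1>"}},
    {"id": 13, "link": "https://example.test/?p=13", "modified_gmt": "2020-03-03T22:05:44",
     "title": {"rendered": "Opening hours"}, "content": {"rendered": "<p>Mon to Fri, 9 to 5.</p>"}},
])

TAG = re.compile(r"<[^>]+>")


def visible_text(rendered):
    """Drop tags, then decode entities, so markup cannot split or hide a word."""
    return html.unescape(TAG.sub("", rendered))


def audit_posts(posts, keywords=("hack",), changed_since=None):
    """Return (id, link, reasons) for every post that needs a manual look."""
    findings = []
    for post in posts:
        rendered = post["title"]["rendered"] + " " + post["content"]["rendered"]
        text = visible_text(rendered).lower()
        reasons = [f"contains '{k}'" for k in keywords if k.lower() in text]
        modified = datetime.fromisoformat(post["modified_gmt"])
        # A post edited after the cutoff may be defaced without using any keyword.
        if changed_since is not None and modified >= changed_since:
            reasons.append("modified on or after " + changed_since.isoformat())
        if reasons:
            findings.append((post["id"], post["link"], reasons))
    return findings


if __name__ == "__main__":
    cutoff = datetime(2020, 3, 1)  # assumed: last date you know the content was clean
    for post_id, link, reasons in audit_posts(json.loads(SAMPLE_EXPORT), changed_since=cutoff):
        print(post_id, link, "; ".join(reasons))
```

Pages can be checked the same way from an export of /wp-json/wp/v2/pages, and anything flagged only by date still needs to be read by a person.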
An alternative to correcting all the abused posts and pages (if you have a lot of them) is to restore your website to how it was prior to the hack. If you have a recent backup of your website, you can always restore that version since the backup is clean. Be aware that if your most recent backup is 3 months old, your website will be put back to how it was 3 months ago. You will then need to add your content back to bring the site up to date.
The bottom line is that there are 2 lessons to learn from this: first, ALWAYS have a backup; always take a backup before updating anything on your site. Do this and it is like having insurance on your website. You will never hear someone say, “Darn, I wish I didn’t have that backup copy!”
Second, keep your software up to date! For the most part, WordPress is a very secure platform! You need to do regular maintenance (and regular backing up!) to keep it safe. When an update comes out for the WordPress software, or a plugin, or a theme, make sure you update it soon!
As Sergeant Phil Esterhaus would say on every episode of Hill Street Blues, “Let’s be careful out there.” Taking these precautions will prevent you from seeing the words, “You’ve Been Hacked” appear on your website!