The Time I Got Hacked By Algerian Anonymous: Lessons Learned
Mystery solved.
Why couldn't I log in to my website yesterday? It's because, four days ago, somebody hacked my site and replaced it with some neon green colors, misspelled alphanumeric messages of triumph, and other gibberish.
Congrats. You hacked a nearly empty site that was used for testing WordPress plugins. Total damage caused: about fifteen minutes of time spent logging in to my horridly bad web server and changing a few passwords, plus hitting the "reinstall" button on WordPress.
Yes, I was fortunate, because it was a non-business site. Your law firm's website, however, is far more important. Here are a few things I've learned from the experience:
Reputable Hosting Companies Are a Must
I'll start right out with this: do not use HostLatte, or any other insanely cheap "mom and pop" hosting company. I wrote about the time their server crashed and deleted my entire website last August. Needless to say, I was unhappy.
I still haven't switched, but only because my site was a testing sandbox -- there was no content to worry about. Still, it was a mistake to stay (see below), and tonight, I'll be spending my time searching for a new hosting company. Things I'll be looking for (and you should be too, if you go the "do it yourself" route with your website) are uptime, redundant servers (in case one crashes and, ya know, wipes out your data), and regularly scheduled backups.
Quadruple Check Every Password
I can't be too sure how the hackers got in, but I have a strong suspicion it was the password to my server. My hosting company has a password to access the members' area. (Checked. Probably not cracked). My WordPress install has another password. (Ditto) And to change settings on the server (the cPanel interface, for all you geeks out there), there was a third password, which was apparently reset when the server crashed last year. (It was temp12345.)
Yeah. "temp12345." According to HowSecureIsMyPassword.net, it'd take a mere 7 hours to crack. I'm guessing it probably took less, since that's probably nearly as common as "admin" as a default password.
North African Hackers Need Spell Check
These people who hacked my site need a proofreader. "DZ HACKERS WAS HER" pic.twitter.com/kjf4dKPXfI
-- William Peacock, esq (@PeacockEsq) April 9, 2014
Backup Regularly, Even if Your Host Does
Over the last fifteen years, I've used a lot of free and paid servers. Most did auto-backups. Only twice, both with this company, have I lost my data completely. If you're managing your own website, you should be backing up at least weekly, or whenever you do a significant update. There are also automated backup tools available through many hosting companies. They're worth the extra cost.
WordPress is Still Awesome
How long did it take to wipe out the hacked junk, and reinstall WordPress? One click. How long will it take to put up a new theme, and set up a new version of my testing site? Probably about thirty minutes.
Seriously folks, if you're setting up your own site, there is no better platform than WordPress. It's quick, intuitive, constantly updated, and there are an infinite number of plugins for automating anti-spam, search engine optimization, and other time-consuming tasks.
Got a hacking horror story? Tweet it to us @FindLawLP. And, of course, I'd be remiss to not mention that if you don't want to deal with any of this crap, whether it be fighting spam and hackers, juggling passwords, or backing up your site compusively, our Lawyer Marketing team does web design, and a lot more.
Related Resources:
- LinkedIn Sues Hackers -- Whoever They Are (FindLaw's Technologist Blog)
- $3 Billion Snapchat Was Hacked; Prepare For Self-Destroying Spam (FindLaw's Technologist Blog)
- 5 #FiveWordTechHorrors That Will Kill Your Firm's Productivity (FindLaw's Technologist Blog)