Photo: Blmurch, via Flickr (CC license)
Yep, spammers are asses. And evil, in a mostly banal sense. Grumble….
Over the last few days, and especially this morning, I’ve been wrangling with fixing a hack done to this blog by a spammer. It’s been pretty stressful, but Tom Vilot and other helpful geeks have been absolute angels in helping me figure out this server-side crap. Thanks, all!
For now, I think we’ve probably neutralized what this hacker has done. But I’ve got a contingency plan in place to rapidly relocate this blog to another server should new problems from this hack arise. If problems do arise, I’ll probably have Bluehost create a new account for me, reinstall WordPress, repopulate the blog’s database, etc. A hassle, but not unrecoverable.
Lessons learned. These mostly apply to WordPress blogs, but can have wider applicability…
- Always use secure access (https://) for any site that requires a password, so the password is never sent in the clear. Just make that the norm, whether I’m home behind a firewall or on public wifi. I am investigating getting an EVDO card for mobile web access, but I think that might not be possible for a Macbook. I might have to wait until I upgrade to a Macbook Pro for that.
- Always keep an up-to-date backup of my blog: the database as well as other content like images or audio/video. This makes a quick restore not only easier, but possible. If possible, arrange this as a cron job that uses secure copy (scp) to push the content to another server, so a copy exists somewhere the attacker can’t reach. Don’t just rely on a WordPress plugin to e-mail the backup to you. WordPress plugins can be hacked. That’s what happened to me.
- Check regularly for plug-in updates. Hackers exploit vulnerabilities in popular tools like plug-ins. Plug-in developers generally patch these vulnerabilities and release new versions of the plug-ins as these vulnerabilities are revealed. It seems like so far there’s no automated way to check for WordPress plug-in updates (but I’ll keep looking for that). However, it’s worth doing a manual check of this once a week or so.
- Just because it sucks doesn’t mean it’s personal. Most spammers and hackers are sheer opportunists. This blog hack probably wasn’t personal, even though it damn well feels personal. Just like when someone breaks into your car. It’s hard not to take it personally. I’m definitely pissed off, but I can let that go.
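The backup lesson above, scripted, as an added example that is not part of the original post: dump the database, bundle it with wp-content, verify the tarball, and scp it to a second server from cron. The database name, backup user, paths and the off-site host (`backup@example.org`) are placeholders, not this blog’s; the script assumes `mysqldump` reads its password from `~/.my.cnf` and that an SSH key is set up for the backup host.

```shell
#!/bin/sh
# Nightly WordPress backup: dump the database, bundle it with wp-content,
# verify the bundle, and copy it to a second server with scp.
# Added example; all hosts, paths and names below are placeholders.
set -eu

WP_DB="${WP_DB:-wordpress}"                  # assumed database name
WP_DB_USER="${WP_DB_USER:-wpbackup}"         # assumed read-only backup user
WP_CONTENT="${WP_CONTENT:-/home/user/public_html/wp-content}"   # uploads, themes, plugins
BACKUP_DIR="${BACKUP_DIR:-/home/user/backups}"
OFFSITE="${OFFSITE:-backup@example.org:/srv/blog-backups/}"     # assumed second server
KEEP_DAYS="${KEEP_DAYS:-14}"

# Timestamped archive name so a restore can pick a known-good day.
archive_name() {
    echo "blog-$(date +%Y%m%d-%H%M).tar.gz"
}

# Dump the database to a file. mysqldump takes the password from
# ~/.my.cnf, so it never appears on the command line or in cron mail.
dump_db() {
    out="$1"
    mysqldump --single-transaction -u "$WP_DB_USER" "$WP_DB" > "$out"
}

# Bundle a content directory and a dump file into one tarball, then
# read the tarball back so a truncated archive is caught tonight,
# not on the day of the restore.
# Arguments: content dir, dump file, output path.
build_archive() {
    content="$1"; dump="$2"; out="$3"
    tar -czf "$out" \
        -C "$(dirname "$content")" "$(basename "$content")" \
        -C "$(dirname "$dump")" "$(basename "$dump")"
    tar -tzf "$out" > /dev/null
}

# Copy to the second server over SSH (key-based auth, no password prompt).
ship_offsite() {
    scp -q "$1" "$OFFSITE"
}

# Remove local copies older than KEEP_DAYS so the account doesn't fill up.
prune_old() {
    find "$BACKUP_DIR" -name 'blog-*.tar.gz' -mtime +"$KEEP_DAYS" -delete
}

main() {
    mkdir -p "$BACKUP_DIR"
    umask 077                            # backups hold credentials: owner-only files
    dump="$BACKUP_DIR/db.sql"
    out="$BACKUP_DIR/$(archive_name)"
    dump_db "$dump"
    build_archive "$WP_CONTENT" "$dump" "$out"
    rm -f "$dump"
    ship_offsite "$out"
    prune_old
}

# Run the full pipeline only when called with "run", e.g. from crontab:
#   15 3 * * * /home/user/bin/wp-backup.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Two points worth keeping: the dump file and tarball are created with `umask 077` because wp-config.php and the database dump both contain credentials, and the backup user should be a separate MySQL account with SELECT and LOCK TABLES only, so a compromised web account can’t reuse it to write to the database.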
Most importantly, this experience shows the value of befriending geeks, and of having a generally collaborative and constructive attitude when dealing with people online. People really came to my aid here, and I am grateful.