I have three WordPress sites. One of them got hacked the other day. Someone got access to it by getting site owner verification from Google. I tried to un-verify it, but failed. Before long, I started seeing hundreds of small files being installed in the back-up for the site. They were all product related. By the end of the day, there were over 6000 of them. It was a nightmare.
Why did that particular site get hacked? I guess someone got their hands on my password and verified the site — something I had neglected to do on that site because I only keep it to redirect my more popular posts. I neglected a lot of things on that site. “Why bother?” I thought. “It only gets a few hundred visitors a month, so who would bother with hacking it?” Well, apparently, something like 30,000 websites get hacked every day. Hackers exploit vulnerabilities. If they can’t find a vulnerability quickly, they move on.
How my WordPress site got hacked
I’m not an expert on website security, but I think that site got hacked because of the things I didn’t do on it that I have done on my other websites. The most important one, I think, was not placing a limit on login attempts. I had installed Wordfence on the site, but never got around to changing the default settings as I did on my other sites. That made it possible for the hacker to discover my password after numerous attempts. Had they been locked out after just a few attempts, they probably would have given up and moved on. Another recommended plugin is Login LockDown.
After the fact, I looked online and discovered other things I could have done. Some of them include:
- Removing themes you aren’t using. Hackers can exploit those themes.
- Removing unneeded plugins. Hackers can somehow gain access to them and gain access to your site.
- Updating WordPress and plugins immediately. Updates include security updates, so not updating leaves your site vulnerable.
I also verified my other sites on Google, so I have claimed ownership. I wish I’d taken the time to do it on the other site. It would have taken about five minutes. Now that someone has claimed ownership on Google, I have to try to find where they hid their verification in the 6000+ files they added to my site.
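For the search described above, here is a small scanner, added as an example and not part of the original post. It assumes the two file-based verification methods Google documents: an HTML file named `google<hex>.html` whose body repeats its own name, and a `<meta name="google-site-verification">` tag. The function names and the sample tree are made up for illustration.

```python
import os
import re
import sys

# HTML-file method: google<hex>.html whose body repeats its own file name.
FILE_NAME = re.compile(r"^google[0-9a-f]+\.html$", re.I)
FILE_BODY = re.compile(r"google-site-verification:\s*(google[0-9a-f]+\.html)", re.I)
# Meta-tag method: a <meta> tag naming google-site-verification, any attribute order.
META_TAG = re.compile(r"<meta\b[^>]*google-site-verification[^>]*>", re.I)
CONTENT = re.compile(r"content\s*=\s*[\"']([^\"']+)[\"']", re.I)
SCAN_EXT = (".php", ".html", ".htm")


def find_verification_artifacts(root):
    """Return sorted (relative_path, method, token) tuples found under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            body = FILE_BODY.search(text)
            if FILE_NAME.match(name) and body:
                hits.append((rel, "html-file", body.group(1)))
            for tag in META_TAG.findall(text):
                token = CONTENT.search(tag)
                hits.append((rel, "meta-tag", token.group(1) if token else ""))
    return sorted(hits)


def write_sample_site(root):
    """Constructed sample tree; every file name and token here is made up."""
    samples = {
        "google0123456789abcdef.html": "google-site-verification: google0123456789abcdef.html",
        "wp-content/themes/old/header.php": '<meta content="CONSTRUCTED-TOKEN" name="google-site-verification">',
        "wp-content/uploads/product-1.html": "<p>widget</p>",
    }
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    for hit in find_verification_artifacts(sys.argv[1]):
        print(*hit, sep="\t")
```

Run it against a downloaded copy of the site directory. Verification can also be done through a DNS TXT record, which a file scan will not see, so the domain's DNS records need a separate check.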
After receiving notification from my host that there were some malicious files on my websites, I installed an anti-virus program on them, but didn’t install it on my “discontinued” site. I feel dumb for not taking the same precautions, but I’m not alone. A cybersecurity expert did the same on one of his old websites. He did it because he wasn’t making money from the site and didn’t feel like spending money on it.
I wish hackers didn’t exist, but they do. I have no idea what these hackers are gaining from adding those thousands of products to my site. I don’t see ads appearing, but one blog tells me they can appear in the background and not be visible. Still, it seems like a waste of time on their part. The site only gets a few hundred visitors per month and it’s not likely anyone who visits it will buy one of their products even if the link is hidden somewhere in the text. Maybe they just hack sites because they can. Some people are like that. Anyway, if you have a website, keep it secure. It’s not that hard or expensive and is less of a headache than trying to deal with hackers after they’ve done their dirty work.