My site got hacked, that means I’ve made it, right? Because only important, high-traffic sites get hacked.
Uhm, no. Of course not.
Forget that dramatic way of thinking. Because it’s false thinking. Sure, certain sites get specifically targeted for political or economic reasons – or for prestige like a hacking rite of passage – but AdvancingMusician does not fall into this category.
In general, hackers go for the low-hanging fruit instead. They target smaller sites. The idea is to get them infected and divert resources towards sending spam e-mails, getting link juice for improved Google rankings or installing malware like phishing scripts.
On December 11th, I got an e-mail from my hosting company. They had to take my site offline because their security mechanisms caught some malware script getting activated from one of my sub-folders.
So, despite running the latest versions of everything (WordPress, framework, theme and all plug-ins) my site was unreachable. No reason to panic. Just a quick install of a fresh WordPress instance followed by porting the database and everything is alright again.
Yes, in general that’s the procedure. But not in my case. And no, don’t think that I didn’t back-up my site.
My hosting company (who were really supportive throughout this incident – thank you) informed me that those malicious files had been injected way back in early October and had been dormant so far.
Therefore, back-ups were out of the equation. No sense installing a clean slate and then re-introducing malicious code via an infected back-up file. And going back almost 4 months to an old copy didn’t make much sense to me. So I decided to take the extra precautionary steps of going manually into my current (offline) database and pulling the content piece by piece, making sure it was safe and re-adding it to the fresh installation.
The crazy thing is that I knew about this infection from quite early on. I do have a security plug-in installed and also monitor Google Webmaster tools, where I first noticed a significant increase in Google-indexed pages.
From one day to another the numbers shot up to over 3000 pages indexed. Definitely a warning sign.
And the Wordfence security plugin also registered some changed files. It didn’t take too long to find a huge Viagra/Cialis site hidden in one of my server folders. Of course I deleted that sucker, checked to make sure my other folders were clean and considered this case closed.
To All the Hopeful Viagra/Cialis Shoppers
If you came to this site in the hopes of getting your “pharmaceutical” needs fixed and all you found is music-related articles – my apologies.
Subsequent scans returned clean results – I didn’t mind the 3000+ fake Google indexed pages and thought that Google would find out rather quickly about those pages being irrelevant and gone.
And indeed… every couple of days a bunch of those pages were removed from the index – it was only a matter of a few more days to return to the status as before.
But then the hosting company e-mail arrived. Looks like I didn’t remove everything and some bad code must have survived my initial purge.
Most likely my site got hacked via a plugin that had a security vulnerability that wasn’t patched fast enough. And the short time frame of vulnerability unfortunately was enough to get the malicious code injected.
Rethinking Security
My security practices were not bad at all. But in the process of recreating my site I re-evaluated and adapted a few things.
For instance: I upped my automatic back-up schedule from twice/week to daily. All back-ups are sent to Dropbox automatically as well. Each month during my weekly review session I’ll quickly go through last month’s folder and delete all back-up files, keeping 1 for each week. After 6 months I might prune that down so that I have only bi-weekly back-ups left. This should be enough – more seems like overkill to me.
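The retention schedule described above, worked through as a script (an added example, not part of the original post or of any backup plugin). It assumes each backup file name embeds its date as YYYY-MM-DD, treats "after 6 months" as more than six calendar months, and keeps the oldest backup in each weekly or bi-weekly bucket; the file names are constructed samples.

```python
import re
from datetime import date, timedelta

# Assumption: each backup file name embeds its date as YYYY-MM-DD.
DATE_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")


def backup_date(name):
    """Return the date embedded in a file name, or None if there is none."""
    m = DATE_RE.search(name)
    if not m:
        return None
    try:
        return date(*map(int, m.groups()))
    except ValueError:  # digits that do not form a real date, e.g. 2013-13-45
        return None


def plan_prune(names, today):
    """Split names into (keep, delete) following the schedule in the post."""
    keep, delete, seen = [], [], set()
    dated = []
    for name in names:
        d = backup_date(name)
        if d is None:
            keep.append(name)  # never delete a file that cannot be dated
        else:
            dated.append((d, name))
    for d, name in sorted(dated):
        age = (today.year - d.year) * 12 + (today.month - d.month)
        if age <= 0:
            keep.append(name)  # current month: keep every daily backup
            continue
        year, week, _ = d.isocalendar()
        # 1-6 months old: one per ISO week; older: one per two ISO weeks.
        bucket = ("2w", year, (week - 1) // 2) if age > 6 else ("1w", year, week)
        if bucket in seen:
            delete.append(name)
        else:
            seen.add(bucket)  # the oldest backup in the bucket is the one kept
            keep.append(name)
    return keep, delete


def sample_names(start, days):
    """Constructed sample input: one backup file name per day."""
    return [f"site-backup_{start + timedelta(n)}.zip" for n in range(days)]


if __name__ == "__main__":
    names = sample_names(date(2013, 5, 1), 31) + sample_names(date(2013, 11, 1), 50)
    keep, delete = plan_prune(names, today=date(2013, 12, 24))
    print(f"keep {len(keep)}, delete {len(delete)}")
```

The function only returns a plan; reviewing the `delete` list before removing anything keeps the oldest copies in view, which matters when an infection has been dormant for weeks.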
Every time I hit publish – I’ll copy the text/code field from my WordPress editor and paste it into a Google doc. Also, any additional source files like graphics or PDF downloadable files go into a special assets Sync folder. Worst case scenario: if the database back-up is corrupted, I can still re-compile the site because all the information is easily accessible. A quick 1 minute job leading to increased peace of mind.
Security Suggestions
If you have your own site – and as a performer/musician/teacher you really should – here are a few easy to implement suggestions:
- make your hosting/FTP/website admin username/password as strong as possible
- don’t use the same passwords
- install a security plugin a la Wordfence – if you are using WordPress
- use the Sucuri SiteCheck scanner on a regular basis
- use a back-up solution like BackWPup and have an automated job set up
- do a weekly/monthly/quarterly/semi-yearly back-up review/purge
- keep everything up to date – your CMS, framework, theme, plug-ins, etc…
- find the balance of necessary functionality and bloat – do you really need that plugin/script?
- putting the final text/code version of each page/post into Evernote/Google Docs and adding any source files right after you publish is a great disaster prevention policy
Remember even the best precautionary procedures are no guarantee that your site won’t be hacked. But instead of a debilitating, soul-crushing experience (because of no back-ups) it’ll be a minor nuisance that you can deal with quickly.
The Positive
Like they say, in any challenging situation there are hidden opportunities to turn things into positives.
While I liked the old site design – I decided to get rid of the background image. It was close to 120Kb, even in compressed format. And since I also replaced the graphical site logo and tagline (and other small graphic icons) with a font generated one, this shaves off a combined 200Kb from the page load which is quite a lot. It doesn’t really matter for broadband users but for mobile this should make browsing a lot more enjoyable.
Another side effect is a more open feel, since the content area is not boxed in like in the old design.
In general, I tried to make the site even more mobile responsive. It’s far from perfect and I still have some things to fix. Especially regarding images which at the moment “break out” and don’t re-size as intended.
My apologies for that, I considered other things as a higher priority for the moment – but it’s definitely something I will fix as soon as possible.
What’s Left?
Immediate steps:
- getting images responsive
- going through existing articles and adding the remaining download attachments
- fixing the remaining broken links
- fine-tuning the aesthetics – making sure the content is easy on the eyes with appropriate spacing and padding
I also held off from re-posting some articles that either have become obsolete or where I felt like I can improve upon them.
Minimalism
In 2013 I’ve been influenced a lot by minimalism, especially Leo Babauta’s writing.
As a consequence I sold off more than 500 of my books over the last few months. I still have ca. 200-300 left and plan on getting rid of them during 2014.
I didn’t purchase as many new sound/sample libraries as in the past. No more “shiny new thing syndrome” – who hasn’t fallen for that? Instead of chasing the latest, newest, holy grail – how about using what I already have? Getting to know it in detail and squeezing the maximum out of it. What a concept, huh?
I don’t want to waste my time tinkering around on the surface level. I want to create and produce on a deeper level with added value and substance. That’s my motto for 2014.
Before this hacking incident, I had already set up a lot of things in preparation to make this happen. Things have even escalated despite this diversion. I’d go as far as saying because of this diversion. My motto became even more important to me.
Merry Christmas and a Happy New Year
Finally, a merry Christmas – have great holidays and celebrations with your families and loved-ones. And let’s make 2014 an awesome year.