My Website Got Hacked, and Here’s What I Learned
I haven’t been posting a lot of new content on this site. My income strategy has changed a lot as I have taken on a lot of clients. After all, I create at least 10 pieces of content for my clients every week: often, more than that. That means I haven’t had a lot of time to work on my own content. When I logged into Google Search Console after vacation to do some keyword research, I was shocked to see thousands of new links logged.
My website had been hacked.
On July 2nd, the hacker added 1,100 or so links to my site.
Another 2,100 links on July 6th.
Then, on July 9th, they added more than 2,000 links.
These weren’t the kind of links you want on your website. It was a jumble of SEO-optimized titles, and the posts were nothing more than word salad, nonsense meant to merely fill a page, not make any kind of sense.
I was hacked, and I’m here to tell you what I learned from that experience, and share a few tips on how you can avoid being hacked too.
How I Fixed My Hacked Website
I know, I know – this is what you want to know!
Here’s the quick and dirty list of how I fixed my hacked website.
- I asked SiteGround to scan for malicious code. They told me exactly where the suspicious files were so we could nuke them.
- Restored to an older version, pre-vacation and pre-links being added.
- Deleted ALL old, unused plugins and themes. I cut it down RUTHLESSLY. If it was not necessary, I got rid of it.
- Cleared all of my website’s caches.
- Reinstalled WordPress.
- Updated or reinstalled EVERYTHING. I mean, I contacted BluChic (the maker of my theme) to ensure I had the latest updates of all the code).
Always Install Security on Your Website
Apparently, I was a dum dum, and had not installed the best security. I trusted the security measures that I had set up, and thought they would be adequate.
Security is one of those things that you never know you need it until it’s too late, and of course I learned that mine was inadequate after the fact.
For any beginning WordPress blogger, I cannot recommend Wordfence enough (that is NOT an affiliate link – it’s just the service I used).
I submitted a cleanup ticket, and it was taken care of within 18 hours – and that includes sleeping time! I’m blown away. I received a multi-page PDF detailing what they did, potential issues, etc. They also identified WHEN they believe the data breech happened….February sometime. Interesting.
Wordfence also submitted my site to Google to be crawled again, and after two weeks, the drop off of the extra links on Google is finally happening.
I would go to Google and type “site:thehollypeck.com” and see that literally 6000-8000 links would show up: most of them for spammy pharmaceuticals.
Three weeks later, I have 600 or so links showing up, and from what I can tell, most are mine, and not 404 errors. I would not be surprised to see the number drop some more, though. I’ve had some very photo-heavy posts in the past.
Wordfence notifies me when people attempt to log into my site, and it’s rather shocking how often someone tries to attack it. These attempts also come in rapid-fire succession, using every single username that has ever been associated with me site.
Random pro-tip: avoid using the username “ADMIN” for your WordPress login. That’s one of the most common usernames, and is very guess-able!
Take Action Quickly
When you’ve been hacked, you need to take quick action.
Unfortunately, I was on vacation when I was hacked. That meant that by the time I realized what was happening, it had been long enough for Google Search Console to pick up the links.
(If you’ve worked with Google Search Console, then you know it has a delay in reporting – sometimes even as late as a week).
I was horrified to see how much had happened.
When a hacker piggybacks on your site, my experience was that they did a smaller number, to test the waters….and by smaller, I mean a thousand or so.
Then, they added 2000, 3000 – it was crazy! The earlier you can catch it, the better.
What Can You Do to Prevent a Hacked Website
It’s better to be safe than sorry, right? Here are a list of things that you can do to avoid being hacked.
- Install security on your site. I HIGHLY recommend Wordfence. I currently have their premium service, as a year of it came FREE with my site clean up. No regrets over that, and I will HAPPILY pay $99 to renew after that year is over. I’ve learned my lesson and will have my site protected.
- Remove any unnecessary themes/plugins. If you aren’t using them, take them off your site! You can always add them back. I didn’t want to delete my old themes and plugins because I “might” use them again. Nah, if I really want them, I can get them back again later. Uninstalled.
- Update plugins frequently. This one is slightly debated, because once in a while, there are unstable updates. But, overall, it’s best to update plugins as soon as they have an update.
- Monitor your site via Google Search Console – because I was on vacation, I didn’t pay attention to email. That meant that I missed the email alert from Google Search Console about someone adding themselves to my property (that means they were able to upload an XML sitemap for my site, and get their links attached to my site – definitely no good!)
Have you ever been had a hacked website? How did you recover from the hacking? What new security measures did you take?
Was this helpful? Sharing is caring; pin it for later!