Imagine doing some routine work on your blog and suddenly realizing there’s something which should not be there. A chunk of spammy text with outgoing links to spammy sites.
This is what happened to me today. Fortunately, I managed to clean up the mess, figure out how to prevent it from happening again, and move on with creating awesome content and promoting it.
Here’s what happened
I was adding tags to posts in my gardening site today, tying together a silo where we had recently finished publishing all of the posts. I use the Ocean WP template, and one of the things I like about it is the ability to quickly create pretty tag pages, including a description. In the resulting page, I use the post title, featured image and the first bit of text in the post which serves as the excerpt (along with the obligatory “Continue Reading” link).
In fact, I use the same setup here in Yeys.com’s category pages –
The tag pages follow the same layout and I usually add a keyw0rd-rich description too, created using Yoast and displayed in this template.
So, I was sitting there, happily reviewing the pretty page that I had just created, filled to the brim with photos of flowers and casually glancing over the excerpts. When I suddenly noticed this in the sixth row –
Clearly, not about flowers and obviously, spam.
Where did that spammy text come from?
I quickly clicked through to the posts in question, worried that the hackers may have replaced the entire text we had there with their garbage. At first glance, everything seems to be alright. Floral images and relating text all over the place. I scrolled down, thinking maybe they hacked the Yoast section where you can change the page’s meta tags. Nope. All was fine there too.
Well, the text had to come from somewhere, right?
So, I switched over to text mode in the WordPress editor, and sure enough – there was an ugly hidden div in there, with tons of idiotic spammy text, littered with links to spam sites. Yikes.
How did that happen?
Technically, this was a simple case of account hacking. Someone logged into a writer’s account and edited the posts there to add the malicious code.
If you’ve been following this blog, you know that I hire writers. Each writer gets direct access to WordPress, with his or her own author-level account. That means they can create posts, and then return to edit their own posts later on. You can read more about my workflow here.
In this case, someone logged into a writer’s account and edited existing posts to add their code. As it happens, this was actually an account managed by a content agency. Which means –
- That account had dozens of posts under its name.
- The login details were shared by at least several people in that agency – and I have no clue how securely they were stored.
The very same thing could have happened to any writer. I do wonder if maybe as a content agency, they were more likely to be targeted by that kind of spam hacking.
What did I do to fix the issue?
Once I figured out where the code was hiding, it was a simple case of editing the posts in text mode, taking care to remove the hiddle div’s and their content. The whole thing took about 15 minutes to accomplish.
Begone, spam of darkness!
I then checked all of the other blogs this content agency was writing for. Thankfully, there were no spam issues in any of them. The incident seems to have been limited to just one blog. I did run searches through the blogs in general, to make sure other writer accounts were not affected. They weren’t.
How to prevent a blog from being hacked through user accounts
I also took some measures to prevent this from happening again. And I’m considering a few more. I’m going to share these now. If you can think of any others, do let me know in a comment.
1. Limit user accounts, especially those with special privileges
WordPress usually comes configured in such a way that anyone can create a user account to become a “subscriber”. I generally set up blogs so that people can’t just create user accounts. If they want to comment, they can just enter their email whenever they comment. There’s no need for them to log in.
In my experience, subscriber accounts are created for spam purposes, at least 99% of the time. With zero benefits, why let anyone the ability to login into your site, in any capacity, if you can avoid it.
2. Limit the duration for which an account has special privileges
Writers come and go. So do VA’s and other people who may be working with you on your sites. In my case, they have user accounts that can be either author, editor or even admin-level.
While I’ve been good on demoting people who get temporary admin or editor access, I neglected to do that with authors. Today, I went over all of the sites, and either deleted inactive authors, or demoted them to subscribers. That means they can no longer edit their own posts, as they had been able to do before.
Essentially, doing that regularly would have completely blocked these spammers. Lesson learned. I’ve also set up a task for myself in Clickup, to routinely scan these lists every month and demote any writer who’s no longer actively writing for that blog.
3. Watch out for accounts made for companies and agencies.
From time to time, various companies and agencies require access to blogs. This could be for SEO purposes, to tweak a very technical plug-in or otherwise fix something in the blog. I tend to allow that, as long as the company is one that I know and trust.
One way to make sure that access is self-limiting is by creating temporary login without a password link, using this plugin. I have used that in the past. The advantage here is that the link becomes void after the designated period of time, so you don’t have to worry about remembering limiting access to that account.
Again, had I used that, the problem would have been avoided.
4. Properly back up your sites.
When I saw the alien text show up as the excerpt, my first concern was that the spammers may have deleted our content and replaced it with theirs. Keeping long-term backups is essential if you want to retried old versions of your posts, in case that happens.
I use two separate backup services on my sites and they include weekly as well as daily backups. Of course, that still means you need to spot major issues within a week’s time. I will be looking into creating some form of long-term backup that gets stores indefinitely, capturing a weekly image of the site, at least as far as text is concerned and saving it for a longer period of time without running it over with a fresh weekly backup.
4. Make sure templates and plugins are up to date
This goes for WordPress itself too, of course. But WordPress knows how to update itself, whereas templates and plugins need you do press that link. Do that and don’t let hackers utilize backdoors in plugins to wreak havoc on your site.
5. Consider adding Two-Factor Authentication
Two-factor authentication means you need to enter a username and password twice. Different set at each time. At least once, you are using a username and password which you can’t simply retrieve via email. You’d either need a verified phone number or the help of the site admin.
There’s a reason why this form of authentication isn’t very popular. It’s tedious and annoying, especially if you forget your non-retrievable password. On the other hand, it does mean hackers will have to work harder at getting access to the site. I’m going to give this some thought. Maybe I’ll turn on TFA for admin-level accounts only.
Don’t let hackers and spammers deter you
This wasn’t the first time a site of mine got hacked. It wasn’t the second or third either. In twenty years of web publishing, I’ve had sites hacked multiple times, in various ways. I also experienced prolonged DDOS attacks, troll attacks, and spam attacks.
These things happen. They’re frustrating and annoying, but they’re part of owning an online business.
You can’t let them get to you and you shouldn’t let them stop you from publishing sites. Just use common sense, backup your sites and keep an eye out on things.