How the Site Was Hacked, and Fixed

The Purple Crayon Blog, December 2009
In December I had an "interesting" experience: The Purple Crayon was hacked--fortunately not extensively, and in a way that was fairly easy to fix. Now that I've cleaned up the mess and put some things in place that should prevent this happening again, I thought I should say something about what happened. I've got two reasons for writing about this: so that regular visitors will know what happened and how it affected them, and so that people with similar sites can learn from my experience.

What Happened

Some time in the fall, someone got their hands on the password needed to upload files to the site. I don't know for sure, but I believe this happened while I was traveling, and using a public WiFi network in an airport or hotel to FTP files to my site. My computer was not hacked, but it didn't need to be. The communication between my computer and my web host was not secure: plain FTP sends the password unencrypted, so anyone able to watch traffic on that network could read it.

Later in the fall, probably in early December, the hackers used my password to place modified versions of my home page and my .htaccess file (which controls access to the site from search engines and the like) on my site, and also uploaded a few other files.

The effect of this was to present a page laden with keywords related to Cialis and Canadian pharmacies to the search engines instead of my home page. No other pages were affected, and people visiting the home page from links or bookmarks, or just typing in the address, saw nothing amiss. The hackers did not take over my site and were not trying to take my traffic--I believe they were intending to redirect some of its "page rank" in Google to their own Cialis-related site(s). Imagine the difficulties involved in being a seller of such stuff! There must be thousands of such sites on the Internet. How do you get people to come to yours? Well, maybe you can rank higher in Google if you can siphon off page rank from other sites.

The hackers also seemed to be trying to keep the hack running as long as possible. It reduced my traffic some--because people who searched for "publishing children's books" on Google got the Cialis page instead of my real home page--but not drastically, because other pages weren't affected. Also, traffic was dropping due to the holidays anyway.

How I Detected the Hack and Fixed It

I think I would have noticed the traffic drop fairly soon anyway, but coincidentally I did some work on my site just a few days after the hack, and noticed some strange things in the directory for it. There was a file called "blogger.php"--but I don't use blogger. There was another called "1.htm"--which I certainly hadn't created. And both my home page and .htaccess file had increased greatly in size.

With the help of my web host, who found a couple of files I had missed, I deleted the hackers' files and uploaded clean versions of the files they had messed with. I changed my password. Then I had to wait for Google to revisit the site: they still had the junk page in their cache, so although my site was clean, it didn't look that way in Google's results. I was able to hurry this along by creating and uploading a sitemap to Google, which caused them to reindex the site more rapidly than they might have usually.

How You Can Prevent/Detect this Kind of Hack

The following advice may not apply to you. If you use blogging software to run your site, for example, there are security issues, but they are different from the ones I faced; you should look into them. If your site is very small and personal, it may not be targeted. And if you work with a webmaster, well, this stuff is up to them. But if you have a small-to-midsized site like The Purple Crayon, and run it yourself, then here are my lessons learned.

First, if you don't have features set up (more on this below) to keep your communications safe while on the road, refrain from using FTP software on a public network.

Second, change your site password regularly, at least once a month, and make sure it follows the rules for creating an effective password.

Third, monitor your site. Visit it by doing searches, not just directly, to see if it comes up as expected. Eyeball the files in your home directory for changes in size, or the presence of files you didn't put there.

Fourth, ask your host about security features. I hadn't asked, but now I have. It turns out that I can use FTPS to access my site; it is the FTP equivalent of HTTPS, the "secure" version of HTTP that banks use on their websites. This wasn't hard to set up. Now that I have set it up, when I use my FTP software to upload and modify files, my communications are secure. They also have a special feature they created that allows me to limit access to my site's home directory by IP address.
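The monitoring advice in the third lesson (watch for files you didn't put there, and for files that have grown) can be automated rather than eyeballed. As an added example, not code from the original post, the script below snapshots a local copy of the site's files with their sizes and SHA-256 hashes, then reports what has been added, removed or modified relative to that baseline; the directory layout and file contents are constructed for the demonstration, with the two dropped file names taken from the post.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (dotfiles included) to (size, sha256 hex)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest


def compare(baseline, current):
    """Return (added, removed, changed) paths; 'changed' means size or hash differs.
    The hash also catches edits that leave the size unchanged, which eyeballing misses."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed sample: a tiny clean site, then the tampering the post describes."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)

        put("index.html", "<html><body>Purple Crayon home</body></html>\n")
        put(".htaccess", "DirectoryIndex index.html\n")
        put("articles/publishing.html", "<html><body>article</body></html>\n")
        baseline = snapshot(root)  # in practice, save this manifest somewhere off the site

        # Simulated compromise: two unfamiliar files appear (placeholder contents),
        # and the home page and .htaccess grow, as happened in the post.
        put("blogger.php", "<!-- placeholder for a dropped file -->\n")
        put("1.htm", "<!-- placeholder for a keyword-stuffed page -->\n")
        put("index.html", "<html><body>Purple Crayon home</body></html>\n" + "<!-- injected -->\n" * 40)
        put(".htaccess", "DirectoryIndex index.html\n" + "# injected rewrite rule\n" * 10)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("new files:", added, "| missing:", removed, "| modified:", changed)
```

Run `snapshot` on a known-clean copy once, keep the result, and compare a fresh snapshot against it whenever you check the site; any entry in the "new files" or "modified" lists that you can't account for deserves a look.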

Hacks happen, but if you keep your eyes open and use the tools available, you can both prevent them and get your site back up again.

