What to Do If Your Website Ever Gets Hacked

Last weekend, my blog was hacked. Within a few hours, everything was back to normal. But it was scary. And I didn’t know what to do.

My guess is that some bloggers are as ignorant as I was of what to do. In fact, if I weren’t fortunate enough to get some help, I would’ve been doomed. So I thought I’d share what I did, along with tips for what to do if your blog ever gets hacked.

If your site gets hacked, you gotta lock it down! Photo credit: Flickr (Creative Commons)

Tell the world

As soon as my blog was down, I let people know via Twitter and Facebook (since people were already asking why I was sending them to a loans website). This accomplishes two goals:

1. It sets reasonable expectations for readers, friends, and fans.
2. It lets people know that you need help. (I’ve found that the Twitter community can be especially resourceful when it comes to technology issues.)

Contact your host

Not quite sure what to do, I first contacted my host. The folks at Site5 responded immediately (at 11pm) and removed the line of code that was injected into my site to redirect to a loans site.

They removed it, and everything was back to normal.

Or so it seemed.

I quickly realized that while my homepage was restored, all my files (i.e. posts and pages) were corrupted.

Undo the damage

A friend on Twitter offered to help fix the problem I was having (since I was tweeting the whole experience). I really cannot say enough good things about Mitch Canter (@studionashvegas). Seriously, if you have any WordPress/website/blog needs or desires, he’s your man.

Within 15 minutes, my site was back to normal. (Thanks, Mitch — you really saved my life, or at least, my blog.

Readers: Follow Mitch, send him chocolate, and consider hiring him.

Change all your passwords

Next, I changed all three of my passwords for my blog: site admin (i.e. FTP login), WordPress login, and my “backstage” login to access my server.

I auto-generated a complicated password that I had to write down and save, so that I could remember it next time I log in to my FTP. I’m ashamed to admit that two of my passwords were the same and would have been pretty easy to guess.

Install a firewall

My friend Ryan (who once had 100 WordPress blogs crash in one day due to a hacker) recommended a WordPress firewall plugin.

This is a free program that protects your blog from attacks and injections (whatever those are). When someone tries to hack your site, it sends you an email to notify you.

Other takeaways

I learned a few takeaways from the experience:

1. Backup all your files, so that if you do lose something, it can be easily restored. (If you’re on WordPress, check out my friend Adam’s tutorial for backing up your blog.)
2. Save your drafts offline. I’m moving over all my posts to Evernote so that they’re saved in the cloud. In the terrible event that I might lose all my posts, I could then re-post them. I also now save a copy of post drafts on my computer in my “blog” folder.
3. Be ready. Every blog that I follow and respect has been hacked at some point. Plan for disaster. It will happen.

Concluding thoughts

• Having a good, customer-friendly host is essential.
• Having a friendly, neighborhood geek you can call up is really important.
• Having a great tribe and online presence in other social media outlets really helps. Within minutes of my site being down, people were notifying me. I am so grateful for the community this blog has created.

Further reading:

• My site’s been hacked – now what? [Google]
• My site was hacked [Wordpress]
• How to prevent your site from getting hacked [General]

Has your blog or website ever been hacked? What did you do? Is your site ready for an attack? Share your thoughts and best practices in the comments section. (Click here if you’re reading this via email or in RSS.)

*Photo credit: Flickr