Years ago, hacker implied "very smart person" but today it's often "smart person you want to choke."
Over the last few days I've spent many hours cleaning up the mess left behind by some guy that "wanted the challenge" of erasing some useful data, then replacing it with his own.
His method of attack: Stealing/sniffing admin passwords.
What a little weasel.
Open source software like WordPress, Joomla and thousands of others all have one thing in common: They have a screen where you enter an ID and password to control your site. If weasels get hold of your login info, you too will be wanting to choke strangers many timezones aways.
When a site gets hacked, there are specific steps you take to get things back to normal.
This is the universal starting point, much like karate students use the "hee-ah" just before breaking a board. A good curse clears the mind, steadies the hand, but mustly just comes out because getting hacked almost always never comes at a convenient time.
2. Lock the site
It's a crime scene, so just like in Law and Order, get out the yellow tape and keep others from mucking up your evidence. I usually put up a message like, "We are upgrading today" followed by a smilely face. Not that he's watching, but you don't want to give the hacker the satisfaction of knowing how you really feel.
Note: If your site held important data, take the WEBSITE off line, not just the application. e.g., If you stored consumer credit info on your Wordpress, suspend the site, not just WordPress.
3. Assess damage
Sometimes the little weasels only change your home page. Another common/irritating payload: inserting Viagra and Xanax ads as posts or entries into a guest book. In addition to determining what they changed, you want to learn how they did it. Think of it as a burglary. You walk around to find out what's missing then figure out which door/window they used to gain access.
4. Fix it
If you have a pre-hacked backup of your data, then it's a simple fix. Absent that, return to Step 1. Also, keep in mind "pre-hacked backup" means the backup was before your site was compromised. In some cases, I've seen hacked sites that went on running just fine for a month ... so by the time it was discovered, every backup was a different copy of the hacked site.
My Tips For Choke Avoidance
Tip 1: Don't Use Weak Passwords
A friend called me last week with some degree of panic. Their Wordpress site had been hacked on the 29th of July at about 7AM EST. I know this because the hacker reported it. That was so polite.
I'm not really sure what happened, all I know is that the site was defaced and data deleted. The hacker logged in as the admin, entered the correct password then acted like a fully disgruntled employee by deleting all users, all comments and about half the posts. Before they left, they uploaded their own home page so it was clear they had been there.
Within a few minutes after they finished, they headed over to Zone-H to report their accomplishment. (yes, there are sites dedicated to collecting information about attacked websites, and in many cases, the hackers are the ones reporting the crimes)
The hacker that vandalized my friend's site had done six others (all Wordpress) that same day. (maybe more, but that's all he reported to Zone-H)
I'm not really sure how he gained access, but I did confirm the admin password was weak.
Tip 2: Be Careful In WiFi Coffee Shops
99% of the time, when you are logging into your website control panel, you are sending your ID and password over an unsecured http connection. If your site is important to you, and you make changes from public locations, spend the $20 and encrypt the connection by adding an SSL certificate. (So you login via https) Another way: Use a Verizon/Sprint card to connect as sniffing data there is much more difficult.
Tip 3: Cancel Accounts When Employees Leave
Kill IDs as soon as they depart. Even if they weren't disgruntled, it's a door you don't want open. If you have to terminate someone, then cancel their IDs before they're released. There are many websites where the disgruntled can anonymously publish IDs and passwords so weasels can take credit for "cracking" your security.
Tip 4: Don't use Admin as the ID
Often when software is installed, admin is the default ID. Change that. Weasels need two things to get into your site: ID and password, If you use admin, you've already given them half of what they need to make your curse.
If you want to read more about what to do if you've been hacked... click me