Before I begin my cautionary tale, I must warn you it is lengthy but it's a story I feel strongly I must share. Also, in my story I mention my site host, BlueHost, for whom I am an affiliate. If you should use the link provided below and decide to buy a hosting service from BlueHost, I will receive a percentage of the sales price but it in no way impacts the price you pay.
Why the Cautionary Tale?
Like most of you, I function using a self-hosted WordPress site. What this means in lay terms is:
- I want ownership of my site and its content.
- I want the flexibility of design choices.
- I want to depend on a site host to help me when troubles arise.
You see I'm tech savvy to a degree, but not savvy enough to handle everything related to keeping my site running. That's where I need a site host, and I chose BlueHost.
My relationship with BlueHost has never faltered, and it continues as a solid foundation for me.
What Happened to Make Me Cautious?
I strive to keep my site safe by using backups, plugins , WordPress and BlueHost advice about security, and general suggestions to protect my site.
A few months ago BlueHost notified its users of the inclusion, at no charge, of site protection against spam, hackers, and other thefts. I was grateful for what seemed an extra layer of protection for free. At the same time, WordPress highlighted a security plugin which also protected against hacks, spam and similar threats, also free.
With both free features in place, how could I go wrong? Obviously this is an area in which I lack the knowledge to understand what features will do exactly what to protect my site and me.
My Cautionary Tale
Here is what happened first
In early May, the WordPress plugin representatives began notifying me of potential malware problems. I contacted them for instructions about what I should do. Their instructions were to send these emails to them and they would sort things out.
A little over a week ago I received an email from the company BlueHost had contracted with to give security. A scan had resulted in this service finding malware on my site. I did what any conscientious owner would do and contacted them.
Immediately, I found myself talking with a sales representative. He, of course, was intent on selling a higher level of protection. And he didn't start with the least expensive of his software packages. His sales pitch was high pressure.
I decided to give myself at least 24 hours to think about what he had to offer. In the meantime, I decided to contact BlueHost directly.
Imagine my surprise when I filled out the topic on my inquiry with words "malware" and "security" and immediately someone answered the phone from the security company BlueHost had graciously supplied to its subscribers.
It took a couple of chats to actually get to someone at BlueHost who was able to explain the problem to me. He also apologized for the sales pitches, which he indicated BlueHost was troubled by.
The worst happened. I attempted to get access to my site only to learn BlueHost had shut my site down. It's hard to put into words how I felt.
Did I make a mistake in calling BlueHost? Likely the answer is no. An email had also arrived while I was talking with their customer representative. So, this would likely have happened whether I had been in contact with BlueHost or not.
What to do next? I called right back to BlueHost. I certainly felt my site was being held hostage for something I didn't do and would never do.
This time I spoke with a Terms of Service agent who explained what had been found--what is a pharma hack. That's where someone hacks your site and then proceeds to attach ads for drugs. How was I to know?
Remember those items I contacted WordFence about? I probably should have dug a bit deeper. Likely one or more of those security breaches messed up my responsibility in complying with BlueHost's Terms of Service Agreement. That was why my site was shut down--failure to remove the hacks.
Fortunately, the agent I talked with knew of an affordable security plan I could buy from the seller of the free security program BlueHost provides. Purchasing this program means scans are performed daily and when something is found, it is immediately removed. As my dad always said, "You get what you pay for."
Several things I'd like to point out from my rambling cautionary tale.
- First of all, it is important you understand what your security protection is, who is responsible for finding threats, hacks, or security breaches and seeing they are removed, and what responsibility you have in all this.
- If you have a web design company managing your site for you, this may not apply to you. But it would be good to check to make sure your understanding of your site's security.
- If you have a self-hosted site, which means you own your domain and registered it through someone like BlueHost, the onus is on you to be sure you know what is going on behind the scenes with respect to security.
- Determine for yourself what your role is in your site's security.
- Be aware of getting caught like I did and being shut down as penalty for not doing the above.
- Whether you are responsible for the hacking, you are responsible for knowing what's happening on your site and taking care to see that it is cleaned of any damaging materials.
- Always make sure any security plugins you use on your site are up-to-date. Also make certain the platform you use (i.e. WordPress, Blogger, etc.) is running its most current version.
- Always, always, always make sure to keep up a schedule of backups for your site. You want assurance you are able, if necessary to restore your site. For WordPress, I use a plugin which not only prepares backups but provides recovery.
- For reasons only you will know, these security issues should make you think twice about what you have on your site that you wouldn't want to lose. The first thing that came to my mind were excerpts from drafts of my memoir. Would they be recovered? Yes, they were, but what if they hadn't and it was something I needed.
- The last thing I want to share with you is a post I came across in my search to better understand what I can do myself with respect to any other situations like the one I've described. Himanshu Sharma, founder of Optimize Smart, wrote the post, Malware Removal Checklist for WordPress--DIY Security. Sharma lays out in a clear format a checklist for use immediately on becoming aware of malware on your site.
The best advice I can offer to self-hosted site owners is no matter what software you buy, which plugins you install, what security plans you have in place, and unless you have a professional site manager who works on your site daily and regularly maintains it, YOU ARE RESPONSIBLE TO YOUR SITE'S HOST FOR MAKING SURE ANY THREATS OF SPAM, HACKS, OR FRAUD ARE REMOVED.
Be safe out there, Sherrey