Cautionary Tale for All Web Site Owners and Bloggers

Before I begin my cautionary tale, I must warn you it is lengthy but it’s a story I feel strongly I must share. Also, in my story I mention my site host, BlueHost, for whom I am an affiliate. If you should use the link provided below and decide to buy a hosting service from BlueHost, I will receive a percentage of the sales price but it in no way impacts the price you pay.

Why the Cautionary Tale?

Like most of you, I function using a self-hosted WordPress site. What this means in lay terms is:

  1. I want ownership of my site and its content.
  2. I want the flexibility of design choices.
  3. I want to depend on a site host to help me when troubles arise.

You see I’m tech savvy to a degree, but not savvy enough to handle everything related to keeping my site running. That’s where I need a site host, and I chose BlueHost.

My relationship with BlueHost has never faltered, and it continues as a solid foundation for me.

What Happened to Make Me Cautious?

I strive to keep my site safe by using backups, plugins , WordPress and BlueHost advice about security, and general suggestions to protect my site.

A few months ago BlueHost notified its users of the inclusion, at no charge, of site protection against spam, hackers, and other thefts. I was grateful for what seemed an extra layer of protection for free. At the same time, WordPress highlighted a security plugin which also protected against hacks, spam and similar threats, also free.

With both free features in place, how could I go wrong? Obviously this is an area in which I lack the knowledge to understand what features will do exactly what to protect my site and me.

My Cautionary Tale

Here is what happened first

In early May, the WordPress plugin representatives began notifying me of potential malware problems. I contacted them for instructions about what I should do. Their instructions were to send these emails to them and they would sort things out.

A little over a week ago I received an email from the company BlueHost had contracted with to give security. A scan had resulted in this service finding malware on my site. I did what any conscientious owner would do and contacted them.

Immediately, I found myself talking with a sales representative. He, of course, was intent on selling a higher level of protection. And he didn’t start with the least expensive of his software packages. His sales pitch was high pressure.

I decided to give myself at least 24 hours to think about what he had to offer. In the meantime, I decided to contact BlueHost directly.

Imagine my surprise when I filled out the topic on my inquiry with words “malware” and “security” and immediately someone answered the phone from the security company BlueHost had graciously supplied to its subscribers.

It took a couple of chats to actually get to someone at BlueHost who was able to explain the problem to me. He also apologized for the sales pitches, which he indicated BlueHost was troubled by.

And then…

The worst happened. I attempted to get access to my site only to learn BlueHost had shut my site down. It’s hard to put into words how I felt.

Did I make a mistake in calling BlueHost? Likely the answer is no. An email had also arrived while I was talking with their customer representative. So, this would likely have happened whether I had been in contact with BlueHost or not.

What to do next? I called right back to BlueHost. I certainly felt my site was being held hostage for something I didn’t do and would never do.

This time I spoke with a Terms of Service agent who explained what had been found–what is a pharma hack. That’s where someone hacks your site and then proceeds to attach ads for drugs. How was I to know?

Remember those items I contacted WordFence about? I probably should have dug a bit deeper. Likely one or more of those security breaches messed up my responsibility in complying with BlueHost’s Terms of Service Agreement. That was why my site was shut down–failure to remove the hacks.

Fortunately, the agent I talked with knew of an affordable security plan I could buy from the seller of the free security program BlueHost provides. Purchasing this program means scans are performed daily and when something is found, it is immediately removed. As my dad always said, “You get what you pay for.”

Your takeaways

Several things I’d like to point out from my rambling cautionary tale.

  1. First of all, it is important you understand what your security protection is, who is responsible for finding threats, hacks, or security breaches and seeing they are removed, and what responsibility you have in all this.
    • If you have a web design company managing your site for you, this may not apply to you. But it would be good to check to make sure your understanding of your site’s security.
    • If you have a self-hosted site, which means you own your domain and registered it through someone like BlueHost, the onus is on you to be sure you know what is going on behind the scenes with respect to security.
      • Read your host’s service documents, particularly anything about terms of use, terms of service, or something similar.
      • Determine for yourself what your role is in your site’s security.
      • Be aware of getting caught like I did and being shut down as penalty for not doing the above.
      • Whether you are responsible for the hacking, you are responsible for knowing what’s happening on your site and taking care to see that it is cleaned of any damaging materials.
  2. Always make sure any security plugins you use on your site are up-to-date. Also make certain the platform you use (i.e. WordPress, Blogger, etc.) is running its most current version.
  3. Always, always, always make sure to keep up a schedule of backups for your site. You want assurance you are able, if necessary to restore your site. For WordPress, I use a plugin which not only prepares backups but provides recovery.
  4. For reasons only you will know, these security issues should make you think twice about what you have on your site that you wouldn’t want to lose. The first thing that came to my mind were excerpts from drafts of my memoir. Would they be recovered? Yes, they were, but what if they hadn’t and it was something I needed.
  5. The last thing I want to share with you is a post I came across in my search to better understand what I can do myself with respect to any other situations like the one I’ve described. Himanshu Sharma, founder of Optimize Smart, wrote the post, Malware Removal Checklist for WordPress–DIY Security. Sharma lays out in a clear format a checklist for use immediately on becoming aware of malware on your site.


The best advice I can offer to self-hosted site owners is no matter what software you buy, which plugins you install, what security plans you have in place, and unless you have a professional site manager who works on your site daily and regularly maintains it, YOU ARE RESPONSIBLE TO YOUR SITE’S HOST FOR MAKING SURE ANY THREATS OF SPAM, HACKS, OR FRAUD ARE REMOVED.

Be safe out there,

17 thoughts on “Cautionary Tale for All Web Site Owners and Bloggers

  1. Sherrey, thank you for sharing this and the link to the post on Malware Removal. Unfortunately, we all have to be on the defensive against these invaders. I use Site Lock for my security. It’s expensive but worth it to me. I am also very pleased with Blue Host.

    1. Hello Kathy, sorry to be such a slow poke, but it’s been a tough week. Thanks for stopping by to read and comment. I now have a plan with Site Lock and hope to never have to face this again.

  2. Thank you, Sherrey. This is very important to me because I plan to set up a new website soon since my “Don’t Hang UP” site was removed when I was sick. Love, Pennie

    1. Pennie, hope this helps when you get your new site up. And so sorry to hear your site was removed. Let me know if at any time I can encourage or answer any questions about this malicious internet world we do business in. Love you too, Sherrey

      1. Sherrey, Thanks for your words. I shall have to do it before long. Just need to finish “Coronada” and start walking properly first. Probably in August.

  3. Sherrey, my hair is standing on end as I read this report! I’m so sorry this has happened to you, and thank you for the tutorial. I did use a self-hosted WordPress site for a few years, choosing InMotion as my host site. I did have a hack. Fortunately it was nothing as terrible as your experiences and the InMotion rep immediately identified the problem and fixed it.
    One security measure you failed to mention is to CHANGE YOUR PASSWORD, and change it OFTEN. When I worked for a bank twenty years ago (before we could log onto any bank functions over the web) we were required to change our internal network password once a month, and we could not recycle passwords in less than a year. Maybe designate the first (Saturday?) of each month as password changing day for everything that matters. LastPass or a similar password vault makes this easy to manage.
    I don’t want to hijack your post by explaining why I LOVE Google’s Blogger, other than to say that in eleven + years, I’ve never had a problem of any sort there, and all Google services (except expanded Google Drive capacity) have always been totally FREE. That said, I do not advise people to hop around from one site to another, a guaranteed way to shrink your mailing list.

    1. Sharon, I thought of you as I wrote this and reflected on our last phone call. As I realized what had happened, I told Bob I was “returning to Blogger.” His response? “Don’t overreact.” I haven’t done anything yet, but it seems being self-hosted at WordPress keeps getting more expensive by the day, not because of charges from WordPress but all the ancillary services you need to keep things up and running.
      I did forget the password rule: CHANGE AND CHANGE OFTEN. At the law firm where I worked, it was once a month. I’d just get used to the newest one and I’d have to change it. Perhaps I can do a short addendum to this post separately to mention your comment. OK with you?

      1. Of course. But I suspect that few people are likely to circle back and reread. Perhaps the comment is enough. You can always bring it up again in a newsletter or future post.

        1. Wise thinking. Newsletter would do the trick; so would future post. Thinking strongly where I’m going to be website-wise.

  4. Holy crap Sherrey, that was scary! I have malware protection and sitelock and lord knows what else to protect my site, but it seems these days nothing is enough. I’m sorry for your pain and will go through my protection ammo once again now that you’ve mentioned. Thanks. <3

    1. Holy crap is what it was, Debby! It seems every day I’m purchasing something else to protect myself against ID theft, hackers, etc. Thanks for being a faithful follower. And as for my share buttons? Are you thinking of the row of icons below a post? I don’t use them any more. Instead there’s a line down the right margin of the screen (pink and black). Do you see them? Let me know.

      1. I hear you Sherrey. Every time (like tomorrow) I have to call my hosting about an issue, I somehow find that I’ve spent more money on something new they alert me to. And I just noticed your ‘share buttons’ along the side. I had looked all over before, or so I thought. Perhaps you might think of moving them to under the post as I really didn’t notice them on the sidebar. I often find readers don’t look at the sidebars. So if you notice your posts aren’t being shared as much, this could definitely be why. Just trying to help from my experience. 🙂 Hope your tech issues are over! 🙂

  5. Thank you, Sherrey. I’ve sometimes thought of switching to a self-hosted site, but I remain on in part because of the security provided. I appreciate your cautionary tale.

    1. Hi April and thank you for stopping by. You know I never dug deep enough to see what the security protection was on Maybe I’d better check into that.

Comments are closed.