My afternoon was spent going through my blog and reverting to previous versions of my articles, as my username and/or password had been compromised, and the hacker had made subtle changes to my write-ups to add links to various business websites, which were loosely related to my write-ups.
Obviously, the first thing I did was change my password, which is kinda annoying as I had been using this password for the best part of 10 years without an issue. I have tracked the date back to early October 2018 that I got hacked, and found 29 posts had been edited to add links. Some edited posts went back as far as 2006, while others were posted more recently, as recent as just one month ago.
The only reason I noticed the hack is because I received a rare pingback, and the pingback text made no sense in relation to the post on my blog that was linked to. When I investigated, checking my blog, I found a link to a website I had never heard of before. So, I investigated further and found another post with links I did not create. Keen to find how bad the hack was, I searched for and found a plugin which allowed for sorting by last modified date; amazingly, that’s not a stock feature of WordPress.
And once sorted by last modified date, 29 of my posts had been edited with the aforementioned links, going back roughly eight months. Thankfully WordPress has a feature that allows you to compare and restore revisions of each post, highlighting the changed content, making it easy to spot the edits. Despite this, I still spent more than 90 minutes checking and restoring posts to remove the links.
I’m not sure whether the hacker used my email/password combo on my server, or if they got into my blog via WordPress.com, which is linked to my blog via Jetpack. The password was different on my self-hosted blog and WordPress; either way, I changed both, which will hopefully stop any further intrusions.
If you’re a WordPress user, be it self-hosted or otherwise, I would recommend checking your blog for these links to random businesses, especially if the hack did originate from WordPress/Jetpack.
I implore you to get a password manager. Using a password for 10 years really should not be done. And if, like most users, you reuse passwords, then all it takes is another site to be compromised for your non-unique password to be out in the wild.
Last year I was actually able to identify and alert a service that they had been compromised, as I had received an email from an extortionist claiming to have access to my PC, using the password as evidence. It was clearly a single-use password and I linked it back to the compromised site. After alerting them (and receiving the usual “we have no evidence of a hack”) and several months, they eventually sent out an email to all users confirming they had been compromised. During this time, however, I was safe in the knowledge that password was unique and could not be used to compromise other services.
I don’t use a password manager as such; however, I do have unique, randomly generated passwords for most of my online activity, which I store in a password-protected file. I used the same password on this blog for 10 years as there is no real damage to be done other than hijacking the blog like what happened, and I back up my files and database weekly.