Last year, I thought I’d had my worst day in business when I had to repackage inventory costing $2000. That seems like a walk in the park now. Without doubt, the worst moment of my 10+ years online was getting hacked.
When you get hacked it feels like you’ve got a nasty infection and no one wants to get near you. People’s faces screw up when you mention it. Previously helpful online collaborators suddenly give you the cold shoulder. Having an intruder in your hosting account looks bad. You’re unprofessional, unsafe, and dangerous to know. People don’t want to associate with that.
It’s like the stigma associated with catching an STI. Because no one wants to talk about it, you can’t find out what to do when you get hacked. This lack of information sharing exacerbates the problem.
Dealing with a hack
I would rather be robbed. Dealing with a hack means finding the vulnerability that led to the intrusion, plugging it, finding out what other malicious material the intruders left on every site on that server, painstakingly cleaning up the mess (which has been cleverly hidden away) and moving hosts or servers. It costs so much time.
Dealing with a hack is like getting divorced: You’ve got endless amounts of shit to deal with and it’s all your fault. Security professionals are just like divorce attorneys. They’ll screw you at impressively high hourly rates whilst blaming you for everything that happens before, during and after.
It’s. All. My. Fault. I know. Thanks for reminding me.
So, how did it happen? And the blame game
It’s estimated that only 44% of web traffic is from human beings. The rest is from bots, hacking tools, scrapers, scammers and spammers. An estimated 37,000 websites are hacked every day.
There’s a saying in web security circles: “there are two types of website owners: ones who know they’ve been hacked and ones who don’t yet know they’ve been hacked.” The best hacks are undetected. Just imagine, Facebook, Amazon, and Google are probably getting hacked right now. And maybe they’re losing millions and they don’t know how or how much. Maybe that’s why they don’t pay tax. 😉
How did I get hacked? Unfortunately, I don’t know exactly. But a WordPress plugin with known vulnerabilities is the most likely candidate.
A website has a lot of moving parts: the host, the DNS, the CMS, the plugins, the server configuration, the content, the functionality, etc., and all of them have to be working correctly. Behind all these moving parts are human beings creating and running them. Humans make mistakes.
I want to be honest and transparent about what happened. Some humans may have made mistakes, which I’ll document, but I really want to emphasise how this was all my fault. I will also tell you what I’ve learned, and if this helps anyone secure their site then it’ll be worth writing this article.
Being hacked is no fun. It turned me to drink. OK, that’s not true. But I don’t want anyone to be hacked. Not even the hacker. No more blame.
The story starts with membership plugins
Unfortunately, when I started selling video courses, platforms like Teachable were in their infancy. So, I decided to use WordPress membership plugins to protect and sell video content. Big mistake.
In December 2016, I was on my third WordPress membership plugin, called DAP (Digital Access Pass). (The fact that I’d been through three WordPress membership plugins tells its own story.) The Google Alert I have for “Rob Cubbon” alerted me to a mention of my name that I wasn’t so pleased about.
A site called OpenBugBounty.org reported that a “researcher” called “Spam404” had identified an XSS vulnerability affecting the learn.robcubbon.com website. I found “Spam404” via a quick Google search and I dropped him an email. He replied:
The vulnerability was in the URLs of the buy buttons generated by DAP, the membership plugin I was using. I immediately contacted DAP. They were aware of this vulnerability and were working on a new shopping cart that would cost $400. I paid the $400 and anxiously awaited the shopping cart update.
While I was waiting for the update, weird things started to happen
I first realised that something was wrong when people were telling me through social media that some of my course pages were redirecting. I tried to recreate the issue but couldn’t. However, after trying a few times, I saw this:
My heart sank. Imagine clicking on an internal link on your site and seeing the sales page of a product you know nothing about. The above sales page is for digital/membership access to a “life healing” product. The page was served from my site.
Looking at the site’s files over FTP, I saw where the above rogue HTML page was being served from. I immediately deleted that directory and everything I knew wasn’t “mine”. This was another of my mistakes. If you ever find files or directories on your server that shouldn’t be there, don’t delete them. Once the files are deleted you can no longer match them against the server logs to find out who put them there (the IP address) and when. That could have provided essential information for plugging the vulnerability. I learned this from my host, Liquid Web.
I emailed The Stillpoint Foundation (see logo above) but I never heard back. It’s unlikely that they were responsible for the hack, of course. It’s more likely that they were hacked by the same hacker using the same technique and the hacker messed up. It’s pertinent that The Stillpoint Foundation site also uses DAP. This doesn’t confirm that DAP was the vulnerability that let the intruder in, but it makes it extremely likely. However, it could be that the hacker used the DAP vulnerability in a chain with other vulnerabilities to allow access to the site.
More details of the hack, and the hacker
A technician at Liquid Web did more rooting around. He found that there was a publicly accessible file at /wp-includes/pomo/pomo.php that, when loaded in the browser, automatically logged you into WordPress’s backend as an administrator. (The pomo directory is a genuine part of WordPress core, which is why a rogue file in it blends in.) This was the “backdoor into the WordPress backend”.
Using the logs, Liquid Web also tracked down another injected PHP file that was likely used to create the pomo.php file: /wp-content/themes/twentyfourteen/inc/back-compat.php – another mistake of mine: I’d failed to delete unnecessary theme folders that were out of date.
They deduced that the hacker was able to upload a malicious file that was then used to create and/or upload other files, one being a web shell that granted access to the cPanel account as a whole, which in turn led to other compromises.
The attacker had high level access to the site and was able to duplicate sales pages in HTML with buy buttons going to his PayPal account. The sales pages would redirect to the duplicates sometimes but not always. This is to siphon off a percentage of sales but not everything. If a hack takes 100% of a site’s money, you’d notice straightaway – the best hacks lie undetected. I paid for one of my own courses through one of the hacker’s duplicate sales pages in order to identify the PayPal account.
Email used by hacker: firstname.lastname@example.org
Name associated with PayPal email: haichun, sheng
I notified PayPal of the hack and they froze that account and canceled that payment and three others from my site. I’m actually quite surprised and a little incredulous that the hacker would have made any money. I have very few organic sales. All the sales come during email promotions.
By this point I was hard at work making sure that this will never happen again.
What I did about the hack
Quite a lot…
Goodbye WordPress membership plugins, hello Teachable
As soon as it became obvious that my membership site at learn.robcubbon.com was a security liability, I did what I really wish I’d done years ago: sell courses with Teachable.
Teachable is a course selling platform you can redirect your domain to. It looks like you’re selling the courses but, in fact, the video storage and delivery, course protection, courseware, payment gateways, integration with email marketing platforms, etc., are all handled off your site and on the Teachable platform.
I love this. If a course video doesn’t play properly, it’s their problem. If a customer is having trouble accessing a course, it’s their problem. If the platform gets hacked, it’s their problem. After three years of having all the above as my problems, this is welcome.
There are many other benefits: setting up affiliates, bundling courses, and creating free or reduced price coupons is a breeze on Teachable. It’s as easy to sell courses on Teachable as it is on Udemy, but it’s on your site and you get the email addresses. It’s the selling platform of choice for over 50% of these 10 course selling experts.
The hacked learn.robcubbon.com site is no more and now redirects to my Teachable site at courses.robcubbon.com. I emailed everyone who’d previously purchased a course, with a free coupon for the free course on the new site.
Important: if you’re reading this and you think you purchased or enrolled on any courses at learn.robcubbon.com and haven’t received an email notifying you about the shift to courses.robcubbon.com, then please contact me.
Checked all sites for further vulnerabilities and compromises
I sent 4GB of all my sites on that server to a penetration testing company to be “cleaned” of all malware.
Although I’m 99% sure that the attacker came in through the DAP vulnerability and that vulnerability would have been “plugged” by nuking the site, I wanted to make sure the attacker didn’t place a “back door” anywhere to allow further access.
The penetration testing company didn’t find one, nor did they uncover any further evidence of the hack on learn.robcubbon.com, but they did find, rather shockingly, many further vulnerabilities and evidence of past hacks. Again, most of these were my fault:
Various back-ups and other files with old versions of WordPress were found in site roots. Back-ups should be stored elsewhere on the server, outside the web root. Otherwise they can be extremely helpful to an attacker and further open the door to phishing and social engineering attacks.
Other files found lying around that could be useful to potential attackers were php.ini.bak, error logs, htaccess.bak and phpinfo.php. If you have directory listing enabled, these files can be read and provide valuable information to a hacker.
The most shocking revelation came from another of my sites, buildmybrand.net, that was a suite of tools that resized and edited images for social media sites. Multiple PHP backdoors (shells) were found in the web directory allowing attackers to execute arbitrary commands on the server. Some of the shells indicated automated attacks by multiple attackers.
I had employed a freelance developer to create the image manipulation tool with the aid of the Avery Image Editor add-on for Gravity Forms. He’d told me not to update the plugin or the site would break. Yeah, I know, another of my really stupid mistakes. Buildmybrand.net was used by a lot of people for free but had never made me any money, so I have nuked this site as well.
The penetration testing company showed me how lax I’d been with my web properties. There had been so many intrusions in the past it was frightening.
I’d even found evidence of intrusions myself after the clean up, including the above HTML calling card from Zero-X. Thanks, guys!
Set the cleaned sites up on a new server
After you have successfully plugged a vulnerability and removed all malware, it’s recommended that you change servers or hosts.
I’d planned on leaving Liquid Web as I’d been unhappy with some of their support during the hack. So I’d tried joining WP Engine. Unfortunately, I found manually setting up sites there too difficult and time consuming. I also had a bad experience with their support.
So, I thought, better the devil you know, and I stuck with Liquid Web. I’m pleased now as I have since learned more about website security and now realise that web hosts aren’t wholly responsible for website security.
As I’ve said before, this hack was all my fault. It’s just nice to find someone to blame sometimes.
Hardening WordPress and my server
There is so much to say here that I’m going to do another blog post on WordPress security. In the meantime, here’s a video on some WordPress security hardening tasks, each taking about a minute, that you could action right now.
And here’s a synopsis of what’s coming in my post:
- Regularly change hard-to-remember passwords
- Make regular back-ups stored off-site
- Update WordPress core, themes and plugins
- Delete unnecessary files and folders
- See if any files or folders have the permissions set to 777
- Disable directory browsing
- Make your site’s administration areas accessible only from certain whitelisted IPs
- Password protect the /wp-admin/ directory
- Block scripts in /wp-includes/
- Prevent PHP execution in /uploads/ directory
- Deny access to anyone surfing for wp-config.php
- Disable file editing within the WordPress dashboard.
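Several items on that list (disable directory browsing, block scripts in /wp-includes/, prevent PHP execution in /uploads/, deny access to wp-config.php, disable file editing in the dashboard) come down to a few Apache directives and one wp-config.php constant. The script below is an added example, not code from the original post or from WordPress: it writes those rules into .htaccess files under a document root you pass as an argument (a hypothetical path) and inserts DISALLOW_FILE_EDIT above the “That’s all, stop editing!” marker in wp-config.php. It assumes Apache 2.4 syntax (Require all denied) with .htaccess overrides allowed, and it blocks every PHP file under wp-includes/, which is stricter than the rewrite rules in the WordPress hardening guide; a multisite install would need an exemption for wp-includes/ms-files.php.

```shell
#!/bin/sh
# Added example, not code from the original post: applies several items from
# the hardening checklist above to a WordPress document root served by Apache 2.4.
# Everything it does lives in .htaccess files plus one wp-config.php constant;
# "wp-hardening" marker comments let it run repeatedly without duplicating rules.
# The document root path is a hypothetical argument; try it on a copy first.

set -e

# append_once FILE MARKER TEXT: append TEXT to FILE unless MARKER is already in it
append_once() {
    file="$1"; marker="$2"; text="$3"
    if [ -f "$file" ] && grep -qF -- "$marker" "$file"; then
        return 0
    fi
    printf '%s\n' "$text" >> "$file"
}

# harden_webroot DIR: write the Apache rules and the dashboard-editor switch
harden_webroot() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"

    # Root: no directory listings, and wp-config.php is never served
    append_once "$root/.htaccess" "# wp-hardening: root" \
'# wp-hardening: root
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>'

    # uploads/: media only, so refuse to serve anything PHP-like from here
    append_once "$root/wp-content/uploads/.htaccess" "# wp-hardening: uploads" \
'# wp-hardening: uploads
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>'

    # wp-includes/: include-only code, no direct browser requests.
    # A planted script such as the pomo.php backdoor described above would
    # get a 403 here even before anyone found it. Multisite needs an
    # exemption for ms-files.php, which this example does not add.
    append_once "$root/wp-includes/.htaccess" "# wp-hardening: includes" \
'# wp-hardening: includes
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>'

    # wp-config.php: DISALLOW_FILE_EDIT removes the theme/plugin editor from the
    # dashboard, so an admin session (or a stolen one) cannot write PHP through it.
    # The define must run before wp-settings.php is loaded, hence the insert above
    # the "That's all, stop editing!" marker; if the marker is missing the line is
    # appended and should be moved above the wp-settings.php require by hand.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && ! grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        awk -v line="define('DISALLOW_FILE_EDIT', true);" '
            /That.s all, stop editing/ && !done { print line; done = 1 }
            { print }
            END { if (!done) print line }
        ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    fi
}

# Demo against a constructed throwaway root; a real root already has wp-config.php
demo="$(mktemp -d)"
printf '%s\n' '<?php' "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$demo/wp-config.php"
harden_webroot "$demo"
cat "$demo/.htaccess" "$demo/wp-content/uploads/.htaccess" "$demo/wp-config.php"
rm -rf "$demo"
```

Run it as `sh harden.sh` to see the generated files on a throwaway tree, or call `harden_webroot /path/to/docroot` after sourcing it. The IP whitelisting and password protection of /wp-admin/ from the list are deliberately left out, since those values are specific to your own network and credentials.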
It’s also sensible to invest time into “webroot hygiene” and clean up your server of unnecessary files and folders. At the very least these are great places for attackers to hide malware. Look where my attacker placed one of the malicious files, in the unused Twenty Fourteen theme folder.
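The “webroot hygiene” described here, and the leftovers the penetration testers found earlier (back-ups in the site root, php.ini.bak, error logs, phpinfo.php, 777 permissions, PHP files in the uploads folder), can be checked for with a read-only sweep. The script below is an added example, not code from the original post: it lists those categories of file under a document root and deletes nothing, which keeps server logs and evidence intact as the post advises. The sample tree it builds is constructed to mirror the post’s findings; point `audit_webroot` at a real document root instead.

```shell
#!/bin/sh
# Added example, not code from the original post: a read-only "webroot hygiene"
# audit that lists the kinds of leftovers described above (backups, phpinfo.php,
# error logs, 777 permissions, PHP under uploads, nested WordPress copies).
# It prints findings and deletes nothing, so server logs and evidence stay intact.

# audit_webroot DIR: print one finding per line as "<category><TAB><path>"
audit_webroot() {
    root="$1"

    # 1. Backup copies and diagnostic files that leak configuration details
    find "$root" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
         -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.sql' \
         -o -name 'phpinfo.php' -o -name 'error_log' -o -name '*.log' \) \
        | awk '{ print "leftover\t" $0 }'

    # 2. Anything world-writable (mode 777 and friends): any local process can alter it
    find "$root" -perm -0002 | awk '{ print "world-writable\t" $0 }'

    # 3. PHP scripts inside the uploads tree, which should hold media only
    [ -d "$root/wp-content/uploads" ] && \
        find "$root/wp-content/uploads" -type f -name '*.php*' \
        | awk '{ print "php-in-uploads\t" $0 }'

    # 4. A second wp-config.php below the root usually means an old copy of
    #    WordPress left in a backup folder and still reachable over the web
    find "$root" -mindepth 2 -type f -name 'wp-config.php' \
        | awk '{ print "nested-wordpress\t" $0 }'
}

# count_findings DIR: number of findings, handy as a pass/fail threshold in cron
count_findings() { audit_webroot "$1" | wc -l | tr -d ' '; }

# make_sample_webroot DIR: constructed sample tree mirroring the post's findings
make_sample_webroot() {
    root="$1"
    umask 022
    mkdir -p "$root/wp-content/uploads/2016/12" "$root/backup-2015"
    : > "$root/wp-config.php"                          # the live install's config
    : > "$root/php.ini.bak"                            # leftover
    : > "$root/phpinfo.php"                            # leftover
    : > "$root/error_log"                              # leftover
    : > "$root/wp-content/uploads/2016/12/photo.jpg"   # legitimate upload
    : > "$root/wp-content/uploads/2016/12/shell.php"   # planted script (constructed)
    : > "$root/backup-2015/wp-config.php"              # old WordPress copy
    chmod 777 "$root/wp-content/uploads/2016/12"       # permissive upload folder
}

# Demo on the constructed tree; expected total is 6 findings
demo="$(mktemp -d)"
make_sample_webroot "$demo"
audit_webroot "$demo"
echo "total findings: $(count_findings "$demo")"
rm -rf "$demo"
```

Run it as `sh audit.sh` to see the six findings from the sample tree; on a real server, `audit_webroot /home/account/public_html` is the useful call. Reviewing the output by hand rather than piping it into `rm` is the point: a file that looks stray may be the one whose creation time ties the intrusion to a line in the access log.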
What I have learned from this unsavory episode
Apart from implementing basic security best practices, I’ve also concluded that WordPress is probably best used as a blogging platform. The most vulnerable websites are the ones that allow the most interaction with the user. I was trying to do too much with WordPress. For example, membership site plugins create multiple WordPress users which has security implications. And my online image editing tool allowed users to upload files. In a way, I was asking for trouble.
I was also pleased that I managed to stay quite cheerful during this unfortunate episode. When you work on your own business, it’s easy to feel isolated and stressed when things go wrong.
There were several things working in my favor:
- My business generates income from multiple sources and online platforms, selling courses from my own site is only one small part of the overall income.
- I was living in Thailand (the Land of Smiles) for most of the time I was dealing with the hack.
- Whenever things got me down, I’d answer an email from someone who needed help. When other people are trying to put you down, it’s great to try to improve someone else’s life. Helping people makes you happy.
- After my worst day in business last year, when I had to repackage inventory costing $2000, I’m like: “Bring it on! Throw what you can at me!” I was more invested in my success last year and I’ve since tried to enjoy the moment rather than focussing on future events.
Time I shut up
Glad you made it to the end, my friend. I hope this article helped you in some way. And, remember, keep your WordPress plugins updated.