The Sorry Tale Of A Hacked Website – Or How I’ve Wasted Three Days And Counting Trying To Sort It Out!

facebook ads social media training

Just a starting point, this isn’t this particular website, it’s about another one of my sites. Now sadly just a holding page, until I’ve stopped being cross about it!

I’m writing this so that hopefully you won’t experience the same.

I’m writing about a WordPress site, with an SSL Certificate, hosted by Bluehost with a product called ‘Sitelock’ Some of this blog is a rant about Bluehost – honestly, think twice about going with them. You might also read it and think ” surely she should have known that?” Well, I’m pretty IT literate and not complacent about data security in any way. It still happened to me though. I also have top level security on my Mac, so knew I hadn’t been hacked in that way either.

Last week, I received what I thought was a phishing email from an IT security company. It said that my site was being used to scam people in the Philippines. It was essentially hosting a fake bank login page. My initial thought was ” b*llshit” and I promptly deleted the email.

A couple of hours later, I received an email from Bluehost, saying that my website appeared to have been hacked and I needed to deal with it quickly. Surely not I thought. I have ‘ Sitelock’ to protect it, Jetpack on WordPress and also an SSL certificate as an added bonus. I then started my first of many online chats with Bluehost. No exaggeration, I’ve spent 8-10 hours on online chats with them since it happened. Most of them making little sense, being full of misinformation. The initial email told me that my Bluehost hosting account was suspended.

So, chat number one, Bluehost confirmed that my site had been hacked and had a load of malware on it. They couldn’t tell me how or when it had happened. I asked them what to do, they said they’d put a file in my file manager called ” malware.txt” and that I needed to delete the files. I asked them if everything would be ” ok” once I’d done that, they said “yes”

In I went and deleted the files. Now, as I said, I’m ok with technology but it wasn’t crystal clear what I needed to do. The malware.txt file was difficult to read and I then had to locate every file on the document, within the directories and delete them. I did it. But, it wasn’t easy.

Having deleted the files, I had another torturous online chat with Bluehost where they confirmed that all was well and my account was now active.

Woo-hoo! Only it wasn’t….. That afternoon, I’d been sending emails via the connected email account. I was receiving emails and my outbox was clear. All looked fine. But guess what, despite showing as ‘ sent’ my emails weren’t sending at all! Cue a rather miffed potential new client who was waiting for a proposal and even more hassle for me. Another online chat with Bluehost showed that yet more malware was on the website. I said, ” more since this morning?” Apparently so. I’ve missed a bit here. I’d gone and changed all my passwords in the meantime, so I can only think that it was always there or the hackers were pretty efficient.

So, I went through the deleting files process again. Only this time, Bluehost had a solution. It seems that the ‘ Sitelock’ that I’d purchased in good faith last year, is pretty useless. The only way to protect my site properly was to upgrade. To their ‘ Prevent’ package – at a whopping £500 a year. Having just renewed my hosting with Bluehost (mistake) there was no way I was paying that. So, I asked what my other options where. Just Sitelock apparently…. The Bluehost chat person advised that I’d be ok with Sitelock ‘ Fix’ at still a hefty £100, which I paid.

Fast-forward a few days and lo and behold, I get an email from Sitelock saying my site isn’t secure. I query it and they tell me that according to their records, I only had the very basic protection. Hmmm, ” you’re mistaken” I told them. I’ve paid for ” Fix” via Bluehost. Apparently not….. Then, and this is no exaggeration, I spent an hour chatting with Bluehost who said I had paid, then another chat with Sitelock, who said I hadn’t. At which point, I lost my sh*t with them both via a series of social media direct messages! Ultimately, it was agreed I had paid. Sitelock ” Fix” however is also not a full solution. It doesn’t include a firewall for the website. I have one by the way, from another source. I asked Bluehost why they were insisting on pushing a solution that isn’t really a solution? They weren’t up for answering that.

I take responsibility for not having a 100% secure website. I honestly thought I did though. I also thought I’d been super careful with my security. I then remembered giving my WordPress login to someone once. Did I change my password after? I’m not 100% sure I did. Have they lost my data somehow? Did it fall into the wrong hands? I’m so careful with other people’s data. Have I been lazy with my own?

So, the moral of this story is: if like me, you do your own websites, check and double-check that you’re as secure as can be. Also, if you’re looking for hosting, please think twice about Bluehost. They’ve driven me crazy over these last few days and they’re keen to push Sitelock as the only security solution available.

Blimey, now to get back to work!