By day, I’m a computer security professional. It’s nowhere near as glamorous as it sounds (unless it sounds not glamorous at all, in which case you’re spot on!). But it has its benefits, and one of those is that I get to learn about mistakes other people make — so I can avoid those mistakes myself! And also so I can share the lesson with you.
There’s safety in numbers.
What’s It Do?
I’ve written a series of posts about protecting yourself, your ani-blogging website, and your readers. The category is called Blog Safety. It’s been about a year since the last safety post (as opposed to the Safety Dance), but something has come up that I think you should all know about. It’s a very real threat that that a recent article in ZDNet called “today’s largest WordPress hacking operation.”
The attack is devastating. It installs a back door into your site, which means they get complete access to your site — and everything in it. The infection immediately replicates itself to every theme that’s installed. If your site is on the WordPress shared server, the infection will spread to other WordPress sites on that server.
The criminal group controlling the infection is called WP-VCD. They way they make money, as the article I linked to above says, “involves inserting keywords and backlinks back to their distribution sites.” They also use their infection to make your site display their advertising.
And just to make sure no one gets the wrong idea: No, WP-VCD do not look like or act like “criminals” like Revy from Black Lagoon. The are serious, seasoned professionals who are, unfortunately, very good at what they do. Not that Revy isn’t good… Capture from the Hulu stream.
A Self-Inflicted Wound
Here’s where “no free lunch” comes into play. WP-VCD appropriated many paid WordPress themes — themes that reputable vendors offer to customers like us ani-bloggers. Those vendors charge for their work, though. Internet culture being what it is, an unsuspecting blogger will come across one of these hacked themes for free, figure it’s worth the risk, and install it.
Within seconds, their site will no longer belong to them. In some cases, they might not even realize it right away.
So, the lesson to take away from this is not to use pirated or stolen themes. It’s not worth the risk. If you don’t have enough money to buy themes, stick to the free ones available in the WordPress marketplace. They are some great choices there. I’m using Editorial Plus, and it’s doing everything I want it to. At least for now.
Getting rid of the infection isn’t a task for the faint of heart. The best procedure I could find is from MalCare. It’s a clearly written approach, but it will take time. Time you could be spending writing. Note: The MalCare post mentions they have a plugin to automate removal. I’ve not tested it, so I can’t comment on how well it works. If you’ve used MalCare, please let me know in the comments — I’d love to know how it worked.
Keeping a blog running can be a lot of work. Heck, the act of writing itself can be a lot of work! You can protect yourself from even more work by not installing pirated or illegally obtained themes or plugins. It’s not really an issue of right and wrong. It’s an issue of keeping your site yours! I enjoy reading your content, and I want to do my part making sure you have the time to write it!