This is an incomplete post. I’m going to keep doing research on this, but I wanted to share what I’ve learned so far.
First of all, the story. Earlier this month my website started running slow. I’m now guessing this was the beginning of the problem, and maybe if I had approached things differently, it would have been over sooner. What I did was to call the hosting provider. They said they could find nothing wrong on my end, and then suggested moving my site to a new “faster” server. In fact, before I could say, “let me ask my web designer,” the guy went ahead and pushed the button.
They also suggested I check my plugins. Since my plugins are, by and large, what makes my site pretty, I next contacted my web designer. She said she would have her programmer look over it.
Now the site was taking 30 seconds to a minute to load. In Internet time, this is Forever. I disabled and even deleted plugins. Nothing helped. Meanwhile, the programmer found something: when I called, they had moved my site to a Windows server. Since my site is a WordPress site, Windows servers are bad news. They said to tell them to move it back as soon as possible. To my hosting service’s credit (GoDaddy) they seemed truly sorry, and moving the server, which they say can take a couple of days, was complete in a matter of hours.
The problem was not solved, though. I had to go out of town, with no Internet access, to visit my parents.
We got back to town Monday night. It was Thursday night when I found the problem … my site had been hacked, and someone was attempting to redirect my visitors to another url. Certain browsers, such as Firefox, seemed to be simply ignoring this, but others, such as Safari (btw, the most popular web browser based on my Google Analytics stats) were returning an error message.
When I looked up this problem, the first advice in the WordPress codex article was similar to the old Hitchhiker’s Guide books: DON’T PANIC. Which is just what I needed to hear, because believe you me, I was panicking. Since I had a wedding on Saturday, and a rehearsal for said wedding on Friday night, I had very little time to devote to this, so I passed it on to the web experts. Here’s what they did, copied from the email my designer sent me:
- Disabled then reenabled WordPress theme and WordPress plugins
- Deleted and recreated .htaccess file.
- Reloaded all core WordPress files for a fresh installation.
- Prior to this backed up your entire site to be safe.
The site runs fine now. But I’ve learned a few things, and I want to share for the sake of my photographer friends.
1. WordPress is going to be a target for hackers. This just stands to reason. WordPress is becoming one of the most popular platforms for web sites. Newspapers, big name brands, local businesses … so many people use WordPress. It becomes a prime target for malware and viruses, just like PCs are a bigger target for viruses because of their popularity. The people who write malicious code want to have the biggest impact possible. This doesn’t mean that you shouldn’t use WordPress, any more than it means you shouldn’t use a PC. You just need to be careful.
2. Update. Keep WordPress updated. This is one of the recommended measures for “hardening” a WordPress site, again from the WordPress codex. Update plugins as well as WordPress itself. (Before you do this, though, see Number 6!)
3. Keep an eye on your site. Of course we all check in on our sites regularly, right? Don’t assume things are running smoothly. Check. Check on different browsers, devices, and internet connections, if you can.
4. Don’t be afraid to ask for help. I called the GoDaddy people 8 or 10 times this months. That’s what they are there for. They helped me do a few things, and were very patient with me.
5. Have a good team on your side. The team at Mockingbird Creative saved my butt. I was able to go off to a wedding knowing that they were handling things. Though WordPress can be learned by the average person, I don’t advise anyone to try and do it all themselves. Who knows when disaster may strike, and your attention may be needed elsewhere? As photographers, we have to keep our primary function in mind, and be willing to go to people who are experts in their own field when necessary.
6. Back up your site often. I now have a plugin called “Backup and Move” installed on my blog, and one of my New Year’s resolutions is to back up the site regularly. I’ll also be downloading a backup to my array storage. If someone hacks your site, you want to know you have a “clean” backup somewhere that won’t contain the bad code. Also, if for some reason an update goes wrong, you haven’t lost your site.
7. As part of all this, and in an attempt to get my site running faster, I did something that all photographers and photo-heavy blogs need to do: I installed a caching plugin on my site. I used W3 Total Cache, but there are others available. I had seen this recommended on a blog post months ago, and had just neglected to do it. Photographer’s sites can get bogged down pretty fast because of the size of all the files on there. This can improve your site’s performance and even lead to higher page rank.
8. Using third-party sites for sales is very, very good. My shopping area is actually a site within a site, with a secure server for payment that is completely separate from anything that happens on my site. I can only imagine the nightmare if my clients felt their security had been compromised!
Web sites are our virtual real estate, and in today’s market, they can actually take precedence, for our clients, over brick-and-mortar stores. I found that having your website hacked is like having your business burglarized or vandalized (except without the benefit of insurance). There’s a sense of being violated, a recovery process, and frequently an investment in recovery that must be made. In the end, hopefully the lessons learned can be of benefit to me, and to others.