Have you read How to recover your Hacked WordPress Site (Part-2) yet?
Stage 6: Getting back to (almost) business as usual.
The new mindset: As mentioned above, before you are done with this clean-up process you will need to look at security in a whole new light. At the very least, respect the fact that your ability to keep attackers out rests on your ability to maintain a security-first mindset from now on. So, along those lines, let’s discuss a few quick topics pertaining to security that you can mull over now that the immediate emergency is over.
After my emergency was over, I took some time to comprehend just what had happened, and after the initial anger died down, I realized how easily I could have avoided all of these issues with a little forewarning and planning. My biggest problem was that I had thought that my hosting provider would do more to protect me from the dark side, but in reality this was a huge presumption on my part. Had I known this blogging world was really just another version of “the Wild, Wild West”, I might have been better prepared, but the reality is that some things you just have to learn on your own.
Rethinking how you approach password management: Since you’re already rethinking how you approach security in general, this is a good time to reconsider how you maintain your passwords for the various websites and applications you use. As mentioned at the beginning of the article, around the same time as I discovered the hack, I had also found a new service called LastPass. Fifteen years ago I was just as guilty as most people of using the same passwords for multiple applications and websites. For the last 10+ years I had been relying on a couple of websites to randomly generate my passwords, but then manually keeping track of all the various sites and accounts in an Excel spreadsheet, which was quite tedious.
Download and install the “LastPass Manager” service for Windows and your favorite browser plugin: LastPass is a play on words for their commitment to their users: “The last password you’ll ever need to remember”. I can certainly attest to the truth of this statement. There are several other password managers out there, but I have to say, I like this one best because it fulfills every requirement I had for a password manager in a single application. It works equally well on both websites and Windows applications, replaces the built-in password managers in Windows and Chrome (or IE or Firefox), and encrypts the saved vault with 256-bit AES, keeping a copy both locally and in “the cloud”, so your data is always available, even when you don’t have an internet connection. Keep in mind that the whole vault is only as strong as the single master password that unlocks it, so that one password has to be long, unique and not written down anywhere. And the greatest part for me is its ability to generate super-hard-to-crack randomized passwords of a user-defined length. It’s free for personal use, and LastPass Premium is only $12 a year. You can’t beat that! I think you’ll agree that after using the free service, you’ll want to support the developers by buying a Premium Pass. Look for a future product review of LastPass!
Morals vs. ethics: Now for the less technical aspect of the fallout that you are going to have to deal with eventually. Sooner or later you will need to decide whether or not to disclose to your users the fact that your website was hacked. You could just keep the whole thing a secret. There are definite pros and cons either way: disclose and your user base might panic; stay silent and it can be far worse in the long run, because users who reused their password on your site won’t know to change it elsewhere until someone else’s account is compromised. It’s a moral issue, but at the same time it’s an ethical issue as well. How are they different? The nutshell version is that morals define the personal character of the individual; the decision you make here will help define who you are to the world. The ethical aspect is how society in general treats this same issue. Most people find their morals shaped by the ethics of their society, belief system, or religion. In light of the NSA and other government agencies running amok, society has recently taken to defining disclosure as the ethical norm, typically granting forgiveness to those who provide transparency on such issues. I would suggest that you take some time to discuss this issue with those in your organization who matter, and seek legal help if you think you will need it. Needless to say, this decision is entirely yours to make.
Download and install the “DISQUS” plugin: I managed to sidestep the whole issue for one big reason: I did not have a user base that could log in (that is, I had closed the subscription process), opting instead to use Disqus for any and all comments. Since there was no user who could be concerned that the favorite password they use for all websites might be compromised, it was easy to decide to publish the fact that I had been hacked. It’s also part of the ever-evolving work-in-progress topic that is security, so at the very least it makes good fodder for a blog “how-to” article.
Always check yourself: Another step down the path of hardening your personal security is to find ways to challenge it and test how well it actually performs. Take the LastPass Security Challenge, where LastPass rates the strength of the password for each account it can find in your vault (80% of the score). It also assesses the total number of passwords in your vault (10%) and how many of your accounts use multi-factor authentication (the remaining 10%). I’m currently scoring only 87.1%, but I am slowly increasing the score a few points every month…
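As an added example (not part of the original post, and not LastPass’s own code or scoring formula), here is a small Python script that audits a vault the way the Security Challenge above is described: it estimates the strength of every password, counts the vault size and MFA coverage, and combines them with the 80/10/10 weighting the post mentions. It also does two things a practitioner would want on top of that: it flags any password that appears on more than one site (a reused password scores zero no matter how long it is), and it proposes replacements of a user-defined length drawn from the operating system’s CSPRNG, as discussed in the password manager section. The vault entries are constructed sample data with hypothetical sites and passwords; the entropy thresholds, the “50 entries is a full vault” cut-off and the exact weighting are assumptions made for the example.

```python
import math
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List

# Full printable ASCII set, minus whitespace, for generated passwords.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

WEAK_BITS = 64.0        # assumed: flag entries estimated below this
FULL_MARKS_BITS = 80.0  # assumed: estimated entropy that earns a full strength score


@dataclass
class Entry:
    site: str
    username: str
    password: str
    mfa: bool = False


# Constructed sample vault: hypothetical sites, users and passwords only.
SAMPLE_VAULT = [
    Entry("bank.example", "alice", "Correct-Horse-9!Battery", mfa=True),
    Entry("blog.example", "admin", "wordpress1"),        # short, and reused below
    Entry("forum.example", "alice", "wordpress1"),       # same password again
    Entry("mail.example", "alice", "xK7#pL2$vQ9@mN4w", mfa=True),
    Entry("shop.example", "alice", "Summer2013"),        # short, no MFA
]


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password of a user-defined length, drawn from the OS CSPRNG
    (secrets), never from random.random()."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length times log2 of the pool size implied
    by the character classes present. A dictionary word like 'wordpress1' is
    really far weaker than this model says, so treat the number as optimistic."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def strength_score(password: str) -> float:
    """0.0 .. 1.0, saturating once the estimate reaches FULL_MARKS_BITS."""
    return min(entropy_bits(password) / FULL_MARKS_BITS, 1.0)


def audit(vault: List[Entry]) -> Dict[str, object]:
    """Score the vault roughly as the post describes the Security Challenge:
    80% password strength, 10% vault size, 10% MFA coverage.
    A password used on more than one site contributes zero strength."""
    uses: Dict[str, int] = {}
    for e in vault:
        uses[e.password] = uses.get(e.password, 0) + 1
    reused = sorted(e.site for e in vault if uses[e.password] > 1)
    weak = sorted(e.site for e in vault if entropy_bits(e.password) < WEAK_BITS)
    no_mfa = sorted(e.site for e in vault if not e.mfa)
    strength = sum(0.0 if uses[e.password] > 1 else strength_score(e.password)
                   for e in vault) / len(vault)
    size_term = min(len(vault) / 50.0, 1.0)  # assumed: 50 entries earns full marks
    mfa_term = sum(1 for e in vault if e.mfa) / len(vault)
    score = 100.0 * (0.8 * strength + 0.1 * size_term + 0.1 * mfa_term)
    return {"score": round(score, 1), "reused": reused, "weak": weak, "no_mfa": no_mfa}


def proposed_rotations(vault: List[Entry], length: int = 20) -> Dict[str, str]:
    """A fresh CSPRNG password for every entry that is reused or weak."""
    report = audit(vault)
    targets = set(report["reused"]) | set(report["weak"])
    return {site: generate_password(length) for site in sorted(targets)}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print(f"score: {report['score']}%")
    for key in ("reused", "weak", "no_mfa"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
    for site, pw in proposed_rotations(SAMPLE_VAULT).items():
        print(f"rotate {site}: {pw}  (~{entropy_bits(pw):.0f} bits)")
```

Run it on the sample vault and the two sites sharing “wordpress1” are reported as reused, all three short passwords as weak, and the score lands just under 49% before any rotation. Rotating the flagged entries and turning on MFA where the site offers it is exactly the kind of month-by-month improvement the Security Challenge is meant to drive; the generated passwords are meant to be stored in the manager, never remembered.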