This is the story of how I woke up this morning and discovered the number of visitors to one of my sites for the past few days was a big fat zero.
This is unusual, and just a little bit scary.
Then I checked Google to see if the pages were still indexed. They were/are.
Then I checked Google to see if the site ranks for its name. The home page doesn’t but inner pages do. (This is also a little scary, and worth watching for a few days, as the site should show up.)
After these simple checks, I breathed a sigh of relief and concluded that it wasn’t a penalty.
Another indicator that reinforced this was that the traffic from other search engines had also dropped to zero, and so too had the traffic from referring sites. If it was a Google penalty, the other search engines and referrers would still send traffic, so I’d have some numbers to look at.
The drop in traffic happened four days ago, when every URL on the site was suddenly redirected to the login page. As we enjoyed a long weekend due to a Bank Holiday here in the UK, I only noticed today (Wednesday).
After checking Google I started thinking about the chances of a hacker gaining access. I know the site is a constant target because I run the ThreeWP Activity Monitor plugin and it records several attempts at guessing the username and password every hour.
I checked the records for the previous few days and found the approximate time the redirects kicked in – 22:05:40 on 3rd May.
If somebody gained access through the login page at that time, ThreeWP Activity Monitor would show the details. It doesn’t.
Maybe they logged in via FTP?
I checked the logs and found one entry from May; me, uploading a custom 404.php file. So, that wasn’t the way in.
Maybe it’s some rogue code in a plugin or theme?
I concluded the point-of-entry must be a plugin.
That is, if it was the work of a hacker and not something I had inadvertently done myself? I’m still not sure.
I started deleting inactive and unnecessary plugins. I also updated the two that needed updating – nothing to worry about from them as they are both very well-known and widely used: WordPress SEO and a Pinterest plugin.
Finally, I checked the .htaccess file but couldn’t find anything wrong with it. I replaced it with another one just in case, and checked the site again. Nothing. The redirects remained in place.
After going through each of these processes without success, I switched to the $5 per month solution that saved my bacon – the backup on VaultPress (a backup and restore service owned and operated by Automattic, the parent company of WordPress). I checked the date of the last published post (30th April) against the ‘hack’ date (3rd May) and opted for a restore point somewhere in between.
By the time I walked away from the computer, made a coffee and returned to my desk, the backup was ready. I hit the restore button and a few minutes later the site was back to its former glory.
Soon afterwards, the numbers started showing again and traffic reverted to its usual level.
As it happens, I have a review of the VaultPress service brewing in my drafts. The service (controlled by a plugin) is provided by Automattic, the parent company of WordPress, and I highly recommend it.
I started using VP a few months ago as I needed a reliable backup service for my own sites and for those of a few clients.
The free backup plugins you find in the WordPress plugins directory work a treat, but restoring a site from a downloaded zip or sql file often causes problems. VaultPress takes all of the hard work out of each side of the process. I’ll complete the full review very soon and publish it.
In the meantime – thanks VaultPress!
PS I still don’t know exactly what happened, but that’s not the point of this story. The point is – prepare yourself for the worst as you never know when it’s going to happen.
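The moment a site-wide redirect like the one in this story began can also be cross-checked against the web server's access log, which helps when choosing a restore point. The script below is an added example, not part of the original post: the log lines are constructed, and the "combined" log format and the `/wp-login.php` exemption are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format (not data from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:13:58:11 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:13:59:40 +0000] "GET /blog HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2024:14:01:02 +0000] "GET /blog/ HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2024:14:03:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "curl/8.0"
-- log rotated --
203.0.113.7 - - [10/Jan/2024:14:05:40 +0000] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:05:52 +0000] "GET /about/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2024:14:06:30 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2024:14:07:01 +0000] "GET /blog/ HTTP/1.1" 302 0 "-" "Googlebot/2.1"
"""

# Captures: timestamp, request path, status code.
LINE_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse(log_text):
    """Yield (timestamp, path, status) per well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group(2), int(m.group(3))

def redirect_onset(log_text, exempt=("/wp-login.php",)):
    """Return (onset, paths) for the trailing run in which every request to a
    non-exempt path got a 3xx, or None if the log does not end in such a run."""
    onset, paths = None, set()
    for ts, path, status in parse(log_text):
        if path.split("?", 1)[0] in exempt:
            continue  # the login page itself still answers normally
        if 300 <= status < 400:
            if onset is None:
                onset = ts
            paths.add(path)
        else:
            # A normal response means earlier redirects were isolated
            # (e.g. a trailing-slash 301), so start over.
            onset, paths = None, set()
    return (onset, paths) if onset else None

if __name__ == "__main__":
    result = redirect_onset(SAMPLE_LOG)
    if result:
        print("redirects began:", result[0].isoformat(), "paths:", sorted(result[1]))
```

The combined log format records only the status code, not the redirect target, so the destination still has to be confirmed by requesting one of the listed paths.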