My Blog Was Hacked & What You Can Learn From It

28 January

hackI must admit…

When I see the “Upgrade” notice in WordPress, I always wait a few weeks before I upgrade.


Because I want to give developers time to ensure their plugins are compatible with the newest version.  Not to mention there are often bugs with the new release.

Well, let me just say I will be more diligent about doing updates in the future.

Last Thursday I came home and went to my blog’s homepage and noticed a strange-looking parse error. No content was loading at all and I couldn’t even login to the admin panel.


I FTP’d into my server and noticed my theme’s function.php file had been modified three hours earlier.  I knew something was up because I wasn’t even home at the time the file was changed.

So I called my host and their awesome support staffer (shout out to Robert!) was able to quickly verify that the site had been compromised.

He asked me if I had upgraded to the latest version of WordPress (3.5).  I had, but there was a smaller security update (3.5.1) released on the same day that probably addressed the exploit which impacted my blog.

Fortunately, I had a backup of my original theme files.  So I re-uploaded the Genesis Lifestyle Theme and that fixed the issue.  Thankfully it only took a few seconds to restore everything.

That led me to think…

There are always tips floating around about backing up the WordPress database, but you should also have a backup of your actual theme folder (located in wp-content/themes on your server).

Remember, your theme files and database are stored in two separate locations.

Take-Home Lessons

1. Back up both your database and theme files.  You can download your files manually through FTP or use a plugin like that backs up both. (See Online Backup for WordPress.)

If you want to learn how to manually upload/download WordPress folders and files using FTP, I have a tutorial on my static site.

2. If you’re re-uploading the original theme folder, don’t overwrite the style.css file because it may contain customizations you’ve made.

I was glad I remembered that on Thursday.  That would have been a pain to make all those modifications again.

The same goes for your favicon file.  If you’ve uploaded your own favicon, be careful not to overwrite it with the original theme favicon (if applicable).

3. Upgrade to the latest WordPress version as soon as you can.  Like a lot of you, I would wait because of potential plugin incompatibility.

Not anymore.  If I have to disable a few of them, so be it.

4. Contact your theme developer and let them know what happened in case there’s an exploit with your theme.

In my case, it was more than likely a security hole in v3.5 since it happened right before a new security patch launched.

How I Back Up My WordPress Sites

I used to use WP Database Backup which would email the file, but the database got so large, my mail server blocked it.

There is an option to store the backup on your server, but I don’t want a copy of my database just sitting on my hosting account.  Too risky.

Now, I just manually download my database through my hosting control panel, and I also manually download the theme files via FTP.

Backing up your database manually is pretty easy.  It may sound intimidating, but all you do is login to your hosting account and go to the “Database” area.

Most web hosts have phpMyAdmin installed…


If you use cPanel, just click the phpMyAdmin icon and it will take you to a screen that allows you to export your database.

Select the following options in the screenshot below, and a download of your entire database will begin.

export database

Your screen may look a bit different depending on the version of phpMyAdmin you have.  This is 3.5.5.

When it’s done, you will have an .SQL file on your computer.  This is your complete WordPress database with your posts, pages, and comments.

Yes, you can use the WordPress Export feature in the Tools menu, but I like having the entire database structure.

And I know plugins are convenient as well, but I just feel more comfortable doing the backups manually because I can physically see that it’s being done correctly.

I’ve heard stories about people using plugins, only to realize (when it was too late) that the plugin wasn’t backing up correctly or completely.

When’s the last time you did a full backup of your site?  Please share your routine.

You May Also Like…