IWSG: Toll of trolls

Hi, all, it’s Sher today and maybe only me from now on. It’s IWSG day, or the Insecure Writer’s Support Group day, a time to post my writing insecurities for all the world to see. Kind of scary. But not as much as what happened last year or what happened from December through most of Feb.

But wait. First, the credit for IWSG goes to Alex J. Cavanaugh.  Thanks, Alex!

Thank you to today’s cohosts as well:  Lauren Hennessy, Lisa Buie-Collard, Lidy, Christine Rains, and Mary Aalgaard!

Okay, now for today’s insecurity: nobody will ever read what I write. Thanks to the toll of trolls, that fear just came to me  —  mere seconds ago.

This isn’t an unfounded fear. For starters, take last month’s IWSG post. I posted right on time but nobody read it. Why? Because they couldn’t unless they ignored Google’s warnings or their antivirus’ warnings. My blog was hacked in December, two or three times. Hackers are like trolls hiding under a bridge. Anybody who came across my site could have been the next victim.

The first thing I did was track down and contact the first hacker. He was sorry after he learned he’d hacked a children’s book blog when he attacked the insecure Arvixe server. He told me I needed to change permissions on my config file and add a firewall to my cPanel. Done. Of course, I removed all the spam links, thousands upon thousands. But even though I spent about 8 hours every night trying to find the malware, I couldn’t.

The hacking continued. So I hired a security expert to clean my site and close the back doors. He never found all the bad code either. Neither could any of the security plugins and malware scanners I added.

One small favor: changing my theme made my blog show up on my desktop. My phone, however, kept showing the “hacked by…” message. In late Jan, I got an email from the security guy when he thought he’d cleaned everything. I asked him to keep hunting because I could still see the “hacked by…” message when I previewed most themes, and my emails still had garbled titles including a “hacked by…” message. Eventually, all my sidebar widgets disappeared, so I had to log in through WordPress.com. By then, I think the security guy had given up. He didn’t respond to emails.

The hacker trolls were taking a huge toll on my time and my health, way too much after last year’s debacle when I spent 6 months throwing up after a botched surgery and almost starved to death before I could get the damage corrected. I debated whether blogging was worth the trouble. I think that’s what I posted in February’s IWSG. As a bridge to success, my blog failed. What good is a writer’s platform that keeps crashing?

I resigned myself to the fact that blogging could not possibly help my writing or editing business more than it hurt me. I was sick almost every day. Worse, my blog might hurt others who tried to read my posts by spreading the infection. Finally, I realized that the next hacker might leave porn on my site where kids would see it. This is a children’s book blog, after all.  I couldn’t just abandon it in such a state. Grrr!

Back to unhacking. WordPress forums advised deleting all my unessential plugins, inactive widgets, and themes, but none of those actions worked. Neither did changing my blog character set back to UTF-8 from the UTF-7 that some hacker inserted. I used online decoders for a bunch of base64 gobbledegook. I found one hacker’s file and deleted it. Woo-hoo! Too bad it wasn’t one of the new ones. Sigh.

Next up, I tried to learn the coding and SQL database languages to find the formatting errors that made my email titles read: “</title>Hacked by aAn<DIV style="DISPLAY: none"><xmp>” (the short version) or “+ADw-/title+AD4-Hacked by aAn+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-” (one of the longer versions). At least I recognized the HTML, but where did my blog store the Microsoft formatting? It sure wasn’t where the old WordPress forums said it was, and I couldn’t find it in my blog options table either.
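
The two strings quoted above are the same text: the longer one is the shorter one written in UTF-7, the character set mentioned earlier in the post. As an added example (not part of the original post), this Python script decodes UTF-7 runs in exported text values and flags the ones that hide markup; the row names and the harmless values are constructed for illustration.

```python
import re

# A UTF-7 shift sequence: '+', modified-base64 characters, optional closing '-'.
SHIFT = re.compile(r"\+[A-Za-z0-9+/]+-?")
# Characters that should not be hiding inside an encoded run of a title or option.
MARKUP = set("<>\"'=&")

def decode_utf7_runs(value):
    """Decode each UTF-7 run in value; return (decoded_text, hidden_chars)."""
    hidden = []

    def repl(match):
        token = match.group(0)
        try:
            plain = token.encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return token  # ordinary text such as "2+2", not a valid run
        hidden.append(plain)
        return plain

    return SHIFT.sub(repl, value), "".join(hidden)

def scan(rows):
    """Return (name, decoded_value) for rows whose encoded runs hide markup."""
    findings = []
    for name, value in rows:
        decoded, hidden = decode_utf7_runs(value)
        if MARKUP & set(hidden):
            findings.append((name, decoded))
    return findings

# Constructed sample rows (hypothetical names). The first value is the longer
# string quoted in the post; the others are harmless text.
SAMPLE_ROWS = [
    ("site_title", "+ADw-/title+AD4-Hacked by aAn+ADw-DIV style+AD0AIg-"
                   "DISPLAY: none+ACIAPgA8-xmp+AD4-"),
    ("tagline", "Kid lit reviews: 2+2=4 fun"),
    ("footer_text", "Picture books through YA"),
]

if __name__ == "__main__":
    for name, decoded in scan(SAMPLE_ROWS):
        print(f"{name}: {decoded}")
```

Run over the text columns of a database export, a check like this surfaces values that look like harmless ASCII but turn into HTML once a page or mail client interprets them as UTF-7.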

As a last ditch effort, I deleted all the database files left behind by plugins and themes I had already deleted along with every image file that had changed since December. One of those must have held the bad code. At last my email titles stopped showing garbled text. Since then, I’ve been able to see my site on desktop, tablet, and phone.

So far, so good. I messaged the first hacker via Facebook to find out if he could still get into my site.

He said, “See your server (grin emoticon) all the sites Down”

If you click the link, you’ll see a long list of website defacements reported by a hacker’s organization. That’s a lot of hacked websites. I panicked — until I realized the IP address was for Arvixe, not my new host. My files are visible, but they’re not my current files at Fast Comet. At first I thought I should delete the Arvixe files, but why? Any changes a hacker makes will just get deleted off the server when my contract expires. And for now, my old files are serving as decoys while I continue to harden my new files.

Bottom line: For the near future, I’ll probably only post for IWSG, and I’ll probably blog alone to avoid the risk of my blog partners signing on in an unsecure hotspot and starting the whole cycle again.

Oh, to answer Alex’s question about how I tracked down the first hacker, I just searched the “hacked by …” message on Bing, and the hacker’s Facebook page showed up in the list. I searched for the other hackers the same way, but only the first responded to my requests for help.  He said the last hacker injected code into my database. The first hacker even sent a list of commands to deny entry to my database in the future. Of course I thanked him.

The last message he sent was: “ (heart emoticon) you will my mom (kiss emoticon)” and “you Welcome ^^”.

There you have it, the one bit of sunshine shining through the darkness.

I submitted my reconsideration report to Google to get off their blacklist. Once that’s done, I hope I’ve paid my last troll toll.  But I don’t want to step on the bridge again until I know for sure. And that might never happen. However, if this information helps even one person avoid getting hacked, it was worth the time it took to post it. One long leap for me, one small service for other writers. Can I count that as turning my insecurity into a security?








Indie author-friendly freelance editor, children's book blogger for picture books through YA, kid lit, SF/fantasy lover with special fondness for middle grade, pun-loving SCBWI member, meter-maid for poetry and rhyming picture books.


  1. Wow, what you have gone through. Amazing! I am so sorry that it happened. I tried to get on your site last month and in February and kept getting thrown out. I read also one of your messages saying that you were hacked.

    I now hope all is over and that you decide to keep blogging.
    All the best.

    My IWSG post is at:

    Pat Garcia

  2. I’m sure that was not fun at all. Ugh. Hope you steer clear of those trolls, er, hackers!

  3. My IWSG is about some hack attempts I’ve gotten lately. I’ve tried to be on top of it, and Wordfence told me of a lot of attempts coming my way. Wordfence blocked them, but it was still bothersome. I decided to also get BPS Security to try to help me out. Basically restricting who has access to my site. These days, you have to be on top of that, and not just have the ‘out of sight, out of mind’ approach, or else you will get hacked and deal with a serious issue that may cost you money.

    As I try to tell people, there is no such thing as 100% security on the web. Just because you haven’t had any noticeable problems, doesn’t mean people haven’t tried. Start today in securing yourself.


  • Notice

    All content is copyrighted and may not be used in any form without proper credit and links. For purposes other than charity or education, printed materials require prior written consent. Disclaimer: Most books were provided free in exchange for an honest review. All opinions are my own.