As you may know, when I am not writing my blog, I am running the Internet Marketing and Web Design and Development company I started in 1994 (AIMG.com). I stay focused on my clients and when I wanted to start a blog I toyed with the idea of having my folks “make” me one. After all, that is what we do.
But then I thought about it some more and decided it might be a good idea to embrace WordPress, as it is a tool that is insanely popular and I get more and more people every day telling me that they have no issue whatsoever with using it as “their website”. Now, I am not here to bash WordPress. Seriously, it would be sort of hypocritical for me to use WordPress to do so. But as a result of what happened to me in April, 2012 I will never consider recommending WordPress to a business owner as their main website and method of corporate communication. After the jump, I’ll tell you why. Warning: post may contain expressions of frustration and some of these sad face things: :(
Earlier this month, DeMicco.com was hacked. HACKED! We were minding our own business and out of nowhere we got hacked. It wasn’t like someone was targeting me specifically, we were just using WordPress (and WordPress is a great tool, I am not blaming WordPress…kind of). As it turned out (many man hours later) we had actually been hacked months before that but they were so sneaky that they didn’t do anything for a long time. They were hacker sleeper agents…
How did I find out? Well, someone I had been speaking to (a potential business associate) said to me casually: “Oh, Google wouldn’t let me go to your site last night when I went to look at it, and when I typed it in I got an error.”
I said: “wha?” and my face looked like this: o_O
So I googled myself and sure enough it said my site had malware on it. How did I not know this seeing as I went to the blog at least once a week to do a post (and usually more)? Because I have a Mac. Who knew? Well, my potential customers now knew, and I was angry and confused and ashamed and I needed to get it fixed. Which brings me to the first reason that a blog is not a website:
People’s expectations seemed to be lower because it was “just” my blog. I was having palpitations but everyone else I spoke to took it in stride. I don’t think that’s a good thing.
So then I had a dilemma. Did I work on it myself (remember that WordPress is designed for people to “do it themselves”) or do I have some people from my company look into it? I decided to split the difference and have one of my project managers who has a personal blog work on it with me. I needed to see what could happen to the people who tell me that “WordPress is fine for what we’re doing”. Here is a sad sad rundown:
- Find out there are services that will “clean” your site for you if you are hacked. For money.
- Pay money
- Be informed that it is fixed but that we should pay more money for a “blog hardening” service so it is “harder” (not impossible) to hack in the future.
- Ask Google to reconsider our malware status.
- Get forgiven by Google (hooray!)
- Think about what to do with the blog (we were nervous at that point and didn’t know if we should continue it)
- Find out a week and a half later that it WAS STILL HACKED!!! :(
- Suspect that the people who fixed it didn’t really fix it. Don’t want to waste time proving it.
- Perform queries on the database to see if there are links injected into the posts
- Export database
- Download all the images and files I have uploaded over the years
- Wipe out the entire site
- Reinstall WordPress
- Import database
- Redo all the configuration I had
- Install all the security plugins we spent hours gathering information on.
- Redo the styling
- Hope that everything was fixed
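The step "Perform queries on the database to see if there are links injected into the posts" can be scripted. The following is an added example, not code from the original post: it assumes WordPress's default `wp_posts` table, uses an in-memory SQLite database with constructed rows as a stand-in for the imported export, and `OWN_HOSTS`, `LinkAudit`, `audit_posts` and `sample_db` are hypothetical names.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the blog's own hostnames


class LinkAudit(HTMLParser):
    """Collects off-site link targets and markup commonly used to hide injected links."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        if tag in ("script", "iframe"):
            self.findings.append((tag, a.get("src", "")))
        if "display:none" in style or "visibility:hidden" in style:
            self.findings.append(("hidden-element", tag))
        if tag == "a":
            host = (urlparse(a.get("href", "")).hostname or "").lower()
            if host and host not in OWN_HOSTS:
                self.findings.append(("offsite-link", host))


def audit_posts(conn):
    """Return {post ID: findings} for published posts whose content needs review."""
    report = {}
    query = "SELECT ID, post_content FROM wp_posts WHERE post_status = 'publish'"
    for post_id, content in conn.execute(query):
        parser = LinkAudit()
        parser.feed(content)
        if parser.findings:
            report[post_id] = parser.findings
    return report


def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER, post_content TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [  # constructed sample rows
        (1, '<p>Read <a href="/about">about us</a>.</p>', "publish"),
        (2, '<div style="display: none"><a href="http://pills.invalid/x">buy</a></div>', "publish"),
        (3, '<p>Clip</p><iframe src="http://frames.invalid/w"></iframe>', "publish"),
    ])
    return conn

if __name__ == "__main__":
    print(audit_posts(sample_db()))
```

Off-site links that the author added on purpose are reported too, so the output is a review list rather than a verdict.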
So there you have it. In just eighteen miserable steps and a LOT of hours I got the site back to where it was before this ever happened… So let’s go to part two of why a blog should not be your website.
WordPress (and other popular blog software) is hacked for the same reason that Windows gets viruses. EVERYONE uses it. Which means if you figure out how to hack one thing, there are 390908243902 blogs you can do it to. It pays for them to try as the potential gains are enormous. Add to that the fact that (also like Windows) it is built to be flexible and accommodate change (like plugins) and you see that the doors to the house are sort of open. Not that WordPress does not work to keep itself secure. It does. But there are plenty of people trying to break in.
So I went through all of that and it killed all the momentum for Momentum Mondays and it had me down until I realized that this was a lesson. Blogging software is for blogs. It is designed to let you express yourself. But your business website is where you make your money. It needs to have different criteria. Can you use WordPress to make a website? Technically, yes. But it still has all the same challenges. And if your business website is hacked, AND if you worked on it yourself, do you have time to do those 18 steps?
Here is the last reason (to me) as to why a blog is not a website.
If aimg.com had shown up in Google as containing malware, would YOU want to do business with me? Would you want your website to be in that boat?
Having taken our lumps, I feel great about talking to people about their blogs, making them safer, faster, better looking, etc. But I won’t let my company use WordPress to create a client corporate site. If something goes wrong with a site my company makes I can go to the person who built it and find out what happened. But if something goes wrong with a WordPress site because a client installed a plugin that gets them hacked, I know I might have 18 steps to go through. That’s no good. Not when it is someone’s business.
So that’s my sad story. We learned from it and I love my blog. Stay tuned for more great posts and have some fun. But if you want to get to work, head over to aimg.com :)