On Friday, December 10, 2021, all four of our production websites, adultchildren.org, acawso.org, acaworldconvention.org, and acawsoec.org, experienced an injection hack. In an injection hack, malicious code is inserted into a website so that it redirects visitors to another website. In our case, the redirection sent our website users to a site where the hacker has an affiliation or a pay-per-click agreement; by redirecting our traffic to their affiliate sites, they make money.

During the hack, our IT group was locked out of our websites. Consequently, we contacted our host, A2 Hosting, to investigate the issue. The code injection was so pervasive throughout the sites that a decision was made to restore our server from backup rather than attempt to clean it up. Unfortunately, each time we restored the server to an earlier date, we found that it was still infected. This indicated that the hack had been implanted many days before it was activated. These restores of the whole server had to be performed by A2 Hosting and took some time to complete. The farther back we restored, the more data we would lose. Initially, restores were done one day at a time, but after doing this 5 times without solving the problem, we decided to roll back to 10 days earlier to expedite the servers coming back online. By mid-morning on Saturday, December 11, 2021, all servers were functioning normally.

Members of our volunteer IT team deserve credit for working diligently throughout the night until restoration was complete. We did, however, learn some very valuable lessons during the restoration. Specifically, we did not redirect the hacked sites to different pages early enough. Also, we were so involved in doing the work that we didn't keep the Fellowship as promptly informed of the situation as we would have liked.

We ultimately found that the hackers likely accessed our sites through a vulnerability in a plugin (an add-on to WordPress, our website software). A patch had been released by the plugin author within the previous week but had not yet been applied.

Since the hack, the IT team has met with a WordPress cybersecurity expert, and the following changes were made to harden our servers against future attacks:

  1. Plugin updates that do not need to be manually tested were set to auto-update.
  2. A scanning service was engaged to alert us if any versions of our software have known vulnerabilities.
  3. A Web Application Firewall (WAF) was added. This is a barrier that traffic passes through before entering our server.
  4. An Endpoint Application Firewall (EAF) was added. This is a second barrier that resides on our servers.
  5. Server administrators now use two-factor authentication based on authenticator codes. This makes it harder for outsiders to access our sites.

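Item 1 above (and the unapplied plugin patch described earlier) can be implemented in WordPress itself, so that security releases are installed without waiting for a volunteer to log in. The following is an added illustration written for this page, not the WSO IT Committee's own configuration: a must-use plugin (placed in wp-content/mu-plugins/) that uses WordPress's real auto_update_plugin filter to enable automatic updates for every plugin except a short, hypothetical list that still needs manual testing. The plugin basenames in the list are constructed placeholders.

```php
<?php
/**
 * Hypothetical must-use plugin: auto-update all plugins except those that
 * must be tested by hand before release.  Added example for this page,
 * not the WSO IT Committee's configuration.
 */

// Constructed placeholder list of plugin basenames that still require manual
// testing.  A basename is "<folder>/<main-file>.php"; replace with real slugs.
const WSO_MANUAL_TEST_PLUGINS = [
    'example-payment-gateway/example-payment-gateway.php',
    'example-custom-forms/example-custom-forms.php',
];

/**
 * Decide, per plugin, whether WordPress may install an update on its own.
 *
 * @param bool   $update Default decision WordPress would make.
 * @param object $item   Update offer; $item->plugin holds the plugin basename.
 * @return bool          true to auto-update, false to leave it for a human.
 */
function wso_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, WSO_MANUAL_TEST_PLUGINS, true ) ) {
        return false; // hold back: a person updates this one after testing
    }
    return true; // everything else updates as soon as a release is available
}
add_filter( 'auto_update_plugin', 'wso_auto_update_plugin', 10, 2 );

// Keep WordPress core on automatic minor (security and maintenance) releases too.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
```

Automatic updates are run by WordPress's scheduled update check, so WP-Cron (or a real system cron job that triggers wp-cron.php) must be running for this to take effect; if updates appear to be enabled but never install, that is the first thing to verify. The held-back plugins still show as needing an update in the dashboard, which keeps the manual-test queue visible instead of silently stale.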
The cybersecurity expert tells us that it is very unlikely that any data was compromised, as the purpose of the injection hack is to make money with redirects.

In ACA, we learn that we are allowed to make mistakes and to respond with compassion rather than shame. In that spirit, we appreciate the encouragement that the Fellowship has shown the IT Committee throughout this process. Just like in our recovery work, we learn from our mistakes. We continue to make security a priority to protect our servers from hackers.

In Service,

The WSO IT Committee