I've been volunteering for my church for about a year, helping with their website and social media. They did a big redesign last summer and I helped get the content in shape and over in the new template. (I am a content person and writer, and there were designers in charge of coding) Then the site went live and the web design firm went MIA, and I was basically left on my own to sort out different issues.
The site is built on WordPress. I am not a WordPress expert, but I can figure things out and follow online tutorials, etc. But I was panicky about doing any updates without clear instructions from the web firm about backups, even just as part of a hand off of responsibilities to me, but no instructions ever came. No matter how many times I asked.
So what happened IS my fault, in that I wasn't more vigilant in updating WordPress myself. Things seemed to be OK so I just let it lie. Bad idea.
I'd noticed the site coming up as "potentially dangerous" in my browser's security bar, but I didn't look into it until the church accountant got a message from a member to that effect. I first updated WordPress (and it didn't break anything!), and then I contacted our host.
The host flagged our site as suspicious and said they would shut down our account if we didn't delete a certain file in 24 hours. Ruh, roh!
But since they told me the file I could go in and clean out the malicious code. I also updated all of the themes, plug ins, etc. and changed all the passwords as directed. BUT when I updated the theme ... POOF! Goodbye theme customizations.
*SOB SOB SOB*
The host does backups of the site and keeps them for a few days, so since I caught it soon enough I knew I could get an old one and then upload an old version of the theme via FTP. Well I didn't know that at first, but after I took Jane to the park and thought about it for a while the idea came to me -- and it actually worked, and the site went back to looking right with the customizations.
But that means our theme is not the latest version, leaving us vulnerable to hacks, and I'm not sure I've completely cleaned the site, and I'm especially worried that there's still a backdoor into the site and we'll just keep getting hacked and flagged.
I finally got a response from the web design firm. We're not active clients, and our contact there seems to have left the firm. But someone wrote back and said they'd look into it. I don't know what to expect (this firm also left tons of broken images and links throughout the site when they pushed it live from their testing server, among other unprofessional, frustrating things).
So I was feeling OK, thinking that at least we were stable for now. And then I tried to add a link to a post -- just updating it. And I couldn't edit the HTML and clicking "add link" icon did nothing. On top of everything else it made me want to beat my head against the wall. I googled, googled, googled and found directions to add a line of code to one of the files. And it appeared in enough of the WP help forums that it seemed legit. So I did that and it worked. I can edit the posts again. I still need to get used to the new version of WordPress and figure out if anything else got broken during the update.
I also don't know if maybe my computer is involved at all. There's only one other person who really updates the site, so I assume something could have gotten in through her computer. Or perhaps it was just through the site itself and a security breach within the theme.
My pulse has raced more times today than it has anytime since I haven't been working. I care SO much when I work and have projects/responsibilities like this. It's fun to figure things out and fulfilling to end up with a good end product that people like and use. But the process to get to that is so full of angst I can hardly stand it.
**I didn't really cry, but man I was a TERRIBLE mama to Jane during this ordeal ... which is still ongoing.