Preserved Lemons: Lessons from a Hacker

Spending the better part of a week cleaning up after what my hosting company called a “compromise” in this site’s security, I’ve been less than thrilled about settling down to write.  The “compromise” was a serious hacking of numerous files in Sass & Veracity, as well as a fledgling art portfolio site I gave my son for his high school graduation last summer, and for kellementology, the non-food blog I rarely spend time writing any longer.

The clean-up — many more than the two files the hosting company found and isolated before they alerted me — involved, among other things, more than 100 HTML files tucked into nooks and crannies like a vine creeping through a garden it doesn’t belong in.  At first, it was like looking for that needle in the haystack we so often hear about.  Part of the difficulty is obvious:  I write.  I cook.  I take photos of what I cook.  I don’t always know exactly what code is supposed to look like — especially code that is written to look similar to the real thing. And then there were the seriously creepy “Silence is Golden” comments sitting in several .htaccess files.


I didn’t mind doing any of this work.  Ultimately, I enjoy learning, and without looking at the necessary cleaning up as a huge opportunity to learn, I’d have been lost.  That doesn’t mean it wasn’t eyeball-crossing, slower than molasses in January, horribly tedious work, however.  The worst thing about it was finding out the hack job involved Google searches.  I inadvertently clicked on a spelling of my URL I don’t usually use, one that excludes the customary spaces between Sass and Veracity.  At first I didn’t notice anything, but after scanning the page I realized the listings of my content contained a variety of references to prescription drugs.  Looking at them more closely, I opened the “cached” versions and an image of my front page and header appeared with all of my pages, links, and post titles actively sporting links to a site selling those drugs.

Worse?  Some of them had the Stumble Upon button posted next to them which means my site was not only being associated with bottom-dwelling scum-sucking creatures of the planet, it was helping to garner traffic to their sites — all of which I’m sure thrive on other people’s hard work.  Interesting, isn’t it?  Someone hacks a site, then submits it to Stumble Upon and makes sure it’s cycled through on a regular basis.

At first I was disgusted.  Then alarm took over when I saw the extent of the compromise, but finally I was resigned to getting it all taken care of by eliminating the infectious files, contacting Google about the spam pages, calling ANHosting to make sure the files contained what I thought they did (insert fear of deleting the wrong files here), referencing the WordPress codex, following the clean-up advice ANHosting provided, and then just waiting to see if everything was fine.

My waiting has actually been more avoidance than anything else, because the entire experience has left me feeling creepy.  Like someone has been in my house.  I’m a productive avoidance practitioner,  continuing to cook and take photos, but I’ve also done quite a bit of thinking about this business of blogging about food, the amount of time it takes, and how much it has inserted itself into the time I used to have for other interests, like gardening, or writing about something other than food.  Paying attention to world events.  Laundry?  So I’ve been outside behind our house enjoying the early Spring weather where I am slowly giving a face lift to my long neglected patio, and thinking about what context to slot this hacking experience into.  Hint:  one that isn’t about pageviews, bounce rates, SEO, ads, who is following whom or “retweeting” what.

Call me cranky.

In the meantime, I’ll share with you what I’ve learned about how to survive — or better yet — help prevent a hacking if you’re interested, and for good measure, my second or third attempt to preserve lemons, gifted to me by my sister-in-law who has a little tree behind her house.

Preserved Lemons

I first learned of preserved lemons after hosting a dinner where my friends and I all prepared dishes from the Middle East, and one of the recipes I selected required preserved lemons.  It was too late to make them at that point, but I was so interested in finding out what their flavor might add to the dish, I decided to try and make my own.

17 lemons (10 for cutting & 7 for juicing)

sea salt

1 lg. cinnamon stick

2 bay leaves

1/4 tsp. or so whole black peppercorns

2 pinches coriander seeds

a pinch of whole cloves

a lidded jar large enough to hold all of it, with lemons completely submerged

6 weeks of time

a mildly warm, dark place

Pour enough salt into the bottom of the jar to cover it well.  Cut the stem end off the lemons and slice each into quarters without cutting entirely through them. Pull each open carefully and sprinkle the flesh generously with salt.  Put the lemons into the jar as you work, pressing down on them and sprinkling additional salt. Add the spices to the jar as you proceed as well.  When the jar is full, pour lemon juice over to cover.  Press on the lemons again to completely submerge them in the juice.  Allow to sit, turning the jar once a day and checking the progress.  The lemon rind is ready to use in recipes, thoroughly rinsed and with the pulp removed, in 6 weeks.  I’ll keep you posted.


  • I have tried one recipe for preserved lemons that was a complete fail.  The problem seemed to be in not having all the lemons completely submerged even though the recipe I followed did not say to do this.  Sounds like I’m whining, doesn’t it?  Even though my practical cook’s brain told me that food has to be IN the brine or solution it’s being preserved in, I approached the recipe very literally.  Suffice it to say that it provided an interesting moldy experiment in the recesses of my cool, dark laundry room for 2 months and wasted 6 perfectly lovely lemons.
  • Adding juice to the jar of lemons vs. simply pushing on them to extract juice seems to also be a point of contrast in the recipes I’ve looked at.  The juiciness of lemons can vary, so follow your lemons so to speak.  Add juice if necessary after pressing down on the packed jar.
  • I also tried one of the “quickie” preserved lemon recipes — many of which seem to come from Mark Bittman.  I used them in one of his salad recipes and am sad to say they ruined the salad.  So much so that we weren’t able to eat it. Again — great flavor is often achieved because of the process.  When using a quickie recipe, I
  • Most sources mention keeping the jar of lemons in the refrigerator, with some saying it isn’t required.  I went with the one that said otherwise since I’m on an experimentation track.  Maybe the third time really is the charm.
  • I’ve got 4-5 weeks to go before I can try my preserved lemons in a fabulous dish.  I have my eye on quite a few.

Here are a few additional sources for how to preserve lemons:

There are many, many more sources for preserving lemons in relatively similar fashion, but making lemon confit requires sugar.  Here’s Eric Ripert’s recipe as published at Food & Wine if you’re curious about how it might be used differently than Moroccan style preserved lemon.

Notes on Lessons from a Hacker:

  • Keep your WordPress installation, themes, plugins, and widgets updated (I do!).
  • If you have plugins or themes you’ve uploaded in the past, but are not being used, delete them from your files instead of simply deactivating them.  Even if your site is routinely updated, the files for the other things won’t be and you’ll have to sift through them as well to find the hacker’s work. (Ask me how I know.)
  • Your hosting company is your friend, so it’s helpful to be courteous.  They’d love to get rid of anyone who is putting other clients on the same server in jeopardy.  It’s not their responsibility to keep your site clean.  I was thanked for asking specific questions to help solve the problem instead of expecting them to find and fix it.  Think about it this way:  Is it law enforcement’s job to keep your home safe?  No.  I sound cranky, don’t I?

  • Get to know what’s available to you at Google Webmaster Tools.  You can report spam there and/or clear your site if it’s been identified as an attack site (thankfully, mine hasn’t been — or if it has, no one has told me).
  • Make lemonade of the lemons.  Here’s my creative depiction of some of the code I removed from my site.

lemonade out of lemons