For any website manager, one of the most stressful moments in the job comes when the website gets hacked into. Even more so for smaller websites that don’t have a team of experts who look after such things.

As you may have read, in late August, the website started to be subjected to a series of persistent attacks.

Every time we (and there was outside support) thought we’d got rid of them, they came back again.

This was not a computer bot that zooms past unthinkingly seeking out flaws to exploit, which, while a pain, are fixable; it seemed to be a live human being personally attacking the website.

Some of the vectors being used were freely available on the web to find, but the profusion and variety of them put this far above the garden-variety hacking attack.

I had a lot of support, and some suggestions of how to prevent it happening in the first place.

To put some of those suggestions to bed though, while well meaning, telling a website that’s under attack that you’ve run websites for years without problems isn’t helpful.

Yes, I do keep the WordPress side of the website up to date – any upgrades that need to be applied are done as soon as the message appears in the admin screen — usually when I first log in at around 6:30am.

All passwords are totally random strings and none of them are reused elsewhere.

I use LastPass to store all my passwords, and in fact, I genuinely don’t know what any of my passwords are now — either LastPass automatically logs me in if needed, or I copy/paste the password from their service into my websites.

If someone put a gun to me and asked for my online banking password — sorry, but I genuinely have no idea what it is.

To add to the security, if logging in via a remote platform I don’t look up the password, but choose to get a new one — it’s just a way of keeping passwords fresh.

Where possible, two-factor authentication is used, so not only does a hacker need my username and password, they need access to my mobile phone. Not many systems use that yet, but where it’s available, I use it.

It’s not impossible to get around two-factor authentication, but the aim is not to make it impossible to be hacked (for that is impossible), but to put up enough barriers that only the determined hacker would bother with the layers of security that need to be overcome.

For a big website that can be worth the potential reward, but for IanVisits, it really shouldn’t have been worth it.

But for someone, it clearly was.

For all the annoyances and time wasting, and I have pretty much done nothing but deal with the hacker for the past month — if that was all it was, an annoying hacker, I would be irked, but that’s all.

That they were flooding the website with Google Adsense adverts in a way that made the webpage unreadable was extremely annoying. That they kept turning the website back on if I turned it off, was extremely annoying.

So many missed opportunities from not going out and seeing things to write about, but staying indoors and fixing the website. September is usually my quiet month when I start a big project, but this year it’s been one of my busiest and for all the wrong reasons.

(and I’ve been so focused on this that I’ve only just remembered that someone is expecting a large document I haven’t warned him will be late. Erk)

The website now seems to be secure, the layers of security have been beefed up from what was already best practice, and every single file of code is being checked by hand one by one. It’s taking weeks and still about a third of the back-end code is off-line while I get around to it.

Even now, I feel worried about turning the computer off at night lest I wake up to see the hacker is back again. Waking up in the middle of the night still means pulling out a phone to check if the website is working.

It’s been the most stressful month of my life, and considering some of the things the average person of my age has done by the time they reach this age, that’s saying something.

But after I felt I had finally dealt with the issue, for them to get into the mailserver last week and send out a phishing email to the subscriber list was soul-destroying.

The mailserver was taken offline immediately, and fortunately the hacker had routed the phishing scam link via the mailserver so it was very easy to prevent anyone being fooled by it.

But last Wednesday was probably the lowest point, after all the work that had been done, for more attacks to take place. I was close to closing down the entire thing and just giving up entirely.

What’s been done to improve things.

Security has been tightened on the website, adding in some additional layers that just make it a bit harder to log in.

The website was moved to a totally clean server, and the underlying OS upgrade was also tweaked so that any old code accidentally left in during the rebuild won’t work anyway.

Every single file is being checked one-by-one. That does mean some events functionality is going to take ages to come back, but the news articles are now all working, and I am taking the opportunity to clean up some bits I had planned to clean up anyway.

Some of the files have had increased security – probably not how the hacker got in, but, for example, if a file should never have any variables passed to it and any are, then it kills the request dead. Just adding a comfort blanket to the code that probably doesn’t make a real difference, but right now nerves are so strained that any little improvement to the security is worth it.
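
One way to write the "no variables" guard described above, as an added example that is not the site's own code. The function names and the log message format are hypothetical; it would be included at the top of any script that should never receive input.

```php
<?php
declare(strict_types=1);

// Added example: guard for a script that takes no input at all.
// Returns the reason a request should be rejected, or null if it is clean.
function unexpected_input_reason(array $get, array $post, array $files,
                                 array $server, string $rawBody): ?string
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if (!in_array($method, ['GET', 'HEAD'], true)) {
        return "method $method not allowed";
    }
    // Catches ?a=1 as well as a bare ?flag that sets no value.
    if ($get !== [] || ($server['QUERY_STRING'] ?? '') !== '') {
        return 'query string present';
    }
    if ($post !== [] || $files !== []) {
        return 'form fields or uploads present';
    }
    // JSON or other non-form bodies never populate $_POST, so check the raw body.
    if ($rawBody !== '' || (int) ($server['CONTENT_LENGTH'] ?? 0) > 0) {
        return 'request body present';
    }
    // script.php/extra/path is another way to smuggle data to a script.
    if (($server['PATH_INFO'] ?? '') !== '') {
        return 'extra path info present';
    }
    return null;
}

function reject_unexpected_input(): void
{
    $rawBody = (string) file_get_contents('php://input');
    $reason  = unexpected_input_reason($_GET, $_POST, $_FILES, $_SERVER, $rawBody);
    if ($reason === null) {
        return;
    }
    // Log only the reason and source, never the attacker-supplied values.
    error_log(sprintf('no-input guard: %s from %s on %s', $reason,
        $_SERVER['REMOTE_ADDR'] ?? '-', $_SERVER['SCRIPT_NAME'] ?? '-'));
    http_response_code(400);
    exit;
}

reject_unexpected_input();
```

Cookies are deliberately not checked, since browsers send them with every request to the site whether or not the script reads them.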

The mailserver has been migrated to an external supplier (ouch on the price).

The uploaded image files for both events and news articles are now hosted by an external provider (ouch on the price), so even if a hacker finds a way of uploading something through that, it shouldn’t kill the core website.

Maybe all that’ll keep the website alive for a bit longer.


37 comments on “When your website gets hacked – addendum”
  1. Ben G says:

    All sounds incredibly stressful. Do keep at it, though, I’d hate to lose this website.

  2. Really sucks to hear this and I’m glad you finally have a handle on it. I was hacked a few years ago and someone stole my primary domain and it cost a lot of money to get it back. The most stressful period of my life. You can do everything to prevent something like this but stuff like this still happens even when you follow the best practices. Very glad you’re back!

  3. Rich says:

    Please don’t give up mate!

  4. Tim Burns says:

    It’s been dispiriting to read of the hassle you have been through and my heart goes out to you. Thanks for keeping IanVisits going!

  5. John R says:

    Really sorry you’ve had to go through this — I can’t imagine how angry and stressed I would be. Have you thought of moving it all to a fully hosted solution (I assume the cost is prohibitive)? Also, is it something CloudFlare could help with?

    • ianvisits says:

      I already use a hosted provider, and Cloudflare is only good for dealing with DDOS type attacks, not exploiting a flaw buried somewhere in the tens of thousands of lines of code that make up the website.

      Somewhere there’s an error in the code, and finding it is the task.

  6. Mark Pack says:

    Thanks for battling through this all and keeping such a great site going.

  7. george says:

    Well done and thanks for keeping the site. It’s so interesting and useful. I can’t imagine the mentality of the tosser that kept picking on you.

  8. Jim says:

    As others have said, many thanks for fighting through this exasperating situation. I have been reading your posts most days for the best part of ten years now, and I very much hope that you will be able to carry on with the site until you’re ready to sign off for your own good reasons. I’m guessing that at least some of your readers might be prepared to help out with a bit of cash if that would help in dealing with the present situation?

  9. Dan says:

    I feel your pain. I’m a web manager myself and unfortunately, I’ve also been at the receiving end of delightful people that are intent on causing misery. So glad you got through this though, it would’ve been a real shame to see this blog disappear!

  10. Ray says:

    As a regular visitor to your web site I appreciate the amount of work that must go into maintaining the standard of your normal posts.

    I can only imagine how stressful the past month must have been for you.

    Thank you for persevering!

  11. John B says:

    Fingers crossed Ian that the pain is over. Off to London Thursday for my regular touring afternoon, and yours is the first place I go to see what’s on. Your work is much appreciated

  12. JP says:

    I am very happy that the worst is over and wish to add my thanks and appreciation to the growing pile.
    I just wonder if anyone is getting near to cracking the problem at source. Lots of eager beavers chasing the next absolutely essential thing in computing/mobiles but what’s needed is an end to this fallibility, not a scratch and sniff screen or whatever. If the car that you drove or the house that you live in suddenly locked you out and all you got from the manufacturer was a shrug and a platitude, you’d soon see them collapse into self-absorbed oblivion.

  13. Maurice Reed says:

    Glad it seems to be over. There are so many sites based on WordPress so hackers love nothing better than trying to hack them.

    Freaks in back rooms who have little willies so don’t have real lives!

  14. Marian Hardy says:

    Awful for you Ian especially when you provide such a wonderful service and fascinating information. Most of us are stressed by one day without basic computer access so for you this must have been horrendous. Sincerely hope that you can continue (after the last of your corrections) and it goes smoothly in the future. Have you thought of crowd funding for the external sites which are so costly – I’m sure this would succeed. All the very best.

  15. Jon Salmon says:

    Wow, that is so stressful and thanks for letting us all know what you have been going through. Would certainly give you a few pounds to make sure you keep the hacker away and let you get on with recommending amazing things to do.

  16. Andrew Gwilt says:

    This is why I hate hackers. They ruin people’s lives.

  17. Karin says:

    Thank you for all the work you’ve put into this. I love this site and your newsletters.
    Hope someone can buy you a nice pint sometime soon x

  18. GT says:

    Apart from adding my sympathies to all the above …
    It looks as though this was personally directed at you, out of pure malice or possible monetary gain.
    Any ideas as to whom might be responsible? ( And, no don’t tell us… )

  19. Jordan D says:

    Power to you for all the work you put in.

    I remember previously you provided a link for those of us who are regulars and value to the site to provide to the upkeep of it. Do kindly put the link up once more, so I (and I am sure others) can contribute to your tireless efforts to keep it going.

    • Dave Smith says:

      Agree – I’m sure there’s lots of people here who are willing to give some (unconditional) funding to support you

  20. Buzz says:

    Thanks for staying active!
    From a kiwi who hasn’t been to London for a few years but still likes to read about what’s going on and get jealous.

  21. Dave Smith says:

    All I can do is sincerely thank you for persisting – I know how stressed I get with relatively uncomplicated PC issues – hopefully all will be well from here on in.

  22. Paul says:

    Thank you so much for persevering, Ian, in the face of so much energy-snapping destructive activity. I hope the fact that you must be aware that you perform a service that means so much to so many people makes the efforts of the past couple of months seem worth-while.

  23. Sue Rowe says:

    I second (or third) Jordan D’s suggestion. I’m one of the many regulars who value your site and would greatly miss the weekly updates if you were to decide to throw in the towel after what you’ve been through. And I’m certainly more than willing to contribute again financially to help keep it up and running.

  24. Vernon Wright says:

    I can do no more than echo the comments above: commiseration and thanks.

    Most hacks have either a pecuniary or a political objective. There’s no money here and I see no evidence of a political slant: what in the name of Hades is the perpetrator’s motivation? Hatred, I assume … but of what?

    A sterling effort, Sir. London is fascinating; keep it up.

  25. kenneth peers says:

    Wotcha Ian, writing as someone with zero knowledge of IT problems I’m sorry to read of all yours. However I love reading your site, keep up the good work and please don’t jack it in. Many thanks.

  26. Steve Ehrlicher says:

    We need you! All strength to you and your determination.
    Best,
    Steve

  27. Malcolm says:

    It sounds truly awful – who are these spiteful people who spend their time creating havoc? However please Ian keep going – I depend on you for our trips to London. Best, Malcolm

  28. Nickrl says:

    Ian why someone wants to mess up your great work is beyond me but this seems to be one of the downsides of the internet. I appreciate your determination to beat them and your commitment to provide such fantastic information on a weekly basis

  29. David says:

    Thanks for keeping going, this website is a great source of information.

  30. Nigel H says:

    Well done.
    These people are insects.
    I remember many years ago a rather good idea before mobile phones came along was CB radio. It was completely ruined by pointless nerds.

  31. Annabel says:

    Oh Ian, I’m so, so sorry this has happened. I was travelling in September, and only really saw what you said on Facebook; it must have been soul-destroying for you. Nil carborundum illegitimi, though – don’t let them grind you down, and whatever you do, don’t let them win!

  32. Mark says:

    Just to echo other comments… thank you so much for all your efforts. Much appreciated.

  33. Jenny says:

    Well done Ian on winning through! Great site and we would all miss you so much.

  34. It must be doubly demoralising not knowing what was/is motivating the perpetrator (and implying motive may be giving them too undue credibility). IanVisits is an invaluable source of knowledge and I really value it. I am very glad you have persevered.

  35. ADS says:

    please don’t give up !

    Patreon seems to be the donation method of choice these days – please offer it soon before we all forget about your recent pain & expense !!
