For any website manager, one of the most stressful moments in the job comes when the website gets hacked into. Even more so for smaller websites that don’t have a team of experts who look after such things.
As you may have read, in late August, the website started to be subjected to a series of persistent attacks.
Every time we (and there was outside support) thought we’d got rid of them, they came back again.
It wasn’t a computer bot that zooms past unthinkingly seeking out flaws to exploit (those are a pain, but they are fixable); it seemed to be a live human being personally attacking the website.
Some of the vectors being used were freely available to find on the web, but the profusion and variety of them put this far above the garden-variety hacking attack.
I had a lot of support, and some suggestions of how to prevent it happening in the first place.
To put some of those suggestions to bed though, while well meaning, telling a website that’s under attack that you’ve run websites for years without problems isn’t helpful.
Yes, I do keep the WordPress side of the website up to date – any upgrades that need to be applied are done as soon as the message appears in the admin screen — usually when I first log in at around 6:30am.
All passwords are totally random strings and none of them are reused elsewhere.
I use LastPass to store all my passwords, and in fact, I genuinely don’t know what any of my passwords are now — either LastPass automatically logs me in if needed, or I copy/paste the password from their service into my websites.
If someone put a gun to me and asked for my online banking password — sorry, but I genuinely have no idea what it is.
To add to the security, if logging in via a remote platform I don’t look up the password, but choose to get a new one — it’s just a way of keeping passwords fresh.
Where possible, two-factor authentication is used, so not only does a hacker need my username and password, they need access to my mobile phone. Not many systems use that yet, but where it’s available, I use it.
It’s not impossible to get around two-factor authentication, but the aim is not to make it impossible to be hacked (for that is impossible), but to put up enough barriers that only the determined hacker would bother with the layers of security that need to be overcome.
For a big website that can be worth the potential reward, but for IanVisits, it really shouldn’t have been worth it.
But for someone, it clearly was.
For all the annoyances and time wasting (I have done pretty much nothing but deal with the hacker for the past month), if that was all it was, an annoying hacker, I would be irked, but that’s all.
That they were flooding the website with Google Adsense adverts in a way that made the webpage unreadable was extremely annoying. That they kept turning the website back on if I turned it off, was extremely annoying.
So many missed opportunities from not going out and seeing things to write about, but staying indoors and fixing the website. September is usually my quiet month when I start a big project, but this year it’s been one of my busiest and for all the wrong reasons.
(and I’ve been so focused on this that I’ve only just remembered that someone is expecting a large document I haven’t warned him will be late. Erk)
The website now seems to be secure, the layers of security have been beefed up from what was already best practice, and every single file of code is being checked by hand one by one. It’s taking weeks and still about a third of the back-end code is off-line while I get around to it.
Even now, I feel worried about turning the computer off at night lest I wake up to see the hacker is back again. Waking up in the middle of the night still means pulling out a phone to check if the website is working.
It’s been the most stressful month of my life, and considering some of the things the average person of my age has done by the time they reach this age, that’s saying something.
But after I felt I had finally dealt with the issue, for them to get into the mailserver last week and send out a phishing email to the subscriber list was soul-destroying.
The mailserver was taken offline immediately, and fortunately the hacker had routed the phishing scam link via the mailserver, so it was very easy to prevent anyone being fooled by it.
But last Wednesday was probably the lowest point, after all the work that had been done, for more attacks to take place. I was close to closing down the entire thing and just giving up entirely.
What’s been done to improve things.
Security has been tightened on the website, adding in some additional layers that just make it a bit harder to log in.
The website was moved to a totally clean server, and the underlying OS upgrade was also tweaked so that any old code accidentally left in during the rebuild won’t work anyway.
Every single file is being checked one-by-one. That does mean some events functionality is going to take ages to come back, but the news articles are now all working, and I am taking the opportunity to clean up some bits I had planned to clean up anyway.
Some of the files have had increased security. It’s probably not how the hacker got in, but if, for example, a file should never have any variables passed to it, then if any are, it kills the request dead. It’s just adding a comfort blanket to the code that probably doesn’t make a real difference, but right now nerves are so strained that any little improvement to the security is worth it.
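As an added illustration of that kind of guard (example code written here, not the IanVisits site’s own code), the snippet below assumes a PHP file on a WordPress site that is only ever meant to be included by other code and should never be called with any input of its own. It checks every channel a caller could use to pass data in, logs a one-line note of what arrived (without echoing the input back), and aborts with a 403 before anything else in the file runs. The function name and log wording are assumptions for this example.

```php
<?php
// Added illustrative example, not the site's own code: a guard for a PHP
// file that should never receive request parameters. Put this at the very
// top of such a file so that any supplied input aborts the request before
// the rest of the file executes.

function reject_if_request_has_input(string $script_name): void
{
    // Every channel through which a caller could hand data to this script.
    $offending = [];
    if (!empty($_GET))   { $offending[] = 'query string'; }
    if (!empty($_POST))  { $offending[] = 'POST fields'; }
    if (!empty($_FILES)) { $offending[] = 'file upload'; }

    // Raw body catches JSON or other non-form payloads that never populate
    // $_POST (php://input is not available for multipart uploads, which
    // the $_FILES check above covers).
    $raw_body = file_get_contents('php://input');
    if ($raw_body !== false && $raw_body !== '') {
        $offending[] = 'request body';
    }

    if ($offending === []) {
        return; // Nothing was passed: let the file carry on as normal.
    }

    // Record the event so repeated probing shows up in the server log.
    // Only the channel names are logged, never the submitted values.
    error_log(sprintf(
        'Unexpected input to %s from %s: %s',
        $script_name,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        implode(', ', $offending)
    ));

    // Kill the request dead: no output, no further processing.
    http_response_code(403);
    exit;
}

reject_if_request_has_input(basename(__FILE__));

// ... the file's normal code follows here ...
```

The usual WordPress idiom of starting an include-only file with `if (!defined('ABSPATH')) { exit; }` complements this: that line stops the file being requested directly at all, while the guard above also refuses parameters that arrive through a legitimate include path. Neither replaces keeping the code patched; they only narrow what a stray request can do.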
The mailserver has been migrated to an external supplier (ouch on the price).
The uploaded image files for both events and news articles are now hosted by an external provider (ouch on the price), so even if a hacker finds a way of uploading something through that, it shouldn’t kill the core website.
Maybe all that’ll keep the website alive for a bit longer.