Over the weekend, some crazy-ass hackers got their paws on my hosting account and wreaked havoc for a little bit. I’ve been creating websites for just over ten years and I’ve never had anything like this happen to me before. (Happy new year!)
HOW. RUDE.
I always thought of hackers as one of those “it couldn’t happen to me” deals. I was wrong. And I’m a professional! So, let’s talk about how to co-exist in a world with these menaces.
How to deal with an attack
First things first, you need to submit a ticket to your hosting provider. They will be able to tell you if the attack was on the server or to your website specifically. If they’re a good hosting provider, they will also have clean backups of your files and databases so that they can clean out the bad stuff and replace it with an earlier version that hasn’t been tarnished.
This is one of those times you’ll really appreciate having a good hosting provider instead of a cheap fly-by-night pseudo-solution. If you’ve never had to submit a ticket to your hosting account, I’d do it just for fun. Just make something up. Submit a ticket saying you need to know how to change your billing information and see how long it takes them to get back to you. If you haven’t heard back in an hour, you need to consider changing providers. I’m serious. Your website is serious business and they should be treating it as such. If you decide to change, Noah and I use and recommend Super Green Hosting and Blue Host. (Feel free to e-mail me if you have any concerns about your provider and want an opinion.)
You should keep regular backups of your files and content as well. If you’re using a CMS, I would recommend periodically doing an export of your content — that way, worst case scenario, at least you haven’t lost your entire blog.
Friendly tip: Compose your entries outside of your CMS so that you always have an up-to-date backup of everything you’ve written.
Friendlier tip: Use Google Docs. It auto-saves every ten seconds and you can access it anywhere. I write almost everything in either a GMail draft or a Google Doc. (I learned this trick about halfway through my first semester back to college. Hey, it sucks when you lose half a research paper because your computer decides to poop a puppy.)
Okay, once your site is fixed (or in the process of being fixed), change your passwords. All of them. Hosting, FTP, mySQL, your CMS, everything. And pick a great password. You probably already know that ‘password’ isn’t a good password. Neither is “ilovekittens” or “tomatosoup123″. You probably also already know that you shouldn’t be using any dictionary words, and you SHOULD be using a combination of numbers and both uppercase & lowercase letters.
It may not be a terrible idea to just uninstall and re-install everything. I resorted to this yesterday. I first uninstalled all of my WP plugins and downloaded new, updated versions… but things still seemed a little wonky to me, and I just wasn’t comfortable with that. Clean slate for me, yes please.
One more thing – have your anti-virus software of choice do a scan of your computer to make sure that nothing was downloaded to your local machine. Yeah, they can do that too, those little whippersnappers.
How to prevent an attack
Not being attacked in the first place is preferable over cleaning up after a mess, right?
You already know that good passwords are important. It’s also important that your site is up to date. This means keeping up with upgrades to your CMS and to any plugins or modules your sites may be running. If you’re using a blog site (like blogspot or wordpress.com), these updates happen automatically. If you’re running a self-hosted version, though, you’ll need to do these updates yourself (or pay someone to do them). Never fear, however. This isn’t as difficult or time-consuming as it sounds. If you’re running a self-hosted wordpress.org install, you should check out the Auto Upgrade plugin.
You should also make sure that all of your files are set to their appropriate permissions. These vary depending on the file and folder, but as a rule, you should never have anything set to 777. Just don’t do it. If a plugin requires that it be set to 777 to work, find a different plugin.
So, keep your stuff up to date, set your permissions appropriately, what else? Lastly, don’t allow anonymous comments on your blog. SQL injection can occur this way, and it’s dangerous. You can either set all comments to require approval or (as I do), require that the first comment by an author be approved before they can leave comments freely.
In closing…
Forgive the dry boringness of this post. I promise it’s worth it. I can’t tell you how frustrating it was to deal with hackers over the weekend — this site is my business, and when people load it and see an image like the one above, it’s bad for my reputation. The reality is that it can happen to anybody (those hacker kids – they are smart), but the other reality is that I was a bit lax in keeping my stuff up to date, and I paid the price.
» Filed Under cyberculture
4 Responses to “How to co-exist in a Hacker-y world”
Leave a Reply
Hi Leah, i came to your blog via a comment you left on Skellies and prior to that via darren’s problogger newsletter…
There is a lot of practical advice here, thanks.
just a couple of questions if you have time, though i will do some research on my own too.
what is CMS (i think i may be a little less professional than you) and how does Google Doc’s work, is there an advantage to saving as you write?
ps happy new year.
[Reply]
leah Reply:
January 8th, 2010 at 8:41 am
Hi Chris,
CMS stands for “content management system” — for example, wordpress, drupal, and joomla are each a CMS.
Google Docs is pretty self-explanatory – it has a big area for composing your document, and little buttons near the top for formatting and other tools.
The advantage to saving as you write is, of course, that it minimizes your risk of losing your work. Say you’ve been writing away in Word for an hour and the wind suddenly knocks the power out – computer is off, so the Word document is gone. (Word auto-saves too, but it’s not as reliable as Google Docs.)
It really just comes down to personal preference.
[Reply]
Thanks – clear and precis, a help too.
so i guess Blogger is a CMS too.
[Reply]
very helpful, i remembered hackers playing on with governement websites.
[Reply]