Categories
Security Wordpress

Hacked Again

My site was hacked again the other day – this is common enough for WordPress sites.  If you’re not on top of it you could have it hacked, pretty much automatically.

This part I knew.  It still got hacked, and I learned a few more things.

1 Back up your site!  This could mean a DB and files backup (plugins, themes & uploads folder) but it really should be more thorough.  Use something like UpdraftPlus to create scheduled backups.  If you’re running VestaCP, you may have daily backups of your whole user setup.  All of this is a good start!

Don’t Panic

Now at this point if something happens, there is no need to panic when something goes south!  You can definitely recover from bad stuff, even if you need to get help.  You’ve done good already and are ahead of the game.

2 Upload those backups to an offsite location – Google Drive, OneDrive, S3, a local drive on your personal system through SFTP or whatever.  It should be set-and-forget.  This is not something you want to have to remember to do.  You will have to either only backup once a week or use some technique to thin backups.  If you need daily backups, you probably don’t need daily backups going back several months!  Figure out what makes sense for your storage capacity and security.  Check it occasionally to make sure it’s working.

3 Know how to restore your backups – and know how to do it in a worst case scenario – i.e. you can’t run WordPress because it’s still hacked.  Learn how to do it from the command line or from uploading a known good set through SFTP.  VestaCP has a fantastic web-based restore tool but if you are using older backups, you might need to understand how to do it on the command line.  It’s not easy, but it’s in your hands.  Remember, don’t panic.  You’re in charge.

4 Install a security plugin.  Sucuri and Wordfence are two highly recommended ones, and they will help you get set up and harden your site against attacks.  They can help you recover after attacks as well, by restoring plugins and themes from known good sources.  The basic (and very comprehensive) plugin features are free.  Just install it and set it up.

5 Monitor.  If you have something like Jetpack (you should) it will tell you about your site being offline.  Something like Sucuri can let you know if your site has changed (e.g. if it’s been hijacked to forward to a malware/scamware site).  If you get alerts quickly, restoring to the previous day’s backup is MUCH easier and quicker than having to go back and work out exactly when the hack happened, which is what you face if you don’t look at your site for weeks at a time – like me.

6 When you have a success story, write down what you did and what you wish you did.  Publish it just like I’m doing now.  Help others, especially your future self to recover from what could otherwise be disasters.


Update 1: Reinfected today – but I was instantly notified by email.  I restored via my control panel, which took about 3 minutes.  I also firewall banned the IP address I got in the security report, so it wouldn’t happen again.

Lessons:

  • #5 above is amazing.  I didn’t lose anything because I acted quickly. I was able to restore from a backup that was a few hours old because Sucuri emailed me immediately.
  • Sucuri didn’t harden my upload directory like they said it would.  It was still infected via a zip file upload and a PHP file in that directory.  I added the following .htaccess file to my uploads directory:
# Block direct requests for any PHP file under wp-content/uploads (Apache 2.2 syntax;
# Apache 2.4 without mod_access_compat needs "Require all denied" instead of "Deny from all")
<Files *.php>
Deny from all
</Files>
  • Apparently there is a decent free web app firewall called BulletProof.  It will do the next step and block attackers and brute force.  Although I haven’t had these types of attacks (probably because I have host access and can use fail2ban and handle my own firewall), I am investigating it.  It’s definitely ugly but maybe with some research it will be worthwhile to install.
  • Sucuri’s site scanner works pretty well; it showed a dropped infected file that was still hanging around after cleanup.  You can click all of the files that show up and delete them (or ignore them) en masse.
  • When you do a restore, such as with VestaCP, it does not remove additional files.  This is good, but note that it will leave infected files in place.
Categories
Linux Networking Server Wordpress

Great VPS Experience

I have been using shared hosting from 1 & 1 for a few years now. No big complaints (except their domain management page is terrible) but I needed a bit more flexibility. I suppose shared hosting with its inherent limitations helps you develop a certain way, but I wanted a bit more.

For one, I wanted a much more flexible IMAP server setup. I was getting something like 100 mailboxes at 2GB each, but what if I wanted to totally move off of gmail and use 5GB? Setting up one or two archive accounts seemed… Messy.

So I did some research and found lowendbox.com. It is a bit intimidating at first because you don’t know what to look up, or what questions to ask, like “what is OpenVZ, and does it matter for what I want to do?” Or “what happens when I lock myself out?” (Notice, that’s when, not if). “What about if I want to wipe it out and start fresh?”. “Do I need one of these control panel products?”. I have those answers now, if you want. 😀

Well, I didn’t have any very clear answers to any of these but I decided to try it out, with a great special from LEB for $56/year for a 2GB machine from ServerMania.

This. Stuff. Is. Cool.

If you have never done any admin work on Linux, set up your own server or anything, stay away. You will get little value out of it and very likely get hacked. But if you are confident with your admin and security chops, this is a crazy bargain. I chose Debian 6 because Debian. I have a long history with that.

I spent a good day figuring out, testing and setting up the firewall, and learned an amazing amount. I tightened up SSH, installed some IDS stuff and I was happy, even though the thing was hardly useful yet!

I used git during the setup so I would have some ability to track and undo dumb changes. I should have started this earlier, I know it!

First big task was IMAP and SMTP. I got that rolling and made sure that spammers couldn’t hitch a free ride. I got a free SSL certificate from StartSSL and it does the job. Test like crazy.

Next I got Apache rolling and a database server, and made sure those aren’t vulnerable either.

Finally, once I was happy, I pointed my domain to freedns.ws and configured its records. Let me stop for a second and state that of all the stuff I have done so far, FreeDNS.ws amazes me the most. I can’t see why anyone would pay for DNS server services when this thing is around (ok I notice certain record types are missing. I didn’t really need them though).

While waiting for the DNS switchover to happen (always an interminable wait) I discovered mydnscheck.com. A great tool to see how things are progressing and what you have set up or have forgotten to set up!

So far that’s it. I haven’t cancelled my shared hosting yet but I’m moving everything off it. I think I’ve outgrown it… Or more likely it just doesn’t suit me, as I never really used it to its potential.

Now I might even run a personal Minecraft server on my VPS, not sure yet. But hey, I can.

It was a lot of work, but a lot of fun. And I am happy in knowing there’s a little piece of the Net that I put together all by myself.

Categories
Posts Web Wordpress

Style tweaks

First, I want to overlay the title over top of the header image.

Next, I’d like to add a third widget column.  Why are there so few 3-column themes?

Categories
Server Wordpress

WordPress configuration

I need to figure out the following:

Is there a way to blend pages and posts together nicely on the site, so that I don’t have to configure only posts to see them on the main page?  I would like to make a menu that will show me maybe the latest five or so, but allow me to dig down further.

I know I can do it with PHP, but I want to know if there’s a configuration way to do it.

I found something.  Create a blank page and in the “Static page” section of Settings – Reading, choose the blank posts page to view the posts.