Categories
Security Wordpress

Hacked Again

My site was hacked again the other day – this is common enough for WordPress sites.  If you’re not on top of it you could have it hacked, pretty much automatically.

This part I knew.  It still got hacked, and I learned a few more things.

1 Back up your site!  This could mean a DB and files backup (plugins, themes & uploads folder) but it really should be more thorough.  Use something like UpdraftPlus to create scheduled backups.  If you’re running VestaCP, you may have daily backups of your whole user setup.  All of this is a good start!

Don’t Panic

Now at this point if something happens, there is no need to panic when something goes south!  You can definitely recover from bad stuff, even if you need to get help.  You’ve done good already and are ahead of the game.

2 Upload those backups to an offsite location – Google Drive, OneDrive, S3, a local drive on your personal system through SFTP or whatever.  It should be set-and-forget.  This is not something you want to have to remember to do.  You will have to either only backup once a week or use some technique to thin backups.  If you need daily backups, you probably don’t need daily backups going back several months!  Figure out what makes sense for your storage capacity and security.  Check it occasionally to make sure it’s working.

3 Know how to restore your backups – and know how to do it in a worst case scenario – i.e. you can’t run WordPress because it’s still hacked.  Learn how to do it from the command line or from uploading a known good set through SFTP.  VestaCP has a fantastic web-based restore tool but if you are using older backups, you might need to understand how to do it on the command line.  It’s not easy, but it’s in your hands.  Remember, don’t panic.  You’re in charge.

4 Install a security plugin.  Sucuri and Wordfence are two highly recommended ones, and they will help you get set up and harden your site against attacks.  They can help you recover after attacks as well, by restoring plugins and themes from known good sources.  The basic (and very comprehensive) plugin features are free.  Just install it and set it up.

5 Monitor.  If you have something like Jetpack (you should) it will tell you about your site being offline.  Something like Sucuri can let you know if your site has changed (e.g. if it’s been hijacked to forward to a malware/scamware site).  If you get alerts quickly, restoring to the previous day’s backup is MUCH easier and quicker than having to go back to find out exactly when the hack happened, in case you don’t see your site for weeks at a time – like me.

6 When you have a success story, write down what you did and what you wish you did.  Publish it just like I’m doing now.  Help others, especially your future self to recover from what could otherwise be disasters.


Update 1: Reinfected today – but I was instantly notified by email.  I restored via my control panel, which took about 3 minutes.  I also firewall banned the IP address I got in the security report, so it wouldn’t happen again.

Lessons:

  • #5 above is amazing.  I didn’t lose anything because I acted quickly. I was able to restore from a backup that was a few hours old because Sucuri emailed me immediately.
  • Sucuri didn’t harden my upload directory like they said it would.  It was still infected from a zip file upload and php file in that directory.  I added the following .htaccess file to my uploads directory:
<Files *.php>
Deny from all
</Files>
  • Apparently there is a decent free web app firewall called BulletProof.  It will do the next step and block attackers and brute force.  Although I haven’t had these types of attacks, (probably because I have host access and I can use fail2ban and handle my own firewall) I am investigating it.  It’s definitely ugly but maybe with some research it will be worthwhile to install.
  • Sucuri’s site scanner works pretty good, it showed a dropped infected file that hung around after cleanup.  You can click all of the files that show up and delete them (or ignore them) en masse.
  • When you do a restore, such as with VestaCP, it does not remove additional files, this is good but note that it will leave infected files in place.
Categories
Apps Browser Desktop Security

Password Keeper

I’ve been a huge fan of 1Password since the beginning. I bought several versions and upgrades for multiple machines and never regretted it.

Something happened with version 7 though, and I haven’t been as happy with the change.

What happened was subscriptions.  Now, I have a number of software subscriptions, very very few make me content.  If I stop, do I lose my stuff?  Can I stop and start again at the same price?  Do I have an option to pay up front and own my license – and more importantly, my data?

1Password makes it as hard as possible to answer those questions. They want you over a barrel.

Since I wanted a Windows version, there I was, over that barrel.  A purchase was too expensive and gave me fewer features, so I paid for a year ($35 USD) but yes, it was definitely worth it.  Fantastic integrations with everything (all browsers and mobile), online storage with browser access, and solid security.  But now something else showed up. 

That something is BitWarden.

BitWarden offers almost the same features, and is open source.  The 100% free version includes online storage, binaries for every platform (including Linux), a good browser-based interface, and amazing integration with everything.  You can even host the “online” portion yourself so you can use it in-house if you prefer, and never store your secrets on the cloud.

Some features are limited – like file attachments, one-time passwords and some other stuff require a subscription, but it’s only $10 USD a year.

File attachments I don’t really need.  One-time passwords (two factor authentication) is really important these days, and integration is… well, it’s nice.

It has undergone an independent security audit.  It’s reassuringly secure.  There is no warrant canary clause that I can see, though.

What’s missing, since you are paying less than a third of the price – if you choose to pay at all?

Vaults

1Password’s vaults are simple.  Create a bunch of them and share them as you like. 

BitWarden has a very convoluted and confusing version of this called “Organizations”.  The free version allows (just) 2 users to share access to one organization. Once you share it though, it blends all of the shared entries in with yours, with no way to filter it.  So if you have an entry called “Gmail” in both your home vault and the organization, have fun.  There is a small share icon next to the Organization one by that’s it.  It would be nice to have a search filter (to steal the VS Code syntax, something like @shared) or a smart list.

You can have “Collections” which are pretty much a security subgroup of Organizations and this allows you to… ok, no seriously… It sounds like it was designed for big companies, not family groups.  Even the terminology is frightening.

If you pay ($1/month) you can get up to 5 users.  Personally I would bump those up by 1 each level, 3 for free and 6 for personal.

1Password lets you move stuff between vaults with a right-click.  BitWarden, I have no clue.

Software Licenses

You can store license information in a secure note record, with all the details except icons, but they aren’t differentiated in any way.

Tags

There are none.  No extra filtering or grouping, one folder for each entry and that’s it.  You can mess around with an extra text field for each entry but this is all manual, nothing automatic here.

UI

There is no drag and drop! Want to put something in a folder? Open the record, edit the record, choose a folder, save. Do it again.

And those folders.  You’d think folders should be in a sidebar, kinda since that’s the default UI for folders in everything since, well, ever… nope.  They’re almost at the bottom of a list when you exit out of everything.

Favorites are at the top of that same big old list.

Super linear and clumsy, especially when you have a large screen like a tablet or desktop to work with.

Premium

Sharing and extra features are split between two different subscriptions.  It’s even split between annual and monthly payments.  When you get one you don’t get the other, you need both!

This does mean that you don’t pay for what you don’t need.  But you can end up with people in an organization some with premium some without.

Confusing.

Conclusion

Even with its many shortcomings, I can’t help but be excited about this product.  It’s more than a little confusing and lacked a little foresight but when you want to fill a password, boom it’s there. 

It’s about 80 cents a month for the full meal deal, and if you don’t want to pay that, you really don’t have to.  Security researchers even recommend that you use a separate app like Authy to maintain your passwords and 2FA information in different apps.

Maybe what I like most is that it answers those disturbing questions about subscription software.  If I stop, I don’t lose my stuff (file attachments, maybe?).  If I stop, I can restart at the same price.  I can own the license (for the basic features at least).  I can even host my own server if I want.

It’s free and it’s fantastic.  Spend some time (an hour, tops) and learn it, that will pay off many times over.