Categories
Security Wordpress

Hacked Again

My site was hacked again the other day – this is common enough for WordPress sites.  If you’re not on top of it you could have it hacked, pretty much automatically.

This part I knew.  It still got hacked, and I learned a few more things.

1 Back up your site!  This could mean a DB and files backup (plugins, themes & uploads folder) but it really should be more thorough.  Use something like UpdraftPlus to create scheduled backups.  If you’re running VestaCP, you may have daily backups of your whole user setup.  All of this is a good start!

Don’t Panic

Now, if something goes south at this point, there is no need to panic!  You can definitely recover from bad stuff, even if you need to get help.  You’ve already done well and are ahead of the game.

2 Upload those backups to an offsite location – Google Drive, OneDrive, S3, a local drive on your personal system through SFTP or whatever.  It should be set-and-forget.  This is not something you want to have to remember to do.  You will have to either back up only once a week or use some technique to thin old backups.  If you need daily backups, you probably don’t need daily backups going back several months!  Figure out what makes sense for your storage capacity and security.  Check it occasionally to make sure it’s working.

3 Know how to restore your backups – and know how to do it in a worst case scenario – i.e. you can’t run WordPress because it’s still hacked.  Learn how to do it from the command line or from uploading a known good set through SFTP.  VestaCP has a fantastic web-based restore tool but if you are using older backups, you might need to understand how to do it on the command line.  It’s not easy, but it’s in your hands.  Remember, don’t panic.  You’re in charge.

4 Install a security plugin.  Sucuri and Wordfence are two highly recommended ones, and they will help you get set up and harden your site against attacks.  They can help you recover after attacks as well, by restoring plugins and themes from known good sources.  The basic (and very comprehensive) plugin features are free.  Just install it and set it up.

5 Monitor.  If you have something like Jetpack (you should) it will tell you when your site is offline.  Something like Sucuri can let you know if your site has changed (e.g. if it’s been hijacked to forward to a malware/scamware site).  If you get alerts quickly, restoring to the previous day’s backup is MUCH easier and quicker than having to go back and work out exactly when the hack happened, which is what you face if, like me, you don’t look at your site for weeks at a time.

6 When you have a success story, write down what you did and what you wish you did.  Publish it just like I’m doing now.  Help others, especially your future self to recover from what could otherwise be disasters.
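The thinning technique step 2 alludes to, as an added example that is not from the original post: a retention policy over a list of backup names and dates, written in JavaScript (Node). The function only decides what to keep and what may go; wiring the `remove` list to an actual delete is left to your backup tool. The backup names, dates, the three windows and the function names are all constructed for this demo.

```javascript
// Added example (not the post's own code): backup thinning. Keep every backup from the
// last `dailyDays` days, the newest backup of each week for `weeklyWeeks` weeks, and the
// newest backup of each month for `monthlyMonths` months; report everything else as
// safe to delete. All inputs below are constructed.

const DAY_MS = 86400000;

// Monday-based week index (1970-01-01 was a Thursday, hence the +3 shift).
function weekKey(d) {
  return 'W' + Math.floor((Math.floor(d.getTime() / DAY_MS) + 3) / 7);
}
function monthKey(d) {
  return d.toISOString().slice(0, 7); // "YYYY-MM" in UTC
}
function monthsBetween(later, earlier) {
  return (later.getUTCFullYear() - earlier.getUTCFullYear()) * 12 +
         (later.getUTCMonth() - earlier.getUTCMonth());
}

// backups: [{ name, date }] where date is anything Date() accepts.
// Returns { keep, remove, reasons } with names in newest-first order.
function thinBackups(backups, now, { dailyDays = 7, weeklyWeeks = 4, monthlyMonths = 6 } = {}) {
  const sorted = backups
    .map(b => ({ name: b.name, date: new Date(b.date) }))
    .sort((a, b) => b.date - a.date); // newest first, so the first hit in a bucket is its newest
  const keep = [], remove = [], reasons = {};
  const seenWeeks = new Set(), seenMonths = new Set();

  sorted.forEach((b, i) => {
    const ageDays = (now - b.date) / DAY_MS;
    let why = null;
    if (i === 0) why = 'newest';                 // never delete the most recent backup
    else if (ageDays < 0) why = 'future';        // clock skew: leave it alone
    else if (ageDays <= dailyDays) why = 'daily';
    else if (ageDays <= weeklyWeeks * 7 && !seenWeeks.has(weekKey(b.date))) why = 'weekly';
    else if (monthsBetween(now, b.date) < monthlyMonths && !seenMonths.has(monthKey(b.date))) why = 'monthly';

    if (why) {
      keep.push(b.name);
      reasons[b.name] = why;
      seenWeeks.add(weekKey(b.date));    // a kept backup also covers its week and its month
      seenMonths.add(monthKey(b.date));
    } else {
      remove.push(b.name);
    }
  });
  return { keep, remove, reasons };
}

// Constructed sample input: one backup per night at 02:00 UTC, 2024-01-01 to 2024-03-31.
function sampleBackups() {
  const out = [];
  for (let t = Date.UTC(2024, 0, 1, 2); t <= Date.UTC(2024, 2, 31, 2); t += DAY_MS) {
    const d = new Date(t);
    out.push({ name: `site-${d.toISOString().slice(0, 10)}.tar.gz`, date: d });
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = thinBackups(sampleBackups(), new Date('2024-03-31T12:00:00Z'));
  console.log(`keep ${r.keep.length}, remove ${r.remove.length}`);
  for (const n of r.keep) console.log(`${n}  (${r.reasons[n]})`);
}
```

Run with node and the 91 nightly backups shrink to 12 survivors, each tagged with the rule that saved it. The 'newest' rule is deliberate: a thinning script that can delete the only backup when the clock or the windows are misconfigured is worse than no thinning at all.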


Update 1: Reinfected today – but I was instantly notified by email.  I restored via my control panel, which took about 3 minutes.  I also firewall-banned the IP address I got in the security report, so it wouldn’t happen again.

Lessons:

  • #5 above is amazing.  I didn’t lose anything because I acted quickly. I was able to restore from a backup that was a few hours old because Sucuri emailed me immediately.
  • Sucuri didn’t harden my upload directory like they said it would.  It was still infected via a zip file upload and a PHP file in that directory.  I added the following .htaccess file to my uploads directory:
# Apache 2.2 access syntax (also honoured by 2.4 through mod_access_compat);
# on Apache 2.4 the native equivalent is "Require all denied".
# Has no effect unless the vhost's AllowOverride permits it for this directory.
<Files *.php>
Deny from all
</Files>
  • Apparently there is a decent free web application firewall called BulletProof.  It will do the next step and block attackers and brute-force attempts.  Although I haven’t had these types of attacks (probably because I have host access and can use fail2ban and handle my own firewall), I am investigating it.  It’s definitely ugly, but maybe with some research it will be worthwhile to install.
  • Sucuri’s site scanner works pretty well; it showed a dropped infected file that hung around after cleanup.  You can click all of the files that show up and delete them (or ignore them) en masse.
  • When you do a restore, such as with VestaCP, it does not remove files that were added after the backup was taken.  This is usually what you want, but note that it will leave infected files in place.
Categories
Networking Web

Canada domain name registry scam

Domain Scam
Shred this letter immediately.

I have been frustrated with this domain scam for a long time now.

I have a few domain names, and I happen to be in Canada.  There is a company called “Domain Registry of Canada” that mails out official-looking envelopes (it looks like a government-issue brown windowed envelope) to everyone that has WHOIS information indicating they live in Canada.  This is an example of the letter they send.

Unless you read it quite carefully, and know what is going on, you might think you need to pay their (very expensive) domain registration fees in order to avoid losing your domain name.

This is NOT TRUE.  Consider that many people, like myself, purchase hosting from a company like 1 & 1.  Part of the package includes free domain registration for one domain.  There is very little technical know-how required to get this going.  In fact, it could be that some hotshot young web developer has set this up for you.

You need to do nothing except keep paying your web hosting amount to safely retain your domain name.  This letter conveniently omits this fact.  They do make this somewhat clear in ALL CAPS halfway through the letter, but only after the scare tactics a couple of paragraphs above.

Is it strictly a scam?  No, I guess not, they do provide a service, and they spell out everything in this letter, but it’s very dirty.

To make this abundantly clear: There is NEVER any reason to do anything except shred this letter. 

For more information, feel free to Google “Domain Registry of Canada” and look at any link that is not their official web page (i.e. start at the second link).  Here’s a link to make it even easier.  You will find many other bloggers, most more capable than myself, that explain this quite well.

Categories
Javascript Programming Web

Backbone dynamic elements

I recently discovered Backbone’s setElement function. What it allowed me to do was dynamically create a view’s container in JavaScript and transfer/assign the view and its events to the new element.

Using jQuery within the view’s initialize method:

// Build the new container; the id is a plain string (no stray quotes inside the attribute).
this.el = $('<div id="newView"></div>');
// setElement moves the view's delegated events onto the new element and sets this.el / this.$el.
this.setElement(this.el);
$('#content').append(this.el);

I manipulated the this.el attribute directly, without using an interim variable.  It seemed to work ok, but if there are side-effects I discover later, it should be easy enough to change.  setElement will automatically assign its argument to this.el so nothing further needs to be done.
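What setElement does with the view’s events, as an added example that is neither the post’s code nor Backbone’s: a small stand-in View whose setElement mirrors the sequence Backbone’s own setElement performs (remove the view’s handlers from the old element, assign the new one, reattach them). `FakeElement`, `View`, `CounterView` and `demo` are all constructed here so it runs without a DOM, jQuery or Backbone.

```javascript
// Added example (not the post's or Backbone's code): a stand-in view whose setElement
// mirrors Backbone's sequence: undelegate events from the old element, assign the new
// element, delegate events again. FakeElement replaces the DOM for the demo.

class FakeElement {
  constructor(id) { this.id = id; this.listeners = {}; }
  addEventListener(type, fn) {
    (this.listeners[type] = this.listeners[type] || []).push(fn);
  }
  removeEventListener(type, fn) {
    this.listeners[type] = (this.listeners[type] || []).filter(f => f !== fn);
  }
  listenerCount(type) { return (this.listeners[type] || []).length; }
  dispatch(type) {
    for (const fn of [...(this.listeners[type] || [])]) fn({ type, target: this });
  }
}

class View {
  constructor(options = {}) {
    this.events = options.events || {};   // { eventType: methodName }, selectors omitted here
    this._bound = [];                      // exactly the handlers we attached, so we can detach them
    this.setElement(options.el || new FakeElement('anonymous'));
  }
  delegateEvents() {
    for (const [type, method] of Object.entries(this.events)) {
      const fn = (e) => this[method](e);
      this.el.addEventListener(type, fn);
      this._bound.push([type, fn]);
    }
  }
  undelegateEvents() {
    for (const [type, fn] of this._bound) this.el.removeEventListener(type, fn);
    this._bound = [];
  }
  setElement(el) {
    if (this.el) this.undelegateEvents(); // handlers must not linger on the old container
    this.el = el;
    this.delegateEvents();
    return this;
  }
}

// Demo view: counts clicks on whichever element is currently its container.
class CounterView extends View {
  constructor(el) {
    super({ el, events: { click: 'onClick' } });
    this.clicks = 0;
  }
  onClick() { this.clicks += 1; }
}

function demo() {
  const oldEl = new FakeElement('placeholder');
  const view = new CounterView(oldEl);
  oldEl.dispatch('click');                   // counted: the handler lives on oldEl

  const newEl = new FakeElement('newView');  // created dynamically, as in the post
  view.setElement(newEl);
  oldEl.dispatch('click');                   // ignored: the handler was removed from oldEl
  newEl.dispatch('click');                   // counted: the handler now lives on newEl
  return {
    clicks: view.clicks,
    oldListeners: oldEl.listenerCount('click'),
    newListeners: newEl.listenerCount('click'),
    elId: view.el.id,
  };
}
```

The point of tracking `_bound` is the same reason Backbone undelegates before reassigning: if the old container stays in the document with the view’s handlers still attached, a stray click there would still run view code against an element the view no longer owns.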

Categories
Programming Server Web

REST Authentication

I did some research the other day to secure my REST API using the Slim framework.

I found a tidy little way to force HTTP authentication (basic, in this case) using this article as well as the PHP manual.

I get the client to provide the user name and password, then I can look up the (hashed) password in the database. Each call is then authenticated by checking the supplied password against the stored hash for that user.

In combination with forcing the API through https (a .htaccess task), this lets me protect API access pretty simply.  (Basic authentication only base64-encodes the credentials, so https is what keeps them from travelling in the clear.)

I used this in VB6 (and the great Chilkat components) to authenticate a PUT command. I can now more safely allow database inserts from over the Net. It was as simple as:

Dim oHttp As New ChilkatHttp
Dim resp As String
Dim sXMLText As String          ' the XML document to send (built elsewhere)

' VB6 string literals use double quotes; a single quote starts a comment.
oHttp.Login = "userid"
oHttp.Password = "supersecret"

' Basic auth only base64-encodes Login/Password, so the URL should really be https://.
resp = oHttp.PutText("http://my.apiurl.com", sXMLText, "utf-16", "text/xml", 0, 0)

Next task is to find a more secure way to access the (read-only) API from JavaScript, without just embedding a password in the source code.  This looks like a great start.

Categories
Programming Web

New JavaScript book

I got my new JavaScript book delivered yesterday.  My first thought was that it was quite thin (it only has about 150 pages including the appendices and index)!  I took a look at the first section, and it’s quite thorough; the author himself states that it is quite information-dense, and that it will require a few readings to get it all.

I can’t say that I really like the railroad diagrams for describing the syntax of the language as much as I’d like more example code.  I suppose the diagrams are more inclusive, they just seem a little excessive for what information they provide.

Yes, this is an incredibly terse book.  Some rather hefty topics are given a few lines of discussion.  Not that this is terrible, but it makes for a slow read.  He establishes a few helper functions & methods that make certain tasks a lot easier, such as object creation and inheritance.  These functions are referred to later on in the book as if they were parts of the core language, so you really need to know both the book and the core language very well.

I can see how the techniques in this book would help a developer build quite complex applications in JavaScript.  Many would reject that idea as foolish, but what companies like Google have been able to deliver with this language shows that with some ingenuity and a whole lot of determination, you can create some remarkable things.