How secure is your Webspace

BenG's picture

At the beginning of the year my private webspace got hacked. I'm glad that it wasn't the webspace of our YWAM base, for which I am also responsible. But out of this experience I learned some things and wanted to share them with you.

What happened?
I had my website monitored by www.livewatch.de and got an email saying my domain was down. So I tested my domain myself and it said something like "domain locked". I called my provider and they told me that they had locked down my whole webspace because of spam activity from my domain. After I paid the fee for these activities, they backed up all my hacked webspace into a research directory not reachable from the internet and gave me my cleaned webspace back to set it up again.

What did the attackers do?
I went through all the files and looked for the timestamps to find out which files were affected. This is what I found:

  1. I found out that they used the .htaccess files to redirect users coming from a search engine to another site in Russia.
  2. They also put in place a PHP backdoor script to perform various actions.
  3. They compromised various scripts to send spam.

The first file was changed by them at the beginning of January 2012, but the spam scripts were put in place almost two weeks later.

How did they get in?
I don't know exactly. But I'm almost sure they used some security leaks in the installed CMS. I don't think that a password was cracked. I had done my last security updates in September 2011 - I think that was the problem. I had Joomla and WordPress installed.

How do you perform updates?
At this point I would like to know how you manage to keep your webspace up to date. On a workstation computer it is easier to keep it up to date. You can enable automatic updates and perform them as soon as they are available. But with a CMS you cannot use automatic updates. Some questions came to my mind and also some possible answers, but I would like to hear from you how you manage these things.

  • How do you know if there is an update available?
    Until now I was checking for updates only now and then, but I realized I shouldn't continue like this. So I subscribed to the WordPress News Blog at http://wordpress.org/news/ (I'm not using Joomla any more right now, so I have no address for security-related information on Joomla). I hope this helps me get to know in time when a new security update is available. I really don't want to check my websites every day for updates.
  • When do you upgrade if an update is available?
    I can only speak for WordPress, but if a core update is available, the plugins need to be upgraded as well. Sometimes it takes weeks until the plugins you are using are compatible with the new version, too. Do I wait until every plugin is updated, or do I upgrade before and risk that some plugins don't function properly? Not easy to decide.
    But what I'm doing right now is that I have a copy of the website on a local server and test the update there. So I can see how an upgrade with 'old' plugins works and if it's acceptable to do this update.

Are there other ways to secure a website besides having the newest version in place?
For WordPress I found some helpful plugins to secure a WordPress installation and check for security problems. These tools don't provide 100% security but they are a good start.
The first is http://wordpress.org/extend/plugins/bulletproof-security/. It lets you enable several security settings to guard your website.
The other one is http://wordpress.org/extend/plugins/wp-security-scan/. It checks your website for different vulnerabilities and makes suggestions on how to fix them.

How to recognize an attack on the website?
This is the last question I want to share with you. I got informed by my monitoring tool, but this was too late. It would be good to have the chance to act before the server is down. Are there ways to recognize an attack? I found a plugin for WordPress that scans the website every day for malware (http://wordpress.org/extend/plugins/antivirus/). But I haven't tested it yet and don't know if it will work. But it may have helped in my case because the first file was infected days before they used the domain for sending spam. Do you check websites you are responsible for on a regular basis against malware? Can this be done?

I really would like to read what your thoughts and ideas are about the topics I mentioned.

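
The two checks described in the post above (finding which files were changed, and spotting an .htaccess redirect keyed on search-engine referers), as an added example that is not part of the original post. It compares SHA-256 manifests rather than timestamps; the function names, the sample .htaccess and its placeholder host are constructed for illustration.

```python
import hashlib
import os
import re

# RewriteCond on HTTP_REFERER followed by a RewriteRule with an absolute URL:
# the shape of a rule that redirects visitors arriving from a search engine.
REFERER_COND = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}", re.I)
EXTERNAL_RULE = re.compile(r"^RewriteRule\s+\S+\s+(https?://\S+)", re.I)

# Constructed sample, not taken from the incident; the host is a placeholder.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
"""

def build_manifest(webroot):
    """Map each file path (relative to webroot) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, webroot)] = digest
    return manifest

def diff_manifests(baseline, current):
    """Return (added, changed, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return added, changed, removed

def suspicious_htaccess(text):
    """Return absolute redirect targets guarded by a referer condition."""
    targets, referer_seen = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments do not end a condition block
        if REFERER_COND.match(stripped):
            referer_seen = True
        elif not stripped.lower().startswith("rewritecond"):
            rule = EXTERNAL_RULE.match(stripped)
            if rule and referer_seen:
                targets.append(rule.group(1))
            referer_seen = False  # conditions apply only to the next rule
    return targets
```

Keep the baseline manifest somewhere other than the webspace itself, since anyone who can write files there can also rewrite the manifest.
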
Bill Hutchison's picture

WordPress Security

Thanks for the great article and reminder about the need to secure your web-sites. I run a few different ministry and personal web-sites using Wordpress and here are the security plugins that I use to secure the sites:

  • Limit Login Attempts – Limits the number of login attempts to the administration area of the web-site and blocks by IP or cookies after a certain number of failed attempts.
  • Secure Wordpress – Performs basic security checks on your Wordpress installation and makes suggestions for better securing your site.
  • Wordpress Firewall 2 – Monitors web requests and blocks obvious attacks.
  • WP Security Scan – Performs security scan of your Wordpress installation.

In addition to the security plugins I also make sure that I have automated backups set-up of my site. When backing up you need to make sure that you back up all important files including:

  • Database
  • Uploaded Content
  • Themes
  • Plugins

I explain how to set this up in another article that I wrote, Wordpress Backup in Only 8-Minutes on my DIY Blog site.

Deciding when to update Wordpress can be challenging. I find that as you use more plugins or heavily customise your theme you increase the chances of something breaking when you do an update. What I do really like about Wordpress though is how easy it is to apply the updates. It’s one of the reasons why it is my CMS of choice.

Usually the “smaller” updates (0.0.x) can be installed without any problems. The larger updates though (0.x.0) have a higher chance of breaking things, so I may wait a few weeks and check for plugin updates before moving ahead with those upgrades. Having a beta or test site is also very beneficial and I do that as well with the main ministry site that I am responsible for.

BenG's picture

Thanks for your comment and the input about the other security plugins for WordPress. I will have a look at them.

Steve's picture

I shall be the first...

...to confess.
I have a website which is vulnerable as can be. Not the strongest passwords, badly outdated, and no backup. OK, if the site should go down, nothing of real world value is lost. It would be sad, but nothing too dramatic.
So, it's a calculated risk, though I do not(!!!), under no circumstances, recommend playing with that type of fire.

I might have been lucky, or what ever else you want to call it, that nothing happened to that site. Right now my only hope is that usually an attack happens automated and my CMS is so outdated that no one would still run a script to target such old sites.

I know, I know. No lectures needed. I should know better myself.
Here is my attempt to find a good excuse...
As was mentioned already, updating a website and its plug-ins can be quite annoying. Sometimes you have to wait for a plug-in to be compatible, sometimes you simply have to wait for a security fix for a known bug. And if one is responsible for multiple sites with different CMSs, it can be quite the task to keep up with all the things going on in the development of the CMS and all plug-ins used.
It's almost a necessity to have a duplicate of each site on a test server in order to check updates. And so it becomes a very time consuming task if you are responsible for a handful of sites.

Having never used Wordpress I don't know how it compares to something like Joomla, Drupal or a Wiki, for example. But it would be interesting to know which is the easiest to keep up-to-date, which ones are generally the fastest with updates, etc.

Doing these updates wouldn't be the annoying thing for me. But the fact that it's all a bit fragile is something I really don't like. Having to check everything manually, testing it, and then doing the real thing seems like too much work. Even though it shouldn't be too much knowing the risks of having a vulnerable website.
Considering that most attacks are happening via scripts and not by someone actively sitting at the computer and trying to break a site, my dream would be to have my own, custom built CMS. However, since I can't do that myself it won't happen any time soon.

I know, I haven't really answered anything. But that is really because I don't have a good answer on how to best keep up with updates. I would wish, though, that the updating system in future would get a bit more sophisticated. My computer won't update a piece of software if there is a dependency that isn't available in a newer version. Why can't that be done in website development, as well?

--~~~~~
Cheers,
Steve

Somebody's terminal is dropping bits. I found a pile of them over in the corner.

Cloudflare

I started looking into WordPress security especially since we want to re-design our ywamperth.org.au website in WordPress. I didn't find all these plugins, so thanks for that, but something that I found interesting is Cloudflare. It is a service that you sign up for and you can add multiple websites for free (I don't really remember the limitations). It works as a CDN so it speeds up your website, it has security built in so it filters dangerous requests, it caches JS, CSS and images, and it has built-in analytics. You basically change your nameservers to point to Cloudflare and traffic will all go through them before going to your webserver.

I have only recently started using this and so far only on my personal website that doesn't get too many visitors but it is faster for sure. It says it has blocked some threats but of course I don't know what or how, because they have been blocked.

So far I am very pleased though, let me know what you think.

http://www.cloudflare.com/overview
