Category Archives: Web Hosting

My WordPress Test Site Got Hacked

I am sure you’ve heard about the “scandal” in which millions of WordPress sites got “defaced” by those pesky hackers. As it turns out, according to reports from leading security companies, it wasn’t particularly hard to pull off either.

WordPress introduced a REST API that allows you (and others) to do all kinds of wizardry remotely. Apparently, that included the option to edit all your posts and pages without providing any kind of credentials. Great job, WordPress!

With millions of people being “hacked”, of course my test website couldn’t miss out. You see, I have WordPress sites in all sorts and shapes that I keep up to date. Personal blog. Work websites. Fun blogs. However, there are also my “test blogs”, which I use to test plugins for WordPress. I also have those kind of sites for Joomla, but that’s another story.

Most of those sites are hosted on Siteground, but one is hosted on a server I shall not name. One where updates don’t happen automatically, and WAF’s are non-existent.

Well, my friends, that website got “hacked”. The reason I keep writing “hacked” is because allegedly it takes nearly zero knowledge or effort to pull it off. You just need to know about the exploit, do two minutes of work and you can go crazy.

Which they did. The nice Syrian Peshmerga defacement left a message stating that ISIS sucks and that they’re going to do stuff. I’m guessing it’s related to shooting them. There was also the online pharmacy that wanted to promote some sort of products.

In my case, no damage was done. This is a test site. I don’t update it, because the site is a “throwaway” site. If something is broken, I’ll just start over. There’s the fair expectation that something WILL go wrong. Seeing the REST API hack in action on that site wasn’t scary, it was more of an “Ahah, it’s that easy?” moment.

However, can the same be said about those other sites? How about your sites? Can you afford to have your website defaced? Probably not. It would be bad for business.

That’s why you need to make sure your websites are up to date. And educate yourself on what to do when you DO get hacked. To help you with that, here’s a short and sweet strategy guide.

How not to get hacked

  1. Keep Your WordPress site up to date. Or, have someone else do it for you. Our friends over at Siteground allow you to enable automatic updates. If I’m not wrong – and I often am – they offer to enable this by default. The feature is super easy – once a new version is released Siteground will roll it out for you. Alternatively, some “Installers” like Installatron also roll out automatic updates. Of course, you could do it all manually. Assuming you’ve picked up on the news that an update is released. Unlike Joomla, WordPress doesn’t send reminders that a new version is available.
  2. Make sure you’re using quality web hosting. It’ll prevent you from most server side exploits. And if your hosting company is *really* good they’ll have rules and checks in place to prevent common exploits, like (again) our friends over at Siteground have in place.
  3. Don’t install shady plugins. Or themes. That’s an open invitation to be hacked. And those “cracked” versions of ExpensivePlugin? Yeah, that’s not a good idea either.
  4. If your website is technically sound, make sure that *you* aren’t the weakness. If your password is easy to crack, change it. Websites like HaveIBeenPwned can tell you if you’ve been part of security breaches. That can lead to a big “Oh, shit” moment when you were using the same password everywhere. Also, make sure to enable two-factor authentication.

How to recover from being hacked

  1. Restore your back-ups. What’s that? You didn’t make any, and assume your host is making them for you? While that might be true in some cases, that is NOT a safe bet to make. Set up your own backup tool, like Akeeba Backup or Vaultpress, and configure it. Make backups to more than one location. AND TEST YOUR BACKUPS.
  2. Audit your website. Do you know how they got into your website? If not, you probably have no idea how big the damage really is. If your website is used professionally, and your income depends on it, consider hiring an expert who knows what he’s doing. Unfortunately, that excludes most of the $5 freelancers from a certain continent that “claim to be expert in Joomla, WordPress, Drupal, Magento, Grav, Prestashop, OsCommerce, Ghost, Facebook and Microsoft Word.”

    If you are using Joomla, a tool like MyJoomla can help you audit your website. I’m sure similar websites for WordPress exist as well.

  3. Patch your security holes. Don’t just restore your website, and assume you’re not going to get hacked again. You’d be wrong, and stupid to assume that you were just unlucky.
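The last instruction in step 1 is the one most people skip, so here is what a restore test can look like. This script is added here and is not from the post or any of the backup tools it names; it assumes the backup is a tar.gz archive holding the site files plus a database dump (a `*.sql` file), which you may need to adapt to your own tool’s layout.

```shell
#!/usr/bin/env bash
# Added example (not from the post): a minimal restore test for a WordPress
# backup archive. Assumes a tar.gz with the site files and a *.sql dump inside;
# adjust REQUIRED_FILES to your backup tool's layout.
set -eu

# Files without which a restore cannot succeed.
REQUIRED_FILES="wp-config.php wp-content/"

# verify_backup <archive.tar.gz>: returns 0 when the archive is readable,
# contains the required site files and a database dump that defines tables.
verify_backup() {
  local archive="$1" work listing dump
  work="$(mktemp -d)"

  # 1. Archive integrity: a truncated or corrupted archive fails right here.
  if ! listing="$(tar -tzf "$archive" 2>/dev/null)"; then
    echo "FAIL: $archive is not a readable tar.gz" >&2
    rm -rf "$work"; return 1
  fi

  # 2. Required site files must be present in the listing.
  local f
  for f in $REQUIRED_FILES; do
    if ! printf '%s\n' "$listing" | grep -qF -- "$f"; then
      echo "FAIL: $archive does not contain $f" >&2
      rm -rf "$work"; return 1
    fi
  done

  # 3. Trial restore into a scratch directory, then check the database dump.
  tar -xzf "$archive" -C "$work"
  dump="$(find "$work" -name '*.sql' | head -n 1)"
  if [ -z "$dump" ] || ! grep -q 'CREATE TABLE' "$dump"; then
    echo "FAIL: no usable database dump in $archive" >&2
    rm -rf "$work"; return 1
  fi

  echo "OK: $archive restores ($(find "$work" -type f | wc -l) files, dump: ${dump#"$work"/})"
  rm -rf "$work"
}

# Run as: ./verify_backup.sh site-backup.tar.gz [more archives...]
if [ $# -gt 0 ]; then
  for a in "$@"; do verify_backup "$a"; done
fi
```

Run it against every backup location you write to, not just the first one; a backup that only exists in one place, or that has never been unpacked, is a hope rather than a backup.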

Of course, some people would suggest that my list is missing “Migrate away from WordPress, lol.” I mean, yes. That can be an option if the security holes in WordPress concern you. Just keep in mind that no CMS is perfect, and all of them are prone to security problems. Yes, even the one you built yourself. Especially the one you built yourself.

Do you have tips or suggestions to update our list? Questions about being hacked? Use the comments below to be heard. Please keep the “WordPress sucks lol get gud noob” jokes to a minimum.


Why I Don’t Host My Blogs Myself

Today was one of those days. As I got to the office, I received a notification that a server was down. Fixing this web server put a claim on all of my time that day, and even bit a chunk out of my free time as I got home.

Web servers are complicated beasts. In principle, setting up your own hosting is very simple. You lease a server or VPS, install MySQL, PHP and Apache and get started. However, the devil is in the many details. You need to set up all those different modules, and so on. It’s like you are opening a puzzle box, and not all the pieces are marked properly.

In theory, I could set up my own web server. It sounds tempting: spend 10 to 20 dollars a month on a VPS, quickly set up LAMP and host as many sites as I want. Or, in reality, as many sites as my server can handle.

Because that’s the problem, isn’t it? It’s all simple in theory. But in reality, dealing with web servers is often a frustrating venture. You can run into all sorts of problems just to set them up. And when the time comes to keep your server secure, you need to spend the time updating the different parts and hoping that you don’t somehow break something in the process.

I admire the people that can set up their own server. They are probably saving money in the long run. However, if I were to follow their lead I’d have to invest a lot of time into the ordeal. Time that I’d rather use on things I’d rather be doing: writing blog posts, looking into interesting technology or making videos.

Why I benefit from shared hosting

For me, shared hosting is simply a better match. I pay roughly the same what I’d pay for a VPS, but I don’t need to invest any time in setting up the server. There is no need to do updates of the server. Maintenance wise, shared hosting couldn’t be easier for me.

There’s also a big set of tools that you can use that’ll make your life easier. Installers for WordPress and Joomla, setting up a new database with just a few clicks, monitoring tools built straight into Cpanel. When you want to dig deeper into your websites and start tuning and optimizing things, the options are there. But they’re strictly optional.

Of course, there is a dark side to shared hosting. You are sharing resources on a server. Depending on your hoster, this might lead to poor site performance.

Fortunately, the Joomla community pointed me in the direction of Siteground. I had my doubts at first, but after using them for three years I can say that their shared hosting is top notch. Websites hosted on their servers are fast, responsive and have an extremely good uptime. Combine that with the usual tools, some very cool WordPress and Joomla tools that the guys at Siteground have built themselves, and some features you don’t find in other shared hosting solutions, and you’ve got a winning solution if, like me, you don’t want to host your sites yourself.

When using Siteground, even managing updates is taken out of your hand. Joomla and WordPress will be updated automatically for you, which means you’re always up to date. All you need to look after, are the plugins you’ve installed on your website.

Another upside of shared hosting, and using Siteground specifically, is the support. Now, I rarely need or use their support options. But on the rare occasion that I did, their support was fast, knowledgeable and more than willing to solve my problem.

The fact that I can just sit back and relax thanks to Siteground is a big reason why I prefer not to host my websites myself. If you’re wondering ‘Should I host my own websites?’, then the answer is ‘It depends’. Are you willing to commit the time to the server, or are you more interested in taking care of your website itself?

If you are looking for a hosting solution where they take the hard work out of your hands, then give Siteground a try.

Let’s help each other out

Are you looking to sign up for quality hosting? Cool! Consider giving Siteground a try. In the process, we can help each other out. If you sign up through my affiliate link, you

  • Get an optional free site transfer
  • Get a big discount on your 1st year of hosting
  • Might be eligible for a discount, if you’re coming from another hosting company.

Of course, there’s also something in it for me. If you sign up, I get up to three months of hosting for free. That’d be an awesome gift, allowing me to focus on my writing.

You can sign up for this deal right here!

Or, if you want to check out what Siteground has in store first, you can click the banner below and decide later.

Problem with your .htaccess on Hetzner in Admintools 3.6.5?

Update: After checking on a semi-new installation we noticed that the conflicting option isn’t enabled by default. The article below is still interesting if you foolishly set all options to “yes” like I did.

If you’re a customer of Hetzner, and you’re using the latest version of Admintools, you might have run into a slight problem when using the .htaccess maker. Not because there’s something wrong with the wonderful piece of software that makes our lives easier and our sites more secure, but because new features have been added recently.

And one of these features just so happens to be incompatible with your server setup at Hetzner.

The conflicting option can be found under “Optimization and Utility” and is labeled “Disable http methods TRACE and TRACK”. Enabling this option and saving the .htaccess file will likely “break” your site. That is easily fixed: delete the .htaccess file, set the option to “No” and save the file again.

You can end up with this option enabled without noticing, for example by installing a new version and using the .htaccess maker for the first time. If you’ve installed the latest version of Admintools (and if you’re running a Joomla site, why haven’t you done this yet?) and run the .htaccess maker, make sure to double-check that this option is disabled.
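The post doesn’t say which lines Admintools writes for that option or why Hetzner’s setup rejects them, so the following is a general check rather than a diagnosis. It is an added example, not Admintools’ generated output: a small lint that flags directives Apache only accepts in the main server or virtual host configuration (in .htaccess they make Apache answer every request with a 500, which is exactly what a “broken” site looks like), plus the mod_rewrite form of a TRACE/TRACK block that is valid in .htaccess context. The directive list is an assumption for illustration and is not complete.

```shell
#!/usr/bin/env bash
# Added example (not Admintools' output): sanity-check a generated .htaccess
# before saving it, and print an .htaccess-safe TRACE/TRACK block.
set -eu

# Directives whose context is "server config" or "virtual host" only. In a
# .htaccess file Apache rejects them ("not allowed here") with a 500 error.
# Illustrative list, not exhaustive.
SERVER_ONLY_DIRECTIVES="TraceEnable Listen ServerName"

# htaccess_lint <file>: prints offending lines (with line numbers), returns 1
# if any were found, 0 if the file is clean.
htaccess_lint() {
  local file="$1" bad=0 d
  for d in $SERVER_ONLY_DIRECTIVES; do
    if grep -niE "^[[:space:]]*${d}([[:space:]]|\$)" "$file"; then
      bad=1
    fi
  done
  return $bad
}

# trace_block_rules: refuse TRACE and TRACK with mod_rewrite, which shared
# hosts allow in .htaccess (TraceEnable Off would be cleaner, but it only
# works in the server configuration you don't control on a managed host).
trace_block_rules() {
  cat <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F]
</IfModule>
EOF
}

# Usage: ./htaccess_check.sh /path/to/.htaccess   (prints rules when no file given)
if [ $# -gt 0 ]; then
  if htaccess_lint "$1"; then
    echo "OK: no server-only directives in $1"
  else
    echo "WARNING: the lines above will cause a 500 error in .htaccess" >&2
    exit 1
  fi
else
  trace_block_rules
fi
```

After saving, a quick check from your own machine is `curl -s -o /dev/null -w '%{http_code}\n' -X TRACE https://yoursite.example/`: you want a 403 (the rewrite rule) or 405 (TraceEnable Off in the server config), never a 200 that echoes your own request headers back.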

External Mail & Hetzner Managed Servers

People with a Managed Web Server at Hetzner might notice that their site has problems e-mailing their own e-mail addresses when their e-mail is hosted elsewhere.

The reason for this “problem” is likely that you’ve still got Hetzner’s Mail service enabled for your domain. You need to disable this service, so your site can send e-mails to the proper address. Otherwise, the Managed Server will think it’s in “control” of your mailboxes and will try to deliver the mail to the “internal” mailbox.

Two scripts to configure SSH and create SSH users

Lately, I’ve been working with Tuxlite for a bit. It is, by far, the easiest method of setting up a LAMP or LNMP server. All you need is a bit of knowledge of command line Linux and you can set up your own server. The scripts take care of 95% of what you need to get up and running, which makes Tuxlite awesome.

The missing part

However, Tuxlite is “missing” something which might give new users some headaches. Tuxlite assumes you know how to create users with SSH privileges, which you need in order to transfer files with (S)FTP.

I’ve created my own script(s) to solve this problem, which I’ve decided to share with whoever finds them useful. There’s two scripts:

  • sshconfig.ssh : Creates a group, sshusers, and gives it permission to SSH (and thus use SFTP)
  • sshuser.ssh : Creates a user, and adds it to the sshusers group, to give the user SSH permissions. It then runs the Tuxlite domains.sh script, using the user you just chose.

Instructions

The script(s) have only been tested under Ubuntu 13.04. They might (or might not) run under other versions which Tuxlite supports.

  1. Put both files in your Tuxlite folder
  2. Run the files, using ./nameofscript
  3. Follow the on-screen instructions
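If you’d rather see what the two scripts do than download them, here is the same procedure as one script. This is an added example, not the scripts from the post: it assumes Debian/Ubuntu with OpenSSH, root privileges for the `setup` and `adduser` actions, and that Tuxlite’s domains.sh is called as `./domains.sh add <user> <domain>` (an assumption; check your own copy of Tuxlite). The config-editing function works on any file path, so it can be tried on a copy of sshd_config before touching the real one.

```shell
#!/usr/bin/env bash
# Added example (not the post's sshconfig/sshuser scripts): restrict SSH/SFTP
# logins to an "sshusers" group, then create a user in that group and hand it
# to Tuxlite's domains.sh. Assumes Debian/Ubuntu + OpenSSH, run as root.
set -eu

SSH_GROUP="${SSH_GROUP:-sshusers}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Add or replace the AllowGroups directive in <cfg>. sshd honours the first
# occurrence of a keyword, so an existing line is replaced rather than a second
# one appended (which sshd would silently ignore).
restrict_sshd_to_group() {
  local cfg="$1" group="$2" tmp
  tmp="$(mktemp)"
  if grep -Eq '^[[:space:]]*AllowGroups([[:space:]]|$)' "$cfg"; then
    sed -E "s/^[[:space:]]*AllowGroups([[:space:]].*)?\$/AllowGroups ${group}/" "$cfg" > "$tmp"
  else
    cat "$cfg" > "$tmp"
    printf '\nAllowGroups %s\n' "$group" >> "$tmp"
  fi
  cat "$tmp" > "$cfg"   # write in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Check: is <group> listed on the effective (first) AllowGroups line of <cfg>?
sshd_allows_group() {
  local cfg="$1" group="$2"
  grep -E '^[[:space:]]*AllowGroups([[:space:]]|$)' "$cfg" | head -n 1 \
    | tr '[:space:]' '\n' | grep -qx "$group"
}

# Step 1 (sshconfig): create the group, lock sshd down to it, reload sshd.
setup_ssh_group() {
  getent group "$SSH_GROUP" >/dev/null || groupadd "$SSH_GROUP"
  restrict_sshd_to_group "$SSHD_CONFIG" "$SSH_GROUP"
  sshd -t -f "$SSHD_CONFIG"   # syntax check first: a bad config locks you out
  service ssh reload
  echo "SSH logins are now limited to members of group $SSH_GROUP"
}

# Step 2 (sshuser): create the user, add it to the group, run domains.sh.
add_ssh_user() {
  local user="$1" domain="$2"
  id -u "$user" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$user"
  usermod -aG "$SSH_GROUP" "$user"
  passwd "$user"                          # interactive, like the on-screen prompts
  ./domains.sh add "$user" "$domain"      # assumed Tuxlite invocation, verify locally
}

# Usage: ./sshusers.sh setup   |   ./sshusers.sh adduser <user> <domain.tld>
case "${1:-}" in
  setup)   setup_ssh_group ;;
  adduser) add_ssh_user "$2" "$3" ;;
  "")      ;;   # run without arguments: only define the functions
  *)       echo "usage: $0 setup | adduser <user> <domain>" >&2; exit 2 ;;
esac
```

The reason for the group in the first place: with `AllowGroups` in place, a system account that gets created later (by a package, an installer or a mistake) cannot log in over SSH until someone deliberately adds it to the group, which is the least-privilege default you want on a box that faces the internet.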

You can download the files in a zip file here.