Protecting my websites from hackers

For the past three weekends, my websites have been subject to attacks by hackers. I wasn’t sure what was going on at first, but then I realised that a script was gaining access to all the .htaccess files and injecting additional text.

With websites hosted on Apache-powered servers (i.e. most of the web) the .htaccess file allows rules to be defined for specific things to happen. This can be incredibly powerful and useful. For example, if you move something from a subdirectory of your personal website to its own domain, you can create an automatic redirect. There’s a million other things you can do, too.

The specific attack I’ve been subject to several times recently is where a whole batch of rules are added to the .htaccess file of each website I run. Cleverly, these are added after lots of spaces have been added, so they’re not immediately visible when you go to edit the file. They also seem to only work on mobile, which obviously isn’t how most website owners edit (or even view) their own websites. Visitors were redirected to websites dedicated to gambling, mobile gaming, and porn.
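A defender-side check for the pattern described above, as an added example that is not part of the original post: it flags .htaccess lines hidden behind padding, rewrites keyed on the User-Agent, and rewrites to an external URL. The thresholds and the sample file contents are assumptions constructed for illustration; the post does not show the exact injected rules.

```python
import re
from pathlib import Path

PAD_COLS = 40    # assumed threshold: leading whitespace that pushes text off-screen
PAD_LINES = 20   # assumed threshold: run of blank lines hiding text below the fold
UA_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)
EXT_REDIRECT = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)

def scan_htaccess(text):
    """Return (line_number, reason) findings for one .htaccess body."""
    findings, blank_run = [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.expandtabs(8)
        body = line.strip()
        if not body:
            blank_run += 1
            continue
        indent = len(line) - len(line.lstrip())
        if indent >= PAD_COLS:
            findings.append((num, "directive hidden behind horizontal padding"))
        if blank_run >= PAD_LINES:
            findings.append((num, "directive hidden below blank-line padding"))
        blank_run = 0
        if body.startswith("#"):  # comments are still checked for padding above
            continue
        if UA_COND.search(body):
            findings.append((num, "rewrite conditioned on User-Agent"))
        if EXT_REDIRECT.search(body):
            findings.append((num, "rewrite to external URL"))
    return findings

def scan_tree(root):
    """Scan every .htaccess under root; return {path: findings} for hits."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        found = scan_htaccess(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: a normal WordPress-style rule, then padded injected lines.
SAMPLE = (
    "RewriteEngine On\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    + "\n" * 25
    + " " * 200 + "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
    + " " * 200 + "RewriteRule ^ http://redirect.example.invalid/ [R=302,L]\n"
)
```

Running `scan_tree()` over the web root from a scheduled job, and comparing each file against a known-good copy, catches re-injection that a manual look in an editor would miss.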

I sought advice from various quarters and updated my passwords for both my main blog and my webhosting account. I also installed the Wordfence plugin to add an additional layer of security. This, unfortunately, made no difference.

So, today I’ve done the following:

I’m also in the process of changing all the usernames and passwords on all of my WordPress installations. This is a royal pain in the arse.