Protecting my websites from hackers
For the past three weekends, my websites have been subject to attacks by hackers. I wasn’t sure what was going on at first, but then I realised that a script was gaining access to all the .htaccess files and injecting additional text.
With websites hosted on Apache-powered servers (i.e. most of the web), the .htaccess file lets you define rules that the server applies to requests for that directory. This can be incredibly powerful and useful. For example, if you move something from a subdirectory of your personal website to its own domain, you can create an automatic redirect. There are a million other things you can do, too.
The specific attack I’ve been subject to several times recently is where a whole batch of rules are added to the .htaccess file of each website I run. Cleverly, these are added after lots of spaces have been added, so they’re not immediately visible when you go to edit the file. They also seem to only work on mobile, which obviously isn’t how most website owners edit (or even view) their own websites. Visitors were redirected to websites dedicated to gambling, mobile gaming, and porn.
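A detection check for the pattern described above, as an added example that is not part of the original post: it scans .htaccess files for a long run of whitespace followed by rules that match mobile user agents and redirect to an external URL. The sample .htaccess body, the redirect host and the padding thresholds are constructed assumptions; it needs Python 3.9 or later.

```python
import re
from pathlib import Path

# Constructed sample of an .htaccess in the state described above: the
# site's legitimate WordPress rules, then a long run of blank lines and
# spaces, then injected rules that fire only for mobile user agents and
# send the visitor to an external host (placeholder host, not a real one).
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\n"
    "# END WordPress\n"
    + "\n" * 40 + " " * 200 +
    "RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad|mobile) [NC]\n"
    "RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]\n"
)

# Thresholds are assumptions: 10+ consecutive blank lines or 100+ spaces
# in a row is far more padding than a hand-edited .htaccess normally has.
PADDING_RE = re.compile(r"(?:[ \t]*\n){10,}|[ \t]{100,}")
MOBILE_UA_RE = re.compile(
    r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*?(android|iphone|ipad|mobile)", re.I)
EXTERNAL_REDIRECT_RE = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)


def scan_htaccess(text: str) -> list[str]:
    """Return a list of human-readable findings for one .htaccess body."""
    findings = []
    m = PADDING_RE.search(text)
    if m:
        findings.append(f"whitespace padding of {len(m.group(0))} chars at offset {m.start()}")
        if text[m.end():].strip():
            findings.append("rules present after the padding")
    if MOBILE_UA_RE.search(text):
        findings.append("RewriteCond matching mobile user agents")
    if EXTERNAL_REDIRECT_RE.search(text):
        findings.append("RewriteRule redirecting to an external URL")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .htaccess under root; returns {path: findings} for flagged files only."""
    results = {}
    for path in root.rglob(".htaccess"):
        findings = scan_htaccess(path.read_text(errors="replace"))
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE_HTACCESS):
        print("-", finding)
```

Running `scan_tree(Path("/var/www"))` from cron and alerting on a non-empty result catches a re-injection the next weekend without reading each file by hand.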
I sought advice from various quarters and updated my passwords for both my main blog and my webhosting account. I also installed the Wordfence plugin to add an additional layer of security. This, unfortunately, made no difference.
So, today I’ve done the following:
- Deleted the spam-generating rules added by the hackers’ script
- Followed the advice in this: A Comprehensive Guide to Editing .htaccess for WordPress Security
- Added the .htaccess rules from here: 6G Firewall 2016
I’m also in the process of changing all the usernames and passwords on all of my WordPress installations. This is a royal pain in the arse.