Discours.es

Tagged: security Toggle Comment Threads | Keyboard Shortcuts

• 

  Doug Belshaw 8:32 am on February 18, 2017 Permalink | Reply
  Tags: htaccess, security, WordPress   

  Protecting my websites from hackers 

  For the past three weekends, my websites have been subject to attacks by hackers. I wasn’t sure what was going on at first, but then I realised that a script was gaining access to all the .htaccess files and injecting additional text.

  With websites hosted on Apache-powered servers (i.e. most of the web) the .htaccess file allows rules to be defined for specific things to happen. This can be incredibly powerful and useful. For example, if you move something from a subdirectory of your personal website to its own domain, you can create an automatic redirect. There’s a million other things you can do, too.

  The specific attack I’ve been subject to several times recently is where a whole batch of rules are added to the .htaccess file of each website I run. Cleverly, these are added after lots of spaces have been added, so they’re not immediately visible when you go to edit the file. They also seem to *only* work on mobile, which obviously isn’t how most website owners edit (or even view) their own websites. Visitors were redirected to websites dedicated to gambling, mobile gaming, and porn.

  I sought advice from various quarters and updated my passwords for both my main blog and my webhosting account. I also installed the [Wordfence plugin](https://www.wordfence.com/) to add an additional layer of security. This, unfortunately, made no difference.

  So, today I’ve done the following:

  • Deleted the spam-generating rules added by the hackers’ script
  • Followed the advice in this: [A Comprehensive Guide to Editing .htaccess for WordPress Security](https://premium.wpmudev.org/blog/htaccess/)
  • Added the .htaccess rules from here: [6G Firewall 2016](https://perishablepress.com/6g/)

  I’m also in the process of changing all the usernames and passwords on all of my WordPress installations. This is a royal pain in the arse.

  Read Write Respond #014 – Read Write Collect and Neil Ford are discussing. Toggle Comments

   
  • 

    Neil Ford 1:36 pm on February 18, 2017 Permalink | Reply

    If installing the Wordfence plugin didn’t help (and I’ve found it to be very good), then it’s quite possible that WordPress isn’t the way in the hackers are using. That means unfortunately adding rules to .htaccess may not resolve the issue.

    Good luck getting to the bottom of this. As you say, pain in the arse.

  Reply Cancel reply

  Required fields are marked *

  Name *

  Email *

  Website

• 

  Doug Belshaw 6:03 pm on February 13, 2017 Permalink | Reply
  Tags: privacy ( 3 ), security   

  The advice in this WIRED article about retaining your privacy when going through US customs also applies on an everyday basis 

  From the [article](https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/):

  > If customs officials do take your devices, don’t make their intrusion easy. [Encrypt your hard drive](https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/) with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

  > Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too, since it requires a PIN rather than a fingerprint when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with a finger instead of a PIN—a real concern given that green card holders are required to offer their fingerprints with every border crossing.

  There’s a great example of how to be truly subversive later on in that article where it suggests that you turn on two-factor authentication on all your accounts (which you should use anyway) and then remove the SIM card from the phone you’d use to get the code you need. That way you can’t be forced to unlock your device. You can post generated backup codes to yourself, or get someone you trust to send them to you once you’ve cleared security. Genius.