Tagged: security

  • Doug Belshaw 8:32 am on February 18, 2017
    Tags: htaccess, security, WordPress   

    Protecting my websites from hackers 

    For the past three weekends, my websites have been subject to attacks by hackers. I wasn’t sure what was going on at first, but then I realised that a script was gaining access to all the .htaccess files and injecting additional text.

    With websites hosted on Apache-powered servers (i.e. most of the web) the .htaccess file allows rules to be defined for specific things to happen. This can be incredibly powerful and useful. For example, if you move something from a subdirectory of your personal website to its own domain, you can create an automatic redirect. There’s a million other things you can do, too.

    The specific attack I’ve been subject to several times recently is where a whole batch of rules are added to the .htaccess file of each website I run. Cleverly, these are added after lots of spaces have been added, so they’re not immediately visible when you go to edit the file. They also seem to *only* work on mobile, which obviously isn’t how most website owners edit (or even view) their own websites. Visitors were redirected to websites dedicated to gambling, mobile gaming, and porn.

    I sought advice from various quarters and updated my passwords for both my main blog and my webhosting account. I also installed the [Wordfence plugin](https://www.wordfence.com/) to add an additional layer of security. This, unfortunately, made no difference.

    So, today I’ve done the following:

    I’m also in the process of changing all the usernames and passwords on all of my WordPress installations. This is a royal pain in the arse.
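
The injection pattern described in this post (rules hidden behind a long run of whitespace that redirect only mobile visitors) can be checked for mechanically. The following is an added example, not code from the original post; the function name `audit_htaccess`, the two thresholds, the User-Agent keyword list and the sample file are assumptions constructed for illustration.

```python
import re

PAD_COLS = 40    # assumed threshold: leading whitespace wide enough to push text off-screen
BLANK_RUN = 20   # assumed threshold: consecutive blank lines before more content
MOBILE_UA = re.compile(r"android|iphone|ipad|mobile|blackberry|opera mini", re.I)
UA_COND = re.compile(r"\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(.+)", re.I)
ANY_RULE = re.compile(r"\s*RewriteRule\b", re.I)
EXTERNAL = re.compile(r"\s*RewriteRule\s+\S+\s+https?://", re.I)


def audit_htaccess(text):
    """Return (line_number, reason) findings for the contents of one .htaccess file."""
    findings = []
    blank_run = 0
    mobile_cond = False  # True while a mobile User-Agent condition awaits its rule
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.expandtabs(8)
        if not line.strip():
            blank_run += 1
            continue
        if blank_run >= BLANK_RUN:
            findings.append((no, "content after %d blank lines" % blank_run))
        blank_run = 0
        pad = len(line) - len(line.lstrip())
        if pad >= PAD_COLS:
            findings.append((no, "content after %d columns of padding" % pad))
        cond = UA_COND.match(line)
        if cond and MOBILE_UA.search(cond.group(1)):
            mobile_cond = True
        elif ANY_RULE.match(line):
            if mobile_cond and EXTERNAL.match(line):
                findings.append((no, "mobile-only redirect to external URL"))
            mobile_cond = False  # a RewriteRule ends the current condition chain
    return findings


# Constructed sample: a normal WordPress block followed by hidden, padded rules.
SAMPLE = (
    "# BEGIN WordPress\nRewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n# END WordPress\n"
    + "\n" * 25
    + " " * 200 + "RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]\n"
    + " " * 200 + "RewriteRule ^(.*)$ http://redirect.example/ [R=302,L]\n"
)

if __name__ == "__main__":
    for no, reason in audit_htaccess(SAMPLE):
        print("line %d: %s" % (no, reason))
```

Running it against every `.htaccess` under the web root on a schedule, and alerting on any finding, catches a re-injection sooner than opening each file in an editor.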

    • Neil Ford 1:36 pm on February 18, 2017

      If installing the Wordfence plugin didn’t help (and I’ve found it to be very good), then it’s quite possible that WordPress isn’t the way in the hackers are using. That means unfortunately adding rules to .htaccess may not resolve the issue.

      Good luck getting to the bottom of this. As you say, pain in the arse.

  • Doug Belshaw 6:03 pm on February 13, 2017
    Tags: security

    The advice in this WIRED article about retaining your privacy when going through US customs also applies on an everyday basis 

    From the [article](https://www.wired.com/2017/02/guide-getting-past-customs-digital-privacy-intact/):

    > If customs officials do take your devices, don’t make their intrusion easy. [Encrypt your hard drive](https://theintercept.com/2015/04/27/encrypting-laptop-like-mean/) with tools like BitLocker, TrueCrypt, or Apple’s Filevault, and choose a strong passphrase. On your phone—preferably an iPhone, given Apple’s track record of foiling federal cracking—set a strong PIN and disable Siri from the lockscreen by switching off “Access When Locked” under the Siri menu in Settings.

    > Remember also to turn your devices off before entering customs: Hard drive encryption tools only offer full protection when a computer is fully powered down. If you use TouchID, your iPhone is safest when it’s turned off, too, since it requires a PIN rather than a fingerprint when first booted, resolving any ambiguity about whether border officials can compel you to unlock the device with a finger instead of a PIN—a real concern given that green card holders are required to offer their fingerprints with every border crossing.

    There’s a great example of how to be truly subversive later on in that article where it suggests that you turn on two-factor authentication on all your accounts (which you should use anyway) and then remove the SIM card from the phone you’d use to get the code you need. That way you can’t be forced to unlock your device. You can post generated backup codes to yourself, or get someone you trust to send them to you once you’ve cleared security. Genius.
