We got hacked and here’s what we learned.
Due to my human rights activism, there are enough people out there who don’t like me to warrant paying attention.
Whether it was a bot looking to use server resources or a genuinely malicious act, I can’t say, but our sites were brought to their knees during the launch of our new Harvest presets for Lightroom. While the site is up, secured, and the ship is tighter than ever, this has been a long week. I thought I’d share a few things I learned because I know a lot of you have sites of your own and anyone could experience this.
We have a VPS server from Known Host and we’ve spent the last two days trying to sort things out. After we restored from a backup and changed every possible password, we thought all was well. It wasn’t. The next morning we were down all over again. The problem is that web hosting companies are not staffed with programmers, and while a good one will try to help, they tend to put a lot on your shoulders, even in a managed server environment.
Here are some key points I took away from this week.
We did NOT lose anyone’s financial data.
This is something we did prepare for. Our front-end site never sees payment info. You add products to the cart from our site but the transaction happens in a separate and secure DPD payment server that has nothing to do with the files on our site. Wow, was I glad this week that we kept that separation and it’s something I’d recommend to anyone else who sells online.
Most sites have PHP data and many people have an option to back that up. But that’s only the text of your content. All the files are on the server, and you need to take the time to log into your web hosting cPanel or call your host and make sure the server is keeping a complete backup. Many are not, and you should not assume you are secure. I not only keep a complete server backup automated weekly, but I also download the entire thing now and then and keep a local copy, so that even if my hosting company were compromised I could restore the last saved version to a new server.
We hear this a lot, but in the era of content management sites like WordPress, there are a lot of hackers looking for an easy mark. Keep a good password for everything from your dashboard to your FTP, and know who has admin access to your site.
The likely reason we lost control this week was an old WordPress install or plugin that had not been updated. If you use a totally managed system like Wix or Squarespace, you probably don’t need to deal with this much. But if you like control over your sites and use things like WP, outdated software will leave you open. The fallout of this event (not to mention the techs at my hosting company) reminded me this week that this is a big deal.
These phrases might not mean much if you have one site or if you are not a bit of a nerd. But if you have your own server space or an account with cPanel, you can probably create add-on domains and have as many sites as you want within that account. I rent a VPS server, which means I can have add-on domains but also make as many accounts as I like and even resell accounts to others, similar to what you might buy on common hosting providers for $10/mo. (I don’t sell hosting myself, however.)
The long and short is that if you have more than one domain in a user account, that old site you barely touch anymore will mean everything is compromised. One of the big changes we made this week was to move every site into its own hosting (user) account. Each user account is like a sandbox, and it means that even if the site in that user account gets compromised, it cannot affect the sites in other user accounts on the same server. Had this been in place before, seimeffects.com probably would not have gone down. Now every site is in its own walled garden.
I hope what we learned this week helps save you from a frustrating mess down the road. In the meantime, our sites seem to be working well again and the new Harvest presets are as beautiful as ever.