Waking up on Christmas morning I didn’t expect nor want to see one of my sites down, but I ran into just that exact problem. But it wasn’t just server downtime or some other minor problem, but a much bigger one. My site had been hacked.
Now no matter what time of year it was, this would have been extremely annoying. A hacked site can lead to a hell lot more than annoyance, especially depending on how popular your site is, in which case it can sometimes lead to the end of many visitors. Even at a place like this, a hacker would either take the site down completely or post a high number of spam posts, in turn flooding peoples feed readers causing them to unsubscribe. Yes, hackers can be a true pain in the ass.
So while it took Astereo a few days to get restored (it turns out it was a server attack, not an attack directly on astereo), I thought about various ways to overcome a few days of downtime, and some precautions to take in the future.
Ways to Prevent Hacks
While some hacks can not be prevented because they are attacks on the servers themselves, sometimes hackers will single out one specific site in which they plan to target. While hackers can be in the drivers seat in terms of what they can do to your site, their are precautions you can take to eliminate or potentially stop the damage.
Make sure you’re backed up
If you don’t have a host that provides daily backups, it may be time to find a new host. Some hosts do this for you automatically, and others don’t offer it at all. In some cases, you may be asked to pay a fee for daily backups, but it’s totally worth it, especially if your site is well built up.
If you run a simple static site, you can probably handle making your own personal backups to your computer whenever you make changes. Hackers like messing with MySQL databases, which could really destroy a site that runs a lot of mysql based scripts.
If you’re host doesn’t offer backups, there are a few alternatives. First there’s Automysqlbackup, a script that can take daily, weekly, or monthly backups of all your databases on a server. It is free and available from sourceforge. If you’re looking to go the paid root for entire site backup, their are numerous services out there, one of them being Sitevault, which is available for $99.
Keep your scripts fresh and secure
Hackers search for ways to get into your site, and it means any way possible. Scripts can have security holes which get patched in minor updates, and it’s important to watch for new releases and update your scripts whenever possible. Even if the changelog shows nothing major, don’t simply say “I don’ need to update, there’s nothing new!”, because even the smallest changes can provide big security gains for your site.
Another thing to keep in mind is keeping your files locked. Only give “777” permissions to files that require you to do so, because simply giving full permissions like that to all your files can screw you over in the long run. Some files (like the phpadsnew config) require that you give some files 777 permissions and then lower the permissions so the file is “locked” before use of the script. Try using this practice on more of your scripts to keep them away from the prying eyes of hackers.
Safer, stronger (and longer) passwords
Using your birthday isn’t the smartest way to protect your files. Passwords have to be thought out and tough to crack. Using simple words or phrases doesn’t cut it anymore, because their can be someone who will figure it out. The best passwords are those that are made with an entirely random combination of letters and numbers of all different sizes. And of course, the longer the password length the more secure it will be. There are generators out there that can put together some pretty secure passwords if you don’t feel like putting together your own random mess.
Ways of Recovering
After a site hack, especially a prolongated one that lasts a few days, it’s nice to come back strong. You can do that in a variety of ways, and depending on the type of site you have, you could try doing different things.
Update the design
I used Astereo’s downtime to update the index and refresh some graphics, something I probably wouldn’t have done because I didn’t have the motivation to do it prior to the hack.
You can also use the time to put together an entirely fresh design, so you don’t just return, but you return with a bang. This lets people forget about the fact that your site may have been down for a few days.
Release new content
Some of you long time readers might remember Devlounge being hacked very early on, in May of 2006. Luckily, DL was still just getting started, so it didn’t have a major impact, and the hacker only changed posts and the page title, as well as deleted the stylesheet. To get our readers off of the dummy content that had been posted, I made sure it was all deleted and wrote as many new things as I could. I didn’t want to see feedreaders of our visitors swamped with the dummy posts of an inconsiderate hacker. It also helps clear the minds of visitors who might have been losing their patience when the site was a wreck.
Be Prepared
Hacks can occur at any time. The best prevention is to just be prepared for the worst, and make sure you have a host who is on top of the game to help you get your site back online and in its original condition as fast as possible. Time is money, and it’s also patience.
