
Protecting your website from hackers

There are a lot of bots out there on the Net, all desperate to hack into and hijack your precious little standalone blog, or e-commerce site, or whatever. Or steal your work. Or maybe they just hoover up all your bandwidth, something you certainly don’t want if you pay for it or if your hosting company severely throttles the number of simultaneous connections.

Don’t imagine that, just because your site is tiny and has few visitors, it won’t be attacked. They’re not interested in your public; they want your diskspace. I offer this as an example:

(Image: Attacks blocked in July 2017)

So, the first thing to do when setting up a site is to protect yourself against all this shit. To start with, install a spam filter. Akismet is by far the most popular and it is easy to use with Jetpack, if you have that installed.

Now you need a firewall. If you’re running a WordPress-powered blog, I advise using WordFence, generally agreed to be the best security plugin out there. Whichever plugin you do use, don’t activate more than one, or you’ll get conflicts that can render your site unusable. So, apart from Akismet, disable all the security options in Jetpack.

If you enable your hosting service’s firewall, be careful: this may disable automatic software updates and make it impossible for visitors to access certain files, such as PDF documents. Test it carefully before using it. It’s also important to remember that you’ll still need to take other precautions to prevent unauthorised logins. Brute force attempts to log in to my site constitute the vast majority of the attacks I see.

One possibility that may make your life easier is to use a CDN service, the most popular (and cheapest – the basic plan is free) being Cloudflare. It won’t solve everything, as some hackers use IP addresses rather than domain names to bypass the Cloudflare servers, but it does take quite a bit of pressure off. The great thing about Cloudflare is that you can use it to filter (using Captcha to let humans in but keep bots out) IP ranges, entire countries, or traffic coming from a specific ISP/hosting service.

Install your firewall with care, following the instructions. You should have at least the possibility to block IP ranges and user agents. My advice is to do the following before going any further:

1. Block Datashack/Nocix (AS33387)
It’s owned by crooks as far as I can tell and their sole desire is to install malware on your site.

2. Block obsolete browsers:
They are almost always used for hacking (*=wildcard):

  • *Firefox/1* to *Firefox/4* (current version 54). I have seen *Firefox/5.* used for hacking, so block that as well
  • *Chrome/1* to *Chrome/4* (current version is 59), bearing in mind that Google use a modified Chrome/41 to check AMP pages. Way to go, Google
  • *MSIE/1* to *MSIE/10* (current version = 11)
  • *Go-http-client/1.1*
  • *curl* – This is used to upload files, nuff said
  • *ahrefs* & *XoviBot* – content-scraping, for-profit SEO sites that devour bandwidth. There are others.
  • *WinHttp.WinHttpRequest* and *commoncrawl.org* are used to download entire websites. You probably don’t want this

The list is by no means exhaustive but it’s a start. Don’t forget to block anything coming from Datashack. They can find your site and install a backdoor before WordFence has finished with “learning mode” for extended protection.

That’s it? Done all that, maybe tweaked the lockout rules for brute force log-in attempts? Excellent, well done, have a cup of tea and a biscuit. Now the good bit. You need to check on your site every single day to ensure that everything is working as planned. Do it over your morning coffee, or lunch break or home-at-last beer. It doesn’t take very long, now you’ve got the main filters up; it’s just a matter of tweaking them, maybe adding an extra filter now and then. You’ll probably see other SEO bots you want to block, more suspicious user-agent strings, and so on. Look for 404 errors; these may show you bots hunting for exploits: either weaknesses in your own software or malware that someone else has installed.
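As an added example (not code from the post, and not WordFence’s or Cloudflare’s own logic), here is a Python script that applies the user-agent wildcard list from the section above and an IP block list to a web-server access log in the usual Apache/nginx “combined” format, then does the daily check-up described in the paragraph above: it counts 404s per client (repeated misses flag a bot hunting for files that aren’t there) and POSTs to the login page per client. The `*Googlebot*` exception for Google’s AMP fetcher, the `198.51.100.0/24` placeholder network (the post names AS33387 but lists no address prefixes) and the sample log lines are all constructed assumptions. One caveat worth knowing about the globs: `*Firefox/1*` also matches Firefox/10 to Firefox/19, and likewise for the Chrome and MSIE patterns, so check what the pattern really covers before switching it on.

```python
# Added example, not code from the original post: applies the post's
# user-agent and IP filters to a (constructed) combined-format access log
# and counts 404s and login POSTs per client for the daily check-up.
import fnmatch
import ipaddress
import re
from collections import Counter

# The post's wildcard patterns ("*" = wildcard), one per version number.
# A glob such as "*Firefox/1*" also matches Firefox/10 to Firefox/19.
BLOCKED_UA_PATTERNS = (
    [f"*Firefox/{n}*" for n in range(1, 5)] + ["*Firefox/5.*"]
    + [f"*Chrome/{n}*" for n in range(1, 5)]
    + [f"*MSIE/{n}*" for n in range(1, 11)]
    + ["*Go-http-client/1.1*", "*curl*", "*ahrefs*", "*XoviBot*",
       "*WinHttp.WinHttpRequest*", "*commoncrawl.org*"]
)

# Exceptions checked before the block list. Assumption: Google's AMP fetcher
# (Chrome/41 according to the post) should get through. A User-Agent header
# is trivially forged, so confirm the source address before trusting a hit.
ALLOWED_UA_PATTERNS = ["*Googlebot*"]

# Placeholder for networks you decide to block (TEST-NET-2, constructed;
# the post names AS33387 but no prefixes, so none are hard-coded here).
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

def parse_log_line(line):
    """Return one line's fields as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def is_blocked_user_agent(ua):
    """Allow list first, then block list; case-insensitive so that e.g.
    "AhrefsBot" is caught by the post's "*ahrefs*" pattern."""
    ua = ua.lower()
    if any(fnmatch.fnmatchcase(ua, p.lower()) for p in ALLOWED_UA_PATTERNS):
        return False
    return any(fnmatch.fnmatchcase(ua, p.lower()) for p in BLOCKED_UA_PATTERNS)

def is_blocked_ip(ip):
    """True if the client address lies inside a blocked network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)

def analyse(log_text, not_found_threshold=3):
    """One pass over the log: requests the filters would have blocked, 404s per
    client (repeated misses = a bot probing for files) and login-page POSTs."""
    blocked, not_found, login_posts = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if is_blocked_ip(rec["ip"]):
            blocked.append((rec["ip"], rec["path"], "blocked network"))
        elif is_blocked_user_agent(rec["ua"]):
            blocked.append((rec["ip"], rec["path"], "blocked user agent"))
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            login_posts[rec["ip"]] += 1
    probing = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return {"blocked": blocked, "not_found": dict(not_found),
            "probing": probing, "login_posts": dict(login_posts)}

# Constructed sample log (documentation addresses); none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2017:08:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2473 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
203.0.113.10 - - [12/Jul/2017:08:01:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2473 "-" "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6"
198.51.100.7 - - [12/Jul/2017:08:02:01 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 512 "-" "curl/7.47.0"
198.51.100.7 - - [12/Jul/2017:08:02:02 +0000] "GET /wp-content/plugins/other-plugin/readme.txt HTTP/1.1" 404 512 "-" "curl/7.47.0"
198.51.100.7 - - [12/Jul/2017:08:02:03 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/7.47.0"
192.0.2.44 - - [12/Jul/2017:08:03:10 +0000] "GET /2017/07/a-post/ HTTP/1.1" 200 10342 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
192.0.2.44 - - [12/Jul/2017:08:03:11 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "https://www.example.com/2017/07/a-post/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"
192.0.2.99 - - [12/Jul/2017:08:04:00 +0000] "GET /2017/07/a-post/amp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) Chrome/41.0.2272.96"
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, path, reason in report["blocked"]:
        print(f"BLOCK {ip:15} {reason:19} {path}")
    print("scanners (3+ 404s):", report["probing"], "login POSTs:", report["login_posts"])
```

Run it against your own log with `analyse(open("access.log").read())`; the allow list is deliberately checked before the block list so that a trusted crawler presenting an old Chrome version is not caught by `*Chrome/4*`, and the sample shows the Firefox/3.6 client and the curl scanner in `198.51.100.0/24` being blocked while the Chrome/59 visitor with a single missing favicon is left alone.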

Useful links:

  • AbuseIPDB – report hacking attempts and check if anyone else has reported problems from that IP address
  • Project Honeypot – catching spammers and other scum. If you control your site, you can install their honeypot script to catch badly-behaved bots. You can also comment on IPs giving you grief
  • Gravityscan – scan your website for malware. It works well with…
  • WordFence (WordPress only)
  • Akismet – spam filtering for WordPress
  • Cloudflare can filter email traffic as well as Web



Blogging 101

(Image: Example of the Comic Sans font. Photo credit: Wikipedia)

These days, everyone has a Facebook page, a blog, a Twitter account; everyone’s a writer. That’s OK. However, if you want people to read your deathless witterings, you need to make it easy for them. There are two parts to this, both vitally important. Unfortunately, even some major bloggers don’t seem to have grasped some basic facts. I name no names, but…

1. Easily understandable text

If you do most of your writing on a tablet or smartphone, don’t post directly from there. Save the post in draft form and reread it on a full size screen before publishing: it will be easier to spot misspellings and typos.

Spelling and grammar are your friends. Remember “it’s” means “it is”; this is the only possessive that doesn’t take an apostrophe in the entire English language, so it’s easy to remember. Always reread your text, using preview, and check for stray apostrophes, wandering commas and other obstacles to readability. Use a spell checker. Reread your text. Read it out loud, as this helps find ambivalent or awkwardly phrased sentences. If you’re not sure how to punctuate a sentence so that it reads fluently, reformulate it so that it does. Then reread your text. Look out for repeated use of the same word in consecutive sentences, try to vary the vocabulary a little and watch for overly long sentences. Reread your text.

2. Clear presentation

Keep the layout uncluttered. Don’t try to cram in as many widgets and ad spots as possible: it’s worse than distracting. In decoration aim for elegant simplicity, not a teenager’s bedroom wall. A fixed-width template is probably best, as that way you can control how your blog looks on any size of screen. If you’re self-hosting and/or using a custom template, remember to check that results are satisfactory with most of the major browsers.

The colour scheme should not render the whole thing completely illegible. Stay away from light coloured text on medium to light backgrounds. There should be a reasonable amount of contrast; remember that both books and text-processing applications are mostly black characters on a slightly off-white background. There are good reasons for this. The final text should not be too small for your target audience to read, so check your template for this unforgivable sin as well. Oh, and although it’s fine to use a fancy(ish) font for titles and page headers, use an easy-to-read font for the body. Avoid Comic Sans. Don’t even use it ironically (sarcastically is OK, though).

After applying all the above, your prose should be pleasant to read. Of course, it’s still up to you to make it interesting, in terms both of subject and of style. And reread your text.

Rant over. Don’t let me catch you at it again.
