Tag Archives: site security

Protecting your website from hackers

There are a lot of bots out there on the Net, all desperate to hack into and hijack your precious little standalone blog, or e-commerce site, or whatever. Or steal your work. Or maybe they just hoover up all your bandwidth, something you certainly don’t want if you pay for it or if your hosting company severely throttles the number of simultaneous connections.

Don’t imagine that, just because yout site is tiny and has few visitors, it won’t be attacked. They’re not interested in your public; they want your diskspace. I offer this as an example:

Attacks blocked in July 2017

So, the first thing to do when setting up a site is to protect yourself against all this shit. To start with, install a spam filter. Akismet is by far the most popular and it is easy to use with Jetpack, if you have that installed.

Now you need a firewall. If you’re running a WordPress-powered blog, I advise using WordFence, generally agreed to be the best security plugin out there.  Whichever plugin you do use, don’t activate more than one, or you’ll get conflicts that can render your site unusable. So, apart from Akismet, disable all the security options in Jetpack.

If you enable your hosting service’s firewall, be careful: this may disable automatic software updates and make it impossible for visitors to access certain files, such as PDF documents. Test it carefully before using it. It’s also important to remember that you’ll still need to take other precautions to prevent unauthorised logins. Brute force attempts to log in to my site constitute the vast majority of the attacks I see.

One possibility that may make your life easier is to use a CDN service, the most popular (and cheapest – the basic plan is free) being Cloudflare. It won’t solve everything, as some hackers use IP addresses rather than domain names to bypass the Cloudflare servers, but it does take quite a bit of pressure off. The great thing about Cloudflare is that you can use it to filter (using Captcha to let humans in but keep bots out) IP ranges, entire countries, or traffic coming from a specific ISP/hosting service.

Install your firewall with care, following the instructions. You should have at least the possibility to block IP ranges and user agents. My advice is to do the following before going any further:

1. Block Datashack/Nocix (AS33387)
It’s owned by crooks as far as I can tell and their sole desire is to install malware on your site.

2. Block obsolete browsers:
They are almost always used for hacking (*=wildcard):

  • *Firefox/1* to *Firefox/4* (current version 54). I have seen *Firefox/5.* used for hacking, so block that as well
  • *Chrome/1* to *Chrome/4* (current version is 59), bearing in mind that Google use a modified Chrome/41 to check AMP pages. Way to go, Google
  • *MSIE/1* to *MSIE/10* (current version = 11)
  • *Go-http-client/1.1*
  • *curl* – This is used to upload files, nuff said
  • *ahrefs* & *XoviBot*- content-scraping, for-profit SEO sites that devour bandwidth. There are others.
  • *WinHttp.WinHttpRequest* and *commoncrawl.org* are used to download entire websites. You probably don’t want this

The list is by no means exhaustive but it’s a start. Don’t forget to block anything coming from Datashack. They can find your site and install a backdoor before WordFence has finished with “learning mode” for extended protection.

That’s it? Done all that, maybe tweaked the lockout rules for brute force log-in attempts? Excellent, well done, have a cup of tea and a biscuit. Now the good bit. You need to check on your site every single day to ensure that everything is working as planned. Do it over your morning coffee, or lunch break or home-at-last beer. It doesn’t take very long, now you’ve got the main filters up; it’s just a matter of tweaking them, maybe adding an extra filter now and then. You’ll probably see other SEO bots you want to block, more suspicious user-agent strings, and so on. Look for 404 errors, these may show you bots hunting for exploits: either weaknesses in your own software or malware that someone else has installed.

Useful links:

  • Abuse IPDB – report hacking attempts and check if anyone else has reported problems from that IP address
  • Project Honeypot – catching spammers and other scum. If you control your site, you can install their honeypot script to catch badly-behaved bots. You can also comment on IPs giving you grief
  • Gravityscan – scan your website for malware. It works well with…
  • WordFence (WordPress only)
  • Akismet – spam filtering for WordPress
  • Cloudflare can filter email traffic as well as Web