A few weeks ago, I was alerted by email that someone had logged into the admin console of one of my blogs. It was around 11:30 PM, and I was getting ready to go to sleep. Since I’m the only admin on my blog, I was surprised. Surprise quickly turned to alarm as I realized it must be a hack. That realization was the beginning of nearly five days of effort to stop the attacks, restore my sites and secure them to minimize the possibility of attacks in the future.
Online security is a topic that gets a lot of media coverage. In the past few years, there have been quite a few high-profile hacks. These hacks occur for all sorts of reasons, but in most cases, some security best practice was overlooked or not executed fully. The incidents you hear about generally involve large businesses or governments, or at least high-profile individuals that have agitated a group of hackers in some way. But do the attacks you hear about in the media really make up a large portion of the online attacks that occur, or are high-profile attacks only the tip of the iceberg?
Here’s a little background. I have been in the software/tech industry for quite a few years, working for several software companies, in both large enterprise and startups. I moved to a role as a senior software market analyst and executive about 12 years ago, and to my current role as Chief Research Officer at G2 Crowd a little over two years ago. I have two blogs that I built and maintain. One is tech-focused and has been around since 2007; the other is a photography blog. Both are hosted and built on WordPress. I’m not a web developer or cybersecurity expert, but I’m certainly not a technology neophyte.
In the past, I was a little lazy when it came to personal online security. But a couple of years ago, I decided to clean up my act, at least as far as passwords were concerned. I started using a paid password manager and added multifactor authentication to every account I could. Over time, I cleaned out most of my reused and/or weak passwords. I count myself lucky that my negligence never caused any real issues. I switched to WordPress from another blogging platform about four years ago. As far as the two blogs were concerned, I had what I’d call a medium level of security: free or freemium protection that included spam filters and a firewall plugin.
As a blogger, I never considered that my sites could be targets for attack. But all that has changed now, thanks to cryptocurrency mining. After the attacks were over, I pieced together what had happened. The purpose of the assault was to take over my sites and put a crypto miner in their place, using my server account.
The initial assaults were brute force attacks on my admin pages by bots, which I shut down by systematically increasing security levels each time the previous attempt to block them failed. I deleted the crypto mining script, of course, but over the next few attacks, the hackers became more aggressive; they eventually deleted both of my sites and attempted to delete all my backups. Once I stopped the brute force attacks, I thought I was out of the woods, only to find they had hidden several backdoors that gave them access through the security I had put in place. After five days of sifting through every file on the server to eliminate the backdoors, restoring from a clean server backup, and setting up the best security I could find, I was finally back to a steady state.
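The file-by-file backdoor hunt described above can be partly automated. What follows is an added example, not code from the original post: a Python scanner that walks a WordPress document root, flags any PHP file under wp-content/uploads (a directory that should only ever hold media), and greps every file, whatever its extension, for a few classic web-shell constructs. The indicator patterns, the directory layout and the sample files it plants in a temporary directory are constructed for illustration and are not an exhaustive signature set.

```python
"""Scan a WordPress document root for common backdoor indicators.

Added example, not part of the original post. The indicator patterns below
are an illustrative starting point, not a complete web-shell signature set.
"""
import os
import re
import shutil
import tempfile

UPLOADS_PREFIX = "wp-content/uploads/"
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Constructs that legitimate core, theme or plugin code essentially never
# combines with request input; every hit is a candidate for manual review.
SUSPICIOUS = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of decoded payload"),
    (re.compile(r"preg_replace\s*\(\s*['\"].*?/e['\"]"),
     "preg_replace /e modifier (code execution)"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "shell command built from request input"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
     "request parameter called as a function"),
]


def find_backdoor_candidates(root):
    """Return sorted (relative_path, reason) pairs for files worth reviewing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Executable PHP under uploads is never legitimate: the directory is
            # writable by the web server and only media should live there.
            if rel.startswith(UPLOADS_PREFIX) and name.lower().endswith(PHP_EXTENSIONS):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            # Scan every file regardless of extension: shells are routinely
            # hidden in .ico, .jpg or .txt and then included from real PHP.
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                content = fh.read()
            for pattern, reason in SUSPICIOUS:
                if pattern.search(content):
                    findings.append((rel, reason))
    return sorted(findings)


# Constructed sample tree: one clean core file, one clean upload, three planted shells.
SAMPLE_TREE = {
    "wp-includes/class-wp-http.php":
        "<?php class WP_Http { public function request($url) { return wp_remote_get($url); } }",
    "wp-content/uploads/2019/03/picture.jpg": "JFIF not really a picture",
    "wp-content/uploads/2019/03/wp-cache.php": "<?php eval(base64_decode($_POST['p']));",
    "wp-content/themes/twentyseventeen/footer.php":
        "<?php wp_footer(); ?>\n<?php $_POST['k']($_POST['v']); ?>",
    "wp-content/plugins/seo-helper/seo.php":
        "<?php preg_replace('/.*/e', $_REQUEST['x'], '');",
}


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    try:
        build_sample_tree(root)
        return find_backdoor_candidates(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run it against a real document root with `find_backdoor_candidates("/var/www/html")` and review each hit by hand; obfuscated shells vary enough that a pattern list only narrows the search. For core files a stronger check is comparison against the official checksums (WP-CLI's `wp core verify-checksums`) rather than grepping; the scanner is most useful in the plugin, theme and upload directories, where no reference copy exists.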
Looking back on the experience, I felt violated, as if someone had broken into my home. The experience was a good education in how to try to protect yourself online. I say “try,” because I truly believe anything online can be hacked. I’ve used that phrase for years, and while I felt it to be true, I didn’t really heed it; I didn’t do everything I could to try to protect myself. Here are a few things the experience taught me:
- Always use the highest level of security you can afford, balancing the costs against the level of risk
- Use multifactor authentication whenever possible
- Use a password manager application. No, really. Use it. Use randomly generated passwords that are unique to each login, and do not reuse passwords.
- Use a highly rated/reviewed hosting service with 24/7 support. Look up your blogging software to see what suggestions other users have about security and support services for your particular software.
- Make login IDs and usernames hard to guess. On WordPress, keep in mind that author archive URLs and the REST API's users endpoint can reveal usernames unless you restrict them, so an unguessable name is only part of the defense.
- Get a list of best practices for the specific backend of your website from a reputable source — or get more than one list — and do the listed actions.
- Besides doing regular online backups, store a backup offline as frequently as makes sense, based on how often your site’s content changes.
- Keep all software, including plugins and templates, updated to the current version.
- Turn notifications on, and pay attention to them. If it hadn’t been for the original admin login alert, I probably would never have known I’d been hacked.
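A notification is only useful if something is watching for the pattern behind it. The following is an added example, not part of the original post: a Python script that reads Apache/Nginx combined-format access log lines (a handful of constructed entries are embedded), counts POSTs to wp-login.php and xmlrpc.php per source IP, and flags any source that reaches a threshold of failed attempts inside a sliding time window, the kind of brute-force pattern described earlier in the post. The log format, the "302 means a successful login" heuristic, and the threshold and window sizes are assumptions chosen for illustration.

```python
"""Flag brute-force login sources in a WordPress access log.

Added example, not part of the original post. Parses combined-format log
lines (format assumed), groups POSTs to the login endpoints by source IP,
and reports sources that exceed a threshold of failed attempts inside a
sliding window. Threshold and window sizes are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def is_failed_login(rec):
    # Heuristic (assumed; verify against your own logs): a failed wp-login.php
    # POST re-renders the form with 200, a successful one redirects with 302.
    # xmlrpc.php answers 200 either way, so every POST to it counts as an attempt.
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] != 302


def brute_force_sources(lines, threshold=5, window_seconds=600):
    """Return {ip: peak attempts inside one window} for IPs reaching the threshold."""
    window = timedelta(seconds=window_seconds)
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for rec in records:
        if not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _entry(ip, hhmmss, method, path, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [06/Mar/2018:{hhmmss} -0600] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "{ua}"')


# Constructed sample log (not real traffic); deliberately not in time order.
SAMPLE_LOG = (
    # bot A: six failed logins in six seconds
    [_entry("203.0.113.7", f"23:30:0{i}", "POST", "/wp-login.php", 200,
            "python-requests/2.18") for i in range(1, 7)]
    # bot B: six failures in total, but split 2 + 4 across two windows
    + [_entry("198.51.100.9", f"23:31:0{i}", "POST", "/wp-login.php", 200) for i in range(1, 5)]
    + [_entry("198.51.100.9", f"22:40:0{i}", "POST", "/wp-login.php", 200) for i in range(1, 3)]
    # bot C: five xmlrpc.php POSTs (system.multicall is a common brute-force vector)
    + [_entry("192.0.2.201", f"23:32:1{i}", "POST", "/xmlrpc.php", 200) for i in range(5)]
    # site owner: loads the form, logs in once (302), opens the dashboard
    + [_entry("192.0.2.44", "23:35:00", "GET", "/wp-login.php", 200),
       _entry("192.0.2.44", "23:35:05", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
       _entry("192.0.2.44", "23:35:06", "GET", "/wp-admin/", 200)]
    # search-engine crawler
    + [_entry("66.249.66.1", "23:36:00", "GET", "/", 200, "Googlebot/2.1")]
)


if __name__ == "__main__":
    for ip, peak in sorted(brute_force_sources(SAMPLE_LOG).items()):
        print(f"ALERT {ip}: {peak} failed login attempts inside 10 minutes")
```

On the sample data only bots A and C trip the default threshold; bot B makes the same number of attempts but spread across two windows, which is exactly what a slow, distributed brute force looks like, so in practice you would also keep a longer-horizon count per IP and per username. Feed the output into whatever alerting you already receive (the same channel as the admin login notification) or into a firewall block list, and tune the window and threshold against a week of your own logs before trusting it.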
There are always more ways to beef up security. But for the average internet user, once you’ve made the above changes, you’ve done just about all you should reasonably do to protect yourself online. You may not be able to eliminate online risks completely, but installing security monitoring tools will at least open your eyes to what actually happens online.
Thanks to my new security, I now know that my sites average over 2,000 hits a day from bots. Most are just mindless crawlers, exploring the web for traffic monitors or search engines like Google. But a few of these daily bots will have a more malicious intent — they’re poking around for vulnerabilities, seeking out another victim. Protecting yourself online isn’t so much about stopping every attack; it’s about knowing that an attack could always be coming.
Michael Fauscette is chief research officer of G2 Crowd.