web design web hosting

Winning the War Against Hackers

Written by Paul Steinbrueck

Homeland Security has one of the worst jobs in the world.

Think about it… the only time you hear about them is when they fail, when someone slips through the cracks and makes a successful attack. When they do their job well, they go unnoticed. We don’t hear about all the attacks they prevented.

The same is true for website security.

Our Recent Battle with Hackers

Earlier this week one of our servers experienced high loads a couple of mornings in a row. We discovered it was being hit with a “brute force attack.” A hacker was attempting to break into WP-EZ sites using automated software to send thousands of random passwords to the login pages in the hopes that they’ll get lucky and guess the right password.

We implemented counter measures to combat the attack which would block any IP addresses making excessive login attempts.

That worked for a bit, but then yesterday the hacker started using a “distributed attack” in which a very small number of login attempts were made from thousands of different IP addresses. The small number of login attempts prevented the IP addresses from getting blocked which drove up the load on the server so high websites on the server wouldn’t load anymore. There was no way for our counter-measures to distinguish which login attempts were a part of the attack and which were legitimate login attempts from users. So, we had to temporarily block all access to the WP-EZ login URLs.

We had to come up with another solution. We ended up modifying our WP-EZ Website Builder so that the only way to login to the WP-EZ dashboard is by going through MyOCC. That solution was implemented this morning. Everything is looking good now, sites are loading quickly, and we’ll continue to monitor things closely.

If we provide web hosting services to you, we apologize for the inconvenience and thank you for your patience.

Are You Asking the Right Questions?

We all expect our websites to be up and running 24/7. In fact, we tend to take this for granted. When people are looking for a website design company, a website builder or a web hosting company, they rarely ask questions like:

  • What measures do you have in place to combat hacking?
  • What will you do to fix my website and remove malicious files if my website gets hacked?

3 Website Services to Ask For

When you’re considering website services, here are 3 specific features/services to ask about.

1) Website updates – One of the most common ways hackers get into websites is through known security flaws. If you don’t update your website software regularly, you are almost guaranteed to get hacked eventually.  If you use our WP-EZ Website Builder or have us build you a custom-designed website, we keep everything updated for you.

2) Nightly backups – If your site does get hacked, you’re going to want to restore the site from a backup. Make sure your web hosting company provides automatic backups every night. We do this for our hosting clients and keep 30 days worth of backups.

3) Malware removal – Removing malware from a website can be a difficult and time-consuming process. Malware scans are often don’t find all the malware in an account. Deleting everything from a web hosting account and restoring it from backup works sometimes, but I’ve seen several instances where hackers placed an upload program into an account and then waited more than 30 days, so that every time we restored the account from backup, we restored the malware. We had to go into the account, check the timestamps on files, review the logs, and manually track down and remove the malware to get the account clean. Most hosting companies will not do this, so be sure to ask.

If you have any questions about website security or hacking, give us a call, send us an email or post a comment below.

About the author

Paul Steinbrueck

Paul Steinbrueck is co-founder and CEO of OurChurch.Com, husband, father of 3, blogger. You can follow him on Twitter at @PaulSteinbrueck and add him to your circles at Google+ as +Paul Steinbrueck.

4 Comments

  • Ouch! No fun. Often the limit login will handle brute force attacks.

    Backups are a lifesaver and webhosts who backup for you makes sense, esp if I can go in and click a button to go back.

    I always backup before updating WP sites. One theme had a big update, changing short codes, and not until that was done, did I see we needed to update the theme’s support to get a new code. Meanwhile the site looked horrible with broken shortcode all over the place. One click and everything was back to normal. Updated the theme’s support, put up maintenance page then went through the update process.

    Many hosts do not work at removing malicious files. That is good thing.

    • Thanks Heidi. Unfortunately, the brute force attack used against our server was doing a few login attempts from thousands of different IP addresses, so it wasn’t tripping the login limits. We had to find another solutions.

  • WOW! Great and very useful article! Thank you Paul 🙂 My site was attacked by my competitor before, very sad. Now got your great tips, thanks much for your suggestions. 🙂

Leave a Comment

What is 15 + 6 ?
Please leave these two fields as-is:
IMPORTANT! To be able to proceed, you need to solve the following simple math (so we know that you are a human) :-)