Homeland Security has one of the worst jobs in the world.
Think about it… the only time you hear about them is when they fail, when someone slips through the cracks and makes a successful attack. When they do their job well, they go unnoticed. We don’t hear about all the attacks they prevented.
The same is true for website security.
Our Recent Battle with Hackers
Earlier this week one of our servers experienced high loads a couple of mornings in a row. We discovered it was being hit with a “brute force attack.” A hacker was attempting to break into WP-EZ sites using automated software to send thousands of random passwords to the login pages in the hopes that they’ll get lucky and guess the right password.
We implemented counter measures to combat the attack which would block any IP addresses making excessive login attempts.
That worked for a bit, but then yesterday the hacker started using a “distributed attack” in which a very small number of login attempts were made from thousands of different IP addresses. The small number of login attempts prevented the IP addresses from getting blocked which drove up the load on the server so high websites on the server wouldn’t load anymore. There was no way for our counter-measures to distinguish which login attempts were a part of the attack and which were legitimate login attempts from users. So, we had to temporarily block all access to the WP-EZ login URLs.
We had to come up with another solution. We ended up modifying our WP-EZ Website Builder so that the only way to login to the WP-EZ dashboard is by going through MyOCC. That solution was implemented this morning. Everything is looking good now, sites are loading quickly, and we’ll continue to monitor things closely.
If we provide web hosting services to you, we apologize for the inconvenience and thank you for your patience.
Are You Asking the Right Questions?
We all expect our websites to be up and running 24/7. In fact, we tend to take this for granted. When people are looking for a website design company, a website builder or a web hosting company, they rarely ask questions like:
- What measures do you have in place to combat hacking?
- What will you do to fix my website and remove malicious files if my website gets hacked?
3 Website Services to Ask For
When you’re considering website services, here are 3 specific features/services to ask about.
1) Website updates – One of the most common ways hackers get into websites is through known security flaws. If you don’t update your website software regularly, you are almost guaranteed to get hacked eventually. If you use our WP-EZ Website Builder or have us build you a custom-designed website, we keep everything updated for you.
2) Nightly backups – If your site does get hacked, you’re going to want to restore the site from a backup. Make sure your web hosting company provides automatic backups every night. We do this for our hosting clients and keep 30 days worth of backups.
3) Malware removal – Removing malware from a website can be a difficult and time-consuming process. Malware scans are often don’t find all the malware in an account. Deleting everything from a web hosting account and restoring it from backup works sometimes, but I’ve seen several instances where hackers placed an upload program into an account and then waited more than 30 days, so that every time we restored the account from backup, we restored the malware. We had to go into the account, check the timestamps on files, review the logs, and manually track down and remove the malware to get the account clean. Most hosting companies will not do this, so be sure to ask.
If you have any questions about website security or hacking, give us a call, send us an email or post a comment below.