Website Security, 5 Tips to Secure Your Blog From Hackers

Last month several of my sites got hacked. I found a JavaScript snippet in every file named index.html on WordPress installations as well as regular HTML websites. On my WordPress sites it was in index.php in the root, wp-content, and wp-admin. On my HTML sites it was in every index.html going one sub-directory deep. All sites looked and worked fine and I wouldn’t have even noticed it except that there was an error in the injected HTML that broke one of the pages. When I looked I saw a JavaScript snippet at the bottom of the file. No idea what it did or was planning to do, nor did I have any inclination to find out. I just deleted it immediately.

This sparked a little paranoia which led to a bit of research I should have done years ago. So here are a few things that I am now doing to protect my websites.

1a. Changing my username to anything but “admin.”

1b. Changing my passwords to long, meaningless strings of mixed character types. No dates or actual words, a good mix of lower and uppercase letters, numbers, and special characters. I try to make them at least 16 characters long.
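Here is an added Python example (not from the original post) that turns tip 1b into code: it generates a password from the OS cryptographic random source and checks that the result is at least 16 characters and uses all four character classes. The character set and the policy checker are my own assumptions about what “a good mix” means.

```python
import secrets
import string

# The four character classes the post asks for: lower, upper, digits, specials.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"   # assumed set; adjust to what your login form accepts
ALL = LOWER + UPPER + DIGITS + SPECIAL


def meets_policy(password: str, min_length: int = 16) -> bool:
    """True if the password is long enough and contains every character class."""
    return (
        len(password) >= min_length
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 16) -> str:
    """Build a random password with the `secrets` module (CSPRNG, not `random`).

    One character from each class is picked up front so the policy is always met,
    the rest are drawn from the full alphabet, and the list is shuffled with a
    secrets-driven Fisher-Yates so the guaranteed characters are not always first.
    """
    if length < 16:
        raise ValueError("the post recommends at least 16 characters")
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALL) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_policy(pw))
```

A password this shape is not memorable, which is the point; store it in a password manager rather than reusing it across sites.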

2. For WordPress installations I found a nice article on Matt Cutts’ site. His first piece of advice is to “lock down /wp-admin/” by blocking all IP addresses, except your own of course, with your .htaccess file. Keep in mind that some of us have dynamic IP addresses, so if you find that all of a sudden you can’t log in, go to http://www.whatsmyip.org/ to find out what it is and update your .htaccess. Oh yeah, keep a copy of your .htaccess file locally.

3. In my case, since both WordPress and static HTML sites got hacked and they were all in the same shared hosting account I am pretty sure that it was a password discovery hack. I have since tried the Login Lockdown plugin. So far so good.

4. Delete the line of code in your WordPress template header.php that tells what version you have. It looks like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats please -->

5. Always update your WordPress installation and plugins as soon as possible. Many updates are created for the sole purpose of fixing exploitable holes in the core files. Being able to do this automatically within the admin, as well as the blaring warning that shows up, gives us no excuses for forgetting to do so.
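The injection described at the top of the post (a script tacked onto the end of every index file, one directory deep) and tip 4 (the generator meta tag) can both be checked for with a small scanner. The following Python script is an added example, not code from the post or from WordPress; the heuristics it uses (a script block after the closing html/body tag, eval/unescape/fromCharCode obfuscation, and the WordPress generator meta tag) are my own assumptions, and the sample pages are constructed here for the demo.

```python
import re
from pathlib import Path

# File names the post saw modified, in the site root and one level down.
INDEX_NAMES = {"index.html", "index.php"}

# Assumed heuristics. A script that sits after </html> or </body> is not something a
# template normally emits; eval/unescape/fromCharCode chains are the usual sign of an
# obfuscated payload; the generator tag is what tip 4 says to remove.
TRAILING_SCRIPT = re.compile(r"</(?:html|body)>\s*<script\b.*?</script>", re.I | re.S)
OBFUSCATED = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I)
GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress', re.I)


def scan_html(text: str) -> list:
    """Return the finding labels that apply to one file's contents (empty if clean)."""
    findings = []
    if TRAILING_SCRIPT.search(text):
        findings.append("script-after-closing-tag")
    if OBFUSCATED.search(text):
        findings.append("obfuscated-script")
    if GENERATOR.search(text):
        findings.append("generator-meta-present")
    return findings


def scan_site(root: Path, depth: int = 1) -> dict:
    """Walk root and up to `depth` levels of subdirectories for index files
    and return {relative path: findings} for every file with a finding."""
    results = {}
    for path in root.rglob("*"):
        if path.name not in INDEX_NAMES or not path.is_file():
            continue
        rel = path.relative_to(root)
        if len(rel.parts) - 1 > depth:
            continue
        found = scan_html(path.read_text(errors="replace"))
        if found:
            results[str(rel)] = found
    return results


# Constructed sample pages for the demo (not real captured content).
CLEAN_PAGE = (
    "<!DOCTYPE html>\n<html><head><title>Home</title></head>\n"
    "<body><p>Hello</p></body>\n</html>\n"
)
# A theme legitimately loading its own script before </body>: must not be flagged.
LEGIT_PAGE = (
    '<html><head><title>t</title></head><body><p>x</p>'
    '<script src="app.js"></script></body></html>\n'
)
# The post's pattern: a script appended after the page has already ended
# (payload here is a harmless alert(1), hex-encoded, just to trip the heuristic).
INJECTED_PAGE = CLEAN_PAGE + '<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>\n'
WP_HEADER = '<html><head><meta name="generator" content="WordPress 2.9" /></head><body></body></html>\n'


if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("legit", LEGIT_PAGE),
                       ("injected", INJECTED_PAGE), ("wp-header", WP_HEADER)]:
        print(name, scan_html(page))
    # Real use: print(scan_site(Path("/path/to/public_html")))
```

Run `scan_site` against a local copy of your web root after every deploy; a finding on a file you did not change is the signal the post says it missed until a broken page gave it away.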


IE6 Helps Communists Hack Gmail Accounts

Google has threatened to shut down its business in China. To date the big G has been censoring the results it serves there in order to comply with Chinese law. However, this arrangement has come under scrutiny due to an attack on its infrastructure that originated there in the later months of 2009.

It seems that Chinese government officials used a flaw in IE6 to hack into Gmail and other major Western companies’ accounts in order to spy on citizens who were suspected of being “dissenters” who oppose the government of China, and anti-communist human rights activists. In what could be seen as a response to the attack, Gmail accounts are now HTTPS by default. Gmail has always given us the option to have our mail secured, but now the option is to turn it off.

Microsoft has issued statements that urge people to upgrade to IE8. The exploited flaw in IE6 had something to do with an invalid pointer reference which could be accessed after an object was deleted under certain circumstances. In the right hands, the freed object can be used to execute remote code. Microsoft has admitted that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7. A patch was released recently which Microsoft claims will patch the hole though they also admitted that the malicious code can be hidden inside rigged MS Office documents. Still, several countries including France and Germany have urged citizens to abandon using IE altogether even though many have claimed that this could be a dangerous approach by instilling a false sense of security.

Google China is questioning employees but no details have been released. The attack was sophisticated; it involved a modification of a trojan called Hydraq. Analysts have reported that the sophistication in the attack was in knowing whom to attack, not the malware itself.

Google announced that it will no longer censor search results in China and in fact may even shut down Google.cn. The Chinese government is not backing down, saying that Google must obey China’s laws and traditions: “Foreign enterprises in China need to adhere to China’s laws and regulations (and) respect the interests of the general public and cultural traditions and shoulder corresponding responsibilities. Google is no exception.” China, like most countries, uses the search engine for business and education; however, they block all access to material deemed “subversive or pornographic,” including foreign sites that revolve around human rights groups. The White House supports Google’s stance, but there was no indication of other companies following its lead and challenging government controls. Microsoft and Intel have very large presences in China and I can definitely understand why they would not want to jeopardize their relationships with the Chinese government.

Meanwhile, Google has postponed the launch of its Nexus One cell phone until this dispute concerning censorship is settled. I can’t even imagine the ramifications of a Google shutdown in China. The number of businesses that rely on search, maps, and email is probably staggering, and the cost of changing the way business is conducted is possibly in the billions nationwide.

Personally, as a web designer and developer, I have no choice but to love Google with all my heart. IE6 on the other hand has been a time sucking PITA for the last two years. As for the communist spies, if this exploit turns out to be the final nail in IE6’s coffin I will not complain.


Dreamweaver Has Stopped Working

This is just one of those things that is so weird I had to write about it. I was working on a WordPress theme for a client using Dreamweaver CS3 as usual when all of a sudden Dreamweaver just disappeared. Dreamweaver stopped working for no reason, no warning, no error window, it just went away. I tried to reopen Dreamweaver and it came up for about three seconds then just disappeared again. I began to panic a little because I was right in the middle of making a website for a regular client. I of course started thinking about the phone call I would have to make telling them that I couldn’t finish the project by the deadline because my software had disappeared, real professional. I also started thinking about what a drag it would be to have to start using Notepad and FileZilla or spend the next three hours reinstalling Dreamweaver and losing all my site definitions.

Screenshot: “Dreamweaver has stopped working”

An Easy Fix

First, before anyone reading this commits hara-kiri, the solution is stupid easy. One of your files is exactly a multiple of 8,192 bytes. Probably the one you were just working on. For me it was a stylesheet and it was 16,384 bytes, exactly two times 8,192.

Open the file in notepad or anything other than Dreamweaver CS3 and add a few blank lines then save. Dreamweaver will now open for you. You probably want to keep those blank lines in there until you’re done editing otherwise you might hit the magic number again.
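Rather than hunting for the guilty file by hand, the size check and the blank-line fix can be scripted. This Python script is an added example, not from the post or from Adobe; the list of suffixes it inspects and the demo file it builds in a temporary directory are my own assumptions.

```python
import tempfile
from pathlib import Path

BLOCK = 8192  # the size whose exact multiples make Dreamweaver CS3 vanish at startup


def is_trigger_size(size: int) -> bool:
    """True when a file size is an exact, non-zero multiple of 8,192 bytes."""
    return size > 0 and size % BLOCK == 0


def find_trigger_files(root: Path, suffixes=(".html", ".php", ".css", ".js")) -> list:
    """List every file under root (assumed suffixes only) whose size would trigger the crash."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix in suffixes and is_trigger_size(p.stat().st_size))


def pad_file(path: Path) -> int:
    """Apply the post's fix: append blank lines until the size is no longer a
    multiple of 8,192. Returns the new size in bytes."""
    with path.open("ab") as f:
        while True:
            f.write(b"\n")
            f.flush()
            size = path.stat().st_size
            if not is_trigger_size(size):
                return size


def demo() -> dict:
    """Constructed demo: a 16,384-byte stylesheet (2 x 8,192, the post's own case)
    in a temporary directory, found and then padded."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        css = root / "style.css"
        css.write_bytes((b"body { margin: 0; }\n" * 1000)[:2 * BLOCK])
        before = [p.name for p in find_trigger_files(root)]
        after_size = pad_file(css)
        after = [p.name for p in find_trigger_files(root)]
        return {"before": before, "after_size": after_size, "after": after}


if __name__ == "__main__":
    print(demo())
    # Real use: for p in find_trigger_files(Path("/path/to/site")): pad_file(p)
```

Running `find_trigger_files` over a site folder before opening Dreamweaver tells you which file to pad; the loop in `pad_file` keeps appending until the size is safe, which matters if you ever pad by a larger amount than a single newline.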

Fortunately my first response was on target: I Googled “Dreamweaver won’t open” and hit the first result. Big thanks to Mike Padgett for his report and solution to this strange anomaly. Big thanks also to Adobe Community Expert and author David Powers, who found this bug in 2007 and wrote the ever so easy solution on the Macromedia Google Group in a discussion titled Dreamweaver CS3 Crashes At Startup.

Another WTF Adobe

This is the second time in one month that an Adobe product has turned on me. A few weeks ago Photoshop would not open; it would just give me the error box that said licensing for this product has stopped working, I’d click OK and the program would close. This was a bit more difficult to diagnose and though I did get around it I have heard that this happens repeatedly to many people. I am not ready to fork over $400 for CS4 just yet and dread having to uninstall and then reinstall CS3. I understand the complexity of these applications is immense, but Adobe is the god of design applications and I hadn’t had a problem with any of their products in years. I think it was Photoshop 3 where if you had more than one file open and tried to close one using the X at the top right, the most recently opened file would go away no matter which one you clicked. That bug got fixed within a few months and was the last weirdness I ever had with one of their products until this month.

I am still on board, though I may be looking into GIMP, the open source image editor. Flash, well, there’s only one Flash so no alternatives there to speak of. I have tried KompoZer, Bluefish, and Notepad++ but nothing does the job and has everything under the same roof as well as Dreamweaver. Hopefully Adobe CS4 has dealt with these bugs, and though someday I will break down and upgrade, not today. Dreamweaver CS3 does the job for me so I’ll just continue on my way… until the next A-bomb.

8,192 bytes, sheesh.
