Replies: 22 / Views: 2,627 |
Pillar Of The Community

United States
3046 Posts |
As some of you probably know, I have a website called stamphacks.com. It serves one purpose in life. It provides free stamp pages for fellow stamp collectors. On a GOOD day, I get 20 visitors to the site.
And it's constantly being attacked by hackers for some reason.
The site was actually taken offline by my hosting company a few months ago because it was being hammered by bots of some kind, and my little site was causing the server it was on to come to a screeching halt.
The site was put back up with a login captcha, which seems to have slowed the bad guys down, but I still get occasional high CPU utilization warnings.
For the last two days my site has been getting hammered with attempted SQL injection attacks, which is really annoying.
The site runs Wordpress software. And I know Wordpress is a target of attack. But, come on! Go pick a site with more than 20 views a day.
Ok, rant is over.
And before anyone asks, yes I am still making stamp pages. Things have just slowed down a LOT, mostly because of work, and also because of Boy Scouts. My son is really close to getting his Eagle Scout, and we're trying to speed things along to help him get there.
So, I'm hoping to be back to my usual posting volume this summer.
Valued Member
United States
178 Posts |
Good luck with the Eagle project and congrats!! My son got his project approved last night. Going to be an exciting time!!

Moderator

United States
12330 Posts |
I feel your pain. I refuse to deal with Wordpress, it is like a magnet for those with malicious intent. Dump Wordpress and I bet much of your headache will go away.
Don

Pillar Of The Community

United States
3046 Posts |
Quote: Good luck with the Eagle project and congrats!! My son got his project approved last night. Going to be an exciting time!!

Well, he still needs to go through the approval process. But we have till February, so there's a little bit of breathing room.

Pillar Of The Community

United States
3046 Posts |
Quote: I feel your pain. I refuse to deal with Wordpress, it is like a magnet for those with malicious intent. Dump Wordpress and I bet much of your headache will go away. Don

I've been using Wordpress for this since 2012. I really don't feel like migrating it all to another CMS and having all the links break. I am tempted to just pay for hosting on Wordpress.com though, and let them deal with the headache, rather than Lunarpages.

Valued Member
Canada
437 Posts |
Ever considered changing your domain name?
On a more serious note, a few months back I needed to put together a simple web site, I thought that it would be the ideal opportunity for me to learn Wordpress. After a day or so I concluded that this ol' dog is far too old for new tricks and reverted back to the php/css/html I know and hate. In retrospect I am relieved, I had no idea that Wordpress sites are such a target for hackers, probably as a result of its popularity. What is not clear however is what the hackers hope to gain.
Clive

Moderator

United States
12330 Posts |
Quote: ...I had no idea that Wordpress sites are such a target for hackers, probably as a result of its popularity...

Ah, the 'security through obscurity' perspective! The good news, we are secure. The bad news, we are secure because no one uses us!
WordPress is a blog out of the box; that is what it was designed for…but this means that you have to start adding stuff to make it a real CMS and add other functionality. But beyond the question of plugin security there are also questions about the way plugins integrate with WordPress. The fact that there are security plugins indicates that WordPress itself is not secure.
And I also think that the WordPress performance is also questionable; especially on lesser quality hosting services. (With no caching at the browser or server this is not a surprise.) Put together a lower quality hosting service with a less experienced developer and you are assured to end up with performance issues.
And my final pet peeve, so many of the WordPress websites look like one another. ZZZzzzzzzzzzzzzzzzz.
So I only recommend WordPress when a person wants a blog.
Don

Pillar Of The Community

United States
3046 Posts |
So, what is everyone's CMS of choice? I used Drupal for a while. But I hated how I had to disable all my plugins to do an upgrade and re-enable them. The Wordpress upgrade process was so much easier than other CMS systems at the time. I've played with Drupal, Joomla (and Mambo before it), Postnuke and PHP-Nuke.

Valued Member
Canada
437 Posts |
I am still looking for the silver bullet as far as web site creation goes but I don't think that it exists yet.
I periodically fire up a CMS or one of the 3rd party PHP frameworks such as Yii, Symfony, Zend etc. But despite wasting countless hours trying to get my thinking process to fit I have never really got on with any of them. Wordpress was just the latest in a long line of failed experiments.
So in the end I always resort to the old standby of a text editor and a mishmash of languages - a combination of HTML, CSS, JavaScript, PHP and SQL. I can't say that I really enjoy it though, it is a particularly inelegant mess, only slightly mitigated by including decent CSS and JavaScript libraries, currently Foundation and jQuery.
There has to be a better way.
Clive

Pillar Of The Community

United States
3046 Posts |
Quote: I am still looking for the silver bullet as far as web site creation goes but I don't think that it exists yet.
I periodically fire up a CMS or one of the 3rd party PHP frameworks such as Yii, Symfony, Zend etc. But despite wasting countless hours trying to get my thinking process to fit I have never really got on with any of them. Wordpress was just the latest in a long line of failed experiments.
So in the end I always resort to the old standby of a text editor and a mishmash of languages - a combination of HTML, CSS, JavaScript, PHP and SQL. I can't say that I really enjoy it though, it is a particularly inelegant mess, only slightly mitigated by including decent CSS and JavaScript libraries, currently Foundation and jQuery.
There has to be a better way. Clive

That's why I use a CMS. For the simple stuff I am doing, it's "good enough."

Pillar Of The Community
United States
2941 Posts |
I've been using Wordpress for about 3 years now. I used ExpressionEngine before that. I don't really use the blog feature.
I went with it simply because I needed a CMS with a templating system and easy integration of a photo gallery module, and the Wordpress / NextGen Gallery combo fit the bill. It's made it simple to manage the site -- 1,162 pages and 9,412 stamp images to date.
It's worked well for me so far. IIRC, I've had 1 attack in those 3 years, and my hosting provider had me back up and running within the hour.

Pillar Of The Community

United States
3046 Posts |
A large majority of the hits I am getting from hackers on my site are in Ukraine and Russia.
On a side note...
I've been debating translating my Ukrainian pages into the Ukrainian language. The only problem with that is that I speak the Western Ukrainian dialect, and a snapshot from the 1940s on top of that, because that's when my father left Ukraine to make his way eventually to the US. So, I don't think it's a good idea. When my brother went to visit Ukraine years ago, the people in Eastern Ukraine could not understand some of the words he was using. And when he went to Western Ukraine, people told him "You talk just like my grandmother!"

Valued Member

United States
466 Posts |
There are groups of hackers that just probe any domain they can find for known security holes (or "exploits" as they are called in the hacking community). It usually isn't anything personal, they are probably working from a list of millions of domains. HTTP requests are fast, and if even one-one millionth of domains don't have the known exploit patched, they can gain control.
I own a few domains and on every one I periodically get suspiciously-crafted requests from all over the world -- Russia, China, Ukraine, Finland, USA, Taiwan, etc. -- that are looking for exploits.

Pillar Of The Community
Finland
753 Posts |
Quote: So I only recommend WordPress when a person wants a blog.

Don - as you likely are aware, Wordpress empowers 30% of the web including newspapers, webshops etc. So it is MUCH bigger than just blogs. And there are very good reasons why it has become so successful.
But just like any piece of program it is just a tool. Install it with defaults and you'll face issues. Spend a lot of time tweaking and mastering the system and you'll do better than most. This applies to Wordpress as well as Drupal, Joomla and ANY CMS system out there.
As far as security goes, the odds are that WordPress is more secure than most of the 'self-build' solutions. But because it empowers a third of the web, a lot of effort goes into breaking into it. It is like the Fort Knox of the web...
@apastuszak / Andy ... Drop me a message and I'll give you a helping hand with hardening your website.
-k-

| Edited by scb - 05/26/2018 03:11 am |