Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
So, I woke up this morning to find out that my website was hacked. I have written to the hosting company to ask for help and hopefully they can get things back on track.
My question is, since I'm not quite a novice but certainly in no way an expert, how do I prevent this in the future?
For my public_html files, what permissions do I set them at? Obviously 777 leaves it open for the world but what do I put them at so that I can go in and make changes but no one else can yet everyone can still see the site?
Also, what does it mean when it's hacked? I know that I can't see my site and there is some lame page up there right now...but is that all they have done? They relished in the fact that they hacked it, the page they put up in place of my site proudly boasts that they hacked it...was it just to be a jerk weed or are there other things I need to check?
And wth is wrong with people that they have nothing better to do than just go to someone's site and screw with it? Seriously.
For the most part - you either had your server account breached, the server was exploited, or your site had some vulnerable code that was exploited. So I'd change your account password, and have your scripting/code checked (unless you just have static pages). My guess is that if the server was exploited - the hosting company would/should have told you (and the attackers would have done much more than just put up a banner). They should at least be able to tell you when your account was used to log on - and that may confirm if your credential was compromised.
I'd also check the computer that you use to work on the website.... if it was an account breach, could they have gotten that info from your computer?
Word of advice - change hosting companies. Much, if not most of this stuff is from problems are their end. I had one of mine hacked years ago, contacted the hosting company, they fixed it and then it was hacked again, and within six months the hosting company was out of business.
They fixed it, wasn't too hard for them because of back up, thankfully. They said the hackers had gotten in to my index file. I checked everything and don't see anything else that they did but I went ahead and changed my password, (hosting company recommended this as well).
I really think it was because my permissions were set wrong. I have had to open them up to make changes due to the publishing tool that I use, (which I'm not really liking because I like to do things by hand, old school), and when I went to change them back, I think I did not set them appropriately.
So, again, what is the LOWEST permissions I can give to my public_html that allows ME to work within my site, no one else can have access and still allows the page to show to the public?
Are you running any server side scripts, PHP, ASP, etc? Wordpress?
For this particular site, it's Wordpress. (I have another site that is PHP and I've never had issues, plus, I do everything by hand, which I prefer, I feel I have more freedom that way.)
Wordpress is kind of a pain in the hind quarters because it's like for the beginner user and I never learned how to have a publishing tool do everything for me. So, it's actually more difficult for me than my other site which I add and write everything manually.
Wordpress does not have the greatest track record where exploits are concerned, is it up to date with the latest version? It's essential that you install updates when they are released because 9 times out of 10 they are security/bug fixes.
If you're running an out of date version there is a very good chance they used an exploit in one of the scripts. The same thing can be true if you're running any mods.
So, again, what is the LOWEST permissions I can give to my public_html that allows ME to work within my site, no one else can have access and still allows the page to show to the public?
644. But depending on how your hosting company has the server set up, even that may not be good enough. If the web server process is running under your id, then 644 won't matter - you'd have to go 444, and manually tweak permissions every time you wanted to do ANYTHING with the site.
Wordpress is well supported, so as long as you're on top of the updates, you shouldn't have any problems running on the default config. More important than the core program, though, you need to stay current with the plugins, too, and only use the ones you HAVE to use. If you don't really need whatever functionality a plugin provides, don't install it. Every additional piece of code you add introduces another potential vector for exploitation.
644. But depending on how your hosting company has the server set up, even that may not be good enough. If the web server process is running under your id, then 644 won't matter - you'd have to go 444, and manually tweak permissions every time you wanted to do ANYTHING with the site.
Wordpress is well supported, so as long as you're on top of the updates, you shouldn't have any problems running on the default config. More important than the core program, though, you need to stay current with the plugins, too, and only use the ones you HAVE to use. If you don't really need whatever functionality a plugin provides, don't install it. Every additional piece of code you add introduces another potential vector for exploitation.
Ah, 644 for index public_html? Almost all of my files are set at 644 but I didn't know I could do that with the index file. (Is what I meant to say, by the way.)
And no, the hosting company is not running under my ID. In fact, this hosting company is top notch, I've had them for years with my other site, (the one I can do everything by hand, which I prefer), and chose to have them host this new site.
There's nothing to "take" on the new site, it's just the matter of someone doing anything to it that ticks me off. And yes, I keep up on the updates. Which is WHY I have had to go in and change the permissions to 777 in some areas and when I went to put it back, I apparently did not put it back low enough.
I have a few plug ins which are relevant to the site and what the site is for. I'm not very plug in happy, just the ones I think would benefit the site. Which, frankly, I'm not thrilled with plug ins..again, I'd rather be able to build what I want myself, by hand, not have to use something someone else wrote.
But, I just wanted to get the site up and see if the idea would be successful. So far it's doing fairly well. In time, should it get bigger, I will definitely get OFF of WordPress.
Please register to post and access all features of our very popular forum. It is free and quick. Over $68,000 in prizes has already been given out to active posters on our forum. Additional giveaways are planned.
Detailed information about all U.S. cities, counties, and zip codes on our site: City-data.com.
Please register to participate in our discussions with 2 million other members - it's free and quick! Some forums can only be seen by registered members. After you create your account, you'll be able to customize options and access all our 15,000 new posts/day with fewer ads.
