Episode 14 Jeff Brown Talks About The Hack Attempt on His Website
Show Notes
00:37
Everybody Rob Cairns, CEO and Chief Creator of Amazing Ideas at Stunning Digital Marketing. the leader in digital marketing to help your business soar, WordPress, security, and WordPress design and development. How’s everybody doing today? Today’s special guest and he’s been on the SKM interview show with people for us, my good friend, Mr. Jeff Brown. Jeff is the founder and CEO of alpha social media Inc. He’s a WordPress education trainer that specializes in training offers WordPress, and more. And Jeff is really in the know. And what we talk about today is Jeff’s experiences with how his site was attacked, what he went through, and how it was prevented. So sit back, relax, enjoy the ride, just I talked to my good friend, Mr. Jeff Brown. All right, here we go here with Jeff Brown. Today, I’m gonna talk about a little situation that happened kind of a website situation just had the unfortunate reality of having this website attacked this week. So I thought I’d share this as a case study. I know in a number of Facebook groups, we’ve talked about DDoS attacks, we’ve talked about plugin attacks. So Jeff, what kind of happened and sort of take us through it a little bit.
02:06
I started to notice some email notifications about hosts being locked out of the site. And so it started I’ve got a site there. And I started noticing around March the around March the eighth that I started to get a little bit more activity than it literally but 153, lockouts and then on the 13th 250. And then on the 18th 415, which is kind of hot, which is kind of high for the average person. I mean, you get one or two a day it’s pretty norm and then yeah, now, what software we’re using to I was using them I theme security Pro, and I’m using Walt I’ll talk about what I was using as we go through the on the weekend, the site’s the attacks really picked up, I started getting notifications, probably every 15 to 11 minutes. At the height of it, I was getting notifications every five seconds about somebody being locked out of the site, trying to log in. So literally the at the peak of it. We’re talking brute force attacks. The peak was 1750 for that day.
03:31
Now you somebody emails, in terms of brute force attacks,
03:36
was there any typical IP address or route, the strange thing is that they were rotating, there was quite a few IP addresses that you just couldn’t simply block one. At the end of the day, there was 549 banned users.
03:57
And I would bet you most IP addresses were probably coming out of either China or Russia or, or where they kind of all over the place. They were all over the
04:07
place. And with VPN, it’s kind of hard now to say really, truly where they’re coming from. It’s just I just looked at the IP addresses where they’re coming from and it just it was happening so fast.
04:21
When you think there is a lockout every five seconds. You’re just hoping that you set the site up correctly, you’ve got all the proper solutions in place so that the dam doesn’t bust and it holds. It was kind of scary.
04:36
Now with because what I find is with hack attempts, even though most of them come out of developing countries, China and kind of what causes that is a lot of machines aren’t up to date. So they get used the farmers to force bought farms and things like that, right? And what I find is of the people watched us attacks are either in mainland Europe, or believe it or not North America, even though they’re using machines overseas. So the IP address isn’t always reflective of where the culprit is. Now, let’s take us through the process. What did you do next? Once all this started,
05:19
I turn the notifications off, because you just too many of them, I began to watch the site dashboard itself. Now, the things that I had done ahead of time, which made all the difference in the world. I like to hide the back end, but they still found me. I have a strong password, I even change the password in the middle of the process. I also have two step verification. And I also have login alerts. So in other words, if someone log was able to get past all those defenses, I could say that that login if they eventually got it, I could say Yes, it’s me or No, it’s not. Yeah. And it was just all on throughout the whole evening morning. And the rest of the day. It was just the site was just getting hammered.
06:09
Yeah. So I mean, that’s the key is you can do all the preventive stuff. And of course, if I recall, right, you’re using backup buddy to do backups. So you don’t just rely on your host backups. Absolutely. Which is actually a very smart move. I mean, backup buddies. What is it now if you want just backup buddy’s hard $50 us for a year. I know, I’m an Updraft Plus guy, I have the premium version of Updraft Plus. The key is to take those backups also and send them somewhere. So don’t just leave them on the site. Send them a Dropbox, OneDrive or Google Drive account, because we know what the files get hacked. The backups can get hacked.
06:50
Yeah, I use a 123 system for my backups were one the computer, two in the cloud, and three on an external drive that never sees the light of the internet whatsoever. Yeah,
07:01
yeah. And I’m actually I know you and I’ve talked about it, I’m actually going to a model where I’m going to start backups on this Synology NAS this. I’m looking at it in the corner as we speak, because it’s out of the box. And I’m going to that approach. I’ve actually got dual Synology. So I’m going to have one off site for that exact reason. And it just simplifies the process. By the way, that’s not a solution for the people who don’t have any finances. But do it 123 strategy, no fee, you
07:33
have to have something else training. And one of the guys in the course there his computer blew up on him. And even though your course, not in the middle, of course, but just before coming to the course. So he ended up coming with a Chromebook that he forgot to have the power plug on. But at the end of the day, he did have backups. But it was scary for the first little while for him.
07:58
Yeah, yeah, I I’ve been there like I I did a couple years ago about I guess 10 years ago is in the hospital. I came home like computer hadn’t been on I was using the desktop at the time. I turned the computer on. And all I heard was the words clunk clunk which for those who don’t know is what is called the spinning hard drive dying. And and they need to say I was able to go and get new hard drive and do a restore. And I was good to go. But that’s the key. What are your in your case, and you’re pretty in the know your plugins are up to date, I assume that
08:35
plugins are always up to date. That’s one thing that I always keep attention of. And even when I train people on WordPress and these WordPress courses that I do, I tell them, update your plugins. Now, some may want to wait just a few days just to make sure everything goes smooth. But these things are not to be left on updated. Because you and I’ve had conversations about plugins. It’s hard even with legitimate plugins nowadays to stay on top of it. But you absolutely have to do your due diligence and update them when they become available. Look at what the update is for see what’s in it a lot of times is security. But these things are not to a site. You just don’t come back months later and do all the updates. You got to stay on top. Yeah, the things that keeps the wolf out of the henhouse.
09:26
Yeah, I was reading. Before we got on this call. You and I were talking offline. I was reading him one of the WordPress agency forums or developer forums and there was a lady saying my site just got hacked. I’ve got to do a rebuild. And it’s because of a plugin that wasn’t up to date. Like you know, I, it happens I mean, and even if you keep them up to date, like for example, we all know about the mess in the WordPress community with social warfare two weeks ago. We all remember the mess last November with GDPR plugin. And by the way that one took out Eight sites, including my own business site. So the only time I’ve ever had to do a restore due to a hack was because of the GDPR plugin. And that was a plugin with over a million installs. And I jumped on it within hours within two hours. And normally, the way I do plugin updates as I do them on a weekly basis for clients, unless there’s something really glaring, that says, I need this now,
10:26
that was really glaring, that GDPR plugin,
10:29
and I jumped on that and even my host, and shout out to siteground, because I’m a siteground fan. And everybody knows that and I make no bones about that. They blocked it at their firewall almost right away, and they still got hit. So you know, it happens.
10:45
So when I lost one site, I was able to get it back in 14 minutes just between deleting and restoring 14 minutes. That’s pretty darn good. That is good happened. So easy. All the other sites, I got them updated this that one, it was just too late last year,
11:03
and it does happen. So where did you go after you looked at all your logs, you monitor the site? What What did you do next?
11:12
I then approach the I submitted a ticket to my web host. And I wanted to know the condition of the server if they were noticing anything, those kind of things. Still waiting on that ticket. So I went on to the chat system. And the first chat I gone with the individual recommended that I go to cloud force. And I was more concerned about home base in all actuality, and cloud force may be a great solution. But it doesn’t take care of you know where the files are the original home base. And so I was kind of put off a bit by their suggestion that I go elsewhere. And then I got hold of another person. And they suggested going into the ht access file and putting in some line of code making it so that I can only login from one IP address. Now that was a good solution. But unfortunately, I move a lot as a trainer and I access my sites from different IP addresses.
12:16
Yeah, and I and I get, I get an even more where if I get tired of working, I work from a home office what you can do and make money on the internet. And I know I’ll go work at Starbucks if I need a break or the library. And I can guarantee you I find there I’m running a VPN software, I’d rather deal with my VPN than my ISP provider and say and buy. And so that type of solution just doesn’t work for me. I mean, one IP address I die, right. So yeah.
12:47
So in your case, we say ground up? What? If you were me, what are some things that you would have expected your host to jump up and provide for you?
12:56
Last time, I had a problem with an IP hammering me, I jumped on with siteground. And it was only one IP and they actually had Theron block that IP on the firewall. So they did that for me. What I will say is I don’t like chat support at the best of times. And the one chats for it I rave about every time is siteground. They’re based out of Bulgaria, their team is very good at answering, they get back to me with concise answers. That doesn’t take forever. They’re very helpful. And they do chats for very well. I have never, in the four years I’ve been with siteground I’ve never called them. I just there Chad, it’s that good. And it lets me multitask while I’m talking to them. I can do other things. And they are good. And then they say to me, and they’ll make suggestions and say, by the way, did you check this knowledge article? And usually I tell them beforehand, I’ve read the knowledgebase articles. And they’re smart enough, I think they actually fight their users. So they know which ones are their business type users and which ones are their developer type users. So they I don’t have the issue of being talked down to I don’t have the issue. But I don’t think senate thing is somebody go to another service to solve your problem is doing it. I’m not gonna call your host out, because I’m gonna show little restraint. I’ve been known to call a host out here and there. What I will say is it wasn’t GoDaddy and wasn’t he It wasn’t
14:33
an L honestly, though, they have been pretty good. Yeah. But lately, I’ve noticed that that their support is slipping. And that’s going to be one thing that any web developers gonna need access to, they have to have good support because sooner or later, you’re going to need help. Regardless of how good you are. You’re going to need someone that’s much smarter. than you are to fix a problem, because there’s a lot of smart people out there, and some of them are actually trying to get into your website and into your server. Now you need a really good team behind you.
15:09
And your web host is part of your solution. What I’ll tell you is from experience, for those of you who don’t believe endurance is a problem or claim money. One of the things endurance likes to do is they own a product called site locker. And so what they’ll do is they’ll say, Oh, we can help you great club, by site locker, by the way, 20 250 bucks us here, or whatever the current price is. So instead of breaking down and helping it, the first thing they do is say not our problem, not our crappy firewall problem. I know with GoDaddy, it all depends on what type of server you end up on. So if it’s an older server, the odds are it’s gonna have problems if it’s a newer server, it depends at the end of the day, who set it up. So yeah, so let’s take it through from there, the web host was kind of not much of a help and what happened.
16:03
Essentially, I ended up continuing to monitor the site and eventually Comm. Highest was on March the 29, that’s 1750. And then it went on the on the 30th, it was down to 390. And then come March the 31st, it was down to 16. And it’s it really has dissipated. So keeping an eye on it, watching, you know what they’re using for login usernames, and just keep an eye on it. And eventually, I wrote out the storm. And it’s just good. Preliminary setup, having the right tools to handle this, because it was fast and furious. And I turned my lock up notifications back on again, and, and so far, it’s been pretty tame
16:54
at the moment. Yeah. Now what I’ll say to people is, if you don’t want to necessarily buy I theme security, they do offer a free version of I theme security, it’s available on wordpress.org. I teams actually didn’t develop that product themselves. They bought a company with I believe it was bulletproof security they bought a number of years ago, and then they kind of rebranded it. What I’ll tell people is the free version, I tend to run the pro version of it, but the free version will do 90% of what you need. So go help yourself. Another product I really liked. And it seems to run well in conjunction with IBM Security, frankly, is wordfence, which kind of, you know, tells you a little bit about what plugins are out to date, what wordfence even goes so far as to tell you if something is out of date in the repository, and maybe you should find a replacement now.
17:56
I absolutely love their newsletters, the if you were to do just one thing, I would subscribe to wordfence for their newsletters because they a lot of times will break. There’ll be the breaking news to help you prepare for what’s coming. They see for some reason, they see things ahead of many others. And that’s valuable for keeping your site safe.
18:20
Yeah, and I’m not really a big fan of the GoDaddy ecosystem. But I still like what Sue curry does they fortunately have left it on its own. But you know, from a, from a cleaning standpoint, it’s really good. But wordfence is newsletters good. And by the way, for those who don’t know, wordfence does have a podcast, I think they’re on episode five or six and they kind of highlight. lately they’ve been highlighting too much because there’s been the cross scripting problems. There’s been the last three weeks in the WordPress ecosystem has been kind of a minefield, and it’s just
19:01
these things that a lot of ways we didn’t see coming. The company there that actually were the social welfare that that fiasco, right there was, I mean, we expect that people will try to take advantage of plugins and try to get in that way. We don’t expect owners of plugins to potentially go rogue. And that’s a hard thing to defend against.
19:32
Yeah, one. One thing that should teach everybody, by the way, is if you have an employee, and he’s got access to your social media website, and you terminate him or they leave, you need to change passwords, like pretty quick and remove access. I mean, I’ve got a client right now who’s in the middle of a retail change, have a part timer. It does does some of the social media and I can guarantee you as a Friday night as of Saturday Night at five o’clock, I’ll be changing passwords. form because I don’t want issues of somebody getting upset, shall we say after the fact. And I mean, that’s just the day we live in, was talking about the wordfence. podcast, the latest one they did what it’s called. Think Like a hacker. So you know, if you want to learn a little bit, you need to get that on your podcast player. It’s on mine. It’s kind of one of my must listen to junkies. They talked about the whole PIP Digg controversy. Another one that happened last week, you and I’ve talked about offline, that was after the social warfare after the WordPress strike. I mean, I chuckle but it’s been, it’s not been a fun couple weeks hasn’t
20:54
really, it has been extremely challenging to keep your site safe and running. Because at the end of the day, a lot of us the websites are important, but a lot of times our business is something else. And for the average business, it’s a real challenge to keep up with all the things that are happening. It’s a moving target, if I could say that,
21:23
I would agree. So you know, I wanted the advance that I I maintain, maintain a website for is the Ontario police Memorial. And that celebration, or remember, it’s more like it is coming up the first weekend of May shout out to our mutual friend Scott mills and all his effort working with the Memorial Foundation that helped make that a great event. And I sit, and I watch on the tablet, the attempts on that website that happen every year during the memorial. And I can almost guarantee you by the end of the two hour ceremony. So that’s reading it, the names for the hour and the ceremony, I will go over 30,000 DDoS attempts, I mean, I and the retrospective even more, I maintain a site for the Canadian police memorial and a number of years ago, there were three or four, three or four police officers that died that month. And if you remember, I remember that day of the funeral. I stood there and had the funeral on TV and my laptop on my lap watching the website and you said Why did they do that? Because all the police haters come out and I was gonna keep that slider. And fortunately, both hosted on siteground, both on their dedicated box. And I went through that one, I went through over 100,000 attempts in three hours during the
22:51
service. That’s a lot. That’s a
22:53
lot. So we’ve all been there. And the key is just to do the right things and have a backup, because your best way to least resistance is if you do get access to delete and restore. Absolutely, because you won’t.
23:07
Most of us don’t have the time or the energy to go through it line by line and try to figure out where the line of code has been injected or the in the scripts for instance. So it’s we can be up and running with restore probably 14 minutes my fastest yet while I was just puttering around at it.
23:28
I know, quick. I know with my clients. If I have to do a security fix to a site you’re probably looking at about. I don’t know $3,000. And, and I africare plans for $1,000 not that I’m trying to do is sell but the point is, sometimes you’re better off to pay up front and just deal with it, then deal with the back end and get the cost of doing business. You’re exactly right. Jeff, thanks for sharing your thoughts. If somebody wants to get a hold da, you’re an amazing trainer. And one of the best trainers I know to be honest with him. And you know, I know you do a lot of WordPress education training how they get a hold of you which
24:11
they can get ahold of me. My email is info at alpha computer. It’s not off computer but alpha social media inc.com just thinking of the my old copy before I incorporated so that’s info at alpha social media inc.com or on the phone at 902956 2600.
24:33
And by the way, if you’re bored Jeff will take a DDoS attack or two just
24:38
because
24:40
he seems to relish this stuff. I’m just kidding. I don’t want any either. So have a great day. Bye bye for now and and thanks for listening and just be safe and take the time and protect your website and you’d be better off for it. Thank you for listening to the SDM interview show. This Podcast is a production of stunning digital On marketing.com, the agency that can help you with your web design, or press security and digital marketing needs. Please subscribe to this podcast. This podcast can be found on Stitcher, radio, Spotify, Google podcasts, Apple podcasts and more. Please don’t miss the next edition. This podcast comes out every Thursday for your listening enjoyment. Until next time, please keep your feet on the ground and keep reaching for the stars. And we’ll talk to y’all soon. Have a great week everybody. Bye for now.