Security Style

Security Style for Creatives – How Websites Work

Understanding how websites work provides the foundation for understanding how websites get hacked. My first goal is that you have such an understanding, so that when you contract with a designer/developer, you will know what questions to ask about your website’s security. My second goal is right understanding so you don’t pull a Jay Sennett on your website. That’s where you think you know what you’re doing. But you don’t, and you get hacked.

What makes website security even more frustrating? Creatives like musicians, writers and photographers turn over website design to designers, many of whom know little about website security, too.

Would you turn over your abode’s security to your interior designer? I didn’t think so.

How a Website Works

Bluehost created this lovely little video below on how websites work. Here are the key points. In parentheses I describe weaknesses that can allow hackers in.


Websites are files contained in a series of folders. (Weaknesses are:

  • The files themselves. WordPress core has had vulnerabilities in its files; without prompt security updates they give hackers a way in. Third-party additions to WordPress, called plugins, are a vast treasure trove of hacking opportunities, as are the themes that make WordPress look pretty.
  • The permission settings of the files and folders. Each file and folder on the server has a read-write-execute “mode.” Some settings are very secure. Others leave your site open to attack. More in a future post.
  • The method you use to upload files to the server. Some methods (plain FTP, for example) send your password and files unencrypted; others (SFTP) encrypt them. Again, I’ll explain more in a future post.
  • Passwords you use to access your files/folders/software.)
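The second item in that list, file and folder modes, is the one you can check yourself in a minute. The script below is an added example, not code from the original post or from WordPress; it assumes a common baseline (directories 755, files 644, wp-config.php not readable by other accounts on the server, since it holds the database password), and the paths it checks are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the post or from WordPress). Flags file and
# folder modes in a WordPress tree that are looser than an assumed baseline:
# directories 755, files 644, wp-config.php unreadable by other users on the
# server (it holds the database password).

# Print one line per finding, prefixed with the kind of problem.
# Usage: wp_perm_audit /path/to/wordpress
wp_perm_audit() {
    root="$1"
    # World-writable: any other account on a shared host can alter it.
    find "$root" -perm -o+w -print | sed 's/^/WORLD_WRITABLE /'
    # Content files that carry an execute bit for "other".
    find "$root" -type f \( -name '*.php' -o -name '*.css' -o -name '*.js' \
        -o -name '*.jpg' -o -name '*.png' \) -perm -o+x -print \
        | sed 's/^/EXECUTABLE /'
    # wp-config.php readable by "other": its DB credentials leak to neighbours.
    find "$root" -maxdepth 1 -name wp-config.php -perm -o+r -print \
        | sed 's/^/CONFIG_READABLE /'
}

# Number of findings; 0 means the tree matches the baseline.
wp_perm_finding_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Reset a tree to the baseline (directories 755, files 644, config 600).
# Usage: wp_perm_fix /path/to/wordpress
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}
```

Run `wp_perm_audit` against the folder your host gave you (often `public_html`); anything it prints is worth asking your designer or host about before reaching for `wp_perm_fix`, because some hosts run PHP under a different account and need 640 rather than 600 on wp-config.php.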

Browsers use computer languages called HTML and CSS to render your site on a computer. (Weaknesses are:

  • Browsers contain security vulnerabilities that have allowed hackers to create malware you download unknowingly. That malware can, for example, track your keystrokes and so reveal your passwords to the hackers.)

Servers are computers that store your files and serve them to any computer that requests your website’s URL.

Most of us use shared hosting because it is significantly cheaper than private hosting. Shared hosting means your files and folders sit on a server alongside those of scores of other sites, each of them an opportunity for hacking. (Weaknesses are:

  • In a shared hosting environment, your files become vulnerable. Very vulnerable. Your own files may be secure, but that security is compromised when another site on the same server is not. Worse, some attacks target the server itself rather than any one site on it, potentially infecting thousands of servers. GoDaddy has had servers hacked. My hosting company has had servers hacked. You would think hosting companies would be expert-ninja security experts, deft at thwarting attacks, but they often aren’t. Running servers securely is a full-time job.)

The Domain Name System (DNS) maps your web address to the address of the server that hosts it. Think of DNS as the address book for all the URLs around the world. (Weaknesses are:

As you can see, hacking opportunities are baked right into a website’s existence. With good security style, which I’ll be discussing in the upcoming weeks, you can do a darn good job of protecting your website, even in a shared hosting environment.

Security Style

I Got Hacked, Part 2

Getting hacked has been a tiring but rewarding experience. Absurd, yes?

Let me explain. I have spent my entire adult life learning how to be more responsible for myself, my stuff, my projects and my people. Responsibility frees me. No longer am I beholden to others. I am also no longer beholden to my own fears.

Responsibility entails knowledge and a willingness to act on that knowledge.

When I got hacked, I realized I had done something very, very, very stupid.

WordPress is a web-based system that stores its content in a relational database, MySQL, and talks to it using SQL (Structured Query Language), a language about 45 years old. Relational means that data in one table can be related to data in another through a relationship. Without the database (and PHP, but that’s another discussion) WordPress would be unable to save posts, pages and comments.

It would be like a car without an engine.

I run WordPress myself (as opposed to wordpress.com). That means I have access to the MySQL databases attached to my wordpress files.

The gold standard for web security with regard to WordPress (and any website backed by a SQL database) is one database account per website, with privileges only on that site’s database. That means the database attached to jaysennett.com should have one account (call it user1); the database attached to homofactuspress.com should have a second, different account (call it user2); and so on, for all my domains.

Why should this be the gold standard?

If a hacker gets hold of the database credentials (which is quite easy to do, actually, since they sit in plain text in wp-config.php, the configuration file that runs WordPress), an account limited to one database lets them vandalize/hijack only that one website.

I’m sure you can see where this is going because that is not what I did. Here’s what I did. Each domain/website had the same username for the database running it. So when they hacked the jaysennett configuration file, they gained access to all three database files.
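Here is what the two set-ups look like in MySQL terms. This is an added example, not code from this post or from WordPress; the database names, account names and the sample SHOW GRANTS lines are hypothetical, and it assumes the database runs on the same machine as WordPress (hence ‘localhost’). The first function emits the grants for one account limited to one database; the second reads the output of MySQL’s SHOW GRANTS and flags any account that reaches every database or more than one of them, which is exactly the one-account-for-three-sites mistake described above.

```shell
#!/bin/sh
# Added example (not code from the post or from WordPress). Generates the
# one-account-per-database grants recommended above and audits MySQL
# SHOW GRANTS output for accounts that reach more than one database.
# Database names, account names and the sample grant lines are hypothetical.

# Emit the SQL for one account that can touch exactly one database.
# Usage: per_site_grant_sql <database> <account> <password>
per_site_grant_sql() {
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
    # The privileges a WordPress install needs day to day, on this database only.
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`%s\`.* TO '%s'@'localhost';\n" "$1" "$2"
}

# Read SHOW GRANTS lines on stdin. Print "<account> GLOBAL" for an account
# granted on *.* and "<account> MULTI <n>" for one granted on n > 1 databases.
overreaching_users() {
    awk '
    # USAGE ON *.* carries no privileges and appears for every account.
    /^GRANT USAGE ON \*\.\* / { next }
    /^GRANT / {
        match($0, / ON [^ ]+ /); obj  = substr($0, RSTART + 4, RLENGTH - 5)
        match($0, / TO [^ ]+/);  user = substr($0, RSTART + 4, RLENGTH - 4)
        if (obj == "*.*") {
            global[user] = 1
        } else if (!((user, obj) in dbs)) {
            dbs[user, obj] = 1
            db_count[user]++
        }
    }
    END {
        for (u in global) print u " GLOBAL"
        for (u in db_count) if (db_count[u] > 1 && !(u in global)) print u " MULTI " db_count[u]
    }'
}

# Constructed SHOW GRANTS output: "shared" is the mistake described above
# (one account across three sites), "user1" is the per-site account.
SAMPLE_GRANTS="GRANT USAGE ON *.* TO 'shared'@'localhost'
GRANT ALL PRIVILEGES ON \`wp_jaysennett\`.* TO 'shared'@'localhost'
GRANT ALL PRIVILEGES ON \`wp_homofactus\`.* TO 'shared'@'localhost'
GRANT ALL PRIVILEGES ON \`wp_cartoons\`.* TO 'shared'@'localhost'
GRANT USAGE ON *.* TO 'user1'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`wp_jaysennett\`.* TO 'user1'@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION"

# Number of overreaching accounts in the constructed sample.
sample_overreach_count() {
    printf '%s\n' "$SAMPLE_GRANTS" | overreaching_users | wc -l | tr -d ' '
}
```

On a real server, feed `mysql -e "SHOW GRANTS FOR 'name'@'localhost'"` for each account into `overreaching_users`; the account in a site’s wp-config.php should come back silent, and the SQL from `per_site_grant_sql` is what replaces it when it does not.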

This is a really, really, really STUPID thing to do. And it is very irresponsible. Not even to my readers, however few they are, but to me! I had wasted my own time and money.

I was too smart to know how stupid I was. That’s how stupid I was. But I’m learning, and quickly. And the reward has come from becoming responsible for my websites. Websites require responsibility. I’m still amazed that I even have to write such a sentence. Everyone knows houses require responsibility. But websites?

Yes, the website will require maintenance. Yes, security is something you will be responsible for. Yes, having a website is a responsibility.

The Impacts of a Hacked Website, Tony Perez, Sucuri Co-Founder/CEO

Are you a responsible website owner? Do you have security style?

Security Style

I Got Hacked

Do you have security style? I don’t.

Late last week I discovered my personal site here had been hacked. Because I am the dumbest website administrator ever, the hackers were then able to gain access to the site at Homofactus Press and the site at Transgender Cartoon Gallery. Homofactus Press and Transgender Cartoon Gallery were defaced.

Defacing is electronic vandalism. They destroyed image folders and my theme at Homofactus Press, and essentially destroyed every entry at Transgender Cartoon Gallery.

My personal site got hijacked by spammers sending links to bogus Tiffany websites.

I thought I could take care of it myself: clean out the infected files and restore the vandalized sites from the backups I had. Which I did. Then the hacks got worse. I lost sleep and time. During one 24-hour period I slept only 20 minutes.

But I gained a sense of how important website security is. Without good security, I had treated my websites as if they were homes in which I left all the doors and windows unlocked. Maybe I locked a window or two and an occasional door. Sure. The net result was still the same, though. Open windows and doors are still open, even when two others are closed.

I had three websites which were vulnerable in toto. I was not responsible for my websites. In fact, I was completely irresponsible.

As a writer, I care deeply about how I archive my work. Backups ensure there will always be a copy of my work available to me. I care about my money and watch how I spend it. Financial responsibility gives me time freedom, something very important to me as a creative person. Marketing my brand is also important to me.

Website security? Not so much. The sad fact remains I had no security style. None. I simply did not care enough about my websites – and the hours and hours and hours of time and money I invested in them – to do the right thing for myself.

To be continued.

Artist's Responsibility

Toni Morrison & Angela Davis – The Purpose of Freedom

Toni Morrison and Angela Davis

I am reminded of the tremendous work Morrison accomplished as an editor at Random House. During her tenure she published Toni Cade Bambara and Angela Davis.

“I tell my students, ‘When you get these jobs that you have been so brilliantly trained for, just remember that your real job is that if you are free, you need to free somebody else. If you have some power, then your job is to empower somebody else. This is not just a grab-bag candy game.’”
