I understand why big companies don’t like to share that their websites have been hacked. It would be far easier to brush it under the carpet. But if you’ve been following me for some time, you know that I’m always open and honest with you, and this is no exception…
What happened?
In the early hours of Tuesday morning (UK time), my website was hacked. Thanks to one of my security plug-ins, and an email from a reader (thank you Jenny!), I was quickly alerted and I immediately took the site offline to investigate. The site remained down until I was sure it had been fully checked and cleaned by security experts, even though it was during a busy sale period.
During the downtime, I posted updates on social media and personally responded to all of the emails flooding my inbox. As soon as the site was live again, I emailed my entire mailing list (which is run on Mailchimp’s secure server) to explain what had happened. I’m sorry if this worried you, but it was important to check you were safe.
The hacker had replaced the links behind two of the purchase buttons on a book purchase page with links to his own PayPal account. He used PayPal’s own secure servers, so he didn’t have access to any financial details, but he received the payments for the orders. A clever way of “earning” some extra cash! A total of 15 people were affected before I discovered the issue and shut down the site, and I’ve contacted them all personally.
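The tampering described above (a payment button quietly re-pointed at someone else's PayPal account) is easy to miss by eye but simple to check mechanically. The script below is an added example, not the site's own plug-in or monitoring service: it parses a page's HTML, finds every link or form that submits to a payment host, extracts the payee identifier and flags any that is not on the merchant's allowlist. The payment URL formats and the parameter names (`business` for PayPal, `cl` for e-Junkie) and the sample HTML are assumptions constructed for illustration.

```python
"""Audit a page's purchase buttons: flag any payment link or form whose payee
is not one of the merchant's own accounts.

Added example, not the site's own code. Host/parameter names are assumptions:
PayPal classic buttons identify the payee with `business`; e-Junkie links are
assumed to carry the client id in `cl`.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# payment host -> query/form parameter that names who gets paid (assumed)
PAYMENT_HOSTS = {
    "www.paypal.com": "business",
    "www.e-junkie.com": "cl",
}


class PaymentLinkCollector(HTMLParser):
    """Collect (kind, url, form_fields) for every <a href> and <form action>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._form = None  # fields of the <form> currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("a", a["href"], {}))
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "fields": {}}
        elif tag == "input" and self._form is not None and a.get("name"):
            # hidden inputs carry the payee for classic PayPal "Buy Now" forms
            self._form["fields"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.links.append(("form", self._form["action"], self._form["fields"]))
            self._form = None


def audit_payment_links(html, allowed_payees):
    """Return [(url, payee)] for every payment link/form whose payee is not allowed.

    A payment target with no recognisable payee at all is also flagged, since a
    tampered button may drop the parameter rather than change it.
    """
    collector = PaymentLinkCollector()
    collector.feed(html)
    findings = []
    for _kind, url, fields in collector.links:
        parts = urlsplit(url)
        param = PAYMENT_HOSTS.get(parts.netloc.lower())
        if param is None:
            continue  # not a payment host, nothing to verify
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        payee = fields.get(param) or query.get(param)
        if payee not in allowed_payees:
            findings.append((url, payee))
    return findings


# Constructed sample page: two legitimate buttons, one tampered form, one plain link.
SAMPLE_PAGE = """
<a href="https://www.e-junkie.com/ecom/gb.php?c=cart&amp;cl=12345&amp;i=678">Add to Cart</a>
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&amp;business=shop%40example.com&amp;item_name=Book">Buy</a>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
  <input type="hidden" name="cmd" value="_xclick">
  <input type="hidden" name="business" value="attacker@example.net">
  <input type="submit" value="Buy Now">
</form>
<a href="https://example.com/about">About</a>
"""
ALLOWED_PAYEES = {"shop@example.com", "12345"}  # the merchant's own accounts (assumed)

if __name__ == "__main__":
    for url, payee in audit_payment_links(SAMPLE_PAGE, ALLOWED_PAYEES):
        print(f"TAMPERED? {url} pays {payee!r}")
```

Run this from a cron job against the rendered purchase page (fetch it the way a visitor would, not from the database) and alert on any non-empty result; a file-integrity scanner will catch edited theme files, but a check like this also catches a button changed through the CMS editor or injected by a compromised plug-in.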
Thank you for your support
It’s always worrying to hear that a site you frequent has been hacked. I’m sorry that this has happened and I’m doing everything in my power to ensure that it’s never repeated.
It’s been an incredibly stressful few days, and I’ve really appreciated the stream of encouraging emails from loyal readers. These emails have kept me going through some very long days and nights, and for that, you have my heartfelt thanks.
What now?
I would be a fool to tell you that the site is 100% secure, because that’s simply not possible in this day and age. If a kid can hack the Pentagon, and banks and large companies are hacked on a daily basis (even if they try to hide it), then nothing is completely safe. What I can do is tell you what I’m doing to make sure you’re as safe as possible…
The things I have always done to make sure you’re safe on my website:
- No financial details (past or current) pass through or are stored on my website. I can’t even access your financial details. All orders and payments are processed on secure servers run by two very well-known companies, who understand website security far better than I ever could:
- e-Junkie (aka FatFreeCartPro) handles my shopping cart. When you press an Add to Cart button, this is what you should see (desktop then mobile):
- If you choose to pay by credit/debit card, the card details are collected on e-Junkie’s secure servers before being securely handed over to PayPal for card processing.
- If you choose to pay by PayPal, you’re redirected to PayPal’s secure servers.
- All software is kept up to date, as updates often include fixes for vulnerabilities that have been discovered.
- All admin/server passwords are long complex passwords and are changed frequently.
- A number of security plug-ins/services monitor the website, scan it regularly, and watch for any unusual activity.
Further changes I’m making to keep you safe on my website:
Your safety is my top priority, so I’m making some additional improvements:
- Although no financial/confidential information passes through my websites, both this Lightroom Queen website and Lightroom Forums have moved to encrypted HTTPS (SSL/TLS) connections, as of now. You’ll recognize the http:// has changed to https:// and the lock icon appears in the address bar.
- I have upgraded my Sucuri monitoring, to more quickly pick up and defuse any possible threats. Sucuri are industry leaders in website security.
- The website firewall is also being upgraded. (Update 03:25 AM – done)
- Update 03:25 AM – two-factor authentication is now installed for administrators.
- I am reviewing all of my personal cyber security procedures and processes, for both home and work.
Making all of these changes in one go does mean you might find a few bugs over the next few weeks, but this is a worthwhile compromise. I’m working on finding and fixing any bugs, but if you spot anything that doesn’t look quite right, please just let me know.
What you can do to stay safe online
It’s scary to see all of the different ways that hackers can break into websites, and the website itself isn’t the only link in the chain. Most of us are aware of viruses and malware that can be installed on our personal computers. Hackers can also break into our home routers or take advantage of any unsecured connections we may use when we’re away from home, among other things. There are things we can do to help to protect ourselves.
The most obvious improvement is to ensure that we never use the same passwords on multiple sites. If one website gets hacked, which is inevitable in this day and age, then the hackers can try the leaked password on the other websites you visit and get into those accounts too. You don’t have to remember all these different passwords. There are some fantastic password managers available, some of which are free, and they’re safer than post-it notes covering your computer.
For more information on other things you can do to protect yourself online, visit the StaySafeOnline website.
You might also consider supporting use of [details temporarily removed – no point telling hackers which characters to test!] in your site’s password set-up.
I’d love to Curt. I’ve put that request to the developer again today.
And the developer’s working on it already! Should be in an upcoming update.
Thanks for a very clearly-written description of what happened and how you have rectified it.
FYI–on this page, quite a number of the graphics are vertically-stretched. I can’t paste one here (tried), but all of the right-hand graphics and the URL graphic above are about twice as high as they are wide.
I’ll check into that, thanks Ted. Which browser are you using?
I have the same experience as Ted. Tested with Chrome, Firefox and MS Edge on Windows 10 x64.
Hi. I have that too on Safari 10.0.1. Mac OS Sierra
Found it! A stray comma. Thanks guys. That should be fixed now, although it might be cached in your browser for a few hours.
I used Chrome and I.E. on Win 7.
Thanks for being open and honest with your readers. Way too many companies just never tell you the ugly truth about what happened.
By the way, never ever use password managers of any kind. Your best «password manager» is an old-fashioned paper notebook where you write down your passwords and keep it in a safe place.
Website certificates are to be implemented on every website these days, especially when personal and/or sensitive data flow between servers and client browsers. Also, you should check the server’s security regularly, using tools like SSL Server Test ( http://www.ssllabs.com/ssltest/ ) from Qualys SSL Labs. It gives you very detailed information on how safe, or not, the server where your website is hosted is. SSL Server Test rates the security from A+ to F (A+ the best, and F the worst, or not safe).
Cheers. 🙂
Better keep it in the very safe place JL, as your local burglar could have a field day! 😉
Thanks for the SSL Server Test. I’m glad to see my server’s A rated.
Thanks for the full disclosure–I wish more companies shared your perspective on that! Sorry this had to happen to you! What a rotten, stressful experience.
Some great suggestions for readers. While a paper list of passwords might sound like a paranoid-luddite suggestion, it’s certainly not the worst password manager (both Schneier and Krebs have talked about it being a reasonable approach, as long as it’s not kept in plain sight). However, most readers will find the trade-off of security for convenience acceptable. A password manager is certainly better than using the same password for multiple websites.
If I were going to advocate for a single security behavior that people could change, it would be replacing all of their password reset secret answers with values other than your actual (e.g.) “mother’s maiden name” etc., as that is a very real way that accounts are being hacked daily–those answers often really aren’t that secret. For a very old, but still viable method of answering these, see:
http://www.zephoria.org/thoughts/archives/2007/11/15/algorithms_for.html
Though I would add that your and wrappers around the true answer to the dumb question should probably be unique per-site, as if those values are stored in clear text, and the site is hacked, the hackers know your algorithm, and can try it with your email on various popular sites (gmail, facebook, paypal). Fun times we live in. Random strings for your answers are the most secure–written down, or stored in a password manager.
That’s a great suggestion David, thanks for sharing.
Thanks and thanks for your honest efforts.
Thanks, this article has been a massive help.