Malware

Yesterday, for the first time, one of PG’s websites (not The Passive Voice) experienced a malware infestation.

PG was very happy to have previously installed a security plugin called Wordfence to protect all his WordPress websites.

Wordfence prevented any damage or downtime for the site and, on PG’s command, automatically eliminated all but one nasty file and/or file modification.

For the single unauthorized file modification the program didn’t eliminate automatically, Wordfence provided PG with detailed instructions pointing to the modified code which allowed PG to eliminate it.

PG suggests that if you have a website you use for commercial or professional reasons (like an author website), you should protect it with an antimalware program.

Although PG isn’t an expert on all things malware, he believes a program to protect your blog will be a different/separate program from an antivirus or antimalware program that protects your computer.

Malware protection won’t protect you from damage to your site from a computer crash or a fat-fingered error on your part, however, so you should also make regular backups of your author website and put them somewhere that a computer crash of your own machine won’t destroy them.

In the ancient days of personal computing, backups were kept on physical floppy disks (remember those?) or separate external hard drives. Best practices were to store such backups at a separate location so a catastrophe affecting your office wouldn’t destroy both your computer and the backup disks sitting in your desk drawer.

Today, online cloud-based backup services allow you to securely store your backups somewhere (or several somewheres) far away. PG has used Dropbox for this purpose for a long time. For example, he keeps all his word processing files in a computer file folder sits inside his Dropbox folder and is accessible in exactly the same way as it would be if it were only stored on PG’s hard drive.

Dropbox also does an excellent job of coordinating PG’s files on the various computers and other devices he uses on a regular basis. For example, PG can access his Dropbox files on his iPhone, iPad and a couple of Android tablets he uses on occasion.

PG has created and used valuable digital files for himself and his clients for a long time. Compared to the early days of personal computers, hardware and software has become extraordinarily more powerful and reliable. The internet has opened up many more ways of safely securing computer files at locations that won’t be affected by local power interruptions, destructive power spikes or PG’s own fat-fingered mistakes.

However, PG has also witnessed myriad ways in which important documents and other records can be destroyed. One attorney friend lost all of his stored paper and backup electronic files (on disks) when the secure offsite facility where they were stored was crushed under a freeway overpass that collapsed during an earthquake.

PG always strives to have one more backup than he thinks he will need. Online cloud backup sufficient to hold electronic manuscripts for all the books you are likely to write during your lifetime is very inexpensive.

For electronic discovery purposes, attorneys generally estimate that one Gigabyte (GB) of electronic storage will contain about 50-75 thousand pages of business documents. One thousand Gigabytes equals One Terabyte (TB) of electronic storage or 50-75 million pages of documents.

Let’s turn this into paper: A ream of copy paper is 500 pages and a case holds 10 reams (5,000 pages).  So, a GB is the equivalent of 100 to 150 reams of paper (10 to 15 cases), which PG doesn’t think would fit into a typical passenger car and would require a large SUV or a pickup truck to transport.

One TB is the equivalent 100,000 to 150,000 reams of paper or 10,000 to 15,000 cases of paper.

PG did a little online checking and discovered that a typical semi truck-trailer holds 21 full pallets, 40 cases of copy paper per pallet, 840 cases per truck.

 

One Pallet of Copy Paper

.

One Semi Truck-Trailer

.
PG couldn’t find a photo of either twelve or 17 semi truck-trailers, but that’s what it would take to haul the paper equivalent of the number of typical business document pages you can store on a one-terabyte hard drive.

You can buy a one-terabyte hard drive which will hold all the books you will ever write and all the revisions of your manuscripts for those books and still have room for a bunch of selfies for $46.99 at Amazon.

Here’s a backup plan:

  1. Buy two of these hard drives.
  2. Back-up/copy all of your manuscripts, revisions, etc., to one of those hard drives and give that one to a friend to keep for you.
  3. Next week, back-up/copy all of your manuscripts, revisions, etc., to the other hard drive, give the second hard drive to your friend and retrieve the first one from your friend.
  4. Repeat. And buy your friend lunch once in a while to show your gratitude. PG doesn’t know if the lunch will be deductible as a business expense for offsite storage of valuable business files or not.

If your computer eats your manuscript, you have last week’s backup on the portable hard drive you have with you. And your friend has this week’s backup if you want that. If you use Dropbox, you’ll also have the last version of your manuscript that you saved there.

If you have a healthy level of paranoia and have two friends, PG suspects you can figure out how this backup plan could scale.

PG has never heard anyone complain because they have too many backups of their important files.

10 thoughts on “Malware”

  1. Do you know how the malware got onto the site? I’m asking because I have four websites, and always want to know more.

    I know one way is to have outdated WordPress plugins, in which hackers figure out how to exploit the code, or (worse) buy the plugin, code malware into it, and release it as an update.

  2. And if you’re really paranoid like I am, a daily backup drive goes in the safe in my office and two backups go in two different bank deposit boxes at two different banks on a weekly basis.

    I have a couple of cloud accounts but I don’t want a lot of my work product to be out there for security reasons.

    Is it extra work? Yep, but worth it for my peace of mind.

  3. There are quite a few ways to hack a WordPress site. One reason is WordPress’s popularity. Like Windows, WordPress is the favorite target for hackers because there are more juicy installations to hit. I use WordPress myself because I like its features and flexibility, but it is a target. You can buy canned WordPress attacks if you know where to look

    Basic hygiene goes a long way: use strong passwords for you wp-admin accounts, and for heaven’s sake, don’t reuse those passwords anywhere. Keep your site up to date with all the latest security patches to WordPress and all the plugins you use. (A nasty one is keeping up with the latest php security. That’s a patch to your server, not your WordPress installation. More on that below.) Backup your WordPress installation as systematically as any other critical asset. A specialized WordPress anti-malware package like PG uses may be useful. There are several, but I can’t comment on how effective or necessary they are.

    If you host your site on your own server or an unmanaged computing service, you should rigorously follow server security best practices. Server security is a job for trained professionals. Unless you have gone through security training, which usually means certification, and do the work to keep up your chops, you should not do it yourself. On occasion, I have taught security server classes and I write on personal cybersecurity, but I would not try to act as my own server security officer because I don’t put in the time to keep up with the techniques and threats. The sober fact is that most server breaches could have been prevented if the IT staff guarding the server had followed best practices promptly, but the field moves so fast, keeping up is difficult even for professionals who are paid to keep up.

    For most people, a managed hosting service is a much better choice. Not just a hosting service, like Amazon AWS, but a managed hosting service that acts as an IT department, not just a remote computing services provider. There are lots available. Some are small local shops, some national or even global. Check out their reputation. “Free” services have little incentive to keep a server secure. Right now, if I were shopping for a managed WordPress hosting provider, I’d ask them if the maintain php. If they said “No, that’s up to you,” or gave an ambiguous answer, I’d keep looking, unless you know what the question means and are prepared to take care of it yourself. Personally, I prefer to manage WordPress and plugin updates myself. WordPress is good about providing patches. But if that sort of thing daunts you, find a provider who will take care of that for you. Be sure to be clear about who is responsible for backups.

    I wish I could say more about WordPress.com hosting. I have been told that their paid commercial site hosting is excellent, but I have no personal experience with them.

    • I’ve been using managed hosting service Hostica for well over a decade, and I maintain about 18 websites. I recommend them; or at least use them as a way to price and compare relatively inexpensive alternatives. It doesn’t have to cost a fortune.

      • I have a similar relationship with HostingMatters, Karen. Their tech support team has rescued me from more than one self-inflicted wound.

  4. All good tips from PG, but there’s one other thing many people don’t think of until they have to deal with it, and that’s rebuilding your system to use those files you saved.

    While there are several programs that will help you make an ‘image’ of your hard drive(s) to restore later, there are also disk copiers for those with easy to access desktop and laptop drives. This doesn’t have to be done as often as your docs, maybe after loading a new application that you don’t want to have to reload each time. (Keeping the last several images helps when you discovered you need to ‘roll back’ from that last great thing you installed.)

    Nasty bug ate your system and you can’t be sure you got all of it? By a new drive if you can’t trust the old (there are a couple bugs that are that bad) and dump the image you made to it, and install (adding whatever fixes are needed to not have it happen again!), update your docs (yes, you still need to back those up too!), and you’re back to where you can get back to work.

    Me? My current systems are easy access to the hard drives so I got a drive copier from Amazon (under $50) and slightly larger drives (minor upgrade while I was at it 😉 ), copied the drives and the placed the original in a protective box and run the new drives. If a drive fails I can run the original while waiting for a replacement.

    MYMV and you not need it (but if you don’t – you will!) 😉

  5. I worked as a computer operator back in college. We maintained baby, father, and grandfather backups. When renewed, grandfather became baby, baby became father, and father became grandfather.

    +++++

    If you are Canadian, you can wrap a backup thumb drive in foil and post it to yourself. That’ll give you a 3 week delay. 😆

  6. I had a comment (no links) about multi-terabyte storage for photographers, but upon submission, it generated this Wordfence error message:

    403 Forbidden

    A potentially unsafe operation has been detected in your request to this site.

    Generated by Wordfence at Tue, 28 May 2019 15:26:38 GMT.
    Your computer’s time: Tue, 28 May 2019 15:26:39 GMT.

Comments are closed.