Superhero of web management. See how he protects 180 websites against hackers

Do you think that managing 180 websites with two hands is even possible? Well it is. This is story of Davide Masserini, the website guy, who builds, manage, and host 180+ Joomla & WordPress websites. He shares his experience and gives advice on protecting against hackers. Does he have a magic wand?

No matter how popular and powerful Joomla & Wordpress are, their security has been a huge issue lately. How you as web developer managing over 180 websites deal with this issue?

My first experience with security issues in Joomla and WordPress was in 2011. About 5 websites were hacked with spammy content with links to spammy websites. The problem was a combination between the low security of the infrastructure provider, the unupdated extensions and the templates coming from a specific template provider. Eventually, I changed the infrastructure provider and the template provider and all the problems vanished. Nothing happened for more than 3 years. But couple of months ago I experienced a huge hack. The attacker placed an HTML code on some websites with Islamic propaganda video. The situation was really unpleasant, and I discovered the problem on Sunday afternoon. It took me the whole day to fix it.

Despite I made a lot of effort to keep the websites as safe as possible, about a month ago there was another incident. It was so frustrating! You do the best you can to protect customers’ websites within their budgets, but they are still getting hacked. This time, over 60 websites were infected. The hacker injected malicious JavaScript. All these websites were on unisolated environment of my infrastructure provider, as my customers wanted to limit hosting costs. The disadvantage of this solution is that when one site gets hacked it often infects other websites as well. I’ve restored all the websites, updated the core CMS and extensions and installed couple of security plugins.

I was working under high pressure with a lot of stress and I feel I wasted a lot of time. To avoid this in future I released a new policy covering important security points for website owners. I published a post on my blog and had a lot of conversations with my clients to make them understand why it’s important to have their websites updated. That’s a new attitude.

Since then I’ve started to offer ONLY isolated environments.

What steps do you recommend to avoid hacking?

In my opinion, no matter how professional you are and how much effort you make it is not possible to be secure in 100%. If your website is not up to date and haven’t been hacked even once it means you are really lucky. But, if you don’t update your core and extensions, sooner or later you will get hacked.

You mentioned that you had to restore hacked websites. What is your backup policy?

It’s good to have a hosting provider who makes the backups automatically. But, you have to keep in mind they make backups up until 30 days ago or so. If your website gets hacked and your website needs to be restored you will loose all recent changes. Moreover, backups should be checked if they are not corrupted. It is the only way to know that the website can be restored if needed. That’s why my advice is to back up websites on your own. You can help yourself with automated tools that includes integrity testing as well.

Let’s list some advice you’ve already given: it’s very important to use isolated environment, do backups regularly and test their integrity. Anything else?

In my opinion every web developer that uses one of the most popular CMS should add a maintenance clause into his agreement. It shouldn’t be only about doing websites but taking care and keeping them healthy afterwards. Client needs to understand that keeping any CMS and its plugins updated is crucial for website security. The updates aren’t an option. This is my view.

Security should never be an option, right?

Yes, exactly. Like backups.

Hacking is getting more and more automated. Like in the case of this hackers that posted these Islamic videos on infected websites, you just described. Probably, these websites weren’t precisely targeted, they were found by a malicious script that was crawling and looking for vulnerable websites that can be hacked.

Absolutely, like 90% of websites. And this is the biggest problem because no human can work on protecting websites fast enough to win with automated hacking scripts.

When the zero day comes and there is a new security patch released how long will it you take to update your 180 websites to a new version?

I don’t want to even think about this... Sometimes you can’t update online, sometimes you need to download the package, sometime the subscription for some plugin is expired and you need to renew it. So, if we want to be optimistic it should take approximately 10 minutes for each website.

Are you able to do backup during these 10 minutes?

Of course not. It’s without backups.

Do you think it would be reasonable to do an update without doing a backup first?

Of course not! You have to do the backup first.

Ok, so let’s stop to think about that. Even without backups, you say it’s 10 minutes per website. But how about testing & fixing websites afterwards?

Well, that’s very unpredictable. Sometimes even a small error can take 2 hours. Taking some average of that gives us 30 minutes. For 180 websites I manage it could take even 90 hours together.

90 hours without sleep, without any break.

Exactly. Working 8 hours a day it would take approximately 11 days. That’s quite a lot of time. Luckily I found a solution to automate the updates so I can protect all my customers in reasonable time.

You’ve described a lot of things you want to introduce in your company or you’ve already introduced to decrease the susceptibility of websites you manage. It seems you do a lot in order to protect your customers. But bad things happen to good people. How did these hacks affected your customers? What was their reaction?

They were really surprised because they were thinking that my service was impeccable. I think my customers thought that I have some sort of magic tool to protect their websites. But that magic disappeared. Suddenly I became sort of mortal. Fortunately, there’s a trust between us so I explained my clients what happened (and that there is a difference between account security and application security) and I solved the problem as soon as it was possible. Now, they are aware of security, they know how important is to keep CMS and plugins up-to-date.

How all the recent hacks affected you personally? You told me you spent the entire Sunday to fix all the things.

This situation was really overwhelming and time-consuming. Clients were opening tickets, they were calling me and sending emails. Most of my day was wasted. Moreover, it occurred during Sunday afternoon, which I usually spend with my family.

How did your infrastructure provider supported you with fixing the hacked website?

My infrastructure provider wasn’t very supportive. I had to restore and clean everything by myself, with very little help. As a result I partly changed the infrastructure provider and I stop offering multi domain accounts. Now it’s one cPanel, one domain. Period.

I had to realize I am not a web hosting company but a web administration company so I had to reconsider my pricing. I don’t just offer a web hosting space, but also all the necessary things to be efficiently on-line like security and customized performance improvements.

Can you just roughly estimate how much time did you spend on solving these problems which occurred in recent months?

About 70 hours within the last 3 months.

Quite a lot. It seems no matter how professional you are it’s difficult to avoid all dangers. No matter how hard you work on all those manual tasks required to do keep website up-to-date and secure. What would be your advice to other web developers that face similar issues?

The first advice is to stop using addon domains from cPanel.

Secondly, make sure you have backups and notifications system. I mean anything that can notify there is an update of any software starting from Joomla, WordPress, Drupal, Magento to Prestashop and others.

Then it’s good to install a security extension on your CMS, like a WAF and similar technology, as an additional security layer.

When possible it’s good to have auto updates too.

Furthermore, make sure to use a custom backend url, not the default one. And the last but not least, make sure you have a strong and unique username and password.

Any other comments you want to pass to other web developers?

Websites are in constant danger due to automated hacking. A Web developer should fight automated hacking with automated tools, not manually and implement a firm policy with their client.