Security Compromise


(Jonathan Langberg) #1

I recently had several sites that were hacked. Some WordPress sites with Hype files added, some pure HTML/CSS/JS built completely with Hype. It seems the common denominator is the Hype files, but I’m not sure. Is this possible? If so, is there anything I can do to protect the Hype files so they cannot be infiltrated?


#2

Typically this occurs when the hacker gets access to write all files in a directory, so they just look for .html files and inject code. There’s nothing special I can recommend related to Hype, but one way to protect it better would be to isolate your Hype documents onto their own static server that does not allow code execution. Hosting a static site on Amazon S3 is one way to do this, but there are hosts that simply don’t support dynamic languages, which is one of the main entry points for hackers these days.

Sometimes your web host can provide more info about what was compromised – sometimes this is the cause of a shared server that has an outdated installation of WordPress.


(Jonathan Langberg) #3

The problem with hosting it elsewhere is that most of my sites are now https, so I can no longer add iFrames from external sources. Thank you for that info though. I think the biggest problem is identifying the source. My hosting company is not being very helpful with that. What a nightmare this is!


(Jonathan Deutsch) #4

WordPress, and especially plugins, are a huge attack vector. If you're using plugins, I recommend as minimal a set as possible.

Hype produces static assets, so unless you’re specifically including executable files into your document or files with incorrect permissions, its output isn’t a risk (by any reasonable definition).
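
An added example, not part of the original thread and not Hype's own code: a Python audit of an uploaded export directory for the two conditions post #4 names, server-executable files and incorrect permissions. The extension list, function names and sample file names are assumptions constructed for illustration, and the permission checks assume a POSIX host.

```python
import os
import stat
import tempfile

# Assumption: extensions a PHP/CGI-capable shared host might run server-side.
SERVER_EXEC_EXTS = {".php", ".phtml", ".cgi", ".pl", ".py", ".sh"}

def audit_export(root):
    """Return sorted (relative_path, issue) pairs for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                findings.append((rel, "symlink"))
                continue
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "group/world-writable"))
            if stat.S_ISREG(mode):
                if os.path.splitext(name)[1].lower() in SERVER_EXEC_EXTS:
                    findings.append((rel, "server-executable file type"))
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    findings.append((rel, "execute bit set"))
    return sorted(findings)

def build_sample_export(root):
    """Constructed sample tree standing in for an uploaded Hype export."""
    res = os.path.join(root, "banner.hyperesources")
    os.mkdir(res)
    os.chmod(res, 0o755)
    samples = {
        os.path.join(root, "banner.html"): 0o644,  # clean
        os.path.join(res, "main.js"): 0o666,       # writable by anyone
        os.path.join(res, "cache.php"): 0o644,     # not a static asset
        os.path.join(res, "poster.jpg"): 0o755,    # image with execute bit
    }
    for path, mode in samples.items():
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_export(tmp)
        for rel, issue in audit_export(tmp):
            print(f"{issue:28} {rel}")
```

Run against the real upload directory, `audit_export` returns an empty list when the export contains only static assets with owner-only write access.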