Archive for the ‘Admin’ Category

Same blog, different channel

Migration done! Welcome to the new host.

After a couple of days of pure hell getting things transferred and set up, here we are. I don’t want to even think of the billable hour cost for most people making this happen. Change is traumatic.

Ended up going with siteground.com: it has cPanel, email, and WordPress. I was about theeees close to going with WordPress.com’s paid plan (huge huge thanks to the wonderful Jeremy Massel). In the end, there were just too many compromises. Even with siteground there were compromises, but at least it’s not Bluehost.

Thank you to everyone for your advice and recs and patience. The only thing I regret is that I forgot to get someone a referral from all this. I apologize.

If you wrote to me in the last day and it was important please try writing again just in case… There was a period of outage where the old mail hadn’t finished updating and the new mail wasn’t fully configured.

I still have to set up my mail on a bunch of different devices, so off to do that…

Fleeing Bluehost: It’s crunch time

I have under 30 days to move from Bluehost or I’ll be locked into another year. If you don’t recall, Bluehost is infuriating. It shuts down whenever I have a traffic spike. Its SSL certificates are not automatically renewed, so every 90 days or so things fail.

My email is associated with unifiedlayer, one of the worst spam providers, which means that a lot of my outgoing email never arrives. Every time I need tech support, they try to upsell me to yet another paid service. The fees have increased and increased over time.

While I’d really love to have a statically generated site, I’m not willing to give up comments. I’m sticking with WordPress as the least turbulent solution unless someone has a better idea.

I need email. I need a WordPress site. I’d like to keep a listserv going but I can probably transfer that to Slack if needed. I can’t really think of any other features that I need at this time.

  • Diogene recommended SiteGround. It offers well-reviewed WordPress hosting. This sounds scary though: “For migration just use IMAP for your email and synchronize all mail locally then when you move your host sync back again with IMAP”
  • Dave DeLong says FastMail is a great solution for the mail-only axis. Hank Gay, Christopher Frederick, and Dewey concur. Christopher mentions that I can set up “SPF and DKIM records” to provide more secure ownership, whatever these things are.
  • Despite the general love for FastMail, Michael Weaver says iRedMail is a good alternative as well.
  • Matt mentioned nosupportlinuxhosting.com
  • Will suggests A2Hosting. Chris likes ASPnix.com.
  • John Woolsey pitches GreenGeeks.com.
  • Nate H suggests DreamHost (also recced by Tim as a site for “people who don’t know what they’re doing”, which is pretty much me) and SiteGround.
  • Mark Nichols uses WebFaction, but also supports Digital Ocean.
  • Brian Anderson suggests hostagor.com.
  • Kevin likes the roll-your-own AWS solution: S3 for web, EC2 for WordPress, WorkMail for mail. Any thoughts on these?
  • Simon Davies agrees on AWS but suggests hosting email with zoho.com.
  • Dan Messing and Mark Bernstein like pair.com.

I’m looking for the simplest migration with the longest shelf life and the least worries. It should remain reasonably budget affordable as well.

I want to get this done quickly and easily and it scares me to pieces. This is, admittedly, way out of my comfort zone, which explains why I’m still with Bluehost even years after identifying the problems.

Any advice and support will be greatly appreciated.

Making @KeyboardMaestro work in Mojave

Unfortunately, Apple seems to have messed up assistive apps like Keyboard Maestro in Mojave, and if you depend on macros, that’s a very bad thing indeed. I upgraded to Mojave late last week (even though it is still not theoretically a GM) and found that although some actions, like app launching, still worked without problem, others (specifically my universal Emacs key equivalents for arrow moves) did not.

I found this thread about the issue on a Keyboard Maestro forum. The hints on that thread helped me work out this solution to the Mojave problem. Note that you may have to repeat steps after rebooting your Mac.

  1. Copy /Applications/Keyboard Maestro.app/Contents/MacOS/Keyboard Maestro Engine.app to /Applications.
  2. In Terminal, kill the Keyboard Maestro and Engine processes.
  3. Open System Preferences > Security and Privacy > Accessibility. Grant privileges to both apps: Maestro and the copied Engine. (I also granted privileges to Finder and Safari, which probably wasn’t necessary.)
  4. Launch the Engine from /Applications. Check the process list for /Applications/Keyboard Maestro Engine.app/Contents/MacOS/Keyboard Maestro Engine and test your macros. You may have many types of macros and you’ll want to hit as many bits of the OS as possible when ensuring that each kind of macro is properly launched and executed.

 

Tap tap, hey is this thing on?

tl;dr: Erica’s site gets hacked repeatedly. Erica’s account is closed by Bluehost. Erica wails into the void. Played with DNS, with github.io, nuked WordPress install, re-installed WordPress, re-installed data, reinstalled plugins, scanned for malware, attempted to restore DNS, wailed into void, some semblance of site possibly restored. Maybe.

postscript: I’m posting this as a test to see if my site is back and alive. If so, please make sure to use https and not http to connect. Fingers crossed.

 

In which I get hacked: Part 5

Last week, it started again. Numerous people on Twitter from various sites around the world reported my site looked like this:

Nothing on my site itself indicated any changes but something was hacking my Bluehost-sourced content and replacing it with its own. I was unfamiliar (as with all things to do with web hosting) with how this was happening, and (spoilers) I never figured that out.

What I did discover, with the help of Jared Lander from Bluehost, was how to mitigate the problem. (Thanks Jared!) Forcing the site to exclusively use https links through a WordPress plug-in bypassed the whole “evil hackers will redirect my http content” thing. “All” it took was asking everyone to clear caches, restart their web browser, or wait for the changes to propagate over time. It’s been 7 days and I have not had any reports of further issues.

The plug-in in question is Really Simple SSL, which automatically configures websites to use secure links: just get an SSL certificate, install the plugin, and activate it. It’s step 1 that’s a burden in many cases.

This cleared up the non-English main page advertising (for those who saw it) and apparently something that affected my RSS feed. I’m not entirely sure what that was, but there had been some stray BOM characters leaking into that which resolved once the SSL/https problem was addressed. Dave Jones wrote me that my feed, which hadn’t been validating, began working properly after the plug-in.

Much as I hope that my issues are over, I’m assured by a number of people contacting me that it’s not possible to run a secure website anymore without the help of professionals.

I’ll do the best I can. I’ll keep backing up my content. But that’s about all I can do.

Thank you again to everyone who reached out to me with support, feedback, and information.

In which I get hacked: Part 4

My site was broken into again last night and was down until this morning. What fun.

Welcome to another day of hackage fun.

This morning, the odd “consig.php” with its Base 64 contents and eval was back, along with an updated “.htaccess” file. I called up Bluehost support. They restored a safe version of “.htaccess” and suggested I talk with their “security people”. I said sure.

After a longish hold, they transferred me…to an entirely different company, who, starting at just $40 or so a month (and up), would provide me with a firewall. The sales pitch was strong, as was their disdain and pricing structure. I thanked them for their time and hung up.

It was time to call back Bluehost again and yell at them a little. This time, they offered to set up an SSL certificate for 90 days at a time.

This might be even more exciting if their own certificate didn’t seem to be wonky:

I also deinstalled and re-installed my plugins, and generally followed the advice passed to me this morning by Jan Östlund in his helpful tweet.

Frankly, it’s been a pretty dreadful day. Of course, the kind words of support from everyone have been a lovely counterpart to the misery of doing sys admin work. I’m surprised so many people have had to deal with this exact situation before. At least I’m not alone.

In which I get hacked: Part 3

This morning, Google issued me an alert that a lot of my pages were 404’ing:

How interesting. So I hopped into my webmaster console to see what was going on.

Lots of 404s were firing, and the crawl errors were all tied to those image files uploaded to my system by the hack:

I decided it was time to restore the site from backup.

Thanks to UpdraftPlus, I moved the clock back to Mar 20th, and re-created my first two posts in the “In which I get hacked” series.

I also restored my previous authentication, which I quickly updated to a new password. Interestingly, the hack introduced a different login name to my system, “zerobyte”. I’m back to my original WordPress names now.

Stuff is still a little messed up on my end as I can no longer upload pictures. The upload process gets the data to the site but the media browser is borked. I have to enter <img src="" /> tags by hand, which is super annoying.

I have my plugins mostly disabled, and will attempt to re-install each of them as well.

Again, any advice and support is greatly welcome. I apologize for losing all my previous comments after restoring from backup. I will particularly miss this gem:

Bless him.

I’ll keep updating if I learn more.

In which I get hacked: Part 2 (restored after backup)

So I’m now working through Google’s Hacked Sites Troubleshooter: https://support.google.com/webmasters/troubleshooter/6155978.

I did not know about the site: search operator, so I followed their instructions, first looking using a site:ericasadun.com websearch, and then moving on to “fetch as google”:

Sure enough I found all those malicious sitemaps that were added this morning:

I returned to my search console and deleted them:

Damn right Skippy, I do. They’re gone now.

I then returned to the troubleshooting page and requested re-indexing. It still shows one of the sitemaps that doesn’t exist anymore (and yes I checked).

I’ll check back in tomorrow and see if the hacked sitemap is gone. I also requested the “reconsideration request” from https://www.google.com/webmasters/tools/manual-action

Yeeps.

In which I get hacked: Part 1 (restored after backup)

Note: This post has been recreated after restoring my site from backup.

This morning, I woke up to a message from Google. Normally I’m very hesitant to open or click these. So I checked the full message headers (View > Message > All Headers), copy pasted the URL it was asking me to click into TextEdit, and looked at it letter by letter. It appeared legit. Someone had added themselves as a new owner for my website:

I went ahead and manually visited https://www.google.com/webmasters/tools/user-admin, selected my account, and sure enough there was a new “owner” listed as of today. To unverify the hacker, I had to go to my website and remove the Google-specific verification file from my system:

I did that. They could just as easily have unverified me the same way.

I should point out that I not only use four-word passwords but each four-word password has additional strings of numbers and symbols following or interspersed within it. I’m not sure how my security was compromised but it was. I have of course updated my password for the site.

Next, I tried to get in to start finding files modified within the timeframe of the hack. And then, I immediately discovered that Apple has removed telnet from macOS 10.13. (update: turns out I was thinking of the wrong tool. I needed ssh, which I later used to go in to a command line.) So I went in instead using CyberDuck, an FTP client. It wasn’t nearly as easy to track through many hundreds (thousands?) of files as it would have been at the command line but I think I got ?most? of the problem fixed.

What I found was an incomprehensible “consig.php” file, about 500 image files — each one about 4-8 bytes in size, and masses of items added to sitemap files.
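The following Python example is added here and is not part of the original post or any Bluehost or WordPress tooling. It walks a web root and flags the three kinds of artifact described above: files modified within a time window, PHP files that combine eval with base64_decode, and implausibly small image files. The function names, the 16-byte threshold, the extension list and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristics mirror what the post reports; thresholds and names are assumptions.
EVAL = re.compile(rb"\beval\s*\(", re.I)
B64 = re.compile(rb"\bbase64_decode\s*\(", re.I)
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
TINY_IMAGE_BYTES = 16  # the post saw 4-8 byte "images"; real image headers are larger

def triage(webroot, since, until):
    """Return {relative_path: [reasons]} for files that deserve a manual look."""
    findings = {}
    for path in Path(webroot).rglob("*"):  # pathlib globbing includes dotfiles
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        ext = path.suffix.lower()
        reasons = ["modified-in-window"] if since <= st.st_mtime <= until else []
        # mtime can be reset by whoever wrote the file, so check every file's size/content.
        if ext in IMAGE_EXTS and st.st_size < TINY_IMAGE_BYTES:
            reasons.append("tiny-image")
        if ext == ".php":
            body = path.read_bytes()
            if EVAL.search(body) and B64.search(body):
                reasons.append("eval+base64")
        if reasons:
            findings[str(path.relative_to(webroot))] = reasons
    return findings

def demo():
    """Triage a constructed web root that imitates the findings in the post."""
    now = time.time()
    samples = {  # constructed sample files, not recovered from the real site
        "index.php": b"<?php echo 'hello'; ?>",
        "consig.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
        "img001.jpg": b"\x00\x01\x02\x03\x04\x05",
        ".htaccess": b"# constructed placeholder\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        # Make index.php predate the incident window; the rest keep a fresh mtime.
        os.utime(Path(root, "index.php"), (now - 30 * 86400,) * 2)
        return triage(root, since=now - 86400, until=now + 60)

if __name__ == "__main__":
    print(demo())
```

A hit is a prompt for manual review, not proof of compromise: legitimate plugins sometimes use eval or base64_decode, and a clean scan does not rule out other changes such as the added login name or sitemap entries.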

If you’ve had experience with this kind of hack, I would greatly appreciate any additional advice you have. Thanks in advance.

Here’s Google’s help page about when you don’t recognize a new owner: https://support.google.com/webmasters/answer/7281924

Writing updates and asking “Is Github my new Dropbox?”

I’m testing the waters for the first time in using Github rather than Dropbox to coordinate a private project. I’ve used private repos before for material that wasn’t meant for public consumption or to stage material that would then later be released openly but this is the first time I’m testing it out for material that’s substantially not code.

I’ve been meaning to give this a go ever since Github changed its policy to allow unlimited private repositories. I used to be limited to just five in total and I guarded those slots carefully. Under the new policy, I have repos to burn. Today was the first time that I set one up to use in this way.

It feels odd using Github instead of Dropbox as I’m so used to my Github content being primarily open, and Dropbox requiring explicit permissions. Have you tried using Github this way? And how have your experiences been?

The reason I’m testing out Github is that I’m updating iOS Drawing for Swift. I have a week or so to burn while I’m waiting on editorial feedback and tech review on my Swift Style title from Pragmatic. It will take another 4-6 weeks for Addison Wesley to release iOS Drawing rights back to me but I figured I’d get a head start writing some test chapters and get some early feedback about the project while I had some downtime.

I’ve used Dropbox for years to provide material to beta readers and gather their feedback as well as to coordinate material on multiple machines. In testing out Github, I was inspired by Pragmatic’s workflow.

Pragmatic uses delightfully retro SVN version-controlled interactions between editors and authors. (I’ve had to create an SVN/git cheatsheet to remind myself how to SVN all the things.) Pearson/AW in contrast uses Basecamp to manage projects. Basecamp offers a lot of great team features including messaging, calendars, email updates, and so forth, and I’ve been quite happy with it.

Book projects tend to be hefty, especially those with lots of illustrations and sample code but Github has generous file policies. It imposes a 1 GB repo limit, 50 MB file warnings, and 100 MB file limits. These are far beyond what I’d need.

I’ve recently changed my overall personal workflow, having been inspired by conversations with editors at O’Reilly. O’Reilly has been pioneering modern, flexible content using markup source. I took my lead from them. (I’m personally using CommonMark instead of AsciiDoc and pandoc instead of Atlas, but the ideas are similar.)

Pandoc has been a pure delight. Even if CommonMark offers less nuance and control than Microsoft Word (however ugly MS Word is, it has power and all the ugly but practical features you need for professional publishing), pandoc allows me to push from manuscript to book in seconds.

I don’t have to use Calibre to build epub, pdf, and mobi output. My code examples are readable and my tables of contents are perfect. I’ve written a bunch of command-line utilities that automate the process of building the ebooks, zipping up archives, and storing copies in a Dropbox beta folder. I still use Dropbox to provide early reader access.

I built Swift Style’s first draft using this workflow, writing in MacDown, an open source macOS Markdown editor. I like MacDown’s side-by-side display but, to be honest, for material of any size, it has no way to keep the text and output in sync, especially once you introduce illustrations.

If I find some time, I’ll probably try to mess with the source to add this functionality because once you drop the ability to see your edits as you add them, the utility loses a lot of its charm but that’s a project for another day.

In the meantime, I’m just getting settled into Github for this project. A lot of my work steps are similar: I start by pulling and wrap up by pushing but now it’s to the repo, and not to Dropbox. Github offers more version control than Dropbox’s undelete functionality and I don’t have the same worries about filling up my quota.

I’m curious: Are you using Github for non-coding projects? And how has that worked out for you? Did the DNS incident a few days ago make you rethink? Or are you committed to this kind of collaborative tool? Let me know. Thanks!