Dear TIWWA members and visitors,
Nothing to be alarmed about, but I would to extend apologies for any inconvenience you may have experienced with slow responses or speed with the website in the last few days.
Unfortunately we have intermittently been receiving a high amount of illegitimate web traffic, effectively hammering away at the server in what appears to be a crude attempt to knock our server or website offline.
As you may know such is the nature of DDoS or 'Distributed Denial of Service' attacks, the hackers (possibly someone who has watched too many episode of Mr Robot) often use a one or more, sometimes a whole network of compromised computers or devices to try and take random or specific servers down by bombarding their firewall and server software with traffic or hits.
Initially it was coming from Italy, then the US, then South America.
We can manually kill off the Apache server process each time and restart it, but after a while it starts up again, sometimes soon or after a few hours. Eventually they will get bored with door rattling and move on, especially since we're not a big company website, power station etc.
Our web-hosting company has elevated the issue to a more senior tier of support staff who have been working hard to resolve the issues, however we may start using Cloudflare and routing through their network behind the scenes for extra protection, as they provide a network service to assist with this sort of issue. If so, the website may be inaccessible for a short while.
We may also have to enable additional firewall rules, which potentially could cause you to receive a blocked or forbidden error messages in your browser if your use or visit to the site triggers a false positive. Such advanced rules are very sensitive, and require a lot of fine tuning and extra time to configure, so are best avoided if possible.
I want to reassure you that we have no reason to believe the website or server has been compromised or hacked in any way, or personal information taken.
We take security seriously. We also have automatic backups available, and all non-public user account related personal information such as e-mail addresses, passwords etc are fully encrypted, as you would rightly expect. This is one reason why we licence use of professional community software with regular updates rather than use free software, and we also automatically encrypt all traffic between our server and your browser when you visit our site.
We also use another company to probe our server infrastructure, encryption levels and website each week for potential security issues.
Thank you bearing with us.
Handy to know tips
Remember in general to always use ideally single use, strong passwords on your websites and devices, in particular your Google or other email accounts which if compromised could be used to change or hack your social media and website accounts. Password managers are well recommended, in particular LastPass and 1Pass are recommended.
Always use a good, up to date Antivirus software, ideally combined with separate anti-malware software such as Malwarebytes. These days, on Windows 10, Microsoft's built-in antivirus is regarded as very good. Avast is excellent for free software, I used it for over 10 years, but tends to nag with somewhat, scaremongering pop ups to buy the full version. Kapaskey, Mcaffee and Symantec are probably best avoided.
Should you have any concerns about account security in general, you may be unaware but we also support so-called 'two factor' account protection.
Did you know we support Google Authenticator!
If would like to make use of the popular Google Authenticator service which you can configure in your user account settings, it is free and optional for non-staff members. Very handy if you don't use a password manager service or tend to read-use the same password for multiple sites.
Once activated, it allows you to require anyone accessing your account from a new device or browser for the first time or after you sign out, to enter a one time code sent to your phone or mobile device by Google, either by text message or via the Google Authenticator app (if you have it installed on your mobile devices).
If the code is not correctly entered before it expires, access is denied, so without access to your device, nobody can in theory access your account.
I can't stress this enough to everyone with a Google Account these days, I very strongly recommended activating Google 2FA/Google Authenticator to access your Google Account, but you can also use it here if you want and on many other websites and apps too.
Adding an extra layer...
We also have the optional 3 Security Question/Answers option if you prefer, or you can use both. You can set up questions and answers that hopefully only you would know the correct answers to (don't share too much info on social media!),
Either of these options are are available in your Account Security settings and are useful if you feel you would like to add an extra layer of protection to your account.
You may also have noticed a new section after our last big update that provides device and browser usage history (Recently Used Devices). If you also use a VPN service however, the info will obviously be incorrect.
The Old Man
View the blog entry & optionally add your comments.