A fun afternoon (attacked website)

Thursday, December 15 was a day like any other until the afternoon. Then I got the notice from the Jetpack plugin for one of my WordPress sites that it was down, and couldn’t be reached.

This happens occasionally, so I wasn’t too upset. Pointing my browser to the site Home2Baja gave a Database connection error. Simple enough to fix.

So I fired up PuTTY, and logged in. I attempted to restart MySQL, the first line of fixing the issue. Weirdly, it restarted, then stopped automatically again.

What f*ckery is this?

So I restart the droplet (this is hosted on the incredibly awesome service Digital Ocean) and after a minute try to browse to the site again. Same issue.


So I once again fire up PuTTY, and log in. Now all sorts of bat-shittery is happening. I am getting BASH errors, not enough memory to fork. I can’t even log in, so I go to the Droplet service on DO, and log into the console.

… and the screen fills with Apache error codes.

A little Google-fu, and it appears that the site is getting hammered with XML-RPC requests, causing Apache to use all the memory, and essentially shutting down the droplet.

The problem was that I could power it off, and on, but before I could SSH in, the site was jacked with the cascade of XML-RPC requests.

Finally, I got in, and was able to apply a fix (also, documented well on the Digital Ocean support knowledge base), and got it back under control.

Now, I have Cloudflare running interference, so that in the future if/when I get hammered like this again, I can block it without being locked out of my own VPS.

A fun afternoon.

(Background: The “Home2Baja” site is a website I created for a friend who is selling his home in San Felipe, B.C. We use Google AdWords to drive traffic to it, and it gets 30 – 50 hits a day. Clearly someone pointed their attack vector at it, and it was getting 4,000 XML-RPC queries a second. No wonder my measly 1 GB droplet was getting inundated. Yes, there is a firewall, a fairly restrictive firewall, but these queries come via HTTP, or port 80.)
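One way to confirm this kind of flood from the Apache access log once you can get a shell, as an added example that is not from the original post: it counts POSTs to xmlrpc.php per client and per second. The log lines are constructed samples in combined log format, and the function name and threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not from the real site).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Jan/2024:14:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:14:02:12 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:14:02:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
garbage line without a request
"""

# client IP, timestamp, method and path from a common/combined log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def xmlrpc_summary(lines, per_ip_threshold=3):
    """Summarise POSTs to xmlrpc.php; the threshold is an assumed tuning value."""
    per_ip, per_second = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing mid-incident
        path = m.group("path").split("?", 1)[0]
        # XML-RPC calls are POSTs; WordPress may live in a subdirectory
        if m.group("method") != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        per_ip[m.group("ip")] += 1
        per_second[m.group("ts")] += 1  # log timestamps have 1-second resolution
    return {
        "total": sum(per_ip.values()),
        "peak_per_second": max(per_second.values(), default=0),
        "offenders": sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold),
    }

if __name__ == "__main__":
    print(xmlrpc_summary(SAMPLE_LOG.splitlines()))
```

A high peak spread over many clients points to a distributed flood, where per-IP blocking helps little and filtering upstream of the server is the better control.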

So you want a website – Weebly update

After my first “So you want a website” post, one of my faithful readers, David Kendall Grant mentioned that Weebly is an awesome, free, and very flexible website creation option.

I recall hearing about them in the past, but thought nothing about it, so I thought I would give it a try.

First, a basic setup is free. Like WordPress or Blogger, you can easily get a site up that is <your cool name>.weebly.com.  I started setting up a website. It is pretty easy, and they have a huge variety of templates that you can use. You are sure to find something you like.

The creation of the site is done by dragging and dropping features. Pretty intuitive, and almost fun. You can create text/articles, picture galleries, insert advertisements, and have interactive items like Forums pretty easily. Really slick.

I didn’t see any way to really modify the template. For example, many of the templates have photos in the header area. No amount of hunting by me found a way to change those images. In a way this makes sense, that the templates have some rigor to them.

How can they do this and make money if they give you a pretty solid experience for free?

Well, say you want to have your own domain name (<your cool site>.com instead of <your cool site>.weebly.com), they will register and set it up for you for a fee.  A pretty pricey option at ~ $40 a year.  (For comparison, WordPress.com will do this for $18 per year, and if you host your own, it will be about $12 a year).  So that is some revenue.

There are also upgrades, in two tiers that you can graduate to. The starter tier ($3.29 a month) adds some support options, and the ability to remove the Weebly branding from the footers. The next tier is “Pro”, which gives you a lot more flexibility, and adds things like site search, slideshows, video and audio players (boo, I hate web audio), and the ability to have other collaborators on your site.

My impressions:

I played with it for a couple of hours. I felt frustrated by the rigidity of the formats and the templates.  Of course I am the “free” user, and I am thus limited to what they give away.

I am not sure I would want to play with it enough to go pro.

I did see that you have the option of downloading your entire website. I didn’t play with that to see if it is in a format that can be moved to Blogger or WordPress.

I am also not their target demographic.  I am much more likely to roll up my sleeves and dive in to tweak the stylesheets, or the templates of my own site. But for the creative, but not very technical user, I am sure that Weebly provides a great entry point.

I am not giving up on the experience, but I think the next step will be to cough up some green and get access to the premium features.

One thing that is a turn off is the constant “hints” to get my own domain, and to upgrade. Heck, yesterday I got three different emails to find out why I didn’t finish my site, or buy a domain.

I understand that as the free user, I am not really a customer, and they are incentivized to coerce me to pay more, but the hard sell is not very effective for me. As I said, I am not their target demographic.

So you want a Website – let’s get started

I get a lot of people asking me how to create a website.  They see this page, or the site I run for the Southern Arizona Greyhound Adoption group, or my professional site, and wonder what they need to do to play. It can be confusing to a neophyte, but hopefully I can clear the confusion.

First, you need to honestly assess your technical ability. Do you view yourself as a bit of a nerd?  Are you comfortable with supporting yourself on your computer, do you like to tinker?  Then you might want to look to hosting and running a site on your own. But if you get nervous when you hear terms like FTP, SSH, Linux, Apache, PHP or the like, you might want to go with one of the completely managed solutions.

Second, you need to decide what you want to publish to the web. Most common is the blog format. This is a series of articles that can be arranged by category, and give you flexibility on what you want to post (text? photos? videos? all of the above). Or do you want to be a bit more formal, and run a site that is more of a portal or a magazine or newspaper?  The Greyhound site that I run is like this. Most of the content is static, but there are dynamic parts of the site.  Additionally, there are tools to help less skilled people contribute without giving them access to the back end. Do you want to do e-commerce?  Integrate ads to help offset your costs? It is best to get this down on paper up front.

If you are a neophyte, and you are scared of terms like FTP and PHP, you can go with one of the hosted solutions. Both Blogger (a Google property) and WordPress.com will be able to get you up and running very quickly. Both sites give a reasonable service for free, and are very simple to use and set up. Both can host your own domain name (your address on the web).  The WordPress service is what I am using here, and it is pretty solid.  One downside is that they will constantly try to get you to buy extra services (custom typography, custom templates).  Still, for many people, this is the best path.

If you are curious, and not afraid of computers and technology, you might decide to roll your own. Typically you buy hosting from one of the major hosting services (Hostgator, GoDaddy, MediaTemple) and then set up your site. Fortunately, it isn’t too geeky, as you can easily FTP your files over, create a database, and run the built-in installer and you will be up with a basic site.

There are some terms to learn. The software that runs on the host to deliver your website to the visitors is called a CMS (content management system).  A content management system (CMS) is a package that provides the logic, the maintenance behind the scenes, and utilities for adding content. They typically have a front end (what the public sees) and a back end (where you add articles, posts, or pages).

Templates are sets of files that alter the look and feel of the website. The packages typically have a couple of default (read: ugly) templates to get you started, but you are probably going to want to use a different template. Don’t worry, you don’t have to create your own, there are tons of free and paid templates for all the major packages.

Plugins/components are additions to the web CMS that extend and enhance the experience. Things like a tag cloud, or a twitter feed, or archive access are common. But there are other plugins that can be used. Perhaps you want Disqus for comments to your posts. Or you want to have Facebook “Like” icons. You can add these and more and not have to know anything about HTML.

All the major CMS platforms have some common attributes – they store their content and settings in a database (typically MySQL), they have some type of hierarchy or taxonomy to arrange and group content, and they are typically built on PHP code that creates the HTML and styles that are seen by the public.

The major CMS’s

WordPress: The most used CMS. It is very simple to set up (I can get a new site up in about a half hour), and straightforward to manage.  It doesn’t require a lot of skill to keep it going. There are an amazing number of plugins that give you infinite flexibility in layout and pizzazz. Additionally there are thousands of templates to give you a site that stands out from the riff-raff. I started with WordPress.

Joomla!: The second most popular CMS software, Joomla! is quite flexible.  It is what I use for my tralfaz site, and the Greyhound site. It is more of a general purpose CMS, unlike the “blog” focus that WordPress takes. There are lots of automation options for contributors, and a very rich user management environment that allows you to have many different access groups and control who sees what (I don’t really use this, but private sites, and member sites are trivial to set up in Joomla.) Joomla also has a very powerful ecommerce option, called VirtueMart, that is pretty easy to set up, but very powerful.

Drupal: Drupal is probably the least friendly CMS that is commonly used. It is more for web professionals, and keeping it up to date is a pretty hefty job. The basics are easy to get up, and built in are things like forums, and some great content bits. But the major sites that use Drupal have a lot of customization, and a full IT staff to keep it going. One site that does use Drupal is the Economist. It is a good example of what can be achieved with Drupal.  I have played with it a little, but it really is not for a hobbyist.

In the next article, I will discuss how to choose a hosting company, and the basic steps required to get online, and sharing your passions. I will also touch on maintenance and how to avoid being hacked.