Today, as I’ve been relaunching my blog and migrating it from an Amazon EC2 cloud instance to a GoDaddy-hosted WordPress account, I’ve been listening to the president-elect hyperventilate over recent reports that Russia has compromising information on his business interests and peccadilloes, was at some point prepared to blackmail him, and had regular covert contact with his campaign. Crazy. Even crazier than the widespread reports that Russians used an army of hackers and trolls (especially Edward Snowden and WikiLeaks) to help spread disinformation about the election and sabotage Hillary Clinton’s campaign. It’s like we’re living in a mashup of Bridge of Spies and Spies Like Us.
But for me, the craziest thing of all is that I seem to have played a (tiny) role.
Let me share a bit more about why I’m moving the site. Recently my domain has been down, and I’d been struggling to figure out why, since the server seemed to be up and running. Worse, I couldn’t access WordPress or even ssh into the site, which meant I couldn’t check and see where the traffic was coming from and I couldn’t export my old posts for relaunch. Not being much of a tech wizard, I set the problem aside sometime over the summer.
Well, I finally gave up, and I’m now reconstructing the old posts by combing through the WP database backups that I was emailing to myself on a weekly basis (this is a PITA, by the way, and means I’m losing all images and documents hosted on the old site; but there’s a great tip on how to pull posts from a WordPress DB here).
Now that the site is up and running again, I thought I’d check in to Google Analytics. I hadn’t thought to look before because, since the site was down, I figured there wouldn’t be anything to track. This is what I found:
So the vast majority of visitors to the site were from Russia (and Kyrgyzstan). And their preferred language was either Russian or something called “Secret.google.com … Vote for Trump!” And the traffic spiked through election day and then collapsed in December.
Finally, if you look at the pages they were visiting, you see several pages that I never placed on the site:
Now I’m not sure what this all adds up to. They certainly couldn’t have secure shelled into the server itself (I’d done a lot to harden that). My guess is that they found some other way to exploit WordPress and take over the server, including creating content. But I am shocked. I’d be curious how much this tracks what other WordPress hosts saw over the same period. Certainly, it was the last thing I expected.
A few years ago I was complaining that maintaining your own server meant having to fend off increasingly severe and sophisticated attacks from hackers/bots located outside the US (something I’m not really equipped to do). Now it seems clear that this was more than just a hassle — it’s actually dangerous. If you don’t know what you’re doing, you’re basically opening up a channel for others to use against the world.
Sorry, democracy. ¯\_(ツ)_/¯