From Craig Steffen, KPA webmaster: Thanks to the hosts for this year’s conference! Thanks to everyone who volunteered for the February 20 Zoom shakedown test. The conference is better for all of you. Thanks to everyone who’s attending.
Executive Summary: Web site got hacked again. However, our hosting company was great, and shut down the site immediately. Webmaster had to scramble a bit to get the site repopulated, to get registration set up, and then that failed, and then get a different registration set up again. People were able to register; at no point was any actual financial information in danger. The end result is the webmaster has had kind of a yucky week, but we are in a much better position website-wise than we were two weeks ago. And all the work for the virtual conference was finished and tested two weeks ago, so the conference is full speed ahead.
Long version: We got hacked. I don’t know how it happened. It’s possible that it’s because the Square (credit card payment company) library went out of support in June of 2020 and I hadn’t realized that.
When the web site got hacked a couple of years ago, it’s not entirely clear who did what. It’s possible that the site was broken into by outside forces. It’s also possible that our host themselves was injecting the hostile traffic in order to sell us expensive security services. In any case, they were super-unhelpful and wouldn’t just delete the site so that we could rebuild it. That’s why we dumped them. It’s possible there was a hostile intrusion, or also possible that the host was just scamming us. This recent hack was definitely from outside, and definitely had hostile intent. It’s not clear if they were interested in financial information we had; it’s entirely possible they just wanted to use us as a host to spread malware. The host company shut it down *really* fast; it’s possible that the site served zero malware.
Our internet hosting company, inmotionhosting.com, was great. They pulled the site and isolated the files, and sent us an email. I don’t check the KPA email address every day, so the first I knew of it was someone pinging me over email saying they couldn’t register. Inmotionhosting’s chat support was super-helpful and responsive. We got a web site back up in a few hours, then I had to try to get registration up. To do this, we completely re-installed WordPress from scratch. While doing so we added several security features. All accounts logging into the WordPress admin now have 2-factor authentication. We have SSL on all pages. We will set all the modules to auto-update.
After getting the basic site up, I tried to put back up the old registration system (carefully checked to make sure the files didn’t contain any of the hostile code). Because Square’s library had expired last June, I pulled in the new version of their library, which I couldn’t make work, after working on it for like a day and a half. When things settle down, I’m going to spend some time making sure that they know that their current library for working with php is just broken.
After that failure, I decided I would just use a WordPress module that worked with Square payments to do the registration. I spent time and $49 to buy the forms from “WP EasyPay”. I set up a registration with that, that seemed to work, and I know one person successfully used it. Working with another programmer, I figured out a way to make the form better, so I made a couple of tweaks, and left it. Unfortunately, somehow, that made the forms not work, and credit card payment always froze and never completed. I tried to fix it several ways, including completely removing WP EasyPay from the site and reinstalling it. It never worked again. I’m going to try to get the $49 refunded.
So the week immediately preceding the conference, I set up yet another registration form with a different form system called “WooCommerce”. That’s much more complicated, but it’s worked consistently. So that registration is up and so far it seems to be registering people successfully. While I would have rather not had to deal with all of this in a hurry right before the conference, the net result is that the web site is far more secure now, and we have a lot more knowledge about registration systems based on readily available components (rather than the hand-crafted registration system we’d been using before). This is good for year-to-year continuity, and for security, especially for the prospect of me handing off webmaster duties to someone in the future who’s not a programmer. That’s possible at this point, whereas it wasn’t a month ago.
The really good news amongst all of this is that more than a month ago, we’d gathered a group of people to be in charge of the sessions at the virtual conference, and we’d set up procedures, and trained people on those procedures, and had an all-up test on February 20th where we had mock sessions and everything worked as expected, and we got to tweak our instructions and documentation. Thanks to everyone who participated in the testing day. That definitely helped the conference run more smoothly. And that was all done before the web site problems, so we didn’t have to be doing final prep for the virtual conference while dealing with registration, because the prep was already done.
If you have any questions, please feel free to contact the webmaster at firstname.lastname@example.org.
We hope you have a great conference, and we hope to see you next year (hopefully in person)!