
Over the past several months, many of you noticed that the Joplin Amateur Radio Club website, JoplinARC.com, was unavailable. I want to explain, in plain language, what happened and what steps were taken to fix the problem.
Late last year I received a notice that the PHP software version running behind our WordPress website had become outdated and was no longer supported. PHP is one of the main pieces of programming that helps websites function behind the scenes. When it becomes outdated, it can create security risks if it isn’t upgraded.
I contacted our longtime web expert, Erin, ND7B, about updating it. Erin has done an excellent job maintaining the site over the years, but the update process can take considerable time. At the time he was extremely busy and indicated it might take a while before he could work on it.
About a month later I followed up again, but unfortunately Erin had been involved in a serious accident after falling from a ladder and severely injuring his back. He was unable to sit comfortably and was scheduled for back surgery, which meant he would be unavailable for some time.
Not wanting the website to remain vulnerable, I contacted a professional website management company in Springfield, Missouri. After several emails explaining what needed to be done and answering their questions, they provided a quote of $4,000 to perform the PHP upgrade. Because of the high cost, I decided to wait until Erin had his surgery and check with him afterward before moving forward.
By that time, several months had passed since the PHP version had become unsupported. During that window, the website was attacked and shut down.
Although I had backups, I was unable to restore the site myself, and Erin was still recovering from surgery. Because his recovery would take some time, Erin recommended another experienced programmer and website manager he trusted: Scott, W8UFO.
Scott was available and agreed to help at a rate of $70 per hour. Within two hours, he successfully restored the site and upgraded it to the latest supported PHP version, bringing the website back online.
At first, we were unsure exactly how the attack occurred. Out of an abundance of caution—and to protect the privacy and integrity of our members—I deleted all existing website user accounts as a safety measure.
Further investigation later showed that the attack was carried out by a sophisticated automated AI hacking bot that exploited the outdated PHP software. The important thing to understand is that the website itself was not compromised, and no member data stored on the site was accessed.
It’s also important to note that the website does not store financial information. Any financial transactions are handled by secure third-party payment vendors, which is why a small processing fee is charged for online payments. Those systems were never affected by the attack.
After carefully reviewing the site and confirming that the vulnerability was fixed, JoplinARC.com is now fully operational again.
Anyone who would like to create a website login account may now register again. However, please remember that having a website account is not required to be a member of the Joplin Amateur Radio Club.
Thank you for your patience while we worked through this issue and restored the website.
Chris, N0YH, Webmaster and Club Treasurer