I made a noob mistake this week. I have a few other sites I’ve been toying with in my spare time and I had developed a few simple admin pages for them. The admin pages allowed me to modify the site and make simple changes to content. Unfortunately, there were also dynamically-generated links to delete content.
I figured since the pages were randomly named and not linked anywhere on the site, I could just leave them be and use them as needed since they weren’t advertised anywhere. As you can guess by the title of this article, I was wrong. Somehow, and I still haven’t figured out how, Alexa’s bot found my page. Bots aren’t bad by default, but they have this habit of following all the links on your site. Fortunately, they follow them randomly and usually not all at one time.
I checked my database as I often do, and saw about half of my content from one table was missing. After digging around, I remembered that admin page I had made. I started checking my logs and sure enough Alexa’s bot had crawled the page and followed many of the delete links in it. YAY!
Thankfully, I learned my lesson cheaply. All of my sites that matter had password-protected admin pages, but now my sandbox sites will too. By setting up an .htaccess file and separating admin pages from content, you can maintain some simple security for your sites. Secondly, I’ll be implementing some complexity in the pages to prevent me from accidentally whacking records.
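The log check described above can be scripted. This is an added example, not code from the original post: it scans Apache combined-format access log lines for GET requests to delete-style URLs that were actually served, and counts the ones made by self-identified crawlers. The log lines, page name, URL pattern and user-agent strings are constructed assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: ip, identity, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Assumption: delete links look like ?action=delete&id=N or /delete/N.
DESTRUCTIVE_RE = re.compile(r'[?&]action=delete\b|/delete\b', re.I)
# Heuristic only: crawlers that identify themselves in the User-Agent header.
BOT_RE = re.compile(r'bot|crawl|spider|archiver', re.I)

# Constructed sample lines (documentation IP ranges, made-up page name and agents).
BOT_UA = 'ExampleCrawler/1.0 (+http://crawler.example/bot)'
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:04:11:02 +0000] "GET /x7f3q-admin.php HTTP/1.1" 200 5120 "-" "{BOT_UA}"',
    f'203.0.113.7 - - [01/Jan/2024:04:11:05 +0000] "GET /x7f3q-admin.php?action=delete&id=14 HTTP/1.1" 200 312 "-" "{BOT_UA}"',
    f'203.0.113.7 - - [01/Jan/2024:09:40:51 +0000] "GET /x7f3q-admin.php?action=delete&id=27 HTTP/1.1" 200 312 "-" "{BOT_UA}"',
    '198.51.100.20 - - [01/Jan/2024:10:02:13 +0000] "GET /x7f3q-admin.php?action=delete&id=3 HTTP/1.1" 200 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Same crawler after authentication was added: refused, so nothing was deleted.
    f'203.0.113.7 - - [02/Jan/2024:04:12:40 +0000] "GET /x7f3q-admin.php?action=delete&id=31 HTTP/1.1" 401 480 "-" "{BOT_UA}"',
    f'203.0.113.7 - - [02/Jan/2024:04:12:44 +0000] "GET /articles/14 HTTP/1.1" 200 8841 "-" "{BOT_UA}"',
]

def destructive_gets(lines):
    """Return GET requests to delete-style URLs that the server served (2xx/3xx)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'GET':
            continue  # unparseable line, or not a plain link-follow
        if DESTRUCTIVE_RE.search(m['url']) and m['status'][0] in '23':
            hits.append({'ip': m['ip'], 'time': m['time'], 'url': m['url'],
                         'agent': m['agent'], 'bot': bool(BOT_RE.search(m['agent']))})
    return hits

def bot_summary(lines):
    """Count served delete requests per self-identified crawler."""
    return Counter(h['agent'] for h in destructive_gets(lines) if h['bot'])

if __name__ == '__main__':
    for agent, count in bot_summary(SAMPLE_LOG).items():
        print(f'{count} delete link(s) followed by {agent}')
```

Once the admin pages sit behind .htaccess authentication, the same crawler requests are logged with a 401 status and drop out of the report.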