Web Savvy Marketers

The 7 Common Fallacies About Your Website’s Security

August 26, 2016 Beth Devine

“Birthday Presents” by Mike McCune, used under CC BY / Modified from original

The three things you can be sure of in this world are death, taxes, and being hacked. Were he alive today, Benjamin Franklin would add the third, I feel fairly certain.

This latest of life’s certainties comes with being connected to the internet in any way at all. Every time you’re online, you’re a potential victim. And if you own a website for a small- or medium-sized business, your vulnerability is far greater.

By taking your business online, a necessary move if you want to be competitive, you become a target to a variety of attacks. Yet if you’re like most small business owners, you believe you’re safe.

Here’s why you’re wrong.

Fallacy #1: Small businesses aren’t worth a hacker’s time of day (or night).

Why would anyone want to bother with a small- or medium-sized business like yours? Because you’re far more likely to lack security, that’s why. Hackers know you’re less likely to take all the necessary measures to protect yourself, making you the low hanging fruit that offers itself as an easy target.

The fun they can have with your site is no different than what they can do with big business sites. Their three main reasons for hacking a website are to send out spam email; to gain access to your mailing list, credit card information, and other private data; and to install malicious software onto your site or your end users’ computers.

Fallacy #2: You’re doing everything right to stay off Google’s blacklist.

As long as your site is free from malware, you’re safe, right? Except for when you do something wrong, and then Google punishes you for your mistake. When you make a mistake that lands you on its blacklist, your site will be shut down from all traffic. No more business as usual.

These mistakes often involve methods to improve your SEO, but the end result is the opposite. Using clever SEO tactics that bring down the wrath of Google is a mistake anyone can make.

Fallacy #3: Your SHA-1 site is alright with you.

SHA-what, you ask? Because if you knew what SHA-1 was, you wouldn’t be all right with it. Basically, it’s old and decrepit and if it’s not replaced, collision attacks could lead to “catastrophic effects on the security of the internet.”

Here’s an example of what SHA (Secure Hash Algorithm) does. Let’s say you sign in to a website’s login page using your password. SHA-1 might be used to verify that your username and password are authentic. Behind the scenes your password is turned into a secret checksum and compared to the checksum that’s stored on the website. You’re granted access only when the two match.

All sites are being required to update to SHA-2 by the end of 2016 due to the weakness found in its predecessor. Chances are, your site has been changed to SHA-2. Check on shaaaaaaaaaaaaa.com just to be sure.  

Fallacy #4: Your site is safe because it’s WordPress.

WordPress is the largest content management system in the world, with thousands of plugins and widgets written by the community that enhance user experience. Hundreds of people all over the world are working on it, making it as safe and reliable as possible.

The problem is, they can’t make site owners take responsibility and keep their sites’ WordPress version up to date. At any given time, there are tens of thousands of WordPress sites with outdated versions, ripe for the picking by hackers.

It takes these attackers only a few minutes at most, using free automated tools, to find your site’s outdated version and exploit it. WordPress issues updates regularly for good reason. Don’t delay in making the upgrade.

Fallacy #5: I need to download all these plugins and themes because they’re so cool.

The single biggest source of vulnerability to your WordPress site is that nifty plugin you had to have. With over a thousand plugin vulnerabilities at any given time, keeping your plugins updated to their most current version is critical.

Not only that, don’t download plugins that you don’t need. Unnecessary plugins are like storing potatoes and forgetting about them until the smell of decay infests your home.  Either use them and keep them updated, or throw them out.

Fallacy #6: My password is safe and known only to me.

New bruteforce cracking software is available, making 8 million guesses per second in its attempt to crack passwords. Yet the use of common passwords persists, despite the growing threat of cybercrime.

Based on the annual list of worst passwords released in 2015, people are still using passwords that don’t follow the simple formula of CLU: Complex. Long. Unique. Notice #25 on the list: Star Wars. When you think you’re being unique, think again.

Try this password checker to get an idea of how fast some of your old passwords can be cracked. As a precaution, don’t type in anything you’re currently using. You never know who’s watching even the online checkers.

Have trouble dreaming up a strong password? Use a password generator to generate strong unique passwords. A strong password in combination with a password management program like LastPass will help you secure your identity throughout the internet.

Fallacy #7: I’m the administrator of the site, so that should be my username.

Remember those brute force attacks used for cracking passwords? They are also used for getting past your username, since a hacker will need to have both to break in. Making your username “administrator” gives them exactly half of the information they need.

Making your username your actual name is another mistake. If your name is on the site anywhere as a site administrator or contributor, it’s a no-brainer to attempt hacking in using those names as hopeful admin roles.

Last year saw the largest number of cyberattacks recorded around the world, with 230,000 new malware samples produced daily, according to PandaLabs. Website security is never going to be a process of eliminating risk. It’s about reducing risk when foolproof security is unattainable.

Stop making these common mistakes and ditch the fallacies about site security. Take proactive security measures and watch for the next post on what you can do now to fix your site’s security weaknesses.

 

Filed Under: Featured, Kacee's Posts, Security, Tips for a good website

Cyber Attacks on Manufacturers

December 16, 2015 Beth Devine

Manufacturers operate using a network of systems including equipment, machines, and processes that are run in a centralized manner and are often backed up on a company-owned server. The increased level of cyber attacks occurring within the industry is forcing manufacturers to strengthen security for company data and systems through security software, firewalls, and other security devices.

Manufacturers are well aware of the cyber risk of data loss and systems control. The threat of these cyber attacks comes from individual hackers or groups, organized crime rings, or under the auspices of foreign governments, with the purpose to steal trade secrets and intellectual property.

Despite all the security efforts to protect your company network and its proprietary information, manufacturers often overlook a critical security loophole — your company website.

The Cons of a Company Server

Having a company server doesn’t automatically qualify you to host your own website. Whereas the confidential company data on your server is password protected and encryption-enabled, and you continually update internal software vulnerabilities, the challenge is maintaining the same level of security with your website.

Hosting your own website leaves you open to hackers who are looking to get into your server for blueprints, your banking system, and your customer’s bank accounts. Manufacturers make attractive victims for cyber criminals due to your unique assets and the fact that you are often easy targets. In fact, believing you aren’t a target is one of the most common contributing factors to a manufacturer’s vulnerability.

A client-server model of networks has its own set of computer security vulnerabilities. Remember, your network is only as secure as your administrators and designers make it. There are many ways your server is vulnerable to cyber attacks, including the choice of server and how it’s configured and encrypted.

Here are three possible threats to a client owned server:

  1. Data theft due to improper configuration of servers.
  2. Misuse of user rights.
  3. Denial of Service (DoS) attacks on a server causing it to crash and lose data.

There is no way to prevent cyber attacks, just as there’s no way you can prevent someone from attempting to rob you. However, although no one is immune, you can reduce the risks by choosing strong cyber security programs and a website hosting service that’s dedicated to maintaining a secure server and continually managing it for optimum performance.

Your web hosting company will help you keep your site up and running, giving you reliable and advanced security, uptime, and disaster recovery. The greater the cyber defense of your website, the less likely you are to attract the interest of cybercriminals, and the safer your business will be.

If you do choose to host your own website with your confidential information, there are two important elements to be aware of to maintain website security:

  1. Keep an eye on your website analytics. If there’s something amiss, keen attention to your site’s analytics can reveal unusual activity. For example, if you see a sharp increase in unexplained visits from a foreign country, it could be a sign that you’re being targeted.
  2. Update everything. This means your antivirus software, operating systems, and all your website software, including WordPress software, its plugins and themes. The majority of these updates are security based. Hackers will take advantage of any security hole you’ve left wide open by not updating.

Manufacturers should always plan for the worst outcome. By assuming cyber criminals will target you, you will be prepared by giving yourself the best protection to your data and systems. The best safeguard for your manufacturing company isn’t a one-time effort or expense. It’s an ongoing process that involves utilizing security at all ports of entry, including your company website.

Filed Under: Security, Tools & Tips

More WordPress Security Mistakes (Yes, You’re Making Them)

August 15, 2015 Beth Devine

“Meow Wars” by Kevin Dooley, used under CC BY / Modified from original

You’re making more WordPress security mistakes besides those updates you keep neglecting to do. Avoiding regular updates is the most common security mistake, but there are more mistakes that also put your site at risk for attack.

Because WordPress is open source, those miscreants who wish to do harm can easily obtain the source code and study it for ways to hack in. Combine this with the popularity of WordPress and it’s like you have a bulls-eye target on you.

The good news is you don’t have to do anything drastic, like change to a much less user-friendly CMS that doesn’t have all the fabulous plugins and themes, all for free. All you have to do is follow these tips to button down your site and stay safe from attacks.

Lacking a First Line of Defense: No Security Plugin

There are many security plugins to choose from with different pricing, including some free options. While it’s true that having too many plugins can be a bad idea, having one that actually protects your site is a no-brainer.

This list of the Top 10 Essential WordPress Plugins is a good place to start. It includes Wordfence, a personal favorite of mine. These give you an extra layer of security by addressing the issues most prevalent, leaving you free to run your business worry-free.

Installing Bad Plugins and Themes

If a plugin is available for free that you would normally have to pay for, consider this a giant red flag. A pirated plugin or theme may be free, but it’s also going to be potentially rife with dire consequences.

Disreputable plugins and themes come with a catch. Not only are they dishonest and often stealing from hard-working developers, they can be infected with malware that will inject malicious code into your website. Once they’ve made this connection to your site, it’s like a backdoor where they can get in and do all kinds of damage.

Beware also of WordPress themes that look totally safe. If the theme isn’t from the WordPress Theme Directory, or isn’t from a source you know and trust, then you shouldn’t install it. There are hundreds of themes available, and they all have to pass selection criteria that includes possessing no unsafe code.

Surfing In Public Wi-Fi Waters

Sure, you’ve heard it all before, but do you really avoid using your credentials and private information on the internet when using a public Wi-Fi hotspot? These places include high-density areas such as airports, libraries, hotels, cafes, and, of course, Starbucks.

The ease with which attackers can steal your information is due to the fact that, according to Public WiFi, public WiFi networks are “almost always unencrypted, which means that anyone with cheap, easily available software can listen in and access everything being sent over the network.”

The hacks in a public WiFi hotspot can include Sniffers, Evil Twin, Man-in-the-Middle Attacks, and Sidejacking. The names are almost enough to steer you away from exposing your website and other information to attack.

Using “Admin” For Your Username

Your WordPress site has an automatically generated username with the Administrator role. This role has permissions that are referred to as admin, which allow this user to do anything they want. An Administrator has total power over the website, including deleting your whole site.

The last thing you want to do is keep the original username “admin” as the name for someone who has total access. This is the first thing a hacker will use when trying to break into your site. Once they’ve figured out your username, then all they have to do is guess your password. You’re giving away half the access information with admin still intact. See the list of targeted usernames in the recent brute-force attack here. Clearly admin is a common guess.

You can do one of two things:

  1. Don’t use or, even better, remove your admin username. But before you do this, create a new user with the admin role. Functioning under this new username, you can delete the old username of admin.
  2. If you want to do this in C-panel, read this user-friendly post on How To Change Your Username. If I can do it, you can too.

The Wordfence plugin allows you to block any IP address you want, so if you find one is continually attempting to log in using the admin username, block it.
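One way to spot such an address yourself from the web server's access log, as an added example that is not part of the original post. It counts failed login POSTs to `wp-login.php` per IP (WordPress answers a failed login with status 200 and a successful one with a 302 redirect); the log lines are constructed samples in combined log format, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: list IP addresses with repeated failed WordPress logins.
# A standard access log does not record the username that was tried, so this
# counts failed login attempts per address instead.

# Constructed sample log (documentation IP ranges, not real traffic).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [15/Aug/2015:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Aug/2015:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
198.51.100.40 - - [15/Aug/2015:03:12:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Aug/2015:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Aug/2015:08:40:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
198.51.100.23 - - [15/Aug/2015:08:40:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Aug/2015:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3312 "-" "Mozilla/5.0"
198.51.100.40 - - [15/Aug/2015:09:01:44 +0000] "GET /blog/ HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
EOF
}

# login_offenders THRESHOLD  (reads an access log on standard input)
# Prints "COUNT IP" for every address with at least THRESHOLD failed logins,
# busiest first. Fields: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.
login_offenders() {
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
        END {
            for (ip in failed)
                if (failed[ip] >= min) print failed[ip], ip
        }
    ' | sort -k1,1nr -k2,2
}
```

On a real site, feed it the server's own log, for example `login_offenders 20 < access.log`, and block the addresses it reports.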

Using Really Obvious Passwords

The list of top passwords for 2014 contains the same weak passwords, with “123456” and “password” holding the top two spots. It appears that all the advice on the internet about using strong passwords is going unheeded.

Use your imagination when creating your passwords and follow Google’s tips, use a password generator, or take Edward Snowden’s password advice to John Oliver and use “pass phrases” that are easy for you to remember, but difficult for computers to crack. Try one of the top five password managers to help you remember them all.

You can always sign up for a worry-free program with your web hosting company and let them take care of all your site’s security. If you’re running a small business, it’s a huge timesaver as well. Good luck — it’s a Digital Wild West out there.

Filed Under: Featured, Kacee's Posts, Security, Website Maintenance

Your IP Reputation and How To Protect It

July 9, 2015 Beth Devine

“Lucky” by woodleywonderworks, used under CC BY / Modified from original

Your IP address can earn a bad reputation when suspicious activity is detected. Let’s say you have spam or a virus coming from your IP address. This can get you blacklisted by spam databases or banned by a country’s firewall or a content delivery network.

As a result of blacklisting, anything you email from your website won’t get delivered. Your new subscribers to your website won’t be able to get beyond the initial subscribing stage and won’t receive password approval or your welcome email.

Are You Sharing Your IP Address With a Bad Site?

If another IP address within your content delivery network is blacklisted, then your website’s IP address could also be negatively affected. The bad reputation of another website can rub off on your website.

Most hosting providers will share your IP address with hundreds of other websites. In the event that one of the sites you’re sharing your IP with engages in spam or gets a virus, or is blocked by a country or a large network, your site could also share in the negative fallout.

If you think your IP address has a bad reputation in error, or due to sharing an IP address with a hacked site, you should request an investigation. Inform your web hosting provider of your concerns.

How To Check Your IP Reputation

To find out if your IP address has a bad reputation, you can check it with a number of free online tools, including Barracuda Central, MX Toolbox, What Is My IP Address, and IP Void. For a list of ways to check for potentially malicious websites, check out Zeltser’s list.

You also want to prevent your site from being spamvertised. This is when a hacker has placed a piece of code in your site that redirects viewers to a different and often unsavory website. The hackers send out emails with your website’s redirected link because their own site has already been blacklisted as spam.

WordFence is a great plugin for preventing spamvertising from happening, and if it does find something, they will alert you that your files have changed. If you pay for the premium service, you also get an early warning system built in for spamvertising.

How To Check Who Is On Your IP Address

By doing a reverse domain lookup, you can check to see what other sites share your IP address. You Get Signal is a tool that checks for and lists other sites on your web server. The list isn’t guaranteed to be complete (and it probably isn’t). As long as none of these sites are being blocked by spam monitors, your site won’t share in their bad reputation.

Norton Safe Web or Unmask Parasites will scan a URL to see if it’s safe. If it’s been hacked, infected, or is otherwise unsafe to browse, it’s probably not a site you want to share your IP address with.

How To Deal With Suspicious Activity

In the event you discover an issue with your site’s IP reputation, let your web hosting company know. They can help you to get it sorted out. The better you know your web hosting company, the more reassured you can be that they aren’t allowing questionable sites onto the shared server.

Web hosting companies who are web savvy (particularly those with a team of superheroes) are going to be paying attention, and they will investigate suspicious activity for you. Your IP reputation matters. Make sure you know yours is good.

Filed Under: Featured, Kacee's Posts, Security

How to Stay Safe With WordPress Updates

April 22, 2015 Beth Devine

 

WordPress is a fantastic content management system and blogging platform, but like most popular open source software it can be vulnerable to certain malicious activities–especially if your software, theme and plug-ins are not kept up to date and running the most current version.

What kind of malicious activities might occur?

  • Someone could install files with malicious scripts within your WordPress installation that send out SPAM. This could lead to an exceptional load on the hosting server causing it to slow down website performance and the volume of SPAM can cause the mail server to be blacklisted. The blacklist could prevent other folks from receiving your emails that you send causing you to lose business. And it can be time-consuming to get a server off a blacklist.
  • A malicious script redirects your site to another (SPAMMY) location causing you to lose business, damage your reputation and hurt your search engine rank.
  • Any number of other mean-spirited activities the hackers decide to wreak upon your site that will cause you to lose business, or your reputation or both.

It’s important to protect your website.

We’ve talked about WordPress security before (and will probably talk about it again). See No-Worries Website Security, More Password Hacking Methods and How to Stay Safe, How to Change Your WordPress Username, How To Prevent Zombie Hack of Your WordPress Site, and 6 Ways Your Site Is Hacked and What To Do About It for some previous posts.

There are many tools and plug-ins useful for keeping your site secure, but today we’re going to talk about managing WordPress updates. Let’s get started.

How to Manage Your WordPress Updates

WordPress makes it very easy to keep your website up to date. The most important thing to ensure is that you have a current and complete backup of your database and your files.

There are many ways to back up your website, but here are the easiest and most common.

  1. You can create a backup from your web hosting cPanel.
  2. There are backup plug-ins that you can install in your WordPress dashboard that will automatically back up your site at set intervals.

Once you ensure that you have a current backup, it’s very easy to complete the updates from within your dashboard. All updates for plug-ins, themes and WordPress versions will be noted under WordPress updates in your dashboard. Simply click the update links and in most cases the site will begin updating.

The Order of Operations

In my experience I find it best to start with the plug-ins and update all the plug-ins that have updates available. Once those updates have completed, move on to the theme (see theme warning below) and update it, then update WordPress itself.

Theme Warning – Why it’s important to use child themes.

Ensure that your theme hasn’t been modified or your updated theme may not display your website the way you want it to look. We usually build websites with all the style modifications made to the child theme so it’s less likely to cause a problem when updating the theme.

OOPs! Something went wrong!!!

You’ve made your updates but now…

  1. Your website doesn’t look right – See theme warning above.
  2. You can’t even see your website and you see a “Fatal Error” message(s) instead.

Now what do you do?

Disable Plug-ins.

Sometimes a plug-in doesn’t play well with the current version of WordPress. If that’s the case, it might actually make your website unavailable. Instead of seeing your website, you’ll see a fatal error message. So, if you’re seeing a fatal error message, the first thing to do would be to disable all the plug-ins. Probably the easiest way to do that is to log in to your cPanel, find your plug-ins directory, and disable it. An easy way to disable it is to change the name of the plug-ins folder. Use something like Disabled-plugins.

Did that fix it?

If yes, continue reading this section. If not, continue on to restore your website from the backup.

You’ve determined that your website works with plug-ins disabled, so you know that one (or more) of the plug-ins caused the problem. You need your plug-ins, so you’re going to enable them one by one to find out which plug-in caused the problem. To do that, create a new folder in your cPanel called plugins (don’t get creative here – put it in the same location where the old plugins folder was). Copy over each plug-in folder from the Disabled-plugins folder to the plugins folder. Check after moving each plug-in to the active plugins folder to see if the website is still working. When the website breaks, you’ll have discovered which plug-in broke the website. Now you need to consider whether you really need that plug-in or not.
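The disable-and-re-enable procedure above, as an added shell example for hosts that offer shell access; it is not part of the original post. It renames `plugins` to `Disabled-plugins`, moves the plug-ins back one at a time, and prints the ones that break the site; the function names, the `SITE_URL` variable and the curl-based check are assumptions.

```shell
#!/bin/sh
# Added example: automates the rename-and-re-enable procedure from the post.

# Health check for real use (assumption: SITE_URL holds your site's address).
# Fails on an HTTP error status or when the page shows a PHP "Fatal error".
check_site_http() {
    body=$(curl -fsS --max-time 20 "${SITE_URL:?set SITE_URL first}") || return 1
    case $body in
        *"Fatal error"*) return 1 ;;
    esac
    return 0
}

# isolate_plugins WP_CONTENT_DIR CHECK_COMMAND
# Prints the name of every plug-in that breaks the site, one per line, and
# leaves those plug-ins in Disabled-plugins. Working plug-ins end up back in
# plugins. Handles plug-in folders and single-file plug-ins alike.
isolate_plugins() {
    wp_content=$1
    check=$2
    active="$wp_content/plugins"
    parked="$wp_content/Disabled-plugins"

    if [ ! -d "$active" ]; then
        echo "no plugins folder in $wp_content" >&2
        return 2
    fi
    if [ -e "$parked" ]; then
        echo "$parked already exists; finish or undo the earlier run" >&2
        return 2
    fi

    # Step 1: disable everything by renaming the folder, then recreate it empty.
    mv "$active" "$parked" || return 2
    mkdir "$active" || return 2

    # Step 2: "Did that fix it?" If not, plug-ins are not the cause: undo the
    # rename and go on to restoring from the backup.
    if ! "$check" "$wp_content"; then
        rmdir "$active" && mv "$parked" "$active"
        echo "site still broken with all plug-ins disabled" >&2
        return 1
    fi

    # Step 3: bring plug-ins back one at a time, testing after each move.
    for entry in "$parked"/*; do
        [ -e "$entry" ] || continue
        name=$(basename "$entry")
        if [ "$name" = "index.php" ]; then
            continue   # WordPress placeholder file, not a plug-in
        fi
        mv "$entry" "$active/$name"
        if ! "$check" "$wp_content"; then
            mv "$active/$name" "$parked/$name"   # park the offender again
            echo "$name"
        fi
    done
    return 0
}
```

Run it as `SITE_URL=https://example.com/ isolate_plugins /path/to/wp-content check_site_http`, with both values replaced by your own, after taking the backup described earlier.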

Restore your website from a backup.

Here’s where it’s important to have your backup database and files.

In your cpanel:

  1. Overwrite or restore your WordPress files with the backup files you saved.
  2. Restore the old database you saved or create a new database and import your backup database into the new database. Change the wp-config file to point to the corrected database.

Your website should now be restored to the state it was in prior to trying to update it. So now you’re back to square one with a working but outdated WordPress installation. Chances are that during the restoration you discovered whether it was an outdated plug-in or an outdated theme that created the havoc during updates. It’s likely you’ll want to replace the plug-in and/or theme with something that is compatible with the current WordPress version.

Filed Under: Featured, Security, Tools & Tips, Website Maintenance, Wordpress Tutorials
