Cool post from VOX.com on the runaway most-popular passwords… and therefore the ones hackers try first.
So about the title of this post: yeah, don’t choose any of these. Also, pro-tip: computers are fast and sorted lists of the thousand most popular passwords are easily obtained, so when possible pick a good one that’s easy to remember but hard for computers to guess. Four or more random words in one or more languages work well; “elbow Lucerne brown elegante” is just one example.
From Shaun Quarton at Torque Magazine
- Backup your site
- Keep everything updated (WordPress plus themes and plugins — even the ones that aren’t in use.)
- Hide your WordPress version
- Choose secure passwords
- Use secure usernames too (do not use “Admin”)
- Move your login page
- Hide your username (your login name)
- Limit login attempts
- Use a secure host
- Disable the theme and plugin editors
- Add and configure one or more security plugins
These are all great tips. Go check out Shaun’s post. I’m always happy to answer questions as well.
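As an added illustration of three of the tips above (hide the version, disable the file editors, limit login attempts), here is a small must-use plugin for wp-content/mu-plugins/. This is example code written for this post, not code from Shaun’s article; the `rb_` names, the 5-attempt limit and the 15-minute window are assumptions you should tune.

```php
<?php
/**
 * Plugin Name: Hardening example (added illustration, not from Torque's post)
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Tip: hide your WordPress version. Remove the <meta name="generator"> tag
// from page heads and blank the version string WordPress adds to feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Tip: disable the theme and plugin editors. This usually lives in wp-config.php;
// a must-use plugin loads early enough for the wp-admin menu check to see it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Tip: limit login attempts. Failures are counted per client IP in a transient
// and further attempts are refused once the limit is hit (assumed values).
define( 'RB_MAX_FAILURES', 5 );
define( 'RB_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS );

function rb_failure_key() {
    // REMOTE_ADDR is the address the web server saw. Behind a reverse proxy or
    // CDN you must surface the real client IP first, or all visitors share one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'rb_login_fail_' . md5( $ip );
}

add_action( 'wp_login_failed', function ( $username ) {
    $key   = rb_failure_key();
    $count = (int) get_transient( $key ) + 1;
    // Every failure restarts the window, so a burst of guesses keeps the lock in place.
    set_transient( $key, $count, RB_LOCKOUT_SECS );
} );

// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so our error is what the visitor sees while locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( rb_failure_key() ) >= RB_MAX_FAILURES ) {
        return new WP_Error( 'rb_locked_out',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( rb_failure_key() );
} );
```

On a shared host without a persistent object cache, transients live in the options table, so the counter survives requests but is per-site rather than per-server.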
Statistics site Internet Live Stats reports there are currently 1,060,822,043 websites in the world! Even if you read this only minutes after I post there will already be thousands more! Just follow that link and watch the counter fly!
ILS also reports, however, that
It must be noted that around 75% of websites today are not active, but parked domains or similar.
We’ll just add that of the remaining 250,000,000 sites an extraordinary number are live, yes, but also old, obsolete, broken, and vulnerable! Small wonder, then, that as operating systems become more robust, hackers and spammers are breaking into and hijacking websites.
Our advice? Make sure your website software is up to date, backed up, protected with security checks and plugins, and of course regularly updated! Either do it yourself or if you don’t have time or resources find someone able to do it for you.
Nobody wants to see messages like these when they visit their website. Or their hosting company. Or their website control panel.
And the good news? Usually you don’t!
It’s even better news if you have regular, recent backups stored somewhere besides your hosting company’s servers.
That way, if bad comes to worse and your hosting company has gone dark or, nearly as bad, has an extended, intractable data center equipment failure, you’ll at least be in a position to temporarily (or permanently) relocate your website to another server, on another account, or even with another host altogether.
Yesterday the vulnerability was announced. If you’re a RealBasics maintenance client using All in One SEO Pack your site is already protected and the plugin fixed.
Today the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware clean-up service.
More than 73 million websites on the Internet run on the WordPress publishing platform, and more than 15 million websites currently use the All in One SEO Pack plugin for search engine optimization.
Don’t get us wrong: All in One SEO Pack is a great tool backed by responsive developers, and they released an update that closes the vulnerabilities very quickly. The risk is that current users may not get the message, log into their websites, and perform the update. Keeping your software up to date and security scanned are just two of the core benefits we offer here at RealBasics.com.
If you’d like this kind of coverage give us a call – (206) 390-8082.
There’s so much to like about the new WordPress 3.9. If you’re a RealBasics maintenance client your site’s already been backed up, security checked, optimized, and updated to 3.9. (If you’re not a maintenance client then give us a call!)
- Much more mobile friendly interfaces!
- Improved visual editing — better format options, more mobile friendly.
- Add photos by dragging and dropping from your desktop! (No “Add Media” button required for most images!)
- Easy image editing too! (Resize just by dragging to name just one new feature!)
- Gallery previews (no more guessing what’s in the big yellow box!)
- Paste text formatted from your favorite word processors, email, even other websites! (No more “Paste from Word!”)
- Lots of behind-the-scenes features for the techies and nerds at RealBasics.com and elsewhere.
We say check it out.
On the other hand if you’re already one of our service customers your software’s already updated and your site is secure.
Here’s the warning from the good folks at WordFence:
WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165
WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166
What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.
The post also warns of a vulnerability in the TwitGet plugin. If you use it you’ll want to upgrade that too. Or have us do it for you.
Of course we do more than keep your website up to date. We keep it backed up, run multiple security scans, give you access to premium plugins and themes at no extra cost, keep an eye on your server and database performance, and provide up to an hour of consulting, training, and even post scheduling and gallery management! Give us a call.
Heads up for WordPress users on rumors of a new variation on an older scam. It’s especially tricky right now because the newest versions of WordPress actually do send you email saying (truthfully!) that it’s automatically updated itself. Here’s how one person reported the issue:
USING WORDPRESS? Beware of a VERY legit looking email going around that says your site has been updated to WordPress 3.8.2. Do NOT click the link, it’s to steal your info!
I got the email and so did a friend who unfortunately clicked on it!
I manage dozens of WordPress sites but haven’t seen this specific scam yet (I expect to see them soon.) But late last year a similar message about a “required database update” was making the rounds.
The security rule of thumb for any email soliciting you to log in, provide personal info, etc. is to
- Ignore the links — don’t click on them and don’t copy them down
- Close the email
- Type the correct URL into your browser yourself, either from memory (if it’s a site known to you) or after finding the real URL via Google/Bing.
- Log in
If the notification was legitimate your WordPress site (or bank, or Netflix, Gmail, Amazon, etc.) will let you know. Follow those instructions, not the ones in the email.
Same as for phone calls from alleged banks, utilities, etc. by the way: scams are so prevalent that basically no legitimate company representative will ask for your personal info, login info, or credit information in a phone call they initiated.
Summary: Unless we’ve contacted you individually via phone or email your site doesn’t use security certificates and so it’s not directly affected by the widely reported Heartbleed internet-security bug.
Details: When a security bug is reported as straight news in the New York Times it’s probably pretty serious. And the newly reported OpenSSL “Heartbleed” bug, which may have compromised passwords and security certificates for more than 60% of servers hosting secured websites, definitely counts as serious!
What does this mean for RealBasics clients?
From a personal standpoint we’re likely all in the same boat. Yahoo!, Google, and numerous other major, major websites we use every day were certainly vulnerable, and those vulnerabilities may have been exploited. Keep your eye on the news for what to do about that.
From a website owner’s perspective, especially if RealBasics, LLC, built, fixed, or maintains your website the answer is… your actual site is safe. You’ll likely still want to change your passwords for your hosting company (e.g. GoDaddy, BlueHost) to keep anyone from logging into your hosting account. But your actual website is going to be fine.
If you subscribe to our Maintenance Plan then you’re further protected in the following ways:
- We regularly back up your site to the canonical “secure remote location.”
- We regularly run multiple security scans on your site.
- We regularly update your core website software, your plugins, and themes.
Again, this doesn’t mean your personal information on other sites, possibly including the company that hosts your website, is safe. But, again, unless we’ve contacted you directly, at least the website we’ve built, fixed, or maintained for you is secure.
Here are some other
Short version: Keep your website up to date — the older your CMS (e.g. WordPress, Drupal, etc.) the more time hackers have to reverse engineer and hack it.
Full disclosure and partial sales pitch: Our monthly maintenance plan includes timely updates to your site’s core software, plugins, and themes. It’s not all we do, but as the following article points out there are benefits beyond having the latest features, bells, and whistles.
Full technical version by ace computer security blogger Bruce Schneier here:
Security Vulnerabilities of Legacy Code: An interesting research paper documents a “honeymoon effect” when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It’s a few years old, but I haven’t seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: “Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities,” Annual Computer Security Applications Conference 2010.
Source: Schneier on Security