Heads up for WordPress users on rumors of a new variation on an older scam. It’s especially tricky right now because the newest versions of WordPress actually do send you email saying (truthfully!) that it’s automatically updated itself. Here’s how one person reported the issue:
USING WORDPRESS? Beware of a VERY legit looking email going around that says your site has been updated to WordPress 3.8.2. Do NOT click the link; it’s there to steal your info!
I got the email and so did a friend who unfortunately clicked on it!
I manage dozens of WordPress sites but haven’t seen this specific scam yet (I expect to see them soon.) But late last year a similar message about a “required database update” was making the rounds.
The security rule of thumb in all instances of email solicitations to log in, to provide personal info, etc. is to
- Ignore the links — don’t click on them and don’t copy them down
- Close the email
- Type the correct URL into your browser, either from memory (if it’s a site known to you) or after finding the real URL via Google/Bing.
- Log in
If the notification was legitimate, your WordPress site (or bank, or Netflix, Gmail, Amazon, etc.) will let you know once you’ve logged in. Follow those instructions, not the ones in the email.
Same as for phone calls from alleged banks, utilities, etc. by the way: scams are so prevalent that basically no legitimate company representative will ask for your personal info, login info, or credit information in a phone call they initiated.
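As an added illustration of the “don’t click, go there yourself” rule above (example code, not part of the original post): this script pulls every link out of an HTML notification and flags any whose real destination is not the site’s own host, or whose visible URL differs from where it actually goes. The sample message and the host example.com are constructed placeholders.

```python
"""Added example, not from the original post: check the links in a "your site
has been updated" email before anyone clicks them. Assumes the site's only
legitimate host is the constructed placeholder example.com."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of an http(s) URL, or '' if the text is not one."""
    parsed = urlparse(url.strip())
    return (parsed.hostname or "").lower() if parsed.scheme in ("http", "https") else ""


def suspicious_links(html, trusted_hosts):
    """Return [(href, text, reason)] for links that fail the 'go there yourself' rule:
    a visible URL must match the real destination, which must be one of our hosts."""
    collector = _LinkCollector()
    collector.feed(html)
    trusted, findings = {h.lower() for h in trusted_hosts}, []
    for href, text in collector.links:
        real, shown = _host(href), _host(text)
        if shown and shown != real:
            findings.append((href, text, "visible URL host %r differs from real host %r" % (shown, real)))
        elif real not in trusted:
            findings.append((href, text, "link goes to untrusted host %r" % real))
    return findings


# Constructed sample modelled on the scam described above; not a real message.
SAMPLE_EMAIL = """<p>Howdy! Your site at example.com was updated to WordPress 3.8.2.</p>
<p>Please <a href="https://example.com.wp-update.example.net/login">log in</a> to review.</p>
<p>Or visit <a href="https://wp-update.example.net/">https://example.com/wp-admin/</a></p>
<p>Support: <a href="https://example.com/contact">https://example.com/contact</a></p>"""
```

Calling suspicious_links(SAMPLE_EMAIL, ["example.com"]) reports the first two links and leaves the genuine support link alone.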
Summary: Unless we’ve contacted you individually via phone or email, your site doesn’t use security (SSL) certificates and so it’s not directly affected by the widely reported Heartbleed internet-security bug.
Details: When a security bug is reported as straight news in the New York Times, it’s probably pretty serious. And the newly reported OpenSSL “Heartbleed” bug, which may have compromised passwords and security certificates for more than 60% of servers hosting secured websites, definitely counts as serious!
What does this mean for RealBasics clients?
From a personal standpoint we’re likely all in the same boat. Yahoo!, Google, and numerous other major, major websites we use every day were certainly vulnerable, and those vulnerabilities may have been exploited. Keep your eye on the news for what to do about that.
From a website owner’s perspective, especially if RealBasics, LLC, built, fixed, or maintains your website, the answer is… your actual site is safe. You’ll likely still want to change your passwords for your hosting company (e.g. GoDaddy, BlueHost) to keep anyone from logging into your hosting account. But your actual website is going to be fine.
If you subscribe to our Maintenance Plan then you’re further protected in the following ways:
- We regularly back up your site to the canonical “secure remote location.”
- We regularly run multiple security scans on your site.
- We regularly update your core website software, your plugins, and themes.
Again, this doesn’t mean your personal information on other sites, including possibly the company that hosts your website, is safe. But, again, unless we’ve contacted you directly, at least the website we’ve built, fixed, or maintained for you is secure.
Here are some other
Short version: Keep your website up to date — the older your CMS (e.g. WordPress, Drupal, etc.) the more time hackers have to reverse engineer and hack it.
Full disclosure and partial sales pitch: Our monthly maintenance plan includes timely updates to your site’s core software, plugins, and themes. It’s not all we do, but as the following article points out there are benefits beyond having the latest features, bells, and whistles.
Full technical version by ace computer security blogger Bruce Schneier here
Security Vulnerabilities of Legacy Code: An interesting research paper documents a “honeymoon effect” when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It’s a few years old, but I haven’t seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: “Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities,” Annual Computer Security Applications Conference 2010.
Source: Schneier on Security
Check out the Simple Strong Password Generator website.
There’s a link on the page explaining why a password made of four simple lower-case words is more secure than a shorter, harder-to-remember one with lots of upper-case letters, numbers, and “special” characters. (Tip: for most modern systems like Google, Facebook, WordPress, and the like, a space is a special character anyway.)
Tip: The password in the image above is just an example — don’t use it for your own password because it won’t be random. Instead just click the link and a new password suggestion will be waiting for you. Don’t like the first one? Refresh that page and it’ll give you a new one.
Yes, you can definitely manage and update your WordPress website from your smart phone, tablet, or other mobile device!
The folks at WPBeginner have a nice tutorial on the WordPress app for Apple devices. The official WordPress apps for other devices work pretty similarly.
And of course if we build you a website we’ll be delighted to show you how to update it with your own mobile devices!
After years of building websites that are easy for their owners to maintain and update I’ve come to a big realization: not everybody WANTS to maintain and update their sites!
Actually the big realization came when I pulled into one of those 15-minute oil-change places. Yes, I COULD change the oil myself, and it would even be relatively easy for me to change it, but the maintenance shop is just better equipped and better prepared.
And it’s not just the time it takes to actually change the oil. There’s buying the oil, finding a place to drain it, changing into suitable clothes for crawling under the car, getting out the tools, and cleaning up after.
With that in mind, RealBasics.com is now offering service contracts for backups, upgrades, and more!
Over at the WordFence blog, Mark Maunder explains why it’s important to enforce strong passwords on your website: “If someone hacks your site and downloads the user database table they can crack your encrypted passwords at their leisure.” We can fix that, and here’s why that matters!
“Why do I care, my site has already been compromised?” you might say. The issue is that many users have the bad habit of using the same password across multiple websites and that’s why the hacker grabbed your password file and is throwing significant resources at brute-forcing it: So that they can gain access to the real treasure-trove of Gmail accounts, LinkedIn, Facebook, Hotmail, Quicken, Paypal, eBay and all the other valuable accounts out there that let them steal real money from real people who are members of your website.
This is why, even if you have brute force protection on your site, you should enforce strong passwords: To protect your customers’ other accounts on the Web in the worst-case scenario of your site being compromised and your wp_users table being downloaded.
Meanwhile you might be saying “What other users? It’s just me here!” Ok, so they only have to crack one password then — yours! And if you use the same password elsewhere, or if you use an easily-recognized password pattern (e.g. hi-mom-gmail, hi-mom-twitter) then they’ll still be able to get into your other accounts.
When RealBasics builds your website we make sure your users’ passwords are easy to remember but hard to crack. And if you sign up for our maintenance plan, one of the adjustments we can make is to make your passwords more secure.
Do you have a backup plan for your website? Is it current and ongoing? Is your site backed up to your local machine, or the cloud, or somewhere else that’s not on your server’s file system?
I mention this because if your backups are stored on your server’s file system, then if you accidentally delete all the files, your backups will be deleted as well!
If you’ve got a WordPress or Drupal website, or even an old-fashioned HTML site, and you’re not absolutely positive you’ve got a safe, secure, and recent backup system, get in touch. I mean before you need it.
RealBasics.com consulting can do a review of your backup strategy and help make sure the system you have in place really will protect your online presence.
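As an added illustration of the point above about keeping backups off the site’s own file tree (example code, not RealBasics’ own tooling): make_backup refuses to write the archive anywhere under the site root, and verify_backup is meant to run on the copy after it has been moved off the server. The copy-off-server step itself (to your local machine or the cloud) is assumed to happen outside this script, and all paths and file names are constructed placeholders.

```python
"""Added example, not from the original post: a site backup that refuses to land
inside the site tree, so wiping the site cannot wipe the backups too."""
import hashlib
import os
import tarfile
import tempfile


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_root, dest_dir):
    """Write dest_dir/<site name>.tar.gz and return (archive path, sha256); refuses
    when dest_dir is the site root or anything beneath it (symlinks resolved)."""
    site_root, dest_dir = os.path.realpath(site_root), os.path.realpath(dest_dir)
    if os.path.commonpath([site_root, dest_dir]) == site_root:
        raise ValueError("refusing: %s is inside the site tree %s" % (dest_dir, site_root))
    os.makedirs(dest_dir, exist_ok=True)
    name = os.path.basename(site_root)
    archive = os.path.join(dest_dir, name + ".tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=name)
    return archive, sha256_of(archive)


def verify_backup(archive, expected_sha256):
    """Run on the copy moved off the server: confirm the hash still matches and
    return the sorted member list so a restore can be sanity-checked first."""
    if sha256_of(archive) != expected_sha256:
        raise ValueError("backup %s is corrupt or was altered in transit" % archive)
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Build a throwaway site tree, back it up outside it, and show the guard firing."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "htdocs")  # constructed placeholder site root
        os.makedirs(os.path.join(site, "wp-content", "uploads"))
        open(os.path.join(site, "wp-config.php"), "w").close()  # empty placeholder
        archive, digest = make_backup(site, os.path.join(tmp, "backups"))
        members = verify_backup(archive, digest)
        try:  # a "backups" folder under wp-content is exactly the mistake to catch
            make_backup(site, os.path.join(site, "wp-content", "backups"))
            guard_fired = False
        except ValueError:
            guard_fired = True
    return members, guard_fired
```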
Unless you updated your website last decade year month week chances are it’s at least a little out of date.
Can you take advantage of the latest SEO best practices? Are you making the best use of your blog? Do you still have an old “contact us” form with no phone numbers or email address? Do you stay on top of the latest web software updates?
Hey, when was the last time you did a full site backup?
And let’s not even mention the latest behind-the-scenes integration trends that Facebook and Google Plus are pressuring us to add on the back end!
I know. I know! I’m not one to talk.
I am one to listen. And watch. And RealBasics.com can listen and watch for you.
You actually don’t have to be eternally vigilant about your website. But you do need to pay attention. Or… get someone to pay attention for you.
RealBasics would be delighted to do as much or as little assessment and maintenance as you feel comfortable with.
Give us a call or drop us a line and find out what we can offer.
I wasn’t going to complain but I was actually pretty sick last week. You know how it goes: first you think you’ve just got allergies and it turns out to be a cold, or (as in my case) you think you’re sore from moving furniture and it turns out to be stomach flu. Yeah, that! So I wasn’t going to mention it but!
I was at a business-group meeting this morning and this week a number of the regulars were out sick. Does this make me a trend setter? No, it just means it’s that time of year when colds and the flu just make the rounds.
Why am I bringing this all up? Because at the meeting one of the other attendees mentioned visiting this website and looking at my portfolio. She said she got a good impression of my work. Which I have to say, is better than the impression she’d have gotten if she’d instead called while I was moaning and groaning with a 100 degree temperature!
Point being that my website was still working for me even when I couldn’t!
Does your website work for you? Even when you can’t?
If not, then let’s make it your website! Give me a call! (206) 390-8082!
This week’s ideal client? You or someone you know who has a merely mortal immune system during cold or flu season.