Tag Archives: plugins

How Does the “Heartbleed” OpenSSL Bug Affect Me?

“Heartbleed” is a newly discovered security bug that affects OpenSSL encryption software across the web. This bug is estimated to have affected about 2/3 of sites on the web that encrypt data.
What is SSL encryption?

When you sign in to a secure site, you’ll notice a ‘lock’ icon in your address bar, or https: (rather than http:) at the start of the address. That means the site you’re signing in to uses SSL to secure the transmission of private information like passwords, credit card and account numbers, etc. The software the website uses to run SSL may be OpenSSL, which is one of the most widely used SSL software programs today.
What does the Heartbleed bug do?

The Heartbleed bug allows an attacker to extract up to 64 KB of data from a server’s working memory with each request. The attacker doesn’t know in advance what that 64 KB will include – but since these attacks are generally run by computer programs that can repeat the process over and over quickly, there’s a great potential for a lot of sensitive data to be compromised.
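The 64 KB figure comes from the heartbeat message’s two-byte length field, which the affected code trusted without checking it against the bytes actually received. The following C model is an added illustration, not code from this post or from OpenSSL: it lays out a constructed memory buffer (a heartbeat record followed by a made-up SECRET value), runs a handler that copies as many bytes as the sender claims, and then the same request through a handler with the missing length check. Record layout, sizes and the SECRET value are assumptions made for the demonstration.

```c
#include <string.h>
/* Simplified heartbeat record: [type 1B][payload_len 2B big-endian][payload][padding >= 16B]. */
#define MEM_SIZE 128
#define PAD_LEN 16
static const char SECRET[] = "SESSION_SECRET"; /* constructed stand-in for adjacent data */
/* Lay out simulated memory: the received record, then unrelated data. claimed_len is what
 * the sender says; real_len is what was actually sent. Returns bytes actually received. */
static size_t build_memory(unsigned char *mem, unsigned claimed_len,
                           const char *payload, size_t real_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = 1;                                   /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + 3, payload, real_len);
    size_t rec_len = 3 + real_len + PAD_LEN;
    memcpy(mem + rec_len, SECRET, sizeof SECRET); /* adjacent sensitive data */
    return rec_len;
}
/* Vulnerable handler: echoes as many bytes as the sender CLAIMS were sent. */
static size_t reply_vulnerable(const unsigned char *mem, unsigned char *out, size_t out_cap) {
    size_t n = ((size_t)mem[1] << 8) | mem[2];
    if (n > out_cap) n = out_cap;                 /* only keeps the simulation inside mem[] */
    memcpy(out, mem + 3, n);                      /* over-reads into adjacent memory */
    return n;
}
/* Fixed handler: the claimed length must fit inside the bytes actually received. */
static int reply_fixed(const unsigned char *mem, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 3 + PAD_LEN) return -1;
    size_t n = ((size_t)mem[1] << 8) | mem[2];
    if (3 + n + PAD_LEN > rec_len || n > out_cap) return -1; /* discard silently */
    memcpy(out, mem + 3, n);
    return (int)n;
}
/* 1 if the reply carries bytes of the adjacent secret, else 0. */
static int reply_leaks(const unsigned char *out, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(out + i, SECRET, slen) == 0) return 1;
    return 0;
}
/* Record claiming 60 payload bytes but carrying only 2; use_fixed picks the handler. */
static int demo(int use_fixed) {
    unsigned char mem[MEM_SIZE], out[64];
    size_t rec_len = build_memory(mem, 60, "hi", 2);
    if (!use_fixed) return reply_leaks(out, reply_vulnerable(mem, out, sizeof out));
    int n = reply_fixed(mem, rec_len, out, sizeof out);
    return n < 0 ? 0 : reply_leaks(out, (size_t)n);
}
```

`demo(0)` returns 1 because the echoed reply contains the bytes placed after the record, while `demo(1)` returns 0 because the fixed handler discards the request; an honest record whose claimed length matches what was sent is still answered normally.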
What can I do to protect myself from the Heartbleed bug?

Change your passwords. Creating strong passwords is a good habit to form – read more about how to create strong passwords you can remember. It has been reported that Apple, Google, Microsoft and major banking services have not been affected. It does appear that Yahoo has been targeted, so I advise changing any Yahoo passwords you have. To be diligent, any password you enter on any secure site you visit should be changed over the next few days.

Because we’re not sure when websites are patching their software to fix this bug, it’s possible to change your password before a site has been fixed, in which case the new password could be exposed too. I recommend changing passwords to your most important secure sites ASAP, and again in about a week to allow for the possibility that you changed a password before the website had updated its OpenSSL software to patch the bug.
What about my WordPress password?

This is the kind of bug that will not directly affect your WordPress install, but it can potentially trickle down if the server has been compromised. If you’re hosting with TrekVisual, or we’re managing your website, your passwords will be changed over the course of the next week. This should not affect your normal day-to-day operation. We’ll contact you with updates as they happen.

Security Plugins Every WordPress Website Should Have Installed

If you run a website, then website security is probably on your mind regularly. As technology becomes more integrated with our lives, news about security breaches, DoS attacks and hacks has become more frequent. The need to be proactive about protecting your website has never been stronger. Here are some of my favorite security plugins. Most of them are free, and even where the free version is limited, each one is something every WordPress website should have installed. Check back, as I’ll keep this list updated as things change, plugins are added or, sadly, any are removed!

A Simple Captcha Can Help Deter Attacks.

Brute Force Attacks occur no matter what host you’re with, and no matter how strong your password is. The first step to protecting your website from a successful brute force attack is setting up a strong user name and password.
(Helpful articles: Is my password strong enough? and How to Create a Strong Password You Can Remember)

Step two in protecting your website from brute force attacks is adding an extra layer of difficulty to the bot attempts at cracking your login: a Captcha, which can be as simple as a basic math question (or not so simple if it’s before coffee). I recommend the Captcha by BWS plugin, which will add a simple captcha form to your login page. You can learn more about it here: BWS Captcha plugin, and download it from the WordPress repository, here.

Secure your Login.

Adding a captcha to your login page is good, but what’s even better is limiting the number of login attempts anyone tries making to get into your WordPress admin area. For this I highly recommend Login Security Solution. This plugin logs IP addresses of attempted logins, and will systematically slow down the login process to those IPs. The delay is a ‘survival of the fittest’ method, meant to deter attackers, steering them away from your site to move on to the next one that may be an easier target. The beauty of this plugin is, if they DO manage to break in, the plugin recognizes the user as a miscreant and kicks them out, anyway!

Stay in Control of Your Site Security.

As an added measure of security, I also recommend using the WordFence plugin. It works especially well if you set it up to work in conjunction with Login Security Solution. This plugin offers lots of options, and while it has some great proactive features, some features come in very handy during an attack.

The proactive feature I’ve found most useful is the ability to block aggressive search engine spiders like Baidu and Sogou, which can be resource hogs.

There is a live traffic tab that will allow you to see current activity on the site, and if you’re undergoing a brute force attack, you’ll be able to see the IP addresses of the attackers. Combined with the tab to manually block an IP or IP range, you can do something about it.

Scan your site for Potential Problems.

If you’re running a free theme and want to check for possible exploits in the code, you should definitely install and run the “Exploit Scanner” plugin, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming and not every warning is an indication that you have malicious code, and may require a more trained eye to work with, but is a great and powerful tool.

Compromised Website? Get Help Sooner Rather Than Later.

Sometimes you don’t need to run a scan – you notice things like advertisements for the latest variety of Viagra or similar being prominently displayed on your site, or maybe only on the mobile version of your site. If you want to run a test to be sure, here’s a site that will let you run a scan of your site to check for malicious activity or malware. Be patient, it takes a while to complete. (It took about 5 minutes for my test to run.)

Viruses, especially database injection viruses, can get evil and messy very quickly. If you suspect your site has been compromised and you don’t have the technical know-how to fix it, it’s better to get help from someone who does sooner rather than later. Every moment your site exists with a virus allows that virus to propagate through your site and make it harder to clean later on, so consider it important to treat this as an urgent matter.

To get help from TrekVisual for an infected website, visit our webmaster services page or contact us.

WordPress Security Tip: Don’t Install THAT Plugin!

One of the many ways you can contribute to the safety of your website is by refraining from installing that plugin – you know, the one that does that neat little thing you need it to do, but might have been developed in 1983? Just say no.

When we took a cruise this past spring, the toilet lid had a sign that asked ‘You want to flush WHAT?’ The little sign went on to explain how your thing-that-doesn’t-belong-in-a-flushing-toilet could stop up toilets for many people on the ship, including yourself…and toilet-less vacations do not make for a happy situation. (Only *I* could possibly create an analogy between flushing and website security.) That reminded me of how a ‘simple little plugin’ could cause damage on a much larger scale than might seem possible.

Just like in any profession, there are many levels of expertise in the world of PHP and WordPress developers. Even a plugin by a well-meaning developer can cause major harm to a website if it’s written badly, includes outdated methods, has security holes, or all of the above, exposing your website to security vulnerabilities. It seems so small, so innocent, this nifty little plugin. It just does this one cool thing – how could it hurt? Believe me, just like a little virtual q-tip, one bad little plugin – harmless as it might seem – can quickly give you the ‘wish I hadn’t done that’ feeling. Not only can it break your website and make it behave badly like curly hair on a rainy day, it can leave your website vulnerable to security issues. Did I forget to mention it can also make your webmaster a little richer? Yeah, that too.

TrekVisual website plugins have either been built by us, or have been purchased from reputable sources that we’ve worked with and trusted our business to for years. You won’t have to worry about finding plugins that are safe, because we take care of all that niggly stuff for you. (I decided today I love the word ‘niggly’ – it’s so much fun to say). If the plugin isn’t built by us, the TrekVisual team carefully evaluates plugins sourced from other companies, long before we make them available to you. We kick the virtual tires, if you will, so you can just enjoy the ride. If you’re building a custom website with us and will be using our website monthly plan, we’ve got you covered. You won’t have to worry about unsafe plugins.

How do you know if a Plugin is safe? That’s a difficult question to answer, in a way that would be helpful to someone who’s not a coder. The short answer is, you don’t.

You might expect a plugin listed in the WordPress repository would be safe. You might expect a plugin you have to pay for would be safe. You might expect a plugin that’s been around for a long time and has a lot of great reviews is safe. None of the above are always going to be the case.

There was a very popular script (called “TimThumb”) a number of years ago. A security hole was found and exploited, causing major havoc in the industry. The script was SO widely used by WordPress users that the attacks on the vulnerability caused many people to question the security of building WordPress websites. The script itself was not malicious at all, but an exploit was found and taken advantage of by hackers, making the script a major security risk to anyone who used it. Though it had a long history and a solid reputation, one vulnerability made it insecure.

Soon I’ll be writing about our favorite plugins here in the TrekVisual blog, so stay tuned for more!