Category Archives: Computer Security


Safeguarding Your Blog from Hack Attacks

What preventive measures are you taking to protect your blog from hack attacks? Blogs are frequently targeted because they run widely deployed content management systems (CMS) such as WordPress, Joomla and Drupal: the login page sits at a well-known URL, outdated versions and plugins can be found by automated scanning, and one working exploit applies to thousands of sites at once. None of these platforms ships with a hidden backdoor login; the risk comes from weak credentials, unpatched code and insecure add-ons. The good news is that you can greatly reduce that risk by following some simple steps.

Use Dedicated Web Hosting

Many bloggers use shared web hosting, simply because it is the least expensive option available. Remember, though, that on shared hosting your blog sits on the same server as hundreds or even thousands of other websites. You do not control how that server is patched or configured, and on a poorly isolated server a vulnerability in any other tenant's site can give an attacker a foothold from which to reach yours. Dedicated hosting provides you with a server of your own (hence the name), which takes the neighbouring sites out of the picture, but it also makes you responsible for keeping the operating system and web server patched and hardened, so only choose it if you (or your host) will actually do that work.

Use a Strong Password

Your blog's first line of defense against hack attacks is a strong, unique password. Never reuse the password from another account or service for your blog login: a leak anywhere else then becomes a leak of your blog. Do not use anything guessable from public information either, such as your mother's maiden name plus a birth date. Length matters more than any single rule about character classes, so aim for a long password built from upper-case letters, lower-case letters, digits and special characters, and let a password manager generate and remember it.

If you need a password you can hold in your head (for example the master password of that password manager), here is a simple tip: take the first letter of each word of a favorite song title or lyric, mix the upper and lower case, and add some digits and special characters. You will remember it far more easily than a random string. It makes a good password, not an unbreakable one, so keep it long (a full lyric line rather than a short title) and still never reuse it.

Disable Visitor File Uploading

Are visitors allowed to upload files to your blog? Enabling this feature is asking for trouble, because anyone can then try to upload malicious software to your server. Do not assume that restricting uploads to JPEGs, GIFs or other common media formats makes it safe: both the file name and the declared content type are chosen by the uploader, so a PHP script renamed to .jpg, or a file with a double extension such as shell.php.jpg, will pass a check that only looks at the extension. If you must accept uploads, check the file's actual content (its leading "magic" bytes) against the claimed type, generate the stored file name yourself, store the files where the web server will not execute scripts, and serve them with a fixed content type. If you do not need visitor uploads, the safest option is to disable them entirely.
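The checks described above, as an added example written for this page (it is not code from WordPress or from the original post). It assumes an image-only upload form with the allow-list and size cap shown; the file contents used in testing are constructed byte strings.

```python
import os
import secrets

# Allowed extensions and the "magic bytes" a genuine file of that type starts with.
# (Assumed allow-list for an image-only upload form; extend it deliberately.)
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap
# Defence in depth: an "image" that also carries server-side script tags is a polyglot.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def check_upload(client_filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored.

    Returns (True, server_chosen_name) or (False, reason). The client's file
    name is used only to learn the claimed extension; the name written to
    disk is generated here, so path tricks in the upload name never matter.
    """
    if len(data) > MAX_BYTES:
        return False, "file too large"

    # Drop any directory part the client sent (../../x.png, C:\x.png).
    base = os.path.basename(client_filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"

    # Every dotted component after the first must be an allowed extension,
    # which rejects double extensions such as shell.php.jpg outright.
    exts = parts[1:]
    if any(e not in MAGIC for e in exts):
        return False, "extension not allowed"
    ext = exts[-1]

    # The extension is a claim; the bytes are the evidence.
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "content does not match extension"

    # Refuse polyglots rather than trust the web server never to execute them.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script content embedded in image"

    # Random server-side name: no user-controlled characters reach the filesystem.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Whether the web server will execute scripts inside the upload directory is a separate control (disable PHP execution there), and the magic-byte check only proves the file starts like an image, which is why the polyglot check and the server-chosen name are kept as well.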

Update, Update, Update!

Arguably, one of the most important steps in safeguarding a blog from hack attacks is to keep it updated. Each time a new version of your blog's CMS, or of any theme or plugin you have installed, is released, apply it promptly. Minor releases are often issued specifically to close security holes, and once a fix is public, attackers compare it with the previous version and start scanning for sites that have not yet applied it.

Back Up Your Blog

Hopefully it will never happen, but if your blog is ever compromised you need a backup ready so you can restore it to a known-good state. With a CMS there are two parts to back up: the files on the web server (the CMS core, themes, plugins and the uploads directory) and the database that holds your posts, comments, users and settings. One without the other will not restore the site, so make sure you take both. Keep the copies somewhere other than the web server itself, keep several generations (a backup taken after the break-in may already contain the attacker's changes), and check from time to time that a restore actually works.

Have you ever been the victim of a hack attack? Let us know in the comments section below!

Image attribution: https://www.flickr.com/photos/110751683@N02/

Zero Day Vulnerability Discovered In WordPress

Most WordPress compromises are not zero-days at all; they involve outdated themes, plugins or other third-party software. However, Finnish researchers recently disclosed a zero-day vulnerability in WordPress core itself: a stored cross-site scripting flaw that, when triggered by a logged-in administrator, can be escalated to code execution on the server.

Jouko Pynnonen of Klikki Oy first reported the bug, describing it as a JavaScript injection (stored cross-site scripting) vulnerability. According to the report, an attacker can use it against websites running WordPress 4.2 or earlier by posting a comment containing malicious JavaScript. The comment has to be at least about 66,000 characters long: a comment that size is cut off when it is stored in the database, the truncated HTML no longer looks like what WordPress filtered on the way in, and the script then runs whenever someone views the comment.

“An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” said Pynnonen. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”

This is not the first cross-site scripting vulnerability found in WordPress. Earlier this month, the WordPress developers released an update to patch a similar one. The two bugs differ in detail, but they share the same root cause: attacker-supplied content that the site later renders without proper filtering or escaping.
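The pattern behind the bug, "sanitize the full comment, then let the database column silently cut it off", as an added example written for this page; it is not Klikki's exploit and not WordPress code. The sanitizer is a deliberately tiny allow-list stand-in for WordPress's filtering, the 65,535-byte column limit is an assumed storage layer, and the long comment is constructed. The example does not reproduce how a browser renders the truncated HTML; it shows the invariant that the vulnerable order breaks and the hardened order preserves: whatever is stored must be exactly what the sanitizer would emit.

```python
import re

# A MySQL TEXT column holds 65,535 bytes; anything longer is silently cut off
# (assumed storage layer standing in for the comment table).
COLUMN_LIMIT = 65535

TAG_RE = re.compile(r"<[^<>]*>")
# Toy allow-list: only <a> with double-quoted href/title attributes, and </a>.
SAFE_TAG_RE = re.compile(r'^<a(?:\s+(?:href|title)="[^"<>]*")*\s*>$|^</a>$')


def _escape_text(text: str) -> str:
    # Idempotent: escaping already-escaped text changes nothing.
    return text.replace("<", "&lt;").replace(">", "&gt;")


def sanitize(comment: str) -> str:
    """Keep allow-listed tags, drop every other tag, escape angle brackets in text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(comment):
        out.append(_escape_text(comment[pos:m.start()]))
        tag = m.group(0)
        if SAFE_TAG_RE.match(tag):
            out.append(tag)
        pos = m.end()
    out.append(_escape_text(comment[pos:]))
    return "".join(out)


def truncate_to_column(text: str) -> str:
    """What the database does to an over-long value: keep the first 65,535 bytes."""
    return text.encode("utf-8")[:COLUMN_LIMIT].decode("utf-8", errors="ignore")


def store_naive(comment: str) -> str:
    """The vulnerable order: sanitize the whole comment, then the column cuts it."""
    return truncate_to_column(sanitize(comment))


def store_hardened(comment: str):
    """Enforce the length limit before sanitizing; returns None if rejected."""
    if len(comment.encode("utf-8")) > COLUMN_LIMIT:
        return None
    return sanitize(comment)


def is_sanitizer_fixed_point(stored: str) -> bool:
    """Stored content is safe only if re-sanitizing it would change nothing."""
    return sanitize(stored) == stored


def build_long_comment() -> str:
    # Constructed payload: the whole dangerous string sits inside a quoted title
    # attribute, so the sanitizer sees one well-formed <a> tag and lets it through.
    # After truncation the closing quote and '>' are gone and the tag is malformed.
    return '<a title="x onmouseover=alert(1) ' + "A" * 66000 + '">link</a>'
```

With the naive order the stored fragment is an unterminated tag the sanitizer never saw; with the hardened order an over-long comment is rejected outright, and everything that is stored is a fixed point of the sanitizer. The same check (re-sanitize what you stored and compare) is a cheap regression test for any filter that runs before a length limit.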

Video: WordPress 4.2 stored XSS

The video above demonstrates how this WordPress zero-day works. It is a simple bug to trigger, and a serious one for any site running WordPress with comments enabled.

So, how can you protect your website against this vulnerability? Until your site is patched, the only reliable workaround is to disable commenting: log in to the dashboard, go to Settings > Discussion and untick “Allow people to post comments on new articles”. Note that this setting only affects new posts; comments already open on existing posts have to be closed per post (or in bulk from the Posts list). The WordPress developers fixed the bug in the 4.2.1 security release, so make sure your site is running the latest version and leave automatic background updates enabled so that minor security releases install without your intervention.

How To Secure a WordPress Site

Powering over 77 million websites, WordPress is the world's most popular content management system (CMS). The free-to-use platform supports a massive library of “plugins” and “themes,” allowing webmasters to change elements of their site without touching complicated code. But like every content management system, WordPress is a target for hacking and malicious attacks, and its plugin and theme ecosystem is where most of the weaknesses are found. To protect your site from these attacks, implement the following security measures.

Create a Complex Password

Your first line of defense against malicious attacks is a strong password. Using an easy-to-guess password like “Myspace123” is asking for trouble. Instead, use a long random password (a password manager will generate one for you) made up of upper-case letters, lower-case letters, digits and special characters, and use it for this site only. It should go without saying that you must never email the password or keep it in a plain-text file; store it in the password manager and nowhere else.

Avoid Using The ‘Admin’ Username

Automated attacks on WordPress sites almost always try the default username “admin” first, so an account with that name hands the attacker half of the credential for free. Choose a different username during installation, when WordPress asks you for one. If your site is already set up with the admin username, create a new user in the dashboard (Users > Add New) with the Administrator role, log in as that new user, and then delete the old admin account; when WordPress asks what to do with its posts, choose to attribute them to the new user so no content is lost.

Block Admin Directory Access

A third tip to safeguard your WordPress site is to restrict access to the wp-admin directory by IP address, so that only your own address (and anyone sharing it, such as other machines behind the same router) can reach the administration pages. Create a file named .htaccess inside the wp-admin directory itself (not the .htaccess in your site's root, which would lock every visitor out of the whole site) containing the following lines:

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
# replace xxx.xxx.xxx.xxx with your own public IP address; add one allow line per address you use

The AuthType, AuthName, AuthUserFile and AuthGroupFile lines that are often pasted along with this snippet do nothing without a matching Require directive and can be left out. On Apache 2.4 the same rule is written with a single Require ip directive in place of the order/deny/allow lines. Two caveats: if your ISP assigns you a dynamic address you will lock yourself out when it changes, and wp-admin/admin-ajax.php is also used by some themes and plugins for logged-out visitors, so test the site after adding the rule. The login page itself, wp-login.php, sits outside wp-admin and is not covered by it.

Update Your Files

Arguably, the single most important WordPress security tip is to keep everything updated. WordPress introduced automatic background updates in version 3.7, but by default these only install minor and security releases of WordPress core; major releases, themes and plugins still have to be updated by you (or explicitly enabled for automatic updating). Outdated installations, themes and plugins are the most common way sites get compromised, so check for updates regularly, and delete themes and plugins you no longer use, since inactive code can still be reached and exploited.

Limit Login Attempts

In a brute force attack an automated tool fires thousands of username and password combinations at your login page until one works. Limiting login attempts blunts this: after a handful of failures from the same address, or against the same username, further attempts are refused for a period of time. The Limit Login Attempts plugin does this for WordPress. It is a mitigation rather than a cure, since attackers spread their attempts across many addresses, so combine it with a strong password and a non-default username.
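The throttling logic such a plugin implements, as an added example written for this page (it is not the Limit Login Attempts plugin's code). Failures are counted per username and per source address so that both a single address spraying many usernames and many addresses hammering one account trip the limit; the thresholds and the injectable clock are assumptions, and the attempts in the test are constructed.

```python
import time
from collections import deque

MAX_FAILURES = 5      # failures allowed inside the window before locking (assumed)
WINDOW = 15 * 60      # seconds over which failures are counted (assumed)
LOCKOUT = 15 * 60     # seconds a locked key stays locked (assumed)


class LoginThrottle:
    """Track failed logins per username and per client IP and lock out abusers."""

    def __init__(self, now=time.time):
        self._now = now                # injectable clock for testing
        self._failures = {}            # key -> deque of failure timestamps
        self._locked_until = {}        # key -> unix time when the lock expires

    @staticmethod
    def _keys(username: str, ip: str):
        # Usernames are matched case-insensitively, as WordPress logins are.
        return (("user", username.lower()), ("ip", ip))

    def is_locked(self, username: str, ip: str) -> bool:
        now = self._now()
        return any(self._locked_until.get(k, 0) > now
                   for k in self._keys(username, ip))

    def attempt(self, username: str, ip: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'.

        In a real login handler check is_locked() before verifying the
        password at all, so locked attempts cost nothing and leak nothing.
        """
        if self.is_locked(username, ip):
            return "locked"
        if password_ok:
            # A successful login resets the counters for both keys.
            for k in self._keys(username, ip):
                self._failures.pop(k, None)
            return "ok"

        now = self._now()
        for k in self._keys(username, ip):
            q = self._failures.setdefault(k, deque())
            q.append(now)
            # Forget failures older than the window before counting.
            while q and q[0] < now - WINDOW:
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self._locked_until[k] = now + LOCKOUT
                q.clear()
        return "failed"
```

In a PHP deployment the counters would have to live in the database or a shared cache rather than in process memory, since each request may be served by a different worker. Locking by username lets an attacker who knows your admin username lock you out deliberately, so keep that lockout short or pair it with a CAPTCHA, while the per-address lockout can be longer.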

Have any other WordPress security tips that you would like to share with our readers? Let us know in the comments section below!