Developing website security is akin to a Yin-Yang relationship. The more hackers attempt to gain access, the stronger security becomes. The greater the security, the harder the criminal element tries to gain access. It’s an ongoing process where one entity constantly tries to surpass the other. Continue reading “How to Make Your CMS (Content Management System) Truly Hack-Proof”
Did you know that in 2015, the average company experienced 160 successful attacks online every week? The GreenGeeks team thought this might be a perfect time to touch upon some of the things you can do to make your own website a little more secure. GreenGeeks offers several services to help with website security. There are also other things you can do to make sure you don’t fall victim to hackers, malware or other nasty things that can happen to blogs, ecommerce websites or anything else you host with us.
Keeping an eye on the security of your website and online data is a constant chore. Just because you believe you have the best plans and platforms doesn’t mean you should relax in your safety vigilance. What worked well a year ago may be obsolete thanks to new exploits. In many cases, merely adding a new device to your network could compromise the security of everything you hold dear. With that being said, what are some of the cyber security threats you should be watching for in 2016? Continue reading “Cyber Security Threats – The Top 6 Things You Should Be Aware Of This Year”
No matter how safe you think the website is, there is always someone trying to break into it. Whether it’s to distribute spam from your site or to steal personal information, hackers and bots may continuously smash against your security protocols. Unfortunately, some of these attempts may gain a foothold on your digital real estate. What can be done to make yourself truly unhackable? That really depends on the type of website you’re operating. We recently shared the 7 most common reasons why a website can be hacked and how to protect it. Regardless of what your site focuses on, you should implement strong online privacy protection to reduce the risks. Continue reading “4 Things You Should Do Now to Make Your Web Pages Unhackable”
Virtually any website can become the target of a hack. From little known blogs to robust eCommerce sites, cyber-vandals are always looking for easy prey. To top it all off, private information may not be the only thing that hackers are looking for. In fact, a large portion of website compromises are nothing more than vandalizing the pages. The following are some of the most common reasons why your website could become the next target. You’ll also learn how you can protect your website from hackers by reducing or eliminating exploits. Continue reading “The 7 Most Common Reasons Why Your Website Has Been Hacked (And How to Protect It)”
In the past we have seen customers contacting us confused about domain renewal letters they have received from Domain Registry of America and Domain Registry of Canada.
These letters try to trick you into renewing your domain name with a third-party domain registrar that is not the registrar where your domain is currently held.
Recently, one of our customers sent us a photo of the letter they received from iDNS Canada:
How to Prevent These Letters?
The data is mined from WHOIS, which contains your personal registration information. You can protect yourself from these types of letters and other spam by subscribing to WHOIS Privacy for your domain names. Here are additional reasons why you should be using WHOIS Privacy on your domain names.
GreenGeeks offers inexpensive ID Protect WHOIS Privacy Protection for domain names registered with us.
What do I do with this letter?
Turn the paper around, use it for notes then shred it and recycle it when you’re done with it!
The WHOIS database is essentially a collection of information, such as your name and email address, that registrars publish once you purchase a domain. It’s used as contact information much like a traditional phone book. As you can guess, a great deal of complications can come from this information remaining in public access. Luckily, most registrars allow you to “purchase” privacy controls when you buy a domain. This removes that information from public view and keeps your contact info private. Continue reading “7 Reasons Why You Should Be Using WHOIS Privacy On Your Domains”
Each year, millions of internet users’ data is stolen—whether it’s because of hackers, data breaches or North Korea, it’s important to keep your information safe. The following passwords are some of the worst ones you can use, and you should avoid using them at all costs.
We’ve developed an easy to use random secure password generator that you can use to ensure that you never use some of the hilariously insecure passwords for your critical information.
1. 12345
The overuse of 12345 dates back many years. Before the internet, before hackers and before internet data breaches, 12345 was a popular locker number, bike lock passcode, briefcase passcode and code to the Druidia air shield in the movie “Spaceballs”. In the words of Rick Moranis, “That’s the worst passcode ever.” It still is. It’s surprising how many people actually still use this password for their email, banking and other secure online accounts. In fact, CNN reported it was the third worst passcode of 2014 that a person could choose. If 12345 is your password, change it immediately.
2. Your Social Security Number
The second worst password is a social security number. Although you may think you’re the only person with your social security number, you’re not. Though it’s not easy to obtain this information, it’s not impossible. Think about how many times you filled this information out in the past year. Insurance companies, credit card approvals, banks, school loans and tax forms all have your social security number on them. When this information is submitted to a company, it sits in a database. If the information is on paper, it eventually gets sent to a warehouse for safekeeping. In 2014 alone, major companies like Target were victims of data breaches where hackers stole credit card numbers and social security numbers. Don’t make one secret number another secret number.
3. Any Password Without a Number or Symbol
The stronger your password, the more secure it is. People who use one word like “hotdog” are more likely to be victims of a data breach. Using an alphanumeric code with symbols is the best way to keep your information safe. Instead of “applesauce” try @PPles@uce786. The more complex your code, the harder it is for hackers to get hold of it. If you’re having a hard time remembering such a code yourself, use something that is personal to you—that no one else knows. For example, if you knew a girl in high school who you didn’t get along with, you hate Brussels sprouts and your childhood home was 82 Highland Park Drive, your password could be Colleen&BS82. It includes capital and lower-case letters, symbols and numbers. Who could forget Colleen? She was so mean. How could anyone forget the terrible taste of Brussels sprouts? How could you forget your childhood home? Your mom drilled that number into your head so many times.
4. StrongPassword
This one is almost as bad as 12345. If you use it, it’s almost like you’re trying to dare people to hack into your account. When you type a password into the password box, and the site rejects your password because it’s too weak, do not simply type in StrongPassword. It’s shocking how many people use this password a year. If you must use StrongPassword, at least use StrongPassword12345. Try a strong password generator to find a better password.
5. Password
This password also made CNN’s top list of terrible passwords for 2014. It was actually number two on the list. This one is so bad, it was number two on CNN’s list in 2013 too. “Password” is the most obvious password in the bunch. Usually reserved only for sites that do not hold pertinent information or that you only plan on using for a few minutes (but force you to create an account), “password” won’t even make it past the password minimum requirements for most websites and will be rejected as soon as you click “next”.
6. 696969
Come on guys, grow up. It’s laughable how many people use 696969 as their password. Who was the first person to think this number was one that would be unique, that no one else would guess? 2014 was the first year it even made it on to CNN’s list of worst passwords, so it must have taken a while to catch on. One can only wonder how many CEOs and hedge fund managers use it on their briefcases. Let’s hope they don’t use it to log on to their online accounts.
7. Your Name
Your name is one of the worst passwords you can use. It’s a no-brainer for people trying to steal your information. It’s the first thing your kid would try if he wanted to steal your password. If your name is your password, your kid is probably at home looking at god-knows-what as we speak. Along these lines fall your kids’ names, birthdays, your current street name and your pets’ names—all information others can easily access.
8. Dream Board Passcodes
Okay, so you want to win a million dollars. Don’t make it your password in hopes that it will come true if you think about it enough. Also leave off other dream board ideas, like Corvette, Lose30Pounds, BodyLikeMollySimms and other passwords that people think they’re the only ones to think up. If you’re really having a hard time coming up with password names, use a strong password generator to help get your ideas flowing.
9. The Website Name
Don’t make your password Target12345 if you’re shopping at Target.com. Don’t make it Walmart, VictoriaSecret or any other name of a website that you’re shopping at. It’s easy to guess, and if you’re using the password Target12345, there’s a good chance you’re using Walmart1234 for your Walmart account. Now someone not only has your Target password, they have all your passwords.
10. Your Old Password
When a website asks you to change your password, change it; don’t try to use your old password again. They may have asked you to change your password for security reasons, because their system was breached or because of several other reasons—but they did it for a reason. It’s for your safety.
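The rules in the list above can be turned into a simple pre-check that an application runs before accepting a new password. This is an added example, not GreenGeeks’ generator or code from the post; the worst-passwords set is constructed from the entries the post names, and the “number or symbol” rule is applied in its stricter reading (a digit and a symbol are both required).

```python
import re

# Constructed from the passwords the post calls out; not a full breach-derived list.
WORST_PASSWORDS = {"12345", "strongpassword", "strongpassword12345", "password", "696969"}


def password_problems(password, personal=(), site="", old_passwords=()):
    """Return the post's rules that a candidate password breaks (an empty list means it passes).

    personal:      names, birthdays, street names, pet names, etc. tied to the user
    site:          the website the password is for, e.g. "Target.com"
    old_passwords: previous passwords the user is not allowed to reuse
    """
    lower = password.lower()
    problems = []
    if lower in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    # A bare 9-digit or 3-2-4 digit pattern looks like a Social Security Number.
    if re.fullmatch(r"\d{9}", password) or re.fullmatch(r"\d{3}-\d{2}-\d{4}", password):
        problems.append("looks like a Social Security Number")
    # Rule 3, strict reading: require at least one digit and at least one symbol.
    if not re.search(r"\d", password) or not re.search(r"[^A-Za-z0-9]", password):
        problems.append("missing a number or a symbol")
    for item in personal:
        if item and item.lower() in lower:
            problems.append(f"contains personal detail '{item}'")
    # Compare against the site's bare name so "Target.com" catches "Target12345".
    if site and site.lower().split(".")[0] in lower:
        problems.append("contains the website name")
    if lower in {old.lower() for old in old_passwords}:
        problems.append("reuses an old password")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "Target12345", "Colleen&BS82", "kZ9#vq2!Lm4p"):
        print(candidate, "->", password_problems(candidate, personal=("Colleen",), site="Target.com"))
```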
Over a million websites that use WordPress SEO by Yoast are at risk due to a blind SQL injection vulnerability that was found in the plugin. WPScan Vulnerability Database released an advisory after it had disclosed the vulnerability to the plugin’s author.
“The latest version at the time of writing (184.108.40.206) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.
The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.”
Yoast quickly responded with a patch and released version 1.7.4:
“Fixed possible CSRF and blind SQL injection vulnerabilities in bulk editor. Added strict sanitation to order_by and order params. Added extra nonce checks on requests sending additional parameters. Minimal capability needed to access the bulk editor is now Editor. Thanks Ryan Dewhurst from WPScan for discovering and responsibly disclosing this issue.”
Immediate Update Recommended
GreenGeeks real-time security scanning is already protecting our customers from this vulnerability. While GreenGeeks has real-time monitoring in place to catch such vulnerabilities and proactively protect our customers from exploitation, we strongly urge all of our customers to update their WordPress SEO plugin by Yoast immediately to avoid any potential issues in the future. Best practice is to ensure that all of your plugins and WordPress core files are up-to-date at all times.
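The root cause the advisory describes is a sort column and direction taken from request parameters and used in an ORDER BY clause without sanitization, and the fix Yoast describes is strict sanitation of those parameters. The example below is an added illustration in Python with sqlite3, not the plugin’s PHP code; the table, column names and the `sanitize_sort` helper are constructed for the demonstration. Because identifiers cannot be passed as bound placeholders, an allowlist is the correct control.

```python
import sqlite3

# Allowlists: the only sort columns and directions a caller may request (constructed for the demo).
ALLOWED_ORDERBY = {"post_title", "post_date", "seo_title"}
ALLOWED_ORDER = {"ASC", "DESC"}


def sanitize_sort(orderby, order):
    """Map raw request values onto allowlisted identifiers, falling back to safe defaults."""
    col = orderby if orderby in ALLOWED_ORDERBY else "post_date"
    direction = order.upper() if order.upper() in ALLOWED_ORDER else "ASC"
    return col, direction


def list_posts_unsafe(conn, orderby, order):
    # The vulnerable pattern: untrusted request values spliced straight into ORDER BY.
    # Whatever SQL the caller puts in `orderby` is evaluated by the database.
    return [r[0] for r in conn.execute(f"SELECT post_title FROM posts ORDER BY {orderby} {order}")]


def list_posts(conn, orderby, order):
    # Hardened form: only allowlisted identifiers ever reach the query string.
    col, direction = sanitize_sort(orderby, order)
    return [r[0] for r in conn.execute(f"SELECT post_title FROM posts ORDER BY {col} {direction}")]


def demo_db():
    """In-memory table standing in for the bulk editor's post listing (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_title TEXT, post_date TEXT, seo_title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [("Beta", "2015-02-01", "b"), ("Alpha", "2015-01-01", "a")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(list_posts(db, "post_title", "asc"))      # sorted by the requested column
    print(list_posts(db, "not_a_column", "sideways"))  # unexpected input falls back to defaults
```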
What is the CryptoPHP Backdoor?
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:
- Integration into popular content management systems like WordPress, Drupal and Joomla
- Public key encryption for communication between the compromised server and the command and control (C2) server
- An extensive infrastructure in terms of C2 domains and IPs
- Backup mechanisms in place against C2 domain takedowns in the form of email communication
- Manual control of the backdoor besides the C2 communication
- Remote updating of the list of C2 servers
- Ability to update itself
What We’ve Done For Our Customers
GreenGeeks is always working to ensure maximum security for our customers. Here’s what we’ve done since learning about the CryptoPHP backdoor.
- Checked all clients’ data. Affected clients were notified and we’re working with them to resolve the issue. Only 0.001% of sites on our network were affected.
- Added advanced real-time security rules to protect against new instances.
- Updated the GGS real-time malware scanning tool to find affected data more quickly.
- Updated the list of known holes to check servers periodically.