A few days ago a long-term client received a suspicious email which threatened to remove their inactive email accounts. Naturally the first thing they did was notify us. We immediately smelled a rat and asked them to forward the email to us for further investigation.
Every so often something new is introduced that is designed to make things easier. But sometimes it also accidentally makes things a bit harder. This is one of those times.
cPanel v58 introduced AutoSSL, which automatically installs and renews SSL Certificates. All websites can use a Domain Validated SSL Certificate, and AutoSSL can also be used with Let’s Encrypt. As a quick primer, SSL certificates allow a website to encrypt the communication between the web host and website visitors, which is particularly important when you’re sending sensitive information like passwords and credit card details. Google also appears to be moving in the direction of recommending websites that use SSL. So if your web host is using cPanel, they can easily offer automated SSL Certificates to all their customers, costing them practically nothing.
Great, right? Well, if you’re using a Content Distribution Network (CDN) or third-party Website Firewall, things may not be so great.
We were doing routine maintenance on a client’s WordPress website when we noticed that they’d installed a plugin. Installing plugins is something we don’t normally encourage (or even allow) our clients to do, but there are of course exceptions to the rule. We wanted to learn more about the plugin so we could determine if it could safely be removed and, to cut a long story short, we ended up going through the code itself, only to find that the plugin displays, without permission, a hyperlink to an external website. This was ad injection.
Google has started notifying webmasters (via their Search Console) that starting in October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode. This is in line with their efforts to move everyone towards a more secure web.
Is your website using secure communications with HTTPS/SSL?
In this tutorial I will show you how to use DreamHost’s Let’s Encrypt certificate with CloudFlare on your website. This will encrypt the connection between CloudFlare and your website visitors as well as the connection between CloudFlare and DreamHost. CloudFlare calls this Full SSL (Strict), and it is available under their free plan. We will also set up a CloudFlare Page Rule to redirect all HTTP requests to HTTPS.
If you’re a DreamHost user you probably know that you now have access to a free SSL certificate courtesy of Let’s Encrypt. This allows you to serve your website over HTTPS (as opposed to plain old HTTP) encrypting the connection and boosting your Google page rank.
You probably also know about CloudFlare and their free plan which provides caching, optimization and security boosts. So why not use both, eh?
You’ve probably heard the news already that WordPress websites are facing XML-RPC Brute Force Amplification Attacks. But did you also know that Sucuri, iThemes and Wordfence already have you protected?
If you use Sucuri’s Website Application Firewall (WAF), the company has you covered:
Note that users of our WAF are already protected against this attack, so if you are on CloudProxy you are safe.
Similarly, the Wordfence Security Plugin has login protection that takes into account XML-RPC. Just remember to enable Login Security in the Wordfence Options.
Yes, we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call.
Finally, the iThemes Security Plugin protects against XML-RPC Brute Force attacks (even the free version):
Brute Force Protection in iThemes Security just got more robust. Now when you enable Brute Force Protection, this feature includes protection from XML-RPC attacks.
Make sure your websites are protected!
Edit (16th October 2015): iThemes Security v5.1.0 and iThemes Security Pro v2.0.0 protect against the XML-RPC Brute Force Amplification Attacks.
New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC.
Edit (15th October 2015): If you have Jetpack installed, the Protect Module also stops XML-RPC attacks.
A while back iThemes reported they had to remove VirusTotal Malware Scanning from their iThemes Security WordPress plugin. They have just announced that the plugin will now use Sucuri’s SiteCheck Malware Scanner.
While Sucuri’s SiteCheck is available in both the free and Pro versions of iThemes Security, the Pro version allows for daily automated scanning. That’s a nice add-on, if you ask me.
This is a great addition to the iThemes Security plugin. However, my websites already use the Sucuri Security WordPress Plugin which incorporates Sucuri’s SiteCheck (albeit scans have to be done manually) so this is a bit redundant for my needs. Having a different malware scanner would help cover more bases.
For alternative malware scanners, there’s always StopTheHacker. StopTheHacker was acquired by CloudFlare last year, so perhaps more integration is in the works.
According to iThemes, version 4.8.0 of the iThemes Security WordPress plugin removed the malware scanning feature that relied on VirusTotal. It’s not iThemes’ fault; VirusTotal discontinued the service to all WordPress plugins. Well, darn.
iThemes suggests using VirusTotal’s URL scanner or Sucuri’s SiteCheck, both of which require you to scan each website manually. Sucuri also offers automated server-side scanning as part of their paid plans.
One other option that wasn’t mentioned by iThemes is the Sucuri Security WordPress Plugin which allows you to initiate a scan from your WordPress admin. The scan needs to be initiated manually though.
It goes without saying, but if you are using the ever popular WordPress SEO by Yoast (and why wouldn’t you be? It’s an amazing SEO plugin for WordPress), then you need to update to version 1.7.4 immediately. A security vulnerability was discovered in the plugin which would allow bad things to happen.