Lifeform

Web Design and Development | Nelson NZ

+64 27 427 5631

Security

Making History with your Out-of-Date WordPress Site

keyhole

The ‘Panama Papers’ hack has done web developers everywhere a great service.

Mossack Fonseca provided a live demonstration of what can happen when businesses ignore the most fundamental and widely advertised web security advice: keep your site software up to date.

Security Experts have linked the so called ‘Panama Papers’ hack to outdated WordPress and Drupal software.

Whether you’re entertained or infuriated by this unfolding story, its interest for many centres around the open source software used on the websites in question.

Security breaches, hacks and big leaks are not uncommon these days. But this one is making history with its size and impact.

The victims have already started to fall. No doubt there will be a good number to follow.

And why? Security experts are saying it may all have been down to neglected software. Specifically WordPress and Drupal sites which someone failed to keep maintained and updated.

As one commentator so aptly put it:

“It turns out that not updating your WordPress plugins may result in the fall of world leaders and the largest data breach to journalists in history.”

The Panamanian law firm at the centre of this storm, Mossack Fonseca, used both WordPress and Drupal software. Their WordPress site was running a version of a plugin known to have vulnerabilities that gave an attacker access to the web server.

The well-known plugin vulnerability had been fixed in subsequent versions. Those updates had not been applied. Similar vulnerabilities were exploited in their Drupal website.

WordPress and Drupal are both open source content management systems that between them power almost one third of websites on the internet. WordPress is used by major newspapers, top 100 sites and tens of thousands of businesses around the globe.

Is there a security problem with WordPress? No. The core WordPress program is sound, regularly monitored and updated. The problem lies with the thousands of plugins and themes available from a huge variety of sources that anyone has the ability to use on their WordPress site.

It comes down to knowing who to trust and keeping those carefully chosen themes and plugins updated.

Right now, websites are being hacked and exploited. All sorts of sites, everywhere. And amazingly, despite what we all see and know, a hack like the Panama Papers will happen again.

It’s a statistical reality sustained by human nature and old fashioned ignorance.

“It will never happen to me.”

“Why would anyone bother to hack my site, it has nothing of importance?”

“My website is not as important as my actual business.”

Online security is more of a human problem than a software problem. Some people will continue to click on links with unlikely promises of wealth and happiness. Some people will continue to run websites with major security problems.

Sarah Gooding of WordPress Tavern summed it up nicely:

This leak is not a measure of open source software’s reliability but rather underscores how low a priority some companies place on their tech departments and web security. With the rampant software vulnerabilities in this age, not updating software for years constitutes abject neglect of customers.

The bottom line is that software needs to be updated. This kind of routine maintenance is as foundational to a company’s business as brushing teeth or showering is for one’s health. Law firms and companies with such a lax approach to security are either ignorant or unwilling to spend the money to maintain technology that they don’t fully understand. The Panama Papers serve as a reminder that having a competent, skilled tech department is critical for any company that deals in sensitive information.

You don’t have to be a law firm to be a target. In fact, most hackers don’t care about the content on your site. They’re keen to add your site to their network for a variety of evil purposes.

They use automated bots to scour the interwebs for any sites with outdated, vulnerable software. So mostly, it’s not humans trying to break into your site – but automated programs.

Sadly, if your site gets compromised, it will be punished by the all-seeing Google. Google doesn’t like hacked sites because people don’t like hacked sites. And as those who have had a site compromised will tell you, sometimes there is no coming back from a major breach.

There’s one big takeaway from the Panama Papers – how much is your brand worth?

The second point is – act now. If you’re not sure that everything that can be done is being done to secure your online assets, find out now.

The Perils of Sourcing WordPress Plugins from the Wrong Places

wordpressIt’s an easy mistake to make. You need a plugin. You Google it, find one, download it and unknowingly install malicious code on your WordPress site. Hackers now have a ‘back door’ and can essentially do whatever they please with your site. And you will most likely be unaware that anything is wrong. For a while at least.

It’s not only inconvenient to have to get someone to clean up your hacked WordPress site, if you don’t have proper backups, it may be impossible. In either case it will cost you money and damage your online reputation.

Check out the post I’ve linked to in the tweet below.

Easy Secure Passwords

password crisis

Internet security is never far from the news these days.

In the light of recent high profile security breaches, two pieces of advice come to the fore: use different passwords on all your accounts and make sure they are strong.

This is pretty much part II of an article I wrote on good password practises earlier on this year.

In that post I mentioned the use of “passphrases” which are exactly what they sound like. Instead of a single (ideally) long and complex word, a passphrase is a phrase that is easy to remember and yet can be significantly more secure than a single password.

It seems the biggest hurdle to creating a strong password is being able to remember it. I recommend using different passwords or passphrases across all your accounts and a system like 1password to generate and remember them for you.

That being said, there are always situations where you need to create a strong password you can remember – for instance the master password for your computer or for your password manager.

The good news is strong passwords and passphrases can be pretty easy to remember. The key is the length and complexity but this doesn’t necessarily make them difficult to remember.

Longer Passwords make Stronger PasswordsTake this passphrase example the Diceware site:

Cleft cam synod lacy Yr

Not too hard to commit to memory and surprisingly very strong. The spaces are in fact counted as special characters.

According to one testing site, this would take 76.59 million trillion trillion centuries to crack in an online attack.

That’ll probably do the trick.

The key is in the length: “Longer Passwords make Stronger Passwords”.

Whatever you do, resist the urge to use a name or word followed by a numeral. Hackers know the common patterns people use and can crack passwords like that in short order.

Your passwords stand between you and disaster. It’s worth putting some effort into getting them sorted.

Here are some useful tools to help (tip – these sites seem secure and trustworthy, but don’t use them to test your actual password/passphrase):

Security Guru Steve Gibson on the Haystack concept – Test your pass phrase.

The Diceware Passphrase Home Page “This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs.”

The Password Meter

Interesting article with a helpful perspective on password management from troyhunt.com

Read ‘Part I’: WordPress Security: Passwords

Two Factor Authentication for WordPress

Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as something you have and something you know. A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it.

[Read more…] about Two Factor Authentication for WordPress

WordPress Security: Passwords

WordPress security

Internet security and privacy frequently makes the news these days with big name sites falling prey to hackers. We store more information online than we ever have before and we’re rightly concerned about the security of that information. If you own a website, you’re a potential target for hackers, but maybe not for the reasons you think.

As I monitor & maintain a growing number of WordPress sites, I have noticed over the years and especially of late, a gradual increase in malicious activity. Taking the steps to secure your WordPress site is a bit like backing up your data or wearing a seat belt – it’s best done before disaster strikes!

WordPress is Popular

WordPress (WP) is hugely popular and considered by many to be the number 1 open source content management system available. WP now powers around 17% of the top 1 million sites on the web and around 60 million ‘blogs’ (half of those on wordpress.com and many with ‘blogs’ as only part of the site).

This is great news as it means a solid future for the WP platform. The other side of the popularity coin is that hackers are becoming more interested in breaking into WP sites.

Why would someone want to hack into my site?

You may think that no one would be interested in your site, after all you’re a small business doing good things in the world, why would anyone want to bother you?

The short answer is money. Most hackers want to place hidden links or malware on your site which either directly or indirectly allow them to advertise (dodgy) products and will try to do so via automated programs. So it’s usually not personal – it’s all about the moolah.

Is WordPress Secure?

The short answer is yes, WP is secure but no site that’s accessible via the internet will ever be 100% secure. The core of the WP program is secure but your server and the way your WP site is installed & configured, your themes, plugins or passwords may not be.

What should I do?

Most attacks on your site are automated ‘brute force’ attacks. They attempt to guess your user name and password. Most try the old default user name ‘admin’, generate passwords and repeatedly attempt to login. Some I have noticed recently sniff out your user name and then work on your password. This is only a problem if your password is weak. There are a range of measures that can be used to secure your site, however at the top of the list is insuring that your passwords are ‘strong’. So here’s a list of recommended practises and things to avoid.

Password Do’s and Don’ts

Don’t use the same password across all your websites or accounts. If one is compromised the others may follow.
Don’t use any combination of your own real name, username, company name, or name of your website.
Don’t use a word from a dictionary, in any language.
Don’t use a short password, a numeric-only or alphabetic-only password

Do make your password at least 8 characters long, preferable 15 – think about using a ‘pass-phrase’.
Do use upper and lower-case alphabet characters as well as numbers and symbols/special characters (e.g. ^ & * # _).
Do change your passwords every month (or at least every 3 months).
Do make sure your personal computer is also secure – especially if you store your passwords on it!

Yes, a ‘strong’ password may be difficult to memorise, but there are good password managers available such as 1password (https://agilebits.com/onepassword) which make the process easier.

If you want to test the strength of different types of passwords, this site is interesting and a bit of fun: http://www.howsecureismypassword.net

Like backing up your data, it’s easy to put off sorting your passwords, but the negative impact of a compromised website (or any of your online or mail accounts) on your business and reputation means it’s something worth doing sooner rather than later.

If you have any queries about website security, are unsure about how to change your password or would like a website security audit, don’t hesitate to get in touch.

More Resource: http://codex.wordpress.org/Hardening_WordPress

This post is based on an article in the Jan 2013 newsletter – more on security in coming newsletters.

Read Part 2 of this series: Easy Secure Passwords.

The 25 Worst Passwords of 2011

a padlock graphic

Near the top of the check-list on a WordPress install is changing the default user name ‘Admin’ and choosing a ‘strong’ password. That generally means a mix of upper case and lower case letters, numerals and symbols.

I’m reminded of this every time I check logs and notice the attempts made to hack into the ‘Admin’ user accounts on WordPress sites.

Yes, it may mean you won’t be able to memorise your passwords. But WordPress has the option of remembering your password and you probably have a list of passwords stored securely somewhere anyway. And yes, it is a bad idea to have one password for all your accounts. Most modern browsers come with built in password recall functionality – which means the security of your computer is also very important.

It’s a small inconvenience compared with the nightmare of having your site hacked.

Mashable recently published this article on the Worst Passwords of 2011 with some useful advice:

Pro tip: choosing “password” as your online password is not a good idea. In fact, unless you’re hoping to be an easy target for hackers, it’s the worst password you can possibly choose.

“Password” ranks first on password management application provider SplashData’s annual list of worst internet passwords, which are ordered by how common they are. (“Passw0rd,” with a numeral zero, isn’t much smarter, ranking 18th on the list.)

The list is somewhat predictable: Sequences of adjacent numbers or letters on the keyboard, such as “qwerty” and “123456,” and popular names, such as “ashley” and “michael,” all are common choices. Other common choices, such as “monkey” and “shadow,” are harder to explain.

SEE ALSO: HOW TO: Protect Your Company’s Passwords

As some websites have begun to require passwords to include both numbers and letters, it makes sense varied choices, such as “abc123″ and “trustno1,” are popular choices.

SplashData created the rankings based on millions of stolen passwords posted online by hackers. Here is the complete list:

  • 1. password
  • 2. 123456
  • 3.12345678
  • 4. qwerty
  • 5. abc123
  • 6. monkey
  • 7. 1234567
  • 8. letmein
  • 9. trustno1
  • 10. dragon
  • 11. baseball
  • 12. 111111
  • 13. iloveyou
  • 14. master
  • 15. sunshine
  • 16. ashley
  • 17. bailey
  • 18. passw0rd
  • 19. shadow
  • 20. 123123
  • 21. 654321
  • 22. superman
  • 23. qazwsx
  • 24. michael
  • 25. football

SplashData CEO Morgan Slain urges businesses and consumers using any password on the list to change them immediately.

“Hackers can easily break into many accounts just by repeatedly trying common passwords,” Slain says. “Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft.”

SEE ALSO: 5 Tools for Keeping Track of Your Passwords

The company provided some tips for choosing secure passwords in a statement:

  • 1. Vary different types of characters in your passwords; include numbers, letters and special characters when possible.
  • 2. Choose passwords of eight characters or more. Separate short words with spaces or underscores.
  • 3. Don’t use the same password and username combination for multiple websites. Use an online password manager to keep track of your different accounts.

See the original article in context and Mashable’s useful resources