Category Archives: Online Safety

Security Notes – Recent Happenings

Security Alert! Security Alert!

Five million gmail account usernames and passwords leaked by Russian hackers!
Facebook Poker lottery scam!
iThemes membership database compromised!

If you are online at all (have an email address? visit websites? have a smartphone?) you are vulnerable to hacking, scams, and identity theft. I see more than my share of the results of lax security. I feel as though I take adequate precautions and security measures, and yet all three of the above headlines directly impacted my workflow in the past week.

My gmail address was one of the 5 million that was leaked, lucky me! I was informed by LifeLock of the address/password combination that had been leaked, and fortunately, it was an old password. I had changed it recently, and I changed my gmail password again. However, since I use the gmail address as my “username” or login name on several accounts, that old username/password combination was still in use, and I spent a considerable amount of time changing a lot of passwords!

LastPass, a password generator and keeper, has been invaluable in the process. Not only does it keep all your passwords, it can tell you which sites use the same username/password combination, and gives you a security “score” with ways to fix a low score and increase your level of security. It will generate secure passwords, and enter them automatically for you, if you choose to have it do so. There is an add-on for mobile devices (an astoundingly reasonable $12 a year). LastPass definitely made a tedious task a bit less time consuming, a lot more secure, and will continue to provide peace of mind going forward.

Facebook, ah, Facebook! The scam I was exposed to has been around for a while, but it was my first brush with it. I received a “friend” request from a gal that I thought was already a friend. I accepted the request, thinking she had cleaned her friend list, or somehow redone her account – the request had her picture, her name… A little bit later I got a chat notification. I replied, but the conversation seemed … off. It didn’t sound like my friend. It was a CLASSIC example of the Poker Lottery scam. I texted her on her phone, and she was NOT chatting with me on Facebook. I closed the Facebook chat, and saw I had TWO friends with the same name. I “unfriended” the fake (the profile was nearly empty, unlike the “real” friend) and advised her to report the duplicate.

iThemes is a suite of software tools I use as I develop websites. There are a host of plugins that add functionality, backup options, cloud storage, and a security suite. I use those tools extensively, I pay a good sum of money each year to iThemes to maintain my software licenses to their products, and learning that their database, usernames, and password storage had been compromised was unsettling to say the least. Yes, they took immediate steps to rectify the problem, and reset all our passwords, and required us to change them all again, but it’s unsettling all the same.

As I said in the first sentence, I feel as though I, personally, am doing what I can to protect my online “stuff” – I use LastPass to generate secure, strong, unique passwords. I am eliminating the use of the same username/password combination for multiple sites. Many sites use an email address as the username, and it’s tempting to use the same password that you associate with that email address; I’ve done it. It’s not good practice!! Even with all the steps I am taking, I can’t control what happens to my information that is in the hands of other companies.

I didn’t intend for this to end on such a negative note, but it is what it is. Have a wonderful week!

WordPress, Attacks, Reactions

Recent news of a “brute force” attack on WordPress sites world wide left many scrambling to protect their sites. While I kept a close eye on the sites I manage (this one included!) none of those sites were significantly impacted. Yes, hundreds, and even thousands of attempts to gain access were made on some sites, and some websites were sluggish for users at times, but that seems to have been the extent of the attack on “my” sites! I am happy to report that none of the sites I manage were “hacked” and the attempts were limited to just that – attempts.

I’ve added the Limit Login Attempts plugin to my basic arsenal. While the Bad Behavior plugin blocks the attempts, and logs the numbers, IP addresses, and other information, it does not STOP the attempts. A site being overrun with login attempts will run sluggishly or be shut down by the server. Limit Login Attempts locks out an IP address after a set number of unsuccessful login attempts, so no further attempts can be made from that address; this reduces the number of access attempts and lessens the traffic. I have installed this on all my sites and now include it as “standard”.

Just for your information, the following is a list of plugins that I typically install on websites as part of my standard setup:

  • All in One SEO/WordPress SEO
  • BackupBuddy/BackWPup
  • Bad Behavior
  • *Limit Login Attempts
  • Spam Free WordPress
  • Tailored Login
  • wp-jquery-lightbox

* added as a result of the recent attacks, as recommended by several WP gurus

Other plugins may be (and most likely WILL be) added to accomplish specific goals on your site. The above listed plugins provide security and functions I feel are necessary on ANY website and I consider them “standard”.

Additional steps I have taken since the “attacks”:

  1. Implemented strong, randomly generated passwords for all my Administrator logins on WordPress sites
  2. Put my site on CloudFlare CDN to improve both security and efficiency of website performance – I will be adding client sites if this works as I expect
  3. More frequent site checks to ensure sites are functioning properly (twice or more weekly rather than just weekly)

It’s been an interesting month, and I have learned a few things, and made my site(s) and yours safer and more secure. And that’s a good thing!

Recent WordPress happenings

On April 11 I became aware of “brute force” login attempts on WordPress sites world-wide – I read of it on a few LinkedIn discussions, followed some of the links, and realized this was a major assault on WP sites. The focus of the attack was on sites that use “admin” as the username and easily guessed passwords for the Administrator account(s). One of the first things I learned when working with WordPress is that you should NEVER use “admin” as a username and should always use SECURE passwords. I have never used “admin”, but have been inconsistent in using truly strong passwords.

I did a quick check of the multiple WP sites I manage (on Thursday afternoon/evening). They are on a variety of hosting services, including GoDaddy, which seemed to be one of the primary targets. Yes, there was evidence that the sites were under attack. My basic WP setup includes a plugin called Bad Behavior, and it was logging (in some cases) hundreds of attempts to log in to sites using “admin” and passwords such as 123456789, aaaaaa, a1b2c3b4, password, etc. But that’s all these were, attempts. In some cases, the sites had slowed to a crawl for visitors. None of the sites were “down”, just slow, and none of the sites were compromised.

I read voraciously to find out what else I could do to protect the sites, and one plugin was highly recommended – Limit Logins. It locks out the IP address of anyone attempting to log in after 3 unsuccessful tries, and logs the IP, thereby halting repeat attempts from that particular IP. I installed that plugin on sites also, on April 12-13. Reviewing the logs over the next few days, several of the sites have had IPs locked, which means less spam traffic trying to log in, and site performance improvement in spite of the “attack”.
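To show the difference between logging attempts (what Bad Behavior does) and stopping them (what the lockout plugin does), here is an added example that models the “lock the IP after 3 failed tries” rule over a few constructed log lines. This is illustrative code written for this page, not the plugin’s own code; the log format, IP addresses and the permanent (non-expiring) lockout are assumptions made to keep the example short.

```python
"""Per-IP lockout after N failed logins, modelled on the behaviour described
above. Added example, not the plugin's code. Log lines are constructed."""
from collections import defaultdict

# Constructed sample log: "<date> <time> <ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2013-04-12 08:01:02 203.0.113.7 admin FAIL
2013-04-12 08:01:03 203.0.113.7 admin FAIL
2013-04-12 08:01:05 203.0.113.7 admin FAIL
2013-04-12 08:01:06 203.0.113.7 admin FAIL
2013-04-12 08:02:10 198.51.100.9 editor FAIL
2013-04-12 08:02:40 198.51.100.9 editor OK
2013-04-12 08:03:00 198.51.100.9 editor FAIL
"""

def parse_line(line):
    """Split one constructed log line into (ip, username, password_ok)."""
    _date, _time, ip, user, status = line.split()
    return ip, user, status == "OK"

class LoginLimiter:
    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)   # consecutive failures per IP
        self.locked = set()                # IPs refused outright
        self.admin_probes = 0              # how often "admin" was tried

    def attempt(self, ip, user, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if user == "admin":
            self.admin_probes += 1
        if ip in self.locked:
            return "locked"          # refused before any password check
        if password_ok:
            self.failures[ip] = 0    # a good login clears the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked.add(ip)      # lockout assumed permanent here
        return "failed"

def run(log_text, max_attempts=3):
    """Replay a log; return (per-line outcomes, locked IPs, admin probes)."""
    limiter = LoginLimiter(max_attempts)
    outcomes = [limiter.attempt(*parse_line(l)) for l in log_text.splitlines()]
    return outcomes, sorted(limiter.locked), limiter.admin_probes
```

Replaying the sample log, the fourth “admin” try from 203.0.113.7 is refused without a password check, while 198.51.100.9 is never locked because its successful login resets the counter.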

Not all, but several of the WP administrator accounts were inaccessible for a few hours on Friday morning, April 12, due to hosting providers blocking backend access to everyone. Access was restored by afternoon, and no sites actually went down.

Over the weekend I continued to read and follow the news and monitor the websites under my control – the attack continues, as evidenced by the Bad Behavior logs and lockout stats on multiple sites.

During the first few days of this week I have taken two more steps to further secure my own computer and sites – LastPass and CloudFlare. If successful, I will be contacting clients and recommending actions.

LastPass is a random password generator that creates very strong, very secure passwords, and remembers them so you don’t have to. All you need is ONE password (the “last” password you’ll need to remember!) to access and activate LastPass and it does the rest. I’ve actually had it on my computer and started to use it on a couple of sites some time ago, but did not use it consistently. I am making a determined effort to get ALL my passwords secure and safe in LastPass. The Premium version syncs across your mobile devices (tablets and smartphones) and is only $12 a year (that’s $1 a month!!). http://lastpass.com

CloudFlare is a CDN (Content Delivery Network) that filters out bad traffic, and optimizes the delivery of your website to legitimate visitors. A simple DNS change routes visitors through CloudFlare’s network, with a significant improvement in performance and a decrease in spam and other attacks. Of interest – sites on CloudFlare were protected from the recent brute force attacks and have little to no “attempts” or lockouts. I added my business site today (April 17) and look forward to improved speed on the site and lower stats on Bad Behavior and Limit Logins. http://cloudflare.com

Security of any website, WordPress or otherwise, is an ongoing battle. Because WordPress is so widely used, it’s a frequent target for spammers and hackers, but there are steps you can take to make your WordPress installation unique, less susceptible to spam, and more difficult to “hack”. Using CloudFlare’s CDN adds a layer of protection to whatever steps you choose to implement in your WordPress installation.

I will be following up with each of my clients and providing a report on how sites were affected (or not affected) by this recent activity, and recommending steps to improve security. It’s “all in a day’s work”, but one part of my workday that could be eliminated and I would not miss it one bit.

Google Two-Step Verification

What is it and why do I need it?

Two-step verification adds an extra layer of security to your Google Account, so if you do not use Google for email, a calendar, web developer tools, analytics, or any of the other services Google offers, then you don’t need 2-step verification.

On the other hand, it’s likely that you DO use one or more of Google’s services, and have one or more Google accounts. Here’s how it works – in addition to your username and password, you’ll be asked to enter a code that Google will send you via text or voice message to a phone number YOU specify. You have the option to make the device (laptop, phone, etc) that you are using to access your account a “trusted” device or location. When you log in from the same location or device you will not have to provide the additional code each time.

If you, or someone else, tries to access your Google account from anywhere else, it will ask for the authorization code. Unless someone also has your phone, and is savvy enough to realize what the 2-step authorization is, your account will be secure from someone randomly guessing your password.

To set up 2-step verification, read and follow the links in this article: How Two-Step Verification Works

If you still think you don’t need the additional security, read how one person was hacked, and how 2-step would have prevented most of the damage: My Epic Hacking. Then think of how much of your online presence is linked to your gmail address or Google account. It’s worth a little extra time and inconvenience now to avoid, potentially, much more inconvenience and harm in the future.

October is National Cyber Security Awareness Month!!

And a good time to review a few ways to remain safe online…both personally and in your online business presence. (I posted this last year, and the information is still good! So I am re-posting again this year!)

Here are a few websites full of good information and some tools that will aid in keeping you and your website safe:

Email scams and “phishing” are ways that unscrupulous people can get your personal information without you suspecting that is what is happening. Being aware of their methods is the first step in protecting yourself so that you are not taken in by their schemes.

Be suspicious of any e-mail, text message, or phone call with urgent requests for personal financial information. Don’t use links in an e-mail, instant message, or chat to get to any Web page if you suspect the message might not be authentic or you don’t know the sender. Call the company, or log on to the website directly by typing the address in your browser.

Avoid filling out forms in e-mail messages that ask for personal financial information. Communicate information such as credit card numbers or account information only via a secure website or a known telephone number. Enter the address of any banking, shopping, auction, or financial transaction website yourself, and do not depend on links. Phishers can forge the yellow lock icon you see near the bottom of your screen on a secure site. When double-clicked, the lock should display the security certificate for the site. If you get a warning that the address of the site does not match the certificate, do not continue.

Look at the address/status line. Scam sites may show “https://” and/or the security lock icon. A variation of the URL, e.g., bankname-verify.com, usually denotes a scam site.

Regularly log into your online accounts. This will not only keep you familiar with what they look like and the security procedures they have in place, it will also make it much easier to spot a fraudulent or spoofed site. Check bank, credit card and debit card statements for suspicious transactions. Ensure that your browser is up-to-date and security patches are applied.

Forward phishing or “spoof” e-mails to:

Be safe!