Security Notes – Recent Happenings

Security Alert! Security Alert!

Five million gmail account usernames and passwords leaked by Russian hackers!
Facebook Poker lottery scam!
iThemes membership database compromised!

If you are online at all (have an email address? visit websites? have a smartphone?) you are vulnerable to hacking, scams, and identity theft. I see more than my share of the results of lax security. I feel as though I take adequate precautions and security measures, and yet all three of the above headlines directly impacted my workflow in the past week.

My Gmail address was one of the 5 million that was leaked, lucky me! I was informed by LifeLock of the address/password combination that had been leaked, and fortunately, it was an old password. I had changed it recently, and I changed my Gmail password again. However, since I use the Gmail address as my “username” or login name on several accounts, that old username/password combination was still in use, and I spent a considerable amount of time changing a lot of passwords!

LastPass, a password generator and keeper, has been invaluable in the process. Not only does it keep all your passwords, it can tell you which sites use the same username/password combination, and gives you a security “score” with ways to fix a low score and increase your level of security. It will generate secure passwords, and enter them automatically for you, if you choose to have it do so. There is an add-on for mobile devices (an astoundingly reasonable $12 a year). LastPass definitely made a tedious task a bit less time consuming, a lot more secure, and will continue to provide peace of mind going forward.

Facebook, ah, Facebook! The scam I was exposed to has been around for a while, but it was my first brush with it. I received a “friend” request from a gal that I thought was already a friend. I accepted the request, thinking she had cleaned her friend list, or somehow redone her account – the request had her picture, her name… A little bit later I got a chat notification. I replied, but the conversation seemed… off. It didn’t sound like my friend. It was a CLASSIC example of the Poker Lottery scam. I texted her on her phone, and she was NOT chatting with me on Facebook. I closed the Facebook chat, and saw I had TWO friends with the same name. I “unfriended” the fake (the profile was nearly empty, unlike the “real” friend) and advised her to report the duplicate.

iThemes is a suite of software tools I use as I develop websites. There are a host of plugins that add functionality, backup options, cloud storage, and a security suite. I use those tools extensively, I pay a good sum of money each year to iThemes to maintain my software licenses to their products, and learning that their database, usernames, and password storage had been compromised was unsettling to say the least. Yes, they took immediate steps to rectify the problem, and reset all our passwords, and required us to change them all again, but it’s unsettling all the same.

As I said in the first sentence, I feel as though I, personally, am doing what I can to protect my online “stuff” – I use LastPass to generate secure, strong, unique passwords. I am eliminating the use of the same username/password combination for multiple sites. Many sites use an email address as the username, and it’s tempting to use the same password that you associate with that email address; I’ve done it. It’s not good practice!! Even with all the steps I am taking, I can’t control what happens to my information that is in the hands of other companies.

I didn’t intend for this to end on such a negative note, but it is what it is. Have a wonderful week!

I’m back!

I’ve been writing, just not on THIS blog! I was invited to write articles for TorqueMag.io and have written several over the past few months. I’ve also been busy with other projects, and my grandchildren, and this blog has taken a backseat.

First, I’ll provide links to the articles I have written. They may prove useful to you, they may not, and if nothing else will provide me with a concise summary of my work!

Updating Client Sites to WordPress 3.6 – A bit dated now, since we are on 3.9, but it is what it is.

Widget UI Refresh for WordPress Core – Already in place in core WordPress

WordPress Multisite Case Study

Designing Responsively

Table Plugins for WordPress

Backup Plugins for WordPress

A series of articles on how WordPress is put together, and how you can make it do your bidding!

Dissecting WordPress: Customizing footer.php

Dissecting WordPress: Customizing header.php

Dissecting WordPress: page.php

Dissecting WordPress: single.php

In the works is an article about Heartbleed, although there has already been an overload of information. Still, we each bring a unique perspective, and I’ve learned from each article I have read. Maybe my writing will help someone else.

And I’m open to ideas for what you would like to see discussed here. Let me know!

Another Review – BuddyPress Child Themes

Once again, I was asked to review an e-book for Packt Publishing. This was a how-to on BuddyPress and how to develop a theme for BuddyPress. Here is my review:

Maybe I was expecting more in-depth or detailed instructions, specifically directed to “how to build a theme” – what I got was (as the author admits) a whirlwind tour of both WordPress and BuddyPress, a lot of code thrown about with not much explanation, and a ton of links to the codex and other resources to get more in-depth information.

The first third of the book is all about installing WordPress and BuddyPress, something I know how to do, and I would assume anyone considering BuddyPress would know as well. At least the WordPress part could be skipped, perhaps replaced by a section on how a BuddyPress install is different from a WordPress install.

Once into themes, and theme basics, and developing a theme, it got more interesting. However, I found a lot more allusions to the information I wanted than the information itself. Some teaser information was given, with a link to the codex to follow up. Many times, code was given to add with no breakdown as to what each line was for or what the code actually did. Instructions were to just copy this code to your functions.php or a template file, and such and such function is added. I suppose this is where the included files come in; you are free to tweak them and play with them to see what happens.

In short, I was hoping the book itself would be a guide or manual I could use to create a child theme for BuddyPress. Instead, it was more of an overview of where to get the information to create a child theme – i.e., the codex. I was also surprised at the number of grammatical errors there were, and the lack of a coherent flow to the material. I was often confused as to why some things were included where they were. Granted, the reviewers likely were all coders or designers, not grammar experts or copy writers, but still….

If you are interested in this title or others relating to web design, and technology in general, check out the $5 sales, going on through January 3 at Packt Publishing.

Here’s Something Different!

I was recently asked to review an e-book (also available in hard copy). The title? WordPress Multisite Administration – hardly casual reading! Since I have worked with Multisite, I was hoping to learn what I have been doing right (or wrong) and glean some tips to make my work more efficient! I was a bit disappointed, though I did learn! I agreed to post my review on my own blog, so here it is:

Stated in the beginning of the book: This book is geared towards people who have some experience with WordPress already. And in the first section, it goes through a quick (5-minute) install of WordPress, and assumes the reader knows how to and has already uploaded the files to the server and edited wp-config with the database connection info, since it begins “Installing WordPress” by starting the install wizard.

Then, in the next section on configuring MultiSite, it goes through how to upload the files, edit wp-config.php, etc – why cover it now and not prior? This was confusing to me. I would simply say that installing a multisite is done by installing a single site (and go through the procedures here), and then what to edit in the wp-config.php to allow multisite. Go through the file upload, editing the wp-config with your database information, change the prefix for security, add salts, etc – get the single site installed and working. Then add the multisite code lines to wp-config to convert to a multisite and continue with the network setup. It should all be one chapter, and since readers *should* already be familiar with WP setup – the file unzipping, upload, and initial username and password setup does not need to be covered in such great detail. And if it is to be covered, put it in the single site section, since it needs to be done and a single site install working before multisite can be set up. It was confusing to me the way it was written.

If anything, cover single site setup briefly. Then go right to editing the wp-config, reupload it, and on to the multisite dashboard and changes.

The later chapters on security, caching, and optimizing are good info, but not necessarily specific to multisite. Perhaps a note could be included that this can apply to all WP installs, not just multisite. And that there are many ways to accomplish the goals – plugins mentioned are suggestions only and each developer will find their own set of tools to use. (I have several not mentioned that I use for security and monitoring – and there are lots out there.)

I would suggest a chapter on subfolders vs subdomains, advantages and disadvantages of either setup, the difference between the two, and domain mapping (unique URLs for each sub site). The book “assumes” the sub sites will all be shown on your directory of sites, and are all interconnected. This is not always the case; each sub site may be a distinct site with its own URL. And that is where I, personally, had the biggest struggle in setting up my multisite – getting each subsite its own URL (site1.com, site2.com, etc).

The book does give info on multisite administration, but I feel it does not go into the depth I was expecting, and does not cover enough different situations to be considered a complete guide to multisite administration. Much of what is covered applies to ANY WordPress install, and the plugin suggestions, as I mentioned, were lacking. A good start, but there is room for improvement!

You can purchase the book here.

Word Camp San Francisco, July 26 & 27

I attended my first WordCamp last month, and I will very likely attend more WordCamps in the future! What is WordCamp? WordCamp is a conference that focuses on everything WordPress. WordCamps are informal, community-organized events that are put together by WordPress users – everyone from casual users to core developers participate, share ideas, and get to know each other.

I learned, I networked, I met some of the names behind the code, ate some pretty awesome food, and picked up several T-shirts, sunglasses, stickers, and coupons for deals on hosting services! The sessions were informative and fast paced, so there was a lot of information packed into a very short time frame. It takes a few days after the event to process it all!

Tips and tools shared are now in my “arsenal”; I have more resources I can tap to build my business, and opportunities have come up as a result of people met and contacts made over that weekend. WordCamp is worth far more than the minimal registration fee – the “swag” I collected and the lunches alone were worth the cost!

Single Page website

I have partnered with Skyward Telegenics, a tech firm specializing in internet marketing tools. Together we are offering a one page website, live on the web in one week, with your custom domain name for the package price of $199.

WHAT YOU GET:

  • Domain registration and hosting for one year
  • A simple but effective one-page site with 3-4 sections containing basic information about your business
  • Site will be optimized for desktop and mobile access (workable on phones and tablets)
  • Site can be expanded to a full website with added functionality at any time by our in-house web design team
  • (Optional) One high impact video on our innovative, secure video hosting platform for one of the sections (additional fee)
  • Take a look at the example website right now at: http://One.SkywardTG.com/

This package may be for you if you are a small business, not sure if you even NEED a website, and can’t afford to spend thousands of dollars to find out. It may be ALL you need, or you may discover you need more. Either way, Skyward TG and I can provide you with the expertise and marketing you need to keep your business in front of your customers!

WordPress, Attacks, Reactions

Recent news of a “brute force” attack on WordPress sites world wide left many scrambling to protect their sites. While I kept a close eye on the sites I manage (this one included!) none of those sites were significantly impacted. Yes, hundreds, and even thousands of attempts to gain access were made on some sites, and some websites were sluggish for users at times, but that seems to have been the extent of the attack on “my” sites! I am happy to report that none of the sites I manage were “hacked” and the attempts were limited to just that – attempts.

I’ve added the Limit Login Attempts plugin to my basic arsenal. While the Bad Behavior plugin blocks the attempts, and logs the numbers, IP addresses, and other information, it does not STOP the attempts. A site being overrun with login attempts will run sluggishly or be shut down by the server. Limit Login works to lock out an IP address after a set number of unsuccessful login attempts so no repeated attempts can be made, which reduces the number of access attempts and lessens the traffic. I have installed this on all my sites and now include it as “standard”.

Just for your information, the following is a list of plugins that I typically install on websites as part of my standard setup:

  • All in One SEO/WordPress SEO
  • BackupBuddy/BackWPup
  • Bad Behavior
  • *Limit Login Attempts
  • Spam Free WordPress
  • Tailored Login
  • wp-jquery-lightbox

* added as a result of the recent attacks, as recommended by several WP gurus

Other plugins may be (and most likely WILL be) added to accomplish specific goals on your site. The above listed plugins provide security and functions I feel are necessary on ANY website and I consider them “standard”.

Additional steps I have taken since the “attacks”:

  1. Implemented strong, randomly generated passwords for all my Administrator logins on WordPress sites
  2. Put my site on CloudFlare CDN to improve both security and efficiency of website performance – I will be adding client sites if this works as I expect
  3. More frequent site checks to ensure sites are functioning properly (twice or more weekly rather than just weekly)

It’s been an interesting month, and I have learned a few things, and made my site(s) and yours safer and more secure. And that’s a good thing!

Recent WordPress happenings

On April 11 I became aware of “brute force” login attempts on WordPress sites world-wide – I read of it on a few LinkedIn discussions, followed some of the links, and realized this was a major assault on WP sites. The focus of the attack was on sites that use “admin” as the username and easily guessed passwords for the password for the Administrator account(s). One of the first things I learned when working with WordPress is that you should NEVER use “admin” as a username and use SECURE passwords. I have never used “admin”, but have been inconsistent in using truly strong passwords.

I did a quick check of the multiple WP sites I manage (on Thursday afternoon/evening). They are on a variety of hosting services, including GoDaddy, which seemed to be one of the primary targets. Yes, there was evidence that the sites were under attack. My basic WP setup includes a plugin called Bad Behavior, and it was logging (in some cases) hundreds of attempts to log in to sites using “admin” and passwords such as 123456789, aaaaaa, a1b2c3b4, password, etc. But that’s all these were, attempts. In some cases, the sites had slowed to a crawl for visitors. None of the sites were “down”, just slow, and none of the sites were compromised.

I read voraciously to find out what else I could do to protect the sites, and one plugin was highly recommended – Limit Logins. It would lock out the IP of someone attempting to log in after 3 unsuccessful tries, and log the IP, thereby halting repeat attempts from that particular IP. I installed that plugin on sites also, on April 12-13. Reviewing the logs over the next few days, several of the sites have had IPs locked, which means less spam traffic trying to log in, and site performance improvement in spite of the “attack”.
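The lockout behaviour described here and under “WordPress, Attacks, Reactions” above, as an added illustration that is not the Limit Login Attempts plugin’s own code: a minimal WordPress plugin that counts failed logins per IP in transients and refuses further attempts from that IP for a set period. The 3-failure threshold comes from the text; the 20-minute lockout, the `ell_` function names and the error-log line are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example, not the Limit Login Attempts plugin. Locks an IP
 *              out after repeated failed logins, mirroring the behaviour above.
 */

// Assumed settings: 3 failures (the count mentioned above) lock the IP for 20 minutes.
define( 'ELL_MAX_FAILURES', 3 );
define( 'ELL_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS );

// Client address used for the counter. Behind a proxy/CDN such as CloudFlare,
// REMOTE_ADDR is the proxy's own address, so locking it out would block every
// visitor; there the proxy's forwarded-IP header (CF-Connecting-IP for CloudFlare)
// must be used instead, and only when the request really arrived via the proxy.
function ell_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// One transient per IP; the transient's expiry is the lockout window.
function ell_transient_key() {
    return 'ell_failures_' . md5( ell_client_ip() );
}

// Runs on every failed login: increment the counter for this IP and write a line
// to the PHP error log once the threshold is reached. Attempts made while locked
// out also fail, so they keep extending the window.
function ell_record_failure( $username ) {
    $key      = ell_transient_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, ELL_LOCKOUT_SECONDS );
    if ( $failures >= ELL_MAX_FAILURES ) {
        error_log( sprintf( 'Lockout: %s after %d failed logins (last username tried: %s)',
            ell_client_ip(), $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Runs after WordPress has looked up the user but before it checks the password:
// a locked-out IP gets an error and the password is never compared, so further
// attempts cost the server little and cannot succeed even with the right password.
function ell_block_if_locked( $user, $password ) {
    if ( (int) get_transient( ell_transient_key() ) >= ELL_MAX_FAILURES ) {
        return new WP_Error( 'ell_locked_out',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'wp_authenticate_user', 'ell_block_if_locked', 10, 2 );

// A successful login clears the counter for this IP.
function ell_clear_failures( $user_login, $user ) {
    delete_transient( ell_transient_key() );
}
add_action( 'wp_login', 'ell_clear_failures', 10, 2 );
```

Dropped into wp-content/plugins/ and activated, it turns the hundreds of “admin”/123456789 attempts in the Bad Behavior logs into a single lockout per source address.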

Not all, but several of the WP administrator accounts were inaccessible for a few hours on Friday morning, April 12, due to hosting providers blocking backend access to everyone. Access was restored by afternoon, and no sites actually went down.

Over the weekend I continued to read and follow the news and monitor the websites under my control – the attack continues, as evidenced by the Bad Behavior logs and lockout stats on multiple sites.

During the first few days of this week I have taken two more steps to further secure my own computer and sites – LastPass and CloudFlare. If successful, I will be contacting clients and recommending actions.

LastPass is a random password generator that creates very strong, very secure passwords, and remembers them so you don’t have to. All you need is ONE password (the “last” password you’ll need to remember!) to access and activate LastPass and it does the rest. I’ve actually had it on my computer and started to use it on a couple of sites some time ago, but did not use it consistently. I am making a determined effort to get ALL my passwords secure and safe in LastPass. The Premium version syncs across your mobile devices (tablets and smartphones) and is only $12 a year (that’s $1 a month!!) http://lastpass.com

CloudFlare is a CDN (Content Delivery Network) that filters out bad traffic, and optimizes the delivery of your website to legitimate visitors. A simple DNS change routes visitors through CloudFlare’s network, with a significant improvement in performance and a decrease in spam and other attacks. Of interest – sites on CloudFlare were protected from the recent brute force attacks and have little to no “attempts” or lockouts. I added my business site today (April 17) and look forward to improved speed on the site and lower stats on Bad Behavior and Limit Logins. http://cloudflare.com

Security of any website, WordPress or otherwise, is an ongoing battle. Because WordPress is so widely used, it’s a frequent target for spammers and hackers, but there are steps you can take to make your WordPress installation unique, less susceptible to spam, and more difficult to “hack”. Using CloudFlare’s CDN adds a layer of protection to whatever steps you choose to implement in your WordPress installation.

I will be following up with each of my clients and providing a report on how sites were affected (or not affected) by this recent activity, and recommending steps to improve security. It’s “all in a day’s work”, but one part of my workday that could be eliminated and I would not miss it one bit.

Spring Cleaning

Yes, even websites need a good “cleaning” now and then! And spring is a perfect time to review your site for old, outdated, and possibly incorrect information, get it updated and correct, and add anything new that you or your business has going.

Take ten or fifteen minutes to go through your site page by page, making note of changes to the content that need to be made. Perhaps a new color scheme will perk things up, or current images to replace the ones that have been there for the last several months. Are your business hours still accurate? Have your services changed?

Let’s SPRING into action and get your site tuned up and ready for business!

Maintenance Agreement

Think of your website as a stage production – and the website itself as what the audience sees. A lot of things have to happen “behind the scenes” for the production to appear effortless.

Changing the content is only a small part (although the most visible) of site maintenance. Site backups, scanning for malicious code, and updating plugins and add ons to the most recent version are some of the routine maintenance chores that need to be done consistently to keep your site healthy.

Check out my Maintenance Packages and let’s get started!