We all saw how the Osama death video malware spread on Facebook recently and created a lot of trouble for the social network’s users. It’s sad to see how anti-social elements are trying to socialize in their own manner! Anyway, I’m fully aware of such nasty tricks, so thankfully I didn’t become a victim; moreover, I keep myself safe with the help of fantastic software utilities by some fantastic individuals and companies! Let me share how I keep myself safe from malicious websites, and then how, as a blogger/webmaster, you should take responsibility for keeping your visitors safe.

Tools to keep yourself safe from malicious websites

1. Internet security software – There is some amazing internet security software, both paid and free, that does a fantastic job of keeping users safe. I personally use Comodo’s free internet security software – even though it’s free, it has many more features and a better detection rate than even the most popular paid internet security suites! It’s got antivirus, antimalware, firewall, sandbox technology and what not. I recommend it to everyone.

2. Secure DNS solutions – OpenDNS and Comodo’s Secure DNS are some of those services that deserve all the respect in the world! By just making a small change to your internet connection’s DNS settings, you can do yourself a lot of good. These services keep a database of malicious and phishing websites and will automatically block them even if you happen to click on a dangerous link. I prefer Comodo’s Secure DNS.

3. Web of Trust – Web of Trust is another such service; it alerts you about a site’s reputation and the dangers associated with it. Facebook partnered with them to alert its users about bad and dangerous links after it was raided by “social anti-social elements”. They have a plugin for the major browsers which warns users about bad links. It’s a must-have for everyone!

4. McAfee SiteAdvisor – I’ll be honest, I used to love SiteAdvisor like anything, and I still love it as it saves me from visiting unreliable links and even shows a website’s reputation in search engine results, allowing me to avoid possibly dangerous websites (it’s very similar to Web of Trust). However, McAfee now also installs its toolbar and changes the search engine – something it didn’t do earlier, and I loved it that way. Anyway, you can disable those things, so it still has my respect. It integrates well with the major browsers and can be a great savior, as you can see which links may be dangerous even before you click them.

5. Sandboxie – Even though Comodo offers sandbox technology, I prefer to use Sandboxie. It’s a free tool that runs your programs in an isolated space, which prevents them from making permanent changes to other programs and data on your computer. Check out Sandboxie’s website to learn more about this fantastic concept! Again, it’s a must-have!

These tools keep me pretty much safe from most threats, and I’m thankful to the wonderful developers who’ve made them.

Be a responsible blogger and secure your WordPress now!

As a user I was safe, however as a webmaster the incident got me thinking about how blogs and websites can also be targeted by malware and virus makers – not that they haven’t been in the past, however this is where I see it growing even more, and at a much faster rate! There is a flurry of automated comment-submitting software on the market; any malware maker can host the malware on a website and then submit comments with that malicious link on thousands of blogs in a matter of minutes, and an unaware blogger/webmaster can approve the comment, which may result in the following -

  • Infect website/blog readers’ computers.
  • Reduce the site’s ranking in Google – Google doesn’t like sites that promote malware!
  • Bad reputation of website amongst visitors.

These are things no blogger would like to see happen to them. I certainly wouldn’t want this happening to me either. So I decided to find a tool that would alert me about a malicious link before I approve any comment, or that would scan the links in comments and posts and give a report so that I could take corrective measures against those links. Unfortunately, I couldn’t find one!

Then it hit me: why are security companies not making such a tool? Tools like Web of Trust, SiteAdvisor, OpenDNS and Comodo’s Secure DNS depend a lot on community feedback. They certainly are useful and keep people safe, however it takes some time before the community gets to know about a newly created malicious website – what if you visit those sites before they are marked as unsafe? Wouldn’t it be cool if the security companies made a tool that integrates with popular content management systems like WordPress and Drupal and shows the reputation of outgoing links to the visitor beforehand? Not only would this be a win-win situation for bloggers, webmasters and readers; it would be a win-win for the antivirus company as well -

  • Tons of free data about links. This will only strengthen their commercial offerings! They can directly block dangerous links for their software’s users.
  • Free marketing – If not for the data, they can at least get free marketing for their company! If they show the reputation of a link, they can always show the following message below it: “Link’s safety checked by XYZ Security Tool”. As a webmaster, I wouldn’t mind such a message, as it would strengthen my reputation amongst my readers by showing that I care for them!

I’d given up looking for the tool and had started hoping that some security company would come up with one that would show me a link security report and also show the reputation of outgoing links to my readers. And well, then I came across BitDefender’s Antispam! It’s almost the tool I was expecting, and that too from a popular and reputed security company!

Why Bitdefender Antispam when I’ve got Akismet?

That’s the first question that came to mind when I read the plugin’s name. However, I was super happy to find out that it does almost the same thing I was thinking about; it’s just that it doesn’t take advantage of the free marketing and doesn’t scan the links in posts. Bitdefender has made this essentially an anti-spam plugin, however I think it’ll gain an edge over Akismet as it will also check whether links are malicious or phishing sites. The plugin is in beta and doesn’t appeal in terms of usability at all, however I’m still running it for a few weeks to see how well it performs at detecting spam! Of course, I’ll be sharing my experience in the next blog post. Installation instructions for Bitdefender Antispam. Will I suggest the plugin now, like the other security tools I’ve recommended? Not for now – it certainly needs a face-lift! However, I’m sure that by the time it’s out of beta, it should be one of your anti-spam solutions.

Secure WordPress to avoid stupid hacks and avoid becoming the owner of a malicious website!

There have been a lot of posts written about how one can secure WordPress, and I’ve covered this topic as much as I could. The guides we’ve included will not be the ultimate solution for making a site un-hackable, however by following them you’ll save yourself from automated attacks and newbie hackers who try to hack websites for fun. Please follow these links to make your WordPress secure -

I hope that other security companies take inspiration from Bitdefender (and, well, my marketing tip) and come up with such powerful tools for webmasters. This way, together we’ll be able to make the internet a bit safer! After all, we’ll be able to block them at the source itself! And I hope that if you’ve not taken steps to secure your WordPress installation, you’ll do so right after you share this post on social networks ;)


I’ve written a fair bit on the topic of securing WordPress-based sites and blogs, however it seems that no matter how much I write, it still isn’t enough. Hardly a week goes by where I don’t hear horror stories from our clients and various other friends in the trade whose sites get infected with malware. After handling a lot of such cases and doing some research on it, I found that one of the major reasons sites get infected is that the webmaster’s own computer was infected with malware.

I’ll also be listing various resources that can be used to further strengthen security, however first I would like to put forth my views on why webmasters should use Mac or Linux. I’ll only list those points that are logical, and none of them are influenced in any way. So here’s why I suggest so, and how easy it is to switch too -

1. To keep yourself safe from viruses: I’ve used all three OSes and I’ve personally experienced that Mac and Linux aren’t as prone to viruses as Windows is. The simple fact is that Windows has more than 90% market share, and that’s why almost every virus targets Windows users. So, if you are using either of those two OSes you’d be safe from viruses and thus reduce the chances of getting your website hacked.

2. For keeping others safe: As I’ve said, the majority of cases I’ve dealt with are those where the webmaster’s computer was compromised. Moreover, once the sites are infected, they infect the computers of those who visit the site, and that’s how they spread so quickly! Now, if in the first place the webmaster had been using Linux or Mac, it would have ensured that at least they weren’t making the situation worse.

3. Switching is pretty easy – Most users give the reason that they won’t be able to switch because of incompatibility issues, and they think it would be a pain to switch platforms because of the unavailability of software. I agree that at one time it would have been difficult for most people, however webmasters specifically won’t find any issues choosing these two platforms, as most of their tasks are done online; otherwise most of the software required either has a worthy alternative or, if you are an open-source fan, you’d surely find most of it available for all three platforms. Here are some of the resources -

Try a gradual switch and start using these OSes, and if you really want to run Windows software then you can try WineHQ or CrossOver (commercial); most likely the software will work fine for you. If the software still doesn’t work and you don’t find any alternative, then you can simply use VirtualBox or Parallels to run Windows inside Linux or Mac.

So when we know that it can be easy for webmasters to switch to Mac or Linux, why not use either of those two operating systems and keep yourself and the world safe from that malware? Anyway, enough ranting – as I said, during my research I read quite a bit about securing websites, so I would like to share that with you:

How to strengthen the security of your WordPress blog?

  1. Don’t forget to read the articles I wrote a while back on the topic of securing WordPress.
  2. If possible, switch your OS as soon as possible – Don’t think of it as a stupid suggestion. Consider this one for sure!
  3. Restrict WordPress admin use by IP address.
  4. Learn to restrict FTP server access to specific IPs using VSFTPD – I know that not everyone gets a static IP address from their internet service provider, however use of a VPN [I use StrongVPN] can certainly help you get over that problem.
  5. More security steps can be taken through the .htaccess file; here are 11 more steps that you can use.
  6. Jeff Starr has created wonderful instructions for securing servers via .htaccess and blocking known malware techniques.
  7. Blocking spam is equally important – Chances are that some spam comment will contain the URL of an infected site, so it’s important to ensure that no spam comment gets through.

What else can be done other than IP address and .htaccess tricks?

Some of WordPress’ cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. From a security perspective it is best to lock down your file permissions as much as possible, and to loosen those restrictions only on the occasions that you need to allow write access, or to create special folders with more lax restrictions for purposes like uploading images. In short, we are talking about the CHMOD settings on the server.

All files should be owned by your user account and should be writable by you, and any file that needs write access from WordPress should be group-owned by the user account used by the web server. Of course, learning this can take some time, but if you really want to secure your server, then this is one thing you should focus on!

  • / — the root WordPress directory: all files should be writable only by your user account.
    • EXCEPT .htaccess, if you want WordPress to automatically generate rewrite rules for you.
  • /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
  • /wp-includes/ — the bulk of WordPress application logic: all files should be writable only by your user account.
  • /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
  • /wp-content/ — variable user-supplied content: intended by the developers to be completely writable by all (owner/user, group, and public).
    • /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group-writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
    • /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
    • Other directories under /wp-content/ should be documented by whatever plugin or theme requires them. Permissions may vary.
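One way to check the layout above on a real install, as an added example that is not from the original post: a small POSIX shell audit that lists files writable by group or world in the places where the list says only your own account should have write access, plus a function that applies the conservative defaults. It assumes a POSIX find/chmod/chgrp and that the web server’s group name is supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress root
# against the permission layout described above and, optionally, apply the
# conservative defaults. Assumes POSIX find/chmod/chgrp; the web server's
# group name is an assumption supplied by the caller.

# List files that are group- or world-writable in places where the layout
# says only your own user account should have write access.
wp_perm_audit() {
  root="$1"
  find "$root" -type f \( -perm -020 -o -perm -002 \) | sort |
  while IFS= read -r f; do
    rel="${f#"$root"/}"
    case "$rel" in
      .htaccess)            ;;              # WordPress may rewrite this itself
      wp-content/plugins/*) echo "$rel" ;;  # plugins stay owner-writable only
      wp-content/*)         ;;              # uploads, themes: write access expected
      *)                    echo "$rel" ;;  # core, wp-admin, wp-includes, wp-images
    esac
  done
}

# Apply the defaults from the layout: owner-only write everywhere, then
# group write (for the web server's group) under wp-content only, with
# plugins tightened back to owner-only.
wp_perm_fix() {
  root="$1"; webgroup="$2"
  chmod -R u=rwX,go=rX "$root"
  chgrp -R "$webgroup" "$root/wp-content"
  chmod -R g+w "$root/wp-content"
  if [ -d "$root/wp-content/plugins" ]; then
    chmod -R g-w "$root/wp-content/plugins"
  fi
}
```

Run `wp_perm_audit /path/to/wordpress` first; an empty result means nothing outside the expected places is writable by anyone but you.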

Plugins that I prefer for securing WordPress

1. WordPress File Monitor – Think of it as a watchdog! It monitors your WordPress installation for added/deleted/changed files. When a change is detected, an email alert can be sent to a specified address. So even if you add files using FTP, it will let you know. This is a fantastic way to ensure that no compromised file gets onto the server without passing under its nose.
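To show what a watchdog of this kind actually does under the hood, here is an added example (not code from the WordPress File Monitor plugin): a baseline of SHA-256 digests taken from a clean install, later compared against the live tree to report added, deleted and changed files. It assumes GNU coreutils (sha256sum, comm, cut) and that the caller keeps the baseline file outside the web root.

```shell
#!/bin/sh
# Added example, not code from the WordPress File Monitor plugin: a minimal
# file-integrity check of the kind the plugin performs.
# Assumptions: GNU coreutils (sha256sum, comm, cut) are available and the
# caller chooses a baseline path outside the web root.
export LC_ALL=C   # consistent sort/comm collation everywhere

# Snapshot: one "<sha256>  <path>" line per file, sorted by whole line.
wp_fim_snapshot() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort )
}

# Record the trusted state of a clean install: wp_fim_baseline ROOT FILE
wp_fim_baseline() {
  wp_fim_snapshot "$1" > "$2"
}

# Report ADDED / DELETED / CHANGED paths relative to the baseline.
wp_fim_compare() {
  root="$1"; baseline="$2"
  tmp=$(mktemp -d)
  wp_fim_snapshot "$root" > "$tmp/current"
  # A sha256 hex digest is 64 characters, followed by two spaces, then the path.
  cut -c 67- "$baseline"    | sort > "$tmp/old_paths"
  cut -c 67- "$tmp/current" | sort > "$tmp/new_paths"
  # Lines present now but absent from the baseline: new files or new digests.
  comm -13 "$baseline" "$tmp/current" | cut -c 67- | sort > "$tmp/differing"
  comm -13 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/ADDED   /'
  comm -23 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/DELETED /'
  comm -12 "$tmp/differing" "$tmp/old_paths"  | sed 's/^/CHANGED /'
  rm -rf "$tmp"
}
```

Take the baseline right after installing or updating, and run the comparison from cron; any output is a change you did not expect.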

2. WordPress Firewall – I personally love this plugin. Of course, using this plugin means that you’d lose WordPress theme/plugin editing capabilities and a few things here and there, however it will ensure that everything is super secure.

3. Block Bad Queries – Another gem from Jeff Starr. This plugin will ensure that your WordPress site is safe from known vulnerabilities.

Well, there have been countless posts on the topic of security, and the worst part is that things aren’t improving one bit. It’s important to choose the right web host as well. If this post of mine was a request to webmasters, Mark Jaquith has asked web hosts to become more secure and to help webmasters understand the security of blogs/websites. It is one interesting read, so even if you are not a web host, I would suggest you read it.

What are your thoughts about changing the OS to ensure a safe and secure website? Do you think that one should go ahead and change their OS to ensure that their site remains secure from malware to a large extent? Please share your thoughts in the comments.



For the last couple of weeks, I’ve been trying to work out how WordPress can be secured enough to avoid any kind of malware attack. In the course of this, I found a lot of new information about securing web applications and realized how small settings can make and break things. While my struggle to learn more about security was going on, I came across the launch post of VaultPress, a blog backup and protection service from Automattic.

Please note that the service has been announced in beta and is available to only a few users. One can apply for an invite over here. It’ll be a premium service, and while signing up you can also mention how much you’d be comfortable paying for this kind of service. If I were to decide the price, I would keep it around $10/month. I’ve not tested the service myself, however we could gather all the information about VaultPress from the coverage it has received from the biggies like TechCrunch, ReadWriteWeb, Silicon Alley Insider, the VaultPress blog and finally my favorite, WordPress Tavern.

Features of VaultPress

1. Focused on WordPress.org users – WordPress.com is one of the most powerful and secure blog services around. However, the same can’t be said for users who run the self-hosted WordPress version on their own servers. There have been many horror stories in the past where self-hosted WordPress installs got infected with malware and much hoopla was created. VaultPress has been designed to work with self-hosted WordPress to ensure that those users can also get a quality backup and security service to avoid any mishap.

2. Real-Time & Complete Backups – VaultPress is an all-in-one backup package. It will back up posts, categories, tags and the rest of the data, along with themes, files etc. Jeff @ WordPress Tavern reckons that VaultPress will face stiff competition from Backupify, BackupBuddy and other backup plugins. According to Matt, founder of WordPress, VaultPress will be able to make the backup instantly as soon as one publishes changes on the blog or website.

3. Safeguards against Zero-Day Attacks – This is the one feature I would be most interested in, as it is one that no one else is offering. VaultPress will be able to safeguard your blog against zero-day attacks focused on WordPress. It will also monitor your site to alert you to any suspicious or hacking activity.

Well, keeping these features in mind, we can install a few plugins that can help us achieve a similar level of protection, and that too free of cost. We just need to ensure that we configure the plugins in the right manner. Here’s the guide …

Get VaultPress Security Features Beforehand!


1. Automatic WordPress Backup – This little plugin saves all the important files, including themes, plugins and the database, on Amazon S3. The plugin allows you to schedule the backup of the database or just the files, or if you want you can ask for a complete backup as well. The plugin will send you confirmation messages over email, so you will constantly be aware of what’s happening. Amazon S3 can be used as a backup service for your blog’s important files, and believe me, in most cases this will not cost you more than $5/month. Only in the case of large publishers can this cost be more than $15/month, i.e. the indicative price of VaultPress. By the way, Amazon S3 can help you improve site load time as well; don’t forget to check our guide on how to optimize WordPress blogs.

2. WordPress Firewall – This nifty plugin monitors changes in the files and attacks based on various zero-day patterns. Of course, this is not the ultimate solution, however our experience with this plugin has been pretty neat. It did alert me whenever I tried to make any change in the theme files or plugin files, and it didn’t allow the change until I approved it. Be aware that if you are planning to install this, you may get a lot of notifications. So keep the settings appropriate or use Gmail filters for ease!

3. OSSEC – OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Of course, this is not going to be as easy as installing WordPress plugins, however investing a little time in it can ensure that you’ll have real peace of mind in future! There is enough documentation available to avoid the initial hiccups!

Of course, the first two plugins won’t give you instant, real-time backups. However, a regular weekly backup will ensure that you’ll be able to bring your blog back from a situation where nothing looks nice in the world. I hope you understand the point I’m trying to make here! If you install OSSEC, then I’m sure one could easily compare this setup with what VaultPress will offer in future!

Isn’t it neat that you can enjoy VaultPress-like features even before you can get your hands on it, or if VaultPress looks out of budget?

The success of VaultPress will depend on the following factors: 1) what the cost will be for end users, and 2) how effective its monitoring system will be. I’m sure the takers of this service will be many more than for any other similar service, as it comes directly from the makers of WordPress. However, personally I’d be willing to test other services if they offer similar features at a competitive price. What are your initial thoughts on VaultPress?


(Image Credit – ClickonF5)

For a few months now, I’ve been hearing a lot of horror stories regarding the security compromises that bloggers have to deal with. Its open-source nature, which has been a boon for WordPress, is now standing against it (for hardcore open-source lovers: I am in favor of open source all the way, and that statement of mine should not be taken as a personal attack). Many blogs that weren’t using the latest version of WordPress are now infected with some sort of worm, or some hacker gets access to the web server and misuses your precious resources. There are cases where they even harm the website by affecting its search engine rankings.



WordPress, Firefox and many other open-source projects are great; however, because of their open nature, they generally get targeted by hackers and notorious fellows. It’s pretty important to keep your blog software up to date if it’s based on any open-source code, as security breachers tend to attack old code.



What better time to discover this wonderful product than now, when I’ve recently published various blog posts on the security of WordPress blogs? I was amazed to learn about the YubiKey USB token, which secures your WordPress blog with a two-factor authentication mechanism.



Sherif Elsisi has a wonderful blog on WordPress and related stuff, and I was amazed to see the amount of effort he has put in to ensure that bloggers take care of their blogs’ security. He has posted a lot of blog posts and has written about lots of security plugins, and that should help most of you!
