Dodge Web Solutions

Comptia Cybersecurity

By Leave a Comment

Really enjoyed earning a CEU from Comptia by watching (actually re-watching, cause first time I saw it we had a thunderstorm and power went out 3 minutes before end of presentation and I didn’t get credit) the Comptia ChannelCon State of Cybersecurity talk.

Some of the points that caught my ear were

  • One speaker posited a 5900% ROI for the average hacker (TrustWave puts it at a more modest – but still astonishing – 1425%)
  • In fact, hacking is such a profitable business to be in that there are gangs of hackers running actual businesses.  Even have health insurance for their employees, continuous training/development
  • Women “better” at cyber security – we have more “attention to detail” and we “like puzzles” and “enjoy analyzing stuff.”  Gag.  Or…women are people and some people like puzzles and pay attention to detail.  I mean, there is real, demonstrable strength in promoting diversity in hiring.  Different viewpoints make the whole team stronger in planning and problem-solving.  But seriously – women “like puzzles”?
  • Some people in cybersecurity are so tense and stressed that there is a high prevalence of self-medicating with alcohol or other substances.  How can we support our coworkers in this field?  We need to move towards a more collaborative approach and a team-centric setup.  The security and continence of your firm’s data shouldn’t just sit on one person’s shoulders.  That is a lot for one person, especially as this is a constantly changing and expanding field.
  • Cyber security is now just an extension of your personal security.  It affects everyone, and we all need to learn and work together.   We all have a lot of risk, and security is EVERYONE’S business.
  • Website tech support (or sales ) chatbots as the perfect social engineer if they can be hacked – fascinating

    ie, if as part of authenticating a customer or user, we ask for username/pw/PII of whatever sort  …and it’s actually a black hat bot that is just impersonating a customer service bot and saving all that info for later

What do you think – what are you thoughts on the latest cyber security developments?

 

 

One Approach to Updating Your Site’s Version of WordPress

By Leave a Comment

Some people are very reluctant to update their sites – they fear, perhaps not wrongly, that their stuff will break.  So they stand on the deck of their slowly sinking ship (read – outdated website), afraid to step off into potentially shark-infested water.  Well, that is maybe not the best analogy – the newest version of WordPress or your updated themes and plugins are not shark infested water.  Probably.  I mean, they shouldn’t be.

As a brief practical aside, this is not a sustainable way to live your digital life.  You should pick reputable themes and plugins – and pay money for them, so they will be maintained and kept current.  Then you can update without worry.

All this is to say you should update when WordPress pushes out a new version, and you should update your themes and plugins.  But how quickly?  And what is the process to do it safely?

For years, WordPress (and therefore the attendant themes and plugins) averaged updates every 4 months, and, it seems to me, they usually try to time the big releases for the end or beginning of the year.

One school of thought is to immediately update on all minor releases, as those are only bug-fixes and security patches.  You can tell it’s a minor release by the 3rd digit – eg, 5.1.1. Some people wait on the major updates – eg, the latest 5.2 from last week.   Sometimes this is the sort of update to break your site, and sometimes, because these are bigger updates to a lot of WordPress files, there are errors.  And sometimes there is another update almost immediately afterward to fix those errors (please see the list of release dates for major updates and then the next minor update – they are often only separated by days).   So some people wait for that next minor after the major.

As stated above, I use only themes and plugins that I know are actively maintained and will work with the latest version of WordPress.  But I do like to update them on a staging site first.

For further reading:

Slightly dated but still great article on doing your research before clicking update.

Setting your automatic updates in the wp-config file

 

 

An Email “Cat” Among the Pigeons…

By Leave a Comment

Really interesting thread on Reddit this am about someone getting spammed with tons of emails – like 30 or 40 a minute for an hour.  The trick the hackers were trying to pull was to put hide legitimate emails announcing purchases in within the other spam emails.

The emails got through the spam filter because they used a bot to register for email mailing lists from legitimate businesses.  So the emails were not spam…just unneeded/unwanted.  It would be like if I wanted to burgle your house so I invited a bunch of honest strangers over for a fake party; they all walk in and while they don’t mean any harm they confuse you and you don’t notice me, the burglar.  (fun fact – robbing and burgling are two different things.  Perks of a cop husband)

 

When Right Click is Disabled (WTF, amirite?!?!?)

By Leave a Comment

If you’re like me (mouth-breather, loves yo-yo’s and warm potato salad) any visit to an interesting site usually includes casually right-clicking to inspect the element or view the source.  I like to see if I can guess just from looking if it’s a WordPress site.  (I’m right about 80% of the time!)  I came across one yesterday that disallowed it; specifically they blocked it using javascript.

Couple of methods to get around this:

  • Ctrl + Shift + i opens the console (this is the easiest one and what I recommend)
  • Disabling javascript (remember to undo this unless you want to live in a boring world) from the settings of your browser
  • Looking for the specific script and disabling it
  • Pasting in javascript:void(document.oncontextmenu=null); to the browser console (supposedly…I was not smart enough to get this to work, so I had to use one of the first two methods)

What worked for you?

Move Over, Caching

By Leave a Comment

I listened to a few downloaded youtube videos (sort of a choose your own adventure poor man’s podcast) while I was on a recent road trip.  They were by Miriam Schwab, and one was about speeding up your site, (and so was this one) and a very approachable one was about securing your site.  I listened to one about content security policies (and another on the WordCamp 2018 livestream Guitar track, starting at 29:02) which, full disclosure, was a little over my head.  Like, not completely over but I had to stand on tiptoe.  Both were good, especially since they challenge us to start thinking about ways to make our sites faster and and more secure; at the end she talks about her new company Strattic which sounds like it will do both.  Or like caching, only better.

I described it to my dad thus:

Molly: Picture you could make a cardboard cutout of me, and it was ready instantly. 
Dad: So we wouldn’t have to wait for you to get ready before we could leave for breakfast. 
Molly: Yes. 
Dad: Like, it’s just a cardboard cutout so it’s ready to go, we could just pick it up and there’s no waiting. 
Molly: Yes. But also, the cardboard cutout can’t be hurt.  Like, it’s impervious to stab wounds.  So it’s me, it’s the latest version of me, but ready at a moment’s notice and completely secure. 
Dad, interrupting: …stab wounds?!?! 
Molly: What I mean is, in this example I/the website can’t be hurt.  Your site is the latest version, but blazing fast because it’s also static, and un-hackable, because it’s not a living, dynamic thing. 

I’m only curious about how often you’ll need to do changes – obviously on most sites pushing out a new version once a day would be more than fine.  But on huge sites or membership sites it could be a problem.  Also, I guess this wouldn’t work for something like membership site with a discussion board.  And – I’m showing my ignorance here, but I think it would interfere with any contact forms giving confirmation messages, right?

Still, I love the elegance of the security and speed inherent in simply serving a static site.  What do you think?

 

Easy Way to Stop Those Varmints from Stealing Your Images n Stuff

By Leave a Comment

If you don’t lock down your directories, people can come along and poke through them and take your images and sometimes even pirate a copy of your theme.  (though I doubt they’d be able to update it, but still, it’s the principle of the thing)

Easy-peasy fix for this.  But first go test if your site is unsecure at the moment.  I’ll wait.  Type in

mysitename.com/wp-content/uploads

And you’ll likely see a list of your images, themes and plugins.    Yowza!

But there’s a simple fix, just a line of code in your .htaccess file.  Navigate to the .htaccess file you need for any particular site (remember you might need to look in the root directory if it’s the main domain) and paste in

# Disable directory browsing
Options All -Indexes

before the comment ending WordPress (# END WordPress).  Here is another site explaining the steps to prevent people seeing your directories.  They list a few plugins that can do this for as you as well if editing files is not your jam.

  • WP safely disable directory browsing
  • Hide My WP – WordPress Security Plugin
  • AB WP Security

I ran out of time to do the links but if you like you can easily search out these plugins.  Remember to back up your .htaccess file before you start to edit!  And good luck!   

 

Upgrading Your Version of PHP for Fun and Profit

By Leave a Comment

  • What does it mean to upgrade your version of PHP? (start using a newer, better version of PHP to run your site)
  • Why should you do it? (your site will load faster and be more secure)
  • How often should you? (check the releases, but generally…maybe twice a year)
  • Will it hurt? (not if you are doing other stuff right – keeping your themes, plugins and version of WordPress up to date)

Here is what the WordPress community has to say about upgrading your version of php (hint: they’re all for it).  Basically, PHP (which stands for Php Hypertext Preprocessor – pretty cute, that) is the language that runs a WordPress site.  Periodically a new version is developed and released, usually running things faster, better while using fewer resources.  Doing more with less.  The big change was the release of PHP 7.0 in 2015, but as of Nov 2018 we are already up to 7.3

WPEngine has a helpful post about it as well, talking about what PHP is and why you need to keep current.

Overall, PHP 7 is faster, more secure, and significantly more resource efficient than older versions. To give you an example, a site running PHP 7 can handle twice as many visitors as PHP 5 can, using the same amount of memory.

It’s generally agreed that you should aim to be on the latest secure release, not the most recent bleeding edge one.  (though most people are lagging behind updating PHP 7.0 – only less than 1 in 5 sites as of 2018)  And it’s further agreed that you should probably not experience any problems from upgrading to a higher version of PHP.

Probably.

WPMUDEV explains it well:

If you use plugins, themes or scripts on your site that rely on outdated PHP code and you upgrade to a newer version of PHP, the changes from the upgrade would cause old code on your site to be incompatible and break.

It’s not a bad idea to check if your site will be okay with a newer version of PHP by using a plugin like Compatibility Checker.  If you’re always updating WordPress and using reputable, premium, well-supported plugins and themes, you should be all ready to move forward.  However, if your plugin or theme is not being updated frequently, it may not play nicely with a newer version of PHP.  To be honest, you may already be aware of which theme or plugin might cause a problem if something crashed your site after a WordPress version update.  (Remember, if you can’t access the dashboard, you can sftp in or use the cpanel to easily rename and disable your plugins and themes one by one till your site comes back up and you identify the culprit).

A reputable webhost will have the latest couple of versions of PHP available to you to select from via the cpanel.  Remember, you may not be able to upgrade if you’re on a managed WordPress plan (at least from GoDaddy).  And you should always have a backup of your site (files and database) in case things go sideways and you need to restore.

 

 

 

 

Good Habit – Keep Your Hosting and Domain and Backups Separate

By Leave a Comment

You know how the royal family has to travel separately, in order to mitigate risk to the line of succession?  Of course you do, it was the entire plot of King Ralph.  Keeping your domain and hosting separate helps to manage the risk that your site can be hacked.

Think about it – if someone hacks your site, at least they can’t take your domain as well (this is assuming they figured out the account user name and password with the host/registrar).  If they get your domain, that’s a little trickier, but at least your still have your site on the host.  And if your host’s backup of your files fails, at least you have a copy of your site in your DropBox, your Google Drive (and for the extra paranoid, a hard copy of your site on a usb stick, which was a brilliant idea I got from an InMotion support dude.  Not all heroes wear capes, guys)

You’ll also tend to feel kind of stuck if you want to transfer away from that host – and a lot of times those sweet first year hosting plans get pretty pricey the second year.  It doesn’t cost any more to register somewhere other than your web host, and you can just pick one domain registrar and then shop around for a plan to host your sites.  It’s a good habit to spread the risk around and make things harder for hackers.

Also consider two factor authentication and installing wordpress in a subdirectory.  These are simple steps but hackers go for low hanging fruit, so harden up your site, yo.