Archive for Security

Hack Prevention: Maintenance & Security Vulnerability news you need to know

A New WordPress Version!

WordPress is now at 4.7.2, and you MUST be updating your site, or having someone like Wordflirt do it, because a vulnerability that was fixed in this release has been actively exploited. As of February 6, 2017, over 300,000 sites had been compromised. Yikes!!!

(Note: as of mid-March, WordPress is up to 4.7.3 – more on this next month).

Password Managers

Click on the link for a great review of password managers, if you're interested. The great things about them are:

  • They remember the passwords for you – you don’t. Typically you might have to remember ONE password.
  • You can easily have different passwords for different sites.
  • You can have much stronger passwords.
  • It can automatically fill in password credentials for you.
  • They sync across all of your devices.

The above is SO critical because even the best of the best has security incidents, including a service we have used in the past: Cloudflare. Apparently millions of passwords and chat messages passing through it could have been exposed. A password manager limits the damage from a leak like that: a password leaked from one site is unique to that site, so it can't be reused against your other accounts.

Most of the web is now Encrypted!

It’s happened! More than 50% of web traffic is now encrypted: https://wptavern.com/more-than-50-of-web-traffic-is-now-encrypted. Having HTTPS on your site also helps your SEO ranking, as Google announced a few years ago that it uses HTTPS as a ranking signal in its search results. Plus, Google's Chrome browser now shows a mild warning in the address bar if a site is not served over HTTPS:

[Screenshot: the browser address bar for a site without HTTPS]

versus showing this:

[Screenshot: the browser address bar for a site served over HTTPS]


Then if you click on the “i” with the circle in it, you’ll see this:

[Screenshot: the page-information panel for a site without HTTPS]

So it really makes sense these days to install an SSL certificate. We can quote you on this if you wish.

An Incredibly Clever Phishing Email

Claudia received a very clever phishing email:

From: “Cadwalader, Wickersham and Taft LLP” <cwtinfo@cadwalader.com>

Subject: Fraudulent card charge

Date: February 8, 2017 at 10:31:04 AM PST

To: <claudia@thewordflirt.com>

Who the f___ are you and why is there a charge from thewordflirt.com on my card?
Here you can view my statement, get back to me asap.
Bofa_card_statement_claudia.doc (this was a link)

Thank you
Nadine Barrera

The “document” she could click on was not an attachment at all but a link to a website, one that would very likely have infected her computer with malware had she clicked it. So be EXTREMELY careful with links in your emails. Hover over a link (or right-click and copy it, then paste it into the address bar without pressing Enter) to see the real destination before you load it, and if the domain isn't one you recognize and expect, don't open it at all.

Phew – it can be nasty out there! It’s so important to protect yourself, and we take extra steps to protect your website that most don’t.

Any questions or needs you might have, just send us an email or give us a call!

January 2017 Maintenance and Security updates you need to know

As expected, WordPress 4.7.1 was released in January, specifically on January 11. It fixed eight security issues that affected WordPress 4.7 and earlier. Then on January 26, version 4.7.2 was released to fix three additional security issues. The same fixes were applied, as appropriate, to sites still on the 4.6.1 line.

Normally we wait a month to update our WordPress sites to major versions (like 4.6 to 4.7) because of potential incompatibilities between the WordPress version and plugins and themes, as well as for bugs to be fixed. WordPress is at such a stable point in terms of features that most things are just nice enhancements, and waiting is fine.

However, security updates for WordPress, and for the themes and plugins we use, go out to all our client sites as fast as possible. In fact, minor WordPress releases like 4.7.0 to 4.7.1 are allowed to update automatically, since they nearly always contain security fixes.

W3Techs has ranked WordPress as the fastest growing CMS. More people using it leads to two things:

  1. More plugins, themes, and options when you choose to upgrade your site
  2. More people trying to hack into your site

A great tool that we use for some things, which we recommend to our clients to use, is Trello. It allows you to create a “flow” to any major activity, such as keeping track of tasks, a sales pipeline, a bug list, etc. It’s free for most things you’d want to do.

A highly effective Gmail phishing technique has been going around. It tricks you into signing in on a Google look-alike page, and the URL in the address bar looks authentic at first glance! A lot of technically savvy people have been stung by this. Please be careful and keep your antenna up: look closely at the whole address bar before typing a Google password, and turn on two-step verification so a stolen password alone isn't enough.

Passwords remain terrible on the world wide web. Keeper Security analyzed 10 million passwords that became public via data breaches in 2016 and found that nearly 17 percent of users were protecting their accounts with “123456,” which Keeper ranked as the most common password of 2016! Can you believe that??? We can’t over-emphasize it: don't use repeated or simple passwords.

December 2016 Maintenance and Security update

WordPress 4.7 was released on December 6. We haven’t seen any compatibility issues yet, but we are still planning on waiting to update until sometime in January, as per our policy to wait at least a month before moving to a major WordPress update.

We anticipate 4.7.1 being released sometime in January, so we will likely wait for that: 4.7 has no known security issues, but it does have some bugs we want resolved first.

If you’ve not heard of “ransomware” before, this article discusses it, but it also talks about something even more insidious. Ransomware locks a PC and demands payment to unlock it; in this case, however, a second option is presented to the victim: instead of paying the ransom, they can try to infect other PCs. With the ransom here amounting to over $700, some people will be tempted.

As we’ve written about before, here are the best ways to stay free of problems:

  1. Have strong passwords
  2. Don’t use the same password for multiple accounts
  3. Have antivirus running, especially on your PC
  4. Keep your software on the PC and phone up-to-date
  5. Backup regularly just-in-case
  6. Avoid clicking on links in your emails – use your common sense.

This is REALLY important, as even big companies get breached, such as Yahoo’s recent disclosure that more than one BILLION accounts were compromised!

Another example: Sony Music’s Twitter account was hacked and tweeted out “Britney Spears is dead”. If this type of hack happens to you and you reuse passwords, then the attacker now has the password to your other accounts too. Please don’t use the same password for multiple accounts.


For your website, we are strongly considering two additional measures for protection. While they are inconvenient for you, they are effective at preventing unauthorized logins, particularly logins made with a password that leaked from some other site:

  • Force you to change your password every 90 days (very likely to implement)
  • Force you to use two-factor authentication, so that a password alone is not enough to log in

Sometimes large hosting companies have major network outages with long downtime. Bluehost has had this happen a couple of times; most recently it was down for 12 hours in December. That’s one hosting company we avoid using. However, it can happen to anyone, so just in case it does, we keep offline backups we can use to restore a site.

Any questions or needs you might have, just send us an email or give us a call!

Email Warnings

Do you get emails like this?

[Screenshot: a LinkedIn-branded spam email]

I get stuff like this all the time. It’s usually some threat that my computer is infected or I’ve done something wrong on Twitter or in one case, someone was claiming to be from China and was going to buy a Wordflirt URL even though it’s trademarked. All scams!

Here’s a quick way to tell:

Now I’m on a Mac, so this may look different for you. If you hover over the “from” email address, or even click once on it, you should see the true email address. If that doesn’t work, hit “reply” and see whom it’s addressed to. See below for an example.

[Screenshot: the sender's real email address revealed behind the “LinkedIn” display name]


As you can see, this is NOT a LinkedIn email address. Another clue is that they did not address it personally – every email I get from LinkedIn addresses me by name. Finally, LinkedIn’s emails are branded with their logo.
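The three tells above (the real address behind the display name, where a reply would actually go, and where a link really points, as in the “card statement” phish in the February post) can be checked mechanically. The script below is an added example, not Wordflirt's own tooling: it runs those checks over a raw message using only Python's standard library. The sample message, its addresses and its hosts are constructed for the example and use reserved .example names; the registered-domain helper is a deliberate simplification (it takes the last two labels of a host name rather than consulting the Public Suffix List).

```python
"""Quick sender and link checks for a suspicious email (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the LinkedIn-branded spam and the
# "card statement" phish described in the posts. Nothing here is real.
SAMPLE_RAW = """\
From: "LinkedIn" <notifications@linkedin-notify.example>
Reply-To: recovery@mail-drop.example
To: me@example.com
Subject: Fraudulent card charge
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Here you can view my statement, get back to me asap.</p>
<p><a href="http://mail-drop.example/dl/statement.php">Bofa_card_statement_claudia.doc</a></p>
<p><a href="https://www.linkedin.com/">https://www.linkedin.com/</a></p>
</body></html>
"""

# Link text that looks like an attachment but is really a hyperlink.
DOC_SUFFIXES = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".zip")


def registered_domain(host):
    """Last two labels of a host name, e.g. 'linkedin-notify.example'.
    Simplification (assumption of this example): real code should use the
    Public Suffix List so that names like 'example.co.uk' group correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address):
    """Registered domain of an RFC 5322 address, or '' if it has none."""
    _, addr = parseaddr(address)
    return registered_domain(addr.rpartition("@")[2]) if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return a list of findings for a raw RFC 5322 message; [] means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. The display name claims a brand that the sending domain does not carry.
    #    Limit: a From header forged to the brand's real domain passes this
    #    test, which is why the two checks below matter as well.
    from_header = str(msg.get("From") or "")
    display, _ = parseaddr(from_header)
    from_dom = _domain_of(from_header)
    name_tokens = re.findall(r"[a-z0-9]+", display.lower())
    if name_tokens and from_dom and from_dom.split(".")[0] not in name_tokens:
        findings.append(f"display name {display!r} but sender domain is {from_dom}")

    # 2. A reply would go somewhere other than the claimed sender.
    reply_dom = _domain_of(str(msg.get("Reply-To") or ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text that misrepresents the destination: a "document" that is a
    #    link, or a URL shown as text whose host differs from the real href.
    body = msg.get_body(preferencelist=("html",))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if text.lower().endswith(DOC_SUFFIXES):
            findings.append(f"'document' {text!r} is really a link to {host}")
        elif text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_RAW):
        print("FLAG:", finding)
```

Run on the sample, it flags all three tells: a “LinkedIn” display name on a linkedin-notify.example address, a Reply-To on yet another domain, and a “.doc” that is really a link to that domain; the genuine-looking linkedin.com link passes. The first check is tuned for branded mail, so a personal sender (“Claudia” at thewordflirt.com) would trip it; treat the findings as prompts to look closer, not as a verdict.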

Seeing emails like these annoys me, especially because I know there are people who fall for them and end up clicking on the link provided. Who knows what’s waiting for them on the other end?

My advice to you – DELETE!

Hope this helps!