Tag Archives: Security

My WordPress Test Site Got Hacked

I am sure you’ve heard about the “scandal” in which millions of WordPress sites got “defaced” by those pesky hackers. As it turns out, according to reports from leading security companies, it wasn’t particularly hard to pull off either.

WordPress introduced a REST API which lets you (and others) do all kinds of wizardry remotely. Apparently, that included editing all your posts and pages without providing any kind of credentials. Great job, WordPress!
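The point of the story is that the defacement happened through unauthenticated writes to the REST API, and a web server log is where the trail is left. The script below is an added example, not code from the original post: it parses combined-format access-log lines (the sample lines are constructed) and lists every successful write request to the posts and pages endpoints of the WordPress REST API. Endpoint paths are the public `wp-json` routes; the log format and the assumption that nobody on the site publishes through the API are stated in the comments.

```python
import re
import sys
from collections import Counter

# Constructed sample of combined-format access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:01:02 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2017:10:01:05 +0000] "POST /wp-json/wp/v2/posts/12 HTTP/1.1" 200 812 "-" "python-requests/2.12"
203.0.113.7 - - [06/Feb/2017:10:01:06 +0000] "POST /wp-json/wp/v2/pages/3 HTTP/1.1" 200 640 "-" "python-requests/2.12"
198.51.100.4 - - [06/Feb/2017:10:03:40 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Feb/2017:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Pretty-permalink route and the ?rest_route= form used when permalinks are off.
CONTENT_ENDPOINTS = re.compile(
    r"^/wp-json/wp/v2/(posts|pages)(/\d+)?(\?|$)|[?&]rest_route=/wp/v2/(posts|pages)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_content_write(entry):
    """True for a write-method request aimed at the posts or pages REST endpoints."""
    return entry["method"] in WRITE_METHODS and bool(CONTENT_ENDPOINTS.search(entry["path"]))


def find_rest_writes(log_text):
    """Return (ip, method, path, status) for every content write the server answered with 2xx.
    Assumption: nobody on this site publishes through the REST API, so each hit deserves a look.
    From WordPress 5.0 the block editor saves posts through these same endpoints, so on newer
    sites correlate hits with known editor sessions instead of treating every one as hostile."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_content_write(e) and e["status"].startswith("2"):
            hits.append((e["ip"], e["method"], e["path"], e["status"]))
    return hits


def suspicious_sources(log_text):
    """Count successful content writes per client address."""
    return Counter(ip for ip, *_ in find_rest_writes(log_text))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for hit in find_rest_writes(text):
        print("%s %s %s -> %s" % hit)
    print("writes per source:", dict(suspicious_sources(text)))
```

Run it against a real access log with `python3 restwrites.py /var/log/apache2/access.log` (path assumed); with no argument it runs over the constructed sample and reports the two writes from 203.0.113.7.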

With millions of people being “hacked”, of course my test website couldn’t miss out. You see, I have WordPress sites in all sorts and shapes that I keep up to date. Personal blog. Work websites. Fun blogs. However, there are also my “test blogs”, which I use to test plugins for WordPress. I also have those kinds of sites for Joomla, but that’s another story.

Most of those sites are hosted on Siteground, but one is hosted on a server I shall not name. One where updates don’t happen automatically, and WAFs are non-existent.

Well, my friends, that website got “hacked”. The reason I keep writing “hacked” is because allegedly it takes nearly zero knowledge or effort to pull it off. You just need to know about the exploit, do two minutes of work and you can go crazy.

Which they did. The nice Syrian Peshmerga left a message stating that ISIS sucks and that they’re going to do stuff. I’m guessing it’s related to shooting them. There was also the online pharmacy that wanted to promote some sort of products.

In my case, no damage was done. This is a test site. I don’t update it, because the site is a “throwaway” site. If something is broken, I’ll just start over. There’s the fair expectation that something WILL go wrong. Seeing the REST API hack in action on that site wasn’t scary, it was more of an “Aha, it’s that easy?” moment.

However, can the same be said about those other sites? How about your sites? Can you afford to have your website defaced? Probably not. It would be bad for business.

That’s why you need to make sure your websites are up to date. And educate yourself on what to do when you DO get hacked. To help you with that, here’s a short and sweet strategy guide.

How not to get hacked

  1. Keep your WordPress site up to date. Or, have someone else do it for you. Our friends over at Siteground allow you to enable automatic updates. If I’m not wrong – and I often am – they offer to enable this by default. The feature is super easy – once a new version is released Siteground will roll it out for you. Alternatively, some “installers” like Installatron also roll out automatic updates. Of course, you could do it all manually. Assuming you’ve picked up on the news that an update is released. Unlike Joomla, WordPress doesn’t send reminders that a new version is available.
  2. Make sure you’re using quality web hosting. It’ll protect you from most server-side exploits. And if your hosting company is *really* good they’ll have rules and checks in place to prevent common exploits, like (again) our friends over at Siteground have in place.
  3. Don’t install shady plugins. Or themes. That’s an open invitation to be hacked. And those “cracked” versions of ExpensivePlugin? Yeah, that’s not a good idea either.
  4. If your website is technically sound, make sure that *you* aren’t the weakness. If your password is easy to crack, change it. Websites like HaveIBeenPwned can tell you if you’ve been part of security breaches. That can lead to a big “Oh, shit” moment when you were using the same password everywhere. Also, make sure to enable two-factor authentication.

How to recover from being hacked

  1. Restore your back-ups. What’s that? You didn’t make any, and assume your host is making them for you? While that might be true in some cases, that is NOT a safe bet to make. Set up your own backup tool, like Akeeba Backup or VaultPress, and configure it. Make backups to more than one location. AND TEST YOUR BACKUPS.
  2. Audit your website. Do you know how they got into your website? If not, you probably have no idea how big the damage really is. If your website is used professionally, and your income depends on it, consider hiring an expert who knows what he’s doing. Unfortunately, that excludes most of the $5 freelancers from a certain continent that “claim to be expert in Joomla, WordPress, Drupal, Magento, Grav, Prestashop, OsCommerce, Ghost, Facebook and Microsoft Word.”

    If you are using Joomla, a tool like MyJoomla can help you audit your website. I’m sure similar websites for WordPress exist as well.

  3. Patch your security holes. Don’t just restore your website, and assume you’re not going to get hacked again. You’d be wrong, and stupid to assume that you were just unlucky.

Of course, some people would suggest that my list is missing “Migrate away from WordPress, lol.” I mean, yes. That can be an option if the security holes in WordPress concern you. Just keep in mind that no CMS is perfect, and all of them are prone to security problems. Yes, even the one you built yourself. Especially the one you built yourself.

Do you have tips or suggestions to update our list? Questions about being hacked? Use the comments below to be heard. Please keep the “WordPress sucks lol get gud noob” jokes to a minimum.


Microsoft to Outlook 2016 users: “Trust the certificate, and it all goes away…”

Of course, Microsoft never really said these words to the Mac users using Outlook 2016. Which is by far the best mail client available for the Mac, especially if you grew up with Outlook. If you ignore one error that hasn’t been fixed for ages.

When you are using Office 365 and your website isn’t hosted on the same server as the mail server, you run into a neat little problem: an SSL error. Outlook 2016 is looking at the wrong server (your web host, not Office 365) and says “Hey, this SSL certificate is no good”. It happens whenever your website, which isn’t hosted on Office 365, doesn’t have an SSL certificate installed (get with the times, people, me included). Which is, basically, every website.
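Before clicking “always trust”, it is worth knowing exactly what the warning is about: which host Outlook reached and which names the certificate there actually covers. The script below is an added example, not from the original post or from Microsoft’s KB article. It makes a fully verified TLS connection to a hostname and reports why verification fails, and it carries the certificate name-matching rule as a separate function so the logic can be read and tested without a network. The hostname and port are whatever you pass on the command line.

```python
import socket
import ssl
import sys


def names_match_host(cert_names, hostname):
    """The usual certificate name rule: an exact match, or a single leftmost-label
    wildcard ('*.example.com' covers 'www.example.com' but neither 'example.com'
    nor 'a.b.example.com'). Comparison is case-insensitive."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # Wildcard only in the leftmost label, and only for the same label count.
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def explain_tls_warning(hostname, port=443, timeout=5):
    """Connect with verification on and return 'ok', or a one-line reason for the failure.
    A 'name mismatch' answer means the server has a certificate, just not for this name,
    which is the situation Outlook complains about when it lands on the web host."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                san = tls.getpeercert().get("subjectAltName", ())
                names = [value for kind, value in san if kind == "DNS"]
                if names_match_host(names, hostname):
                    return "ok"
                return "name mismatch: certificate is for " + ", ".join(names)
    except ssl.SSLCertVerificationError as e:
        # e.g. hostname mismatch caught by OpenSSL, self-signed, expired, unknown CA
        return "verification failed: " + (e.verify_message or str(e))
    except (OSError, ssl.SSLError) as e:
        return "connection failed: " + str(e)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(target, "->", explain_tls_warning(target))
```

Run `python3 tlscheck.py yourdomain.example` (file name assumed): a “verification failed” or “name mismatch” line tells you the certificate on that server is not for the name Outlook used, which is something to fix on the web host, not something to trust away.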

So, anyway, this error is pretty well known to the folks at Microsoft and instead of doing something about it, they’re telling people to just ignore the error. It’s okay. You can just click to always trust the certificate, and the problem is gone!

While that technically solves the problem, it’s not exactly the most security minded advice, Microsoft. How about an actual explanation on how to solve the problem when your site is hosted on your own server? A tip on how to re-issue the certificate? You’re just going to choose to focus on telling people to ignore warning messages in a time when that very same Outlook 2016 offers support for encryption and digital signing? Okay, then.

In case you’re wondering what I’m talking and ranting about, here’s the official KB article on the problem. Short. To the point. The security equivalent of “Did you try turning it on and off again?”

Enjoy the article in its full glory here.

Spike in attempts to abuse old Joomla exploits

Is your mailbox currently blowing up with Admintools notifications? Then you’re not alone. We’re noticing a definite spike in attempts to abuse Joomla exploits. The exploits the “attackers” are using are for older versions of Joomla.

Using Admintools or a similar tool will help you block these malicious attempts to screw with your site. But rather than just blocking the attempts, it’s better to make sure that the holes aren’t there in the first place.

How?

Make sure that you’re running the latest version of Joomla. We know it’s not always within your means to update that 2.5 or 1.5 website. Clients aren’t willing to pay. And you don’t work for free. We get that.

But, if it’s within your means, now is a good time to update those older sites. Actually, last year was a good time, but it’s better to be late than sorry. Joomla 3.x is the latest release and should be supported for a long time from now.

On top of a more secure version, you’ll get the following features:

  • A CMS that wasn’t built years ago
  • A faster Joomla
  • Better UI with more configuration options
  • Detailed UI
  • No more “Your old crap site isn’t supported, you moron” from both developers and your Joomla site itself (See for reference: Joomla 2.5 sites displaying a message it’s outdated)

Gentlemen, start your analysis of your old sites and get to updating.
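If you look after more than a handful of sites, the first step of that analysis is finding out which ones are still on 1.5 or 2.5. The inventory script below is an added example, not from the original post or from the Joomla project. It reads the version constants straight from each site's files, so it works on sites whose administrator login you no longer remember. The file locations and constant names are from memory of the Joomla source tree for the releases mentioned in the post (`libraries/joomla/version.php` for 1.5, `libraries/cms/version/version.php` for 2.5 and early 3.x, `libraries/src/Version.php` for 3.8 and later); check them against your own installs. The demo builds two constructed fake sites in a temporary directory.

```python
import os
import re
import sys
import tempfile

# Files carrying the version constants (from memory of the Joomla tree; verify locally).
VERSION_FILES = (
    "libraries/joomla/version.php",       # Joomla 1.5
    "libraries/cms/version/version.php",  # Joomla 2.5 and 3.0 - 3.7
    "libraries/src/Version.php",          # Joomla 3.8 and later
)

# Older style: $RELEASE = '2.5'; $DEV_LEVEL = '28';  (also `const RELEASE = ...` in 3.8)
RELEASE_RE = re.compile(r"\$?RELEASE\s*=\s*'([\d.]+)'")
DEV_LEVEL_RE = re.compile(r"\$?DEV_LEVEL\s*=\s*'(\d+)'")
# Newer style: const MAJOR_VERSION = 3; const MINOR_VERSION = 9; const PATCH_VERSION = 4;
SEMVER_RE = re.compile(r"const\s+(MAJOR|MINOR|PATCH)_VERSION\s*=\s*(\d+)\s*;")


def parse_version(php_source):
    """Return 'x.y.z' from the text of a Joomla version file, or None."""
    parts = dict(SEMVER_RE.findall(php_source))
    if all(k in parts for k in ("MAJOR", "MINOR", "PATCH")):
        return "%s.%s.%s" % (parts["MAJOR"], parts["MINOR"], parts["PATCH"])
    rel = RELEASE_RE.search(php_source)
    lvl = DEV_LEVEL_RE.search(php_source)
    if rel and lvl:
        return rel.group(1) + "." + lvl.group(1)
    return None


def site_version(site_root):
    """Try each known version file under a site's document root."""
    for rel_path in VERSION_FILES:
        path = os.path.join(site_root, rel_path)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            if version:
                return version
    return None


def version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def inventory(sites_dir, minimum="3.0.0"):
    """Map each subdirectory of sites_dir to (version or None, needs_update)."""
    report = {}
    for name in sorted(os.listdir(sites_dir)):
        root = os.path.join(sites_dir, name)
        if not os.path.isdir(root):
            continue
        version = site_version(root)
        outdated = version is not None and version_tuple(version) < version_tuple(minimum)
        report[name] = (version, outdated)
    return report


def demo():
    """Constructed fixture: two fake sites written to a temp dir, then inventoried."""
    base = tempfile.mkdtemp()
    fixtures = {
        "oldshop": "<?php\nfinal class JVersion {\n\tpublic $RELEASE = '2.5';\n\tpublic $DEV_LEVEL = '28';\n}\n",
        "newblog": "<?php\nfinal class JVersion {\n\tpublic $RELEASE = '3.6';\n\tpublic $DEV_LEVEL = '5';\n}\n",
    }
    for site, source in fixtures.items():
        full = os.path.join(base, site, "libraries/cms/version/version.php")
        os.makedirs(os.path.dirname(full))
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(source)
    return inventory(base)


if __name__ == "__main__":
    report = inventory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for site, (version, outdated) in report.items():
        print("%-12s %-8s %s" % (site, version or "?", "UPDATE" if outdated else "ok"))
```

Point it at the directory that holds your document roots, e.g. `python3 joomla_inventory.py /var/www` (path and file name assumed). The `minimum` argument decides what counts as outdated; 3.0.0 matches the post's advice that 3.x is the release to be on.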

Watch out for fake invoices!

Users and anti-virus companies are reporting a large number of spam messages which contain fake invoices. The senders aren’t out for your money, but they’re interested in infecting machines. The invoices are fake, and opening the files can or will infect your machine.

Word documents

There’s a few ways to detect these fake, virus-ridden invoices right off the bat – so keep them in mind.

  • Word documents: If the attachment is a Word document, don’t open it under any circumstance. No self-respecting company would send you an invoice using an editable document format like a Word document. The reason they’re sending these Word documents is that they contain macros which run on opening the document, to infect your machine.
  • You didn’t order anything: This should be an obvious give-away; if you didn’t order anything you’re not supposed to get an invoice. Most self-respecting vendors allow you to lookup your invoices on their sales platform, anyway.
  • Your anti-virus kicks it in the ass: If you’ve got a decent anti-virus solution which includes e-mail scanning, such as Gdata’s Internet Security solution, you won’t even get to see the mail – or the attachment – as they’re taken care of before they reach your inbox.

Of course, there are exceptions to the first rule. PDFs which trigger malicious code are also on the rise. So, the golden rule is “If you didn’t order anything, don’t open that invoice.”
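The tell-tale of the Word trick is that the macro travels inside the file, so a mail gateway or a careful admin can check for it without opening anything. The classifier below is an added example, not code from the original post or from any anti-virus product. It looks inside an attachment rather than trusting its name: a modern Word file is a zip, and a VBA project shows up as a `vbaProject.bin` part (renaming `.docm` to `.docx` does not remove it); a legacy binary `.doc` starts with the OLE compound-file magic and cannot be cleared without a real OLE parser, so it is flagged as well; for PDFs it applies a crude keyword check for active content. All sample files are constructed in the code.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container (.doc/.xls)
MACRO_PART = "vbaproject.bin"                     # VBA project part inside an OOXML zip
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Names that mark active content in a PDF. They can be split or hex-escaped in a
# hostile file, so only a hit is meaningful; a miss is not proof of safety.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA")


def classify_attachment(filename, data):
    """Classify an attachment by content:
       'macro'      OOXML file carrying a VBA project, or a macro-enabled extension
       'legacy'     binary .doc/.xls: macros cannot be ruled out here, treat as hostile
       'office'     OOXML document without a VBA part
       'pdf-active' PDF with JavaScript / auto-action markers
       'pdf'        PDF without such markers
       'other'      anything else
    """
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if data.startswith(OLE_MAGIC):
        return "legacy"
    if data.startswith(b"%PDF"):
        return "pdf-active" if any(m in data for m in PDF_ACTIVE_MARKERS) else "pdf"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return "other"
        if "[content_types].xml" not in members:
            return "other"  # a zip, but not an Office package
        if any(m.endswith(MACRO_PART) for m in members) or ext in MACRO_EXTENSIONS:
            return "macro"
        return "office"
    return "macro" if ext in MACRO_EXTENSIONS else "other"


def should_quarantine(filename, data):
    """Policy from the post: Word attachments with macros never reach the inbox;
    legacy binaries and PDFs with active content get the same treatment."""
    return classify_attachment(filename, data) in ("macro", "legacy", "pdf-active")


def make_ooxml(with_macro):
    """Constructed minimal OOXML-shaped zip (test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docx", make_ooxml(False)),
        ("invoice.docx", make_ooxml(True)),          # .docm renamed to .docx
        ("invoice_2017.doc", OLE_MAGIC + b"\x00" * 64),
        ("invoice.pdf", b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R >>\n"),
    ]
    for fname, blob in samples:
        print("%-18s %-11s quarantine=%s" % (fname, classify_attachment(fname, blob),
                                             should_quarantine(fname, blob)))
```

Plug `should_quarantine` into whatever reads attachments on your mail path; the useful property is that it decides on the bytes, so a sender cannot talk their way past it with a friendly file name.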

Be safe, kids. It’s a dark place out there.

Akeeba brings “single touch login” to Joomla with Yubikey

Akeeba is best known for its flagship product, Akeeba Backup. However, they don’t stop at making back-ups of your site. The latest, completely free addition to their offering is a plug-in which integrates the Yubikey token with Joomla 2.5 and above.

A Yubikey is a reasonably priced hardware token, which you plug into your USB port. Upon touching the “golden disk” it sends a one-time password to your computer. Hardware tokens like the Yubikey can do wonders in making authentication safer – and they’re now supported by Joomla!

Single Touch or Two-Factor

When you install and configure the plug-in you can use the Yubikey to log into Joomla. In Joomla 2.5, you can log in by simply touching the Yubikey button – you don’t even need your username. One touch of the button and you’re good to go.

In Joomla 3.2, you can combine your Yubikey with the built-in two-factor authentication, making for a very secure logon. You can configure your account so you need a user name, password, AND a single touch of the gold disk. Secure? You bet.
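Why no username is needed becomes clear once you see what a Yubico OTP looks like: the first part is a fixed public ID that identifies the key, the last 32 characters are the encrypted one-time token, and a validation server decides whether that token is genuine and unused. The code below is an added example, not the Akeeba plug-in's code (the post does not describe how the plug-in verifies the OTP); it assumes the OTP is checked against a Yubico validation server using the v2.0 validation protocol (HMAC-SHA1 over the sorted parameters with the client API key) and stands in a constructed fake server for the real one. The user mapping, API key and OTP are all constructed.

```python
import base64
import hashlib
import hmac
import secrets

MODHEX = "cbdefghijklnrtuv"  # the alphabet a YubiKey types its OTP in
USERS = {"cccccccccccc": "admin"}  # constructed: public ID -> Joomla account
DEMO_API_KEY = base64.b64encode(b"constructed-demo-key-16b").decode()
SAMPLE_OTP = "cccccccccccc" + "bdefghijklnrtuvc" * 2  # constructed, well-formed OTP


def split_otp(otp):
    """Return (public_id, token): last 32 chars are the encrypted token, the rest is the
    public ID that selects the account, which is why no username has to be typed."""
    otp = otp.strip().lower()
    if not 34 <= len(otp) <= 64 or any(c not in MODHEX for c in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32], otp[-32:]


def sign_params(params, api_key_b64):
    """v2.0 signature: sort parameters (excluding h), join as a query string,
    HMAC-SHA1 with the base64-decoded API key, base64-encode the digest."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(otp, client_id, api_key_b64):
    """Signed verify request; the random nonce lets us tie the answer to this request."""
    params = {"id": str(client_id), "otp": otp, "nonce": secrets.token_hex(16)}
    params["h"] = sign_params(params, api_key_b64)
    return params


def parse_response(text):
    """Responses are key=value lines."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def verify_response(text, api_key_b64, sent):
    """Accept only if the server signature checks, the echoed otp and nonce are the ones we
    sent (no substituted or replayed answer), and status is OK."""
    r = parse_response(text)
    if "h" not in r or not hmac.compare_digest(sign_params(r, api_key_b64), r["h"]):
        return False
    return r.get("status") == "OK" and r.get("otp") == sent["otp"] and r.get("nonce") == sent["nonce"]


def fake_server_response(req, api_key_b64, status="OK"):
    """Constructed stand-in for a validation server (not YubiCloud). A real server decrypts
    the token with the secret it holds for that public ID and checks the counters first."""
    r = {"t": "2017-02-06T10:00:00Z0000", "otp": req["otp"], "nonce": req["nonce"],
         "status": status, "sl": "100"}
    r["h"] = sign_params(r, api_key_b64)
    return "".join("%s=%s\n" % (k, v) for k, v in r.items())


def login_with_otp(otp, client_id, api_key_b64, validator=fake_server_response):
    """The single-touch flow: public ID picks the account, the validator decides whether the
    token is genuine and unused. Returns the username, or None when login must be refused."""
    try:
        public_id, _token = split_otp(otp)
    except ValueError:
        return None
    user = USERS.get(public_id)
    if user is None:
        return None
    req = build_request(otp, client_id, api_key_b64)
    return user if verify_response(validator(req, api_key_b64), api_key_b64, req) else None


if __name__ == "__main__":
    print("login as:", login_with_otp(SAMPLE_OTP, 1, DEMO_API_KEY))
```

In the two-factor variant from Joomla 3.2 the same check simply runs after the password has been verified; the difference is only whether the public ID is allowed to pick the account on its own.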

We’d love to write more in this review, but the concept is so simple we ran out of things to say. Here’s a breakdown:

  • The plug-in is absolutely free.
  • Works in Joomla 2.5 but offers even more features in Joomla 3.2
  • A token costs €22; there’s no setup. Plug it in and it works.

If you can’t wait to test this out for yourself, here’s two essential links: