Dec 19

How to secure your WordPress website?

In our previous article we learned “How to Build a WordPress Website”, and today we are looking closely at the most important aspect of a website: its security.
One of the worst things that can happen to you online is to invest your time and effort into building your website and then, out of nowhere, have it hacked by some 10-year-old hacker wannabe for no particular reason. Fortunately, there are many plugins that can help you increase the security of your WordPress website, and we are going to look at the most popular of them.

However, before we begin with our list of favourite WordPress security plugins, please make sure that you follow the 4 simple rules below in order to prevent security issues with your WordPress website.

1. Always make sure your WordPress installation, its themes and its plugins are updated to their latest versions. Believe it or not, outdated code is the most common way in: the vulnerabilities in old versions are public, and hackers use them to exploit your website.

2. Remove any unused WordPress themes and/or plugins. If you do not use it, remove it from your website. This reduces the number of potential security holes in your website and makes it harder to exploit. Keep in mind that a deactivated plugin still has its files on disk, where they can be reached directly, so deactivating is not enough: delete it.

3. Make sure that your local computer is free of malicious software and is regularly scanned with up-to-date and, most importantly, trusted antivirus software. This matters because if your computer is infected, your login details can be intercepted as you type them into the admin login form and then used to hack your website. That is why it is important to keep your computer clean of viruses.

4. Perform regular backups. It is one of the easiest things to do: just download your website's files and folders, and a dump of its database, to your local computer regularly, in case something unwanted happens to the website. As a leading hosting provider, we at TMDHosting perform regular backups of your website files and database. However, a local backup on your computer gives you one additional layer of safety, which is always a good thing.

WordPress is one of the most popular CMS applications and has a very extensive catalogue of plugins that you should take advantage of. For your convenience we have selected the 5 most popular and, in my opinion, best plugins with which you can increase the security of your WordPress website. Let's take a look:

1. Akismet

Akismet - Fight the spam with Akismet WordPress plugin
This plugin comes by default with every WordPress installation for a reason. Unfortunately, it is also one of the most overlooked plugins of all time: it ships inactive, and it does nothing until you activate it and enter an Akismet API key. What Akismet does is protect your website's comments from spam, and trust me, Akismet is really good at it. You can read more on how to fight spam in one of our previous articles, “How to fight the internet trolls and spam bots in your site comment section”, written by Morgan Collins.

You can download this plugin from the following url: http://wordpress.org/plugins/akismet/

2. Captcha 

Captcha - WordPress plugin which will spam-proof your website
Even though it has mythical superpowers, Akismet sometimes cannot protect you from all of those aggressive spam bots. This is where the Captcha plugin comes in, by adding an additional verification box to your website's comment and login pages. This stops the clever spam comments that slip through Akismet's fingers and should spam-proof your WordPress website.

You can download this plugin from the following url: http://wordpress.org/plugins/captcha/ 

3. Limit Login

Limit Login - Protect your WordPress website from bruteforce attacks
While the two plugins above protect your website from unwanted spam comments, Limit Login protects your WordPress administration area directly, by blocking several kinds of attack on the login form, such as dictionary attacks and random password guessing. If someone tries to log into your WordPress admin area too many times, Limit Login locks down the login form and bans the attacker temporarily. The sweetest feature of this plugin, however, is that it immediately e-mails you when someone has made malicious attempts to hack your website. Keep in mind that the lockout is tracked per IP address, so it slows down a single machine far more than a botnet spreading its guesses over many addresses; a strong, unique admin password is still the real defence.

You can download this plugin from the following url: http://wordpress.org/plugins/limit-login-attempts/ 

4. Better WP Security

Better WP Security - Security suite for every WordPress website
Once your comments are protected from spam bots, you should take care of the security of your WordPress website itself and protect it from hacker wannabes. The Better WP Security plugin bundles some of the best WordPress security features and techniques, ready to be applied to your WordPress site instantly in order to increase its security.

As with every plugin, I highly recommend that you familiarize yourself with it first: it can, for example, change the admin login URL as a security measure, and you might lock yourself out of your own website. However, if you run into issues with your plugins, you can always submit a ticket to our Genius Support team, who are always available to help you out of any situation.

You can download this plugin from the following url: http://wordpress.org/plugins/better-wp-security/ 

5. WP Updates Notifier

WP Updates Notifier - Be always up to date.
More than 90% of hacked WordPress websites are hacked because either the installation was outdated or one of its third-party themes or plugins had a security hole. This humble free plugin notifies you by e-mail whenever an update is available for your installed plugins, themes or WordPress core files. I find it very useful because I manage multiple WordPress websites, some of which are quite old and not regularly administered. With this little plugin you can always be up to date which, as we already mentioned, is crucial for your website's security.

You can download this plugin from the following url: http://wordpress.org/plugins/wp-updates-notifier/

To sum up: the plugins above are more or less essential for the security of every WordPress website. Unfortunately, no single plugin can give you a 100% guarantee that your website is secure from malicious activity. For this reason, you might want to consider installing several of the plugins we discussed. You can also browse the extensive WordPress plugin library and choose the plugins you want to try, but remember to read the user reviews and avoid installing low-rated plugins.

Do you have your favourite WordPress security plugins? Share them in the comments below and stay tuned for our next article and most importantly – stay safe!

Nov 27

Achieving military-grade security is possible in shared hosting environment!

Hello everybody! It is Simon Davis from the TMDHosting Genius Support Team and it is #TechWednesday :) In today's article I want to talk about one of the roads we have recently taken to secure our clients' websites, and with them their intellectual property, which is the most valuable thing on the web these days. If you have been keeping an eye on us recently, you will have heard about our so-called web firewall. So, here is some information from behind the curtains!

Let's start with the statistics the professionals publish.

Between 12 and 14 million of the search queries Google answers every day return a warning that some of the results point to malicious content, in other words to sites that have been compromised one way or another.

Pretty bad isn’t it?!

Another, even worse, statistic: every day Google finds over 9,000 newly infected websites serving malicious content, whether viruses, phishing pages or redirects to other infected websites.

Here at TMDHosting we do not want our customers to be part of that statistic, and every day our security specialists fight malicious activity on our servers to keep it at a minimum.

Over the past year we have been developing several features and improvements to protect our clients' websites, whether or not the website (usually an open-source application) already has built-in protection. The aim is not only to improve the protection the script authors already ship, but to add a completely separate layer of security that is ours alone and, most importantly, reliable.

The sunset of malicious activity!

On a rather cloudy day last year we saw the sun on the horizon and took the long, dusty road towards the sunset of malicious activity, hacked websites and stolen intellectual property. Nobody thought the road would be clear and carefree; instead we prepared for every obstacle on the way to our goal: to build a universal security tool out of already released open-source security software, without affecting the response times or functionality of the websites it protects.

With all this said, I am proud to present the cutting edge of our latest security advancement: ModSecurity, running as an Apache® module.

What exactly is ModSecurity and why is it a must these days?

Behind the short, self-explanatory name is a powerful open-source Web Application Firewall (WAF) that analyzes web requests: it inspects every request made to the web service on our servers. ModSecurity is distributed in two main forms:

  1. Standalone – used when the web server does not support dynamically loaded modules, as with Nginx. In that case ModSecurity is compiled together with the source code of the web server itself. More information can be found on the official page, ModSecurity for Nginx.
  2. As a module for Apache®, the most widely deployed web server – this is how we have implemented the ModSecurity WAF, and we find it the most useful and convenient option. Every request made to the server is processed and checked for malicious content, which is exactly what ModSecurity is built for.

As mentioned above, ModSecurity is a Web Application Firewall that provides a high level of security for our clients' websites. The way it works is straightforward and depends entirely on the rule set, in this case written by our security specialists. That's right, I said "rules".

Like every firewall, ModSecurity needs a way to filter incoming data (in our case web requests). This is where its rule engine comes in handy: it lets every element of an incoming request be inspected and checked for malicious content.

We have configured ModSecurity mainly around the data submitted in the URL (GET requests) and the data submitted through forms (POST requests) on our clients' websites. There are a few common techniques used in hacking attempts, and below I cover some of them together with the way ModSecurity prevents them.

  • SQL Injections - An SQL injection is the act of sending specially crafted input, via a POST or GET parameter, to a data-driven script (typically one backed by a MySQL database, as most open-source applications are) so that the input becomes part of a query the script sends to the database. The result is that a query is changed from what the developer intended; the consequences range from a piece of information on the website being altered to complete control over the client's website. ModSecurity protects against this by filtering the parameters passed via POST or GET requests. If a parameter contains phrases commonly used in injection attacks, ModSecurity terminates the request before it reaches the script and sends an error page to the browser that made the request.

    Here is an example of an SQL injection performed via the URL of your website:

Original URL: http://domain.com/blogposts.php?id=1
SQL injection included in the URL: http://domain.com/blogposts.php?id=-130 union select all 1,concat(username,0x3a,password),3,4,5,6 from username

Because the id parameter is placed straight into the SQL query, whatever arrives in the GET request ends up in that query. When the URL carrying the injection is submitted, the script handling it not only accepts the SQL in the URL but runs a perfectly valid query against the database, displaying the username and password exactly as the injected statement asks.

Of course, the above example is for demonstration purposes only.

ModSecurity fetches the id parameter and checks it for, among other things, a "union" statement. Since no known open-source application or custom script legitimately passes SQL through its URL (GET request), it is highly suspicious that this one does. So instead of passing the request on to the script, ModSecurity terminates it and returns a 406 Not Acceptable error page. Keep in mind that this is pattern matching, not SQL parsing: encoded or obfuscated payloads can slip past a signature, so the WAF is a second line of defence behind properly parameterized queries in the application, not a replacement for them.

  • Malicious User-Agents - This is a list of malicious user agents that we have gathered over the years and collected from major security experts and search engines. Each of them has been seen, one way or another, performing malicious activity with the requests it sends to the server, for example:

spamming your website with comments
creating fake registrations for spamming purposes
flooding the server with connections (DDoS related)

and many more. ModSecurity checks the User-Agent of every visitor to your website and, if it matches one of the malicious user agents in our (quite large) list, terminates the request and returns a 406 Not Acceptable error page to its source. Note that the User-Agent header is supplied by the client and is trivial to change, so this check stops lazy bots rather than determined attackers.

  • Malicious file uploads - This technique places a malicious script directly in the web space where the website's files and folders are stored. It is the attack that succeeds most often, because most scripts in use today (not to say all of them) let registered users upload a picture as a profile avatar, and not every upload form is used for its intended purpose. Many forms, mostly provided by plugins and templates, offer file uploads without checking the type of the file submitted. This lets an attacker register a profile and upload a script, which is stored in a temporary or common upload folder that is accessible over the web.

The result is that whoever uploaded the file gets control of the entire website; from that point on its files, folders and content are at the mercy of the attacker. In most cases the attacker only replaces the index.php file and leaves traces (usually text and pictures) announcing that the website has been hacked. In rarer cases they delete all of the client's files and folders and leave no trace that the deletion took place.

ModSecurity not only checks uploaded files for malicious content but also matches their names and hashes against a large database of known malicious file names and hashes. When such a file is detected, the upload is discarded and a 406 Not Acceptable error page is returned to the uploader.

Even if ModSecurity misses such a file and it does land on the server, it cannot be used. Another strength of ModSecurity is that it inspects the output of every request: when the uploaded file is accessed, its output is matched against an ever-growing list of strings that attackers use in such scripts. If even one string in the output of the executed script matches the list, the response is terminated and a 406 Not Acceptable error page is displayed instead.

  • Brute force attacks - These target the username and password used to log into the admin area of a website. They succeed quite often, because they can be run either as a dictionary attack or as plain character-by-character guessing. The usual scenario is that the attacker opens a remote connection to the server and a script (usually a bot) keeps trying logins until it finds the right one. ModSecurity protects against this by counting the login attempts from a single IP address within a period of time. For example: it counts the login attempts from one IP address over 10 seconds and, if there are more than 5 (one attempt every 2 seconds), blocks the attacker's IP address PERMANENTLY. Since a single user is very unlikely to submit a login every 2 seconds, even with the username and password saved in the browser, ModSecurity treats such behaviour as an attack and blocks the address automatically. The trade-off of a permanent, per-IP block is that everyone behind the same office or carrier NAT is blocked too, so a way to review and lift blocks is part of running such a rule.
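As an added example (not code from the original post), here is the injection from the URL above reproduced against an in-memory SQLite database in Python, with the vulnerable query next to its parameterized fix. The table and column names (a `blogposts` table with six columns and a `users` table with `username` and `password`) are assumed, and the payload is adapted to SQLite syntax (`||` for string concatenation in place of MySQL's `concat(...,0x3a,...)`):

```python
import sqlite3


def make_db():
    """Constructed sample database: a six-column post table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE blogposts(id INTEGER, title TEXT, body TEXT, "
                 "author TEXT, tags TEXT, created TEXT)")
    conn.execute("INSERT INTO blogposts VALUES (1, 'Hello', 'First post', "
                 "'admin', 'intro', '2013-12-19')")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def fetch_post_vulnerable(conn, post_id):
    """Mirrors blogposts.php?id=...: the raw parameter is glued into the SQL string."""
    query = "SELECT * FROM blogposts WHERE id=" + post_id
    return conn.execute(query).fetchall()


def fetch_post_safe(conn, post_id):
    """Same lookup with a bound parameter: the input is treated as data, never as SQL."""
    return conn.execute("SELECT * FROM blogposts WHERE id=?", (post_id,)).fetchall()


# The post's payload in SQLite syntax; six columns to match the blogposts table.
PAYLOAD = "-130 union select all 1,username||':'||password,3,4,5,6 from users"

if __name__ == "__main__":
    db = make_db()
    print(fetch_post_vulnerable(db, "1"))       # the real post
    print(fetch_post_vulnerable(db, PAYLOAD))   # admin:s3cret leaks through the union
    print(fetch_post_safe(db, PAYLOAD))         # [] : the payload is just a non-matching id
```

The first query returns the post, the second returns `(1, 'admin:s3cret', 3, 4, 5, 6)` exactly as the post describes, and the parameterized version returns nothing for the same payload because the whole string is compared against the integer id rather than executed. A WAF rule that fires on "union select" would stop this particular request, but the bound parameter is what removes the bug.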

As you can see from the attack types above, we try to cover almost every way in which your website can be hacked or defaced and to bring the chance of it happening as close to zero as we can. This is not an easy task: every day we come across new kinds of attacks, which we inspect in detail and then update our rules accordingly.

My last words, for today's article only, concern the logging strength of ModSecurity. Like every firewall, ModSecurity can log. To know which malicious requests are made to our servers and denied by ModSecurity, we keep a local log in which every rule match is recorded. This lets us not only monitor the malicious activity on the servers but also block its source.

At the moment that log is available only to our VPS and Dedicated Server customers who have requested the installation of ModSecurity on their services with us. It can be found in their WHM control panels under the link ”Mod Security”.

In conclusion, ModSecurity offers individuality and flexibility: with the millions of filtering options it provides, its behaviour is unpredictable to hackers and other malicious users, while remaining dependable for legitimate visitors.

We are proud of our choice to protect your blogs, forums, e-commerce applications (online stores) and social networks with the help of ModSecurity.

Nov 01

6 Scariest Things To Happen To Your Site

Still in the Halloween mood, thinking of scary stories and movies, we thought about the things that scare us to death. Apart from fear of failure, ghost stories, sleeping in the dark and falling off a large cliff, some of us pointed out their online fears.

So, here is a list of the scariest things, which might happen online, and what’s even worse – on our sites.

1. Your site being down:

This could be considered the worst nightmare for people who make their living from their website. Whether it is a blog, an online shop or, bigger still, an online media outlet, we know that no site is immune to a major crash. Losses can also turn out to be quite significant, especially for sites with higher traffic. Examples of popular sites that have had a similar scary experience are the downtime of the New York Times in August this year, and Google being offline for less than 5 minutes.

Reasons: There are many reasons for a site to be down. The most common are connectivity issues, missing content in core files and so on. Often the issue is more obvious than it seems: a problem on your hosting provider's side.

What-to-do-now plan: If you have 24/7 support, contact your hosting company. They are the people to turn to in such cases and the ones who can identify the exact cause of the outage. Find a way to communicate the issue to your visitors; social media has proven quite useful here. Make sure you pause your online ads so that you do not throw money down the drain by sending potential customers to a site that is not there.

2. Incredibly slow load time:

If you have an e-commerce site, slow load time can noticeably affect your online orders. If your site runs 5 seconds slower than the competition, that can mean considerable financial loss, in proportion to the size of your online business. For example, Amazon.com found that every 100 ms of additional load time cost it 1% in sales.

Reasons: Many causes of slow loading are related to the content of the site and the execution of the script(s) it uses. The most common reason, to put it mildly, is that your hosting provider isn't the best. For a more thorough explanation of slow websites, see: Why my website loads slowly?

What-to-do-now plan: Talk to your hosting provider, who is best placed to know whether the cause is internal (on their side) or external (for example, one of their upstream internet providers failing to deliver proper service). They should be able to advise you on what to do next and whether any content optimization is needed. If, at the end of the day, your site is still slow, you might try moving it somewhere faster. Some hosting companies will transfer your site and database completely free of charge.

3. Being spotted by hackers:

Attacks by hackers are random, painful, emotional and, on most occasions, quite costly. There may have been a security hole on the server where your site resides, in the software your site is built on, or some other vulnerability in the configuration that the attackers used to get in. In the vast majority of cases the cause is outdated software (WordPress, Joomla, etc.) whose known weaknesses are used by ill-intentioned people to break in.

Reasons: Protecting your site from attacks can require a considerable amount of development work. Many things increase your site's vulnerability and make it attractive to attackers, among them running an old version of a script (e.g. WordPress, Joomla), not updating the other components of your website, and not updating templates.

What-to-do-now plan: The best thing to do is to protect yourself before you get 'burned'. Having your site well secured is one of the main factors to consider when choosing your next web hosting provider: a good provider who knows how to secure their servers professionally is key to a good night's sleep for the next few years. Prevention aside, if your site did get hacked after all, the best thing to do is to get help from your hosting provider and from your in-house developer, if you have one. Most important in fighting random attacks is to keep your software up to date. The people developing the software are usually one step ahead of the attackers: if they have released an update for your software, there is no good reason to wait, so install it, and keep an eye out for new releases regularly. Change all your passwords, take the site offline so that your customers are not affected by the attack, find a way to communicate the issue to them, and pray!

4. Huge bounce rate:

Your site is great, or at least you think so, but at some point of time, you notice a high percentage of your visitors leaving it, as if there is some type of plague inside.

Reasons: There are many reasons for an increase in bounce rate, and most of them have to do with the internal organization of your site, in terms of content and design. If your web design is cluttered, the site is not user-friendly, and visitors do not find your content valuable at first glance, they leave. Looked at more abstractly, the reasons are the same as for a person leaving a shop: if the visitor does not feel comfortable browsing and does not find interesting stock, they leave. There may also be marketing and external reasons, such as irrelevant ads bringing people to your site, poor keyword selection and so on.

What-to-do-now plan: Re-think, re-design, and re-imagine your whole website concept. If the trend is ongoing, that means you should pay considerable attention to how you present yourself in the online world.

5. Software issues:

You have been playing around with the back-end of your site lately, installing plug-ins and themes, there was an update to the script that you wanted to install, and suddenly – bang! You get this internal error and your site refuses to load.

Reasons: Often, if we are not so tech-savvy but still have faith in ourselves, we try to deal with the back-end of our sites all by ourselves. Sometimes it works and sometimes, well, it doesn't. On a few occasions it really is a script issue, or a combination of poor hosting and a script error.

What-to-do-now plan: Report the issue to your host. Be as precise as possible and send screenshots of the errors you get, if necessary. Your hosting provider should be professional enough to investigate the issue and help you solve it quickly. To be safer in future, ask your hosting provider to create a sandbox copy of your website so you can try out changes there. Also, never forget to take backup copies of your website. Your provider surely does; you just have to make sure they are as timely as possible. A daily backup is good practice for your databases and a weekly one for your files, although it all depends on how frequently you change them.

6. Google ban of your site:

Just the thought of Google banning their site takes some people back to their school days, when the teacher punished them in front of everyone at the blackboard. Being banned by Google is not a frequent event, but when it happens it basically means that your site is out of Google's index.

Reasons: There are many reasons why Google might decide they don't like you. It can happen if Google decides that your site does not meet its quality guidelines or, worse, that your site obstructs users' ability to find relevant information. More technically, if you have been cloaking, in other words designing your site so that search engines see one thing and visitors another, you risk getting on Google's nerves. Other reasons for being punished by Google are using keywords irrelevant to your content, duplicating content, or having a robot write your site.

What-to-do-now plan: Create a Google Webmaster Tools account; it will usually tell you why your site was penalized. Once registered, you can submit a reconsideration request. Resurrecting your site and bringing it back to Google's attention is a slow and tedious process. So, good luck with it!

If you have experienced at least two of those issues, it might mean you desperately need a new hosting provider. The tech support at TMDHosting will make sure you do not have a scary experience. You might want to give us a try and use our special SPOOKY code by the 6th of November for a 10% discount on your next hosting plan with TMDHosting.

Oct 30

Web hosting affiliate program – a safe way to a long-term passive income

Did you know that the word affiliate originates from the Latin affiliatus, meaning "adopted as a son"? Sounds strange? Well, think about it: how can you sell anything without knowing it and loving it? Those of you working in sales teams know how hard it is to be convincing if you are not yourself convinced that what you offer is really good.

Yet we understand that the power of conviction alone is not enough to become a successful affiliate with a lot of sales. Another key prerequisite for turning your website into a money-making machine is that it serves your visitors' needs. Here is a great piece of news you are probably already aware of: there is high demand for secure, managed web hosting!

Why do we believe that TMDHosting is a value-added product in great demand, beneficial both to you and to your referrals? In fact, we don't just believe it, we know it for sure.

A team of professionals

At TMDHosting you can find all kinds of people, always hungry for more: readers, true gamers (yes, we share your love for Grand Theft Auto V), impressionable photographers, pro snowboarders... but what brings us all together is years of experience in web hosting. If you are one of our happy customers, you already know this.

The in-house survey we made for this post shows that the average time each of us has spent in web hosting is at least 4.5 years. For 7 years now we have been online 24/7 to help you at any moment, sharing the bits of information we have carefully stored in our brains and in our knowledge base. We also have a good number of people who have been in the industry since its very dawn.

We offer you and your referrals a great value product

What we stand out for is simple but worthwhile:

- Speed – sites we host do load fast – less than 1.80 seconds is our average loading time.

- Safety – we create full account backups each day.

- Security – we have system administrators who monitor our servers 24/7, in addition to our hardware firewalls and the most innovative web firewall (based on mod_security) with daily updated rules.

- FREE technical support – That's right, we don't charge you when you need help. Our techs are friendly, professional and at your disposal 24/7, no matter what day it is, Christmas, Thanksgiving or any other. We strive to guarantee 15-minute ticket responses.

- We improve constantly – only in the past year we have:

  • Performed 3 hardware upgrades to stay cutting-edge with the latest Intel Processor architectures
  • Introduced a new SSD storage engine, which is many, many times faster than the widely used technology.
  • Doubled the account’s dedicated resources per customer on our shared servers infrastructure. We’ll prepare a full-year report with more detailed information and statistics as some upgrades are still to come until the end of 2013.

Our customers speak out:

“I came to TMD hosting on a whim, as I was looking for a compatible hosting company to house my social network. I am not as experienced as some … I constantly make errors on the FTP and there you have it, TMD cleans up my mess. They are more than my hosting company, they really are our tech support team and I’m glad to have found them”

(via: http://www.whoishostingthis.com/hosting-reviews/tmdhosting/#ixzz2filAsORN) 

“In the past 14 years I have used hosting services from several big companies…But with Tmd server hosting I have a complete managed server package that rocks everything. I am using this service now for more than 2 years and I hope to use their service for many many years from now on.” 

(via: http://www.webhostingstuff.com/review/TMDHosting.html)

“I don’t usually write reviews but felt compelled to after a spell of fantastic support from Tmd. I had an issue over the weekend. Actually, it was a Sunday and they solved it within an hour. And then, I had another (self inflicted) issue today, which was solved superbly in less than 15 minutes. It seems that there’s always somebody around to help me, whenever I need it. Well done guys…”

These are just random excerpts from our happy customers and none of them is written by us, we promise (we have more important things to deal with in our day-to-day work).

Is this already the moment to share some love with your friends and visitors? If you say ‘YES’, we are happy to let you know that this is going to be one of the rare moments in your life when love and money go together.