Your website Will be hacked

It is not IF you will be hacked, but WHEN you will be hacked.
Yes, your website is vulnerable to being hacked and destroyed! Are you worried? I would be.

WordPress security watchdogs Sucuri have revealed that “brute force” attacks are at an all-time high.

A brute force attack occurs when an attacker runs a script that attempts to guess a website’s login password. The script tries to log in to the site with automatically generated passwords at a rate of thousands of attempts per minute.

Brute force attacks are not new — in fact, they’ve been around over 15 years, and data shows they’re still going strong.

There have been so many this year that Sucuri has created a new page dedicated to monitoring the current threat level of brute force attacks.

On this page you’ll see that the number of brute force attacks has grown from around 5 million per day at the beginning of the year to 35 million per day in the second week of September.

Sucuri’s data also shows the majority of brute force attacks originate from the United States. Attacks tend to occur most frequently between 12pm to 2pm EST, but a site can be vulnerable to a brute force attack at any time.

One of the best ways to protect yourself from a brute force attack is to have a strong password that’s difficult to crack. It’s also a good idea to have some kind of monitoring system in place so you’ll be notified if your website is the target of a brute force attack.

Another easy way for attackers to gain control of your WordPress site is through flaws found in older versions. It’s important to stay on top of WordPress updates because they often contain important security fixes.

That being said, there are always updates being put out for WordPress. Use them! If you don’t know how and want to keep your site safe against known vulnerabilities, then contact us today to see if your site is more at risk than it should be. We will have a look at your site for free and tell you what is missing and how we can assist you in making your site safer.

While there are numerous ways in which a WordPress site is vulnerable to attack, the following four weak spots are most commonly at fault when a WordPress site is hacked. Don’t think these are the only ways; they are just four of the most common.

  1. Easy to guess or weak usernames/passwords
  2. Themes or plugins that have bugs in them
  3. Not updating the WordPress core files and themes/plugins in a timely manner
  4. Nice (NOT) people who hack WordPress sites

Weak Usernames/Passwords: As of WordPress 3.8, the standard “password strength detector” forces you to create something extremely strong. This is undoubtedly part of the WordPress Foundation’s efforts to help reverse this particular statistic. So, never use the “admin” username, and go as difficult as possible with your password (mixing letters, numbers and letter-case throughout). If you keep it simple for you to remember, you’re also making it simple to get your site hacked. Write it down (if you have to) and, most importantly, keep it private. If you want to learn more about how to avoid weak usernames/passwords and reduce the chances of a hacked site, contact us and we can have a chat with you.

Theme and/or Plugin: Now and then, even the most popular premium themes/plugins will have some sort of security flaw. You can reduce the risk by reading up on the plugins you’re installing before you install them, but most of the time you won’t know about a flaw, as the developers don’t know themselves. Stay away from free themes/plugins that are not from the official WordPress directories. Also, try to stick to themes/plugins with four and five star ratings. And to be on the safe side, just Google this: “[insert plugin name] security” and see if anything shows up.

Not Updating WordPress Core and Themes/Plugins: It’s understandable that if your site is highly dependent on the functionality of a few plugins, you’re going to want to wait until they’re compatible with the newest version of WordPress before you update your core. However, high quality and reliable plugins will almost always have an update within hours or days of the WordPress core release, if one is needed at all. As a rule of thumb: if you see that an update is available, back up your site and run it.

On “Nice” People Who Hack WordPress Sites: It’s important to remember that there are “Nice” people out there (as well as misguided wannabes with malicious scripts) just waiting for you to slip up. So stay vigilant, follow these guidelines, and you should be OK.


Phishing Emails

What is a phishing email?
You may have received an email falsely claiming to be from a company or another known entity. This is called “phishing” because the sender is “fishing” for your personal data. The goal is to trick you into clicking through to a fake or “spoofed” website, or into calling a bogus customer service number, where they can collect and steal your sensitive personal or financial information.

You need to be a proactive contributor by reporting suspicious-looking emails to the bank or company that the email claims to be from. See if they have an Abuse Department and send it to them.
Most big companies have a security team who work to identify whether the email you received is malicious.

Most businesses will carefully review the content reported to them to determine whether it is legitimate. They will generally contact you if they need any additional information for investigating the matter. Please take note of the security tips provided below, as they may help to answer any questions you have about the email you are reporting.

Most Businesses Will Always:
– Address their customers by their first and/or last name, or the business name on their account.

They Generally Will Never:
– Send an email to “Undisclosed Recipients” or to more than one email address.
– Ask you to download a form or file to resolve an issue.
– Ask in an email to verify an account using personal information such as name, date of birth, driver’s licence, or address.
– Ask in an email to verify an account using bank account information such as bank name, routing number, or bank account PIN number.
– Ask in an email to verify an account using credit card information such as credit card number or type, expiration date, ATM PIN number, or CVV2 security code.
– Ask for your full credit card number without displaying the type of card and the last two or four digits, or similar.
– Ask for your full bank account number without displaying your bank name, type of account (checking/savings) and the last two digits, or similar.
– Ask for your security question answers without displaying each security question you created.
– Ask you to ship an item, pay a shipping fee, or send money via Western Union. Western Union has a very bad name for allowing scammers and spammers to transmit money via their system without due care.

READ!
Any time you receive an email about changes to your account(s), the safest way to confirm the email’s validity is to log in to your account and go to where any of the activity reported in the email would be available to view. If there is nothing in the site itself, then treat the email as spam.

DO NOT USE THE LINKS IN THE EMAIL RECEIVED TO VISIT THE WEBSITE.

Instead, always open a browser window (Internet Explorer, Firefox, etc.) and type www.website.com into the address bar to log in to your account (where website.com is the web address of the bank or other account the email is about).

Oh NO, You Didn’t, Did You?

Help! I responded to a phishing email!
If you have responded to a phishing email and provided any personal information, or if you think someone has used your account without permission, you should immediately change your password and security questions.
You should also report it to the bank or company immediately and they will help protect you as much as possible.
Contact the appropriate business and discuss the email with them. They will help.

If you do this, you will help make a difference.
Every email counts. By forwarding a suspicious-looking email to the business involved, you have helped keep yourself and others safe from identity theft.

Email Scam From AFP

Today we would like to remind you of the importance of NOT clicking any links in your emails unless you are very sure of where the email came from and if you can trust it.

In the last couple of weeks we have heard of, and seen on TV, how people are getting emails from the Australian Federal Police (well, not really, but that’s what the email says).

Here is what the AFP website says (see story here).

The Australian Federal Police (AFP) is urgently warning the public of an email scam currently circulating throughout Australia and internationally that requests payment for a bogus AFP Traffic Infringement Notice.

The scam email initially asks the recipient to pay an ‘AFP fine’ of approximately $150. If links within the message are clicked, the recipient’s computer is infected with malware which renders it inoperable.

At that point ransomware is activated where the recipient is asked to pay thousands of dollars to reactivate their computer.

AFP National Coordinator Cyber Crime Adrian Norris has said anyone who receives the email should delete it immediately.

“This email has taken off widely today and looks legitimate, and many people have been compromised, so I would urge people to be vigilant,” Superintendent Norris said.

“The AFP never sends out traffic infringement notices via email, so if you have received an email that purports to be from the AFP and have doubt about its authenticity, do not make a payment or provide personal details.

“This email scam looks legitimate and contains AFP branding and may be from email addresses like TrafficInfringement.afp.org, TrafficInfringement.afp.com. or similar.

“Payment of this Traffic Infringement Notice will not go to the AFP, your money will be going to scammers overseas.”

Superintendent Norris said this was a timely reminder to ensure your anti-virus software is current and those who may have received the email to consider running a virus scan of their computer in case it has been infected.

Members of the public who believe they have been a recipient of the fraudulent email should report it to the Australian Cyber Crime Online Reporting Network (ACORN) immediately via http://www.acorn.gov.au/ or to ScamWatch http://www.scamwatch.gov.au.

So the rule is: don’t click on any links in your emails unless you are sure you know where they have come from. And remember, the AFP, your bank (or any bank), Microsoft, Telstra, etc. will not email you unless you are expecting an email because you have recently spoken to them.
You just have to think: how did they get my email address? Did I give it to them? If no, then consider it a scam.

Ransomware

The above AFP email was opened by a customer of ours and EVERY personal file was encrypted, as well as many other files on his computer. So in all, 33,000 (yes, that many) files were locked up with no known way to get them back. He lost hundreds of photos and documents.

Oh, and remember also that any USB devices, like backup drives, are part of your computer while they are plugged in, so the ransomware can encrypt those too. Unplug them when not in use.

Lesson learnt the hard way.

Please take care

Unfriendly Links In Emails

This week (mid-May 2015) some clients that are hosted with Hostgator were getting emails saying they should be putting in place an SSL certificate for their site, and to click a link in the email to go and buy an SSL certificate from Hostgator.

This turned out to be a phishing email.

The content of the email is as shown below.

Block the bad guys. Prevent hackers, spies and thieves from gaining access to sensitive information. Positive SSL encryption establishes a secure connection between your server and any visitor’s web browser, and keeps personal data private. Your SSL security icon lets visitors know their data and transactions are always safe on your site.

Build Customer Confidence with Positive SSL.
Encrypt credit card data.
Protect passwords and confidential information.

Secure online payments and form submissions.

Standout with Google!

Recently Google made a change to their algorithm that prioritizes rankings for websites with SSLs. Make sure you aren’t penalized by ordering an SSL today!

So, two questions:
1. Is it now true that Google will penalise us for not having SSL on a non-money-generating site?
2. Do we really need SSL on every site we produce?

Suspicions were that the email was NOT legitimate because of the email address that the email came from.
The email address was info@e.hostgator.com (it was the “e.” that gave it away; it should have been hostgator.com, not e.hostgator.com).
So we contacted Hostgator to confirm this, and a reply was sent saying that:
The email you received which claimed to be from HostGator was actually a targeted phishing campaign against our customers. This phishing campaign’s goal was intended to obtain cPanel usernames and passwords from our clients. These emails are not from us at HostGator. Email addresses also appear to be obtained using public WHOIS information. Please do not click on any content within these emails.
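The check the post applied above, comparing the sender’s domain with the domain the company really mails from, can be scripted. The example below is added here and is not code from the original post or from Hostgator; the expected domain (hostgator.com) and the sample From: headers are assumptions for illustration. Anything other than an exact match, including a subdomain like e.hostgator.com, a look-alike domain, or a brand name that only appears in the display name, is reported so you verify with the company before clicking.

```python
from email.utils import parseaddr

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header, or None."""
    _name, addr = parseaddr(from_header)
    if '@' not in addr:
        return None
    return addr.rsplit('@', 1)[1].lower().rstrip('.')

def classify_sender(from_header, expected_domain):
    """Compare a From: header against the domain the company really mails from.

    'exact'        domain matches exactly (still not proof: headers can be forged)
    'subdomain'    under the real domain, e.g. e.hostgator.com; verify with the company
    'lookalike'    brand name inside an unrelated domain, e.g. hostgator.com.example.net
    'display_name' brand only in the display name, address is somewhere else entirely
    'other'        unrelated domain and no brand reference
    'invalid'      no usable address in the header
    """
    expected = expected_domain.lower()
    brand = expected.split('.')[0]            # 'hostgator' from 'hostgator.com'
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return 'invalid'
    if domain == expected:
        return 'exact'
    if domain.endswith('.' + expected):
        return 'subdomain'
    if brand in domain:
        return 'lookalike'
    if brand in name.lower():
        return 'display_name'
    return 'other'

if __name__ == '__main__':
    # Constructed sample headers, the first modelled on the one in the post.
    for hdr in ['info@e.hostgator.com',
                'HostGator Billing <billing@hostgator.com>',
                'HostGator <support@hostgator.com.example.net>',
                'HostGator Support <help@example.org>']:
        print(f'{classify_sender(hdr, "hostgator.com"):13} {hdr}')
```

Only 'exact' is worth trusting at all, and even then the safe move in the post still applies: log in to the hosting account directly rather than through the link.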

So to answer the question of “Do I need an SSL Certificate on my site?”

The answer is mostly a no at this point, with a catch.

Google does now use SSL as a ranking signal, but it accounts for a very small amount at present, with the potential that it might mean more in the future as we move to an SSL-everything world.

You definitely don’t *need* SSL on every site you create, but it can lead to a higher perceived level of trust by consumers, even if you only use something like CloudFlare’s free SSL offering.

Generally you only need an SSL certificate for your site if you are passing money through it.
So if you are looking at taking payments through your site, then yes.
Payments as in when you ‘connect’ to the bank etc.
Not BPAY, as that is done from within the buyer’s bank, and not PayPal, as they are also secure.


So, as the image in the email we got says, “Stop Evil Doers”. Ha ha, what a laugh, as these turkeys are the evil doers themselves.

Please, please be very careful of any emails you get from anyone with links in them. Don’t assume that the email is legit. This one was sent to gain access to your hosting account.

Mobile Friendly Website

Recently, in early 2015, Google came out and said that if your website is not mobile friendly then you will be de-listed from the Google listings. Then they changed that and said you will be moved down the list. This means that if you are moved down the search listing, there is a high chance no one will see your website at all (unless they search through pages and pages of listings).

So what should you do?

The first thing to do is check and see if your site is mobile friendly here: Mobile Friendly Test.
If your site passed the test, then great.

So what does it mean if you failed?

You should be looking at getting a new website. This will usually mean getting a site that employs modern responsive design principles. The biggest advantage of responsive design is that your site will look good on both a desktop computer and a mobile device by adapting to every type of browser it encounters.

If you failed the test you will see “Not mobile-friendly”. If this is the case, then contact us at Quick Link Designs to discuss how we can make your site mobile friendly.
At the same time we can give your site a new modern look to go with the mobile design.


Remember, just because you CAN see your current website on your mobile device doesn’t mean it is mobile friendly. Do a check and see for yourself. If you have to scroll sideways on your phone to see your pages, then guess what: you need to contact us here at Quick Link Designs to see what we can do for you.

Responsive Website