Archive for Internet Security

A List of Top WordPress Security Plugins

The share of websites built on a CMS can safely be assumed to exceed that of sites coded from scratch, and WordPress has more users than any other CMS. That popularity makes it a target: the larger the user base, the more attackers and fraudsters try to compromise such sites. In the majority of cases a WordPress site is compromised through outdated core files and/or plug-ins; outdated versions of the associated scripts are an easy meal for attackers.

So what measures should an individual adopt to keep a WordPress installation safe from being compromised?
First and foremost, run the latest version of WordPress (and of every theme and plug-in you have installed). In addition, there are a couple of useful WordPress plug-ins that can help you safeguard a website hosted on an affordable web hosting server.

Top List of WordPress Plugins For Enhanced Security

BulletProof Security
Average Rating : 4.5 || Total Downloads : 143,241

This plugin is widely considered one of the more reliable security plug-ins for WordPress. It is advertised as protecting a WordPress based site against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attempts, and it offers one-click .htaccess security protection.
The files it protects with .htaccess rules are wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html. It can also switch database error reporting off and check file and folder permissions.

6Scan Security
Average Rating : 4 || Total Downloads : 3,844

The plugin claims to protect against SQL injection, cross-site scripting (XSS), directory traversal and remote file inclusion, including the classes listed in the OWASP Top Ten.
It has been developed so that it has no adverse effect on the site's performance.

Ultimate Security Checker
Average Rating : 4 || Total Downloads : 35,851

This too, like a couple of the other plugins, appears to be well liked by users. It is a common scenario that a hacker gains access to a WordPress installation and deletes the data it contains. The Ultimate Security Checker identifies security issues on your site: it scans the installation for known vulnerabilities and grades it accordingly, then lists the problems, which you may either fix on your own or have the plugin fix automatically.


Better WP Security
Average Rating : 4 || Total Downloads : 41,417

The plugin patches multiple security holes without you having to worry about conflicting features. It bans troublesome bots, can switch off the ability to log in for a given time period, bans users who try to log in too many times with incorrect credentials and, more importantly, enforces strong passwords for all accounts.

WP Plugin Security Check
Average Rating : 5 || Total Downloads : 4,168

It sometimes happens that a hacker breaks in through an outdated or badly written plugin. This plugin inspects the installed plugins for bad practices and possible security holes, limiting the risk of a compromised website.

Secure WordPress
Average Rating : 4 || Total Downloads : 611,889

This plugin removes the error information on login pages (so a failed login does not reveal whether the username exists), adds index.html to plugin directories (to prevent directory listing), hides the WordPress version except from the admin area, hides plugin-update information from non-admins and blocks bad queries that could harm your WordPress installation.

WP DB Backup
Average Rating : 4 || Total Downloads : 1,238,595

We are all aware of the importance of website backups; this plugin lets users back up the core WordPress database tables with a minimum of clicks. Looking at the number of downloads one can gauge its popularity amongst webmasters.

WP-DB Manager
Average Rating : 4 || Total Downloads : 601,825

This plugin enables users to manage the database effectively. Optimizing, repairing, backing up, restoring and deleting backups of the database can all be carried out with ease. Moreover, webmasters may automate the backup, optimization and repair of the database.

WP Security Scan
Average Rating : 3 || Total Downloads : 897,847

This plugin scans your WordPress powered website for vulnerabilities and offers corrective measures for various areas such as passwords, file permissions, database security, version hiding and WordPress admin protection; it also removes the WP generator META tag from the generated pages.

Login Lockdown
Average Rating : 4.5 || Total Downloads : 135,907

This plugin protects against repeated failed login attempts: it records the IP address and time-stamp of every failed attempt. If a client fails three times within 5 minutes using incorrect login details, the login function is disabled for that whole IP range. This prevents attackers from trying different combinations of login credentials to gain access to your website.

User Locker
Average Rating : 5 || Total Downloads : 33,695

This is an alternative to the 'Login Lockdown' plugin that helps prevent unauthorized access to your website. It works on the same logic and restricts fraudsters from gaining unauthorized entry.

Limit Login Attempts
Average Rating : 5 || Total Downloads : 107,935

It is a fully customizable plugin that limits the number of failed login attempts to the WordPress admin console. This is again an alternative to the two plugins above.
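The three plugins above all implement the same idea: count failed logins per source and refuse further attempts once a threshold is reached. The following Python code is an added illustration of that logic, not the code of any of the plugins. It assumes IPv4 clients, groups addresses into /24 blocks (the "IP range" of Login Lockdown), and uses three failures within five minutes and a one-hour lock as constructed parameters; the plugins make all of these configurable.

```python
"""Failed-login lockout keyed by source IP range, as the Login Lockdown /
User Locker / Limit Login Attempts plugins do.

Added example, not code from any of those plugins. Assumptions: IPv4 clients,
attempts grouped by /24 block, 3 failures within 300 s lock the block for
3600 s (the plugins make these configurable).
"""
import ipaddress
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=3, window_seconds=300,
                 lockout_seconds=3600, prefix_len=24):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.prefix_len = prefix_len
        self.failures = defaultdict(deque)  # block -> timestamps of recent failures
        self.locked_until = {}              # block -> time the lock expires
        self.log = []                       # (time, ip, username) of every failure

    def _block(self, ip):
        # Collapse the client address to its network block, e.g. 198.51.100.0/24
        return str(ipaddress.ip_network(f"{ip}/{self.prefix_len}", strict=False))

    def is_locked(self, ip, now):
        block = self._block(ip)
        until = self.locked_until.get(block)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[block]    # lock has expired
            return False
        return True

    def record_failure(self, ip, username, now):
        """Note a failed login; return True if this failure triggered a lock."""
        block = self._block(ip)
        self.log.append((now, ip, username))
        recent = self.failures[block]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # sliding window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[block] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(self._block(ip), None)


def attempt_login(lock, ip, username, password, now, check_password):
    """Gate one login attempt; returns "locked", "ok" or "fail"."""
    if lock.is_locked(ip, now):
        return "locked"      # do not even consult the password store
    if check_password(username, password):
        lock.record_success(ip)
        return "ok"
    lock.record_failure(ip, username, now)
    return "fail"


def demo():
    """Constructed scenario: an attacker spraying passwords from one /24, a
    legitimate admin elsewhere, and the admin's correct password refused while
    the block is locked. Returns the outcome of each attempt in order."""
    users = {"admin": "correct horse battery staple"}   # constructed credential

    def check(username, password):
        return users.get(username) == password

    lock = LoginLockout()
    return [
        attempt_login(lock, "198.51.100.10", "admin", "password1", 1000, check),       # fail
        attempt_login(lock, "198.51.100.11", "admin", "password2", 1060, check),       # fail
        attempt_login(lock, "198.51.100.12", "admin", "letmein", 1120, check),         # fail, locks the /24
        attempt_login(lock, "198.51.100.10", "admin", users["admin"], 1180, check),    # locked
        attempt_login(lock, "203.0.113.5", "admin", users["admin"], 1180, check),      # ok, other block
        attempt_login(lock, "198.51.100.10", "admin", users["admin"], 4720, check),    # ok, lock expired
    ]
```

Two details matter in practice: the check happens before the password store is consulted, so a locked range costs you no password-hash work, and a correct password is refused while the lock stands, which is the trade-off these plugins make between availability and brute-force resistance.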

Login Encrypt
Average Rating : 4 || Total Downloads : 3,221

Login Encrypt is a security plugin that uses a combination of DES and RSA to encrypt the credentials sent during login to the admin panel. It was originally developed to secure the login to a web hosting control panel and was later released for WordPress. Note that DES is a long-deprecated cipher and that such client-side encryption is no substitute for serving the login page over HTTPS.

One Time Password
Average Rating : 4.5 || Total Downloads : 7,531

This plugin generates a unique one-time password for each login, which keeps unauthorized users away from the admin areas of your site. Every time you want to access the WP-admin area the OTP (One Time Password) is sent by email to the registered address, and it expires once it has been used.
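What "expires upon usage" has to mean server side is shown by the following Python code, an added example that is not the plugin's own code. It assumes codes are delivered out of band (the send_email callable here is a stand-in that only records the message), that only an HMAC of the code is stored, and that a code is valid for ten minutes and for exactly one successful use.

```python
"""Single-use, time-limited login codes of the kind the One Time Password
plugin sends by email. Added example, not the plugin's code.

Assumptions: delivery is out of band via the send_email callable (a stand-in
here), only an HMAC of the code is stored server side, codes live 10 minutes
and are consumed on first successful verification.
"""
import hashlib
import hmac
import secrets
import time


class OneTimePasswords:
    CODE_LENGTH = 8
    TTL_SECONDS = 600
    ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I confusion

    def __init__(self, server_secret: bytes, send_email):
        self.server_secret = server_secret
        self.send_email = send_email       # callable(address, body)
        self.pending = {}                  # username -> (hmac hex, expires_at)

    def _hash(self, username, code):
        # HMAC with a server secret: a leaked table of hashes cannot be
        # brute-forced offline without the secret as well.
        msg = f"{username}:{code}".encode()
        return hmac.new(self.server_secret, msg, hashlib.sha256).hexdigest()

    def issue(self, username, email, now=None):
        """Create and send a fresh code, replacing any unused earlier one."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(self.ALPHABET) for _ in range(self.CODE_LENGTH))
        self.pending[username] = (self._hash(username, code), now + self.TTL_SECONDS)
        self.send_email(email, f"Your one-time login code is {code}")
        return code   # returned only so the demo can feed it back in

    def verify(self, username, code, now=None):
        """Return True once for a valid, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False
        stored, expires_at = entry
        if now > expires_at:
            del self.pending[username]     # expired: discard rather than keep trying
            return False
        candidate = self._hash(username, code.strip().upper())
        if not hmac.compare_digest(stored, candidate):
            return False                   # wrong code: entry stays until expiry
        del self.pending[username]         # consumed: a replay must fail
        return True


def demo():
    """Constructed walk-through: first use succeeds, replay fails, a code
    presented after its lifetime fails. Returns those three outcomes and the
    number of emails 'sent'."""
    outbox = []
    otp = OneTimePasswords(b"server-secret-from-config",   # constructed secret
                           lambda addr, body: outbox.append((addr, body)))
    code = otp.issue("editor", "editor@example.com", now=0)
    first = otp.verify("editor", code, now=30)        # True
    replay = otp.verify("editor", code, now=31)       # False: already used
    stale = otp.issue("editor", "editor@example.com", now=100)
    late = otp.verify("editor", stale, now=100 + 601)  # False: expired
    return first, replay, late, len(outbox)
```

A wrong code does not consume the entry, so an online guesser gets repeated tries within the ten minutes; pair this with a failed-attempt limit of the kind the lockout plugins above provide.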

Fast Secure Contact Form
Average Rating : 4.5 || Total Downloads : 2,125,581

The Fast Secure Contact Form plugin lets webmasters create and add contact forms to their WordPress installations. Visitors can send emails to the site's admin and can even request meetings via a simple form. The site administrator can create and preview any number of forms, set availability and synchronize the contact form with Google Calendar to manage appointments effectively. It supports Akismet anti-spam protection, keeping the form largely spam free. The messages received by the administrator contain the blog username, a date/time stamp and the IP address of the sender, making it easier to categorize messages and learn more about the sender.

I hope you found this article useful. We'll keep updating our blog with the latest useful plugins that may help you get the most out of your WordPress installation.


Backup your Website before a Disaster Strikes

Assume that you have a website, developed recently or living on the web for quite some time. It may be a personal site running a blog, portal or design showcase, or a business site where you sell products or services. All seems to be going well and the site is being appreciated and shared by users across the web. Serious effort must have gone into getting the site to this level, not to mention the time and money you have invested in it.

While you have been focused on making the site successful, have you ever considered what would happen if it suddenly became inaccessible without warning? This can happen for any number of reasons. What if the server holding your site's pages crashes and, after investigation, the support staff of the web hosting company report that the hard drive is corrupted and all the data it held is gone? Disaster strikes!

What if I say that there is nothing to worry about? If you have chosen a host that offers managed hosting services, there is a good chance that a backup copy of the files in your account is available with them. That backup can be restored and your site brought back online within minutes.

Now consider the possibility that the hosting company does not back up its servers very often. It means your effort, your time, your money and your business have all been wasted and you have to start again from scratch. I don't need to describe the frustration and agony you would face, nor the time and money you would need to reinvest to get the site back online.

By now you have probably realised the importance of having a backup of all the data required to keep your site running. Accidents and disasters don't give a warning before striking; all you can do is have a backup plan that lets you recover in the least possible time without spending too much, because that's business. Backing up your site regularly is extremely important in the fast-paced world of the Internet.

There are various reasons why you need a recent backup of your website at any given point in time, and choosing an offsite backup plan from an affordable web hosting provider can keep devastation away from your website and your business. The following reasons come to mind without much effort; there are many instances in the past where the lack of a backup caused serious losses to businesses.

It may be human error, where the delete button is hit accidentally; this is usually seen where more than one individual has access to the account. Consider what such an error means: your files, the contact details of your customers, emails and so on can all disappear in a flash. Recovering them can be a nightmare, expensive and, more importantly, a threat to your reputation.

If you have a busy website whose content is updated frequently, it is essential to keep a backup of the data, because if a disaster does strike, everything the site has been updated with would be lost, whereas with a backup in place the loss can be kept to a minimum. For example, if you run a social bookmarking site or a forum board, losing all the data posted by the users would please neither you nor the users.

The gist of it is that such situations can be avoided if you keep your site backed up with the latest content possible. This saves not only money but also effort, time and reputation, and even the users can understand an unforeseen situation. Moreover, a backup plan comes at a much lower price than the heavy losses you may face without one.



Important Security Tips for 2012

It is not surprising that security has always played an important role in the past and still does in the modern age; only the media and tools have changed. This is surely because the underworld evolved too, finding newer techniques to steal data for illegal purposes. Even today, experts struggle to find newer, better and more advanced ways of dealing with digital security.

If you own an online business that holds crucial data such as customer banking and credit card details, it is essential to keep it in encrypted form; if this hasn't been done yet, it may prove to be a big mistake. Most organizations have now started to adopt serious measures to secure their digitally stored data. Despite all these measures, no one can claim to be 100% secure, since newer techniques evolve every day that may better serve illegal purposes. Still, it is always better to have the latest security measures in place so that at least most of the known threats can be tackled efficiently.

Think back to the years before digital media, when all crucial information was printed on paper and stored in lockers, racks and shelves in the offices of the officials concerned, and only those people held the keys. Those were the traditional security measures of the time. Yet security was still compromised, and often no trace was left of who had stolen a document, which made the culprit even harder to track; the end result was stolen data that could not be recovered at all. Today, in the digital age, if the right measures are implemented in your organization, a data theft can be investigated from the traces it leaves and deleted data can be recovered. For the latter, all you need is your crucial data backed up on an off-site server through a backup plan offered by a reliable web hosting company: even if a fraudster gains access to your confidential data and deletes it, you have the means to restore it. A backup only helps you recover data once it is lost, though; a number of other techniques keep the bad guys from getting near it in the first place. If your website accepts clients' personal details or credit card information, an SSL certificate is one of them: it encrypts the data in transit between the browser and your server, so anyone intercepting the traffic sees only ciphertext. Note that SSL protects data only while it travels; data stored on your server must be encrypted separately if it is to remain unreadable to someone who breaks in.

In the course of this evolution, traditional paper documents, floppy disks and desktop computers have been replaced by servers, or more specifically by the latest advancement, cloud servers. Communication media have been transformed as well, from printed mail to email and from trunk calls to VoIP, but despite these advancements even wireless networks get compromised, so encryption has become one of the core necessities of security. Not to mention that locks can be broken and keys, physical or digital, can be copied.

In short, you can never be sure how secure is secure enough. Your data may be at risk, which is why some organizations install multiple layers of security and fine-tune their systems to cut off every single avenue of attack.

Luckily, technologies have evolved to a degree where most of the deadly threats can be tackled effectively and your data can be kept safe from falling into the wrong hands.

You can read here about some ways to prevent your website from being hacked. Another question people commonly ask is where an SSL certificate should be used.

Breaches are commonly seen during festive seasons, when cyber criminals and scammers are out hunting for weaknesses in websites to take advantage of. Hence Avoiding Cyber Crimes & Scams During Festive Seasons becomes a priority as well.

Following are a couple of measures that you can adopt in order to reduce the security risks to your website.

  • MAKING SECURITY a Core Component of Infrastructure – Vulnerability scans, patch management, antivirus, intrusion detection and prevention, wireless security and authentication are things every organization should implement within its operational infrastructure. Many consider them security tools, while in fact they should be considered infrastructure tools.
  • Segmented Networks – Segmentation ensures that damage does not spread across the whole system but stays within the affected segment, reducing the impact on your other business processes.
  • Log Management – Businesses can tune log management into an early warning system. A threat isn't always kept out; it may at times enter your systems long before you know of its existence. Log management helps identify such threats early so that appropriate measures can be taken to neutralize them.
  • ENCRYPTING SENSITIVE DATA – An increasing number of businesses have started to implement encryption for their sensitive and private data.
  • Keeping a BackUp Plan Ready – Businesses must analyze past experiences in dealing with security incidents and design a tested strategy that can be used in emergencies such as a breach or deletion of data.
  • Anti-malware software – It is the first line of protection for any computer connected to the Internet.
  • Anti-Virus and Anti-Spyware – We are all aware of the destruction a virus can cause to a system.
  • Suspicious Emails – Refrain from opening emails from suspicious sources and, more importantly, don't open attachments enclosed in such mails.
  • Offsite BackUps – It is important to back up your crucial data to offsite servers religiously.
  • Check permissions – Many websites embed Facebook plugins in their pages; it is important to check the permissions granted to such external sites.


Avoid Cyber Crimes & Scams During Festive Seasons

Essential Pointers to Avoid Cyber Crimes During Festive Christmas and New Year Seasons

The festive season is something every individual awaits all year long. Fortunately, in today's digital era you are no longer required to travel to buy things; online stores have brought comfort and convenience to everyone. But we often forget the threats involved. If everyone took precautions while purchasing over the web, a large share of scams could be avoided. In this article we have tried to cover most of the precautions one can adopt for safe online buying.

The growing percentage of online shoppers attracts the attention of fraudsters, who are poised to take advantage of your credit card and other confidential information for their own ends.

During the festive season cyber criminals hunt for easy prey and exploit Internet users through various channels: emails, images, phishing and shopping scams. To this list we can now add social network pages and shopping carts that almost perfectly mimic popular brands and tempt shoppers to click. It has also been reported in the past that hackers embed malicious content behind Facebook and Twitter links.

That of course doesn't mean you must stop buying online.


Well, it is not so difficult to keep such fraudsters from taking advantage of the situation. Here are some pointers that can help you stay safe while purchasing online.

Firewall, Anti-Virus, Anti-Malware and Anti-Spyware

Having a reliable and trusted firewall and antivirus installed on your machines is the most basic precaution you can take. This helps keep malware off, avoiding the risk of exploitation. If you are on a tight budget, you may opt for a free but reliable alternative such as Microsoft Security Essentials or Avast. See also our Top 5 Free Antivirus for 2011.

It is advisable to use a two-way firewall capable of blocking hackers from gaining access to your machine and carrying out illegal activities at their convenience.

Access Passwords

We have always advised our clients to use strong passwords, with a combination of letters, digits and special characters in both upper and lower case, for every account they have online. Hackers use special tools and software to guess passwords, so long passwords using the above combinations make their job much harder. It is also observed that users tend to reuse the same password for multiple accounts; this is highly risky, since if a hacker gains access to one system they can easily get into the rest as well. So, a big NO to using the same password for every system.

Wi-Fi Zones

Wi-Fi zones are popular in populated areas, so if you intend to buy online over such a network you need to ensure the service is legitimate and safe for transmitting your credit card and other details.

If you cannot verify its legitimacy, don't buy; connect later to a known, trusted service and proceed with the purchase.

Checking Legitimacy of an eCommerce Shopping Site

It is common nowadays to receive a promotional email from a company to which you never gave your email address. It is a general practice of fraudsters to send such emails with tempting adverts, attractive deals and a link; this is phishing, where you are asked to confirm certain details with a "seller". The website may look a lot like the real one, but in reality it is bait with the strings in the hands of the scammers, and such sites may ask you to fill in forms with your financial and other personal details. It is therefore very important not to click such links. Instead, visit the official company page and check for the deal there; this should help you confirm whether the mail you received is legitimate or a trick. Pop-ups are another route fraudsters use, as we tend to click on them easily, so
it.

SSL Certificate Secured Websites

One must ensure that a site asking for personal and financial information is secured by an SSL certificate. To know whether a site uses SSL, check the URL first: it should start with https:// rather than http:// before the domain name. Next, look for the padlock icon in the browser's address bar. An SSL certificate is used to encrypt data before it is transmitted across the web, adding a layer of protection against theft.

A number of websites display a secure-site seal, but a seal is only an image that anyone can copy onto a fraudulent page, so it is advisable to check the above details to be sure of your safety.

Legitimacy of Offers and Discounts

During the festive and New Year season sites are loaded with attractive offers and catchy discounts; beware, all that glitters isn't gold. Some websites may ask you to share links within your network of friends, or ask for personal details by means of surveys and the like. Make sure it isn't just another way for a fraudster to collect your confidential information; rather than shopping from such sites, why not buy from legitimate retailers?

Creating a Pseudo Account

Most websites ask for an email address for correspondence, and the same address becomes your user ID for logging in. Create a separate email account and use it for such purposes; this not only keeps your main mailbox out of their hands but also acts as a precaution against theft.

Using a Credit Card

Banks nowadays offer temporary credit cards with limited funds and an expiry date that can be used for online shopping. Such cards are not linked to your actual bank account but work like a prepaid system with a certain amount of funds allocated to them.

Despite taking all the precautions stated above, if you do fall prey to fraud, you may report it to:

  • National Fraud Intelligence Bureau, run by the City of London Police, which collates and analyses email scams: http://www.actionfraud.org.uk/
  • For scams in general: Consumer Direct, email scams@oft.gsi.gov.uk, Tel: 08454 04 05 06
  • Metropolitan Police, London
  • Office of Fair Trading, London: euroteam@oft.gsi.gov.uk
  • The UK Information Commissioner, for spam originating in the UK.

Wishing you a Happy and Safe Festive Season !!


My Forum Got Hacked, What To Do?

Recently we have heard of a lot of hacking attempts on forums. If your forum has been hacked, what should you do and what do you need to know? This article is meant to help you follow the correct steps on the way to relaunching it.

You should be clear about one thing: if your business forum is hacked and is then used to attack someone else, you may be held responsible for those deeds. Hence it is necessary to initiate countermeasures quickly before you get into even bigger problems.


Your Forum Website:

First, prevent the worst: lock down your forum website. The reasons to lock the forum are:

  • Prevent further use by the hacker
  • Prevent endangerment of third parties (for example, through Trojans served from your pages)
  • Limit the damage to your image

There are various ways to block access to a project, but the best-known and quickest one is the .htaccess file. Simply put a .htaccess file in the root directory of your project with the following content (the Order directive takes a single argument, so there is no space after the comma; on Apache 2.4 and later the equivalent is a single line reading Require all denied):

Order Deny,Allow
Deny from all

If you need to keep reaching the site yourself while it is locked, add a line of the form Allow from followed by your own IP address after these two; with this Order, an Allow line overrides the Deny.

Backup:

Once the .htaccess file is in place, immediately take a complete backup of your forum, including the database. Under no circumstances should you create this backup with software that was installed on the web space itself (for instance the forum's own backup function or a PHP-based database tool), because the attacker may have altered it; use your hosting control panel, SSH or FTP from outside instead. This backup is used later for analysis, to figure out what gave the hacker access, and you will also need it as evidence if you consider initiating criminal proceedings.

Set New Passwords:

Reset all passwords: FTP, the web hosting control panel, the database, forum administrator accounts and so on. Every single password must be changed.

Find out How the Forum has been Compromised:

The most important thing to figure out is what gave the hacker access. If you did not have the latest forum software installed, that is a good place to start. Unfortunately, running the latest forum software is not enough: every extension (mod/hack) can be the vulnerability. Since extensions are often written with little care, do not automatically assume that the latest version of an extension has its security holes fixed. One reason is that most programmers who write extensions do so as a hobby and lack the background knowledge needed to write security-aware software. Therefore always exercise caution with extensions: pay attention to where they come from and who wrote them.

The security hole could also be a weak and/or cracked password of a moderator or administrator account. Therefore assign a new password to every user account with special privileges. There is also the possibility of CSRF attacks (cross-site request forgery, also called a one-click attack), a malicious exploit of a website whereby unauthorized commands are transmitted from a user the website trusts.

Restore from Backup or Completely Reinstall the Software:

If a clean backup exists, restoring it is enough to return the forum to normal functionality. The only loss is the data between the last backup and the time of the compromise. However, be aware that the security hole may still exist in the backup, and that a backup taken after the intrusion may already contain the attacker's changes.

If you have no backups at hand, it looks much worse: a complete re-installation of the software is the only solution. By this I mean not only the forum software itself but also all the mods/hacks that were installed. Do not take the risk of trusting that the hacker changed nothing in the files.

To correct and secure the current installation, you should perform the following:

Server Configuration

  • Install latest version of PHP
  • Install latest version of MySQL
  • Perform operating system updates
  • Always prefer using a Dedicated Hosting platform
  • Increase security by installing the Suhosin PHP protection patch.
  • Install ModSecurity. ModSecurity may affect server performance, so it is advisable to use an opcode cache such as APC or eAccelerator.
  • Disable all unnecessary services

Securing PHP

  • Disable PHP extensions that are not needed
  • expose_php = Off
  • display_errors = Off
  • enable_dl = Off
  • allow_url_include = Off
  • disable_functions = system, shell_exec, popen, pclose, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, passthru, show_source, readfile, escapeshellcmd, escapeshellarg
  • Be careful when disabling these functions, because many scripts need some of them; test whether your PHP applications still work once they are excluded. Note also that escapeshellcmd and escapeshellarg execute nothing: they only escape strings for safe use with the exec family, and disabling them breaks scripts that sanitize their arguments, so they are better left enabled.
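To check a server against the php.ini settings listed above, here is an added Python example that is not part of the original article. It parses a php.ini (assumed to be plain "key = value" lines with ';' comments and section headers), reports every setting that deviates from the recommended value, and lists which of the dangerous functions are still enabled; the two sample ini texts at the bottom are constructed. It deliberately leaves escapeshellcmd and escapeshellarg out of the list of functions to disable, for the reason given above.

```python
"""Audit a php.ini against the hardening settings recommended above.

Added example, not part of the original article. Assumptions: the ini uses
plain "key = value" lines, ';' starts a comment, section headers are ignored,
and the sample ini texts below are constructed for the demo.
"""

EXPECTED_OFF = ["expose_php", "display_errors", "enable_dl", "allow_url_include"]

# Functions the article recommends putting in disable_functions. The two
# escapeshell* helpers are left out: they only escape strings and execute nothing.
DANGEROUS_FUNCTIONS = [
    "system", "shell_exec", "popen", "pclose", "proc_open", "proc_close",
    "proc_get_status", "proc_nice", "proc_terminate", "exec", "passthru",
    "show_source", "readfile",
]


def parse_ini(text):
    """Return {key: value} for key = value lines, ignoring comments and sections."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_off(value):
    # PHP accepts several spellings of "off"; an empty value also means off
    return value.lower() in ("off", "0", "false", "no", "none", "")


def audit(text):
    """Return a sorted list of findings; an empty list means the file passes."""
    settings = parse_ini(text)
    findings = []
    for key in EXPECTED_OFF:
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key}: not set (PHP default applies); set it to off")
        elif not is_off(actual):
            findings.append(f"{key}: is '{actual}', should be off")
    disabled = {f.strip().lower()
                for f in settings.get("disable_functions", "").split(",") if f.strip()}
    still_enabled = [f for f in DANGEROUS_FUNCTIONS if f not in disabled]
    if still_enabled:
        findings.append("disable_functions: still enabled: " + ", ".join(still_enabled))
    return sorted(findings)


# Constructed sample: a development php.ini that was never hardened.
WEAK_INI = """
[PHP]
expose_php = On
display_errors = On        ; handy in development, leaks paths in production
enable_dl = On
allow_url_include = On
disable_functions =
"""

# The same file after applying the recommendations above.
HARDENED_INI = """
[PHP]
expose_php = Off
display_errors = Off
enable_dl = Off
allow_url_include = Off
disable_functions = system,shell_exec,popen,pclose,proc_open,proc_close,proc_get_status,proc_nice,proc_terminate,exec,passthru,show_source,readfile
"""
```

Run audit() on the php.ini the web server actually loads (php --ini tells you which one), not on a copy you think is in use, and remember that a setting missing from the file falls back to PHP's built-in default, which is why an absent key is reported rather than silently passed.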

Securing MySQL Database Server

  • Set a password for the root user
  • Allow administrator accounts to connect from localhost only
  • Prevent database access from external hosts: bind MySQL to localhost, or enable skip-networking, when the web server runs on the same machine

Securing Apache Web server

  • Disable all modules that are not required
  • All security-relevant settings should go directly into httpd.conf, not into .htaccess files: an attacker who gains write access to the web root can edit or remove a .htaccess file, and turning .htaccess processing off with AllowOverride None also removes a per-request lookup cost

Monitoring Measures:

Once the forum is back and functioning normally, you should carry out additional monitoring measures for the first period. You can use special software such as Snort, a network intrusion detection system, together with ModSecurity, to get a comprehensive overview of the events occurring. Monitoring should continue for at least half a year before switching back to "normal status".

Unfortunately it is often the case that, due to a lack of backups, the compromised system disappears from the network entirely. Reconstructing a business forum or any other project is then often no longer feasible, either financially or because of the enormous time and effort required. If the user data is gone and you have no backup of it, things look very bad. If you find yourself starting from scratch in this situation, do not lose hope: learn from the mistakes, and make sure you back up your data offsite using an offsite backup hosting plan.

