Over the last year, Sucuri has published a wide array of posts on how sites are infected, the types of attacks we’ve discovered, how to detect them, and how to prevent future infections with certain methods and tools. In this article we’ll discuss our top 10 posts involving website security, and what site owners can learn from them. Hopefully, these posts will provide more insight into how you can identify risks, and how to avoid them moving forward.
1 – How to Know If You Are Under DDoS Attack
Knowing how to determine whether you’ve been impacted by a DDoS (Distributed Denial of Service) attack, and how to mitigate it, is important. By inspecting traffic with analytical tools, you can determine if a traffic spike is organic or not. Spoiler alert: most sustained spikes aren’t.
After carefully monitoring the network activity, you may need to increase your resources with the host, or implement a CDN (Content Delivery Network) to mitigate slow load times or downtime. Adding a firewall is also useful to ensure that fake requests are fully blocked when it comes to DDoS attacks.
2 – WPScan Intro: How to Scan for WordPress Vulnerabilities
In this article, we discuss utilizing the WPScan tool for your site, and how to implement the scanner via command line. This tool is able to provide in-depth information about things such as headers, files, WordPress versions, themes, plugins, and config backups.
We go over the benefits of using the WPScan Vulnerability Database API for themes and plugins, which will provide specific details regarding any vulnerabilities within them. With the enumeration scan feature, WPScan will be able to determine if any usernames are publicly discoverable. Generally, these can be found if your public nicknames are identical to your user IDs. This tool will also allow you to simulate a brute-force attack on your site with the discovered usernames.
Overall, this scanner tool provides an array of features and information the average scanner may not provide. If you manage a corporate site or collaborative blog, the enumeration scan can be quite useful. If you’re looking to incorporate more tools to minimize security threats, this tool is a great addition to your security arsenal.
3 – UCEPROTECT: When RBLs Go Bad
Another useful tool that can be an addition to your security arsenal is an RBL, or a Realtime Blackhole List. RBLs compile lists of IPs, which are converted from domains, and determine whether they’re sending spam or include abusive content. This is also known as a “DNS Blocklist,” or DNSBL for short. Although Sucuri primarily handles cleanups and firewall protection, RBLs are more related to email. Only on rare occasions does our remediation team request that a client’s hosting server IP be removed from one.
That being said, there’s the potential for an RBL to have shady practices such as demanding payment in return for “Express Delisting.” They’ve claimed our public WAF IP was involved in abusive activity, which isn’t possible since our IPs are never seen making requests, only accepting requests. They were unable to provide us any additional details of this abusive activity, yet we were able to find they provide a “service” for removing the IP from their list more “quickly” for about $100 USD. Although they provide this option, there’s no guarantee you’ll avoid being relisted later.
We later found out that if you threaten legal action against them, they dox you and feed your email address to spammers and email scrapers, as well as list the IP you contacted them from. The owner of this company also had a number of related sites with no SSL enabled and cleartext logins that require a username and password for “Executive members.” These run on 20-year-old operating systems, with a 17-year-old version of PHP.
These security practices and the overall approach to handling delisting requests are clearly unethical, and we felt it was necessary to bring more awareness to this issue.
4 – How to Find & Fix Mixed Content Issues with SSL / HTTPS
In this article, our founder, Tony Perez, goes over the Mixed Content warnings and why they occur. This basically occurs when various content resources are loading through HTTP instead of HTTPS. The browser alerts the visitor, and in some cases blocks content. This can impact how a site functions. Since the HTTP connections are insecure, this is a security vulnerability. Attackers can potentially replace content, spy on users, or take control of the website in its entirety.
We discuss the general cause of these warnings and how you can properly address them. The warning generally occurs when URLs for files such as images, media files, JavaScript, and CSS are hardcoded into a site, or default configurations are loading over HTTP. However, you can address this by using plugins like really-simple-ssl, conducting a mass search, or configuring a database search and replace tool (be sure to remove later!).
5 – How Do Websites Get Hacked?
Explaining how website infections occur to site owners is crucial in our line of work. As the World Wide Web grows larger, so do the volume of attacks and the ways in which they’re executed. We’ve found these hacks occur either through access control, software vulnerabilities, or third-party integrations. In this article, we discuss the details of how an injection occurs.
Later on, we discuss the preventative measures one should take to minimize these threats, and how to protect your site moving forward.
Ready for more? Read our final 5 website security lessons for the year in Part 2 of this post. Coming soon!