Troubleshooting Mixed Content Warnings with HTTPS

Much of the web continues to march towards creating secure communications between devices through the use of things like HTTPS/TLS (aka SSL). We’ve seen Google talk about giving SSL a ranking boost and flagging non-HTTPS websites within the browser (Chrome) as insecure. We have also seen various organizations take the call to arms – with StartSSL offering free SSL Certificates, organizations like LetsEncrypt being established, Automattic (parent company of WordPress.com) enabling HTTPS for all its domains, and we too announced our support through our own LetsEncrypt partnership.

HTTPS secures data in transit – it does not secure the website itself. If you have HTTPS enabled, it will not stop attackers from attacking your website and exploiting its weaknesses. Additionally, if your website is hacked, it will not stop the distribution of malware; in fact, it’ll only distribute the malware securely. While HTTPS is definitely an important piece of the security framework for any website, it’s important we don’t get caught up in the noise and distort its true purpose and value.

For those that have tried to deploy SSL, myself included, there are a number of issues to be mindful of. The most common seems to be with how assets (i.e., images, css, etc…) are being loaded once you make the switch. I went ahead and put together a little tutorial to hopefully reduce the potential anxiety you might feel with this undertaking. This will be especially important if you are using our Sucuri Firewall.


Investigating a Compromised Server with Rootcheck

What do you do if you suspect your server (VPS or dedicated) has been compromised? If you are a customer, you have the option to leverage our team to perform the incident response on your behalf. What if you want to do an investigation on your own?

In this post, we will talk about Rootcheck, an open source command line tool that looks for indicators of compromise on Linux or BSD systems. It looks for known backdoors, kernel-level rootkits, malware and insecure configuration settings. It performs a few tests that will certainly help you during your hack investigation.

The Risks of Hiring a Bad SEO Company

Today we are not going to explore malware or any other overtly malicious traffic. Instead this post is a warning about dishonest marketing tactics used by services claiming to improve your website traffic or Search Engine Optimization (SEO).

We recently received a report from one of our clients claiming that their website was experiencing a Distributed Denial of Service (DDoS) attack. Our Website Firewall offers DDoS protection capable of mitigating very large-scale attacks, and it is rare that we need to step in to help mitigate. After a quick look, it was clear that no DDoS attack was occurring. As I suspected, the site was being fully protected by our Website Firewall and there was no malicious traffic to be found. However, I did notice some strange traffic patterns that piqued my interest, so I felt it was worth investigating the issue further.

Using WPScan: Finding WordPress Vulnerabilities

When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities.

Last time, we taught you how to install WPScan on Mac and Linux.

This time we are going to dive into how to use WPScan with the most basic commands.

WPScan Intro: WordPress Vulnerability Scanner

Have you ever wanted to run security tests on your WordPress website to see if it could be easily hacked?

WPScan is a black box vulnerability scanner for WordPress sponsored by Sucuri and maintained by the WPScan Team, available free for Linux and Mac users. If you use Windows, you can install a virtual machine of a free Linux distro using Virtualbox (also free) or VMWare. If there is interest, we can do a tutorial on this in a future post. In this post we are going to cover the basics of installing WPScan, and we have also created a follow up post to teach you how to use WPScan.

We have included a video tutorial so you can follow along while you copy the commands into Terminal.


Analyzing Proxy Based Spam Networks

We are no strangers to Blackhat SEO techniques; we’ve actually spent a great deal of time working on and sharing various bits of information related to Blackhat SEO techniques over the years. What we haven’t shared, however, is the idea of Proxy-based Spam Networks (PSN). It’s not because it wasn’t interesting; it’s just not something we’d seen that often, or at all. As is often the case in website security, techniques continue to evolve and are mastered, the space changes, and it’s on us to understand, dissect and, of course, deliver that information to each of you.

This naturally brings me to the latest trend we’re seeing. While difficult to quantify (you’ll soon see why), we have started to see and experience interesting configurations in which Blackhat SEO actors are employing reverse proxies to:

  • Hijack and rank for your content.
  • Leverage that ranking for their own SEO needs (often with nefarious intentions).


Demystifying File and Folder Permissions

If you have poked around a server before you have probably encountered file permissions. In fact, all computer file systems offer permissions based on the same core ideas. The file permissions in Linux, Mac, and Windows computers are very similar to the file and folder permissions in Apache, Nginx, and IIS servers. You can right-click any file on your computer and choose Properties (Windows) or Get Info (Mac) to see an example. You can also log into your server (using an FTP client like FileZilla) to do the same thing to your server files and directories.

For the purposes of this article, we’ll be discussing website files and folders on your server.

You may have heard references to things like chmod, 775, read/write, or user groups. This post is going to explain the bare bones of permissions, giving you clarity into these terms. This is important for those of us who are just starting to interact with servers, and for those who have always been curious to know more about file permissions. Ultimately, knowing how permissions work on your server will strengthen your security posture. In other words, knowledge about security concepts helps you develop a keen sense that stops you from doing things like granting full 777 permissions on a file (even if your theme documentation tells you to), or noticing when you have strange file permissions that could be the warning signs of an intruder.


WP-CLI Guide: Install WordPress via SSH

This is our fourth post on using WP-CLI to manage WordPress securely over SSH. In our first post we showed you how to connect to WordPress over SSH. The second post had you typing a few commands to backup and update the WordPress core and database. We also covered a few commands in our third post about how to securely manage your plugins and themes with WP-CLI, including updating, removing, and adding them to WordPress.

Today, we are going to cover installing WordPress core from the ground up using WP-CLI. This is the pièce de résistance, and one of the most secure ways to install WordPress. The SSH protocol encrypts the commands and data transfer, keeping your connection to your website server more private than using FTP clients.


WP-CLI Guide: Secure Plugin & Theme Management

Welcome to our third post on WP-CLI for secure WordPress management over an SSH command line interface. In our previous two articles, we discussed how to connect to WordPress over SSH, and then how to back up & update WordPress securely.

Like other open-source content management systems, WordPress lets you easily add code to make your website look and act differently. These are your themes and plugins, built by inspired developers and designers who understand how WordPress works. It’s these extensions that allow you to publish content with added functionality for your visitors and what facilitates the unique look of your brand.

The people who build these extensions know quite a bit about internet technology when it comes to user experience, but there are just too many ways to break a website. All developers should be ready to deal with a security flaw by patching and notifying users of an update if it comes to that.

Security is not the core competency for most developers and designers. Even the most secure code in the world has flaws that can allow an attacker to gain unauthorized access.


WP-CLI Guide: Secure WordPress Backup and Update

Welcome to our second post in the series on WP-CLI for WordPress management over SSH. In our previous post, we discussed how to get your SSH credentials and use WP-CLI to connect to your website over the command line.

Before we get into changing anything, we’ll show you how to back up your database and compress it with your files to make sure you have a complete backup of your system. For this, we’ll have to go a bit beyond WP-CLI’s capabilities and use some normal command-line tools to finish the backup.

After your website (database and files) is securely backed up and transferred to a safe location, you can update the WordPress core and DB without any worries.

Sometimes, things go wrong! Be sure to read our tips on how to back up your website safely.

