Posted at October 16, 2017 at 5:42 am by Stacey Talieres
As a longtime fan of WordPress, working on my former employer’s website pained me. I compared the organization’s online presence to a kindergartener’s craft project—held together with macaroni noodles and paste.
The website looked fairly modern to visitors, but the backend was a disaster. The theme had been customized beyond recognition, meaning updates would require days of rebuilding that we couldn’t afford. Our performance and security continually suffered, and I spent tons of time beating back the malware, pharmaceutical ads, and SQL injections.
The person who originally created the website was a fantastic graphic designer but knew very little about running a website. He naturally chose WordPress, the world’s most popular content management system, and did his best to keep up with the various requests and ideas that sprung up across the office.
Over time, our brand suffered from what turned out to be unsound and unintentional mistakes and bad decisions. When properly managed and hosted, however, WordPress does wonders for efficient workflows and improved user experiences. Below, I’ve outlined the top five lessons I’ve learned or witnessed through many years of hosting, building, and fixing WordPress sites.
Mistake #1: Choosing a Cheap Host Instead of One That Brings Value
Although nearly every reputable hosting provider offers an ultra-simple one-click installation of WordPress, not all companies have invested in the modern infrastructure required to run the platform efficiently.
Upgraded hardware, such as faster-performing solid-state drives, can come with added costs. While it’s certainly understandable to seek out the most affordable hosting plan for your website, you risk getting exactly what you paid for.
Instead of looking for the cheapest option, search for the biggest bargain. Many hosts—InterServer included—offer upgraded services, support, and a surprising number of features for $5 or less per month.
With SSD-powered infrastructure, free SSL certificates, and unlimited storage, bandwidth, and email accounts, InterServer shared hosting delivers long-term value and peace of mind to WordPress users. The company takes shared hosting security seriously, even launching a five-pronged malware and prevention system called InterShield in mid-2017.
Mistake #2: Installing Suspect Plugins—And Then Not Updating Them
While there are certainly several must-have WordPress plugins, some might actually do more long-term harm than good. According to the WPScan Vulnerability Database, plugins account for more than half of the known WordPress vulnerabilities. WordPress core files account for about 30% of the weaknesses, with themes covering roughly 15% of the remaining deficiencies.
When looking to install a plugin, look first at the options with the most installations. If thousands or millions of users trust a plugin, it is probably reliable. Similarly, take stock of the plugin’s ratings and note when the code was last updated. Frequent revisions are a sign that the developers are actively keeping up with security concerns and usability features.
Mistake #3: Using the Infamous Admin Username or Having Weak Passwords
Until WordPress 3.0 was released in 2010, the platform automatically set up new sites with an administrative username of—you guessed it—admin. This spawned a feeding frenzy of brute force attacks, as intruders didn’t need to guess an account’s username, just the password.
Even though WordPress ended that practice, the admin username remains a major weak spot for unsuspecting site owners. Similarly, using a password of “123456” or “admin” or—cringe—“password” is likely to accomplish exactly what one might expect. Strong passwords are critically important to successful WordPress usage, as are limited login attempts (more on that later) and two-factor authentication.
Mistake #4: Thinking You Know How to Edit Theme and Core Files
Being able to edit a theme or plugin file directly from the WordPress interface might be convenient for the most experienced developers, but it represents a major security hole for most users. As if an intruder having unfettered access to the inner workings of your site isn’t scary enough, self-inflicted problems and broken code are incredibly common.
Limit the ability for you or your colleagues to introduce vulnerabilities into your website’s code by establishing and maintaining WordPress user roles and capabilities: give people the least amount of access needed. To take matters a step further, you can disable the WordPress theme and plugin editor by adding define('DISALLOW_FILE_EDIT', true); to the site’s wp-config.php file. You’ll still be able to reach the files over FTP if you’re daring and desperate enough to still need to edit them.
Mistake #5: Leaving Yourself Open to Attack by Not Configuring Properly
The popularity and widespread use of WordPress understandably makes the platform a major target for attackers. New malicious strategies now enable intruders to find and infiltrate fresh WordPress installations within 30 minutes of paying for a web hosting plan.
With just a few quick adjustments, however, you can help your website turn back the large majority of attacks. Start by installing a plugin that caps the number of login attempts; we recommend Limit Login Attempts Reloaded for standing up to brute force strikes. This 10-point guide includes several other code snippets you can add to various configuration files to block access to important WordPress directories and prevent certain suspicious behaviors.
Building Online Brands Often Includes a Polarized WordPress Experience
Admittedly, the much-loved open-source publishing platform does not come without a few quirks. Even experienced developers have a love/hate relationship with WordPress, as a 2017 survey showed that, while roughly 35% of developers loved working with the content management system, about 65% dreaded using WordPress.
The platform’s undeniable usability and simplicity, however, make WordPress a go-to option when looking to build an online brand—if you know a little bit about what you’re doing. InterServer provides customers with an easy-to-follow checklist of the top 10 ways to secure WordPress.
Mercifully, I eventually got the green light to redesign and relaunch my former employer’s website. Nearly all of the site’s ailments disappeared once I installed a new theme and a host of plugins, and switched to a better hosting provider. I still spent more time than I wanted running backups, updates, and security scans, but at least I could establish the best practices and routines needed to maintain the site well past my eventual departure.
Laura Stamey writes, designs, and develops for HostingAdvice as a Contributing Editor for Digital Brands, Inc. The HostingAdvice team boasts more than 50 years of combined experience building and scaling personal projects and industry-leading websites and applications.
InterServer gives back!
Hurricane Harvey has devastated parts of the United States with its record-shattering destructiveness. Parts of Louisiana and Texas struggle with extreme flooding conditions that make it impossible to inhabit the area. InterServer has connected with American Red Cross to support the relief of the tragic event. For every Web-Hosting order InterServer will donate 100% of the first month to the American Red Cross.
A key component of InterServer’s belief system is to give back to the community. If there is a chance to strengthen or aid a community, especially in a case of disaster, InterServer will be there!
How do donations help?
The American Red Cross actively seeks donations of food and money to help victims of Hurricane Harvey. Through donations, the Red Cross sends pallets of water and fresh meals to supply those in need. Already, about 30,000 people have been aided as a result. InterServer is proud to join in on assisting the Red Cross in such tough times.
American Red Cross stated the following,
“More than 1,800 people took refuge from the deadly storm Saturday night in 34 Red Cross and community shelters in Texas. In Louisiana, one shelter is open where 8 people spent Saturday night. These numbers are expected to grow and dozens of additional shelters could open. Harvey will continue to produce large amounts of rain over the next several days. Millions of people are facing flash flood warnings, including the entire Houston metro area which is under a flash flood emergency. There are reports of people stranded in their homes and water rescues are ongoing. Roads are flooded, rail lines are shut down, airports closed and hundreds of thousands have no power. Numerous hospitals, nursing facilities and dialysis centers are closed.
Hundreds of Red Cross volunteers from all over the country are on the ground now, working to provide safe shelter and comfort to people impacted by this devastating storm. The Red Cross has enough shelter supplies in Texas to support 28,000 people and supplies for an additional 22,000 people are being sent in now.
In addition, tractor trailer loads of ready-to-eat meals, comfort kits, kitchen supplies and cleaning supplies are on the ground in Texas. Nearly half of our emergency response fleet — more than 150 vehicles – have been mobilized. The Red Cross also prepositioned blood products in Houston ahead of the storm to help ensure we can maintain an adequate blood supply over the weekend. We have staged additional blood inventory in Dallas.”
As a response summary of Hurricane Harvey.
After confirming the purchase of Standard Web Hosting package InterServer will automatically donate the first month payment to American Red Cross.
American Red Cross Information:
The American Red Cross is always looking for more volunteers. If you are interested in volunteering, you can visit redcross.org. The organization is also looking for financial donations.
The organization is offering a variety of ways for people to donate. You can call 1-800-RED CROSS or text HARVEY to 90999 to make a $10 donation for those in need.
*update* we have concluded this program.
Ransomware is a dangerous piece of malware that infects computers. CBT Locker Website, a spin on the infamous CBT Locker for desktops, is one of the latest versions of ransomware that enables an attacker to take WordPress sites hostage and charge a fee for their release.
What is CBT Locker and Ransomware?
Ransomware, which has only been popular for the past few years, is most effective when an attacker plans to make money from his/her victims. Ransomware encrypts all data and leaves the victim a message that important files won’t be decrypted until the victim pays a fee, which can run anywhere from $50 to thousands of dollars. If the victim waits too long, the fee sometimes increases. Payments can be requested in bitcoins, and the malware will even help the user find a bitcoin provider. The scam has made attackers millions in ransom fees.
CBT Locker works in a similar fashion; the attacker just needs to get the victim to download malicious software, which can be easier than gaining access to a website.
Hacking a website involves accessing the file system to upload files. This can be done using phishing attacks or keyloggers. WordPress sites vulnerable to SQL injections can also give the attacker escalated privileges on the web server.
What Happens After a Website Is Hacked?
After the website is hacked, the attacker uploads a new index.php file. When you access a site, the default file that launches content for the main homepage is index.php. The attacker’s index.php file replaces the legitimate one; the next time it executes, data encryption is triggered.
The malicious code searches for numerous file types, usually those most likely to be important to people. Here are a few file types that ransomware, including CBT Locker, searches for:
Ransomware uses a two-key system: a public key is used to encrypt the data and a private key is used to decrypt it. Only the private key can decrypt data encrypted with the public key. When you pay the ransom, you pay for the private key.
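Because the compromise described above begins with the legitimate index.php being swapped out, a file-integrity baseline is the practical way to catch it early. The following Python script is an added example, not code from InterServer or from any ransomware; it hashes a constructed stand-in for a WordPress document root, simulates the replaced index.php and overwritten uploads, and reports what changed.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a tiny WordPress document root (not real WordPress files).
SAMPLE_SITE = {
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    "wp-config.php": "<?php define('DISALLOW_FILE_EDIT', true);\n",
    "wp-content/uploads/report.pdf": "%PDF-1.4 constructed sample document\n",
}

def sha256_file(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest.
    In practice the result is stored off the web server, where a compromised
    site cannot rewrite it."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, root):
    """Report files that appeared, changed or vanished since the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(set(baseline) - set(current)),
    }

def write_tree(root, files):
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)

def run_demo():
    """Baseline the constructed site, simulate the index.php swap and the
    overwritten uploads described in the post, then diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_SITE)
        baseline = build_baseline(root)
        write_tree(root, {  # simulated compromise; every file here is constructed
            "index.php": "<?php /* constructed stand-in for a replaced front controller */\n",
            "wp-content/uploads/report.pdf": "constructed stand-in for encrypted content\n",
            "wp-content/uploads/DECRYPT_ME.txt": "constructed stand-in for a ransom note\n",
        })
        report = compare(baseline, root)
        # index.php changing outside a known deployment is the loudest signal here.
        report["front_controller_replaced"] = "index.php" in report["modified"]
        return report

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the baseline step after each deliberate update or deployment so that only unexpected changes are reported.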
An interesting part about the CBT Locker website version is the real-time chat system. If your files are encrypted, you can go to your site and use the chat system to talk to the attacker. The attacker will help you find a bitcoin provider and even provide you technical instructions on how to pay for the key.
WordPress Sites Protected by InterShield
The attacker needs access to your site, so the only way to defend against this attack is to know common vulnerabilities within WordPress.
The most common way an attacker gains access to a site is from a malicious plugin. Even legitimate plugins could have some kind of vulnerability that gives an attacker control of the site. Install only trusted plugins with authors that keep up-to-date on the latest attacks and frequently update their software to patch any recent bugs. Never download random plugins from sites that promise cracked themes (also known as “nulled” themes).
Some legitimate plugins are shown to have vulnerabilities. Responsible plugin developers patch their software to stop the vulnerability and release the new update as soon as possible. You must update your plugins each time a patch is released to avoid having your site hacked.
Penetration testing is the process of having a “white hat” hacker run scripts against your site to find any common vulnerabilities. You can pay for testing or buy your own software that penetration tests your WordPress site. If any vulnerabilities are found in your plugins, you can either disable them and find replacements or alert the plugin author in the hopes that they will provide you with a fix.
SQL injection is a common attack on database vulnerabilities. Unless you understand the SQL language and the way databases work, you won’t know how to find these vulnerabilities. A penetration test includes checks for SQL injection vulnerabilities.
Not only should you always keep your software up-to-date, but also be aware of phishing scams when you read your emails. Never give out your login credentials for your web server to anyone.
Rest assured that when you purchase our shared hosting you are well protected from whatever malware lurks around the corner. In the event your site does get hacked, we are here to help you clean it up, and this extends to every customer on a managed WordPress plan. In addition, with InterShield we deploy a five-pronged defense against vulnerabilities, which includes a web application firewall, a file upload scanner, automatic scanning of running scripts, outbound email protection, and malware detection.
We are extremely excited to announce a new virtualization platform that we are offering to customers for our VPS. This latest platform is called Virtuozzo 7, which is built on top of RHEL 7. Also known as OpenVZ 7, this virtualization platform is a huge leap forward in features regarding density, management tools, and recovery. Listed below are some of the benefits and features of OpenVZ 7.
As it is based on OpenVZ, features like memory hotplugging (increasing or decreasing RAM on the fly), CPU changes, and upgrading or downgrading disk space are still supported. Unlike InterServer’s KVM system, OpenVZ can shrink as well as increase resources on the fly.
Density really refers to how much efficiency is given from our servers. Using Virtuozzo 7 increases density allowing for us to take advantage of the hardware used in the server. Not only does this prove to be beneficial to our customers, but helps us maximize output from the server itself.
In terms of performance, Virtuozzo permits higher uptime. As part of our 99.99% uptime guarantee, we constantly seek solutions that will enable us to meet our customers’ expectations. The way this platform handles storage ensures minimal downtime.
This virtualization platform is comparable to OpenVZ in that you can still take backups from our control panel. We understand the importance of backups, therefore we made sure to use a platform that would allow our customers to perform this action from my.interserver.net, making this feature easily accessible and of great overall value.
Another important tool found in our control panel for VPS is VNC. This allows our customers to connect to either their Windows desktop or Linux command line interface. Until now, it was only available on our KVM platform. With the release of Virtuozzo 7, VNC will be provided as an option to access your server just as you would with a KVM VPS.
If you are looking for storage with speed we do offer Virtuozzo 7 with SSD. For each slice it will cost you an additional $3. We highly recommend this option if you require this level of speed to power your websites.
If you are interested in trying out this new virtualization platform head on over to interserver.net. We sell slices at affordable prices – $6 a slice for our Linux VPS. If you decide that this platform meets your needs you can always increase your resources by purchasing more slices. We even offer a free control panel called Breadbasket which will help you manage your VPS.
Posted at June 5, 2017 at 3:00 pm by Stacey Talieres
“I’ve been hacked!” How many times have we heard this line before? My guess would be way too many times. We all become ever more interconnected thanks to the power of the World Wide Web, and along with it come the dangers of malware. However, malware has always been a step ahead of those trying to mitigate its power and consequences. The independent IT-security institute AV-TEST claims that “over 390,000 new malicious programs are developed every day.” Numbers like this make us here at InterServer quite concerned. Not many end users are aware of the dangers that lurk around the corner or on their very own website. As a result, we have decided to develop a new five-pronged malware and prevention system, which we call InterShield. These five prongs include:
We believe that this approach should quickly prevent malware from posing a major threat to not only us, but any of our customers using our shared hosting. Let us further explore what each of the five prongs does and accomplishes.
Websites are constantly under threat from cross-site scripting, SQL injections and various other attacks. The two most common, cross-site scripting and SQL injection, can prove to be quite harmful. Cross-site scripting is a form of client-side code injection where the hacker injects scripts into a website or application. These attacks specifically target one’s website because they then affect those who visit the site. SQL injection is another form of code injection into websites, in which the attacker enters SQL commands into data entry fields to impact database integrity. These hackers are trying to gain escalated access to website data and other forms of confidential information.
With Mod_Security enabled on our Linux shared hosting servers, these common attacks are prevented. We won’t get into the exact details of how it works, but there are expressions and rules that help stop these attacks dead in their tracks. Mod_Security adds another layer of security for us, since sometimes programming code leaves itself open to vulnerabilities.
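To show the kind of pattern rule a web application firewall such as Mod_Security applies, here is an added Python example that is not taken from InterServer’s configuration: it URL-decodes the request target from constructed Apache-style access log lines and reports which of three illustrative signatures each request trips. The log lines, IP addresses and rule set are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not real InterServer logs).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2017:15:00:01 +0000] "GET /?s=wordpress+hosting HTTP/1.1" 200 5120
203.0.113.11 - - [05/Jun/2017:15:00:02 +0000] "GET /?p=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 7810
203.0.113.12 - - [05/Jun/2017:15:00:03 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.13 - - [05/Jun/2017:15:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.14 - - [05/Jun/2017:15:00:05 +0000] "GET /?cat=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 9001
"""

# Deliberately tiny rule set in the spirit of a WAF signature file; a real
# deployment relies on a maintained rule set rather than three regexes.
RULES = [
    ("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def evaluate_request(target):
    """Return the names of every rule the decoded request target trips.
    Decoding first is what keeps percent-encoded input from slipping past."""
    decoded = unquote_plus(target)
    return [name for name, pattern in RULES if pattern.search(decoded)]

def screen_log(text):
    """Run the rules over each access-log line; one hit per matched rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        for rule in evaluate_request(m.group("target")):
            hits.append({"ip": m.group("ip"), "rule": rule,
                         "target": unquote_plus(m.group("target"))})
    return hits

if __name__ == "__main__":
    for hit in screen_log(SAMPLE_LOG):
        print(f"{hit['ip']}  {hit['rule']:16} {hit['target']}")
```

Note that these signatures only inspect the request line; POST bodies, headers and cookies need the same decoding and matching, which is exactly what a full WAF rule set covers.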
Another way malware can be spread onto servers is by uploading malicious files. Sometimes people unknowingly upload files that contain viruses, which can spell disaster for anyone. This layer of InterShield scans uploaded files for malware. Malware usually contains a certain signature that can be detected, and our scanners are updated regularly so that the latest malware won’t be a problem for us.
Scripts can be very useful when running a website. However, some scripts that people use can be malicious. On our shared hosting servers we are constantly scanning to make sure that any scripts currently running are not malicious. This additional layer of protection and prevention allows you to rest assured that your website will never be compromised due to a bad script.
As part of our longstanding promise to our customers, guaranteed email delivery is always protected on our standard hosting. We follow through on this promise by allowing the delivery of valid, non-spam, non-bulk emails. Our technology allows us to find compromised accounts quickly. This prevents an IP address from getting blacklisted, so that everyone else does not suffer because of one customer.
In an effort to protect our customers on our standard hosting accounts, we maintain a large database of malware scripts. Keeping track of their signatures allows us to quickly target and remove any malware that poses a threat to us. Over 155k pieces of malware have been detected. If you are interested in learning more about this, please follow this link: http://sigs.interserver.net/. As you can see, our intrusion system is constantly catching malware signatures and adding them to this database.
There you have it. We hope that, given the information provided, you will elect InterServer as your shared hosting provider. Our standard shared hosting comes with cPanel, the Softaculous script installer, unlimited domains, email, bandwidth, and so much more. Before signing up with us, customers always ask what built-in security features we have. As you can see, InterServer’s InterShield provides multiple layers of protection against various kinds of malware.