Archive for the ‘Security’ Category

Securing Your WordPress

In our two previous posts I talked about being hacked, what to do if your site has been compromised, and how to get cleared with Google if they have blocked visitors because of malware found on your site.

This post talks about how to make your WordPress as secure as possible.

WordPress has good security built in. Their team of devoted and very talented programmers is constantly working to stay ahead of the bad guys. Even so, being such popular software makes it a target, so it’s important to be proactive in keeping your WordPress as safe as possible.

Be Vigilant

You can’t phone up an alarm company and have them put in motion detectors, door and window strips, so what do you do? There are several things you can do and plug-ins you can install or have your web person help you with.

  • check your site’s security for vulnerabilities
  • lock down your site as best you can
  • monitor changes to your site that you have not made
  • scan your site for malicious files (discussed in our last two posts)
  • and also scan for viruses

A plug-in to check your site’s secu­rity for vulnerabilities

Ultimate Security Check

http://wordpress.org/extend/plugins/ultimate-security-check/

This plug-in scans your site and makes recommendations, then provides settings you can toggle on or off.

There are other plug-ins you can find, and most require ‘settings’ decisions you might need help with. They generally have default settings you can safely apply without blowing up your site. But… There is never a guarantee you won’t encounter a problem because there are so many different web server configurations… So be careful! Always do a back-up first (another topic and another plug-in).

Lock down your site as best you can

Unless you are an advanced user, you will need help with this task and so I’m going to keep my explanation brief… Hackers often look for files and folders on your site with permissions set to allow them to be edited, for example your footer file and other theme files. Removing ‘write’ permissions on these files will make it harder for hackers to inject code into your site. Explaining how to do this is beyond the scope of this post and if you don’t know how, we recommend you get help.

Locking down your theme files is a pain and not many folks go to this extreme, but it does make your site more secure and you will have to judge for yourself whether the extra work it causes is worth it.
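One way to do the lock-down described above from a shell on the web server, as an added example that is not part of the original post. The function names and the throwaway sample tree are made up for illustration.

```shell
#!/bin/sh
# Added example: remove write permission from WordPress theme files.
# Function names and the sample tree are constructed for illustration.

# Count files and folders under $1 that anyone (owner, group or other) can write to.
count_writable() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# Lock: drop every write bit. Folders are included because a writable folder
# lets a read-only file inside it be deleted and replaced.
lock_theme() {
    find "$1" \( -type f -o -type d \) -exec chmod a-w {} +
}

# Unlock: give write access back to the owner only, for a legitimate edit
# or theme update. Run lock_theme again afterwards.
unlock_theme() {
    find "$1" \( -type f -o -type d \) -exec chmod u+w {} +
}

# Demo on a throwaway tree; on a real site pass wp-content/themes/<your-theme>.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/mytheme"
    printf '<?php // footer ?>\n' > "$d/mytheme/footer.php"
    chmod 666 "$d/mytheme/footer.php"   # editable by everyone: the risky case
    echo "writable before lock: $(count_writable "$d")"
    lock_theme "$d"
    echo "writable after lock:  $(count_writable "$d")"
    unlock_theme "$d"                   # needed so the cleanup below can delete
    rm -rf "$d"
}
demo
```

Locked files cannot be changed through Appearance=>Themes=>Editor until you unlock them, which is the extra work the post mentions.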

This post is getting on the long side so I’ll stop here for now and discuss the other list items (above) another night…


Submitting your site for a review at Google Webmaster Tools

In our last post we wrote about a malware script we have been dealing with the past couple of weeks: how it was being injected into WordPress footer files and how to remove it.

If you find this quickly and deal with it, there is minimal impact to your site. But if you don’t discover it quickly, you could end up on Google’s ‘Attack Site’ list and they will block visitors from visiting your site.

Curious about your site’s health status? Google has a tool for checking to see if there are any problems with your site. Replace the last part of this link with your domain and they will show you a report:

http://www.google.com/safebrowsing/diagnostic?site=yoursiteurl.com

Right now we’re going back to our topic for this post… How to submit your site to Google after you have cleaned up following a malware attack.

The first thing you are going to need is an account at Google Webmaster Tools.

http://www.google.com/webmasters/tools/

Once you have an account set up, you will need to add a website. There’s a button for this prominently displayed on the index page. Click on it and you will be offered a field to enter your site URL. I usually have this on my clipboard ready to paste in.

Next they will require you to verify ownership of the site. There are several different methods offered. You can add a meta tag they provide or download an HTML file, which you then upload to your site. This is fast and easy as long as you have an FTP program or web site authoring tool with file transfer set up. Explaining how to use these is beyond the scope of this post and if you don’t know how to do this, you are someone who should have professional help.

Once you have uploaded the Google HTML file or inserted the meta tag into your home page header, go back to the Google Webmaster Tools page [still open I hope!] and hit the ‘verify site’ button.

There are various things you can look at in Webmaster Tools but we are in there for a particular reason at the moment. We want to get our site pronounced healthy and open to visitors again. To do this, look for the ‘diagnostics’ link on the left side bar. Clicking will expand the menu. The ‘malware’ link takes you to a page with an alert that your site is blocked. Here is where you will be able to submit your site and add a little message about what you have done to clean out the malware.

That’s all there is to it. It’s not hard but then we do this for a living. If you need help with this or something else on your site that is beyond your technical comfort level, contact us!

Happy Trails,

Billy

PS - Next post we’ll talk about a few plug-ins to help with security.


Latest WordPress Malware Attacks

The bad guys have been busy this month!

Several of our clients had their WordPress blogs hacked. A malware JavaScript used to load bogus sites was injected into the page footers.

How can you tell if you have this problem on your WordPress site or blog?

This particular script is easy to spot from how your site reacts, even though it is not visible in the content. When you visit your site [or blog], instead of landing at the top of the page where you would expect to start, the script immediately takes you to the bottom of the page. If it does this, then there is a strong likelihood you have this malware on your WordPress.

If you use Firefox for your web browser, you may get an ugly warning page that your site has been reported as an attack site. Not fun. You will not be able to access your site at all… anywhere. This can make it harder to get rid of the problem because you may not be able to access your site admin area. Internet Explorer did not block entry to the sites because of this particular malware.

What should you do if this has happened to your WordPress?

If you can access your WordPress admin area using your web browser, then it’s relatively easy to get rid of the malware script. This particular exploit only affects one file, named footer.php.

You can edit this by going to Appearance=>Themes=>Editor and opening this file in the editor pane. The files are all listed on the right hand side of the pane.

Now you edit the footer.php file to remove the script. It will look like this screenshot of the one we removed from several sites.

[Screenshot of malware JavaScript]

Select the entire script with your cursor, being careful not to touch anything else. Delete it and save your changes. Your site is clean again.

WARNING: If you needed these instructions, you are not someone who should be doing this on your own and so we wouldn’t normally recommend you even attempt this yourself. But it’s a simple deletion so we thought we’d include it here. Even so, if there is any doubt in your mind about whether you should be doing this yourself, get help. If you don’t have a web person, contact us for help.

If you are one of the unlucky ones who have been reported as an attack site, you will need to submit your site to Google for it to be declared clean, otherwise visitors may not be able to access your site for some time.

It may be cleared without submitting it but it will definitely take much longer. Posting right away and each day for a few days will alert the search engines to spider your site and find a clean, malware-free site.

Stay tuned for our next posts where we will discuss how to submit your site to Google Webmaster Tools for review and what you can do to make your WordPress more secure from this type of attack.


Google's Security

Google has started an Online Security Blog.

Any of you who read my blog, or articles page at my site, know that I was hacked. The culprit was “Malware”. Looking for information about this ‘nasty’ in a search today I came across: Google Online Security Blog at http://googleonlinesecurity.blogspot.com/

“To protect Google’s users from this threat, we started an anti-malware effort about a year ago. As a result, we can warn you in our search results if we know of a site to be harmful and even prevent exploits from loading with Google Desktop Search.” Ok, yes it is absolutely a great idea to warn potential visitors that they may be infected if they go to a website.

One thing that concerns me a “tad” is this:

Even a site that was infected in the past but is now clean has a cache of the old “bad” pages that can turn up in searches. How does a web owner clear that? If someone turns up an old cached page which contains a malicious script, who is responsible? Could this happen? We don’t have a clear answer on this yet. When we do, we’ll post it here… So as I was saying, the Google security blog states: “If your site has been hacked: Take the site offline in order to keep from putting your site’s visitors and your customers at risk. Then remove all of the offending code and fix all underlying security vulnerabilities before putting your site back online.”

Ok, (I say that too much don’t I) so… Okay :-) I read on and they refer webmasters to a link that says

“There are three basic steps to maintaining a clean site from

  • Identifying badware on your site
  • Removing badware from your site
  • Preventing badware in the future”

Source: http://www.stopbadware.org/home/security

The attack on us was a little different than a malware/badware scenario. We didn’t have malware/badware put on our site. We were attacked at someone else’s website BY malware that used our computer to upload objectionable content to our site.

Even though we didn’t have malware/badware on our site, we used many of the same suggested remedies as we would have for malware/badware.

It’s been over a month since we discovered our site had been compromised, and nearly a full month since we cleaned out the bad files. Our site is still impacted by this episode and suffering the backlash from Google searches showing results for these bad pages even though they were removed at the end of April…

Oh… As for Google’s Matt Cutts — he has not, as of the date of this entry, responded to the message I left on his blog. Stay tuned!

Jan


Hack Attack (Not Bill) - Continued...

It appears that malware has been downloading to unsuspecting websites with Windows update (yikes!) Read the article here:
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9019118

Note: This is no doubt what happened to my site

“The threat of malicious websites hosting exploits has reached a point where Google’s engineers have decided to respond with a security analysis of the pages they index.”

“For websites that contain malware through no active fault of the webmaster, or sites that do not properly sanitize user contributed content, the ultimate Internet penalty could be imposed on them — a Google advisory that the site found in a search is unsafe. That could effectively destroy traffic to a site that has been hacked or designed poorly.” Nick Carr calls Google’s security aims a plan to police the Web.

Read more on this and my question to Matt Cutts:

http://www.jbcr-virtualsolutions.com/tips-and-articles.html#Not

Jan
