
WordPress Owners Survey

Dan Moen carried out a survey in 2016 of people who have WordPress websites that have been attacked, seeking to understand why and how the attacks were being made.  1,032 people responded to the survey.

The most telling statistic is that 61% of respondents didn’t know how the attacker compromised their website.

This is a concern because, if you don’t know how the attack was made, it is difficult to be sure you have blocked a repeat.

For the site owners who did figure out how the attackers entered, there are two main findings:-

  1. Plugins Are A Big Risk

Plugins play a big part in making WordPress very popular and very useful and there are tens of thousands of plugins available for WordPress. But you obviously need to be careful with them, as plugin vulnerabilities represented 56% of the known entry points reported by respondents.

  2. Brute Force Attacks Are A Big Problem

A brute force attack is a password guessing attack. The attacker needs to both identify a valid username on your website and then guess the password for that username. This type of attack is a huge problem, representing 16% of known entry points.

How to Protect Your WordPress Site

  1. Don’t Use Obvious Usernames

Every WordPress site has an administrator login, and this should be renamed: “administrator” and “admin” are too easy to guess and are the usernames most used in brute force attacks.

Make the login something impossible to guess and not used elsewhere on the site.

  2. Add Security Plugins

e.g. WordFence, Jetpack etc., which typically offer these kinds of features:-

  • Enforce strong passwords
  • Lock users out after a defined number of login failures
  • Lock out users after a number of forgot password attempts
  • Lock out invalid usernames

  3. Keep Plugins updated

Reputable plugin creators fix any vulnerabilities quickly when discovered. By keeping them up to date you ensure that you benefit from fixes before attackers can exploit them. Check for updates at least weekly if your WordPress website does not do this automatically.

  4. Only download plugins from reputable sites

If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised plugin.
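
The lockout rules listed under “Add Security Plugins” can be sketched as follows. This is an added example, not code from WordFence, Jetpack or the original post; the threshold, time window, account names and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold; a site owner would choose this
WINDOW_SECONDS = 300    # assumed counting window
VALID_USERS = {"k7-site-owner", "editor-jo"}   # constructed account names

def evaluate_logins(events, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
    """Replay (timestamp, ip, username, success) events and return {ip: reason}
    for every address a lockout policy of this kind would block."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for ts, ip, user, ok in sorted(events):
        if ip in locked:
            continue                      # already blocked; ignore further attempts
        if user not in VALID_USERS:
            # "Lock out invalid usernames": a renamed admin account makes
            # guesses at 'admin' fall into this branch.
            locked[ip] = f"invalid username '{user}'"
            continue
        if ok:
            recent[ip].clear()            # assumption: a success resets the count
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = f"{len(q)} failed logins in {window}s"
    return locked

# Constructed events: (unix time, client IP, username tried, login succeeded)
EVENTS = [
    (1000, "203.0.113.5", "admin", False),          # guess at a default name
    (1010, "198.51.100.7", "editor-jo", False),
    (1020, "198.51.100.7", "editor-jo", False),
    (1030, "198.51.100.7", "editor-jo", False),
    (1040, "198.51.100.7", "editor-jo", False),
    (1050, "198.51.100.7", "editor-jo", False),     # fifth failure in 40 seconds
    (1100, "192.0.2.44", "k7-site-owner", False),   # owner mistypes once
    (1110, "192.0.2.44", "k7-site-owner", True),
]

if __name__ == "__main__":
    for ip, reason in evaluate_logins(EVENTS).items():
        print(f"lock out {ip}: {reason}")
```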

Keep your WordPress website safe.

If your website has been attacked – let me know the details and the outcome by email.

Fightback Ninja Signature

Santander Security Advice

Like the other big banks, Santander do offer advice to their customers on how to avoid the scourge of online fraud.

https://www.santander.co.uk/uk/help-support/security-centre/keeping-yourself-secure

Santander say “We take every step possible to keep your finances and personal details safe. However, you play an important role too. Together we can make life really difficult for would-be criminals”.

There is a list of common threats and a basic description of each and tips on staying safe online.

The common threats Santander focus on are:-

  • Remote Access Scam
  • Tech support scams
  • Telephone scam/courier scam
  • Free trial offer scam
  • Guide to Invoice Fraud
  • Text message phishing (smishing)
  • Phishing
  • Mule accounts
  • Cheque fraud
  • Investment fraud / share sale
  • 419 / advance fee fraud
  • Trojans (Malware)
  • Spoofing – The caller ID scam
  • Pension scams

If you’re a Santander customer, you can ask them for specific advice about staying safe online and if you find irregularities in your account then do let them know ASAP.

If you have any experiences with scammers, spammers or time-wasters do let me know, by email.

Check Who’s Using Your Wi-Fi

If your connection to your home Wi-Fi always seems sluggish – maybe someone is accessing it who shouldn’t be.

If you unplug the router for a few minutes, that will disconnect anyone connected to it, but only until you plug the router back in; then your devices, and possibly someone else’s, can connect again.

If you think someone who shouldn’t have access to your Wi-Fi knows the passcode, then you need to change the passcode.

If there is still reason to suspect someone is accessing your Wi-Fi without your permission, then there are steps you can take to identify the culprit.

Check the Router Access List

You will need to log in to your router. The instructions that came with the router will tell you how to do this, and it may also be printed on the back of the device. These instructions differ for each router.

You will need to know its IP address (plus login and password) and then you can access it from a browser on any computer.

The router will show you a list of devices currently attached to it and usually enough information for you to recognise who the devices belong to.

You will see something similar to this:

Wired Devices

| MAC Address | IP Address | Device Name | Time Connected |
|---|---|---|---|
| 54:21:XX:XX:XX:XX | 195.179.0.2 | Erica’s PC | 2 days 4 hours 31 minutes |

Wireless Devices

| MAC Address | IP Address | Device Name | Time Connected |
|---|---|---|---|
| 54:21:XX:XX:XX:XX | 190.161.0.9 | Chromecast | 45 minutes |
| 54:21:XX:XX:XX:XX | 190.161.0.8 | Android Phone 140927271 | 1 day 12 minutes |
| 54:21:XX:XX:XX:XX | 190.161.0.7 | iPAD | 35 minutes |

The device name will hopefully tell you enough to identify the owner of the device but if you have several Android phones in the house, for example, then it may not be enough.
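
Matching on MAC address rather than device name resolves the several-Android-phones problem. The following is an added example, not part of the original post: it parses a listing in the layout shown above and flags any device missing from a household inventory. The addresses, names and inventory are constructed sample values, and the row layout is assumed from the sample listing.

```python
import re

# Row layout assumed from the sample listing: MAC, IP, device name, time connected.
ROW = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<name>.+?)\s+"
    r"(?P<connected>(?:\d+ (?:day|hour|minute)s?\s*)+)$"
)

def normalise_mac(mac):
    """Lower-case and use ':' so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.lower().replace("-", ":")

def parse_device_list(text):
    """Return one dict per device row; headings and unparseable lines are skipped."""
    devices = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            d["mac"] = normalise_mac(d["mac"])
            d["connected"] = d["connected"].strip()
            devices.append(d)
    return devices

def unknown_devices(devices, known_macs):
    """Devices whose MAC address is not in the household inventory."""
    known = {normalise_mac(m) for m in known_macs}
    return [d for d in devices if d["mac"] not in known]

# Constructed sample listing (not from a real router).
SAMPLE = """\
Wired Devices
MAC Address IP Address Device Name Time Connected
02:00:00:00:00:01 192.168.0.2 Erica's PC 2 days 4 hours 31 minutes
Wireless Devices
02:00:00:00:00:02 192.168.0.9 Chromecast 45 minutes
02:00:00:00:00:03 192.168.0.8 Android Phone 140927271 1 day 12 minutes
02:00:00:00:00:04 192.168.0.7 Android Phone 140927272 35 minutes
"""
# Constructed inventory of devices the household owns.
KNOWN = ["02:00:00:00:00:01", "02-00-00-00-00-02", "02:00:00:00:00:03"]

if __name__ == "__main__":
    for d in unknown_devices(parse_device_list(SAMPLE), KNOWN):
        print("Unrecognised:", d["mac"], d["ip"], d["name"], "-", d["connected"])
```

Phones that use a randomised (private) MAC address will appear as unknown until that address is added to the inventory.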

What to do if you find an unauthorised device

If you have not set the router to encrypt the data then make that change and try again.

If you still seem to have an interloper then that person must have hacking skills and you would need to invest time and money in network monitoring or employ an expert to trace the interloper for you.

How to keep your home wi-fi safe

Internet broadband comes into your home by means of a cable from outside. That cable is connected to a small box in your home called a router.  That router allows you to have Wi-Fi and cable network connections for your computers and other devices including televisions, iPads, mobile phones etc.

Router Login

You can log in to the router from your computer using an IP address and a login and password.

You cannot change its IP address but you can and should change the login and password as soon as possible.

How you make that change depends on the make of router you have, which is determined by your broadband supplier, but it is generally a straightforward process. The instructions with the router will explain how to do this.

Do not write the password down and leave it near to the router and of course do not tell anyone who you do not wish to have access to your Wi-Fi.

The router has various settings which are probably fine when you first receive the device, but you may need to change them if, for example, you are getting conflicts with a neighbour’s Wi-Fi.

Your router may have remote management facilities meaning that the broadband supplier can access it to make changes. It may be best to turn off this feature, but that would mean your supplier cannot access it either.

Wi-Fi and Encryption

Log in to your router.

Locate the “Wireless Security” or “Wireless Network” settings page.

Select WPA2-PSK encryption.

Choose a network name that doesn’t specify your house number or name.

Choose a strong network password or pass number i.e. one that no-one could guess.

Save these settings.

You will need to reconnect your devices to the Wi-Fi using the new password or pass number.

Protect your router and Wi-Fi against outsiders.


Advert Blockers

Adverts are useful in that they fund services that we wouldn’t necessarily want to pay directly for but still benefit from.

e.g. Freeview TV, commercial radio, Channel 4 TV, free newspapers etc.

A typical newspaper, partially funded by advertising, would need to increase its cover price by 100% – 200% if advertising was stopped.

But, there are huge amounts of advertising that most of us wish didn’t exist.

In print, you can ignore the ads; on TV you can go and make a cup of tea during the ad breaks, or record the programmes and fast forward through the ads.

However, in some situations adverts are intrusive and cannot be so easily ignored.

There are many websites with adverts that don’t get in the way, so that’s fine, but there are increasing numbers of websites where the ads are flashing, moving, popping up in the middle of the screen and sometimes so bad we can’t see the actual content we went to the page for in the first place.

Advert Blockers can make your life easier by blocking most of these adverts.

The most popular browsers have some features for blocking intrusive ads.

e.g. Google Chrome (settings – content settings) blocks pop-ups and ads from sites classified as intrusive.

Opera has a built-in ad-blocker.

Blocking adverts also blocks many tracking cookies, which protects your privacy as well.

The Most Popular Ad Blockers

Ghostery

Ghostery has been around for years and is available for Chrome, Firefox, Opera, Edge and Internet Explorer plus Android and iOS.

Firefox Focus

You can install any one of the many ad-blocking extensions on the desktop version of Firefox, but Mozilla has created a dedicated mobile browser for Android and iOS called Focus.

This is focused on privacy which means that, by default, it works like the private browsing mode on other browsers.

AdBlock

AdBlock is free, but it does ask for a donation on installation.

It blocks all ads on the web, including on Facebook, YouTube and other social sites.

You can also allow what AdBlock calls Acceptable Ads – similar to those ‘non-intrusive’ ads in AdBlock Plus.

There are lots of Ad Blockers on the market. See which one best suits your needs.


Warning – Web Coin Mining on Your PC

For normal physical currencies, each country has an appointed currency maker, such as The Royal Mint in the UK, which makes currency for the UK and several other countries. But with cyber currencies – who makes them and how?

The creation of new coins is called “mining” and involves large amounts of computer processing, and this increases as more currency is created. For Bitcoin, the effort involved in making new currency means very few can manage it.

But, if you could somehow spread that computer processing demand out among thousands or even millions of unknowing users’ computers, it would make mining a lot cheaper and possibly quicker.

This is exactly what some websites are doing. They use your CPU to mine cryptocurrencies like Bitcoin without your knowledge.

This can happen to you simply from visiting a website that uses JavaScript to start using your CPU for processing.

There are other methods but this is the most common and can be avoided if your browser has JavaScript disabled – but that will also block the functionality on some popular websites.

How to know if this has happened to your computer?

It’s not easy to identify unless your PC is suddenly very very slow and the CPU seems extremely busy while doing nothing.

Some websites can quietly use your CPU to mine cryptocurrency and they limit the effect on your work, so you wouldn’t know unless you went out of your way to find out.

On a Windows PC you can press CTRL, ALT and DELETE at the same time, then select Task Manager and see the CPU utilisation levels.

But if in doubt, the easiest remedy is to reboot your computer.
