WordPress Plugin CCTM Compromised

A WordPress plugin called Custom Content Type Manager has been revealed to contain a backdoor which its owner was using to access core files and steal user credentials. The plugin has been installed on over 10,000 sites in the three years it has been available, offering services for creating custom post types.

However, in the past month the plugin abruptly changed owner and released a new version, after having had no updates for the previous ten months. This new version was riddled with problematic changes, including an auto-update.php file, which could download files from the new owner’s server onto the infiltrated website, and a CCTM_Communicator.php file, which alerted the owner’s server whenever a new site had been compromised.

The plugin gathered information on the infected site, recorded encrypted usernames and passwords, and sent the data to the core server, giving the owner full access as administrator to any of the infiltrated websites.

Those who have installed this plugin are advised to remove it immediately, downgrade core files to the standard version, and either get rid of the CCTM plugin entirely or use the last confirmed stable version (0.9.8.6). Even if you installed the plugin at some point and never updated it yourself, it may have been updated automatically to this malicious version.
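An added triage script (not code from the original post or from the CCTM project) that checks an installed plugin directory for the two file names named above and for a version past 0.9.8.6. It assumes the version is in the standard WordPress `Version:` plugin header of an assumed main file, index.php; the plugin tree in `demo()` is constructed.

```python
"""Triage an installed copy of Custom Content Type Manager (CCTM).

Added example, not code from the original post or the CCTM project. Assumes the
plugin directory carries the standard WordPress 'Version:' header in an assumed
main file (index.php); adjust that name if the real plugin differs.
"""
import os
import re
import tempfile

LAST_GOOD_VERSION = "0.9.8.6"   # last confirmed stable version named in the post
# Files the post attributes to the malicious release.
SUSPECT_FILES = {"auto-update.php", "CCTM_Communicator.php"}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def version_tuple(text):
    """'0.9.8.6' -> (0, 9, 8, 6) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in text.strip(".").split("."))

def parse_version(header_text):
    """Return the version tuple from a plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return version_tuple(m.group(1)) if m else None

def triage_plugin_dir(plugin_dir, main_file="index.php"):
    """Report suspect files and whether the version is past the last good one."""
    findings = {"suspect_files": [], "version": None, "newer_than_last_good": False}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if name in SUSPECT_FILES:
                findings["suspect_files"].append(
                    os.path.relpath(os.path.join(root, name), plugin_dir))
    header = os.path.join(plugin_dir, main_file)
    if os.path.isfile(header):
        with open(header, encoding="utf-8", errors="replace") as fh:
            findings["version"] = parse_version(fh.read(4096))
    if findings["version"] and findings["version"] > version_tuple(LAST_GOOD_VERSION):
        findings["newer_than_last_good"] = True
    findings["remove_recommended"] = bool(findings["suspect_files"]) or findings["newer_than_last_good"]
    return findings

def demo():
    """Triage a constructed plugin tree shaped like the malicious release."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = os.path.join(tmp, "custom-content-type-manager")
        os.makedirs(os.path.join(plugin, "includes"))
        with open(os.path.join(plugin, "index.php"), "w") as fh:
            # Constructed version number, chosen only to be above LAST_GOOD_VERSION.
            fh.write("<?php\n/*\nPlugin Name: Custom Content Type Manager\nVersion: 0.9.8.8\n*/\n")
        open(os.path.join(plugin, "includes", "CCTM_Communicator.php"), "w").close()
        return triage_plugin_dir(plugin)
```

Point `triage_plugin_dir` at the real `wp-content/plugins/custom-content-type-manager` directory; a `remove_recommended` result of `True` means the post's removal advice applies.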

DDoS Attacks and How to Prevent Them

DDoS attacks (distributed denial of service) occur when a targeted system’s resources or bandwidth are flooded with such a volume of traffic that the system is unable to handle it and shuts down. Most of the time these attacks are a calculated effort to overwhelm the target using many compromised systems at once.

Is this something you need to worry about? Here are some stats: one third of all downtimes can be traced to a DDoS attack, a week-long DDoS attack can cost less than $200 on the black market, and every day more than two thousand attacks take place.

These attacks work through a network of compromised computers whose owners do not even know that their machines are being controlled remotely. Such a network (called a botnet) can be made up of thousands to millions of machines. Once directed at a single target, it generates a huge flood of traffic to overwhelm and incapacitate the system.

It is important to realize that every site is at risk and is vulnerable. The attacks can be random, and it is far better to be well prepared than caught off guard. Make sure your applications, supporting services, and DNS are all up to date. The common weak spots in corporate networks are the server, the internet pipe, and the firewall. It is helpful to already have an existing line of communication with your internet service provider so that in an emergency, contacting them is one less thing to worry about.

It can take some time to realize that your system is under attack and not just experiencing a failing server or application. Knowing what your normal query load is will help alert you to the presence of an attack. BIND’s built-in statistics support, for example, keeps a record of query statistics for later review. Getting an idea of what is normal is important.

One of the most basic ways to prevent attacks is by overprovisioning your bandwidth. This is fairly inexpensive and helps you to accommodate sudden surges in traffic. This will not completely prevent DDoS attacks, but will give you a few extra minutes.

From there, rate limit your router, which will stop your web server from being overwhelmed. Use filters so that your router knows to drop packets from obvious attack sources. Set your timeouts to shut down half-open connections at a more aggressive pace. All these things will gain you time while you contact your internet provider. Their strategy usually involves black-holing your traffic for a while, so that the DDoS does not consume bandwidth and affect other customers on the server. Then the provider is able to stop the attacking traffic from reaching the network, divert the traffic elsewhere so that your site can get back online, and then identify malicious packets for a mitigation specialist to take care of.

It is best to have a plan already set before the action is needed. Talk to your provider about their strategies and ask for their advice for your particular site.
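As an added example (not code from the original post) of the "know what is normal" advice above, this script builds a per-minute request baseline from known-quiet minutes, flags minutes that exceed it, and lists the hosts dominating each flagged minute, which is the information a router filter or your provider would need. It assumes Apache/nginx combined-log style lines; the sample log lines are constructed.

```python
"""Flag traffic floods against a known-normal per-minute baseline.

Added example, not code from the original post. Assumes combined-log style
lines ('ip - - [time] ...'); the sample lines in build_sample_log are constructed.
"""
import re
from collections import Counter, defaultdict
from statistics import mean

# Capture the source IP and the timestamp truncated to the minute.
LINE_RE = re.compile(r"^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]*\]")


def per_minute(lines):
    """Map each minute bucket to a Counter of source IPs seen in it."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            buckets[m.group(2)][m.group(1)] += 1
    return buckets

def flag_floods(buckets, baseline_minutes, factor=5.0):
    """Return [(minute, total, top 3 sources)] for minutes above factor x baseline.

    baseline_minutes are minute keys known to carry normal traffic; their mean
    request count is the 'what is normal' figure the post recommends establishing.
    """
    baseline = mean(sum(buckets[m].values()) for m in baseline_minutes)
    floods = []
    for minute in sorted(buckets):
        total = sum(buckets[minute].values())
        if minute not in baseline_minutes and total > baseline * factor:
            floods.append((minute, total, buckets[minute].most_common(3)))
    return floods

def build_sample_log():
    """Constructed log: three quiet minutes, then one minute flooded by three hosts."""
    lines = []
    for minute in ("10:00", "10:01", "10:02"):
        for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7", "198.51.100.8"):
            lines.append(f'{ip} - - [01/Mar/2016:{minute}:15 +0000] "GET / HTTP/1.1" 200 512')
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):      # flood sources
        for sec in range(20):
            lines.append(f'{ip} - - [01/Mar/2016:10:03:{sec:02d} +0000] "GET / HTTP/1.1" 200 512')
    lines.append('203.0.113.10 - - [01/Mar/2016:10:03:30 +0000] "GET / HTTP/1.1" 200 512')
    return lines

def detect_demo():
    """Use the first three minutes of the sample as the baseline and flag the rest."""
    buckets = per_minute(build_sample_log())
    return flag_floods(buckets, baseline_minutes=sorted(buckets)[:3])
```

In practice the baseline should come from a comparable period (the same hour on a normal day) rather than the minutes immediately before the spike, which may already be ramping up.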


Optimal Password Security

Creating a strong password is essential for basic website security, whether it is for your email, your bank, or your website’s account. This security step is one of the simplest ones to take toward optimal protection against hackers and viruses. Don’t put it off! Use this list of tips for strong passwords to double-check that your password can stand against a hacking program.

  • Your main strategy should be to create a unique combination of words, numbers, symbols, and upper-case and lower-case letters. This can sound initially unappealing as it will be harder for you to remember, but it will be worth it in how much harder it will be for a hacking program to break through.
  • Stay far away from obvious passwords such as “password,” “admin,” or “user.”
  • Never use your username as part of your password.
  • Adjacent keyboard combinations may seem creative (“qwerty” or “asdf”), but they are used almost as commonly as “password” etc. and are simple to hack.
  • Avoid using details that you assume are confidential, like a birth date, phone number, Social Security number, or anniversary.
  • Ideally, stay away from words found in the dictionary. Password-hacking tools usually come with dictionary lists to run thousands of words and passwords. If you do use a word found in the dictionary, be sure to add a number, symbol, punctuation, and/or capitalized letters.
  • Try using a string of words such as part of the refrain from your favorite song, the title of a book, or a phrase/idiom you find amusing. It will be easier to remember as well as harder to guess. The longer the password, the better.
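To make the tips above concrete, here is an added checker (not code from the original post) that tests a candidate password against each tip that can be evaluated mechanically; it also covers the common-password point made in the "Securing your WordPress site" post further down. Assumed thresholds: a 12-character minimum, and a passphrase of 16 or more characters is exempt from the character-class tip; the word list and common-password set are tiny constructed stand-ins for the lists a cracking tool ships with.

```python
"""Check a candidate password against the tips listed above.

Added example, not code from the original post. COMMON and DICTIONARY are tiny
constructed stand-ins for the stolen-password and dictionary lists a cracking tool
ships with. Assumed thresholds: MIN_LENGTH, and passphrases of PASSPHRASE_LENGTH
or more are exempt from the character-class tip.
"""
import re

MIN_LENGTH = 12
PASSPHRASE_LENGTH = 16
# Includes the three most common passwords of 2015 named in the WordPress post.
COMMON = {"password", "admin", "user", "123456", "12345", "qwerty", "asdf"}
DICTIONARY = {"password", "dragon", "monkey", "summer", "welcome", "football"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def has_keyboard_run(pw, length=4):
    """True if pw contains `length` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False

def check_password(pw, username=""):
    """Return the list of tips the password fails; an empty list means it passes."""
    low = pw.lower()
    # Number of character classes present: lower, upper, digit, symbol.
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if classes < 3 and len(pw) < PASSPHRASE_LENGTH:
        problems.append("mix letters, numbers, symbols and both cases")
    if low in COMMON:
        problems.append("obvious or commonly stolen password")
    if username and username.lower() in low:
        problems.append("contains the username")
    if has_keyboard_run(pw):
        problems.append("adjacent keyboard combination")
    if low in DICTIONARY and classes < 2:
        problems.append("bare dictionary word with nothing added")
    return problems
```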

After looking over these tips, understandably your first reaction might be that once you find a strong password, you will immediately forget it, and then what use will it be? Here are a few useful websites that help with just that problem.

KeePass is an open-source, free, lightweight tool for storing usernames, passwords, and other information you might need to remember. Everything is stored in an encrypted file, which is protected by a master password or a key file. That way you only have to remember one password in order to access all of them. The database is stored on the local file system. The program is primarily designed for Microsoft Windows, but can support other systems through an add-on.

Keychain is a password management system developed by Apple. It is synced via iCloud for iOS and OS X. Also free and open-sourced, it can store passwords, FTP servers, SSH accounts, network shares, wireless networks, groupware applications, private keys, certificates, and security notes. Additionally the service can help you generate unique passwords.

Password Vault Manager offers storage for passwords, credit card information, bank accounts, and other sensitive information. It is a paid service, but offers a free 30-day trial. The system uses an AES algorithm to keep all your information totally secure.

LastPass, as well as storing your passwords and sensitive information, offers automatic sign-ins for all of your online accounts from any location or device. You are the only person in possession of the master password, preventing even LastPass from accessing your information. It offers several different levels of security and features so that you can decide if your needs merit a free account, premium, or enterprise level.

Popular WordPress Plugins

Choosing a theme and plugins for your WordPress blog can be the fun part of setting up your site, but it can also be overwhelming with thousands of possible plugins available and new ones being developed every day. Here are some of the most popular and useful plugins we have found:

Yoast SEO works as a built-in editor to encourage and promote the best writing. It walks you through techniques for readable and consistent content by having you choose a focus keyword for each article as you write it and then making sure you continue to use the keyword throughout your writing. It goes on to show you examples of what your post will look like in search results, giving you an edge over the competition to increase rankings. The Page Analysis feature works as a final copy editor to check that your posts are the optimal length, that your images contain an alt tag with the focus keyword, and that the meta description also contains that keyword. All in all, this plugin optimizes your content for search engines.

For improving your webpage’s performance and speed, Zen Cache is designed to reduce download time, optimize progressive rendering, reduce the loading time for pages, and more. Search engine rankings will improve with the speed of your site.

BackupBuddy is a complete backup option that gives you reassurance that, in case of a catastrophe, you will not lose anything from your database, media library, theme files, and so on. Automated backups are easy to set up and quick to restore in an emergency.

A great plugin for easily adding nearly any type of online forms, from contact forms to surveys and user submitted posts, is Gravity Forms. It is very popular, in use on over one million WordPress sites.

Ultimate Branding promotes your logo, company name, and so forth across your network in place of any WordPress branding. It makes your site feel more unified and consistent. The best part is that this plugin does all the fussy work for you, so you won’t have to write a single line of code.

A helpful plugin for reducing spam is Akismet, which automatically catches comments that look like spam and allows you to review the filtered comments.

Envira Gallery is an aesthetically clean and pleasing plugin to create beautiful image galleries. If your site is photography related or tends to be picture heavy, this plugin simplifies the business with responsive design, fast loading, and stunning effects. It even offers a helpful free version, so you can try out some of the features right away.

Sucuri provides malware protection by blocking attacks, identifying spam, and preventing intrusions. It gives you real time alerts to keep you updated with any causes for concern. When it comes to website security, it is always better to be safer than sorry.

Another excellent way of tightening security on your site is Login Lockdown. This plugin limits the number of failed login attempts allowed before further attempts are blocked. This is helpful for deterring hack attempts, as most are focused on breaking your password by trying many combinations.

Securing your WordPress site, Part 1

Blogs have been an increasingly popular way of distributing information since their inception in the 1990s. They provide many benefits for promoting information, updates, and multimedia sources. Naturally, if you are looking to begin promoting your business, services, or your thoughts via a blog, you are going to want a secure, trusted method.

WordPress has been growing rampantly over the last couple years as a blogging platform. According to Google Trends, interest in WordPress from 2011 to present has been consistently twice that of other blogging sites. Its layout is understandable and has many options for customizing and personalizing. Clearly it is a trusted and effective platform to blog from.

While WordPress comes with security methods, there are steps you can take to improve the security of your blog and protect it from attacks. Most hackers are not willing to spend much time or effort in breaking into your site. They are looking to compromise your server and use it to email spam. An attack is most effectively deterred by making your site more than averagely inconvenient to the hacker.

For starters, avoid using “admin” as a username or part of your username. Most attacks target the username admin with a combination of passwords. Eliminate the first part and you will be protected from the majority of attacks. If you already have that username in use, changing this is fast and easy. Simply create a new user and give it administrator rights. Then delete the old “admin” user and assign past content to this new user so that nothing will be lost in the transition.

You have probably heard this hundreds of times, but it is worth hearing again: use a complex password. Consider this: the three most common passwords of 2015 are “123456,” “password,” and “12345.” Be ahead of the curve and pick a password that is not on SplashData’s annual list of stolen passwords!

Change the table prefix from wp_ to something obscure like nho509b_ to make it less accessible to hackers and harder to guess. This might sound complicated to the less tech-savvy, but it can be as easy as a five-minute fix. If you are just now setting up your blog, the customization option will be available during set-up under the database details. Simply change the default setting.

Keep up with updates. WordPress is constantly striving to provide a better blogging platform for your needs. Each new version has updated security methods to address holes found in previous editions. Updated versions are released biannually, with more minor updates released following the two major versions.

These steps are a good place to begin, but for the best security, you will want a quality hosting company. Nearly half of hacking attempts are due to faulty hosting platforms. If you are using a shared hosting platform, make sure it offers account isolation. This extra layer of protection prevents one account from overloading the server and affecting your website.

We will soon be posting a more advanced article outlining additional steps you can take to secure your WordPress site, so stay tuned!

ASPnix – US-EU Safe Harbor certified

Denver, CO, USA

As of December 7th, 2011, ASPnix – an Anaxa Company is U.S.-EU & U.S.-Swiss Safe Harbor Certified by the US Department of Commerce. We take the privacy of all our customers very seriously. You can view our company information on the export.gov website:

http://safeharbor.export.gov/companyinfo.aspx?id=13780

What is U.S.-EU & U.S.-Swiss Safe Harbor?

From the Safe Harbor website:

The European Commission’s Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.

In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a “Safe Harbor” framework and this website to provide the information an organization should need to evaluate – and then join – the U.S.-EU Safe Harbor program.

Similarly, the U.S. Department of Commerce in consultation with the Federal Data Protection and Information Commissioner of Switzerland developed a “Safe Harbor” framework to bridge the differences between the two countries’ privacy approaches and provide a streamlined means for U.S. organizations to comply with the Swiss data protection law. This website also provides the information an organization should need to evaluate – and then join – the U.S.-Swiss Safe Harbor program.
