Tuesday, February 11, 2020

5 Common WordPress Security Issues



2020: HAS AN ONTARIO CAS USED AN ONLINE CMS LIKE WORDPRESS TO STORE DOCUMENTS WITH YOUR FAMILY'S PERSONAL CONFIDENTIAL INFORMATION UNENCRYPTED WITHOUT TAKING ANY REASONABLE PRECAUTIONS TO PROTECT IT?

Content management system: A content management system is a software application that can be used to manage the creation and modification of digital content. CMSs are typically used for enterprise content management and web content management. Wikipedia

Is WordPress database encrypted?

The data will be stored encrypted but decryption is transparent when accessing so there's nothing to do on the wordpress end.

https://wordpress.org/support/topic/how-can-i-encrypt-user-data-in-database/

84% of all security vulnerabilities on the entire internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins. Nov 6, 2019.

https://torquemag.io/2016/03/wordpress-sites-hacked/

How WordPress Sites Get Hacked (And What to Do About It)

5 Common WordPress Security Issues

If you own a WordPress-powered website or are considering using WordPress as your CMS, you may be concerned about potential WordPress security issues. In this post, we’ll outline a few of the most common WordPress security vulnerabilities, along with steps you can take to secure and protect your WordPress site.

Is WordPress Secure?

The answer to the question “is WordPress secure?” is it depends. WordPress itself is very secure as long as WordPress security best practices are followed.

According to the latest usage of content management systems data from W3Techs, WordPress powers 34% of all websites. So WordPress security vulnerabilities are inevitable because not all users are careful, thorough, or security conscious with their websites. If a hacker can find a way into one of the hundreds of millions of WordPress websites on the web, they can scan for other websites that are also running insecure setups of old or insecure versions of WordPress and hack those too.

WordPress runs on open source code and has a team specifically devoted to finding, identifying and fixing WordPress security issues that arise in the core code. As security vulnerabilities are disclosed, fixes are immediately pushed out to patch any new security issues discovered in WordPress. That’s why keeping WordPress updated to the latest version is incredibly important to the overall security of your website.

It’s important to note that WordPress security vulnerabilities extend beyond WordPress core into the themes or plugins you install on your site. According to a recent report by wpvulndb.com, of the 2,837 known WordPress security vulnerabilities in their database:

75% are from WordPress plugins
14% are from core WordPress
11% are from WordPress themes

ALLEGED 2016 CAS HACKER DECISION DELAYED TO MAY 2020.

READ THE COMPLETE TRIAL TRANSCRIPT HERE:

https://www.kelleyandderek.com/

THE FINAL DEFENSE SUBMISSIONS HERE.

Part One: https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244397172436711/

Part Two: https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244397722436656/

Part Three:
https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244398162436612/

Part Four:
https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244398895769872/

:::

5 Common WordPress Security Issues

The most common WordPress security issues occur before or just after your site has been compromised. The goal of a hack is to gain unauthorized access to your WordPress site at an administrator level, either from the frontend (your WordPress dashboard) or on the server side (by inserting scripts or malicious files).

Here are the 5 most common WordPress security issues you should know about:

1. Brute Force Attacks

WordPress brute force attacks refer to the trial and error method of entering multiple username and password combinations over and over until a successful combination is discovered. The brute force attack method exploits the simplest way to get access to your website: your WordPress login page.

WordPress, by default, doesn’t limit login attempts, so bots can attack your WordPress login page using the brute force attack method. Even if a brute force attack is unsuccessful, it can still wreak havoc on your server, as login attempts can overload your system and slow down your site. While you’re under a brute force attack, some hosts may suspend your account, especially if you’re on a shared hosting plan, due to system overloads.
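One way to spot the login-page brute forcing described above in a web server access log, as an added example that is not part of the original article: it counts POST requests to wp-login.php per client inside a sliding time window. The log lines are constructed, the threshold and window are illustrative, and treating a 302 response as a successful login is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log line: client IP, timestamp, request, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, time, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    path = m["path"].split("?", 1)[0]  # ignore the query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that POST to wp-login.php at least `threshold` times per window.

    Returns {ip: {"peak": most attempts seen in one window,
                  "success_after_burst": True if a 302 followed the burst}}.
    Entries for each client must be in time order, as they are in a real log.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole scan
        ip, ts, method, path, status = parsed
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= threshold:
            entry = findings.setdefault(ip, {"peak": 0, "success_after_burst": False})
            entry["peak"] = max(entry["peak"], len(attempts))
        # Assumption: WordPress answers a failed login with 200 (the form again)
        # and a successful one with a 302 redirect.
        if ip in findings and status == 302:
            findings[ip]["success_after_burst"] = True
    return findings


def make_line(ip, hhmmss, method, path, status):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [11/Feb/2020:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1234 "-" "constructed-agent"')


SAMPLE_LINES = (
    # Slow, spread-out attempts: five POSTs, but never five within 60 seconds.
    [make_line("192.0.2.44", f"10:0{m}:00", "POST", "/wp-login.php", 200)
     for m in (0, 2, 4, 6, 8)]
    # Burst: six failed logins in six seconds, then a redirect.
    + [make_line("203.0.113.7", f"10:00:0{s}", "POST", "/wp-login.php", 200)
       for s in range(1, 7)]
    + [make_line("203.0.113.7", "10:00:07", "POST", "/wp-login.php", 302)]
    # Ordinary user: loads the form once and logs in once.
    + [make_line("198.51.100.20", "10:00:02", "GET", "/wp-login.php", 200),
       make_line("198.51.100.20", "10:00:03", "POST", "/wp-login.php", 302),
       "this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LINES).items():
        print(ip, info)
```

A burst followed by a 302 is the case to investigate first, because it suggests one of the guesses worked.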

2. File Inclusion Exploits

After brute-force attacks, vulnerabilities in your WordPress website’s PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.)

File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website’s wp-config.php file, one of the most important files in your WordPress installation.

3. SQL Injections

Your WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.

With an SQL injection, an attacker may be able to create a new admin-level user account which can then be used to login and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.

4. Cross-Site Scripting (XSS)

84% of all security vulnerabilities on the entire internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.

The basic mechanism of Cross-Site Scripting works like this: an attacker finds a way to get a victim to load web pages with insecure JavaScript scripts. These scripts load without the knowledge of the visitor and are then used to steal data from their browsers. An example of a Cross-Site Scripting attack would be a hijacked form that appears to reside on your website. If a user inputs data into that form, that data would be stolen.

5. Malware

Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website’s files, so if you suspect malware on your site, take a look at recently changed files.

Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them. The four most common WordPress malware infections are:

Backdoors
Drive-by downloads
Pharma hacks
Malicious redirects

Each of these types of malware can be easily identified and cleaned up either by manually removing the malicious file, installing a fresh version of WordPress or by restoring your WordPress site from a previous, non-infected backup.

What Makes Your WordPress Site Vulnerable to WordPress Security Issues?

Several factors can make your WordPress site more vulnerable to successful attacks.

1. Weak Passwords

Using a weak password is one of the biggest security vulnerabilities you can easily avoid. Your WordPress admin password should be strong and include multiple types of characters, symbols or numbers. In addition, your password should be specific to your WordPress site and not used anywhere else.

Curious if your password has been compromised? The iThemes Security plugin checks if your password has appeared in a data breach. A data breach is typically a list of usernames, passwords and often other personal data that was exposed after a site was compromised. With the Refuse Compromised Passwords setting, you can refuse compromised passwords and force users to use passwords which do not appear in any password breaches tracked by the Have I Been Pwned API.

2. Not Updating WordPress, Plugins or Themes

Simply put: You’re at risk for an attack if you are running outdated versions of WordPress, plugins and themes on your website. Version updates often include patches for security issues in the code, so it’s important to always run the latest version of all software installed on your WordPress website.

Updates will appear in your WordPress dashboard as soon as they’re available. Make a practice of running a backup and then running all available updates every time you login to your WordPress site. While the task of running updates may seem inconvenient or tiresome, it’s an important WordPress security best practice.

If you manage more than one WordPress website, you can use a time-saving tool like iThemes Sync Pro to better manage updates. Instead of logging in to each individual site, it gives you one dashboard to manage updates for multiple WordPress sites from one place.

3. Using Plugins and Themes from Untrustworthy Sources

Poorly-written, insecure, or outdated code is one of the most common ways attackers can exploit your WordPress website. Since plugins and themes are potential sources of security vulnerabilities, as a security best practice, only download and install WordPress plugins and themes from reputable sources, such as from the WordPress.org repository, or from premium companies that have been in business for a while. Also, avoid bootleg or torrented “free” versions of premium themes and plugins, as the files may have been altered to contain malware. The cost of these “free” plugins and themes can come at the expense of your site’s security.

4. Using Poor-Quality or Shared Hosting

Since the server where your WordPress website resides is a target for attackers, using poor-quality or shared hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites on the server-level.

Shared hosting can also be a concern because multiple websites are stored on a single server. If one website is hacked, attackers may also gain access to other websites and their data. While using a VPS, or virtual private server, is more expensive, it assures your website is stored on its own server.

8 Actions You Can Take Today to Protect Your WordPress Site

1. Use a strong password for every online account.

If you’re currently using a password that contains fewer than 6 characters, change it now. If you’re currently using a password on more than one login, change it now. If you’ve had the same password for more than six months, change it now. If you’re reusing a password for multiple online accounts, change it now.

Start practicing good WordPress password security, especially if you’re an admin user. To make password management easier, use a password manager such as LastPass.

2. Install a WordPress security plugin.

Using a WordPress security plugin is a great way to take care of additional security measures on your WordPress website. iThemes Security offers a one-click WordPress security check that activates the most important and recommended WordPress security settings. A good WordPress security plugin can handle the more technical aspects of your site’s security, so you don’t have to be a security expert to use one.

Check out iThemes Security for 30+ ways to secure your site in one easy-to-use plugin. With iThemes Security, you can also monitor your site’s security activity with a real-time WordPress security dashboard.

3. Enable WordPress two-factor authentication.

Two-factor authentication adds an extra layer of protection to your WordPress login. In addition to your password, an additional time-sensitive code is required from another device such as your smartphone, in order to login. Two-factor authentication is one of the best ways to lock down your WordPress login and nearly completely minimizes the potential of successful brute force attacks.

Use the iThemes Security Pro plugin to activate WordPress two-factor authentication.

4. Keep your WordPress site updated.

Again: keeping your WordPress site updated is one of the best ways you can avoid potential WordPress security issues. Login to your WordPress site now and run any available updates for WordPress core, your themes or plugins. If you’re using premium WordPress plugins or themes, make sure you have a current license to ensure you’re getting updates and not running outdated versions.

Use iThemes Sync Pro to manage multiple WordPress sites from one central dashboard. Try it out free for 30 days here.

5. Set up proper permissions on your server.

Ensure proper permissions are set on all directories on your server. Proper permissions dictate who has permission to read files, create and edit files.

See the status of your WordPress file permissions with iThemes Security Pro.
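A small audit of a WordPress directory tree, as an added example that is not part of the original article or of any plugin it mentions: it covers the permissions advice in this step and the earlier advice to look at recently changed files when malware is suspected. The checks chosen (world-writable entries, a wp-config.php readable by other users, PHP files modified in the last 7 days) and the sample tree built in `demo()` are assumptions made for illustration.

```python
import os
import stat
import tempfile
import time


def audit_wordpress_tree(root, recent_days=7, now=None):
    """Return (permission_findings, recently_changed_php) for the tree under root.

    permission_findings: sorted list of (relative path, octal mode, reason).
    recently_changed_php: sorted list of .php files modified within recent_days.
    """
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    perm_findings, recent_php = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: judge the entry itself, not a link target
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Any local account, including another site on shared hosting,
                # could modify or plant files here.
                perm_findings.append((rel, oct(mode), "world-writable"))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                perm_findings.append(
                    (rel, oct(mode), "wp-config.php readable by other users"))
            if (stat.S_ISREG(st.st_mode) and name.endswith(".php")
                    and st.st_mtime >= cutoff):
                recent_php.append(rel)
    return sorted(perm_findings), sorted(recent_php)


def demo():
    """Build a constructed WordPress-like tree in a temp directory and audit it."""
    now = time.time()
    # relative path -> (mode, age in days); all names and contents are sample data
    files = {
        "wp-config.php": (0o644, 30),
        "index.php": (0o644, 30),
        "wp-content/plugins/demo/demo.php": (0o644, 30),
        "wp-includes/cache-helper.php": (0o644, 0),  # modified "today"
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (mode, age_days) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed sample file\n")
            os.chmod(path, mode)
            os.utime(path, (now - age_days * 86400,) * 2)
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        # Set directory modes explicitly so the result does not depend on umask.
        for dirpath, dirnames, _ in os.walk(root):
            for d in dirnames:
                os.chmod(os.path.join(dirpath, d), 0o755)
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
        return audit_wordpress_tree(root, recent_days=7, now=now)


if __name__ == "__main__":
    perms, recent = demo()
    for rel, mode, reason in perms:
        print(f"PERMISSION  {mode}  {rel}: {reason}")
    for rel in recent:
        print(f"RECENT      {rel}")
```

A recently changed PHP file is only a lead: compare it against a clean copy or a backup before deciding it is malicious, since updates also change files.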

6. Run scheduled malware scans.

Keep tabs on potential malware infections with scheduled malware scans. Most services, like the malware scan offered in the iThemes Security Pro plugin, give you a report on your website’s malware status along with several other blacklisting statuses.

Use the WordPress malware scan feature in iThemes Security Pro.

7. Have a reliable WordPress backup plan.

Having a WordPress backup plan is an important component of your WordPress security strategy. Set up scheduled backups to run and make sure you’re sending your backups safely off-site to a secure, remote WordPress backup location. Also, make sure your backup strategy has a restore component in case you need to restore your site from a clean backup.

Use the WordPress backup plugin BackupBuddy for real-time WordPress backups.

8. Activate WordPress Brute Force Protection.

Protecting yourself from brute force attacks is another way to reduce any potential vulnerabilities or server overloads. Use a service that includes both local and network brute force protection to ban users who have tried to break into other sites from also breaking into yours.

Tip: Use iThemes Security Pro’s WordPress brute force protection.

While security issues for WordPress do exist, most can be avoided with WordPress security best practices and an awareness of the potential security risks. Armed with knowledge and strategies to protect your WordPress site, you can greatly minimize your vulnerability to hacks and keep your WordPress site safe and secure.

A trusted WordPress security plugin like iThemes Security Pro can help secure and protect your WordPress website. With 30+ ways to lock down your site, iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials.

https://ithemes.com/wordpress-security-issues/

2019: 5 INDISPENSABLE TIPS TO KEEP YOUR BUSINESS SECURE ONLINE

Regardless of the size of your business, you will need to take the necessary steps to ensure its safety and security online. The consequences related to a lapse in security or data breaches can break businesses in the long run.

Consider the fact that all associated stakeholders will lose faith in such a business, for which reason it is even more important to keep your business secure online at all costs. If you are looking for ways to make this possible, the following five tips will do just that.

Stay Clear from Malware

Just like you would never want to leave the backdoor to your home unlocked at night, you will not want to leave your business open to cybercriminals. To make this possible, you will need to secure every computer.

Malware is designed to damage or infiltrate a network PC without your consent or knowledge. To protect your business from malware of any kind, here is what you will need to do:

Turn on the onboard firewall on your router. It is not entirely enough to deal with malware, but it will act as your first line of defense.

Get the best security software programs for all your PCs. It would be best if you spent more than expected, but it will be worth every penny.

Employ good security that will automatically adjust itself according to the device being used. The level of protection should change depending on whether or not they are in the office.

Get antispam protection to get rid of unwanted email. It will block distractions and risks for employees, all the while preventing malware from getting into systems.

Tackle Social Media Effectively

In this day and age, the importance of social media cannot be denied. It is here to stay, so you will need to empower your employees regarding guidelines and the best practices they need to adhere to while using social media platforms.

Instead of just anyone, assign an individual or individuals that will speak for your business. Make them responsible for writing about external and internal events.

In your security policy, do not forget to include social media sites like LinkedIn, Twitter, Facebook, and others. The non-disclosure agreement will ensure that confidential information remains intact.

While using any social media platform, be smart:

Only publish the information you are confident about.

No matter what you have in mind, always prepare for the worst, it will save you from many problems later on.

To expand your contact list, don’t just add anyone. Only add people you trust.

Avoid clicking on links from unknown contacts.

Ensure Usage of Strong Passwords

Passwords are vital for business networks, as they prevent unauthorized access to your data. To decrease the chances of success for hackers, cybercriminals and third party agencies, use stronger passwords by incorporating more characters and keystrokes.

Use passwords with a minimum of eight characters, including numbers. This will stop simple attacks dead in their tracks. However, do not stop there; request password changes frequently. To ensure employees are changing their password more often than not, time out old passwords.

It is important to note that your employees may even need to be educated about some malpractices while dealing with passwords. Discourage them from writing down passwords, or using guessable passwords that could put your business at high risk.

Be Critical about Internet Security

The latest security threats can be dealt with using top-notch security solutions. Your employees will not think about security nor will they restrict themselves from accessing the internet or the network. To make things easier for them, make security transparent and automate updates.

Apart from providing a guideline for web use, adopt solutions that prevent unacceptable use. One way of making this possible is by using URL filtering to block unproductive or risky sites.

Develop a BYOD Plan

Employees bringing their own devices to work (BYOD) can also put your business at risk. To handle BYOD risks, you will need to develop a BYOD plan. It will serve as a safety net against mobile system costs and legal repercussions. You will need to draft a customizable, clear and comprehensive BYOD policy that covers subjects like location tracking, internet monitoring issues, and data deletion.

To lessen probable pitfalls, anticipate employee usage of mobile devices. Mobile device management solutions and virtualization are effective in controlling access and network bandwidth for employees.

Most businesses adopt the BYOD trend to increase overall productivity, but very few take the time to assess whether the trend is worth their investment. Keeping this in mind, you will have to monitor your use of BYOD to prevent future device security lapses and justify its deployment.

These are just a few of many ways you can go about ensuring your business is secure online. If you want to take things up a notch, you should also consider getting a Business VPN.

With the help of a business VPN, employees can be given new IP addresses, thus masking their original ones. Since their internet traffic will be hidden and encrypted, it is highly unlikely they will be compromised or attacked. At the same time, they will not have to worry about private and confidential information being monitored or recorded by surveillance agencies, or even ISPs for that matter.

Of course, there is more to online security for businesses than meets the eye. What is important is that companies realize that they will need to adapt if they wish to survive. These days, the measure of success for a business is based on factors like internet security, client confidentiality and so on. Believe it or not, it could also give companies the edge they need to stay ahead of their competition.

Remember, all of this will only work if you take the lead. Lead by example so that others follow you without hesitation. Don’t be the reckless one, and if you do come across a way that will improve the overall online security of your business, be sure to let other people know as well. ELISA COLLINS.

Elisa Collins is a tech professional who loves to write on cyber-security related topics. She is currently associated with Ivacy.com as a content strategist and digital content production head.

https://www.colocationamerica.com/blog/5-tips-for-a-secure-business

:::

NINETY PERCENT OF WEBSITES VULNERABLE TO ATTACK

According to findings from deep website scans by DOSarrest Internet Security's Vulnerability Testing and Optimisation (VTO) service, ninety percent of websites are vulnerable to attack.

Further findings include that 95 per cent of the flaws could cause information leakage due to outdated software versions and installed modules, while 71 per cent could allow sensitive information disclosure. More cross-site request forgery (CSRF) flaws (67 per cent) were found in scans of websites than cross-site scripting (28 per cent) and SQL Injection vulnerabilities (22 per cent).

How Hackers Attack Your Devices When They’re Off the Office Network

Today’s generation is plagued with cybercrimes which are happening day by day. Hackers are discovering new vulnerabilities in networks and exploiting them to their advantage. In the past year alone, 3-billion Yahoo accounts were hacked which has been recorded as the biggest attack on a company ever.

Worse, hackers do not care about the size or worth of a business. Their main aim is to gain an advantage such as earn money or get private information. When you’re off the office network, breaches could occur in some ways.

1. Phishing

Phishing is whereby cybercriminals pose as legitimate entities with the sole aim of gaining your trust and thereby giving them access to your private account or personal data. Such attacks come in the form of emails, telephone calls or even texts.

These attacks aim to get you to provide usernames, passwords or credit card information, or to install viruses. For example, you could receive an email update from someone posing as your company’s IT officer informing you that your office login credentials have been hacked and they need to be changed.

You unknowingly then open the link and give your old password and new password. The cybercriminal on the other end uses the old credentials to log in to your office servers and steal data.

The email may contain a link that directs you to a page where you may download a virus into your computer. The virus then starts collecting data from your computer and sends it back to the hacker.

It is, therefore, safer to be cautious especially with links and emails that require you to provide personal information or login keys. Look for spelling or grammatical errors in email addresses. For example, they may use an address such as admin@gmall.com instead of admin@gmail.com.

The l in the phishing email’s Gmall is very similar to the actual ‘i’ in Gmail which may be confusing to many and people would probably shrug it off as a minor mistake. It is therefore essential to take time and assess the situation before providing personal data or downloading anything from suspicious links.
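A check for the gmall.com versus gmail.com trick described above, as an added example that is not part of the original article: it compares a sender's domain against a list of domains you trust, using a visual "skeleton" and an edit distance. The confusable-character set is a small illustrative assumption, and every domain other than the two from the text is constructed.

```python
def levenshtein(a, b):
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Characters that look alike in many fonts are folded to one form before
# comparing. Assumption: a short illustrative set, not a complete table.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})


def skeleton(domain):
    """Reduce a domain to how it roughly looks: 'rn' reads as 'm', 'i'/'1' as 'l'."""
    return domain.lower().replace("rn", "m").translate(CONFUSABLE)


def classify_sender(address, trusted_domains, max_distance=1):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted_domains:
        return ("trusted", domain)
    for good in trusted_domains:
        # Same appearance but different spelling: the gmall.com case.
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)
        # One typo away: a dropped, added or swapped character.
        if levenshtein(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


# gmail.com is from the text; example-bank.com is a constructed placeholder.
TRUSTED = ("gmail.com", "example-bank.com")

if __name__ == "__main__":
    for sender in ("admin@gmail.com", "admin@gmall.com", "it@grnail.com",
                   "alerts@example-bank.co", "bob@university.example"):
        print(sender, classify_sender(sender, TRUSTED))
```

"unknown" only means the domain resembles nothing on the trusted list; it says nothing about whether the sender is safe.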

2. Malicious Mobile Apps

For most people, it is a common belief that any application in the Play Store or App Store is safe and legitimate. However, this is not the case, as an application could contain lines of code that may put your device at risk of exploitation.

These apps may contain lines of code that are malware in the real sense. Furthermore, these apps may request unnecessary permissions to access and extract contact information, personal private media, emails, messages, and stored passwords.

The Permissions Which Can Be Exploited by a Hacker Include:

Account Access

An app with access to your accounts has access to your contacts and email addresses. The hacker receiving this data could use it to exploit your friends’ trust in you. They could send an email using your account for phishing purposes.

SMS Access

The app can use your SMS for phishing attempts or sending personal information to the hackers.

Microphone Access

An app with microphone access can exploit and use the microphone to record private conversations. A hacker could access your conversation with maybe your bank agent or CTO. This is also a common way in which trade secrets are stolen.

Device Administrator Capabilities Access

Apps requesting to be given administrator privileges are apps that work at the core of the phone. If a hacker could exploit these privileges, they can track and follow your movements in real time.

They would, of course, have the ability to lock and erase your phone or hold the phone for ransom remotely.

To stay safe, it is then advisable to carefully scrutinize app permissions before downloading them, checking comments about applications, avoiding third-party app providers or even cracked applications.

3. Malware

Malware is commonly defined as software that is malicious and is built for the sole purpose of compromising a system and stealing the information available in the system.

This malicious software can access private data, modify the core functionality of the system and also track the user’s activities. It is more like someone watching you without your knowledge.

Access to your system may be gained when you download and run pirated software or when you use operating systems which have not been updated to the latest version.

The Main Types of Malware Include:

Trojans

Trojans create access points; backdoors to systems, which are used by the hacker to access your system for exploitation. It is commonly included in legitimate software which has been compromised.

Viruses

Viruses have for a long time been known to have the ability to modify systems, replicate and destroy data.

Spyware

Spyware is software which runs on your system’s background and can monitor every action you take using your microphone, webcam, or track actions on websites.

Ransomware

Ransomware is a type of malware from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.

Keyloggers

These are spyware whose primary purpose is to record and send keystrokes to hackers. These keystrokes are usually passwords, credit card information or even chats.

The keylogger records the times you use a specific combination of keywords and a hacker with this information could easily access your accounts.

The best way to counter such attempts would be the use of a legitimate premium anti-virus software. It would also help if you would steer clear of pirated software and avoid clicking on fake anti-virus popups in websites.

4. Insecure networks

Connecting your device to public free or unknown networks may expose you to hacking attempts. With today’s advancement in technology, it would be impossible to find a place without WIFI connections. Even restrooms have free WIFI. Hackers use these networks to connect to your digital devices and access data.

They could also use these networks to control and change legitimate websites you know and use. You could be thinking that you are checking your bank account balance on your bank’s website, but in the real sense, you could just be typing your password on a hacker’s screen.

With available online programs, a hacker could also hack your home network and expose your files. Worse, they could destroy your home. This is possible due to today’s Internet of Things (IoT) whereby every home appliance is connected to the same network.

To be safe, it is wise to create strong passwords for your home network and install firewalls to prevent external access. It would also be wise to avoid free and open WIFI networks.

When in public places like hotels and cafes, it is wise to inquire from staff on which network is legitimate. It is also best if you avoid doing online transactions in such networks. If possible, use the network for minimal browsing.

5. Physical security threats

Threats to your data do not occur only through remote means; they could even come from having physical contact with other people. This happens when people physically access your devices such as laptops, mobile phones or even hard drives.

It would be wise to consider physical threats as a probable attack. Many people often underestimate the probability of physical attacks occurring and affecting them. Protecting your devices should not be an option.

It is one of the easiest ways in which hackers access data. All they need is your laptop and voila!

They have every bit of information you ever recorded on your computer.

This physical access could occur anywhere and at any time. For instance, in your workplace, at home, when you're walking; there is no limit.

Leaving your devices unattended would also be a good chance for a hacker to access them.

It is, therefore, best to be careful when recording and storing sensitive data. Using encryption is also a good idea. The best option is to avoid storing data on physical devices and instead store this data on the cloud or secured servers.

6. Smishing

This is a form of hacking attempt in which the hacker poses as a legitimate institution or person and gains access to sensitive data either through SMS or telephone calls. You have probably received a call from an unknown number asking you for secure bank details for reasons such as security updates. Most of such requests, if not all, are smishing attacks.

Smishing takes advantage of social engineering to get you to share private data. The primary goal is to have the hackers gain your trust. Messages may come in the form of limited offer links which, when clicked, download malware onto your device, hence giving access to the hacker.

To avoid such vulnerabilities, examine the legitimacy of SMS before clicking the links they carry. It is also best if you never share any private information on calls or SMS.

Basic security methods mentioned above can protect some amount of attack from hackers, but the best way would be to have a good security firm and data protection experts do the work for you.

It is worth noting that every second a hacker is trying to access your personal information and you should protect it in every way possible.

:::

Here are the top 5 reasons for which you shouldn’t opt for a WordPress site if you're part of a government-funded multi-billion dollar private corporation with a legal obligation to protect client information:

Website builders are a perfect solution for - individuals and small businesses - to start a website without hiring a developer. However, finding the best website builder can be tricky for beginners.

WordPress is an open source software. It is free in the sense of freedom not in the sense of free beer. ... Open source software comes with the freedom for you to use, modify, build upon, and redistribute the software in any way you like without paying any fees.

What are the disadvantages of using WordPress?

WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide. (Talk about putting children and clients at risk...)

Disadvantages of A WordPress Website.

Without a doubt, WordPress is the most used Content management system (CMS) in the world. With millions of users, it is widely praised and appreciated for its advantages. But, while the hype is still strong, many people overlook or are not aware that WordPress has certain weak points that might make them reconsider their decisions or options.

1. Vulnerability

Unquestionably the biggest disadvantage of WordPress is its security. WordPress is an Open Source platform, and it relies heavily on plugins and themes for customization. Both the plugins and the themes are developed by different people and companies and since there isn’t anyone monitoring them, they can easily contain bugs or malicious code lines. On top of this, as stated above, today, WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide.

2. Can be expensive

While WordPress itself is free, when looking at the whole picture there are significant costs. WordPress relies on plugins and themes for customization, and while there are some that are free, they are not always reliable or safe. Furthermore, if you want your website to stand out and your visitors to have a great experience, you have to buy a theme, as the free ones are overused. With numerous updates coming out constantly, it can become quite expensive to keep your website up to date. Naturally, if you’re a WordPress designer, or have the knowledge, you can make a lot of adjustments yourself, but most people need to use a plugin or a well-developed theme.

3. Needs frequent updates

Simply installing WordPress isn't going to help you very much, as this platform requires a theme and at least several plugins to work properly. WordPress updates can often render parts of your theme or some plugins unusable. The more plugins you use, the more likely it is for you to encounter more compatibility problems. The whole maintenance process in WordPress can be quite challenging, and you have to be ready to make adjustments to your plugins and theme in order to have a functional website. If you don’t have the budget or the knowledge (design, programming), given the fact that in general WordPress doesn’t offer support, and solutions can only be found on WordPress forums, chances are that you should choose another website solution for you.

4. SEO friendliness

WordPress is definitely an SEO friendly platform, but so is virtually any open source CMS. However, for the people with little to no SEO experience and knowledge, WordPress can create quite a few problems. Probably the most known one is caused by the WordPress’ category and tagging system. If the content is over-tagged or marked into many categories, Google will flag it as duplicate content, a fact that will affect your SEO rankings.

5. Customization needs Coding

To make certain changes to your WordPress site, you have to possess HTML, CSS and PHP knowledge. If you want to personalize it in a unique way, or to enhance its design, you may find yourself needing to write numerous complicated code lines. If you’re in the category of people who possess the knowledge, things can go smoothly, but if you try to write code without having the right expertise (most people are in this category), you can do a lot of damage to your website.

https://www.websitetooltester.com/en/blog/wordpress-alternatives/

https://www.wpbeginner.com/beginners-guide/how-to-choose-the-best-website-builder/

:::

Here's one secure alternative to WordPress.

QuickSilk provides a sensible solution for developing and maintaining your own secure content management system. Trusted since 2010.

Traditionally, when selecting a content management system (CMS), agencies and organizations like Ontario's children's aid societies have compromised the security of their voluntary, involuntary and suspected clients' confidential information for the simplicity and affordability of WordPress and its 14 000 known vulnerabilities.

QuickSilk says, “No more compromising!”

“We’ve been using QuickSilk for a few years and keep acquiring new licenses because it keeps delivering a solid return on investment for us and our clients.”

Sahir Khan
Executive Vice President, IFSD, University of Ottawa

"With QuickSilk we enjoy excellent value and a secure solution that meets our needs today and is scalable for the future. Using their easy ‘drag & drop’ CMS means that our staff team is in control of our website in a way we never thought possible."

Michael Brennan
Executive Director, Canadian Association of Management Consultants

“According to our testers, QuickSilk did a great job with security best practices ......other areas they excelled in included output encoding and configuration management for their web server."

Marc Punzirudu
Vice President of Security Consulting Services, ControlScan

“As a creative branding, marketing and design agency QuickSilk is a game‑changing CMS for us. We are able to quickly design and deploy robust websites that our clients can easily update and maintain on their own.”

Nadine Buckley
Partner, McGill Buckley

https://youtu.be/xw30JU-bY6U

QuickSilk’s CMS provides the drag and drop simplicity of easy-to-use website builders with unrivaled security, at a lower total cost of ownership (TCO) than WordPress, Joomla, and Drupal.

Our simple-to-use drag and drop interface eliminates the need to hire a website designer or developer, and our website monitoring - 24 hours a day, 365 days a year, software updates, and maintenance, eliminates worries about website up-time and security.

Drag, Drop & Deploy

QuickSilk takes the challenge out of website development. Our product is so simple to use, people without website development experience can build, maintain, and update a world-class website. With QuickSilk, you are no longer challenged by technology or access to skilled professionals and resources.

https://www.quicksilk.com/

:::

IS THERE ANY WAY TO USE WORDPRESS AND GUARANTEE THE INTEGRITY OF THE SECURITY USED BY THE FREE PROGRAM/APP, AND WHAT DOES PROPER INTERNET SECURITY ACTUALLY LOOK LIKE?

The ISG Series Integrated Security Gateways.

(estimated cost $40 000 AND UP)

The ISG Series Integrated Security Gateways are ideally suited for securing enterprise, carrier, and data center environments where advanced applications, such as VoIP and streaming media, demand consistent, scalable performance. The Juniper Networks ISG1000 and ISG2000 Integrated Security Gateways are purpose-built security solutions that leverage a fourth-generation security ASIC, along with high speed microprocessors to deliver unmatched firewall and VPN performance. Integrating best-in-class firewall, VPN, and optional Intrusion Detection and Prevention, the ISG1000 and ISG2000 enable secure, reliable connectivity along with network- and application-level protection for critical, high-traffic network segments.

Network segmentation: Security zones, virtual systems, virtual LANs and virtual routers allow administrators to deploy security policies to isolate guests and regional servers or databases.

Optional Integrated IDP:

The ISG Series firewall/VPN with IDP uses the same award-winning software found on Juniper Networks IDP Series appliances.

The IDP security module combines eight detection mechanisms, including stateful signatures and protocol anomaly detection.

The ISG with IDP defends against security threats such as worms, trojans, malware, spyware, unauthorized users and hackers and can provide information on rogue servers and data on applications and operating systems that were inadvertently added to the network. Application signatures enable administrators to maintain compliance and enforce corporate business policies with accurate detection of application traffic.

https://www.terabitsystems.com/juniper/integrated-security-gateways/ns-isg-2000-sk1

https://netpoint-dc.com/blog/wp-content/uploads/2015/11/1100036-en.pdf

:::

Remember to always check to see if a website's connection is secure before using the site.

To see whether a website is safe to visit, you can check for security info about the site. EXAMPLE:

Chrome will alert you if you can’t visit the site safely or privately.

In Chrome, open a page.

To check a site's security, to the left of the web address, look at the security status:

Lock icon: Secure

View site information icon: Info or Not secure

Dangerous icon: Not secure or Dangerous

To see the site's details and permissions, select the icon. You'll see a summary of how private Chrome thinks the connection is.

What each security symbol means

These symbols let you know how safe it is to visit and use a site. They tell you if a site has a security certificate, if Chrome trusts that certificate, and if Chrome has a private connection with a site.

Fix "Your connection is not private" error

If you see a full-page error message saying "Your connection is not private," then there's a problem with the site, the network, or your device. Learn how to troubleshoot "Your connection is not private" errors.

What a security certificate is

When you go to a site that uses HTTPS (connection security), the website's server uses a certificate to prove the website's identity to browsers, like Chrome. Anyone can create a certificate claiming to be whatever website they want.

To help you stay safe on the web, Chrome requires websites to use certificates from trusted organizations.

:::

How does a computer become infected with Ransomware?

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.

Crypto ransomware, a malware variant that encrypts files, is spread through similar methods and has also been spread through social media, such as Web-based instant messaging applications. Additionally, newer methods of ransomware infection have been observed. For example, vulnerable Web servers have been exploited as an entry point to gain access to an organization’s network.

How ransomware works

There are a number of vectors ransomware can take to access a computer. One of the most common delivery systems is phishing spam — attachments that come to the victim in an email, masquerading as a file they should trust. Once they're downloaded and opened, they can take over the victim's computer, especially if they have built-in social engineering tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.

Crucial practices against ransomware attacks on your PC

Ransomware has become a growing threat to home users and small offices with less sophisticated defense systems. To put an end to malware infections, here are some tips and tricks to avoid becoming another victim of ransomware.

Update your operating system

Outdated computer systems are relatively more vulnerable to ransomware attacks. This is why it is essential to perform regular software and operating system updates to improve the security of your computer.

Install a reputable security suite

Install a good antivirus software or a reputable security suite to help you detect and fight off malicious threats, giving you an extra form of protection.

Avoid suspicious files

Stay on guard and think twice before opening email attachments or clicking files from unknown sources. Watch out for suspicious files with hidden file extensions such as “.pdf.exe”.
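The hidden-extension check above can be automated for a list of attachment names. The following Python code is an added example, not part of the original post; the extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import re

# Final extensions that Windows runs or interprets on double-click.
# Constructed, non-exhaustive list (assumption for this example).
EXECUTABLE_EXTS = frozenset({
    "exe", "scr", "com", "bat", "cmd", "pif", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "lnk", "ps1", "msi", "jar",
})

# Extensions a recipient reads as "just a document" (constructed list).
DECOY_EXTS = frozenset({
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "txt", "rtf", "csv", "jpg", "jpeg", "png", "gif", "zip",
})


def find_disguised_extension(filename):
    """Return details if a document-looking name really ends in an
    executable extension (e.g. 'invoice.pdf.exe'), otherwise None."""
    # Keep only the last path component; callers may pass a full path.
    base = re.split(r"[\\/]", filename)[-1]
    # Windows drops trailing dots and spaces when a file is saved,
    # so 'a.pdf.exe. ' ends up on disk as 'a.pdf.exe'.
    base = base.rstrip(" .")
    # Compare case-insensitively and ignore padding around each part.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 3 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    decoys = [p for p in parts[1:-1] if p in DECOY_EXTS]
    if not decoys:
        return None
    # With "hide extensions for known file types" enabled, the file
    # manager shows the name without its final extension.
    shown_as = base[: base.rfind(".")].rstrip()
    return {"decoy": decoys[-1], "real": parts[-1], "shown_as": shown_as}


def flag_attachments(filenames):
    """Return (filename, details) pairs for every disguised name."""
    flagged = []
    for name in filenames:
        details = find_disguised_extension(name)
        if details is not None:
            flagged.append((name, details))
    return flagged


# Constructed sample input, not taken from any real mailbox.
SAMPLE_NAMES = [
    "Invoice.PDF.EXE",
    "photo.jpg      .scr",
    "report.v2.pdf",
    "archive.tar.gz",
    "setup.exe",
]

if __name__ == "__main__":
    for name, d in flag_attachments(SAMPLE_NAMES):
        print(f"{name!r}: shown as {d['shown_as']!r}, runs as .{d['real']}")
```

A plain executable such as setup.exe is deliberately not flagged here, because its name does not hide what it is; blocking executable attachments outright is a separate policy.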

Disable remote access

Malware often targets computers using RDP (Remote Desktop Protocol). Keep RDP disabled if you do not require remote access.

How to prevent ransomware

There are a number of defensive steps you can take to prevent ransomware infection. These steps are of course good security practices in general, so following them improves your defenses from all sorts of attacks:

Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.

Don't install software or give it administrative privileges unless you know exactly what it is and what it does.

Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.

And, of course, back up your files, frequently and automatically! That won't stop a malware attack, but it can make the damage caused by one much less significant.

For more long-term prevention of ransomware attacks, follow these ransomware tips for businesses and consumers:

New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.

Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.

Email is one of the main infection methods. Be wary of unexpected emails, especially if they contain links and/or attachments.

Be especially wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.

Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However, organizations should ensure that backups are appropriately protected or stored offline so that attackers can’t delete them.

Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Here are some other helpful things to keep in mind from Kevin Haley, director, Symantec Security Response.

Ransomware is an online form of the bully’s game of keep-away. Here, the bully gets on your computer and takes your personal files: documents, photos, financial information, all the things you care about. Those files are still on your computer, dangling in front of you, but they are encrypted now, useless to you. In order to get them unencrypted, you’ll need to pay the bully 300-500 dollars.

This is the fastest growing crime on the internet. It grew by 4500% in 2014, and shows no signs of stopping, it's just too profitable for the bullies. How do you stop the bullies? There are five things that will make a tremendous difference.

Five Simple Dos and Don’ts:

Don’t pay the ransom. I can hear someone asking, “But won’t you get your files back if you pay the ransom?” Just like a bully who tires of the keep-away game, you likely will get your files back if you pay. But you may not. Sensing a sucker on the hook, you might get asked to pay again and again. But let’s say you’ve got an honest thief, one willing to unlock your files if you pay. Why would you ever give money to a crook? Especially one who will use the money to fund playing bully to a host of other people? It just doesn’t seem right to me.

Don’t click on attachments in email. There are a lot of different gangs running ransomware scams, who use different ways to try and infect you. One of the most popular is using spam. The email could be saying there was a package for you that couldn’t be delivered. Or a cool screensaver that you should install. Whatever the con, the bad guys want you to click on an attachment to install the malware. Don’t do it. Just don’t click.

Do keep software up to date. The bad guys know about weaknesses in the software on your PC before you do. And they try to use them to get on your machine. It's called exploiting a vulnerability. Patching removes the vulnerability. If you’re asked if you want to update your software – Do. It. Now. Waiting only helps the bad guys.

Do use security software. If you have a friend who is a security expert, who spends 24/7 keeping up on all the latest malware threats and watches over your shoulder whenever you are on your computer, you’ll be pretty safe on the internet. Otherwise, get good security software to do that. Make sure it is more than Anti-Virus. I recommend Norton Security.

Do back up. No one ever thinks anything bad will happen to them, until it does. I sure hope you never have ransomware infect your machine. But if it ever does, wouldn’t it be nice to have a copy of all your files somewhere safe? You can tell the bully where to get off. Everyone knows they need to back up their files. Now you have one more very good reason to do it.

These ransomware bullies are preying on us. But just by following a few simple dos and don’ts we can protect ourselves from them. And protect ourselves from all the other malware bullies out there.

:::

2018: Family and Children’s Services of Lanark, Leeds and Grenville suffered another alleged cyberattack.

"Raymond Lemay is back working at his computer, something he wasn’t able to do a few months back. In November, staff of Family and Children’s Services of Lanark, Leeds and Grenville were hit with a “malware” attack that locked them out their systems until they paid a $60,000 ransom."

Lemay says he wants to assure the public that no one’s private or personal data was taken as a result of the attack.

As it turned out, the office caught a lucky break. IT staff were able to restore the system within eight hours — and without having to pay hackers.

The office might have caught that lucky break, but the malware attack was still a hassle. Lemay says it took cybersecurity experts two to three weeks to eliminate the malware from the office’s computer network.

As for how the malware got on the office’s network in the first place, that remains a mystery.

“It could have been through somebody using a flash drive. It couldn’t have been through an email. It could have been any number of things,” Lemay says. “We really don’t know.”

https://globalnews.ca/news/4054200/leeds-lanark-and-grenville-family-childrens-services-ransomware/

:::

2018: Alleged ransomware attacks hit two Ontario children’s aid societies.

The alleged ransomware attacks at two children’s aid societies have spurred the Ontario government to tighten cybersecurity around a new, $123-million provincial database for children in care.

Officials with the other agency — Family and Children’s Services of Lanark, Leeds and Grenville — claim they saw an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.

“It encrypted most of our servers,” says the Lanark agency’s executive director, Raymond Lemay. “No data was taken out of our system. It was just an attempt by whatever you call these people to get a ransom.”

Lemay says his agency didn’t pay up. He says it used an offline backup of computer files to get the agency up and running again in about eight hours.

Backup copy or was there two sets of books?

To cook the books is an idiom describing fraudulent activities performed by corporations to falsify their financial statements and God knows what else when it comes to the Ontario CAS.

Lemay says the ransomware attack cost his agency $100,000 to fix, an expense covered by his agency’s “cyber insurance.”

How does that make any sense? FCSLLG could have paid $60 000 and then fixed the problem, and maybe the police could have tracked the money back to the bad guys, but chose instead to pay $100 000 to regain control of their computers?

Cybersecurity experts from the province’s Ministry of Children and Youth Services, along with a private internet security firm, swooped into the agency to neutralize the malware in the infected servers.

“It took them about three weeks to find the needle in the haystack,” Lemay says.

The ransomware attack locked the agencies out of local online files that contained private information on the children and families they serve.

The computer virus attacked while the Lanark agency was uploading its data to a centralized database known as CPIN. It will allow societies across Ontario to share information more easily and better track how children in foster care and group homes are doing.

“They might have taken advantage of vulnerabilities that occurred because we were changing over to a new system,” Lemay says of CPIN. “That’s one of the hypotheses, but we don’t know for sure.”

https://www.databreaches.net/ransomware-attacks-hit-two-ontario-childrens-aid-societies/

https://www.thestar.com/news/insight/2018/02/22/ransomware-attacks-hit-two-ontario-childrens-aid-societies.html
