security | Business, Marketing & SEO Forums
https://support.shorturl.gg
Knowledge Help Portal | Business and Marketing SEO Forums. Find your answers here
Thu, 10 Aug 2023 18:17:11 +0000

Prevent yourself from ransomware by doing these 7 things
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/prevent-yourself-from-ransomware-by-doing-these-7-things/
Sun, 02 Jul 2023 02:55:19 +0000

Doing business online makes things easier and more convenient for you and your customers, but the internet comes with risks. Throughout the years, cyber threats of varying effectiveness have gained notoriety among online communities. If you are an eCommerce leader or someone handling their own website, you need protection against ransomware and other malware.

What is ransomware?

Ransomware is a cyber threat that encrypts files to make them unusable or prevents a user from accessing their computer. Those behind a ransomware attack usually demand money from the user in exchange for restoring access to the files or computer — hence the name. Situations like this will cause considerable damage to your website and, in turn, your online business operations.

1. Prepare regular backups and a recovery plan
Ensure that you keep a backup of your files so that you can revert to them in case the files get encrypted by ransomware. Your recovery plan should include steps to restore your files or system in case of a large-scale attack.

You should have experts perform regular backups so that a copy of the latest versions of your files is kept safe. This way, your business can recover faster, which is key in situations like this to prevent further loss in sales.

2. Update your OS and antivirus software
Whether you use Microsoft, iOS or some other operating system, keep it updated with the latest patches. These patches or updates address the latest cybersecurity threats that may target the OS or software you’re using.

An updated OS gives you peace of mind because you know it helps secure your computers against ransomware attacks. A gravely outdated OS would leave your system vulnerable to sophisticated cyber-attacks from its lack of relevant security patches.

3. Scan all emails and downloaded files
Ransomware can penetrate your computer through emails or downloads, so be sure to scan these first. Enable email filtering for your computers, in which you set your inbox to automatically block or remove suspicious emails instead of letting them in.

Through email filtering, ransomware scams get removed before they get viewed by your team members in their inbox. An expert can further educate you on suspicious emails and what to watch out for.

4. Restrict non-administrator privileges
It’s good practice to have only one or a few administrator accounts. This helps prevent ransomware from completely taking over a team’s or company’s network of computers.

Restricting privileges means that non-administrator users would not be able to install unnecessary or external applications. This holds whether that user is your team member or a cyberattacker. Only the administrator can perform such actions.

5. Update default or weak passwords to secure ones
Hackers today can penetrate security measures using advanced and insidious methods. One such example is brute-force attacks, in which the hacker uses trial-and-error to correctly guess your log-in information.

They may use a computer programme that exhausts all possible combinations of characters until they successfully guess your password. Since default passwords are the ones that computers automatically generate, these may be easily guessed by a hacker’s computer programme. Make sure to update default or old passwords to secure ones that only you know.

6. Train your team to spot cyber threats
Lastly, don’t forget to cascade information to your team. Make sure that everyone who has access to your company’s computer knows how to spot ransomware and other cyber threats.

Incorporate this information in your onboarding of new members, and remind older teammates if needed. It helps to tap an expert that can explain ransomware protection and other cybersecurity topics in easily understandable ways to your team.

7. Know the devices connected to your network
Besides computers, you must know what other devices might be connected to your network. This could be something as inconspicuous as a smart vending machine or it could be something poorly secured, such as a WiFi printer.

Check whether these devices are sufficiently protected against ransomware before such cyber threats leave your system vulnerable. This also lets you disconnect devices that are no longer helpful in your operations.

Securing WordPress & Hardening your Server
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/securing-wordpress-hardening-your-server/
Mon, 20 Feb 2023 17:34:04 +0000

Securing WordPress & Hardening your Server In a Few Easy steps.

WordPress is one of the most popular content management systems (CMS) in the world, powering millions of websites across the globe. However, its popularity also makes it a prime target for hackers and cybercriminals. Therefore, it is essential to secure your WordPress installation and harden your server to prevent any unauthorized access and protect your site from cyber threats.

In this article, we will discuss some best practices to secure your WordPress installation and harden your server.

  1. Keep WordPress Updated
    One of the most important steps to secure your WordPress site is to keep it updated. WordPress is constantly updating its software to fix bugs, add new features, and most importantly, patch security vulnerabilities. By keeping your WordPress software, plugins, and themes updated, you reduce the risk of your website being hacked or compromised.
  2. Use Strong Passwords
    Passwords are the keys to your website, and if your password is weak, your website is vulnerable. Therefore, it’s essential to use strong passwords that are difficult to guess. You should also consider using two-factor authentication, which adds an additional layer of security to your website login.
  3. Limit Login Attempts
    Limiting login attempts is an effective way to prevent brute-force attacks. Brute-force attacks are a common hacking technique that involves trying multiple username and password combinations until the correct one is found. By limiting login attempts, you can prevent these attacks and protect your website from unauthorized access.
  4. Use Security Plugins
    WordPress offers a wide range of security plugins that can help you secure your website. These plugins offer features such as malware scanning, firewalls, and intrusion detection systems that can help protect your site from cyber threats.
  5. Backup Your Website
    Backing up your website is essential to protect your site from data loss or corruption. You should regularly back up your site and store the backups in a secure location. This way, if your website is compromised or hacked, you can restore it to a previous version.
  6. Secure Your Server
    Securing your server is just as important as securing your WordPress site. You should ensure that your server is properly configured, and all security patches are applied. You can also consider using a firewall and intrusion detection system to protect your server from unauthorized access.
  7. Use SSL Encryption
    SSL encryption is an essential component of website security. SSL encryption ensures that all data transferred between your website and your visitors is secure and encrypted. This prevents any sensitive data, such as login credentials or credit card information, from being intercepted by hackers.
  8. Remove Unnecessary Plugins and Themes
    You should remove any plugins or themes that are not being used. These can be a potential security risk, as they may contain vulnerabilities that can be exploited by hackers. You should also regularly review your plugins and themes to ensure that they are up to date and do not pose a security risk.
  9. Monitor Your Website
    Regularly monitoring your website can help you detect any security issues before they become a problem. You should monitor your website for any unusual activity, such as a sudden increase in traffic or suspicious login attempts. This can help you identify and resolve any security issues before they cause any damage.

In conclusion, securing your WordPress installation and hardening your server is essential to protect your website from cyber threats. By following these best practices, you can reduce the risk of your website being compromised, and ensure that your website remains secure and available to your users.

The non bullshit guide to disable xml-rpc in WordPress
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/the-non-bullshit-guide-to-disable-xlm-rpc-in-wordpress/
Mon, 23 Jan 2023 23:04:56 +0000

How to disable xml-rpc in WordPress: the non bullshit guide

Tired of long, annoying guides where you have to scroll for ages to the end to find the solution to your problem?

Well, this is not one of them. In short, xml-rpc is a protocol that enables you to blog from your phone and bla bla (things you don’t need to know or want to know anyway, and we won’t bore you with them). But you don’t need any of this, and since WordPress version 6.1.1 is vulnerable to hackers exploiting it and wrecking your WordPress website, you should disable it altogether and forever. So here is what you need to do to disable xml-rpc in WordPress:

First off you do not need a silly plugin that will bloat your website and your database. We will do it all through code and it is very easy!

First you need to take the code below and save it in a Notepad txt document as “wp-disable-xlm-rpc.php”.

This will create something called a “mu-plugin”. If you do not have the folder in your wp-content folder, then create a folder called “mu-plugins”. Then upload and save your new mu-plugin in this folder. This will disable most of the xml-rpc functionality so it only accepts POST commands. That is fine, but not enough, as we want to block it completely.

Now, in your server’s www root folder (usually called public_html), where your WordPress installation files are, look for a file called “.htaccess” and add these lines of code:

 



and then save the document. You now need to test in your browser and verify that it worked.

E.g. https://mywebsite.com/xmlrpc.php

If your server responds with a 403 Forbidden or 404 Not Found then you have succeeded!

Congratulations, you just made your WordPress server safer from exploits of the XML RPC security hole that hackers use in an attempt to break into your server.

Prevent yourself from WordPress User Enumeration Attacks
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/protect-yourself-from-wordpress-user-enumeration-attacks-and-how-to-prevent-it/
Wed, 09 Nov 2022 11:28:00 +0000

Protect yourself from WordPress User Enumeration Attacks and how to prevent it.

So what are user enumeration attacks?

Well, user enumeration attacks are several brute-force techniques with the purpose of guessing or confirming login credentials such as usernames, e-mail addresses and passwords. Basically, a hacker attempts to guess your login information. They do not, of course, do this manually; they use computers/servers to randomly scan the internet with bot spiders to find a vulnerable website: your website!

User enumeration is often a web application vulnerability, though it can also be found in any system that requires user authentication. Two of the most common areas where user enumeration occurs are in a site’s login page and its ‘Forgot Password’ functionality.

The malicious actor is looking for differences in the server’s response based on the validity of submitted credentials. The Login form is a common location for this type of behavior. When the user enters an invalid username and password, the server returns a response saying that user ‘rapid7′ does not exist.

By default, WordPress is vulnerable to such User Enumeration attempts. Of course, bad username and password practices will have an even greater impact on this vulnerability.

The two most common web application targets for enumeration attacks are:
  • The login page
  • Password reset page

A webserver with poor application security will identify a non-existent username with an invalid username message, where it displays that either the user name does not exist or the password is incorrect:

This confirms for a hacker/cyber criminal that the user/password doesn’t exist in the database. Thus this is a way to validate whether the user exists and to keep trying until a combination works and the hacker can successfully log in.

How Does User Enumeration Work in WordPress?

Method 1: Author Archives
Perhaps the easiest method to find WordPress usernames is by going through the author archives. To enumerate usernames through the author archives method, simply append an integer (i.e. 1,2,3, etc.) as a value to the parameter “author”. For example, look at the following values:

http://example.com/?author=1
http://example.com/?author=2
http://example.com/?author=3

These values would then fetch the results like the following:

http://example.com/author/admin/
http://example.com/author/user2/
http://example.com/author/user3/

Therefore, by fuzzing the parameter author in the WordPress home URL, multiple author names can be enumerated.
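
To spot the author-archive probing described above in your own logs, the following added example (not code from the original page) scans access-log lines for a single client requesting several different ?author=N values. The log lines are constructed, and treating a 301/302 answer as a disclosed username is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in "combined" format; IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Nov/2022:11:28:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [09/Nov/2022:11:28:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "scanner"
203.0.113.7 - - [09/Nov/2022:11:28:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [09/Nov/2022:11:28:02 +0000] "GET /?author=3 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [09/Nov/2022:11:28:03 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "scanner"
198.51.100.20 - - [09/Nov/2022:11:30:10 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Nov/2022:11:30:15 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def author_probe(target):
    """Return the numeric ID if the request target is an ?author=N lookup, else None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    if len(values) == 1 and values[0].isdecimal():
        return int(values[0])
    return None


def find_enumeration(log_text, min_distinct_ids=3):
    """Map client IP -> author IDs it probed and the IDs answered with a redirect."""
    seen = defaultdict(lambda: {"ids": set(), "redirected": set()})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match is None:
            continue  # malformed line
        author_id = author_probe(match["target"])
        if author_id is None:
            continue  # not an author lookup
        entry = seen[match["ip"]]
        entry["ids"].add(author_id)
        # Assumption: a 301/302 answer is the redirect to /author/<name>/,
        # meaning the username was disclosed to this client.
        if match["status"] in ("301", "302"):
            entry["redirected"].add(author_id)
    # One lookup is normal browsing; several distinct IDs from one client is a sweep.
    return {
        ip: {"ids": sorted(e["ids"]), "redirected": sorted(e["redirected"])}
        for ip, e in seen.items()
        if len(e["ids"]) >= min_distinct_ids
    }


if __name__ == "__main__":
    for ip, hit in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed author IDs {hit['ids']}, redirected for {hit['redirected']}")
```

After blocking is in place, the same sweep should show an empty "redirected" list for every flagged client.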

How can you prevent these attacks?

Use a security plugin such as:

  • WPMU Dev Defender – https://wpmudev.com/project/wp-defender/
  • CleanTalk Cloud firewall: https://cleantalk.org/wordpress-security-malware-firewall
  • WordFence – https://wordpress.org/plugins/wordfence/
  • All-In-One Security (AIOS) – https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
  • BBQ Firewall – https://wordpress.org/plugins/block-bad-queries/
  • Really Simple SSL (Their pro version which allows you to lock down vulnerabilities): https://wordpress.org/plugins/really-simple-ssl/
  • Require two-factor authentication (2FA) on all users on your website. At least for the administrators, editor and moderation accounts.
  • Use a strong password that is at least 15-20 characters long and mixes upper- and lower-case characters and various symbols. For this purpose you could use a password manager such as LastPass: https://www.lastpass.com either for yourself or your entire team, and set the password policies there too. This will prevent any hackers from finding any weak passwords in your website. LastPass can also generate passwords up to 100 characters, making passwords extremely secure.

You can also do further hardening of your WordPress security by blocking user-enumeration through functions.php in your WordPress theme:

Alternatively you could also do it by creating a WordPress MU-plugin:

A MU-plugin is a little custom code plugin that enables the code’s function systemwide. This is very useful and also requires fewer resources from your servers than using a plugin for it. It is also beneficial when running WordPress Multisite, as all websites created in the system will apply the code simultaneously, thus effectively protecting all websites instead of manually applying it to every website’s theme functions.php.

How to activate your MU-plugin:

Once you have saved the plugin with a unique name such as “My-plugin-function.php”, create a new directory in your WordPress installation server folder, e.g. the www folder:

Save or create your MU-plugin folder as follows: Path: Your www root folder >>> wp-content >>> mu-plugins

and upload your new MU-plugin to that folder. Once it is uploaded it is activated instantly. That’s it!

You can confirm also that the MU-plugin is activated:

Login to your WordPress admin back-end and click on “plugins” in the right menu pane. Click on “Must Use” and find your new mu-plugin in the list.


Block WordPress Enumeration through the .htaccess file:

You can also block at server level rather than website level and block server requests by adding this .htaccess code in your server’s www root.

Note: You must change http://mywebsite.com to your own website domain name address!

Examples of Complex Enumeration Attacks:

LDAP Enumeration: Light-Weight Directory Access Protocol (LDAP) is a protocol used to access directory services – hierarchical structures of user records.

A successful LDAP enumeration attack could reveal the following sensitive information:

  • Usernames
  • Addresses
  • Contact information
  • Business sector information

NetBIOS Enumeration
Network Basic Input Output System (NetBIOS) is used as an API that enables endpoints to access LAN resources.

Each NetBIOS protocol is comprised of a unique 16-character string that identifies network devices over TCP/IP.

To facilitate NetBIOS enumeration attacks, printer and file services need to be enabled. These attacks occur via port 139 on the Microsoft Operating System.

A successful NetBIOS enumeration attack could make the following attacks possible on the compromised machine.

  • The compromised endpoint could be recruited into a Botnet and used to launch DDoS attacks.
  • The hackers could further enumerate privileged access accounts to gain access to sensitive resources.

SNMP Enumeration
Simple Network Management Protocol (SNMP) is a framework for requesting or modifying information on networked devices. SNMP is software agnostic, meaning networked devices can be accessed regardless of the type of software they are running.

Cyberattackers enumerate SNMP on remote devices to gather the following intelligence:

  • Traffic behavior
  • Remote device identifiers
  • Identifying information about networked devices and resources
How to Harden Both WordPress and Your Server’s Security
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/how-to-harden-both-wordpress-and-your-servers-security/
Wed, 24 Aug 2022 15:24:11 +0000

How to harden your WordPress the right way

A short guide to prevent you from being hacked

Below you find a list of some very good tricks to harden your server and WordPress installation, which will help prevent your system from being hacked by script kiddies and other lame bad people who wish to mess up people’s hard work, including yours.
Remember that there isn’t a foolproof way to secure your system. Internet security is an ongoing process and never stops.

    • Place .htaccess files in all folders that should not be accessed.

 

    • In your control panel shut down all directory listing and browsing access. Log in to your control panel at your web host, search for “Indexes” and then choose the directory folders that need to be protected.

 

    • Prevent editing core files from WordPress itself. Add the code to your wp-config.php file in WordPress, which will then disable the ability to edit WordPress server files from the WP dashboard.

 

    • Move the wp-config file above the WP root directory e.g. public_html

 

    • Move the content of the wp-config file to another secret location above the public_html so that the wp-config file is just a fake file.


      Once you have done that, you need to create a new directory in C-panel (home/your-account-name/) where you place your real wp-config file. The real wp-config should be locked with 400 file permission and the .htaccess file should use 404 file permission.

    • Delete the first user (the first administrator user) and create a new one that does not have ID number 1. The WordPress admin user that is automatically created for you when you first install WordPress is known as the WordPress user with an ID of 1. This is because in the _users database table, the record ID for the admin user is 1.

      The user can easily be replaced: create a new user in the WordPress control panel and then set that new user to be the administrator. Once you have done that, log out of the first admin with ID 1, log in to your new administrator account and then delete the first account. This can of course also be done from the database by deleting the user with ID 1, but it is just easier to do it directly from the WP backend.

 

 

    • Harden the server itself. Use Patchman:

      If it is your own hardware/VPS server, (Which you should run anyway in the first place and not a shared hosting environment), then installing an additional security layer in Linux itself such as Patchman makes perfect sense: https://www.patchman.co ,
      (Patchman is a Premium service).

      Patchman will scan and monitor 24/7/365 not just your WPMU (WPMU=WordPress Multisite) or single/stand-alone WordPress installation, but the whole Linux server itself and all other web applications you might run off your server, and Patchman does this deep down from the OS core itself. If any mischief is found, Patchman will automatically correct and patch it to close the security hole. Pretty neat, right?

 

    • Also always remember to delete the files upgrade.php and install.php from your wp-admin and license.txt and readme.txt from the wp-root directory each time you upgrade.

 

    • Make sure to have access to real host backups:


      No backup plugin can ever substitute for and beat host backups, which are based on real server backup infrastructure taking full backups of your whole server on a daily basis (and it makes your site faster too, because there is one less plugin to bog down your server, which is an additional bonus). Having access to a reliable, solid backup system with retention points that go months back will save your sorry skinny butt when the sky falls down on you, and it will.

      It is not a question of “if it will happen“, but when it happens. You need to be ready for that situation when things fail in regards to your website.

    • How to Configure Secure WordPress Database Permissions (after WordPress installation):

      Never run your WordPress Installation with full database user permissions.

      The WordPress database is the most important component of your WordPress website. It contains all the content of your website, such as information about your users and all your posts, etc.

      In order to access the database, a database user should have specific privileges that allow him or her to manipulate it. The WordPress database is built using MySQL/MariaDB and contains privileges which allow users to make certain changes. The ‘grant access privileges’ give users full privileges. This is a very convenient option for a user if they want to have full control over the WordPress database.

      However, from the security point of view, this is extremely dangerous, since if a hacker gains access to the database then he or she will have full control over the WordPress database and the stored data, which can have catastrophic consequences on your website security. Therefore it’s not recommended to grant a user full access, unless the user needs to be able to use the DROP or DELETE SQL commands.

      Below is an example of the minimum privileges a database user needs to have. Other database permissions are regarded as “extra” privileges that in most cases are not needed. A typical WordPress user should be granted the following database privileges only:

      • SELECT
      • INSERT
      • UPDATE

      If you are upgrading WordPress, the above database permissions might not suffice between versions, as WordPress might need to make further changes to the database. In this case, if you are only upgrading to the latest version of WordPress, add the below privileges to the WordPress database user:

      • CREATE
      • ALTER

      NOTE: Some plugins might require additional database privileges such as CREATE, DROP or DELETE and in those cases these privileges should be granted.

      In addition to securing your WordPress database permissions, you should make sure that each database of your website is accessed through a separate account and not through the root account.
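
The privilege rules above can be checked against what the database actually grants. The following added example (not code from the original page) parses SHOW GRANTS output and reports accounts that exceed the page's minimum set, hold full privileges, or are root. The grant lines and all account and database names are constructed.

```python
import re

BASELINE = {"SELECT", "INSERT", "UPDATE"}   # minimum set listed on this page
UPGRADE_EXTRA = {"CREATE", "ALTER"}         # added by the page for version upgrades

# Constructed SHOW GRANTS output for the accounts several sites connect as;
# every account and database name here is hypothetical.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO `wp_blog`@`localhost`
GRANT SELECT, INSERT, UPDATE ON `blog_db`.* TO `wp_blog`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON `shop_db`.* TO `wp_shop`@`localhost`
GRANT ALL PRIVILEGES ON `news_db`.* TO `wp_news`@`localhost`
GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<grantee>\S+)",
    re.IGNORECASE,
)


def parse_grant(line):
    """Split one GRANT line into user, scope and a set of privilege names."""
    match = GRANT_RE.match(line.strip())
    if match is None:
        return None
    privs = {p.strip().upper() for p in match["privs"].split(",")}
    user = match["grantee"].split("@")[0].strip("`'\"")
    return {"user": user, "scope": match["scope"], "privs": privs}


def audit_grants(show_grants_text, upgrading=False, plugin_needs=()):
    """Return (user, scope, issue) for every grant that breaks the page's rules.

    upgrading=True also allows CREATE and ALTER; plugin_needs lists extra
    privileges a plugin is known to require (the NOTE above).
    """
    allowed = BASELINE | {p.upper() for p in plugin_needs}
    if upgrading:
        allowed |= UPGRADE_EXTRA
    findings = []
    for line in show_grants_text.splitlines():
        grant = parse_grant(line)
        if grant is None or grant["privs"] == {"USAGE"}:
            continue  # USAGE grants no privileges at all
        if grant["user"] == "root":
            issue = "root account in use"
        elif grant["privs"] & {"ALL", "ALL PRIVILEGES"}:
            issue = "full privileges"
        else:
            extra = sorted(grant["privs"] - allowed)
            if not extra:
                continue
            issue = "extra privileges: " + ", ".join(extra)
        findings.append((grant["user"], grant["scope"], issue))
    return findings


if __name__ == "__main__":
    for user, scope, issue in audit_grants(SAMPLE_GRANTS):
        print(f"{user} on {scope}: {issue}")
```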


 

Why you should lock your WordPress mission critical files
https://support.shorturl.gg/business-marketing-and-seo-forums/topic/why-you-should-lock-your-wordpress-mission-critial-files/
Mon, 08 Aug 2022 22:56:25 +0000

Why you should lock your critical WP files with read only 400 and 404 permissions

If you have a WordPress website, (like most website owners have) and your web host is using suPHP or suExec and running PHP as a CGI (Common Gateway Interface) and not using DSO – running PHP as an Apache Module (mod_php) then you should be locking your WordPress Mission Critical files.

Why? In Mass Code Injection attacks aimed at Web Hosts there is a vulnerability with having 644 Group Permissions on files. What this means is that it could be possible to cross code inject your WordPress Mission Critical file in a Shared Hosting Environment if Group Permissions Read is allowed. Just allowing Group Permissions Read and not having Group Permissions Write on files can make them vulnerable to Mass Code Injection attacks on Web Hosts in a Shared Hosting Environment.

404 File Permissions:

.htaccess files should have 404 File Permissions

  • Owner Permissions – Read On – Write X – Execute X
  • Group Permissions – Read X – Write X – Execute X
  • Public Permissions – Read On – Write X – Execute X

400 File Permissions:

index.php, wp-config.php and wp-blog-header.php should have 400 File Permissions

  • Owner Permissions – Read On – Write X – Execute X
  • Group Permissions – Read X – Write X – Execute X
  • Public Permissions – Read X – Write X – Execute X

By doing this you will harden your installation further while minimizing the outside access to files. Remember that this doesn’t just apply to your files in the root folder of your WordPress installation, but to all your .htaccess files throughout your whole file structure within the WordPress directory.
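
To find files that do not yet match these modes, the following added example (not code from the original page) walks a WordPress directory and reports every .htaccess that is not 404 and each of the three named files in the root that is not 400. The demo tree is constructed in a temporary directory, and checking the three PHP files in the root only is an assumption.

```python
import os
import stat
import tempfile

HTACCESS_MODE = 0o404
ROOT_FILE_MODE = 0o400
ROOT_FILES = ("index.php", "wp-config.php", "wp-blog-header.php")


def expected_mode(rel_path):
    """Mode the page asks for, or None if the page says nothing about this file."""
    directory, name = os.path.split(rel_path)
    if name == ".htaccess":
        return HTACCESS_MODE        # every .htaccess in the whole tree
    if directory == "" and name in ROOT_FILES:
        return ROOT_FILE_MODE       # assumption: the three files in the WP root only
    return None


def audit_permissions(wp_root):
    """Return (path, current mode, wanted mode, group_readable) per deviation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(wp_root):
        dirnames.sort()             # deterministic report order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, wp_root)
            wanted = expected_mode(rel)
            if wanted is None:
                continue
            info = os.lstat(full)
            if not stat.S_ISREG(info.st_mode):
                continue            # skip symlinks and other non-regular files
            current = stat.S_IMODE(info.st_mode)
            if current != wanted:
                findings.append((
                    rel.replace(os.sep, "/"),
                    format(current, "03o"),
                    format(wanted, "03o"),
                    bool(current & stat.S_IRGRP),   # the group-read bit the page warns about
                ))
    return findings


def demo():
    """Build a constructed WordPress-like tree in a temp dir and audit it."""
    layout = {
        ".htaccess": 0o404,
        "index.php": 0o400,
        "wp-blog-header.php": 0o440,
        "wp-config.php": 0o644,
        "wp-content/index.php": 0o644,
        "wp-content/uploads/.htaccess": 0o644,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, mode in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as handle:
                handle.write("# constructed placeholder\n")
            os.chmod(path, mode)
        return audit_permissions(root)


if __name__ == "__main__":
    for path, current, wanted, group_read in demo():
        note = " (group-readable)" if group_read else ""
        print(f"{path}: {current} -> {wanted}{note}")
```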
