
Certificate Transparency Aims To Make eCommerce Shoppers Safer

The security of online eCommerce transactions depends on SSL certificates and a system of validation by Certificate Authorities. The math behind SSL / TLS cryptography is sound if used properly, but the entire system depends on Certificate Authorities behaving as expected. They issue certificates, validate the identity of applicants, and make sure the SSL system isn’t abused. Every time a shopper makes a purchase from an eCommerce merchant, they implicitly trust the Certificate Authorities. That’s a problem, because although most Certificate Authorities deserve the trust they’re given, some do not.

Recently it was revealed Certificate Authority WoSign had persistently broken the rules that exist to keep web users safe. Over a period of several years, they had abused the trust placed in them. Browser developers reacted quickly to prevent any further damage, but that’s a case of closing the barn door after the horse has bolted.

What the web really needs is a way to make sure Certificate Authorities are doing their job properly, a monitoring system that would make any malfeasance immediately obvious.

That’s the goal of Certificate Transparency, a project from Google that aims to make Certificate Authorities open to scrutiny. Certificate Transparency is intended to make it difficult for CAs to issue certificates for a domain without the owner of that domain knowing about it. At the moment, any Certificate Authority can issue a certificate for any domain, and there’s no straightforward way for the domain owner to find out.

Certificate Transparency provides a monitoring system for all issued certificates — a log of all certificates that anyone can query. The logs are append-only lists of all certificates issued by CAs. They can be queried by anyone, so if a domain owner wants to know if a CA has maliciously or accidentally issued a certificate for their domain, they can simply send a request to the log.

Certificate Transparency will keep CAs honest by making it easy to find out when they’re behaving dishonestly or incompetently.
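The append-only log described above, as an added example that is not part of the original article: a small Python model of a Certificate Transparency log. It goes beyond the article in one respect, the Merkle tree hashing scheme (leaf and node prefixes, inclusion proofs) comes from RFC 6962 / RFC 9162, which the article does not go into. The log entries, CA names and domains are constructed, not real certificates.

```python
import hashlib
from typing import List, Set, Tuple

def hash_leaf(entry: bytes) -> bytes:
    """RFC 6962 leaf hash: the 0x00 prefix keeps leaves distinct from interior nodes."""
    return hashlib.sha256(b"\x00" + entry).digest()

def hash_node(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash, prefixed with 0x01."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_hash(entries: List[bytes]) -> bytes:
    """Merkle Tree Hash of the whole log; this is what a log signs in its tree head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hash_leaf(entries[0])
    k = _split_point(n)
    return hash_node(tree_hash(entries[:k]), tree_hash(entries[k:]))

def inclusion_proof(index: int, entries: List[bytes]) -> List[bytes]:
    """Audit path for entries[index]: the sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_hash(entries[:k])]

def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2) that `entry` sits at `index`
    in a tree of `tree_size` entries whose root hash is `root`."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = hash_leaf(entry)
    for p in proof:
        if sn == 0:
            return False          # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(p, r)   # sibling is on the left
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)   # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

# Constructed log entries (not real certificates): "issuer=<CA>;subject=<domain>"
SAMPLE_LOG = [
    b"issuer=Trusted CA;subject=shop.example",
    b"issuer=Trusted CA;subject=blog.example",
    b"issuer=Sketchy CA;subject=shop.example",   # issuance the domain owner never requested
    b"issuer=Trusted CA;subject=mail.example",
    b"issuer=Trusted CA;subject=shop.example",
]

def unexpected_issuances(entries: List[bytes], domain: str,
                         trusted_cas: Set[str]) -> List[Tuple[int, str]]:
    """The domain owner's monitor query: every entry for `domain` issued by a CA they do not use."""
    hits = []
    for i, raw in enumerate(entries):
        fields = dict(kv.split("=", 1) for kv in raw.decode().split(";"))
        if fields.get("subject") == domain and fields.get("issuer") not in trusted_cas:
            hits.append((i, fields["issuer"]))
    return hits

if __name__ == "__main__":
    root = tree_hash(SAMPLE_LOG)
    for i, entry in enumerate(SAMPLE_LOG):
        ok = verify_inclusion(entry, i, len(SAMPLE_LOG), inclusion_proof(i, SAMPLE_LOG), root)
        print(f"entry {i} included under root {root.hex()[:16]}...: {ok}")
    print("rogue issuances for shop.example:",
          unexpected_issuances(SAMPLE_LOG, "shop.example", {"Trusted CA"}))
```

A real monitor would fetch entries and tree heads from a log's HTTP API and verify consistency proofs between successive heads; the inclusion check above is the piece a client runs on a single entry.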

It’s possible to dream up any number of systems that would make the web safer and more secure, but it’s a pointless exercise if the major stakeholders, especially browser vendors, don’t act.

The good news is that starting from next year, Google intends to make Certificate Transparency mandatory. If CAs want Google’s Chrome browser to trust their certificates, they’ll have to comply with Chrome’s Certificate Transparency policy. All certificates issued after October 2017 will have to comply.

October 2017 is almost a year away, and there are any number of reasons that deadline might slip, but it’s encouraging that at least one major browser developer is being proactive about the problem of untrustworthy Certificate Authorities.

eCommerce shoppers and retailers — and everyone else who uses the web — must be able to trust that their private data won’t be delivered into the hands of criminals and others who would use it maliciously. Certificate Transparency is a welcome move in that direction.

Posted in:
Security

Source link

Fake SEO Plugin Targets WordPress Sites

WP-Base-SEO is a fake WordPress plugin that security researchers have found installed on over 4000 WordPress sites. WP-Base-SEO is a copy of a legitimate WordPress SEO plugin with added malicious code so the attacker can control infected sites.

When a hacker compromises a WordPress site, standard operating procedure is to inject malicious PHP or JavaScript code. The attackers’ code lets them access the site in the future and hijack its resources and traffic. But foreign code is easy to spot if you know what you’re looking for. A security researcher or automated malware scanner will find obviously out-of-place code quickly.

To avoid being discovered, the creators of WP-Base-SEO are using it as a Trojan horse. For the most part, it looks like a legitimate WordPress plugin. The difference lies in a few tweaks that allow the hackers to execute arbitrary code at will.

To see if your WordPress site has been infected with this malware, look in its /wp-content/plugins folder for directories containing “wp-base-seo”.

It appears the plugin is not being installed by WordPress users. Botnets trawl the internet for vulnerable WordPress sites, hack them, and inject malware. In this case the malware is hidden in a WordPress plugin. This technique depends on the availability of insecure sites: those where WordPress, plugins, and themes haven’t been updated to a recent version.

Many of the sites infected with WP-Base-SEO also have older versions of the RevSlider plugin installed. Older versions of RevSlider contain a critical and easily exploited vulnerability. It’s believed that the RevSlider vulnerability was the vector for the Panama Papers leaks. The attackers are exploiting the RevSlider vulnerability, installing their malware plugin, and using it to control WordPress sites.

The best way to secure your WordPress site is to ensure it’s always kept up-to-date. WordPress Core, plugins, and themes should be updated to the most recent version. There’s a wrinkle where RevSlider is concerned because it’s often bundled with themes and only updated when the theme’s developer chooses to do so. If you have any doubt, contact your theme’s developer.
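The two checks above (look for “wp-base-seo” directories under /wp-content/plugins, and find out which RevSlider version is installed), as an added Python example that is not part of the original article or of any scanner it mentions. The plugin header parsing follows the “Plugin Name:” / “Version:” comment block WordPress itself reads; the sample plugins directory and its version numbers are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Header lines WordPress reads from a plugin's main file (only the first 8 KiB are inspected)
HEADER_RE = {
    "name": re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M | re.I),
    "version": re.compile(r"^[ \t/*#@]*Version:\s*(.+)$", re.M | re.I),
}

def read_plugin_header(plugin_dir: str) -> Dict[str, str]:
    """Return {'name', 'version'} from the first PHP file in plugin_dir that carries a plugin header."""
    for fname in sorted(os.listdir(plugin_dir)):
        if not fname.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, fname), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        found = {}
        for key, rx in HEADER_RE.items():
            m = rx.search(head)
            if m:
                # drop a trailing comment terminator such as ' */'
                found[key] = re.sub(r"\s*(?:\*/|\?>).*$", "", m.group(1)).strip()
        if "name" in found:
            return found
    return {}

def scan_plugins(plugins_root: str) -> List[Dict[str, Optional[str]]]:
    """Walk wp-content/plugins and attach an alert to directories matching the indicators in the article."""
    records = []
    for entry in sorted(os.listdir(plugins_root)):
        full = os.path.join(plugins_root, entry)
        if not os.path.isdir(full):
            continue
        header = read_plugin_header(full)
        alert = None
        if "wp-base-seo" in entry.lower():
            alert = "directory name matches the WP-Base-SEO malware indicator; inspect and remove"
        elif "revslider" in entry.lower():
            alert = "RevSlider present; confirm with the theme vendor that this version is current"
        records.append({"dir": entry, "name": header.get("name", "?"),
                        "version": header.get("version", "?"), "alert": alert})
    return records

def alerts(records: List[Dict[str, Optional[str]]]) -> List[Dict[str, Optional[str]]]:
    return [r for r in records if r["alert"]]

def make_sample_plugins_dir() -> str:
    """Constructed fixture (not a real site): one ordinary plugin, a RevSlider copy, and a WP-Base-SEO directory."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "akismet": ("akismet.php", "<?php\n/*\nPlugin Name: Akismet Anti-Spam\nVersion: 3.3\n*/\n"),
        "revslider": ("revslider.php", "<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.1\n */\n"),
        "wp-base-seo": ("wp-base-seo.php", "<?php\n/*\nPlugin Name: WP Base SEO\nVersion: 1.0\n*/\n"),
    }
    for dirname, (fname, content) in samples.items():
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, fname), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    import sys
    # Pass the real path to wp-content/plugins as the first argument; otherwise the fixture is scanned
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_plugins_dir()
    for r in scan_plugins(root):
        flag = f"  ALERT: {r['alert']}" if r["alert"] else ""
        print(f"{r['dir']:<20} {r['name']} {r['version']}{flag}")
```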

In this case, the malicious plugin is installed by the attackers to hide their presence, but it’s not unusual for criminals to manipulate WordPress users into installing malware-infested plugins. That’s why it’s important to only install plugins from trusted and reputable sources. If you have any doubts about whether a plugin or theme comes from a trustworthy source, do not install it.

Pirated premium plugins are a particular favorite of criminals. They take the code from a genuine premium plugin, add malware to it, and make it available for free. As a general rule, avoid downloading plugins from anywhere other than the official WordPress Repository, well-regarded theme and plugin marketplaces, or a reputable WordPress developer’s website.

Posted in:
Content, WordPress


Home Routers Wage War On WordPress

A huge botnet of home routers has targeted WordPress sites with brute-force attacks over the last few weeks. Brute-force attacks are a risk for WordPress websites with insecure passwords, and they can cause problems even if a site has secure passwords by consuming a significant proportion of its resources.

A botnet is a collection of compromised internet-connected machines under the control of a malicious actor. Botnets are nothing new, but until recently, creating a large botnet was a difficult technical challenge. They were usually made up of hacked Windows PCs. Attackers compromise PCs and install malware, which is used to control the machine. Botnets are used for a wide variety of online crimes, including brute force attacks, distributed denial of service attacks, and spamming.

But in recent years, it’s become more common to see Internet of Things devices used in botnets. In this case, home routers shipped with vulnerable software accessible to the internet. You can see the full technical details in this WordFence post, but, in a nutshell, the routers expose a web server so that ISPs can send instructions to the device. Unfortunately, the web server is easily hacked, allowing criminals to install malicious software.

Tens of thousands of these routers have been used to target WordPress sites with brute-force attacks. Brute force attacks aren’t particularly sophisticated; they simply attempt to log in to WordPress sites with guessed username and password combinations. Criminals know which passwords people are most likely to use, which increases their chances of finding the right combination.

Once the attackers figure out a valid username and password combination, they are able to take over the site and install software, deface pages, redirect users to malware sites, send spam, and so on.

If a WordPress site uses strong passwords on all accounts, the chance that a brute-force attack finds the right combination of credentials is minute. Brute-force attacks have an extremely low chance of success against properly secured WordPress sites. However, it’s impossible to guarantee that every user with an account understands how to create and use a decent password, so the best way to combat brute-force attacks is two-factor authentication.

Two-factor authentication combines the traditional username and password with a second factor: usually a one-time code delivered to a mobile device. Without the one-time passwords — which can only be used for a short period of time — the attacker will not be able to authenticate even if they manage to guess the username and password. Two-factor authentication effectively mitigates brute-force attacks.

There are several excellent two-factor authentication plugins for WordPress, including Duo Two-Factor Authentication and Google Authenticator – Two Factor Authentication.

But there remains the problem of resource use. Every time a WordPress site rejects a login attempt, resources are consumed. If a botnet decides to make thousands of login attempts in a short period of time, a substantial proportion of the site’s available resources can be wasted.

To avoid that happening, WordPress users can install a rate limiting plugin like WP Limit Login Attempts, which limits the number of failed login attempts that can be made from an IP address. Rate limiting isn’t a surefire way to beat botnet brute-force attacks (botnets have IPs by the thousand), but it can reduce the resources consumed by malicious login attempts.
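The per-IP rate limiting just described, and the reason a router botnet slips past it, as an added Python example that is not part of the original article or of the WP Limit Login Attempts plugin. It parses access-log lines for POSTs to wp-login.php (a failed WordPress login re-renders the form with a 200; a successful one answers with a 302 redirect), applies a per-IP sliding window like a limiter plugin would, and then counts site-wide failures, which is what actually catches thirty addresses trying once each. The log lines are constructed from documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Apache/nginx combined log format; only the fields needed here are captured
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

Attempt = Tuple[datetime, str, int]   # (timestamp, client IP, HTTP status)

def parse_login_attempts(lines: List[str], failures_only: bool = True) -> List[Attempt]:
    """Extract POSTs to wp-login.php; with failures_only the 302 (successful login) responses are dropped."""
    attempts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            continue
        status = int(m.group("status"))
        if failures_only and status == 302:
            continue
        attempts.append((datetime.strptime(m.group("ts"), TIME_FMT), m.group("ip"), status))
    attempts.sort()
    return attempts

def per_ip_offenders(attempts: List[Attempt], limit: int = 5,
                     window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """What a per-IP limiter sees: an IP is flagged at the attempt that takes it past `limit` within `window`."""
    recent = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for ts, ip, _ in attempts:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged

def distributed_burst(attempts: List[Attempt], limit: int = 20,
                      window: timedelta = timedelta(minutes=10)) -> Optional[datetime]:
    """Site-wide view: the moment total failed logins within `window` exceed `limit`, whatever the source IPs."""
    q = deque()
    for ts, _, _ in attempts:
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            return ts
    return None

def build_sample_log() -> List[str]:
    """Constructed access-log lines (not from a real server): one noisy address, a 30-address botnet
    sending a single attempt each, and one genuine login."""
    base = datetime(2017, 4, 12, 10, 0, 0, tzinfo=timezone.utc)
    def line(ip, offset_s, method="POST", path="/wp-login.php", status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TIME_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 2381 "-" "Mozilla/5.0"'
    lines = [line("203.0.113.7", 0, method="GET")]                         # just loading the form
    lines += [line("198.51.100.5", 30 * i) for i in range(8)]              # 8 failures in 4 minutes
    lines += [line(f"192.0.2.{i}", 300 + 5 * i) for i in range(1, 31)]     # botnet: 30 IPs, once each
    lines.append(line("203.0.113.7", 900, status=302))                     # real user logs in
    return lines

if __name__ == "__main__":
    failed = parse_login_attempts(build_sample_log())
    print("per-IP limiter flags:", {ip: ts.isoformat() for ip, ts in per_ip_offenders(failed).items()})
    burst = distributed_burst(failed)
    print("site-wide burst detected at:", burst.isoformat() if burst else "never")
```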

Posted in:
Content, WordPress


Looking Forward to Craft CMS 3

Craft CMS is a favorite of developers and designers because it’s engineered with careful attention to the needs of professionals who build complex content sites. At the beginning of 2017, the beta for Craft CMS 3 was released, bringing hundreds of changes and improvements.

When the Beta was released, Pixel & Tonic estimated that it’d take 6–9 months to work the kinks out, so it’s time to take a close look at what Craft enthusiasts can expect when Craft CMS 3 is production-ready.

Craft CMS 3 isn’t ready for primetime just yet, but if you want to test it, the beta can be downloaded from GitHub.

PHP 7 Required

Craft CMS 3 requires PHP 7. PHP 7 is much faster than previous PHP versions, includes numerous enhancements, and is more secure. Some Craft CMS users may not be pleased that they’ll be required to find hosting that supports PHP 7, but at this point, a hosting company that declines to update to the most recent version of PHP should be regarded with suspicion.

Hostdedi supports PHP 7 across our hosting products.

Image Editing

This is one of my favorite new features. Craft CMS 3 includes a built-in image editor with the most frequently used image transformations. Users can crop, rotate, and straighten photos. A nice touch is the ability to set focal points so that Craft knows which area of the image is most important when applying transformations.

Composer Compatibility

Composer — a tool for managing PHP dependencies — has become an essential part of the PHP workflow for many developers. They’ll be pleased to hear that with the release of Craft CMS 3, it will be possible to manage and install Craft and plugins with Composer.

Craft CMS Multi-site

In response to a developer hack that used Craft CMS’s Locales feature to create multiple sites, Craft 3 introduces a new feature that makes the creation of multiple sites from a single installation (and with a single license) much easier.

More Powerful Templates

Craft’s Twig templates are a key part of what makes the content management system so appealing to developers. Without having to tangle with the PHP innards of Craft, developers are able to quickly build beautiful, functional front-end themes using standard web languages.

With Craft 3, templates get a significant power-up, with the addition of access to Craft’s Application instance and its associated services and components.

Craft 3 includes more than 600 changes. It’s a major update, so developers will want to take some time to check out what’s different before the final release.

Hostdedi provides a wide range of Craft CMS hosting options with a technology stack engineered to offer the best possible content management and publishing experiences, including Craft shared hosting, dedicated servers, and custom clusters for high-traffic Craft CMS sites.

Posted in:
Content, Craft CMS


Five Common Mistakes WordPress Theme Developers Should Avoid

Getting a theme into the WordPress Theme Repository can give a big boost to a WordPress developer’s credibility, especially if it proves popular with WordPress users. It’s also a great way to promote a premium theme — many theme developers publish “light” versions of their theme for free to promote a premium version with more features.

But to get a theme into the WordPress Theme Repository, developers have to follow some strict guidelines. Some of the guidelines are commonsense coding best practices, but others are specific to the WordPress project and are made clear in the Theme Review Requirements document and the documentation for the Theme Check Plugin.

But some developers either aren’t aware of the rules or choose not to follow them. In a recent blog article, Carolina Nymark discussed the reasons some themes are rejected. Many rejections could have been avoided with a better understanding of the guidelines, so I’d like to have a look at five common mistakes WordPress theme developers should avoid if they want a smooth voyage into the WordPress Theme Repository.

Missing Escape Or Using The Wrong Function

Forgetting to escape user input is a common problem, and one that can have disastrous results for security. Cross-site scripting attacks are the number one security risk on the web, and failure to properly escape input causes cross-site scripting vulnerabilities.

The WordPress Theme Handbook gives clear guidance about which functions should be used and which shouldn’t, so it’s well worth spending a few hours familiarizing yourself with it before embarking on theme development.

Text That Isn’t Translation Ready

WordPress is used by hundreds of millions of people in almost every country in the world. That’s a huge number of languages that have to be supported. WordPress provides plenty of tools and guidance for internationalization, so there’s really no good reason a theme shouldn’t be translation ready.

Scripts Or Styles Not Enqueued

WordPress provides functions for adding JavaScript and CSS files to themes. It’s better to use these functions than to load the files using other mechanisms.

The typical WordPress site has a theme and many plugins, all of which might load JavaScript and CSS files. The enqueue functions make sure that everything works well together and that there are no compatibility problems.

PHP Notices, Errors, Or Warnings

This one isn’t too complex: if your PHP code throws errors or warnings, you’re unlikely to be approved to join the WordPress Theme Repository.

Duplicate Theme

Some developers submit themes that are already in the repository. As I said at the top of this post, getting a theme in the repository is good for a WordPress developer’s career, so there’s an incentive to pass off another developer’s work as your own. But copied themes will be found and rejected immediately.

All of this is straightforward stuff for experienced WordPress developers, but if you’re new to theme development, taking a close look at some of the theme development resources we’ve linked to here would be a fruitful use of your time.

Posted in:
Content, WordPress


Five Email Newsletter Mistakes You Should Avoid

Email newsletters have long been a key part of any comprehensive marketing strategy. In fact, in recent years, newsletters have experienced something of a renaissance, with high-quality newsletters like Dave Pell’s NextDraft gaining huge audiences.

On the other hand, most of us receive no shortage of spam, and any marketing newsletter has to walk a fine line between valuable content and worthless spam. Unfortunately, I see many companies that don’t quite understand — or care — that an effective email newsletter demands high-quality content.

Most companies engaged in content marketing have grasped the idea that social media streams and blogs shouldn’t be focused entirely on the hard-sell. But many who wouldn’t for a second publish spammy garbage on their blog seem quite happy to send out tens of thousands of emails with practically no value from a content marketing or audience-building perspective.

I’m going to assume that you’re well aware that high-quality content is the way to go and take a look at some mistakes that might scupper an email newsletter even if it contains great content.

Make It Easy To Unsubscribe

First and foremost, subscription must be voluntary, which means letting people unsubscribe as easily as possible. This is in the interest of leads, but also in the interest of marketers and the companies they work for.

The whole point of an email newsletter is to engage the attention of potential customers. If they simply aren’t interested, there’s no way to engage their attention. Don’t kid yourself that if you keep sending emails, they may see something in email number 50 that grabs their attention.

A valuable mailing list contains genuine leads, and letting people unsubscribe helps weed out leads that are going nowhere.

Don’t Spam

This should be obvious, but it often isn’t, so I’ll make it clear. Don’t buy email lists and spam everyone on them with content they aren’t interested in. Don’t send too many emails, because even if the recipient is interested in hearing from your company once a week, they won’t want to see your name pop up in their inbox several times a day. Be polite.

Include A Prominent Call To Action

Although I’ve stressed valuable, non-sales content, we send email newsletters because we want to sell something. If you don’t include prominent calls-to-action that lead to relevant landing pages on your site, users are unlikely to act on what they read even if they do find it interesting.

Keep It Short And Sweet

Attention is at a premium, so keep email newsletters to a reasonable size. By all means include links to your blog, but don’t try to squeeze the text of every blog article you’ve published in the last month into one email.

One mistake I often see is when businesses allow every department or team to make a contribution. The result is often a long messy email made of incoherent sections with no overall design or goal.

I prefer to create a theme or overarching goal for each newsletter and design content and graphics that contribute to achieving that goal.

Make It Mobile Friendly

Another one that should be a no-brainer on today’s web: make sure email newsletters perform well on mobile devices. If the recipient has to pinch-and-zoom around tiny text, they’ll just hit delete and move on to a less troublesome email.

The takeaway message is this: send people with a genuine interest in your products short high-quality content — and don’t forget the call-to-action.

Posted in:
Webmaster


How Can Small eCommerce Stores Compete Against Amazon?

Amazon is a behemoth that dominates the eCommerce world. If shoppers want a product, they’re almost certain to find it on Amazon. They know it’ll arrive in good time. And they know that Amazon has great customer service and a customer-friendly return policy.

How can small eCommerce stores compete? First, it’s obvious that small eCommerce stores can compete because there are thousands of flourishing eCommerce stores — many of them use our eCommerce hosting platform.

But that doesn’t mean it’s easy to compete against a brand with the name-recognition and market penetration of Amazon. Let’s take a look at some of the ways smaller eCommerce stores can stand out from the crowd.

Unique Branding

In many ways, Amazon’s scale isn’t an advantage at all. It can’t easily experiment with its brand or create a brand that appeals to a niche audience. The Everything Store must be all things to all shoppers.

Smaller stores, on the other hand, are free to focus their branding on specific groups, something we see most prominently with fashion eCommerce retailers. Brand is a big deal where fashion is concerned, and boutique eCommerce stores can directly shape their brand message and design to a specific audience.

Build A Community

People like to spend money with businesses they approve of, identify with, and feel affection for. In the modern eCommerce world, there are any number of ways for a brand to build a solid community of shoppers who will keep buying from what becomes their store.

Branding is important here, but eCommerce retailers should also focus on content marketing and social media to forge an authentic identity.

Specialize

A friend of mine loves rare science fiction books. Many of the books he buys are available on Amazon or eBay, but he refuses to buy from those retailers because he values the in-depth knowledge and personal touch of a smaller retailer — a retailer he’s never met in real life and is based in a different country.

Smaller retailers that specialize in a particular type of product, whether that’s books, engraved spoons, bespoke dresses, or whatever, have an advantage — they can use their personal knowledge about the products they sell to build lasting and authentic relationships with customers.

My friend can’t send an email to Amazon asking if a book he wants to buy is the rare 1947 edition with a misprint on page fifty. He can do that with his preferred retailer, and that’s why he’s loyal to them.

Domain knowledge and an authentic passion for the product is key to generating customer loyalty.

Curate

Quite often, customers don’t want to choose from 300 slightly different versions of the same product. They want someone with taste and knowledge to choose for them and present a selection of the best. Once they trust that your eCommerce store is great at curating the best selection of products, you’ll have a customer for life.

Amazon’s size gives it many advantages, but it can’t do authentic, it can’t do niche branding, and it can’t curate with the individual sensibility many shoppers yearn for. Small retailers can, which is why they’ll continue to flourish.

Posted in:
eCommerce


Close Comments On Older WordPress Blog Posts To Slash Spam

Google has long been wise to the ways of comment spammers, but that doesn’t stop many comment threads degenerating into spammy lists of “work from home” comments and link spam. Akismet and similar spam filters catch most of it, but judging by the sites I see every day, these filters let plenty of spam through.

Although many publishers have removed comments from their sites, largely because they don’t want to deal with spammers and other “problem commenters,” hundreds of thousands of bloggers allow their users to contribute to the conversation.

If you think having comments on your blog is valuable, you have to deal with the spam. I’ve found that one of the best ways to reduce spam is to close comment threads after a while. This works because the majority of comments are posted immediately after an article is published. Publishers only have to moderate comments for a short time, and spammers have less of a window to get their comments into the thread.

For a moderately popular post, there’s a clear pattern to comment posting. The peak is almost immediate: usually in the first one or two days after the post is published. If the article continues to attract attention, the plateau may continue for a few days, but it’ll eventually decline, and after a couple of weeks, comments are sporadic. The most valuable interactions usually happen right after publication.

Closing comments after a couple of weeks will reduce the total number of comments and limit conversations — some potentially great comments won’t be published — but publishers should balance the risk of restricting comments with the benefits.

A moderately active blog that’s more than a couple of years old may have hundreds or thousands of posts; some have tens of thousands of posts. Monitoring every one of those posts for spam comments is a full-time job; sometimes it’s several full-time jobs. Those resources are better invested elsewhere. Allowing comments for a limited period drastically reduces the number of posts that publishers must actively moderate.

In fact, what tends to happen is that older posts aren’t actively monitored. Comment spammers love this type of blog. They can slip spam onto the site in the confidence that no one will see it. For some types of spam — link spam in particular — spammers don’t care whether anyone sees it. What matters is the link from a popular site. This sort of spamming isn’t hugely effective — smart bloggers no-follow links in comments anyway, but that doesn’t stop spammers and their bots.

Closing comments on older posts does little to limit the contribution that readers can make to a site’s community, while massively reducing the amount of spam that site owners have to deal with.


Many comment systems recognize the benefits of closing comments after a predetermined period. Disqus has a setting that allows publishers to choose a number of days before the thread is closed. WordPress’s built-in comments have a similar option; you can find it under “Settings -> Discussion” in the WordPress admin dashboard.

Posted in:
Content, WordPress


Managing Complex WordPress Publishing Workflows With Edit Flow

As any blogger or publisher will tell you, managing publishing workflows takes a dedication to organization. There are any number of general productivity tools an editor might use, but if you’re managing a site that publishes multiple authors, a dedicated tool is the best option. A workflow management tool that’s integrated with your content management system is even better.

We’ve covered WordPress editorial calendars like CoSchedule and Editorial Calendar before, but I’ve avoided talking about Edit Flow. It’s an excellent tool, but since it was bought by Automattic, releases have been few and far between. Bug reports went unresolved, and the plugin wasn’t updated regularly.

This month, it seems that Automattic have started to pay attention to Edit Flow again. It received a new bug-fix release to address outstanding problems, and, after an intervention by popular WordPress news site WP Tavern, a project member apologized for poor communication and maintenance.

“Folks, we’re sorry that it looks as though we’ve abandoned Edit Flow. We certainly haven’t, and we should have at least updated the tested tag for the plugin as you rightly point out. We’ve done that today, as well as make sure GitHub and WordPress.org are in sync.”

Edit Flow implements a number of features that make it easier for editors to manage complex publishing workflows.

First and foremost, Edit Flow integrates an editorial calendar into the WordPress admin dashboard. The calendar allows editors to see upcoming articles at a glance, including their current status. Statuses are customizable, so each publisher can choose to implement statuses relevant to their particular workflow.

One of the most useful features of Edit Flow is editorial comments. Many publishers use Google Docs and similar collaboration tools while articles are actively edited, but it’s more convenient to bring the whole process into WordPress. Editorial comments facilitate communication between editors and writers and help streamline the process of shaping articles for publication.

In addition to a calendar view, Edit Flow also implements a Story Budget view: a list of upcoming stories that can be grouped and filtered according to author, date, category, and other criteria. If you make use of Edit Flow’s custom editorial metadata feature, that information can be integrated into the Story Budget.

Finally, Edit Flow includes a useful notification feature integrated with the plugin’s user groups. Custom notifications can be sent to users and groups both manually and when articles change status.

Edit Flow isn’t the slickest editorial workflow manager I’ve seen, but it’s a solid tool that allows publishers to bring the whole content creation and editorial process into WordPress.

Hopefully, Edit Flow will be more conscientiously updated in the future, and if that proves to be the case, it’s well worth trying if you’re struggling to manage your site’s publishing workflows.

Posted in:
Content, WordPress


Credit Card Scrapers Continue To Be A Risk On Insecure Magento Sites

Discovering that an eCommerce store has sent their credit card data to a malicious third party is the worst nightmare of many shoppers. They adopt an eminently sensible “once bitten, twice shy” attitude towards retailers who allow sensitive financial data to fall into the hands of criminals. Leaking credit card data is a great way to lose customers.

In a recent blog article, security company Sucuri discussed a typical credit card scraper attack against a Magento store. Malicious code was injected into the popular SF9 Realex Magento extension. The code was simple: it routed credit card data submitted by customers to the attacker’s email address.

The scraper’s presence was not the fault of the extension. It’s likely the attacker exploited an existing security vulnerability to gain access to the Magento installation.

The best way to avoid having your store infected with credit card scraper malware is to make it difficult for attackers to compromise it in the first place.

First, and most important, keep your Magento store up-to-date. Many eCommerce merchants take the view that if their site is working as intended, updating is more trouble than it’s worth. But updates aren’t just for new features. Updates contain patches that fix vulnerabilities. Once a patch has been released, it’s a good bet criminals know about the vulnerability.

I advise store owners to follow announcements on the Magento Security Center, which publishes details of security vulnerabilities and mitigation guidance.

Magento store owners should also be careful which extensions they install and where they come from. Malware is often found in extensions sourced from unverified locations. Using “pirate” versions of premium Magento extensions is a serious risk because they often include malware. Magento Connect implements strict checks to ensure that malicious software isn’t published.

Finally, store owners should ensure they follow password best practices. The web is teeming with brute force bots that love nothing more than an easily guessed password. Robust password policies that enforce long, random passwords for administrator accounts are essential.

To help you keep criminals out of your Magento installation, Hostdedi developed two open source Magento extensions: Sentry and Alarmbell.

Alarmbell is a security extension that sends notifications whenever a new admin user is created. The creation of a new admin user without the knowledge of existing administrators is a key indicator that a Magento store has been compromised. Alarmbell will also log every change to admin accounts and failed admin login attempts.
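The indicator Alarmbell watches for (a new admin account appearing, or an existing one being altered), as an added Python example that is not Alarmbell’s code or any part of the original article. It diffs two snapshots of a store’s admin user list, which is how a monitor without hooks into Magento would detect the same thing; the field names and both snapshots are constructed and do not claim to match Magento’s admin_user table.

```python
from typing import Dict, List, Tuple

Account = Dict[str, object]
Alert = Tuple[str, str, str]   # (kind, username, detail)

# Attributes of an existing admin account whose change should page someone
WATCHED_FIELDS = ("email", "password_hash", "is_active", "role")

def diff_admin_snapshots(baseline: List[Account], current: List[Account]) -> List[Alert]:
    """Compare two snapshots of the admin user list and report creations, removals and watched-field changes."""
    before = {a["username"]: a for a in baseline}
    after = {a["username"]: a for a in current}
    found: List[Alert] = []
    for name in sorted(after.keys() - before.keys()):
        found.append(("new_admin", name, f"created with role {after[name].get('role')}"))
    for name in sorted(before.keys() - after.keys()):
        found.append(("admin_removed", name, "account no longer present"))
    for name in sorted(before.keys() & after.keys()):
        for field in WATCHED_FIELDS:
            if before[name].get(field) != after[name].get(field):
                found.append(("admin_changed", name, f"{field} changed"))
    return found

def severity(alert: Alert) -> str:
    """A new admin, or a dormant account coming back to life with new credentials, is the compromise signal."""
    kind, _, detail = alert
    if kind == "new_admin" or detail.startswith(("password_hash", "is_active", "role")):
        return "critical"
    return "warning"

def notification(alerts: List[Alert]) -> str:
    """One message per alert, critical ones first, in the shape an email notifier would send."""
    ordered = sorted(alerts, key=lambda a: (severity(a) != "critical", a))
    return "\n".join(f"[{severity(a).upper()}] {a[0]}: {a[1]} ({a[2]})" for a in ordered)

# Constructed snapshots (not real accounts): the bookkeeper's dormant account has been
# reactivated with a new password and promoted, and an unknown administrator has appeared.
BASELINE: List[Account] = [
    {"username": "owner", "email": "owner@shop.example", "password_hash": "h1", "is_active": 1, "role": "Administrators"},
    {"username": "bookkeeper", "email": "books@shop.example", "password_hash": "h2", "is_active": 0, "role": "Accounting"},
]
CURRENT: List[Account] = [
    {"username": "owner", "email": "owner@shop.example", "password_hash": "h1", "is_active": 1, "role": "Administrators"},
    {"username": "bookkeeper", "email": "books@shop.example", "password_hash": "h9", "is_active": 1, "role": "Administrators"},
    {"username": "support2", "email": "x@mail.invalid", "password_hash": "h3", "is_active": 1, "role": "Administrators"},
]

if __name__ == "__main__":
    print(notification(diff_admin_snapshots(BASELINE, CURRENT)))
```

Run the comparison on a schedule against the previous snapshot, and alert on an empty result being impossible to compute (a missing or unreadable snapshot) as well, since an attacker with database access can edit the baseline too.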

Sentry is a two-factor authentication plugin for Magento. As I just mentioned, brute force attacks are a frequent cause of Magento stores being compromised. Sentry allows eCommerce merchants to integrate their store with Google Authenticator or Duo, making it practically impossible for brute force attacks to compromise a store.

These basic security precautions are not onerous or time-consuming, and if you consider the potential impact of a credit card scraper or other malware on your Magento store, they’re well worth the minimal time investment.

Posted in:
Magento, Security
