
Be a Shark in Today’s Phishing Pond

Would you do business with somebody you don’t trust? Neither would your customers. Phishing attacks are at an all-time high, with 1.4 million new phishing sites being created each month, so they have good reason to be suspicious of any website—including yours.

When it comes to gaining your visitors’ confidence, the rules have changed. On today’s fraud-filled web—it’s no longer who you think you are, it’s who a globally trusted third-party Certificate Authority (CA) says you are.

You Can’t Earn a Premium Reputation with Standard SSL

According to a PhishLabs report, within a 30-day window, 99.5% of HTTPS phishing sites had Standard Domain Validated, or DV, certificates, which offer only the basic level of encryption.

Thanks to browsers labeling websites with Standard and even Premium SSL certificates as “Secure”, online customers are drawing dangerous assumptions that even phishing sites are legitimate businesses—like you. So, why would you want to display to online visitors that you have the same level of security as phishing sites?

Beyond the Basics

One of our earlier blog posts summarized the important industry changes that have made basic encryption a must for all web pages. All SSL Certificates offer encryption, so even blogs and personal sites can meet this new global requirement. They also all provide basic trust features, including displaying HTTPS and the padlock icon in the browser bar. But where they really differ is in the level of validation and the visual trust indicators they offer.

This is huge. Why? Because, with online customers being mistakenly led to believe that secure and safe are the same thing (which they aren’t), you need to clearly set yourself apart from hackers. That means going the extra mile to prove, based on what a respected third party has determined, that you’re a legitimate business. The best way to do that is with an Extended Validation, or EV, SSL Certificate.

EV Isn’t an Expense—It’s an Investment

Trust can make or break you online, even if your site isn’t built for e-commerce. Here are five reasons to invest in EV SSL:

  • Boost Confidence—EV enables the Green Address Bar, which is impossible to fake, making it the ultimate trust-builder. You’ll be giving your customers absolute assurance that you are who you say you are.
  • Operate with Complete Authenticity—CAs only issue EV SSL Certificates after they’ve validated your legal, physical and operational existence. Their comprehensive process even includes manual steps to ensure legitimacy.
  • Gain a Competitive Edge—With shopping cart abandonment rates soaring as high as 75%, you need to give visitors every reason to click your “Buy Now” versus your competitors’. According to an article by monetizepros.com, 61% of shoppers said they decided not to purchase a product because it was missing a trust seal. Don’t be that guy.
  • Increase Conversion—EV SSL Certificates are statistically proven to increase sales. In a Tec-ED survey, 100% of participants noticed the Green Address Bar, with 97% being comfortable enough to enter their credit card information. In fact, 77% said they’d be hesitant to shop on a website without an EV SSL Certificate.
  • Promote Your Commitment to Their Safety—By putting EV’s visible trust indicators front and center, you’re showing visitors that protecting them is your top priority.

No matter what type of site you have, it’s time to stop appearing to online visitors like you’re on par with hackers. Trust us, if you hook them with truly authentic credentials, they’ll bite.

Posted in:
Security


How To Harden WordPress Sites Against Brute Force Attacks

When logging in to a WordPress site, users supply a username and password that WordPress associates with their account. If an attacker can guess the right username and password, they can authenticate in the same way. The process of guessing is called a brute force attack: the attacker tries different combinations of usernames and passwords until they discover one that works.

Brute force attacks are effective when WordPress users choose usernames and passwords that are easy to guess. Criminals use automated botnets — which are usually made up of compromised WordPress sites — to make thousands of login attempts with different credentials.

Towards the end of December, WordFence wrote about the largest brute force campaign they had ever seen. An attacker was attempting to brute force access to thousands of WordPress sites. Once they had access to a site, the attacker installed malware with two tasks: to compromise more WordPress sites and to run cryptomining software.

Cryptomining software hijacks the resources of a server to mine cryptocurrency. Cryptocurrencies like Bitcoin and Litecoin are generated by carrying out computationally intensive math. Cryptomalware uses the resources of compromised machines to do the work of generating coins. In this case, Monero, a cryptocurrency that can be mined with CPUs rather than GPUs, is being generated. According to WordFence, the campaign has created well over $100,000 for the attacker.

Victims of the campaign have their sites compromised and their server resources used to generate coins rather than serving the site. Because the malware also carries out attacks on other sites, there’s a strong chance of infected sites being blacklisted by security companies and browser developers.

Protecting WordPress sites against brute force attacks is straightforward. It’s only possible to guess usernames and passwords if they are simple and if the WordPress site lets an attacker make lots of login attempts.

Use Complex Passwords

The obvious solution is to insist on complex passwords that are difficult to guess. A long, random password takes much longer to guess than a short dictionary word. A random password of 16 or more characters might take millions of years to guess. A short dictionary password like “password” can be guessed in less than a second.
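As an added illustration of the point above (this is example code, not part of the original post or of any WordPress plugin), the following policy check rejects short passwords and dictionary words and estimates how long an exhaustive search would take. The common-password list is a small constructed sample rather than a real wordlist, and the guessing rate of ten billion attempts per second is an assumed offline-cracking figure, not a number from the post.

```python
import re

# Constructed sample of frequently guessed passwords (hypothetical; a real
# deployment would load a published breach wordlist instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "letmein", "welcome", "wordpress"}

MIN_LENGTH = 16                 # the post recommends 16 or more random characters
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed offline-cracking rate, not from the post
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 32  # printable ASCII punctuation
    return size


def guesses_needed(password: str) -> int:
    """Worst-case guesses: a dictionary hit costs one pass over the list,
    anything else costs an exhaustive search of its charset at its length."""
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    return charset_size(password) ** len(password)


def guess_time_years(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to exhaust the search space at the assumed guessing rate."""
    return guesses_needed(password) / rate / SECONDS_PER_YEAR


def check_password(password: str) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    else:
        # Catch variants such as "Password1!" that are a dictionary word plus decoration.
        stripped = re.sub(r"[^a-z]", "", lowered)
        if stripped in COMMON_PASSWORDS:
            problems.append("dictionary word with trivial substitutions")
    if charset_size(password) < 36:
        problems.append("uses too few character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3x9Lm!Qz"):
        print(candidate, check_password(candidate) or "ok",
              f"{guess_time_years(candidate):.3g} years to exhaust")
```

The estimate is deliberately worst-case: it shows why a dictionary word falls in a fraction of a second regardless of decoration, while a long random string of mixed classes is out of reach even at an optimistic cracking rate.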

Use Two-Factor Authentication

I advise WordPress site owners not to rely on users to create secure passwords: people tend to choose convenience over security. Installing a two-factor authentication plugin on your WordPress site removes the risk of brute force attacks without relying on users to do the right thing.

There are many TFA plugins available for WordPress. Two Factor Authentication is among the most popular.

Limit Login Attempts

To find the right username and password combinations, attackers have to make a lot of guesses. By limiting the number of login attempts that can be made from an IP address, site owners reduce the likelihood that the attacker will ever guess the right combination.

WP Limit Login Attempts can temporarily block IPs if they make too many login attempts and display CAPTCHA tests to suspected bots.
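To make the limiting logic concrete, here is an added example (not code from the post or from the WP Limit Login Attempts plugin) that runs a sliding-window, per-IP lockout over web server access logs. It assumes the Apache/nginx combined log format, and that WordPress answers a failed wp-login.php POST by re-rendering the form with HTTP 200 while a successful login redirects with 302. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical addresses and timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [28/Dec/2017:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Dec/2017:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Dec/2017:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [28/Dec/2017:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

MAX_FAILURES = 5                 # constructed threshold: failures allowed per IP per window
WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=30)  # how long a tripped IP stays blocked


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def is_failed_login(method, path, status):
    """A bad password makes wp-login.php re-render the form (200); success redirects (302)."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, ts):
        until = self.locked_until.get(ip)
        return until is not None and ts < until

    def record(self, ip, ts):
        """Register a failed attempt at ts; return True only if it trips a new lockout."""
        if self.is_locked(ip, ts):
            return False  # already blocked; the attempt is rejected upstream and not counted
        self.locked_until.pop(ip, None)  # clear an expired lockout
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
            return True
        return False


def scan_log(lines):
    """Replay access-log lines through the limiter; return ip -> time its lockout tripped."""
    limiter = LoginLimiter()
    tripped = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status) and limiter.record(ip, ts):
            tripped.setdefault(ip, ts)
    return tripped


if __name__ == "__main__":
    for ip, when in scan_log(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} locked out at {when.isoformat()}")
```

Replaying the sample trips the lockout for 203.0.113.7 on its fifth failure, while the user at 198.51.100.20, who mistyped twice and then succeeded, is never blocked. The same `record` logic is what a plugin hooks into the login path; reading it from logs is useful for checking whether an existing limiter is actually firing.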

In 2018, we expect to see more attackers taking advantage of cryptomining malware as cryptocurrencies rise in value. By following the steps we outline here, WordPress site owners can prevent their sites from being used to make money for criminals.

Posted in:
WooCommerce, WordPress
