Security on YOUR website.


In my opinion, if you are not using automatic email verification before someone can post or add a comment as a user to your website, you are begging for spam and for your website to be a launch platform for malware attacks on visitors to your website.

Wealthy Affiliate does do a good job of managing some things, but the Internet, like any environment, contains intelligent entities who are sometimes hostile. Just as when we walk down the street, paying some attention to who else is on the street is a good idea.

There is no such thing as a safe neighborhood because strangers can drive by at any time. Depending on what WP plugins you are using, you may, or may not, detect your website has been identified as a possible target for an attack or a hostile intrusion.

The attacks can take several forms, and they are often accompanied by probes to collect intelligence about your site. In my observation, the probes may be slow and go on for days or longer, or they can come as a sudden flurry of activity they hope you don't detect. If you do not have any kind of security plugin in place, you probably won't detect anything.

Probe attacks are done by attempting to connect to a specific web page of your theme or plugin where a vulnerability is known to exist. Different WP themes and plugins contain different vulnerabilities in how they are constructed; some have vulnerable pages. Because there is money to be made by taking over your website, intrusive hackers can be organized, knowledgeable, and persistent.

In my observation, at least one group (yes, they are often groups, not individuals, with probes launched from widely different ISPs) begins with probes that a stock WP install with no security plugin will never detect.

Below are some security alerts that my own security system at one of my sites has captured for me. The target pages do not exist on my website, possibly because I do not use the WP theme someone thought I do, or possibly because I did some editing or changed some page names. Whatever the reason, these probes did not come from registered users, but if they had found the page they were looking for, I have no doubt an immediate attempt to inject or upload malware could have occurred. I have deleted the IPNs of the attackers, but you can see the specific pages they were seeking.

".., and tried to access non-existent page http://plimking.com/wp-content/plugins/simple-ads-..../&action=upload_ad_image"

".., and tried to access non-existent page http://plimking.com/wp-content/plugins/wp-symposiu..."

".., and tried to access non-existent page http://plimking.com/wp-content/plugins/wp-symposiu..."

The above is fairly analogous to the burglar who visits your house while you are at work and tries your doors and windows in the hope of finding something unlocked.

These attempts were several hours apart, but they are clearly indicative of very specific probing to map out the website and determine which plugins are in place. My system logged about 30 other unsuccessful attempts to find certain pages, spaced out over several days and all coming from within the same IP range of the same ISP.
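The pattern those alerts show, a handful of 404s for plugin paths, hours apart, from addresses inside one provider's range, is something you can check for yourself in the raw web-server access log rather than waiting for a plugin to flag it. The Python script below is an added example written for this post, not code from the author or from any WordPress plugin. The log lines, addresses and plugin slugs in it are constructed (RFC 5737 documentation-range addresses, hypothetical plugin names), and the grouping by /24 and the two-distinct-plugins threshold are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (common log format), modelled on the
# "tried to access non-existent page" alerts quoted in the post. Addresses are
# from the RFC 5737 documentation ranges and the plugin slugs are hypothetical.
SAMPLE_LOG = """\
203.0.113.17 - - [11/Jul/2016:03:44:47 +0000] "GET /wp-content/plugins/hypothetical-ads-plugin/upload.php?action=upload_ad_image HTTP/1.1" 404 512
203.0.113.42 - - [11/Jul/2016:09:12:03 +0000] "GET /wp-content/plugins/hypothetical-forum-plugin/server/index.php HTTP/1.1" 404 512
203.0.113.88 - - [11/Jul/2016:15:30:21 +0000] "GET /wp-content/plugins/hypothetical-forum-plugin/readme.txt HTTP/1.1" 404 512
203.0.113.42 - - [12/Jul/2016:01:05:09 +0000] "GET /wp-content/plugins/hypothetical-slider-plugin/readme.txt HTTP/1.1" 404 512
198.51.100.7 - - [12/Jul/2016:08:00:00 +0000] "GET /about/ HTTP/1.1" 200 8192
198.51.100.7 - - [12/Jul/2016:08:00:02 +0000] "GET /wp-content/plugins/hypothetical-seo-plugin/readme.txt HTTP/1.1" 404 512
"""

# One common-log-format line: client IP, timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# Any request under the plugin directory; the first path component is the slug.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?]+)')


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": ip_address(m["ip"]),
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def plugin_probes(log_text: str):
    """Yield (ip, timestamp, slug) for every 404 aimed at a plugin directory.
    A 404 here means the visitor asked for a plugin you do not have: exactly the
    'non-existent page' pattern in the post's alerts."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        pm = PLUGIN_RE.match(rec["path"])
        if pm:
            yield rec["ip"], rec["ts"], pm["slug"]


def group_by_range(probes, v4_prefix=24, v6_prefix=48):
    """Aggregate probes by network range rather than by single address, so slow
    probing spread across several hosts in one ISP block shows up as one campaign."""
    groups = defaultdict(lambda: {"ips": set(), "slugs": set(), "first": None, "last": None})
    for ip, ts, slug in probes:
        prefix = v4_prefix if ip.version == 4 else v6_prefix
        net = ip_network(f"{ip}/{prefix}", strict=False)
        g = groups[net]
        g["ips"].add(ip)
        g["slugs"].add(slug)
        g["first"] = ts if g["first"] is None or ts < g["first"] else g["first"]
        g["last"] = ts if g["last"] is None or ts > g["last"] else g["last"]
    return groups


def suspicious_ranges(log_text: str, min_slugs: int = 2):
    """Return {network: summary} for ranges that probed at least `min_slugs`
    different plugin slugs. One stray 404 is noise; several different plugins
    probed from one range is plugin enumeration."""
    report = {}
    for net, g in group_by_range(plugin_probes(log_text)).items():
        if len(g["slugs"]) < min_slugs:
            continue
        span_hours = (g["last"] - g["first"]).total_seconds() / 3600
        report[str(net)] = {
            "source_ips": len(g["ips"]),
            "plugins_probed": sorted(g["slugs"]),
            "span_hours": round(span_hours, 1),
        }
    return report


if __name__ == "__main__":
    for net, summary in suspicious_ranges(SAMPLE_LOG).items():
        print(net, summary)
```

Against a real log, read the file and pass its contents to `suspicious_ranges` in place of `SAMPLE_LOG`. The 404 filter is deliberate: it catches requests for plugins you do not have, which is the situation in the post. A probe for a plugin you do have returns 200 and looks like ordinary traffic, so the complementary check is to watch for requests to plugin `readme.txt` or admin-side PHP files from addresses that never load a normal page.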

[A probable red flag we should be alert for when using a 'whois' lookup: although the ISP is a US-registered ISP, the abuse phone number is a 555 number, and as all Americans more than 40 years old know, any number prefixed with 555 is a dummy telephone number; dialing a 555 number simply reroutes you to a phone directory service. The range of servers used for the probes above all have an abuse phone number prefixed with 555, which of course means don't waste your time trying to contact them. The simple fact that the attackers have an entire range of dedicated anonymous servers with no valid physical address or means of contacting someone inside that ISP speaks to the money and effort being thrown at launching such probes.]

If I had the plugins named above installed (under those names), then, once their existence had been confirmed by a successful connection to the target page, either a backdoor attack or an exploitation of a known vulnerability would possibly have followed.

Now, almost two months ago, I had a user register and leave an innocuous piece of feedback from within the range of IPNs serviced by the same ISP these probes were launched from. At that time, although my system requested an email address, it did not require validation of that email. However, something about the comment bothered me; it was too short, perhaps, to seem worth the bother of registering as a user. So, on my own, I sent a thank-you-for-registering email to that new user. Needless to say, my email bounced back, as there was no such email address. I made note of the incident but took no action.

Yesterday I got an alert of a new posting on my website by that user (who had remained dormant since the day of first registration). He/she had somehow posted an advertisement on my website. This of course violated the posted rules of the website, so it was deleted, the originating account was also deleted, and the user's IPN was permanently blocked.

Then I learned more. It is now obvious the user placed the ad for someone else's benefit (probably for a fee).

Why do I say this? Because folks attempted to log on from totally different countries and ISPs to view the ad (which of course no longer existed).

".., tried to access non-existent page http://plimking.com/power-cleaning-business-in-las... 7/11/2016 3:44:47 AM (13 hours 1 min ago)"

At least 3 such attempts came from around the planet today. The bogus ad (which contained at least one link that Google and Mozilla consider a hostile site) did not exist on the site long enough for Googlebot to find it. So from my perspective, obviously the placer of the ad reported that the deed was done, and the customer attempted to verify the ad existed before making payment. Since then the placer of the ad has made at least a dozen attempts to return. I have no doubt that within a day or two they will change their IPN. Security bulletins from SANS indicate there are many, many points of origin for attacks and probes.

A few months back I installed a plugin that requires verification of a user's email address before a password is assigned and registration is completed. I may not have had many registrations since then, but at least the users are real.
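The rule that plugin enforces is "no password and no account until the email address answers". As an added illustration (not the author's plugin, and Python rather than WordPress PHP), the class below implements that rule as a small state machine: a sign-up only creates a pending entry and a random token, and the account, with its password hash, exists only after the token comes back unexpired and unused. The in-memory store, the server secret, the 24-hour lifetime, the PBKDF2 work factor and the email addresses are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600      # assumption: a verification link is good for one day
PBKDF2_ROUNDS = 200_000            # assumption: work factor for the password hash


class PendingRegistrations:
    """Sign-ups that have not yet proved they control the email address they gave.

    Nothing is written to `accounts` until the token emailed to that address is
    presented back. A registration with a bouncing address (the post's dormant
    'user') therefore never becomes an account. In-memory store, for illustration."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                 # injectable clock so expiry can be tested
        self._pending = {}              # email -> (token_hmac, expires_at)
        self.accounts = {}              # email -> {"salt", "pw_hash", "verified"}

    @staticmethod
    def _normalise(email: str) -> str:
        return email.strip().lower()

    def _mac(self, token: str) -> str:
        # Store only an HMAC of the token: a copied database yields no usable links.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email: str) -> str:
        """Begin a registration. Returns the token that would go into the email.
        Re-requesting replaces any earlier token for the same address."""
        email = self._normalise(email)
        token = secrets.token_urlsafe(32)
        self._pending[email] = (self._mac(token), self._now() + TOKEN_TTL_SECONDS)
        return token

    def verify(self, email: str, token: str, password: str) -> bool:
        """Finish registration only if the token matches and has not expired.
        The password is accepted here, not at request time, so an unverified
        address never has credentials on the site."""
        email = self._normalise(email)
        entry = self._pending.get(email)
        if entry is None:
            return False                # nothing pending, or token already used
        token_mac, expires_at = entry
        if self._now() > expires_at:
            del self._pending[email]    # stale link: the visitor must start over
            return False
        if not hmac.compare_digest(token_mac, self._mac(token)):
            return False                # wrong token; leave the pending entry alone
        del self._pending[email]        # single use: a replayed link fails
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.accounts[email] = {"salt": salt, "pw_hash": pw_hash, "verified": True}
        return True

    def is_registered(self, email: str) -> bool:
        return self._normalise(email) in self.accounts


def demo():
    """Walk the flow with a fake clock; returns each outcome by name."""
    clock = [1_000_000.0]
    store = PendingRegistrations(b"constructed-server-secret", now=lambda: clock[0])

    token = store.request("Reader@Example.com")
    wrong_token = store.verify("reader@example.com", "not-the-token", "pw")
    accepted = store.verify("reader@example.com", token, "correct horse battery staple")
    replayed = store.verify("reader@example.com", token, "another password")

    # A sign-up whose address never answers: the link is never used and simply expires.
    stale = store.request("bounce@example.com")
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = store.verify("bounce@example.com", stale, "pw")

    return {
        "wrong_token": wrong_token,
        "accepted": accepted,
        "replayed": replayed,
        "expired": expired,
        "reader_registered": store.is_registered("reader@example.com"),
        "bounce_registered": store.is_registered("bounce@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Sending the email itself is out of scope: `request` returns the token, and whatever sends mail would embed it in the link. The class also deliberately does not remember bouncing addresses or block their source range; that decision, as in the post, stays with the site owner.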

You should have security software installed that can log what goes on and also alert you when something looks hinky. When it is time to update your theme, SEO plugin, or any other plugin, do so at once. Do not rely solely on other people or software to catch things for you. Keep one eyeball on your website: check all pages and all posts now and then, looking for unwanted additions or modifications. Do not use short or cutesy passwords based on your pet's name, your date of birth, or anything childish like that. Use complex alphanumeric strings unlikely to be guessed. Note: the passwords generated by WA's Site Rubix are very good ones; I suggest using them in conjunction with other security steps.



Recent Comments


Thanks for sharing that :)

That is very informative and I hope to have a security system in place. Thank you.

Check out FREE wordfence for a quick plug in. Read the docs of course.
