Tag Archives: security

Mindful WordPress Security Practices

Secure WordPress Practices

With WordPress, hardening your site is one of the easiest tasks to complete, yet it is one of the most overlooked. In this day and age, with data breaches and hacks running rampant, it’s never too late to implement security practices on your website. While absolutely no site is 110%-without-a-doubt-nobody-is-getting-in secure, there are many ways to reduce the risk. By not following any security practices, or just “letting things go”, you’re not only putting your site at risk, you’re putting your audience at risk as well: a compromised site serves malware and phishing pages to the very people who trust it.

Quick Changes to Make Right Now

WordPress user practices

Please do not ever use the username “admin” for your main administrative login. Older WordPress installers defaulted to it, and it is the first username every brute-force script tries, so using it hands an attacker half of the credential. Even if you sign in with your email address, a user whose login name is still “admin” remains a target: the WordPress login form accepts either the username or the email address, and the scripts only need one of them to be right.

It’s always a good idea to periodically audit your registered users, especially anyone with dashboard access: other Administrators, Editors, and Authors. That administrative user you created for a plugin support developer a few years ago that has never been used since? Delete it ASAP. Every account with dashboard access is another point of entry for the bad guys, and every Administrator account is a full site takeover waiting on one weak password, so give each remaining user the lowest role that lets them do their job.

Minimum password strength and password change schedule

Consider setting a schedule for yourself and your additional users to review their login passwords. That password you haven’t updated since your site’s inception in 2013? Take a few seconds to change it today! We have a wonderful article on password security practices for choosing new passwords. Put more thought into your passwords, and never use anything easy to guess like names and important dates. One caveat: changing a password on a calendar is worth far less than making it long, unique to this site, and never reused from an account that may already have been breached. Do rotate it immediately whenever someone who knew a shared password no longer needs it, or whenever you suspect it has leaked.

If you care about your site at all, keep it up to date!

When Black Chicken Host receives a client request to install a new WordPress site, we always enable automatic core WordPress updates, per our Terms of Service. If you migrated to us from another host, you will most likely need to enable automatic WordPress updates yourself; the WP_AUTO_UPDATE_CORE setting in wp-config.php controls this, and the page below walks through it.

https://codex.wordpress.org/Configuring_Automatic_Background_Updates

Any theme or plugin developer worth their salt tests theme and plugin updates for compatibility with multiple versions of WordPress. It is still an excellent practice to back up your site before major updates (you can ask us for help, we don’t mind!), but unless your own website developer or “IT person” went to town with poorly written customizations, hit that update button! An update you skip is very often the fix for a vulnerability that is already public and already being scanned for.

…and just delete unused themes and plugins

The more themes and plugins, the more points of entry. Deactivating is not enough: a deactivated plugin’s files are still on the server and still reachable by URL, so a hole in one of them can be exploited whether or not the plugin is switched on. Delete what you don’t use. Added bonus: it frees up disk space!

Hide author usernames

Using your WordPress username as your “published” name on posts and pages is just handing people half of your login on a silver platter. There’s a simple fix: under your user profile, set a nickname for your user and change the “Display name publicly as” option to that nickname. One caveat: this only hides the username where your theme prints the display name. WordPress still exposes the login name through the author archive slug (yoursite.com/author/username, which yoursite.com/?author=1 redirects to) and through the REST API’s users endpoint, so treat the username as weakly secret at best and rely on a strong password for the real protection.

“Advanced” Practices:

Change wp-login.php

One of the most common causes we see of elevated server load and slow sites is a swarm of IP addresses trying to brute force their way into your WordPress login page. Since every WordPress site has the same default login page, www.yoursite.com/wp-login.php, would-be hackers and troublemakers know exactly where to hammer. Moving your login to a different URL means the bots have to find it first. That is obscurity rather than a hard barrier, so pair it with strong passwords and a limit on failed logins, but it sheds a great deal of the noise and can help keep you safe!
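The load problem described above shows up in the access log long before anyone notices the site slowing down. The following is an added example, not part of the original post, of the detection logic a host would run: it parses combined-format log lines (the format cPanel’s Apache writes), counts POSTs to wp-login.php and, going one step beyond the post, to xmlrpc.php, which also accepts a username and password and is the other endpoint these scripts hammer, and reports addresses with many attempts and no successful redirect. The log lines are constructed for the demo; the threshold and the function names are assumptions made here.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format; only the leading fields matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints on a stock WordPress install that accept a username/password POST.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields we care about, or None if the line is not a request."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(lines):
    """Count login POSTs per client address.

    WordPress answers a failed wp-login.php POST with 200 (the form is simply
    re-rendered) and a successful one with a 302 redirect into wp-admin, so the
    ratio of posts to redirects separates a guessing script from a real editor.
    """
    stats = defaultdict(lambda: {"posts": 0, "redirects": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        entry = stats[rec["ip"]]
        entry["posts"] += 1
        if rec["status"] == "302":
            entry["redirects"] += 1
    return dict(stats)


def suspects(lines, threshold=10):
    """Addresses with at least `threshold` login POSTs and not one success."""
    return sorted(ip for ip, s in login_attempts(lines).items()
                  if s["posts"] >= threshold and s["redirects"] == 0)


# Constructed sample log (not real traffic): one scripted attacker, one real
# editor who mistyped once, and an ordinary reader.
def _line(ip, method, path, status):
    return (f'{ip} - - [10/May/2018:08:15:02 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 4120 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(25)]
    + [_line("203.0.113.7", "POST", "/xmlrpc.php", 200) for _ in range(5)]
    + [
        _line("198.51.100.4", "GET", "/wp-login.php", 200),
        _line("198.51.100.4", "POST", "/wp-login.php", 200),
        _line("198.51.100.4", "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302),
        _line("192.0.2.9", "GET", "/2018/05/hello-world/", 200),
    ]
)

if __name__ == "__main__":
    counts = login_attempts(SAMPLE_LOG)
    for ip in suspects(SAMPLE_LOG):
        print(f"{ip}: {counts[ip]['posts']} login POSTs, 0 successes -> block it")
```

On a live server the same functions take the real log (for example `open("/var/log/apache2/access_log")`), and the addresses they return are the ones to hand to the firewall; the editor who mistyped once stays below the threshold and has a redirect on record, so she is never listed.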

We do not recommend editing your core WordPress files via FTP or File Manager to change your wp-login.php file or theme files. This can go wrong so quickly for so many reasons. There is however a myriad of plugins that quickly and safely change the default login landing page for your WordPress dashboard, just give a quick search! We’ve seen a few of our clients use WPS Hide Login.

Please note that if you do change the login for your site and later require our assistance with your site that involves logging into your site, please give us a heads up on what your login URL is. That will save us all some time and back and forth!

Use .htaccess to limit wp-login.php altogether

Via your site’s .htaccess file, we can deny all requests to your WordPress login page except those from specified IP addresses. This is usually a last-resort method, as most folks do not have static IP addresses from their ISPs: once your IP address changes, you will be locked out of your WordPress login page until the new address is added to your .htaccess file. The same treatment should be given to xmlrpc.php, which also accepts a username and password and is a favorite of brute-force scripts. If you would like assistance setting up this directive in your .htaccess, please contact us.
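The failure mode in this section is the changing address: the allowlist goes stale and the site owner, not the attacker, is the one locked out. One way to live with that, shown here as an added example and not anything from the original post, is a small script you re-run whenever your address changes. It validates every entry first (a typo in this file locks you out), writes the Apache 2.4 directives for both login endpoints into a marked block, and replaces the previous block instead of piling a new one underneath. The addresses, the marker comments and the function names are illustrative; the Require ip syntax is Apache 2.4’s (an Apache 2.2 host would use Order/Deny/Allow instead), and it needs AllowOverride to permit these directives in .htaccess, which cPanel hosts normally do.

```python
import ipaddress

# Marker comments so a re-run replaces the old block instead of stacking up stale
# addresses below it (WordPress itself uses the same BEGIN/END convention).
BEGIN = "# BEGIN login-allowlist"
END = "# END login-allowlist"

# Apache 2.4 syntax. With only Require ip lines present, any address that does
# not match one of them gets a 403 on these two files and nothing else changes.
TEMPLATE = """\
<Files "wp-login.php">
{requires}
</Files>
<Files "xmlrpc.php">
{requires}
</Files>
"""


def normalize(address):
    """Accept one address or a CIDR block and return it in canonical form.

    Anything malformed raises ValueError on purpose: a typo in this file locks
    out the site owner, not the attacker, so fail loudly before writing it.
    """
    net = ipaddress.ip_network(address.strip(), strict=False)
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def is_valid(address):
    try:
        normalize(address)
        return True
    except ValueError:
        return False


def login_allowlist(addresses):
    """Return the .htaccess fragment restricting the login endpoints to `addresses`."""
    nets = [normalize(a) for a in addresses]
    if not nets:
        raise ValueError("refusing to write an empty allowlist: it would lock everyone out")
    requires = "\n".join(f"    Require ip {n}" for n in nets)
    return TEMPLATE.format(requires=requires)


def update_htaccess(existing, fragment):
    """Insert the marked block into an .htaccess body, replacing a previous one."""
    block = f"{BEGIN}\n{fragment}{END}\n"
    start = existing.find(BEGIN)
    if start == -1:
        sep = "" if existing == "" or existing.endswith("\n") else "\n"
        return existing + sep + block
    end = existing.find(END, start)
    if end == -1:
        raise ValueError("BEGIN marker without END marker; repair .htaccess by hand")
    end += len(END)
    if existing[end:end + 1] == "\n":
        end += 1
    return existing[:start] + block + existing[end:]


if __name__ == "__main__":
    import sys
    # Usage: python allowlist.py 203.0.113.5 198.51.100.0/24 > fragment.txt
    # The fallback addresses are documentation ranges used as constructed examples.
    addresses = sys.argv[1:] or ["203.0.113.5", "198.51.100.0/24"]
    print(update_htaccess("", login_allowlist(addresses)), end="")
```

To apply it to a real file, read the current .htaccess into a string, pass it through update_htaccess with the fresh fragment, and write the result back; keep the WordPress-managed block untouched and keep a copy of the previous file so a bad address can be reverted over FTP if the dashboard is unreachable.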

A Final Piece of Advice

Keep any computers and devices that access your WordPress site and email updated! Malware that steals the passwords saved in a browser or FTP client hands over your site login just as readily as your email login. Make sure your computer has anti-virus installed and regularly updated, don’t slack on that! It’s an absolute nightmare trying to clean up an infected computer (we speak from experience).

When you don’t take your own computer and site security seriously, you aren’t taking your reader’s or customer’s security seriously. Data breaches aren’t just the huge ones you hear on the news, they can happen to any site no matter how small.

As always, please do not hesitate to contact us if you have any questions or concerns or just want to chat!

BCH Managed WP Services FAQ

If you were part of our beta testing this past summer, you already know the wonders that is our BCH Managed WP Service. Let us help you manage those mundane WordPress tasks for you! From offsite backup management to extra security scans, let us worry about the nitty gritty so you can focus on content creation and interacting with visitors.

Here are some common questions regarding our BCH Managed WP Services but if you don’t see a specific answer here, let us know!

If we don’t use this plugin, will we not have backups of our site(s)?

We do take backups for disaster recovery, however, they should not be relied upon as a viable backup solution as they may not include everything from your site. Depending on how far back or what day you need to restore from, we may not have that specific day or timeframe available.

Per our terms of service, backups are the customer’s responsibility:

Courtesy Services for Customers
All services such as backup and cPanel are provided for the courtesy of the subscriber. It is the sole responsibility of the subscriber to maintain the subscriber’s own backup of any data. Black Chicken Host is not responsible for lost data or for lost data due to third-party software that is not maintained by Black Chicken Host staff (cPanel, Softaculous, WordPress, et cetera, are not associated with Black Chicken Host.).

With WordPress, there are many backup plugins that you can use to back up your site either locally on the server in your account or they can even be sent to a remote location like Dropbox, Google Drive, or other locations. If you are interested in using a different backup plugin/solution, you are definitely more than welcome to choose that option. While we wouldn’t be managing that plugin/solution, we can definitely assist with any questions you may have regarding it and get you pointed in the right direction.

What is the fee for these services?

The pricing of these services can be found on the BCH Managed Services product page.

Don’t forget to check the “Bundled Savings” category for occasional savings!

How many backups are retained?

Backups are stored for 90 days, so the answer to this depends on what backup schedule you choose. For example, if you choose daily backups, you will have 90 backups available. If you choose 4x daily backups, 360 restore points from the past 90 days will be available for restoration.

What if I need a backup restored?

Open a ticket and let us know! We’ll get the backup restoration started and let you know when it’s complete.

What does the security scan do?

The security scan checks for various malware and exploits, as well as to see if your domain is on any blacklists. If there is anything found, you can receive a notification.

What is updated with the updates service?

In short: everything. You can choose to update all or only some plugins or themes. The WordPress software itself is a yes or no. There is also a great feature that will roll back an update if an issue is detected.

How is this all performed?

We utilize a very small plugin that we can actually hide from your list of plugins in the administration area of your site. Out of sight, out of mind! Let us manage the software so you can create more content!

As always, let us know if you have any questions about our BCH Managed WP Service by emailing us at support@blackchickenhost.com.

GDPR: a breakdown and what we’re doing about it

What is GDPR?

The GDPR (General Data Protection Regulation) compliance deadline of 5/25/2018 is swiftly approaching. If you’re not familiar with GDPR, it’s a new set of privacy rules the EU is enforcing on anyone who collects, stores, or processes personal information about an EU resident, wherever in the world the site is hosted. Personal information includes name, email, city, favorite color, hair color, shoe size, type of car they drive, or even their height. Yes, all of this is considered personal information. Additional information about GDPR can be found at these resources:

https://www.eugdpr.org/ (the main site to find information regarding this regulation)

https://ico.org.uk/

https://www.cfte.education/gdpr/

How Does GDPR Affect Me?

If you collect any information about your visitors/users and think they might be EU or UK residents, please continue to follow along.

We will be starting to perform periodic checks of all sites for EU country references (and potentially other information) to identify if you have EU resident data saved in your database/site. If you do have EU resident data, it ultimately comes down to you as a site owner contacting them if you have any information at all. This includes email address, phone number, postal address, anything that could be used to contact them. Let them know specifically what information of theirs that you have and ask the EU resident what they would like you to do with their information. Or, you can simply choose to delete all associated data of EU and UK visitors. We actually recommend this if you have no further use of such data.

Through our research, bloggers and site owners should also plan to do the following:

  • Displaying a privacy notice anytime they collect personal information classified under GDPR,
  • Have a data processing and security policy, and
  • Have robust security anywhere data is processed.

The following should also be reviewed on your site(s) to make sure they comply with GDPR requirements:

  • Remove auto opt ins. Opt ins on newsletters need to have a “tickable” option, not something that is pre-ticked, or “assumed” to be accepted by the end user.
  • Do not use opt in freebies to get email addresses for one purpose then use them for another. If you gained email addresses this way you should go out to gain consent or you may be in breach of GDPR. You may use opt in freebies if you explicitly state what other purposes their contact information may be used for.
  • Discontinue sharing data with anyone else who wasn’t named at the point where data was provided, for example, a brand who asks for the email addresses of giveaway entrants.
  • Stop collecting data where not necessary, for example, contact forms and comments.
  • Do not share named brand PR contacts without explicit permission from end users.

Overall, it seems a privacy page and making sure mailing lists are compliant are the big tasks. There are a plethora of resources for bloggers and site owners regarding GDPR and getting your site ready. Just take to Google!

As most of you are using WordPress, we found that they are adding some tools to WordPress itself to help make things easier for website owners. They have already started adding some of these, but the rest should be out by the end of April or beginning of May. Information on this can be found at:

https://wordpress.org/news/2018/04/gdpr-compliance-tools-in-wordpress/

We will keep you apprised of any additional information/requirements we come across as the deadline approaches and as requirements develop. Again, this would only impact you and your site if you are storing personal information of EU residents.

We have been asked by several of our clients if we can just straight up block EU/UK resident IP addresses from accessing their site(s). Yes, there are a few ways we might go about that, however you would still either have to delete or notify EU/UK resident personal information from your site/databases. Just something to keep in mind! If you are interested in blocking the EU/UK from visiting your site(s), please open a support ticket so that we might discuss your options.

If you do not collect user data on your site, GDPR shouldn’t apply to you. Keep in mind that “user data” is broader than a signup form: the names, email addresses and IP addresses that comments, contact forms and server logs record count as personal data too. If you do require GDPR compliance, or just aren’t sure, please feel free to open a ticket with us (preferred method of communication) or send us a message through our Facebook page https://www.facebook.com/blackchickenhost/ .

What Black Chicken Host Has Done

We’ve always been about your rights to privacy here at Black Chicken Host, and already had processes in place in our system to allow you to alter or remove any personal data from your account. To make sure we explicitly comply with these new GDPR requirements, we have made changes to our Terms of Service and Privacy Policies, which can be found on our website:

https://blackchickenhost.com/our-products/terms-of-service/

https://blackchickenhost.com/privacy-policy/

We did review our own system for EU residents and sent messages to get in contact about their rights under GDPR as our clients. If you are an EU resident with an incorrect Country selection or we otherwise somehow missed contacting you outside of this message, please contact us as soon as possible!

If any of this sounds alarming or daunting, please do not worry. We are always here to help to the best of our ability!

Upcoming SSL Changes to Google Chrome

New labeling for http sites

Starting in July 2018 (Chrome 68), Google Chrome will mark all http sites as “Not secure”, something you may have already seen on some sites. When you request a site with http rather than https, nothing between your browser and the server is encrypted or authenticated, so anyone on the path (a coffee-shop Wi-Fi, an ISP, a compromised router) can read what you send and alter what you receive. Google is trying to move the web to https by default, and marking http sites as “Not secure” is part of that process. More information about the upcoming changes can be found in this Venture Beat post.

What does this mean for you?

In short, if your site doesn’t have an SSL certificate, it will be marked as “Not secure”. Currently this only happens on http pages that contain password fields or take credit card information, but it will soon apply to every http page on your site. This doesn’t have to happen, though! We can help secure your site. We offer a variety of SSL certificates, but the CP SSL product is the best value: it covers all domains and subdomains on your cPanel account.

If you’re using our WordPress Only product, you get free certificates included! If you don’t have one yet or aren’t sure if it’s enabled, just let us know and we’ll check!

Post SSL Installation

Once we install the SSL certificate, the site needs to be converted over to https, meaning every reference to http must be changed to https: images, scripts, internal links, and the WordPress Address and Site Address settings. For WordPress sites (99.99% of what our customers use), we use the WordPress command line tool (WP-CLI’s search-replace command, which understands WordPress’s serialized data and can be run with --dry-run first to preview the changes) to make these changes. We’ve had great success with this method. Once the content is clean, a redirect from http to https should be in place so visitors and search engines land on the secure version, and any remaining mixed-content warnings in the browser console point at references that were missed.
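Why the command line tool rather than a plain search and replace in the database: WordPress stores many options (widgets, theme settings, a lot of plugin data) as PHP serialized arrays, and each string inside carries its own byte length, so swapping http:// for https:// with a database REPLACE() leaves every length wrong and PHP then silently drops the whole option. wp search-replace rewrites the lengths as it goes. The following is an added example, not part of the original post and not WP-CLI’s code, that shows the breakage and a byte-level fix on a constructed option value. It does not descend into strings that themselves contain serialized data (WP-CLI does), so on a live site use the real tool, with --dry-run first.

```python
import re

# Start of a PHP serialized string: s:<byte length>:"...";
SER_STR = re.compile(rb's:(\d+):"')


def naive_replace(blob, old, new):
    """What a database-level REPLACE() does: the s:N: byte counts go stale."""
    return blob.replace(old, new)


def safe_replace(blob, old, new):
    """Replace inside each serialized string and rewrite that string's length.

    Walks the data byte by byte, jumps over each string body using the length
    in its header (so a URL inside a value can never be mistaken for structure),
    performs the replacement on the body alone and re-emits the correct length.
    Raises ValueError if a header's length does not line up with the closing ";
    because that means the input is already corrupt.
    """
    out = bytearray()
    i = 0
    while i < len(blob):
        m = SER_STR.match(blob, i)
        if m is None:
            out.append(blob[i])
            i += 1
            continue
        n = int(m.group(1))
        start = m.end()
        body = blob[start:start + n]
        if blob[start + n:start + n + 2] != b'";':
            raise ValueError(f"string length at offset {i} does not match its body")
        body = body.replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)
        i = start + n + 2
    return bytes(out)


def lengths_consistent(blob):
    """True when every s:N:"..." header agrees with the bytes that follow it."""
    try:
        safe_replace(blob, b"\x00", b"\x00")  # identity walk; only the checks run
        return True
    except ValueError:
        return False


# Constructed wp_options-style value (the shape a theme uses for its settings).
SAMPLE = (b'a:2:{s:4:"home";s:23:"http://www.example.com/";'
          b's:4:"logo";s:31:"http://www.example.com/logo.png";}')

if __name__ == "__main__":
    old, new = b"http://www.example.com", b"https://www.example.com"
    broken = naive_replace(SAMPLE, old, new)
    fixed = safe_replace(SAMPLE, old, new)
    print("naive:", broken.decode(), "-> consistent:", lengths_consistent(broken))
    print("safe: ", fixed.decode(), "-> consistent:", lengths_consistent(fixed))
```

The naive result still looks like a URL swap to the eye; it is the two stale numbers, 23 and 31, that make PHP reject the value on the next page load, which is how a “simple” SQL replace ends in a site with empty widgets and a reset theme.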


Please let us know if you have any questions or would like assistance getting your site set up with an SSL certificate!

Change in Our Terms of Service

The nature of technology is growth and change – what’s super-hot and super-fast one minute is obsolete and out-of-date the next. It’s a perpetual learning curve for people who want to stay on the latest and greatest hardware or software platforms, and a constant source of frustration for people who just want to write a blog without worrying about the tech.

As a web host, it is our duty to provide secure, stable, and user-friendly environments and features for our customers, so you can do what you do best – get your content out there!

Toward that end, we are adding the following verbiage to our Terms of Service, effective immediately:

“In order to maintain a secure and stable hosting environment, Black Chicken Host reserves the right to update without notification any code on our servers to its most current supported version, including, but not limited to:

  • Content Management Systems (WordPress, Drupal, Joomla, et cetera)
  • Plugins
  • Themes
  • Scripts
  • All packages offered by the Softaculous installer”

We realize keeping your software up-to-date can be a time-consuming task, but it is so very important to the security of your account. Thus, we decided to take it upon ourselves to do it for our customers.

We have seen some nasty malware put in place through out-of-date plugins (RevSlider, Gravity Forms, et cetera), with effects ranging from having the server’s IP address blacklisted at Google and AT&T to destruction of account data.

Going forward, we will be finding all outdated software on our servers and updating everything to the most current version. In almost every case, this should be completely transparent to you and your readers. In very rare cases, updating a theme may cause your site’s appearance to change. In other rare cases, updating a plugin may cause it to not function correctly in conjunction with the other plugins on your site.

While we don’t ever want to interfere with your site’s functionality, it behooves us all to keep everything on its current, most secure version, and it is incumbent upon BCH to keep you all as safe as possible.

We’ll have another blog post soon about what kinds of security exploits can happen as a result of outdated plugins – it’s scary stuff! – but that’s all for now.

Please do let us know if you have questions or concerns!

CloudFlare: What It is, What It is Not.

Black Chicken Host has partnered with CloudFlare CDN to bring you better load times and increased security at no cost to you.

CloudFlare Certified Partner

What CloudFlare is:

CloudFlare is a simple and free Content Delivery Network which places your website’s content closer to your readers all around the world. By caching your images and other static content geographically closer to your global readers, your website will load more quickly and consume fewer resources on the local server. The static portions are cached on the CloudFlare servers for a short period of time, typically less than 2 hours, after which time they check to see if your site has been updated. If there is new content, CloudFlare dumps their existing cache and starts fresh.

By automatically moving the static parts of your site closer to your visitors, the overall performance of your site improves significantly.

The overall effect is that CloudFlare will typically cut the load time for pages on your site by 50% which means higher engagement and happier visitors.

CloudFlare caches your content worldwide:

CloudFlare CDN Sites

Additionally, CloudFlare can save you bandwidth. On average, CloudFlare customers see a 60% decrease in bandwidth usage and a 65% decrease in total requests to their servers.

How does CloudFlare protect you from Distributed Denial of Service (DDoS) attacks?

Black Chicken Host already has impressive security metrics in place; utilizing CloudFlare’s service improves upon our already outstanding security. CloudFlare’s mitigations offer a broad range of protections against attacks such as DDoS, hacking, or spam submitted to a blog or comment form. What is powerful about the CloudFlare approach is that the system gets smarter the more sites that are part of the CloudFlare community. They analyze the traffic patterns of hundreds of millions of visitors in real time and adapt the security systems to ensure good traffic gets through and bad traffic is stopped.

In fact, CloudFlare was initially developed as a tool to increase website security – and its founders accidentally discovered it radically improved the load times of its customers. Now personally, I find that hilarious. And fantastic.

The CloudFlare servers filter out the bad guys before they even reach our servers or your website, blocking malicious traffic before it can do any harm. But how? Honestly? I have no earthly idea. It just… works. I suspect this graphic is slightly dumbed down:

CloudFlare - how it works?

That’s it in a nutshell – some magical thing happens inside that CloudFlare cloud, and it’s a black box for the rest of us. As long as it keeps working, I’m happy.

So, let’s sum this up:

  • Improved load times
  • Enhanced security
  • Less bot spam
  • Offline browsing potential
  • FOR FREE

Not bad, right?

CloudFlare: What it is not

The CloudFlare service is not an excuse to never update your software or not to use strong passwords. It’s an extension of our already superb security, but it is no replacement for common sense.

It is not a 100% guarantee of no down time, ever. However, should your server experience difficulties (high load, or even being offline for a short time,) CloudFlare can often keep your content flowing to your readers by utilizing their caching service.

It is not Google Analytics. CloudFlare offers statistics for your site, but they will vary from GA (they tend to report higher numbers, due to how they gather and parse the information.) They’re handy to track trends, but are not the best way to measure your audience (definitely use Google Analytics for that.)

Ok, I want CloudFlare! How do I get it?

For Black Chicken Host customers, enabling CloudFlare is as easy as pushing a button (provided you are using our nameservers.)  We are pleased to offer you the CloudFlare service for FREE. There is no commitment. Turning CloudFlare on and off takes two clicks of the mouse in your cPanel account, so feel free to try it out. If you’ve misplaced your cPanel login information from your Black Chicken Host welcome email, please just let us know via a support ticket.

How to Enable CloudFlare in cPanel

The one potential downside to using CloudFlare through Black Chicken Host (as opposed to signing up yourself and having to muck about with your DNS) is you must use www in your domain. Thus, if your WordPress site is set up using http://yourdomain.com right now, we’ll need to change that to http://www.yourdomain.com — this is an easy thing for us to help you with, and is only a matter of aesthetics.

Also, you must use Black Chicken Host’s nameservers. Nearly all of our customers already do, but it’s an important item to note.

CloudFlare also offers a paid-for “Pro” version, which of course offers more features and functions. You can read about that on their website. We offer the free version so you can take things for a test drive and see if you like it. If you do, the paid-for version might be something you’d like – it makes no nevermind to us, we receive no commission.

Here’s a short animated video which goes into far less detail than I have here, but it gives a good overview:

Introduction to CloudFlare

Questions? Comments? Just let us know. If you’d like more information, or if you’d like assistance getting started with CloudFlare, you know we’re here and happy to help!

Best,

Erin D.

Password Security Which Will Surprise You

For so long, we in the information technology field have been pressing upon our users to maintain “secure” passwords, which included upper- and lowercase letters, punctuation, numbers, and absolutely no dictionary words. This began back in the day when hackers actually had to manually try to gain access to user accounts, which was time-consuming. If a bad guy couldn’t guess your password after a few tries he or she might move on to another unlucky victim with a less-secure password. I am totally guilty of recommending ridiculous passwords to users, because it’s how most systems administrators were brought up. Imagine my chagrin when math got involved!

hacker

Spoiler alert: There are exactly zero hackers who look like this.

These days, however, most hackers will use some kind of automated script to gain access to a server or account. These scripts (or “bots”) can rapid-fire login attempts at up to 100 login attempts per second! Black Chicken Host servers will shut these bots down after 5 failed login attempts, but it’s still an excellent idea to make sure you have a password that’s difficult for them to crack. We’ll do a post about our security metrics at another time, but suffice it to say, they’re pretty good!

These scripts often utilize a database of commonly used passwords, dictionary words, and dictionary words with special characters substituted, like “p@ssw0rd” instead of “password.”

Here’s the kicker, though: if you make a password out of four unrelated, randomly chosen dictionary words, you’ll have a password that would take centuries to crack at the guess rates above, but which is far easier to remember than the standard gobbledygook we’re often forced to implement.

Did I just blow your mind?

Allow me to demonstrate with a comic from the renowned geek comic strip, xkcd:

password_strength

By using the password “correcthorsebatterystaple,” the user has effectively created a password that would take a dedicated hacking script performing 1000 attempts per second about 550 years to crack. And? It’s dead simple to remember – yay!

Now, please don’t actually use “correcthorsebatterystaple” as your super-secure yet easy-to-remember password; it’s on the internet, and scripts are going to include it as one of their possible attempts. Come up with your own, such as elevatorbarnyardbackpackdonkey (please don’t actually use that one either, of course – it’s just an example.)

The goal with complex passwords is to ensure (as much as possible) that the character combination does not exist in a database anywhere. “z%^Mgt501?$$” is very unlikely to exist in a database, but who can remember that? Prior to xkcd publishing the “correcthorsebatterystaple” comic, that combination was also incredibly unlikely to be in a database, and it is so very much easier to remember. The words do have to be drawn at random, though: four words that form a sentence, a song lyric, or a saying are already in those databases, which is exactly why correcthorsebatterystaple itself stopped being a good password the day the comic went up.
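Here is the arithmetic behind the 550-year figure, as an added example that is not part of the original post, together with a generator that picks the words randomly (the part that makes the math hold; words a person chooses are a phrase, not a random draw) and a check against a leaked-password list, which is why correcthorsebatterystaple itself no longer counts. The word list and the known-password set are small constructed stand-ins; the 1000-guesses-per-second rate is the comic’s assumption for online guessing, and the 10^10 rate is an assumption made here for offline cracking of a stolen password hash, where the same 44 bits fall in under an hour and only more words (or more random characters) help.

```python
import math
import secrets

# Constructed mini word list for the demo; a real one (the EFF long list, for
# example) has 7776 entries, and the list size is what sets the entropy below.
WORDS = ["elevator", "barnyard", "backpack", "donkey", "copper", "meadow",
         "lantern", "pickle", "tractor", "violet", "harbor", "mitten",
         "gravel", "sparrow", "thimble", "walnut"]

# Tiny stand-in for the breached-password lists that cracking scripts try first.
KNOWN_PASSWORDS = {"password", "p@ssw0rd", "123456", "correcthorsebatterystaple"}


def entropy_bits(choices_per_pick, picks):
    """Bits of entropy in `picks` independent, uniformly random choices."""
    return picks * math.log2(choices_per_pick)


def years_to_crack(bits, guesses_per_second):
    """Time to exhaust the whole space at a constant guess rate (worst case)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def passphrase(n_words=4, words=WORDS, sep=""):
    """Draw the words with the OS CSPRNG. Words picked by a person are a phrase,
    not a random sample, and phrases are in the lists already."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def is_known(password, known=KNOWN_PASSWORDS):
    """A password that appears in a leaked list is guessed in the first second,
    whatever its entropy looks like on paper."""
    return password.lower() in known


def compare(online_rate=1000, offline_rate=10**10):
    """Years to search each space at the comic's online rate and at an
    offline rate assumed here for GPU cracking of a stolen password hash."""
    spaces = {
        "4 random words, 2048-word list": entropy_bits(2048, 4),
        "4 random words, 7776-word list": entropy_bits(7776, 4),
        "6 random words, 7776-word list": entropy_bits(7776, 6),
        "8 random printable characters": entropy_bits(94, 8),
        "12 random printable characters": entropy_bits(94, 12),
    }
    return {name: (round(bits, 1),
                   years_to_crack(bits, online_rate),
                   years_to_crack(bits, offline_rate))
            for name, bits in spaces.items()}


if __name__ == "__main__":
    for name, (bits, online, offline) in compare().items():
        print(f"{name:32} {bits:5.1f} bits {online:12.3g} y online {offline:12.3g} y offline")
    candidate = passphrase()
    print("candidate:", candidate, "(already in a leaked list!)" if is_known(candidate) else "")
```

The table the script prints is the real takeaway: against online guessing (which a five-strikes lockout like the one described above slows to a crawl anyway) four random words are plenty, while against an attacker who has stolen the password hash, length is the only thing that matters, and a sixth word buys more than any amount of punctuation.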

This is not to say random passwords aren’t still secure, or that they aren’t more secure: they are. The issue we’re trying to address here is ease of use. If you have to write your password on a sticky note, that utterly defeats the purpose of the password. So, let’s use something you can remember!

Personally, I still use a mnemonic to generate my own passwords (take the first letter of each word of the chorus in a favorite song, and insert the punctuation from the pauses in the song, too); however, when we need to generate passwords for customers, we’ll be using this far simpler method of stringing four words together.


Some admins don’t want to tell their customers this is the case – they’ve been preaching the nonsense passwords for so long, they don’t want to admit simple dictionary words are better. To be perfectly honest, I almost didn’t share this because how embarrassing, right? In my view, though, it’s better to be upfront and share the information, because this can make our lives so much easier! Who needs added complexity when we have gardens to plant, livestock to tend, jobs to go to, kids to feed, et cetera? Bask in an easy-to-remember password, courtesy of Black Chicken Host. 😉

If you’re interested in the science behind why this four word schema works, you can read more here: The Usability of Passwords. This quote hits the nail on the head:

“In Hollywood, passwords are hacked one digit at a time. Meaning the system would return true or false information based on partial matches. This is not how the real world works. You cannot match a password based on partial matches. “This * *” is not the same as “this is fun”. It would return it as FALSE. You have to match all three words, all at once.”

In short, the real world of “computering” is far, far different from what film and television make it out to be.  You can craft highly secure passwords by using a combination of plain old-fashioned dictionary words.