Do Hackers Care About Your Meta CharSet?

The other day, I got this question about the meta charset tag in the mail:

“Would you be so kind as to explain to me, in logical terms, how in 7 hecks does the presence of:
<meta charset="utf-8">
is supposed to affect a ‘hacker attack’ in accordance with your book?
I literally cannot imagine hackers caring much about which charset you display on the UI side when attacking.”

This is a great question. The book he’s referencing is Sams Teach Yourself Bootstrap in 24 Hours, and in it I emphasize the importance of using the meta charset tag and placing it as the first element of your <head> element. While I explain that leaving it out can leave a page vulnerable to hacks, I don’t explain why. I will now.

. . .

Laugh of the Day: Prime Ranking in SERP, but No Content

Getting high ranking on search engines is usually pretty hard. But if you have invented something new or have a revolutionary product or service, your website might rank well for those search terms just because you’re the only one doing it. This is a really good thing. After all, if you’re the first, it is nice to be recognized for that. But be careful: if you’re not ready, this can turn into bad SEO rather than good.

If you’re not ready for recognition, prime placement can end up backfiring.

Today, I was thinking how nice it would be if the Apple Watch or other smart watches didn’t have to be worn on your wrist. My husband joked “an Apple Pocket Watch” and I thought “what about a necklace?”

So I did a search on Bing for Apple Watch Necklace. I was surprised and excited to see a listing (after all the ads for the Apple Watch, a Samsung smart watch, and plain watches) titled “Apple Watch Pendants | The Premier Site For Apple Watch …” I didn’t read any further, I just clicked through.

At first glance, it looked pretty good. No pictures, but a nice clean template with the headline “The #1 Most Trusted Apple Watch Pendant Store.” I scrolled quickly to see if there were any pictures, and didn’t see any, so I started to read:

Lorem ipsum dolor sit amet, consectetur adipiscing elit. In in risus eget lectus suscipit malesuada. Maecenas ut urna mollis, aliquam eros at, laoreet metus.

Shop Now

I thought “Number one? Yeah, because they got the domain name!” I don’t think that’s what the site owners wanted me to think. Sure, the domain name helped their search engine optimization, but having no content is just bad SEO. Since all they have put up so far is a template and some placeholder text, I’m not going to stick around long enough to do anything other than laugh. Instead of being impressed by their cool idea or new concept, I was reduced to tears laughing at their complete fail of a website. (See the screen shot of the entire page.)

If It’s Live—It’s Live

It’s easy to forget that if you build a web page and put it live on the Web that people other than yourself and your company may see it. But you should consider that a rule of thumb. If a page is live on the Web, anyone can see it. And if anyone can see it, search engines can see it. And if search engines can see it, they will rank it in their results. And once you’re in their results people can find you.

And if people find your page and then can only read “lorem ipsum…” they won’t be impressed. Not even if you have ebullient phrases adorning the page like “#1 most trusted” and “Holiday Sale.”

In fact, by rushing your website out the door without all the content you need, you risk alienating some customers. I don’t recognize the company Divi, but I will remember them in the future, and I don’t know if I would be willing to buy a pendant holder from them. That’s too bad, as they might actually be a really great company for this type of accessory. I’ll never know now.

Apple Watch Pendants Do Exist

There was a Kickstarter campaign that ended on September 5, 2015, to create both a pocket watch and pendant style holder for the Apple Watch. You can pre-order them from the Bucardo website and they will start shipping in January 2016. Too late for a birthday present for me for this year, but maybe next year! Of course, first I’d need to get an Apple Watch.

Security Through Obscurity Is Not Secure, It’s Just Bad SEO

The moral of this story is that you shouldn’t assume that a page you haven’t promoted won’t be seen. Security through obscurity is really just wishful thinking. If your content isn’t ready, then don’t put up a page.

Screen shot: high-ranking site with placeholder text (bad SEO). Full website, not ready for prime time.

Could the Shellshock Exploit Destroy Your Website?

UPDATED October 7, 2014: Keep Patching!

There have been several new patches since Shellshock was first patched, and you need to make sure that your server is still up-to-date, even if you patched on the first day.

Learn What You Need to Do to Protect Your Site

Shellshock is a huge security threat to the internet, but if you’re like most people, the technicalities underlying it make it hard to get too worried about other than in a general sense. After all, you may be thinking “Yes, I worry, but I worried about Heartbleed last month and nothing bad happened, so is this another one of those?”

Let Me Put the Dangers Shellshock Poses in Personal Terms

It’s one thing to hear that the exploit is “using fast-moving worm viruses to scan for vulnerable systems and then infect them…” (source: The Times of India) or that they are creating botnets to attack Akamai with a distributed denial of service (DDoS) (source: itnews).

Yes, those sound bad, but they probably wouldn’t immediately affect your bottom line. So, it might be enough to just wait and see what happens.

But if You Run a Website Your Server Could Get Infected

And if your server gets infected the attackers could do all kinds of things that could directly impact you and your business. Things like:

  • Delete every page on your website
  • Deface every page on your website
  • Take control of your web database and steal all the data
  • Add back-door functions to your web forms and scripts to steal your customer’s information as they submit it to you—things like credit card numbers, email addresses, and any other information

I have had to deal with scenarios where portions of a website were deleted, defaced or hacked, and it’s not fun. Do you really want to have to report to your customers that their credit card information may have been stolen? Do you really want to rebuild your entire site from scratch? I know I don’t.

What To Do About Shellshock

The first thing you should be aware of is which devices and tools you use might have Bash on them. This could include web servers, routers, Linux and Mac OS X computers, and other devices.

If You’re Running a Web Server

If you run your own web server, you should immediately go and patch it. This exploit affects nearly any web server running Bash and nearly all Linux and Unix boxes run that. Here is a list of some popular Linux vendors and their information on patching for Shellshock:

If You Host Your Website

If you don’t run your own web server, but you host on another site, you should find out if they are running on Linux (most hosting companies are) and if they’ve patched their server. There are several experimental tools available on the web that you can use to test your site.

And if you have access to a shell prompt on your web server, you can test using the following script. Just go to your shell prompt and type:

If your server is vulnerable you’ll get a response of:

If it’s not vulnerable, you’ll get a response of:
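As an added example (my own, not the article’s script), here is a shell function that probes the bash on the machine it runs on the same way: it exports a variable holding a function definition followed by a trailing command, and reports whether that trailing command ran. It assumes bash is on PATH and returns one of three words instead of relying on the exact wording of the output.

```shell
# Added example: local Shellshock self-check for the bash on this machine.
# Assumption: bash is on PATH (if not, the result is "no-bash").
# Prints exactly one word: "vulnerable", "patched" or "no-bash".
shellshock_check() {
  if ! command -v bash >/dev/null 2>&1; then
    echo "no-bash"
    return 0
  fi
  # A vulnerable bash keeps parsing past the function body stored in the
  # exported variable and executes the trailing "echo"; a patched bash only
  # runs the harmless command given to -c, so the marker never appears.
  out=$(env probe='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo harmless' 2>/dev/null)
  case "$out" in
    *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
    *)                   echo "patched" ;;
  esac
}
```

Run `shellshock_check` on the server itself; a result of "vulnerable" means the patches the article describes have not been applied yet.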

Contact Your Web Hosting Provider

If you run these tests and your web server is vulnerable, you should contact your hosting provider immediately. Right after you contact them, you should back up your entire website, including any scripts, databases, images and so on. Then if your server is attacked before your provider patches it, you have a current backup.

If You Run a Mac with Mac OS X

Mac OS X is currently vulnerable, and Apple has not yet released a patch. However Apple says “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities…” (source: iMore). This is because the system is protected by default, and advanced Unix services would need to be enabled to disable that protection.

If you have enabled Bash on your Mac OS X system, you should take it back to the factory settings for now. Or you can patch it manually with the instructions at LinuxNewsPro but only do this if you know what you’re doing. If you don’t know what I mean by advanced Unix services, do not do anything. Just wait for the Apple patch.

If You Have Other Things Running Bash That Could be Attacked by Shellshock

Your best bet is to contact your support or service providers to find out if they have provided a patch. Many router companies have already released patches, or are working hard on one. Symantec has also created an Intrusion Prevention signature for protection against this exploit.

How to Secure WordPress After You’ve Been Hacked (or Before!)

Image: login with 2-factor authentication. Do you have 2-factor authentication?

Getting hacked is a nightmare. After a hacker attacks your site, you can spend days, weeks, or even months worrying about when it’s going to happen again, how it happened in the first place, and what you can do about it to prevent future hacks.

Secure WordPress Starts with You

The first thing you should do after you discover your site was hacked is to take a deep breath. You are not the first person to get hacked and you won’t be the last. In many ways the fight against hackers is a constant battle, with the hackers’ tools getting better and the security tools getting better to fight them. Security companies like McAfee and Symantec have been hacked! Don’t feel too bad if your website gets hacked. Just learn from what happened and do your best to fix things.

Once you’re a bit calmer, look over your basic security measures. Things like:

  • What is your admin password?
    • A secure password is long—more than 10-15 characters.
    • It has upper and lowercase letters, numbers, and special characters (! # $ % etc.).
    • You should never use the same password for your WordPress admin account as on any other site. If that other site gets hacked, your WordPress installation is then compromised too.
    • It should not be a word—even changing the letters to numbers like “p@5sW0rd” won’t work, as most hackers have those in their files as well. If you can read the word, then so can the hackers!

    If you don’t think you can remember a password like “brg3@4u{o8pet#NHL?r2HuiFf,” and believe me most people can’t, then you should consider getting a password safe. This is an application that stores your passwords in an encrypted safe that you can use to look them up when you need them. Some options include: LastPass, KeePass, 1Password, or even the built-in managers in your web browsers and operating system. A password safe or password manager will help keep your passwords secure while not forcing you to remember hundreds of crazy, random passwords.

  • What is your administrator user name? If you’re like most WordPress users, it’s “admin.” I’m not a hacker, but I know that this is a common username. And if I know it, then the hackers know it. And that’s just one less thing they have to figure out before they can hack into your site. The challenge is that once you’ve got a WordPress admin account, WordPress makes it very difficult to change the username. While changing your username on WordPress.com is just a matter of adjusting your personal settings, changing it on a self-hosted WordPress blog is a lot more difficult. The easiest way is like this:
    1. Create a new user in WordPress by clicking Add New in the Users menu
    2. Give that new user admin access
    3. Login with the new username
    4. Change the access of the old admin account to the lowest access role available (usually “Subscriber”)
    5. If the old admin account has no posts associated with it, you can delete it rather than changing the role. But if you delete an account with posts, you may end up deleting the posts as well.
  • What security plugins do you have on WordPress? In order to keep WordPress secure, it’s a good idea to use a couple of security plugins. Some of the ones I use include:
    • Acunetix WP Security: This is a comprehensive tool that attempts to make it harder for hackers to know a lot about your site. It removes information like the WordPress version, when WordPress needs updates, and so on. Plus, it gives you a list of items you should look at to know where your site is vulnerable.
    • Bad Behavior: Bad Behavior attempts to block automated bots from using your site. It is primarily for preventing spam. I find that it helps keep the spam manageable. However, this can sometimes block things you want to get through.
    • Google Authenticator for WordPress: This allows you to enable (and require if you wish) 2-factor authentication on your WordPress site. This requires that people logging into your site have both a username/password and a code that your phone generates. If they’ve stolen your phone as well, you probably have more problems than just whether they are breaking into your WordPress site.
    • Limit Login Attempts: I find this tool invaluable. Today alone it blocked over 50 hack attempts on one site. Because you need access to the site, this tool doesn’t block IPs until they’ve reached a threshold number of attempts. You can set both the number of tries and how long the lock out is for. On one site I manage, we set the lockout to 5 days because of the number of hacking attempts we were getting.
    • LionScripts: IP Blocker Lite: I use this to block the IPs that come back again and again to try to hack my sites. Limit Login Attempts blocks IPs for a period of time, but if a hacker is really determined they will just come back later and try again. So I use this IP blocker to block them completely.
    • WordPress Database Backup: While some people might not see this as a security plugin, I feel that regular backups are critical to any security system. That way if your site gets hacked, you can reinstall and not lose too much. I like this plugin because it’s automatic. I have it email me backups of all my sites.
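As an added example (my own, not from the article or from any WordPress plugin), here is a shell function that applies the admin-password checks listed above to a candidate password: minimum length, all four character classes, and “if you can read the word, so can the hackers.” The 15-character minimum, the symbol-to-letter swaps it undoes, and the five-entry wordlist are constructed assumptions standing in for the much larger lists attackers actually use.

```shell
# Added example: score a candidate WordPress admin password against the checks
# in the list above. Assumptions (not from the article): a 15-character minimum
# (the upper end of its "10-15" range) and a constructed five-word dictionary.
WORDLIST="password
welcome
letmein
wordpress
admin"

# Prints one word: "too-short", "missing-classes", "dictionary-word" or "ok".
check_admin_password() {
  pw=$1
  # 1. Length.
  [ "${#pw}" -ge 15 ] || { echo "too-short"; return 0; }
  # 2. Upper, lower, digit and special character must all be present.
  case "$pw" in *[[:upper:]]*) ;; *) echo "missing-classes"; return 0 ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) echo "missing-classes"; return 0 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) echo "missing-classes"; return 0 ;; esac
  case "$pw" in *[![:alnum:]]*) ;; *) echo "missing-classes"; return 0 ;; esac
  # 3. Not a readable word: undo common letter-for-symbol swaps
  #    (@->a $->s 5->s 0->o 1->l 3->e !->i), lowercase, then look for any
  #    dictionary entry inside the result, so "p@5sW0rd" is seen as "password".
  norm=$(printf '%s' "$pw" | tr '@$5013!' 'assolei' | tr '[:upper:]' '[:lower:]')
  for w in $WORDLIST; do
    case "$norm" in *"$w"*) echo "dictionary-word"; return 0 ;; esac
  done
  echo "ok"
}
```

The same normalisation is why padding a word with digits and symbols to reach the length limit does not help: the readable word is still inside it.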

Be Ruthless When Trying to Secure WordPress

Many people are reluctant to block IPs and limit access to customers because of just that—they are customers! But the reality is that anyone that you didn’t authorize who would try to login to your site using an admin account is not a customer. They are a hacker. They aren’t going to read your articles, they aren’t going to comment on your site, and they certainly aren’t going to buy anything from you. You don’t need them. Be ruthless. If a hacker gets access, he won’t be gentle.

Start with your own access. One thing that can really help your security, besides a strong password, is two-factor authentication. I use the Google Authenticator with my mobile devices to prove that I’m me and I should have access to my site. This means that I have to provide both something I know—my username and password—and something I have—my phone. If I can’t provide both those things then I can’t get into my account. Two-factor authentication can seem tedious at first, but it does improve your security, and most people keep their phones with them all the time.

Then be ruthless with your subscribers. You should periodically check your WordPress users (in the Users tab) to make sure there aren’t any surprises. Look for any accounts that have higher access than you gave them. In general, “Subscriber” is the lowest level of access, and anyone who has more access than that should have been given those permissions by you. If you find any strange ones, delete them.

What to Do After You’ve Been Hacked

All of the above security measures are good, but what about after a hacking? If you discover your WordPress site has been hacked, you need to secure it as well as you can, but there are also a few things you need to do to help make sure that you get rid of the hackers.

The problem is, once you’ve been hacked, the hackers could have put in back doors in many places on your site without you realizing it. So you have to do more than add security—closing the barn door after the horse is gone, so to speak.

Here are the steps I recommend you follow after you discover a hack.

  1. Find or make a clean backup of your site data. I recommend getting a backup of your database, and all files in your wp-content directory. It’s best to choose backups dated before you know the hack occurred, which is why regular backups are critical. If you’re not sure when it happened, get a backup that’s at least one month old. Yes, your site will be out-of-date, but the hacker will be gone! Here’s information on the WordPress Codex about backing up your site.
  2. Then delete everything on the site except the database. Yes, this means your site will be down. People will get a 404 or other error. If you can leave it down for at least 24-48 hours, that would be best as this encourages the hackers to go somewhere else. If there’s nothing to hack, they will hack someone else.
  3. After your down time, re-download WordPress from the wordpress.org site. This is critical. You must not use any old files from when you were hacked. You need to make sure that you have a clean install, and that means starting over from scratch. Don’t forget to download your plugins and themes as well.
  4. Turn on all the security plugins you’ve installed immediately. And if they recommend taking action, do this before you do anything else.
  5. If you haven’t already, change your administrator username to something other than “admin.”
  6. Take a deep breath—you’ve survived a hacking!

As I mentioned above, maintaining a secure WordPress site is difficult. And no security is foolproof. But if you’re careful and ruthless you can keep your site as secure as possible. No one likes being hacked, but it doesn’t have to be the end of your site. I have personally survived being hacked (including one major site I was running) as well as other disasters (including completely deleting my entire web directory without any backups). It’s not fun, but it’s not the end of the world.