Top website security posts by Sucuri – July 2019

A monthly roundup of security posts

Our Malware Research and Incident Response teams work diligently around the clock to identify and stay ahead of the website security threat landscape—and we’re dedicated to sharing our knowledge and publishing our findings.

In the spirit of security education, we’ve curated a selection of our most popular posts and discoveries from July to help you protect your website.


How to stop a DDoS attack

Distributed Denial of Service (DDoS) attacks use fake traffic to flood a network, server, or application and prevent legitimate users from accessing a website. If a website isn’t positioned to mitigate the threat of DDoS, the results can have a significant impact on their business and traffic.

These attacks are quite cheap for attackers to perform and can lead to devastating results for website owners:

  • Over 2,000 DDoS attacks occur worldwide on a daily basis
  • Incurred costs can range between thousands to millions of dollars for victims
  • Cybercriminals can purchase a week of DDoS attacks for as little as $150

How to prevent DDoS attacks

Being unprepared for DDoS can lead to loss of reputation and sales, but fortunately there are a number of preventative measures you can take to reduce the impact of a DDoS attack on your website.

1. Monitor website traffic

Volumetric DDoS attacks are made of massive amounts of traffic, emphasizing the importance of monitoring for any peaks in site visitors which may allude to a DDoS attack.

Would it be suspicious if your website suddenly received millions of new visitors in one hour?

Dramatic increases in traffic are a massive red flag for DDoS attacks. Use monitoring tools, set up alerts, and check your log files to stay informed of potential threats. The time of day, origin of visitors, and time of year also play an important role in determining the legitimacy of your traffic sources.

2. Activate country blocking

Country-based blocking can be effective at minimizing the risk of a DDoS attack, but keep in mind that regional origin is related to IP addresses, which may be based off of outdated tables.

Would you expect a large amount of traffic from Indonesia if you’re a local bakery in Canada?

Country blocking can have negative implications for your website, however: it’s important to consider what effect it might have on legitimate website visitors from the country you’re blocking.

Attackers can also work around country blocking by employing a proxy or some other anonymous communication, like Tor.

3. Use a web application firewall (WAF)

A web application firewall filters and inspects all incoming requests to your website to identify if they are malicious. Whenever traffic is determined to be harmful, the firewall blocks the request before it even reaches your server.

Some web application firewalls offer automated DDoS threat mitigation. These services also help protect against file inclusion, cross-site scripting (XSS) attacks, and SQL injections.

What should you do during a DDoS attack?

The most obvious answer is to block these malicious traffic sources as soon as possible to prevent downtime and mitigate the risk to your website.

However, there are a few things that you can put together to help prevent and respond to a DDoS attack.

  • Create a systems checklist and properly configure your hardware and software components
  • Form a response plan and define responsibilities
  • Ensure that team members know who to contact in the event of an attack
  • Develop communication workflows to inform your customers of any issues

Sucuri Firewall

The Sucuri WAF intercepts and inspects all incoming Hypertext Transfer Protocol/Secure (HTTP/HTTPS) requests to your website. Malicious requests are stripped before it arrives at your server, preventing downtime and mitigating threats in real-time.

Sucuri Firewall customers also enjoy added performance benefits from the globally distributed Content Distribution Network (CDN), which can see increases in site speed up to 70% faster.

Read more from the original post by Victor Santoyo.


7 things you should monitor in your WordPress logs

WordPress activity logs can be extremely useful when troubleshooting – or when trying to identify a hack.

Activity logs are mandatory for ecommerce shops and PCI-DSS compliance.

When it comes to WordPress, there are a number of core areas you should be monitoring.

1. Website changes

Integrity checks can provide an early warning of a potential compromise.

Ensure that you are set up to receive notifications any time a file or DNS record is modified in any way, or if important changes are added to security settings, users have been modified, or downtime occurs.

2. Blog post changes

Changes to a posts status, including both post creation and modification, can highlight unusual activity on your website.

3. WordPress plugin changes

Detection tools can help you maintain visibility over your plugins. These tools will inform you if a plugin has been installed, activated, deactivated, deleted, or has had any settings modified.

Storing unused plugins in your WordPress environment increases the risk of a security incident, and we encourage website owners to remove them if they are not being actively used.

4. WordPress theme changes

Keeping track of any changes to your WordPress themes is just as critical as your plugins. Set up alerts for any modifications made to your themes, or with your theme editor.

5. WordPress core integrity

If you didn’t authorize changes to your WordPress instance, this should be considered an immediate red flag. Make sure you set up alerts to track any changes to your WordPress version, along with modifications to directory permissions.

6. User login activity

When reviewing user activity on your website, you should ask the following questions:

  • Who is logging in?
  • Are there provisions for new user access?
  • Should this user be logging in?
  • Were those logins successful? Did they fail?
  • Why are they changing that post/page?
  • Why are they logging in when they should be sleeping?
  • Who installed that plugin?
  • Who installed that theme?
  • Why does that user have administrative privileges to adjust other permissions?

WordPress allows users to attempt a login unlimited times by default, but this leaves a site vulnerable to brute force attacks. Add an extra layer of security by limiting the number of login attempts against an account through a plugin, or by using a Web Application Firewall (WAF).

7. Website security changes

Monitor changes to your security configurations and answer the following questions:

  • Who logged in?
  • Did the log in succeed or fail?
  • Were there changes to any settings?
  • Where there any sites impacted by the change?

The free Sucuri Security plugin helps address a number of these questions and is a useful way to centralize WordPress logs.

Read more from the original post by Victor Santoyo. 


How to perform a website security audit

Cyberattacks typically happen due to poor security practices. One of the first steps you can take to improve your security is to audit your website and identify exactly what’s been installed there.

Website audit checklist

We’ve provided a simplified template in checklist format for you to follow.

  • Change default CMS settings for users, comments, and information visibility
  • Set suitable file permissions for each account and role
  • Check for software updates and apply the latest security patches
  • Use security extensions and check your plugin settings
  • Review third-party components and ensure they are updated
  • Backup your data offsite and create a backup recovery plan
  • Follow server configuration file best practices
  • Install an SSL certificate to encrypt data in transit
  • Automatically scan your site for malware on a regular basis
  • Employ strong, unique passwords for all of your credentials
  • Check for blacklisting

Once you’ve performed an initial audit on your website, we encourage you to regularly review your settings and logs, remove inactive third-party components, and update software with the latest security patches.

Read more from the original post by Pilar Garcia.