Top website security posts by Sucuri – March 2020

A monthly roundup of website security posts.

Our Malware Research and Incident Response teams work around the clock to identify emerging threats — and we’re proud to share our knowledge and findings with the community.

We’ve gathered a few of our most popular posts from March to educate you about the latest trends and tips in website security.

Free Sucuri WAF for medical & social services

Our research continually demonstrates there is no depth that bad actors won’t sink to, and that includes exploiting websites that are vital for public health.

Free year of the Sucuri WAF for crisis responders

To help crisis responders help us, Sucuri is offering a free year of our Web Application Firewall for professionals including:

  • Hospitals
  • Physicians
  • Emergency medical technicians
  • Food banks

To get started, they just need to submit an application.

How does it work and who is it for?

We are accepting applications from organizations with unprotected websites that directly provide critical support for the pandemic relief effort. Organizations that don’t meet these criteria are encouraged to reach out to us directly.

Don’t let bad actors exploit our situation

While some ransomware groups have publicly stated they won’t target crisis responders during the pandemic, a fair amount of skepticism is warranted. A sudden flood of visitors to a website will likely prove irresistible to some bad actors looking to steal data or run other scams.

Read more from the original post by Chase Watts.

How to protect personally identifiable information (PII) from search engines

We’ve become so reliant on a free internet that it might come as a shock to some to learn that the information we give out so freely is being trafficked for profit. Some of this information we submit ourselves, and some is collected by tracking mechanisms such as cookies.

Protecting private information

When you submit information to a free website, it is often passed on to a data broker, a company that aggregates and resells personal data, frequently to parties you’d rather avoid. The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, with enforcement scheduled to begin July 1, 2020, which is why “Do Not Sell My Personal Information” options are already appearing on sites that collect PII.

Blocking tracking software

A content-blocking extension like uBlock Origin (for Chrome and Firefox) stops requests to tracking and advertising domains, so those trackers never get to set cookies, and its filter lists also block many known malware and phishing domains. Ghostery and NoScript are also worth adding to your browser, especially together: Ghostery targets trackers specifically, while NoScript blocks scripts from any site you haven’t explicitly trusted.

Using a P.O. box, email & Google Voice

Rather than giving out the physical address where you work or reside, a P.O. box lets you pick up mail at a designated location, buffering your space. In the digital realm, a throw-away or temporary email address can give you this additional privacy. And when it comes to your phone, Google Voice lets you add an additional phone line that you can give out, and then ignore when necessary.

Read more from the original post by Krasimir Konov.

VPN: A key to securing an online work environment

In today’s uncertain times, many of us have moved into work-from-home situations. That opens a big question about security. One of the strongest measures in this area is the virtual private network (VPN).

Types of VPNs

You might already be familiar with the commercial VPN, which encrypts traffic between your device and the provider’s servers and hides your browsing from the local network. The corporate VPN serves a different purpose: it gives remote workers an authenticated, encrypted path into an organization’s internal network, as if they were on site.

What is a VPN’s static IP address?

A static IP is a fixed address assigned to your VPN connection, so every time you connect you reach the internet from the same address. It is not a credential on its own, but it gives you a stable attribute to check in addition to the password: for example, you could configure a website firewall to accept logins to the admin area only from allowlisted IPs, with the VPN’s static address on that list.
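The check described above, as an added example that is not part of the original post or of the Sucuri WAF: a login endpoint is gated on the client address matching an allowlist of single IPs or CIDR ranges (IPv4 and IPv6). The allowlist entries, the trusted-proxy range, the protected paths and the sample requests are all constructed for illustration. It also handles the case practitioners most often get wrong: behind a reverse proxy or WAF the real client address arrives in X-Forwarded-For, and that header must only be honoured when the TCP peer is a known proxy, otherwise anyone can forge an allowlisted address.

```python
"""Allowlist check for logins, as a website firewall rule would apply it.

Added example, not code from the original post. LOGIN_ALLOWLIST,
TRUSTED_PROXIES and PROTECTED_PATHS are constructed values; swap in your
own VPN static IP and proxy ranges.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed allowlist: the corporate VPN's static egress address plus a
# small office range. Addresses come from the RFC 5737/3849 documentation
# ranges so the example is safe to run anywhere.
LOGIN_ALLOWLIST = [
    "203.0.113.7",          # VPN static IP
    "198.51.100.0/28",      # office range
    "2001:db8:abcd::/48",   # IPv6 office prefix
]

# Constructed: reverse proxies / WAF nodes whose X-Forwarded-For we trust.
TRUSTED_PROXIES = ["10.0.0.0/8"]

# Only these paths are gated; public pages stay reachable from anywhere.
PROTECTED_PATHS = ("/wp-login.php", "/wp-admin/")


def _networks(entries: Iterable[str]):
    # strict=False normalises "198.51.100.5/28"-style entries to their
    # network address instead of raising.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


ALLOW_NETS = _networks(LOGIN_ALLOWLIST)
PROXY_NETS = _networks(TRUSTED_PROXIES)


def in_any(ip: str, nets) -> bool:
    """True if ip parses and falls inside any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in a header is never a match
    # Mixed IPv4/IPv6 comparisons simply return False, no exception.
    return any(addr in n for n in nets)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Resolve the real client address.

    Honour X-Forwarded-For only when the direct TCP peer is a trusted
    proxy. With one trusted proxy in front, the rightmost entry is the
    address that proxy actually saw; anything to its left was supplied by
    the client and may be forged.
    """
    if xff and in_any(peer_ip, PROXY_NETS):
        return xff.split(",")[-1].strip()
    return peer_ip


def allow_request(path: str, peer_ip: str, xff: Optional[str] = None) -> bool:
    """Return True if the request may proceed to the application."""
    if not path.startswith(PROTECTED_PATHS):
        return True
    return in_any(client_ip(peer_ip, xff), ALLOW_NETS)


if __name__ == "__main__":
    cases = [
        ("/wp-login.php", "203.0.113.7", None),                    # VPN IP, direct
        ("/wp-login.php", "192.0.2.44", None),                     # unknown IP
        ("/wp-login.php", "10.0.0.5", "203.0.113.7"),              # VPN IP via trusted proxy
        ("/wp-login.php", "192.0.2.44", "203.0.113.7"),            # forged XFF, peer not a proxy
        ("/wp-login.php", "10.0.0.5", "203.0.113.7, 192.0.2.44"),  # forged XFF behind proxy
        ("/index.php", "192.0.2.44", None),                        # public page
    ]
    for path, peer, xff in cases:
        verdict = "allow" if allow_request(path, peer, xff) else "block"
        print(f"{path:15} peer={peer:12} xff={xff!s:28} -> {verdict}")
```

The two forged-header cases are the point of the proxy handling: when the peer is not a trusted proxy the header is ignored outright, and when it is, the proxy will have appended the true client address at the end, so the attacker's injected entry never wins. If you have more than one proxy hop, count back that many entries from the right rather than taking the last one.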

Connecting to VPN servers

Once you install a VPN client, you connect to a VPN server and your traffic goes out through it; some routers include a VPN client, which covers every device on the network at once. The tunnel encrypts everything between your device and the VPN server, hiding your traffic from the local network and your ISP, which matters most on networks you don’t control, such as public Wi-Fi. Two caveats: traffic between the VPN server and its final destination is only as protected as that destination’s own encryption (HTTPS), and routing everything through the tunnel adds overhead you may notice with bandwidth-heavy services like Netflix.

Cloud-hosted VPN servers

Because a VPN is often part of a larger security plan, many organizations prefer to keep their VPN server on site. However, the widespread adoption of cloud technology means VPN servers are now available “in the cloud.”

Read more from the original post by Marc Kranat.

WordPress database brute force and backdoors

We often talk about bad actors using brute force to gain access through logins. However, hackers can also break in through the database, which WordPress relies on to store settings and other data.

Brute force attacks on WordPress databases

Because hundreds (or even thousands) of websites on a shared host can connect to a single database server, those servers are prime targets. For example, one database brute force script we recently found (base.php) loads multiple sets of database credentials from .txt files and tries them in turn. Once it gets in, that database access can be used to take over a connected website, for example by inserting or resetting an administrator account in the site’s user table.
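A script like the one described leaves a distinctive trace on the database side: a burst of failed logins from one source host, usually cycling through several usernames, where a legitimate user mistypes one password a couple of times from one address. The following added example (not code from the original post) shows detection logic run over constructed MySQL error-log lines in the format the server writes with log_error_verbosity=3 (the regex also tolerates the extra error-code and subsystem tags MySQL 8.0 inserts). The threshold, window and sample addresses are illustrative assumptions, not figures from the post.

```python
"""Flag database credential brute forcing from a MySQL error log.

Added example, not code from the original post. SAMPLE_LOG is constructed
in the MySQL 5.7/8.0 error-log format for "Access denied" events; the
5-failures-per-minute threshold is an illustrative setting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Timestamp, connection id, [level], optional 8.0 tags, then the message.
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)\s+\d+\s+\[\w+\]"
    r".*?Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
    r" \(using password: (?P<pw>YES|NO)\)"
)

# Constructed sample: one user typing a wrong password twice, then a burst
# from 203.0.113.9 cycling through hosting-style usernames (the predictable
# names the text warns about), a 8.0-style line, an unrelated line, and a
# lone retry much later that falls outside the window.
SAMPLE_LOG = """\
2020-03-10T14:02:17.046218Z 4 [Note] Access denied for user 'site_wp'@'10.20.30.40' (using password: YES)
2020-03-10T14:02:19.100000Z 5 [Note] Access denied for user 'site_wp'@'10.20.30.40' (using password: YES)
2020-03-10T14:05:00.000000Z 6 [Note] Access denied for user 'root'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:00.200000Z 7 [Note] Access denied for user 'admin'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:00.400000Z 8 [Note] Access denied for user 'example_wp'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:00.600000Z 9 [Note] Access denied for user 'examplecom_db'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:00.800000Z 10 [Note] Access denied for user 'example_user'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:01.000000Z 11 [Note] Access denied for user 'wordpress'@'203.0.113.9' (using password: YES)
2020-03-10T14:05:01.200000Z 12 [Note] [MY-010926] [Server] Access denied for user 'wp'@'203.0.113.9' (using password: YES)
2020-03-10T14:06:00.000000Z 13 [Note] Aborted connection 13 to db: 'unconnected' user: 'unauthenticated'
2020-03-10T15:30:00.000000Z 14 [Note] Access denied for user 'root'@'203.0.113.9' (using password: NO)
"""


def parse(lines: Iterable[str]) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source_host, username) for each access-denied line."""
    events = []
    for line in lines:
        m = ACCESS_DENIED.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append((ts, m["host"], m["user"]))
    return events


def detect(events, threshold: int = 5,
           window: timedelta = timedelta(minutes=1)) -> Dict[str, dict]:
    """Flag hosts with at least `threshold` failures inside one sliding window.

    Per host, walk the time-sorted failures with a two-pointer window and
    record the densest burst seen, together with the distinct usernames
    tried in it: many distinct users from one host is the brute-force
    signature; one user repeated a few times is usually a forgotten password.
    """
    by_host = defaultdict(list)
    for ts, host, user in sorted(events):
        by_host[host].append((ts, user))

    flagged: Dict[str, dict] = {}
    for host, items in by_host.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count < threshold:
                continue
            prev = flagged.get(host)
            if prev is None or count > prev["failures"]:
                users = sorted({u for _, u in items[start:end + 1]})
                flagged[host] = {
                    "failures": count,
                    "distinct_users": len(users),
                    "users": users,
                    "first": items[start][0],
                    "last": items[end][0],
                }
    return flagged


if __name__ == "__main__":
    for host, info in detect(parse(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {info['failures']} failures between {info['first']:%H:%M:%S}"
              f" and {info['last']:%H:%M:%S}, {info['distinct_users']} usernames: "
              + ", ".join(info["users"]))
```

In production you would feed this from the live error log (or from the audit plugin / general log if you have them), tune the threshold to your own baseline, and use the flagged host as input to a firewall block or a ticket; the distinct-user count is the field worth alerting on first, since it separates an attacker's wordlist from a colleague's typo. None of this helps if the database port is reachable from the internet with guessable names and passwords in the first place, which is the point of the next section.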

Feasibility of database brute force attacks

While most hosting providers take measures to protect their databases, some configurations still leave them exposed. For example, predictable naming, such as database names and usernames derived from the domain or the hosting account name, makes credentials significantly easier to guess and therefore attracts attackers.

Alternative use scenarios

If server accounts are not properly isolated, a single compromised website can lead to others on the same server getting hacked once the attacker has a foothold. Attackers also maintain access to a compromised site by installing backdoors, and by relying on legitimate users to keep their weak passwords in place.

Read more from the original post by Denis Sinegubko.


Art Martori
Art Martori thinks words are like chess pieces. While checkers might be more appropriate for the analogy, he’s aided by years of professional writing experience via mediums including content strategy, journalism and fiction. When he’s not typing on a keyboard, find Art strumming the 12-bar blues.