We’ve gathered a few of our most popular posts from March to educate you about the latest trends and tips in website security.
Free Sucuri WAF for medical & social services
Our research continually demonstrates there is no depth that bad actors won’t sink to, and that includes exploiting websites that are vital for public health.
Free year of the Sucuri WAF for crisis responders
To help crisis responders help us, Sucuri is offering a free year of our Web Application Firewall for professionals including:
- Emergency medical technicians
- Food banks
To get started, they just need to submit an application.
How does it work and who is it for?
We are accepting applications from organizations with unprotected websites that directly provide critical support for the pandemic relief effort. Organizations that don't meet these criteria are still encouraged to reach out to us directly.
Don’t let bad actors exploit our situation
While some ransomware groups have publicly stated they won’t target crisis responders during the epidemic, a fair amount of skepticism is warranted. People flocking to a website will likely prove irresistible to some bad actors looking to steal data or enact other scams.
How to protect personally identifiable information (PII) from search engines
We’ve become so reliant on a free internet that it might come as a shock to some to learn that the information we give out so freely is being trafficked to make money. Some of this information we submit ourselves, and some of it comes from tracking software like cookies.
Protecting private information
When you submit information to a free website, it often goes to a data broker. The broker, in turn, sells your information — often to places you’d rather avoid. However, on July 1, 2020 the California Consumer Privacy Act (CCPA) went into effect, which is why we’re already seeing the Do Not Sell option when we submit PII online.
Blocking tracking software
You can block cookies with an extension like uBlock Origin for Chrome and Firefox, which blocks not only targeted ads but also many types of malware. Ghostery and NoScript are also worth adding to your browser, especially when used together.
Using a P.O. box, email & Google Voice
Rather than giving out the physical address where you work or reside, a P.O. box lets you pick up mail at a designated location, keeping a buffer between the public and your physical space. In the digital realm, a throw-away or temporary email address gives you the same kind of privacy. And when it comes to your phone, Google Voice lets you add an additional phone line that you can give out, and then ignore when necessary.
VPN: A key to securing an online work environment
In today’s uncertain times, many of us have moved into work-from-home situations. That opens a big question about security. One of the strongest measures in this area is the virtual private network (VPN).
Types of VPNs
You might already be familiar with the commercial VPN, which protects your browsing. A more robust version is the corporate VPN, which gives you access to the environment of a larger organization.
What is a VPN’s static IP address?
As the name implies, a static IP address doesn’t change between sessions, so it can serve as an additional login check on top of your credentials. For example, you could configure a website firewall to allow logins only from allowlisted IPs.
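The allowlist rule described above, as an added example that is not Sucuri’s firewall code: login endpoints accept only the VPN’s static IP, everything else stays public, and a forwarded client address is trusted only when it comes from the WAF itself. The WordPress paths, the VPN address and the proxy range are assumed, constructed values from documentation IP ranges.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed example values (documentation ranges, not real infrastructure).
VPN_STATIC_IPS = ["203.0.113.10"]      # the VPN's static egress address
TRUSTED_PROXIES = ["198.51.100.0/24"]  # the WAF/reverse proxy that sets X-Forwarded-For

# Assumed WordPress endpoints that accept credentials and get the allowlist rule.
LOGIN_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def _networks(entries: Iterable[str]):
    # Accept single addresses or CIDR ranges; strict=False tolerates host bits set.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_ip(peer_ip: str, forwarded_for: Optional[str], trusted_proxies=TRUSTED_PROXIES) -> str:
    """Resolve the real client address.

    X-Forwarded-For is honoured only when the direct peer is a trusted proxy;
    otherwise anyone could send the header and claim the VPN's static IP.
    """
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in n for n in _networks(trusted_proxies)):
        # A single trusted proxy appends the address it saw as the last entry.
        return forwarded_for.split(",")[-1].strip()
    return peer_ip


def is_login_path(path: str) -> bool:
    return any(path == p or path.startswith(p) for p in LOGIN_PATHS)


def allow_request(path: str, peer_ip: str, forwarded_for: Optional[str] = None,
                  allowlist=VPN_STATIC_IPS) -> bool:
    """Public pages stay open; login endpoints accept only allowlisted (VPN) addresses."""
    if not is_login_path(path):
        return True
    ip = ipaddress.ip_address(client_ip(peer_ip, forwarded_for))
    return any(ip in n for n in _networks(allowlist))


if __name__ == "__main__":
    print(allow_request("/", "192.0.2.44"))                               # True
    print(allow_request("/wp-login.php", "192.0.2.44"))                   # False
    print(allow_request("/wp-login.php", "203.0.113.10"))                 # True
    print(allow_request("/wp-login.php", "192.0.2.44", "203.0.113.10"))   # False (spoofed header)
    print(allow_request("/wp-login.php", "198.51.100.7", "203.0.113.10")) # True (relayed by WAF)
```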
Connecting to VPN servers
Once you install a VPN client, you can connect to a VPN server to go online. Your router might even include this feature. Connecting to a VPN server encrypts all of your internet traffic, which can be useful when you’re using services that consume lots of data, like Netflix.
Cloud-hosted VPN servers
Because a VPN is often part of a larger security plan, many organizations prefer to keep their VPN server on site. However, the widespread adoption of cloud technology means VPN servers are now available “in the cloud.”
WordPress database brute force and backdoors
We often talk about bad actors using brute force to gain access through logins. However, hackers can also break in through the database, which WordPress relies on to store settings and other data.
Brute force attacks on WordPress databases
Because hundreds (or even thousands) of websites can connect to a single database, those databases are prime targets for hackers. For example, one database brute force script we recently found (base.php) loads multiple database credentials from .txt files. That access can then be used to gain entry to a connected website.
Feasibility of database brute force attacks
While most hosting providers take measures to protect their databases, some still leave gaps. For example, predictable database naming conventions can attract hackers because they’re significantly easier to guess.
Alternative use scenarios
If server accounts are not properly isolated and an attacker gains access, a single compromised website can lead to others getting hacked. Hackers can also maintain access to a compromised site by installing backdoors and counting on legitimate users to keep using weak passwords.