Our Malware Research and Incident Response teams work diligently around the clock to identify and stay ahead of the website security threat landscape—and we’re dedicated to sharing our knowledge and publishing our findings.
In the spirit of security education, we’ve curated a selection of our most popular posts and discoveries from May to help you protect your website.
5 Ways to protect your WordPress installation from a hack
by Dutch Hill
With over 34% of all websites on the internet using WordPress, it’s no wonder that this content management system is frequently targeted by bad actors.
We’ve provided a helpful list of tips to mitigate threats against your WordPress website.
1. Use strong passwords & unique usernames
Dictionary attacks are commonly used against websites to guess important credentials, such as username and password combinations.
To prevent bad actors from gaining access to your site, we encourage you to create, implement, and manage complex and unique passwords for your WordPress account, databases, and other website environments.
Use uncommon usernames to make dictionary attacks even more difficult for bad actors.
2. Leverage the principle of least privilege
The Principle of Least Privilege is a computer science principle based on using the minimal set of privileges for each user.
WordPress conveniently offers default roles with associated capabilities, which can be easily modified or adjusted to fit your needs.
By assigning the least privileges necessary for each user account, you can mitigate the risk and scope of damage if the profile is compromised or begins performing malicious actions (e.g., a rogue employee).
3. Keep your plugins & software up-to-date
Keeping your WordPress installation up-to-date with the latest security patches prevents attackers from leveraging known vulnerabilities to compromise your website. WordPress developers work diligently to provide security releases and protect users from threats.
That being said, if you aren’t leveraging the auto-update feature or have it disabled, vulnerabilities can’t be patched unless you maintain your software or employ a web application firewall.
The use of third-party components — including extensions, themes, and plugins — increases your security risk as they provide additional entry points for bad actors. Maintain any extensible components with the latest patches and updates, and remove unused plugins and themes to improve your security.
4. Harden .htaccess
A variety of WordPress hardening options are available for webmasters via the .htaccess file.
Implementing one or more of these rules can reduce the attack surface for your website and mitigate the risk of a hack:
- Restrict login URLs to a specific IP range to prevent unauthorized login attempts.
- Restrict access to your wp-config.php file.
- Prevent directory browsing and image hotlinking to your site.
- Restrict file extensions that can be loaded from a directory.
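The four rules above as one Apache 2.4 .htaccess fragment, written here as an added example (it is not code from the original post or from Sucuri's guide). The IP range 203.0.113.0/24 and the hostname example.com are placeholders to replace with your own values.

```apache
# Added example (not from the original post). Apache 2.4 syntax; assumes
# mod_rewrite is enabled, which WordPress permalinks already require.
# 203.0.113.0/24 and example.com are placeholders.

# 1. Restrict the login page to a trusted IP range.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>

# 2. Deny all web access to wp-config.php (PHP still reads it from disk).
<Files wp-config.php>
    Require all denied
</Files>

# 3a. Prevent directory listings.
Options -Indexes

# 3b. Block image hotlinking: allow requests with an empty Referer
#     (direct visits) or a Referer from our own host; 403 everything else.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]

# 4. Allow-list the file extensions that may be served from wp-content/uploads.
#    Anything else under that directory (including .php) returns 403, so an
#    uploaded script cannot be executed through the web server.
RewriteCond %{REQUEST_URI} ^/wp-content/uploads/ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|gif|webp|pdf)$ [NC]
RewriteRule .* - [F,L]
```

After adding the fragment, confirm that wp-login.php returns 403 from an address outside the range and that legitimate media in uploads still loads; a misplaced rule here locks out administrators rather than attackers.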
Check out our WordPress security guide for technical details.
5. Use a website firewall
According to our latest report, WordPress accounted for over 90% of all hacked sites in 2018. One of the most common reasons for the compromises stems from bad actors exploiting known vulnerabilities in software and third-party components.
If you are unable to patch all security updates in a timely fashion, you can virtually patch your website by using a web application firewall.
Using a firewall can also make the overall process of hardening easier, as it includes hardening functionalities such as automatically handling malicious requests or limiting administrative access to a specified set (or range) of IP addresses.
A great feature of Sucuri’s web application firewall is its ability to mitigate DDoS attacks, which can disrupt a website’s availability and prevent users from accessing your website.
Who’s responsible for the security of your website?
by Josh Hammer
As a website owner, you’ve likely invested hundreds — or even thousands — of hours and resources into creating the perfect site, building traffic, and generating revenue.
While most people recognize that a security incident can be detrimental to brand reputation and earning potential, procrastination or an overall lack of security knowledge from webmasters may lead to apathy or improper configuration.
There are a number of things you can do to protect your traffic and revenue streams.
- Monitor your website for indicators of compromise, blacklisting, and website malware.
- Implement secure and reliable site backups and store them in a secure location.
- Mitigate threats with virtual patching and hardening.
At the end of the day, the security of your website is your responsibility.
Monetization of stolen data on the darknet
by Luke Leal
Bad actors don’t just compromise ecommerce websites for fun. Personal information, bank accounts, and credit cards can all be monetized by cybercriminals — and there’s a variety of methods used to generate money from stolen data.
Infected ecommerce websites
During a recent incident response engagement, we identified a malware injection stealing payment information from a compromised Magento website.
The injection gathered valuable payment information during the ecommerce checkout process, including first and last name, address, and credit card details. It then submitted the data to a location under the attacker's control, where the hacker sorted it based on card provider (i.e., Visa, MasterCard, American Express, etc.).
As soon as the data is sorted, it’s ready to be sold on the darknet marketplace. Hackers may use resellers, or a network of resellers, to limit the number of transactions they need to perform and reduce exposure.
Once a card has been cancelled, it is much less valuable to the attacker but the stolen personal information associated with the card can still be monetized. The use of multiple resellers allows a bad actor to monetize stolen data as quickly as possible before the theft is detected.
The sale of personal information
The valuation of the stolen data is based on two important factors:
- Has the credit card been balance verified and is it still active?
- Is personal information (name, address, phone number, email, birth date, etc…) associated with the credit card?
Stolen data that meets these criteria can fetch a much higher price for resellers on the darknet, which is why attackers leverage compromised ecommerce websites to obtain this information.