Websites are being Encrypted and held to Ransom

Encrypted Website Database - RansomThere is a new security threat for website owners to contend with.

Similar to Crypto-locker and other Ransomware, there is a new threat that will encrypt the core database files of a website.

Dubbed “RansomWeb” by Security firm High-Tech Bridge, database files are encrypted, and an email is sent to the admin demanding the payment of a Ransom to unencrypt the files. In one case, the Ransom demanded was US$50,000.

Stop your website from being encrypted and being subjected to a Ransom

Now even though this particular website was doing backups of the database, they were doing automated backups that remained on the Server. Unfortunately for them, their website was compromised months before the attack occurred, and consequently all their backups were compromised. This is why it is so important to download backups and keep them separate from the Server.

One of the things that we do here at Website Design by Spotty Dog Computer Services as part of our Monthly Maintenance and Backups Service is to download backups of your website to a local hard drive. We will keep up to 12 mths of backups so that in the event that something like this happens to your website, we can restore an uninfected and uncompromised backup.

Apart from downloading backups to a local hard drive, the best thing you can do is have a secure website. That means installing security plug-in’s that close security holes, and keeping WordPress and all Plug-in’s up to date as new releases are made available. This is of course part of our Monthly Maintenance Services too.

So if you have a WordPress based website, we can take steps to protect your website (and your sanity), but please do not wait until it is too late!!!

Just one of the many services we offer.

 

How to stop Comment Spam

Over the years I have used many different Plug-in’s and methods to reduce Comment Spam on my websites.

Those Plug-in’s included the default WordPress Plug-in [tooltip title=”Info” content=”Akismet is a hosted web service that saves time by automatically detecting comment and trackback spam. It’s hosted on their Servers, but they give you access to it through a plugin and an API.” type=”info” ]Akismet[/tooltip] (at last count on my main website it has blocked 3,306 Spam Comments), [tooltip title=”Info” content=”An extremely powerful anti-spam Plug-in for WordPress that reduces comment spam, including trackback and pingback spam. It works invisibly without CAPTCHA’s, or other inconveniences to site visitors. The plugin includes spam-free contact form feature as well.” type=”info” ]WP-SpamFree[/tooltip] (it’s blocked 4,725 Spam Comments), and along the way various other Security Plug-in’s and methods.

But none of them have been 100% effective.

Sure, they “reduced” the amount of Spam, but some Spam has always managed to get through.

Now obviously you need to set your WordPress Discussion Settings so that they must be approved by an Administrator first (see image below), but having to plough through the Spam Comments and manually delete them too, well that is an additional Admin overhead we can all do without.

WordPress Discussion settings

Discussion Settings

Comment Spam has been a real bug bear for me, and to be honest, a pretty big problem. But at last I’ve finally found a Plug-in that reduces Comment Spam to zero, zilch, nada!!! That’s right, it’s 100% effective in preventing Comment Spam.

Well, let me qualify that by saying that it’s 100% effective against automated Comment Spam.

Obviously, if a real human is determined and prepared to take the time to post a bogus comment and physically undertake the CAPTCHA test, then you won’t stop that.

The Plug-in in that I have discovered is [tooltip title=”Info” content=”Fun Captcha presents a mini-game that blocks the bots while giving your users a few moments of fun. It’s a real security solution hardened by experts and automatically updated to provide the best protection.  Users complete these little games faster than other CAPTCHAs, with no frustrating failures and no typing. Fun Captcha works on all browsers and mobile devices.” type=”info” ]Fun CAPTCHA.[/tooltip]

The trouble with most CAPTCHA systems is that they are quite difficult to read (see the image below), and visitors to your website hate using them, and the Spammers are getting smarter all the time and can circumvent them.

CAPTCHA Examples

CAPTCHA Examples

So what Fun CAPTCHA does is stop the BOT’s, and turns the CAPTCHA system into a mini-game.  The visitor wishing to post a comment is required to complete the game with a series of mouse clicks, rather than trying to decipher hard to read CAPTCHA Images, and it works on all Browsers and Mobile Devices.

The best thing is that Fun CAPTCHA is totally free, however you must create an account on their website to obtain some security codes first.

Below is a video that shows how the Fun CAPTCHA Plug-in works.

You can download the Plug-in from the WordPress Plug-in Directory.

CMS Websites at risk from Hackers

Content Management Systems (CMS) websites like WordPress have long been a target for Hackers.

CMS systems like WordPress are popular because they are free and Open Source, and very flexible to such an extent that just about anybody can create a Website, or Blog, or eCommerce website with relative ease.

The problem is that a lot of website owners either fail to keep their CMS and plug-in’s up to date.

New versions of the platform and plug-in’s are regularly released, not just to improve functionality, but to plug security holes.

This is why Hackers love to target CMS websites.  It’s because they know there is a high chance of discovering an unpatched website.

Even if you do keep the platform and plug-in’s up to date, you must also do a few other things.

Here is a checklist:

  • Use a strong Password – You must not use easy to guess and simple passwords.  Never use “Password” as your password for example.  Also avoid using dictionary words, pets names, family members names etc.  Use Upper and Lower case letters in combination with numbers and keyboard characters like @#$%^&* if possible.  If you find it difficult, try substituting some letters with characters or numbers.  For example MyPassword2013 could become MyP@55w0rd2013.
  • Use a good Security Plug-in – My favourite Security Plug-in is Better WordPress Security.  Among the things it does is:
    • Change the urls for WordPress dashboard including login, admin, and more
    • Rename “admin” account
    • Change the ID on the user with ID 1
    • Change the WordPress database table prefix
    • Change wp-content path
    • Ban troublesome bots and other hosts
    • Ban troublesome user agents
    • Prevent brute force attacks by banning hosts and users with too many invalid login attempts
    • Enforce strong passwords for all accounts of a configurable minimum role
    • Detect and block numerous attacks to your filesystem and database
  • Add CAPTCHA to your User Log-in – I like to use another Plug-in called SI-CAPTCHA Anti-Spam.  Not only does it add CAPTCHA to your Log-in, but to WordPress forms for comments, registration, and lost passwords too.

It may sound daunting, but if you have your website hosted and maintained by Spotty Dog Computer Services, all the updates are included in our Monthly Maintenance Fee.  And as an added bonus, if a Hacker does manage to compromise your website, we make regular backups so we can restore your website if it all turns pear shaped 🙂