Apple has released Friday, Apr 10 2015

With all of the hacking going on with no end in sight, I have come across some helpful infomation from Apple

I am probably the last person in the Web Universe to find out about this, but I wanted to post this information just in case.

Hubble Photo of the Andromeda Galaxy

According to Christo Van Gemert at htxt.africa, Apple has recently released “Secure Coding Guide for Developers” to help   develop secure software.  This PDF file can be downloaded for free: https://developer.apple.com/library/ios/documentation/Security/Conceptual/SecureCodingGuide/SecureCodingGuide.pdf.

It would seem that Microsoft would have similar informatioin, but I am unable to locate it.

I do hope what I have posted here helps somebody!

Leave a Response »

 

9 tips to make your WordPress blog more secure Thursday, Jan 8 2015

by Anirban Banerjee

Jun 5, 2014

Easily one of the most popular blogging platforms preferred by the amateur and professional alike, WordPress has many advantages over its competitors. However, its relative ease of use and many attractive themes and capabilities must be enhanced by WordPress security and protection, so that your website doesn’t fall victim to malware attacks that exploit weaknesses in coding – or anything.

In the spirit of WordPress security, then, consider these nine tips to keeping your site up-and-running well:

1. The first tip is to take a proactive approach regarding unused plugins, themes and other additions stored in your WordPress content directory; they are almost certainly outdated, which makes them susceptible to hackers and their bots. Software makers update their programs precisely because updates eliminate holes that can be exploited. Basically; discard your old unused stuff and get the latest versions of the new ones.

2. The second tip for better WordPress security is quite general for anything you do online requiring your personal details; this doesn’t make it any less significant, however. Use a maximally strong password. This means alternate capital letters, numbers and special characters. Furthermore, if you have multiple websites up, make sure you use a different password for each one; in fact, there are powerful password-generation plugins available for WordPress protection.

3. Research forums and other reputable online communities for information on the best anti-spam plugins for WordPress security. Make sure you understand how well-written the code is for any plugin you do end up installing.

4. Avoid doing things that used to be standard, such as keeping the “admin” name as your default. Updated WordPress themes and directories don’t usually have this for a reason – they were a common target for website exploitation. Similarly, don’t start the name of any of your directories with the wp prefix.

5. Connecting to your WordPress sites via public WiFi access can give any snoopers access to your username and password. Avoid doing this unless you have your own secure SSL connection socket for added protection.

6. If you’re not very web-savvy, and find yourself overwhelmed by the prospect of trying to decipher the signs of a blog compromise, there is affordable professional help available. Web security solutions are provided by robust malware monitoring and removal products likeStoptheHacker, which is a 24-hour sentinel that protects your systems.

7. While not exactly in the category of security, backing up your WordPress site is definitely in the realm of protection from future attacks. If all goes wrong, this copy can save you invaluable time and money in getting back up to speed, or moving your operation to another web host.

8. Hackers want to get into your private details more than anything else, because this will allow them to take over your website for their own personal gain. One useful way to impede this is to erase information regarding the version of WordPress you’re using, which can be done by deleting the appropriate meta tag description.

9. A simple but powerful WordPress security measure comes in the login section. If you have multiple users contributing to your site; or even if it’s just you, implement a lock-down plugin that stops multiple login attempts, which may signal a bot trying to gain access by trying many passwords.

http://www.dreamhost.com/dreamscape/2014/06/05/9-tips-to-make-your-wordpress-blog-more-secure/

Leave a Response »

 

How To Hide The Fact That Your Website Runs On WordPress Monday, Dec 8 2014

Posted by KeriLynn Engel on Dec 07, 2014 09:00 am

Security is always top concern when you’re running a website.

But… sometimes all the hubbub over hacking seems a little over the top. All the scary stories about big businesses like eBay, Target, Adobe, Steam, and others who have suffered big data breaches can feel like fear-mongering. Surely hackers won’t go after your website when they have such big fish to fry?

The post How To Hide The Fact That Your Website Runs On WordPress appeared first on Elegant Themes Blog.

The data, unfortunately, tells us otherwise. Smaller websites are hacked just as frequently as big ones, with almost half of small businesses reporting being hacked, their resultant costs averaging $8,700.

And those are only the businesses who are willing to report being hacked. It’s probable that others keep their vulnerability a secret, not wanting their users to lose their trust in their ability to keep private data safe and secure.

Even if you only take into account reported instances, tens of thousands of websitesare hacked every day, and many of them don’t even know they’ve been hacked and that their websites are being used to spread malicious code.

As a WordPress user, you’re using one of the most secure content management systems available. But no CMS is 100% invulnerable, and hackers are evolving their methods just as fast as developers can patch vulnerabilities.

You may have heard that hiding WordPress is the best way to keep your site secure from hackers and bots.

There’s actually quite a bit of debate among developers and security experts about this practice.

I’ll go over the pros and cons of both sides and the reasoning behind them, and leave it up to you to decide if hiding your CMS is right for your website.

Then we’ll talk about how you can obscure your implementation of WordPress.

Let’s get started!

Isn’t WordPress Secure Enough Already?

WordPress is known for being a very secure content management system (CMS). Security issues are a top concern of WordPress core developers, and the software is patched and updated regularly to address any vulnerabilities that arise.

The security of WordPress is one of the reasons for its popularity. WordPress is now one of the most popular content management systems on the web, used for tens of millions of websites around the world. Even big websites like CNN, The New York Times, eBay, and Mashable use WordPress for their blogs.

But just the fact that you’re using WordPress for your website doesn’t make your website invulnerable to hackers.

In fact, its very popularity is what makes it a popular target.

Hackers know that millions of websites that are using WordPress aren’t using the best security measures to keep their sites secure. Many of those sites are using weak passwords, outdated versions of WordPress with known vulnerabilities, or old and insecure plugins and themes. Hackers know there they’ll have plenty of targets out there once they discover those vulnerabilities and create a way to exploit them.

The most common ways that hackers attack WordPress sites are with brute force attacks or HTTP requests.

Brute-force hackers use software to try to gain access to your website by guessing at your password until they get lucky and break in. Often, simple countermeasures like requiring CAPTCHA or 2-step verification on login can easily stop brute force login attempts in their tracks.

Another common category of hacker attacks are specially-crafted HTTP requests sent to your server. These requests are designed to exploit specific vulnerabilities which are often caused by outdated or insecure software, themes, or plugins. Anything contained in your wp-content directory, whether active or inactive, can potentially introduce security vulnerabilities to your website that knowledgeable hackers can exploit to disable or gain access to your blog.

Why Hide WordPress?

Here’s where the debate comes in.

But first, let’s get our terminology straight: Sometimes people mean different things when they say they’re hiding WordPress.

What’s usually meant by “hiding WordPress” is that you’re attempting to obscure the fact that your site runs on WordPress from any person or bot that attempts to identify the CMS.

But hiding WordPress could also mean just trying to hide which version number of WordPress you’re using, or changing permalinks, file names, subdirectories, etc. to hide them from bots.

Is hiding WordPress worth the effort? Depends on who you ask.

The fact is, there’s no way to completely obscure the fact that your website runs on WordPress. A tech-savvy person who knows enough about WordPress will be able to detect your CMS using any number of means.

Even if you’re just trying to hide your WordPress version number, there are a multitude of ways to discover what WordPress version you’re using just by being familiar with the differences between versions.

And security experts warn that security through obscurity is a discouraged practice, since it can encourage laxness in addressing vulnerabilities if you think no one can find them: “The security of a system should depend on its key, not on its design remaining obscure,” security engineer Ross Anderson wrote.

Does that mean it’s a waste of time to hide WordPress?

Maybe, maybe not. It won’t help you to foil a dedicated hacker that’s targeting you specifically.

But the majority of hacking attempts are made by bots, and you may be able to foil hacker bots by obscuring your WordPress installation. Just by changing some default permalinks, you may be able to protect your website against things like brute-force attacks, SQL-injection, and requests to your PHP files.

Other WordPress Security Measures

Hiding WordPress by obscuring a few permalinks and files can be a good security measure, but it’s not your only option, and it shouldn’t be the only action you take to protect your site.

There are some basic WordPress security tips you can easily follow to keep your site more safe from hackers, without hiding WordPress:

• Always use strong passwords.
• Always keep your WordPress core updated to the latest version.
• Keep all your themes and plugins updated, delete inactive themes and plugins, and stop using any themes and plugins that are no longer being updated.
• Consider protecting your login page from brute force attacks by requiringCAPTCHA and/or 2 factor authentication.
• Consider installing an all-in-one security plugin like iThemes Security or Bullet Proof Security.

(If your website’s already been hacked, check out this great guide by Nathan B. Weller here on ElegantThemes to find out how to fix it: “Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked.”)

How to Hide the Fact You’re Using WordPress

So you’ve decided you still want to try to hide the fact that you’re using WordPress from your visitors as well as potential hackers and bots.

How exactly do you go about it?

There are plenty of tutorials out there for hiding just your WordPress version number, but I’m not going to rehash those for a few reasons:

• If security is really your goal, you should always be updating to the latest version anyway.
• The WordPress version number shows up in a multitude of places in various files, so it can be difficult and time-consuming to obscure them all, and not worth the effort, because…
• Even if you do manage to erase every mention of your WordPress version number, there are still plenty of ways someone can find out what version of WordPress you’re using.
• Obscuring your version number won’t protect you from bots, either. Bots don’t generally check to see what version of WordPress you’re using; they just go straight for the vulnerability they’re targeting. If you keep your WordPress core updated, they won’t find it. And if you’re using an old version of WordPress, theywill find it regardless of how well you try to hide your version number.

Still determined to hide the fact you use WordPress? It could be that you have a client demanding you hide WordPress for them, or maybe you think that your business looks unprofessional using blogging software to run your website.

In that case, I recommend a premium plugin called Hide My WP, available on Code Canyon. It works well as a general security plugin, and will hide the fact that you’re using WordPress by changing your permalinks without making changes to the actual locations of your files.

Hide My WP has a number of features that improve your WordPress security:

• Changes permalinks of files (like wp-admin) to obscure them from bots
• Removes meta info (like version number) from your headers and feeds
• Controls access to your PHP files
• Changes the default subdirectories of vulnerable folders like wp-content
• Changes query URLs to protect from SQL injections
• Hides files that can give hackers information about your WordPress installation (like readme.html or license.txt)
• Gives you the option to disable specific archives, categories, tags, pages, posts
• Notifies you of security risks with the new “Intrusion Detection System”

Hide My WP is also compatible with many other popular WordPress security plugins. It’s rated 4.5 out of 5 stars on Code Canyon, and the plugin author is very timely to respond to support requests.

Are You Hiding Your WordPress Installation?

Back to you!

After reading the pros and cons, are you determined to hide the fact that your website is powered by WordPress? What steps have you taken to obscure your CMS, and how well have they worked for you? Share in the comments below!

By KeriLynn Engel

KeriLynn Engel is a freelance business writer and professional blogger with a passion for WordPress and all things Internet. She writes about technology, women’s history, and other topics for a variety of websites & businesses.

One Response »