Hacked websites are damaging businesses: there are 30,000 hacked websites every single day. Here are simple steps to ensure your website is secure and managed properly, to prevent a hack and to fix a hacked website.

15 actions to reduce email spam

Email spam is something we have to learn to manage. It cannot be stopped completely, but it can be very harmful. Here are 15 actions to reduce email spam so you can get on with your day.

Most mail servers will identify and block spam they consider a risk, but some will get through, so it is important to know what to look for and how to stop it.

Spam is designed to obtain financial gain, whether legitimately or illegally. Businesses should not be sending emails to your inbox without your consent, but this is happening.

Here are some practical steps to take to reduce spam and make sure you don't infect your PC or, worse, hand over your personal information.

What are spam emails?

In short, a spam email is an email sent to you without your consent. Someone has found your email address and is sending you emails you did not agree to receive.

Most of these emails contain marketing content, but some contain malicious links, blackmail or other content you would not want to receive.

Some well-known organisations will start sending you marketing content as soon as you hand them your email address, even though you have not officially agreed to receive emails.

Emails sent to you still need to comply with the law. The Privacy and Electronic Communications Regulations 2003 (PECR) stipulate that you must have consent to send someone an email, unless they are a customer.

The Information Commissioner's Office (ICO) can investigate identifiable UK businesses sending spam and has partnered with organisations overseas, so you can contact them.

Unsubscribe from emails you do not wish to receive

If a business starts sending emails you did not agree to, the first thing to do is unsubscribe. There should be a link at the bottom of the email.

The emails should stop; if they do not, write to the company to complain or ask the ICO to investigate.

I would suggest you do not reply to the email you received; find the legitimate contact email address on their website.

Email Encryption and Security

According to the EU, workers send out on average around 122 work-related emails per day, and under the EU GDPR companies are bound by law to protect personal information.

Your mailbox can contain a lot of personal data that you are not aware of, so it's imperative that your mailbox is secure.

The GDPR requires “data protection by design and by default,” meaning organizations must always consider the data protection implications of any new or existing products or services.

End to end encryption services are growing and cloud based encryption offers a strong technical solution.

Under GDPR, data can only be stored and held for so long; then it needs to be deleted.

Under the EU GDPR there are six rules for managing someone's data:

  1. Consent must be “freely given, specific, informed and unambiguous.”
  2. Requests for consent must be “clearly distinguishable from the other matters” and presented in “clear and plain language.”
  3. Data subjects can withdraw previously given consent whenever they want, and you have to honor their decision. You can’t simply change the legal basis of the processing to one of the other justifications.
  4. Children under 13 can only give consent with permission from their parent.
  5. You need to keep evidence of consent.
  6. You must have a “legitimate interest” to process the person’s data.

GDPR also requires that data is protected “against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

The reason I refer to the EU GDPR is that its rules are a lot stricter, and I have noticed a considerable increase in spam since Brexit.

Actions to reduce this type of spam

There are actions you can take to reduce this type of unwanted marketing email:

  1. Be mindful of who you give your email address to.
  2. Keep personal and work emails separate.
    • e.g. do not do internet shopping using your work email; use Gmail or Yahoo.
  3. Use a separate email address for registering for things.
  4. Choose an email address that cannot be guessed.
    • Some spam is sent by people who do not know your email address; they are guessing.
  5. Do not reply to spam emails.
  6. Use security software on your computer and on the server hosting the emails.
  7. Use the junk/spam filter in Outlook or your email client.
  8. Before giving your email address to unknown businesses, read their privacy policy to see what they do with your personal information.
  9. When signing up for something, look for a check box that has been automatically selected.
    • Read it and uncheck it if you disagree with the statement.
  10. Mark spam as spam AND delete all spam emails.
    • Keep your inbox clean of all spam.
  11. Do not forward anything to anyone unless you know exactly what you are forwarding.
  12. Make good use of Google's CAPTCHA on websites with email forms.
  13. Hide your email address.
  14. Check for spelling mistakes in emails; an email full of them is spam, so mark it as spam and delete it.
  15. Hover over the sender's email address to check where it's from.

Security threat spam to be aware of

An unwanted marketing email from Vodafone can just be deleted, but here are the types of spam email you need to be aware of and handle with care:

Trojan Horse

Trojan horses come disguised as a legitimate program. Even if you think you know how to verify whether an email is legitimate, a trojan horse uses deception to get past those defences.

For instance, they can hide inside free software downloads or arrive as an email attachment, possibly from someone you know.

When you open the email, the trojan installs malicious code — typically spyware or viruses — designed to create problems on your computer.

It may allow an attacker to control your computer, lock you out, or steal your data, account information or email addresses. Installing anti-malware software may help you catch these trojans.

To help avoid trojan horses, avoid clicking on pop-up messages on your computer. If you are seeing a lot of pop-ups, consider running an antivirus scan.

Zombies

Zombies are a type of malware that also arrives in email attachments. They turn your computer into a server that sends spam to other computers. You may not know that your computer is compromised, but it may slow down considerably or the battery may drain quickly. Meanwhile, your computer may be sending out waves of spam or attacking websites.

One way to avoid zombies is to avoid opening attachments or clicking links in emails from your spam folder.

Phishing

Phishing emails usually imitate a real business, such as a bank, using the same branding, or they may look like another well-known business. The phishing email will ask you to enter your details, but you are giving them to a scammer.

Vishers will ask you to call them on a phone number that looks very legitimate but is in fact a scammer posing as the bank and asking for your personal information.

Hover over the sender's email address or call the business directly to verify it. Delete the email if you know it's not legitimate.

If it is a vishing attempt, check and verify that the phone number is legitimate.

If you don't recognise the caller, let them leave a message, then verify the phone number they leave using Text Magic:

https://www.textmagic.com/free-tools/phone-validator

Fake offers

Fake offers are a good way for cyber thieves to get you to take action. Who doesn't want to win lots of money? Maybe the email says you have already won a prize.

You haven't just won a car or £100,000; it is a scam.

If it is urgent, that is a red flag, as these emails are designed to make you take action.

Summary

For business email, your host provider will be monitoring and managing messages identified as spam, so many of them should not even reach your mailbox as they are blocked at the server firewall.

If they get through, always mark a spam email as spam to prevent it from getting through again. Then delete it from your PC.

Keep your mailbox free from spam.

Since the UK left the EU, the new UK GDPR rules are not as stringent on unsolicited emails, but make sure you understand the new rules, and if you see a sudden surge in spam emails in your work inbox, contact your host provider.

We use Cloudflare's hosting service, which blocks a lot of spam, and the servers we use have a good firewall, but some will slip through, so be vigilant and have good security on your computers.

Malwarebytes offers a great computer scanner to find viruses and remove them.

If you are having issues then please get in touch and we will see if we can help you.

Hacked websites

Has my website been hacked? What to do

The first thing to do if you feel your website has been hacked is not to panic. It can be resolved; we just need to go through a few steps to identify the issue and start to fix it.

It is very important that you deal with it straight away. Do not delay: the faster it's resolved, the less damage will be done.

Once the website has been cleaned and is back up, we make sure it doesn't happen again by tightening the security.


Why do people hack websites?

One of the questions I get asked a lot is "Why do people hack websites? What do they gain from it?"

Some people will hack your website just for their own amusement; they like the challenge and enjoy wreaking havoc on those they perceive as less knowledgeable about coding than they are.

They may be rookies hacking to impress others in their community.

You may see a sign on your website saying "hacked by a hacker". The world is full of those that are useful, and those that are not.

They may leave some nasty malware on your website files for you to find.

A lot of the issues come from bots, sent out by humans, that crawl websites looking for a way to access and infect them.

Here are a few more reasons people spend time hacking websites.

1. Host their own content on your website

Hackers will use your website to host their own pages and product images with links, e.g. Amazon affiliate links.

2. Host phishing pages on your website

A fake web page will appear on your website with the sole purpose of phishing for personal data.

They may add a form to your website and ask visitors to enter all their personal information.

3. Add harmful virus

Bots and humans upload malicious code and files to the file manager with the sole purpose of stealing data from visitors and spreading the virus.

4. To break a website

If you are writing articles that are contentious, e.g. writing about a vaccine that others don't agree with, they may just want to take the site down.

You may be a successful business and others may want to harm your business.

5. Steal money

Hackers will seek vulnerabilities for the sole purpose of stealing money. This depends on the type of website you are running.

6. Steal data

Your website might have data that the hackers would like to use, so they attempt to steal it.

7. Steal server bandwidth

Bandwidth theft is when someone uses the server bandwidth you are paying for to host and load images they have stolen from you and put on their own website.

Some host providers have a cap on bandwidth so bandwidth can be pricey.

Other websites use the images from your website, loaded via your URL, to publish on their own site.

This practice is called hotlinking.

Tools to scan your website for malicious code

If you are able to log in to the WordPress website, add the WordFence plugin and run a scan.

WordFence has a tool that scans and repairs files at the click of a button.

There is a virus scanner in cPanel you can use to scan the web root and emails.

Have I Been Pwned?

Have I Been Pwned is a trusted website that holds the data from security breaches and the accounts affected.

The search tool is a quick check to see if your email has been included in a security breach.

Sucuri Security Scanner

Sucuri is one of the top WordPress security plugins and offers a search tool to scan a website for any suspicious activity.

Abuse IP

You can check your raw access logs for IP addresses to see if any banned IPs are accessing your WordPress files, and check the domains in your spam folder in AbuseIPDB.
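
One way to pull candidate addresses out of the raw access log before looking them up in AbuseIPDB is to count, per IP, the POST requests to wp-login.php and xmlrpc.php (the two endpoints used for password guessing). This is an added shell example, not code from the original article; the log lines are constructed sample data in Apache combined format, and the IP addresses are documentation ranges.

```shell
# Added example (not from the original article): count login and XML-RPC
# POST requests per client IP in a cPanel raw access log (Apache combined
# format). The log below is constructed sample data, not real traffic.

SAMPLE_LOG='203.0.113.7 - - [10/Jan/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2022:10:01:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8841 "https://example.co.uk/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2022:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.co.uk/wp-login.php" "Mozilla/5.0"'

# login_attempts THRESHOLD < access_log
# Prints "count ip" for every IP with at least THRESHOLD POST requests to
# wp-login.php or xmlrpc.php, busiest first. A real user logs in once or
# twice; a guessing bot produces dozens in a short window.
login_attempts() {
  awk -v min="$1" '
    # $1 = client IP, $6 = quoted method ("POST), $7 = request path
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -rn
}

# Demo on the sample log; on a server use: login_attempts 20 < access_log
printf '%s\n' "$SAMPLE_LOG" | login_attempts 3
```

Feed the IPs this prints into the AbuseIPDB lookup mentioned above; an address that is already widely reported can be blocked in the security plugin or at the host firewall.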

Four website checks to make

You can run a quick website audit:

  1. Run through your website, checking its speed and checking the pages.
  2. Search for your business in Google and check the metadata for Japanese text or metadata unrelated to your business.
  3. Run your website through Google Safe Browsing.
  4. Check your notification emails to see if you are receiving unusual emails.

Actions to take if your website has been hacked

Contact your host provider to see if they can assist you. Hosting companies offer different levels of service: some just offer the hosting and that's it, others will be more proactive and give you advice.

  1. Change all passwords: website, email and hosting accounts.
  2. Restore a backup.
    • If your host provider uses Jetpack you can restore the files from a date prior to the hack, so identify the date of the hack and restore the files and database from before it.
    • Your host should be creating regular backups; if not, you should manually back up the files and database.
  3. Upload a fresh WordPress install. Malicious files are usually placed among the WordPress core files, so replacing the core files with new ones may overwrite the hacked files.

Summary

1.6 million WordPress websites were targeted by 16,000 IP addresses last year in a targeted attack on plugin vulnerabilities and WordPress settings.

It was WordFence that picked up the attack, and it has the data to show where the attacks were targeted.

It shows how the hackers are quick to spot a security gap in which to jump in and seize control. It is important when working with WordPress that you are fully aware of the security protocols or delegate this to someone.

All themes, plugins and WordPress versions need to be kept up to date, and the basic principles of not letting anyone register as an Administrator and not using admin as a username must be followed.

If you need help fixing a hacked website then contact us.

20 Security Essentials WordPress

20 security essentials for WordPress

If you choose to create a WordPress website yourself, there are a lot of security tasks you may not be aware of, so here are 20 recommended security essentials when working with WordPress.

30,000 WordPress websites are hacked every day so it is a huge problem and most people are not aware of the scale of the problem. WordPress is one of the simplest and cheapest platforms to create a website as it is Open Source with lots of amazing free themes.

The WordPress developers are making the software more secure, but the hackers are as slippery as eels, so they learn to get around just about anything.

If you have been hacked and need some help, please contact us immediately as it needs to be fixed swiftly to minimise long term damage.


1. Secure hosting service

The most fundamental element of a good website is the server the website is hosted on. The quality of the server is of utmost importance, not only in terms of keeping personal data secure but for all the additional services, e.g. tracking emails, logging of IP addresses, server access etc.

Do not pick a host provider on price alone. If you do not have the technical knowledge to understand what you are getting from your host provider, then either research it or ask the questions.

Your host provider is tasked with ensuring the servers are secure, high spec and operating at high speed for the websites hosted on them.

The hosting we offer uses cPanel, with all the additional functionality cPanel has to offer.

2. Cloudflare

We discovered Cloudflare many years ago and continue to use their service for all our websites. Cloudflare aims to make the internet more secure.

Cloudflare offers another layer of server protection and speeds up websites.

The Cloudflare firewall (WAF, web application firewall) is second to none at monitoring activity and blocking malicious attacks, and it keeps millions of websites safe.

Website - Cloudflare - server

Cloudflare has become a highly sophisticated cloud hosting solution we recommend for all WordPress websites.

3. HTTPS encryption

We made HTTPS mandatory following the Google announcement in July 2018 that visitors using Chrome who land on a site without HTTPS will get a warning saying 'site is not secure'.

We took this to mean that sites without HTTPS would be downgraded by Google, which is not good for our customers.

Every website should have https:// encryption as standard, not as an option.

4. PHP Management

WordPress is a Content Management System (CMS), which means the content is stored in, and updated through, a database.

This database could also be vulnerable to attack if the site is not using the latest version of PHP. The PHP developers work continuously to fix bugs, close security vulnerabilities and increase efficiency, so it is vital that the website is using the correct version.

We are using PHP 7.4 for our websites at the time of writing. Each PHP version is only supported for 2 years.

See the WordPress stats

5. Security plugin

Every WordPress website should have a security plugin that acts as a firewall and offers data on who is trying to access the site and functionality to improve the security of the website.

Our preference is WordFence but there are others you can try:

  • iThemes Security
  • All in One WP Security
  • Bulletproof
  • Sucuri

WordFence's basic features are free to use and quite extensive for small websites. They include the following:

  1. 2 Factor Authentication
  2. Whitelist IP addresses
  3. Permanently block IP addresses
  4. Turn off XML-RPC (xmlrpc.php)
  5. Email notifications of IPs trying to access the site
  6. A scan that picks up file changes and offers a repair tool
  7. Hides the WordPress version

There are lots more functions and WordFence developers offer lots of training and updates so they are a company to trust.

6. Turn off XML-RPC (xmlrpc.php)

xmlrpc.php has become quite a problem as a target for brute force attacks, so the cons outweigh the benefits of this function. Switch it off.

We switch this off in WordFence, but there are ways to do this with other security plugins.

7. Hide WordPress version

It is easy to tell the WordPress version of a website just by looking at the page source. The WordPress version may indicate to a potential hacker that this site is out of date, so potentially their next victim.

Hiding the WordPress Version is just another deterrent to hackers.

8. Database security

To create a new WordPress install you first have to create a database.

When you create the database, give it a unique, random name, and do the same for the username; make it random, with a good, strong, long password.

(Don't call the database the same name as your business.)

When loading a new WordPress install it is recommended to change the database prefix from wp_ to something else, e.g. rf_. When you go through the set-up process you will be given an option to change the prefix.

9. Secure login details

It is common practice not to use admin as your username for WordPress.

In fact, never use it! Create a unique username and a very strong password, and reduce the number of allowed login attempts from 20 to 3. Lock users out if they do not know their username or password.

It goes without saying, keep your login details safely secured.

If they forget, they can easily reset it using the reset-password link, which sends an email to their email address. A hacker won't receive this.

10. Add 2 factor authentication

We use 2 factor authentication to access Facebook and other services, so why not your most important asset?

You can switch on 2 factor authentication in WordFence using the Google Authenticator app.

You scan the QR code WordFence shows you with your iPhone, then enter the 6-digit code the app gives you into the website, and this gives you access to the website.

Only those with access to your iPhone can get the code to access the site. Complete lockdown of access to the site via wp-admin.

11. Disable editing

Disable editing in the website dashboard. No-one except you and delegated colleagues should have administrator access to your website.

If you want people to write articles they should be given the correct access rights i.e. editor. Administrator access gives them FULL access.

12. File permissions

The files on the server have user permissions to read, write or execute.

The protocol for WordPress file permissions is:

Folders - 755

Files - 644

wp-config should be 440 or 400 (this file should not be readable)

Note - No directories should ever be 777.
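
To check a site against these values rather than inspecting each file by hand, the following shell function walks a WordPress directory and reports every folder that is not 755, every file that is not 644, a wp-config.php that is neither 400 nor 440, and anything world-writable. It is an added example, not code from the original article; the directory path in the comment is an example, and the demo at the end builds a scratch tree rather than touching a real site.

```shell
# Added example (not from the original article): audit a WordPress tree
# against the permissions listed above: folders 755, files 644,
# wp-config.php 400 or 440, and nothing world-writable (777).
# wp_perm_audit DIR prints one line per problem and returns 1 if any were
# found, 0 when the tree is clean. Example path: /home/user/public_html

wp_perm_audit() {
  dir=$1
  report=$(
    # every directory must be exactly 755
    find "$dir" -type d ! -perm 755 -exec printf 'dir-not-755     %s\n' {} \;
    # every regular file except wp-config.php must be exactly 644
    find "$dir" -type f ! -name wp-config.php ! -perm 644 \
         -exec printf 'file-not-644    %s\n' {} \;
    # wp-config.php holds database credentials and salts: 400 or 440 only
    if [ -f "$dir/wp-config.php" ]; then
      find "$dir/wp-config.php" ! -perm 400 ! -perm 440 \
           -exec printf 'wp-config-open  %s\n' {} \;
    fi
    # anything writable by "other" (the 777 case) is flagged on its own line
    find "$dir" -perm -002 -exec printf 'WORLD-WRITABLE  %s\n' {} \;
  )
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Demo on a constructed scratch tree; point the function at a real site instead
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/index.php"; : > "$demo/wp-config.php"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"     # the mistake the note above warns about
chmod 644 "$demo/index.php" "$demo/wp-config.php"
wp_perm_audit "$demo" || echo "permissions need fixing"
rm -rf "$demo"
```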

13. Hot linking

Hotlinking is happening more and more, but there are ways to stop this practice.

Hotlinking is when someone displays an image from your website on their website, but it is served using your server resources, not theirs.

It is stealing and a copyright infringement. You should have a copyright notice on your website so that you can take legal action against someone hotlinking. Check to see if your images have been hotlinked by using this Google search query:

inurl:yourwebsite.com -site:yourwebsite.com

Contact the sites that are hotlinking and request removal.
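
The Google query above finds pages that link to your images; the server's own access log shows who is actually loading them. As an added example (not from the original article), this shell function lists the referring hosts that request image files from your domain, which gives you the list of sites to contact. The domain example.co.uk and the log lines are constructed sample data.

```shell
# Added example (not from the original article): find hotlinked images in an
# Apache combined-format access log by listing image requests whose Referer
# is another site. example.co.uk and the log lines are constructed sample data.

SAMPLE_LOG='198.51.100.9 - - [10/Jan/2022:10:01:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8841 "https://example.co.uk/about/" "Mozilla/5.0"
203.0.113.50 - - [10/Jan/2022:10:05:00 +0000] "GET /wp-content/uploads/2021/product.jpg HTTP/1.1" 200 55120 "https://thief.example/shop" "Mozilla/5.0"
203.0.113.51 - - [10/Jan/2022:10:05:10 +0000] "GET /wp-content/uploads/2021/product.jpg?w=300 HTTP/1.1" 200 55120 "http://thief.example/shop?page=2" "Mozilla/5.0"
192.0.2.8 - - [10/Jan/2022:10:06:00 +0000] "GET /wp-content/uploads/banner.gif HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2022:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "https://other.example/" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2022:10:08:00 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8841 "https://www.example.co.uk/" "Mozilla/5.0"'

# hotlink_report OWN_DOMAIN < access_log
# Prints "count referer_host" for image requests referred from other hosts,
# busiest first. Requests with no Referer ("-") are direct loads, not hotlinks.
hotlink_report() {
  awk -v own="$1" '
    {
      # $7 = request path (drop any ?query), $11 = quoted Referer
      path = $7; sub(/\?.*$/, "", path)
      if (path !~ /\.(jpe?g|png|gif|webp|svg)$/) next
      ref = $11; gsub(/"/, "", ref)
      if (ref == "-" || ref == "") next
      # reduce the Referer URL to its host name
      host = ref; sub(/^https?:\/\//, "", host); sub(/[\/:].*$/, "", host)
      if (host == own || host == "www." own) next   # our own pages
      seen[host]++
    }
    END { for (h in seen) print seen[h], h }
  ' | sort -rn
}

# Demo on the sample log; on a server use: hotlink_report yourwebsite.com < access_log
printf '%s\n' "$SAMPLE_LOG" | hotlink_report example.co.uk
```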

14. Update Plugins, themes and WordPress

This is a very important website management task and should be actioned by either yourself, your web host provider or someone delegated to manage the website.

As a web host provider I update all my hosted websites; it is a service included in the hosting fee.

Most of my customers do not have the time or the inclination to manage their website updates, and it is important that the sites run effectively.

A plugin update might be related to a security issue, so it's important that the updates are carried out promptly.

Wordfence will send you a notification when plugins need updating.

15. WordPress security keys - salt

Check your WordPress files to ensure the salt keys have been added. You can update the salt keys at any time. They look like this:

define('AUTH_KEY', 'B>ibH`[hdA-;Avyr+ymv4ss7&[dTW~ZV&B5vXT|oe`ba>8zX8h#K*?88-aMLo(=K');
define('SECURE_AUTH_KEY', 'E={{n~BCOj[AGWjsHN?}_n%s*Nb8(~>Sb5FYYN6&&GZ|@))EC_~.{s(=.(jB6bn7');
define('LOGGED_IN_KEY', 'X9jV?BlMq9}hN8uTyiwK*g~`~JKAm(wGbQTI7t@TnUUiB]Mt_rc}H0@?W$&`i!m6');
define('NONCE_KEY', '(Ei20?b/[m2W9rQHi/.iC2T$Xa_B|F|(*@UXWQJNn^e7<^WwpruSTxhhG%`cg+*.');
define('AUTH_SALT', 'Oy[!y~2@~5mygYU6v}R XgCn],SO5UPI/*44-Vn-SM3)7oFE,sW:y-k1|d{7<aq)');
define('SECURE_AUTH_SALT', '54V` 2Hl+u&eB+=NLvVv{e+e$8RsyB+o$Sh3!q.XGSJ8!&I~_I{mmV0h5/ O3d8|');
define('LOGGED_IN_SALT', '-|=YwQ!KDs!p6hwKwQeSa-w]C}WH?NyIa@vLd:B-tV~O0d>u>3LI-](%OXd5!WYA');
define('NONCE_SALT', '10u`OC>khqe7-h/7G&7Plei=HyjpT-0[1,Vq?3-)%y>xh1;4DPuU%ic_Uf/X|]]k');

Make sure these keys are included; if not, copy and paste new ones from the link below.

Salt keys

16. Rename login

By default we log in to a WordPress website at https://website.co.uk/wp-admin

Everyone knows this, including the hackers, so to keep the website more secure we change this to a different name, e.g. main or work.

To do this we can load a plugin that changes the login URL.

We highly recommend this for sites being targeted.

17. Computer must have security installed

None of what you do online will be secure if your computer is hacked and all your passwords are stored on it.

Norton is good, but there are others you can use. Always invest in computer security, because once they are in and your PC is infected it becomes a serious issue.

18. Store backups - Jetpack

We have Jetpack installed on our server, so all the websites have a daily backup of their files, database and email.

If your website is hacked on 10th January, we can just restore the website from 8th January pre-hack and the hack will be clear. We will find the culprit and report them.

If you don't have cPanel you must have a backup plugin, e.g. Backup wp.

You can manually back up your website by making a zip of the files and downloading the database.

19. Monitor and get security alerts

Set up email notifications for when anyone accesses the site, changes the files or adds new users to the site.

WordFence will notify the main admin of any important security alerts.

20. Http security headers

You can check your website for security headers here.

Summary

We are the internet generation, where goods and services are now mostly traded online, payments are made online and we market ourselves online, hence we will find more and more pilfering and opportunists.

One site I recently cleaned was hacked just to add Amazon links. People are so desperate to get their commission that they hack legitimate websites to get the click-throughs.

In December 2021 over 1.6 million websites were attacked by 16,000 IP addresses.

If you follow the rules and monitor your website you will manage to keep them at bay, but you do need to be proactive. We manage our websites daily and monitor activity, so if you want to hand your website over to us then get in touch.

If your website has been hacked, get in touch and we will fix it for you.
