Security

Moving Your Site to HTTPS

HTTPS (HTTP with an S for “secure”) is an internet communication protocol that protects your users’ connections to your website. Data sent over HTTPS is protected in three ways:

  1. Encryption: while the user is browsing a website, nobody can see their conversations, track their activities on the website, or steal their information.
  2. Integrity: data cannot be tampered with as it travels from your website to the user’s computer and vice versa.
  3. Authentication: ensuring that your users are really communicating with your website. This layer prevents man-in-the-middle attacks and stops attempts to lure your users into connecting to a fake site or downloading falsified files.

While the purpose of enhancing security is certainly a very good reason to move your website to HTTPS, consider that this could also slightly improve your website’s ranking.

TL;DR – How to activate HTTPS on eQPress

If you have already generated an HTTPS certificate for your website, you can install it via the Deflect dashboard. Once you have followed the procedure to install your TLS certificate, your website will be accessible over HTTPS.

If you don’t have an HTTPS certificate yet, you can contact us through the Deflect dashboard or send us an email and we will generate it for you.

Keys and Certificates

For TLS (formerly SSL) to work, you need a private key and a public key. Once a certificate authority has signed your public key, it becomes your certificate. The private key and the certificate need to live on the server that hosts your website, so that the web server software that sends your pages to visitors can also establish the secure (TLS) connection to their browsers. If you know how, you are free to generate your keys yourself and then send them to us through the Deflect dashboard. Otherwise, we are happy to generate the key pair for you.

Certificate Authority

To generate a free certificate signed by a certificate authority, the easiest way is to use Let’s Encrypt, a free, automated, and open certification authority run for the public’s benefit.

If you prefer to have your HTTPS certificate signed by a different certification authority, here’s a short list of services that will sign it for you:

  • RapidSSL
  • NameCheap

Analytics and Tracking

If you use analytics tools like Google Analytics, you will want to update the URL that you are tracking from HTTP to HTTPS. Make sure you do this both in analytics and Google Webmaster Tools.


Changing Your Database Password

We are serious about our passwords here at Deflect. You might have noticed the 23-character random password we generated for your WordPress admin user when we installed your site. That’s the kind of password that will keep your site safe from brute-force and dictionary attacks. The random.org site provides some tools for generating super long passwords.

So why would you ever want to change your database password? Typically you won’t ever need to, because during installation we set it to another unique random 23-character string. But there might be a good reason to change it. The one that comes to mind is Heartbleed. So, here we go…

Changing Your Database Password

Warning: Changing your database password can disable your site. Make sure you know what you are doing, or send us an email if you need help.

  1. Log into Adminer. For example, if your site is example.com then go to https://example.com/adminer/.
  2. You can get your DB username and current DB password by SFTP’ing to your site and looking in your wp-config.php file, which is located in the wordpress directory.
  3. Click on the “Privileges” link.
  4. Click on the “Edit” link beside “localhost”.
  5. Make sure the “Hashed” checkbox is unchecked.
  6. Use KeePassX or random.org to generate a long random password. Copy it and paste it into the Password field, then scroll to the bottom and click the Save button, and at the same time…
  7. Paste the password you just set in Adminer into your wp-config.php file on the line define('DB_PASSWORD', 'password');, replacing password with the new password. Do these two steps back to back: between the database change and the wp-config.php change, WordPress cannot connect to its database.
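An added helper for step 7 (example code written for this page, not part of eQPress or Adminer): it rewrites the DB_PASSWORD line of wp-config.php with correct PHP single-quote escaping, which matters because a random 23-character password can contain ' or \ and a bare paste of such a value breaks the file, and it refuses to touch a file where the define is missing or duplicated. The sample configuration is constructed; the file is replaced atomically so a crash mid-write cannot leave a half-written wp-config.php.

```python
import os
import re
import secrets
import shutil
import string
import tempfile

# Character set comparable to the 23-character random passwords the text describes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Matches the DB_PASSWORD define line, keeping the text before and after the quoted value.
DB_PASSWORD_RE = re.compile(
    r"""^(\s*define\(\s*['"]DB_PASSWORD['"]\s*,\s*)(['"]).*\2(\s*\)\s*;.*)$""", re.MULTILINE)

# Constructed sample of the relevant wp-config.php lines (not a real configuration).
SAMPLE_CONFIG = """<?php
/** MySQL database password */
define('DB_PASSWORD', 'oldpassword');
define('DB_HOST', 'localhost');
"""

def generate_password(length=23):
    """Return a random password of `length` characters drawn with the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def php_single_quote(value):
    """Escape a value for a PHP single-quoted literal: only backslash and ' are special there."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def set_db_password(config_text, new_password):
    """Return config_text with its single DB_PASSWORD define set to new_password."""
    if len(DB_PASSWORD_RE.findall(config_text)) != 1:
        raise ValueError("expected exactly one DB_PASSWORD define in wp-config.php")
    # A function replacement is inserted literally, so backslashes in the value survive.
    repl = lambda m: f"{m.group(1)}'{php_single_quote(new_password)}'{m.group(3)}"
    return DB_PASSWORD_RE.sub(repl, config_text)

def rotate_config_file(path, new_password):
    """Rewrite wp-config.php at `path` atomically (temp file, then rename) and return the new text."""
    with open(path, encoding="utf-8") as fh:
        updated = set_db_password(fh.read(), new_password)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(updated)
    shutil.copymode(path, tmp)  # keep the original file's permissions
    os.replace(tmp, path)
    return updated

if __name__ == "__main__":
    print(set_db_password(SAMPLE_CONFIG, generate_password()))
```

Generate the password first, set it in Adminer, then run rotate_config_file on the downloaded wp-config.php and upload it straight away.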

Removing the WordPress admin User

Brute-force login attempts are typically carried out against the “admin” user. “Admin” used to be the default username of the first administrator created when installing WordPress, but now the installation asks you what you want to name it, and on eQPress it will be your administrator’s name and surname (not necessarily the “official” ones!).

If you have an old WordPress installation that you have migrated to eQPress, though, your website could still have an “admin” user. By removing this user, you force the malicious hackers out there to guess not only your password but also your username. Here’s how to replace your “admin” user:

  1. Sign into your wp-admin as the admin user.
  2. Use the “Users->Add New” screen to create a new user.
  3. Provide a new username that’s not “admin”.
  4. The new user’s role must be set to “administrator”.
  5. Specify a super long passphrase. You can follow this guide to create a secure one.
  6. Click “Add new user”.
  7. Sign out as the “admin” user.
  8. Sign in as the new user.
  9. Delete the old “admin” user and assign all posts, pages and comments to your new admin user.

Protecting Your WordPress Website

Hosted behind the Deflect network, eQPress is designed to prevent your site from getting attacked or hacked. Security is best practiced as a series of countermeasures against known vulnerabilities or threats. We provide the essential underlying protective layers and the rest is up to you. There is no protection against a weak password, so…

The single most effective way to keep your WordPress website secure is to use strong passphrases. Use a password manager such as KeePassX, so you don’t need to remember those crazy long passwords. Alternatively, you can use your browser’s built-in password manager (but keep in mind that if you don’t protect it with a master password, all your passwords will be visible to anybody who can access your computer). To generate a long and random passphrase that is secure enough, you can use KeePassX itself or just click here to have 5 passwords generated automagically.

The eQPress Console plugin provides a feature to put your site into lockdown mode, which makes all files and directories unwritable by the web server.

If you want to check your website for known malware, blacklisting status, website errors, and out-of-date software, you can use one of these third-party scanners:


Antispam Recommendations

Spam is a bummer, as we’re sure most of you agree. Here are some antispam tools we’ve personally used. This first one is great.

Anti-spam

Pros

  • super simple, no configuration
  • integrates seamlessly with any theme
  • free

So far no cons. Crazy, right?

Another strategy is to use two plugins together. For example, we’ve had excellent results using Antispam Bee and Spam Free WordPress. Antispam Bee alone sometimes misses spam posted by a spambot, and since a blog can receive thousands of these per month, even a small percentage can mean quite a lot of spam removal to deal with. By adding Spam Free WordPress into the mix, you can pretty much eliminate automated (spambot) comment spam. Unfortunately, this plugin fails to catch some of the manual spam added by real people, which is where Antispam Bee shines, since it uses Project Honey Pot, which publishes a list of the top URLs, domains, and keywords being promoted by comment spammers. Project Honey Pot also publishes a list of the top IP addresses being used by comment spammers.

Plugins

Antispam Bee

Pros

Cons

  • doesn’t always work against automated (spambot) comment spam
  • support seems to be non-existent or only in German

Spam Free WordPress

Pros

  • blocks 100% of automated (spambot) comment spam
  • free

Cons

  • may need some work to fit in with your theme
  • can be tricked by human spammers (actual people paid to add spam manually)

Service

Akismet

Pros

  • free for personal use
  • integrates seamlessly with any theme

Cons
