Ransomware

Ransomware is on the rise — here’s how you can protect yourself

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Wikipedia

Ransomware is a hot topic right now, not only in the tech press, but in the mass media too, because of crippling attacks on companies like Colonial Pipeline, which recently found its systems hijacked by profit-seeking attackers. But it’s not just big companies, governments, and hospitals that are suffering from the scourge of ransomware: the bad guys are going after smaller targets, too, including small businesses, home NAS (Network Attached Storage) systems, and personal computers.

Though the future that many cybersecurity experts were worried about years ago has sadly arrived, there’s a lot users can do to minimize the likelihood that they’ll become the victims of ransomware. Improving your cybersecurity posture is a very rewarding pandemic-related activity that will leave you feeling happier and healthier. Here are my top recommendations for protecting yourself and your data from threats like ransomware.

1. Backup, backup, backup

If the worst should happen and you do fall victim to malware, you’ll be able to recover your precious data without paying the ransom if you have backups. Your backup strategy should be multifaceted, encompassing both local/onsite and remote backups. For example, you could use Apple’s Time Machine to automatically back up your Mac to a network drive or external hard drive, and you could use Backblaze to automatically back up that same Mac to a remote datacenter. Mobile devices can be backed up, too, using tools like iMazing or the Android Debug Bridge (adb). Take advantage! One caveat: ransomware encrypts everything the infected machine can write to, and a backup drive that stays permanently mounted is just another writable volume. Keep at least one copy disconnected, or on a service that retains earlier versions of each file, and test that you can actually restore from it. Backups will not only help defend you against the risk of ransomware, but can help you in the event of other catastrophes, like loss/theft or a disaster like a house fire or tornado.
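One way to keep a backup job from faithfully copying freshly encrypted files over your last good copy is to sanity-check the source tree before the job runs. The script below is an added example, not code from the original post or from any of the products it mentions. It plants a couple of canary files whose hashes are recorded, then refuses to proceed if a canary has changed, a ransom-note-style file name has appeared, or files that should be plain text now have the near-8-bits-per-byte entropy of ciphertext. The ransom-note names, the text-file extensions, and the 7.5-bit threshold are illustrative choices made for this example.

```python
"""Pre-backup sanity check: refuse to overwrite good backups with encrypted data."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Illustrative ransom-note file names, constructed for this example
# (not a threat-intelligence feed).
RANSOM_NOTE_NAMES = {"readme_to_decrypt.txt", "how_to_recover_files.txt"}
# Extensions whose contents should look like text, not ciphertext.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text is roughly 4-5, ciphertext or compressed data is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: Path, names=("aa_canary.txt", "zz_canary.docx")) -> dict:
    """Write decoy files that sort first and last in the tree; return {path: sha256}."""
    manifest = {}
    for name in names:
        p = root / name
        p.write_bytes(b"canary " * 64)
        manifest[str(p)] = sha256_file(p)
    return manifest


def check_tree(root: Path, manifest: dict, entropy_threshold: float = 7.5,
               sample_limit: int = 500) -> dict:
    """Return findings; 'safe_to_backup' is False if anything looks like mass encryption."""
    tampered = [p for p, digest in manifest.items()
                if not Path(p).exists() or sha256_file(Path(p)) != digest]
    notes, high_entropy, sampled = [], [], 0
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in RANSOM_NOTE_NAMES:
            notes.append(str(p))
        if p.suffix.lower() in TEXT_SUFFIXES and sampled < sample_limit:
            sampled += 1
            head = p.read_bytes()[:4096]          # the first 4 KiB is enough to judge
            if len(head) >= 256 and shannon_entropy(head) > entropy_threshold:
                high_entropy.append(str(p))
    return {
        "safe_to_backup": not (tampered or notes or high_entropy),
        "tampered_canaries": tampered,
        "ransom_notes": notes,
        "high_entropy_text_files": high_entropy,
    }


def demo() -> tuple:
    """Simulate a healthy tree, then a mass-encryption event, in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "notes.txt").write_text("quarterly report draft " * 40)
        manifest = plant_canaries(root)
        before = check_tree(root, manifest)
        # Simulate ransomware: documents replaced by ciphertext, ransom note dropped.
        (root / "notes.txt").write_bytes(os.urandom(4096))
        (root / "aa_canary.txt").write_bytes(os.urandom(512))
        (root / "README_TO_DECRYPT.txt").write_text("pay us to get your files back")
        after = check_tree(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("healthy tree ->", before["safe_to_backup"])
    print("after attack ->", after["safe_to_backup"], after)
```

Run `check_tree` from a wrapper around your backup command and skip the job (and alert yourself) when `safe_to_backup` is false. The entropy test is a heuristic: legitimately compressed or encrypted archives will trip it, which is why it is restricted to extensions that should contain text.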

2. Embrace the three big cybersecurity wins

The three big cybersecurity wins are:

  • Insist on encryption: Your data should not be stored or transmitted in the clear. You should encrypt your computer, your mobile devices, even your remote backups. Modern operating systems and applications make this fairly straightforward, for the most part. For example, Windows offers BitLocker, macOS offers FileVault.
  • Adopt a password manager: It’s better if you don’t know your passwords. That way, they can’t be weak and guessable. Let a password manager generate, store, and autofill your passwords for you. I can’t say enough good things about 1Password, my password manager of choice.
  • Deploy multi-factor authentication: From Facebook to Gmail to Twitter and LinkedIn, your accounts should be protected with multi-factor authentication, also called two-factor authentication, or 2FA. You can use either a hardware security key like a YubiKey or an authenticator app like Authy as your second factor.

3. Build a firewall for your whole network

You spend more of your time at home than anywhere else, and it’s also where most of your Internet-connected devices probably are: your tablet, “smart” TV, Blu-ray player, personal computers, and “Internet of Things” gadgets, if you own any. These all need protecting. A network-based security strategy makes a lot more sense than a device-only strategy, because it’s all-encompassing and doesn’t require any software to be installed on each device (many of which can’t run security software at all).

This is where tools like Firewalla and pfSense come in.

Firewalla is a really nifty hardware based firewall. It’s a small box that you hook up to your router. Once you plug it in, it starts watching your entire home network like a hawk, and reports back to you using a mobile app for iOS and Android. It can block attacks, quarantine new devices automatically, and monitor what your vetted devices are doing. It comes in several flavors. The Blue Plus version ($199) is ideal for most home users.

Firewalla also offers ad blocking.

Its ad blocking tech is not as good as Pi-hole’s, but fortunately, if you like Pi-hole and are already using it, or want to use it, it is compatible with Firewalla. The two solutions can be used together. Just tell Firewalla not to monitor Pi-hole, and ensure Firewalla’s ad block tool is turned off.

You can even use Firewalla to set up policies to block social networks and gaming at certain hours if you want to reclaim family time.

Best of all, the team behind Firewalla is actively engaged in making it better. It regularly sees new releases, and you don’t need a subscription to use it. You just buy the hardware once and get free updates from then on.

pfSense, meanwhile, is a great choice for more advanced users.

4. Keep your devices and browsers up to date

New software vulnerabilities are being discovered all the time in all major operating systems and browsers, from Windows to macOS to GNU/Linux distros. It’s important to stay current, and the best way to do that is to turn on autoupdates on your computers and mobile devices.

Unless you’re a disciplined sysadmin who prefers to determine the precise manner and timing that updates will be installed, autoupdates are your best bet. You can set your browser to automatically pick up where you left off (keeping your tabs listed) in the event your machine restarts in the middle of the night to reduce the annoyance of autoupdates forcing a system restart.


Making a WordPress site accessible via HTTPS only is about to get a lot easier

Since the inception of my Hardening WordPress guide nearly ten years ago, I’ve urged WP users everywhere to improve the security of their websites by setting up secure hosting and configuring WordPress to be accessible via HTTPS-only, at least on the backend (wp-admin). While enabling forced HTTPS for administrative sessions has long been easy to achieve by setting the FORCE_SSL_ADMIN constant in wp-config.php, switching an entire WordPress site (backend + frontend) over to HTTPS has been unnecessarily difficult, requiring a number of carefully-executed steps.

But at long last, that is set to change, with WordPress 5.7. In a beta release announcement today, WordPress devs shared this very good news about a long-overdue enhancement that will make switching much simpler.

Migrating from HTTP to HTTPS is streamlined
Switching a WordPress site from HTTP to HTTPS has proven to be a pain for all involved. While on the surface, the Site Address and WordPress Address have to be updated, content with embedded HTTP URLs remains unchanged in the database. With this release, migrating a site to HTTPS is now a one-click interaction. URLs in the database are automatically replaced when the Site and WordPress Address are both using HTTPS.  Also, Site Health now includes an HTTPS status check.

Upon upgrading to WordPress 5.7, those who still are running unsecured sites will finally have an easy and officially supported migration path to HTTPS. As the excerpt above noted, it has historically been necessary to swap out http:// prefixes for https:// ones in a whole bunch of places to get a WordPress site working over HTTPS with no “mixed content” warnings:

  • The site URL and blog URL in Settings > General;
  • The site’s theme and widgets;
  • The site’s database tables (for instance, image URLs in post content);
  • … and sometimes even abandoned plugins still in use.

It’s far too easy to bork a site while doing the above, especially if the operations are being performed without care and without restorable backups. The classic trap is the database step: many options (widgets, theme settings, plugin configuration) are stored as PHP-serialized strings that carry the byte length of each value, so a naive search-and-replace of http:// with https:// leaves the stored lengths one byte short and the values fail to unserialize.
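To show exactly what goes wrong and how a safe replacement has to work, here is an added example (mine, not WordPress core code and not the new 5.7 migration routine): a length-aware http-to-https rewrite for PHP-serialized values, with a checker that does what PHP’s unserialize() does when it validates string lengths. The sample option blob is constructed for the example; WP-CLI’s `wp search-replace` does the same unserialize-aware replacement in production.

```python
"""Length-aware http->https rewrite for PHP-serialized WordPress option values."""
import re

# Start of a PHP serialized string: s:<byte length>:"
SERIALIZED_STRING = re.compile(rb's:(\d+):"')


def serialized_lengths_ok(blob: bytes) -> bool:
    """True if every s:N:"..." really holds N bytes followed by '";' (what unserialize() checks)."""
    i = 0
    while True:
        m = SERIALIZED_STRING.search(blob, i)
        if not m:
            return True
        n, start = int(m.group(1)), m.end()
        if blob[start + n:start + n + 2] != b'";':
            return False
        i = start + n + 2


def rewrite_urls(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old->new everywhere, recomputing the length prefix of each serialized string.

    Plain (unserialized) text such as post_content is handled too: it simply has no
    length prefixes to fix.
    """
    out, i = bytearray(), 0
    while True:
        m = SERIALIZED_STRING.search(blob, i)
        if not m:
            out += blob[i:].replace(old, new)
            return bytes(out)
        out += blob[i:m.start()].replace(old, new)
        n, start = int(m.group(1)), m.end()
        if blob[start + n:start + n + 2] != b'";':
            # Not a well-formed serialized string: copy the prefix verbatim and keep scanning.
            out += blob[m.start():m.end()]
            i = m.end()
            continue
        value = blob[start:start + n].replace(old, new)
        out += b's:%d:"%s";' % (len(value), value)   # byte length, so UTF-8 is safe
        i = start + n + 2


# Constructed sample: a widget option as it would sit in wp_options.
SAMPLE = (b'a:2:{s:4:"logo";s:27:"http://example.com/logo.png";'
          b's:4:"text";s:35:"Visit http://example.com/ for more.";}')


def demo() -> dict:
    old, new = b"http://example.com", b"https://example.com"
    naive = SAMPLE.replace(old, new)            # what a blind SQL REPLACE() does
    fixed = rewrite_urls(SAMPLE, old, new)
    return {
        "naive_ok": serialized_lengths_ok(naive),
        "fixed_ok": serialized_lengths_ok(fixed),
        "fixed": fixed,
    }


if __name__ == "__main__":
    result = demo()
    print("naive replace unserializes:", result["naive_ok"])
    print("length-aware replace unserializes:", result["fixed_ok"])
    print(result["fixed"].decode())
```

Always run this kind of rewrite against a dump or a copy of the database first, and diff the result; a value that fails `serialized_lengths_ok` before you touch it was already corrupt and should be investigated rather than rewritten.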

WordPress sites built within the last few years are much more likely to have been set up with HTTPS enabled from the get-go, but there are plenty of older sites out there that aren’t. The advent of Server Name Indication (SNI) and Let’s Encrypt has eliminated barriers to the adoption of secure hosting, and it’s now essentially considered to be unethical for a host to charge extra for secure hosting as part of a hosting plan.

Yet there are still many WP sites that aren’t set up to be reached only via HTTPS because they date back to an era when secure hosting was unavailable or costly or harder to deploy. The work being done to create a proper migration path within WordPress in Version 5.7 could really help these old sites jump on the encryption bandwagon.

This looks like it could be one of my favorite WP releases ever.

Hang up to avoid becoming a victim of a phone scam

I’m occasionally asked how to avoid becoming a victim of the robocall-driven phone scams that seem to be so common and prevalent nowadays.

The answer is fairly straightforward: Hang up.

If someone calls you with an offer, do not give them any information, just terminate the call. If someone tells you your computer is infected with a virus and you need to install a particular tool to clean it, disregard their instructions and immediately end the conversation. If someone asks you to wire money somewhere for any reason, refuse and tap your phone’s End button.

Why is it always safe and prudent to hang up, even if you’re not sure? Because hanging up won’t hurt your relationship with a legitimate business or a government agency. You should only provide sensitive information over the phone when you originate the call. Caller ID can be spoofed and businesses you have a relationship with can be impersonated.

So you need to be careful.

To avoid falling for scams, don’t give someone who calls you any sensitive information at all, and don’t let them direct you to do anything, whether that’s wire money someplace or install software on your computer.

And, if time allows, report scams so that they can be investigated by the authorities.

This morning, a group of scammers who are engaged in harvesting credit card numbers called me. I answered the phone and knew within seconds it was a scam, but decided to play along for as long as I could in order to (a) learn more about the scam and (b) waste the scammers’ time.

This particular group of scammers was running a con that goes like this:

  • Place a robocall to lots of people that advertises being able to get lower interest rates on credit cards (the brands Visa and MasterCard, which are networks, not issuing banks, are specifically mentioned)
  • Screen people who respond to the robocall by pressing “1” to see if they are an appropriate target for the scam by asking a bunch of fake qualifying questions that pretty much everyone would answer “yes” to;
  • Transfer the call to a fake “supervisor” who will then attempt to extract credit card numbers from the victim.

These scammers use some of the same techniques psychics and magicians use. For instance, to establish their credibility and get you interested, they ask their would-be victims questions like: “You have three or more credit cards, correct? And you’re paying interest of more than ten percent on each card? And you’d like to pay less interest on those cards?”

(Most people would be able to answer yes to these questions.)

Among those Americans who have a credit card (29% don’t), the average is almost four cards. That means most Americans with a credit card have several of them, typically at least three. Hence the scammers’ question, “You have three or more credit cards, correct?”

The next question they asked was which banks the cards were issued from. I told the screener I had cards with Bank of America, Wells Fargo, and CapitalOne, all of which are major card issuers with millions of customers. To all of the other screening questions, I offered responses like: “Great!”, “Excellent!,” “Yeah, sure,” or “That’s right.”

I was also told that I am a good customer and that I have a long history of making payments on time.

After I got through screening and was passed off to a more senior member of the scamming crew, I was asked for card numbers, beginning with my nonexistent Bank of America card. I used a credit card number generator to give the scammer a fake number, to see what he would do, and discovered he was trying to validate (and maybe authorize) the numbers in real time.

When the scammer protested that the sixteen digit number was invalid and not even a number beginning with a Bank of America prefix, I said, “Oops, sorry about that; try this,” and supplied a second fake number.

“Sorry, sir, that is not a valid Bank of America credit card number either,” the scammer said solemnly, a hint of contempt and resentment in his voice. “Darn,” I said. “That’s a shame.” He promptly hung up.

In this case, instead of hanging up on the scammers, I forced them to hang up on me, and I wasted several minutes of their time while learning more about their scam… a satisfying result.
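The two rejections the scammer gave are worth understanding, because they tell you how much he could check without touching a bank. The first (“invalid”) needs nothing more than the Luhn checksum every card number carries; the second (“not a Bank of America prefix”) needs an issuer-identification (BIN) table keyed on the first six digits. The script below is an added example, not part of the original post. The BIN table in it is invented: real BIN ranges are not reproduced here, and the entries point at a made-up “Example Bank” under the well-known Visa test prefix.

```python
"""Luhn checksum, Luhn-valid number generation, and a (made-up) BIN lookup."""
import secrets

# Hypothetical issuer table keyed on the 6-digit BIN. Constructed for this
# example; no real issuer's ranges are reproduced here.
HYPOTHETICAL_BIN_TABLE = {
    "411111": "Example Bank (test range)",
    "555555": "Example Bank (test range)",
}


def luhn_valid(number: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled, 9 subtracted if > 9."""
    compact = number.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """The single digit that makes partial + digit Luhn-valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial number must be digits only")


def generate_number(prefix: str, length: int = 16) -> str:
    """A Luhn-valid number with the given prefix, like the 'card number generators' found online."""
    body = prefix + "".join(secrets.choice("0123456789")
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def classify(number: str) -> str:
    """What a scammer can determine offline: checksum validity and the claimed issuer."""
    compact = number.replace(" ", "")
    if not luhn_valid(compact):
        return "invalid checksum"
    issuer = HYPOTHETICAL_BIN_TABLE.get(compact[:6])
    return f"issuer {issuer}" if issuer else "valid checksum, unknown issuer"


if __name__ == "__main__":
    for n in ("4111 1111 1111 1111", "4111 1111 1111 1112", generate_number("999999")):
        print(n, "->", classify(n))
```

A generated number that passes both of these checks still proves nothing about whether an account exists; that is the part the scammer was trying to confirm in real time, and it is why a Luhn-valid fake number wastes their time rather than yours.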

If you only get robocalled once in a while, you may be able to deal effectively with the occasional scammer simply by hanging up the phone. Terminating a call is the simplest and easiest way to thwart phone scams.

If scam and spam calls are a frequent annoyance, however, you may want to go further so you can reclaim your time and sanity. There are many tools that can help shield you from unwanted calls of all kinds, scam calls included.

For example, there’s Jolly Roger Telephone Service, which can deploy bots to talk to telemarketers and their bots for you.

Or Nomorobo, which can protect VOIP lines and mobile lines. (Most VOIP providers, like Vonage and Ooma, include Nomorobo as part of their plans.)

Or Truecaller, which provides an app for mobiles that can be used to identify unknown numbers, record calls, and block numbers.

Scammers are wily people who have ways of evading defenses like number blocks, so don’t expect any of the aforementioned tools to totally eliminate unwanted calls. Your best defense of all against phone scammers is your own good judgment and critical thinking skills.

If more people had the equivalent of a Spidey-sense for detecting scams, scamming wouldn’t be as lucrative and profitable as it is. So pass on your scam fighting knowledge! It makes a difference.

Don’t give out your personal mobile telephone number by default

This week, the New York Times published a stellar piece by Brian Chen which spells out the problems that stem from giving out your mobile number when asked for a means of being contacted by phone:

For most of our lives, we have been conditioned to share a piece of personal information without a moment’s hesitation: our phone number. We punch in our digits at the grocery store to get a member discount or at the pharmacy to pick up medication. When we sign up to use apps and websites, they often ask for our phone number to verify our identity.

An increasing number of Americans don’t have landlines and have become accustomed to typing their mobile number into online forms or giving it out without a second thought to entities of all kinds. If you do that, though, you’re increasing your risk of becoming a victim of cybercrime.

In fact, your phone number may have now become an even stronger identifier than your full name. I recently found this out firsthand when I asked Fyde, a mobile security firm in Palo Alto, Calif., to use my digits to demonstrate the potential risks of sharing a phone number.

Emre Tezisci, a security researcher at Fyde with a background in telecommunications, took on the task with gusto. He and I had never met or talked. He quickly plugged my cellphone number into a public records directory. Soon, he had a full dossier on me — including my name and birth date, my address, the property taxes I pay and the names of members of my family.

The CEO of Fyde is quoted in the next paragraph explaining that phone numbers are actually more unique than names are.

Many people can be called “James Smith” or “Mary Jones”, for example, but only one of those people will have a phone number like 907-555-0100 (that’s a fake phone number, by the way.) So if you give out your mobile number by default, then you’re creating a strong link between your mobile number and your name, which can be exploited by bad actors.

What should you do instead?

First: Get a VOIP (Voice Over Internet Protocol) telephone number and give that out as your primary phone number instead.

Even when you’re asked for a mobile number on forms, give out your VOIP number instead. Only provide your mobile number to family, friends, and institutions you trust. For example, you’ll probably want your bank or credit union to have your mobile number, along with your parents, siblings, spouse, children, and close friends.

Reputable VOIP providers include Ooma, Grasshopper, and RingCentral. Ooma is primarily marketed towards residential users, while Grasshopper and RingCentral are marketed towards business users.

Note that Ooma doesn’t support text messaging. If you want a VOIP number with SMS support, don’t pick Ooma.

There are also app-based VOIP providers, like Shuffle. These provide the ability to create auxiliary phone numbers (also referred to as secondary phone numbers).

All reputable VOIP services cost money, so there is a cost associated with setting up and maintaining a VOIP number. But it’s worth it. You’ll have a number you can give out that isn’t directly associated with the smartphone you’re carrying around and the SIM card inside it.

Second: Avoid using the Short Message Service (SMS) for two-factor authentication. Use an authenticator app instead (like Authy, available for both iOS and Android), or better yet, hardware-based authentication like a YubiKey if that’s supported. These methods are more secure than getting a code by text message and putting that in.

Many platforms that require a telephone number to set up multi-factor authentication will accept a VOIP number (Google is a good example of a provider that accepts VOIP numbers) so you can provide that instead of your mobile number when you’re going through the initial setup.

Change your Venmo privacy settings

Do you use Venmo? Your transactions are public by default. Here’s how to change that.

Venmo, the popular person-to-person money transfer service owned by PayPal, is back in the news again after a computer science student named Dan Salmon created a website profiling several of the millions of Venmo users who use the service to send and receive payments.

The reason Salmon was able to do this is because in Venmo, transaction histories are public by default. That’s right… public.

Unless you’ve specifically configured your privacy settings to hide transactions, your Venmo activity is an open book.

As Zack Whittaker of TechCrunch bluntly put it, using Venmo’s API (application programming interface), “anyone can look at an entire user’s public transaction history, who they shared money with, when, and in some cases for what reason — including illicit goods and substances.”

Now — yes, now — would be a very good time to check your Venmo privacy settings and make sure your transaction history is set to Private. Again, this is NOT the default setting in Venmo. It should be, but it isn’t. If you want to protect your privacy, then you need to take action!

If you have the Venmo app, you can use this visual guide created by Salmon to adjust your privacy settings.

You can also adjust your privacy settings through the Venmo website. Open the privacy settings page and select the Private option. Then click the button under Past Payments that says “Change All to Private”. This will make that same setting retroactive to your past transactions. Here’s a visual guide:


Travel confidently with these on-the-go financial management tips

Heading abroad on a trip this summer? Reduce your anxiety and minimize the likelihood that you’ll become the victim of a crime by following these best practices for managing your money while you’re away from home.

Tip #1: Limit the amount of cash you carry, and get it from an ATM

It’s a good idea to have some cash on your person when you’re abroad… but it shouldn’t be a huge amount, since an increasing number of places in an increasing number of countries take plastic.

You don’t need to be walking around Rome or Madrid with more than a hundred euros in your wallet, for example, since you don’t need huge sums to patronize street vendors and farmer’s markets.

You also don’t need to worry about stocking up on foreign currency before you arrive at your destination; you can get it from an ATM after passing through customs. Look for an ATM run by a reputable financial institution so you can avoid paying unnecessary fees. (Bank-owned ATMs generally have the bank’s logo prominently displayed; that’s how you can tell the difference.) You’ll be able to withdraw cash in the currency of the country you’re visiting.

Oh, and don’t bother with American Express “traveller’s cheques” … those are a thing of the past, as this traveler discovered. Hardly any establishments will accept them. Instead, bring multiple chipped credit and debit cards.

Tip #2: Keep your cash and your plastic in a money belt

Beware of pickpockets when traveling, especially while using public transit or when you’re visiting crowded tourist attractions. To protect your money and your identification, wear a money belt under your clothing so that your wallet can’t be lifted out of your pocket or purse by a skilled thief.

Tip #3: Use a credit card for purchases

Use your debit card to withdraw cash, but not to buy anything.

When you check into a hotel, rent a car, or make a purchase, always provide a credit card instead of a debit card. That way, you’re spending your bank or your credit union’s money instead of your own money.

If you experience the misfortune of your card number being fraudulently used, you won’t have to worry about a hold being placed on funds in your checking account, or worse, your money disappearing out of your account until you can get the fraudulent charges disputed. You also won’t have to worry about the many annoying restrictions rental car companies place on customers trying to pay with a debit card if you’re trying to get wheels.

Don’t have a credit card? Apply for one before you travel.

Tip #4: Tell your bank or credit union where you’re going

Most financial institutions will now let you set up travel alerts with a few mouse clicks or taps from a mobile device. You don’t even need to talk to anyone. Just log in and specify where you are going and for how long you’ll be there. By telling your bank or credit union about your travel plans, you greatly reduce the possibility that any transactions you attempt during your travels will be blocked due to suspected fraud. Do this for each bank or credit union that you have a relationship with.

Tip #5: Review your activity every night

Use your financial institution’s mobile app to review authorizations and charges that have posted to your account every night before going to bed. That way, you can quickly spot any fraudulent charges and keep track of your spending. Avoid signing into online banking from a cybercafe computer. If you’re connecting to the Internet through a public Wi-Fi hotspot, initiate a VPN session on your device prior to signing into your accounts.

Tip #6: Make photocopies of all of your cards before you travel

Before you depart on your trip, you should make copies of all of your cards… debit cards, credit cards, driver’s license, health insurance card, auto insurance card, and so on. You should also make a copy of your passport.

Leave one copy in your safe at home and give one to a trusted neighbor or family member who isn’t traveling with you. In the event your cards are stolen, you’ll then have an inventory of what needs to be replaced.

Bonus tip: Put your card data into your password manager too

You can also enter all of your card data into the secure vault of your password manager if you have one (and you should have one).

Microsoft recognizes that password expiration policies don’t help — they hurt

Recognizing that mandatory password changes don’t help an organization’s security posture, Microsoft last month announced that the security baseline for the next iteration of Windows 10 (version 1903) would no longer require periodic password changes.

In a post on Microsoft’s Security Guidance blog, the company explained its reasoning:

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them. When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows’ built-in Group Policy settings and cannot include customer-specific values.

This reinforces a larger important point about our baselines: while they are a solid foundation and should be part of your security strategy, they are not a complete security strategy. In this particular case, the small set of ancient password policies enforceable through Windows’ security templates is not and cannot be a complete security strategy for user credential management. Removing a low-value setting from our baseline and not compensating with something else in the baseline does not mean we are lowering security standards. It simply reinforces that security cannot be achieved entirely with baselines.

Props to Microsoft for making this change.

Password expiration policies are not unlike anti-piracy measures for music and movies: They were conceived and are meant to deter bad guys, but they end up getting in the way of the good guys while failing to stop the bad guys.

Just as no one wants to have to spend thirty minutes downloading and installing a firmware update for their Blu-ray player to make a disc playable, no one likes having to change their password when they log in simply because some amount of time has passed.

If a password is set to expire every thirty days, then that means a user will be asked to change their password twelve times every year. To deal with this annoyance, users can be expected to — as said — make “small and predictable” alterations to their previous password.
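The “small and predictable alteration” problem is checkable by the system that accepts the new password, which is one reason a banned-password list beats an expiry timer. The script below is an added example, not Microsoft’s code and not Azure AD password protection: it normalizes old and new passwords (lowercase, common leetspeak undone, trailing counters and punctuation stripped) and rejects a change whose core is unchanged, that is within two edits of the old password, or that contains a word from a banned list. The banned list and the leetspeak map are small constructed stand-ins for the real, much larger ones.

```python
"""Reject 'new' passwords that are predictable edits of the old one or contain banned words."""
import re

# Tiny constructed banned list; a real deployment uses thousands of entries
# plus organization-specific terms.
BANNED = {"password", "welcome", "letmein", "qwerty", "company"}
# Common leetspeak substitutions, undone before comparison.
LEET = str.maketrans("@$013!", "asoiei")


def normalize(pw: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols (the 'Summer2019!' pattern), undo leetspeak."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+", "", core)
    core = re.sub(r"[^a-z]+$", "", core)
    return core.translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def evaluate_change(old: str, new: str, min_length: int = 12) -> list:
    """Return the reasons the new password is rejected; an empty list means it is acceptable."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    old_core, new_core = normalize(old), normalize(new)
    if new_core and new_core == old_core:
        reasons.append("same core as previous password (only a counter or suffix changed)")
    elif edit_distance(old.lower(), new.lower()) <= 2:
        reasons.append("within two edits of previous password")
    if any(word in new_core for word in BANNED):
        reasons.append("contains a banned word")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2020!", "Summer2019?", "P@ssw0rd2020!", "correct horse battery staple"):
        verdict = evaluate_change("Summer2019!", candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that this check only works at the moment the password is set, when the plaintext of both old and new is available; it cannot be retrofitted from stored hashes, which is another reason to get the policy right before the change screen rather than rotating on a timer afterwards.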

A strong password stored securely in an electronic vault is better than a password that is frequently changed. Instead of setting and insisting on password expiration policies, information technology departments should require the use of password management tools, and join independent cybersecurity professionals in encouraging everyone to also set up their own password management tool for personal use.

POSTSCRIPT: Need a password manager for personal use? Try Dashlane or 1Password. Need one for a small team that doesn’t cost anything? Give CommonKey a look.

Flying this summer? Here are some tips for staying safe and comfortable

Taking to the skies this summer — or sooner? Whether you’re a seasoned jet setter or a more infrequent traveler, you may be interested in strategies to improve your experience of going from Point A to Point B. I’m a firm believer in the concept of enjoying the journey. Air travel can be unpleasant, but it doesn’t have to be. Here are some ways you can make your next flight more relaxing… or at least less painful.

Hydration

You’ll feel better if you stay hydrated during your travels, so drink water whenever you feel thirsty. Water is the only thing that will actually quench your thirst. Stay away from alcoholic beverages while in the air.

“The air in an aircraft is very dry and, coupled with the diuretic effect of drinking alcohol; you may become dehydrated much faster than you would on the ground,” KLM explains. If you want to feel your best during your trip and minimize the toll traveling takes on your body, then skip the alcohol.

I also recommend staying away from carbonated beverages (unless you have an upset stomach, in which case you may want a carbonated beverage).

Most airlines offer juice (apple, orange, cranberry) in addition to water from their beverage carts. If you want a flavored beverage, choose fruit juice instead of soda or an alcoholic beverage. You don’t have to worry about ending up with a cup of Tang: In my experience, most U.S. airlines nowadays are serving one hundred percent juice out of large juice boxes, not juice made from concentrate or fake juice made with powders.

Skip the ice whenever you get a beverage from a flight attendant.

While the water airlines serve is typically bottled, the ice could have been made in an ice machine using tap water that came out of the airplane’s water tanks… and with the notable exception of Southwest, airlines don’t have such a great track record when it comes to tap water quality.

A 2004 study by the Environmental Protection Agency (EPA) found that one in eight airplanes had water that totally failed safety standards. A more recent round of testing, in 2013, showed not much had improved.

Also, by skipping the ice, you’ll end up with an empty cup when you finish your beverage (ideally water or juice, as mentioned) instead of a cup with still-melting, possibly also sticky ice cubes that could spill.

Avoid coffee and tea for the same reason.

To ensure that you have water at the gate as well as in the air, bring an empty Klean Kanteen or a Hydro Flask with you in your carry-on.

After you pass through the security checkpoint, fill your water bottle using either a filling station next to a drinking fountain or ask someone working at a bar or restaurant in the concourse to fill it. Don’t use a drinking fountain spout because some people put their mouths right on the spout.

Food

If you want to be comfortable while in the air, be careful what you eat while at the gate and on the plane. In addition to avoiding alcohol, it’s also best to avoid greasy and sugary foods like burgers or pizza along with cruciferous vegetables, such as broccoli and cauliflower.

And, to avoid irritating your neighbors, I suggest skipping smelly foods like garlic, canned fish (sardines, tuna, etc.) and onions.

Stay away from chewing gum, too… it can contribute to bloating. (Yawn, as deeply as you like, to pop those ears safely and effectively.)

Here are some foods that you can enjoy while on the plane. You should bring snacks as well as an entree or two for a longer flight.

  • Cherries. They’re one of the few natural sources of melatonin.
  • Chicken and vegetable wrap. This can be your main course.
  • Pasta salad. If you’re a vegan, this could be your main course.
  • Bananas. They go down easy and are a good source of potassium.
  • Lemons. You can use them to flavor your water if you want.
  • Whole grains like quinoa and brown rice for an energy boost.
  • Protein bars for a non-messy treat in between meals.

Essential supplies

When flying, there are some must-haves that you’ll want to keep with you besides that reusable water bottle (which is the key to staying hydrated).

  • Something to read. You can’t use a laptop during takeoff and landing, but you can read from a printed publication or handheld. To minimize weight, bring a magazine, a tablet, or an e-book reader instead of books. If you do pack a book, make it a paperback.
  • Disinfecting wipes. Airplane seat-back tray tables are dirtier than your toilet at home. Disinfect them, your armrests, and seat buckle as soon as you’re seated with Clorox on the go wipes or an equivalent product.
  • External battery. Not all planes have USB charging ports, so it’s a good idea to have an external battery pack with you, like the Anker PowerCore series.
  • Noise canceling headphones or earbuds. There’s no shortage of options right now when it comes to noise canceling headphones and earbuds. Most do an excellent job of filtering out the hum of a jet engine. Connect the pair that’s right for you to your smartphone or an inexpensive audio player like the Sansa.
  • Sleep kit. If you want to catch some Z’s while at 30,000 feet, pack an eye mask and a neck pillow.

Perhaps the most important thing to do is to give yourself plenty of time to get to the airport and arrive at the gate. Remember, you can always read a book or work on your computer at the gate until it’s time for your flight.

If you’re not stressed out, you’ll feel better and have a more pleasant trip.

Happy travels!

How to give your WordPress site a security checkup

Are you responsible for a self-hosted WordPress site?

If so, one of the most important things you can do to keep it healthy is to give it a security checkup and make sure you’re maintaining it in accordance with all of the recommended best practices. That way, its likelihood of being hacked by the Internet’s hive of scum and villainy is reduced.

Here’s a step-by-step guide to giving your site a security checkup. (Most of these steps are adapted from the Hardening WordPress presentation that I’ve been giving to members of the WordPress community for several years.)

Step One: Backup your site!

There are several ways to manually back up. From within WordPress, backing up can be done with one of many plugins available from the WordPress repository. If you have shell access, making a manual backup is as easy as running a couple of commands. For example, from the directory above your site root, you could run:

bash:~$ tar -zcvf MONTH-DAY-YEAR-Site-Backup.tar.gz public_html/

Then, to make a snapshot of the database (presuming you’re using MySQL):

bash:~$ mysqldump -h hostname -u username -p databasename > MONTH-DAY-YEAR-Site-Database-Backup.sql

If wp-cli is installed on your server, exporting a database becomes even easier:

bash:~$ cd /home/user/path/to/wordpress/ && wp db export

A few words of caution: Do not keep backup files in your publicly accessible web space unless your host doesn’t give you access to the directory above your web root. A file archive contains wp-config.php, with your database credentials in it, and a database dump contains every user’s password hash, so leaving backups in your web space is a surefire way for your credentials to leak: anyone who guesses the file name can download them. If backups must be stored in your web space, make sure access to that folder is restricted. On a server running Apache, this can be done by setting directives in an .htaccess file in that folder (on Apache 2.4, a Require all denied directive).

For bonus points, verify the integrity of the backup by using the archive files you made to create a local copy of your WordPress installation. A backup you have never restored is an untested backup.

It’s nice to be able to know how to make a backup on demand, but the key to ensuring backups get made is automating them. This saves time and ensures that a copy of the site is being made at regular intervals.

To automate backups with shell commands, simply create a cron job by editing crontab or using your host’s cron job manager. With a plugin, you’ll need to visit the configuration page to specify how often backups should be made, and where they should be stored. You should have a set of backups stored locally on the server, and another set stored offsite in a secure cloud repository. That way, in the event disaster strikes and your host’s datacenter is beset by a catastrophe, your data is safe.

For most WordPress users, a plugin is the easiest and best way to automate and manage backups. I recommend UpdraftPlus.
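Here is Step One as a single cron-friendly script, added here as an example; it is not part of the original post or of any backup plugin. It reads the database credentials from wp-config.php (so they never appear in crontab or on a command line, where other users of the host could see them with ps), runs mysqldump through a throwaway option file, archives the site files, reads the archive back to prove it is usable, records a checksum, and prunes old copies. It assumes the site root is in SITE_ROOT (default ~/public_html), that BACKUP_DIR (default ~/backups) is outside the web root, and that mysqldump, tar and gzip are on the PATH; those variable names, defaults and the file layout are my choices, not the post’s.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-friendly WordPress backup script.
# Assumptions: the site lives at SITE_ROOT (default ~/public_html), backups go to
# BACKUP_DIR (default ~/backups, i.e. OUTSIDE the web root), and mysqldump, tar and
# gzip are on PATH. Database credentials are read from wp-config.php so they never
# appear in crontab or on a command line (which `ps` would show to other users).
set -eu

SITE_ROOT="${SITE_ROOT:-${HOME:-$PWD}/public_html}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-$PWD}/backups}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# wp_config_value FILE NAME: print the string value of define('NAME', '...') in FILE.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_database WPCONFIG OUTFILE.sql.gz: mysqldump using a throwaway option file
# (--defaults-extra-file) instead of putting the password on the command line.
# Assumes DB_HOST is a plain hostname (add a port= line if yours is host:port).
dump_database() {
    cnf=$(mktemp)
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(wp_config_value "$1" DB_HOST)" \
        "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_PASSWORD)" > "$cnf"
    mysqldump --defaults-extra-file="$cnf" --single-transaction --quick \
        "$(wp_config_value "$1" DB_NAME)" | gzip > "$2"
    rm -f "$cnf"
}

# archive_files SITE_ROOT OUTFILE.tar.gz: archive the site, prove the archive can be
# read back, and record a checksum so later tampering or bit rot is detectable.
archive_files() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
    tar -tzf "$2" >/dev/null
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2" > "$2.sha256"
    else shasum -a 256 "$2" > "$2.sha256"; fi
}

# prune_backups DIR DAYS: delete local backups older than DAYS (the offsite copy
# is expected to have its own, longer retention).
prune_backups() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} +
}

backup_site() {
    umask 077                      # backup files readable by this user only
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y-%m-%d)
    dump_database "$SITE_ROOT/wp-config.php" "$BACKUP_DIR/$stamp-db.sql.gz"
    archive_files "$SITE_ROOT" "$BACKUP_DIR/$stamp-files.tar.gz"
    prune_backups "$BACKUP_DIR" "$KEEP_DAYS"
}

# Run by hand:  ./wp-backup.sh run
# From cron:    30 2 * * * $HOME/bin/wp-backup.sh run
if [ "${1:-}" = "run" ]; then backup_site; fi
```

Run it once by hand and restore the result locally before trusting it to cron; the cron line in the comment runs it nightly at 02:30. Copying the dated files in BACKUP_DIR to your offsite location is the second half of the strategy described above.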

Step Two: Install pending updates (if any)

Once your backup is made, you should install any pending updates to WordPress, your installed plugins, and your installed themes. You can do this using wp-cli, or from within WordPress using the built-in Updater. If you have plugins or themes installed that you bought from an online marketplace, you should go back to that marketplace and see if there are updated versions available. If there are, download them and install them by deactivating the version on your site, deleting the old code, and uploading the new version.

Some premium plugins and themes can be automatically updated from within WordPress just like ones installed from the WordPress.org repository, but access to automatic updates usually requires a license key from the developer. Consider renewing any subscriptions to premium plugins that have expired — it’ll make installing updates much simpler in the future.

Step Three: Scan your site for problems

With backups made and updates installed, it’s now time to scan your site for problems. There are several security suites available for WordPress; my favorite is BulletProof Pro. (There is also a free version of BulletProof, and that’s better than nothing, but it doesn’t have all the features of BulletProof Pro.)

Install BulletProof Pro if you don’t already have it in your site, and put the scanner to work to see if there are any issues that need your attention.

If your site has been around for a few years and has a bunch of plugins installed, chances are good that you’re using one or more abandoned plugins. This is a common security issue with WordPress websites.

There’s no need to panic if you discover you’re using a deprecated plugin, but you should take steps to switch over to alternatives that are currently maintained. If you are notified of an abandoned plugin (which is one of the most common results I see in a scan of an otherwise healthy site), head over to the WordPress.org repository to look for a replacement.

Again, chances are, you’ll find one that does pretty much the same thing as the one that is no longer maintained.
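If you have shell access and wp-cli, Steps Two and Three can be scripted. The script below is an added example, not from the original post or from BulletProof: it checks that WordPress core and repository plugins still match their published checksums (a modified file is a sign of tampering), lists plugins and themes that need attention, and then installs updates. It assumes wp-cli is installed and that SITE_ROOT points at the WordPress root; the plugin names in the sample data are placeholders, not results from any real site. wp-cli cannot tell you whether a plugin is abandoned, so that check still means a visit to its WordPress.org page.

```shell
#!/bin/sh
# Added example (not from the original post): a wp-cli checkup covering Steps Two
# and Three. Assumes wp-cli is installed and SITE_ROOT is the WordPress root. The
# plugin names in the sample data are placeholders, not findings from a real site.
set -eu
SITE_ROOT="${SITE_ROOT:-${HOME:-$PWD}/public_html}"

# report_plugins: read the CSV that
#   wp plugin list --fields=name,status,update,version --format=csv
# prints (the same fields work for `wp theme list`) and print one finding per line:
#   UPDATE   name   a newer version is available; install it
#   INACTIVE name   installed but not active; delete it, because its PHP files are
#                   still on disk and still reachable by URL, so a bug in it is
#                   still exploitable even though the plugin is "off"
report_plugins() {
    awk -F, 'NR > 1 && NF >= 3 {
        if ($3 == "available") print "UPDATE   " $1
        if ($2 == "inactive")  print "INACTIVE " $1
    }'
}

# checkup: verify checksums first (with set -e, a mismatch stops the script so you
# investigate before updating over the evidence), report, then update.
# Run only after the Step One backup has been made.
checkup() {
    cd "$SITE_ROOT"
    wp core verify-checksums
    wp plugin verify-checksums --all
    wp plugin list --fields=name,status,update,version --format=csv | report_plugins
    wp theme list  --fields=name,status,update,version --format=csv | report_plugins
    wp core update
    wp plugin update --all
    wp theme update --all
}

if [ "${1:-}" = "run" ]; then checkup; fi
```

Premium plugins that are not in the WordPress.org repository will show up in the list but cannot be checksum-verified or updated this way; handle those as described in Step Two.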

Step Four: Make sure your site is protected by a firewall

One of the capabilities you get with BulletProof is the ability to deploy a firewall. Deploying a firewall is one of the most important ways you can protect your site.

At most hosts, deploying BulletProof’s firewall is as simple as clicking a few buttons and running the setup wizard. At others, some intervention on your part may be required to enable extended protection mode and realize the full benefits of the firewall.

Step Five: Change your passwords

Since you’re giving your site a security checkup, take advantage of the opportunity to change all your hosting-related passwords now.

Consider installing a password manager like Dashlane or 1Password to securely generate and store your new passwords. A manager greatly reduces the complexity and anxiety involved in coming up with strong passwords and keeping them safe. You should have unique passwords for:

  • your hosting control panel
  • your database (MySQL, MariaDB, etc.) user
  • your WordPress account(s)
  • any additional shell accounts or FTP users you have

Step Six: Turn on multi-factor authentication (MFA, also called 2FA)

Many hosts will let you add another layer of protection to your site by turning on multi-factor authentication (MFA), also called two-factor authentication.

To find out if your host will let you set up MFA to restrict access to your control panel, check their support center or knowledge base for an article about “MFA” or “2FA”.

With MFA, access to your online accounts is secured by something you *have* in addition to your password. That something could be a mobile device (the most common second factor), or a hardware security key like a YubiKey.

If you’re using your mobile device, I recommend using an authenticator app instead of using SMS (short message service) if possible, as authenticator apps are more secure.

The three most popular authenticator apps currently available are Google Authenticator, Authy, and Duo Mobile.

Do you use Jetpack? Turning on multi-factor authentication at WordPress.com will help protect your site from attacks that abuse Jetpack’s remote management feature (which lets a WordPress.com account administer your site); such attacks have afflicted a lot of WordPress websites recently.

To turn on multi-factor authentication (also misleadingly called cell-phone sign in by some) for your WordPress installation’s administrator accounts as well, there’s a nifty plugin simply called Two Factor, by George Stephanis. Unlike many other plugins purporting to provide 2FA, George’s supports YubiKeys, so you can use a physical key as your second factor. Physical keys are the most secure 2FA method, followed by smartphone authenticator apps like Twilio’s Authy, with SMS codes a distant third.

Step Seven: Configure and use HTTPS on your site

Help encrypt the Web by configuring and using HTTPS (HyperText Transfer Protocol Secure) on your WordPress site. When you make the switch to HTTPS, you’ll no longer be sending your username and password in the clear when you log in to manage your site, and your users’ comments and form submissions will likewise be encrypted while in transit between their computer and your site’s server.

Switching to HTTPS is one of the most important ways you can protect your WordPress site. Switching to HTTPS now will also ensure you’re prepared for the day when Google Chrome (and other browsers) begin marking non-HTTPS pages as “Insecure”, which is due to happen this September.

The process for configuring HTTPS varies by host, so as with the previous step, you’ll want to check your provider’s documentation. You will need to obtain a TLS certificate from a certificate authority to securely access your site in a browser without triggering a scary-looking warning.

Certificates can be obtained for free through Let’s Encrypt or for a fee from a number of traditional certificate authorities. Note that some hosts require you to buy a certificate through them in order to set up HTTPS on the server that serves your website.

After you’ve configured HTTPS, you’ll need to make changes to your site to enforce its use. First, modify your site’s wp-config.php file to require HTTPS for all administrative sessions by adding this constant:

// Require encryption for administrative sessions and logins
define('FORCE_SSL_ADMIN', true);

This is the recommended way to force HTTPS on your site’s backend because it doesn’t depend on a plugin being active. Two caveats: the constant must be added above the “That’s all, stop editing!” line in wp-config.php, or it will have no effect; and if TLS is terminated by a proxy or load balancer in front of your server rather than on the server itself, WordPress must also be told to trust the proxy’s forwarded-protocol header, or the login page will redirect to itself in a loop.

Note that setting this constant does not require HTTPS on your site’s frontend… the public-facing part of your website.

To force HTTPS on the frontend, start by going to your site’s Settings (you’ll want the General screen) and changing the WordPress Address (URL) and Site Address (URL) fields to begin with https:// instead of http://. You will be immediately logged out once you save this change, and will have to log in again.

You’ll then want to use a plugin like Velvet Blues Update URLs to replace all the hard-coded http:// URLs in your site with https:// URLs. If you don’t do this, some of your site’s resources, like images and scripts, may not load securely.

Always make a fresh backup of your site (repeating what you did in Step One) before you run a plugin like Update URLs.

The last step is to browse around your site and look for any mixed-content warnings. You may need to modify your theme files or theme settings to get rid of a final http:// reference or two.
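Two of the checks above can be automated so you can re-run them after every theme or plugin change. The script below is an added example, not from the original post: it confirms that the plain-HTTP address of your site answers with a permanent redirect to an https:// URL (a temporary redirect, or none, leaves the unencrypted login page reachable), and it scans a page for http:// resources, which are exactly what produces mixed-content warnings. It assumes curl is installed and takes the hostname as its only argument; the hostnames and URLs in the sample data are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): two checks to run after switching a
# site to HTTPS. Assumes curl is installed; the hostname is the first argument, and
# the URLs in the sample data are placeholders.
set -eu

# redirects_to_https: read an HTTP response header block on stdin; succeed only
# for a permanent redirect (301 or 308) whose Location is an https:// URL. A 302,
# or a redirect to http://, leaves the plain-HTTP login page reachable.
redirects_to_https() {
    awk 'NR == 1 && ($2 == "301" || $2 == "308") { code = 1 }
         tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
         END { exit !(code && loc) }'
}

# mixed_content_refs: read HTML on stdin and print each http:// URL loaded as a
# resource (src= attributes and <link ... href=), one per line, de-duplicated.
# Plain <a href> links are not reported: navigating to http:// is not mixed
# content, loading a script, stylesheet or image over it is.
mixed_content_refs() {
    grep -oiE "(src|<link[^>]*href)=[\"']http://[^\"']+" | sed -E "s/.*=[\"']//" | sort -u
}

# check_site HOST: fetch the plain-HTTP home page headers and the HTTPS home page.
check_site() {
    if curl -sS -I "http://$1/" | redirects_to_https; then
        echo "OK   http://$1/ permanently redirects to HTTPS"
    else
        echo "FAIL http://$1/ is served, or redirected, without HTTPS"
    fi
    refs=$(curl -sS "https://$1/" | mixed_content_refs)
    if [ -n "$refs" ]; then
        echo "FAIL mixed content on https://$1/:"
        echo "$refs"
    else
        echo "OK   no http:// resources on https://$1/"
    fi
}

if [ $# -eq 1 ]; then check_site "$1"; fi
```

Run it against a few representative pages, not just the home page: a post with embedded images and a page with a form are the usual places a last http:// reference hides. Inline CSS url(...) references and srcset attributes are not covered by the pattern above; the browser console will still show those.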

Made it through all that? Good work!

Completing the steps above is the ticket to a safer, happier WordPress site. If you’d previously completed some of the steps, congratulations on completing the remaining ones. And if you’ve never done work to strengthen your site’s security posture before, but have been inspired to do so, I hope this post helped you take action.

Don’t let an injury to one become an injury to all: Strategies for safely managing multiple sites

If you’re adept at building websites, chances are excellent that you have more than one of them in your care, whether you own them yourself or whether you simply manage them on behalf of a friend or a business/nonprofit/community group that you have a relationship with.

Ensuring that all the sites you’re responsible for are well maintained is no easy task, especially when it’s a large number.

But it’s really important, because maintenance and administration go hand in hand with security. A neglected site can become a serious liability — and not just to the entity that it’s associated with. Since a hosting account is only as strong as its weakest link, it’s very important to ensure that no site gets left behind when it comes to regular maintenance and administration.

Here are three strategies you can use to minimize your risk of an injury to one site becoming an injury to all sites in your hosting account.

Strategy #1: Isolate your sites from each other

The first strategy you should consider to protect multiple sites that are sharing a hosting account is to isolate them from each other to the fullest extent possible. This way, if one site gets infected, the ability for the infection to spread is minimized. This strategy only works for sites that reside at different domains or subdomains (for example, mysite.tld and subsite.mysite.tld, or mybusiness.tld and hobbysite.tld).

You need to do several things to effectively wall off sites from one another:

  • Use unique, strong passwords for each site’s WordPress accounts
  • Associate each site with its own unique database and database user
  • Run each site under a separate shell or FTP/SFTP user (be aware that some hosts will not allow this) 
  • Make sure your shell/FTP/SFTP users do not have access to each others’ files (check with your host to ensure this is the case)

Again, to properly compartmentalize your sites, make sure you do all of the above. If you’ve got sites that “live together” in your hosting account and are not compartmentalized, they will all need to be cleaned in the event that one of them gets hacked.
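The four points above can be audited from a shell. The script below is an added example, not from the original post: given the root directories of the sites in your account, it reports database users or database names that more than one site shares, OS users that own more than one site root (sites run by the same shell/FTP user can read and rewrite each other’s files, whatever the database setup), and wp-config.php files that other users on the host can read. It assumes a POSIX shell with ls, sort and awk, and site paths without spaces; the site names and credentials in the sample data are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit how well the sites in one
# hosting account are walled off from each other. Each argument is a site root
# containing wp-config.php. Assumes ls, sort, awk and site paths without spaces;
# the site names and credentials in the sample data are placeholders.
set -eu

# wp_config_value FILE NAME: print the string value of define('NAME', '...') in FILE.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# report_duplicates: read "value site" lines on stdin and print each value that
# appears for more than one site, followed by the sites that share it.
report_duplicates() {
    sort | awk '{ sites[$1] = sites[$1] " " $2; n[$1]++ }
                END { for (v in n) if (n[v] > 1) print v ":" sites[v] }'
}

# shared_config NAME ROOT...: wp-config.php values (DB_USER, DB_NAME, ...) shared
# between sites. A shared DB_USER means a compromise of one site exposes the
# other site's tables as well.
shared_config() {
    name=$1; shift
    for root in "$@"; do
        v=$(wp_config_value "$root/wp-config.php" "$name")
        printf '%s %s\n' "${v:-MISSING}" "$root"
    done | report_duplicates
}

# shared_owners ROOT...: OS users that own more than one site root.
shared_owners() {
    for root in "$@"; do
        printf '%s %s\n' "$(ls -ld "$root" | awk '{ print $3 }')" "$root"
    done | report_duplicates
}

# world_readable_configs ROOT...: wp-config.php files that any user on the host
# can read (column 8 of ls -l is the "other read" bit).
world_readable_configs() {
    for root in "$@"; do
        if [ "$(ls -l "$root/wp-config.php" | cut -c8)" = "r" ]; then
            echo "$root/wp-config.php"
        fi
    done
}

audit_sites() {
    shared_config DB_USER "$@"  | sed 's/^/SHARED DB_USER  /'
    shared_config DB_NAME "$@"  | sed 's/^/SHARED DB_NAME  /'
    shared_owners "$@"          | sed 's/^/SHARED OWNER    /'
    world_readable_configs "$@" | sed 's/^/WORLD-READABLE  /'
}

# Usage: ./isolation-audit.sh ~/mybusiness.tld/public_html ~/hobbysite.tld/public_html
if [ $# -ge 2 ]; then audit_sites "$@"; fi
```

An empty report means the sites pass these four checks; it does not prove the host’s own configuration keeps your shell/FTP users apart, which is the question to put to your host.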

Strategy #2: Use a manager to collectively administer your WordPress sites

If you are responsible for more than one WordPress site, you can greatly simplify your administrative workload by using a site manager to keep an eye on all of your sites at once.

Perhaps the biggest benefit of a site manager is that it will allow you to install updates in tandem without having to log in to each and every site you’re responsible for separately.

For example, suppose the WordPress development team releases a new version of Akismet, the spam catching plugin that ships with WordPress, as they did a few weeks ago. With a site manager, you can install that update across all the sites you have with just a couple of clicks, saving a lot of time and ensuring that no site gets left behind.

Connecting your sites to a site manager is as simple as installing a plugin and completing the pairing process by providing the site URL and a key to the manager.

When it comes to site managers, you’ve got choices. Two of the most popular managers currently available are InfiniteWP and MainWP. Both of these managers integrate with security plugins. And both can be installed in your existing hosting account at no cost to you. (Like your client sites, run your manager under a separate shell/FTP/SFTP user as described above.)

Do note, though, that many advanced capabilities you may want, like scheduled backups or security plugin integration, will require the purchase of an add-on.

Since your manager will be connected to all of your sites, it is itself a high-value target: log in often to ensure the manager is up to date, protect it with a strong, unique password and multi-factor authentication where available, and run all of your sites, your manager included, over HTTPS only.

Strategy #3: Convert dormant WordPress sites to static sites

If you’ve got a WordPress site in your hosting account that is no longer being updated with new content, but that you don’t want to take offline, consider giving it a proper retirement by converting it to a static site.

It’ll load faster, and there will be one fewer application in your web hosting account that you need to worry about updating and securing. This is a great alternative to deleting a site altogether and having the content disappear from the Web.

To convert your site, you can use the Simply Static plugin. It will generate a snapshot of everything you’ve got — posts, pages, images, scripts, and all — preserving your permalink structure in the process. Pretty cool!

Keep in mind that, depending on the size of your website, the archive could take a while to build, and be quite large.

Once your archive has been successfully created by Simply Static, move it out of your web root. Then take the WordPress site offline: make a fresh backup of the site (files and database, as in Step One of the checkup above) and delete the WordPress filesystem.

Unpack the archive file you created in place of the filesystem you deleted, and verify that your posts and pages are still accessible at the URLs they had when the site was a WordPress site.

Note that when you retire a WordPress site by converting it using the process described above, comment threads, forms, and other interactive functionality will no longer work. You may wish to edit your now-static contact page and other pages where forms were present to remove them and make it clear to site visitors that they are viewing an archived site which isn’t accepting new form submissions. You can always put in a link to a currently-maintained site where they can reach out to you.