News

What's a Web Host Supposed to do When Your Site Gets Hacked?

04 February 2016 | Hosting

Today you went to visit your website only to find that it’s been pwned by some script kiddies from Turkey who think it’s funny to take over your homepage. Maybe you visited your site to discover that it has been taken over as part of some sort of Chinese shopping cart scheme. Or perhaps you received a notice from your hosting provider that your website is sending out thousands of spam emails with the subject “buy cheap Viagra” or has become part of a botnet DDoS attack and has now been suspended.

Whatever the case, you may not know how your site ended up this way, but you sure as heck want it fixed–and pronto!

What do you do? What should you expect your hosting provider to do for you?

How Did Your Site End Up This Way?

Those are great questions, but first it’s important to understand why your site ended up this way. The number of ways to hack a website is practically endless, so it would be impossible to discuss them all here in detail. However, the most common site hacks come down to the simplest of factors: vulnerable site software and poor security.

Vulnerable Site Software

Hackers are always going to target the easiest prey. Think about it this way: if a burglar shows up in your neighborhood to find a street full of houses with posted alarm systems and one house with no alarm system, which house is the burglar going to target? The house without the alarm, of course. In much the same way, if a hacker is looking through a bunch of sites and sees that they all run the latest software with all third-party extensions up-to-date, are they going to go to the trouble of discovering new security holes in your site software, or do you think they’ll move along to other sites running out-of-date software with published vulnerabilities? Unless they’re very experienced and on a mission to find something specific that they know is there, they’re going to move on to an easier site. But why?

You see, most hackers are only interested in using your site for nefarious purposes. Their end goal is to use your site as a place to hide their spamming scripts or DDoS scripts. Even though it happens, most don’t even want to deface your site. They just want to use you for your site. So you have to make it difficult for them to do this.

When you don’t stay on top of updates, it’s like posting a sign in your yard that says, “please, come steal my stuff.” Keeping your software up-to-date with the latest security patches is like posting a security alarm warning in your front yard. Hackers are going to move along to easier targets.

Poor Security

Hackers with a little more determination will use techniques like brute force to guess your passwords over time. Burglars know what those fake rocks look like where you hide your spare key, and they will check under your doormat. A weakly composed password containing your first pet’s name, your birthdate, or other easily guessed combinations of letters and numbers will eventually fall to a brute-force dictionary attack. And what gives with using ‘password’ as your password or ‘admin’ as your username? Why not just invite our burglar in for dinner? That’s basically what you’re doing with hackers when you don’t use strong passwords.

A good hosting company will help limit much of this by enabling, or giving you the ability to enable, a limit on failed login attempts in your site software, or by using their firewall to block addresses that try to brute-force your hosting account. If you don’t know anything about this, make sure to ask your host what they do and what options they provide.
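The “limit failed login attempts” protection just mentioned is simple enough to see in code. What follows is an added example for this post, not any host’s production code, of fail2ban-style logic in Python: it reads one record per login attempt, keeps a sliding window of failures per source address, and bans an address once it exceeds a threshold inside that window. It also shows the case a per-IP limit misses, a slow guess against one username from many addresses. The record format, the usernames and the addresses are constructed for the example.

```python
"""Fail2ban-style detection of brute-force logins from log records.

Added example for this post; it is not any host's production code. The log
format, usernames and addresses below are constructed for the example
(203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# One record per login attempt; the format is assumed, not a real product's.
SAMPLE_LOG = """\
2016-02-04T10:00:01Z ip=203.0.113.7 user=admin result=FAIL
2016-02-04T10:00:03Z ip=203.0.113.7 user=admin result=FAIL
2016-02-04T10:00:04Z ip=198.51.100.2 user=editor result=OK
2016-02-04T10:00:06Z ip=203.0.113.7 user=administrator result=FAIL
2016-02-04T10:00:09Z ip=203.0.113.7 user=admin result=FAIL
2016-02-04T10:00:11Z ip=203.0.113.7 user=root result=FAIL
2016-02-04T10:00:12Z ip=203.0.113.7 user=admin result=FAIL
2016-02-04T10:02:00Z ip=203.0.113.8 user=admin result=FAIL
2016-02-04T10:02:30Z ip=203.0.113.9 user=admin result=FAIL
2016-02-04T10:05:00Z ip=198.51.100.2 user=editor result=FAIL
2016-02-04T10:20:00Z ip=198.51.100.2 user=editor result=FAIL
2016-02-04T10:35:00Z ip=198.51.100.2 user=editor result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, succeeded), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"] == "OK"


def detect(lines, max_failures=5, window=timedelta(minutes=10),
           ban=timedelta(minutes=30)):
    """Return {ip: banned_until} for every address that accumulated
    `max_failures` failed attempts inside a sliding `window`.

    A successful login does not clear the history on purpose: an attacker
    who finally guesses right should still trip the ban.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, _user, ok = rec
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures that aged out
            q.popleft()
        if len(q) >= max_failures and ip not in banned:
            banned[ip] = ts + ban
    return banned


def is_blocked(banned, ip, at):
    """True if `ip` is inside its ban period at time `at`."""
    until = banned.get(ip)
    return until is not None and at < until


def spray_targets(lines, min_sources=3):
    """Usernames that failed from at least `min_sources` distinct addresses.

    A per-IP limit never fires on a slow, distributed guess against one
    account, which is why an obvious username like 'admin' is a liability.
    """
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and not rec[3]:
            sources[rec[2]].add(rec[1])
    return {user: len(ips) for user, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, until in detect(lines).items():
        print(f"ban {ip} until {until.isoformat()}")
    print("spray targets:", spray_targets(lines))
```

On the sample, 203.0.113.7 is banned at its fifth failure and stays banned for thirty minutes, while 198.51.100.2 (two failures fifteen minutes apart) never trips the threshold. The spray check is the part to ask your host about: a firewall rule keyed on source address will not see the three different addresses all trying “admin”.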

Hackers on a mission will use social engineering techniques, pretending to be you in order to get at your site and/or your information. Find out what your host does to stop this. We provide two-factor authentication and require answers to security questions when someone asks for assistance on an account, to help prevent social engineering. But again, unless a burglar knows you have a safe with gold bars in it, they’re probably going to leave you alone. Most hackers just want to use you for your site.

So, What Should You Expect Your Hosting Provider to do?

Now that we’ve looked a little into why hackers might be interested in hacking your site and how they might go about accomplishing it, we’re in a better place to discuss what you should expect your hosting provider to do.

Usage of open source software has exploded over the past decade. With such great, free and easy-to-use scripts out there such as Joomla, WordPress, etc., it’s understandable why you would choose to use them for your site. We highly recommend them. The problem, as we mentioned earlier, is that all too often people don’t keep these things up-to-date. Just as there are huge communities supporting each of these open source projects, there are hacking communities out there that write exploits to take advantage of these vulnerabilities and share them in the dark nether regions of the internet. When you don’t keep your site software up-to-date, whose fault is that? We provide all sorts of tools to help keep your site up-to-date, and even plans where we go the extra mile to keep everything up-to-date for you for Joomla and WordPress, but ultimately the responsibility to keep a site up-to-date falls to the site owner. You need to figure out how you’re going to keep it up-to-date. What tools are available to you? Would you prefer to not have to think about it? How much will it cost? What is your plan?

So when your site gets hacked, what’s your host likely to do? Hosting companies have to protect their other customers and their network. We’re not sure exactly what you can expect at other hosts, but here at Simple Source, despite all of the protections we provide, sites do get hacked due to customers not keeping sites up-to-date. So, when this happens:

  • We’ll usually find out that a site is sending out spam or using a ton of system resources, track down the source, and then suspend the offending account and notify the account holder. It’s in our terms of service. When we hear back from the client, we’ll run a scan and disable (neutralize) the offending script so it can no longer execute, then give the customer the opportunity to clean up their own site if they so desire, or offer to do a deep cleaning and restoration at our standard hourly rate, work that we guarantee.
  • If the customer says they have cleaned up their account, only for us to find that it’s being used for nefarious purposes again, we’ll go through the same process again.
  • If this happens a third time, we will generally suspend the offending account and offer again to clean up the account at our standard hourly rate. If the customer doesn’t want to go that route, we’re happy to send the customer a link to download their site files and databases.

At some point, if customers keep inviting burglars into their house, we have to put a stop to it before it starts to negatively affect other customers. It takes our valuable time to do this which means we have less time to serve our other customers and make Simple Source even better.

Bottom line: we know all of this can be inconvenient, but if you’re in the habit of sending out invitations to hackers to hack your site, you should expect it will cost you something in terms of time or money to recover from what they do to your site.

Our Client Area - The Power of Sub-Accounts

19 January 2016 | Hosting

A while back we took a look at how you can easily manage all of your Apps from your client area at getsimple.net. Today we're going to take a look at sub-accounts.

Sub-Accounts are an all-too-often underutilized tool of our client area at getsimple.net, and they are now even more powerful than before. Sub-Accounts allow you as a client to assign users permissions to various functions, so they can carry out a variety of duties limited to the specific purposes you want them to have access to. Whether you want someone to have access to billing, support, domains, hosting services, or more, Sub-Accounts give you power and control over who can do what, all from your client area.

How Can You Use Sub-Accounts?

There are plenty of use-case scenarios we could look at, but let’s look at just a few common examples you may find useful for Sub-Accounts:

Billing Managers

Many companies have a dedicated billing or accounting manager or department that is responsible for keeping track of financial records such as receipts, payment information, or who may need support for any financial information associated with your services. You can allow them access to invoices and/or billing support and to receive notices from billing all through setting them up with a sub-account.

Web Designers

You may be working with a website developer or designer to build your website. You may want to give this person or company access to our support or to your hosting services without giving them access to billing information or account info. This lets them manage your hosting service and access your cPanel services such as the file manager, email accounts, and more, while keeping them out of everything else.

Domain Management

Suppose you have someone in your company or organization that you want to set up Google Apps on your domain. You could simply allow them access to the domains section of your account, or to the hosting services area, so they can add the MX records necessary to point your mail to Google Apps.

How Do I Set Up a Sub-Account?

It’s simple:

  1. log in to the client area and click on “Contacts/Sub-Accounts”
  2. enter the user’s name and contact information
  3. tick the box under “Activate Sub-Account” next to “Tick to configure as a sub-account with client area access”
  4. tick the boxes for what you want the user to have access to under “Sub-Account Permissions”; grant only what the role needs
  5. tick the boxes under “Email Preferences” for which notices you would like the user to receive
  6. click “Save Changes”

And voilà! You have now put the power of Sub-Accounts to good use, delegating roles to someone else in your company or organization, or to a third-party vendor, so they can securely do work for you without sharing your own login.

3 Simple Ways to Keep Your Joomla Site Secure

13 January 2016 | Joomla News

In an age of constant news of security breaches, it’s more important than ever for webmasters of Joomla websites to keep their sites safe and secure. While there’s no one-size-fits-all solution for keeping your Joomla site secure, there are some good rules of thumb to follow to help ensure that your site is as secure as possible, and it’s not as hard as it may seem.

Keep Your Joomla Installation Up-to-date

This is the biggest area where we see users fail at keeping their sites secure, and it is the easiest pitfall to avoid. With the built-in updater available in every version of Joomla after the 1.5 series, updating is really no more difficult than a few clicks.

We strongly recommend backing up your site before applying any updates. You can easily do so by installing Akeeba Backup or by using the App manager in the client area of your account at getsimple.net.

Once you have successfully backed up your site, you can proceed to upgrade it using the built-in updater, or back up and update all in one step from our App manager.

Keep Your Joomla Extensions Up-to-date

While many users tend to keep their Joomla installations up-to-date, they often ignore all of the wonderful extensions that they have installed, leaving their sites open to attacks.

Start by visiting Extensions > Manage in your Joomla administration area, then click on “Update” to review the extension updates that are available. After backing up, apply any available updates.

There are still plenty of extensions which do not use the updater built into Joomla, so you’ll need to click on “Manage” and compare your list of installed extensions against the Vulnerable Extensions List (VEL) to find any of your extensions that may be vulnerable. Update any you find pronto; if the VEL shows no fixed version for an extension, uninstall it rather than leaving it in place.

Lastly, even if you do not have any vulnerable extensions installed, there are likely updates available for your particular extensions. Some third-party extension developers have updaters built into the component, which you can use to update their extensions and enjoy the benefits of new features and bug fixes. Even if they have no updater available, there still might be newer versions available, which you can download and install via the Joomla extension manager.
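Comparing your extension list against the VEL by hand gets tedious once you look after more than a handful of sites. The following is an added Python example for this post, not the Joomla project’s code and not a scraper for the real VEL: the installed inventory and the VEL-style entries are constructed, and the part worth having in code is the version comparison, which must treat 2.10 as newer than 2.9 and 3.0.0-rc2 as older than 3.0.0 rather than comparing strings.

```python
"""Compare installed Joomla extensions against a vulnerable-extensions list.

Added example; not the Joomla project's code and not a scraper for the real
Vulnerable Extensions List (VEL). The installed inventory and the VEL-style
entries below are constructed; in practice you would transcribe the VEL
entries for the extensions you run into this shape.
"""
import re

# Constructed inventory: what Extensions > Manage shows (element name -> version).
INSTALLED = {
    "com_example_gallery": "2.1.3",
    "com_example_forms": "4.0.0",
    "mod_example_slider": "1.2.0",
    "plg_example_editor": "3.0.0-rc2",
}

# Constructed VEL-style entries. "fixed_in" is the first safe version;
# None means no fix exists, which the VEL flags for removal.
VEL = [
    {"name": "com_example_gallery", "fixed_in": "2.1.4", "issue": "SQL injection"},
    {"name": "com_example_forms",   "fixed_in": "3.9.0", "issue": "arbitrary file upload"},
    {"name": "mod_example_slider",  "fixed_in": None,    "issue": "XSS, project abandoned"},
    {"name": "plg_example_editor",  "fixed_in": "3.0.0", "issue": "path traversal"},
]

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$")


def parse_version(v):
    """Turn '2.1.3', '2.1' or '3.0.0-rc2' into a comparable tuple.

    Numeric parts compare numerically (so 2.10 > 2.9, unlike a string compare)
    and are padded so 2.1 == 2.1.0; a pre-release tag (rc, beta, alpha)
    sorts below the final release of the same number. Assumes at most five
    numeric components, which covers every Joomla extension version scheme
    seen in practice.
    """
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (5 - len(nums))
    tag, tagnum = m.group(2), m.group(3)
    pre = (0, tag.lower(), int(tagnum or 0)) if tag else (1, "", 0)
    return nums + pre


def check(installed, vel):
    """Return [(name, installed_version, action, issue)] for every installed
    extension that falls inside a vulnerable range."""
    report = []
    for entry in vel:
        name = entry["name"]
        if name not in installed:
            continue
        have, fixed = installed[name], entry["fixed_in"]
        if fixed is None:
            report.append((name, have, "no fixed release: uninstall", entry["issue"]))
        elif parse_version(have) < parse_version(fixed):
            report.append((name, have, f"update to {fixed} or later", entry["issue"]))
    return report


if __name__ == "__main__":
    for name, have, action, issue in check(INSTALLED, VEL):
        print(f"{name} {have}: {issue}; {action}")
```

On the constructed data the forms component is already past its fixed version and is not reported, the gallery and the release-candidate editor plugin need updating, and the abandoned slider module has no safe version and should be removed.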

Permissions, Passwords, and Protecting Your Administrator Area

File Permissions

Use a hosting provider that runs PHP under your own user account (e.g. via suPHP), so that Joomla can write to its files without those files being world-writable. Generally speaking, files should stay at 644 and folders at 755: readable by everyone (the web server still has to read them), but writable only by you. Anything world-writable (666 or 777) can be modified by any other process on the machine, which is exactly how a compromised script plants a backdoor.
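To turn the 644/755 rule of thumb into a check, here is an added Python example (not part of the original post) that walks a web root, reports every file or folder whose permission bits differ from 644/755, singles out the world-writable ones, and optionally repairs them. The demo() function builds a throwaway tree with a few deliberately wrong modes and constructed file names so it runs anywhere; point audit() at your real document root to use it.

```python
"""Audit, and optionally repair, file permissions under a web root.

Added example; not part of the original post. The rule it enforces is the
one above: files 0644, folders 0755, nothing world-writable. demo() builds
a throwaway tree (the file names are constructed) so it runs anywhere.
"""
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def audit(root, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Return [(path, actual_mode, expected_mode)] for every entry below
    `root` whose permission bits differ from the expected ones.

    Symlinks are skipped: their own mode bits are meaningless on Linux, and
    os.walk does not descend into symlinked directories by default, so a
    link pointing outside the web root is never touched.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != dir_mode:
                findings.append((path, mode, dir_mode))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != file_mode:
                findings.append((path, mode, file_mode))
    return findings


def world_writable(findings):
    """The subset that matters most: anything another process could overwrite."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def repair(findings):
    """Apply the expected mode to every finding; returns how many were changed."""
    for path, _actual, expected in findings:
        os.chmod(path, expected)
    return len(findings)


def demo():
    """Create a small tree with deliberately wrong modes, audit, fix, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        banners = os.path.join(root, "images", "banners")
        os.makedirs(banners)
        files = {
            os.path.join(root, "configuration.php"): 0o644,   # correct
            os.path.join(root, "images", "logo.png"): 0o666,  # wrong: world-writable
            os.path.join(banners, "upload.php"): 0o755,       # wrong: exec bit on a file
        }
        for path, mode in files.items():
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(os.path.join(root, "images"), 0o755)   # correct
        os.chmod(banners, 0o777)                        # wrong: world-writable folder
        before = audit(root)
        bad = world_writable(before)
        fixed = repair(before)
        after = audit(root)
        return {"before": len(before), "world_writable": len(bad),
                "fixed": fixed, "after": len(after)}


if __name__ == "__main__":
    print(demo())   # {'before': 3, 'world_writable': 2, 'fixed': 3, 'after': 0}
```

On a host that runs PHP as your own user (suPHP, or a PHP-FPM pool per account) these modes are all Joomla needs. If your host runs PHP as a shared web-server user, any folder you find yourself making 777 so that Joomla can write to it is a problem to raise with the host, not a setting to keep.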

Passwords

When creating passwords for your users, we recommend that you always create strong passwords: at least 10 characters, mixing lowercase and uppercase letters, numbers, and symbols. Use a password manager such as LastPass, 1Password, or Dashlane to generate strong passwords and manage them.

For additional security, use two-factor authentication. Joomla has this built in; it can easily be turned on by visiting your Plugins area, searching for “Two Factor Authentication”, selecting the frontend, the backend, or both, and enabling the plugin for use with Google Authenticator or a physical YubiKey.
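The Google Authenticator option implements RFC 6238 TOTP, and the whole mechanism fits in a few lines; seeing it makes the “scan this QR code” step less magical. What follows is an added Python example, not Joomla’s own plugin code: enrolment secret generation and the base32 string that goes into the QR code, code generation from the shared secret and the current 30-second step, and verification that tolerates one step of clock skew, compares in constant time, and refuses to accept the same step twice. The `RFC_KEY_B32` constant is the RFC 6238 test key, included so the output can be checked against the RFC’s published vectors.

```python
"""RFC 6238 TOTP, the algorithm behind Google Authenticator-style apps.

Added example, not Joomla's own two-factor plugin code. Covers enrolment
(secret generation and its base32 form), code generation and verification.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per time step, the Google Authenticator default
DIGITS = 6

# The 20-byte test key from RFC 6238 (ASCII "12345678901234567890"),
# kept here so results can be checked against the RFC's published vectors.
RFC_KEY_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes=20):
    """Generate a random shared secret and return its base32 form, which is
    what goes into the otpauth:// URI / QR code shown to the user."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(key, counter, digits=DIGITS, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the MAC."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    key = base64.b32decode(secret_b32.upper())
    t = int(time.time() if at is None else at)
    return hotp(key, t // step, digits)


def verify(secret_b32, code, at=None, window=1, step=STEP, digits=DIGITS,
           last_used=None):
    """Check `code` against the current step and `window` steps either side,
    to absorb clock skew between the phone and the server.

    Returns the time step that matched, or None. Store that value and pass
    it back as `last_used` on the next login: a captured code is then
    rejected even though it is still inside the window. Every candidate is
    compared in constant time; a short-circuit string compare would let an
    attacker learn matching digit prefixes from response timing.
    """
    key = base64.b32decode(secret_b32.upper())
    t = int(time.time() if at is None else at)
    matched = None
    for k in range(-window, window + 1):
        counter = t // step + k
        ok = hmac.compare_digest(hotp(key, counter, digits), code)
        if ok and matched is None and (last_used is None or counter > last_used):
            matched = counter
    return matched


if __name__ == "__main__":
    secret = new_secret()
    print("enrol with:", secret)
    print("current code:", totp(secret))
    print("RFC 6238 vector at T=59:", totp(RFC_KEY_B32, at=59))  # 287082
```

The RFC 6238 appendix gives 94287082 for the SHA-1 key at T=59; the six-digit form is the last six digits, 287082, which is also the RFC 4226 HOTP value for counter 1 (59 // 30). Two things the plugin has to get right beyond this are keeping the secret encrypted at rest and rate-limiting attempts, since a six-digit code with a three-step window is only about a one-in-333,000 guess.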

If you don’t have the need for users to sign-up on your site, disable registration. Simply visit Users > Manage > Options and select “No” next to “Allow User Registration”. This will help prevent plenty of issues including, but certainly not limited to, spamming from your site by nefarious users taking advantage of your site.

Protecting Your Administrator Area

Believe it or not, a hacker can gain access to your administrator area if you make it easy for them. Make sure to avoid using usernames like “Admin” or “Administrator”. These will be a hacker’s first guess.

Strong passwords help, but if a hacker can run a brute-force attack against your administrator area, given enough time they may eventually hit the right username/password combination. So we recommend making it harder for them by hiding your administrator area. The standard Joomla administrator URL has always been http://yourdomain.com/administrator/ and hackers know this. There’s a free plugin for Joomla named kSecure that lets you add a secret key to your administrator URL, like http://yourdomain.com/administrator-secret, to make it even more difficult to access. It also gives you the option to protect your administrator directory with HTTP authentication. Keep in mind that a secret URL is obscurity, not authentication: combine it with the HTTP authentication option or with login-attempt limiting, so that a leaked or guessed URL does not put you back where you started.

You can find additional tips and resources on securing your Joomla site at the Joomla Security Checklist page.

If you're looking for professional assistance with keeping your Joomla site secure, we do all of these things and more for you with Joomla Hosting Complete, a fully managed, end-to-end hosting solution for your Joomla website.
