14 Action Steps To Secure WordPress Now

Saturday, May 10th, 2014
14 Action Steps To Secure Your WordPress Site

I’ve written a lot about the steps to secure WordPress. It is a bit of a wonder that I don’t have them listed in one place for you to refer to over and over. Well, I’m rectifying that right now. Here are some actions, with updated information, that you need to take immediately.

Install iThemes Security

Before proceeding, please know that WordPress security isn’t a set-once-and-forget thing. It’s a series of steps, and layers of processes. Now that is out of the way, there are many different plugins out there for security. I like and use iThemes Security extensively, mostly because it has a checklist of things that covers a lot of the common issues I used to handle by hand. Great as it is, sometimes, on some servers, it just doesn’t want to work nicely. It could be an incompatibility with other plugins or with the way a web host has configured the server. In these instances, my fallback is Wordfence. While Wordfence does not do as much, it has one really important feature: blocking suspicious logins and brute-force login attempts. Both are free, though there is a Pro version for iThemes Security.


What Is Heartbleed & What Should I Do About It?

Thursday, April 10th, 2014

The web has been alight with the Heartbleed vulnerability. If you’ve only heard of it in passing, listen up. This one is a biggie. The bad news: it affects a lot of web servers. If you have a website, there’s a good chance the server could be vulnerable. If you’d like to check your own servers, you can go to Flippo.io/Heartbleed. Before going too deep, let’s understand it.

What is Heartbleed?

I’m no systems security expert and I may not do a great job explaining this. I’ll let someone a whole lot more qualified than me, Elastica’s CTO Dr. Zulfikar Ramzan, explain in the video below. Please do take time to view it. It isn’t all that long, and it is that important.

What You Can Do

First, don’t panic. Depending on how swift your web host is on these issues, it may already have been taken care of for you. For the most part, if you’re on shared hosting, there’s nothing you can do to patch this. This is a patch that has to happen at a much higher level and, as a shared host account holder, you simply don’t have the permission/access levels to do


Why You Can’t Think Of Your Data In Isolation Anymore

Thursday, January 30th, 2014
Your Online Data is Not Isolated

Let’s start in November a few years ago. A friend contacted me, obviously distressed. Her site had been hacked. I thought, no problem. We’ll get on it. It turned out to be not so routine. Eventually, we found out her website wasn’t hacked. Her domain was stolen. The new website was not hers, and not on her web hosting account. Someone stole her entire business from under her. Fast forward a couple of months. Another sobering story. Mat Honan, one of Wired’s senior writers, had his MacBook, iPhone, iPad and Google account completely wiped and his Twitter account hijacked. Then, I heard news of another friend’s domain getting hijacked. Then just this week, another major story. Naoki Hiroshima, creator of Cocoyon and developer for Echofon, had his highly valued Twitter username extorted from him. What did the extortionist have on him? Oh… just all of his domains and his PayPal account. Reading his story and the hacker’s responses sent chills up my spine. Since working with my client and learning about Mat Honan’s hacking, I’ve been careful. There’s still much to be done, but I am definitely more careful. I worry a lot about what my husband puts out too. But that’s another story for another

Send to real address

Have you ever come across people with email addresses that look like they were created exclusively for a website? Here’s what I mean. When creating an account at Pinterest, the email address used to register is [email protected], or, when signing up to receive our free yearly blogging planner and calendar, the email address used is [email protected]. In short, any time they are asked to provide an email address, they enter any word, number, phrase or combination in front of the @. Surely these people didn’t have so much time to create a separate email account for each of these addresses? On that note, you are absolutely correct. This is a simple technology known as wildcard email addresses, sometimes known as catch-all. Once you have it set up, you can create any address you desire on the fly and have it all routed to your real address. Why do this at all? Let’s count the reasons:

You want to sign up to try a new service but they do not allow free email addresses
You want to receive information from someone but are new to the author or merchant
You want to maintain email privacy and keep


Checksum distributed

If you’ve ever had any kind of nasty-ware attach itself to your computer, you know how very annoying and potentially dangerous it can be for your privacy, and even your finances. Yet, despite all that, more and more software is being delivered via the Internet than before. Sometimes, the same software is available for download from a multitude of sites especially if they are open source. Thus, the big question is… How do you know the copy you downloaded and are about to install on your computer is an unaltered copy, free from additional nasty code? One thing’s for sure. We aren’t developers so we can’t just pop it open and be able to tell what’s in it. That’s where checksums come in. Check what? Simply put, a checksum – sometimes also called hash sum – is like a verification code. When you run a program or any file through a checksum calculator, it will spit out a length of code. When you distribute that file and tell people your checksum code, they can use that code to verify if the copy they received is indeed the exact same one as the one you sent and thus, safe to use



It has been over 2 years since I first wrote about sandboxing my browser and all Internet-facing programs, but I think it is high time to revisit it again because it is that important. Also because my friend Nicole Dean got duped into installing a bad program from deceptive advertising. Not cool. Anyhow, the original post also focused on how sandboxing saves you from infected websites, when there’s lots more that sandboxing can do. Before moving on, let me attempt once again to explain what sandboxing does. This time, I am going to use a graphic. I’m not the best graphic artist, so pardon my drawing.

What Is A Sandbox Program?

Working in a sandbox program is a lot like putting down a mat before you let kids start making crafts, or laying down sheets before you start to paint a room. When you launch your browser, Skype, instant messenger, email client (Outlook, Thunderbird) or any program that connects to the Internet inside a sandbox, anything you download and install is contained inside the sandbox. So, if you run a program inside the sandbox and it contains a virus, your computer is not affected at all (pictured on right, top). This way, when a downloaded


Stop broadcasting your username

After the highly publicized hacking of Wired reporter Mat Honan’s identity, it is clear to me that hackers don’t always go about things the way we think they do. When we hear “I’ve been hacked”, we immediately think someone has been trying to crack our passwords using software that tries all sorts of passwords from the dictionary or based on some complex algorithm. Or maybe we think they installed something malicious on our computer to spy on us. Yet, Honan’s experience shows us that hackers don’t always need to do all that stuff. In fact, all they did was cleverly and logically work their way through various systems. They call it social engineering. Whatever the name, it’s not good.

Keep Your Security Processes But Keep Your Eyes Open

Don’t get me wrong. I’m not saying abandon your difficult-to-guess passwords that include caps, characters and numbers. Or don’t use tools to help you secure your personal accounts and business systems. Not at all. It would be foolish of you to. What I’m saying is, sometimes, sit back and take a moment to review whether some loops need to be closed.

How I Cracked A WordPress Admin Account

Just this


Time To Switch To 3rd Party Shopping Cart?

Wednesday, April 18th, 2012
Flip the switch

Photo credit: Yutaka Tsutano

There’s a really good chance this won’t be a decision you have to make, and good for you. Most marketers I know sell their digital content via a third-party system like 1ShoppingCart, eJunkie or Clickbank. If you ever wished you could drop that monthly payment, perhaps you might reconsider after reading this post. With that said, I’m writing this not to convince people to stay nor to switch to a third-party system, merely to pose the question to all, a question that we have perhaps never worried too much about until now. Why now? Because, in the last 6 months (and I predict going on into the future), we’ve seen more hacking and site breaches. These are beyond the normal defacing and uploading of malicious content. Those are bad enough, but this is even more scary, ranging from domain hijacking to outright stealing of customer databases. These types of attacks rob us of our brand, business, credibility and trust, things that are much tougher to fix than cleaning up a site and getting it back into the search engines. They also leave small businesses very vulnerable to lawsuits. Just one case could end our



Hey all, I know some of you are on top of this regularly and already know it. At the same time, many don’t, so here you go. If you are using Dean’s FCKEditor plugin, there are several versions of it. Make sure you’re not using the one with PWWANGS Code for WordPress. It has a vulnerability in it. Here are two places to learn more about it: Sucuri and iThemes.

Photo courtesy of duosecurity

In Gmail, when you enable 2-step authentication, each time you log in to your account via an unknown device or computer, you will be asked to enter a verification code that can be sent to your cell phone via SMS or a good old-fashioned phone call. The idea is to provide an extra security layer to verify you are the person logging into your account. My initial thought was, how secure can this be? After thinking through it a little, 2-step verification is perhaps as good as it gets for now. Why? Because a hacker sitting somewhere halfway around the world is not likely to have my cell phone. So when they try to log in to my account, they are immediately presented with the code request, which is sent almost immediately to my cell. Without that, they cannot enter, and I know at once someone is trying to log in to my account. Is it foolproof? Of course not. If there is a concerted effort, like someone breaking into my office and stealing all my logins and my cell phone, yeah sure, they can get into my email. Can people halfway around the world hack my cell
