Register4Less.com Account Security Features

December 14th, 2015

Domain security is in our opinion the most important service a registrar can provide for their clients.  The ramifications of an account being compromised are potentially huge.

Encrypted Passwords

Your password, whether it’s for domain management, an FTP password, or access to your email, is stored encrypted.  We do keep the last 4 characters of the login password for account verification purposes.  Keeping passwords encrypted in our databases ensures only you (and those to whom you have chosen to share your password) will be able to log into your account with us.  No employee or service provider to register4less.com will ever be able to see your login password.

Login Security Agent

Our patented Login Security Agent provides 24/7 account monitoring, and is set up to notify you when a login session has been created on your account.  In addition to notifying you of a successful login to your account, the LSA service gives you the ability to terminate the login session.

LSA has been designed to deal with the one element of account security that we as a registrar cannot control: the human factor.  Ways in which an account could be compromised include:

  • Leaving a login session active on a computer
  • Logging into your account on a public terminal that’s infected with malware
  • Sending an email in plain text with the account information in the body of the email
  • Leaving login credentials written down, etc.

When you set up LSA on your account, you can have LSA send a notification for a login from a connection on any IP address, or you can specify an IP to be ignored.  You will create a “kill password” with the account as well.  This kill password cannot be changed, so you want to ensure it’s one that you will remember.

Let’s go with the scenario that someone malicious has gained your login username and password, and is logging into your account in order to steal your domains.  As soon as this person logs into your account, you will receive a notice that a login session has been created, and from what IP address the person is connecting.  You will recognize that this is not you logging in.

To kick the hacker off, log into your account, and go to Profile > Login Security Agent.  You’ll enter in the Kill Password, and then click the Kill Sessions button.  The next link the hacker will click will log them off the account.  The login password is automatically reset by LSA when you click the Kill Sessions button.  You’ll then need to change your password to a new one, and your account is now once again secure.

Two Factor Authentication

Two Factor Authentication combines the Google Authenticator app for your smartphone with your normal login password.  The app will generate a 6 digit number that’s unique to the app that’s running on your phone.  When you log in, you will enter the 6 digit code after your password (no spaces).
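How a server could check a login typed this way, as an added example that is not Register4Less.com's own code: it assumes the standard time-based one-time password scheme (RFC 6238, HMAC-SHA1, 30-second steps) used by Google Authenticator. The function names, the check_password callback and the sample secret are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the scheme Google Authenticator uses."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_login_field(field, digits=6):
    """Split 'password' + 'code' typed as one string; None if no code is present."""
    code = field[-digits:]
    if len(field) <= digits or not (code.isascii() and code.isdigit()):
        return None
    return field[:-digits], code


def verify_login(field, check_password, secret_b32, now=None, window=1):
    """True only when both the password and the 6-digit code check out.

    check_password is a hypothetical callback that tests the password against
    its stored hash; window tolerates +/- one 30-second step of clock drift.
    """
    parts = split_login_field(field)
    if parts is None:
        return False
    password, code = parts
    now = time.time() if now is None else now
    # Evaluate both factors before answering so the reply does not reveal which failed.
    password_ok = check_password(password)
    code_ok = any(hmac.compare_digest(totp(secret_b32, now + i * 30), code)
                  for i in range(-window, window + 1))
    return password_ok and code_ok
```

A password that itself ends in digits is handled correctly, because only the final 6 characters are treated as the code.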

Keeping Your WordPress Site Secure

December 7th, 2015

Part 2

Hide the Username from the Author Archive URL

Or better yet, don’t make public posts from your admin account at all.  If your admin name is published with posts or comments that you make on your site, this will be visible to hackers as well.  This is like having your admin username be “admin”.

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default WordPress will create an author archive under the URL http://yoursite.com/author/myblogs, using your username myblogs.  This is essentially the same security hole as described in last week’s post: having the admin username be “admin”.

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.

Disable file editing via the dashboard

In a default WordPress installation, you can go to Appearance > Editor and edit any of your theme files in the dashboard.  If a hacker has cracked your WordPress login, they will have access to these files, and can upload whatever files or scripts they wish.

To disable this method of file editing, add the following to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Use a Security Plugin

As well as all of the measures above, there are many plugins you can use to strengthen your site’s security and reduce the chance of being hacked.

Here are a handful of popular options:

Change the wp_ Table Prefix

By default, each table in the WordPress database begins with wp_. Just like the other default features already mentioned, if you leave it as is, it makes it easier for hackers to infiltrate your site and database tables since the table names are the same across most WordPress installs.

Changing this to something more customized and memorable to you means it will be less accessible to hackers.

There are many plugins that can change the table prefix to something else you choose and here are some of the most popular ones:

https://wordpress.org/support/topic/secure-wordpress-change-table-prefix-after-installation

Check Your File Permissions

If you’re hosting your site on a Linux or Unix server (all of our servers are Linux), files have permissions for owners, groups, and all users.  Permissions are granted for files to be readable, writable and executable.  If your file permissions on important files and directories are too open, almost anyone could have access to these files on the server.

The WordPress Codex has a great guide that explains file permissions in-depth.
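A quick audit of the two settings covered above, DISALLOW_FILE_EDIT in wp-config.php and overly open file permissions, as an added example that is not from the original post or from WordPress itself. The function names and the choice of what counts as "too open" (a wp-config.php readable by all users, anything writable by all users) are assumptions, and the sample tree is constructed.

```python
import os
import re
import stat
import tempfile

# Matches define( 'DISALLOW_FILE_EDIT', true ); with either quote style.
FILE_EDIT_RE = re.compile(r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""", re.I)


def audit_wordpress(root):
    """Return sorted findings for the WordPress tree at root (thresholds are assumptions)."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        with open(config, encoding="utf-8", errors="replace") as fh:
            # Drop lines commented out with // or # so they do not count.
            live = "".join(ln for ln in fh if not ln.lstrip().startswith(("//", "#")))
        if not FILE_EDIT_RE.search(live):
            findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
        if os.stat(config).st_mode & stat.S_IROTH:
            findings.append("wp-config.php: readable by all users")
    else:
        findings.append("wp-config.php: not found")
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat judges the entry itself; symlinks always report 0777, so skip them.
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                findings.append(os.path.relpath(path, root) + ": writable by all users")
    return sorted(findings)


def demo():
    """Audit a constructed sample tree before and after tightening it."""
    with tempfile.TemporaryDirectory() as root:
        config = os.path.join(root, "wp-config.php")
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(os.path.dirname(uploads), 0o755)
        with open(config, "w") as fh:
            fh.write("<?php\n// define( 'DISALLOW_FILE_EDIT', true );\n")
        os.chmod(config, 0o644)
        os.chmod(uploads, 0o777)
        before = audit_wordpress(root)
        with open(config, "a") as fh:
            fh.write("define( 'DISALLOW_FILE_EDIT', true );\n")
        os.chmod(config, 0o640)
        os.chmod(uploads, 0o755)
        return before, audit_wordpress(root)
```

Call audit_wordpress() with the path to your own installation; an empty list means none of these checks fired.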

Limit Access to Important Pages

Your admin dashboard and login page are among the most important pages since they can grant access to your entire site. Limiting access to these pages means you and your users will be the only ones that will be able to access your site, keeping you all a little safer.

Click here to learn how you can limit access to a specific IP address.

Keeping Your WordPress Site Secure

November 30th, 2015

Part 1 of 2.

More and more of our customers are opting to use WordPress to build and maintain their websites.  WordPress is an excellent Content Management System (CMS), and now is used for approximately 20% of websites out there.

With WordPress being so popular, it has become a target platform for hackers and spammers.  The platform is mature and secure; however, there are steps every developer should take to help protect their websites from these people.  Some are just common sense, and some involve adding additional plugins to your website.

While the following recommendations will largely apply to any CMS platform like Joomla & Drupal, in our examples here, we’ll be focussing on the Web’s number one CMS platform, WordPress.

New Online Chat

October 13th, 2015

You may have noticed that the chat system on Register4Less.com’s website is different.   You’ll see the image on the right on the bottom right of your screen.   Our previous chat application was only available to visitors of our website when they were not logged in.   Our team is extending the availability of chat hours to the following:

  • Weekdays: 8:30 – 20:00
  • Weekends: 10:30 – 20:00

On mobile devices, the chat icon will look like the green bubble image you see on the right.   The chat application works on all operating systems, tablets & smart phones, not only for you, but from our end as well.  This gives our staff the ability to answer a chat and help a customer even if away from the office.

There are a number of new features in this chat system that allow our support team to provide even better customer support for you when you connect with us online.   The chat system opens up new possibilities with new features such as:

  • Our support agent can see what you are typing as you type, allowing us to respond more quickly.
  • The app keeps a history of chats, so if we need to go back to something from a previous session, that’s possible.
  • Under Options, you can upload a file (show us a screen shot of the problem you’re having for example), email or print a transcript of your chat, etc.
  • The chat from our end is not only web based.  There are native apps for Windows, MacOS, iOS, Android.

The team here at R4L always tries to do our best to provide you with the best possible customer service, and we’re all very excited about this new tool that will help extend our hours of support, and provide you with a better customer service experience.

Get Less Spam with Greylisting

August 17th, 2015

Update: We have disabled Greylisting across the board since it was confusing too many users. We will re-enable whenever cPanel offers to enable this and default to “disabled”.

If you use our advanced email service for your domains and have a package that includes email hosting, your account will have been upgraded to add greylisting service.

Greylisting is a great weapon in the ongoing war against spammers. Greylisting is quite simple in its implementation and takes advantage of how most spammers set up their servers to send out spam.

Most people recognize spam pretty easily, and usually will simply delete any spam they receive.  Spam email will also occasionally get reported to the hosting provider, in the hope that they will shut down the spammer.  Unfortunately, there are providers in certain areas that allow this kind of abuse to go on.  You should note greylisting is available for our advanced hosting plans, and is not for the free email aliases.

R4L Poll Results are in!

August 12th, 2015

Last week, we sent out an email asking you to vote on the option of R4L adding automated telephone notifications in the event one or more of your domain names is about to be suspended. A total of 755 votes were cast. The team at R4L would like to express our gratitude to all of you that took the time to express your preference. The results of the vote are as follows:

Do you wish Register4Less.com to add an automated telephone notification for domain names that are to be deactivated?

  • Yes, please add this for BOTH domains that are deactivated due to expiration and non-confirmation. (58%, 435 Votes)
  • No, I don't wish to receive automated phone calls from Register4Less.com. (23%, 175 Votes)
  • Yes, only for domain deactivated for owner's email not being confirmed. (19%, 145 Votes)

Total Voters: 755

Clearly, the overall preference is to add this service, and our team are now working on getting this live. We have already updated the messaging preferences page to allow you to opt out of telephone notifications for domains that are to be suspended due to either expiry or contact not being confirmed. The default for both of these is enabled, so if you do not wish phone notifications, please log in and update your preferences (Profile > Messaging Preferences).

Owner Contact Verification

August 3rd, 2015

The poll is now open.  Please click here to cast your vote.

ICANN requires all accredited registrars to verify new contact information for domain owners.  If you would like to read ICANN’s policy regarding Whois accuracy, please click this link.

Currently Register4Less.com manages this process by an email that we send to the new contact email address.  This email contains a link for the domain owner to click to verify their address.  In the event that the email sent to the domain registrant bounces or if the link in the email that we send is not clicked, we are required to place a clientHold on the domain name.  This will prevent the domain from resolving, so any web hosting or email service will stop working.

It does happen that people will sometimes ignore the request to verify, or their spam filter will mistakenly block the email (please, whitelist in your spam filter email coming from any address @register4less.com).  In cases like these, the verification doesn’t happen, and the domain in question will be suspended.

Register4Less.com, as you hopefully know, tries to provide the best possible customer support, and tries to do this in the most streamlined, efficient manner possible.  Our support team have dealt with some customers who have understandably been upset by their domains being suspended due to this process.

Our team have been discussing options to improve notification.  Having our support staff call is not an efficient way to handle this, so the solution we are proposing would be to have an automated notification call to the phone number on file for the domain owner.  There of course would be an option to opt-out of this type of notification.

Cast Your Vote Now

We have added a poll on our blog site for you to be able to cast your vote.  As always, if you’re an R4L customer reading this, thank-you for your continued business!

Your Whois Privacy May Be in Jeopardy

June 25th, 2015

Register4Less.com has been providing free Whois Privacy service to our customers since we first introduced this service back in 2002.  We were one of the first domain name registration providers to introduce Whois Privacy.  We are one of the few domain name registrars who still provide this essential service at no additional cost to our customers.

MikeandtheSuspects.com (full disclosure, I am the drummer for the band), for example, is a domain name registered with us and is using our free Whois Privacy service.  If you look up the record for the registrant of the domain, you will see:

Registrant Name: Register4Less Privacy Advocate
Registrant Organization: 3501256 Canada, Inc.
Registrant Street: 5802 Bob Bullock C1 Unit 328C-195   
Registrant City: Laredo
Registrant State/Province: Texas
Registrant Postal Code: 78041-8813
Registrant Country: US
Registrant Phone: +1.5143941150
Registrant Email: admin@privacyadvocate.org

Anti Fraud Measure

April 22nd, 2015

Accepting credit card payments online has always carried risks for online businesses such as ours.  Fraudsters get ahold of credit card data, and will attempt to make online purchases with the stolen credit card info.  Once the card’s owner realizes there are charges on their card they’ve not authorized, they call the bank that issued the card to dispute the purchase.  This has the effect of reversing the purchase, so the vendor does not get paid, and will also get charged an additional chargeback fee.

Register4Less Digital Certificate & Anti-Virus

March 5th, 2015

We have had reports from customers having problems accessing our secure website after we disabled SSLv3 (ref. SSLv3 vulnerability).

It turns out most anti-virus software has an option to allow scanning encrypted connections to websites (ref. SSL content scanning). If the anti-virus does not support TLS 1.1 or TLS 1.2, this prevents it from connecting in secure mode to our website.

So far, we have confirmation that the following anti-virus software has problems with websites not supporting SSLv3, but will add others to the list once we get confirmation:

 

Thank you for your continued support.

 

Note: the following website helps you check the quality of your encrypted connections (ref. https://www.howsmyssl.com)

New FTP Gateway

January 29th, 2015

Register4Less.com’s new FTP gateway allows you to connect to all of your sites using a common configuration.  The new FTP gateway makes publishing your website work in the same fashion whether you are using one of our advanced hosting plans or the free 10MB hosting we provide with your domain registration.

In the past, if you upgraded from the 10MB service to one of the advanced hosting plans, we would migrate your website over to the new AHS server, but you needed to create an FTP account on the server if you wished to publish using FTP.  Now however, you can connect to our FTP server on ftp://ftp.R4L.com, and the server will check which type of hosting plan your domain has and on which server, and then connect you to the right place.

Attention gmail Users

December 30th, 2014

If you have email aliases set up with R4L (why not, they’re free) and forward your aliases to a gmail account, you can use our new SMTP service in order to configure GMail to use this alias.