The Register4Less.com Blog

New Softaculous Default Settings

If you’re using our cPanel based hosting, the R4L team has made a change to the default settings for the software installation program Softaculous.

When installing WordPress, automatically now a security plugin called WordFence will be installed.  We are also changing the default settings when installing WordPress so that WordPress itself, plugins and themes will automatically stay updated.

WordFence

With over 10.7 million downloads, WordFence is the most downloaded WordPress security plugin, and reputedly the best security plugin.  WordFence will help you scan your site for malware/hacks, and help clean the site if problems are detected.

Updating Your Settings

 Basic Options:

• Where to email alerts: — Enter in your email address

Click the Save Changes button before advancing to the advanced options.

Advanced Options:

 Alerts:

These will depend on how many sites you manage, and how many users you have using your site.  For high volume applications, leave only Alert when an IP address is blocked, Alert when someone is locked out from login, and Alert me when someone with administrator access signs in checked.

Firewall Rules:

• Check Immediately block fake Google crawlers.  It provides false traffic numbers.
• 404’s that exceed 2 per minute, choose throttle it
• How long is an IP address blocked when it breaks a rule, choose the maximum 1 month

 Login Security Options:

• Choose Force admins and publishers to use strong passwords
• Lock out after how many login failures, default is 5, recommend 2 or 3
• Lock out after how many forgot password attempts, default is 5, recommend 2
• Amount of time a user is locked out, set to 60 days
• Immediately block the IP of users who try to sign in as these usernames, set admin

Of course, your admin username must not be “admin”.  These settings help protect against brute force attacks

One of the Internet’s most valuable and very  carefully guarded secret is the complex algorithm used by the search giant Google uses to rank pages on the Internet.  Recently, though, Google announced in a web post that the search performance of the new gTLDs “will not be treated differently” from legacy gTLDs like .com and .net.   Any business or person considering moving their website to one of the new gTLDs

This is good news for owners of hundreds of new gTLDs (generic Top Level Domain) like .website, .works or .company and for businesses that are thinking of moving from a longer .com domain name to a shorter name with one of these descriptive gTLDs.  This is also very good news for the companies that operate the registries for these new extensions.

In the article, google provides four steps to make sure that your website’s current rankings will follow to new descriptive gTLD site.

• You will of course need to build your new site (or move the existing content over to the new site), but more importantly to test the new site throughly.
• You need to put together a URL mapping from the current to the new site’s pages.
• When you move the site, you will want to setup 301 redirection from the old to the new site.
• Finally, you’ll want to monitor traffic on the old and the new site to ensure the move is completely successful.

An example Google is showingFrom the post, it would seem Google is very much in favour of the new gTLDs for brand identity, brand protection & promotions.

Domain security is in our opinion the most important service a registrar can provide for their clients.  The ramifications of an account being compromised are potentially huge.

Encrypted Passwords

Your password, whether it’s for domain management, and FTP password, or access to your email are stored encrypted.  We do keep the last 4 characters of the login password for account verification purposes.  Keeping passwords encrypted in our databases ensure only you (and those to whom you have chosen to share your password) will be able to log into your account with us.  No employee or service provider to register4less.com will ever be able to see your login password.

Login Security Agent

Our patented Login Security Agent provides 24/7 account monitoring, and is set up to notify you when a login session has been created on your account.  In addition to notifying you of a successful login to your account, the LSA service gives you the ability to terminate the login session.

LSA has been designed to deal with the one element of account security that we as a registrar cannot control, the human factor.  Ways in which an account could be compromised include:

• Leaving a login session active on computer
• Logging into your account on a public terminal that’s infected with malware
• Sending an email in plaint text with the account information in the body of the email
• Leaving login credentials written down, etc.

When you set up LSA on your account, you will specify LSA to send a notification when logging in from a connection on any IP address, or you can specify an IP to be ignored.  You will create a “kill password” with the account as well.  This kill password cannot be changed, so you want to ensure it’s one that you will remember.

Let’s go with the scenario that someone malicious has gained your login username and password, and is logging into your account in order to steal your domains.  As soon as this person logs into your account, you will receive a notice that a login session has been created, and from what IP address the person is connecting.  You will recognize that this is not you logging in.

To kick the hacker off, log into your account, and go to Profile > Login Security Agent.  You’ll enter in the Kill Password, and then click the Kill Sessions button.  The next link the hacker will click will log them off the account.  The login password is automatically reset by LSA when you click the Kill Sessions button.  You’ll then need to change your password to a new one, and your account is now once again secure.

Two Factor Authentication

Two Factor Authentication combines the Google Authenticator app for your smartphone and your normal login password password.  The app will generate a 6 digit number that’s unique to the app that’s running on your phone.  When you log in, you will enter in the 6 digit code after your password (no spaces).

Part 2

Hide the Username from the Author Archive URL

Or better yet, don’t make public posts from your admin account at all.  If your admin name is published with posts or comments that you make on your site, this will be visible to hackers as well.  This is like having your admin username be “admin”.

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default WordPress will create an author archive under the URL http://yoursite.com/author/myblogs, using your username myblogs.  This is essentially the same security hole as described in last weeks post having the admin username be “admin”.

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.

Disable file editing via the dashboard

In a default WordPress installation, you can go to Appearance > Editor and edit any of your theme files in the dashboard.  If a hacker has cracked your WordPress login, they will have access to these files, and upload whatever files or scripts that they wish.

To disable this method of file editing, add the following to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

Use a Security Plugin

As well as all of the measures above, there are many plugins you can use to strengthen your site’s security and reduce the chance of being hacked.

Here are a handful of popular options:

• http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
• http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
• http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
• http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
• http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
• http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
• http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.

Change the wp_ Table Prefix

By default, each table in the WordPress database begins with wp_. Just like the other default features already mentioned, if you leave it as is, it makes it easier for hackers to infiltrate your site and database tables since the table names are the same across most WordPress installs.

Changing this to something more customized and memorable to you means it will be less accessible to hackers.

There are many plugins that can change the table prefix to something else you choose and here are some of the most popular ones:

https://wordpress.org/support/topic/secure-wordpress-change-table-prefix-after-installation

Check Your File Permissions

If you’re hosting your site on a Linux or Unix server (all of our servers are Linux), files have permissions for owners, groups, and all users.  Permissions are grated for files to be readable, writable and executable.  If your file permissions on important files and directories are too open, almost anyone could have access to these files on the server.

The WordPress Codex has a great guide that explains file permissions in-depth.

Limit Access to Important Pages

Your admin dashboard and login page are among the most important pages since they can grant access to your entire site. Limiting access to these pages means you and your users will be the only ones that will be able to access your site, keep you all a little safer.

Click here to learn how you can limit access to a specific IP address.