The Register4Less.com Blog

WordPress is the most popular Content Management System (CMS) on the Internet, making up 43% of all websites (up from 34% when this post was originally written in 2019).  WordPress stores all user data, including your admin username and password in a MySQL database.  For security reasons, WordPress stores passwords encrypted, making them not readable or directly writable.  You can’t just connect to the database and update the username and password in plain text.  You need to first use an online tool to encrypt new password.  Here are the steps to follow to reset your admin login:

• Log in to manage your domain name, and go to the menu Profile > Manage Advanced Hosting to open the Plesk interface.  It will open in a new pop up window or tab.
• On the Plesk interface, you should see Dashboard highlighted/underlined.  It it’s not, click it.
• Click the link for Databases.
• Click phpMyAdmin
• You should see a list of “tables” in the left column.  They will all have a username prepended to each table name, followed by an underscore and the wordPress table name.
• Look for the one that ends with _users and select that.
• You will see two columns with user_login and user_pass.  The user_login will have your admin username.  The user_pass is what we’re going to be updating.
• On a separate browser window, go to your favourite search engine and look up generate md5 hash.  This is the way to encrypt your new password.
• On the site you choose, enter in your new password and have the site generate the md5 hash encrypted string.  It will be 32 characters long.
• Select and copy (Control or Command C) the entire string.
• Double click the current encrypted that is on the same line as your admin user_name.  That will select the entire string for the user_pass.
• Paste (Control or Command V) in the new encrypted password and hit Enter.  You should see a pop-up message that says 1 row affected.
• Close the phpMyAdmin window and go back to the login screen for your WordPress website.  You can now log in with your new password.

With all of our paid hosting platforms, R4L provides you a free digital digital certificate called Let’s Encrypt.  The web is quickly moving towards requiring sites to use encryption.  When you order an paid hosting plan with R4L, the SSL cert is automatically installed and maintained for you, allowing your website and email to be fully encrypted.

As posted on the news last week on the website Slashdot, the Let’s Encrypt open source SSL Certificate is now recognized by all major root certificates, including:

• Microsoft,
• Google,
• Apple,
• Mozilla,
• Oracle, and
• Blackberry

Let’s encrypt has been trusted by almost all borwsers, it had done so thoruh an intermediate certificate from a vendor called IdenTrust.  With Let’s Encrypt now being directly recognized and trusted, there is no longer a third party involved.  If ever in the future there were a problem with IdenTrust (we’re not saying that’s likely), Let’s Encrypt would continue to be trusted without a problem.  A problem similar to this did happen to Symantec certs when they were untrusted by Google and Mozilla.

Let’s Encrypt is now directly trusted by all major browsers and operating systems.

You may have read that Register4Less.com has added to our paid hosting plans Let’s Encrypt, a free open-source SSL certificate.  This certificate is now installed automatically when you order an advanced hosting plan, and has been installed for all existing paid hosting plans.

Benefits of having your site visitors connect using the https encrypted protocol include:

• Better Search Engine ranking
• Enhanced User Trust
• Protect your User’s sensitive information

Forcing an https:// Connection

When people visit your website, but default if they type in your domain without specifying https://, they will connect with a standard unencrypted http:// connection.  Older links to your website may also not specify the secure protocol, so these would also provide un-encrypted connection.

You can however quite easily switch an http to an https connection by editing your .htaccess file.  Here’s how to do this.

1. Log in for your domain, and go to Paid Hosting > Manage Advanced Hosting to open up the cPanel window
2. In the Files section, click on the icon for File Manager.  This will open in a new window
3. On the upper right click on Settings.  If the option for Show Hidden Files (dotfiles) is not checked, check it and save.
4. On the left column, click on the public_html folder.
5. Look for a file named .htaccess in your public_html folder.  If there isn’t one, go to File and create a new file named .htaccess in the /pubic_html folder.
6. Select the file, and click Edit
7. Paste the following two lines into the file, and click the Save Changes button.

          RewriteCond %{HTTPS} off
          RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

On December 1^st, 2016, ICANN will require all accredited registrars significantly change how they handle domain ownership changes.  Briefly, it will no longer be possible to update the domain owner’s contact information by simply logging in to manage the domain and submit a new set of contact data.

Inter-Registrar Transfers

Currently, the only type of transfer of a domain that requires confirmation is the Inter Registrar transfer which is governed by ICANN’s Inter Registrar Transfer Policy.  The process of transferring a domain from one registrar to another will still follow the confirmation process with the domain’s current administrative contact.  The current contact must click a link sent to the contact in the current Whois record for the domain being transferred.  The admin contact must confirm the transfer with the current registrar, and may confirm the transfer away from the current registrar.

Inter-Registrant Transfers

New starting in December will be the process of confirming changes in the owner contact of a domain.  When there is a change in the owner contact’s first or last name, organization name, email or telephone number, a new confirmation process will be triggered.  The process is as follows:

• Register4Less (R4L) will first check if the domain name is eligible for a change in the owner’s contact.  If the domain is not, the contact update will not be saved and a message presented to the user stating why the domain cannot be updated at this time.
• R4L will send an email to the current owner contact requesting they (or their designated agent) approve the change.  If that email is not responded to favourably, the contact change is rejected.
• Once confirmed by the current owner contact, R4L will send an email to  the new owner contact requesting they (or again, their designated agent) approve the change.  Note, the previous and new owner contact may be the same address.  Both emails need to be confirmed in order for the update to complete.
• If / when both confirmations are positive, R4L will then send an email to both contacts confirming the update.

The R4L Team will post updates to this procedure as they develop.

Usually, for the weekly blog post we try to write about something informative, about a new service we’re rolling out, etc.  This past Wednesday, though, we had an interesting incident in our support team we’d like to share with you.

Mid afternoon, William Wakely, an relatively new customer for Register4Less, contacted our support via the secure online chat on our website.  He was reporting that overtime he logged our of his account, his password would get reset.  He was able to log back in by using the email that is sent with the Lost Password function.

Passwords of course will not reset themselves.  The only way for a password to get changed is for someone that is already logged in to go to the menu Profile > Change Password and submit a new password.  Once we were able to confirm William was the true domain owner, we asked him to check the Login Security Agent (LSA) page (also under Profile).

Sure enough, William was able to see there was another login session active from a different IP address.  William provided us with the IP address, and we were able to see this was coming from a different internet service provider from his, and not one that he recognized.

William had not yet setup the LSA kill password, so he did that while we were still on our chat session, and once set up, terminated the other person’s login session, and then reset his password.

We don’t actively track how frequently the LSA kill session function is used, though we could if we went through all of our log files.  It was however interesting and rewarding to be chatting with a customer and help them use this function live.  With any other registrar, the customer and true domain owner would not able been able to kick the other person off of their account, so resolving this problem would not have been easy.  LSA saved the integrity of William’s account!

New Softaculous Default Settings

If you’re using our cPanel based hosting, the R4L team has made a change to the default settings for the software installation program Softaculous.

When installing WordPress, automatically now a security plugin called WordFence will be installed.  We are also changing the default settings when installing WordPress so that WordPress itself, plugins and themes will automatically stay updated.

WordFence

With over 10.7 million downloads, WordFence is the most downloaded WordPress security plugin, and reputedly the best security plugin.  WordFence will help you scan your site for malware/hacks, and help clean the site if problems are detected.

Updating Your Settings

 Basic Options:

• Where to email alerts: — Enter in your email address

Click the Save Changes button before advancing to the advanced options.

Advanced Options:

 Alerts:

These will depend on how many sites you manage, and how many users you have using your site.  For high volume applications, leave only Alert when an IP address is blocked, Alert when someone is locked out from login, and Alert me when someone with administrator access signs in checked.

Firewall Rules:

• Check Immediately block fake Google crawlers.  It provides false traffic numbers.
• 404’s that exceed 2 per minute, choose throttle it
• How long is an IP address blocked when it breaks a rule, choose the maximum 1 month

 Login Security Options:

• Choose Force admins and publishers to use strong passwords
• Lock out after how many login failures, default is 5, recommend 2 or 3
• Lock out after how many forgot password attempts, default is 5, recommend 2
• Amount of time a user is locked out, set to 60 days
• Immediately block the IP of users who try to sign in as these usernames, set admin

Of course, your admin username must not be “admin”.  These settings help protect against brute force attacks

Part 2

Hide the Username from the Author Archive URL

Or better yet, don’t make public posts from your admin account at all.  If your admin name is published with posts or comments that you make on your site, this will be visible to hackers as well.  This is like having your admin username be “admin”.

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default WordPress will create an author archive under the URL http://yoursite.com/author/myblogs, using your username myblogs.  This is essentially the same security hole as described in last weeks post having the admin username be “admin”.

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.

Disable file editing via the dashboard

In a default WordPress installation, you can go to Appearance > Editor and edit any of your theme files in the dashboard.  If a hacker has cracked your WordPress login, they will have access to these files, and upload whatever files or scripts that they wish.

To disable this method of file editing, add the following to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

Use a Security Plugin

As well as all of the measures above, there are many plugins you can use to strengthen your site’s security and reduce the chance of being hacked.

Here are a handful of popular options:

• http://wordpress.org/plugins/better-wp-security/ – offers a wide range of security features.
• http://wordpress.org/plugins/bulletproof-security/ – protects your site via .htaccess.
• http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ – adds a firewall to your site.
• http://wordpress.org/plugins/sucuri-scanner/ – scans your site for malware etc.
• http://wordpress.org/plugins/wordfence/ – full-featured security plugin.
• http://wordpress.org/plugins/websitedefender-wordpress-security/ – comprehensive security tool.
• http://wordpress.org/plugins/exploit-scanner/ – searches your database for any suspicious code.

Change the wp_ Table Prefix

By default, each table in the WordPress database begins with wp_. Just like the other default features already mentioned, if you leave it as is, it makes it easier for hackers to infiltrate your site and database tables since the table names are the same across most WordPress installs.

Changing this to something more customized and memorable to you means it will be less accessible to hackers.

There are many plugins that can change the table prefix to something else you choose and here are some of the most popular ones:

https://wordpress.org/support/topic/secure-wordpress-change-table-prefix-after-installation

Check Your File Permissions

If you’re hosting your site on a Linux or Unix server (all of our servers are Linux), files have permissions for owners, groups, and all users.  Permissions are grated for files to be readable, writable and executable.  If your file permissions on important files and directories are too open, almost anyone could have access to these files on the server.

The WordPress Codex has a great guide that explains file permissions in-depth.

Limit Access to Important Pages

Your admin dashboard and login page are among the most important pages since they can grant access to your entire site. Limiting access to these pages means you and your users will be the only ones that will be able to access your site, keep you all a little safer.

Click here to learn how you can limit access to a specific IP address.

Part 1 of 2.

More and more of our customers are opting to use WordPress to build and maintain their websites.  WordPress is an excellent Content Management System (CMS), and now is used for approximately 20% of websites out there.

With WordPress being so popular, it has become a target platform for hackers and spammers to attack WordPress sites.  The platform is mature and secure, however there are steps every developer should take to help protect their websites from these people.  Some are just common sense, and some involve adding additional plugins to your website.

While the following recommendations will largely apply to any CMS platform like Joomla & Drupal, in our examples here, we’ll be focussing on the Web’s number one CMS platform, WordPress. (more…)

Accepting credit card payments online has always carried risks for online businesses such as ours.  Fraudsters get ahold of credit card data, and will attempt to make online purchases with the stolen credit card info.  Once the card’s owner realizes there are charges on their card they’ve not authorized,  they call the bank that issued the card to dispute the purchase.  This has the effect of reversing the purchase, so the vendor does not get paid, and will also get charged an additional chargeback fee.

(more…)

We have had reports from customers having problem accessing our secure website after we disabled SSLv3 (ref. SSLv3 vulnerability).

Turns out most anti-virus software have an option to allow scanning encrypted connections to websites (ref. SSL content scanning). If the anti-virus does not support TLS 1.1 or TLS 1.2, this prevents it from connecting in secure mode to our website.

So far, we have confirmation that the following anti-virus software have problem with websites not supporting SSLv3, but will add others to the list once we get confirmation:

• Bitdefender (ref. http://www.bitdefender.com)

Thank you for your continued support.

Note: the following website helps checking your encrypted connections quality (ref. https://www.howsmyssl.com)