Preventive Security for Your Website
How To Effectively Secure Your Website Free and Easy Without Installing Another Plugin
FREE EDITION 2017
By Marc Jayson P. Papp, Creator and Webmaster of www.MarcJaysonPapp.com
© 2017 Marc Jayson P. Papp. ALL RIGHTS RESERVED
Dedication
To Julia and Jay-jay, my daughter and son. The two people who keep me inspired every day to never back down from life’s challenges and to continue moving forward to reach my dreams…
To my grandmother, Roberta, who taught me the real meaning of sacrifice and love...
To YOU, who never gives up on your dreams. You will be successful, that’s for sure!
Quick Links
08 Introduction
13 My Mission in this eBook
14 How I Can Help You
18 Your Takeaways
22 Composition of a Website
25 Chapter 1: Fix Your Security Holes NOW!
35 Chapter 2: Make Sure That The Weakest Link Is Not You
53 Chapter 3: Design Your Website With Security In Mind
54 Chapter 4: What’s Your PLAN?
55 Final Words From Marc
58 Appendix A: The File Permission System
62 Appendix B: Permission Control on Critical Files and Folders
84 Appendix C: How Hackers Bypass Your Security Login and Execute a Malware
86 Appendix D: How Hackers Bypass Your Security Login and Access Your Files
88 Appendix E: How to Protect Your Website from Appendix C and D
95 Appendix F: How to Protect Your Website from Brute Force Attack
99 Appendix G: How to Protect Your cPanel from Phishing Attack
104 Appendix H: How to Protect Your cPanel’s Credit Card Information
106 Appendix I: How to Verify Any Changes You Made On Your Website
109 Appendix J: How Hackers Can Get Your Private Information
114 Appendix K: How To Protect Your Private Information From Hackers
122 Appendix L: How to COMPLETELY Remove an Uninstalled Plug-in
124 Appendix M: Disable Member Registration in WordPress
125 Appendix N: How To Keep Your Website Updated and Pro-actively Maintain It
129 Appendix O: How To Protect Your Source Code in WordPress
131 Appendix P: Use The Logout Everywhere Else in WordPress
132 Appendix Q: How To Easily Backup Your Website’s Database Without Using Any Plug-in
140 Appendix R: How To Easily Backup Your Website’s Files Without Using Any Plug-in
144 Appendix S: How To Restore Your Website's Backed Up Database and Files
145 Appendix T: How To Audit Your Website Thoroughly
147 Appendix U: How To Perform a Health Check of Your Website
150 Your Next Step
151 About The Author
152 Disclaimer
Introduction
Security Starts From You
Securing Your Website is Like Protecting Your HOME: It MUST Start from You!
Let me ask you a simple question. Who is the person in your home who locks your bedroom door, front door and back door to prevent intruders from coming in? I know the answer is obvious: it’s either you or your family members. You don’t ask your neighbors to do this for you nor hire an “expert” just to do this simple task of protecting your home. You can do that yourself without a problem and without paying anyone a huge amount of money.
Securing your website is just the same. You can secure your website easily and effectively without having the need to pay someone 300 to 500 dollars annually! At least, not immediately when you still cannot afford it.
Yes, that’s the regular price today that website owners pay for a website security service. I’m not surprised because I know how important it is to secure your website. It will make or break your website and online business.
Quick Links 1 2 3 4 OR Press Shift + Ctrl + N to go to a specific page
www.MarcJaysonPapp.com
Don’t get me wrong. I’m not saying you shouldn’t get a security expert’s help to secure your website. If you can afford them, that is your choice. But regardless of whether you can afford them or not, I still believe that protecting your website and your online business MUST always start from you!
After all, you are the number one casualty if ever a disaster happens on your website. So you must be the number one person who always looks after your back (and every point of attack).
It is your responsibility as the owner of your website and your business to at least understand how intruders and hackers attack your website and how you can protect it from your level.
After you have implemented the free and easy steps I detailed in this eBook, which I call Preventive Security for Your Website, and you think you want more security for your website and the cost is not an issue to you, that’s the time you should get the services and/or products of security experts. That way, you will be setting up multiple lines of defense for your website:
First, you have done your responsibility to secure your website from your level.
Second, you have asked the help of security experts for additional layers of security.
Website Security is more than just having the hardest password. Yes, I make sure my passwords are all very hard to crack. But I will show you in this eBook how hackers can bypass your security login easily. I will even show you how it’s very much possible that you can freely give away your username and password without realizing it.
Security vulnerabilities are not only found in our system and website. Most of the time, the vulnerability in security is us - THE WEBSITE OWNERS.
Most website owners, especially the non-techies and first-timers, are not trained enough to tell a hoax from the legitimate. A lot of people forget to spend some of their time to learn about website security. NOT UNTIL they become a victim.
The worst things that could happen are just overwhelming:
1. Hackers can ask you for a ransom.
2. You can lose the contents you painstakingly put into your website and spent precious time and effort to make.
3. You can lose your site’s traffic which you worked hard to achieve.
4. You can lose the money, time, and effort you have invested in building your business.
5. You can lose potential income and opportunities while your website is down due to an attack.
In one of Pat Flynn’s (my online influencer) blog posts, entitled So THIS Is What Happens When Your Server Goes Down for a Week, he detailed the unfortunate experience he had when his server was attacked using a method known as Distributed Denial of Service (DDoS). It was a big lesson learned for him… and hopefully for everyone else.
When I learned about this, I came to a realization: Pat Flynn was still lucky because at the time the attack happened to him, he already had the money and means to get the people and resources that could help him. But how about those who are still starting up? How about those who still cannot afford to pay a subscription fee of 300 to 500 dollars a year to protect their website?
That’s where I saw how I could be of help to so many people. That’s where I got the inspiration to write this eBook. That became my mission in this eBook...
My Mission in this eBook
My mission in this eBook is to help Online Entrepreneurs, Bloggers, Professionals, Website Owners, and ANYONE who wants to build a profitable and SECURED website.
My goal is to teach first the FREE and EASY ways to secure a website. Those that are already available at their disposal but they have no idea how to use them OR they have no idea that they’re there.
Build a Profitable and Secured Website
How I Can Help You
My Experiences and Passions
I’ve been in the IT industry for more than 16 years now (and yes, I’m still practicing my profession.)
Technically, I’m a System Developer and a Database Programmer. Part of my job is to ensure security of the systems (be it a website or an application) we are working on.
I don’t consider myself a security expert yet. I just consider myself an experienced practitioner in this field. I understand and practice security procedures in my work. I know how to do them the simple way or the long way, which may require programming skills.
What I’m going to teach you in this eBook are the simple ways to secure your website. Those things that don’t need any programming skills to implement. BUT, don’t ever think that because these are simple, they are weak. As a matter of fact, IT IS THE ONLY WAY! It is YOUR FINAL LINE OF DEFENSE.
My trainees from one of my IT trainings.
To make you understand what I mean, let’s go back to the analogy I made earlier: Securing your website is like protecting your home. If your home is surrounded by a concrete wall fence, that is your FIRST LINE OF DEFENSE. This is the kind of service that security experts offer for 300 to 500 dollars a year.
But the LAST LINE OF YOUR DEFENSE is closing your “Front Door”, “Back Door”, and “Bedroom Door”. That is what we are securing in this eBook.
Prevention is the best approach not only in security but even in business. Because when you are preventing, you are anticipating. Anticipation is the ultimate competitive advantage. This is the reason why I decided to focus on implementing preventive security measures rather than focusing on reactive security measures.
Even at work, before we even worry about the security firewalls, we will first secure our own “territory”.
IT MUST ALWAYS START FROM THERE!
You cannot afford to build a concrete wall fence around your home but forget to close your home doors. Someone who is skilled enough to climb that wall or bypass it can still intrude or attack your household.
This is the reason why, even after a site has been restored from a disaster, the website gets hacked again. It’s because a lot of website owners don’t know how to close their website’s final line of defense. And a lot of people are not aware that they can actually do this for FREE and EASILY (Yes! You don’t need 16 years of experience in IT to implement these security measures.)
I also made conscious efforts to provide you solutions that will keep your website’s security intact and avoid another security risk. Even if it means not following what is popularly practiced. An example of this is installing plugins or extensions.
You will learn later in this eBook that installing plugins is the most common cause of security breaches. As much as possible, I aim to minimize the use of plugins.
Your Takeaways
Both the tangible and intangible benefits
This eBook will serve as your Website’s Preventive Security Manual. You can always pick it up, go back to the topic you need and follow the screenshot-based step-by-step instructions that are very detailed and easy to use.
My recommendation is to implement the security measures that you will learn here as soon as possible. Don’t wait for that disaster or attack to come to you BIG TIME. Secure your website as soon as you learn how to do it.
This is the reason why this eBook is full of detailed screenshot-based step-by-step instructions. So that you can easily follow and implement them quickly.
Here are some of the benefits that you can get from this eBook:
1. You can strengthen one of the favorite vulnerabilities of hackers and intruders: Your Security Awareness. With this eBook, you will see how hackers can deceive you and penetrate your website even if you have the hardest password in the world.
2. You can save yourself 300 to 500 dollars a year of subscription for the meantime while you still cannot afford the regular cost of security services provided online by security companies. You can do this by simply educating yourself about website and online security.
3. You can now focus on growing your business. After you have implemented the security measures I detailed here, you have done your part. You educated yourself to be more aware of how to secure your website and business. You become proactive in preventing hackers and intruders from causing harm to your business.
This is important especially to those who are still starting up their business.
To reiterate, you will be needing the help of security experts as you grow. But while you are still growing your online business and still cannot afford to pay them this amount of money, you can implement the security measures I detailed in this eBook and that should serve as your first line of defense for the meantime (it will become your final line of defense once you avail of the security products and services offered by security companies). You can add another layer of defense later on once you are earning enough.
Of course I cannot guarantee a 100% hack-proof and disaster-proof system. NOBODY can guarantee that, not even the security experts themselves.
But what I can assure you is that by educating yourself using this eBook and following the security measures I’ve presented here, your website will be more secure than it has been originally.
4. Your Google ranking should improve as well if you keep your website secured. Google is giving priority to secured websites. Google is banning and tagging unsecured websites and therefore demoting their ranking in the process.
Composition of a Website
All websites are composed of the following:
1. A domain name, which is basically a web root directory accessible to the public, residing in a server.
2. Website Files like the program scripts, themes, plugins and other files and folders.
3. Database. A website may or may not use a database to store its other data.
4. Web Host Server. Where these folders, files, and database are stored.
Illustration: how the four components of a website work together
1. A visitor sends a request (using a URL address and a browser) to your web host server to access your website’s folders, files, & data.
2. Your web host server receives the request.
3. Your web host server processes the request and responds accordingly.
4. The visitor’s browser displays whatever is the result of the request.
Note: This illustration is a very simplified presentation of how a website works. Technically, there are more things that happen along the way. But this illustration is a good overview of how the four components of a website work together to achieve their purpose.
As you can see from the illustration above, a website is simply another computer (more powerful than an ordinary laptop) that shares files, folders, and data with the visitors. The world wide web is simply a network of computers accessible to the world. The problem starts when some visitors want to access files and data that you do not want to share with them. And they will use all possible techniques, be it manual or automated, just to access these data and achieve their purpose.
Your responsibility as a website owner is to make sure that these components are properly secured. That all possible vulnerabilities that these hackers and intruders can abuse are locked and guarded.
In this eBook, I show in detail how you can implement these security measures by yourself because it’s easy and free. If you have someone doing your website security for you, make sure to review these security measures with him or her to ensure that he or she has implemented the necessary security measures for your website. You can test whatever security measure has been implemented. I also show how to properly do that testing in this eBook.
Chapter 1: Fix Your Security Holes NOW!
This is URGENT and IMPORTANT!
I made this the first chapter because it is URGENT and IMPORTANT. You might not be aware that you already have security holes in your website and intruders like bad bots and hackers are already taking advantage of them. In short, you are “leaving your doors wide open for them”.
It’s now time for you to take control of your business’ security before somebody else takes over it.
Security holes in your website can come from a wrong setup in your Web Host Server and CMS (Content Management System) like WordPress. We will review the configuration or setup of these two and fix the security holes that we can find.
Let’s start with your Web Host Server
1. Understand the File Permission System of your server (See Appendix A) then, as soon as you can, set permission controls on the CRITICAL files and folders in your server (See Appendix B.)
2. I have explained in detail in Appendix C how hackers can bypass your security login and execute malicious code on your server. This is really alarming so make sure to check this out.
Also in Appendix D, I have explained in detail how hackers can bypass your security login to access your website’s files and folders at will.
NEVER allow this to happen. Follow the security measures for this vulnerability which I detailed in Appendix E.
3. In WordPress, you login to your Admin Area by using this address:
www.yourdomainname.com/wp-admin
wp-admin is actually a folder on your server. Intruders know this and they can try to access it so they can brute force their way in, guessing your password or attacking your website.
Thus, it’s important for you to protect this folder. In Appendix F, I show an effective way to protect this folder.
4. Add an additional layer of security to your web host’s cPanel by enabling Google’s 2-Step verification.
In Appendix G, I have detailed the steps on how to enable Google Authentication 2-step verification in your web host’s cPanel area.
Aside from having a hard-to-guess password, the 2-step verification will provide another layer of security wherein the user will need to enter a numeric code after successfully logging in. This numeric code is randomly generated every 30 seconds or so and you can get these codes if you install the Google Authenticator app on your smartphone or receive it via email.
So even if your cPanel username and password have been compromised (maybe you were victimized by a social engineering technique similar to what I have discussed in Chapter 2), intruders will still need to get through this additional security layer which only you can access.
5. Secure your credit card information in your web host’s cPanel.
In Appendix H, I’ve explained in detail how you can protect your credit card information in your cPanel.
Why is this important? Because as your business grows, you may want to delegate the tasks you are doing in your cPanel. So you may assign or hire someone to do these tasks for you. But of course, you don’t want them to access your credit card information, so you need to secure it.
6. Make sure to test your implemented security measures. After implementing the security measures I have detailed in this chapter, the next important step is to test if they are working.
Testing your security changes requires some tools and techniques. Otherwise, you might not be able to see the actual result of your changes.
Check out Appendix I to learn how to do this.
Securing Your CMS Admin Area
After securing your server and cPanel area, the next security holes that you need to fix are the security holes of your CMS or Content Management System.
In this section we will apply these security measures in WordPress. If you are using a different CMS, you may research how to apply the same security measures that I presented here for your CMS.
Your CMS should have the same security features. They just probably differ on where and how to set them up.
First, disable the “Anyone can register” membership registration feature in your WordPress admin area IF your website is not meant for that.
I remember when I first used WordPress many years ago, I got a notification a few minutes after I had installed WordPress on my web server. The notification informed me that there’s a new member that registered on my blog.
I was surprised to see that since I hadn’t even started working on my blog and I wasn’t even planning to use my blog for membership registration.
After some research, I saw that by default, this “Anyone can register” feature is enabled. Although I think this has changed now.
To disable this feature, check out Appendix M for the detailed steps.
Second, proactively manage the updating of your WordPress installation, Plugins, Themes and extensions.
There are pre and post steps that you need to do every time you perform an update.
Check Appendix N to learn more about this.
Third, by default source code editing is enabled in WordPress. This means the source code of your plugins, themes, or extensions can be modified by a user that has administrator rights.
If you are a programmer, this is something you can keep enabled so you can modify the code. Just make sure you make some backups before implementing any change and make sure that you know what you are doing.
If you’re not a programmer, it is safer to disable this feature. This way, even when someone has managed to access your WordPress account, they will not be able to modify your source code and inject malicious programs.
I have dedicated Appendix O to show you how you can easily protect your source code in WordPress.
Fourth, use the “Logout Everywhere Else” feature of WordPress.
Today, there are many ways you can access WordPress. You can access it on different computers and mobile devices. Because of this, there is a big chance that you have left some of your login sessions open on these computers or devices by forgetting to logout from them or by losing these devices.
To make sure that nobody can access those open login sessions that you forgot or failed to logout from, you can use the Logout Everywhere Else feature of WordPress.
To use this, check out Appendix P and implement the steps I have provided there.
Fifth, enable the JetPack Security Features.
WordPress continues to improve its product by merging features from their different products. One of these is JetPack.
I’ve seen some people online teaching people to uninstall this plugin in WordPress. For me, JetPack is one of the free but reliable tools I’m using with my online business to track visitors, site statistics, security, performance and many more.
JetPack offers free security features that you can enable, so why not use them?
Let’s enable these useful features one-by-one now:
1. Login to your WordPress Admin Area.
2. In the sidebar menu, locate Jetpack then click on Settings. You may be asked to login to WordPress.com or create an account there. Just do that to access Jetpack.
3. When you see the Jetpack page, click on the Security tab:
4. In the Security tab enable the following security features:
Protect: This security feature prevents and blocks malicious login attempts.
Go to Jetpack > Dashboard then click on the At a Glance tab. You will see here your site statistics and how many malicious attacks have been blocked by Jetpack.
Monitor: if you enable this security feature, you will receive an immediate notification if your site goes down at any time of the day.
This is like having an automated system that alerts you whenever a suspected attack or downtime has been detected by Jetpack. This way, you can quickly apply a solution if you are the webmaster of your website or call your webmaster to quickly resolve any problem.
Site Statistics. You can use this free tool not only to monitor traffic on your website but to monitor any Distributed Denial of Service (DDoS) attack. A sudden burst of traffic with no logical reason at all (you were not interviewed on TV or featured in a popular news program or publication) but you are seeing a sudden burst of traffic that is using random keywords and accessing random pages on your site. That should raise a red flag; take the necessary steps to investigate further or take immediate action.
If there are any new cool features in the future that I think can help you with your online business, I will keep you updated. Make sure that you have subscribed to my newsletter. If you haven’t done that, you can visit my site here. Enter your first name and a valid email in the opt-in form I provided there.
Chapter 2: Make Sure that the Weakest Link is Not You
YOU are the MOST INTEGRAL part of your Business’ Security
Do you know that a lot of compromised accounts and hacked websites were taken not through a sophisticated, highly technical attack, but through a simple email or phone call?
It’s called Social Engineering. The most commonly used social engineering technique is called Phishing. According to a study from Google, some of the most effective phishing attacks have a 45% success rate!
In a phishing attack, an attacker will send you an email pretending to be a legitimate organization and request your confidential information. Another way they do phishing is they simply call you and pretend to be representing a legitimate company.
For phone call phishing, make sure that you scrutinize the caller before even doing what he or she is asking you to do. Verify your caller with the company he claims to belong to. It is not rude to ask for his complete name and tell him that you will call him back after you’ve done your verification. A good rule of thumb is to never give your personal and sensitive information over the phone or any other communication media IF you’re in doubt.
For email phishing, this will require you to pay attention to some key details to determine if a particular email is legitimate or not.
Before I started writing this eBook, I received 2 phishing emails that I was able to figure out quickly before they could potentially victimize me. I think they are great examples for this chapter so I’m going to show them here and detail to you the exact steps I took to quickly figure out what a phishing email is.
On March 11, 2017, I received this email that seemed to come from bluehost, my web host provider:
Here are the warning signs that you can check to determine if an email comes from a legitimate source or not:
1. Carefully check the sender’s email address.
In the preceding screenshot notice the domain name used in the sender’s email address:
@12.bluehost.com
If I’m not careful, I could easily fall into their trap and think that the email really came from bluehost. But the domain name of bluehost is not 12.bluehost.com. The domain name of bluehost is bluehost.com. That alone immediately confirmed that this email is a hoax.
2. Scrutinize the details of the URL link that was provided in the email (if there is any)
http://my.bluehost.com.e0ab531ec312161511493b002f9be2ee.fizo.testv1.testforhost.com/
Again, it tried to trick my eyes. It’s true that bluehost has a subdomain named my.bluehost.com but it doesn’t have a subdomain as long as this one:
my.bluehost.com.e0ab531ec312161511493b002f9be2ee.fizo.testv1.testforhost.com
That subdomain was made to trick my eyes and make me fall into their trap.
3. When I clicked the link that was provided, it showed a similar bluehost login screen:
Social engineering is really sneaky. They will try to deceive you by copying some pages of the real website to make you believe that they are the real one.
To avoid falling into this trap, I always advise people to always look at the URL address first and not at the web page.
The images, contents, and designs in a page can always be copied but a domain name is always unique.
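Here is an added example (mine, not from the eBook) that turns warning signs 1 and 2 into a check you can run: it pulls the host out of the sender address and out of every link, works out the registrable domain (the part a registrar actually sells, so anything to its left can be made up freely), and compares it with the domain you expect, reporting a link like the one above as a mismatch and a never-seen host under the real domain as something to verify. The display name, the sender’s local part, the allowlist of bluehost hosts and the tiny suffix list are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed public-suffix list for this example only (an assumption). A real
# check should use the full Public Suffix List maintained at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that a registrar actually sold.

    Every label to the left of it is a subdomain that the owner of that domain
    can create at will, so my.bluehost.com.<anything>.testforhost.com is
    controlled by whoever owns testforhost.com, not by bluehost.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first so "co.uk" beats "uk"
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def host_of_sender(from_header: str) -> str:
    """Host part of a From header, either 'Name <user@host>' or 'user@host'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip("> ").strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single e-mail address: {from_header!r}")
    return addr.split("@", 1)[1].lower()


def host_of_link(url: str) -> str:
    """Host part of a link; the path after the host plays no role in the check."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def classify_host(host: str, expected_domain: str, known_hosts: set) -> str:
    """Three verdicts: 'ok' for a host you have used before, 'unfamiliar' for
    a host under the expected domain that you have never seen (verify it),
    and 'mismatch' when the registrable domain is a different one altogether."""
    if host in known_hosts:
        return "ok"
    if registrable_domain(host) == expected_domain.lower():
        return "unfamiliar"
    return "mismatch"


def check_email(from_header: str, links, expected_domain: str, known_hosts: set) -> dict:
    """Map every host found in the e-mail (sender plus links) to its verdict."""
    hosts = {host_of_sender(from_header)} | {host_of_link(u) for u in links}
    return {h: classify_host(h, expected_domain, known_hosts) for h in hosts}


# Constructed sample modelled on the e-mail in this chapter. The display name,
# the "support" local part and the allowlist of real bluehost hosts are
# assumptions; the page only gives the @12.bluehost.com domain and the link.
KNOWN_BLUEHOST_HOSTS = {"bluehost.com", "www.bluehost.com", "my.bluehost.com"}
SAMPLE_FROM = "Bluehost Support <support@12.bluehost.com>"
SAMPLE_LINKS = [
    "http://my.bluehost.com.e0ab531ec312161511493b002f9be2ee.fizo.testv1.testforhost.com/",
]

if __name__ == "__main__":
    verdicts = check_email(SAMPLE_FROM, SAMPLE_LINKS, "bluehost.com", KNOWN_BLUEHOST_HOSTS)
    for host, verdict in sorted(verdicts.items()):
        print(f"{verdict:<10} {host}")
```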
At this point, if you are not very careful, once you enter your domain name and password in the text boxes, that information will be stored or sent to whoever made that fake bluehost screen. You just compromised your security and gave away your valuable information. Anytime, they can take over your website, do whatever they want or maybe contact you and ask you for a ransom.
This is the reason why I detailed in Appendix G how to enable Google’s 2-Step verification security. So that even when you make the mistake of falling into this trap, you will have another layer of security that will be difficult for the attackers to penetrate.
This is the real login screen of bluehost. Notice the difference in the URL address:
The Second Email
The second email I received is not exactly a phishing email but more of a hoax email. But again, this is another social engineering technique, although the goal here is not to hack into your account but rather to get some money from you.
On March 8, 2017 (6 days after I signed up a new account with bluehost for my second website) I received this peculiar email from a certain Bryan Younglass. This is the exact email address:
Bryan Younglass
<websitesupport@registrationdomainsite.com>
Here is the screenshot of the email.
Chapter 2: Make Sure that the Weakest Link is Not You
In this second email we have to realize two things:
First, the sender is NOT pretending to be someone else or claiming to belong to a legitimate company. He is claiming to be a legitimate company himself. Therefore, we cannot prove that the domain name is fake, because he is not using a copycat approach.
Second, for some reason he was able to target a newly registered domain name. It is no coincidence that, in the body of his email, he knew that my domain name was newly registered, as you can see in this snippet:
“Now that your domain name
mydomainname.com has been purchased the
next best thing you can do for your site is to
make sure it is listed in the search engines.”
The approach of the attack is very systematic. There is a reason why the sender is targeting newly signed-up accounts: newbies are easier to deceive.
The best way not to fall into this trap is to treat ALL new emails whose sender is not saved in your contacts with great caution. If you are unsure, you can ask someone who is experienced with online security.
So how did I figure out that this is a hoax email? Because of this claim he made:
“To list your website in Google, Bing, and Yahoo follow the link below:
Please list your new website as soon as possible so your new domain is properly indexed. Don’t forget to take advantage of our special discount we are running right now!”
This is not true. It is NOT TRUE that you need to enlist your website with any entity (not even Google) to have it indexed. Website indexing happens automatically once Google has “crawled” your website. There is also a way to have it indexed quickly with Google, but NO ENLISTMENT is needed.
To show you that indexing of your website happens automatically, here is how Google found my
website without me doing any enlistment with anyone, not even with Google:
Since I had already figured out that this was a hoax email, I simply explored the real motive of the email, although I already had a hint that it was about money, since the previous snippet of the email indicated that they were “currently running some special discounts”. I just wanted to see how much.
So I clicked the link and got a coupon code. The coupon code makes you think that they are doing you a big favor by giving you a discount.
It is now playing psychology with me. If I’m not careful, I could easily let my guard down and trust them instantly. Never fall into that trap!
The price tag was a whopping $97, supposedly giving you a discount of $300 for a service that you can get for FREE. I stopped right there and told myself, I need to blog about this!
Social engineering can come in many ways and forms. This is why, as the owner of your website and business, you need to stay updated and correctly informed. Make sure that the weakest link is not you.
You can sign up for my newsletter to get updates not only about security but about anything to do with breaking the technical barriers in your online business.
Still, How Did He Get My Email Address?
This is the question we left hanging a while back. Now it’s time to dig deeper into this.
Be Careful When Installing Plugins, Themes, Widgets and Extensions
Installing plugins, themes, widgets, and extensions (or other extended features on your website) must be done with great care. Allowing too many plugins and extensions to be installed on your website is like opening new vulnerabilities that hackers can use as a “backdoor”.
Here are some tips on how you can carefully choose the plugins, themes, and other extensions that you may want to install on your website:
1. Make sure that the plugin is continuously improved and updated. A plugin that hasn’t provided any update for a long time (6-12 months) should be a red flag for you. To learn how to keep your CMS, plugins, themes and extensions always updated and how you can proactively maintain them, check out Appendix N.
2. Install themes, plugins, etc. that come only
from trusted and reliable sources.
3. Remove plugins that you no longer use AND that are no longer maintained by their developers (no more updates being provided). When removing a plugin, make sure to remove everything (see Appendix L on how to do this).
4. If you really need to install a plugin for a short-term purpose, install it, then remove it immediately once that purpose is done. For example, you may want to put your website in maintenance mode to prevent people from accessing it while you are working on something; one way to do this is with a plugin. Once you are done with it, remove that plugin and just reinstall it when you need it again.
5. Be careful and skeptical of free plugins or themes from untrusted sources. This is the most common way attackers add malicious code and penetrate your website.
6. Install only the plugins and extensions that you need, and keep them to a minimum.
UPDATE: I now only have 4 plugins left on my website. I am still looking for ways to trim it down to zero if possible.
Plugins can degrade the performance of your website and expose it to vulnerabilities, so make sure that the feature you are adding to your website is not a duplicate of what is already available to you.
7. Research carefully the plugins and extensions that you are going to install on your server. They should come from a trusted source. Make sure that there are many good reviews about them and that a lot of people trust and use them. Satisfied and happy users are a good indication that the plugin you want to install is serving its purpose. Finding the website and contact details of your source will allow you to contact them anytime if you encounter issues with their plugin.
8. Review the file permissions of the folders and files of the plugin that you just installed or updated on your server. Any folder that has a permission greater than 755 should be downgraded accordingly (704 is recommended).
Any file that has a permission greater than 644 should be downgraded as well. I would suggest downgrading the permission to 604 (by default I usually remove the group’s permissions). As much as possible, we don’t want the public to have write permission on the plugin’s files or folders. To review the File Permission System, revisit Appendix A.
Audit Your Site for Any Data Leaks
Chapter 3: Design Your Website with Security in Mind
Don’t Just Design for Functionality; Design for Security
Most people, when designing their website, are hooked on making an impression. They want animations and modern, colorful and sleek designs that catch the eye.
Some people are focused on the features. They want their website to have all the cool features available, to the point that their website has so many plugins installed in it.
Chapter 4: What’s Your PLAN?
“If you fail to plan, you are planning to fail”
- Benjamin Franklin
Question:
If a disaster or an attack will hit you NOW, what is your plan of action?
Final Words From Marc
Securing your business is a continuous process of improvement, so expect that we will keep you posted on my new learnings and discoveries on how to create and maintain a profitable and SECURED website.
In the meantime, we hope that we were able to help you BREAK another TECHNICAL BARRIER in your online business: WEBSITE SECURITY.
Thank You!
If there’s anything you want to discuss further, clarifications, questions, or whatever you have in mind that you think we can help you with, please email us here: mjpc56@yahoo.com
Also, my team and I did our best to review and ensure that the content of this eBook is accurate and correct. But we are not perfect. It’s possible that we missed something.
If you see anything that is inaccurate or wrong in this eBook, we would also like to have that sent to us using the same email address above. We will make the necessary correction and, who knows, we may offer you something as a token of our appreciation.
I would like to make a BIG THANK YOU!!! shoutout to Pat Flynn for giving me the seed of idea for this eBook and for inspiring me to take action for my dreams.
Lastly, we’d like to take this opportunity to THANK YOU for buying this eBook. My team and I spent 6 months putting everything together. We made sure that we did our best. We hope that we were able to serve and help you.
This is not the end. This is simply the beginning of more great things to come!
Sincerely,
Marc Jayson Papp
Appendices (from A to U)
The detailed step-by-step instructions on how to secure your website are presented and organized in this section.
Appendix A: The File Permission System
When changing a file’s permission, you must understand the File Permission System very well in order to avoid unexpected results.
The Three Modes of a File Permission:
Read: A readable file is a view-only file. It is represented by the number 4. If set in a directory, it grants the ability to view the names of files in that directory, but no further information is provided.
Write: Writable files can be modified. It is represented by the number 2. If set in a directory, it grants the ability to modify entries in the directory including the ability to create, delete, and rename files.
Execute: Executable files can be triggered for program execution. These are usually program files or scripts that need execution privilege to run. If this is used on a directory, it grants the ability to access a file’s contents by its filename, but not to list the filenames within the directory (unless read permission is also set). It is represented by the number 1.
The Three Types of User Groups:
User: The user is the owner of the web directory where the files and folders of the website are kept.
Group: A group can be created to assign one or more users to that group. For example, user1 and user2 (both on the same web host server) can be assigned to an existing group named admin. If you give permission on a particular file or folder to the admin group, it means you are giving permission to both user1 and user2.
World: This is the public that accesses your website.
When you assign a Read permission (see no. 1) you get a number code of 4. If you assign the Write permission (see no. 2) you get a number code of 2. If you assign the Execute permission (see no. 3) you get a number code of 1. This means that if you assign Read and Write permission, you get a number code of 6 (they are added together). A number code of seven (7) means you gave all three file permissions to a particular user or group.
Understanding these file permission concepts, you now have an idea of what level of permission you can give to a particular type of user.
On my website, here are the critical files and folders I set permissions on:
/public_html/wp-login.php = 644
/public_html/wp-config.php = 644
All .htaccess files = 644
All my files in /public_html/wp-content/uploads have a file permission of 644. There is also no php file in this directory.
The file readme.html can leak the version of your WordPress; set its permission to 000 or simply delete it.
If there are any installation zip files that are not needed anymore, you can delete them.
The folders /public_html/wp-content/themes and /public_html/wp-content/plugins by default have a permission of 755. I decided to keep them that way and will adjust them in my next security audit if necessary.
To learn how to easily set the file permissions on the folders and files in your server that I named here, please refer to Appendix B.
As you adjust the file permission, ALWAYS test in a FRESH cache OR Private browser to see the real-time effect of the permission change.
Refer to Appendix I to learn more on how to verify the real-time effect of a file permission change.
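The permission rules from Chapter 2 (tip 8) and the critical-file list in this appendix can be checked mechanically instead of by eye. The following is an added shell example, not code from this eBook or its author: it assumes a Linux web host reachable over SSH with a `stat` that supports `-c %a`, reads “greater than 755/644” as “grants a permission bit that 755/644 does not”, and runs against a constructed demo tree rather than a real site.

```shell
#!/bin/sh
# Added example (not from the eBook): audit a WordPress web root against the
# rules in Chapter 2 tip 8 and Appendix A. Assumes a Linux host whose
# `stat -c %a` prints the octal mode, and takes the web root as $1
# (e.g. /home/youruser/public_html). "Greater than 755/644" is treated as
# "sets a bit outside 755/644": group/other write, setuid/setgid/sticky,
# and for files any execute bit.

audit_webroot() {
    root="$1"
    # Folders: mask 07022 covers every bit outside rwxr-xr-x (755).
    find "$root" -type d | while IFS= read -r d; do
        m=$(stat -c %a "$d")
        if [ $(( 0$m & 07022 )) -ne 0 ]; then
            printf 'FOLDER %s %s (more than 755; author recommends 704)\n' "$m" "$d"
        fi
    done
    # Files: mask 07133 covers every bit outside rw-r--r-- (644).
    find "$root" -type f | while IFS= read -r f; do
        m=$(stat -c %a "$f")
        if [ $(( 0$m & 07133 )) -ne 0 ]; then
            printf 'FILE %s %s (more than 644; author recommends 604)\n' "$m" "$f"
        fi
    done
    # Appendix A: no PHP file should live under wp-content/uploads.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -name '*.php' | while IFS= read -r f; do
            printf 'UPLOAD-PHP %s (PHP does not belong in uploads)\n' "$f"
        done
    fi
    # Appendix A: readme.html leaks the WordPress version; expect 000 or absent.
    if [ -f "$root/readme.html" ] && [ "$(stat -c %a "$root/readme.html")" != "0" ]; then
        printf 'README %s %s (set to 000 or delete it)\n' "$(stat -c %a "$root/readme.html")" "$root/readme.html"
    fi
}

# Constructed demo tree (not a real site): correct entries plus one
# violation of each rule, so the audit output is easy to read.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/wp-content/plugins/demo-plugin" "$root/wp-content/uploads/2017" \
             "$root/wp-content/themes/demo-theme"
    touch "$root/wp-login.php" "$root/wp-config.php" "$root/.htaccess" "$root/readme.html" \
          "$root/wp-content/plugins/demo-plugin/demo.php" \
          "$root/wp-content/uploads/2017/not-an-image.php" \
          "$root/wp-content/themes/demo-theme/style.css"
    chmod 755 "$root/wp-content" "$root/wp-content/plugins" "$root/wp-content/uploads" \
              "$root/wp-content/themes"
    chmod 777 "$root/wp-content/plugins/demo-plugin"                  # violation: world-writable
    chmod 704 "$root/wp-content/uploads/2017" "$root/wp-content/themes/demo-theme"
    chmod 644 "$root/wp-login.php" "$root/wp-config.php" "$root/.htaccess" \
              "$root/readme.html" "$root/wp-content/uploads/2017/not-an-image.php"
    chmod 664 "$root/wp-content/plugins/demo-plugin/demo.php"         # violation: group-writable
    chmod 604 "$root/wp-content/themes/demo-theme/style.css"
}

# Stand-alone run: build the demo tree in a temp dir, audit it, clean up.
demo=$(mktemp -d)
make_demo_tree "$demo"
audit_webroot "$demo"
rm -rf "$demo"
```

Run it as `audit_webroot /path/to/public_html` on a real host after sourcing the script; every line it prints is one item to fix in cPanel’s File Manager (Appendix B).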
Appendix B: Set Permission Control on Critical Files and Folders
Here’s your step-by-step guide on how to set permission control on some critical files and folders in your website:
Log in to your Web Host’s cPanel (in my case, it’s bluehost).
Go to the Files section and click on the File Manager icon:
A dialog box similar to this image will appear in your cPanel. Select Web Root and check the Show hidden files check box below. Then click the Submit button.
Note: The web root is the folder in your server that is accessible to the world wide web. This folder is usually named public_html. The public accesses it using your domain name.
Hidden files are files that have a period prefixed to the filename. An example of this is .htaccess.
If you checked the Show hidden files check box, you will be able to see these hidden files.
Upon clicking the submit button, the file manager page will appear.
Right-click on the file or folder that you want to set the file permission for. In the quick menu, click on Change Permissions.
The next dialog box should appear. Set the permission by checking the boxes or by typing the number code in the text box provided below.
When done, click the Change Permissions button.
Your Next Step
If you want to save 5 years of your life (like what I did) figuring out the BEST ways to build your website and earn online, let me help you with that. Here is a great resource I personally created and compiled just for you:
Your Ultimate Guide on Building Your Website and Online Business
Download this BONUS guide too:
How to get your web hosting service and free domain name
About The Author
Marc Jayson Papp has been in the IT Industry for more than 16 years now. He has worked for big companies like Deutsche Bank, Hewlett Packard, Emerson Electric, Prudential Financials Inc. and Government institutions in the Philippines.
He has worked for these companies as a System Developer, Database Programmer and Administrator.
He also trains professionals and students in using Oracle Technology as a side gig with a training institution.
He created the website marcjaysonpapp.com to help non-technical individuals to break the technical barriers in building their website and business. He was able to use his passions for Learning, Teaching, and Writing in this blog.
If you need help in building a profitable and secured website, you can reach him at this email: mjpc56@yahoo.com
Disclaimer
The information provided in this eBook is for informational purposes only.
Although what we have provided here are the best solutions that we have used and researched, WE CAN NEVER GUARANTEE that you will have a “hack-proof” and “disaster-proof” website once you implement all of what was taught here. Not even the security experts can guarantee something like that.
Please understand that there are some affiliate links contained in this guide that we may benefit from financially. The material in this guide may include information, products, or services by third parties. Third Party Materials comprise the products and opinions expressed by their owners. As such, we do not assume responsibility or liability for any Third Party material or opinions. The publication of such Third Party Materials does not constitute our guarantee of any information, instruction, opinion, products, or services contained within the Third Party Material. The use of recommended Third Party Material does not guarantee a 100% security for you, your website, or your business. Publication of such Third Party Material is simply a recommendation and an expression of our own opinion of that material.
No part of this publication shall be reproduced, transmitted, or sold in whole or in part in any form, without the prior written consent of the author. All trademarks and registered trademarks appearing in this guide are the property of their respective owners.
I am not a website security expert. Users of this eBook are advised to do their own due diligence when it comes to making decisions on securing their website. All information, products, and services that have been provided here should be independently verified by your own qualified professionals. By reading this eBook, you agree that my company and I are not responsible for the success or failure of your business or website, or for security decisions relating to any information presented in this eBook.
©2017 Marc Jayson P. Papp. All Rights Reserved.
Copyrighted Material
Chapters 2-4 and Appendices C to U are part of the COMPLETE Edition of this eBook. To get the COMPLETE Edition, click the image below or click HERE: