Preventive Security (marcjaysonpapp.com/free_pdfs/FREE-EDITION-2017-Website-Security-for...)


Preventive Security for Your Website

How To Effectively Secure Your Website Free and Easy Without Installing Another Plugin

FREE EDITION 2017

By Marc Jayson P. Papp, Creator and Webmaster of www.MarcJaysonPapp.com

© 2017 Marc Jayson P. Papp. ALL RIGHTS RESERVED


Dedication

To Julia and Jay-jay. My daughter and son. The two people who keep me inspired every day to never back down from life’s challenges and to continue moving forward to reach my dreams…

To my grandmother, Roberta, who taught me the real meaning of sacrifice and love...

To YOU. Who is never giving up on your dreams. You will be successful, that’s for sure!


Quick Links

08 Introduction

13 My Mission in this eBook

14 How I Can Help You

18 Your Takeaways

22 Composition of a Website

25 Chapter 1: Fix Your Security Holes NOW!

35 Chapter 2: Make Sure That The Weakest Link Is Not You

53 Chapter 3: Design Your Website With Security In Mind

54 Chapter 4: What’s Your PLAN?

55 Final Words From Marc


58 Appendix A: The File Permission System

62 Appendix B: Permission Control on Critical Files and Folders

84 Appendix C: How Hackers Bypass Your Security Login and Execute a Malware

86 Appendix D: How Hackers Bypass Your Security Login and Access Your Files

88 Appendix E: How to Protect Your Website from Appendix C and D

95 Appendix F: How to Protect Your Website from Brute Force Attack

99 Appendix G: How to Protect Your cPanel from Phishing Attack

104 Appendix H: How to Protect Your cPanel’s Credit Card Information

106 Appendix I: How to Verify Any Changes You Made On Your Website

109 Appendix J: How Hackers Can Get Your Private Information


114 Appendix K: How To Protect Your Private Information From Hackers

122 Appendix L: How to COMPLETELY Remove an Uninstalled Plug-in

124 Appendix M: Disable Member Registration in WordPress

125 Appendix N: How To Keep Your Website Updated and Pro-actively Maintain It

129 Appendix O: How To Protect Your Source Code in WordPress

131 Appendix P: Use The Logout Everywhere Else in WordPress

132 Appendix Q: How To Easily Backup Your Website’s Database Without Using Any Plug-in

140 Appendix R: How To Easily Backup Your Website’s Files Without Using Any Plug-in

144 Appendix S: How To Restore Your Website's Backed Up Database and Files

145 Appendix T: How To Audit Your Website Thoroughly


147 Appendix U: How To Perform a Health Check of Your Website

150 Your Next Step

151 About The Author

152 Disclaimer


Introduction

Security Starts From You

Securing Your Website is Like Protecting Your HOME: It MUST Start from You!


Let me ask you a simple question. Who is the person in your home who locks your bedroom door, front door and back door to prevent intruders from coming in? I know the answer is obvious: it’s either you or your family members. You don’t ask your neighbors to do this for you nor hire an “expert” just to do this simple task of protecting your home. You can do that yourself without a problem and without paying anyone a huge amount of money.


Securing your website is just the same. You can secure your website easily and effectively without having the need to pay someone 300 to 500 dollars annually! At least, not immediately when you still cannot afford it.

Yes, that’s the regular price today that website owners pay for a website security service. I’m not surprised because I know how important it is to secure your website. It will make or break your website and online business.


Don’t get me wrong. I’m not saying you shouldn’t get a security expert’s help to secure your website. If you can afford them, that is your choice. But regardless of whether you can afford them or not, I still believe that protecting your website and your online business MUST always start from you!

After all, you are the number one casualty if ever a disaster happens on your website. So you must be the number one person who always looks after your back (and every point of attack).

It is your responsibility as the owner of your website and your business to at least understand how intruders and hackers attack your website and how you can protect it from your level.

After you have implemented the free and easy steps I detailed in this eBook, which I call Preventive Security for Your Website, and you think you want more security for your website and the cost is not an issue to you, that’s the time you should get the services and/or products of security experts. That way, you will be setting up multiple lines of defense for your website:

First, you have done your responsibility to secure your website from your level.

Second, you have asked the help of security experts for additional layers of security.

Website Security is more than just having the hardest password. Yes, I make sure my passwords are all very hard to crack. But I will show you in this eBook how hackers can bypass your security login easily. I will even show you how it’s very much possible that you can freely give your username and password without you realizing it.

Security vulnerabilities are not only found in our system and website. Most of the time, the vulnerability in security is us - THE WEBSITE OWNERS.

Most website owners, especially the non-techies and first-timers, are not trained enough to tell a hoax from the legitimate. A lot of people forget to spend some of their time learning about website security. NOT UNTIL they become a victim.

The worst things that could happen are just overwhelming:

1. Hackers can ask you for a ransom.

2. You can lose the contents you painstakingly put into your website and spent precious time and effort to make.

3. You can lose your site’s traffic which you worked hard to achieve.

4. You can lose the money, time, and effort you have invested in building your business.

5. You can lose potential income and opportunities while your website is down due to an attack.


In one of Pat Flynn’s (my online influencer) blog posts, entitled So THIS Is What Happens When Your Server Goes Down for a Week, he detailed the unfortunate experience he had when his server was attacked using a method known as Distributed Denial of Service (DDoS). It was a big lesson learned for him… and hopefully for everyone else.

When I learned about this, I came to a realization: Pat Flynn was still lucky because at the time the attack happened to him, he already had the money and means to get the people and resources that could help him. But how about those who are still starting up? How about those who still cannot afford to pay a subscription fee of 300 to 500 dollars a year to protect their website?

That’s where I saw how I could be of help to so many people. That’s where I got the inspiration to write this eBook. That became my mission in this eBook...

My Mission in this eBook

My mission in this eBook is to help Online Entrepreneurs, Bloggers, Professionals, Website Owners, and ANYONE who wants to build a profitable and SECURED website.

My goal is to teach first the FREE and EASY ways to secure a website. Those that are already available at their disposal but they have no idea how to use them OR they have no idea that they are there.

Build a Profitable and Secured Website


How I Can Help You

My Experiences and Passions

I’ve been in the IT industry for more than 16 years now (and yes, I’m still practicing my profession.)

Technically, I’m a System Developer and a Database Programmer. Part of my job is to ensure security of the systems (be it a website or an application) we are working on.


I don’t consider myself a security expert yet. I just consider myself an experienced practitioner in this field. I understand and practice security procedures in my work. I know how to do them the simple way or the long way, which may require programming skills.

What I’m going to teach you in this eBook are the simple ways to secure your website. Those things that don’t need any programming skills to implement. BUT, don’t ever think that because these are simple, they are weak. As a matter of fact, IT IS THE ONLY WAY! It is YOUR FINAL LINE OF DEFENSE.

My trainees from one of my IT trainings.


To make you understand what I mean, let’s go back to the analogy I made earlier: Securing your website is like protecting your home. If your home is surrounded by a concrete wall fence, that is your FIRST LINE OF DEFENSE. This is the kind of service that security experts offer for 300 to 500 dollars a year.

But the LAST LINE OF YOUR DEFENSE is closing your “Front Door”, “Back Door”, and “Bedroom Door”. That is what we are securing in this eBook.

Prevention is the best approach not only in security but even in business. Because when you are preventing, you are anticipating. Anticipation is the ultimate competitive advantage. This is the reason why I decided to focus on implementing preventive security measures rather than focusing on reactive security measures.

Even at work, before we even worry about the security firewalls, we will first secure our own “territory”.

IT MUST ALWAYS START FROM THERE!

You cannot afford to build a concrete wall fence around your home but forget to close your home doors. Someone who is skilled enough to climb that wall or bypass it can still intrude or attack your household.

This is the reason why even after a site has been restored from a disaster, the website gets hacked again. It’s because a lot of website owners don’t know how to close their website’s final line of defense. And a lot of people are not aware that they can actually do this for FREE and EASILY (Yes! You don’t need 16 years of experience in IT to implement these security measures.)

I also made conscious efforts to provide you solutions that will keep your website’s security intact and avoid another security risk. Even if it means not following what is popularly practiced. An example of this is installing plugins or extensions.

You will learn later in this eBook that installing plugins is the most common cause of security breaches. As much as possible, I aim to minimize the use of plugins.

Your Takeaways

Both the tangible and intangible benefits

This eBook will serve as your Website’s Preventive Security Manual. You can always pick it up, go back to the topic you need and follow the screenshot-based step-by-step instructions that are very detailed and easy to use.


My recommendation is to implement the security measures that you will learn here as soon as possible. Don’t wait for that disaster or attack to come to you BIG TIME. Secure your website as soon as you learn how to do it.

This is the reason why this eBook is full of detailed screenshot-based step-by-step instructions. So that you can easily follow and implement them quickly.

Here are some of the benefits that you can get from this eBook:

1. You can strengthen one of the favorite vulnerabilities of hackers and intruders: Your Security Awareness. With this eBook, you will see how hackers can deceive you and penetrate your website even if you have the hardest password in the world.

2. You can save yourself 300 to 500 dollars a year in subscription fees for the meantime, while you still cannot afford the regular cost of security services provided online by security companies. You can do this by simply educating yourself about website and online security.

This is important especially to those who are still starting up their business.

To reiterate, you will need the help of security experts as you grow. But while you are still growing your online business and still cannot afford to pay them this amount of money, you can implement the security measures I detailed in this eBook and that should serve as your first line of defense for the meantime (it will become your final line of defense once you avail yourself of the security products and services offered by security companies). You can add another layer of defense later on once you are earning enough.

3. You can now focus on growing your business. After you have implemented the security measures I detailed here, you have done your part. You educated yourself to be more aware of how to secure your website and business. You become proactive in preventing hackers and intruders from causing harm to your business.

Of course I cannot guarantee a 100% hack-proof and disaster-proof system. NOBODY can guarantee that, even the security experts themselves.

But what I can assure you is that by educating yourself using this eBook and following the security measures I’ve presented here, your website will be more secure than it has been originally.

4. Your Google ranking should improve as well if you keep your website secured. Google is giving priority to secured websites. Google is banning and tagging unsecured websites and therefore demoting their ranking in the process.

Composition of a Website

All websites are composed of the following:

1. A domain name, which basically points to a web root directory on a server that is accessible to the public.

2. Website Files like the program scripts, themes, plugins and other files and folders.

3. Database. A website may or may not use a database to store its other data.

4. Web Host Server. Where these folders, files, and database are stored.


1. A visitor sends a request (using a URL address and a browser) to your web host server to access your website’s folders, files, and data.

2. Your web host server receives the request.

3. Your web host server processes the request and responds accordingly.

4. The visitor’s browser displays whatever is the result of the request.

Note: This illustration is a very simplified presentation of how a website works. Technically, there are more things that happen along the way. But this illustration is a good overview of how the four components of a website work together to achieve its purpose.


As you can see from the illustration above, a website is simply another computer (more powerful than an ordinary laptop) that shares files, folders, and data with the visitors. The world wide web is simply a network of computers accessible to the world. The problem starts when some visitors want to access files and data that you do not want to share with them. And they will use all possible techniques, be it manual or automated, just to access these data and achieve their purpose.

Your responsibility as a website owner is to make sure that these components are properly secured. That all possible vulnerabilities that these hackers and intruders can abuse are locked and guarded.

In this eBook, I showed in detail how you can implement these security measures by yourself because it’s easy and free. If you have someone doing your website security for you, make sure to review these security measures with him or her to ensure that he or she has implemented the necessary security measures for your website. You can test whatever security measure has been implemented. I also showed how to properly do that testing in this eBook.

Chapter 1: Fix Your Security Holes NOW!

This is URGENT and IMPORTANT!

I made this the first chapter because it is URGENT and IMPORTANT. You might not be aware that you already have security holes in your website and intruders like bad bots and hackers are already taking advantage of them. In short, you are “leaving your doors wide open for them”.


It’s now time for you to take control of your business’ security before somebody else takes over it.

Security holes in your website can come from a wrong setup in your Web Host Server and CMS (Content Management System) like WordPress. We will review the configuration or setup of these two and fix the security holes that we can find.

Let’s start with your Web Host Server

1. Understand the File Permission System of your server (See Appendix A) then, as soon as you can, set permission controls on the CRITICAL files and folders in your server (See Appendix B.)

2. I have explained in detail in Appendix C how hackers can bypass your security login and execute a malicious code in your server. This is really alarming so make sure to check this out.

Also in Appendix D, I have explained in detail how hackers can bypass your security login to access your website’s files and folders at will.


NEVER allow this to happen. Follow the security measures for this vulnerability which I detailed in Appendix E.

3. In WordPress, you login to your Admin Area by using this address:

www.yourdomainname.com/wp-admin

wp-admin is actually a folder on your server. Intruders know this and they can try to access it so they can brute-force their way in by guessing your password or attacking your website.

Thus, it’s important for you to protect this folder. In Appendix F, I showed an effective way on how you can protect this folder.

4. Add an additional layer of security for your web host’s cPanel by enabling Google’s 2-Step verification.

In Appendix G, I have detailed the steps on how to enable Google Authentication 2-step verification in your web host’s cPanel area.

Aside from having a hard-to-guess password, the 2-step verification will provide another layer of security wherein the user will need to enter a numeric code after successfully logging in. This numeric code is randomly generated every 30 seconds or so, and you can get these codes if you install the Google Authenticator app on your smartphone or receive them via email.

So even if your cPanel’s username and password have been compromised (maybe you were victimized by a social engineering technique similar to what I have discussed in Chapter 2), intruders will still need to get through this additional security layer which only you can access.
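How the 30-second code is produced, as an added example that is not from the eBook or from Google: the code is not drawn at random but computed from a secret shared between the authenticator app and the service plus the current 30-second time window (TOTP, RFC 6238), which is why it changes every 30 seconds and why a stolen password alone is not enough. The secret below is the public RFC 6238 test-vector secret, used here as constructed demo data.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII string "12345678901234567890" from the RFC 6238
# test vectors, base32-encoded the way an authenticator app would receive it.
# It is public test data, not a real account secret.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, timestamp: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Compute the TOTP code (RFC 6238, HMAC-SHA1) for a given Unix timestamp."""
    # Authenticator apps usually drop base32 padding; restore it before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = timestamp // step                 # which 30-second window we are in
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation offset
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, timestamp: int, drift_windows: int = 1) -> bool:
    """Server-side check: accept the current window plus a small clock-drift allowance,
    comparing in constant time so a wrong guess does not leak how close it was."""
    for k in range(-drift_windows, drift_windows + 1):
        expected = totp(secret_b32, timestamp + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print(f"code for the current window: {code}, "
          f"valid for about {STEP_SECONDS - now % STEP_SECONDS} more seconds")
    print("verifies:", verify_code(DEMO_SECRET, code, now))
```

The same window always yields the same code, so the service must also refuse a code that has already been used within its window; that replay check is not shown here.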

5. Secure your credit card information in your web host’s cPanel.

In Appendix H, I’ve explained in detail how you can protect your credit card information in your cPanel.

Why is this important? Because as your business grows, you may want to delegate the tasks you are doing in your cPanel. So you may assign or hire someone to do these tasks for you. But of course, you don’t want them to access your credit card information, so you need to secure it.

6. Make sure to test your implemented security measures. After implementing the security measures I have detailed in this chapter, the next important step is to test if they are working.


Testing your security changes requires some tools and techniques. Otherwise, you might not be able to see the actual result of your changes.

Check out Appendix I to learn how to do this.

Securing Your CMS Admin Area

After securing your server and cPanel area the next security holes that you need to fix are the security holes of your CMS or Content Management System.

In this section we will apply these security measures in WordPress. If you are using a different CMS, you may research how to apply the same security measures that I presented here for your CMS.

Your CMS should have the same security features. They just probably differ on where and how to set them up.

First, Disable the “Anyone can register” membership registration feature in your WordPress admin area IF your website is not meant for that.

I remember when I first used WordPress many years ago, I got a notification a few minutes after I installed WordPress on my web server.


The notification informed me that there’s a new member that registered in my blog.

I was surprised to see that since I haven’t even started working on my blog and I’m not even planning to use my blog for membership registration.

After some research, I saw that by default, this “Anyone can register” feature is enabled. Although I think this has changed now.

To disable this feature, check out Appendix M for the detailed steps.


Second, proactively manage the updating of your WordPress installation, Plugins, Themes and extensions.

There are pre and post steps that you need to do every time you perform an update.

Check Appendix N to learn more about this.

Third, by default source code editing is enabled in WordPress. This means the source code for your plugins, themes, or extensions can be modified by a user that has administrator rights.

If you are a programmer, this is something you can keep enabled so you can modify the code. Just make sure you make some backups before implementing any change and make sure that you know what you are doing.

If you’re not a programmer, it is safer to disable this feature. This way, even when someone has been able to access your WordPress account, they will not be able to modify your source code and inject malicious programs.

I have dedicated Appendix O to show you how you can easily protect your source code in WordPress.

Fourth, Use the “Logout Everywhere Else” feature of WordPress.


Today, there are many ways you can access WordPress. You can access it on different computers and mobile devices. Because of this, there is a big chance that you have left some of your login sessions open on these computers or devices by forgetting to log out or by losing these devices.

To make sure that nobody can access those open login sessions that you forgot or failed to log out of, you can use the Logout Everywhere Else feature of WordPress.

To use this, check out Appendix P and implement the steps I have provided there.


Fifth, Enable the JetPack Security Features.

WordPress continues to improve its product by merging features from their different products. One of these is Jetpack.

I’ve seen some people online teaching people to uninstall this plugin in WordPress. For me, JetPack is one of the free but reliable tools I’m using with my online business to track visitors, site statistics, security, performance and many more.

JetPack offers free security features that you can enable, so why not use them?


Let’s enable these useful features one-by-one now:

1. Login to your WordPress Admin Area.

2. In the sidebar menu, locate Jetpack then click on Settings. You may be asked to log in to WordPress.com or create an account there. Just do that to access Jetpack.


3. When you see the Jetpack page, click on the Security tab:

4. In the security tab enable the following security features:

Protect: This security feature prevents and blocks malicious login attempts.

Go to Jetpack > Dashboard then click on the At a Glance tab. You will see here your site statistics and how many malicious attacks have been blocked by Jetpack.


Monitor: if you enable this security feature, you will receive an immediate notification if your site goes down at any time of the day.

This is like having an automated system that alerts you whenever a suspected attack or downtime has been monitored by Jetpack. This way, you can quickly apply a solution if you are the webmaster of your website or call your webmaster to quickly resolve any problem.

Site Statistics: You can use this free tool not only to monitor traffic to your website but also to spot a Distributed Denial of Service (DDoS) attack. A sudden burst of traffic with no logical reason at all (you were not interviewed on TV or featured in a popular news program or publication), where the requests use random keywords and access random pages on your site, should be a red flag. Take the necessary steps to investigate further or take immediate action.
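As an added example (not code from the eBook), here is that heuristic applied to web server access log lines instead of the Jetpack statistics screen: a minute whose request count far exceeds your normal baseline is flagged, and the share of requests hitting distinct pages and distinct search terms tells you whether the burst looks random. The log format and the sample lines are constructed assumptions.

```python
"""Spot the traffic pattern described above: a sudden burst of requests, with no
obvious reason, that hits many different pages with many different search
terms. Added example, not part of the eBook. It reads a combined-format web
server access log (an assumption about what you have access to); the log
lines below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str):
    """Return ip, minute bucket, path and query for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path, _, query = m["target"].partition("?")
    return {"ip": m["ip"], "minute": ts.replace(second=0),
            "path": path, "query": query}


def find_bursts(lines, baseline_per_minute, factor=5, random_ratio=0.8):
    """Flag each minute whose request count exceeds factor x the baseline.

    For a flagged minute, the share of requests that hit a distinct page or
    search term says how 'random' the burst looks: a genuine spike (a TV
    mention) concentrates on a few URLs, while the pattern the chapter warns
    about spreads over random pages and keywords (ratio close to 1.0).
    """
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["minute"]].append(rec)

    alerts = []
    for minute, recs in sorted(per_minute.items()):
        n = len(recs)
        if n <= factor * baseline_per_minute:
            continue
        targets = {(r["path"], r["query"]) for r in recs}
        # WordPress search requests carry the term in the ?s= parameter
        searches = {parse_qs(r["query"]).get("s", [""])[0] for r in recs} - {""}
        ratio = len(targets) / n
        alerts.append({
            "minute": minute.isoformat(),
            "requests": n,
            "distinct_sources": len({r["ip"] for r in recs}),
            "distinct_search_terms": len(searches),
            "distinct_ratio": round(ratio, 2),
            "random_looking": ratio >= random_ratio,
        })
    return alerts


def make_sample_log():
    """Constructed sample: two quiet minutes of ordinary browsing, then one
    minute in which 40 requests from 20 addresses each hit a different ?p=
    page with a different ?s= search term."""
    quiet = [
        '203.0.113.5 - - [11/Mar/2017:10:00:12 +0000] "GET /about/ HTTP/1.1" 200 5123',
        '203.0.113.5 - - [11/Mar/2017:10:00:40 +0000] "GET /blog/ HTTP/1.1" 200 8110',
        '198.51.100.7 - - [11/Mar/2017:10:01:05 +0000] "GET / HTTP/1.1" 200 9021',
    ]
    burst = [
        f'192.0.2.{i % 20 + 1} - - [11/Mar/2017:10:02:{i:02d} +0000] '
        f'"GET /?p={1000 + 7 * i}&s=q{i:03d}x HTTP/1.1" 200 7200'
        for i in range(40)
    ]
    return quiet + burst


if __name__ == "__main__":
    for alert in find_bursts(make_sample_log(), baseline_per_minute=2):
        print(alert)
```

Set baseline_per_minute from a quiet day of your own logs; the burst minute in the sample is reported with a distinct_ratio of 1.0, which is what random-keyword traffic looks like.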

If there are any cool new features in the future that I think can help you with your online business, I will keep you updated. Make sure that you have subscribed to my newsletter. If you haven’t done that, you can visit my site here.


Enter your first name and valid email in the opt-in form I provided there.


Chapter 2: Make Sure that the Weakest Link is Not You

YOU are the MOST INTEGRAL part of your Business’ Security

Did you know that many compromised accounts and hacked websites were taken not through a sophisticated, highly technical attack, but through a simple email or phone call?

It’s called Social Engineering. The most commonly used social engineering technique is called Phishing. According to a study from Google, some of the most effective phishing attacks have a 45% success rate!


In a phishing attack, an attacker sends you an email pretending to be from a legitimate organization and requests your confidential information. Another form of phishing is a phone call from someone pretending to represent a legitimate company.

For phone call phishing, make sure that you scrutinize the caller before doing anything he or she asks you to do. Verify the caller with the company he claims to belong to. It is not rude to ask for his complete name and tell him that you will call him back after you’ve done your verification. A good rule of thumb is to never give your personal and sensitive information over the phone or any other communication medium IF you’re in doubt.

For email phishing, you will need to pay attention to some key details to determine whether a particular email is legitimate or not.

Before I started writing this eBook, I received 2 phishing emails that I was able to figure out quickly before they could potentially victimize me. I think they are great examples for this chapter, so I’m going to show them here and detail to you the exact steps I took to quickly figure out that an email is a phishing email.


On March 11, 2017, I received this email that seemed to come from bluehost, my web host provider:


Here are the warning signs that you can check to determine if an email comes from a legitimate source or not:

1. Carefully check the sender’s email address.

In the preceding screenshot, notice the domain name used in the sender’s email address:

@12.bluehost.com

If I’m not careful, I could easily fall into their trap and think that the email really came from bluehost. But the domain name of bluehost is not 12.bluehost.com. The domain name of bluehost is bluehost.com. That alone immediately confirmed that this email is a hoax.


2. Scrutinize the details of the URL link that was provided in the email (if there is any):

http://my.bluehost.com.e0ab531ec312161511493b002f9be2ee.fizo.testv1.testforhost.com/

Again, it tried to trick my eyes. It’s true that bluehost has a subdomain named my.bluehost.com, but it doesn’t have a subdomain as long as this one:

my.bluehost.com.e0ab531ec312161511493b002f9be2ee.fizo.testv1.testforhost.com

That subdomain was made to trick my eyes and make me fall into their trap.


3. When I clicked the link that was provided, it showed a page that looked just like the bluehost login screen:


Social engineers are really sneaky. They will try to deceive you by copying pages of the real website to make you believe that theirs is the real one.

To avoid falling into this trap, I always advise people to look at the URL first, not at the web page.

The images, content, and design of a page can always be copied, but a domain name is always unique.
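A programmatic version of the sender and link checks above, added here as an example (it is not code from the eBook): it pulls the domain out of a sender address and the host out of a link, and flags a host in which a trusted name is embedded but is not the real registered domain, which is exactly the trick in the link shown above. The TRUSTED set and the sender address used in the demo are assumptions.

```python
"""Check an email's sender domain and the links in it against the domains you
actually trust, the way the chapter does by eye. Added example, not code from
the eBook. TRUSTED is an assumption: put your own providers there.
"""
from urllib.parse import urlsplit

TRUSTED = frozenset({"bluehost.com"})  # assumption: the providers you use


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname ('my.bluehost.com' -> 'bluehost.com').
    Good enough for .com hosts like the chapter's; multi-part suffixes such
    as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].strip().lower()


def url_host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def classify_host(host: str, trusted=TRUSTED) -> str:
    """'trusted'   the host's registrable domain is one you trust
       'lookalike' a trusted name or brand is embedded in the host but the
                   registrable domain is something else; this is the
                   my.bluehost.com.<hex>.fizo.testv1.testforhost.com trick
       'unknown'   nothing to do with any trusted domain"""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if registrable_domain(host) in trusted:
        return "trusted"
    for t in trusted:
        t_labels = t.split(".")
        n = len(t_labels)
        # trusted name appears as a run of labels that does not end the host
        if any(labels[i:i + n] == t_labels for i in range(len(labels) - n)):
            return "lookalike"
        if t_labels[0] in host:  # bare brand word, e.g. bluehost-login.example
            return "lookalike"
    return "unknown"


def check_email(sender: str, links, trusted=TRUSTED) -> list:
    """One warning per suspicious sender or link. An empty list is not proof
    the mail is genuine: a From: header is easy to forge, and a real
    subdomain of a trusted domain passes this check, so the link check is
    the one to rely on, exactly as the chapter advises."""
    warnings = []
    sender_host = address_domain(sender)
    verdict = classify_host(sender_host, trusted)
    if verdict != "trusted":
        warnings.append(f"sender domain is {verdict}: {sender_host}")
    for link in links:
        host = url_host(link)
        verdict = classify_host(host, trusted)
        if verdict != "trusted":
            warnings.append(f"link host is {verdict}: {host}")
    return warnings


if __name__ == "__main__":
    # the link quoted in the chapter, paired with a constructed sender
    # address that looks right, to show that the link check catches it anyway
    phish = ("http://my.bluehost.com.e0ab531ec312161511493b002f9be2ee"
             ".fizo.testv1.testforhost.com/")
    for warning in check_email("Bluehost <support@bluehost.com>", [phish]):
        print(warning)
```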


At this point, if you are not very careful, once you enter your domain name and password in the text boxes, that information will be stored or sent to whoever made that fake bluehost screen. You have just compromised your security and given away your valuable information. At any time, they can take over your website, do whatever they want, or maybe contact you and ask you for a ransom.

This is the reason why I detailed in Appendix G how to enable Google’s 2-Step Verification. That way, even if you make the mistake of falling into this trap, you will have another layer of security that will be difficult for the attackers to penetrate.

This is the real login screen of bluehost. Notice the difference in the URL address:


The Second Email

The second email I received is not exactly a phishing email but more of a hoax email. Again, this is another social engineering technique, but the goal here is not to hack into your account but rather to get some money from you.

On March 8, 2017 (6 days after I signed up for a new account with bluehost for my second website) I received this peculiar email from a certain Bryan Younglass. This is the exact email address:

Bryan Younglass <[email protected]>


Here is the screenshot of the email.


In this second email we have to realize two things:

First, the sender is NOT pretending to be someone else or claiming to belong to a legitimate company. He is claiming to be a legitimate company instead. Therefore, we cannot prove that the domain name is fake, because he is not using a copycat approach.

Second, for some reason he was able to target a newly registered domain name. It is no coincidence that in the body of his email he knew that mine was a newly registered domain name, as you can see in this snippet:


“Now that your domain name mydomainname.com has been purchased the next best thing you can do for your site is to make sure it is listed in the search engines.”

The approach of the attack is very systematic. There is a reason why the sender is targeting newly signed-up accounts: newbies are easier to deceive.


The best approach to not fall into this trap is to treat ALL new emails whose sender is not saved in your contacts with great caution. If you are unsure, you can ask someone who is experienced with online security.

So how did I figure out that this is a hoax email? Because of this claim he made:

“To list your website in Google, Bing, and Yahoo follow the link below:

Please list your new website as soon as possible so your new domain is properly indexed. Don’t forget to take advantage of our special discount we are running right now!”

This is not true. It is NOT TRUE that you need to enlist your website with any entity (not even with Google) to have your website indexed. Website indexing happens automatically once Google has “crawled” your website. There is also a way to have it indexed more quickly by Google, but there is NO ENLISTMENT needed.


To show you that indexing of your website happens automatically, here is how Google found my website without me enlisting with anyone, not even with Google:


Since I had already figured out that this is a hoax email, I simply explored the real motive of the email, although I already had a hint that it’s about money, since the previous snippet of the email indicated that they are “currently running some special discounts”. I just wanted to see how much.

So I clicked the link and got a coupon code. The coupon code makes you think that they are doing you a big favor by giving you a discount.

It is now playing psychology with me. If I’m not careful, I could easily let my guard down and trust them instantly. Never fall into that trap!


The price tag was a whopping $97, giving you a discount of $300 for a service that you can get for FREE. I stopped right there and told myself, I need to blog about this!

Social engineering can come in many ways and forms. This is why, as the owner of your website and business, you need to be updated and correctly informed. Make sure that the weakest link is not you.

You can sign up for my newsletter to get updates not only about security but about anything related to breaking the technical barriers in your online business.


Still, How Did He Get My Email Address?

This is the question we left hanging a while back. Now it’s time to dig deeper into this.

Be Careful When Installing Plugins, Themes, Widgets and Extensions

Installing plugins, themes, widgets, and extensions (or other extended features) on your website must be done with great care. Allowing many plugins and extensions to be installed on your website is like opening new vulnerabilities that hackers can use as a “backdoor”.


Here are some tips on how you can carefully choose the plugins, themes, and other extensions that you may want to install in your website:

1. Make sure that the plugin is continuously improved and updated. A plugin that hasn’t provided any update for a long time (6-12 months) should be a red flag for you. To learn how to keep your CMS, plugins, themes and extensions always updated and how you can proactively maintain them, check out Appendix N.

2. Install themes, plugins, etc. that come only from trusted and reliable sources.

3. Remove plugins that you no longer use AND that are no longer maintained by their developers (no more updates being provided).

When removing a plugin, make sure to remove everything (see Appendix L on how to do this).

4. If you really need to install a plugin for a short-term purpose, install it and then remove it immediately once your purpose is done. For example, you may want to put your website in maintenance mode to prevent people from accessing it while you are working on something. One way to do this is with a plugin. But once you are done with your purpose for that plugin, remove it and just reinstall it when you need it again.

5. Be careful and skeptical of free plugins or themes from untrusted sources. This is the most common way attackers add malicious code and penetrate your website.

6. Install only the plugins and extensions that you need, and keep them to a minimum.

UPDATE: I now only have 4 plugins left on my website. I am still looking for ways to trim it down to zero if possible.


Plugins can degrade the performance of your website and expose it to vulnerabilities. So make sure that the feature you are adding to your website is not a duplicate of what is already available to you.

7. Research carefully the plugins and extensions that you are going to install on your server. They should come from a trusted source. Make sure that there are many good reviews about them and that a lot of people trust and use them. Satisfied and happy users are a good indication that the plugin you want to install is serving its purpose. Finding the website and contact details of your source will allow you to contact them at any time if you encounter issues with their plugin.

8. Review the file permissions of the folders and files of the plugin that you just installed or updated on your server. Any folder that has a permission greater than 755 should be downgraded accordingly (704 is recommended). Any file that has a permission greater than 644 should be downgraded as well. I would suggest downgrading the permission to 604 (by default I usually remove the group’s permissions).

As much as possible, we don’t want the public to have write permissions on the plugin’s files or folders. To review the File Permission System, revisit Appendix A.


Audit Your Site for Any Data Leaks


Chapter 3: Design Your Website with Security in Mind

Don’t Just Design for Functionality; Design for Security

Most people, when designing their website, are hooked on making an impression. They want animations and modern, colorful, sleek designs that catch the eye.

Some people are focused on the features. They want their website to have all the cool features available, to the point that their website has far too many plugins installed.


Chapter 4: What’s Your PLAN?

“If you fail to plan, you are planning to fail”

- Benjamin Franklin

Question:

If a disaster or an attack hits you NOW, what is your plan of action?


Final Words From Marc

Securing your business is a continuous process of improvement. So expect that we will keep you posted on my new learnings and discoveries about how to create and maintain a profitable and SECURE website.

In the meantime, we hope that we were able to help you BREAK another TECHNICAL BARRIER in your online business: WEBSITE SECURITY.


Thank You!


If there’s anything you want to discuss further, clarifications, questions, or whatever you have in mind that you think we can help you with, please email us here: [email protected]

Also, my team and I did our best to review and ensure that the content of this eBook is accurate and correct. But we are not perfect. It’s possible that we missed something.

If you see anything that is inaccurate or wrong in this eBook, we would also like to have that sent to us using the same email address above. We will make the necessary correction and, who knows, we may offer you something as a token of our appreciation.


I would like to make a BIG THANK YOU!!! shoutout to Pat Flynn for giving me the seed of an idea for this eBook and for inspiring me to take action for my dreams.

Lastly, we’d like to take this opportunity to THANK YOU for buying this eBook. My team and I have spent 6 months putting everything together. We made sure that we did our best. We hope that we were able to serve and help you.

This is not the end. This is simply the beginning of more great things to come!

Sincerely,

Marc Jayson Papp


Appendices from A to U

The detailed step-by-step instructions on how to secure your website are presented and organized in this section.


Appendix A: The File Permission System

When changing a file’s permission, you must understand the File Permission System very well in order to avoid unexpected results.

The Three Modes of a File Permission:

Read: A readable file is a view-only file. It is represented by the number 4. If set on a directory, it grants the ability to view the names of the files in that directory, but no further information is provided.

Write: Writable files can be modified. It is represented by the number 2. If set on a directory, it grants the ability to modify entries in the directory, including the ability to create, delete, and rename files.

Execute: Executable files can be triggered for program execution. This is usually used for program files or scripts that need execution privilege to run. If set on a directory, it grants the ability to access a file’s contents by its filename, but not to list the filenames within the directory (unless a read permission is also set). It is represented by the number 1.


The Three Types of User Groups:

User: The user is the owner of the web directory where files and folders of the website are kept.

Group: A group can be created to assign one or more users to it. For example, user1 and user2 (both on the same web host server) can be assigned to an existing group named admin. If you give permission on a particular file or folder to the admin group, it means you are giving permission to both user1 and user2.

World: This is the public that accesses your website.


When you assign a Read permission (see no. 1) you get a number code of 4. If you assign the Write permission (see no. 2) you get a number code of 2. If you assign the Execute permission (see no. 3) you get a number code of 1. This means that if you assign Read and Write permission, you get a number code of 6 (they are added together). A number code of seven (7) means you gave all three file permissions to a particular user or group.



Understanding these file permission concepts, you now have an idea of what level of permission you can give to a particular type of user.

On my website, here are the critical files and folders I set permissions on:

/public_html/wp-login.php = 644
/public_html/wp-config.php = 644
All .htaccess files = 644
All my files in /public_html/wp-content/uploads have file permission 644. There is also no PHP file in this directory.
The file readme.html can leak the version of your WordPress; set its permission to 000 or simply delete it.

If there are any installation zip files that are no longer needed, you can delete them.

The folders /public_html/wp-content/themes and /public_html/wp-content/plugins by default have a permission of 755. I decided to keep it that way and I will just adjust it in my next security audit if necessary.

To learn how to easily set the file permission on the folders and files in your server which I named here, please refer to Appendix B.

As you adjust the file permission, ALWAYS test in a FRESH cache OR Private browser to see the real-time effect of the permission change.

Refer to Appendix I to learn more on how to verify the real-time effect of a file permission change.
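Appendix A’s number codes, together with the permission caps and critical-file list from tip 8 of Chapter 2 and this appendix, combined into one audit script. This is an added example, not the eBook’s own code; the sample web root it builds is constructed, and the paths assume a standard public_html layout.

```python
"""Audit a WordPress web root against the permission rules in this eBook
(Appendix A's r=4, w=2, x=1 number codes; the caps of 755 for folders and
644 for files; Appendix A's list of critical files). Added example, not the
eBook's own code. It builds a throwaway sample tree so it runs offline; point
audit_webroot() at your real public_html instead.
"""
import os
import shutil
import stat
import tempfile

DIR_CAP = 0o755    # folders: nothing beyond 755 (the author goes down to 704)
FILE_CAP = 0o644   # files: nothing beyond 644 (the author goes down to 604)
CRITICAL = {"wp-login.php": 0o644, "wp-config.php": 0o644, ".htaccess": 0o644}
UPLOADS = os.path.join("wp-content", "uploads")


def mode_code(flags: str) -> str:
    """'rw-r--r--' -> '644' using Appendix A's arithmetic, one digit each
    for user, group and world."""
    if len(flags) != 9:
        raise ValueError("expected nine permission flags")
    digits = []
    for i in (0, 3, 6):
        r, w, x = flags[i:i + 3]
        digits.append(str((4 if r == "r" else 0)
                          + (2 if w == "w" else 0)
                          + (1 if x == "x" else 0)))
    return "".join(digits)


def is_more_permissive(mode: int, cap: int) -> bool:
    """'Greater than 755' in the eBook's sense: a permission bit is set that
    the cap does not grant (705 passes, 775 and 757 do not)."""
    return bool((mode & 0o777) & ~cap)


def audit_webroot(root: str) -> list:
    """Return sorted, human-readable findings for everything under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
        if is_more_permissive(dmode, DIR_CAP):
            findings.append(f"dir {rel_dir} is {dmode:o}, cap is {DIR_CAP:o}")
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            fmode = stat.S_IMODE(os.stat(path).st_mode)
            if rel == "readme.html":
                findings.append("readme.html present: set it to 000 or delete it "
                                "(it leaks your WordPress version)")
            elif name in CRITICAL:
                if fmode != CRITICAL[name]:
                    findings.append(f"file {rel} is {fmode:o}, expected {CRITICAL[name]:o}")
            elif is_more_permissive(fmode, FILE_CAP):
                findings.append(f"file {rel} is {fmode:o}, cap is {FILE_CAP:o}")
            # the appendix keeps the uploads folder free of PHP files
            if rel.startswith(UPLOADS + os.sep) and name.lower().endswith(".php"):
                findings.append(f"php file inside uploads: {rel}")
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample web root with four deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        "wp-login.php": 0o644,
        "wp-config.php": 0o666,                 # mistake: world-writable
        ".htaccess": 0o644,
        "readme.html": 0o644,                   # mistake: should be gone
        "wp-content/uploads/photo.jpg": 0o644,
        "wp-content/uploads/stray.php": 0o644,  # mistake: php in uploads
        "wp-content/plugins/good/good.php": 0o604,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    for dirpath, _d, _f in os.walk(root):   # normalise folders regardless of umask
        os.chmod(dirpath, 0o755)
    os.chmod(os.path.join(root, UPLOADS), 0o777)  # mistake: world-writable folder
    return root


def demo_findings() -> list:
    """Build the sample tree, audit it, and clean it up."""
    demo = build_demo_tree()
    try:
        return audit_webroot(demo)
    finally:
        shutil.rmtree(demo)


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```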


Appendix B: Set Permission Control on Critical Files and Folders

Here’s your step-by-step guide on how to set permission control on some critical files and folders in your website:

Log in to your web host’s cPanel (in my case, it’s bluehost).

Go to the Files section and click on the File Manager icon:


A dialog box similar to this image will appear in your cPanel. Select Web Root and check the Show hidden files check box below. Then click the Submit button.

Note: Web root is the folder on your server that is accessible to the world wide web. This folder is usually named public_html. The public accesses it using your domain name.

Hidden files are files whose filename is prefixed with a period. An example of this is .htaccess.

If you checked the Show hidden files check box, you will be able to see these hidden files.

Upon clicking the submit button, the file manager page will appear.


Right-click on the file or folder whose permission you want to set. In the quick menu, click on Change Permissions.

The next dialog box should appear. Set the permission by checking the boxes or by typing the number code in the text box provided below.

When done, click the Change Permissions button.


About The Author

Marc Jayson Papp has been in the IT Industry for more than 16 years now. He has worked for big companies like Deutsche Bank, Hewlett Packard, Emerson Electric, Prudential Financials Inc. and Government institutions in the Philippines.

He has worked for these companies as a System Developer, Database Programmer and Administrator.

He also trains professionals and students in using Oracle technology as his side gig with a training institution.

He created the website marcjaysonpapp.com to help non-technical individuals break the technical barriers in building their website and business. He was able to use his passions for Learning, Teaching, and Writing in this blog.

If you need help in building a profitable and secured website, you can reach him in this email: [email protected]


Disclaimer


The information provided in this eBook is for informational purposes only.

Although what we have provided here are the best solutions that we have used and researched, WE CAN NEVER GUARANTEE that you will have a “hack-proof” and “disaster-proof” website once you implement all of what was taught here. Not even the security experts can guarantee something like that.

Please understand that there are some affiliate links contained in this guide that we may benefit from financially. The material in this guide may include information, products, or services by third parties. Third Party Materials comprise the products and opinions expressed by their owners. As such, we do not assume responsibility or liability for any Third Party material or opinions. The publication of such Third Party Materials does not constitute our guarantee of any information, instruction, opinion, products, or services contained within the Third Party Material. The use of recommended Third Party Material does not guarantee a 100% security for you, your website, or your business. Publication of such Third Party Material is simply a recommendation and an expression of our own opinion of that material.

No part of this publication shall be reproduced, transmitted, or sold in whole or in part in any form, without the prior written consent of the author. All trademarks and registered trademarks appearing in this guide are the property of their respective owners.

I am not a website security expert. Users of this eBook are advised to do their own due diligence when it comes to making decisions on securing their website. All information, products, and services that have been provided here should be independently verified by your own qualified professionals. By reading this eBook, you agree that I and my company are not responsible for the success or failure of your business or website, or for security decisions relating to any information presented in this eBook.

©2017 Marc Jayson P. Papp. All Rights Reserved.


Copyrighted Material

Chapters 2-4 and Appendices C to U are part of the COMPLETE Edition of this eBook. To get the COMPLETE Edition, click the image below or click HERE: