Important – new privacy centre & how do YOU hold user data on your WordPress site?

Do your WordPress sites contain EU user or customer data? If so, today is GDPR day, which means you now legally need to consider the privacy and security of their data, whether or not you’re in the EU.

If you back up a WordPress site that holds EU user data, then you need to consider the security of those backups. UpdraftPlus Premium can protect the customer data in your backups with encryption and by locking access to its settings. It can also delete old backups, which is another important consideration, as you mustn’t keep unused EU user data under GDPR.

If you’d like to see our own privacy policies on how we protect your data (or unsubscribe from this newsletter), then we’ve built a helpful privacy centre here.

The post Important – new privacy centre & how do YOU hold user data on your WordPress site? appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

Have no SSL certificate and think you’re secure? Think again.

The online world is a dangerous place. Being aware of the risks and taking steps to mitigate them has never been more important, and we at UpdraftPlus are committed to helping all our customers to keep their WordPress websites safe and secure. That’s why we recommend that you have SSL.

What is SSL? SSL is at the heart of website security. It ensures that sensitive information such as credit card details, usernames and passwords is safe as it traverses global computer networks. Having an SSL certificate on your web server provides privacy, critical security and data integrity for both your website and for your users.

How does SSL work? SSL certificates basically work by making sure that all traffic between the web server and the web browser is secure and can’t be intercepted. SSL uses something called public key cryptography, which involves two ‘keys’ (long strings of randomly-generated numbers): one private and the other public. A public key (known to your server) is available in the public domain and encrypts all sensitive information. With SSL, data sent by your website will be ‘locked’ with the server’s public key so that it’s encrypted and can’t be read if intercepted by a hacker or identity thief. It can only be ‘unlocked’ and decrypted by the server’s private key, i.e. its intended recipient.

Extra benefits? Aside from the obvious security benefits, SSL is invaluable for giving your customers peace of mind. Customers can tell when a web server has an SSL certificate because the application protocol (HTTP) will change to HTTPS (where the ‘S’ denotes ‘secure’), and the address bar is either green or shows a little padlock (depending on the web browser). Seeing this provides assurance that you’re taking their security seriously, which is more important than ever these days.

What’s more, since SSL certificates are only given out to verified companies who’ve undergone robust identity checks, they reassure users and visitors that any website using one is genuine and legitimate. Demonstrating the trustworthiness of your brand improves conversion rates, motivates customers to return and increases the likelihood you’ll get recommended to someone else. SSL also has an SEO benefit: since it’s now a part of Google’s search ranking algorithm, being certified will boost your Google ranking.

Next Steps: It’s important to purchase an SSL certificate from a trusted Certificate Authority (like GlobalSign, VeriSign and GeoTrust). Once you’ve bought one, we recommend getting a plugin like Really Simple SSL to make its installation… really simple! It “automatically detects your settings and configures your website to run over https” so that all you have to do is sit back and relax. One last thing: before you install, it’s always a good idea to back up your website, just in case.



WannaCry ransomware

You’ve probably heard all about the WannaCry ransomware that’s been spreading like wildfire across computer networks since last Friday: the one that encrypts computer files, demands a ransom (that doubles within 3 days) and threatens to delete the files in 7 days if the ransom isn’t paid.

So far, it’s affected over 200,000 computers in 150 different countries. By this morning, people had paid just under £30,000, but the true cost in terms of lost time, lost data and lost business is much greater. Germany’s rail network Deutsche Bahn has been affected, as have the Spanish telecommunications operator Telefónica, French car producer Renault, US logistics company FedEx and even Russia’s Interior Ministry. The attack on 61 of the UK’s NHS trusts has resulted in huge disruption to services and delayed or cancelled operations, putting people’s entire lives at risk.

This attack wasn’t specifically targeted at any particular groups or individuals; it was just a faceless virus let loose by cybercriminals with no thought of anything but their own profit. The reality is that because we all depend on technology, personally and corporately, our vulnerability runs deep.

Reports of attacks have slowed down, although experts are warning that we shouldn’t expect it to have gone away just yet. A 22-year-old security researcher became an “accidental hero” when his registering of a domain name to track the virus’ spread ended up putting a stop to it. But even he expects that it’s not over: “The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

This attack is unprecedented in scale. It exploits a flaw in Microsoft Windows that was identified by US intelligence but not sufficiently guarded. Microsoft’s Chief Legal Officer, Brad Smith, said: “The governments of the world should treat this attack as a wake-up call.”

Keeping up with schemes that endlessly increase in scale and sophistication is a huge challenge. Of course, major security flaws represent potent ammunition for online terrorists and should be more carefully guarded.

But the truth is that every single person who uses a computer has a responsibility to have a basic understanding of the risks. Everyone should practice basic cyber security.

Here are the basic security measures we recommend that everyone should implement:

• Back up your files.
If your files are stored in the cloud and not just on your computer, you’re not going to be held to ransom. Store data on external servers like Dropbox and Google Drive; this makes it easy to restore the latest version of your files.

• Use antivirus software
This will scan files before they’re downloaded. It should also block secret installations and seek out malware that may already be on a computer. If you don’t already have it, enabling Windows Defender is free and effective.

• Install updates!
This is vitally important, since new versions of things like Microsoft Windows fix exploitable vulnerabilities. You can set up alerts to inform you when there’s a new release. If you use Windows, make sure you install the patch that’s been released to block the specific exploit that the WannaCry software is using.

• Be suspicious!
If you receive an unsolicited email, be suspicious! Don’t open it, and certainly don’t click on any links. The same applies to adverts and unfamiliar websites. Don’t download apps that haven’t been verified by an official store, and always look at reviews.

WannaCry doesn’t seem to affect website files, but there are plenty of other viruses that do. Viruses are getting cleverer, and firewalls and security software can’t protect against everything. The best way to have peace of mind is to back everything up, as that protects against every kind of threat. So if you have a WordPress site, make sure that you install UpdraftPlus today.


Why are hackers interested in your website?

Did you know that people are trying to break into your WordPress website basically all the time?

This comes as a shock to some – I’ve seen a few anxious requests for guidance from people who read their logs, and discovered that attacks were going on.

WordPress now runs around a quarter of all websites on the Internet. As such, it’s an attractive target for attackers – they can build tools which have a huge number of potential targets.

But, why do they want to do this anyway? Motives vary – there are indeed plenty of people who think that destroying things is fun. However, the main motive is a predictable one: profit. There’s money to be made.

This at first seems surprising – where’s the money to be made in my little blog, someone asks? After all, I don’t make any money from it myself – how can they?

Three main ways…

1. Computing power, “free” and anonymous

It’s not your website itself that the average attacker wants – they want the computer power of the webserver that it’s running on. They want the free electricity. This can be used to perform complex computations such as those used to “mine” digital currencies like Bitcoin – or simply to hide the hacker’s identity, whilst he uses a server that is not linked to his name, to perform other tasks.

2. Spam, spam, spam spam…

That computing power can also be used to churn out zillions of spam emails – again, for free (to the attacker), and in a way that’s hard to trace, since the emails will come from your server, not the attacker’s own computers. Since emails are quick and easy to send, often by the time it is spotted, the attacker has got his pay-off. Spam equals money – sadly, there are people who don’t immediately delete them, but who reward the evil business model. Website owners and hosting companies get to pay the bills, when the addresses of their servers get black-listed as spam sources, and time has to be invested in cleaning up.

Another way is to insert links into web pages, to websites selling things – like various pharmaceuticals. These links may not even be intended or visible for people to click on – they may be intended only to be visible to search engines, to help the destination websites move up the search rankings. Unscrupulous marketeers can find it much cheaper to buy space on a thousand hacked websites from shady operators, than to build up genuine interest in their products.

3. Serving up viruses

A hacked website can be modified to serve up viruses to its visitors – catching vulnerable visitors whose own security on their PC/Mac/etc. wasn’t up to date. Viruses then allow the visitor’s computer to be used for the same purposes – and some others. For example, some viruses will encrypt all your files, and decrypt them only upon payment of a ransom – i.e. “ransomware”. Or they may inject new adverts into every web page you visit, making money for either the sellers of advertising space, or the sellers of the advertised products. Or they may log clicks and key-presses on the computer, and capture valuable passwords by this method – e.g. online banking passwords.

Sadly, insecure websites are economically valuable. Weak passwords, un-updated plugins, etc., provide ways for the bad guys to use your computing resources, to make money. The costs of breaking in are less than the revenues they can make – so hacking is a profitable activity.

Conclusion: don’t say “my website’s not interesting to hackers – it’s just small, so I’m fine.” Much WordPress hacking is an automated activity. Other hacked websites are running code to try to automate the process of hacking yours, if you’re vulnerable. Everyone’s at risk, and everyone needs to keep on the ball. Future training articles will discuss how. But you won’t be surprised by rule number one: keep regular backups! Sadly, even if you follow all the rules, sometimes, hackers find a flaw before the good guys do, and begin taking over websites straight away. When that happens, you need a good backup. With a good backup, you can always recover: without one, you’re really in for a hard time to get back to where you once were.

David Anderson (founder, lead developer, UpdraftPlus).

