Another Wordfence false positive

If you use Wordfence, and it is telling you that http://login.microsoftonline.de/common/oauth2/v2.0/authorize (found inside UpdraftPlus’s OneDrive code) is a phishing URL, then please rest assured that this is untrue. It is the official Office 365 (including OneDrive) authentication endpoint for Microsoft Germany; you can verify this at the official page on microsoft.com, here. The one check worth making is that the string in your copy of the plugin is exactly that host, login.microsoftonline.de, and not a lookalike domain: a genuine phishing kit would use a similar-looking name, which is precisely what a phishing check exists to catch.

If you get this report, then please do report it to Wordfence if you can. The number of times Wordfence flags false positives in different places is a non-trivial support burden for us (the last one was under two weeks ago), as well as surely being an annoyance to Wordfence users who value their time.

We recommend that Wordfence users suggest to Wordfence support that they test all their malware-detection rules against the most popular WordPress plugins before releasing them to end-users.

David Anderson (lead developer)

The post Another Wordfence false positive appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

WordFence reporting false positives when virus-scanning

If you are using Wordfence’s security scanner, and it tells you that you have a virus “Backdoor:PHP/SEemf0Ji” in the file phpseclib/tests/Unit/Crypt/RSA/LoadKeyTest.php inside UpdraftPlus, then this is a false positive (*). You can compare your file with the original from the phpseclib project here – https://github.com/phpseclib/phpseclib/blob/master/tests/Unit/Crypt/RSA/LoadKeyTest.php – which contains the same string: a test RSA key used by phpseclib’s unit tests, in a harmless context, which Wordfence wrongly identifies as a virus.

If you get this report, then please do report it to Wordfence if you can. The number of times their plugin continues to flag false positives in different places is a non-trivial support burden, and we wish they would implement some way of removing easy-to-discover false positives like this one, especially in a top-20-most-installed plugin like UpdraftPlus. It is a burden upon their users too; we presume you would rather do real work than read and investigate incorrect reports!

(*) Of course, now that this is known to be a widespread false positive, replacing that file with genuinely malicious code would be a smart move for any attacker, since users have been told to ignore the alert. This is another reason why false positives are harmful: they train people to dismiss warnings. So, to be entirely sure you’re safe, and to err on the side of being over-cautious rather than otherwise, you will want to check that your copy of the file is byte-for-byte identical to the pristine version linked above, rather than merely looking similar.

David Anderson (lead developer)

Two factor authentication – the two simplest and best ways to enable it for WordPress

At UpdraftPlus we believe backups are essential.  But having backups without security is like having insurance without locking your doors at night.  You need both.

If you own or manage a WordPress website it’s vital that you keep it as secure as possible.

Although WordPress is a relatively secure platform, the fact that it’s so popular makes it a target: attackers scan large numbers of sites automatically for weak passwords and known vulnerabilities, so a poorly secured site will be found.

UpdraftPlus strongly recommends the gold-standard way to secure the login to your website, which is to use two factor authentication. In this guide, we’ll quickly explain what this is and why you might want to use it, before covering two free plugins that can help you enable two factor authentication on a WordPress website.

Let’s get started…

What is two factor authentication and why use it?

By default, users gain access to the back end, or dashboard, of a WordPress website by entering their username and password. However, this approach has its downsides.

For starters, users might choose weak passwords or reuse the same username and password combinations on multiple sites. Some users even write down and store their usernames and passwords in easy to find places.

Then there’s the act of entering the username and password. Even if you’ve chosen a strong password, all it takes is one shoulder surfer to watch you enter your details and there’s a good chance they’ll also be able to access your account. That’s without even thinking about keyloggers, packet sniffers, and other more sophisticated forms of hacking.

However, there is something you can implement that will significantly increase the security of your WordPress website, and that is two factor authentication or 2FA.

Instead of requiring users to just enter a username and password to log in, two factor authentication adds an extra step to the login process. Typically, this second step involves a one-time code being generated on, or sent to, a device the user will have access to, such as their smartphone or laptop. The user then enters this code, often along with their username and password, to login securely.

Modern two factor authentication solutions, like the ones featured in this guide, use purpose-built apps as part of the login process, requiring the user to know their password and have their device to hand.

In other words, an attacker who has only your password (leaked, reused or captured by a keylogger) still cannot get in without your phone.

The fact that services like Gmail and online banks use two factor authentication to secure user accounts gives you a good idea of how effective this method is. Now, thanks to the plugins in this guide, you too can easily implement two factor authentication on your WordPress website.

So now all you have to do is choose the right plugin…

Which is the best two factor authentication WordPress plugin?

There are actually two highly effective two factor authentication plugins for WordPress that have been created by the UpdraftPlus team. Both are popular options among WordPress users, with over 11 thousand active installations between them.

However, of these two plugins, one is a more innovative tool that aims to make enabling two factor authentication for WordPress more appealing, while the other takes a more traditional approach and simply gets the job done.

In this guide to adding two factor authentication to WordPress websites, we’ll cover both options to help you not only decide which plugin is right for your project but also provide you with the information needed to quickly secure your site.

First up we have the tried and tested, solid and traditional Two Factor Authentication plugin, a freemium tool with over 10 thousand active installations.

Two Factor Authentication WordPress plugin

The appropriately named Two Factor Authentication plugin is the ideal solution for anyone who wants to quickly secure their WordPress website with the least fuss and effort. As the Two Factor Authentication plugin is free to use and available from the official WordPress Plugin directory, it can be installed on your website via your WordPress Dashboard.

So to get started, simply log into your WordPress Dashboard, navigate to the Add Plugins screen, and then enter Two Factor Authentication in the search field.

Two Factor Authentication Plugin Installation

After clicking on the Install Now and Activate buttons, you can configure how the plugin works on your website. The link to the settings page for Two Factor Authentication can be found under the Settings menu on the WordPress Dashboard. From this page, you’ll be able to choose which user roles will have access to this feature. For even greater security, the premium version of the plugin lets you enable two factor authentication for all of the users on your WordPress website on their behalf, rather than waiting for each of them to opt in.

Two Factor Authentication Admin Settings

If you stick with the free version of the plugin, without the ability to enable two factor authentication on behalf of other users, your users can instead simply enable it for themselves once they’ve logged into WordPress.

However, if you do decide to upgrade to the paid version of the Two Factor Authentication plugin, you’ll also get access to other features, including the ability to generate emergency codes in case your users lose their device and settings that allow you to manage two factor authentication for your users.

So now that we know what this plugin can do, let’s take a quick look at how it works from the perspective of your users.

How it works for your Website users

When you create an account for a new user on your WordPress website, they will be able to log into the site as usual, using the username and password generated at the time of the account creation. Then, once that user has logged into the WordPress Dashboard, they can access the Two Factor Auth pages in the dashboard area. This also applies to users that existed on your site before you installed the plugin.

Two Factor Authentication Settings

From the Two Factor Authentication settings pages, the user can enable this feature for their account (if you’ve already enabled it for their user role). Part of this process involves scanning the QR code with the Google Authenticator app on their smartphone (or using one of the other methods available, such as a Chrome browser extension) and then entering the one-time password it generates, which confirms that the app and the site share the same secret.

Two Factor Authentication Google App

Now the next time that user tries to log into your site, after entering their username and password on the WordPress login page, another screen will be displayed, asking them for their one-time password (the second factor), which they can get from the Google Authenticator app or another tool that they are using.

Two Factor Authentication Login Page

If they entered their details correctly, they’ll be logged in securely to the WordPress website.
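The code behind that login screen is TOTP (RFC 6238), the scheme Google Authenticator implements: at enrolment the site and the app share a random secret (that is what the QR code carries), and every 30 seconds the app computes a six-digit HMAC over the current time window. What follows is an added example in Python of both halves, code generation and the server-side check; it is not the Two Factor Authentication plugin’s own code, and how that plugin stores its data is not described here. Assumptions: the server keeps each user’s base32 secret and the last time window it accepted (shown as plain values rather than a database); the verifier tolerates one step of clock drift, compares in constant time, and refuses any window it has already accepted, so a code seen by a shoulder-surfer cannot be replayed. The secret used is the published RFC 6238 test vector, not a real key.

```python
"""TOTP (RFC 6238) as used by Google Authenticator: both sides share a secret,
and the code is a truncated HMAC-SHA1 of the current 30-second window.

Added example, not the plugin's own code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def b32_decode(secret: str) -> bytes:
    """Authenticator apps display the shared secret as unpadded base32."""
    s = secret.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation (4 bytes at the offset given by the low nibble of the last byte,
    top bit cleared) and reduction modulo 10**digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int = None, step: int = 30, digits: int = 6) -> str:
    """What the phone shows at Unix time `at` (defaults to now)."""
    at = int(time.time()) if at is None else at
    return hotp(b32_decode(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, last_counter: int = -1,
                at: int = None, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server-side check. Returns (accepted, new_last_counter).

    - accepts the current window and `window` steps either side (clock drift)
    - compares with hmac.compare_digest so timing does not leak digits
    - never accepts a window <= last_counter, so a code that was already used,
      or an older one captured by a shoulder-surfer, cannot be replayed
    The caller must persist new_last_counter alongside the user's secret."""
    at = int(time.time()) if at is None else at
    key = b32_decode(secret_b32)
    current = at // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, last_counter


def new_secret(nbytes: int = 20) -> str:
    """Enrolment secret: 20 random bytes (160 bits, the HMAC-SHA1 key size),
    base32 without padding, as apps expect in the otpauth:// QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


# RFC 6238 test secret "12345678901234567890" in base32 (published vector, not a real key).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("code now:", totp(RFC_SECRET))
    print("RFC 6238 vector at t=59:", totp(RFC_SECRET, 59, digits=8))
```

totp(RFC_SECRET, 59, digits=8) returns 94287082, the value in RFC 6238 Appendix B, which is a quick sanity check for any TOTP implementation you are asked to trust. Note that what a TOTP code cannot protect against is a live phishing page that relays the code to the real site within the same 30-second window; that is a limitation of every one-time-code scheme, not of this plugin.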

As mentioned, upgrading to the premium version of the Two Factor Authentication plugin allows you to view the login codes and other details of your users so you can help them if they get stuck. You’ll also be able to issue them with emergency codes in case they lose their smartphone or another device they’ve been using to generate the codes.

However, without upgrading, you’ll still be able to give your users the ability to enable fully functioning two factor authentication on your WordPress website.

Although the Two Factor Authentication plugin is a tried and tested tool for enhancing the security of a WordPress website, it’s not the only option available.

So let’s take a look at a plugin that those who’d prefer a more interesting and innovative solution for adding two factor authentication to a WordPress website should find appealing.

Keyy WordPress plugin

Keyy is another tool for enabling two factor authentication on your WordPress website. One of the benefits of Keyy over a more basic plugin — like Two Factor Authentication covered above — is that it does away with typing usernames, passwords and other credentials at the login screen altogether.

Two Factor Authentication Keyy Wave

How does this work? Well, once the Keyy plugin has been set up on your site, you and your users can scan the Keyy wave or QR code with the app on a smartphone, or another supported device, and be taken straight to the WordPress Dashboard. With no usernames and other details to enter, you can reduce the risk of anyone looking over your shoulder or logging your keystrokes to steal your account credentials.

Two Factor Authentication Keyy Plugin Installation

As well as installing the Keyy plugin on your WordPress website, you’ll also have to install the Android or iOS app on your smartphone or tablet. However, as all of these tools are free and available from the official repositories, the whole process is very straightforward.

Two Factor Authentication Keyy Play Store

Then, when you next try to log into the site, the Keyy wave or QR code will be displayed on the login page. Simply scan the code with the Keyy app on your phone or another registered device and you’ll be logged straight into the WordPress Dashboard.

If you lose your Keyy enabled device, it’s not the end of the world. Users with the administrator role also get access to a secret URL that allows them to disable the Keyy login and gain access to the site using their username and password. Treat that URL as you would a password: anyone who obtains it can bypass the Keyy login, so keep it out of shared documents, chat and e-mail.

Two Factor Authentication Keyy Disabled Login

Once someone has used the secret URL to login, the site administrator is notified via email and a new secret URL is generated. Thanks to this, despite having the ability to login without Keyy, there are still measures in place to reduce the chances of your site’s security being compromised.

How Keyy works for your website users

As with the Two Factor Authentication plugin, unless you upgrade to the premium version of Keyy your website users will have to opt in themselves to start using Keyy to log into the WordPress Dashboard. However, doing so is very straightforward, so hopefully they’ll secure their account without any resistance.

To enable Keyy, all users have to do is log into the site using their username and password as usual, and then navigate to the plugin page in the WordPress Dashboard.

Two Factor Authentication Keyy User Enable

From there they can find links to the Keyy mobile app in the Android Google Play store and iOS Apple App store. Once the app is installed, they can set up a passcode to secure the app on their phone, before using the app to scan the Keyy wave or QR code in their WordPress Dashboard.

Two Factor Authentication Keyy App

Once they’ve performed the scan, Keyy will be enabled for their account and they can only log in using two factor authentication with the Keyy app.

Final thoughts

Hopefully, this guide has answered your questions about two factor authentication for WordPress and introduced you to two tools for securing your website in this way.

Although there are many ways to improve the security of your WordPress website, enabling two factor authentication is straightforward and incredibly effective.

So which plugin will you use to secure your WordPress website with two factor authentication? Please let us know in the comments below.

Important – new privacy centre & how do YOU hold user data on your WordPress site?

Do your WordPress sites contain EU user or customer data?  If so, today is GDPR day which means you now legally need to consider the privacy and security of their data whether or not you’re in the EU.

If you back up a WordPress site that holds EU user data, then you need to consider the security of those backups too: a backup is a copy of the personal data, and it is covered by the same obligations. UpdraftPlus Premium can protect the customer data in your backups by encrypting them and by locking access to the plugin’s settings. It can also delete old backups automatically, which matters because under GDPR you must not keep personal data for longer than you need it, and that includes the copies sitting in old backups.

If you’d like to see our own privacy policies on how we protect your data (or unsubscribe from this newsletter), then we’ve built a helpful privacy centre here.

Have no SSL certificate and think you’re secure? Think again.

The online world is a dangerous place. Being aware of the risks and taking steps to mitigate them has never been more important, and we at UpdraftPlus are committed to helping all our customers to keep their WordPress websites safe and secure. That’s why we recommend that you have SSL.

What is SSL? SSL (strictly speaking its successor TLS, which is what every modern browser and server actually uses; the old name has stuck) is at the heart of website security. It ensures that sensitive information such as credit card details, usernames and passwords cannot be read or altered as it traverses global computer networks. Having a certificate on your web server, and serving your site over HTTPS, provides privacy, authentication and data integrity for both your website and your users.

How does SSL work? When a browser connects to an HTTPS site, the server presents its certificate, which binds the server’s public key to its domain name and is signed by a Certificate Authority the browser already trusts. SSL/TLS uses public key cryptography, which involves two mathematically linked ‘keys’: a private key, which never leaves the server, and a public key, which the certificate publishes to everyone. The browser uses the public key to confirm it is really talking to the holder of the matching private key (and, depending on the protocol version, either to encrypt the initial key material or to check the server’s signature on a key exchange). The two sides then derive a fresh symmetric session key, and it is that session key, not the server’s public key, that encrypts the actual page data, passwords and card numbers in both directions. Someone intercepting the traffic sees only ciphertext they cannot decrypt, and any tampering with it is detected and the connection fails.

Extra benefits? Aside from the security itself, SSL is invaluable for giving your customers peace of mind. Customers can tell when a web server has a valid certificate because the address begins with https:// (the ‘s’ denotes ‘secure’) and the address bar shows a padlock (older browsers also coloured it green for some certificate types). Seeing this provides assurance that you’re taking their security seriously, which is more important than ever these days.

A word of caution on what the padlock means. Most certificates issued today are domain-validated, which proves only that whoever obtained the certificate controls that domain name; only Organisation- and Extended-Validation certificates involve identity checks on the company behind the site. So a certificate tells a visitor that the connection really goes to the site whose name they typed and cannot be read in transit, not that the business is legitimate. Even so, visibly protecting your visitors improves conversion rates, motivates customers to return and increases the likelihood you’ll get recommended to someone else. SSL also has an SEO benefit: HTTPS is one of the signals in Google’s search ranking algorithm, so serving your site over HTTPS can help your ranking.

Next Steps: Obtain your certificate from a publicly trusted Certificate Authority (commercial CAs such as GlobalSign, DigiCert or GeoTrust, or the free, automated Let’s Encrypt, which many hosts will set up for you). Once you have one, we recommend getting a plugin like Really Simple SSL to make its installation… really simple! It “automatically detects your settings and configures your website to run over https” so that all you have to do is sit back and relax. Afterwards, check that plain http:// addresses redirect to https:// and that no page still loads images or scripts over plain HTTP (mixed content), which browsers block or flag. One last thing: before you install, it’s always a good idea to back up your website, just in case.
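To make concrete what ‘verified’ means above, here is an added Python example (not Really Simple SSL or UpdraftPlus code) of the three checks a browser performs on a certificate: that it chains to a trusted Certificate Authority, that one of its names matches the host being visited (including the single-wildcard rule), and that it is within its validity dates. The chain check is delegated to Python’s default SSL context, which refuses the connection on failure just as a browser does; the name and date checks are written out so you can see them. SAMPLE_CERT is a constructed dictionary in the shape getpeercert() returns, not a real certificate, and exists only so the logic can be exercised offline.

```python
"""What a browser verifies about a site's certificate: that it chains to a
trusted CA, that it names the host being visited, and that it is in date.

Added example; standard library only."""
import socket
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: case-insensitive; a single '*' is allowed only as
    the entire left-most label and never matches across a dot, so
    '*.example.com' covers 'www.example.com' but not 'a.b.example.com',
    and a bare '*.com' is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for: the SAN dNSName entries, falling back
    to the subject CN only when there is no SAN at all (as browsers do)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def evaluate_cert(cert: dict, hostname: str, now: float = None) -> dict:
    """Judge a certificate (dict as returned by getpeercert()) for `hostname`
    at Unix time `now` (defaults to the present)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_names(cert)
    return {
        "names": names,
        "name_ok": any(hostname_matches(name, hostname) for name in names),
        "in_date": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live server and return its certificate. The default context
    already enforces chain validation and hostname checking, so an untrusted,
    expired or mismatched certificate raises ssl.SSLCertVerificationError
    instead of returning, exactly as a browser refuses the page."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(host, evaluate_cert(fetch_cert(host), host))
```

Run it with your own domain as the argument once Really Simple SSL has done its work; a low days_left is the usual cause of the ‘your connection is not private’ page appearing months later, so it is worth checking periodically.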


Wannacry ransomware

You’ve probably heard all about the Wannacry ransomware that’s been spreading like wildfire across computer networks since last Friday: the one that encrypts computer files, demands a ransom (that doubles within 3 days) and threatens to delete the files in 7 days if the ransom isn’t paid.

So far, it’s affected over 200,000 computers in 150 different countries. By this morning, people had paid just under £30,000, but the true cost in terms of lost time, lost data and lost business is much greater. Germany’s rail network Deutsche Bahn has been affected, as has the Spanish telecommunications operator Telefónica, French car producer Renault, US logistics company FedEx and even Russia’s Interior Ministry. The attack on 61 of the UK’s NHS trusts has resulted in huge disruption to services and delayed or cancelled operations, putting people’s lives at risk.

This attack wasn’t targeted at any particular groups or individuals; it was a self-propagating worm let loose by cybercriminals with no thought for anything but their own profit. The reality is that because we all depend on technology, personally and corporately, our vulnerability runs deep.

Reports of attacks have slowed down, although experts are warning that we shouldn’t expect it to have gone away just yet. A 22-year-old security researcher became an “accidental hero” when he registered a domain name he had seen the malware contact, intending to track its spread; the code checked for that domain before encrypting and stopped when it received a reply, so registering it acted as a kill switch. But even he expects that it’s not over: “The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

This attack is unprecedented in scale. It exploits a flaw in the SMBv1 file-sharing protocol in Microsoft Windows that was known to US intelligence and subsequently leaked rather than kept secure; Microsoft had released a patch in March 2017 (MS17-010), but a great many machines had not installed it. Microsoft’s Chief Legal Officer, Brad Smith said: “The governments of the world should treat this attack as a wake-up call.”

Keeping up with schemes that endlessly increase in scale and sophistication is a huge challenge. Of course, major security flaws represent potent ammunition for online terrorists and should be more carefully guarded.

But the truth is that every single person who uses a computer has a responsibility to have a basic understanding of the risks. Everyone should practice basic cyber security.

Here are the basic security measures we recommend that everyone should implement:

• Back up your files.
If your files are stored somewhere other than the infected computer, you’re not going to be held to ransom. A cloud service such as Dropbox or Google Drive makes it easy to restore the latest version of your files, with one caveat: a sync client will faithfully upload the encrypted versions too, so rely on a service that keeps file history (or on a separate backup that the infected machine cannot overwrite) rather than on the synced copy alone.

• Use antivirus software
This will scan files before they’re downloaded. It should also block secret installations and seek out malware that may already be on a computer. If you don’t already have it, enabling Windows Defender is free and effective.

• Install updates!
This is vitally important, since updates to things like Microsoft Windows fix exploitable vulnerabilities. Turn on automatic updates, or at least set up alerts to inform you when there’s a new release. If you use Windows, make sure you have installed the patch (MS17-010) that blocks the specific exploit Wannacry uses to spread; Microsoft also recommends disabling the obsolete SMBv1 protocol altogether.

• Be suspicious!
If you receive an unsolicited email, be suspicious! Don’t open it, and certainly don’t click on any links. The same applies to adverts and unfamiliar websites. Don’t download apps that haven’t been verified by an official store, and always look at reviews.

Wannacry doesn’t seem to affect website files, but there are plenty of other kinds of malware that do. Malware is getting cleverer, and firewalls and security software can’t protect against everything. The best way to have peace of mind is to back everything up, since a backup kept somewhere the attacker cannot reach (offsite, and not writable from the compromised machine) lets you recover from almost any kind of incident. So if you have a WordPress site, make sure that you install UpdraftPlus today.
