One place for hosting & domains

      What Is Malware? Here’s What You Need to Know to Keep Your Website Safe


      Malware is one of the great boogeymen of the internet. It’s been around longer than the web itself and continues to be a threat to website owners, developers, and internet users to this day. If you don’t understand what malware is and how it can affect your site, you’re leaving yourself vulnerable.

      However, as malware evolves, so do the tactics for protecting against it. While malware can affect almost every site and device, if you educate yourself on how it works, you’ll have a good foundation for protecting yourself. Even better, there are a number of basic techniques you can use to strengthen your website against attacks.

      In this guide, we’ll go all the way back to the early days of the internet and discuss malware from its beginnings to the modern day. We’ll also explore some of the most common forms of malware and how they affect your site. Finally, we’ll show you how you can protect your WordPress site from malware. Let’s get started!

      The History of Malware

      Malware refers to any software developed with the intention of causing damage or gaining access to someone else’s system. In fact, the word itself is short for malicious software. Malware is sometimes simply referred to simply as viruses, but that is a reductive description. In reality, malware includes a wide variety of programs with multiple purposes and methods.

      The history of malware stretches almost as far back as the dawn of personal computers. It’s thought that the first piece of malware to reach the public was Elk Cloner, written by 15-year-old student Rich Skrenta as a joke. It was spread on a game disk that would display a poem after a certain amount of time. The program would also copy itself onto the computer’s memory and, after that, be automatically copied onto any disk that was inserted into that machine.

      While Elk Cloner did little actual harm to the infected devices, it was only the harbinger of things to come. As personal computers became more common from the mid-1980s onwards, malware also became more prevalent. Few programs were as harmless as Skrenta’s creation.

      One early example is CIH, which would cause massive damage to both software and hardware. It’s estimated that CIH infected over 60 million devices for a total of $1 billion in damages.

      At the time, malware was primarily delivered via disks so it was mainly spread on shared networks (such as those in universities and libraries). However, with the appearance of the internet, a new era of malware emerged. Today, malware can be spread online much faster than before and infect more sites and devices than ever.

      How Malware Works Today

      The trickiest thing about malware is that it’s often delivered under the radar so you don’t notice anything until it’s too late. It can be sent via email, added to a website so that it infects visitors, or hidden within a seemingly innocent program. There’s even such a thing as fileless malware, which affects your memory but doesn’t leave any trace on your hard-drive (to avoid detection).

      In short, malware is a lot more sophisticated today than when it relied on floppy disks. It’s also a lot more insidious and dangerous with a more focused purpose. In the past, viruses and other malware were usually created with the intent to brag or annoy others. Now it’s a money-making industry, encompassing networks of developers who are working full-time to create new ways of spreading unwanted, harmful software.

      If that sounds frightening, it probably should. As a website owner, malware can affect you in several ways. In the worst case scenario, attackers could access your site and leak sensitive information. They can also insert malware that infects the devices of people who visit your site. For example, this could be done by adding JavaScript to banner advertisements.

      The sad fact is that no device or site is ever completely secure. Malware is an industry that’s continuously improving and changing its methods, so you’ll never want to assume you can rest easy. Not even Internet of Things devices are safe. To defend yourself against this threat, you’ll need to learn as much about it as possible.

      Be awesome on the internet. Join our monthly newsletter to get tips and tricks for making the most out of your online presence.

      9 Types of Malware (And How They Affect Your Site)

      We’ve spoken about malware from a general perspective up until now. However, as we mentioned earlier, there are many different types out there. Let’s look more closely at some of the most prevalent kinds of malware and how they can impact your WordPress site.

      1. Computer Viruses

      This is arguably the most famous type of malicious programming — to the point that virus is commonly used as a synonym for all malware. In reality, a computer virus refers to any software that replicates itself and adds its own code into other programs. That’s why we use the term infected to describe the affected system.

      Since it hides its own programming inside some other software’s code, a virus can be used to perform almost any task. This task is known as its payload and can affect your site in numerous ways. For example, a virus could be used to access sensitive information, delete important data, hog site storage and server resources, or replace your content with spam.

      To protect yourself, you’ll need antivirus software. It’s likely you already have this installed on your computer and devices, but it’s a must for websites as well. Some web hosts offer built-in protection as part of their plans, which will help to stop most common attacks. You may also want to consider a WordPress security plugin that will scan your files for unwanted content, including viruses.

      2. Trojan Horses

      The Trojan horse myth is the story of how the Greek army managed to enter the besieged city of Troy in order to destroy it from the inside. They did so by gifting the Trojans a giant wooden horse that was secretly loaded with Greek soldiers. Surprise! When the horse was brought inside the city gates, the hidden soldiers jumped out and overtook the city.

      The horse’s modern-day namesake functions in much the same way. A trojan horse is a piece of software that appears to be doing one thing, while hiding its true functionality. For example, this could take the form of a screensaver that secretly corrupts files or drains your device’s memory.

      On WordPress websites, trojan horses can be plugins that claim to do something helpful while actually running malicious code in the background. This usually happens when you install pirated plugins or themes, which attackers can use to add backdoors and access your site’s data.

      To avoid this, make sure you’re careful about what you add to your site. It’s vital to always use trusted plugins from reputable, secure sources. This probably goes without saying, but pirating software is a lose-lose situation, both for you and its creators. Just say no.

      3. Cryptocurrency Miners

      The growing popularity of cryptocurrency like Bitcoin has had many strange side effects. For one, it’s caused the prices of graphics cards to rise. It’s also led to the creation of something called bitcoin mining. If this sounds confusing, that’s because it is.

      The short version: bitcoin is a type of virtual currency that can be mined (or collected) by using some of your computer’s processing power. This is why so many people buy graphics cards to mine it themselves. However, some people have naturally found a way to force other people’s systems to do the job.

      By installing mining software on a device or site, hackers can use that system’s resources to mine for bitcoin. It may not even be that noticeable, since many of these schemes infect thousands of devices and only use a fraction of each system’s resources to stay hidden.

      Protecting your site from this type of malware involves tracking your files to make sure none of them are malicious. You should make sure that you have a Web Application Firewall (WAF) and the ability to scan your site. If your site does get infected, you may need to perform some cleaning.

      4. Spyware

      As the name suggests, spyware is a program that hides on your device and collects information. This makes it one of the most dangerous types of malware as it can be used to gather sensitive data. Common uses for spyware include tracking your keyboard to collect passwords. It can also be used to watch your web activity or private conversations.

      Spyware usually spreads by either using the Trojan horse method of hiding inside other software or by being added to a website. When the latter occurs, the spyware will infect the devices of anybody who visits the site. In 2015, several WordPress sites were compromised in exactly this way.

      An important way to avoid spyware is by making sure every aspect of your site is always updated. This includes your WordPress install, theme, and plugins. You may need to perform these updates manually, but if you’re using managed hosting, your web host will usually take care of this for you.

      5. Adware

      Most of the malware variations we’ve discussed are purposefully designed to remain hidden. However, some take the opposite approach. Such is the case with adware, which forces the user to interact with an advertisement.

      Most of the time, this type of malware is harmless beyond being intentionally irritating. The goal is to make money by getting people to click on banners and links. Adware can also appear as pop-ups you can’t close or that will infinitely reopen until you click on them.

      Related: The Great Pop-Up Debate (and Other Dark UX Problems)

      Once again, the main vulnerability for WordPress users has to do with plugins. This was demonstrated in 2016, when the Simple Share Buttons plugin exposed thousands of users to adware. After an update, the plugin placed a message on the dashboard that you couldn’t remove without clicking on it.

      For this reason, it’s important to continuously scan your files, especially whenever you add or update a plugin. You could also use a tool like Plugin Security Scanner, which checks your theme and plugins daily.

      6. Ransomware

      If adware is the beggar of the malware world, ransomware is the bully. This is another type of malware that doesn’t hide in the shadows but proudly makes its existence known. Ransomware will threaten you with some action or disrupt your system unless you pay to have it removed.

      A common method of extortion is to encrypt your files and make them inaccessible. The attackers will then demand payment if you want to have the files decrypted. However, ransomware can also be used in reverse — to stop attackers from leaking information or damaging your system in some other way.

      Ransomware is often spread via emails, masquerading as attachments that infect the network once opened. It can also be used to target WordPress sites. In these cases, the ransomware typically encrypts each site’s files then tries to make the owner pay to get them back again.

      The best way to thwart these attacks is by keeping regular backups of your site. It’s also important to keep every aspect of your site safe as it could otherwise contain vulnerabilities attackers can take advantage of.

      7. Wiper

      In software terms, the word wipe is rarely attached to good news. As you might suspect, wiper malware is used to destroy the device or network it infects, making it one of the most overtly destructive types of malware.

      Wiper malware is primarily used as a type of cyber warfare. The goal is almost always to attack and destroy, rather than to sneakily use another device for illicit means. One of the most famous examples is the Shamoon attack, which was used to steal files from computers before wiping their storage clean. There’s also the Petya software, which purports to be ransomware, even though it doesn’t actually recover the destroyed files once a payment is made.

      Once again, keeping regular backups is your most important defense. This way, you’ll ensure that your data is recoverable even if your site is hit by a wiper. Avoiding a wiper entirely will require you to use all possible methods of site security. You’ll also want to be prepared to clean up your site if the worst-case scenario comes to pass.

      Related: How to Back up Your WordPress Website — A Complete Guide

      8. Computer Worms

      Computer worms are similar to viruses, with the exception that worms spread autonomously. A virus requires something else to help it move between systems, but worms can work on their own.

      For example, a virus could be triggered when you start an application or insert a disk into your hard drive. Meanwhile, a worm can automatically spread itself, such as through email. In that case, the worm will look at your address book and send itself to all the contacts within. It can then repeat this process more or less forever. In fact, some of the most long-lasting examples of malware are worms, such as the slammer worm, which has been around for more than 15 years.

      Protecting your site against worms is also very similar to securing it against viruses. Consider using a hosting plan that protects against automated attacks.

      9. Botnet

      A botnet isn’t malware in the strictest terms, but it often affects the same sites and exploits similar vulnerabilities. In short, a botnet refers to a network of infected devices that can be controlled from a single point. This network can be used to run tasks or to perform Denial-of-Service (DoS) attacks.

      The botnet works by attempting to insert its code into targeted websites. When a site is successfully infected, it can be used to perform tasks by an external command center. It basically becomes a remote-controlled robot — one that can be used for malicious purposes.

      Many security plugins will protect against injection attacks. This can help prevent your site from becoming part of a botnet. You should also have a means of tracking the activity on your site. This can help you see when injection attacks occur and take measures to fight them before it’s too late.

      How to Protect Your WordPress Site Against Malware

      We’ve already covered numerous ways of protecting your WordPress site against malware. However, keeping your site secure requires a lot of planning, work, and know-how. Fortunately, you don’t have to go it alone.

      Here at DreamHost, we offer tools that can help you safeguard your site. For example, our Malware Remover keeps your site safe from malware by scanning it and removing threats before they can destroy your files.

      The Malware Remover is a powerful tool that will help prevent your WordPress site from falling victim to the malware variations we’ve discussed. Some of its key features include:

      • Automated protection. Malware issues will be dealt with and cleaned up automatically.
      • Weekly website scans. Every file on your site is scanned each week to find any vulnerabilities or possible exploits.
      • Software update notices. We track all updates and inform you when you need to upgrade your software.
      • Whitelisting functionality. You can tailor the system to permit specific processes that the remover perceives as false-positive threats.

      You can add the Malware Remover to your DreamHost account for just a few extra dollars per month. It’s a perfect complement to the standard security features offered by our hosting plans. Your site will thank you!

      Stay Safe Out There

      Malware is an ever-present threat to any website owner; it has been since the dawn of the internet. Plus, it’s something you need to stay vigilant about as new types of malware crop up regularly. Fortunately, keeping your site safe is easier than you might expect.

      Do you have any questions about protecting your WordPress site against malware or how DreamHost can help? Find us on social and let’s start the conversation!





      Source link

      How to Create Strong Passwords to Keep Your Website Safe


      Your birthday. Your dog’s name. Or even worse, 1234. These are common passwords that are easy to remember — and an easy way to let people exploit your website.  When you own your own website, it’s even more crucial to create a smart password that will keep your site safe and secure, since upping the ante on your password game is one of the best ways to protect your business.

      “It’s important to have strong passwords because 81 percent of hacking-related breaches are due to weak or stolen passwords, according to the 2018 Verizon Data Breach Report,” says Darren Guccione, CEO & Co-Founder of Keeper Security. “Passwords are the single easiest entry point you can protect.”

      While a quirky word or secret nickname might seem unexpected to you, that’s not much trickier for a pro to solve.

      “Criminal hackers have password cracking tools at their disposal that actually plug-in well-worn, easy to guess passwords into website logins,” says Robert Siciliano, a security analyst with Hotspot Shield. “For example, many usernames are ‘admin’ and if the password is ‘princess’ that is easy to crack with a ‘dictionary attack,’ which is a software used to crack passwords.”

      If you have employees who have access to your company’s website, it’s crucial to share with them how to create a secure password. After all, even if you maximize all the steps to creating a strong password, if you’re not requiring your users to do the same, then that’s essentially creating an Achilles’ heel. Stay safe and secure by trying these 12 techniques to build a strong password.

      11 Password Tips to Help Keep Your Website Safe

      1. Make your password long.

      “Generally, a longer password takes longer to be cracked; however, it should also follow other rules to make it strong,” says Rema Deo, Managing Director at 24By7Security, Inc. “Length alone is not enough.” Aim for at least eight letters and/or characters since anything less than that takes less time to crack. The longer the password, the longer it takes to figure it out.

      “However, a long password doesn’t necessarily make it more secure,” Guccione cautions. “To be secure it should be both long and random, meaning it should contain a combination of upper and lowercase letters, numbers, and symbols. A password should be no less than eight to 16 characters, but certainly, more can be better. Some websites require a certain character length so be cognizant of those requirements when creating your passwords.”

      Want more security tips to protect your website? Sign up for DreamHost’s monthly newsletter today!

      2. Don’t use a common phrase.

      As Siciliano mentioned, the ‘dictionary attack’ is the main reason to avoid popular words and phrases. Passphrases are increasingly becoming more popular, but they can easily be guessed if it’s something obvious to you or the account. And don’t make the mistake of thinking that using an exclamation mark instead of an “I” or a “3” for the letter “E” will throw them off guard.

      “Algorithms used to crack passwords already consider common phrases and even common letter substitutions,” Deo cautions.

      3. Test your password.

      “Most websites have testing tools built-in to the setup process when creating a password,” Siciliano says. “The other option is to go to haveIbeenpwnd.com and look at their password checker tool.” While password strength meters help, keep in mind that they are not necessarily fool-proof.

      4. Don’t reuse your password.

      More than half of all people use the same password for all their websites and applications. “This is a common and very dangerous problem,” Guccione says. “Hackers keep dictionary lists of the most commonly used passwords. They also know that if they are successful in breaching a single account, they will often be able to access multiple accounts for the same person due to the high frequency of password reuse. So, the more you reuse passwords the easier it is for an attacker to gain access to every account that uses that same password.”

      As security breaches have become increasingly common, that’s another reason to keep mixing it up when it comes to your password.

      “There have been 12 billion records compromised just in the past two years alone, equating to over 10,000 data breaches,” Siciliano says. “That means criminals have access to billions of usernames and their associated passwords. This allows them to use that data to access any site where your credentials are reused.”

      Related: Why Security Through Obscurity Isn’t Enough to Keep Your Website Safe

      5. Use a password manager.

      If you’re creating passwords the right way — meaning they’re long, with lots of numbers and characters and on the gibberish side — it’s probably pretty tough to keep track of all of them. That’s where a password manager comes in. They allow you to have multiple passwords for all of your accounts and it remembers them for you.

      “Password managers generally store your passwords in an encrypted vault and therefore are meant to be more secure than other means of storing your passwords,” Deo says. “They also offer features like suggesting passwords; allowing you to enter, store and remember long complex passwords; identifying duplicate or reused passwords and allowing you to fix them.” Just be sure to pick the right one, since password managers have been known to have the occasional security flaws. Using a password management application will enable you to create stronger passwords, since you won’t have to remember each one.

      “They also allow you to be faster online by auto-filling your login credentials for you,” Guccione says. “Creating strong passwords is not difficult—remembering them is. We call this dilemma ‘password fatigue.’ The easiest way to create strong passwords is with a password manager. There are many options that once you’ve tried I can guarantee you’ll want the ease of use on every device.” And whatever you do, do not store your passwords on sticky notes or spreadsheets.

      6. Don’t store passwords in your browser.

      We know what you’re thinking: keeping passwords in your browser means they’re always at your fingertips. But like many other shortcuts in life, it just isn’t worth it. While password managers are security companies designed to protect your data, the same standards don’t apply to browsers for password management. “Browsers don’t encrypt your passwords, and if a hacker gets access to your computer, the passwords stored in your browser are open game,” Guccione says.

      “Further, passwords stored in a browser can’t be used for native applications and are also not available on your other devices or on other browsers. Passwords stored in a particular browser are not cross-platform, and browsers are not military-grade ‘vaults’ for securing and organizing your passwords and other private information.”

      And remember, generally speaking, Deo warns that passwords can be viewed once you are connected or logged in. If a hacker gets control of your browser with your login password, then the hacker can see all the accounts and their passwords. This is one risk that definitely isn’t worth taking.

      7. Follow the rules every time.

      It might seem OK to break a rule now and then, but that can be a slippery slope. Always — and we mean every single time — stick to the essentials. “Long and strong, lowercase, numbers and characters, indecipherable passwords that don’t spell anything out are best,” Siciliano says. “Otherwise, phrases incorporating the above can work. But a password manager does it best—that’s their job.”

      If you want to go above and beyond (and which business owner doesn’t when it comes to their website?), take it up a notch by setting a truly unpredictable password, one that simply has nothing to do with you or any other common phrase. “Since such unpredictable passwords are hard to remember, a password manager might be the next best thing to use to protect your accounts,” Deo says. “Multi-factor authentication is also a useful idea so that you would need multiple different methods to access your accounts.”

      8. Use two-factor authentication.

      Any extra protection you can take is a good idea, and two-factor authentication means that simply having your password won’t be enough. Two-factor authentication adds in a second layer of security for protecting access to your accounts, making the cracking process much more difficult. This second layer can consist of a code-generating app on your smartphone, a numeric key fob or a USB key.

      “A simple username and password combination has already been hacked and cracked with the 12 billion records compromised,” Siciliano says. “If you have two-factor installed, it doesn’t matter if a criminal has your username and password — they would need your mobile phone to get access.”

      Related: 13 of the Best Security Plugins to Keep Your WordPress Site Safe

      9. Consider the Passphrase/Diceware Method.

      The Passphrase/Diceware Method mainly consists of random words to create a secure password. “It is a good way to create a strong, long password,” Deo says. “Experts say that the number of words you need to truly make the Diceware passphrase strong used to be five, but now they recommend that you use a minimum of seven words to make a strong passphrase.”

      The downfall? “Just be aware that what you create, you also have to remember,” Guccione says. “Passphrases are becoming more prevalent. Therefore, it’s best used in conjunction with a password manager.”

      10. Use security questions wisely.

      Though security questions might seem like they’re there to help by adding an extra layer of protection, they can actually do more harm than good. “If possible, it’s best to avoid security questions because they tend to be questions of very common things about yourself,” Guccione says. “But if you do have to use them, I recommend setting a customized security question and answer to prevent hackers from planning a brute-force attack against common security question and answer lists.”

      In other words, be creative with your answers and record that data so that the information can’t be easily found via social media. “Answers to security questions can often be guessed easily or even found on public sources,” Deo says. “For instance, some security questions ask you the model of your first car or the high school you went to. These are not private questions. It is important to select questions that offer you a certain level of privacy where you may be the only one who truly knows the right answer.”

      11. Keep an eye on your smartphone.

      “Today, most people keep everything about themselves on their smartphones, from notes, contacts, lists, text messages, passwords, photos, videos, and emails—it’s all there,” Guccione says. “Hackers target smartphones because they are small and easy to steal. When a hacker is able to get physical access to your device, their chances of breaching that device increase exponentially. Each year, over 3 million phones are stolen. Keep them locked with a passcode and under a close eye!”



      Source link