Protect Your WordPress Sites With Two-Factor Authentication

Category Archives: Nexcess

Sep 24

  • Created: Sep 24, 2014 2:00 PM

Protect Your WordPress Sites With Two-Factor Authentication

The Heartbleed bug was one of the worst online security vulnerabilities in recent memory, allowing an attacker to read chunks of a server’s memory that might contain private keys, authentication credentials, and other sensitive data. In the wake of Heartbleed, it’s a good time for WordPress site owners to audit their security procedures and implement mechanisms for keeping their site and its users safe. Two-factor authentication is one easy-to-implement security strategy that makes life more difficult for hackers.

The normal username / password combination can be thought of as one-factor authentication. There is one secret token that will grant access to the site. Two-factor authentication adds another token, which can be generated in various ways: most commonly by using an application to provide a one-time password, a physical token like a Yubikey, or a biometric factor like a fingerprint.

Posted in: Nexcess
Sep 17

  • Created: Sep 17, 2014 2:00 PM

Using Nofollow Tags Correctly On WordPress

Nofollow tags are frequently misunderstood. In this article we look at nofollow tags, their rationale, and how to nofollow (or “dofollow”) links on WordPress.

Google’s success as a search engine was largely based on its founders’ development of an algorithm that used incoming links as a signal of a page’s quality. The idea is that the more people who choose to link to a page, the more valuable the page is likely to be to other people. Although Google and the other search engine operators have increased the complexity of their algorithms considerably since the early days, links still play a fundamental role in determining search engine ranking.

However, not all links are trustworthy for the purposes of determining a page’s quality and value. They are only useful if they are “editorial” links — links that are created because the value of the content is what motivated the link. Because there are various other reasons that a page might be linked to, Google decided to provide a mechanism to signal that links should not be followed by search engine crawlers. That mechanism is the nofollow meta tag, which looks like this:

Posted in: Nexcess
Sep 10

  • Created: Sep 10, 2014 1:44 PM

WordPress Users Should Ensure Theme-Bundled Slider Revolution Plugins Are Up-To-Date

Most WordPress users know that WordPress plugins should be updated. Updates frequently include patches that fix security vulnerabilities. Every WordPress user’s routine should include regular plugin and core updates. But there’s another source of potential vulnerability that WordPress users may not be aware of: many themes include bundled plugins, and those plugins are not part of the WordPress update interface.

It was recently discovered that some versions of the Slider Revolution plugin contained a critical vulnerability. This vulnerability is a particular problem because Slider Revolution is included in hundreds of premium themes, which means WordPress users are reliant on theme developers to update the version included in their themes.

In fact, the vulnerability was fixed back in February, but it only became widely publicized in the last few days. The plugin’s developers quietly patched the plugin and mentioned the fix briefly in their release notes, but didn’t disclose any details. Unfortunately, the vulnerability was known to hackers, while its seriousness was not revealed to theme developers or WordPress users. The result is that many WordPress sites using themes that bundle the plugin are vulnerable. WordPress users should check their themes and ensure that bundled versions of the Slider Revolution plugin have been updated to 4.2 or later.

Posted in: Nexcess
Sep 3

  • Created: Sep 3, 2014 1:21 PM

The Pros And Cons Of Implementing SSL / HTTPS

Google has ignited a storm of interest in HTTPS, but what are the advantages and disadvantages of offering SSL-encrypted HTTPS connections to your users?

Since Google announced that serving sites over HTTPS would become a search engine ranking signal, the number of people interested in purchasing SSL certificates has skyrocketed. Many webmasters who would never have considered using HTTPS are worried that competitors will have an SEO advantage should they continue to serve their sites in the open.

Whatever you think about Google’s attempt to shape the web’s security policy using SERP position as a carrot (and stick), it’s worth thinking about the potential advantages and disadvantages of implementing HTTPS.

Posted in: Nexcess
Aug 21

  • Created: Aug 21, 2014 2:28 PM

What Can Big Data Do For eCommerce?

Big Data is something of a nebulous concept, and like many ideas without a clear definition, it’s been seized on by various writers and pundits as the next big thing. It’s easy to write endlessly about something when you aren’t forced to constrain yourself to practicalities.

The eCommerce industry is nothing if not pragmatic, ever eager to grasp new technology but only if it proves itself where it matters — on the bottom line. In spite of the hype, big data is having a significant impact on how eCommerce retailers are doing business.

Big data is exactly what it sounds like. Businesses have access to far more information than ever before. That data is drawn from numerous channels: social media, customer relationship management software, web analytics, tracking, logistics, and so on. But data itself is next to useless; it’s only of value if we can harness it in ways that increase sales, customer loyalty, and conversion rates.

Posted in: Nexcess
Aug 15

  • Created: Aug 15, 2014 3:01 PM

Don’t Fall For ICANN Domain Protection Certificate Scam

In a recent blog post, ICANN (Internet Corporation for Assigned Names and Numbers) revealed a scam in which registrants of top-level domains like .com and .net are approached by fraudsters and told that they need to buy a certificate to “protect their domain”. Although the certificates are well designed and incorporate official ICANN graphics, the scammers are not associated with ICANN, the certificates do nothing to protect domain ownership, and the offer is entirely spurious.

Web hosting clients and domain name registrants should not pay third parties for this purported service. Nor should they pay money to any organization claiming to be or to represent ICANN, which does not sell services to domain name registrants (the individuals and organizations that use domain names).

ICANN is a non-profit organization that was created to manage the databases that allow the Domain Name System to translate the domain names in the URLs we’re all familiar with into the IP addresses that machines use to route data around the Internet, as well as a number of other services connected with DNS and Internet namespace management.

Posted in: Nexcess, Security
Aug 12

  • Created: Aug 12, 2014 2:45 PM

WordPress 4.0 Beta Is Ready For Testing

Every few months the wizards who develop WordPress put out another release. It’s always an interesting time for WordPress users and watchers, who are eager to see what benefit the new features and enhancements will bring to their site (or, if you’re more pessimistic, what new annoyances they’ll have to deal with).

In this article I’d like to take a look at the highlights of the next major WordPress release, as well as how you can get it.

First, a word of warning: beta releases are, by definition, under active development — there will be bugs, and there may be security vulnerabilities. I’d strongly advise you not to upgrade your production sites to the beta version. There’s a possibility it’ll hose your site or break features.

Posted in: Nexcess, WordPress
Jul 25

  • Created: Jul 25, 2014 2:15 PM

Recent Exploit using Fake Magento Extensions

We are publishing this post in the hope that all Magento users can utilize this information to determine if their site has been compromised and take the steps required to correct the problem.

We were recently contacted by a client regarding a Common Point of Purchase Investigation that was initiated by a credit card issuer. These investigations are used to pinpoint the source of fraudulent activity reported by card holders. Our security team immediately began a comprehensive internal investigation to pinpoint the root cause of the fraudulent activity on the client’s account. Our security team found evidence of Magento core files having been modified to skim credit card data during the checkout process. The skimmed data would then be logged to a fake image file (actually a text file) located in the media folder; the attacker would then download these text files from a remote server.

Next, our security team began a scan of our entire infrastructure to determine if any other client sites were affected by the same exploit. We found that a total of 39 sites (out of 15,000 Community and 1,500 Enterprise Magento stores) hosted with us were affected by the same exploit. We immediately contacted all of the affected clients before their credit card processing companies had even detected a problem.

We have since cleaned all of the sites that were exploited and contacted all of the affected clients about the exploit.

PLEASE NOTE: If you are hosted with us and have not been contacted by our security team regarding this issue, then we believe your site has not been affected by this exploit. We are committed to the safety and security of your data and we take these issues very seriously. As a precaution, we are running hourly scans of our infrastructure to detect any further compromises.

Posted in: Magento, Nexcess, Security
Jul 15

  • Created: Jul 15, 2014 4:43 PM

Creating Multilingual WordPress Sites

Even though the web is a global network, many businesses are happy to create an English-language site and leave it at that. In some cases, that’s fine. The burden of translation can be quite high, and if the market a site is addressing is fairly localized, then the ROI of internationalizing isn’t worth the effort. The US and Europe, most of the populations of which have at least a passing familiarity with English, have long dominated the online economy, but that’s rapidly changing.

South America, India, and China are quickly growing in online spending power, and companies that fail to address expanding markets are missing a trick. Sites that are targeted at the European market will generally find that their audiences speak English, but if they can find what they need on sites in their native languages, they’ll preferentially do business there, so the international nature of English shouldn’t be relied on.

Even within the US, providing multilingual sites is a good idea. The Spanish-speaking population is large, and with Mexico, Central America, and South America close by, there’s much to be gained from providing at least bilingual content.

Posted in: Nexcess