Archive for security

Free WordPress Ecommerce Ebooks


Whether you’re totally new to using WordPress for ecommerce or a freelancer developing WordPress ecommerce websites for clients, we have a library of free ebooks to help. These ebooks cover everything from digital product ideas to how to scope and price ecommerce projects.

Download all 5 WordPress Ecommerce Ebooks:

The WordPress Ecommerce Opportunity

Ecommerce for Everybody

How to Create Your First Ebook

WordPress & Ecommerce: A Simple Guide for Selling Products Online

Join the Club: How to Create a Membership Site

“Heartbleed Bug” OpenSSL Vulnerability Affecting Internet Community


Summary

The Heartbleed bug (http://en.wikipedia.org/wiki/Heartbleed_bug) is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f.

Through a flaw in OpenSSL’s implementation of the TLS heartbeat extension, this vulnerability allows an attacker to read chunks of memory from servers and clients that connect using SSL.

OpenSSL provides critical functionality in the internet ecosystem, and therefore vulnerabilities, such as Heartbleed, have a significant impact on digital communications and their integrity.

What does this mean for WHMCS installations?

SSL is an important protocol for securing web traffic, and thus for securing web requests for logins, order transactions, etc. WHMCS, like all web applications, must rely on web servers to correctly implement the SSL protocol. WHMCS as a web application cannot patch the Heartbleed vulnerability, nor can we mitigate its effects. However, as a member of the internet community, we feel it’s important to raise awareness of the risk and ensure that our users check that their server is protected.

How do I check if my server is protected?

Essentially, there are three ways you can verify if your server is protected:

1) You can open a support ticket with your hosting provider.

2) You can leverage a third party scanning tool via the web.

Below are three such sites that the community deems reputable and trustworthy. You simply enter your website and it will let you know:

3) You can run a scanning tool locally on your server. One such tool is:

https://github.com/n8whnp/ssltest-stls/blob/master/ssltest-stls.py
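As an added example (not part of the WHMCS post and unrelated to the tool linked above), the following POSIX shell check classifies the output of `openssl version` against the affected range stated in the summary, OpenSSL 1.0.1 through 1.0.1f. The function names and the sample version lines are constructed for this example; distributions backport fixes without changing the upstream version number, so a hit means "consult the package changelog or build date", not proof of exposure.

```shell
#!/bin/sh
# Added example, not WHMCS code: classify an OpenSSL version string against
# the affected range named in the post (1.0.1 through 1.0.1f).
# Returns 0 (shell "true") when the version falls inside that range.
# Caveat: distro packages often keep the upstream version string (e.g. 1.0.1e)
# after backporting the fix, so treat a hit as "verify further", not "vulnerable".
heartbleed_affected_version() {
    v="$1"
    case "$v" in
        1.0.1)          return 0 ;;   # 1.0.1 with no letter suffix
        1.0.1[a-f])     return 0 ;;   # 1.0.1a .. 1.0.1f
        1.0.1[a-f]-*)   return 0 ;;   # vendor-tagged builds, e.g. 1.0.1e-fips
        *)              return 1 ;;   # 1.0.1g and later, 1.0.0x, 0.9.8x, others
    esac
}

# Pull the version token out of an `openssl version` line, e.g.
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e". Non-OpenSSL lines yield "".
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# Classify one full `openssl version` line.
# Echoes AFFECTED-RANGE or NOT-IN-RANGE so it can be used from scripts.
classify_openssl_line() {
    tok=$(openssl_version_token "$1")
    if heartbleed_affected_version "$tok"; then
        echo "AFFECTED-RANGE"
    else
        echo "NOT-IN-RANGE"
    fi
}

# Optional local run (constructed usage): RUN_LOCAL_CHECK=1 sh thisfile.sh
if [ -n "$RUN_LOCAL_CHECK" ]; then
    line=$(openssl version 2>/dev/null) && classify_openssl_line "$line"
fi
```

A server whose library reports 1.0.1e may still be patched; compare the build date from `openssl version -b` with the disclosure date and confirm with your hosting provider.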

What do I do if my server is not protected?

Contact your local system administrator or hosting provider immediately! They will have the technical expertise to update the OpenSSL libraries on your server to protect your SSL communications going forward.

Once I have patched my server, is there anything else I need to do?

Due to the nature of the vulnerability it is not possible to immediately know what information, including private keys, passwords, or session IDs, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in an information exchange, before a full connection has been made, and thus leave no log history that an attack has occurred.

We recommend that you take precautionary action and regenerate all SSH keys as well as reissue all SSL certificates in use.

If you have purchased SSL certificates directly from WHMCS or resell SSL certificates through Enom, you can find more information on how you and the SSL provider can reissue your certificates here: http://docs.whmcs.com/Reissueing_Enom_SSL_Certificates

We also recommend that you take precautionary action concerning passwords used to authenticate against your WHMCS installation. This would include resetting administrative passwords as well as contacting your customers and asking them to reset their passwords. A step by step guide and sample email template are provided here: http://go.whmcs.com/386/heartbleed-pw-reset-email-tutorial

How have WHMCS servers and my account been affected by Heartbleed?

The WHMCS website, our public servers, and the whmcs.com SSL certificate end point were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.

Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.

The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their member area passwords at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique and random, and to rotate them periodically.

WHMCS is in the process of emailing all active clients to inform them of this blog post. That email also contains a direct link to the whmcs.com password reset function as a precautionary measure.

Posted by Matt on Friday, April 11th, 2014 at http://blog.whmcs.com/?t=88022


Good reminder to Change Your Passwords “LinkedIn”

While regularly changing your online passwords is always a good thing to do, the recent news of leaked LinkedIn passwords is a great reminder why:

http://mashable.com/2012/06/06/6-5-million-linkedin-passwords/

WordPress Addresses Vulnerabilities

A new version of WordPress, a popular open-source blog and content management system, was released which addresses three security issues. Few details have been provided; however, the issues addressed are a cross-site request forgery (CSRF) vulnerability, a denial of service (DoS) issue and a cross-site scripting (XSS) vulnerability. It is not clear which prior versions of WordPress are vulnerable, so we urge all WordPress administrators, particularly those whose WordPress installations are public facing, to update to the latest fixed version, 3.1.1.

As WordPress is a Web application, it seems timely to note that the IBM X-Force 2010 Trend and Risk Report contains insightful information on web application vulnerabilities and, of particular relevance, the likelihood of the occurrence of CSRF and XSS vulnerabilities listed by application technology and business sector in Section III, Developing Secure Software. Additionally, Section I contains information on XSS trends observed through 2010.
http://wordpress.org/news/2011/04/wordpress-3-1-1/
http://blogs.iss.net/archive/2010trendrep.html

What member info to post on the site?

See Heal Your Church Web Site: HIPAA (HIPPA), Disclosures and your Church Website for some thoughts and warnings about both website information privacy and prayer chain privacy.

Some basic guidelines are:

  • Photos on our site are considered a privilege, and we respect and honor that privilege.
  • Photos are almost always of people at public events.
  • Embarrassing, objectionable or hurtful photos will not be used. If someone is shy, we ask them before posting the photo.
  • We don’t put full names of children or youth with photos, and we minimize the use of full names of adults.
  • Credit is given to those who took a particular photo if desired by the photographer, and we would certainly honor any copyright wishes or restrictions.
  • We will gladly remove any photo immediately upon request.

INFORMATION PROTECTION WEEK? ASK GOOGLE!

Since Google disclosed in January that Internet hackers stole information from its computer systems, the details of the theft have been closely guarded. This week, nearly four months after the high profile breach, someone with a direct connection to the investigation revealed that the cyber theft made off with one of Google’s crown jewels – a password system that controls access for millions of users worldwide and to almost all of the company’s Web services, including e-mail and business applications. If this Internet giant is vulnerable to hackers and cyber criminals, how about you?

Malicious cyber attacks around the world more than doubled last year and accounted for more reported data security breaches than human error, a disturbing new trend. Attacks on websites can come from viruses and malware, and through the Internet and social media.

That’s why highlighting the importance of using strong passwords, using anti-virus software while keeping it and patches up to date, being careful when sharing personal information, and making sure sites are secure and legitimate are key everyday business practices to follow and share with others.

A website that focuses on WordPress plugins is available so you can research the best security measures for your website. There are many plugins that are designed to protect your website. Check them out at WordPress Plugins.