Page 52 of 62

Benefits of a Website Malware Scanner

website malwareConsider this scenario: You’re the VP of IT for an insurance company. It’s 4 a.m. and you receive a frantic phone call from your CEO who informs you that sensitive client information (credit card numbers, SSN’s) has been leaked. Completely stunned, you look for answers. Turns out someone injected a Paline of malicious script into your website source code… nearly two months ago.

A recent report from PandaLabs suggests that “there were twice as many malware infections in 2014 compared to 2013” and that 2015 could be even worse. Today’s attacks are becoming increasingly sophisticated, and a simple malware injection can compromise your entire database.

One of the most effective and efficient ways to prevent attacks is by employing a type of website scanner. Website scan tools run in the background and can immediately identify malware and vulnerabilities but not all scanners are made equally. External malware scanners crawl each page of a site, much like a search engine, and look for malicious links or script, while internal malware scanners download a site’s source code and analyze each line looking for the signatures of malicious code. Finally, penetration testing scanners manipulate URLs and forms to attempt to exploit weaknesses in code.

Benefits:

  • Identify malware and receive notifications  if issues are found, helping keep your information secured and your website from being blacklisted
  • Automatic remediation of known threats
  • Ensure network security by checking ports on your server to make sure only appropriate visitors gain access to your website
  • Monitor FTP and file change to provide you with full visibility of website changes
  • Protect your database from SQL injections by probing your website for weaknesses

Companies should be cautious when making purchase decisions for a scanning product as poorly performed scans can negatively impact your site’s ability to conduct business.  For instance, some scanners submit thousands of requests to web forms – such as contact forms –  to probe for weaknesses. Similarly, poorly designed vulnerability tests can spam your inbox with testing emails and impact the performance of your website due to unnecessary load (similar to DDoS).

SiteLock INFINITY is a safe and efficient solution that provides well-designed and continuous scanning, including the only automatic detection and removal in the industry. For an added layer of security, the SiteLock TrueShield Web Application Firewall (WAF) prevents malicious traffic from even getting in. Active website scanning tools and a WAF will help mitigate cyber attacks, and more importantly, protect your customer’s valuable data. For more information on integrating these solutions into your existing website call 855.378.6200.

 

PCI compliance

PCI Compliance: The Dangers of Noncompliance

If you accept credit card payments, you’re likely familiar with PCI compliance and what it entails. If you accept credit card payments, or are considering it, and are NOT familiar with PCI compliance, be sure to take accurate notes on the information that follows.

PCI DSS Overview

Created in 2004 by the five global payment brands — Visa, Mastercard, American Express, Discover and JCB — the Payment Card Industry Data Security Standard (PCI DSS) is a security compliance requirement for businesses that handle credit cards. It was created to protect customer and cardholder data from cyber attacks and fraud.

Read More

What You Need to Know About the FancyBox for WordPress Vulnerability

wordpress fancybox vulnerabilityFancyBox for WordPress is a plugin which provides stylized, Lightbox-like decoration for blog images. It’s a popular plugin with around half a million downloads, even though it hadn’t been updated in years. Posts emerged on the WordPress community support forum about malware injections and a vulnerability was discovered in the FancyBox plugin.

SiteLock scanners detected the malware — a Javascript payload with an iframe pointing to 203koko[dot]eu — before the vulnerability was known.

Here are three things to consider before moving forward with FancyBox:

Update FancyBox as soon as possible

The initial response to the FancyBox hack was to remove it immediately. Since the vulnerability released, the FancyBox developer released an update which corrects the issue and provides support for WordPress 4.1. If you’re uneasy about using FancyBox, Easy FancyBox is an actively developed alternative, though official Easy FancyBox support caps at WordPress 4.0.1.

Scan for Malware and use a WAF

One of the best ways to secure your website is to scan for malware and vulnerabilities on a daily basis and use a Web Application Firewall (WAF). The WAF will block potential threats from entering your website (e.g. DDoS attacks) while the daily scans will identify malware and vulnerabilities that have been placed on your site.

Update your WordPress plugins and themes

WordPress has done a wonderful job facilitating near-painless backups for its users. Once you get to the late 3.x releases, upgrades are essentially automatic. But what about plugins? More plugins, more problems, as the saying goes. Sometimes it’s not easy to wrangle the compatibility issues which come with the amazing and broad capabilities plugins add to a WordPress site.

Take it one plugin at a time. Research the plugin’s compatibility with the WordPress version you have, and then test it (with the previously mentioned backup at the ready).

SiteLock’s team of experts, expert services and products constantly monitor site files and traffic for malicious indicators. As with FancyBox, we’ll continue to find and mitigate malware even before before a vulnerability becomes known.

Contact SiteLock today to learn how website security software can help protect your website.

 

content delivery network

Three Ways to Boost Website Security and SEO at the Same Time

Seo Key On Computer KeyboardSEO (Search Engine Optimization) is the process of improving your website’s ranking among search engines like Google and Bing. Over the past few years, SEO has greatly evolved. Keywords and backlinks (other websites linking back to yours) used to have a huge impact on SEO rankings, but have since been taken over by new and improved algorithms such as Google’s Penguin and Hummingbird, which aim to decrease black-hat (negative) SEO techniques such as link spam.

With cyber attacks on the rise, search engines have been increasingly factoring spam injections, malware infections, and website speed into their SEO algorithms. Properly securing your website can provide a large boost to your SEO rankings. Below are 3 ways you can improve the SEO ranking of your website by securing your website.

1. Moderate comment spam

Malicious links hosted on your website can negatively impact your SEO and, worst case, can flag your website as malware or spam, preventing users access to it.

One of the easiest ways for hackers to place malicious or irrelevant links on your site is through comments on your blog. These links damage your site’s authority and credibility so managing them is critical. Fortunately, there are several things you can do to automate the moderation process of comments:

  • If you’re using a Content Management System (CMS) like WordPress, look into one of their comment system plugins
  • Enable CAPTCHAs when possible, as an extra layer of security
  • Disable anonymous posting, and only allow registered users to post comments
  • If you have an active moderator, require that comments be approved before they are posted on your website
  • Enable a web application firewall (similar to our TrueShield WAF) which will block malicious bots from accessing your site to begin with
  • If you’re still having trouble with comment spam, you should disallow hyperlinks in comments altogether

2. Regularly scan your website for malware

Often times, malware and malicious links can be injected into the code of your website without notice, negatively affecting your SEO, and potentially harming your visitors. Reversing the whole process is both difficult and time consuming, since injected malware is usually hidden and made to look like regular code, and your hard-won SEO rankings may be lost in the meantime.

A website malware scanning tool can scan your code each day for malware (and suspected malware) and in some cases automatically remove the threats or point you directly to the suspected malware. This means  you don’t have to search line-by-line  through code in the event that your website is compromised. The SiteLock Website Scanning and Malware Removal product provides automated alerts to help you avoid search engine blacklisting, saving your business’s reputation and SEO positions.

3. Cache website data with a CDN

Malware can dramatically increase the time it takes a website to load, if it allows it to load at all. But even a  malware-free website can improve its SEO, performance, and security at the same time. A CDN (Content Delivery Network) is a website optimization infrastructure that works by caching website’s content across data centers around the globe. This results in quicker  website load times since content is served locally to visitors. It also improves website security since, as is the case of the SiteLock CDN, data is fully encrypted both in transit, and at rest.

Major search engines like Google factor load times into their SEO algorithms (time to first byte – TTFB), so by using a CDN, your website can experience a boost in SEO while improving security at the same time.

Want to see how your SEO stacks up? Many online tools can scan your website and provide suggestions to improve your SEO. Contact a SiteLock Security Consultant today to learn what solutions are the right fit for your site.

 

Website protection

The 7 Biggest Cybersecurity Scoops from February 2015

Cyber security February 2015

One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.

Read More

UpdraftPlus Presents Website Security Concerns

UpdraftPlus is a premium WordPress plugin that automates WordPress file and database backup as well as restoration to the cloud. The free version prior to 1.9.51, and versions without the “automatic backups” or “no adverts” add-ons, are vulnerable to security token, or nonce, disclosure which allows malicious actors outside your company to perform administrative-level actions like downloading sensitive configuration files and uploading remote control shells.

What should you do as a WordPress and UpdraftPlus user?

If you’re a SiteLock customer with TrueShield, breathe easy. Thanks to the TrueShield Virtual Patching, patching UpdraftPlus is automatic.

SiteLock protects WordPress site owners from the UpdraftPlus vulnerability with the SiteLock TrueShield web application firewall with Virtual Patching, regardless of UpdraftPlus version. TrueShield analyzes site traffic and stops attempted unauthorized security token use, again, even before the patch is applied.

If you don’t have SiteLock, you’ll need to update UpdraftPlus to version 1.9.51 as soon as possible. With disclosure, automated attacks follow, and without a firewall like TrueShield, or SiteLock’s SMART scanner which finds malicious code as soon as it hits your site, updates are your best defense.

For more information on SiteLock security solutions call 877.563.2791.

Infographic: How to Beat a Web Hacker

Did you know that hacking was the number one crime Americans feared in 2014, above car theft, burglary and terrorism? Take a look at SiteLock’s new infographic below, for more web security statistics and five things you can do to mitigate cyber attacks.

SiteLock-HowToBeatAWebHacker-Infographic-v6_s

Ready to protect your website from hackers? Call SiteLock at 877.563.2791.

ghost vulnerability

The GHOST Vulnerability: What You Need to Know

GHOST vulnerabilityGHOST is now a household name to those even peripherally involved in information security. GHOST is the buffer overflow vulnerability found in certain versions of glibc, the GNU C library, and it’s named after the functions used to reach the exploitable code in the library, gethostbyname() and gethostbyname2().

What has SiteLock done to address the GHOST scourge, and what do SiteLock customers need to know moving forward?

SiteLock patched all TrueShield and TrueSpeed servers against the GHOST vulnerability on September 28, the day after disclosure. Signatures mitigating XML-RPC exploits, which could be used against WordPress installs for example, were implemented beginning the week of February 2nd. And as always, our security team is constantly on the lookout for signs of new GHOST exploitation use.

As a SiteLock customer, we recommend patching all servers using vulnerable versions of glibc, glibc-2.2 to glibc-2.17, to glibc-2.18 or higher.  All major Linux vendors released patches for glibc and they should be applied and servers rebooted as soon as possible.  Also be aware of SUID-root programs on servers which use gethostbyname*().  To find SUID binaries on a system — a sound security practice regardless of GHOST — open a root shell and run the following command.

# find / -user root -perm -4000 -exec ls -ldb {} ; | tee suid.list

For assistance with the GHOST vulnerability call the SiteLock team at 877.563.2791.

 

DDoS: How to Prevent Hackers from Overloading Your Web Server

DDoS AttackWeb security has become one of the hottest topics of the past few years, with cyber attacks originating in many forms. In 2014 alone, we had the Snapchat hack, Heartbleed, Shellshock, SoakSoak and many other attacks (you can learn more about each of them here).

Read More

Why Data Privacy Day is Important for the State of Web Security

Data privacy dayAs technology continues to evolve, web security threats are on the rise with an estimated 160,000 samples of malware  detected around the world each day. Unfortunately, 70% of these attacks are targeted at small businesses and other particular industries (e.g. retail, healthcare and hospitality).

Fortunately, web security has come a long way in just a few years. Thanks to national events like Data Privacy Day (DpD) which bring together privacy professionals, law enforcement and industry leaders alike, fostered communication helps to ensure the long-term viability of our digital ecosystem.

Read More

Page 52 of 62

Powered by WordPress & Theme by Anders Norén