Charles Tips – Best practices for mitigating website hacks

We at CharlesWorks are often asked by our web clients if their site is protected from malware and getting hacked. They also want to know if there site IS hacked, whether there be a charge to fix it.

The totally hack-proof website

The totally hack proof website has no access to it. So it’s not connected to the Internet. No one can view it. Such a website doesn’t sound like its of much use if no one can see it.

So, let’s agree that it is unrealistic to believe that a publicly accessible website can be totally hack-proof. Any website that is accessible via the public Internet is consistently subjected to attempts to break into it. Believe it or not, that’s the norm as opposed to the anomaly.

That being said, however, there ARE things you can do to mitigate website hacks. I have to stress the word mitigate here. Mitigation is defined as the action of reducing the severity, seriousness, or painfulness of something.

Site hacks are based on odds

My goal here is to simply remind you of what you most likely already know: that we can reduce the probability – the odds – of your site being hacked. We at CharlesWorks want that probability to be so low that it hopefully it doesn’t ever happen to you.

The major hacking causes

I have been operating CharlesWorks since 1998. In my experience, there appear to be two major reasons why sites get hacked:

      • The access credentials/passwords have been compromised.
      • The software that operates them wasn’t kept up to date.

Lets take a look at each of these below.

Compromised Access Credentials

Compromised passwords and bad actors gaining access to website login credentials is the major reason we see sites hacked. Think about this in terms of your car. You could have alarms on it. But if you make a copy of your car key and give it to someone, they can do whatever they like with the car. Whether its a drive along the beach or to rob a bank, your car is theirs to use with the key you gave them. Credentials – log in and passwords – work pretty much the same way.

CharlesWorks has many clients who want to be able to do things themselves. We are strong proponents of doing it yourself when it’s feasible and convenient. This is especially true for adding posts or page materials. It also makes sense when making other changes or modifications to your site. It is, after all, YOUR website.

However, many people fall prey to phishing schemes. Directly or indirectly, they usually end up tricked into giving out their website access credentials (as well as credentials to everything else they own). This is especially true if your email account is hacked and the hackers are able to access emails containing your website’s (and other) login credentials.

This problem is exacerbated if you have shared your website’s administrative or other access with others. Think of your emails containing various authorizations or login information as a potential weak link in a chain. If you have shared that information with others you have now created more weak links. This increases the odds of a potential compromise.

One of the best ways to mitigate these situations is to change your site’s access passwords so they are different than those possibly stored in your emails. And, to hope that anyone you may have shared your website access with has done the same.

Obviously, should site access be gained in such a manner, it would be your burden to have the site restored. I’ll expound upon this a little more at the end of this article.

Out of Date Security/Software Updates

Malware and virus protection on home computers operates a little differently than the same types of protection on servers. Website servers operate in the publicly accessible Internet. This results in many more entry points for potential issues. There are a number of very standard server protections available (which we utilize here at CharlesWorks).

After bad actors getting (or guessing) your passwords, the next major reason sites get hacked surrounds unapplied security updates and other software update issues. At CharlesWorks we mitigate such issues by running anti-malware software on our servers. Also, WordPress sites hosted on our servers are kept up to date automatically via automatic updating of the WordPress core as well as automatic updating of the the website’s plugins and themes.

There are literally thousands of individual pieces of software that must work in unison to operate most websites. These are developed by many more thousands of developers around the world. Unfortunately, no company can guarantee that a website will never get hacked. They can only mitigate security compromises and hope against the worst.

Restoring your Website

Regardless of which of the two situations above may have led to your website’s issues, your website will most likely need to be restored. That’s because after a bad actor or a hack back doors into the site will most likely have been installed for the bad actors to gain access again.

Many Internet companies claim to have automatic backups. In most of those, those backups are accessible to the user in their account. If the account is hacked, how safe do you suppose that is?

Some Internet companies delete and account upon a website being hacked. In those cases I have seen many left with no website or backup as a result.

What I believe is most important regarding this topic is the manner in which our WordPress sites are backed up every day for 30 days. Our backups are made to separate servers – external to those your the site operates on. For security reasons, the site administrators do not have access to these backups. So even with a site administrator’s compromised passwords there is no access to the backups. With these backups we can usually restore an average site in about 10-30 minutes if it needs restoring. And we can go back as far back as 30 days. We would only bill our web client for the 10-30 minutes (again – for an average website) which results in only a minor charge to restore it. Note that some websites are extremely large and require much more time to restore but these are very rare).

In my experience running CharlesWorks since 1998, we’ve built and handled more than 5,000 websites. At this point in time, I do not recall the last time a website we built and totally maintained was hacked (unfortunately I recall several instances of sites maintained by others that failed to ensure the site was updated and/or had their passwords compromised).

Sites getting hacked for out of date software happens far less frequently (if at all) when security updates are kept up to date and bad actors are kept out.

I hope this helps you understand a little more about this topic.

Charles Tips – Importance of Shredding for Security

How we handle security for our sensitive items at home is important. With all of our concern these days about our online security, secure disposal is often overlooked when it comes to home or office security.

Aurora AS1000X shredderI have been using an Aurora AS1000X that I purchased from Staples for many years now. I like to think of it as my “big boy” shredder. It is rated to do 10 sheets of paper at a time. It can be set to work automatically when paper (or a credit card) is inserted into the middle of the feed slot. It also has a “reverse” setting so it can be unjammed if it gets stuck. For safety, the slot is small enough to prevent nearly anyone’s fingers from entering it.

Paper credit card and bank statements and invoices received via mail that are simply thrown away can be a huge security risk. Anything that contains sufficient parts of your credit card or bank account numbers should be shredded or burnt (or both). Also, credit card companies often send those low interest offers in the form of checks that can be used against your credit card accounts. If these checks end up in the hands of the wrong person, you could be in for many headaches. All this can be easily avoided by shredding such items you do not intend to use.

In addition to paper items, most of us have credit cards we need to dispose of on occasion. When credit cards become expired, compromised or simply worn out and needing replacement, they need to be disposed of in a secure manner to avoid giving out the information on them. Just like with paper, shredding is my preferred way of disposing of old credit cards.

Made it through the shredder

That being said, I recently ran into an issue trying to shred an outdated shopping card issued by one of the large banks. Much to my dismay the card had passed through the shredder with the account number still readable. The card appears to be made of metal covered in plastic. In such a case, I had to use a metal shear to manually cut the card into pieces small enough to prevent the information from being ascertained from the card!

Bottom line is that your home office is incomplete if you are without a shredder. A good shredder can save you many headaches in the long run. Also, the output from your shredder makes excellent kindling for getting a fire going in your fireplace, wood stove or firepit! And as an added benefit, you can rest assured that the shredder output is absolutely unable to be reconstructed after burning.

Charles Tips – Adding Akismet comment spam protection

Akismet provides a convenient and free way to protect your personal WordPress site or blog from spam.

Many times we’d like to allow comments to be left on our WordPress site. The hassle with this can be the tremendous amounts of spam that come through the forms on websites.

Akismet is a compact WordPress plugin that filters the incoming comments. It is pretty straightforward to use and pretty easy to set up as well.

Install the Akismet plugin

The first step in this process is to ensure that the Akismet plugin is installed in your WordPress website:

      • Log into your WordPress website’s dashboard as an administrator
      • Click on Plugins in the left dashboard navigation column
      • Look and see if Akismet is listed – if it is – and it is not activated you can proceed to the Akismet Setup step below – otherwise
      • Click on Add New under Plugins in the dashboard navigation column
      • If you don’t see Akismet in the plugins, then in the text box to the right of the work Keyword in the row starting with Featured type in Akismet – then click on its Install Now button. Do not activate it yet.

Akismet Setup

To set up Akismet you will need an API code from the Akismet site. The first step in that process is to navigate to:
https://akismet.com/plans

This (as of the time of this writing) brings you to a page that should look similar to the screenshot below.

Akismet offering pricing page
Akismet offering pricing page

To get the free version of Akismet comment spam protection, you will need to click on the Get Personal button on the above page.

Once you’ve done that, you should see a page similar to the one below. Before attempting to fill out anything on this page, we need to set that $36 / YEAR to $0 / YEAR. Click on the $36 / YEAR box and drag it to the left.

Akismet Default $36 per year page
Akismet Default $36 per year page

Dragging that $36 / YEAR box to the left should change the page to display something like the one below showing 0$ / YEAR. You can also see that the information to fill in has changed.

Akismet $0 per year page
Akismet $0 per year page

Now fill in the information completely. Note that you need to be able to check all three checkboxes indicating the following:

      • you don’t have ads on your site
      • you don’t sell products/services on your site
      • you don’t promote a business on your site

If these are the case, then you will qualify for a free, personal plan.

All you have to do once you have gotten this far is follow the directions on the page below.

Akismet signup complete page
Akismet signup complete page

Finally, it is suggested that while on that settings page in Akismet, you can choose to show the number of approved comments beside each comment author and choose whether to show a privacy notice or not. Then just click the Save Changes button and you are on your way!

Charles Tips – Checking Your Site

Something many folks overlook is occasionally checking their website’s functionality. I recommend doing this every couple weeks, but at minimum once a month.

Most websites and the servers they are on are subjected to ongoing software updates. Unless you are paying an additional fee for maintenance checks, it’s normal for things to occasionally break due to updates.

Most website owners are not paying additional fees for such maintenance. This means you really need to take the time to check:

– that the site appears to work properly
– that your hours of operation are correct
– that any website forms are working
– that email addresses are correct

The site operation and forms are most susceptible to software updates. If you have a good web developer, the fixes will happen quickly and it will not cost you too much.

Website maintenance should be thought of like automotive maintenance. We get oil changes. We get inspections. We even make modifications and do repairs to keep our vehicle operating the way we want. And our older vehicles can cost more to upkeep – just like older websites. As websites age, more work needs to be done to keep them secure and working as originally intended.

So check your site every now and then to keep things working and have the correct information out there!

Charles Tips – PPP Pandemic Scams

The pandemic we are dealing with doesn’t always bring out the best in human nature. Such times are when scammers are more apt to take advantage of people. Many people are feeling anxious and helpless. Add economic issues and it’s clearly a recipe for depression and uncertainty.

Phishing
The bad guys are everywhere just waiting for you to click on their phishing traps!

Most small business owners have heard of PPP (Payroll Protection Program) loans. These are to help businesses stay alive and keep people employed during this pandemic. There are incredible numbers of scams involving PPP loans.

Most scams come through email. They also happen over the phone. Unbelievably, calls and email are great mediums for scammers. Emails trick people into loading viruses onto their computers. Both manipulate people into volunteering personal information! The result is identity fraud and/or account thefts.

Internet and telephone scams have one important factor in common: instill a sense of urgency in the mark. If the scammer can make you think you need to act on this right away, you probably will.

I suggest you:

1) Deal with bankers/lenders at respected institutions you actually know. Use the drive-through window if you must to set up an appointment.

2) Call your banker/lender if you get an email or phone call offering their help with the PPP loan – even if the email or phone call appears to be from a legitimate source.

3) Understand that emails and phone numbers can be spoofed – made to look like they’re from a legitimate source.

Be cautious and you won’t have to regret the unimaginable headaches that those who have suffered identity theft and other losses have experienced.

Charles Tips – Scamming Web Developers

Most of the articles I submit are to help the average web user or website owner learn a few web related tidbits. This one is geared toward web developers.

The scam asks about doing web development and whether it can be paid via credit card. It lets you know right away that they have a good budget to make the site. They also tell you they want it to be like a particular other site that you can check out to see what the project will entail.

Then the scam is presented – the scammer needs a favor. When you write back and ask what that favor is, here is a verbatim response I received:

“The favor i need from you is. i would give you my card info’s to charge for $7,700 plus credit card company charges, so $2,000 would be a down payment for my website design and the remaining $5,500 you would help me send it to the project consultant that has the text content and the logo for my website so once he has the $5,500 he would send the text content and logo needed for my website to you also the funds would be sent to him via Instant Transfer or Cashier Check into his account, sending of funds would be after funds clears into your account And also $200tip for your stress So i will be looking forward to read back from you. Thanks”

Then I indicate my credit card company doesn’t allow such transactions. I never hear from them again…

Most scams are built upon the greediness of the mark – purposely using poor grammar and presenting what looks like it’ll be a easy way to make some quick cash. That’s how they trick you out of your money. We all know the old saying: If it sounds too good to be true, it probably is.

Charles Tips – Another Domain Scam

Explained really simply, domain names are just pointers that convert recognizable words or characters to Internet addresses so we can view a website. Whenever a domain name is created, its creation date and expiration date are publicly available.

There are many domain scams out there. A rather common one I often see is where an unscrupulous company tries to overcharge you for your domain name and get control of it.

The main way they do this is by first scaring you into thinking you might lose your domain name because it is expiring. They do this by sending a carefully crafted letter to you through the postal service. The message appears at first glance to resemble an invoice convincing you to renew your domain name with them. These messages are very convincing.

Reading the “invoice” carefully actually reveals it states it is not an invoice – but in fact it is an “offer”. That statement is what keeps it “legal”. Amazingly, some of the companies that trick domain owners like this have been prohibited from operating in Canada after being legally challenged by the Canadian government.

My advice is to always check with your domain provider when presented with anything appearing to be a bill that appears suspicious. It will save you a lot of headaches going forward.

Charles Tips – Persistent Scammers

I’ve written several articles about specific scams that are occurring on a regular basis on the Internet. They seem to subside for a short time – a very short time – and then a wave of them happens again.

One of the worst – as far as I am concerned – are the ones where the email recipient is being told they must verify their email. These have some common traits with most Internet scams:

1) A sense of urgency – they want you to take care of this immediately

2) A time limit – they give you within 24 hours to act

3) A threat – they tell you your email will be locked.

The first thing you have to understand is that nearly everyone gets these on occasion. I have received them myself in which they are made to look like they are from CharlesWorks. So when our clients get these they tend to become very worried very quickly.

I can’t stress enough that most legitimate companies will not send out messages like these. To fall prey to these can be a real nightmare. With access to one’s email these days the bad guys can wreak havoc in one’s life. The worst cases are called identity theft!

Don’t be the unfortunate one who falls prey to these scammers. If you have been “notified” of something serious – call your provider up and speak with a representative. Just like at my company – it’s a lot easier for us to allay your fears than to have to try to clean up the mess that can happen with compromised accounts.

Charles Tips – Halloween Spoofs

It’s Halloween time again so I thought I’d mention Halloween Spoofs! Well, actually email spoofing happens year round.

Halloween Spoof Ghost - Okay - Spoofing has nothing to do with Ghosts!!An example of spoofing is when emails are sent that are addressed from you (and maybe to you) but you didn’t send them. In that case your address has been “spoofed”.

Spammers and scammers alike do this. There are a couple reasons it’s done.

Sometimes it is malicious. Let’s say someone goes onto numerous websites to sign up for information as XYZ Company. So a ton of spam is sent to XYZ. XYZ finds itself barraged with email and phone spam – wasting lots of their time.

More often XYZ is spoofed to appear to be the sender of spam. Folks local to XYZ are more likely to open the spoofed emails. The spam really isn’t from XYZ – just made to look like it is. So recipients think XYZ is spamming them. They’re annoyed with XYZ and report them as spammers and complain and so on.

Fortunately, spoofing doesn’t account for most Internet issues. It just makes life miserable for XYZ – the target – for a while.

The good news is that usually spoofing usually only lasts a few days. The actual sending server is identified and blocked or shut down.

Always report these issues to your email administrator. Early intervention saves lots of headaches in the long term.

Charles Tips – Hosting Includes Encryption

Website visitor safety is extremely important. I’ve mentioned terms here before like SSL, encryption, security and so on. A padlock that shows with an encrypted site using https in some browsers.These involve that little green or grey lock in front of the web address in your browser. Clicking on that tells you whether the encryption is valid and what site it’s issued to.

Providing encryption was traditionally expensive for website operators. However, it can be had for free these days. There’s no reason not to have it.

Encryption refers to a method on website servers that helps ensure you are actually on the website you think you are on. This greatly reduces the risks of fraud.

Ripping you off is a top priority for many nefarious individuals and organizations on the web. One method is tricking you into giving your credit card or other personal information on a “fake” site or web page. These pages often look exactly like those of your bank’s or credit card company’s or even your email’s login pages.

There’s usually a small one-time charge for initial setup. Website owners should check with their hosting company or web developer to ensure website encryption (SSL) is included in their monthly hosting at no extra charge. If need be, it’s worthwhile to move to a company whose hosting provides this.

Charles Tips – Rampant Phishing

When working in the web world as I do, Internet scams appear to be everywhere.

Phishing is defined as the act of attempting to trick the recipient of a malicious email into opening and engaging with it.

It’s amazing how people fall for phishing scams. They fall for them mostly because the emails are designed to appear like the writer isn’t too bright. So immediately the recipient thinks they have the upper hand. Many count on the recipient’s greed – believing they’ll get something for nothing.

The bad guys that develop these schemes are experts. All they do is work scams – day and night. They wouldn’t continue if it didn’t pay off in the long run.

Phishing
Phishing – Will you bite?

I read someplace that billions of dollars annually are conned out of people through the various scams out there on the Internet. For the most part – I hate to say – they can’t be stopped. They are sent from all types of email addresses, all types of servers, from all over the world.

Bottom line is that you should keep deleting them. The best course of action is to stop responding to them and opening them. Report them as spam or report them as phishing attempts. Your email provider may provide insight with how to do this. They will ultimately stop coming.

Remember that if the bad guys can’t trick you into parting with your money they will focus on someone else – until they find someone who does. Just don’t be that someone.

Charles Tips – Nightly Website Backups

Your website is an important investment. Whether you made it yourself or paid to have a professional develop it for you – you wouldn’t want to lose it. We have taken on clients who were with the largest company in the world who lost their website because of having no backup. The terms for doing business with that company even state they are not responsible for the loss of the website.

Nightly Backup Server

I couldn’t imagine not backing sites up. Nowadays the technology is ever present to back everything up. In the not too distant past, hard drives were much more expensive than they are now. Hard drive space is extremely inexpensive nowadays – so there’s no excuse for a company to not make backups.

One third of today’s sites are on a platform called WordPress. Security updates happen often and changes can be readily made to WordPress sites – so they need backups at least every day. Whether there’s a server catastrophe or simply one of your employees blowing up your site while making changes – it can be recovered.

Definitely protect your website investment by hosting with a company that provides daily backups of your WordPress website every night for at least a month. That will avoid having to restart your website from scratch.

Charles Tips – An Email Contact is Essential

This week is a closely related follow up to last week’s article. As I mentioned then about a lack of a phone number, it seems like it would go without saying that a website trying to sell something should have an email contact someplace on it.

Last week I was referring to a web developer’s website with no telephone number or email address on it. Some developers put forms on their sites to try to get out of displaying an email address. The main issue with forms – besides the fact that form output is more often than not considered spam by many mail servers – is that people generally don’t want to fill them out. It’s much easier these days to click on an email link and send off an email saying exactly what you want to say. Of course you can speak it even more clearly but email may be the next best thing.

If you can’t find an email address to contact someone, my advice is to just move along to the next prospective web developer on your list. You want to deal with a web development company that makes it easy to be reached.

Charles Tips – Carrying Liability Insurance

Carrying liability insurance is yet another important part of maintaining a legitimate, caring, responsible business. I’ve come to realize that in the web business many businesses operate without insurance. When something goes wrong, they just change the business name and open as another name.

Businesses operating in this fashion create problems for their potential clients. First and foremost is that should something happen that triggers the need for insurance, the client is stuck totally. The client in such a case may have no recourse or might not even be able to recover damages.

Folks who operate their “businesses” this way are fundamentally dishonest fly-by-nights. It’s easy enough to ask a web developer who handles their insurance needs and a quick check with their agent can verify that.

Avoiding dealing with a dishonest vendor can save you a ton of headaches in the long run.

On the other hand, good, honest businesses are always thinking in terms of the long run. They are thinking in terms of developing healthy business relationships with their clients. Part of that is staying in business so they can continue to provide services to their clients.

Finally, looking at all the items on the checklist we’ve provided in our Web Developer’s Checklist post will ensure you have the best possible shot at a positive experience having your website developed.

Charles Tips – The “Send me Bitcoin” Scam Continues

We had intended to continue weekly with our web developer checklist. However, this week we’re presenting this post because so many people are receiving these bogus scam messages trying to trick them into paying an extortion.

This scam we mentioned quite a while ago. It has continued to pick up steam – plowing its way through every part of the Internet. It IS a SCAM. Do NOT pay it. We’ve had numerous people contact us that they are receiving such messages.

Here is is below in English and Chinese:

ENGLISH

Hello there!

You may have noticed that I sent an email from your account.
This means I have full access to your device.

I have been watching it for a few months.
The truth is that you are infected with malware through an adult website you have visited.

If you are not familiar with this, I will explain.
I created high quality spyware. It allows me to gain full access and control over your device.
This means I can see everything on the screen, turn on the camera and microphone, but you don’t know.

I can also access all your contacts and all communications.

Why is your antivirus software not detecting malware?
Answer: My malware uses the driver, I update the signature every 4 hours so that your anti-virus software is silent.

I made a video showing how you can satisfy yourself in the left half of the screen, and in the right half you will see the video you watched.
One Key! All of your contacts in email and social networks will receive this video! Your life will change forever!
I can also post access to all email communications and messengers you use.

If you want to stop this ʌ
Transfer the $362 amount to my bitcoin address (if you don’t know how to do this, please write to Google: “Buy Bitcoin”).

My bitcoin address (BTC wallet) is: *********************************

After receiving the payment, I will delete the video and you will never hear my voice again.
I will give you 50 hours (more than 2 days) to pay.
I received a notification from this letter and the timer will work when you see the letter.

It doesn’t make sense to file a complaint somewhere because it can’t be tracked like my Bitcoin address.
I have not made any mistakes.

If I find that you shared this message with others, the video will be distributed immediately.

Good luck, goodbye!

CHINESE

你好!

您可能已经注意到,我从您的帐户发送了一封电子邮件。
这意味着我可以完全访问您的设备。

我已经看了好几个月了。
事实是,您通过您访问过的成人网站感染了恶意软件。

如果您对此不熟悉,我会解释。
我创建了高质量的间谍软件。 它允许我获得对您设备的完全访问权限和控制权。
这意味着我可以在屏幕上看到所有内容,打开相机和麦克风,但您不知道。

我也可以访问您的所有联系人和所有通信。

为什么您的防病毒软件没有检测到恶意软件?
回答::我的恶意软件使用驱动程序,我每4小时更新一次签名,以便您的防病毒软件无声。

我制作了一个视频,展示了你如何在屏幕的左半部分让自己满意,在右半部分,你会看到你观看的视频。
一键! 您在电子邮件和社交网络中的所有联系人都将收到此视频! 你的生活将永远改变!
我还可以发布您使用的所有电子邮件通信和信使的访问权限。

如果你想阻止这个ʌ
将362美元的金额转入我的比特币地址(如果您不知道如何做到这一点,请写信给Google:“购买比特币”)。

我的比特币地址(BTC钱包)是:**********************************

收到付款后,我将删除该视频,您将永远不会再听到我的声音。
我给你50个小时(超过2天)付款。
我收到了这封信的通知,当你看到这封信时,计时器会起作用。

在某处提交投诉没有意义,因为无法像我的比特币地址那样跟踪此电子邮件。
我没有犯任何错误。

如果我发现您与其他人分享了此消息,则视频将立即分发。

祝你好运,再见!

AND IT IS IN MANY OTHER LANGUAGES AS WELL!