I have been seeing more contact form spam in the past month or so from my own WordPress sites, and clients are reporting the same. I assumed this was human spam and that little could be done to prevent it using the usual automated measures against spambots. However, while making changes on one of the sites, I noticed:

- that the form was no longer working, displaying “There was a problem. Your email could not be sent.”, or words to that effect;
- that the reCaptcha 2 form was not being displayed below the contact form.

I was vaguely aware that current versions of Contact Form 7 supported reCaptcha 3. What I failed to appreciate was that these versions were not backward compatible: they no longer supported reCaptcha 2. That means, depending on the site, either visitors attempting to use your contact page were not getting their messages delivered, or messages sent via the form were no longer being intercepted by reCaptcha. If you use Contact Form 7 on any of your sites, make sure that you update them to reCaptcha 3:

1. Go to reCAPTCHA: Easy on Humans, Hard on Bots.
2. Scroll down to the bottom of the page listing your sites and create a new listing for your domain to use reCaptcha 3 (there does not appear to be any way to just update a version 2 listing to version 3).
3. Delete your old site keys under the Integration option for Contact Form 7 and replace them with the new reCaptcha 3 site keys.

(Note: since these site keys apply to a domain plus any subdomains or subfolders under that domain, don’t delete your reCaptcha 2 keys until you are certain that you don’t have an application still using the old version. In particular, note that any custom HTML
Mozilla’s new Firefox update puts user security at risk with TRR feature by Ankit Gupta, TheWindowsClub.com August 7, 2018

Mozilla is all set to introduce two new features to its Firefox browser in its upcoming patch. Called ‘DNS over HTTPS’ (DoH) and Trusted Recursive Resolver (TRR), Mozilla says they are meant to enable additional security, with many security experts thinking otherwise. Singling out TRR of the two, security experts at Ungleich say that this feature by default routes requests through a 3rd-party service, thus making it less secure. With Trusted Recursive Resolver (TRR) turned on by default, any DNS changes that a Firefox user configured in the network will be overridden. This is because Mozilla has partnered with Cloudflare and will resolve the domain names from the application itself through a DNS server of Cloudflare located in the US. This allows Cloudflare to read users’ DNS requests. Lashing out at Mozilla for advertising TRR as a feature that ‘increases security’, the security expert at Ungleich mentions, “From our point of view, us being security geeks, advertising this feature with slogans like “increases security” is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don’t know, it is not true that this increases security in general.” Cloudflare, for its part, commits to a ‘pro-user privacy’ policy and the detection of all personally identifiable data after 24 hours, but there is no guarantee where a user’s data may finally end up.

Mozilla’s TRR disables users’ anonymity

With TRR allowing all DNS requests to be seen by Cloudflare, users’ anonymity stands completely destroyed. Government agencies always have the right to request data from the service owners,
True to their word, Google today released version 68 of their Chrome browser and, as promised, they have changed the way they warn users about potential issues with web sites. In previous versions, Chrome (and Firefox and most other browsers) alerted users to sites that were not using SSL with a red padlock next to the URL, and sites with mixed content displayed an orange padlock. Starting with version 68, Chrome now uses a stronger warning system. If you haven’t yet converted your site to HTTPS / SSL, now is the time to give it serious consideration. You should also check that your site correctly redirects from HTTP to HTTPS in case anyone enters just the domain name into the browser. On their Google Chrome Help page, Check if a site’s connection is secure, they preview what this now looks like to users:

Check if a site’s connection is secure

To see whether a website is safe to visit, you can check for security info about the site. Chrome will alert you if you can’t visit the site safely or privately.

1. In Chrome, open a page.
2. To check a site’s security, to the left of the web address, look at the security status: Secure; Info or Not secure; Not secure or Dangerous.
3. To see the site’s details and permissions, select the icon. You’ll see a summary of how private Chrome thinks the connection is.

What each security symbol means

These symbols let you know how safe it is to visit and use a site. They tell you if a site has a security certificate, if Chrome trusts that certificate, and if Chrome has a private connection with a site.

Secure: Information you send or get through the site is private. Even if you see this icon, always be careful when sharing
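The post recommends checking that a site redirects plain HTTP to HTTPS when someone types only the domain name. The following script is an added example written for this page (it is not Google’s or Chrome’s code): it walks the redirect chain one hop at a time so you can see each status code and Location header, then reports whether the chain ends on HTTPS, whether the first redirect is permanent (301 or 308), and whether the final response sets a Strict-Transport-Security header. The `good.example.test` and `bad.example.test` responses are constructed sample data so the script runs offline; passing `live_fetch` (the default) runs the same check against a real hostname.

```python
"""Walk a site's HTTP -> HTTPS redirect chain hop by hop (added example).

The SAMPLE_RESPONSES below are constructed data standing in for two
hypothetical sites; they are not real hosts.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx; caught in live_fetch


def live_fetch(url, timeout=10):
    """Return (status_code, headers) for a single HEAD request, no redirects followed."""
    opener = urllib.request.build_opener(_NoFollow)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.status, dict(response.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_https_redirect(hostname, fetch=live_fetch, max_hops=5):
    """Start at http://hostname/ and report how (and whether) it reaches HTTPS."""
    url = f"http://{hostname}/"
    hops = []
    headers = {}
    for _ in range(max_hops):
        status, raw_headers = fetch(url)
        headers = {k.lower(): v for k, v in raw_headers.items()}  # header names are case-insensitive
        hops.append((url, status))
        if status in REDIRECT_CODES and "location" in headers:
            url = urljoin(url, headers["location"])  # Location may be relative
            continue
        break
    final = urlparse(url)
    return {
        "hops": hops,
        "final_url": url,
        "terminated": hops[-1][1] not in REDIRECT_CODES,  # False if the chain is a loop or too long
        "redirects_to_https": len(hops) > 1 and final.scheme == "https",
        "permanent": hops[0][1] in (301, 308),
        "hsts": "strict-transport-security" in headers,
    }


# Constructed responses for two hypothetical sites (sample data, not real hosts).
SAMPLE_RESPONSES = {
    "http://good.example.test/": (301, {"Location": "https://good.example.test/"}),
    "https://good.example.test/": (200, {"Strict-Transport-Security": "max-age=31536000"}),
    "http://bad.example.test/": (200, {"Content-Type": "text/html"}),  # serves HTTP, never redirects
}


def sample_fetch(url):
    """Offline stand-in for live_fetch that answers from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


def run_samples():
    """Check both constructed sites and return their reports keyed by hostname."""
    return {host: check_https_redirect(host, fetch=sample_fetch)
            for host in ("good.example.test", "bad.example.test")}


if __name__ == "__main__":
    for host, report in run_samples().items():
        verdict = "OK" if report["redirects_to_https"] and report["permanent"] else "FIX"
        print(f"{host}: {verdict} hops={report['hops']} hsts={report['hsts']}")
```

To test a real site, call `check_https_redirect("yourdomain.example")` with the default fetcher. Some servers answer HEAD differently from GET; if a site returns 405 on the first hop, change the method in `live_fetch` to GET. A 302 on the first hop is a sign to fix the server configuration: browsers cache a 301 or 308, so a permanent redirect (plus HSTS on the HTTPS response) keeps returning visitors off plain HTTP entirely.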
With new stories about hacked websites and stolen passwords emerging almost daily, here are some new browser tools that alert you if you sign in anywhere using a password that has been breached.

Here’s How To Find Out If Your Password Has Been Stolen By Hackers By Robin Andrews, IFLScience.com May 27, 2018

[Statistically, you] are likely to be someone who uses the same password for several logins, across websites or computers. There’s a fairly decent chance that at some point, one or several of your passwords have been stolen and posted on forums for other hackers to try out. Enter Okta, whose plug-in for Chrome (a version for Firefox is coming soon) lets you know how safe, or unsafe, your passwords really are. Okta is described by CNET as a login management company, which doesn’t sound particularly thrilling. Popping over to their website, it appears that this is indeed what they do, but to put it in a mildly more exciting way: they are the guardians of the virtual gateways, those that stop nefarious hackers getting to you as you log in to whatever digital platform you or your company are using. They’ve recently gone one step further and released a browser plug-in named PassProtect. When you use a password to sign in to Twitter or anything of the sort, it’ll inform you just how many times the password in question has been exposed in a data breach.

As noted, PassProtect is currently available as an extension for Chrome only, although they say a version for Firefox is in the works. In the meantime, if you are a Firefox user, you can try a similar add-on called Prevent Pwned Passwords. Prevent Pwned Passwords helps make sure you don’t use any password that’s known to have been part of a
I’m neither a novice nor naïve when it comes to computers, the internet, and online security issues. However, I have to admit this one slipped by me. I was expecting a package or perhaps two to be delivered by Canada Post a couple of days ago. I was working away troubleshooting a website and a server problem, tired and a bit distracted because I was trying to do two things at once. Microsoft Outlook popped up a notice indicating that an email had arrived from Canada Post. Of course I went over to have a look and it claimed it had been unable to deliver a package to me the day before. I opened it and it certainly looked like it was from Canada Post. It contained a link for instructions on how to get it re-delivered. Now normally I am very suspicious about that sort of thing, and one of the things I do regularly is hover over the link in any email so that Outlook displays the actual destination in the notice bar. This time, tired and waiting for that package, I clicked on the link and it opened in my browser. Even as the page was rendering I saw in the address bar that it was certainly not Canada Post. The loaded site hijacked my browser before I could stop it, and any attempts to backtrack or go to another site gave me a message that the site was insecure.

Fake Canada Post Email

Before it could do any more damage, I shut down the browser and rebooted to do a malware scan. As it booted up, it loaded something called php.exe or something similar. I killed that immediately. That turns out to be a Trojan, so it was a little extra left behind in addition to the
Here’s why you’ll probably want to turn off browser autofill Globalnews.ca January 18, 2017

It’s annoying to type your personal details (name, address, phone numbers, all the rest of it) every time you need to fill out an online form. Browser makers realized this years ago, which is why your browser spares you the tedium, helpfully filling in the blanks when you type the first letter of your name, or the first digit of your address. Finnish developer Viljami Kuosmanen demonstrated [last week] that in many (not all) browsers, if you start to fill in basic information like your name and email address, all your other autofill information becomes invisibly available to the site. That can include your name, home address, credit card details and workplace, not just the limited amount of information you thought you were giving away. If you’ve autofilled a form in a browser other than Firefox, you can give it a try on this site, which Kuosmanen set up to demonstrate the problem. Global News successfully used Kuosmanen’s site on Chrome, extracting a reporter’s address after he had only put in his name and email. Firefox doesn’t have the problem, but other browsers such as Chrome, Opera and Safari do.

Test your browser HERE: if you’re vulnerable, the test page will show you what information is revealed and also includes a link in your browser automatically taking you to where you can turn autofill OFF.

Here’s how to turn off autofill:

- In Chrome: Settings/Show Advanced Settings/Passwords and Forms, and unclick Enable Autofill to fill out Web forms.
- In Opera: Settings/Privacy & Security/Autofill and uncheck the box.
- In Safari: Preferences/Autofill tab/ and uncheck the appropriate boxes.
- In Firefox (though this shouldn’t be as necessary): Options/Privacy. In the Firefox will: menu, uncheck Remember search and form
The WordPress Security Learning Center – Wordfence Wordfence.com December 16, 2015

The makers of the WordPress security plugin, Wordfence and Wordfence Premium, announced a new free feature today: The WordPress Security Learning Center – Wordfence. It includes tutorials from beginner to advanced and developer level: everything from WordPress security basics, security threats and attack types to guides for developers to help them avoid writing vulnerabilities and to penetration test their own code.

The Learning Center is a completely free resource. No registration is required and absolutely no payment is needed. We have put this together as a resource for the WordPress community to do our part to help secure WordPress as a platform.

This new resource should prove to be excellent for everyone from beginners to seasoned WordPress users. The articles and videos are written and designed for anybody wanting to learn more about WordPress security; they are also a great selection of back-to-basics resources for any WordPress network pro or admin, and for computer science (Comp Sci) students and professors too. They also include information on what to do if your WordPress site has been hacked. Check it out here: The WordPress Security Learning Center – Wordfence

Disclaimer: I have no association or affiliation with Wordfence. However, I do use Wordfence on all my sites and on sites I create for others, and I highly recommend it to anyone.
A recent article by Megan Totka talks about the increasing targeting of small businesses in cyberattacks.

When we think of cyber attacks, our minds often jump to major corporations, millions of dollars, and large scale media scandals. However, experts are saying that small businesses are increasingly at risk for data breaches and other cyber threats. …. In 2012, a report from Symantec Security Response found that attacks on small businesses had risen 300 percent over the previous year. That number has been on the rise ever since. The reason cyber attackers target small businesses is simple: it’s easier. They’re often less secure, with a smaller security budget, and the mindset that they’re too insignificant to attract attention. Given that most attacks are fully automated, these attackers can make it through a small business’s defenses much faster than they can a larger corporation’s, allowing them to target more companies in a shorter period of time. Unfortunately, the negative impact on small businesses may also be disproportionately higher. They often face a loss of public trust as well as a significant financial loss, which can be crippling to many businesses of this size.

That’s precisely why today it is so important to build your small business website with security in mind and to ensure that your website is kept up to date to plug any security vulnerabilities that may arise in the future. All of the websites designed by Psychlinks include site security as a top priority. For a free quote on creating a secure website and/or maintaining an existing website, please contact us today!
How to Scan Your WordPress Site for Potentially Malicious Code WPBeginner.com August 11th, 2014

If you don’t like the video or need more instructions:

Theme Authenticity Checker (TAC)

Theme Authenticity Checker is a free plugin that scans all of your WordPress theme files for potentially malicious or unwanted code. Often hackers target themes to inject links, so this plugin is a good way of checking for that.

Exploit Scanner

Exploit Scanner is another free WordPress plugin that is much more robust than the Theme Authenticity Checker because it searches all files and the database of your WordPress install. It checks for signs that may indicate if your installation has fallen victim to malicious hackers. Note: this does return a lot of false positives, so you have to know what you are doing to see if the error is really malicious or if it is ok.

Sucuri

Sucuri is by far the BEST WordPress security scanner out there. They have a very basic free site scanner, which checks your site to see if your site is doing ok. But the real value is in their paid version. See our article: 5 reasons why we use Sucuri to improve our WordPress security for a detailed overview. In short, once you install Sucuri, it automatically monitors your website 24×7 against all threats. It audits all the activities that happen on your site to keep track of where things went wrong. If something looks fishy, Sucuri blocks the IP. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service which is included in the price of their service (no matter how big or small your site is).

WordFence

Not mentioned in this article is WordFence, another free WordPress plugin which I personally
WordPress has become increasingly popular as a platform for creating highly customizable responsive websites. And of course this makes it increasingly attractive as a target for hackers and spammers. To help guard against this, here are a couple of plugins that help to at least minimize unknown vulnerabilities.

Your first defence should be to ensure that you keep WordPress itself and all your plugins and themes up to date. WordPress and the WordPress community are very good at reacting to security threats and vulnerabilities as they are discovered, and typically patched or updated versions are made available within a few days. But the patches won’t do you any good if they are not applied.

Advanced Automatic Updates by pento adds extra options to WordPress’ built-in Automatic Updates feature. On top of security updates, it also optionally supports installing major releases, plugins, and themes. If you use this to keep your themes updated, please see Don’t let WordPress theme upgrades break your site to avoid losing your theme customizations.

Plugin Vulnerabilities by White Fir Design alerts you when any of your installed plugins contain known security vulnerabilities, as well as warning you of vulnerabilities in other versions of those plugins. This will at least make you aware of an issue until the plugin updater can install a patched version.

Finally, Wordfence Security by Wordfence is a must-have plugin for any WordPress site. From the plugin description:

Blocking Features

- Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
- Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall.
- Report security threats to network owner.
- Rate limit or block security threats like aggressive crawlers, scrapers and bots