The Importance of Password Security
Wednesday, November 15th, 2017 - Security
We have seen a growing number of web hosting accounts being hacked and when investigating and tracking down the reasons for the hacks, we are finding most of those accounts are hacked through weak admin passwords on their website CMSs (WordPress, Joomla!, Drupal, etc).
One thing you should understand: if you are using a weak admin password for anything tied to your web hosting account, then you share some of the blame for its being hacked. That may seem harsh to say, but it is the truth. As the administrator of your web hosting account, you are responsible for practicing good security on it. Sure, it sucks that there are malicious users and hackers out there taking advantage of your web hosting account – but there is also some level of responsibility on you for allowing a weak password to be used.
How do I choose a secure password?
A good password will use a combination of upper and lower case letters, numbers, and non-alphanumeric characters. I like to use the Password Strength meter at
to determine how strong a password might be. I generally aim for something above 80% and the closer you can get to 100% the better.
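To show what a strength meter is actually measuring, here is an added example (not the meter the post links to, and not the author's code) that estimates guessing entropy from the character classes present and then discounts dictionary words, repeated runs and ascending runs. The word list, the run rules and the 80-bit target for a 100% score are all assumptions of this example; the point it makes is that mixing all four character classes is not enough if the password is built from a common word plus a digit and a symbol.

```python
import math
import string

# Constructed mini dictionary; a real meter checks a far larger word list.
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "admin", "123456")
TARGET_BITS = 80  # assumption: 80 bits of guessing entropy scores 100%

def charset_size(pw: str) -> int:
    """Size of the pool a guesser must search, based on the classes present."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return pool

def effective_tokens(pw: str) -> int:
    """Number of independent choices a guesser must make: a dictionary word,
    a repeated run (aaaa) or an ascending run of 3+ (abcd, 1234) each count
    as one token instead of one token per character."""
    lowered, tokens, i = pw.lower(), 0, 0
    while i < len(pw):
        word = next((w for w in COMMON_WORDS if lowered.startswith(w, i)), None)
        if word:
            i += len(word)
        else:
            j = i + 1
            while j < len(pw) and pw[j] == pw[i]:      # repeated run
                j += 1
            if j == i + 1:
                k = i + 1
                while k < len(pw) and ord(pw[k]) == ord(pw[k - 1]) + 1:
                    k += 1                               # ascending run
                if k - i >= 3:
                    j = k
            i = j
        tokens += 1
    return tokens

def password_score(pw: str) -> dict:
    """Estimated guessing entropy in bits and a 0-100 percent against TARGET_BITS."""
    pool = charset_size(pw)
    bits = effective_tokens(pw) * math.log2(pool) if pool else 0.0
    return {"bits": round(bits, 1), "percent": min(100, round(bits * 100 / TARGET_BITS))}

if __name__ == "__main__":
    for pw in ("Password1!", "aaaaaaaaaaaa", "abcdefgh1234", "gZ7#qL2!vM9p"):
        print(f"{pw!r:16} {password_score(pw)}")
```

"Password1!" uses all four classes yet scores in the twenties, because the whole of "password" is one dictionary lookup; the twelve-character random string scores near 100%.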
I also encourage the use of local password managers. I’m less thrilled by online password managers, because if those get hacked, then all of the passwords you have stored there could potentially be hacked as well. I like the portable version of KeePass. The portable version allows you to run it from a USB thumb drive – this way the database is not installed on your local computer. If you have a password manager installed on your local computer, and your local computer gets infected with malware, a virus, or a keylogger, then the information stored in the installed password manager could potentially be compromised.
Putting a password manager – like KeePass – on a USB thumb drive and keeping it near your computer ensures that your passwords are safe from any malware infections you might have on your local computer, and also available to be used whenever you need them.
To download the portable version of KeePass, see:
https://keepass.info/download.html
Instructions for setting up the portable version of KeePass are at:
https://keepass.info/help/v2/setup.html#portable
Why do hackers hack into my site?
The simple answer is because they can. You might think that you have a small web site that doesn’t really garner a lot of attention. But if you are using a weak password, an outdated script/plugin, or otherwise have something in place that would allow malicious users to take advantage of your web hosting account – you’d better bet that they eventually will.
Commonly, hackers and malicious users will break into a web hosting account to set up phishing sites, send out spam, do SEO spamming, or carry out search engine poisoning.
• Phishing sites are look-alike mirrors of a popular website, built with the intent of tricking visitors into disclosing personal information about their real account at that popular website. A Netflix phishing scam recently went through this cycle: the hackers needed a place to host the Netflix look-alike site, and they got it by hacking and exploiting other, smaller websites.
• Spamming pertains to the sending of unsolicited messages. We’ve all received spam messages and we all know what spam messages look like. Most of those messages are sent out because someone allowed their web hosting account to become compromised.
• SEO Spamming or Search Engine Optimization spamming has to do with building a network of links to raise the search engine rankings of one website. That website can then monetize this popularity with ads.
• Search Engine Poisoning is similar to SEO Spamming but has to do with poisoning the content that search engine crawlers see when they crawl your website. This can have the effect of associating your website with various pharmaceuticals, gambling, or other shady businesses.
How do I keep my web hosting account safe?
• Keep your scripts, plugins, themes, components, etc. all up to date. When an update is released by its developers, that update is not automatically applied to your installed version. You will need to update it. Sometimes this is simple, sometimes it is not. But not doing the update is dangerous to the well-being of your web hosting account.
• Use reputable scripts, plugins, themes, and components. Stick to popular and well-maintained scripts. When looking at plugins, themes, and addon components, check to see when it was last updated. The further back this is, the less reputable the plugin is. Check to see how many active installations the plugin is said to have; the more, the better. Check the plugin’s overall rating; the higher the rating, the better. A plugin that was last updated 3 years ago, has fewer than 1000 active installations, and 3 or fewer stars is probably not reputable and probably something to avoid.
• Use strong and secure passwords. The weaker a password is, the easier it is for hackers and malicious users to guess the password and log into your account. If your website is important to you, then you will want to ensure that you are using strong and secure passwords.
•
[Updates] Joomla! 3.4.6 released
Monday, December 14th, 2015 - Security, Updates
The Joomla! developers have released an updated version of their Joomla! script, Joomla! 3.4.6.
This release fixes a major security bug in Joomla!.
This security bug is also present in prior Joomla! releases, Joomla! 1.5 and Joomla! 2.5. But since Joomla! 1.5 and Joomla! 2.5 are end-of-life, no security patches are being released for those versions.
Users on our servers that have been using these outdated Joomla! versions have been sent several notices about this. Because of these notices and this recent security issue, this may be the final nail in the coffin for Joomla! 1.5 and Joomla! 2.5 scripts. We will likely have to start disabling Joomla! scripts that are end-of-life. We apologize for having to do this, but advice to upgrade your Joomla! scripts has gone ignored, and the danger of allowing these exploitable scripts outweighs any benefit from a server security standpoint.
If you are not using Joomla! 3.4.6, please upgrade as soon as possible.
Steven
•
[Security] VirtueMart Joomla! Vulnerability
Friday, September 12th, 2014 - Security
A nasty security exploit has been discovered affecting several thousand old and outdated versions of the popular Joomla! extension, VirtueMart.
More information is available at:
Security Advisory – Critical Vulnerability in the VirtueMart Extension for Joomla!
Security release of vm2.6.10 and vm2.9.9b
All users need to upgrade or remove the affected VirtueMart Joomla! extension.
Versions of VirtueMart that are safe appear to be versions 2.6.8c and 2.6.10c.
Unfortunately, we cannot provide any support for this. We are just a messenger letting you know that a serious security threat is there. If you are using a vulnerable version and you do nothing, your web hosting account will likely get hacked. We may have to suspend or disable web hosting accounts that are hacked or do not upgrade or resolve this issue.
If you require support for this, you may want to contact your web developer or web designer for more information. Additional support may be found directly at the VirtueMart Support Forums:
or at the Joomla! support forums:
Again, we are just advising you that a threat exists. If you do not know what to do about this, I encourage you to seek help at one of the above forums.
Steven – AMS Support
•
[General] WordPress login attack
Thursday, January 16th, 2014 - General, Security
PLEASE READ IF YOU ARE SEEING A LOGIN PROMPT WHEN TRYING TO ACCESS YOUR WORDPRESS ADMIN AREA
Some of you may be aware that there has been a growing botnet across the Internet that has essentially been launching a DDoS attack on WordPress scripts throughout the Internet.
WordPress is an extremely popular blogging and CMS platform. Many people use it. It is widely installed throughout the Internet and on our web hosting servers. This makes it a very inviting target for hackers and other malicious users to take advantage of.
The attack is basically a system of thousands and thousands of IP addresses all trying to log in to various sites’ backend WordPress admin panels. All of these requests undermine the performance of the server, because the server has to respond to each of them. This is why it essentially becomes a DDoS-like attack.
Up until now, we have been able to mitigate most of this with a series of IP blocks. But unfortunately this system is reaching its saturation and is no longer effective. The next step in mitigating this is to employ a specific web/captcha system. With this enabled, you will see a dialog box when you go to log into your WordPress admin panel, telling you to enter a specific set of characters as the username and the answer to a simple arithmetic/addition problem as the password. This is becoming the standard way to mitigate this attack.
We don’t yet know if we will deploy this server-wide or if we will do it on an account-by-account basis. But it is becoming clear that we are going to have to deploy this system in some capacity.
If you see this dialog box pop up on your WordPress admin panel login screen, don’t be alarmed. It is a mitigation solution to stop this WordPress login attack.
We do apologize for having to deploy this, but if we do nothing this attack is just going to continue to undermine server performance for your site and all of the other sites on our web hosting servers.
Steven
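The post explains why per-IP blocking stops working once the login attempts are spread across thousands of addresses. The following added example (not the hosting provider's tooling) runs that reasoning over constructed Apache-style access log lines: it tallies POST requests to wp-login.php per source IP, reports which IPs a per-IP block list would catch, and separately flags a distributed attack where no single IP crosses the limit but the site total does. The thresholds, the sample IPs and the log lines are all assumptions of this example; the status-code rule relies on WordPress answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Apache "combined" log layout; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def login_posts(lines):
    """Count wp-login.php form submissions per source IP. A failed login is
    answered with 200 (form re-rendered), a successful one with a 302."""
    failed, success = Counter(), Counter()
    for line in lines:
        r = parse_line(line)
        if not r or r["method"] != "POST" or not r["path"].endswith("/wp-login.php"):
            continue
        (success if r["status"] == 302 else failed)[r["ip"]] += 1
    return failed, success

def assess(lines, per_ip_limit=10, site_limit=50, min_failures=3):
    """IPs a per-IP block list would stop, plus whether the remaining low-rate
    sources together form a distributed attack that per-IP limits miss."""
    failed, success = login_posts(lines)
    noisy_ips = sorted(ip for ip, n in failed.items() if n >= per_ip_limit)
    quiet_total = sum(n for ip, n in failed.items() if ip not in noisy_ips)
    return {
        "noisy_ips": noisy_ips,                     # what IP blocking alone stops
        "total_failed": sum(failed.values()),
        "distributed": quiet_total >= site_limit,   # many IPs, few tries each
        # a success from an IP that failed repeatedly first deserves a look
        "success_after_failures": sorted(ip for ip in success if failed[ip] >= min_failures),
    }

# Constructed sample traffic (not real log data): one noisy bot that finally
# gets in, sixty low-rate bots trying once each, and an admin who mistypes once.
def _line(ip, method, path, status):
    return (f'{ip} - - [16/Jan/2014:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

SAMPLE_LOG = [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(12)]
SAMPLE_LOG += [_line("203.0.113.7", "POST", "/wp-login.php", 302)]
SAMPLE_LOG += [_line(f"198.51.100.{i}", "POST", "/wp-login.php", 200) for i in range(1, 61)]
SAMPLE_LOG += [_line("192.0.2.10", "GET", "/wp-login.php", 200),
               _line("192.0.2.10", "POST", "/wp-login.php", 200),
               _line("192.0.2.10", "POST", "/wp-login.php", 302)]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

With only the sixty low-rate sources, `noisy_ips` is empty yet `distributed` is still true, which is exactly the situation in which a per-IP block list saturates and a challenge in front of the login form becomes the practical mitigation.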
•
[Security] Joomla! JCE component hack
Thursday, May 30th, 2013 - General, Security, Updates
We have seen a flurry of accounts being hacked due to outdated Joomla! Content Editor (JCE) components. Because of this we have made the decision to go through all of our servers and remove/disable all outdated JCE components.
The reason for this is that accounts with outdated JCE components are being hacked into, compromised, and used to send out spam. This affects the integrity of our servers, and it is not fair to the other users on the server who keep their scripts and components up to date to have to deal with a server that is blacklisted for sending out spam.
It seems that a large portion of our users are unable to keep, or unaware of the need to keep, their scripts, components, plugins, extensions, and themes up to date. Disabling these outdated JCE components will hopefully bring to light why it is so important to keep things up to date.
The latest version of the Joomla! Content Editor (as of May 30, 2013) is 2.3.2.4. If you are not using 2.3.2.4 then your version is outdated and potentially dangerous. That is why it has been disabled/removed. The website for the Joomla! Content Editor is:
http://www.joomlacontenteditor.net
We wanted our users to be aware of this.
Steven