Tech Tuesday: Backup Before Going Forward

Backup Before Going Forward

2017 is the year you have to finally take backup seriously, seriously. In the past it wasn’t such a big deal but with Ransomware becoming big business, you have to protect yourself.

In case you somehow don’t know Ransomware is malware that installs itself onto your computer either via a website you accidently (or on purposely) visited or downloaded to your computer via other means that encrypts your hard drive and demands a “Ransom” to get your files back. This Ransom is usually paid in a digital currency called Bitcoin.

While the Ransomware goes by many names, once you have it, you are in a world of hurt.

Here are some of my tips to protect yourself from Ransomware:

The Best Option: Backup your files to an external hard drive. Regardless of what type of computer Operating System you run, if you run Mac OS or Windows, your best friend is an external USB hard drive. On a Mac, backup is easy, Time Machine. If you buy a USB Hard drive such as the Western Digital My Book series, they often come with backup software to assist in backing up your system. The first time you run backup, it will take a long time because it is backing up everything and I recommend having it backup everything.

Paranoid Alert: The issue is, if you get Ransomware onto your computer, it will also infect your external hard drive unless… After you run your backups (which you should do at least weekly), you should safely “eject” the external hard drive, disconnect it,  and store it somewhere safe you will remember. Why? Because if the drive is disconnected from your computer and your computer is infected by Malware or Ransomware, once you get your computer back in working order, you can restore your files from this. You may have had to recover the laptop but you didn’t have to work to hard to get your files back. Also, if you are going on vacation, really hide this hard drive. If you computer or laptop are stolen, you can always eventually get a new one and your files are still safe.

Second Best Option: Backup your files to the cloud using iCloud if you are a Mac user or Google Drive or OneDrive or Dropbox or any service you trust to backup to. The issue with these options are they are not always user friendly and may not backup everything. OneDrive will backup your My Documents folder on Windows machines but offers no automation at all on Mac. To use Google Drive you basically have to save everything to your local Google Drive folder and wait for it to upload or sync up to the Cloud. If you are using iCloud on Mac, you have to tell it what folders to backup.

Paranoid Alert: Three things, 1) If you use more than their free space, these services cost money. As of this writing it costs $20 a year for 100 gig of iCloud or Google Drive space. OneDrive gives you a Terabyte if you buy Office 365 subscription so that may be a cost effect way if you really need Office 365 (a discussion for another day). 2)Don’t put confidential files into the cloud. Your tax returns DO NOT BELONG in the cloud. Why? Because if your cloud service is hacked, you are hacked. This leads to a discussion about Encryption (also a topic for another day) 3)If your computer is hacked and your cloud service is active, your computer is sending Ransomware encrypted files to your cloud. This means you may be losing your files if they don’t offer some type of versioning (versioning is where old versions of files are kept along with the new latest version). As of this writing, Google Drive keeps 30 days of versions of your files. That means you have to know within 30 days or less that you have been compromised and you need to restore your old versions. So if I write a file on Tuesday and then I update it on Wednesday, Google will allow me to go back to the version of the file I had Tuesday.

Other ways to protect your computer:

  1. Antivirus -The issue with Antivirus is they are not always kept up to date and sometimes there are viruses that are so new, no Antivirus in the world can protect you. But as the saying goes, the best offence is the best defence. It is better safe than sorry. In a Mac World it could be argued you don’t need antivirus and that is mostly true but sometimes you can be socially engineered into allowing something bad to happen. Always get a prompt when something is trying to install to your Mac or Windows, sure, but did you read what it said? Were you actually expecting something to pop up? Were you even installing anything? Or worse, sometimes the worst malware comes as a bonus (read that as bogus) that comes with something “legitimate” you are installing. I have had good luck with McAfee and Norton Antivirus suites. You can’t run with only their Antivirus and expect it to defend it all. You also need their malware and other features that come with Internet Security suites they offer.
  2. Web Of Trust Browser extension: My favorite browser extension is WOT, Web of Trust. It is an extension that works with Chrome or Mozilla that tells you the reputation of various websites you visit or in the case of bad ones, attempt to visit. If it is really bad, it will block it and ask, are you really sure? It is especially useful in Google Search as it puts a Green ring (if it is considered a good site) beside the search results. No Green Ring and I don’t click on it. McAfee offers a similar service for free but sometimes I see conflicting information between McAfee and WOT. Since most Malware and Ransomware is picked up by the sites we surf, this is good peace of mind. See image of sample search results with WOT on Google.WOT-Web Of Trust
  3. Firewall – Windows and Mac both come with firewalls. Also most home wireless routers come with some firewall protection, but usually this is turned off or set at a very low level. Also this is the type of thing that can be tricky to manage and requires some technical skill. Go with at least the minimum protection. Read the Manual and you too can try to learn to increase your security.
  4. HTTPS or else: I know right now this site is not HTTPS but it will be soon. You should always only visit sites that are HTTPS (meaning the connection is encrypted). This doesn’t mean bulletproof mind you but it does offer some protection. When you visit sites without HTTPS, you are allowing information to travel between your web browser and the website without encryption, which means plain text, which means if someone were snooping, they could see everything you are passing back and forth. EFF.org has an extension for Chrome and Mozilla that forces HTTPS. It is called HTTPS Everywhere. I highly recommend running it to help ensure you are on the legitimate sites for things.

 

My WordPress Security Essentials

WordPress Security

If you have run a WordPress site a bit, you may (or maybe you haven’t) noticed that sometimes it feels like your site is a target. If you don’t view your logs, you may not even know. But once you start watching a little closer you will find just like every other site on the Internet people, bots, and zombies like to come and rattle our door knobs to make sure your doors are locked. And if they aren’t, they will just walk on in and if they are, some will try every key on their key ring to make sure your doors really are locked.

Having hosted many a WordPress site mostly for fun and rarely for profit, I have used a lot of free or nearly free tools to protect my sites. It is only in the last two years I have started to pay more money to be sure my sites were not easily compromised. So here are some suggestions on some good ways to protect your site.

1. Backup and Backup often.

Assume your site will be compromised. If your website were to magically disappear today with all of your content, what would you do to get it back? Re-setting up WordPress is easy. Remember the “famous five minute” install? But your content is irreplaceable. Backup and backup often. If you are self hosted most providers offer ways to backup your site and your database. Remember, you have to backup both pieces if you want to be able to restore everything about your site to original condition. Look for another post that goes into great details about backups and backup options.

2. Don’t make it easy for bots and zombies to log into your site.

Everybody probably hates reCAPTCHAs but they do make it harder for automated attacks to get into your website. One plugin I use is “Are you robot google recaptcha for wordpress“. That is the name of it. There are others but this one works well. Google recently simplified the whole reCAPTCHA process with this. This is what your login will look like after you add it. You will need to have a Google Gmail account so you can log into their API (Application Programming Interface) and get developer keys to run this. This is free and so is the plugin.

Are You A Robot Login

3. Update Update Update

Sure, it is a challenge. You can’t always be sure if you update your WordPress version to the latest your plugins or customization will still work. But if you installed WordPress 4.0, there was a major security flaw found and they quickly released 4.1. Meanwhile hackers discovered the flaw and began writing stuff to exploit it. The same is true with plugins. Sometimes well meaning plugins have major flaws. If you follow security bulletins offered by some security sites, you can almost keep up. But it is important to update and it is of course important to test after the update to be sure your site still works.

4. Two Factor Authentication

If you aren’t using Two Factor Authentication on every possible website you can, then you should be. It is super easy to add TFA to your WP site. First go and download the plugin “Google Authenticator” from WordPress.org. Second before you install it, go and download the Google Authenticator app for your mobile device (either Apple or Android). Before you activate this, you will want to be able to scan a QR code from your mobile device so that adding it to your phone (after you install the app) is easy. Secondly, once you enable this, it is kind of like locking one set of doors before the real set. You will have to know your Google Authentication code and your password to log in from now on once you enable it.

Note: To disable this in the event you some how lock your self out of your site, you can temporarily move or rename the Google Authenticator plugin out from under the plugins directory.

By default it does not enable itself on all accounts on your site. So you have to visit each account and enable it. Here are what the settings look like for each user.

Google Authenticator Settings

And after you enable it, your login screen looks like this. So when you login, go to the Google Authenticator app on your phone and get the current code to log on.

Google Authenticator Login

 

For security reasons I can’t show you my authenticator screen but here is what the screen looks like except there will be an entry for your WordPress site on your phone.

 

Google Authenticator Screenshoot

 

5. Don’t let “people” try to login over and over again.

WordPress does not by default limit the number of login attempts allowed. But a simple plugin called “Limit Login Attempts“. This sets limits on the number of times you allow someone (or something) to attempt to login. And it locks the account if they try so many times. And it can email you after so many attempts if you want. You can set time limits on lockouts and duration times as well.

Limit Login Attempts

 

6. Firewalls help keep the “evils” out

I looked for a free firewall plugin. I settled on “WordFence Security“. It has grown on me and is now my “Go To” plugin when someone says “Help! People are rattling my website”. WordFence scans your site, shows you when something has changed that shouldn’t have. Granted sometimes those alerts are false positives. It will block IP addresses from things that keep trying over and over to get into your site. It has advanced blocking features and also does Caching (if you want to speed up the performance of your site). A post on Caching and other performance tuning will be done at a later date. And lastly when my site was constantly under attack from certain countries, I was forced to buy the premium version of WordFence to allow me to block by country. I want my site to be viewable to the world but sometimes you have no choice so I paid for a license and I now block a few countries as they constantly rattled my doors. This cut down dramatically on any attacks I was receiving. Also, I like being able to easily see the logs of who has visited my site. It is always nice to see Google and Bing have visited me each day to index their site for their search engines.

Conclusion

There are certainly other products in the market to secure your site such as Sucuri, which scans your website and claims to be antivirus and firewall. I am also told they will help clean up your site in the event you have been hacked (for a fee of course). And there is iThemes Security Pro which has a plugin that works a lot like WordFence. I would certainly consider all three and decide what seems the best fit for you.

Stay Safe Out there!