Best Free Security Tools


SSL is the standard security technology for establishing an encrypted link between a server and a client, usually a web server and a browser, but it can also be a mail server and a mail client.

Without encryption, information is sent in plain text. If someone is able to intercept the data, they can see and use it. So entering a credit card number or login information on an unsecured site is dangerous and must be avoided. A secured site's address starts with "https", as this site's does. Browsers also show the "padlock" icon.

To enable an SSL connection, a website requires an SSL Certificate (CRT). The CRT contains information about the domain, company, address, city, state, and country. It also stores the expiration date and details of the Certification Authority (CA) responsible for issuing the certificate.

When a browser connects to a secure site it retrieves the site's CRT and checks that it has not expired, that it has been issued by a CA the browser trusts, and that it is being used by the website for which it was issued. If any one of these checks fails, the browser displays a warning to the end user that the site is not secure.

Let's Encrypt is a free, automated, and open CA. However, demonstrating ownership of a domain requires running software that uses the ACME protocol on the server, which needs shell access. For the non-techies, SSL for Free, FreeSSLCertificate, and ZeroSSL are sites that make the entire process much easier. These services have one issue: the Let's Encrypt certificate, for all its good intentions, expires after only 3 months, after which it has to be renewed. Cloudflare offers free SSL if you use their service, and renewal is automatic. Web hosting services offer free Let's Encrypt SSL via their control panels, like cPanel and CloudPanel.

Here's how to generate the CSR using cPanel. ZeroSSL's CSR Generator can be used as well. It has an option to create a 4096- or 2048-bit key. The 2048-bit key works like a charm.

If you are technically knowledgeable, a CSR can also be produced with OpenSSL on your local PC.

Creating a CSR also generates a cryptographic key pair: a private key and a public key. Anything encrypted with the public key can only be decrypted using the private key, and vice versa. The private key must be kept secret at all times; not even the CA sees it.

The resulting downloadable CSR data file, which also contains the public key, is then submitted to the CA, who in turn validates it and issues the CRT. To validate the domain, the file-based option is better, as you only need to upload a text file. After the CRT is generated, download it as a "Server Certificate" with the .pem extension.

When installing the CRT on the site, the server will match it with the private key. If they match, the website will be able to establish encrypted and secure communication with the visitor's browser. Here are instructions for installing the CRT in cPanel. It's possible to supply just the CRT and private key and skip the CA Bundle entry.

To check whether the SSL certificate was installed properly, use SSL Shopper's SSL Checker. SSL Labs has an SSL Server Test tool that provides comprehensive information other tools don't show.
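The key, CSR and certificate steps above, as an added example that is not part of the original post: it generates a 2048-bit key and CSR with OpenSSL and then runs the same checks a server or an SSL checker makes on the result (does the CSR or certificate carry the public half of this private key, which domain was it issued for, how long is it valid). The subject values are constructed placeholders, and the self-signed certificate stands in for the CRT a real CA would return.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is installed.
# Subject values are constructed placeholders; self_sign stands in for the CA.
set -eu

# make_csr DIR DOMAIN -> DIR/DOMAIN.key (keep secret) and DIR/DOMAIN.csr (what you send to the CA)
make_csr() {
  # -nodes: no passphrase on the key, so the web server can load it unattended
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$2" >/dev/null 2>&1
  chmod 600 "$1/$2.key"   # private key: owner read/write only
}

# self_sign DIR DOMAIN DAYS -> DIR/DOMAIN.pem (stand-in for the CA-issued "Server Certificate")
self_sign() {
  openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days "$3" -out "$1/$2.pem" >/dev/null 2>&1
}

# pubkey_of FILE -> PEM public key extracted from a .key, .csr or .pem/.crt file
pubkey_of() {
  case $1 in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -noout -pubkey ;;
    *.pem|*.crt) openssl x509 -in "$1" -noout -pubkey ;;
    *) return 1 ;;
  esac
}

# matches_key FILE KEY -> exit 0 only when FILE (CSR or certificate) was made from KEY
matches_key() {
  a=$(pubkey_of "$1"); b=$(pubkey_of "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_cn CERT -> the Common Name (domain) the certificate was issued for
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_valid_for_days CERT DAYS -> exit 0 while the certificate still has more than DAYS left
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage: make_csr . www.example.com; matches_key www.example.com.csr www.example.com.key
```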

Safari is quite strict when it comes to security certificates; in case of an "untrusted" error, just disable the TLS 1.0 and 1.1 protocols.

To spare yourself the hassle of the entire process, most web hosts with cPanel or WHM offer AutoSSL with Let's Encrypt support. If there's an issue with the SSL certificate, such as it having expired, just remove the existing cert via SSL/TLS, then Manage SSL Sites in cPanel. After removing the defective cert, go to SSL/TLS Status, select the domain and run AutoSSL.

Now that you have secured the site, you need to redirect all HTTP traffic to HTTPS. Do this by adding the following as the first rewrite rule in the .htaccess file found in the "public_html" directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If using WordPress, force users to use HTTPS with Easy HTTPS Redirection. Most web hosting control panels nowadays have an option to do this.

To fix mixed content issues, add this tag in the head section:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

To resolve the Shopify Ajax cross-domain restriction, use an app proxy. When creating an app, take note to always use the full pair when defining scopes, and follow the steps on how to generate a token.

If the website hosts resources that are shared with the public, such as CSS or a JavaScript library, you need to ensure that these files aren't hacked or compromised. One way to do this is with Subresource Integrity (SRI). SRI Hash and Report URI generate the hash and the code from the resource URL provided.

Before using SRI, enable Cross-Origin Resource Sharing (CORS) on the server by adding this line to .htaccess:

Header set Access-Control-Allow-Origin "*"

More configurations specific to different web servers are available at Enable-CORS.
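What the SRI generators above do for a URL, done locally with OpenSSL, as an added example that is not part of the original post: it computes the integrity value for a script file, emits the script tag with the crossorigin attribute the CORS header above makes possible, and applies the check a browser performs before running the file. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is installed.
set -eu

# sri_hash FILE [ALGO] -> "ALGO-<base64 digest>"; sha384 is the common choice, sha256 and sha512 are also allowed
sri_hash() {
  algo=${2:-sha384}
  printf '%s-%s\n' "$algo" "$(openssl dgst "-$algo" -binary "$1" | openssl base64 -A)"
}

# script_tag URL FILE -> <script> element pinning URL to the digest of the local copy FILE
script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' "$1" "$(sri_hash "$2")"
}

# sri_verify FILE INTEGRITY -> exit 0 when FILE still matches INTEGRITY, 1 when it was altered
sri_verify() {
  algo=${2%%-*}               # algorithm prefix before the first "-"
  [ "$(sri_hash "$1" "$algo")" = "$2" ]
}

# Usage: script_tag https://cdn.example.com/app.js ./app.js
```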

Use Google's CSP Evaluator to review Content Security Policy (CSP) policies; a strong CSP is an effective mitigation against cross-site scripting attacks.

To put authentication in place for a protected resource, use JSON Web Tokens. The JWT site provides a list of libraries to use. Here's a simple tutorial using PHP and jQuery.

If you use Mautic and can't log in because you forgot the password and it isn't able to send email, you can use this bcrypt generator to generate a new password hash and store it in your database. Works like magic.

---

Password problems? Have you already decided on what password to use? If not yet, no worries. A password is no small thing. Choose an easy one and your account might be compromised in a few minutes. To help secure your online accounts, check out the cool resources below.

Read guides on how to create the "perfect" password from The Drum, ZDNet and Lemonly. Here's a nice article, How I'd Hack Your Weak Passwords, from Lifehacker.

RandomKeyGen is a password and key generator, useful when a secret key is needed. It can generate Fort Knox quality keys. VPNMentor's Password Generator is also worth checking.

So now that you have a password in mind, how would you know that it is really "strong"? Kaspersky has a password strength checker that's fun to use. You enter the password and it gives you an estimate of how long it can withstand a brute force attack. Mine will take more than 3 centuries, haha.

If you are lazy like me and don't want to sweat over passwords, LastPass is an easy-to-use password manager that also has a password generator. There is no need to download software; just use their browser extension or add-on. Your passwords are stored on their cloud server. They have a free but limited account, which is still good enough. If you organize your passwords properly in folders, you can even use it as a personal landing page with all your online account links and open them in just 1 click. LastPass is now limited to only 1 device. A multi-device alternative is BitWarden; the downside is that the personal free account can't share passwords. Other options are AliasVault, Proton Pass, HeyLogin and Norton Password Manager. KeePass is desktop-based.

As a rule of thumb, passwords for accounts that are very important, like your primary email and online banking or financial services, are never stored online. You need to remember them. For anything else, use a password manager.

Check out these username generators from NordPass and LastPass. For further security, enable the 2FA (two-factor authentication) feature in your online accounts; most services offer it.

What if you were hacked? How would you know? In light of all the news about big company sites being compromised, it's good to be vigilant and get informed if you were a victim. Have I Been Pwned lets you know. Just supply your username or email and it will scan through records of website breaches that have been made publicly available. Here's a list of free tools to check if your data is on the dark web.

---

I was assigned the task of integrating ads from various ad platforms into one of the websites I’m managing. Some of these ads have geographic restrictions. For example, these ads will show up only if the website visitor is from the US. Since I’m from the Philippines, I can’t check if the ads were properly added or not.

This is one of the many situations where a VPN comes in handy. A VPN is a method of securing both private and public networks like the Internet. Once used only by corporations, personal VPNs are now offered by a lot of providers.

One important feature of a VPN is the ability to hide a user's IP and location. Together with encryption, these allow you to avoid censorship and surveillance. In superhero lingo, a VPN gives you the power to teleport and pass through walls.

VPN Gate is an academic experiment project by the University of Tsukuba in Japan. The project’s site has a list of public VPN relay servers provided by volunteers around the world that you can connect to. The service is free, and there’s no need to register. For the technically inclined, there’s FreeLAN, a powerful command-driven tool.

WindScribe offers a free service limited to one device, eight location options, and 10 GB of bandwidth per month. Hoxx VPN is another option. BetterNet is completely free, but requires you to watch a video before connecting. Mullvad offers a cheap VPN costing 5 EUR/month. It's based in Sweden.

Here's LifeHacker's list of free VPN services.

---

If you have a WordPress site, take note of these facts:
In 2017, 83% of all CMS-based websites that were hacked were running WP.
39% of hacked WP websites were using an outdated version of the software.
Almost 50% of WP sites are affected by a security vulnerability caused by an outdated or poorly coded plugin or theme.
Only 8% of WP sites were hacked due to a weak password.
As of 2016, only 11.45% of WP sites use SSL encryption.

To prevent your site from ending up as another of the statistics above, try using the plugins below:

Implement HTTP security headers using the HTTP Headers plugin. Be careful though; learn more about it first. Analyze your security headers with Security Headers.

To confuse would-be hackers, use WPS Hide Login. It "hides" the login URL, wp-login.php, by changing it to something else. Make sure the new URL is hard to guess but easy for you to remember. Here are different ways to hide the login page, and here's a list of plugins to do that.

Salt keys are used by WP to encrypt your passwords, and it is suggested to change them periodically. The keys are generated here. Replace the existing keys with the new ones in the wp-config.php file. Spare yourself the hard labor and do this automatically with Salt Shaker.

To make your login more robust, enable two-factor authentication by installing Security Optimizer by SiteGround. It has a lot of other features, like additional site and login security, an activity log, and post-hack actions. Just set it to remember the device so you don't have to authenticate every time.

Install Wordfence Security; it also has 2FA. If your site is hacked, you can use it to scan and fix any infected files. It has a built-in firewall that's very effective, but it is good practice to use a server-level firewall instead of an application-level one. Most web hosting providers offer a firewall as part of their service. Sucuri offers the firewall feature as a premium; it runs on their servers, and they also offer offsite scans. The Cloudflare plugin offers free DDoS protection among other services.

Other options are BBQ Firewall and the duo of NinjaFirewall + NinjaScanner plugins.

Here's how to scan the WHM/cPanel server for malware. Google Safe Browsing, Sucuri SiteCheck, and VirusTotal offer free website scans. If the site is blacklisted, request removal at BitDefender and FortiGuard. Here are guides on website blacklist removal for Google, McAfee, and Norton.

Now that you have secured your WP site, you need to back it up regularly. For backups, I use the reliable WPVivid or UpdraftPlus. The Backup Migration plugin by BackupBliss comes with 1 GB of free cloud storage space.

If you get hacked, don't panic. If you have a backup, then simply restore it. But in case you don't, still, remain calm. Here's how to fix a hacked site.

The first thing to do is to regain control of your site. That means you have to hack your way back in. Remember, you still have access to the web host's control panel and its built-in File Manager or FTP and phpMyAdmin. Use phpMyAdmin to change the admin username, email and password. Save the new password as MD5. Delete any suspicious users. While you're in the control panel, change the database password. In File Manager or FTP, edit the wp-config.php file, update the DB password and replace the salt keys. Don't forget to clean the file of any malicious code.

In FTP, in case you can't edit the files, check the file permissions; hackers may have modified them. I use this PHP script to "chmod" all files and directories. Next, download the latest WP version. In FTP, remove the infected WP core files by deleting the wp-admin and wp-includes folders. Don't delete wp-content. Then upload the fresh wp-admin and wp-includes directories.

From here, you should now be able to log in. Take a screenshot of the active plugins. Download the latest version of the plugins and, in FTP, upload and overwrite the existing ones. Using Wordfence, scan your site. Wordfence is capable of fixing infected files. But in case it can't, download the entire wp-content directory. Using Notepad++, open the infected file and copy the malicious code, then do a search and replace across all the files in the folder. Repeat this process until no malicious code remains and upload the cleaned files back. Repeat the Wordfence scan and do an offsite scan to confirm.
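The permission reset and the file search from the clean-up above, as an added example that is not part of the original post or the author's PHP script: it resets a WordPress tree to the usual 755/644 modes (wp-config.php to 600), lists PHP files changed in the last N days (core files should not change between updates), and finds every file containing a snippet copied from an infected file. Function names and the directory layout in the test are constructed; run it on the real document root as the file owner.

```shell
#!/bin/sh
# Added example (not from the original post). POSIX sh, find and grep only.
set -eu

# wp_reset_perms DOCROOT -> directories 755, files 644, wp-config.php 600
wp_reset_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  # the config holds the DB password and salts: owner-only
  [ -f "$1/wp-config.php" ] && chmod 600 "$1/wp-config.php" || true
}

# wp_recent_php DOCROOT DAYS -> .php files modified within the last DAYS days, sorted
wp_recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# wp_grep_snippet DOCROOT SNIPPET -> files containing SNIPPET as a fixed string, sorted
wp_grep_snippet() {
  grep -rlF -- "$2" "$1" | sort
}

# wp_perm_mode PATH -> octal mode, works with GNU stat and BSD stat
wp_perm_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: wp_reset_perms /home/user/public_html; wp_recent_php /home/user/public_html 7
```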

You know what's a faster solution? Each web host usually runs its own daily offsite backups, although these are mostly limited to just a few days' worth of copies. If you detected the hack early, then maybe you can recover your site from their copy from several days back.

---

Have an old PC or a used cellphone? Need security at home? AtHome Camera is software that makes these unused gadgets useful again by turning them into surveillance cameras that you can control remotely from a smartphone. It has other features such as pre-scheduled video recording, motion detection, push and email alert notifications, video clip deletion, and a secure connection, and it is free!

PreyProject is a device protection service that keeps track of your mobile, laptop, and tablets and protects their data. It helps you find a device in case you lose it. Android has the Find My Device app.

Do you require more privacy? If yes, then go deep down, to the OS level. Tails is a live operating system that can run from a DVD, USB, or SD card. It preserves your privacy and anonymity by using the Tor network when you browse the internet and by using state-of-the-art cryptographic tools to encrypt your files, emails, and instant messages.

---

For self-defense, the Taurus G3C Series 9mm, Hi-Point Pistol Model C9 9mm, and Armscor/Rock Island Armory A1 CS GI STD MAS 9mm are affordable but reliable handguns.

Affiliate Disclosure: Post may contain links to affiliate websites, and we may receive a commission for any purchases or actions made by you on the websites using such links. Thank You.
