Category: GDPR

An SSL certificate does NOT mean you have a secure website

Is that news to you? If it is you really MUST read this.

I’ll keep it short and sweet and keep technical jargon to an absolute minimum.

You need an SSL certificate but it really does not mean your website is secure. Let me explain…

SSL certificate TLS secure connection

Cryptographic protocols, Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS), allow secure communications over the internet. You can see in the address bar of this site the green SECURE label and the lock, which tell you that you are where you are supposed to be and that no one can snoop on or tamper with your communications with this site.

SSL/TLS certificates ensure a secure connection. That’s it.

They do not ‘secure’ your website.

SSL/TLS certificates are issued by a Certificate Authority (CA) and are stringently verified against the owner of the website to which they are issued. When you connect to a site with a certificate, the browser goes through a series of checks to make sure that all is present and correct. Assuming that it is, the connection is established.

Filed under: Best practice, GDPR, Security

Are you gambling on your data security?

Has your web developer left the back door open?

Your web developer has a responsibility to make sure that you receive the right advice about your data security, so that your business does not inadvertently expose sensitive data. There are tens of thousands of so-called WordPress developers. They most often use WordPress because it is easy to build a site and, crucially, you don’t have to know how to code, program or use a database. They just point and click. This is how nearly all WordPress websites are created. This is also where nearly all of the vulnerabilities creep in.

If your directories are not secured, then they will be accessible to anyone, including Google, a hacker or even a competitor. If Google has not been specifically told not to index information, it just sucks it up and makes it available to find in a search.

So is it data security protection ignorance or arrogance?

If you don’t know how WordPress works under the bonnet, you can’t fix it, so it’s mostly ignorance. But if you don’t even think it’s a problem, and you’ve never bothered to look into it, then that is perhaps arrogance. In what I do, I come up against the latter all too often. Developers with vulnerable sites are just not interested; they are not taking data security seriously, as I keep finding out. The new GDPR compliance should help, but only if developers take notice.

How do you check your website?

I have put together a handful of tests to help you. They are completely free to use and you’ll find them here: https://formapps.co.uk/wordpress-website-testing/

Or, you can drop me a line and I’ll take a look for you, in confidence of course.

How do you get it fixed?

Fortunately, for most websites it’s not a massive job and the site can be secured fairly quickly, depending of course on the vulnerabilities. But don’t leave it to chance. Get secured now.

Please share this article and help raise awareness of these issues.

Thank you for taking the time to read this and I hope you stay safe and secure.

Filed under: Best practice, Business, GDPR, Security

The easiest way to detect if WordPress is not secure

How easy is it to find your login page?

WordPress wp-admin

If you can type /wp-admin after your domain name and get this screen below, then please read on. Find out how easy it could be to hack into your site.

What about the username and password?

Now we need the login credentials. Both of these could be brute forced fairly easily, especially if the defaults (user ID 1 with the username Admin) have not been changed. But what if we could find the username?

It may be easier to find your login ID (username) than you think. Scan your site with the Hacker Target WordPress Security Scan and see if your User IDs are available. You are looking for something like this:

exposed user IDs

Is user enumeration possible? That is to say, are your user IDs showing, as in the screenshot above?

If so then all it takes is a brute force attack on your password field, and that is a lot easier than you could probably imagine.

What is a brute force attack?

A brute force attack is an automated script that guesses your password. Usually, this takes the form of checking against a list of known passwords.

Statistically, there’s a 91% chance that your password is within the first 1,000 entries on a list of 10,000 passwords that is freely available on the internet. So, it will probably only take a couple of minutes to hack your website this way.

Feeling vulnerable?

I would. I know what can happen.

Filed under: Best practice, GDPR, Security