
Archive for the ‘Web hosting’ Category

SSL: Protecting Your Website and Customers   3 comments

Posted at Sep 6, 2016 @ 8:47am Web hosting


SSL certificates are crucial for websites that offer anything for sale as they provide a level of privacy and security that is necessary to ensure that customers are comfortable shopping there. In fact, many people will simply leave their full shopping cart in your virtual aisle and refuse to purchase anything from your website if they realize that it does not have an SSL certificate.

Secure Sockets Layer (SSL) is used to transmit private information online in a manner that keeps it private. Customers will know that any information that they provide you is being kept safe from prying eyes if https:// precedes your website address, and a lock icon is located to the left of it. Banks and other major financial institutions have used SSL certificates, which were initially developed by Netscape in 1994, for some time.

 

How Does It Work?

The data that is being sent is immediately encrypted, causing somebody attempting to hack into it to not be able to read it as all they will see is an undecipherable list of letters and numbers. The information will then arrive on the recipient’s end after being unencrypted into its original form so that it can be read and utilized as was originally intended.

Data being sent without the use of SSL certificates could either be hijacked by a hacker and then used for their usually nefarious purposes or it could even be altered en route to its destination without the sender or the recipient realizing that any changes had been made to it.

These digital certificates also ensure that the personal and private data is being sent to the secure site it’s supposed to go to and not being diverted to one that could be malicious.

 

It Works Both Ways

Any information that those running a website send to interested parties is also encrypted when using SSL certificates. These can include newsletters, promotional codes and vouchers as well as any information that you send during the purchasing process that you want to ensure is not intercepted and stolen or altered en route.

 

Indirect Benefits

Using SSL certificates is a wonderful way to increase your website’s search engine optimization (SEO). In 2014, Google announced that it will be giving rankings boosts to websites using this layer of protection. Although having this level of trust in your website is not going to impact the search engine results as much as the quality of your content, it will give you a leg up as far as search engine results go when competing against otherwise similar websites. Google may also increase its importance down the line.

 

Differences

Single certificates cover one domain name. Wildcard certificates are valid for one domain name and any subdomains underneath it. Multi-domain certificates are good for multiple domain names.

Domain validation certificates offer the most basic level of protection; they cover basic encryption and verify that the person whose name or email address is associated with the website has control over it. However, they do not verify exactly who this individual or company is or how much control he or she has over the website’s content or where information sent through it actually goes.

Organization validation certificates provide a more thorough validation process by checking on the applicant’s credentials and doing things like making sure the individual or company’s physical address matches up with the application and that they have a legal right to own and run that website. Businesses should at the very least use this certificate as domain validation certificates just do not provide the safety and trust that is usually necessary.

Extended validation certificates are the ones that offer the most security as a thorough examination is conducted before it is provided, assuring visitors that the individual or company being represented is accurate and that the entity possesses the rights necessary to operate that website. These certificates should be used by any websites that ask customers to provide especially sensitive information such as credit card numbers.

 

Which Certificate to Get?

Websites that garner a low level of traffic and do not ask visitors for information more personal than usernames and passwords can use domain validation certificates. A couple of the main benefits of going this route are that these certificates are more affordable and issued much more quickly.

However, if you are or will be receiving a decent amount of traffic or asking your visitors for any financial information or other sensitive data such as addresses, telephone numbers or social security numbers, you should at least get an organization validation certificate.

The extended validation certificates do provide the most protection and trust, but they are also the most expensive and take the longest to receive. Medium to large organizations tend to be the ones most apt to purchase these, but you should definitely consider it if you are or plan to be in one of those categories.

At TurnKey Internet we offer SSL certificates on all of our hosting plans as well as include a free SSL with every Reseller and SEO package. If you have any questions regarding which SSL solution is right for you or how to get started, feel free to email our support team (helpdesk@turnkeyinternet.net).


Written by David Maurer on September 6th, 2016


No not Pokemon, teenage bugs are attacking your website server   no comments

Posted at Jul 26, 2016 @ 9:36am Web hosting


Unfortunately, despite the trend, the bugs I’m referring to are not Pokemon.

Instead, they’re easily exploitable security bugs, discovered 15 years ago, that have reemerged, leaving your website or server potentially open to hijackers.

It’s being called the “httpoxy flaw” and it exists in a variety of server software, including PHP, Go, Apache HTTP server, Apache TomCat, and Python. If exploited, it can potentially be used to seize control of your website and access sensitive data.

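Httpoxy is a set of vulnerabilities that affect applications running in CGI or CGI-like environments. Essentially it comes down to a simple namespace conflict: the gateway exposes a request header named Proxy to the application as the environment variable HTTP_PROXY, the same name many HTTP clients read to find their outgoing proxy. This, in turn, can be exploited to configure outgoing proxies, allowing attackers to remotely execute malicious code.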
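The namespace conflict can be shown in a few lines. The following Python sketch is an added example, not code from the original post or from any affected project; the header values, addresses and function names are constructed for illustration. It builds the environment a CGI gateway would hand to an application, shows a request's Proxy header landing in HTTP_PROXY, and applies two defences: dropping the header at the edge and ignoring HTTP_PROXY inside a CGI request.

```python
# Added example: the httpoxy namespace conflict and two mitigations.
# All names, hosts and addresses here are constructed for illustration.

# RFC 3875 (CGI): a request header "Foo-Bar" reaches the application as the
# environment variable HTTP_FOO_BAR. Two headers are passed without the prefix.
UNPREFIXED = {"content-type": "CONTENT_TYPE", "content-length": "CONTENT_LENGTH"}


def cgi_environ(headers, server_env=None):
    """Build the environment a CGI gateway would pass to the application."""
    env = dict(server_env or {})
    env.setdefault("REQUEST_METHOD", "GET")
    for name, value in headers.items():
        lower = name.lower()
        key = UNPREFIXED.get(lower, "HTTP_" + lower.upper().replace("-", "_"))
        env[key] = value
    return env


def naive_outbound_proxy(env):
    """What an HTTP client that blindly honours HTTP_PROXY would use."""
    return env.get("HTTP_PROXY")


def strip_proxy_header(headers):
    """Edge mitigation: drop any client-supplied Proxy header (any case)."""
    return {k: v for k, v in headers.items() if k.lower() != "proxy"}


def outbound_proxy(env):
    """Application-side mitigation: ignore HTTP_PROXY inside a CGI request.

    REQUEST_METHOD is set by the gateway, so its presence means the HTTP_*
    variables may come from request headers rather than the administrator.
    """
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY")


def requests_with_proxy_header(records):
    """Detection: return the request records that carry a Proxy header."""
    return [r for r in records if any(h.lower() == "proxy" for h in r["headers"])]


# Constructed sample requests (documentation address ranges only).
SAMPLE_REQUESTS = [
    {"client": "198.51.100.7",
     "headers": {"Host": "shop.example", "Accept": "*/*"}},
    {"client": "203.0.113.9",
     "headers": {"Host": "shop.example", "proxy": "http://192.0.2.10:8080"}},
]

if __name__ == "__main__":
    for record in SAMPLE_REQUESTS:
        env = cgi_environ(record["headers"])
        filtered = cgi_environ(strip_proxy_header(record["headers"]))
        print(record["client"],
              "naive:", naive_outbound_proxy(env),
              "| after header filter:", naive_outbound_proxy(filtered),
              "| CGI-aware client:", outbound_proxy(env))
    print("flagged:", [r["client"] for r in requests_with_proxy_header(SAMPLE_REQUESTS)])
```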

Red Hat, Microsoft, The Apache Software Foundation, Nginx, CloudFlare and others have released security advisories in an attempt to warn users of the httpoxy flaw.

Based on the affected software, specific CVE (Common Vulnerabilities and Exposures) numbers have been assigned: CVE-2016-5385 in PHP; CVE-2016-5386 in Go; CVE-2016-5387 in Apache HTTP server; CVE-2016-5388 in Apache Tomcat; CVE-2016-1000109 in PHP-engine HHVM; and CVE-2016-1000110 in Python. Researchers expect more CVEs coming for httpoxy as less common software is inspected.

Luckily if your website is hosted on TurnKey Internet’s cloud hosting platform (https://turnkeyinternet.net/linux-cpanel-web-hosting/) you are already protected. If you have any questions or additional concerns, feel free to email our support team (helpdesk@turnkeyinternet.net) and we would be more than happy to assist you.


Written by David Maurer on July 26th, 2016


Securing WordPress against the Hordes of Bots   no comments

Posted at May 10, 2016 @ 6:20am Web hosting


WordPress is one of the most popular third-party scripts used on websites. Each and every time WordPress releases an update or a patch, the reasoning behind the update is publicly released, and often it’s security related. This is so all developers are aware and can update their code accordingly. This factor alone makes your site a target. Not to scare anyone reading this, however in a recent study WP White Security reported 70% of WordPress sites are vulnerable to attacks!

The majority of hacked sites are compromised for the sole purpose of sending spam. TurnKey Internet and other web hosting services cannot guarantee your site will not become compromised, due mainly to third-party plugins and modules that often modify or alter WordPress in ways that even the main security aspects of WordPress can’t anticipate. TurnKey Internet makes sure your site is secured against a large scale of attacks and has a restoration plan if needed, utilizing the multiple online cloud backup services we offer with our hosting services. The last thing a hacker wants to do is spend a large amount of time accessing your site. The more road blocks, the faster the malicious user will lose interest and move on.

Before I get too far ahead of myself, let me first explain how your site becomes compromised. I believe understanding how malicious users are gaining access, and what they are doing, is important when securing your site. While there is a vast scale of techniques a hacker can use, the main ways a malicious user will gain entry to your WordPress site were grouped in the following categories by WP White Security:

41% – Security vulnerability on the hosting platform. Nothing to worry about on TurnKey Internet’s web hosting server platforms, as we are constantly updating the servers with the latest security releases and patches, as well as keeping all services on the server up to date, in addition to having the most advanced firewalls and intrusion detection systems in place. If you have a dedicated or VPS server and would like TurnKey to review your server, shoot us a support ticket; we’d be more than happy to investigate.

29% – Outdated WordPress Theme which can open security holes

22% – Outdated WordPress Plugins which can open security holes

51% of reported compromised sites are due to an outdated theme or plugin. This is completely preventable! When your plugin or theme is compromised, this makes it possible for a hacker to inject eval(base64_decode(...)) code. This allows the hacker to run a PHP function from the site. These are PHP mailers the malicious user uses to send spam from your account.

8% – Due to a weak password. This is where brute force attacks are successful. Hackers use a script to continuously generate random passwords until they have gained access to your dashboard.
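To check a site for the injected eval/base64_decode code described above, a file scan is a reasonable first pass. The following Python script is an added example, not part of the original post; the file names and sample contents are constructed, and the encoded string in them is a harmless placeholder. It walks a directory tree and reports PHP files and line numbers where eval is applied to base64_decode output, including the common variant with a wrapper call in between.

```python
import os
import re
import tempfile

# eval( ... base64_decode( on one line, allowing whitespace, a leading '@'
# and wrapper calls such as gzinflate( between eval and base64_decode.
INJECTION = re.compile(
    rb"\beval\s*\(\s*@?\s*(?:\w+\s*\(\s*)*base64_decode\s*\(", re.IGNORECASE
)
PHP_EXTENSIONS = (".php", ".phtml", ".inc")


def scan_php_tree(root):
    """Return sorted (relative_path, line_number) pairs that match INJECTION."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            # Read as bytes: tampered files are often not valid UTF-8.
            with open(path, "rb") as handle:
                for lineno, line in enumerate(handle, start=1):
                    if INJECTION.search(line):
                        hits.append((os.path.relpath(path, root), lineno))
    return sorted(hits)


# Constructed sample files for the demonstration.
SAMPLE_FILES = {
    "wp-content/themes/old-theme/functions.php":
        b"<?php\nfunction theme_setup() {}\n@eval ( base64_decode('ZWNobyAxOw==') );\n",
    "wp-content/plugins/stale-plugin/cache.php":
        b"<?php eval(gzinflate(base64_decode($_x)));\n",
    "wp-content/plugins/good-plugin/api.php":
        b"<?php\n$body = base64_decode($payload); // legitimate decode, no eval\n",
    "wp-content/uploads/readme.txt":
        b"eval(base64_decode('...')) mentioned in a text file\n",
}


def write_sample_tree(root):
    """Write SAMPLE_FILES under root, creating directories as needed."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)


def demo():
    """Scan a temporary copy of the sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        return scan_php_tree(root)


if __name__ == "__main__":
    for rel, lineno in demo():
        print(f"{rel}:{lineno}: eval(base64_decode(...)) pattern")
```

A match is a lead for manual review rather than proof of compromise, and a clean scan does not rule out code hidden by other encodings.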

First and foremost, make sure everything is updated to the latest version.  Each time WordPress releases an update, the update is addressing a security threat.  This is why keeping the script updated is important.  As mentioned previously, due to the popularity of WordPress the exploits patched are publicly released.  This allows developers to adjust their coding accordingly.

In version 3.7, WordPress added a feature to allow automatic updates. This sounds wonderful, except by default it only applies to minor updates. The WordPress team did this to prevent sites from automatically breaking when updated. (Typically this happens if your plugins are not continually updated by the developer.) You can add the following lines of code to the wp-config.php file and all core updates will be automatic.

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

Alternatively, if you would like to take control and complete all the updates yourself, you can add these lines instead.

# Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

Since more than half of WordPress sites are hacked due to outdated themes or plugins, be picky as can be with the ones you activate.  Pay attention and investigate the themes and plugins you are using.

Not all plugins and themes are actively maintained by their developers.  Only use plugins that are updated regularly.  If the plugin or theme hasn’t been updated in 6-9 months, there is a good chance the developer is no longer maintaining their theme or plugin.  Stick with WordPress developers.  You can download tons of plugins and themes directly from WordPress.org.

Do you honestly need that plugin?  If it is not necessary for your site, deactivate it and remove it.  Not only does it take your site longer to load, you’re providing more chances for a malicious user to find a backdoor.

Lock down who has access to your WordPress dashboard.  The easiest way to complete this is by adding a few lines of code into your .htaccess file.  As with all aspects of web hosting case sensitivity is important.  Please note where the capitalization is when implementing this code into your .htaccess file.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from 111.111.111.111
</Files>

You will want to exchange 111.111.111.111 with the IP address of the machine you are connecting from.  If you are unsure of the IP, Google “what is my IP” from the device you would like the IP of.

Hey, that’s great but what if I need to access the dashboard from the office and from home?  No worries, you can add additional ‘Allow from’ statements.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from 111.111.111.111
Allow from 222.222.222.222
</Files>

Limit the number of login attempts an IP address can have before your server blocks the IP. If this is a new install using Softaculous, there is an option ‘enable the number of login attempts’ listed in the preinstall screen. If you have already installed WordPress, I recommend using the Limit Login Attempts plugin.

Do not use the default “admin” username. On new installs you are given the ability to choose the username. If you already have WordPress installed you can change the username in the dashboard. Once logged in, access account settings, and click the “change” link next to your username. From there you can follow along with WordPress to change the username.

Change your passwords often and make sure you are using a strong password. I know this can sometimes be overwhelming and often hard for some users to remember. However, it is extremely important. A good way to remember the password is to use a short sentence or phrase. Make sure to do something like replace vowels with numbers or make them capital.

W3bh05t1ngK1ng

1R0ckth3w3B

The above are far more secure than using:

password

123456

Johnny

Change the WordPress default table prefix. You may have noticed that all your core WordPress files start with ‘wp’: wp-config, wp-login, wp-admin, etc. Changing the prefix can help prevent SQL injections.

The table prefix is defined in the wp-config file.

$table_prefix = 'wp_';

PLEASE NOTE – Changing the table prefix in the wp-config file will not change the tables in the database.

In a fresh install you have the ability to set the table prefix to something other than wp. If you have already installed WordPress, I have found the iThemes Security plugin to be the quickest way to complete this task. If you prefer to not have a plugin complete this task, you can do so manually. It is a bit time consuming and you will need to make sure to rename each WordPress table, update the usermeta table and update the options table. Of course you will want to back up the database before making any changes.

Make sure your file permissions are correct. WordPress states only the following permissions should be used:

Directories should be 755 or 750

Files should be 644 or 640

Your wp-config.php should be set to 600
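A read-only audit of those three rules, as an added example (not WordPress or TurnKey code): it walks a WordPress directory and reports every entry whose mode differs from the values listed above. The function names and the sample tree are constructed for illustration, and the script assumes a Unix-style filesystem.

```python
import os
import stat
import tempfile

# Modes taken from the list above.
ALLOWED_DIR = {0o755, 0o750}
ALLOWED_FILE = {0o644, 0o640}
ALLOWED_WP_CONFIG = {0o600}


def allowed_modes(path, is_dir):
    """Pick the rule that applies to one directory entry."""
    if is_dir:
        return ALLOWED_DIR
    if os.path.basename(path) == "wp-config.php":
        return ALLOWED_WP_CONFIG
    return ALLOWED_FILE


def audit_permissions(root):
    """Return sorted (relative_path, actual_mode, expected_modes) violations."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)]
        entries += [(os.path.join(dirpath, name), False) for name in filenames]
        for path, is_dir in entries:
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue  # a symlink's own mode is not meaningful
            mode = stat.S_IMODE(info.st_mode)
            allowed = allowed_modes(path, is_dir)
            if mode not in allowed:
                expected = "/".join(format(m, "03o") for m in sorted(allowed, reverse=True))
                findings.append((os.path.relpath(path, root), format(mode, "03o"), expected))
    return sorted(findings)


# Constructed sample tree: three entries deliberately break the rules.
SAMPLE_DIRS = {"": 0o755, "wp-content": 0o755,
               "wp-content/uploads": 0o777, "wp-includes": 0o750}
SAMPLE_FILES = {"wp-config.php": 0o644, "index.php": 0o644,
                "wp-includes/version.php": 0o640,
                "wp-content/uploads/photo.jpg": 0o666}


def build_sample_tree(root):
    """Create the sample tree under root with explicit modes (umask-independent)."""
    for rel in SAMPLE_DIRS:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, mode)
    for rel, mode in SAMPLE_DIRS.items():
        os.chmod(os.path.join(root, rel), mode)


def demo():
    """Audit a temporary copy of the sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, actual, expected in demo():
        print(f"{rel}: mode {actual}, expected {expected}")
```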

Your wp-config file is extremely important.  I recommend protecting this file in the .htaccess as well.  To do so place the following lines of code inside your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Speaking of protecting important files.  The wp-includes directory contains the majority of files needed to run WordPress.  There is absolutely nothing in this directory a user will need.  With that being said, I recommend adding the following lines of code to the .htaccess file to protect these files as well.

# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Block access to the xmlrpc.php file as well.

<Files xmlrpc.php>
order allow,deny
deny from all
</Files>

xmlrpc.php, this file is the worst! While the features of this file sound neat (connect to your blog via text or email, send trackbacks or pings), it has been used to take down a large number of servers through DDoS attacks. You can read more on these attacks here – https://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html

Since we are already protecting our files in .htaccess, we might want to protect .htaccess as well. To do so, use this code.

<Files .htaccess>
order allow,deny
deny from all
</Files>

Great, now my site is secured.  What about that restoration plan you mentioned earlier?

Backup, backup, backup! I cannot stress this enough! If by chance a hacker is able to break through all these security measures we have put in place, the fastest way to get your site back up is by restoring a backup.

Depending on what service you have with TurnKey, we do provide backups. However, it is not the responsibility of TurnKey to maintain your backups. You should not rely on our backups and should keep your own backups as well. Our terms of service allow you to keep one (1) full account backup stored on the server. TurnKey recommends taking backups of your account weekly or even daily, connecting with an FTP client and storing the backup in a secure location.

While WordPress does offer automatic updating services, we have disabled some of the PHP features required for this service to work on our shared hosting platforms. The reason is that we do not allow the use of PHP execute. This is for security purposes.

Inside your control panel you have the ability to take full account backups and database backups. I strongly recommend doing so.

TurnKey also offers a backup add-on service called TurnKey Vault, which we highly recommend for anyone with a dedicated or cloud-based server, so you can protect your data. If you need any assistance with completing any of the tasks listed in this blog, email our support team (helpdesk@turnkeyinternet.net) and we would be happy to assist you.

Happy blogging!


DROWN Attacks – Web Encryption No Longer Safe – Is My Web Site at Risk?   no comments

Posted at Apr 28, 2016 @ 9:07am Web hosting

Encryption fills the headlines with stories of APPLE and decoding iPhones – but with all the security challenges and cyber threats today, it’s getting hard to have a web site, computer, or mobile device and not realize your data is not as private as you once thought. Encryption is what protects (hides) the details of what we do online on certain web sites – keeping your private banking or purchasing data (or online traffic) hidden from prying eyes. But last month a new threat called DROWN was publicized that essentially meant many web sites you shop, visit or utilize that you thought were secure and private via their https SSL encrypted access turned out to not be so private.

DROWN, standing for Decrypting RSA with Obsolete and Weakened eNcryption, is an example of a cross-protocol attack that exploits weaknesses in the widely used online encryption protocol, SSLv2. Using weaknesses in the SSLv2 implementations against TLS (transport layer security), hackers can “decrypt passively collected TLS sessions from up to date clients.” Or in simpler terms, hackers and anyone can see what you are doing, your personal details, and more when you thought you may have been protected by that SSL ‘lock’ symbol next to the web site you were shopping or visiting.

TLS is probably the most important security protocol on the internet. Almost every action you take on the internet relies on the use of a TLS version. Not just you accessing a web site, but a lot of the behind-the-scenes things like email transmission, database connections, and sending files between servers for backups.

Fortunately, the latest versions of OpenSSL do not utilize SSLv2 connections by default. However, if your certificate or key is being used in another location on a server that supports SSLv2, you could be at risk, for example through the mail service (POP, IMAP, SMTP connections).

A DROWN attack would be able to decrypt HTTPS connections by sending specially crafted packets to another server. If the certificate is on more than one server, it is possible a MitM (man in the middle) attack can be successful.

Isn’t SSLv2 deprecated? Why is this still a threat? In the early 2000s SSLv2 was still supported by browsers, to be used as a fallback protocol. An attacker could easily trick the browser into using an older protocol. Thankfully, this is no longer an issue if you are using a recent version of your web browser.

While browsers are no longer supporting SSLv2, most servers still do.  Most servers are configured to use both TLS and SSLv2.  This means both protocols would use the same RSA private key.  Therefore, any bugs in the SSLv2 protocol that use the private key, potentially could affect the security of TLS.

While this all may sound a little scary, as most security vulnerabilities do, TurnKey Internet takes all security avenues very seriously. Our web hosting servers and software are always kept up to date. If your account is on any of our shared hosting packages, you have nothing to worry about. Just in case you want to test your site’s security against DROWN, or that of the server your account is hosted on, please feel free to do so here – https://drownattack.com/#check You will need to use the IP address your site is living on and not your domain name – which you can easily find by using a DNS lookup service such as http://www.getip.com/.

If you need assistance finding your web site’s IP, or reviewing your security, please send us a support ticket (helpdesk@turnkeyinternet.net) and we would be happy to tell you.

Cloud Backup Business Continuity : Prevention That Sizzles   no comments

Posted at Feb 2, 2016 @ 9:20am cloud,Web hosting

When discussing Cloud Backup with our staff here at TurnKeyVault.com I am reminded of a saying from the late Billy Mays: “Prevention doesn’t Sell”. The famous pitchman, and star of his own reality show “PitchMen”, often said that your product has to have a visual “wow”, and prevention based products just don’t sizzle because you can’t effectively demonstrate and produce the WOW effect for potential buyers.

Backing up your data, to the cloud or otherwise, is basically prevention; prevention from disaster, your own financial and corporate demise, is what you ultimately are hoping to achieve. Recently some new advances in the cloud backup space have come to market, specifically business continuity backup services, that have added some new WOW to a prevention based product line, giving it some new sizzle that is getting the attention of business owners and IT managers alike. It may not have the visual WOW effect on TV of getting a stain out of a shirt, but the right backup solution will save you time, and ultimately keep you employed if you ever need it.

 

Cloud backups

When I say cloud backup, what immediately comes to mind? I personally imagine a white, puffy cloud in the sky that resembles a vault. Was that what came to mind for you? If not, that’s quite all right. A cloud backup is a piece of software that takes a snapshot of your server or desktop computer and then stores the data in the cloud. What exactly do I mean by the cloud? The cloud is a piece of software or data that is stored off-site and can be accessed from any location. Cloud backups allow for greater flexibility than a local disk or tape backup. A disk backup or tape backup has the limitation of only being able to access the data locally, and it can be damaged, lost or stolen, leaving you without your backup data when you need it most. Even with cloud backup, getting back up and running after a disaster requires that you set up new computers, copy back your data, and in many cases reconfigure and re-install most of your applications. That’s how local and cloud backups have done things for years and quite frankly it doesn’t sizzle any more like it used to.

Now there is some WOW factor – the next generation of cloud backup service offered by TurnKeyVault.com offers live cloud replication and complete business continuity. Cloud Replication allows restoration of your cloud-based backed up data to any virtualized server in rapid fashion. That means you can restore your desktop or server, including the entire operating system, applications, licenses, settings, and all your data, to a perfect copy just as it was before the disaster struck. Providers like TurnKey Vault even offer fully automated cloud replicated desktops and servers that utilize cloud-based infrastructure to make your data available instantly and allow you to access them remotely from anywhere in the world. The key aspect here, the sizzle, is that cloud replication removes the bottleneck of the traditional backup technologies that would rely on local internet service providers’ bandwidth availability, and saves potentially hours of business critical time waiting for your systems to be back in working order.

Should a disaster occur in which your infrastructure is no longer available or accessible to be restored, the need to purchase new hardware and set it up in a new office can be completely eliminated. Utilizing cloud infrastructure you can be back online in minutes, not days. Employees can continue their work from home, remotely accessing images of their old workstations running live in the cloud, ensuring your business does not skip a beat.  Prevention may not sizzle on TV commercials – but in the IT world, knowing there is a business continuity plan regardless of possible disaster scenarios will leave you thinking of the WOW of your new backup plan.

 

 

 


Written by Adam on February 2nd, 2016


Did Your Web Site survive Mobilegeddon? Is your Web Site Mobile-Friendly?   no comments

Posted at Jan 26, 2016 @ 9:36am Web hosting

 

It’s been less than a year since Google’s April 21st changeover that created what was thought to be mobilegeddon – where web sites that didn’t meet Google’s design and layout plans for being mobile friendly would be pushed down in the rankings (penalized if you will) to encourage more web sites to be universally accessible and usable. You see, big changes came to Google’s search algorithm, more specifically to the ranking of sites that are mobile-friendly. You may be wondering what exactly I mean by “mobile-friendly” and how having a “mobile-friendly” website can increase your Google SEO rankings. In order to clear up your confusion on mobile-friendly websites, let me start by asking you another question. Have you ever tried to view your favorite website on your cell phone or your mobile device? Chances are that in this information driven, technological day and age, you’ve at least attempted to view one website on your mobile device. How was it? Did the site look as you thought it would and work properly? Or did you see a funky website with styling out of whack and no idea how to navigate this crazy looking website?

 

You see, my friend, that site wouldn’t be considered “mobile-friendly”. If you haven’t figured out what a “mobile-friendly” website is by now, then let me enlighten you. A mobile-friendly website is a website that has been designed for your mobile phone. This could mean the website looks completely different, however, the basic functionality of the site is still there. For example, go to yahoo.com in your computer browser and then go to yahoo.com on your phone. Notice any difference? You see, yahoo is a great example of how a mobile-friendly website is supposed to function. The site when viewed on your phone may be slightly different, however, the site is still providing the same content.

As more and more users view websites on mobile devices, Google decided that it’s time to make it easier to find relevant, mobile-optimized websites. To do this, Google will now use mobile-friendliness as a factor in ranking search results. If you’ve not created a mobile-friendly website, no worries, as Google has provided guides on how to create a mobile-friendly website and also a mobile-friendly website tester.

Also, in addition to favoring mobile-friendly websites, Google announced that it will include content from mobile apps when ranking search results. Google is terming this App Indexing and it requires manual activation for your app content to be scanned and appear on search results.

With all of that being said, many people passed over “Mobilegeddon” without realizing it – and maybe now is a good time to re-review what you thought was mobile ready and where Google thinks you are, and if you didn’t prepare last year then now is the time to consider revamping your web site.

Is your website mobile-friendly? If not sure or you want some tips check the links below:

https://developers.google.com/webmasters/mobile-sites/get-started/?utm_source=wmc-blog&utm_medium=referral&utm_campaign=mobile-friendly

https://www.google.com/webmasters/tools/mobile-friendly/?utm_source=wmc-blog&utm_medium=referral&utm_campaign=mobile-friendly

https://developers.google.com/app-indexing/webmasters/details?utm_source=wmc-blog&utm_medium=referral&utm_campaign=mobile-friendly

 


Written by Adam on January 26th, 2016


Will Your Local Grocery Store Be Selling Cloud Hosted Services Next?   no comments

Posted at Jan 12, 2016 @ 9:34am Web hosting

Will your local grocery store be selling cloud hosted services next? This may seem like a silly question but the reality is big companies in many markets like HP, Dell, and major telecom companies have chased the cloud services market spending billions. The theory is anyone can get in on the cloud services gold rush.

 

The great Cloud Services gold rush is real – for the last few years major corporations like HP, AT&T, Verizon, TechData, Dell, and many more have spent billions trying to re-tool their tired business models into new trendy cloud-services models. The unfortunate problem is that they each keep coming up short, and shuttering the doors. HP announced the end of its cloud services at the end of 2015. AT&T already handed over full control of its managed hosting to IBM and is rumored to be in talks to sell off the $2B in datacenter and hosting assets shortly. Centurylink, one of the nation’s largest telecom companies, recently stated they are “considering alternatives to data center ownership” to exit the hosting market. Telecom power house Windstream sold its datacenter and hosting business in 2015 to exit the market. The list goes on, and in 2016 we are sure to see others strategically and not-so-strategically exit the cloud services and datacenter market place.

There is no question as to why every company on earth seems to be trying to get into the cloud services market: the perception of great riches and a perceived low barrier to entry (people think it’s as easy as buying or renting some computers and putting up your virtual lemonade-for-sale sign). But the reason why even the deepest of pockets on earth can’t make those cloud services businesses profitable and viable, at the same time as cloud service companies continue to flourish, grow, and show industry and sector growth rates and profitability, has major hedge fund managers, investors, and CEOs scratching their heads as each major player unceremoniously exits the market.

The reason for success (and unfortunately failure) is so simple, it’s literally in the name – Cloud Services – and that is the word SERVICE. That would be service you can provide only with experience – when it’s your core product, your core competency, and you have been doing it for many years with a customer-focused vision to deliver what the client wants. The word I believe best describes it would be hubris. So many big companies thinking they can successfully translate selling or delivering groceries, CDs, software, desktop PCs or computer parts into a cloud infrastructure and cloud services company comes at a large price tag: billions lost by these companies that are shuttering the doors and pulling the plugs on their cloud services gold rush attempts.

When was the last time you called any of the failed ventures from the company names above to ask for help, or get some good old-fashioned customer service?  Customer Service – talking to someone, hand-holding a client as they transition to the cloud and genuinely having someone present to answer questions and help – is the cornerstone of what made the Web Hosting industry successful for key players over the last 20 years, helping those players evolve into today’s cloud services companies that remain successful.  When was the last time you called the telephone company for help, and how did that go for you?  Exactly – and that’s why customers, revenue and growth flock to where there is genuine customer service.  Service comes with experience of course, and you don’t just become a successful cloud services company overnight.

Don’t get me wrong – there is a place for non-customer-service-oriented offerings in the cloud landscape for do-it-yourselfers and through partnering service companies that add that layer on top of a cloud infrastructure offering.  AWS has captured the lion’s share of the market space with that strategy, but that didn’t come overnight; it evolved over 20 years.

There is a great quote in the 2011 movie Margin Call from actor Jeremy Irons that sums it up – “there are three ways to make a living in this business: be first, be smarter, or cheat.”  And I don’t think you are going to see any of these PC makers or telephone companies accused of cheating their way to the top of the cloud services race while they fight over each other to sell off and unplug their cloud business units in the next few years.  The cloud service companies that have been around and made the right investments long ago in people, infrastructure, and culture will continue to succeed by delivering and focusing on what customers want.  Those that try to jump into the cloud services gold rush hopefully have the right core competencies and culture to support a cloud services business model.  So next time you are at your grocery store, feel free to ask one of the cashiers or managers if they’ve heard any rumors about their grocery chain expanding into cloud services any time soon.  You might be surprised at the answer.


Written by Adam on January 12th, 2016

Drupal Web Site Security Alert : Forged Password Reset URLs   no comments

Posted at Mar 24, 2015 @ 8:57am cloud security,Web hosting

While you may have been urged by Drupal to update your software late in 2014 due to SQL injection attacks that compromised Drupal 7 sites, Drupal has released versions 6.35 and 7.35 to address a few newly discovered vulnerabilities within their software.

According to an advisory from Drupal’s security team, one of the vulnerabilities being addressed allowed password reset URLs to be forged. This allows malicious users to gain access without knowing the password.
In Drupal 7 this vulnerability is limited to sites where accounts have been imported or edited in ways that result in the password hash in the database being the same for multiple user accounts.

In Drupal 6 this vulnerability can be exploited on sites where administrators have created multiple user accounts with the same password, as well as where accounts have been imported or edited in ways that result in the password hash in the database being empty for at least one user account. Drupal 6 sites having an empty password hash, or a password with an easily compromised string in the database, are extremely prone to this vulnerability.
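The conditions described above (a password hash shared by several accounts, or an empty one) can be checked directly in the site database. The following is an added example, not Drupal's or TurnKey's code: it runs an audit query against an in-memory SQLite stand-in filled with constructed rows. The `users` table and its `uid`, `name` and `pass` columns follow Drupal core's schema; the function names are hypothetical, and the query needs adapting to your own database and table prefix.

```python
import sqlite3

# Constructed sample rows standing in for Drupal's `users` table.
SAMPLE_USERS = [
    (0, "", ""),                             # anonymous placeholder row, ignored below
    (1, "admin", "$S$constructed-hash-AAAA"),
    (2, "alice", "$S$constructed-hash-BBBB"),
    (3, "bob", "$S$constructed-hash-BBBB"),  # same hash as alice (e.g. imported account)
    (4, "carol", ""),                        # empty hash
    (5, "dave", "$S$constructed-hash-CCCC"),
]

# Flags real accounts (uid > 0) whose hash is empty or shared with another account.
AUDIT_SQL = """
SELECT u.uid, u.name,
       CASE WHEN u.pass IS NULL OR u.pass = '' THEN 'empty' ELSE 'shared' END AS issue
FROM users u
WHERE u.uid > 0
  AND (u.pass IS NULL OR u.pass = ''
       OR u.pass IN (SELECT pass FROM users WHERE uid > 0
                     GROUP BY pass HAVING COUNT(*) > 1))
ORDER BY u.uid
"""

def build_sample_db():
    """Create the in-memory stand-in database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn

def audit_password_hashes(conn):
    """Return (uid, name, issue) for every account matching the advisory's conditions."""
    return conn.execute(AUDIT_SQL).fetchall()

if __name__ == "__main__":
    for uid, name, issue in audit_password_hashes(build_sample_db()):
        print(f"uid={uid} name={name}: {issue} password hash, set a new password")
```

Accounts the query returns should be given new, unique passwords in addition to applying the core update.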

The second vulnerability Drupal’s team has patched is the ability for malicious users to devise a URL that sends visitors to a 3rd party website.

Drupal modules use a destination query parameter to redirect users to a new destination after completing an action. Malicious users can use this destination parameter to construct a URL that will fool users by redirecting them to a 3rd party website. Several URL related API functions in Drupal 6 and 7 can be fooled into passing through external URLs when that was not the intention, leading to open redirect vulnerabilities.

This vulnerability has been downplayed because a large number of uses of the destination parameter are not vulnerable to the attack. However, all confirmation forms built using Drupal 7’s form API are vulnerable! Drupal has also stated some Drupal 6 confirmation forms are vulnerable too.
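To see whether requests carrying an external `destination` value are reaching your site, the web server's access log can be scanned for them. This is an added example, not code from the advisory: the log lines (common log format), client IPs and host names are constructed, and `is_external` and `find_external_destinations` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines; addresses and hosts are documentation placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2015:09:01:11 +0000] "GET /user/login?destination=node/12 HTTP/1.1" 200 5120
203.0.113.9 - - [24/Mar/2015:09:02:40 +0000] "GET /node/7/delete?destination=http%3A%2F%2Fthird-party.example%2Fpromo HTTP/1.1" 200 4411
198.51.100.7 - - [24/Mar/2015:09:03:02 +0000] "GET /node/7/delete?destination=admin/content HTTP/1.1" 200 4380
198.51.100.8 - - [24/Mar/2015:09:04:15 +0000] "GET /user/login?destination=%2F%2Fthird-party.example HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_external(destination):
    """True if the value names another host instead of a path on this site."""
    parts = urlsplit(destination.strip())
    return bool(parts.scheme or parts.netloc)

def find_external_destinations(log_text):
    """Return (client_ip, path, destination) for requests whose destination leaves the site."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # parse_qs percent-decodes the value, so encoded URLs are compared in clear form
        for dest in parse_qs(url.query).get("destination", []):
            if is_external(dest):
                hits.append((line.split()[0], url.path, dest))
    return hits

if __name__ == "__main__":
    for ip, path, dest in find_external_destinations(SAMPLE_LOG):
        print(f"{ip} requested {path} with external destination {dest}")
```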

Drupal versions affected:

Drupal core 6.x versions prior to 6.35

Drupal core 7.x versions prior to 7.35

How to rectify these vulnerabilities? Update to the latest versions.

If you use Drupal 6.x, upgrade to Drupal core 6.35

If you use Drupal 7.x, upgrade to Drupal core 7.35

Those using TurnKey Internet’s Web Hosting with Drupal can simply log in to the cPanel control panel, click on the Softaculous icon, and update the Drupal version from there, or from the Drupal control panel of the installed copy on your web site.  If you have any questions, contact our customer service team, or keep posted on our help desk at http://helpdesk.turnkeyinternet.net/


Written by admin on March 24th, 2015


The SSL POODLE that Bites – SSL 3.0 Issues for web sites   no comments

Posted at Feb 22, 2015 @ 11:20am internet security,Web hosting

When I say POODLE, what do you think of? Is it a fluffy dog? In most cases, I would be referring to the fluffy dog, but for this article, we will be focusing on a security vulnerability. I’m not sure if you’re aware, but if you’re currently using SSL version 3.0, you will need to perform some updates to the SSL daemon on your server. SSL stands for Secure Sockets Layer. An SSL certificate is what every ecommerce site should have. It allows you to securely process payments through your website. In fact, if you’re taking orders from your clients, you should be using SSL. SSL certificates add another layer of security and trust for your clients. If you’ve not read my post on PCI compliance and you’re running an ecommerce site, you should read my post on PCI compliance here: (Insert link to PCI compliance post)

 

With SSL, as with any piece of software on the internet, there are different versions. SSL version 3.0 is nearly 18 years old. It is no longer secure, yet it remains in widespread use across the internet. Nearly all browsers support SSL version 3, and in order to work around bugs within HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. This retrying of failed connections with SSL v3 allows the POODLE exploit to be initiated. The POODLE exploit works due to the nature of the failed connections and allows for a possible leak of your customers’ data when processing orders. You can read more about the specifics of the attack here:

 

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

 

Browsers and websites should turn off SSLv3 in order to avoid compromising users’ private data.  The most straightforward method is to disable SSL 3.0 entirely, which you can see how to do at the links below; however, this can cause a myriad of compatibility issues. Therefore, the recommended option is to enable TLS_FALLBACK_SCSV. The links below show you how to properly secure your server’s SSL daemon. These options resolve the issue of retrying failed SSL connections. TLS_FALLBACK_SCSV also prevents hackers with know-how from downgrading connections from TLS 1.2 to 1.1 or 1.0.

 

 

For WHM/cPanel servers –  https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

 

For DirectAdmin servers – http://forum.directadmin.com/showthread.php?t=50105

 

For Plesk servers – http://kb.sp.parallels.com/en/123160
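How TLS_FALLBACK_SCSV stops a forced downgrade is easiest to see from the server's side of the handshake. The sketch below is an added example, not code from any of the linked guides: it parses a ClientHello and applies the server rule from RFC 7507, which defines the signalling value. The ClientHello bytes are constructed by `build_client_hello`, and all function names are hypothetical.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600   # signalling cipher suite value from RFC 7507
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def build_client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample input, no extensions)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a TLS record holding a ClientHello."""
    if len(record) < 46 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    (version,) = struct.unpack_from("!H", record, 9)
    pos = 9 + 2 + 32                        # skip client_version and random
    pos += 1 + record[pos]                  # skip session id
    if len(record) < pos + 2:
        raise ValueError("truncated ClientHello")
    (suites_len,) = struct.unpack_from("!H", record, pos)
    raw = record[pos + 2 : pos + 2 + suites_len]
    if suites_len % 2 or len(raw) != suites_len:
        raise ValueError("bad cipher suite list")
    return version, [s for (s,) in struct.iter_unpack("!H", raw)]

def server_decision(record, server_max):
    """Apply the RFC 7507 server rule to one ClientHello."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return "alert inappropriate_fallback"   # client fell back although we speak newer
    return "negotiate"

if __name__ == "__main__":
    suites = [0xC02F, 0x002F]               # two real suite IDs, used as sample values
    scsv = suites + [TLS_FALLBACK_SCSV]
    cases = [
        ("first attempt at TLS 1.2", build_client_hello(TLS12, suites), TLS12),
        ("retry at SSL 3.0 with SCSV", build_client_hello(SSL3, scsv), TLS12),
        ("retry at SSL 3.0 with SCSV, SSL 3.0-only server", build_client_hello(SSL3, scsv), SSL3),
        ("retry at SSL 3.0 without SCSV", build_client_hello(SSL3, suites), TLS12),
    ]
    for label, hello, server_max in cases:
        print(f"{label:48} -> {server_decision(hello, server_max)}")
```

The last case shows the limit of the mechanism: a client that does not send the signalling value still negotiates SSL 3.0 with a server that has it enabled, so only turning SSL 3.0 off removes the exposure completely.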

 


Written by Jeremy on February 22nd, 2015


Search Engine Ranking Benefits through SEO and IP Addresses – Google Says So!   no comments

Posted at Jan 27, 2015 @ 10:45am Web hosting

Did you know that in August 2014, Google announced that HTTPS would become a ranking credential? This is news worthy of mention and note, as Google rarely reveals ranking criteria, and more so because it confirms that the SEO optimized hosting at TurnKey does in fact raise your rankings for SEO systems (at least with Google, now confirmed).

You can read more about Google’s comments here: HTTPS as a ranking signal [PDF].

HTTPS adds a layer of encryption, Secure Sockets Layer (SSL), on top of HTTP or web traffic. This adds additional security to standard HTTP communications or web communications. SSL certificates are required for e-commerce sites, especially if you want your site to be PCI compliant. You can see my post on PCI compliance here: https://blog.turnkeyinternet.net/web_hosting/pci-dss-compliance-in-the-cloud-for-web-sites-servers-and-colocation/ .   Having an SSL certificate is essential on an ecommerce site because of the secure transmission of sensitive information like credit card numbers, personal information, and login accounts.

If your website or blog begins with https://, you have likely received an uptick in Google’s rankings. This is currently a lightweight signal meaning that it doesn’t affect your site rankings greatly, but experts believe it will become stronger in the near future.

To turbo charge your web site’s rankings, be sure to use SSL certificates with a dedicated IP address on your web site. TurnKey offers an all-in-one ‘turnkey’ solution to help you increase your search engine ranking: our Turbo SEO cPanel Web Hosting bundles multiple dedicated class-C IPs and SSL certificates for one low cost in a simple-to-use interface.

Do You Need an SSL Certificate for Your Website?

REQUIRED: All websites should have some form of protection on them. This protection can come in many forms; however, if you’re going to be taking any type of data from your customers such as credit cards, phone numbers, emails, or any personal information, you need to ensure that the data is transferred securely. SSL certificates remain one of the most robust ways to do this.

As an online merchant, it’s your responsibility to make sure your customers’ private information is secure. If you are storing credit card information in a database on your website so you can manually charge it later, then you need an SSL certificate to secure the credit card data stored on your server. If you have any sort of log-in form where customers enter a username and password, then on top of sanitizing the input from the user, an SSL certificate is highly recommended.

NOT REQUIRED: An SSL certificate is optional if you don’t gather personal information and instead forward your customers to a 3rd party payment processor like PayPal. This can be done as simply as embedding a PayPal button on your website. PayPal uses their own certificate to encrypt customers’ transactions.  HOWEVER, you can still benefit from SSL for search engine rankings, so it’s worth the investment but not REQUIRED for this category.

What Webmasters Should Do Now?

Decide the kind of certificate you need: single, multi-domain, or wildcard certificate. (More on this in a minute.)
Use 2048-bit key certificates.
Use relative URLs for resources that reside on the same secure domain.
Use protocol relative URLs for all other domains.
Don’t block your HTTPS site from crawling using robots.txt.
Allow indexing of your pages by search engines where possible by avoiding the noindex robots meta tag.

Purchase an SSL Certificate from TurnkeySSL.com

Turnkey Internet is a trusted reseller of GlobalSign SSLs. The GlobalSign SSL certificates include domain validation, quick issuance, and re-issues, among many other options such as adding a full trusted bar in your browser that allows visitors to see your SSL is trusted across the web.

Turnkey Internet has multiple types of SSL certificates for secure communication with business, system, portals, mail and more.

Our TurnKeySSL alpha certificate  is ideal for small business, blogs, and personal websites which costs $29 per year.

The TurnkeySSL Professional certificate is  ideal if you wish to have multiple subdomains covered (example: corp.yourdomain.com and web.yourdomain.com). This Pro level SSL certificate has full organization vetting which provides higher levels of trust and includes a malware site scan service. This is also preferred for service providers and SEO companies. $150 per year.

Lastly, TurnKeySSL Extended Validation (EV) Certificates are the most secure and offer visitors the green bar and enhanced sales. It also includes malware site scan service. The green address bar that comes with a TurnkeySSL Extended certificate prominently displays your company name, providing immediate trust and improving customer conversions. This certificate is $899 per year.

Keeping your certificate always up to date is recommended, as you never want your clients receiving any SSL warnings when purchasing a product from you. Ideally, you would set the certificate to auto-renew annually. You can always check the expiration date by clicking the padlock symbol and then “View Certificate”. Test your entire checkout process in Firefox, Google Chrome, and yes, even Internet Explorer.

Once again, you can go directly to turnkeyssl.com to purchase any of the SSL types mentioned above.

Until next time…


Written by Jeremy on January 27th, 2015
