Weblogs

Friday, 01 November 2013

Is it Spam? This week in Comment Spam

Every web, blog or social site is interested in attracting visitors. Generally, visitors find sites by using search engines. Improving the likelihood that your site will be among the links a search engine returns is thus extremely valuable to every site, especially ones that earn revenue from visitors. The higher your ranking is, the more likely your web site or hyperlink will appear on the initial page a search engine presents to users.

Like any other digital commodity that legitimate businesses value , criminals will inevitably attempt to profit by game ranking systems: this misbehavior is called spamdexing. Sites that allow comments are frequent targets for spammers who submit comments that serve no other purpose than to insert a hyperlink that points to a spammer's site. Comment spam shares many characteristics of mail spam, as these samples from my comment moderator panel at Typepad  illustrate:

Commentspam

If published, these comments would include hyperlinks to health improvement products. Some may be scams. It doesn't matter. The comments contribute nothing or may pose a risk to your visitors. And the mere existence of comment spam on your blog or site can suggest that you don't pay attention to comments.  

Show your visitors that you pay attention to your blog:

Comment

Moderate comments. Set up your submission form so that you can review comments before you publish them.

Require a sign-in or CAPTCHA for comments. These don't dissuade all comment spammers but they may defeat automated spamdexing.

Delete questionable comments. Treat this as a coarse filtering activity and be aggressive. You're better off having fewer comments at your site than frivolous, unrelated, poorly composed ones. 

ModerateReport Spam. Many blog or web publishing platforms have a comment moderation panel. If you're confident a comment is spam, report it. If you're uncertain, you can err on the side of caution and delete, or you can check the embedded links against comment spam block lists.

Projecthoneynet.org offers an IP check, and a directory of comment spammer IPs so extract the domain name from the URL, use dig or nslookup to resolve the name to an IP address, and check it. If you are being targeted for comment spam or the volume is too large to manage without automation, consider implementing some of the other Projecthoneynet services: subscribe to and use the Blacklist (http:BL), install a honeypot, or if you don't have administrator privileges and cannot install a honeypot, consider a Quicklink

Posted at 09:30 AM in Anti-Malware and Anti-phishing, Is it Spam?, Rants, Stop Think Connect, Weblogs | | Comments (0)

Thursday, 17 January 2013

Use These WordPress Plugins to Help Secure Your Site

Part I of guest Kim Crawley's multi-part series presented a multi-tiered strategy for protecting sites that run the popular open source WordPress content management system. In Part II, Kim examines plug-ins you can add to further improve WordPress security.

Wordpress2

In How to Protect Your WordPress Site from Hackers, I explain that securing your web site's OS, web server, WordPress CMS, and PHP content will reduce your risk of falling victim to the kinds of attacks we describe in How Hackers Target and Attack Your Site. There are also a number of  WordPress plug-ins and configuration choices that I recommend you install. When used properly, these can harden your WordPress site very effectively.

(Note: Only install plugins offered through your admin panel or under the plug-in directory at http://wordpress.org. Officially released plug-ins are audited for security and scanned for malware. Third party plug-ins may be secure, but it’s best to not to take the risk.)

Follow these five steps to further secure your WordPress site from attack.

Scan for Vulnerabilities

In Part I, I mention the Exploit Scanner plug-in. Run this plug-in regularly against your site to check for vulnerabilities and compromise attempts. Use WP Security Scan along with Exploit Scanner. WP Security Scan will check file permissions, database security settings,  and dangerous default settings. The plug-in reports vulnerabilities it finds, and gives specific advice for how to mitigate these.

Keep in mind that attackers are very familiar with WordPress default settings. In Part I, I recommend changig as many WordPress default settings as possible. One often overlooked default setting is URL generation: hackers can identify yours as a WordPress site by the strings common to default generated URLs. To evade this kind of site fingerprinting, consider using the Stealth Login plug-in to create custom URLs for logging in and out of your site.

Secure your Admin Panel

Attackers want to gain access to your Admin panel. Use Login Encryption to encrypt your login credentials. The plugin uses both the DEA and RSA encryption algorithms to encrypt usernames and passwords and in doing so, protects your site from man-in-the-middle (MITM) attacks that look capture "plain text" credentials.

Protect User Logins

Configure the Limit Login Attempts plugin to prevent brute-force attacks.  With this plug-in, you can set a maximum number of login attempts, and also set the duration of lockouts in between. The User Locker plugin works in a similar way: you can set a maximum number of invalid authentication attempts before the account is locked.

Another excellent plug-in for securing your site’s login is Chap Secure Login. By using that plugin, all of your login credentials, except for usernames, will be encrypted with the Chap protocol and SHA-256 algorithm.

Take Measures to Thwart Spambots

WordPress sites are frequently targeted by spambots. First and foremost, moderate comments posted to your site. I have to spend a lot of time reviewing comments on my site, and the majority of my pending comments have to be marked as spam. Some comment spam simply attempts to increase linked traffic to an affiliate site, but other comments can include malicious, scam, or phishing URLs. 

Install Bad Behavior on your site and log your site’s HTTP requests so that you can better troubleshoot spambot issues. The plug-in can also be used to block access to your site the next time a discovered spambot visits. Use User Spam Remover in combination with Bad Behaviorto remove unused user accounts on your site. You can customize how you define "unused user account" and you can also configure a whitelist.

Add Layers of Protection

Some plug-ins are useful to detect or block suspicious activity. Add Block Bad Queries  block malicious queries made to your site.  This plug-in looks for suspicious strings such as eval( or base64 in request URIs, and also looks for request strings that are suspiciously long.

Add an anti-malware shield to your site.  AntiVirus plugin scans for viruses, worms, rootkits, and other forms of malware. Remember, as with desktop antivirus software, it's important to keep the virus definitions updated.

Closing Remarks

Keeping your WordPress site hardened for security is an ongoing responsibility, just like all other areas of IT and development security. You can’t just configure a number of settings or programs and then forget about it. Your WordPress site should be on a schedule for malware and vulnerability scanning, and logs should be kept and analyzed.

By keeping your WordPress site secure, you’re doing your part to prevent malicious activity that could not only harm websites, but also web servers and user’s PCs, tablets and smartphone devices. As WordPress is such a common CMS on the web, knowledge about the design and configuration of the console is readily available, and certain hacks could work on perhaps millions of websites. Fortunately, knowledge about WordPress security is abundant, for much the same reasons. In the ongoing maintenance of your website and web server, always be security minded. You can then have proper control over your web content, and do your part to make the Internet a better place.

 

References:

Infographic : History of WordPress, N.S Gautham Raj

Hardening WordPress, wordpress.org

Exploit Scanner, wordpress.org

6 simple steps to hardening WordPress, Sam Devol

Hardening WordPress Security: 25 Essential Plugins + Tips, Daniel Smeek

How to Stop Your WordPress Blog Getting Hacked, David SEM Labs

Hardening WordPress Security, Brian Haddock

6 Tips to Secure WordPress from Hackers, John Phillips

Vulnerability Report: WordPress 3.x, Secunia.com

Posted at 06:55 AM in Web/Tech, Weblogs | | Comments (1)

Next »
Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories