
How To Fix Windows Networking Issues After Windows Updates KB4480960 & KB4480970

TL;DR: Head to Control Panel > Windows Updates, click View Update History, click Installed Updates, uninstall KB4480960 (reboot) then uninstall KB4480970 (reboot).

OK, for those who ran into issues this week accessing files, printers, or shared .MDB Access databases (e.g. ConsignPro software users), the cause was two Windows Updates.

Fortunately, the great community over @ /r/sysadmin was all over this.

In short, after Windows Updates rolled-out on Patch Tuesday (1/8/2019), if you have a network of computers where they connect to folder shares, printer shares, etc., they were no longer able to connect.

For those running consignment software, this impacted stores either completely or partially — e.g. ConsignPro uses a file-based database (an MS Access .MDB file) for which a share is set up on the server, and workstations are then pointed to that share via a UNC path. For other consignment programs that utilize a SQL Server-based database management system (e.g. Peeps’ Consignment Software, Liberty Consignment Software, etc.) this didn’t impact the software’s ability to run, but any file-based features — e.g. images, report files, etc. — could be impacted.

The fix — roll-back (uninstall) the two, offending Windows Updates.

Below is a detailed outline of the screens/steps. Hope this helps!

Head to Control Panel > Windows Updates:

https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1121.png

Click View Update History:

https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1114.png

Click Installed Updates:

https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1115.png

Uninstall KB4480960 (reboot) then uninstall KB4480970 (reboot):

https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1115_001.png

Be patient. On systems without SSDs (Solid State Drives), this can take a long time to process. On systems with SSDs, this can still take a bit, but it processes much quicker. You might see ‘Preparing to configure…’ during this process and then ‘Configuring Windows Updates 100%’ for quite some time:

https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1143.png
https://thecomputerpeeps.com/images/snaps/dean/18/2019-01-11_1247.png


Heading To San Antonio for the NARTS Conference? Keep Your Connection Secure With Private Internet Access!

Private Internet Access

Are you heading to the NARTS conference in San Antonio, TX this year? If so, how you connect to the Internet while you travel is something you should be aware of – i.e. your connection is likely not secure.

First and foremost, if you connect to a public/free WiFi hotspot, you need to know that all of your network traffic can be captured. There are a variety of things an attacker can do when he or she has control of your network traffic:

[checklist]

  • Trick you into visiting fake, malicious sites.
  • Collect your sensitive passwords.
  • Collect credit card information.

[/checklist]

Even if you’re not on a public WiFi connection, your ISP or whoever manages the connection, can see any website you visit.

If you’re connecting to a network that is not your home or business network, or if you don’t want your browsing activity to be viewable by your ISP, we recommend utilizing a VPN (Virtual Private Network).

What the heck is a VPN? A VPN creates a secure, virtual ‘tunnel’ across the Internet, through which your network traffic is transmitted. This prevents malicious attackers from seeing your network traffic as you connect to the Internet and other networks.

Which VPN do you recommend?

There are a variety of VPN options out there and a variety of situations to consider, but for a simple, easy, secure connection, we typically recommend Private Internet Access.  We’ve talked about PIA a few times before.

They have a great video that explains exactly what Private Internet Access does to keep you protected:

[hr]

[hr]

Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

PIA alone is not enough to keep a device secure, but it does provide you with a secure connection when you have to connect to public networks.

What are some other security tips you recommend?

[checklist]

  • Prey – Locate your laptop, computers, phones, and tablets if they’re lost or stolen.
  • Device/Disk Encryption – If someone gets your laptop — it doesn’t matter if it’s a Mac or PC — all of your files are fully accessible. It means absolutely nothing if you have a password — all of your files can be viewed and copied directly from your hard drive. There are a variety of disk encryption options out there and we could dedicate a post to just this topic. Newer versions of Android and iOS are encrypted by default. Many mobile OSes allow you to enable encryption if it’s not enabled by default. There are also 3rd-party encryption programs, such as the final build of TrueCrypt.
  • Antivirus – I don’t care if you’re running Windows or Mac OS X, you should be running antivirus, period. If someone tells you otherwise, they’re being cocky and they likely are not personally responsible for your computer’s security. Not just any antivirus either. Stick with one of the top-performing antivirus solutions — we typically recommend ESET NOD32 Antivirus. Whatever you do, do NOT use Microsoft Security Essentials. It does not work, and anyone who recommends it should stop doing that – they’re 100% incorrect.
  • Do Not Use Internet Explorer or Safari – Our first recommendation is Firefox. Some people have been falsely told that “Chrome is the best, install it and you’re secure!” We hope to dispel that notion. Chrome is definitely a better alternative to Internet Explorer and Safari; however, simply switching to either Chrome or Firefox is not enough. You need to be concerned with ad-blocking, Javascript blocking, and malicious changes to your browser, as well as click-jacking. This is why so many Mac users are getting their browser nailed with malware. Instead of letting a website just run whatever it wants in the background (and no, this isn’t stuff you have to enter a password for), you should stop all websites from running anything and only allow websites you truly trust. Right now, you’re letting any website you click run wild. It’s much better to take the option that NO website can run wild, except for the ones you explicitly trust. This is why we typically recommend Firefox, as the NoScript + uBlock/AdBlock Plus/AdBlock Edge + Public Fox combo is hands-down the most effective Web Browser configuration @ preventing unwanted downloads or changes in/to the browser itself.
  • Do Not Login As Admin/Root – Whether it’s a Mac or PC, it is better to log in as a ‘restricted’ account instead of a user that has full access to do anything to your system.

[/checklist]

As always, if you have any questions, don’t hesitate to call us @ (888) 374-5422.

[hr]

Featured Image Source: Private Internet Access

Protect Yourself from ISPs Selling Your Personal Information

Private Internet Access - How It Works

Everything you do on your Internet connection can be seen by your ISP. That information, while you might not care who sees it, is about to become a commodity to be sold and utilized in ways you might not approve of.

We discussed VPNs and keeping your connection private while online, but many think that’s only when you’re on public networks, such as WiFi hotspots.  With your personal and business Internet browsing being fully accessible and up for sale, keeping any/all Internet activity private is something many might be interested in doing.

We still recommend Private Internet Access.

They have a great video that explains exactly what Private Internet Access does to keep you protected:

[hr]

[hr]

Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

So don’t think a VPN is just for when you’re traveling.  Whether you’re at home or your consignment store, toggle that VPN on and keep your personal browsing habits, just that.

Liberty’s SMTP Relay Doesn’t Meet Modern Security Standards

Liberty SMTP Relay Doesn't Meet Modern Security Standards

We’ve been through this once before @ Liberty not being compatible with secure email systems such as Google:

[hr]

http://thecomputerpeeps.com/2013/02/consignpro-and-liberty-are-incompatible-with-gmail/

[hr]

We’re here again. Liberty is still incompatible with modern, secure email systems, so RSW released the SMTP Relay utility — a stand-alone utility you install on each of your computers, which sends emails on behalf of Liberty. It, too, doesn’t utilize modern security standards.

If you try to utilize Liberty’s SMTP Relay utility along with Google/Gmail, it will fail to send emails:

[hr]

Liberty SMTP Relay Fails to Send Emails through Google

[hr]

In your Google inbox, you’ll see a handy message telling you why:

[hr]

Liberty SMTP Relay Doesn’t Meet Modern Security Standards

[hr]

From an app that doesn’t meet modern security standards.

Simple as that.

When software attempts to send emails, it has to follow certain rules, especially when it comes to SSL/TLS.  Certain techniques simply aren’t considered ‘modern’ and will be blocked by secure email providers such as Google.

Google offers a workaround for this though — i.e. enable the ‘Access for Less Secure Apps’ (https://www.google.com/settings/security/lesssecureapps) feature:

[hr]

Google’s ‘Allow Less Secure Apps’ Setting

[hr]

ConsignPro suffers from this too.

Both vendors could easily fix this issue and any outside consultant or developer can verify what I’ve outlined above.

USPS Directing Customers To A Fake Website

USPS Hijacked Domain

So, I went to the USPS the other day to drop off a few packages. While I was there, I inquired about PO Boxes. The clerk handed me a pamphlet with details about how to apply for a PO Box. The pamphlet didn’t list any prices though and instead tells customers to visit a website for pricing info:

[hr]

USPS Hijacked Domain

[hr]

Seems like a nifty little domain name someone involved in marketing came up with.  I first visited the site on my mobile device and got this:

[hr]

Fake Website

[hr]

That’s weird, why is the website calling me a ‘UPS Customer’, when I’m visiting a website the USPS told me to visit?  While I use Firefox with uBlock Origin ‘locked-down’ pretty tightly @ ads, redirects, etc. uBlock Origin still allowed that fake site through and the redirect to take place.  Also, look at the address bar — I’m not at ‘yourotheraddress dot com’ anymore, I’m at some ‘survey’ website.  Neat!

When I try visiting that page on an actual computer, using Firefox with NoScript and uBlock Origin, I get the following:

[hr]

Fake Shipping Website

[hr]

Someone’s clearly tried to make the page look like an ‘official’ shipping website, but that’s a pretty janky looking website — and definitely not the USPS’.

Keeping Javascript blocked, the site still redirects to the following landing/parked page:

[hr]

‘yourotheraddress’ Landing Page

[hr]

And finally, if I enable Javascript, the site is able to load its remaining content, and uBlock Origin then detects the ad site doubleclick dot net:

[hr]

USPS Redirecting to Ad Sites

[hr]

So who owns this domain name?  Not the USPS.  If I do a whois lookup on the domain, it’s registered at a domain registrar in Shanghai and the server is located in Australia:

[hr]

USPS Domain Lost & Re-Registered in Shanghai

[hr]

While I didn’t detect any immediate malware from these redirects, this is a pretty serious issue.  The USPS registered a domain name to use for advertising purposes.  In 2011, they forgot to (or just didn’t) renew the domain.  Someone else came along and bought it, taking over ownership.  That new owner has created a fake shipping website to try and make it look like what visitors expect, when they’re told to go there by the USPS.  Ads lead to malware, but more importantly, the owner of this domain can redirect visitors to anywhere they’d like.

So, due to the USPS neglecting to keep hold of a domain name they used in advertising, they’ve created a bit of a security hole and are putting customers at risk.

I contacted the USPS directly by phone and they referred me to a customer service department.  I was told this new department would be able to look into this and get to the bottom of it.  That wasn’t the case though.  When I spoke with customer service, they were a bit confused as to what I was explaining and simply asked that I go back to the USPS office where I was first handed the pamphlet, to let them know about the issue.

I tweeted USPS about this as well, but never heard back:

[hr]

[hr]

Since the USPS isn’t taking ownership of this issue and since they’re relying on me, a customer, to go around to each of the local post offices to tell them about this, there’s really nothing I can do other than bring this to the attention of those who utilize the USPS — specifically, anyone who inquires about a PO Box and wants to find out how much one costs.

The moral of this story — big companies, even the government, make major mistakes and let simple things fall through the cracks, putting individuals at risk.

An Open Letter To the Consignment Software Vendors

Dear Consignment Software Vendors,

You each have programs that hundreds, even thousands of customers have spent thousands of dollars on.  They utilize your programs to run their businesses.  These are real people, who work very hard, and who make your companies what they are today.

Consignment software and software in general, is a unique industry in that, to those on the outside, it can seem that software development is ‘magic’ or something only someone special can comprehend.  Software is like sausage – you don’t want to see how it’s made.

Software developers are normal human beings, who make mistakes.  They can be under time constraints or budget constraints.  Just like there is more than one way to install flooring in your home, there is more than one way to solve a problem with software.  Their solution to a problem, isn’t always the best one – sometimes, it’s the least-expensive or quickest one and sometimes, that causes problems for the users of the software.  As a user who spends $1,000 on a program, they can’t help but have the expectation that the developer attempts to own and fix every legitimate bug presented to them, and spends all day, every day, looking at the ways they can improve their software to make it easier to use, more stable, less error-prone, and more reliable.

A common response you’ll hear from the vendors is, “All software has bugs.”  You’re right, but to utilize that response to all bugs and deficiencies in your software, is a cop-out.

There is this seemingly-gray area where the software vendors will blame issues with their software, on the computers you’re running it on, or on some “seemingly far-beyond-your-understanding” issue that is so complex and ultimately, not an issue with their software.

Vendors, it’s time to stop this. Not for us, but for your customers. The Computer Peeps don’t get a “kick” out of proving your software is the issue or needs to be improved. This is not a game, these are not opinions. We ask on behalf of your customers that you stop denying the issue is your software when it is 100% verifiable. You make yourself come off worse than if you would simply own up to the verifiable issue and let your customers know you’re going to take steps to fix it. You’re wasting our time, and more frustrating is when you make your customers waste not hours, not weeks, but months on an issue.

So please, for the benefit of your paying customers, we ask that you stop putting up such walls when legitimate issues are brought to your attention.

The Computer Peeps look forward to seeing a positive change amongst the vendors and regardless of what the vendors do or don’t do, The Computer Peeps will continue to be stewards of proper and secure system configuration.

Sincerely,

The Computer Peeps

Heading To Scottsdale for the NARTS Conference? Keep Your Connection Secure With Private Internet Access

Private Internet Access - How It Works

Are you heading to the NARTS conference in Scottsdale, AZ this year? If so, how you connect to the Internet while you travel is something you should be aware of – i.e. your connection is likely not secure.

First and foremost, if you connect to a public/free WiFi hotspot, you need to know that all of your network traffic can be captured. There are a variety of things an attacker can do when he or she has control of your network traffic:

[checklist]

  • Trick you into visiting fake, malicious sites.
  • Collect your sensitive passwords.
  • Collect credit card information.

[/checklist]

Even if you’re not on a public WiFi connection, your ISP or whoever manages the connection, can see any website you visit.

If you’re connecting to a network that is not your home or business network, or if you don’t want your browsing activity to be viewable by your ISP, we recommend utilizing a VPN (Virtual Private Network).

What the heck is a VPN? A VPN creates a secure, virtual ‘tunnel’ across the Internet, through which your network traffic is transmitted. This prevents malicious attackers from seeing your network traffic as you connect to the Internet and other networks.

Which VPN do you recommend?

There are a variety of VPN options out there and a variety of situations to consider, but for a simple, easy, secure connection, we typically recommend Private Internet Access.

They have a great video that explains exactly what Private Internet Access does to keep you protected:

[hr]

[hr]

Private Internet Access, or PIA, is available for the following platforms:

[checklist]

  • Windows
  • Mac OS X
  • Android
  • iOS

[/checklist]

PIA is dead-simple to use – just click Connect… that’s it…

[hr]

Private Internet Access

[hr]

PIA alone is not enough to keep a device secure, but it does provide you with a secure connection when you have to connect to public networks.

What are some other security tips you recommend?

[checklist]

  • Prey – Locate your laptop, computers, phones, and tablets if they’re lost or stolen.
  • Device/Disk Encryption – If someone gets your laptop — it doesn’t matter if it’s a Mac or PC — all of your files are fully accessible. It means absolutely nothing if you have a password — all of your files can be viewed and copied directly from your hard drive. There are a variety of disk encryption options out there and we could dedicate a post to just this topic. Newer versions of Android and iOS are encrypted by default. Many mobile OSes allow you to enable encryption if it’s not enabled by default. There are also 3rd-party encryption programs, such as the final build of TrueCrypt.
  • Antivirus – I don’t care if you’re running Windows or Mac OS X, you should be running antivirus, period. If someone tells you otherwise, they’re being cocky and they likely are not personally responsible for your computer’s security. Not just any antivirus either. Stick with one of the top-performing antivirus solutions — we typically recommend ESET NOD32 Antivirus. Whatever you do, do NOT use Microsoft Security Essentials. It does not work, and anyone who recommends it should stop doing that – they’re 100% incorrect.
  • Do Not Use Internet Explorer or Safari – Our first recommendation is Firefox. Some people have been falsely told that “Chrome is the best, install it and you’re secure!” We hope to dispel that notion. Chrome is definitely a better alternative to Internet Explorer and Safari; however, simply switching to either Chrome or Firefox is not enough. You need to be concerned with ad-blocking, Javascript blocking, and malicious changes to your browser, as well as click-jacking. This is why so many Mac users are getting their browser nailed with malware. Instead of letting a website just run whatever it wants in the background (and no, this isn’t stuff you have to enter a password for), you should stop all websites from running anything and only allow websites you truly trust. Right now, you’re letting any website you click run wild. It’s much better to take the option that NO website can run wild, except for the ones you explicitly trust. This is why we typically recommend Firefox, as the NoScript + uBlock/AdBlock Plus/AdBlock Edge + Public Fox combo is hands-down the most effective Web Browser configuration @ preventing unwanted downloads or changes in/to the browser itself.
  • Do Not Login As Admin/Root – Whether it’s a Mac or PC, it is better to log in as a ‘restricted’ account instead of a user that has full access to do anything to your system.

[/checklist]

As always, if you have any questions, don’t hesitate to call us @ (888) 374-5422.

[hr]

Featured Image Source: Private Internet Access

Apple ID Phishing Email

Apple ID Phishing Email

A client of ours received an email warning her that someone had used her Apple ID to download an app:

[hr]

Apple Phishing Email

[hr]

This email did not come from Apple.  This is a fake email, known as a phishing email, and they’re trying to bait the recipient into clicking on the links in the message.  The message tries to trick the recipient into thinking their Apple account has been compromised, when in fact, the message itself, is attempting to do just that.

The links do not lead to Apple’s website.  Instead, the links lead to a malicious website:

[hr]

Apple ID Phishing Link

[hr]

This is the first place your Web Browser makes a difference.

If you use Internet Explorer and click that link, it does nothing to stop it (and that’s with Smart Filter protection enabled).

If you use Firefox, it detects it is a malicious link:

[hr]

Firefox Phishing Protection

[hr]

If you use Chrome, it detects it is a malicious link:

[hr]

Chrome Phishing Protection

[hr]

By no means should you rely on your browser as your sole point of Web security, but you can see how Internet Explorer compares to Firefox and Chrome when it comes to ‘safe browsing’.

Next, you get to see how well your antivirus holds up. For you Microsoft Security Essentials users out there, it does nothing to detect, nor prevent, this phishing attack. If you’re utilizing ESET NOD32, you’re in better shape:

[hr]

ESET NOD32 Antivirus Phishing Protection

[hr]

[info_box style="notice"]The Computer Peeps recommend a layered approach to Web Security, including OpenDNS Web Filter, Firefox w/ NoScript, AdBlock Plus, and Public Fox, as well as logging in to your system as a non-admin + utilizing ESET NOD32 Antivirus (or one of the top performing antivirus solutions).[/info_box]

[hr]

The takeaways from this post:

[hr]

[checklist]

  • Be cautious and aware of emails that are trying to get you ‘riled up’, so you click on something without thinking.
  • Utilize an email service that does a good job of filtering out fake/fraudulent emails – e.g. Gmail/Google Apps for Business.
  • Switch to Firefox or Chrome.
  • Implement additional security in your Web browser – e.g. ad-blocker, Javascript/Flash blocker, password-protection for downloads/changes, etc.
  • Utilize a proper antivirus solution, such as ESET NOD32 Antivirus.
  • Do NOT use Microsoft Security Essentials.
  • Utilize a Web Filter, such as OpenDNS.
  • For daily-use, do not log in to your computer as an administrator.

[/checklist]

[hr]

If you have any questions, don’t hesitate to comment below or give us a buzz!

5 Reasons Why Consignment Stores Should Not Use Microsoft Security Essentials

Consignment Stores Should Not Use Microsoft Security Essentials

We’ve compiled five very specific reasons why consignment and resale stores (or any business) should not use Microsoft Security Essentials (MSE).

First and foremost, what is Microsoft Security Essentials? Microsoft Security Essentials is free security software provided by Microsoft. On Windows 7, Microsoft Security Essentials is automatically downloaded via Windows Update if an antivirus product is not detected on the system. On Windows 8/8.1, it’s known as Windows Defender and is included out of the box.

#1 – AV Comparatives Considers MSE “Non-Competitive”

AV Comparatives regularly tests the major antivirus/security products and publishes their findings. They recently published their October 2014 Real-World Protection Test results.

See the white, dashed-line?  That represents Microsoft Security Essentials:

[box]

AV Comparatives October 2014

[/box]

Now, no antivirus solution is 100% effective, 100% of the time, nor should antivirus be your sole point of system security/malware prevention.  However, MSE can’t even compete @ only 83.3% protection.

Source: http://www.av-comparatives.org/wp-content/uploads/2014/11/avc_factsheet2014_10.pdf

[hr]

#2 – AV-Test Revoked MSE’s Antivirus Certification

Two years ago, AV-Test revoked Microsoft Security Essentials’ antivirus certification.

[box]

MSE No AV-Test Cert

[/box]

Again, no antivirus solution is 100% effective and ratings from one testing firm should not be the sole reference point for selecting a security product.

MSE flunking, though, is right in line with real-world experience, as well as other testing firms’ results.

Source: http://www.maximumpc.com/article/news/microsoft_security_essentials_flunks_av-test_loses_certification419

[hr]

#3 – Microsoft Does Not Recommend Utilizing MSE

[hr]

Even Microsoft, does not recommend utilizing MSE:

[box]

Microsoft Does Not Recommend MSE

[/box]

Source: http://www.howtogeek.com/173291/goodbye-microsoft-security-essentials-microsoft-now-recommends-you-use-a-third-party-antivirus/

[hr]

#4 – Computer Peeps Have Found MSE Does Not Work

The Computer Peeps manage hundreds of systems for consignment and resale stores all across North America. We are directly responsible for keeping computers clean, protected, and available; computers which store employees utilize to search the Web for pricing, browse Facebook, sell on eBay, check email, etc. – i.e. computers that are at high risk of getting infected.

We regularly work on systems that are utilizing the all-too-common (yet ineffective) Chrome + MSE combo:

[box]

[hr]

[/box]

In five years of managing, maintaining, and securing systems for consignment and resale store owners, The Computer Peeps have not seen a worse or less-effective antivirus solution than Microsoft Security Essentials.

[hr]

#5 – MSE Is Not PCI Compliant

Last but not least, MSE is not PCI Compliant.  First, it’s simply not considered antivirus by multiple, independent testing authorities.

Second, Microsoft recommends utilizing an actual antivirus product, further reinforcing that MSE is not antivirus.

Third, MSE does not have the ability to retain its log files for 365 days (required as per the PCI DSS, Requirements 5.2d and 10.7):

[box]

ESET NOD32 Logging

[/box]

Source: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

[hr]

This isn’t a matter of opinion or “We like pepperoni pizza vs. cheese pizza – so should you!”  It’s just really simple – MSE doesn’t work, it is not considered antivirus, Microsoft recommends not utilizing it, and multiple antivirus testing firms have found MSE cannot compete against even the worst antivirus program.

So please, if your tech or vendor recommends or implements MSE, stop them and ask them to remove it.  Then, ask them to install and configure a viable antivirus solution.  MSE is free and it helps avoid the topic of money – yes, viable antivirus costs money + time to configure.  Would you rather avoid the topic, or would you rather spend $57 for a viable antivirus solution?

Important WordPress Security Alert

WordPress

If your site is built on WordPress, please read this post.

[info_box style="warning"]TL;DR – Disable XML-RPC for WordPress.[/info_box]

This past weekend, we started receiving failed login attempt alerts from a few of the WordPress sites we manage. This is abnormal, because all of the sites we manage are IP-restricted – i.e. you cannot access the login page unless you’re at an approved location, such as your store or home.

So it was definitely interesting, to say the very least, to start seeing failed login attempts coming in…lots of them (automated via bots/’hacking’ tools):

[hr]


[hr]

I verified that the sites’ login pages were in fact inaccessible from other IPs.  So how the heck were *they* submitting a login?  Even a temporary rename of /wp-admin and wp-login.php had no impact, so the logins clearly weren’t coming in through there.

One of the first things that came to mind was plugins. We only utilize a strict list of plugins and we tend to avoid flooding WordPress sites with random plugins. The sites that were triggering these alerts, though, were sites we inherited and did not originally design/build. All plugins are fully managed and updated on a daily basis, so it wasn’t so much an out-of-date plugin, but possibly one of the odd-ball plugins utilized by a previous developer. There were no consistencies across the sites experiencing this issue, though, and none of the plugins in question appeared to provide any form of authentication functionality.

What else is ‘listening’ in a WordPress installation?  What has its ear against the Internet, waiting for incoming information?  XML-RPC, which is utilized for remote publishing from mobile apps and Pingbacks from other blogs.

Sure enough, when inspecting the server logs, I found the offending IPs were in fact submitting requests to /xmlrpc.php:

[hr]

WordPress XMLRPC

[hr]

Disable XML-RPC and, voilà, the login attempts stopped.

This isn’t a new attack, but XML-RPC was disabled by default until WordPress 3.5.  It appears that with more and more site owners becoming aware of proper WordPress security and proper Web server security, *they* are looking for other ways in.

Things you can do to better-protect your WordPress site:

[hr]

[checklist]

  • Regularly update your plugins, as well as your WordPress installation.  We work with so many store owners who have been paying someone to do this for them, only to find their WordPress site is still running 3.5.1 and plugins have never been updated!
  • Install a login limiter, as well as an intrusion detection system for your WordPress installation.
  • Properly secure your Web server’s configuration – e.g. disable directory indexing, restrict access for your WordPress login page to only approved IP addresses, restrict access to sensitive configuration files, etc.
  • Regularly review your Web server’s logs.
  • Disable XML-RPC.

[/checklist]

[hr]

If you have a WordPress site, The Computer Peeps offer a free security audit of your site.

As always, if you have any questions, feel free to comment below or give us a buzz at (888) 374-5422.
