Preventing fraud

We recently got a lot of invoices from sites all over the web, even from sites located outside of Sweden. Someone was mirroring our site using iframes and a similar domain name to ours.

Securing WordPress with .htaccess

Leaving your wp-login.php script or wp-admin folder reachable from the whole internet lets anyone brute-force your passwords. My way of solving this is to create a randomly named folder, e.g. “asbra”, with some PHP code that sets a cookie which the .htaccess file then requires.
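One way to build that gate, as an added example rather than the author's own files: a small setup script that creates the random folder with a PHP page setting the cookie, and appends the matching rewrite rules to the site's .htaccess. It assumes Apache with mod_rewrite and AllowOverride enabled for the document root, and PHP 7.3 or newer for the setcookie() options array; the cookie name "wpgate", the folder length and the token length are arbitrary choices.

```shell
#!/bin/sh
# Added example, not the author's code: set up a cookie gate in front of
# wp-login.php and wp-admin/. Assumes Apache with mod_rewrite, AllowOverride
# enabled for the document root, and PHP 7.3+ (setcookie() options array).
# The cookie name "wpgate" and the folder/token lengths are arbitrary choices.
set -e

# Random lowercase folder name; the URL of this folder is the secret you bookmark.
# LC_ALL=C keeps tr byte-oriented so random bytes are not rejected as bad UTF-8.
rand_name() {  # $1 = length
  head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'a-z' | head -c "$1"
}

# Random 128-bit hex token that the cookie must carry.
rand_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Writes <docroot>/<random>/index.php (sets the cookie) and appends the gate
# rules to <docroot>/.htaccess. Prints "<folder> <token>" so you can note them.
write_gate() {  # $1 = document root
  docroot=$1
  gate=$(rand_name 8)
  token=$(rand_token)
  mkdir -p "$docroot/$gate"

  cat > "$docroot/$gate/index.php" <<EOF
<?php
// Visiting /$gate/ sets the gate cookie and forwards you to the real login page.
setcookie('wpgate', '$token', [
    'expires'  => time() + 30 * 86400,
    'path'     => '/',
    'secure'   => true,     // only over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict',
]);
header('Location: /wp-login.php');
EOF

  # Appended after WordPress's own block; its rules skip existing files and
  # directories, so they never touch wp-login.php or wp-admin/ anyway.
  cat >> "$docroot/.htaccess" <<EOF

# Login gate: wp-login.php and wp-admin/ answer 403 unless the cookie is present.
# admin-ajax.php stays open because front-end plugins call it for anonymous visitors.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin/) [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php [NC]
RewriteCond %{HTTP_COOKIE} !wpgate=$token
RewriteRule ^ - [F]
</IfModule>
EOF

  printf '%s %s\n' "$gate" "$token"
}

# Usage: ./gate.sh /var/www/html  -> prints the folder name and token it generated.
if [ -n "${1:-}" ]; then
  write_gate "$1"
fi
```

Two things to keep in mind: the folder name and the token together are the secret, so anyone who learns the URL can let themselves in, and the 403 is returned before WordPress runs, which is exactly what stops the password guessing but also locks out anybody whose browser lost the cookie until they revisit the gate URL.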

TLS v1.1 is being phased out by 30 June 2018

Apache supports many different SSL/TLS protocol versions, some of which have serious vulnerabilities that put sites at risk of being breached. POODLE (against SSL 3.0) and BEAST (against CBC cipher suites in TLS 1.0) are just a couple of examples of how attackers have exploited weaknesses in SSL and TLS to compromise organizations.
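The directive that decides which versions Apache will negotiate is SSLProtocol, and the usual mistake is leaving it at "all". The script below is an added example, not configuration from the original post: it shows a weak setting beside the corrected one (both constructed samples) and a small audit function that expands an SSLProtocol line the way mod_ssl does and reports any vulnerable version still enabled.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SSLProtocol directive in an
# Apache/mod_ssl config and report which vulnerable protocol versions it still
# enables. The two config snippets are constructed samples, not the author's config.
set -e

# Weak setting: "all" (minus the long-dead SSLv2) still permits SSLv3, TLS 1.0 and 1.1.
WEAK_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5'

# Corrected setting: start from nothing and add only TLS 1.2 (add +TLSv1.3 on
# Apache 2.4.37+ built against OpenSSL 1.1.1), with forward-secret AEAD suites only.
HARDENED_CONF='SSLEngine on
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'

# Expands an SSLProtocol operand list into the set of versions it enables,
# following mod_ssl's rules: "all" is every version except SSLv2, "+X" adds,
# "-X" removes, a bare name adds just that version. (Simplified: the newer
# "TLSv1.2+" shorthand is not handled.)
enabled_protocols() {
  enabled=""
  for tok in "$@"; do
    case $tok in
      all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
      -all)     enabled="" ;;
      -*)       enabled=$(printf '%s\n' $enabled | grep -vx -- "${tok#-}" || true) ;;
      +*)       enabled="$enabled ${tok#+}" ;;
      *)        enabled="$enabled $tok" ;;
    esac
  done
  printf '%s\n' $enabled | grep -v '^$' | sort -u
}

# Reads Apache config on stdin, looks at the last SSLProtocol line (the one that
# wins within a context) and prints any enabled version with known attacks:
# SSLv3 (POODLE), TLSv1 (BEAST), TLSv1.1 (no AEAD suites). Returns 1 if any.
audit_sslprotocol() {
  line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 || true)
  if [ -z "$line" ]; then
    set -- all   # no directive: mod_ssl's historical default, so assume the worst
  else
    set -- $line
    shift        # drop the directive name itself
  fi
  weak=$(enabled_protocols "$@" | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1' || true)
  if [ -z "$weak" ]; then
    return 0
  fi
  printf '%s\n' "$weak"
  return 1
}

# Demo on the constructed samples.
printf '%s\n' "$WEAK_CONF" | audit_sslprotocol || echo "weak: fix SSLProtocol"
printf '%s\n' "$HARDENED_CONF" | audit_sslprotocol && echo "hardened: ok"
```

Feed it the virtual-host file that carries your SSLEngine line (`audit_sslprotocol < /etc/apache2/sites-enabled/example.conf`). The audit only reads configuration; confirm what the running server actually negotiates with `openssl s_client -connect host:443 -tls1_1 </dev/null`, which should fail to complete a handshake once the directive is fixed and Apache has been reloaded.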

Unhacking a Hacked WordPress Site

A collection of commands to help you determine whether you have been hacked. The same commands can be used to find obfuscated code and dangerous PHP in any other CMS, such as Joomla or Drupal.
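The excerpt does not list the commands, so the script below is an added example of the kind of checks meant, not the author's own: a grep for the constructs that web shells rely on (eval over a decoder chain, hex-escaped function names, user input called as a function), a search for PHP under wp-content/uploads, and a recent-modification listing. The pattern list and the mini document root it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the author's commands: find PHP files carrying the usual
# web-shell markers, PHP where it does not belong, and recently changed files.
# The pattern list and the sample docroot are constructed for this demo.
set -e

# Extended regex of constructs that legitimate CMS code almost never uses but
# backdoors almost always do. Expect a few false positives; read every hit.
SUSPICIOUS_RE='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|create_function[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(|\\x[0-9a-f]{2}\\x[0-9a-f]{2}'

# Every line in *.php under $1 that matches; prints file:line:text, returns 1 on hits.
scan_php() {
  hits=$(find "$1" -type f -name '*.php' -exec grep -HEn "$SUSPICIOUS_RE" {} + 2>/dev/null || true)
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# WordPress never stores PHP under wp-content/uploads; anything there was dropped.
php_in_uploads() {
  find "$1" -path '*/wp-content/uploads/*' -type f -name '*.php' -print
}

# Files touched in the last $2 days. Compare with your deploy dates: core files
# changing outside an update, or a burst under uploads/, is the usual tell.
recent_files() {
  find "$1" -type f -mtime "-$2" -print
}

# Constructed mini docroot: one clean file (base64 used as data) and one planted
# file in the shape of a decoder-chain backdoor, with a dummy payload string.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/uploads/2018/06"
  printf '%s\n' '<?php' '$logo = "data:image/png;base64,iVBORw0KGgo=";' \
    > "$d/wp-includes/clean.php"
  printf '%s\n' '<?php' 'eval(gzinflate(base64_decode("H4sIAAAAAAAAAwMAAAAAAAAAAAA=")));' \
    > "$d/wp-content/uploads/2018/06/image.php"
  printf '%s\n' "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample)
scan_php "$sample" || echo "suspicious code found above"
php_in_uploads "$sample"
recent_files "$sample" 1
rm -rf "$sample"
```

Run the three functions against the real document root (`scan_php /var/www/html`), and treat hits as leads rather than verdicts: a diff of core files against a fresh WordPress download of the same version settles whether a flagged file was modified, and anything under uploads/ ending in .php can simply be removed.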

xmlrpc.php

I was seeing lots of warnings about POST requests to xmlrpc.php in the log files of ModSecurity for Apache. It turns out that WordPress uses the XML-RPC protocol, which was created in 1998. The problem with having this enabled is that it encourages hackers to try and guess your password by making hundreds or thousands of login attempts…
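To see whether those POSTs are a brute-force attempt rather than normal pingback traffic, count them per client. The script below is an added example and not from the original post; the log lines are constructed in Apache's combined format using RFC 5737 test addresses, and the threshold is a hypothetical choice.

```shell
#!/bin/sh
# Added example, not from the original post: pick brute-force sources out of an
# Apache access log by counting POSTs to xmlrpc.php per client IP. The log lines
# below are constructed (combined log format, RFC 5737 test addresses).
set -e

SAMPLE_LOG='203.0.113.7 - - [01/Jun/2018:10:00:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2018:10:00:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jun/2018:10:00:02 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2018:10:00:05 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2018:10:00:09 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "https://example.com/" "WordPress/4.9; https://example.com"
192.0.2.33 - - [01/Jun/2018:10:00:11 +0200] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "python-requests/2.18"'

# Reads a combined-format log on stdin; prints "count ip" for every client that
# POSTed to xmlrpc.php, busiest first. Field 6 is the quoted method, 7 the path
# (matched by prefix so a query string does not hide a hit).
xmlrpc_posters() {
  awk '$6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs with more than $1 xmlrpc POSTs in the window the log covers. Keep the
# threshold low: one POST can carry hundreds of login attempts via system.multicall.
xmlrpc_offenders() {
  xmlrpc_posters | awk -v t="$1" '$1 > t { print $2 }'
}

# Demo on the constructed lines: only 203.0.113.7 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_offenders 2   # prints 203.0.113.7
```

Against a live server, `xmlrpc_offenders 20 < /var/log/apache2/access.log` gives the list to feed into a firewall or fail2ban jail. If nothing on the site needs XML-RPC (Jetpack and the WordPress mobile apps do), the simplest fix is to refuse it outright in .htaccess with a `<Files xmlrpc.php>` stanza containing `Require all denied` (Apache 2.4 syntax), which also silences the ModSecurity warnings.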

Tcpcrypt.. How could we miss this?

Install Tcpcrypt and you will feel no difference in your everyday user experience, yet your traffic will be more secure and you will have made life much harder for anyone eavesdropping on it. Note that Tcpcrypt is opportunistic encryption: it defeats passive sniffing, but an active attacker who can tamper with the connection is only stopped if the session is also authenticated at a higher layer.