
String-to-enum conversion - CVE-2020-36620 (50 GB)


## Discussing CVE-2020-36620: how a NuGet package for string-to-enum conversion can make a C# application vulnerable to DoS attacks

In this post I discuss the CVE-2020-36620 vulnerability and look at how a NuGet package for converting a string to an enum can make a C# application vulnerable to denial-of-service (DoS) attacks.

Imagine a server application that interacts with a user. In one scenario, the application receives data from the user as a string and converts it to enum members (string -> enum).

The NuGet package in question is designed to make that conversion easier. However, it does not check whether the received string is valid, so an attacker can use it to cause a denial of service: when an attacker sends a string that is not valid, the package still attempts to convert it to an enum, which can raise an exception; if that exception is not handled on the request path, the application crashes.

The fix is to verify that the received string is valid before using it. In C#, check whether the string is one of the enum's member names; if it is not, return an error to the user instead of letting the application crash.

In short, a NuGet package that converts strings to enums can be abused by an attacker to cause a denial of service. To prevent this, validate the received string before using it: write a function that checks whether the string belongs to the enum and returns an error to the user otherwise. Applied consistently, this guards against the DoS and keeps the application available.
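The check described above, as an added example written for this page (it is not code from the article or from the NuGet package it discusses). The `OrderStatus` enum, the `HandleStatusRequest` handler and the 64-character length limit are assumptions for illustration. The unchecked version shows the crash path; the strict version accepts only exact member names, which also rejects inputs that `Enum.TryParse` would silently accept, such as "42" (an undefined numeric value) and "1,2" (comma-separated lists are combined with bitwise OR even for enums without [Flags], so "1,2" would become 3, which here happens to be `Cancelled`).

```csharp
using System;

// Example added for this page; not code from the article or from the package it discusses.
// The enum, the handler and the length limit below are assumptions for illustration.
public enum OrderStatus
{
    Pending = 0,
    Paid = 1,
    Shipped = 2,
    Cancelled = 3
}

public static class EnumInput
{
    // Assumption: no legitimate member name is this long. Rejecting oversized input first
    // means an attacker cannot make the parser do any work on a multi-megabyte string.
    private const int MaxLength = 64;

    // Vulnerable pattern: parse whatever arrives. Enum.Parse throws ArgumentException for an
    // unknown name, and an unhandled exception on a request path takes the service down.
    public static OrderStatus ParseUnchecked(string input)
    {
        return Enum.Parse<OrderStatus>(input);
    }

    // Hardened pattern: accept only exact member names (ordinal comparison, no trimming,
    // no case folding). Numeric strings and comma lists are rejected because they never
    // match a member name, so the value handed back is always a defined member.
    public static bool TryParseStrict<TEnum>(string input, out TEnum value)
        where TEnum : struct, Enum
    {
        value = default;
        if (string.IsNullOrEmpty(input) || input.Length > MaxLength)
        {
            return false;
        }

        foreach (string name in Enum.GetNames(typeof(TEnum)))
        {
            if (string.Equals(name, input, StringComparison.Ordinal))
            {
                value = Enum.Parse<TEnum>(name);
                return true;
            }
        }
        return false;
    }
}

public static class Demo
{
    // Hypothetical request handler: returns an HTTP-style status and message instead of throwing.
    public static (int Status, string Body) HandleStatusRequest(string rawStatus)
    {
        if (!EnumInput.TryParseStrict(rawStatus, out OrderStatus status))
        {
            return (400, "unknown order status");
        }
        return (200, "status set to " + status);
    }

    public static void Main()
    {
        // Constructed inputs: one valid name, then the kinds of input a caller should reject.
        string[] inputs = { "Paid", "paid", "42", "1,2", "<script>", new string('A', 100_000) };
        foreach (string input in inputs)
        {
            string shown = input.Length > 20 ? input.Substring(0, 20) + "..." : input;
            var (code, body) = HandleStatusRequest(input);
            Console.WriteLine($"{shown,-24} -> {code} {body}");
        }
        // Only "Paid" is accepted; every other input gets a 400 and the process keeps running.
        // EnumInput.ParseUnchecked("<script>") would instead throw ArgumentException.
    }
}
```

If the enum is a [Flags] type and you genuinely need to accept combinations, split on the separator yourself, validate each part against `Enum.GetNames` with the same strict comparison, and cap the number of parts; do not hand the raw string to the parser.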

Article source: DZone

Web2 software engineers have benefited from design standards, mature programming languages, and vulnerability tools that minimize the risk of an attack. Failing to use them can result in a situation similar to the one I described in my "Equifax Attack: Only a Matter of Time" publication back in 2017.

Those working on Web3 projects find themselves at an exciting stage. Initiatives like bounties and Decentralized Autonomous Organizations (DAOs) drive new opportunities for these pioneers to explore. Unfortunately, the Web3 landscape is not as mature or well defined as earlier phases of the web frontier. Compounding the situation is the risk those challenges impose in a decentralized environment, where exploitation can result in the loss of a large volume of assets, together with the time it takes to secure an auditing service for smart contract code and the duration of the audit itself.

Article source: DZone

Securing applications is not the easiest thing to do. An application has many components: server-side logic, client-side logic, data storage, data transportation, API, and more. With all these components to secure, building a secure application can seem really daunting.

Thankfully, most real-life vulnerabilities share the same root causes. And by studying these common vulnerability types, why they happen, and how to spot them, you can learn to prevent them and secure your application.

Article source: DZone



Chatbots Are Here To Stay

Chatbots have been around for a long time and based on the global chatbot market size (and the expected growth), they will stick around for a long time and gain importance. In the past, they’ve rarely met customer expectations or provided much positive experience. However, over the last few years, advances in conversational AI have transformed how they can be used. Since chatbots offer a wide range of applications, in certain cases, they become responsible for collecting and protecting personal information as well. 
Consequently, they are a great attraction for hackers and malicious attacks too. The responsibility of ensuring chatbot security has become more evident after the introduction of GDPR in Europe. As statistics show that this technology will be a determining factor in our lives, security testing must also become part of our daily tasks, so that these chatbots can be used with confidence.

Security Risks, Threats, and Vulnerabilities

The words risk, threat, and vulnerability are often confused or used interchangeably when reading about computer security, so let’s first clarify the terminology:

  • A vulnerability is a weakness in your software (or hardware, processes, or anything related): a way an attacker could get into and exploit your systems.
  • A threat is what exploits a vulnerability and can cause the loss, damage, or destruction of an asset.
  • Risk is the potential for lost, damaged, or destroyed assets: threat + vulnerability = risk.
The well-known OWASP Top 10 lists the top security risks for a web application. Most chatbots are reachable through a public web frontend, so all of the OWASP risks apply to them as well. Two of these deserve special attention because, unlike the others, they are nearly always a serious threat for a chatbot: XSS (Cross-Site Scripting) and SQL Injection.
In addition, AI-enabled chatbots face an increased risk of Denial of Service attacks, because each request consumes far more computing resources.

Vulnerability 1: XSS – Cross-Site Scripting

A typical implementation of a chatbot user interface:

  • There is a chat window with an input box.
  • Everything the user enters in the input box is mirrored in the chat window.
  • The chatbot response is shown in the chat window.

The XSS vulnerability is in the second step: if the entered text includes malicious JavaScript code, the XSS attack succeeds when the web browser runs the injected code while mirroring it, for example:

 <script>alert(document.cookie)</script>
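The vulnerable and hardened versions of that mirroring step, as an added example written for this page (not code from the article). It uses C# with `System.Text.Encodings.Web.HtmlEncoder` (built into .NET Core and .NET 5+, available as a NuGet package on .NET Framework) and assumes the chat transcript is rendered into HTML on the server; the class and method names are hypothetical. The same rule applies when the mirroring is done in browser JavaScript: write the text with `textContent`, never `innerHTML`.

```csharp
using System;
using System.Text.Encodings.Web;

// Example added for this page; not code from the article. Models step 2 of the chat UI
// above (echoing the user's text into the chat window) for a server-rendered transcript.
public static class ChatRenderer
{
    // Vulnerable: the user's text is concatenated straight into HTML element content, so a
    // payload such as <script>alert(document.cookie)</script> is parsed and run by the browser.
    public static string RenderUserLineUnsafe(string userText)
    {
        return "<div class=\"msg user\">" + userText + "</div>";
    }

    // Hardened: HTML-encode the text before it lands in element content. HtmlEncoder.Default
    // escapes <, >, &, ", ', + and all non-ASCII characters, so the payload is displayed as
    // text instead of being executed.
    public static string RenderUserLineSafe(string userText)
    {
        return "<div class=\"msg user\">" + HtmlEncoder.Default.Encode(userText ?? string.Empty) + "</div>";
    }

    // Step 3 (the bot's reply) needs the same treatment: a reply that quotes the user
    // ("You said: ...") carries the same payload back into the page.
    public static string RenderBotLineSafe(string botText)
    {
        return "<div class=\"msg bot\">" + HtmlEncoder.Default.Encode(botText ?? string.Empty) + "</div>";
    }

    public static void Main()
    {
        // Constructed input: the classic cookie-stealing probe from the article.
        string payload = "<script>alert(document.cookie)</script>";

        Console.WriteLine(RenderUserLineUnsafe(payload));   // script tag survives intact
        Console.WriteLine(RenderUserLineSafe(payload));     // < and > arrive as &lt; and &gt;
        Console.WriteLine(RenderBotLineSafe("You said: " + payload));
    }
}
```

Encoding is context-specific: `HtmlEncoder` is correct for element content and quoted attribute values, but text placed inside a `<script>` block or an inline event handler needs `JavaScriptEncoder`, and text placed in a URL needs `UrlEncoder`. Encode at the point of output, not when the message is stored, so the original text remains available for the bot and for logging.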

Possible Attack Vector

For exploiting an XSS vulnerability the attacker has to trick the victim to send malicious input text. It can be done through one of the following ways:

Craft CMS is increasing in popularity, and as it does, the previously relatively scant range of plugins is growing rapidly.

There are plugins for Craft ranging from simple field utilities to the full ecommerce solution provided by Pixel & Tonic — the makers of Craft.

An early decision that has borne fruit for Craft has been the plugin licensing model. Paid plugins for Craft charge an initial license fee and then a reduced annual renewal price for updates. This ongoing payment structure ensures plugin maintenance is economically viable for developers, and as a result, Craft plugins tend to be updated more often and are abandoned less.

The best plugins depend very much on the site you’re developing and what you’re trying to achieve. However, some are so universally useful that I install them on virtually every site I build; here’s a list.

1. Redactor

Installing Redactor is a no-brainer when it comes to picking your plugins. Maintained by Pixel & Tonic, it’s a rich text field that extends Craft’s basic text input. It’s so useful it may as well be part of the core Craft code.

One of the best features is the ease with which Redactor can be customized. Just duplicate the settings file inside the config directory and edit its contents to alter what editing options are available; it’s simple to create anything from a field with a bold option to a full rich text editor. In addition, each Redactor field can be set to use any of the settings files.

Free

2. Retcon

When you’re outputting code from a rich text field like Redactor, you’ll get clean HTML output — which most of the time is what you want. However, if you’re using something like Tailwind, those classes are non-negotiable. I’m not a fan of Tailwind, but I am a fan of using classes in my CSS selectors instead of element names.

Retcon is an invaluable plugin that extends Twig filters to supply a host of options when you’re outputting content. It can add classes to elements, insert attributes, modify the element type, and tons more.

Free

3. Venveo Bulk Edit

During the life of a site, there’s a good chance that you’re going to have to alter fields and sections after the content is in. It’s a common problem if you’re importing data from another platform using FeedMe, or if you have an indecisive client, or even if the site is simply growing.

Venveo Bulk Edit is a plugin that integrates closely with the Craft UI and allows you to edit the contents of multiple entries at once. This plugin has saved me hundreds of hours that would otherwise have been spent painstakingly editing entries one at a time.

Free

4. Super Table

At some point, you’re going to need a configurable list of inputs. Maybe you’re creating a list of documents to download, building a directory, or even your site navigation. You could create a new channel and then add the entries as an entry field, or even set it up with a matrix field, but this is awkward to edit even with Craft 3.7’s new editing experience.

I’m a big fan of opting for the simplest solution, and in this case, the simplest option is a table field. Unfortunately, Craft’s built-in table field has limited field type support. Super Table, on the other hand, supports almost anything, giving you a powerful, orderable set of fields.

Free

5. No-Cache

Craft has a really powerful caching system. It allows you to cache whole or partial templates, and it’s intelligent enough to know when you’ve edited content that has been cached so that it can be re-cached.

Understanding Craft’s caching is vital; as a very general guide, dynamic content benefits from caching, but static content does not.

However, you will regularly encounter situations where you want to opt out of the caching. A blog post, for example, could be cached, but the time since it was posted must not be, or every post would appear to have been published “today” until the cache is refreshed.

The No-Cache plugin adds a couple of Twig tags that allow you to temporarily opt-out of the cache. This means that you can cache larger sections of your templates, simplifying your caching decisions considerably while still being able to fine-tune what is cached.

Free

6. Retour

Sooner or later, you’re going to have users hitting 404 errors. If you’re restructuring a site and changing the architecture, it will be sooner. To avoid breaking the UX and SEO, you need to add redirects.

Retour is a helpful plugin that sits in your dashboard side menu. Anytime a user triggers a 404, Retour will flag it up, so you can decide how to redirect the URL in the future.

$59 for the first year; $29/year for updates after that

7. Sherlock

One of Craft’s big strengths is its security. A lot of attention has gone into making sure that the core installation uses best practices. However, as with any CMS, potential security vulnerabilities start to creep in as soon as you introduce 3rd-party code (WordPress’ biggest vulnerability by far is its plugins).

You only need to look at the size of the vendor directory in your installation to see how many 3rd-party dependencies your site has. Even a small site is a house of cards.

Sherlock is a security scanner that performs a number of different tasks to help you stay secure, from checking on security threats in 3rd-party scripts to checking directory permissions. The paid version will even let you limit IP addresses if your site comes under attack — although your hosting company may well do this for you.

Lite: Free
Plus: $199 for the first year; $99/year for updates after that
Pro: $299 for the first year; $149/year for updates after that

8. Imager X

Craft’s built-in image transforms are a little limited. For example, they only work with actual assets, not remote images.

Imager X is an excellent plugin that, among many benefits, allows you to transform remote images. In addition, its refined syntax is perfect for coding complex art direction.

Imager X isn’t cheap, but considering the enormous importance of image optimization, unless you have a straightforward set of images to manipulate, it’s an investment you’ll be glad you made.

Lite: $49 for the first year; $29/year for updates after that
Pro: $99 for the first year; $59/year for updates after that

9. SEOMatic

SEOMatic is the SEO solution most Craft developers default to, including Pixel & Tonic themselves.

You’ll need to define the basics in its settings, and you may find yourself creating extra fields specifically for it to pull data from, but the handy progress bars on its dashboard page will give you an overview of what’s set and what needs to be done.

SEOMatic is another premium plugin, but implementing it is far simpler and cost-effective than digging through all those meta tags and XML files yourself.

$99 for the first year; $49/year for updates after that

Must-Install Craft CMS Plugins

The Craft ecosystem is rapidly growing, and the diversity of the plugins available increases as Craft is utilized for more and more sites.

But despite the lure of shiny new plugins, there are some tools that I return to again and again either because they elegantly fill a gap in the core Craft feature set or because I’ve tried them, and I trust them to be robust.

These are the plugins that I have found most useful in the last couple of years, and installing them is the first thing I do when I set up a new Craft installation.


The post 9 Must-Install Craft CMS Plugins first appeared on Webdesigner Depot.


Article source: Webdesigner Depot

Does it ever cross your mind that praise can be negative? I guess not. After all, it looks harmless and seems to be quite effective. Conventional wisdom says that if you praise people, they are motivated to do better.
People who have been praised throughout their life by their well-meaning parents, friends, and teachers for their talent and smartness or those who have experienced extreme focus on talent and smartness throughout their childhood learn to value only intelligence. No wonder when these people enter the workforce, they continue to seek approval and demand praise every step of the way.
Every opportunity is a measure of their intelligence — do I look smart, how will I be judged, what if others find my ideas dumb. With a single-minded focus on validating themselves, all their actions are rooted in establishing their worth. Every mistake hurts their reputation and every failure is a reflection of their competence. They care less about learning and more about proving themselves. Their sense of morality sometimes takes a hit as they resort to brutal behaviors — demeaning others by yelling, insulting, controlling, or taking undue credit — all in an attempt to boost their self-esteem.
Carol Dweck, professor of Psychology at Stanford University, summarised this unfortunate reality from Morgan McCall’s book High Flyers:

People often like the things that work against their growth. . . . People like to use their strengths . . . to achieve quick, dramatic results, even if . . . they aren’t developing the new skills they will need later on. People like to believe they are as good as everyone says . . . and not take their weaknesses as seriously as they might. People don’t like to hear bad news or get criticism. . . . There is tremendous risk . . . in leaving what one does well to attempt to master something new.

What Do Organizations Do with Such People?

They feed and promote this mindset. They praise people for their brilliant ideas conveying the message “we value talent and smartness.” They shower people with rewards and bonuses for their achievements communicating to everyone else around “all we care about is success.”
What happens when these people take on a leadership role? Their mindset of valuing brilliance above everything else amplifies, leading to disastrous results. History is full of leadership fiascos with great promises that turned out to be the biggest disasters. This article from Malcolm Gladwell in The New Yorker is as valid now as it was 18 years ago. Describing the talent mindset at Enron and the consultants at McKinsey who wandered the hallways at the company’s headquarters, he points out: “They were there looking for people who had the talent to think outside the box. It never occurred to them that, if everyone had to think outside the box, maybe it was the box that needed fixing.”
He also talks about the impact of an environment that values innate talent and what happens when times get tough and that self-image is threatened “They have difficulty with the consequences. They will not take the remedial course. They will not stand up to investors and the public and admit that they were wrong. They’d sooner lie.”
Really, is praising people for their intelligence and achievements the only way to develop people who will be the leaders of tomorrow? Is there a better way out?
What if we praised people for their hard work, for their ability to persist despite failures and setbacks, for taking initiatives to build new skills, for standing up to their mistakes, for believing in their growth, and implementing the right strategies to overcome their shortcomings. What does this kind of praise tell them?
It tells them the value of effort in building abilities. It teaches them the importance of implementing the right strategies to solve problems. It encourages them to seek help to make progress on their task. It creates a passion for learning that’s not driven by the need to look smart, but with a desire to cultivate skills, to stretch themselves to grow.
When these people take on leadership positions, this mindset guides them to put the well-being of the company and its people before their own needs, to place value on teamwork over individual accomplishment, and to foster growth and development of their people.

As growth-minded leaders, they start with a belief in human potential and development — both their own and other people’s. Instead of using the company as a vehicle for their greatness, they use it as an engine of growth — for themselves, the employees, and the company as a whole.
– Carol Dweck

Unlike leaders who pull their companies down with their focus on brilliance, these leaders lead their companies into greatness and gratitude filled in their own hearts and those of the people around them.
Choose your praise carefully as you will see the tremendous benefits in praising for growth over brilliance.

When Leaders Focus on Brilliance

They live in a world of personal greatness and entitlement, vie for labels, and will do anything to boost their image. Instead of building a long-lasting company, they spend time and money on enhancing their image.
With the constant need for validation, they use people in the company to feed their egos and showcase their superiority. Everything is about pleasing the boss. They surround themselves with people who boost their self-esteem. Agreement earns them admiration and disagreement is an attack on their intelligence. Instead of hearing people out, they punish dissent and shut people down.
They pounce at the less talented for their lack of intelligence and find those who are more talented than they are as threatening. They mistreat employees, yell, insult, control and abuse them into their way of doing things. They feel better about themselves by making other people feel worse. Employees worry about being judged all the time. When people are ridiculed for mistakes, they soon learn to keep their heads down, stop putting their critical thinking skills to use, and give in to groupthink.
Their belief in their superiority blinds them to see reality. They turn a blind eye to complaints, ignore warning signs, and fire people who tell them what they don’t want to hear. Their decision-making criteria are based on what would make them look good as opposed to what’s good for the company long term.

What happens when a leader refuses to confront the brutal facts? “The minute a leader allows himself to become the primary reality people worry about, rather than reality being the primary reality, you have a recipe for mediocrity, or worse. This is one of the key reasons why less charismatic leaders often produce better long-term results than their more charismatic counterparts.
– Jim Collins

Since success and failure are a part of their identity — success means they are smart and failure means they are not — they find excuses and blame others for failures instead of taking personal responsibility. Instead of investing in the future growth of their company, they play safe with fear of failure, become less responsive to challenges from competition, go with what’s tried and tested, and refuse to take risks. Why take up the challenge that can hurt their reputation? On the other extreme, they may not shy away from crossing ethical boundaries to beat the competition at all costs. Success is what they are after and it doesn’t matter how they get it.
With more focus on talent and less on potential, they do not invest in mentoring and coaching employees. Instead of putting practices in place to develop employees and help them collaborate together, they make them compete against each other.
Carol Dweck sums up their brilliant mindset: “My genius not only defines and validates me. It defines and validates the company. It is what creates value. My genius is profit. Wow!”

When Leaders Focus on Growth

They operate with a learning mode. They don’t claim to be genius but promise to invest in development, their own development, and the development of their people. The drive and enthusiasm to grow their companies make them adopt long-term strategies over short-term tactics. They aren’t in the game to boost their ego or establish their self-esteem. It’s the pure joy of shaping the future of their company that excites and motivates them. More than prestige, they are in it for the challenge.
They understand that the path to success goes through failure. Why lose the opportunity that can drive their future growth? So instead of hiding behind their failures, they face them head-on. Failures don’t define their competence, they are glaring moments of self-reflection. They are opportunities to build skills, explore possibilities, experiment, and invest in the promise of a better future.
They lead with vulnerability. They accept mistakes to shift the focus in the organization from hiding mistakes to finding solutions. When they don’t know something, instead of pretending to hide their ignorance, they say “I don’t know”. These three powerful words show humility and self-confidence. To make decisions, they invite others to share their opinion which promotes the culture of constructive criticism. Since they do not connect their identity to their opinion, more value is placed on seeking the right answers which require open disagreements and championing flexibility of opinion over their sense of righteousness.
Difficult situations make them uncomfortable, no doubt. Instead of letting their discomfort get in the way of meaningful conversations, they embrace it. They choose to look past their discomfort in the value that these discussions provide — saving a lot of time that can be wasted due to stress and anxiety that comes from misalignment of expectations and lack of clarity of purpose.
They are tough but compassionate. They do not shy away from giving critical feedback while also challenging the people in their organization to step outside their comfort zone. They empower people to make decisions with the right channels of feedback to assist in better decision-making in the organization.
Leaders with the growth mindset operate with what Lou Gerstner, who turned IBM’s fortunes around by saving it from near bankruptcy, said: “Hierarchy means very little to me. Let’s put together in meetings the people who can help solve a problem, regardless of position.” Not blind to reality, they focus on finding solutions that will push their company forward. This requires keeping an open eye on changes in market trends, identifying and investing in future growth areas, and taking calculated risks.
With a focus on potential and growth, they invest in identifying and building future skills of the organization — skills that will be useful during difficult circumstances giving them an advantage over the competition. They foster productivity through coaching and mentoring, place value on teamwork by encouraging collaboration and defining shared measures of success.
Warren Bennis, a scholar, author, and widely regarded as a pioneer of the contemporary field of Leadership studies, writes in Organizing Genius:

Leaders are people who believe so passionately that they can seduce other people into sharing their dream.

His most admirable view on leadership says:

Good leaders make people feel that they’re at the very heart of things, not at the periphery. Everyone feels that he or she makes a difference to the success of the organisation. When that happens people feel centred and that gives their work meaning.

What kind of leaders think like this — those focused on brilliance or the ones driven by growth?

Article source: DZone

Just like a tortoise hides inside its shell and a porcupine’s sharp quills leap to attention when they sense danger, we human beings also put on protective armor when we feel threatened. Risky situations, anxiety from the unknowns, and the danger of being exposed evoke the same emotional response as the fear of being chased by a predator.

We feel vulnerable. But instead of embracing vulnerability, accepting our fears, and leading with curiosity, we put on a shield of protection. We project confidence even when we are scared, speak with surety even when we are unsure, hide our mistakes with the fear of disapproval and avoid confrontation to save ourselves from the risk of emotional exposure.

Article source: DZone

A hacked WordPress site is as damaging as having your home burgled. It can completely shatter your peace of mind and adversely impact your online business.

Why do hackers target WordPress sites? The answer is relatively simple: WordPress is the single biggest platform for website creation these days, so there’s a larger base to attack; this attracts the attention of online criminals.

So, how can a hack impact your website?

Depending on the type of attack, your website could suffer any of the following:

  • It could be defaced completely;
  • It could load or operate very slowly on any device;
  • It could completely crash and malfunction;
  • It could display the dreadful “White Screen of Death”;
  • Its incoming visitors could be redirected to other suspicious websites;
  • It could lose all your valuable customer data.

This list is not exhaustive but you get the idea.

Now that we know how a successful hack can impact your website and online business, let us look at the top 10 reasons behind WP hacks and how to prevent them.

1. An Insecure Web Host 

Like any website, a WordPress site runs on a web host or server. Unfortunately, many site owners pay little attention to the host they select and choose the cheapest they can find. For example, it is more affordable to host a website on a shared hosting plan, one that shares its server resources with many other websites.

This can make your site vulnerable, because a successful compromise of any website on the shared server can be used as a foothold to reach yours, and a single hacked site can consume the server’s bandwidth and degrade the performance of every other site on it.

The most effective fix is to opt for a reliable host and a virtual or dedicated server.

Pro tip: If you’re already using a shared hosting plan, check with your hosts if they offer VPS hosting and make the switch.

2. Use of Weak Passwords

Weak passwords are the main reason behind successful brute force attacks that target your account. Even to this day, users continue to use weak and common passwords like “password” or “123456”; if you’re one of them, your website could land in trouble!

Guessing weak passwords allows hackers to enter the admin accounts where they can inflict the maximum damage.

How do you fix this problem? Ensure all your account users (including admin users) use strong passwords: at least 8 characters (longer is better), mixing upper- and lower-case letters, numbers, and symbols.

For added safety, install a password management tool that can automatically generate and store strong passwords.

Pro tip: You can use a plugin to reset passwords for all your users.

3. An Outdated WP Version

Outdated software is among the most common reasons why websites get hacked. Even though updates are free, many site owners defer updating to the latest version for fear that an update will break their site.

Hackers take advantage of any vulnerability or bug in an older version to cause problems such as SQL injection, WP-VCD malware, SEO spam, and other major issues such as the website redirecting visitors to another site.

How do you solve this problem? When you see a notification about an update on your dashboard, update your site as soon as possible.

Pro tip: If you are worried about updates crashing your live website, you can first test the updates on a staging site.

4. Outdated WP Plugins and Themes

Similar to the previous point, hackers also take advantage of outdated, unused, or abandoned plugins and themes installed on websites. With over 55,000 plugins and themes that are available, it is easy to install a plugin or theme, even from unsafe or untrusted websites. 

Plus, many users do not update their installed plugins/themes to the latest version or never find out that an update exists. This makes it easier for hackers to infect sites.

How do you avoid this problem? As with the core WP version, update each of your installed plugins/themes on your site regularly. Take stock of all the unused ones and remove them or replace them with better alternatives.

You can update your plugins/themes from your hosting account.

Pro tip: We suggest setting aside time every week to run updates. Test them on a staging site and then update your site.

5. Common Admin Usernames 

In addition to weak passwords, users also create common usernames that are easy to guess. 

This includes common usernames for admin users like – “admin”, “admin1”, or “admin123”. Common admin usernames make it easier for hackers to get into admin accounts and control backend files in your WP installation.

How do you avoid this problem? If you are using any such easy-to-guess usernames, change them immediately to a unique username. WordPress does not let you rename an existing user, so the usual way is to create a new admin user with a unique username, then delete the previous admin user and attribute its content to the new one; you can do this from the WordPress Users screen or from your hosting account’s user management tool.

As a first step, change the default username of your admin user and limit the number of users who have administrator privileges.

Pro tip: WordPress has 6 different user roles with different permission sets. Only grant admin access to users who really need it.

6. Use of Nulled Plugins/Themes 

Coming back to the importance of plugins/themes, users have access to many websites that sell nulled or pirated copies of popular and paid plugins and themes. While these are free to use, they are often riddled with malware. They can compromise your website’s overall security and make it easier for hackers to exploit. 

Being pirated copies, nulled plugins/themes do not receive updates from their development team, so they never get security fixes.

How do you fix this problem? Simple, for a start, only download original plugins and themes from trusted websites and marketplaces.

Pro tip: If you don’t wish to pay for paid or premium plugins and themes, opt for a free version of the same tools that will have limited features but are still safer to use than the nulled version. 

7. Unprotected Access to wp-admin Folder

To take control of your site, hackers often try to break into and control your wp-admin folder in your installation. As the website owner, you must take measures to protect your wp-admin directory.

How can you protect your wp-admin folder? First, restrict the number of users having access to this critical folder. Additionally, apply password protection as an added layer of security for access to the wp-admin folder. You can do this using the “Password Protection Directories” feature of the cPanel in your web host account.

Pro tip: Besides these fixes, you can also implement Two Factor Authentication (or 2FA) protection for all your admin accounts.

8. Non-SSL Website

You can easily migrate your HTTP website to HTTPS by installing an SSL certificate on your site. SSL (or Secure Sockets Layer) is a secure mode of encrypting any data transmission between your web server and the client browser.

Without this encryption, hackers can intercept the data and steal it. Plus, a non-secure website can have many negative implications for your business – lower SEO ranking, loss of customer trust, or a drop in incoming traffic.

How do you fix this problem? You can quickly obtain an SSL certificate from your hosting company or SSL providers. It encrypts all data that is sent from and received by your website. 

Pro tip: You can get a free SSL certificate from places like Let’s Encrypt, but these provide limited protection that will only be sufficient for a starter site or small site.

9. No Firewall Protection

Lack of firewall protection is another common reason why hackers can bypass website security measures and infiltrate the backend resources. Firewalls are the last line of defence against hackers and work like the security alarm installed on your house. Firewalls monitor web requests coming from various IP addresses, including the suspicious (or bad) ones. 

They can identify and block requests that are known to be malicious in the past, thus preventing easy access for hackers to your website domain. Web application firewalls can thwart various attacks, including brute force attacks, XSS, and SQL injections.

Pro tip: A firewall provides much-needed security and is your first line of defence. But it’s important to also have a malware scanner installed.
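The kind of request pattern a web application firewall or rate limiter blocks can also be spotted after the fact in the web server’s access log. The script below is an added example (mine, not code from the article or from any firewall product): it parses constructed combined-format log lines, counts POSTs to the two WordPress credential endpoints (wp-login.php and xmlrpc.php) per source IP inside a sliding time window, and reports the IPs whose burst exceeds a threshold. The sample lines, the documentation-range IPs and the five-in-five-minutes threshold are all constructed for the demo.

```python
"""Spot password-guessing bursts against WordPress in a web-server access log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One combined-log-format line (Apache/Nginx default), e.g.
#   203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints that password-guessing tools hammer; both accept credentials by POST.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_abusers(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: n} for every IP that made at least `threshold` login POSTs
    inside some sliding window of length `window`; n is its largest such burst."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, burst = 0, 0
        for end in range(len(times)):
            # advance the window start until the burst fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            flagged[ip] = burst
    return flagged


# Constructed sample log: documentation IP ranges, not real traffic.
# 203.0.113.7 makes six login POSTs in total, five of them within two minutes;
# the lone 12:00 attempt is outside the window and must not count toward the burst.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
192.0.2.1 - - [10/Oct/2020:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2911 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2020:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2020:13:55:47 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
198.51.100.5 - - [10/Oct/2020:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:56:10 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2020:13:56:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.68.0"
198.51.100.5 - - [10/Oct/2020:13:57:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/5.0"
this line is not a valid access-log entry
"""

if __name__ == "__main__":
    for ip, n in find_login_abusers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: burst of {n} login POSTs within 5 minutes")
```

Run against a real log, the IPs this returns are candidates for a temporary block or rate limit; a firewall plugin does the same counting in real time. The GET to wp-login.php is ignored because only POSTs carry credentials, and malformed lines are skipped rather than crashing the scan.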

10. Lack of WordPress Hardening Measures

Typically, hackers target the most vulnerable areas or weaknesses within a WP installation, to illegally access or damage the website. The WordPress team has identified these vulnerable areas and has devised a list of 12 hardening measures recommended for every website.

A few of these include:

  • Disabling the File Editor;
  • Preventing PHP execution in untrusted folders;
  • Changing the security keys;
  • Disallowing plugin installations;
  • Automatic logout of inactive users;

How do you implement these hardening measures? While some steps are easy to understand, others require the technical expertise of how WordPress works. 

Pro tip: You can implement hardening measures on your own. However, some measures require technical expertise so in these cases, it’s much easier and safer to use a plugin.
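Several of the measures listed above (item 10) and the wp-admin password layer from item 7 can be checked mechanically. The audit script below is an added example (mine, not code from the article or from WordPress): it reads a site’s wp-config.php and looks for DISALLOW_FILE_EDIT (disables the file editor), DISALLOW_FILE_MODS (disallows plugin/theme installs from the dashboard) and the eight security key/salt constants, and checks for an Apache .htaccess that blocks PHP in wp-content/uploads and one that puts Basic auth in front of wp-admin. Those constants and the placeholder value “put your unique phrase here” come from WordPress’s own wp-config-sample.php; the throwaway sample tree the script builds, the finding messages and the .htaccess contents are my own assumptions for the demo.

```python
"""Audit a WordPress tree for some of the hardening measures listed above."""
import os
import re
import secrets
import tempfile

# Placeholder value shipped in wp-config-sample.php; keys left like this are a finding.
PLACEHOLDER_KEY = "put your unique phrase here"
SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                 "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Simplified parser: one define( 'NAME', value ); per line, value not containing ");".
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(php_source):
    """Map every define()'d constant in a wp-config.php to its raw PHP value."""
    return dict(DEFINE_RE.findall(php_source))


def _read(path):
    with open(path, encoding="utf-8") as f:
        return f.read()


def audit(wp_root):
    """Return a list of findings; an empty list means every checked measure is in place."""
    findings = []
    config = parse_defines(_read(os.path.join(wp_root, "wp-config.php")))
    if config.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("theme/plugin file editor enabled: set DISALLOW_FILE_EDIT to true")
    if config.get("DISALLOW_FILE_MODS", "").lower() != "true":
        findings.append("plugin/theme installs from the dashboard allowed: set DISALLOW_FILE_MODS to true")
    for key in SECURITY_KEYS:
        raw = config.get(key, "").strip("'\"")
        if PLACEHOLDER_KEY in raw or len(raw) < 32:
            findings.append(f"{key} missing, placeholder or too short: regenerate security keys")
    uploads_ht = os.path.join(wp_root, "wp-content", "uploads", ".htaccess")
    if not (os.path.isfile(uploads_ht) and "php" in _read(uploads_ht).lower()):
        findings.append("no .htaccess blocking PHP execution in wp-content/uploads")
    admin_ht = os.path.join(wp_root, "wp-admin", ".htaccess")
    if not (os.path.isfile(admin_ht) and "AuthType" in _read(admin_ht)):
        findings.append("wp-admin not behind HTTP Basic auth (no AuthType in wp-admin/.htaccess)")
    return findings


def build_sample_site(root, hardened):
    """Write a constructed, minimal WordPress-like tree under `root` (not a real install)."""
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    lines = ["<?php", "define( 'DB_NAME', 'wordpress' );"]
    for key in SECURITY_KEYS:
        # hardened site: 64 hex chars from a CSPRNG; unhardened: the sample-file placeholder
        value = secrets.token_hex(32) if hardened else PLACEHOLDER_KEY
        lines.append(f"define( '{key}', '{value}' );")
    if hardened:
        lines += ["define( 'DISALLOW_FILE_EDIT', true );", "define( 'DISALLOW_FILE_MODS', true );"]
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    if hardened:
        with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w", encoding="utf-8") as f:
            f.write('<FilesMatch "\\.php$">\n    Require all denied\n</FilesMatch>\n')
        with open(os.path.join(root, "wp-admin", ".htaccess"), "w", encoding="utf-8") as f:
            f.write('AuthType Basic\nAuthName "Restricted"\n'
                    'AuthUserFile /path/to/.htpasswd\nRequire valid-user\n')


def audit_sample(hardened):
    """Build a throwaway sample tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, hardened)
        return audit(root)


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"hardened={hardened}:")
        for finding in audit_sample(hardened) or ["no findings"]:
            print("  -", finding)
```

Two caveats worth knowing before applying the settings the audit asks for: DISALLOW_FILE_MODS also blocks plugin, theme and core updates from the dashboard, so it belongs on sites that update through another path (deployment pipeline or WP-CLI); and Basic auth on the whole wp-admin folder also covers wp-admin/admin-ajax.php, which front-end features call, so that file usually needs to be exempted from the authentication requirement.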


Featured image via Pexels.



Article source: Webdesignerdepot

This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and more. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10.

Vulnerability: HashiCorp Vault

Felix Wilhelm from Google’s Project Zero has written a very detailed write-up on an authentication bypass he found in the Amazon Web Services (AWS) and Google Cloud Platform (GCP) integration of HashiCorp Vault. As a central storage of credentials, Vault makes an attractive target for attackers, and therefore a vulnerability in it is also very bad news. Looking for the silver linings, this attack was definitely quite advanced, and thus not easily exploitable.

Article source: DZONE