Starting in the fall of 2018, sites that have a Symantec SSL certificate installed will show up as non-secured sites. According to Wordfence, these certificates will have to be replaced soon in order for your site to show up as a secured site with a valid SSL certificate. Wordfence released a statement explaining what a Symantec SSL certificate is, how you can check yours, and the steps you need to take to update your certificate so that your site does not drop in rankings or get flagged as unsecured.
On September 13th, 2018, Wordfence released a statement that says:
This is a final reminder that legacy TLS certificates issued by Symantec, including those issued by authorities like Thawte, Geotrust, and RapidSSL which used Symantec as a central authority, will be distrusted by both Google Chrome and Mozilla Firefox beginning in October. Apple products have partially distrusted these certificates and plan to also distrust the full set of certificates at some point in Fall 2018. Digicert has acquired the Certificate Authority (CA) and its infrastructure, and is issuing free replacement certificates for all affected customers. If you have already replaced your certificate, no action is needed.
Mozilla has estimated around 1% of the top million websites are still using certificates which will no longer be accepted by most web browsers in the next month, despite the year of warning. If you are currently using Firefox or Chrome, you can simply visit your website and check the browser console (Ctrl+Shift+J in Windows and Linux, or Cmd+Shift+J on Mac for Firefox and Cmd+Option+J for Chrome) to see if your certificate is in danger of being distrusted. If you use Firefox Nightly or Chrome Canary you may already see the standard “Invalid Certificate” warning rather than your site.
Example warning from the Chrome console for a site with an affected certificate
Why Is This Happening?
When we last reminded our users about this 6 months ago, questions like “Why do browser vendors care?” and “Why is this happening?” filled the comments section of the post.
Browser vendors care because these certificates are used to verify you are connecting to the server you intended. Without getting buried in technical details of public key cryptography and certificate chains, this is done by having a pool of central authorities that verify an issued certificate goes to the proper owner of a website. Your computer has a list of trusted authorities stored on it, and compares every certificate it sees to this list. This means that, in addition to encrypting the data in transit between you and the server, you can also be assured that you are communicating with the correct server. This prevents actions such as a Man In The Middle (MITM) attack, where a malicious actor attempts to intercept or alter traffic between a user and a server.
The challenging part of being a Certificate Authority (CA), like Symantec was, is properly verifying who is being issued a certificate, which leads us to why this change is taking place. Back in 2016, users noticed Symantec issuing certificates against certain guidelines, and posted this information to a Mozilla security mailing list. This was the latest in a series of problems with the Symantec CA. After much discussion between other major CAs, the decision was made to distrust Symantec and remove it as an authority. If you’re curious about further technical details, the majority of this discussion was conducted via public mailing lists available online.
This is a final reminder, as the next upcoming browser releases will entirely distrust these certificates. Please check your site and replace the certificate as needed!
See the full article: Reminder: Popular Browsers To Distrust Symantec SSL/TLS Certificates Starting In October
If you are hosting your site on Secure Hosting WP, then check out the SSL certificates available for your site that are valid and will be coming this fall. If you have any questions or need your site moved to Secure Hosting WP, then feel free to contact us.
Lots of updates going on with WordPress lately. WordPress needs to be updated on an ongoing basis to keep up with new features, work out bugs, and update for security reasons.
This month WordPress updated to version 4.9.6 and plugins and themes will follow.
- Always update your site with the newest version of WordPress.
- Update your plugins (one at a time and check your site after each one to troubleshoot any problems).
- Update your themes (one at a time and check your site after your main theme plugin to troubleshoot any problems).
You can find the latest WordPress Download Version here.
If you have any problems, please contact us.
In the past few days the City of Atlanta has been hit with a ransomware attack. Several major computer systems that provide city services have been encrypted by an attacker. The attacker is demanding $51,000 worth of bitcoin to decrypt the systems, and the city has not yet ruled out paying the ransom. The attack occurred five days ago, and as of this writing, the systems remain inaccessible.
Yesterday, Mayor Keisha Lance Bottoms held a press conference to chat about the problem. So far the mayor and her team seem to be doing a great job of putting together a coordinated and multipronged response to deal with the incident.
What struck me about the conference is that it was the kind of conference a city holds when dealing with a physical disaster. The mayor actually described it as a “hostage situation” towards the end of the conference. This is the tangible impact of a cyber attack on a local government.
The City of Atlanta is working with the Secret Service, FBI, Department of Homeland Security and academic and private institutions, including Georgia Tech and SecureWorks. They have completed the investigation and containment phase of the incident response and have moved on to the restoration phase where they work to bring critical systems back online, but at this time the affected systems are still encrypted.
Many of Atlanta’s systems have now been down for five days, though critical systems such as police, fire, rescue, 911, water services and airports are operational and continue without interruption. The departments affected include:
- Department of City Planning and Office of Buildings: Processing times are longer than normal.
- Office of Zoning and Development: Processing times are longer than normal.
- Office of Housing and Community Development: Office is unavailable to process disbursement requests.
- Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
- Department of Watershed Management: Online bill payments and in-person bill payments are down.
Mayor Bottoms has described this as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She goes on to say that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”
The city does not currently have a time estimate for when they will get all of their systems back up and running. They are working around the clock, and they are actually concerned that some of the team that has responded to this incident may burn themselves out, so they are managing that aspect of the task, too.
They have confirmed that it was a remote attack that compromised their systems. The city was reportedly hit by the SamSam ransomware. This ransomware variant has made the attackers $850,000 since December 2017. According to CSO Online, the city had many services exposed to the public, which could have provided an attacker with a point of entry, including “VPN gateways, FTP servers, and IIS installations.” Many services had SMBv1 enabled, which has known security issues.
One thing I found interesting about the mayor’s comments was an analogy she used. She uses as an example an old truck she had. She didn’t think she had to replace it until she was in a wreck. And then she had to replace it. Her analogy makes it clear that the city should have updated their security posture before this incident occurred, and now that it has occurred, they are forced to take action to resolve the issue and secure their systems going forward, but at great cost and inconvenience.
I think this is a valuable lesson, and something that WordPress site owners should take to heart. It is important to be proactive when it comes to securing your systems and educating yourself about cybersecurity. Don’t wait until you get hacked before you take action. If you have a WordPress website, install a malware scanner and firewall like Wordfence and use our blog, learning center and Wordfence documentation to empower yourself and secure your website. We have also written about ransomware as an emerging threat to WordPress in the past.
Ransomware mainly targets desktop systems. To protect your home or office systems from a ransomware attack, take the following steps:
- Ensure you have regular backups and that those backups are offline. They must not be accessible from the workstation that is being backed up to ensure that ransomware cannot also encrypt your backups when you get infected.
- Install the latest security patches for Windows, OSX, Android, iPhone and any other operating system that you use. Along with backups, this is the most effective thing you can do to protect yourself.
- Install any application updates, especially browser updates. Make sure you are not running an old vulnerable browser, or else simply visiting a compromised website can infect you.
- Install a desktop antivirus solution and ensure it has updated virus signatures, or alternatively, enable Windows Defender, which is free.
- Do not open attachments or downloaded files from untrusted sources. Avoid using file attachments completely if you can, and use cloud services like Google Docs instead.
- Do not click links in emails from people you do not trust.
To see the full post and more information, visit Wordfence PSA: Lessons From The Atlanta Ransomware Situation
Of course, spam emails are everywhere. You get them on a daily basis in your spam box if your email account marks them as spam, but sometimes they go right into your inbox. So what is going to keep you safe from these annoying spam emails? How do you know the difference? What are the best practices for managing accounts and telling whether these are legitimate emails or not?
When it comes to managing your account, beware of spam emails that try to hack your system or make you pay other sources by giving in to their scare tactics. Here is one example of an email that we have received, and we try to give this warning out as much as possible. We get calls all the time from clients asking about these types of emails and why they are asking for money. This isn’t only email accounts; we have also seen these types come through snail mail (to your actual mailbox) asking you to pay up or else! Both are spam! Trash them!
How to manage your account without getting spammed?
First of all, this email was marked as spam. An email system doesn’t always catch them and mark them as spam. So just because it went to your regular inbox doesn’t mean it isn’t spam.
Who is the email from?
As you notice in the email screenshot, they didn’t buy their domain from that service.
When is your domain due?
Usually, they try these scare tactics months before a domain is actually due. If you do not know when your domain is up for renewal, always go to the original source you registered your domain with and check your account there. This should be the ONLY source you go to in order to renew your domain.
Never click on a link in any of these emails.
This is a way for them to get into your system and even hold your account for ransom. We have stepped in on rescues of people who clicked on these links and suddenly had a browser screen takeover by people who want to access your system and have you pay them to remove the spam they just installed in your system.
Don’t confuse your website system and your local operating system as the same thing. There are various ways we have talked about for securing your WordPress site that will be effective. Getting your local computer system hacked is a different ballgame and can be costly to remove, or it could break your whole system and you may lose all your content. However, if you are working on a website from your local computer, then yes, they can now access just about anything, including your website.
If in doubt of a suspicious email, it is best to leave it alone and ask someone professional who would know.
Best practices for keeping your local computer safe?
- Login DIRECTLY to manage an account for ANY service you use!
This could be a website, PayPal, Banking, Purchasing sites, ANY website where you manage an account, always login direct and don’t click links in an email that you are unsure of.
The best way to help email services combat spam is to report emails that are spam that have not been marked spam yet. They receive these and monitor these email reports, so use the service!
- Use the scroll over method for links in emails!
Just to be on the safe side, even if you think an email is legit (and maybe it is), always scroll over a link in an email and verify that link at the bottom of the browser. Some use tinyURLs, so you won’t be able to see the exact string; in this case, go to the first suggestion and login DIRECTLY to an account.
These three suggestions will help you continue to use a safe practice for all of your information.
One last thing is we suggest you use security on any device you are using to help warn you and keep your system secure. Look for further news about how to keep your local system secure. Subscribe to our site by clicking the bell on a page so you can receive these types of tips, news, and reminders.
Secure Hosting WP Team
Subscribing to specials, updates, security information just got easy!
The team at Secure Hosting WP wants to make sure we make securing your WordPress or any other platform you choose on Secure Hosting WP as easy as possible now by giving you desktop or mobile push notifications when you subscribe. Even if it is simply to remind you that you need to keep up with your updates and when they are released. No other hosting keeps you informed with such an easy way of reminders.
Securing your WordPress site, hosting, other content management platforms is always of high priority for us at Secure Hosting WP.
These awesome visual reminders, we think, will help you stay informed and on top of managing your WordPress (or many other platforms we offer) in your account. Even if you don’t host with Secure Hosting WP, you can still subscribe.
We make it easy to subscribe!
When you go to Secure Hosting WP, you will be prompted to subscribe. We encourage you to do so to get latest specials, security updates and more without having to constantly check back on the site! It’s that easy!
If you choose not to subscribe at your first visit (you may be on a public computer somewhere) then you can always choose to later subscribe by clicking the GREEN bell.
If you ever want to unsubscribe for whatever reason, even if temporary, just visit the site, click the bell and unsubscribe. You can always subscribe again whenever you want!
We promised a dedication to making your experience as easy as possible for all of our supported domain and hosting clients. This is just one way we keep YOU up to date.
We hope as we are coming up with such great tools to use for subscribers, you will find out how we really roll at Secure Hosting WP.
We know that sometimes starting up a small business and including a budget for a website doesn’t always cross your mind! Some hosting companies want an annual hosting cost up front which could really dig into your pocket for upfront costs of having a website.
How to get hosting for WordPress Sites on a monthly Budget?
With Secure Hosting WP, we have made the exception and want you to be able to start or keep your online presence in an affordable way. For some, it might be easier to budget your hosting on a monthly basis instead of coming up with upfront annual costs for hosting. That’s why we offer Managed WordPress Hosting and cPanel hosting packages with a monthly payment option. Just select which hosting option you need and add to your cart. Once you check out, then select from the drop-down selection if you want to choose the annual payment or a monthly payment.
We want to see you succeed with your website, so this extra monthly hosting option will help many more get started and fit hosting into an affordable monthly budget.