Securing Your WordPress Site: Top Plugins
Posted by Beau Adkins. Categories: How To, Security, Web Security.

WordPress is huge. It is currently the most popular blogging system in use, and it manages 22% of all new websites. We use it for our site, and I would personally recommend it to anyone thinking of creating a new website.

However, because it is so popular, it becomes a target for hackers. Right now, automated bots are crawling the web looking for WordPress sites to attack. If you take some time to protect yourself, you can greatly reduce your chances of having a problem.

With that, I decided it would be useful to share some of the tips and tricks I have learned to protect our site. There is too much for one blog post, so I will release others over time, but I will start with the most important ones.

So, here are my recommendations for the 4 best WordPress security plugins. All WordPress plugins are easy to install, but some may take some time to configure correctly.

  1. WordPress File Monitor Plus. This plugin is used to alert you anytime a file on your site changes. When a WordPress site gets hacked, what actually happens is the attacker adds one or more files to your site, or they alter one that is already there. A WordPress installation consists of hundreds of files, so it’s very easy to blend in and not be noticed. But with just one file, attackers have the ability to change your site however they want, including attacking your site’s visitors with malware, and eventually getting you banned from Google.

    WordPress File Monitor Plus will regularly check your WordPress installation for new files, deleted files, and changed files. If it finds anything, it will send you an email with details. It is your responsibility to read these emails to see if any changes are unexpected. For example, uploading a new image or upgrading a plugin will cause an alert. If you see something you can’t explain, investigate it immediately. This plugin will not stop you from being hacked; it will only let you know when you have been attacked, and help you clean it up.

    Out of the box, this one is pretty easy to set up. You just tell it how often to scan your files. But most likely, you will want to tell it which files not to scan. For example, if you have a caching plugin, its constantly changing cache files will cause the File Monitor to alert you over and over. The best plan is to set it up with no excludes, and when the alerts start coming in, identify which directories you can safely ignore. Eventually, it will only tell you about important changes.
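    To show what such a file monitor does under the hood, here is an added example (my own code, not the plugin's): it hashes every file under a site root, skips excluded paths such as a cache directory, and classifies the differences between two scans. The WordPress-style tree it scans is constructed in a temporary directory, and the exclude patterns are this example's own.

```python
import fnmatch
import hashlib
import os
import tempfile

# Glob patterns (relative to the site root) to leave out of the scan. Constructed
# for this example, modelled on the caching-plugin noise described above.
DEFAULT_EXCLUDES = ["wp-content/cache/*", "*.log"]


def file_hash(path):
    """SHA-256 of a file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, excludes=DEFAULT_EXCLUDES):
    """Map every non-excluded file under root (relative POSIX path) to its hash."""
    result = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, pattern) for pattern in excludes):
                continue
            result[rel] = file_hash(full)
    return result


def compare(baseline, current):
    """Classify differences between two snapshots as added, removed or changed."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "changed": sorted(p for p in current
                          if p in baseline and current[p] != baseline[p]),
    }


def alert_text(diff):
    """Plain-text body for an alert mail; empty string when nothing changed."""
    lines = []
    for kind in ("added", "removed", "changed"):
        for path in diff[kind]:
            lines.append("%-8s %s" % (kind.upper(), path))
    return "\n".join(lines)


def demo():
    """Build a constructed mini WordPress tree, take a baseline, then simulate changes."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(data)

    write("wp-config.php", "<?php define('DB_NAME', 'wp');")
    write("wp-includes/version.php", "<?php $wp_version = '3.3';")
    write("wp-content/cache/page1.html", "cached copy")
    baseline = snapshot(root)

    # Changes after the baseline: one edited file, one new file in uploads,
    # one removed file, and cache churn that the exclude list must hide.
    write("wp-config.php", "<?php define('DB_NAME', 'wp'); // edited")
    write("wp-content/uploads/2012/06/image.php", "<?php /* unexpected file */")
    write("wp-content/cache/page2.html", "cached again")
    os.remove(os.path.join(root, "wp-includes/version.php"))
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(alert_text(demo()))
```

A real deployment would store the baseline on disk and run the scan from cron; the cache write above produces no alert line precisely because of the exclude pattern.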

  2. Limit Login Attempts. This plugin protects you from automated password guessers. If you install this plugin, it will let you configure how many tries someone gets at logging into your WordPress site before they are locked out for some amount of time. The guess count and lockout time are configurable. If someone guesses incorrectly too many times, you will be sent an email about it, and they will be stopped from trying again for some amount of time.

    So how useful is this? You would be surprised. Once you install this plugin, you will find out that there are automated bots that find WordPress sites and try to brute force the password. Without this plugin, they will eventually guess it. Depending on the speed of your server, they could guess hundreds of passwords a second. With this plugin installed, they may get 6 guesses every 2 days.

    This plugin is simple to install and configure. So you have no excuse.
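    The lockout logic such a plugin implements, as an added example of my own (not the plugin's code): failures are counted per client, the client is refused for a fixed period once the limit is hit, and a notification hook fires on each lockout. The guess count and lockout length are the two settings described above; the default values and the client address used in the demo are this example's own.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Per-client failed-login counter with timed lockouts (example code)."""

    def __init__(self, max_attempts=4, lockout_seconds=20 * 60, notify=None):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.notify = notify or (lambda message: None)  # e.g. send an e-mail
        self.failures = defaultdict(int)  # client -> consecutive failed attempts
        self.locked_until = {}            # client -> time the lockout expires

    def is_allowed(self, client, now=None):
        """Check BEFORE verifying the password, so locked clients cost no work."""
        now = time.time() if now is None else now
        expires = self.locked_until.get(client)
        if expires is None:
            return True
        if now >= expires:
            del self.locked_until[client]  # lockout has expired
            self.failures[client] = 0
            return True
        return False

    def record_failure(self, client, now=None):
        """Count a wrong password; returns True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        self.failures[client] += 1
        if self.failures[client] >= self.max_attempts:
            self.locked_until[client] = now + self.lockout_seconds
            self.notify("%s locked out for %d s after %d failed logins"
                        % (client, self.lockout_seconds, self.failures[client]))
            return True
        return False

    def record_success(self, client):
        """A correct password clears the failure counter."""
        self.failures[client] = 0

    def login(self, client, password_ok, now=None):
        """Convenience wrapper returning 'locked', 'denied' or 'ok'."""
        if not self.is_allowed(client, now):
            return "locked"
        if not password_ok:
            self.record_failure(client, now)
            return "denied"
        self.record_success(client)
        return "ok"


def demo():
    """Simulate an automated guesser; returns (outcomes, notifications)."""
    alerts = []
    limiter = LoginLimiter(max_attempts=4, lockout_seconds=1200, notify=alerts.append)
    t = 1_000_000.0  # constructed clock so the run is deterministic
    client = "203.0.113.7"  # documentation-range address, constructed
    outcomes = [limiter.login(client, False, now=t + i) for i in range(6)]
    outcomes.append(limiter.login(client, True, now=t + 1300))  # lockout over
    return outcomes, alerts


if __name__ == "__main__":
    print(demo())
```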

  3. Secure WordPress. This plugin is more of a hardener. It does a lot of little things to make an attacker’s life harder. While none of these things make it impossible to be hacked, they will make hacking your site harder than hacking someone else’s, and that is usually enough.

  4. TimThumb Vulnerability Scanner. There is a library called TimThumb that people use to dynamically create thumbnail images for websites. It is used by millions of sites. In 2011, a vulnerability was discovered in it that allowed attackers to easily take over any site using it. The vulnerability has been corrected, but sadly old versions are still out there years later. This vulnerability is probably still the most common way WordPress sites get hacked. This plugin will automatically determine if you are using an out-of-date version of TimThumb, and if so, it will upgrade it for you.

Please let me know if these recommendations helped you, or if you know a WordPress plugin that belongs on this list.

The Motivation Behind Malware
Posted by Beau Adkins. Categories: Light Point Web, Security, Web Security.

Last night I came across a sobering article from Brian Krebs of KrebsOnSecurity. The article talked about a specific crimeware author who is advertising that he is in the market to buy fresh new browser exploits, but the article had much more information than just that.

The Value of an Exploit Kit

For some background, a crimeware gang has written an exploit kit named Blackhole. Its purpose is to exploit vulnerabilities in web browsers to install a malware payload on victims’ computers. The Blackhole kit itself doesn’t much care what the payload is. Instead, the author of Blackhole will lease his creation to others, and let them supply the malware.

Think about it like a delivery service. If I have a new piece of malware that I want installed on lots of computers around the world, I could pay to have Blackhole deliver it for me. Blackhole doesn’t need to know anything about what it is delivering; its job is only to get it delivered (yes, exactly like Jason Statham in The Transporter).

What is amazing about this is how much it costs to lease Blackhole. A three month license is $700, and a yearly license is $1,500. The creators will even provide hosting for you for $200/week or $500/month.

But that’s not all. The authors of Blackhole have built something even better, a second kit called the Cool Exploit Kit. From the article, it seems like the authors’ newest (and therefore most valuable) exploits are reserved for the Cool Exploit Kit. Only after an exploit becomes known is it moved to Blackhole. Access to the elite Cool Exploit Kit runs $10,000/month!

Additionally, the authors put out a statement that they want to buy more new exploits for browsers and browser plug-ins. They announced that they have set aside an initial budget of $100,000 to buy exploits and vulnerability proof-of-concepts. They stated that they are only interested in purchasing exploits that have not been published and that they will not release this information to the public either. Therefore, the targeted software will remain unpatched indefinitely.

The Motivation Behind Malware

There is only one reason why someone would spend that kind of money to get malware delivered – because it will pay for itself. The article showed that one specific cybergang’s income from just one flavor of ransomware was almost $400,000 a month.

This shows a very dangerous combination of facts. Getting malware onto a victim’s computer is worth a lot of money, so people will pay handsomely for new exploits to make that happen. This makes exploits worth a lot of money, so people will be motivated to continue creating them.

Our Mission

All of this reinforces our motivation here at Light Point Security. The web is now the most common way for malware authors to infect a victim’s computer. Unfortunately, in many cases, such as with the Cool Exploit Kit, cybercriminals use unpublished vulnerabilities in browsers and browser plugins to infect a victim’s computer with malware. By the time the vulnerability is discovered and fixed by the good guys, it is too late. The bad guys have infected tons of computers, and have moved on to the next vulnerability.

We are building Light Point Web to stop not some, not most, but all of these types of exploits – even the ones that have not been made public.

Light Point Web Now Supports PDFs and Office Formats
Posted by Beau Adkins. Categories: Light Point Security Update, Light Point Web, Security, Web Security.

Recently, we released an update to our servers that allows our users to view many popular document types through Light Point Web. To accomplish this, we are using the Google Docs Viewer. The Google Docs Viewer is a nifty little service from Google that can turn documents into normal webpages.

This addition will greatly enhance the security offered by Light Point Web. Previously, if a user of Light Point Web clicked on a link to a PDF file, the user would see our plugin screen. In order to view the document, the user would click the plugin screen, which would cause the user’s real browser to download and display the PDF file.

The Light Point Web Plugin Screen

While this functionality gave our users the ability to view PDFs and other files, it also exposed their computers to any malware that may have been hiding within that document since it required bypassing our security. PDF files can be very dangerous, as it is easy to embed malware within them. With this recent update, our users can now easily view documents without downloading them, which means these types of attacks will no longer be effective on our users.

How to Use the New Viewer

The new plugin viewer works automatically. Now, when you click a link to a supported file, such as a PDF, you will be sent to the Google Docs Viewer for that file. This gives you the ability to read the file without it ever touching your computer. At the top of each page there is a link under the “File” menu item to download the original file. Clicking that link takes you to the old plugin screen, which gives you the ability to open the file in your real browser, if you decide to.

Light Point Web with the Google Docs Viewer

What File Formats Are Supported?

There are quite a few file types supported by the Google Docs Viewer. Here is the full list. A quick rundown of the most common file types:

  • Microsoft Word (.doc, .docx)
  • Microsoft Excel (.xls, .xlsx)
  • Microsoft PowerPoint (.ppt, .pptx)
  • Adobe PDF (.pdf)
  • PostScript (.eps, .ps)
  • Archives (.zip, .rar)

Windows Live and Hotmail Account Upgrade Email Phishing Scam
Posted by Zuly Gonzalez. Categories: Security, Web Security.

There’s a Windows Live and Hotmail email phishing scam going around. The email attempts to trick victims into disclosing their Windows Live credentials and other personal information by claiming that a Trojan has been detected in the user’s Windows Live folders. The fraudulent email claims that the personal information is needed to upgrade the user’s email account with a 1024-bit RSA key anti-virus firewall, and that if the user does not comply, their email account will be terminated.

Windows Live and Hotmail Email Phishing Scam: Account Upgrade!!(Verify Now)

This phishing email claims to come from the Windows Live™ team. However, the email address associated with the account is – not exactly an email address I would expect to see from an official Windows Live communication. The subject line of the email is “Account Upgrade!!(Verify Now)”. Note the missing space between the second exclamation mark and the open parenthesis. That mistake was made by the spammers; it’s not a typo on my part.

The email reads as follows:

From: Windows Live™ TEAM (
Subject: Account Upgrade!!(Verify Now)

Dear Windows Live customer,

Windows Live™ MSN is faster, safer than ever before and filled with new ways to stay in touch. Storage space that grows with you means you shouldn’t have to worry about deleting your e-mail, and the new calendar makes it easy to share your schedule with family and friends. Due to increased spam and phishing activities globally, a DGTFX trojan virus has been detected in your windows live folders. Your email account will be upgraded with our new secure 1024-bit RSA key anti-virus firewall to prevent damage to our email servers and to your important files. Click your reply tab, fill the columns below and send back to us or your email account will be terminated to avoid spread of the virus.

* User Name:……………………………………..

* Password:……………………………………….

* Confirm Password:……………………………

* Year of Birth:…………………………………..

* Country Or Territory:………………………..

Note that your password will be encrypted with 1024-bit RSA keys for your password safety.

If you use Hotmail, MSN or Live! you’re using Windows Live. Your Hotmail address and password gives you access to the full suite of Windows Live services so you can stay connected with the people and things that matter to you online. Plan your next event, write a blog, create a discussion group, even get updates from other websites you use. – “Your Life, Your Stuff, All Together at Windows Live.” we wish to serve you better…

This Account Update will Improve our services to you.

You can access your Hotmail, Messenger and SkyDrive faster directly from your phone or phone’s web browser. For more info, see Get mail on your phone, Get Messenger on your phone, and Get SkyDrive on your phone. We remain focused on making Hotmail, Messenger, SkyDrive and your Windows PC the best that they can be. Note that this change has no impact on your ability to access Hotmail, Messenger, and Skydrive. Thanks for your understanding and patience as we update our services. Sincerely,

The Windows Live Team

Microsoft respects your privacy. To learn more, please read our online Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

There are six links in this phishing email. Two of the links point to The other four links point to URLs in the form of*.

How to Identify a Phishing Email?

There are a few telltale signs that this is a phishing scam.

  1. It asks for personal information. No legitimate company, including Microsoft, will ever ask you for personal information via email. That includes your username, password and date of birth. This is the biggest red flag.
  2. It contains poor grammar, misspellings and looks unprofessional. If you receive an email claiming to be from a large enterprise, like Microsoft, with grammatical mistakes and misspellings, you can be sure it did not really originate from them. Large companies ensure that their emails look professional. In the case of this Windows Live phishing email, the subject line and from field are enough to give it away. Note the double exclamation marks and missing space in the subject line. Also note that the word ‘team’ in the from field is written in all capital letters. You don’t even need to click on the email to know it’s a scam.
  3. The sender’s email address is unprofessional. First, it’s from an MSN account, which anyone on the Internet can get for free, instead of from an official Microsoft domain. Second, the first part of the email address is ‘lbhughes100’, again very unprofessional looking (and suspicious).
  4. There is a sense of urgency. This pressures you into feeling like you need to take action right away, and do not have the time to research the legitimacy of it.
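The four signs above can be turned into a simple indicator check. This is an added example of my own, not part of the original post: it runs the checks over a constructed copy of the message (the sender address and the free-webmail domain list are placeholders, not the scammer's real address) and over a benign message for contrast.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above. The sender address is a
# placeholder; the real one is deliberately not reproduced here.
SAMPLE_PHISH = """From: Windows Live TEAM <someuser123@freemail.example>
Subject: Account Upgrade!!(Verify Now)
To: customer@example.com

Dear Windows Live customer,

A DGTFX trojan virus has been detected in your windows live folders. Click your reply
tab, fill the columns below and send back to us or your email account will be terminated.

* User Name:......
* Password:......
* Confirm Password:......
* Year of Birth:......
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """From: Example Newsletter <news@example.com>
Subject: Your June newsletter
To: customer@example.com

Here is what we published this month. Thanks for reading.
"""

# Domains where anyone can get an account for free (constructed list).
FREEMAIL_DOMAINS = {"freemail.example", "hotmail.com", "msn.com", "live.com",
                    "gmail.com", "yahoo.com"}

# Form-style lines asking for account details, as in the sample body.
CREDENTIAL_FIELDS = re.compile(
    r"(?im)^\W*(user ?name|password|confirm password|year of birth)\s*:")
# Phrases that pressure the reader into acting at once.
URGENCY = re.compile(
    r"(?i)(will be terminated|verify now|immediately|right away|within \d+ (hours|days))")


def analyze(raw_message):
    """Return the four indicators from the post as booleans plus a total score."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    indicators = {
        # 1. asks for personal information (username, password, date of birth ...)
        "asks_for_credentials": bool(CREDENTIAL_FIELDS.search(body)),
        # 2. sloppy subject or From: doubled '!!', no space before '(', ALL-CAPS word
        "unprofessional_wording": bool(re.search(r"!!|[!?]\(", subject)
                                       or re.search(r"\b[A-Z]{3,}\b", display_name)),
        # 3. sender on a free webmail domain rather than the brand's own domain
        "freemail_sender": domain in FREEMAIL_DOMAINS,
        # 4. pressure to act now
        "urgency": bool(URGENCY.search(subject + "\n" + body)),
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score,
            "verdict": "likely phishing" if score >= 2 else "no strong signals"}


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(analyze(sample))
```

These heuristics are deliberately coarse; a mail filter would weight them alongside sender authentication results rather than trust any one of them alone.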

How to Protect Yourself From Phishing Emails?

Here are a few things you can do to protect your identity, and personal information, and avoid becoming a victim of phishing email scams.

  • If you receive an email message claiming to be from Hotmail, MSN or Windows Live, with the subject line Account Upgrade!!(Verify Now), or similar, do not open it and delete it immediately.
  • If you mistakenly open the email message, don’t click on any links in the email or download any attachments, and delete it right away.
  • To report spam, Hotmail users should click the “Junk” button. Non-Hotmail users should send an email to, or (depending on the originating mail domain: hotmail or msn or live), and attach a copy of the spam email.
  • Spread the word. Spammers get away with this because most people aren’t aware of these threats, so tell your friends by sharing a link to this post, or any other post on the topic.
  • Read and follow the most important steps for internet security to protect your computer from cybercrimes.

Have you received a similar email?

How Facebook’s Pay to Highlight Feature Can Lead to Scams
Posted by Zuly Gonzalez. Categories: Security, Web Security.

According to TechCrunch, Facebook is testing a new feature, one which I believe will only increase the already huge number of scams and malware present on the social networking site.

The new feature would allow users to pay to “highlight” their status updates in their friends’ news feeds.

Facebook spokeswoman Mia Garlick said, “We’re constantly testing new features across the site. This particular test is simply to gauge people’s interest in this method of sharing with their friends.”

Facebook is getting desperate. Their revenue is declining as a result of more users accessing it via their mobile devices, which do not display ads. Their IPO was a complete failure, and will lead to several lawsuits. I don’t blame them for looking at new ways to monetize their platform. However, what they are doing with these “highlighted” status updates is dangerous.

How Does Facebook’s Highlight Feature Work?

Currently the Highlight option is only being tested with a small sample group of users. And, it is only available for personal accounts, not brand pages. If you are part of the test sample group, when you post an update on Facebook you’ll see the Highlight option next to the Like and comment buttons. Clicking on Highlight will display the message below – giving you the option to highlight (spam?) your update in your friends’ news feeds.

Facebook Pay to Highlight Status Feature

“Highlight an Important Post. Make sure friends see this.”

Highlighted posts may appear higher in the news feed, stay visible for longer, and appear to more friends and subscribers. However, they won’t have any visual indicators that will make them stand out (i.e. you won’t know which posts have been paid for, and which haven’t).

Facebook is testing various price points for Highlight, ranging from free to $1 to $2.

How Can Facebook Highlight Lead to Scams?

The Highlight option is a bad idea. It will only lead to more spam, scams and malware on Facebook, and trust me, there is already plenty of it on the social networking site.

Highlighted Posts Are Not Highlighted!

Really? Facebook wants to introduce advertisements into users’ news feeds without identifying them as such? Nothing good can come of this.

Right now Facebook’s algorithm displays your average status update to only 12% of your FB friends. But, by paying a couple of dollars you can ensure that more of your friends see your posts. This seems harmless until you think about the kind of posts people would pay to expose to more users.

People aren’t going to pay to tell their old high school classmates they’re watching the Kardashians, or cleaning dog puke off the carpet. They will, however, pay a nominal fee to advertise their blog or share their affiliate links. Anything where they think they can make their $1 or $2 investment back is fair game.

Now that we have an idea of the kind of posts that will likely be highlighted, let’s consider the fact that these highlighted posts won’t stand out, but instead will blend in with the rest of the posts. Not only is this a shady business practice, but even worse, it will lead to an increase in spam as spammers learn to abuse it – not exactly a great user experience.

The idea that the Highlight feature will only be available to personal accounts, not business pages, doesn’t make the spam argument any less real. The fact is, scammers are already creating fake Facebook profiles to get away with a host of malicious activities on Facebook; ranging from survey scams to more dangerous deeds like spreading malware.

Facebook Charging Scams Galore

There was a well-known Facebook scam going around tricking users into believing that Facebook would start charging. Those that were tricked into “liking” these scammy Facebook pages became targets of spam and other scams by these perpetrators.

Even after Facebook publicly announced they would not charge users to use their service, many still fell victim to the scam. Imagine how much easier it would be to con users if Facebook did start charging to highlight status updates. If implemented, the Highlight feature would open the door for scammers to explore new twists on the old favorite, Facebook Will Start Charging Scam, and also increase their success rate by creating confusion around a known Facebook feature.

What’s Next for Facebook Highlight?

Facebook hasn’t released many details about the Highlight feature. It’s still too early to tell whether it will ever come to fruition, or how it will evolve. However, based on the information we have so far, implementing it will only serve to degrade the user experience on Facebook. Let’s hope this one goes the way of the dodo.

It’s worth noting that Facebook recently implemented a similar feature, which they are calling Promoted posts, for brand pages. However, Facebook has yet to implement the Highlight feature for personal accounts.

What do you think of the Highlight feature? Would you pay to highlight your posts?

Light Point Web 2.0 Released
Posted by Beau Adkins. Categories: Light Point Security Update, Light Point Web, Security, Web Security.

Light Point Security has just released Light Point Web 2.0. The 2.0 release was basically the completion of the scrolling work started in the 1.2 update. Where 1.2 added client-side scrolling, 2.0 provides scroll-caching. Additionally, there were some client-side bug fixes to correct issues with the newest versions of Firefox.

If you are a current user, log in to to download the new installer. Note: you must be outside of Light Point Web to download.

What Is Scroll Caching?

As described in the 1.2 release post, when we added client-side scrolling, the user could now get instant scrolling feedback. The drawback, however, was that the user would simply see white for parts of the page that were just scrolling into view, but that the server had not yet told the client how to draw.

With scroll caching, the client software now sees much more of the webpage than the user can see in the browser. This lets the user instantly see the new parts of the page that are scrolling into view, without having to wait for an update from the server.

This change goes a long way towards making Light Point Web as seamless as can be. However, you may notice that some elements of some webpages behave differently. Some websites contain what are known as “fixed-position elements”. This means that if you scroll the page, these elements stay where they are. For example, the top-bar on Twitter.

Because we scroll the page as if it’s just a solid image, these fixed-position elements get scrolled as well. However, the server will quickly readjust and correct your view. This is similar to how some smartphone and tablet browsers show fixed-position elements.

If you would like to try Light Point Web, you can sign up for a free trial here (no credit card required).

Twitter Now Supports Do Not Track Privacy Feature
Posted by Zuly Gonzalez. Categories: Security, Web Security.

Twitter announced that it now supports the Do Not Track privacy feature in web browsers.

We commend Twitter for taking a step towards protecting their users’ privacy. In contrast to Twitter, other social networking sites collect and share as much of their users’ personal information as they can get their hands on. Some have also been making it increasingly hard for their users to figure out where the privacy controls are and what they mean *cough* Facebook *cough*.

However, it’s not just social networking sites – most major websites track their visitors’ behavior and then sell or provide that information to other companies. Websites, advertisers and others use tracking to learn about your web browsing behavior, including what sites you visit, things you like, dislike and purchase.

What Is Do Not Track?

Do Not Track is a privacy feature introduced by Mozilla and Stanford researchers that users can set in their web browsers. When Do Not Track is enabled, your browser will tell advertising networks and other websites and applications that you want to opt out of tracking. It does this by adding a Do Not Track header (DNT: 1) to every HTTP request your browser sends.

The downside to Do Not Track is that websites are not obligated to honor it. Some websites have agreed to honor it, while other websites have decided not to, and simply ignore the request. Only websites that have agreed to honor the setting will automatically stop tracking your behavior.
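To make the mechanism concrete, here is an added example of my own (not from the post or from Twitter): it parses a constructed request carrying the DNT header and shows the response a site that honors the signal would send next to the response from one that ignores it. The hostnames and cookie name are placeholders; the Tk response header comes from the W3C Tracking Preference Expression specification, which the post does not mention.

```python
def parse_request(raw):
    """Parse the head of a raw HTTP/1.1 request into method, path and a header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def dnt_preference(headers):
    """'opt-out' for 'DNT: 1', 'opt-in' for 'DNT: 0', None when no preference was sent."""
    value = headers.get("dnt")
    if value == "1":
        return "opt-out"
    if value == "0":
        return "opt-in"
    return None


def build_response(request, tracker_id, honors_dnt):
    """Response headers a site would send. honors_dnt models whether the site has
    agreed to respect the signal; nothing forces it to, which is the post's point."""
    preference = dnt_preference(request["headers"])
    tracking = not (honors_dnt and preference == "opt-out")
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/html"]
    if tracking:
        # Persistent identifier the ad network would use to follow the visitor across sites.
        lines.append("Set-Cookie: tracker=%s; Path=/; HttpOnly" % tracker_id)
    # Tk: tracking-status header from the W3C TPE spec. N = not tracking, T = tracking.
    lines.append("Tk: %s" % ("T" if tracking else "N"))
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed request, as a browser with Do Not Track enabled would send it.
DNT_REQUEST = ("GET /widget.js HTTP/1.1\r\nHost: ads.example\r\n"
               "DNT: 1\r\nReferer: https://news.example/story\r\n\r\n")
# Same request from a browser that has not expressed a preference.
PLAIN_REQUEST = "GET /widget.js HTTP/1.1\r\nHost: ads.example\r\n\r\n"


def demo():
    """The opted-out request handled by a site that honors DNT and one that ignores it."""
    req = parse_request(DNT_REQUEST)
    return {
        "honoring": build_response(req, "abc123", honors_dnt=True),
        "ignoring": build_response(req, "abc123", honors_dnt=False),
        "no_preference": build_response(parse_request(PLAIN_REQUEST), "abc123",
                                        honors_dnt=True),
    }


if __name__ == "__main__":
    for label, response in demo().items():
        print(label, "->", response.replace("\r\n", " | "))
```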

The Do Not Track feature is supported by Firefox 5+, Internet Explorer 9+, and Safari 5.1+.

How to Enable Do Not Track in Firefox

Turning on the Do Not Track option in Firefox is easy.

  1. In your Firefox browser click on Tools > Options.
  2. Go to the Privacy tab.
  3. Check “Tell websites I do not want to be tracked” under Tracking.

Do Not Track Firefox Privacy Feature

Why Does Twitter Track My Browsing Activities?

Twitter collects data about what websites you visit in order to tailor personalized suggestions of who to follow based on your interests. It is in Twitter’s interest to encourage you to follow as many interesting people as possible. This keeps you coming back.

In Twitter’s own words:

We determine the people you might enjoy following based on your recent visits to websites in the Twitter ecosystem (sites that have integrated Twitter buttons or widgets). Specifically, our feature works by suggesting people who are frequently followed by other Twitter users that visit the same websites.

How to Disable Twitter Tailored Suggestions

In addition to enabling the Do Not Track feature in your web browser, you can also tell Twitter you do not want to enable Tailored Suggestions on your account. Doing so will also stop Twitter from collecting data about the websites you visit. The difference between the two is that by enabling Do Not Track in your browser you are telling all websites that honor the request to stop tracking you. Disabling the Tailored Suggestions in your Twitter account only stops Twitter from tracking your behavior.

To disable the personalized Tailored Suggestions in your Twitter account, do the following:

  1. Login to Twitter.
  2. Go to the Settings page. You can get to the Settings page by clicking the drop-down arrow located in the Twitter header.
  3. Scroll down to Personalization, and uncheck “Tailor Twitter based on my recent website visits”.

Twitter Personalization Tailored Suggestions

Do Not Track Limitations

The Do Not Track browser setting is a nice feature, and I’d like to see it gain more traction. However, since honoring the request is strictly voluntary, it’s very limited in its effectiveness. As you can see from the official list of companies that honor it, the current list is extremely small.

If you are serious about protecting your privacy you should add other tools to your toolbox. Obviously I’m biased, but I would recommend you try our browser plugin, Light Point Web. With Light Point Web, no website will be able to track you across multiple sessions, because we force it by deleting all tracking cookies. Light Point Web also offers other benefits, like true malware protection. If you are interested, we offer a 30 day free trial, and signing up only takes a few seconds (no credit card required).

What do you think of Twitter’s move to honor the Do Not Track preference? Does it make you trust Twitter more? What other companies would you like to see supporting Do Not Track? Have you enabled Do Not Track in your browser?

How to Botch a Security Vulnerability Discovery – WooThemes Case Study
Posted by Zuly Gonzalez. Categories: Case Study, Security, Web Security.

Yesterday, Jason Gill disclosed a bug in the WooThemes WooFramework that allows any website visitor to run and see the output of any shortcode.

WooThemes is a popular WordPress theme maker that is used by thousands of websites. If you have a website powered by WooThemes, please update to the latest version right away.

“This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php] which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.

It would be trivial to identify common insecure shortcodes and then attempt them against common WooThemes to attempt to run malicious code on the remote server.”

Jason goes on to say:

This is only “half” of the equation. I have already seen numerous hosting accounts compromised via a more malicious form of this attack which I have not published. In fact, finding a number of sites running WooThemes all compromised in the past 4 days via the contents of shortcode-generator/ led me to take a quick look through the code to try to find the attack vector and I found this.

The response from the WooThemes folks to this security vulnerability was less than stellar. This is a case study into the mistakes made by WooThemes during this incident that should hopefully serve as a model for what not to do.

WooThemes Case Study

Mistake #1: Not providing a clear way to be contacted

After Jason disclosed this security vulnerability many people chastised him for doing so publicly, instead of privately contacting WooThemes. And while I agree with those sentiments, Jason points out that he searched for a security notice email address and didn’t find one. He added, “Even as a paying customer the only way to get support is via their public forum.”

In all fairness to WooThemes, I found this post providing customers with the and email addresses. They also seem to be very responsive via their Twitter account. So, although maybe not ideal forms of reporting a security vulnerability, there were ways to contact them privately to at least initiate the discussion. Now, I don’t know if Jason attempted these options first, and simply received no response.

In any event, the point is that although the above support email addresses are available, WooThemes must not have presented them in a way that a person smart enough to discover a security vulnerability could find. This should have been clearly spelled out on their website.

Mistake #2: Quietly releasing a patch to a security vulnerability

This is by far the most egregious mistake. According to the WooThemes folks, they had already fixed the bug and released an update by the time Jason publicly disclosed it.

However, it appears that they neglected to announce this new update to their customers, which meant that many of them continued to use the vulnerable version. I found no mention of the update or details about the security vulnerability on the WooThemes blog. And they apparently neglected to alert their customers via email as well.

What’s the point of patching a security bug if you don’t inform your customers? If they are unaware of the need to update they are unlikely to do so. That helps no one.

Jason points to a single tweet made at 5:30am by WooThemes as the only announcement made to customers about the need to update. “We found a minor vulnerability in the WooFramework, which we’ve just fixed. Please update to the latest version ASAP!” However, that tweet pre-dates the date WooThemes claims the patch for this security bug was released. So, it’s highly unlikely that tweet was related to this security patch.


I don’t know why they neglected to inform customers about this. Maybe it was a simple oversight. Maybe it was intentional in the hopes that no one would notice. I don’t know. But the reason doesn’t really matter. What matters is that it happened, and the impression it gives current and potential customers about their security practices.

Mistake #3: Relying on their broken auto-updater

There’s no excuse for not alerting their existing customers of this security patch. However, their excuse seems to be that they rely on their auto-updater to push the updates to their customers. This is a flawed idea.

First of all, this requires their customers to 1) happen to log in to WordPress, and 2) care enough to install the update right away. This puts all the burden on their customers. This procedure may be fine for non-security related updates, but for critical security patches a business needs to be more proactive.

In fairness, usually it is the end user’s responsibility to install software updates. However, reputable businesses will inform their customers, as well as the general public, when a security update is released, what security issue it is fixing, and the severity of the vulnerability.

If people are unaware what the update is for, there is no urgency. Software updates sometimes break existing functionality. Therefore, unless it’s security related, there are those that don’t install updates right away.

“Additionally, even if the issue is patched, my link above still works – which means that the patch clearly isn’t working or hasn’t been applied to WooThemes own servers.”

Secondly, it just so happened that their auto-updater was broken during this time, and was not properly pushing out the updates. So, even if you did log in to WordPress (and usually install non-critical updates in a timely fashion) you would not have seen this update available.

The Perfect Storm

All of these mistakes combined, plus the fact that WooThemes’ servers have been under a DDoS attack for over twelve hours now is making for a very unpleasant time for the WooThemes folks.

The good news is that this has surely been such a trying time for them that they are unlikely to repeat these mistakes again. That means:

  1. Having a clear way for people to privately report security vulnerabilities.
  2. Promptly informing their customers when a security patch is available.
  3. Ensuring their updates are available to all customers.

Jason sums it up well:

The moral of this story is: WooThemes is a great company and makes a great product, but they have grown to the point where security needs to be a real concern. A proper channel to alert them of these issues, along with prompt and honest email notifications of updates to their customers (free and paid), and a publicly-accessible security/updates site (a la RedHat’s RHSA system) are all long overdue. This isn’t just a jab at WooThemes either – a review of almost any paid or free theme will surely come up with many issues like this.

What security lessons have you learned from your mistakes?

Verizon Phishing Scam Email Alert
Posted by Zuly Gonzalez. Categories: Security, Web Security

I came across a Verizon email warning customers about phishing scams, and decided to share it. I found it interesting since a lot of companies don’t take such proactive measures to warn their customers of the dangers of online scams. Most of the time these emails are sent after the fact – after a company is aware of an ongoing phishing scam. So here’s an attaboy to Verizon!

Below is the Verizon email, in its entirety.

Dear Verizon Customer:

At Verizon, we want to help you increase your awareness and safety online. We’re sending you and other customers this reminder about preventing your data from falling prey to phishing scams.

Simply being aware that phishing schemes may pop up at any time in your email inbox is probably the best way to avoid falling victim to them. Phishing scams involve an official-looking email, supposedly sent by a bank or other company you do business with, often claiming to alert you to a problem with your payment or financial account. The email may ask you to provide critical account information by replying to the email or clicking on embedded Web links which will take you to a Web site that may appear legitimate, but is actually a malicious Web site set up to steal your information.

Spotting a phishing email or a bogus Web site is not always easy. Sometimes, it contains obvious spelling or grammatical errors. In other cases, the errors are harder to spot and there are no visible signs of foul play.

Here is a recent example of a phishing attack:

Verizon Phishing Scam Example

To avoid getting hooked by such bogus emails, here are some tips to help safeguard your personal information:

  • Do not open suspicious emails. Look for misspellings, awkward requests or inconsistent grammar.
  • A Web site link included in an email can make getting to a Web site easy, but it can also be used to send you to a malicious Web site.
  • If you have doubts about the authenticity of an email, do not click on any links in the email – instead, type the Web site or Web page address into the ‘address bar’ of your browser.
  • Never type sensitive personal information, such as social security and/or driver license numbers or account numbers and/or passwords, in a reply email.
  • Use spam filters to block suspicious emails.
  • Use anti-virus and anti-malware software to automatically detect and eliminate malicious software.
  • The best practice when you find a phishing email is to either immediately delete it or report it to the company or organization being impersonated. Like Verizon’s mailbox, many companies have set up an ‘abuse’ or ‘security’ mailbox to receive those reports and provide customer assistance.

Finally, in order to provide you with additional confidence in Verizon alert messages going forward, Verizon will be removing live ‘clickable’ links from any alert messages we send you regarding payment processing problems or credit card and/or bank account issues. You can continue to access and make changes to your account any time of the day or night at

Thank you for choosing Verizon.



How to Browse the Web Safe From Viruses for Free
Posted by Beau Adkins. Categories: Computer Security, Light Point Web, Resources, Security, Web Security

Today, I’m going to walk you through the process of being able to browse the web in complete safety. The title of this post explicitly mentions “viruses”, but I’m using this as a more well-known moniker for the term “malware”. Malware is a more generic term which encompasses viruses, spyware, trojans, etc.

What I mean by “complete safety”, is that you do not have to worry about malware infecting your computer. It does not mean you are safe from being tricked into giving your banking passwords to a site that is only pretending to be your bank.

Step 1. Set up VirtualBox

The method I will be describing in this post relies on Virtual Machines for security. Think of a virtual machine as a fake computer inside your real computer. By using a virtual machine, you can perform tasks on a computer in a way that is completely isolated from your real computer. With this, you can browse the web inside the virtual machine, so that if you stumble on some malware, only the virtual machine will be infected. The virtual machine management software will also allow you to rollback all changes made to a virtual machine to a known state. Using these abilities correctly will allow you to browse in safety.

The first step is to install a virtual machine management software package, also known as a “hypervisor”. There are many different options for this, but I’m going to recommend VirtualBox. You can download and execute the installer from here. Just click the “VirtualBox x.x.x for Windows hosts” link (assuming you are using Windows). Once it is downloaded, just run the installer.

Step 2. Download Your Guest OS

Next, you will need an Operating System to use inside the Virtual Machine. You could install Windows as the Operating System, but you would need to buy a license. For a free alternative, I suggest installing Ubuntu. Ubuntu is a Linux-based Operating System. It is very high quality, and completely free.

When you download Ubuntu, you do not get an installer. Instead you get an “ISO” file. An ISO file is a bit-for-bit copy of a CD that you would use to install it on another computer. It’s a rather large file. To start the download, go here and choose your version (either is fine). You need to remember where you download this file to.

Step 3. Set up Your Virtual Machine

Now that you have VirtualBox installed and an OS ISO file ready, you can create your first Virtual Machine. Start up VirtualBox (you probably have a shortcut on your desktop). Click the button at the top labeled “New”. Give your Virtual Machine a name, for example, “Browsing Machine”. Choose “Linux” as the Operating System, and the Version as “Ubuntu”.

Next, you need to select how much RAM to give this Virtual Machine. I would recommend 1 Gig at the least. Enter “1024” in the box labeled “MB”. This means 1024 Megabytes, which is equal to 1 Gigabyte. Note: you need to have more RAM than this on your computer. If you do not have more than a Gig of RAM on your computer, then unfortunately, you probably do not meet the system requirements to use virtual machines.

On the next screen, leave the default options (“Boot Hard Disk”, and “Create new hard disk”). Continue on to the “Hard Disk Storage Type” screen. Leave the default option of “Dynamically expanding storage”. On the next screen, leave the defaults in place and continue on.

Once you get through all the options mentioned above, you will be returned to the main VirtualBox screen, but now you will see a new entry for your Virtual Machine in the pane on the left. Click on it to select it, and then click the “Settings” button at the top. In the settings dialog, select “Storage” in the left hand pane.

VirtualBox Settings Highlighted

In the center of the screen, click on the disk image labeled “Empty” under the “IDE Controller” entry. Next, on the right of the screen, click the disk icon next to the “CD/DVD Drive: IDE Secondary Master” entry, and in the popup, select “Choose a virtual CD/DVD disk file”. A file select dialog will appear. In this dialog, select the ISO file you downloaded in Step 2. Now click the “OK” button at the bottom of the settings dialog.

You are now back to the main VirtualBox screen again. You can now click the “Start” button at the top, to start your virtual machine. At this point a blank Virtual Machine will start, and it will begin the install process for your downloaded OS. It will ask you a lot of setup questions that I will not walk-through here.

When the Ubuntu setup process is finished it will tell you to eject the CD from the drive before continuing. Because this is a virtual machine attached to an ISO file, this is not possible. Ignore this, and keep going. You will see the virtual machine shut down, and then start up again. Once it has begun starting again, click the “X” at the top right of the Virtual Machine’s window to close it. It will ask you how you want to close it. Choose “Power off the machine” and click “OK”. The virtual machine is now shut down.

VirtualBox Settings With ISO Mounted and Highlighted

Now that the virtual machine is off, we need to detach the ISO image we set previously. Return to the settings screen, and on the left, select “Storage” as you had done previously. Next select the entry below the “IDE Controller” in the center. Finally, on the right, click the disk icon next to “CD/DVD Drive: IDE Secondary Master” and choose “Remove disk from virtual drive”. Finally, click “OK” at the bottom of the settings screen.

Step 4. Create a Restore Point

At this point, your Virtual Machine is a totally fresh install. You may want to take a moment to get the Virtual Machine customized to your liking. After you have done so, you should make a restore point, also called a “snapshot”. VirtualBox can use a snapshot to restore your virtual machine to a known state. For example, if you stumble upon an infected website, your virtual machine can become infected as well. But, you can then revert your virtual machine to its state from before the infection. It is like it never happened.

First, start your virtual machine using the “Start” button at the top of the VirtualBox window. Once your Virtual Machine starts, take a moment to do any one time customizations, such as installing a browser of your choice, upgrading software, etc. Once you are finished, shut the machine back down.

Back on the main VirtualBox window, on the upper right hand side of the screen, you will see an icon that looks like a camera, labeled “Snapshots”. Click this button to show the snapshots. You will see an entry labeled “Current State”. Just above it is another camera icon. Click it to take a snapshot. A dialog will appear that will ask for a name and description of this snapshot. Enter something meaningful to you, so you know what you have changed. Click “OK” to take the snapshot.

Once the snapshot is taken, you will see an entry with the name you chose for the snapshot, with a “Current State” entry below it. You now have your restore point.

Step 5. Browse the Web

You can now start your Virtual Machine and use it to browse the web whenever you want. The websites you visit in the virtual machine are isolated and separated from your actual computer. You may have some problems downloading files or printing things from within the virtual machine, so some tasks may have to be done on your real computer.

Step 6. Restore Your Snap Shot

Whenever you are done browsing, you should shut down the virtual machine and restore it to the snapshot created in step 4. The easiest way to do this is to simply click the “X” in the top right of the Virtual Machine to close the window. It will ask you how you want to close it. Choose “Power off the machine”, and check the box labeled “Restore current snapshot…”. This will turn off the Virtual Machine, and throw away all the changes you made since the snapshot was created.
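The same six-step procedure can be driven from the command line with VirtualBox’s VBoxManage tool, which is handy once you want the “throw away everything since the snapshot” step to be a single command. This is an added example, not code from the post; the VM name, disk path and ISO path are placeholders you pass in, and setting VBOXMANAGE=echo prints the commands instead of running them so you can review them first.

```shell
#!/bin/sh
# Added example: the VirtualBox steps from this post, scripted with VBoxManage.
# Not part of the original post. Run with VBOXMANAGE=echo for a dry run.
set -e
VBOXMANAGE="${VBOXMANAGE:-VBoxManage}"
CTL="IDE Controller"   # controller name matching the Storage pane in the GUI

# Step 3: create the VM (Linux/Ubuntu, 1024 MB RAM) with a dynamically
# expanding 20 GB disk attached as IDE Primary Master (port 0, device 0).
vm_create() {
    vm="$1"; disk="$2"
    "$VBOXMANAGE" createvm --name "$vm" --ostype Ubuntu_64 --register
    "$VBOXMANAGE" modifyvm "$vm" --memory 1024
    "$VBOXMANAGE" createmedium disk --filename "$disk" --size 20480 --format VDI
    "$VBOXMANAGE" storagectl "$vm" --name "$CTL" --add ide
    "$VBOXMANAGE" storageattach "$vm" --storagectl "$CTL" --port 0 --device 0 \
        --type hdd --medium "$disk"
}

# Step 3: mount the installer ISO as IDE Secondary Master (port 1, device 0).
vm_attach_iso() {
    "$VBOXMANAGE" storageattach "$1" --storagectl "$CTL" --port 1 --device 0 \
        --type dvddrive --medium "$2"
}

# After the install finishes: "Remove disk from virtual drive".
vm_detach_iso() {
    "$VBOXMANAGE" storageattach "$1" --storagectl "$CTL" --port 1 --device 0 \
        --type dvddrive --medium emptydrive
}

# Step 4: take the restore point (run while the VM is powered off).
vm_snapshot() {
    "$VBOXMANAGE" snapshot "$1" take "$2" --description "clean browsing image"
}

# Step 6: power off (ignored if already off) and discard every change made
# since the most recent snapshot, including anything malware dropped.
vm_reset() {
    "$VBOXMANAGE" controlvm "$1" poweroff || true
    "$VBOXMANAGE" snapshot "$1" restorecurrent
}

case "${1:-}" in
    setup) vm_create "$2" "$3"; vm_attach_iso "$2" "$4" ;;
    detach) vm_detach_iso "$2" ;;
    snapshot) vm_snapshot "$2" "$3" ;;
    reset) vm_reset "$2" ;;
    *) echo "usage: $0 setup VM DISK.vdi UBUNTU.iso | detach VM | snapshot VM NAME | reset VM" ;;
esac
```

Running `reset` after every browsing session gives the same result as ticking “Restore current snapshot…” in the power-off dialog.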

Drawbacks of Using This Method

While this is an effective way to browse the web safely, it is not entirely painless. First off, using a virtual machine takes an enormous amount of resources. While the Virtual Machine is on, it will consume a large amount of memory, and maybe a lot of processing power.

Additionally, it can be frustrating to have your changes wiped out all the time. For example, if you add a bookmark to your browser, it will be lost when you revert.

It can also be annoying that it takes so much time to start the virtual machine. If you want to browse the web right now, waiting a minute or two for a virtual machine to start is painful.

Another Option

The method described above is basically the technology behind Light Point Web, except we do our best to shield you from the downsides just mentioned.

For example, we run the virtual machine on our computers, so your computer is not bogged down with it. We also integrate into your existing browser, so you are not prevented from changing settings in your browser or saving bookmarks.

Finally, our Virtual Machines are always running, so you do not need to wait for one to start when you are ready to browse.

If you are concerned about browser security, give this method a try. It is free, but it does take some time and effort. If you would rather someone else handle the work and headaches, give Light Point Web a try. We offer a free trial, so what do you have to lose?