Please allow me to share with you some of that experience in terms of what you should do should you find your site is hacked.

First, backup your site.  Even though the site is hacked, you want to have a backup should you have to undo any of the clean up steps, and have a fresh start at cleaning up.

If your site is based on WordPress, Joomla, Drupla, or any other database-driven method, be sure to include a backup of the database as well as the files in your HTML directory structure.

Second, If any of the hacked areas include defaces or other visible clues (or even in your face writings), then take screen shots of those areas.  Basically, you want to document what you know about your site being hacked.

Third, contact your hosting provider technical support giving them as much information as you know along with any screen shots and notes you’ve taken to date.

If your hosting provider cares about you as a person, and cares about your site, they will do what they can to help you clean up from the hack(s) on your site.  Depending on how quickly they are told, they might be able to review server log files to identify how the hacker(s) gained access and when such access was gained.

Some hosting providers do have the right to charge for clean up per their terms of service; prior to asking them to do any work, ask them if their help in the case you are facing will be done freely.  If yes, move forward; if not, then find out the charges involved and make a decision as to how much you need their help.

In any event, you should still notify your hosting provider so they know you know; AND, that the intent is to clean up the site as quickly as possible.

The main reason you want this notification (even if you are going to clean up the site yourself, or use another party) to the hosting provider is to ease any effort the hosting provider might make against you if they receive pressure to shut down your site.

Fourth, if you are unsure of how long the cleanup will take, put your site in maintenance mode so your site is not infecting others (or has less of a chance to infect others).

Fifth, scan any device (mobile, PC, etc.) you or any authorized person who has access to the site for virus AND malware / spyware.  Anti-virus software will often not find any malware, and anti-malware software will often not find any virus.  You need to run two different scans — one for viruses using an anti-virus program; and another for malware using an anti-malware program.

I recommend NOD32 for anti-virus and malwarebytes.org for anti-malware.

Sixth, change your passwords — FTP, SSH, control panel, WordPress, etc. 

Read Revealing the secret of creating secure passwords that are easy to remember and hard for hackers to crack if you want to learn about using pass phrases as a means to create relatively secure passwords. 

Seventh, now you are ready to go through your site and database (if database driven) to find and remove the hacks / defacement.

FTP / SFTP to the site and grab the .htaccess file along with all php and html to start the review.

While there, make sure the .htaccess file and .php files are chmod 644 (most FTP clients allow you to see / set permissions. 644 = _rw_r__r__ where r=read and w=write).

If you see any file with 777 — _rwxrwxrwx (the preceding _ will be a “d” for directories), then note the file name and that file will have a higher priority for being checked for hacks / malware.

Review the .htaccess file (it is a text file) for any redirects that should not be present; it there are redirects, check if the redirect is local (i.e. on the same server your site is on) or external (pointing to a site off the server).

If internal, then the directory and files that the redirect is pointing to need to be reviewed.

i.e. you might see a redirect like “includes/ice/ice.js” and then go to the includes/ice directory and see a number of .php and .htm[l] files present you didn’t put there (but the hacker did). Then that entire directory tree can be backed up (play safe), and deleted.

Then check for all files you grabbed for (in the above example) stuff like

Or you might see in the HTML a php encode base 64 statement…

Now, based on what you see, clean up might be as (relatively speaking) editing the various files to remove what was injected.

Lastly, once the site is backup and running clean (no more hacks, malware, defacement present), then (if you are running WordPress) review http://codex.wordpress.org/Hardening_WordPress and http://blog.softlayer.com/2012/tips-and-tricks-how-to-secure-wordpress/ to see what additional security you can put into place for your site.

If you are running WordPress, two of the better plugins we’ve found for security are Better WP Security and WordFence Security.

Now, you might find yourself on the find malware, hacks, defacement step and be lost.  If that’s the case, you might want to reconsider either having your hosting provider get involved in the clean up, or contracting a person or firm to do the clean up for you.

If it comes down to getting outside help, while you are free to try to find the cheapest person or firm to hire, I would recommend choosing integrity over price; you want someone who is going to do their best for you, rather than trying to beat a clock to make your pocket book feel better… with the cheapest choice, you often get what you paid for — and the site clean up make make things worse off.

Contact us if you have any questions.

What does it really mean when a data center provider states they offer managed servers?

Most of the time, especially when the statement is coming from a company that owns multiple data centers, “managed servers” means the servers are managed when you ask for management within the limits of their terms of service.

Business owners and managers may be in for a rude awakening when they find out their server or sites on their server have been hacked; then when they ask their provider about it, find out that hardening the server was not included, or they only did an initial server hardening but no follow up to keep the server hardened.

Server management falls into two categories:  proactive and reactive.

If you want peace of mind for your hosting experience, you want proactive management.

If you are not sure what your proactively manages or does not manage, ask them. 

Ask them what they proactively do at what frequency through what period of time.  Get specific with questions such as when is a server hardened?  How often are operating system updates checked and applied?  How often are logs reviewed?  What are your procedures for notifying me if I have a near full hard drive partition?  If you notice one of my sites being aggressively attacked?  If you see an error from one of my sites in an error log? … and so on.

Dynamic Net, Inc. is a full managed hosting provider of proactive managed dedicated servers, proactive managed vps servers, proactive managed shared hosting, and proactive managed reseller hosting.

Contact us if you have questions on our proactive managed hosting services.

Over the years, we’ve helped various business owners and managers to become PCI Compliant.

To those who have not gone through the PCI Compliance process, the road to having their first PCI Compliance certificate can look long, hard, and daunting.

This article is meant to take away the sting, especially for first time business owners and managers, by revealing the process of becoming PCI Compliant.

Like many things in life, gaining PCI Compliance and keeping it is a process.  Let me first cover some common questions and definitions; and then we’ll get into the heart of the matter.

What is PCI?

What does it mean to be PCI Compliant?

What if I  have online forms or an online cart that uses a third-party processor like Authorize.net, Paypal.com, Verisign Payflow Pro, Google Wallet, or the like?  If my credit card processor is already PCI Compliant, don’t I inherit their compliance?

What are the steps an owner of a web site goes through to become PCI compliant?

1. Determine your merchant level.
2. Determine your validation type.
3. Complete and report an attestation of compliance and self assessment questionnaire (SAQ) annually.
4. Complete and report results of all external vulnerability assessment scans (all public facing IP addresses used to process, view, or handle credit card data require scans) performed by an approved scan vendor (ASV) quarterly.
5. Create and update an information security policy annually.

What is a merchant level?

The merchant level is based on transaction volume for the organization.

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of a merchant’s Visa transactions (inclusive of credit, debit and prepaid).

What is a validation type?

The Payment Card Industry classifies level four merchants into five different validation types. The following chart from the Payment Card Industry website gives an explanation of the levels:

Source: https://www.pcisecuritystandards.org/merchants/self_assessment_form.php

What questions can I expect to be asked on the self assessment questionnaire (SAQ)?

While the exact questions or wording of the questions may vary from assessor to assessor, the following are the types of questions you can expect to be asked:

• What is the approximate number of credit card transactions you process per calendar year (this goes towards merchant level)?
• What is the legal business name of the credit card processing company you are using? (i.e. authorize.net)  If you are using several, you will be asked to list each one.
• What is the legal business name of your Web hosting provider?
• What is the name of the shopping cart you are using?
• What is the legal business name of the data center where your servers are rented or co-located?
• If you are using point of sale terminals, who is the legal business name of the manufacturer?  What is the make and model number?
• If you are using a payment application what is the legal business name of the payment application vendor?   What is the name of their software?  What version of the software are you using?

What is a PCI Compliance scan?

What is an information security policy?

By now, you might be feeling overwhelmed; and, you might be thinking, does it have to be this hard?

The process of getting and keeping PCI Compliance can be overwhelming IF you try to eat it in one bite; break down the process into easier to eat bites, and it is not that difficult.

PCI Compliance is a dance between multiple dancing partners.  Let’s start breaking down the process by looking at each party, and who is responsible for what steps.

Here are the parties and pieces involved in the dance:

• The merchant — you.
• The hosting provider.
• The ecommerce application (i.e. shopping cart) being used.
• The payment gateway (i.e. authorize.net) being used.
• Your web site in terms of any forms and other applications you have installed on the site.
• The approved scanning vendor.
• Your bank.
• Potentially, a PCI Compliance company that acts as a holding company for information on your compliance (i.e. Trustwave does this for a number of banks where you can upload various security documents attesting to your PCI Compliance).

Let’s look at this dance from multiple angles based on your potential partners.

Best Practice – Each PCI Compliance dance partner fits the PCI Compliance theme and individually a strong entity

You are still you, the merchant.  In your office or home office set up, you are using best practices for security for your network / wireless network along with best practices for how you maintain customer information including any credit card information.  This includes, but is not limited to having a firewall, anti-virus which is kept up to date, anti-malware which is kept up to date, a shredder, and pc’s with strong passwords with zero paper trail as to passwords.

Your site is being hosted with a managed hosting provider like Dynamic Net, Inc. who is also PCI Compliant; and understands the ins and outs of PCI Compliance.

You are using a PCI compliant, PCI-DSS certified shopping cart like ShopSite or Prestashop.

You are using a PCI compliant payment processor like authorize.net

Your web site applications such as WordPress, Drupal, and Joomla are up to date including any themes and plugins.

You are using SSL with a secure certificate (digital ID); and any form the public can interact with is forced to use SSL (https).

You are using an authorized scanning vendor such as SecurityMetrics.com or Trustwave.

In the above dance, the very first PCI Compliance scan from your authorized scanning vendor (ASV) should be clean — you are on your way to PCI Compliance; just file the online forms as provided by the ASV with your financial institution or PCI Compliance holding company partner.  In the worse case, you may need a second scan due to the ASV IP addresses needing to be white listed or a configuration change on the ASV end.

The key for becoming PCI compliant quickly involves making sure each partner in the PCI Compliance dance fits. Weak dance partners typically mean the PCI Compliance dance (process) takes longer, and in some cases outright fails.

Contact us for more information.

The hard part when it comes to choosing a hosting provider when you have approximately 32,000 hosting providers in the United States alone tied to various groups saying, I’m using so and so for web hosting is commonly falling into the lull of not reading the fine print, not taking the time to do one’s homework.

You might be a member of the LinkedIn WordPress group or a similar business or hobby group; and ten or more people share to go with so and so provider; they’ve been with them for x period of time, and they are happy.

You check out so and so providers site, it looks clean, and they advertise so much disk space and bandwidth… wow, you are really going to get your money’s worth… so you think.

Your site starts off small, and everything appears to be working well.  You might even join the band wagon sharing with others, use my host; look at all I’m getting for just $ per month.

Now for some house keeping… almost all businesses fall into one of two categories for how they choose to compete against others in their field of business.

The majority of the hosting providers in the world compete on price.  And that way of competing involves a number of dirty little secrets.

One of the dirty little secrets you may never run into if your site stays small — small in traffic usage, small in CPU usage, small in disk usage, and so on.

If your site does grow, you may find yourself in a bind with the provider for whom you thought you were getting so much value for the dollar just looking at all of the resources they advertise for such a cheap price.

Yet, as your site grows you are most likely going to face problems you would not have thought about in advance.

inode limit – WOW, I thought I had so much available disk space.

Cheap hosting providers, to keep their costs low, will place limits on the number of inodes they allow per hosting plan.

Value hosting providers such as Dynamic Net, Inc. provide unlimited inodes.

CPU limit, RAM limit, process limit — what happened to my online store?  Why are my online sales down?

On March 7, 2012 there was a post in web hosting discussion forum about a popular, cheap hosting provider titled, Issues with ____________ Throttling? (hosting provider name removed to respect their privacy).

Cheap hosting providers, to keep their costs low, will use either home grown operating systems and tools or operating systems like CloudLinux to severely limit the amount of CPU, RAM, and processes available to a site.

Value providers such as Dynamic Net, who do use CloudLinux, will have limits high enough to allow any normal site usage including being on the home shopping club and various TV shows like QVC; and what limits are in place are high enough ceilings to catch only misuse.

If you were hunting for physical office space, a home, an apartment, etc. you would want to see the place, look at the neighborhood, check out the surrounding businesses.  You would carefully review any lease or rental agreement.  You would leave very little (if anything) to chance.

Why not take a more serious, proactive approach to your hosting needs?

While you may not be in a position to visit a facility or the office of the provider (not all providers own the data center where the equipment is located), you could call or email; and dig deep with questions that go beyond what’s advertised as being a part of a particular hosting plan.

The bottom line is will the hosting provider allow you to grow your business easily without ever holding you hostage?  Will they be there for you over the years whether your business is growing, or sad to say down sizing?

Contact us if you have any questions about our managed hosting services.  We compete on value because we know you and others like you matter far more as human beings than wanting to be the cheapest or among the cheapest provider around.

Three external libraries included in WordPress received security updates:

• Plupload (version 1.5.4), which WordPress uses for uploading media.
• SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
• SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

Thanks to Neal Poole and Nathan Partlan for responsibly disclosing the bugs in Plupload and SWFUpload, and Szymon Gruszecki for a separate bug in SWFUpload.

WordPress 3.3.2 also addresses:

• Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances, disclosed by Jon Cave of our WordPress core security team, and Adam Backstrom.
• Cross-site scripting vulnerability when making URLs clickable, by Jon Cave.
• Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs. Thanks to Mauro Gentile for responsibly disclosing these issues to the security team.

These issues were fixed by the WordPress core security team. Five other bugs were also fixed in version 3.3.2. Consult the change log for more details.

Download WordPress 3.3.2 or update now from the Dashboard → Updates menu in your site’s admin area.

In the “new normal” economic climate, our customers often seek to the best ways to be frugal, getting the absolute most value for any time or money invested.

Let me share with you some steps you can take on a shoestring budget that will increase the exposure you get on your web site over time.

First – Blog on a consistent basis.

Write about subjects for which you have passion, a level of experience, and tie into the goals of your web site.

If you are using WordPress, I recommend the AuthorSure plugin which helps you take advantage of how Google ranks verified authors.

The more you publish, the more you are tied to what you publish (by appropriately using rel=author, rel=publisher, and so on), your web site, your articles, and your blog will gain in popularly over time.

I strongly recommend the WordPress Editorial Calendar plugin to make it easier for you to create an editorial calendar to help you keep an appropriate blogging pace (consistency over time matters more than trying to do it all at once).

Second – Tweet what you blog

Once you are happy with what you’ve blogged, then tweet about it including a link to the blog article.

Make sure that you use appropriate twitter hashtags to make it easy for what you tweet to be found. 

Prior to using a hashtag, I recommend you search on the hashtag to see if your article will be a fit.  You can use multiple hashtags with each tweet.  However, do be careful not to overuse hashtags; typically one to three is enough.

Third – Facebook what you blog

If you are wearing multiple hats as an owner or employee of a small to medium business, then take advantage of easily publishing from your blog to FaceBook using RSS Graffiti.

Once you set it up, you walk away knowing that as you publish your blogging articles, RSS Graffiti is automatically publishing those articles on the Facebook page(s).

Fourth – Google+ what you blog

If you find an way to automate publishing your blog to Google+, especially a WordPress blog, please let me know.  For now, post about your blog article on your personal and company Google+ pages.

Fifth – Post about what you blog in an appropriate LinkedIn group and other forums for which you consistently participate

Consistency matters always without exceptions is one of the phrases and practices we shared with our daughter and other family members.  It applies to all areas of life.

Find groups on LinkedIn and elsewhere where you can actively participate with on a consistent basis.  Consistency and the quality of your participation matters more than the quantity (volume) of groups or forums.

Share what you blog about with the group(s) and forums being careful to avoid turning a given post into a blatant advertisement.

Over the years, I’ve found the more often you do your best to serve and help people, over time those same people will come to respect you, trust you, and seek to do business with you as they are able.  Focus on being a servant, and being helpful.

Lastly, almost all forums — and do this as well for your emails — allow you to have a signature line; while the number of lines you can use vary, the average tends to be around four to five lines. 

Use those lines wisely including a link to your website and blog.

Take the above steps, consistently, within a frequency where you can be consistent in your quality, and over time your web site exposure will increase as well as your search engine rankings.

Contact us if you have any questions.

One way to increase your blogging audience is to publish the articles you write on your blog to your Facebook fan page(s) or personal page.

Let me share with you one of the ways you can publish your WordPress blog articles to Facebook without the need for a WordPress plugin, or setting up a Facebook application.  In a future blog article, I will cover If This Then That as another alternative to publishing your blog articles on Facebook.

RSS Graffiti makes it easy to share your blog posts, Twitter updates, YouTube videos and other social activity with your friends and fans on Facebook. You can use RSS Graffiti with any website or social application that has an RSS/Atom feed.

To add the RSS Graffiti application to Facebook, browse https://apps.facebook.com/rssgraffiti/

You can easily add various sources to publish to your Facebook fan pages or your personal Facebook page.

Below is a live, as of March 29, 2012, example of two publishing plans — one for our company Facebook fan page, and the other for my personal Facebook page.  You are allowed to set up a number of feed sources; the RSS Graffiti 2.0 beta includes the ability to pull posts from twitter users as well as twitter hash tags.

RSS Graffiti 2.0 Beta overview page

First, if you don’t have one already, create a publishing plan.

RSS graffiti 2.0 Beta Publishing plan settings

Next, adjust your target by left clicking on the target link.

RSS graffiti 2.0 Beta Target Settings basic tab

You can chose to target a specific fan page, or your personal page; and whether you are posting on behalf of a specific fan page or from your personal page.

You can decide from three different methods of posting from Standard (the default) to Compact to Status Updates (with or without a link).  As you select each one, the preview on the bottom changes to reflect what a post might look like when published.  Personally, I find the “Standard” (default) works best.

Once you have your target set up, then add a source.

RSS graffiti 2.0 Beta -- add new source

Here is an example of a fully set up source for publishing our WordPress blog to our Facebook fan page:

RSS Graffiti 2.0 Beta Source Settings basic tab area

Did you catch how the feed URL of http://www.dynamicnet.net/feed/ can be transformed to http://www.dynamicnet.net/blog/ ?

Where I find this feature most useful is if you have a feed URL like http://feeds.feedburner.com/illbehonest-global-site-updates and you would rather direct visitors who click on the source URL (web page) to go to http://www.youtube.com/user/illbehonest instead.

In the source settings advanced tab, you can adjust the formatting of the message, as well as pick the start date for publishing (right now the label is cut off date; but the actual functionality is start date).

RSS graffiti 2.0 Beta Source settings advanced tab area

Try experimenting with different formatting; I’ve found the “Same as the Item’s Title” to be helpful; you might have a different experience.

Once you have a source to target set up, and turned on, try it out by creating some blog articles — live or test ones you later delete.

If you are one of our managed hosting customers, and have questions about connecting your WordPress blog you host with us to one of your Facebook fan pages or your personal Facebook page, contact our customer support department for free help.

My grandmother died when I was in my thirties.  Well over twenty years of hearing her state she was going to die soon numbed me to the reality that she would die when Jesus called her until the reality hit, she died.

Those of us who work with IP addresses daily have heard about IPv4 addresses running out for well over a decade.  You soon start to think, the IPv4 shortage isn’t as bad as it is made out to be… until reality hits.

Before I write anything further, since most of you don’t work day to day with IPv4 addresses, let me go over some things.

Last February, ARIN announced that IANA has handed out their last /8′s (16 million) of IPv4 addresses.

When that happened, stricter rules went into effect for those doing business with ARIN.

ARIN now requires parties asking for additional IPv4 addresses to prove they, and their customers, are efficiently using at least 80% of their existing IP address.

In the past, Data centers and ISP’s would order a projected years worth of new IP address at a time.   Since February of last year, they are only able to order a three month supply.

Each time they ask for more IP addresses, they have to bring with them a stack of paperwork showing that previous allocations are being efficiently used; audits are involved.  Larger data centers and ISP’s are being forced to hire additional staff just to deal with the paperwork and audit requirements.

What counts as efficient use of a dedicated IP address does vary, but more and more the variance is tightening as the world gets closer to having no more unused IPv4 addresses. 

Currently, the largest data centers and ISP’s consider the only valid use of a dedicated IP address in a web hosting environment to be for a digital ID also known as a secure certificate.

Some providers, like Rackspace.com, actually require customers to have an active (non expired) secure certificate on hand for them to release a dedicated IP address to the customer.  Other providers, like SoftLayer.com, will take the time to do an audit with you to see if there’s any way to make use of previously acquired IPv4 addresses.

Does does this impact hosting providers?

Typically, the hosting provider does not have their own data center; they rely on co-location or renting servers from data centers and ISP’s.   The hosting provider receives the IP addresses they need for their customers from the same place they have their servers (some who co-locate have large enough IP address banks that they can deal directly with ARIN).

More and more when a hosting provider now goes to their data center / ISP for new IP addresses, just as the data center / ISP has to go through an audit to prove efficient use of IP addresses, so does the hosting provider.

What about the owner of a hosting site?  How does the IP shortage impact the average consumer of hosting?

Prior to the growing IP crunch, it was ok for any site to have a dedicated IP address for whatever reason. Some of the reasons used in the past are as follows (along with a “–” note as to why those reasons are no longer valid):

The average site owner should not be impacted for some time.  Hosting consumers who currently have a dedicated IP address they are not using efficiently, may — when push comes to shove — be asked to give up the IP address for someone who does have a valid use for one.

What can you do now to  help with the shortage of IPv4 addresses?

Check if you are on a shared IP address or if you are using a dedicated IP address; you can ask your hosting provider if you are not sure where to look for this information.

If you are on a shared IP, congratulations; you are helping to conserve IP addresses.

If you are on a dedicated IP address, then review how you are using it.  Do you have a secure certificate (digital ID) for https for your site?  Is it current or did it expire?  If the secure certificate is current, congratulations as you are making proper use of your dedicated IP address.  If not, then think about either renewing the secured certificate or giving back the dedicated IP address to be used by someone who really needs it.

Contact us if you have any questions.

Resources:

https://www.arin.net/resources/request/ipv4_depletion.html
http://en.wikipedia.org/wiki/IPv4_address_exhaustion
http://tech.slashdot.org/story/02/07/03/1352239/craig-silverstein-answers-your-google-questions – 5) Google and IP address
http://www.mattcutts.com/blog/myth-busting-virtual-hosts-vs-dedicated-ip-addresses/

If you are an author of any kind — blogger, writer, content developer web site maintainer, etc — you want what you write to have the best opportunity to show as close to the top when a person uses Google with a question that covers whatever you wrote.

While there are commercial (i.e. paid) search engine optimization (SEO) companies that might be able (there’s never a guarantee) have your work listed higher, there is something you can do yourself by taking advantage of the latest change at Google regarding authorship.

Google is currently testing content tied to authorship.  You can read authorship in Google search engine results on the Google Support page dealing with this subject.

The set of tasks going through the process of making sure your site and blog home page uses rel=publisher, the posts and pages you write uses rel=author or rel=me; and that you’ve properly connected this to a Google plus profile where you’ve pointed out the locations (web site areas) for which work is being published under your authorship / name.

The Google plus side is easy.  Per Google’s Help article covering the Google Plus Profile contributor to area, you simply sign into your Google plus profile, click on “Edit Profile”, and then click on “Contributor to” to add as many areas for which you contribute publishing as an author.

If you are using WordPress for your site and blogging activity, the rest of the steps are very simple thanks to the developers of the free AuthorSure plugin for WordPress.  Russell and Liz do a fantastic job at supporting this plugin; and there are a lot of tutorials for using it at the main AuthorSure plugin web site.

Installing the plugin, going through the settings, updating the WordPress user (aka author) profiles including the “Extended Biographical Info” if you went with the extended summary can be done in less than fifteen minutes.

The end result is your site, blog home, and blog pages are now using the appropriate rel=publisher, rel=me, and rel=author settings; AND,  what you write socially will now have a greater impact on where you rank in Google.

Now that you’ve heard the ending, let me share some background to why I wrote this article.

It started with asking a question in one of LinkedIn‘s WordPress groups, ” Question on Social media replacing SEO as Google makes search results personal http://www.poynter.org/latest-news/media-lab/social-media/159102/social-media-seo-google-makes-search-results-personal/“

I received the following answers from respected people in the know:

I did verify what was being said and written with my own tests; and at least for now, properly using Google Plus authorship settings does make a very nice difference to how your articles are ranked.

In the days before this was published, Google Analytics Update Connects Social Marketing With The Bottom Line was just released.  So yes, Google is tying it all together; be sure to get in the game by using the authorship tools available to you.

Contact us if you have any questions.

P.S.  If you are a managed hosting customer, and want us to install and setup AuthorSure for you, just call or put in a support ticket; we will perform the work at no charge.

If you are a security nut, then you might be using a secure, encrypted, method to track passwords per application / device. 

But what about others who do care about security, but are experts in other areas (just not security)?  Paper notes here and there, sticky notes here and there… a disaster for internal security (a fellow disgruntled employee, the cleaning person, etc.) waiting to happen.

I would like to share a thought process recently shared in the WordPress LinkedIn group concerning security.  Dan Knauss was kind enough to share https://xkcd.com/936/ (see the screen shot below).

Using four random common words combined for a password is easy to remember, and hard to break

The concept is that you would pick four words that you can combine and find easy to remember to form your password.

Now, the caution points I would share from a security expert point  is as follows:

The combination should be at least 12 wide (i.e. all the letters combined are at least 12 characters wide).
Since social engineering (i.e. the process of a hacker getting to know you personally either directly or indirectly — which today can just be accessing your LinkedIn profile, FaceBook page, and so on) is still widely used, the four words you pick should not be words that someone who reads what you publish (write) or verbalize can easily guess.

For example, I know someone who makes it very well know their favorite color is purple and they love horses.  While most hacking today is random (making everyone a potential target), if someone where to purposely target my friend, they have two words — purple and horse(s) — they can use to test breaking in.

Use an application like SplashID, Password Keeper, or the like which can securely store and encrypt your passwords.  Be careful of where the actual data is stored.

Contact us if you have any questions.

Where you shocked to see some chefs merely reheating food in a microwave, using canned soup, and other prepackaged or precooked items rather than the chefs being chefs — cooking using fresh ingredients, and making meals from scratch?

A lot of the excuses from the owners, managers, and chefs focused around saving time, and what amounted to being penny wise and dollar foolish.

I guess after seeing those shows, I shouldn’t be surprised by how many WordPress users want a control panel or means to auto install WordPress for them in the fewest clicks possible with one click being optimal.

What’s wrong with an automated installation of WordPress?

There are several areas of the WordPress installation that most automated tools do not cover adequately.  Those areas are as follows:

Automated installation systems typically do not give you the control over having a secure mySQL database password, most do not turn on PHP error logging, most may not set up the proper temporary directory for PHP sessions, most use a stock .htaccess file if they create one at all, some may use salt and others may not, and so on.

I don’t know about you, but I want to know about the material going into the foundation of a site or blog I’m going to be working on and maintaining.

If you want the best foundation for your WordPress site or blog, be sure to take the time to do it correctly and securely.

Managed hosting customers of Dynamic Net, Inc. can ask our support department to manually install WordPress for them at no charge.

Contact us if you have any questions.

One of the projects we consistently use and recommend is Ryan’s Advanced Policy Firewall by R-fx Networks known as APF

While we do customize the implementation of APF as well as BFD (making some core changes to allow us to integrate APF into our other managed security offerings), one of the issues we run into from time to time with APF is that if local DNS resolution is not working when the server is rebooted, a server will hang at starting APF.

Most of the time this issue can be resolved by making sure local DNS resolution is perfect on reboot.

Sometimes an easy fix is editing /etc/resolv.conf to make use of the data center’s recommended name servers; other times it might be using the free DNS service of OpenDNS or Google.

What about the co-location customer or customer of a small mom and pop data center who cannot assist with how the server integrates with the data center network on a local DNS basis

Well, then you are stuck with a decision of whether to use APF or not, or reboot the server without APF; then someone has to remember to start up APF once local DNS resolution is working.

The latter part is not a good option for security, and the former doesn’t fit for customers who want an integrated picture that includes APF and BFD.

I did ask Ryan about the issue about a year ago (this problem doesn’t crop up often), and Ryan’s reply is accurate and makes sense:

Until now, we’ve worked around the issue using standard techniques, one of which is mentioned above (change what is in /etc/resolv.conf), until recently where one of our long standing customers got a good deal on a MAC-based server; and put it in a data center where everything is “you are on your own other than ping, power, and pipe (which is more typical than not).

While it would be extremely easy and convenient to put the burden of this problem on the customer and the data center they picked, I was determined to not to go through status quo motions.

The crux of the matter was local DNS resolution.  How could I test it where the test itself would not hang or otherwise take long to run?

Creating the test is easy, comment out all entries of /etc/resolv.conf

Yet, the common tools recommended over the years such as host and nslookup to check for DNS issues (local and external) do not appear to have a way to control time out other than how often it will retry.  Comment out the entries in /etc/resolv.conf and then run host or nslookup against a valid public domain name, then wait… and wait… and wait… and wait… Hmm… isn’t that what is causing the APF problem?

Well all this thought about “digging into local DNS resolution” brought me to the dig command.  dig is a part of the bind-utils package available for CentOS through yum installation (yum install bind-utils -y).

Looking at the dig man pages, I saw you could pass a time out and number of tries and retries as part of the command structure.  Would this work quickly enough to test local DNS resolution?

Using dig +time=1 +tries=1 +retry=0  yahoo.com, I was able to test response times on various servers when local DNS was down as well as up.  The response time appeared to be acceptable within less than or equal to two seconds.

I wrote a test script to test my theory and create a framework for what might be used to restart APF if it was down because it was never set up to start on reboot (to avoid hanging on reboot).

Running through the test proved the concept, but now what… think, think, think.  While I could write a wrapper and put it in /etc/rc.local (which is part of the boot up sequence), I would prefer to have the server running a little bit longer, even if by a few minutes; which also meant avoiding using a sleep command.

Then I remembered that we recently created a System Integrity Monitor — S.I.M. — add on module just a few weeks ago to test for IP addresses which became unbound from the network interface.  I wrote about that adventure in the elusive hunt to protect against IP blackouts.

Now that I had the code to check if local DNS is working, incorporating the code as part of another S.I.M. add on module was easy.

While the real test will come from our client with the MAC doing a controlled reboot of his server (we have APF turned off for reboot), testing the add on module is as simple as doing the following:

• Everything running fine — APF up, local DNS working –> run sim -s
• service apf stop to shut down APF –> run sim -s
• service apf stop to shut down APF and edit /etc/resolv.conf to comment all name servers –> run sim -s
• service apf stop to shut down APF and edit /etc/resolv.conf to uncomment all name servers previously commented out –> run sim -s

When you are happy everything is working, and want to have APF come up after reboot (not during when it might hang), then run “chkconfig –levels 0123456 apf off” to turn off apf from starting on reboot.

Since Ryan MacDonald is kind enough to share S.I.M. with the world, I thought it would be nice to share dni_apf.mod with other R-fx Network fans.

Please contact us if you have any questions.