Getting Professional – Securing a domain for your email to improve your business

July 14th, 2014 @ 12:00PM - 0 Comment(s)

It is all too easy to register a free email account to launch your business, but if you’re looking for a professional option then your own dot com is a must have. There are many reasons why you should get your own dot com for your business emails, but here are a few.

Professional Branding

The perception of a business is often the first thing people look at, and with an @hotmail.com address it is hard to look professional. When a potential client contacts you, or you respond to them, their perception of your business will be greater when it comes from a uniquely branded email address. By using your own dot com, such as jsmith@professionalpainters.com.au, you’re pushing a unique and established brand name to create an impressionable first contact.

Trust with your clients

Many of the popular free email services are targeted by automated spam bots that sign up for accounts to use for mass spam delivery. This impacts the reputation of that email product and can result in some spam and malware filters ignoring emails sent from that provider. As a result, if you’re relying on that platform to send your emails, you may find yourself unable to deliver them to many of your recipients for hours or even days.

By opting for your own dot com email address on a dedicated email hosting platform, you’re less likely to run into this sort of issue. If your business relies on worry free sending and receiving, you cannot afford to leave your email delivery in the hands of a free host which can be so easily impacted by spammers.

Compliance and Security

The question is whether everything you want to do now or into the future is allowed through use of a free email account. The answer is likely no. Using a free email provider raises eyebrows over security and compliance matters as they can be an easy target for hackers. If you’re hosting financial or federal data from a free email provider, is that something you need to reconsider on both a compliance level (is it legal?) and a security level (is it secure?)? By taking out your own dot com and hosting it from a reputable Australian Email and Web Hosting provider, you’re taking the steps needed to help meet the needs of your business.

Memorable

Lastly, if you have your own business email address it’s a lot more memorable – it’s easier to remember jsmith@professionalpainters.com.au than jsmithprofessionalpainters@gmail.com. It rolls off the tongue.

It’s a no brainer right?

When it comes down to it, a domain name registration whether it’s a .COM or a .COM.AU costs no more than a couple of dollars per month to give you:

  • Professional Branding
  • Trust with your clients
  • Compliance
  • Security
  • Memorable

Bundle your domain name registration with a Web Hosting service which includes Email, or with a dedicated Email Hosting product, and you’ve increased it to the cost of a coffee per month. That’s not too much to ask for a more identifiable email address which your clients can trust.


Security – WordPress MailPoet Plugin

July 2nd, 2014 @ 03:12PM - 0 Comment(s)

Continuing on from our Security – WordPress 101 article we posted a few days ago, we just became aware of a significant vulnerability which may affect some users. It has recently been revealed that a popular WordPress plugin, MailPoet, which has been downloaded by more than 1.7 million WordPress users, contains a fatal flaw which provides unrestricted access to a user’s entire website. The vulnerability was made public via a Sucuri blog post which confirmed the worst:

This bug should be taken seriously, it gives a potential intruder the power to do anything he wants on his victim’s website. It allows for any PHP file to be uploaded. This can allow an attacker to use your website for phishing lures, sending SPAM, host malware, infect other customers (on a shared server), and so on!! – Daniel Cid, Sucuri CEO (2014).

If you are running MailPoet, it is absolutely critical that you update this plugin to the latest release (2.6.7) as ALL previous versions contain this vulnerability. This highlights the sheer importance of keeping on top of your WordPress updates (or any CMS for that matter).

Does this vulnerability exist in other plugins?

In a way, the potential is there. This vulnerability came about through the poor assumption that WordPress’s admin_init hooks for its admin directory are secure; that is, that they are only executed for administrative users who have logged in. Unfortunately that’s not true, and any call to /wp-admin/admin-post.php can utilise this admin_init hook without being an authenticated user. The unfortunate reality is that it’s quite possible other plugin makers have made this same incorrect assumption, which leaves their plugins vulnerable as well; this probably also explains why we see the ‘admin-post.php’ file targeted by automated bots so frequently.
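
The hook assumption described above, shown as a weak handler beside a hardened one. This is an added example, not MailPoet’s code or anything from the original post; the myplugin_* names, the form field, the nonce action and the option name are hypothetical.

```php
<?php
// Added illustration. The "myplugin" function names, form field, nonce action
// and option name are hypothetical.

// WEAK: admin_init also fires for anonymous requests to
// /wp-admin/admin-post.php, and is_admin() only reports that an admin-area
// URL was requested, not that the visitor is logged in.
function myplugin_save_settings_weak() {
    if ( ! is_admin() || ! isset( $_POST['myplugin_sender'] ) ) {
        return;
    }
    update_option( 'myplugin_sender', sanitize_text_field( wp_unslash( $_POST['myplugin_sender'] ) ) );
}
// Left unregistered on purpose:
// add_action( 'admin_init', 'myplugin_save_settings_weak' );

// HARDENED: same hook, but the handler checks who is calling before acting.
function myplugin_save_settings() {
    if ( ! isset( $_POST['myplugin_sender'] ) ) {
        return; // not our form submission
    }
    // 1. The caller must be a logged-in user allowed to manage settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. The request must carry the nonce printed into the settings form with
    //    wp_nonce_field( 'myplugin_save_settings' ); this also stops CSRF.
    check_admin_referer( 'myplugin_save_settings' );

    update_option( 'myplugin_sender', sanitize_text_field( wp_unslash( $_POST['myplugin_sender'] ) ) );
}
add_action( 'admin_init', 'myplugin_save_settings' );
```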

So the bottom line here is that you should keep on your toes for any Content Management System (CMS), Plugin and Theme updates to avoid being the next victim of a hack. We’d also recommend locking off access to your /wp-admin directory, if at all possible, to just the select IP Addresses who need access.

One Final Note – TimThumb

Just in case you missed it, and you’re one of the majority who utilises a WordPress Theme or Plugin which relies upon TimThumb (and there’s a lot of you), please make sure you run all of your updates, as a critical vulnerability was found just last week. For more information see http://seclists.org/fulldisclosure/2014/Jun/117


Introducing .gift, .guitars, .ink, .link, .photo, .pics, .sexy, .tattoo and .xyz

July 1st, 2014 @ 05:33PM - 0 Comment(s)

We’re pleased to announce 8 brand new TLDs that are available for purchase right now! For a full price list or to register your new domain name, head to https://ventraip.com.au/domain-names

New TLDs available to VentraIP Australia clients right now!

 


Security – WordPress 101

June 30th, 2014 @ 12:00PM - 0 Comment(s)

WordPress is one of the world’s most popular Content Management Systems (CMS), largely due to it being so easy to install, customise and get your website online; but one does not simply ‘run’ WordPress. As it is so widely used it’s an easy target for hackers looking to cause trouble or maliciously gain access to your data, so it’s paramount that you take the necessary steps to secure your website and your data.

Keep WordPress Updated

Keeping your WordPress up to date is the single most important thing when running this platform, or any CMS for that matter. Every 1-2 months you will typically find there is a core WordPress update to apply which addresses security vulnerabilities, so it is critical that you keep on top of this.

If you opt to install WordPress on your VentraIP service using Softaculous or Installatron, be sure to enable the automatic update function as this will take care of this matter for you.

Plugins

Plugins are a particularly vulnerable part of any WordPress installation in many ways. Firstly, not all plugins are legitimate; make sure that you Google your plugins before installing them to identify if they are legitimate, still in active development and have no known vulnerabilities. Installing a plugin which isn’t trusted could lead to you being impacted by malicious developers who have ulterior motives.

As with your core WordPress installation, you absolutely must keep all of your plugins up to date; an out of date plugin is another vulnerability.

Finally, if you’ve installed a number of plugins in the past which you no longer need, uninstall them. If you’re not using the plugin(s) then you have an additional unnecessary point of weakness there, so just uninstall it.

Themes

These function exactly the same as plugins. Only install trusted themes, always keep them up to date, and when you no longer need old ones make sure they are removed.

Admin accounts – username and password

The default username for WordPress’ primary administrator user is ‘admin’; don’t keep this as is. Always change your administrator username to something else. This simply makes it harder for hackers to guess your administrator username, making it more difficult to brute force your WordPress.

In addition to your administrator username, it’s important to choose the passwords you use carefully; this means using combinations of upper and lowercase characters, numbers and if possible, symbols. Always use passwords longer than 8 characters and if possible, change them every few months. Never store your passwords in plain text anywhere and never share them with untrusted people, particularly via email or IM.

Lastly, be sure to change your password every few months.

Limit access to your WordPress Admin login

Your WordPress admin area (wp-admin) will often be targeted by automated bots trying to hack their way in, so it’s a good idea to lock it off. If you haven’t installed a WordPress admin lockdown plugin, try setting up the following in your .htaccess:

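<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page and anything at or under wp-admin, including
# wp-admin/admin-post.php. Front-end features that call
# wp-admin/admin-ajax.php will be blocked for other visitors too.
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# One line per allowed IP address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.xxx$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.xxx$
# Every other address receives 403 Forbidden
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>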

In this example you will change “123\.123\.123\.xxx” to match your IP Address(es), locking down access to wp-admin to just your location(s).

Log admin logins

Using a WordPress plugin such as Simple Login Log, you can be alerted to all login events via email. A simple way to keep a check on what’s happening.

Appropriate File Permissions

This is a bit of an advanced one, but definitely important. Don’t have any 777 permission sets chmodded on your files; if you’re unsure what this means you can simply run the Permissions Fixer within your VIPControl. Furthermore, ensure you set your WordPress config file (wp-config.php) or your Joomla config file (configuration.php) to a chmod of 600 to avoid it being read – apply this same rule to other CMSs as well. You can set the CHMOD on your configuration file using cPanel’s File Manager or FTP.

Moving your wp-config.php out of reach

wp-config.php, as above, is where your WordPress configuration data is stored. By default WordPress will actually look within its installation directory and one directory above it for this file. If you have installed your WordPress to /home/youruser/public_html as your primary website, move your wp-config.php into your /home/youruser folder; this keeps it out of reach of most.
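
A way to check the two file rules above (nothing world-writable, config file at 600, including a wp-config.php moved one directory up). This is an added example in PHP, not a VentraIP tool; it goes slightly beyond the text by flagging any world-writable mode rather than only 777, and the script name and path in the comment are illustrative.

```php
<?php
// Added example: audit a WordPress or Joomla tree for risky permissions.
// Usage (script name and path are illustrative):
//   php audit-perms.php /home/youruser/public_html

function audit_permissions( $root ) {
    $findings = array();
    $root     = rtrim( $root, '/' );
    if ( ! is_dir( $root ) ) { return array( "$root is not a directory" ); }

    // Config files should be 600. WordPress also accepts wp-config.php one
    // directory above the install, so check there as well.
    $configs = array(
        "$root/wp-config.php",
        dirname( $root ) . '/wp-config.php',
        "$root/configuration.php", // Joomla
    );
    foreach ( $configs as $path ) {
        if ( is_file( $path ) ) {
            $mode = fileperms( $path ) & 0777;
            if ( 0600 !== $mode ) {
                $findings[] = sprintf( '%s is %04o, expected 0600', $path, $mode );
            }
        }
    }

    // Anything writable by "other" (777, 666, 757 ...) may be modifiable by
    // other accounts on the same server.
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $walker as $item ) {
        if ( $item->isLink() ) {
            continue; // skip symlinks rather than reporting the target's mode
        }
        $mode = $item->getPerms() & 0777;
        if ( $mode & 0002 ) {
            $findings[] = sprintf( '%s is world-writable (%04o)', $item->getPathname(), $mode );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = audit_permissions( $argv[1] );
    echo $findings ? implode( PHP_EOL, $findings ) . PHP_EOL : "No permission problems found\n";
    exit( $findings ? 1 : 0 );
}
```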

Backups

Taking backups doesn’t stop you being hacked, but it gives you a fallback if you are. If you are hacked, for whatever reason, a backup allows you to restore your website to a functional state before the hack – it is then absolutely critical that you identify how you were hacked in the first place and patch it, to avoid a repeat.

So with this in mind you need to ensure you regularly take your own backups; don’t just rely on the automated webserver ones. By taking your own periodic backups and storing them on your own computer, you’re giving yourself peace of mind that you have your data secure for disaster recovery. Always take backups!

The final word

These are just some of the ways you can secure your WordPress setup, and many of these tips can be applied to many other CMS platforms, but this by no means covers all of your options. If you’re serious about security, and we hope you are, we encourage you to apply each of these recommendations and seek out additional options such as keeping your own computer secure.