Quick course: Killing your WordPress in 10 steps

Destroying your WordPress is not that difficult; we’ll teach you how to do it in 10 steps:

  1. Install as many plugins as possible; the more, the better. And never update them!
  2. Use your first name as the username for logging in.
  3. Choose your domain name as your password with some numbers.
  4. Try out various themes and keep them all.
  5. If you find comments with strange links on your site, log in and click on them!
  6. Share your FTP credentials with everyone on a forum! (Yes, it really happens…)
  7. Never update WordPress.
  8. Don’t use any antivirus on your computer and click YES on every internet popup.
  9. Let a teenager install your website because they know a lot about Windows!
  10. Choose the cheapest web host; the one for 1 euro per month must have an up-to-date server, right?

It may seem exaggerated, but we encounter these 10 points on a daily basis.

Learn from it and avoid these mistakes!

My WordPress has been hacked. I download 5 antivirus plugins!

“My WordPress site has been hacked. I download an antivirus plugin, and maybe another one, and one more…”

And fixed?

No. There are several good plugins available, though: think of iThemes Security and WordFence, or Sucuri, Acunetix, All in one security… there are many!

But here is what these 5 plugins don’t do:

They cannot take hackers’ code apart, and they don’t evaluate code. At most, a security plugin can show you code that may not belong on your site.

The free plugins

A free plugin lacks many features like scheduled scans, backups, and more.

The Premium plugin

A premium plugin has many more features, such as scheduling scans so you are quickly informed of hacks, and blocking hackers and hack scripts.

But when it comes to removing hacks…

Even if you download 5 security plugins… once your site is hacked, it’s not easy to get rid of it.

Why 5 security plugins won’t help you much if you are already hacked

  1. The database information has been extracted from the wp-config and is being used to execute new injections on the database
  2. The FTP credentials may be known, and no plugin can help against server-level privileges
  3. The plugins do not recognize new hack codes as “dangerous” or as an open door for hackers

In conclusion

Secure your WordPress site before it gets hacked. Prevention is better than cure!


15 claims and myths about Google

The number of articles describing what you should or should not do to create a website that ranks well in Google is countless. Hundreds of websites claim to know what Google’s advanced search engine truly expects from a website.

The best source is Google itself, which occasionally provides information about its search engine. However, you will never know everything because that would lead to search engine fraud. Programmers who know exactly what Google does would abuse that knowledge. For example, they could target keywords that are unrelated to the website’s content.

Claims and Myths About Google

There are many myths and claims about the system that Google’s search engine uses to determine search results and rankings.

Here are 15 of these myths or truths, along with an explanation of why this information is spread:

1. Google compares colors in the CSS: Some experts claim that Google compares text and background colors, and if they are the same, Google might interpret it as an attempt to hide text and deceive the search engine.

2. Google no longer uses meta-tags: Some optimization experts who don’t achieve desired results assert that Google no longer uses meta-tags to determine website content.

3. Google bans websites with 18+ sector words: It’s believed that Google maintains a blacklist of words it doesn’t want to see on a website, especially those related to adult content or deceptive promises.

4. Google considers the age of a domain: Experts believe that Google looks at the age of a domain, the domain holder, and the website’s activity.

5. Google factors in website loading time for ranking: Websites with slow loading times might be ranked lower by Google, according to some experts.

6. Google values pages with links to other websites or internal articles: Websites that link to other relevant websites or internal articles provide better user navigation, which Google may reward.

7. Google requires a minimum of 400 words for “important” articles: Some experts claim that webpages with at least 400 and up to 600-700 words are more relevant and informative.

8. Google prefers pages with text formatting: The use of H1-H3 tags and text formatting like bold, italic, and underline can improve readability for readers.

9. Google uses a scoring system to determine website importance: According to search engine experts, Google assigns PR (PageRank) values that influence other websites’ ranking.

10. Google uses previous searches as a basis for new search results: Some believe that Google stores the search history of an IP address to tailor better search results.

11. Google counts the number of words on a page and uses the most common words as meta-tags: This myth suggests that Google generates search keywords/meta-tags based on the most frequently used words on a webpage, especially if they are hyperlinked.

12. Google dislikes inline styles: Experts argue that inline styles (CSS code placed in HTML) can hinder website performance.

13. Google values blogs with varied content: Websites that frequently update content are thought to be favored by Google.

14. Google has penalty systems and a sandbox: Experts claim that Google has penalty systems, watch-lists for monitoring stolen content, and a sandbox for indexing new websites.

15. Google reads Divs for functionality: The names of Divs such as add-space, banners, and leader-board may lead Google to view the website as focused on earning money rather than providing important information.

More PageRank and Fair Optimization for Your Website

The facts and myths beyond these 15 points are even more technical and require in-depth explanations.

We have the knowledge and experience to help websites rank well in Google. We use proven methods and do NOT use PageRank boosters.

If you want a website that performs well in Google, feel free to contact us!

WordPress under control?

Blocking hackers to keep your WordPress website safe with iThemes Security PRO NL is crucial.

Did you know that the log files of iThemes Security PRO NL provide valuable insights about your website?

The log files give you visibility into file changes, login attempts, accessed pages, and more!

“Why is it so important to have insight into file changes?” you might wonder. Let me explain:

File Changes

The file changes feature shows you which files have been modified or added. It’s possible that your WordPress website might be affected by an injection due to a vulnerable plugin or your own actions. Sometimes, plugins or themes that were considered secure might get exploited later due to newly discovered vulnerabilities by hackers.

iThemes Security PRO NL blocks many threats, but it doesn’t always prevent plugins from writing files. Otherwise, certain plugins wouldn’t be able to function correctly.

If, at any point, a malicious file is found on your server, you won’t have to spend days searching through all the directories and files and examining the code. Instead, you can simply open the log files.

What you can see in the log files of iThemes Security PRO NL:

  1. Date of the change
  2. Which files were modified
  3. Which files were added
  4. The complete path to the file

Knowing which files were modified can save you a lot of trouble if you’re hit by a hack or injection. You can take prompt action and understand exactly what happened!
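
The log described above can be reproduced without a plugin: take a baseline of file hashes right after a clean install and compare it later. This is an added example for this article, not iThemes’ code; the directory layout and file contents in `demo()` are constructed.

```python
# Added example (not iThemes' code): a minimal file-change log for a WordPress tree.
# A baseline manifest of SHA-256 hashes is compared with the current state and yields the
# same fields the article lists: date of the change, modified files, added files, full path.
import hashlib
import os
import tempfile
from datetime import datetime

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file (relative path, '/' separators) to its hash and modification time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": hash_file(full), "mtime": os.path.getmtime(full)}
    return manifest

def compare(baseline, current):
    """Return sorted lists (added, modified, removed) of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p]["sha256"] != baseline[p]["sha256"])
    return added, modified, removed

def report(root, baseline, current):
    """Log lines in the style 'date  change  full path', one per changed file."""
    added, modified, removed = compare(baseline, current)
    lines = []
    for kind, paths in (("added", added), ("modified", modified), ("removed", removed)):
        for rel in paths:
            entry = current.get(rel) or baseline[rel]
            when = datetime.fromtimestamp(entry["mtime"]).strftime("%Y-%m-%d %H:%M:%S")
            lines.append(f"{when}  {kind:8}  {os.path.join(root, rel)}")
    return lines

def demo():
    """Constructed scenario: baseline, then an edited core file and a file dropped in uploads."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2023", "05"))
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
    baseline = build_manifest(root)          # take this right after a clean install
    with open(index, "a") as fh:             # simulate an injected line in a core file
        fh.write("// constructed injected line\n")
    dropped = os.path.join(root, "wp-content", "uploads", "2023", "05", "x.php")
    with open(dropped, "w") as fh:           # simulate a file dropped into uploads
        fh.write("<?php // constructed dropped file\n")
    current = build_manifest(root)
    return compare(baseline, current), report(root, baseline, current)

if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

Store the baseline manifest somewhere outside the web root; a manifest kept inside public_html can be edited by the same hack it is meant to catch.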

Additionally, you can also see login attempts and which files are being looked for. The files listed under the 404 tab are often requested by hackbots searching for vulnerabilities in your WordPress.

In conclusion, the iThemes Security PRO NL provides you with useful insights to keep your WordPress website under control. In various other articles on WPbeveiligen, you can learn how to prevent file modifications and automate the blocking of hackers and bots effectively.

Is my premium plugin safe?

A brief explanation about premium plugins

Premium plugins require a one-time or annual payment. With the cost involved, one might expect these plugins to be more secure.

However, it all depends on the mindset of the plugin’s developer. Some invest significant effort in securing the plugin, while others focus solely on development to maximize profits.

Therefore, a premium plugin is not necessarily safer than a free-to-download plugin.

One disadvantage of premium plugins is that hackers dedicate more time to finding vulnerabilities in such plugins. They know that websites using paid plugins are often business websites or other important websites, as they have been invested in.

Hackers’ goal is not to take down the website but rather to send spam or place advertisements (link building and traffic) using the domain.

Important tips when using premium plugins

  • Purchase them legally; downloading illegal versions for free often includes hacks and backdoors for hackers.
  • Regularly update the plugin to the latest version.
  • Check whether updates and the license expire after one year, because that would restrict your ability to update the plugin.


Delete comment spam in WordPress

What is comment spam?

Comment spam is the term used for unwanted comments on your blog. These comments are usually unrelated to the topic and often contain links to products on other websites.

Delete all comment spam at once

All comments are stored in a database, and this plugin clears your entire comment table in the database with just one click.

Note: You will lose ALL comments at once.

Selectively remove spam comments without plugins

You can adjust the display of the number of comments in your admin panel. Click on “Screen Options” when you are in the comments section of your WordPress admin and set the number displayed to 50 or 100.

(Screenshot: manage comments)

Then you can select all messages (at once) and deselect the comments you want to keep. This depends on the ratio of spam to the number of messages you want to keep.

(Screenshot: select all comments)

Prevent comment spam via WordPress settings

WordPress has a settings page for comments where you can set a higher threshold for posting comments. For example, you can set to mark any comment with more than 1 link as spam or require users to register before commenting.

(Screenshot: WordPress comment settings)

Plugins to stop comment spam

There are several plugins that can help prevent comment spam, such as Akismet, which is already included with every WordPress installation.

iThemes Security PRO NL also has a good feature to effectively stop comment spam. The PRO version has a reCAPTCHA option, allowing you to add a captcha requirement to the comment form.

Additionally, you can use reCAPTCHA for new registrations and the login panel.

Important!

Never click on a link in a comment when you are logged in!

As an administrator, you have rights to make changes in WordPress, and hackers know that. There are JavaScript snippets and crafted links that carry out actions in the background as soon as you click them!

Solving comment spam, contact spam via phpMyAdmin

There is another way to remove spam, using phpMyAdmin. It is very effective and lets you be selective about comments by status.

First, make a backup of your database!!

Delete all approved comments:
 DELETE FROM wp_comments WHERE comment_approved = '1';
Delete all pending comments:
 DELETE FROM wp_comments WHERE comment_approved = '0';
Delete all comments marked as spam:
 DELETE FROM wp_comments WHERE comment_approved = 'spam';
Delete all comments in the trash:
 DELETE FROM wp_comments WHERE comment_approved = 'trash';


If you need assistance in solving spam problems, whether preventive or if your own website is sending spam, contact us.

Interview with a hacker, “hacking for fun”

This is an interview with a hacker who has been active in hacking websites and applications for several years. The hacker wishes to remain anonymous, and we will therefore not mention any name.

How did you start hacking?

It all began years ago when I was 16. I read about taking over someone’s Windows PC to play pranks like opening and closing the CD-ROM drive remotely. Then I learned about shutting down the PC, which also seemed fun. But it quickly became boring as I couldn’t see the person’s reaction. Also, back then, there weren’t as many laptops, and most of them didn’t have webcams, which I would have liked to see at that moment.

That sounds relatively harmless, but I understand you have been involved in other activities in recent years.

Yes, the feeling of having power over someone or “breaking in” was quite addictive. Eventually, I started sending keyloggers via email, allowing me to receive weekly emails with everything they typed. But even that became dull, as there wasn’t much interesting stuff to read.

And then you started hacking websites?

Well, not directly, as it was quite challenging to learn, and everything online changed so fast. It actually started with an acquaintance who had a website. Just for fun, I tried some login credentials, and he used his own name as the user and password, which he used everywhere, even for games, etc.

So, just for fun, I changed a few words on the website.

With someone you knew personally?

Yes, just for fun, harmless… I only changed a few words, giving the information a different twist.

How did you progress to the point where you started seriously intruding into other people’s websites, I assume strangers?

Well, intrusion… I’d say they left the backdoor of their website wide open, and I just walked in. And they weren’t strangers because the first websites I started hacking belonged to people I didn’t really like. My former employer and a few individuals who deserved it. I mean, it’s still quite decent, right? I didn’t physically harm them but just took them down a peg.

I only modified their websites. I deleted all the pages and uploaded my own page with a nice picture.

It’s really that simple once you’re inside the server.

Aren’t you afraid they might catch on or report you to the authorities?

They have to find me first. I have a way to be “invisible” on the internet without leaving my IP address, etc.

Are you still very active? Should I think about one website per week, per month, or…?

No, not at all. Occasionally, when I have free time, I turn on some hacking software and try to get into a website. Sometimes, I even email them. I politely tell them they have a vulnerability and how to fix it. But most of the time, I don’t get paid for it, even though I provide my Bitcoin address. Not even a tip for the effort, so it’s more fun to hack a well-known or popular website and mess around with it.

Thank you for the interview.

You’re welcome. It’s also nice to share sometimes. Most of what happens on the internet is anonymous because I prefer to keep everything private from acquaintances. They usually wouldn’t understand anyway.

Knowledge and experience take years

I often encounter programmers who have a hack on their website or their client’s site and then search on Google for how to remove that hack. They supplement their programming knowledge and try to restore and secure the site with that information.

However, no matter how much they read and apply from the internet, the hacks keep coming back.

This makes me think that knowledge and experience take years to build.

And I experienced this…

When I was young, I had a vintage bike, a manual moped. It didn’t run properly and couldn’t reach the expected speed. I did a lot of research on the internet and worked on it extensively, but nothing seemed to solve the problem.

During one of the test rides, an old man in his 80s, hunched over, shouted, “Your mixture is too rich, you’re burning too much oil.”

I said, “No, it’s fine, I know what’s in the tank!”

The old man said, “I can hear that it’s running too rich. You should put less oil in your fuel.”

Later, it turned out that the wrong mixture had been added to the tank, which wasn’t suitable for that specific type of moped. (There was still a separate oil reservoir on the moped that required a small amount of oil, allowing it to run on different fuel.)

Various people around me (including the previous owner of the moped) couldn’t figure it out, but this man heard it from the sound of the engine!

That is knowledge and experience!

Why “JUST QUICKLY REMOVING A HACK” is not realistic

I hear it at least once a month: “just take a quick look on the server to see if you find anything, and then delete IT”.

This is even a frequently used strategy among web builders: they poke around the server, delete something, and then assume the hack is gone.

Is it strange to think that a hack consists of 1, 2 or 3 files?

Thinking that the hack consists of a few files is not even that odd. I understand the idea!

Unfortunately, malicious hackers work very fanatically on a leak, a hack script or a piece of malware.
Part of their hack script is often a line of code that points to the root directory and drops malware in every folder beneath it.

An extra copy of the script costs nothing extra, right!
The server keeps working..

Hacks above PUBLIC_HTML?

Yes folks, it happened to me too, before I started working with a checklist. I cleaned the website 10 times, spotless. Everything IN public_html, httpdocs.
But those rats unfortunately also put the malware above public_html if there are write permissions there.

Oh, those few folders in a WordPress website.. right?

You may be surprised, because a standard WordPress installation, before plugins and themes are even added, already contains more than 3000 files and 307 folders!!

Huh, where? Well, just think it through: the root folder where WordPress lives already starts you off with 3 folders:
wp-admin + wp-content + wp-includes
> wp-content > plugins / themes / upgrade / languages
> Uploads / years / months /

12 folders per year; do that for 6 years.. 72 folders! In the uploads folder alone.

A GIANT HIDING PLACE, in other words. And it only takes 1 little folder with an active piece of code for hackers to keep walking right in. The so-called backdoor.

Backdoors – Small, sneaky, but a BIG danger!

Literally translated: the back doors.
They create new WordPress administrators and pass important data on to hackers. They literally make anything possible!
And such a backdoor only needs to be 5 lines of code in a small file.. or, if you build it in base64.. 1 line of code. (code below as an example, part of a backdoor)

In the most brazen backdoors we even come across Telegram bots, which forward the new data of customers, purchases and admins directly. Terrible!

Hacker trick: fake folder names

Don’t be surprised if you come across folders that don’t belong there but look very legitimate.
Made-up folders (not to be confused with made-up jokes) that look just like legitimate folders, and on top of that appear to be empty or filled with the “right” files..
> root
> index
> uplaods / 2023
> wp-apmin

(Screenshot: fake folder names)

That needs careful inspection. Quickly browsing through all the folders with the mouse and deleting “something” doesn’t work.
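
Careful inspection can be partly automated. The added example below (not WPbeveiligen’s or any plugin’s code) walks a WordPress tree read-only and reports the tricks described above: folder names that closely resemble real ones (wp-apmin, uplaods), unexpected top-level folders, PHP files inside uploads, and eval() of a base64-decoded string. The sets of known folder names, the similarity cutoff and the regular expression are assumptions; the tree built in `demo()` is constructed.

```python
# Added example (not WPbeveiligen's or any plugin's code): a read-only scan that reports
# lookalike folder names, unexpected top-level folders, PHP in uploads and eval() of an
# encoded payload. It reports findings and deletes nothing.
import difflib
import os
import re
import tempfile

# Assumed known layout: the three root folders named above and the usual wp-content folders.
KNOWN_ROOT_DIRS = {"wp-admin", "wp-content", "wp-includes"}
KNOWN_CONTENT_DIRS = {"plugins", "themes", "upgrade", "languages", "uploads", "mu-plugins"}
# eval/assert wrapped around a decoder call, the shape of the one-line base64 backdoor above.
ENCODED_EVAL_RE = re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def subdirs(path):
    return {d for d in os.listdir(path) if os.path.isdir(os.path.join(path, d))}

def check_names(parent, found, known, report_unknown):
    """Flag names that resemble a known folder (likely fake) and, optionally, any other stranger."""
    findings = []
    for name in sorted(found - known):
        close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.75)
        if close:
            findings.append(("lookalike-dir", os.path.join(parent, name), f"resembles {close[0]}"))
        elif report_unknown:
            findings.append(("unexpected-dir", os.path.join(parent, name), "not part of WordPress"))
    return findings

def scan(root):
    findings = check_names(root, subdirs(root), KNOWN_ROOT_DIRS, report_unknown=True)
    content = os.path.join(root, "wp-content")
    if os.path.isdir(content):
        findings += check_names(content, subdirs(content), KNOWN_CONTENT_DIRS, report_unknown=False)
    uploads = os.path.join(content, "uploads") + os.sep
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            if full.startswith(uploads):
                findings.append(("php-in-uploads", full, "uploads should contain media only"))
            with open(full, "rb") as fh:
                head = fh.read(262144)        # enough for small dropper files
            if ENCODED_EVAL_RE.search(head):
                findings.append(("encoded-eval", full, "eval of a decoded string"))
    return findings

def demo():
    """Constructed tree: a normal layout plus the fake folders named in the article."""
    root = tempfile.mkdtemp()
    for d in ("wp-admin", "wp-includes", "wp-content/plugins", "wp-content/themes",
              "wp-content/uploads/2023/05", "wp-apmin", "root", "wp-content/uplaods/2023"):
        os.makedirs(os.path.join(root, *d.split("/")))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php require __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-content", "uploads", "2023", "05", "x.php"), "w") as fh:
        # inert fixture: the base64 text decodes to the word 'constructed', not to PHP code
        fh.write("<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
    return sorted({(kind, os.path.relpath(path, root).replace(os.sep, "/"))
                   for kind, path, _ in scan(root)})

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:15} {path}")
```

Treat every finding as a lead to inspect, not as proof: a plugin may legitimately add a folder under wp-content, and the regex only catches one common backdoor shape.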

101 other tricks

There are so many tricks, and I see new ones come by every week. Backdoors, phishing, spamming, data theft…
Hopefully you now understand that “JUST walking through the files and deleting what you come across” is not an option.
In any case, not a good option!

Have your website made hack-free

Do you have a WordPress website, small, large, business, webshop, that you want to have made COMPLETELY hack-free?
That’s possible! That’s what we do.

Register your website for hack recovery

WordPress security – The pyramid

WordPress Security is like a Pyramid

(Image: the pyramid of WordPress security)

The Base is WordPress
At the top of the pyramid, it all begins with the programmer/designer who sets up your WordPress website.

Securing Just One Part is Useless!

Focusing on one aspect, such as having a good programmer/designer, secure passwords, or the latest updates, won’t be enough. As you can see from the pyramid, it’s just one part of the whole.

A Truly Secure WordPress Website

To achieve a genuinely secure WordPress website, you need to secure all aspects.

We will help you, step by step, to make each part of the pyramid secure so that your WordPress website is truly protected!

  • The Programmer/Designer
  • The Theme
  • The Plugins
  • The Hosting
  • The User
  • WordPress Itself

The Programmer/Designer

A good WordPress website developer will use no more than 8-10 plugins. Each additional plugin is an opportunity for hackers, as not all plugin developers are experts in security.

This is where knowledge comes into play; the programmer/designer needs to be aware of the risks associated with each additional plugin and should consider coding certain features instead of relying on plugins.

However, bear in mind that a programmer/designer may take longer to create functions without using plugins, so the budget may need to increase! You can’t expect a programmer to build a fully functional website for a small amount (150-300) and also ensure top-notch security. (Also, not every programmer who charges a lot of money is necessarily good!!)

The Theme

Whether it’s premium or free, it doesn’t matter.

Really?

Premium themes are more frequently targeted by hackers because they prefer to hack sites that involve money. Premium plugins are commonly used, and hackers know that.

In short, being premium is not a guarantee. Do some research to see if the theme is listed in this database.

The Plugins

As shown in the pyramid, plugins play a significant role in the website’s security, with more than 36.3% of the website’s security depending on them.
Plugins are “third-party made,” which means they are developed by individuals in their basement or by teams launching a plugin.

Do you know who made your plugin? And do they have expertise in security?

There are 44,273 plugins available for free download on WordPress.org.

This is a fantastic offering! Plugins such as:

These are excellent plugins that can transform WordPress into an online shop or marketing machine!

However, once they gain popularity, hackers download the plugins and search for vulnerabilities. Once found, they create a script that scans websites for the presence of the targeted plugin and then executes a script to fill your website with ads, advertising the hacker’s products. Often, these products are related to Viagra, as it apparently sells well??

The Hosting

Hosting is where your website resides. This is known as a “data center.”

Sounds cool, and it is. High-tech computers are running to serve your website.

Well, high-tech… they are actually expensive stripped-down computers!
Powerful processors and ample storage ensure that websites are served quickly when a visitor requests them.

What is the host’s responsibility?

The host must ensure that the server software is up to date. The websites are displayed via a computer running Linux or Windows, and these should not get infected/hacked. This rarely happens, which is why this accounts for only 9.09% in the pyramid.

What does a good host do?

A good host wants to keep their high-tech computers fast, which means making sure they are busy serving visitors, not running hacker scripts. Sometimes, a hosting company might ask you to keep all WordPress plugins up to date.

Or they might even take your WordPress website offline!

If your website is busy sending spam or launching attacks on other servers/computers of the host, they may take your website offline to stop this disruptive behavior.

The User

(Image: the WordPress user, you)

What You, as a User, Can Do

  • Keep your plugins, theme, and WordPress up to date
  • Choose passwords that are not easy to guess
  • Don’t leave unnecessary plugins or themes on the server
  • Avoid clicking on links while logged in as the website’s administrator

WordPress Itself

The developers behind WordPress, who continue to offer it for free, are very active. They release new WordPress updates on a monthly, and sometimes even more frequent, basis to address new hacker tricks.

WordPress itself is a good and stable system! It was launched in May 2003 and has been in development for over 10 years.

Did You Know?

There is a Dutch security plugin that takes care of 80% of these aspects for you!

iThemes Security PRO NL

This plugin helps you set up the server/hosting, enforces the use of strong passwords, keeps hackers out, secures directories, stops brute force attacks, secures your admin area, and provides an overview and control over your website!
