The Ultimate Opencart Security Practices and Malware Removal Guide

This OpenCart security guide will help you to protect your store from hackers & how you can fix your hacked OpenCart website

The Ultimate Opencart Security Practices and Malware Removal Guide

OpenCart is an easy to use open source e-commerce platform for aspiring entrepreneurs. Its uniqueness lies in the user’s minimal interaction with the underlying technology. It’s strikingly customizable UI adds to its virtues. Given its stunning features and open-source integration, it is an open target of millions of hackers every day. We at Astra have helped so many OpenCart Customers who were affected by severe malwares and needed help with their OpenCart Security Practices. In today’s times, The cyberspace is plagued with hackers, security of your OpenCart Store should be a priority of the highest order. We have prepared a comprehensive guide on Opencart Security Practices to help you keep your OpenCart Store super secure. This guide will help you implement all the OpenCart Security Practices step by step.

Basic Security Steps

These are the simplest steps for OpenCart Store hardening, They may sound basic, but they aren’t supposed to be neglected in any case. We advise you to follow all the steps in our OpenCart Security Practices guide for the maximum security of your store.

Delete the install folder

Deleting the install folder is advised by OpenCart immediately after installation. You should delete the install folder as soon as possible as there is a huge risk of it being exploited by hackers. OpenCart will warn you in the administration if the install folder is not deleted.

Follow these simple steps to delete your install folder;

  1. Using an FTP client, log in to your server
  2. Navigate to the web root, (usually /public_html or /var/www/html folders.
  3. Delete the folder named ‘install’ in this directory by right-clicking on the folder and selecting ‘Delete’.

Directories Safeguarding

Admin Folder:

As the name suggests admin folder is the control panel for store’s administration. Anyone who can access the admin folder can manipulate sensitive information about customers, products and the store settings in general. Hence, it is vital to secure the admin folder and make it tough for unauthorized users to locate or access it. To make your admin folder hackproof follow these steps:

Renaming the Admin Folder:

  1. Log into your hosting account cPanel or FTP
  2. Navigate to the folder containing the “admin” folder. It is usually the “public_html” or “/var/www/html” folders.
  3. Right click on the “admin” folder and choose the “rename” option from the dropdown
  4. Enter the new folder name for the “admin” folder. Use an uncommon name which is hard to guess and completely unrelated to your business.  (For eg: “STA22R1”, “ROCKETSCIENCE74851”)
  5. Now, edit the /admin/config.php and replace ALL instances of the word ‘admin’ with the new folder name you have chosen in the above step.

Here is a more detailed tutorial on how to rename your admin folder.

Add .htaccess file & .htpasswd:

It’s advised to have additional security mechanisms incorporated, in case hackers are able to locate the admin folder. Using .htaccess allows you to block a certain amount of web traffic. It can be configured in a way that the store can only be accessed from the admin’s IP address.

Steps to add a .htaccess file:

      1. Login to your store using via FTP/SFTP.
      2. Navigate to the folder which is to be protected.
      3. Create a .htaccess file, and place the following code in the file.

Also, the important thing to note is that it gets applied to all subdirectories in the admin directory, by default.

Code for .htaccess in admin folder, Basic OpenCart Security Practices.

Using a .htpasswd file will create an extra step of authorization and demand an additional unique password for the approved administrator to access this directory. You can generate an .htpasswd for your OpenCart store here using our own .htpasswd file password generator.

Catalog Security

The Catalog can be secured using the traditional .htaccess file, similar to the one we used in the admin folder. File match can be useful for shielding important file types of your OpenCart store. File types such as .php and .txt. The following code can be used for .htaccess in your catalog folder:

Note: After setting the catalog folder .htaccess file, All the template, php & text files will have selective access.

Securing the System folder

In the system folder, only two specific files need to be protected. Those two files are called. logs/error.txt and 
start_up.php. Using the logs/error.txt file a malicious attacker can figure out the server’s functioning and can use it for his benefit.

By using a .htaccess file for the system folder one can secure the system folder from unauthorized access. Use the following code for the .htaccess file in your system folder:

Intermediate Security Steps

These are the next level of OpenCart hardening steps.

Configuring File Permissions

By setting up file permissions for the critical files, a user can direct the server on how to provide access/handle requests for these files. It is advised to use 644 or 444 to protect your OpenCart store against file overwriting, malware attacks. 644 provides reading as well as writing options, whereas 444 provides read-only access.

We advise you to have 444 file permissions for these specific files:

  • config.php
  • index.php
  • admin/config.php
  • admin/index.php
  • system/startup.php

Be Cautious while using 3rd Party Plugins

Many times e-commerce store users install plugins for added functionalities, this third-party plugin can potentially contain malware or instigate vulnerabilities into your OpenCart store. Many third-party open-source plugins can be configured to be the carrier of malicious payloads. Hence, we recommend you to be careful while using software or plugins of uncertain origin.

Only install extensions from trusted developers

Like any other popular CMS, OpenCart also has its own marketplace for extensions. To be safe from adversities, download extensions from trusted OpenCart developers only. If any extensions have these things mentioned under the download button:

It means the extension was developed from in within the community and the developer who made these plugins can be trusted.

Water-Tight/Ultimate Security Steps:

Disable dangerous PHP functions

PHP or Hypertext Preprocessor is a server-side scripting language used in backend web development. If used in the incorrect way with or without intent, it has the capacity of wrecking up the entire web server. This can be a major cause of concern.

In php.ini there exists a setting known as, disable_functions which is often unnoticed. It allows you to disable certain functions for security reasons. You can use the following code to disable dangerous php functions:

disable_functions = "show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, eval"

Note: Certain risky functions like eval, shell_exec is used by developers for legitimate functions also, so be careful while disabling them.

Avoid using tools like Adminer, File Manager, Unzipper

We sincerely advise you to refrain yourself from using tools like Adminer, File manager, Unzipper. Although most developers tend to use these tools, they are considered a security risk if left unattended on the public domain. Hence, If you plan to use them, do delete them after you’re done using them.

Use a Web Application Firewall

WAF is an application that sits in front of your application to protect it from multiple attacks. These attacks include Cross Site Scripting(XSS), SQL Injection, File Injection, Server-side attacks to name a few.

One of the best option available at your disposal to prevent your OpenCart website is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your OpenCart website.

Malware Removal

One of the simplest malware removal techniques is the Core file integrity analysis. For immediate help refer to our detailed guide on OpenCart Malware Removal here.

Core file integrity analysis

All of the OpenCart core files should not be modified unless done through OCMOD/VQMOD for valid reasons. The quickest and the simplest method to analyze the integrity of your OpenCart core file is using the diff command in a Linux terminal. If you aren’t comfortable with command line operations, you can manually check your files using a secure FTP client.

Opencart Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate Drupal Security Practices and Malware Removal Guide

This Drupal security guide will help you to protect your website from hackers & how you can fix your hacked Drupal website

The Ultimate Drupal Security Practices and Malware Removal Guide

If you own a site, you probably know how distressing it is to lose your precious data overnight. As a crawling malware succeeded in making a hole in your weak Drupal security Structure. So, Astra is back with another useful article to save you from sleepless nights and distressing thoughts. Now, let us move to the scene where a Drupal site has been hacked. Let us understand the types of hacks, their symptoms, the process of Drupal malware removal and the ways to prevent them in the future. With this guide, your Drupal security will improve tenfold. It is everything you need, in case you were wondering how to restore your site after a brutal cyber attack.

Introduction to Drupal Security

Wikipedia defines Drupal as a free and open source content management framework written in PHP. It enjoys the title of being the third most popular content management framework in the market only after WordPress and Joomla. Because of the versatile nature of Drupal, variant sites can work on it efficiently. And thus it is being used by big corporates and enterprises. To name a few famous users of Drupal, we can safely include NASA, Harvard University, Tesla and Nokia.
But, when it comes to the question of Drupal security, these sites seem to live under a cloud. Although, it must be mentioned here that the Drupal security structure is reputed to be a really hardened one. There have been negligible malpractices with its sites till now. The vulnerability of its sites getting infected lies mainly with the cross-site inscription(XSS). Still, it must not be forgotten that no site is completely hacked proof. Thus, this article “Drupal security and Drupal Malware removal guide”.
Coming to the issue of Drupal site getting hacked, you surely need to figure out a way for the Drupal Malware Removal. No worries! Astra is happy to help.

Types of Drupal Hacks

Hacking is a broad area, which makes it an arduous task to classify it into numbers and types. Having said that, we are presenting you a list of only the trending hacking types that are found to be the current craze amongst the hackers.
First things first, before getting into the details of Drupal malware removal and safety guidelines, it is of extreme importance to learn a bit about the hacks on rising in Drupal or other CMS(s). Here is a short list of the hacks and their Drupal Malware Removal process.

Drupal Malware Removal in SEO Spam

For sites with high-quality content and fairly good popularity, there comes unwanted threats and exploits. Drupal surely is one popular website and houses a huge number of other large and important sites. This, invariably, makes it easy prey for the spammers. SEO (search engine optimization) spam is one such hack used primarily to get undeserved visibility in search engines. It is done by manipulating the indexes. Further, it is also used to spread phishing content online.
Moreover, the hacker uses the website as a host to send spam emails, to collect user data and to execute a number of other malpractices. These practices no doubt, have serious consequences. Losing the control of the site, modification or misuse of user database are only a few examples. In addition to the data loss, the reputation of the website is put to stake too. In severe cases, the site also loses its valuable customers.
A similar case was seen when Drupal was infected with the Pharma hack recently, where SEO spammers used its vulnerabilities to redirect users to pages selling viagra and cialis. This SEO spam is known as Black Hat SEO. Another famous example of SEO spam is Japanese SEO Spam. In this spam, the spammers hijacked google search results and displayed Japanese words in the titles and keywords.
Pharma Hack
Japanese SEO Spam

Drupal SEO spam symptoms

To check whether your Drupal website has been attacked, look for the following symptoms:
  • Unusual, slow, or abnormal site behavior
  • Modified files like-page.php, nav.php, etc. index.php, drupal.
  • Added new pages like leftpanelsin.php, cache.php, etc.
  • Edited xmlrpc.php in order to escape detection by webmasters.
  • Usage of base64 encoding to obfuscate code.
  • Files are hidden under /images folder to skip detection.
  • Altered page name as .somefile as an attempt to avoid being seen.
  • A difference in search results of Google, Mozilla, Bing, etc as a result of the spam.
  • Unauthorized new users on the Drupal dashboard.
  • New nodes from an unauthorized user.

Drupal Malware Removal Process

If it is found that your site is behaving in the manner specified above, Follow the next steps vigilantly to undo the damage that has been forced.
  • Scanning: Scan your website with modules like Hacked!, git etc to know the status of the hack. Also, analyze your website with the help of google webmasters tools to check for an unusual web traffic increase. Check out for new, unfamiliar codes in your files. Have a look at the following sample of codes which redirects your website to that of the hacker’s                                       
    <ul id="menu">
    <li><a href= attackerdomain.com">Something1 </a></li>
    Hackers also hide their code in tobase64 avoid detection as the attackerdomain.com looks like: YXR0YWNrZXJkb21haW4uY29t making it hard to detect the attacker domain.
    Similarly, in order to search for base 64 encodings in files the grep command is helpful as following: find . -name "*.php" -exec grep "base64"'{}'\; -print &> b64-detections.txt This piece of code basically searches into the .php files of your choice for base64 encodings. The results of which is saved in b64-deTtections.txt files. You can, finally, use an online resource to decode this and get a clear picture of the misdoings to the site.
  • Cleaning: Malpracticers often leave loopholes in a site to get access repeatedly. The common backdoors are hidden under several PHP files, these include, base64, system. assert, st_rot13, create_function etc. Remove these backdoors manually.

  • Securing: Restore authentic backup files. Update every theme and module of your website. Disable plugins with obsolete modules. Install good copies of modules from the Drupal’s site. This will remove all the loopholes left by the hacker.

Drupal Malware Removal in Admin Hack

Another very problematic hack is named Admin hack. It is exactly how it sounds, a hack where the attacker gets access to the details, passwords, keys, and powers of the admin of the site.
Once getting hold of the powers an admin enjoys, they have the control to Change/delete/manage/reset passwords from there. They can also add unverified members, or send spam emails as an imposter of the admin, modify modules/ core coding of the site.

Drupal Admin Hack symptoms:

  • Unusual, slow, or abnormal site behavior
  • Multiple admin users added to Drupal.
  • Infected and malicious files with uncommon names added to the public_html folder
  • Several files copied to the website
  • A new file called  ext.php added to folder/drupal-admin which gives the power to hackers to upload dangerous PHP files to the ‘drupal-admin directory’.
  • Re-infection of the website almost immediately.
Security warning by the Hacked! Module in Drupal

Drupal Malware Removal Process

  • Scanning: Scan your website with modules like Hacked!, git, etc to know the status of the hack. Check index.php, drupal-admin/index.php to see if they have been modified. Scan for new, unfamiliar files in the server or/drupal-admin folder. The files that you may find are: Marvins.php ,db_.php, 8c18ee, 83965, admin.php, buddy.zip, dm.php
  • Cleaning: Delete unknown Drupal administrator accounts from the user’s page. And also the codes that add malicious admin user(s). Remove all the PHP files from your ‘uploads’ directory. Clean the admin user database manually so as to get rid of the unknown users added.
  • Securing: Restore authentic backup files. Update every theme and module of your website. Disable plugin with obsolete modules. Install good copies of modules from the Drupal’s site. This will remove all the loopholes left by the hacker.

Drupal Malware Removal in Redirection hack:

Redirection hack is something every internet user must have experienced at some point in their surfing history. But, when you are a website owner, to have your users redirect to spam sites is literally a nightmare. In Redirect spam, a spammer redirects visitors of a particular website to spammy and malicious sites.
As for Drupal, it is a popular and growing site, and thus a desired target for the web crawlers. Drupal redirect hack is another convenient yet unscrupulous way for the hackers to use this progressive site as a door to redirect visitors to their sites. These sites usually have little or zero relevance to the search opted for.

Drupal Redirection Hack Symptoms

Admin hack could be identified easily by the following symptoms:
  • An unusual increase in web traffic.
  • Clicking links on your website homepage redirects to spam.
  • Unwanted ads or pages open up on your website as a result of the hack.
  • The Appearance of unknown nodes and files.
  • Spam content in search engine results. Blacklisting by search engines like Google, Bing etc.

Drupal Malware Removal Process

The Drupal Malware removal for this kind of hack can be done as follows:
  • Scanning: Check for alien files added to your website with Drupal modules like Hacked!, git, file integrity, etc. Scan for any new, unverified user entries. Look out for any fishy tables like Sqlmap. To show all the tables simply use the command. show tables;. The attacker might have also created new user entries and gained admin privileges. To check that use: Select * from users as u AND u.created > UNIX_TIMESTAMP(STR_TO_DATE('Oct 15 2018', '%M %d %Y ')); Here, it will display all the users created after 15 October 2018.
  • Cleaning: Remove all the unfamiliar files from your server manually. Clear your cache using the following command: drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7). Also, Edit the .htaccess file as follows: order allow, deny allow from all deny from env = spammer SetEnvIfNoCase Referer ". * (Poker | credit | money). *" Spammer </ Limit> This piece code block users from accessing the pages with links like poker, credit etc based on identifiers (HTTP referrers)
  • Securing: Restore authentic backup files. Update every theme and module of your website. Block access based on its own identifier (HTTP REFERRERS). Rewrite Engine On RewriteBase / # allow referrals from search engines: RewriteCond% {HTTP_REFERER}!. * xyz \ .com /.*$ [NC] RewriteCond% {HTTP_REFERER}! ^ Http: // ([^ /] +) google \ .. * $ [NC] Continue replacing the phrase google with all the search engines like yahoo, bing etc. you wanna allow. # Conditions for don`t wanted referrals RewriteCond% {HTTP_REFERER} ^. * Loans. * $ [OR] Continue replacing the word loan with the spam words like viagra, porn, etc you wanna block.
Note: Know more about Google Blacklist Removal.

Enhancing your Drupal Security

Now that we have applied the Drupal malware Removal, it is time that we guard it against any future mishaps. The following tips will help you in enhancing your Drupal security structure to the maximum level.

Updating:

It is incredible how just updating and resetting your websites and modules reduces its vulnerabilities by a huge extent. New versions are nothing but patched and mended loopholes in your Drupal security structure. It is only prudent to use it for it to possess lessened security threats. The Latest version of Drupal can always be downloaded from Drupal’s official site drupal.org.

Unique Usernames and Passwords:

This is probably the most underrated of the security measures. But, the importance it holds could not be emphasized more. Most people opt for simpler usernames and passwords their memory could retain easily. This is one dangerous practice. Using your own name, word admin as usernames is a big NO. 123456789, or word “password” are way too simple and easy-to-crack passwords. One security loosened is one opportunity provided. Make sure you go for unique and strong usernames and passwords.

Backing up with frequent Backups:

In times, such as a brutal cyber attack, only backups has got your back. Undermining the importance of timely and regular backups will cost you dearly. DO NOT overlook the value and necessity of backups. Drupal’s official site has all the backup related information, you can always take help from there. Backups will prove to be a savior if you lost your valuable data in an unfortunate cyber hack.
Restricting Permissions:

Giving permissions with a vigilant eye is one hack to protect your site against any malware attack. Stopping any bots, pages etc which are extraneous will add to your site’s security majorly.

Using Drupal Modules:

Drupal security modules promise a more secured structure, in fact, its popularity is attributed to its security excellence. Using Drupal modules will work for your benefit. Some modules are as follows:

1. File Permissions:

Since Drupal is an open CFS, anyone can read and write codes in it. But, this allowance should be optimized carefully. To have a secured site, you must check if the permissions for opening, reading and altering these files is reasonable and not too liberal. Again, this module is easily found on the Drupal’s website.

2. Sanitizing output:

In order to prevent XSS infection to your sites, it is necessary to sanitize and filter the HTML outputs. Sanitization can be done with various modules available in Drupal, such as Twig Templates, Javascript(jQuery) and drupal.checkplain(). To learn more about Sanitizing of texts, visit Drupal.

3. File integrity check module:

This Drupal module allows you to scan the website and the modules attached. It periodically checks for any divergence in the current state of the website as compared to the original authentic version you feed into it. It then alarms you, if, modifications or loopholes in different modules or core module is found. You can check this facility on Drupal itself or click on the link https://www.drupal.org/project/file_integrity for direct access.

4. Coder:

The coder command checks your site’s codes against set standards. It suggests the best practices for coding. It also highlights any violations in coding standards done in your site.

5. Captcha:

The captcha module’s sole purpose is to block login attempts by automated bots lurking on the internet sphere. With this module, you are invariably going to increase your Drupal security.

Conclusion

We hope Astra had your queries answered and problems solved to a great extent. Be safe and dodge any cyber attack by keeping your site super secure with this guide. Be smarter than the hackers and apply the recommended steps very carefully.

Drupal Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate Moodle Security Practices and Malware Removal Guide

This Moodle guide will help you to secure your Moodle website from hackers & how you can fix your hacked website.

The Ultimate Moodle Security Practices and Malware Removal Guide

If you are a teacher or a student then you must have heard about Moodle. It is one of the most popular learning management systems in the world. It has over a hundred million users, which makes it an attractive target for hackers and exploiters. Instances of hacking and defacing Moodle based services are becoming more common now. These incidents call for an awareness regarding Moodle security. By knowing about the various security threats and adopting some basic safety measures, you can easily protect your Moodle platform.

Understanding the security

To understand the security of your web application, you need to understand the various types of users of your Moodle based application. Based on that you can custom fit your Moodle security system.

  • Administrators: Administrators will have all privileges such as for changing all the settings, create and access various courses; modify all language packs and also the users. They can also execute shell and PHP codes. Administrators in Moodle applications can be restricted in certain areas by hardcoding certain settings in the config.php file.

  • Teachers: Teachers are the ones responsible for designing courses, enrolling and teaching students. They will usually require permissions for uploading files and submitting html texts, for creating and managing activities and access information such as grades and personal information of students. Files containing flash, JavaScript and other scripts are generally considered security risks. However, these files are commonly used by teachers and removing them is not possible. There is always a certain amount of risk when considering the privileges the teachers have.

  • Students: Students are the main participants in the courses. They will generally require the following permissions:
    • For posting formatted texts along with inline images and attachments
    • For uploading binary documents (files that contain text and the formatting in binary form)

  • Guests: Unregistered guests can be spammers or hackers trying to find backdoors or insert one into your application. Try to disallow them from uploading any type of files or submit any type of text. Sites having user sign up via email must be careful of spammers and numerous other types of attacks.

What types of attacks are we dealing with?

These are some of the common attacks:

  • Unauthenticated and unauthorized access
  • Cross site request forgery
  • SQL Injection
  • Cross site scripting
  • Data loss
  • Command line injection
  • Session fixation
  • Denial of Service
  • Brute force login
  • Confidential and configuration information leakage
  • Social engineering

The following provides a closer look at a few common attacks

  • SQL Injection: Any attacker can delete all the data in your application using SQL Injection attacks, especially when your code fails to clean the parameters properly. In Moodle 2.0, the concatenation of strings is completely avoided and instead it would pass an array of values to the database with the SQL. To protect your web application from this type of attacks, use higher level dmlib methods, such as get_record, this will eliminate the need for you to create SQL yourself. Use place holders wherever you need to insert values into SQL statements.

  • Cross-Site Scripting: In Moodle, users can type in HTML which in turn is displayed on the website. Thus, if the content has any hidden JavaScript, the user can have full access of everything on the page. Moodle helps in preventing cross site scripting by cleaning the input, dividing the input into various categories and by providing specific JavaScript guidelines for users. When the data comes in, using the optional_param or required_param functions, you can be sure of the input data. Moodle also divides the input into four categories: plain text, labels as plain text, HTML content by any user and HTML content input by trusted users. Depending on the input data type, users can choose the output function to display them. Also, while sending data to JavaScript, users should follow the Java Script guidelines and put the content in an external file. Then, communicate with the file by using $Page->requires->js_function_call or $Page->data_for_js functions. These functions encode all PHP data before passing it to JavaScript.

Past security flaws

Security loopholes in the past let attackers to enter into the system. Developers have patched them since, but they provide useful insights into how attackers exploit the vulnerabilities. Some of these are:

  • The /badges/mybackpack.php file had a vulnerability that allowed setting the URL of badges, while it should be restricted only to the Open Badges backpack URL of Mozilla. There was a possibility of blind SSRF via requests by the page in this vulnerability.
  • The capability named “Managing Groups” earlier was missing the “XSS Risk” flag. This capability was to be available only to trusted users, thus it was assigned to managers and teachers by default.
  • To prevent login cross site request forgery, the login form was not protected by any token. This was a serious risk since this can allow attackers to steal data or change the passwords.
  • During importing “drag and drop into text” questions in quizzes, it was possible to inject and execute PHP code from within the questions. Infected questions or questions from untrusted sources could use this vulnerability to enter and cause harm to the application.

These were a few vulnerabilities in Moodle that were fixed. They are the perfect example to show how attackers can leverage various backdoors and bugs to exploit the system. Being vigilant about such gaps in your Moodle security helps in quickly resolving them and securing them.

An in-depth analysis of an attack

The following is an example of Code Injection through a major vulnerability in Moodle. RIPS Code Analysis detected a vulnerability that allowed users with the role of a Teacher to perform code execution within the application.

The attacker and the attack:

Any user who is assigned the role of a teacher can exploit this vulnerability. One can also escalate their role with the use of any other gap in the security. Any attacker with this knowledge can run arbitrary commands on the operating system running the Moodle’s server.

The vulnerability:

Moodle has a feature that allows teachers to enter mathematical formulas. Moodle then evaluates these formulas with randomized values that prevent students from sharing their answers. After inserting random values in the formula, Moodle calls the eval() function on the formula which evaluates the answer. To prevent eval() from executing harmful codes, the developers have introduced a qtype_calculated_find_formula_errors() function which is a validator function. Moodle evaluates this function before the eval () to detect malicious code.

Moodle security vulnerability

The vulnerability in Moodle

Bypassing the security:

In the following code snippet, line 1939 will allow only specific characters (-+/*%>:^\~ The expression to bypass the security[/caption]

The fix:

On informing Moodle about the vulnerability, they proposed several patches. The first patch was to blacklist any formula that initiates a PHP comment. However, this patch was exploitable with a more sophisticated payload. The second patch was designed to prevent nested placeholders. However, this patch was also unable to completely prevent the malicious formulas from getting through. The third patch combined the ideas of the first two patches. But, in this patch if an attacker targeted the import feature present in the quiz component, then the attacker will be able to reimport a malicious XML file to take control of the $dataset argument. This will let them nullify the placeholders. Thus, this will result in the malicious code getting through like the earlier patches. Fortunately, the fourth patch was release and Moodle claims that this is the fix for this vulnerability.

Moodle security patch

Modifications in the second patch

How to tighten your Moodle Security

Securing your web applications is necessary to protect your web applications from common attacks. There are a few general requirements and safety steps which everyone should follow for stronger Moodle Security.

  • Have a separate administration backend:

    • Along with having a separate backend for administrator, using strong passwords is also a necessary step. Most users keep the default administrator password as “admin”. This lets attackers an easy way into the application. Make sure to use a strong password with a variety of alphanumeric characters. Also, enforcing a password policy will further strength your Moodle security. Moodle offers an option to set password policy which will let users set stronger passwords.
  • Avoid storing any sensitive information in the web application:

    • Storing sensitive information within the application will result in huge loss during an attack. Also, keeping regular backups of all information of the application is a good practice. The backups will let you restore your defaced or damaged application. In case of any infection you restore a fresh copy of all the important files and folders.
  • Prefer encrypted communication by using SSL:

    • Apart from using SSL for communication, using HTTPS for user login will protect the user’s information. It will be difficult for attackers to extract usernames and passwords of your users. You can enable HTTPS login by following some simple steps. In Settings, select Site Administration and within the Security option activate the HTTP security.
  • Try to log all user actions:

    • Tracking user actions helps in inspecting suspicious activities in the application. Along with tracking the actions, setting appropriate folder and file permissions is also important. This will prevent unauthorized users form accessing sensitive files and folders. Avoid configuring permissions with 777; instead using 750 or 755 is more secure.
  • Always keep your Moodle updated:

    • As mentioned above, there might be vulnerabilities that are revealed by developers and users. These vulnerabilities are patched up in the newer versions. Thus, updating your Moodle will help you protect your application. Each new version comes with better security and tools. Using outdated or unsupported versions will put you at a higher risk of attacks.
  • Avoid any 3rd party plugins or browser extensions:

    • Uninstalling unused plugins is a good way to keep your application safe. You can check all the courses which use plugins in Moodle. You can do this by going to Site Administrator, then Plugins, click on Activities, where you will find Manage Activities. Once you find out the plugins you are not using anymore, uninstalling them is a good idea for Moodle Security.

If you need some assistance

Protecting web applications can be tricky sometimes and attackers keep coming up with newer methods to get into the system. Thus, being vigilant will save you a lot of hassle. However, protecting your web application all on your own can distract you from the important stuffs. This is where Astra comes in to assist you in safeguarding your application so that you can concentrate on the more important aspects. With their wide range of security features and tools, Astra can protect your application round the clock from any type of attacks. With their state-of-the-art dashboards and security threat detection systems, you will get all the data regarding any attack on your application. So, if you want the best Moodle security without any hassle, then Astra is the right choice for you.

Moodle Security Suite​

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate Joomla Security Practices and Malware Removal Guide

This Joomla guide will help you to secure your Joomla website from hackers & how you can fix your hacked website.

The Ultimate Joomla Security Practices and Malware Removal Guide

With each passing year, online security is becoming a riskier domain. While the number of online businesses and users are increasing rapidly, so are the risks associated with these operations. Hackers are getting smarter in circumventing security measures and are resorting to newer ways of probing for vulnerabilities.

Content management systems remain one of the most exploited systems by hackers globally. Out of the various CMSs used by businesses worldwide, WordPress, Joomla, and Drupal occupy the largest market share. Businesses running on these CMSs are often eye candy to online fraudsters who exploit security holes to steal data, credit card information or alter the website.

Joomla is one of the largest and the most popular open source content management system which is widely used by online businesses. Joomla has a large user base, and the popularity has brought the CMS in the radar of attackers and malicious programmers. As a result, Joomla encounters a wide range of security-related issues.

Astra has put together an exhaustive guide on how you can identify and track potential vulnerabilities and follow some basic guidelines to completely secure your Joomla site to run a hassle-free online business: 

Basic Security Steps

Here is a list of some basic security steps to follow to secure your Joomla site:

  1. Stay up-to-date: Failure to patch an outdated extension or outdated core is the amajor reason why Joomla sites get hacked. Always check your control panel for available updates and make sure that you are running the latest Joomla version.
  2. Check extensions for vulnerabilities: You can check your Joomla site for vulnerable extensions by visiting the extension manager in your Joomla backend and enlisting all non-Joomla components, modules, templates, and plug-ins you have installed.  Enter each extension into the Joomla vulnerability database to check for that version’s vulnerability. Apply any patches needed to fix a vulnerable extension or template.
  3. Security Notifications: It is important to sign up for security notifications. Joomla’s two e-mail notification services notify members when a new vulnerability is discovered or when a vulnerable extension has been identified.
  4. Strengthen admin password: Easy passwords are easily hacked by hackers by using brute force attacks. Thus, all administrator accounts must contain strong passwords which are complex to hack.
  5. Use good hosts: Using a budget host puts your Joomla site to risk as hosting requires technical skills and investment in that skill. Do not give in to free hosting as these you may run the risk of not having your server configured for Security, making it easier for hackers to compromise your Joomla site.
  6. Check PHP version:  Joomla is powered by PHP which is also vulnerable to security shortfalls at times. Thus it is recommended to run a secure version of PHP. You can check your version, go to the “System” menu item and at the bottom open “System Information” which will tell you your PHP version.
  7. Remove old installations and files: Check and remove any not-so-important PHP files which pose a security risk, backups that expose information like database dumps, older versions or backups of your site in subdirectories. A publicly available older version even if not linked to your site exists as a security threat.

Recommended Security Steps

Implementing the following security practices will protect your Joomla site from the majority of attacks:

  1. Regularly update Joomla Version, Extension & Plugins: A secure Joomla site is one which is updated regularly. Every version update is released with security enhancements and bug fixes. An outdated version of Joomla or any other outdated extensions/plugins can sneak in hackers.
  2. Use Strong Passwords: Weak credentials can be ultimately leaked through Brute Force and act as common security holes, thus leading to compromised security. Easily guessed passwords and default admin accounts make it easier for perpetrators to gain illegal access to your Joomla website, thus exposing it a host of malicious activities.  A long length password with multiple characters makes it for a secure passcode than a  shorter one.
  3. Periodic backups: Regularly backing up the archives of your files and databases saves your back in case anything goes wrong. Some extensions like the Easy Joomla Backup provide automatic scheduled backups which can later be restored in case of data loss resulting from a hack.
  4. Restrict access to Admin Page: Perpetrators often resort to brute force attacks on easily guessed admin login pages. Thus it is imperative to restrict access to your administrator area. It is advised to not use a default admin login page URL, rather replace it with a specific name. Moreover, the admin panel must be password protected. Extensions like Admin tools, RSFirewall etc allow a Joomla site owner to change their login page URL
  5. Security Extensions: Using security extensions go a long way in securing your Joomla site. These extensions, when configured with your site properly, allow you to block any kind of malicious activity and cover up security holes. extensions allow you to block hacker attacks and close security holes of your Joomla site.
  6. Using Two-factor Authentication: A two-factor authentication code (commonly known as the One time password: OPT) makes your Joomla site even more secure. Even if your password is guessed or leaked, one still has to go through an authentication code to gain illegal access of your account.
  7. Be wary of corrupted downloads: Never download premium extensions, plugins or any items for free from unauthenticated or unofficial sources. Plugins from an unknown source may be corrupted or contain malware, which may harm your site. Do not consider saving money here, rather spend on authentic sources.
  8. SSL Certification: Whenever a user logs into a site, his/her credentials are sent to a server sans encryption. By using an SSL certificate, these credentials will be encrypted before sending to the server. In this way, an SSL certification provides an additional layer of protection to your Joomla website.
  9.  Disable FTP Layer: FTP layer is generally not needed in Joomla and it is disabled by default. It is necessary to keep it so, as an enabled FTP layer is a major security hole in Joomla sites.
  10. Proper File and Directory Permissions: Always manage permissions to files and directories, and never give full access of permission 777. Never give full access or permission 777, but rather use 755 for folders, 644 for files and 444 for configuration.php files 

WaterTight/Ultimate Security Tips

  1. Joomla Security Extensions: There are a wide variety of excellent Joomla extensions which not only secure your site but also provide an array of functionalities like periodically scan for vulnerabilities, limit or block security threats, block malicious networks, enforce stronger passwords, look for file change patterns,  block common security threats through a firewall, to name a few. Some popular Joomla extensions are:
    • ACL Manager: Helps to discover & fix issues with your Joomla assets (permissions) table / ACL.
    • AdminExile: Allows you to conduct Brute force detection, blacklist and whitelist IPs.
    • QuickLogout: Allows you to get rid of logout confirmation prompt to ensure people log out.
    • Securitycheck Pro: A global protection suite which is designed to protect your Joomla website without affecting server speed.
    • jomDefender: CSRF prevention, remove Joomla PHP header, Admin password prompt

    You can also scan your Joomla site with Astra’s Website Malware and Security Scanner. 

  2. Block Bad Bots: Bad bots, scrapers, and crawlers are constantly lurking on websites and drastically reduce your bandwidth. Abovementioned security extensions can work to block these bots, but at times it is needed to do so at the server level.
  3. Secure Connections: Always ensure your connections when connecting to your Joomla site are secure. Use an SFTP encryption ( if provided by your web host ) or SSH. If you are using an FTP client the default port for SFTP is usually 22.
  4. Search Engine Friendly URLs: It is always recommended to enable search engine friendly URL and conceal the file names like index.php from appearing in your URL structure. This enables you to conceal essential information and prevent hackers from unearthing any vulnerabilities.
  5. HTTP Security Headers: To protect your Joomla site against online attacks and vulnerabilities, add HTTP security headers. These provide an additional layer of security and can be configured on your web server. Typically, these headers instruct your browser on how to handle your site’s content. Below are six common HTTP security headers we recommend implementing and or updating:
    • Content-Security Policy
    • X-XSS-Protection
    • Strict-Transport-Security
    • X-Frame-Options
    • Public-Key-Pins
    • X-Content-Type

Malware Removal Steps

Certain common indicators like Blacklist warnings by Google and other search engines, abnormal browser behavior, modified files, and the presence of malicious new users in the Joomla dashboard exhibit a hacked Joomla website. Mentioned below is a guide to identify and clean your hacked Joomla site:

Download Astra’s Secure Coding Practices Checklist for Developers

  1. Identify hack

    Scan your Joomla site to identify malware locations and malicious payloads. Astra’s integrated Joomla security ensures timely monitoring and identification of a hacked Joomla site. Thereafter, check for any modified files including your core files. You can do so by manually check your files via SFTP.

    Audit for malicious user accounts and administrators. In case your Joomla site shows as blacklisted by Google or other website security authorities, you can check the security status of your Joomla! website by using their diagnostic tools. To check for Google transparency, visit the Safe Browsing Site Status website where you can view

    • Site safety details which give information about malicious redirects, spam, and downloads.
    • Testing Details which inform about the most recent Google scan which discovered the malware.

    Make use of free security monitoring tools like Google Webmasters Central, Bing Webmaster Tools, and Norton SafeWeb to check security reports for your website.

  2. Fix hack

    On gaining information about potential malware location, compromised users and threat assessment, opt for a full website clean. Compare infected files with previous backups to assess the extent of modifications and remove malicious changes. Clean hacked Joomla database by using a database admin panel, such as PHPMyAdmin or tools like Search-Replace-DB or Adminer.

    Next step would be to secure all user accounts. Often hackers leave multiple backdoors so as to again gain access even after a website has been cleaned. Backdoors are embedded in legitimate-looking files usually but located in the wrong directories. Therefore, it is imperative to thoroughly cleanse your files from backdoors else there is a threat of re-infection.

  3. What to do Post hack?

  • The first step to follow post cleaning the hack is a Joomla update. One of the primary reasons why sites get infected is using outdated versions of sites which are easily vulnerable to malpractices. Updates essentially remove vulnerable extensions and fill in security holes thus providing you with a secure environment.
  • Currently, Joomla version 3.x is the most stable major version as they are still actively developed. Those using 1.x and 2.x branches should immediately switch to 3.x and keep the core files updated.
  • It is advised to update all Joomla core files, components, templates, modules, and plugins. Also, reset all passwords to avoid getting reinfected if hackers gained access to your credentials. Ensure that you’ve set up two-factor authentication on user accounts. Also, practice the least privilege and give limited access to people who need to do a particular job.
  • Post-hack, it is also advised to reinstall all extensions to ensure they are functional and malware residual free. In case you have deactivated themes, components, modules, or plugins, it should be removed them from your web server.
  • After cleaning your hacked Joomla site, make a backup. Having a good backup strategy is at the core of the best security practices. Store your backups in an off-site location, as storing them on a server can also lead to a hack.
  • Lastly, it is advised to scan your system with a good antivirus. There is a possibility of system compromise if a user with an infected computer has access to your website. Protect your site using a website firewall which basically shields your site from any malicious users or malware threats from the web. Astra’s Web Application Firewall mitigates against any online threats and keeps malware at bay.

Wish to know more about how to protect your Joomla site from online threats? Visit Astra’s Joomla protection plan to know about securing your site while you do business.

Joomla Security Suite​

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate Prestashop Security Practices and Malware Removal Guide

This Prestashop security guide will help you to protect your Prestashop website from hackers & how you can fix your hacked store website.

The Ultimate Prestashop Security Practices and Malware Removal Guide

Prestashop is one of the most popular e-commerce shopping cart software in the market, mostly catering to small and medium-sized businesses. It has retained its place as among the top players in the global Retail E-commerce Software market. PrestaShop is known to be quite secure yet, Prestashop Security remains a concern for business owners as it’s still targetted by hackers who exploit vulnerabilities. In this Ultimate PrestaShop Security Practices Guide, we aim to educate you with basic knowledge about enforcing security steps in your Prestashop installation. This PrestaShop Security Practices Guide also includes tips for malware removal.

Basic Prestashop Security Practices

There are several basic steps you can implement to secure their Prestashop, irrespective of your technical knowledge.

  1. Use the latest version of Prestashop: Keeping an updated Prestashop is of paramount importance as newer versions regularly tackle impending vulnerabilities, add new features, contain bugfixes and other necessary fixes. While the update process may be cumbersome, not to forget that your store goes into maintenance mode and generates lesser traffic, it is smart to spend some time on updates than deal later with hackers and data theft.
  2. Set up secondary password protection: It is an intelligent practice to set up a server-side password for your back office folder to further limit the access to it.  This would require adding the extensions: .htaccess and a .htpasswd file, which works on only Apache servers and would essentially protect your folders and respective sub-folders. Here is a detailed tutorial on how to secure admin folder with HTTP Authentication (.htpasswd & .htaccess).
  3. Use strong passwords: It is recommended to use complex passwords by mixing letter numbers and special characters. Another reliable option is using a password generator or a passphrase, which is not only easier to remember, but also much harder to crack, even if a hacker employs a brute force attack or dictionary attack
  4. Remove no longer useful install files: After installing or updating PrestaShop, make sure you delete useless default files like the /install folder. Some other files which can be rendered useless are the README.md file, the CONTRIBUTING.md and CONTRIBUTORS.md files, and the /docs folder along with all its content.
  5. Block direct access to your templates: Using a using a .htaccess file, disallow access to your theme’s files/templates. The following code snippet can be used to do that:
    <FilesMatch "\.tpl$">
    order deny,allow
    deny from all
  6. Update server software: It is strongly recommended to always update your server’s applications: PHP, MySQL, Apache. That’s because a non-updated PHP code makes your server vulnerable.

Intermediate Prestashop Security Practices

Following best practices can help you further secure your store from online fraudsters

  1.  SSL Encryption: Using an SSL certificate is one of the most common security measures. An SSL certificate encrypts all data passed to and fro from customer to web server.
  2. Create Backups: Having a backup is paramount as in worst case scenario all your data could be lost. A Backup copies all of your website settings, database, and content which can be restored later. It is recommended to either backup your store or let your hosting company do it as most hosting plans include weekly backup services.
  3. Using Cookies: Using cookies to store your visitor’s information can help you nab fraudsters and stop consequent malicious attempts. You can enable cookie usage and turn on the option called “Check the IP address on the cookie.”, which checks whether IP of visitors matches its browser cookie IP.
  4. Front office security: This is Prestashop’s default feature which can be enabled in the Preferences section. This provides every customer session a unique URL to secure the customer’s added information and refrain it from use in another browser or computer
  5. Themes and Plugins: Always be cautious about the source of your installed theme/plugin. Download without hesitation the themes or plugins approved and verified by platform developers. Those downloaded from unreliable sources may induce malware into your system.
  6. Security Plugins: Installing a few security plugins can go a long way in improving your Prestashop store protection. These are
  • Key Manager module – Creates a unique key for every product that was purchased by a customer;
  • Anti Fraud for orders module – A plugin which checks for fraudulent ordering
  • No CAPTCHA reCAPTCHA module – Adds captcha to your store.

WaterTight/Ultimate Prestashop Security Practices

  1. Change File Permissions: Ensure that you give correct permissions to your Prestashop hosting account’s files and directories. The proper permissions for files are 644 (rw-r—r–) and for directories are 755 (rwxr-xr-x).
  2. Disable Dangerous PHP Functions: Your Prestashop installation harbors some PHP files which are not really needed and can pose as a security risk. Thus, it’s advised to disable them by putting the following rule in the php.ini file for your account: disable_functions = proc_open,phpinfo,
    show_source,system,shell_exec,
    passthru,exec,popen
  3. Enable Security Tokens: Security tokens is another feature which improved Prestashop’s security. Although it is enabled by default, it is highly recommended to keep so. To enable security tokens, go to the Preferences tab of your store’s admin panel and ensure that the option Increase Front Office security is set to Yes.
  4. Secure account details: In Prestashop, one can use ciphering to secure account details. Two different ciphering algorithms exist in the backend of your Prestashop: Rijndael with mcrypt and the custom BlowFish class. To alter the algorithm, click on the admin panel’s Preferences tab, navigate to Performance sub-tab, and scroll down to the section.

Malware Removal Steps

You may have adhered to the above precautions to ensure your Prestashop Security, yet a malware attack took place. In such cases, it advised to immediately implement the following steps

  1. Check for infection: First and foremost check for the location and date of infection. You’d need to login to your ftp and scan the directories. Malicious attacks usually start from one of the following places:
  • modules/homepageadvertise/slides
  • modules/homepageadvertis2/slides
  • modules/productpageadverts/slides
  • modules/columnadverts/slides
  • modules/simpleslideshow/slides
  1. Once the malware is placed the above locations, it is highly likely that the attacker could put a backdoor on your server. Therefore it is essential to check the above folders for the presence of any other files than images or index.php.

  2. Restore clean backup: It is a good practice to keep regular backups of your server, in case your website gets hacked you’ll be able to restore the hack-free version and apply security patches. In case you are lacking a backup, retrieve one from your hosting provider. Once you’ve restored a backup, update your theme to the latest version.
  3. Scan and clean site: In case you lack a clean backup, you’ll need to scan your infected site and clean it from malicious code. Once a hacker has established a backdoor or multiple backdoors (in case one is removed during the manual update), he can use it regain access to your site. These backdoors can be added as new files in your server or as part of existing core files of Prestashop or modules. Hence, it is paramount to perform a full site scan and take necessary measures to eliminate all backdoors.
  4. Alter access data: Before moving forward with a clean site, change all passwords on your website.
    • MySQL database access data
    • ftp data
    • hosting panel/cpanel access data
    • ssh access data
    • your back office users access data

Like every other store management system, Prestashop too is vulnerable to various online threats. To thwart an attacker’s attempt, it advisable to follow the abovementioned basic precautions and ensure a safe functioning of your Prestashop site.

Worried about your Prestashop store’s safety in light of recent online threats? Contact Astra for a comprehensive security scan of your site.

Prestashop Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate PHP Security Practices and Malware Removal Guide

This PHP security guide will help you protect your PHP based store from hackers & how you can fix your hacked store website.

The Ultimate PHP Security Practices and Malware Removal Guide

PHP is a widely used language in almost every CMS powered by the open source community. Even commercial sites like Facebook use PHP which clearly shows its widespread popularity. However, the downside is that PHP web apps are also among one of the most targeted by attackers on the internet. Unfortunately, writing secure code is not as widespread as it should be. It invariably gives hackers a gold mine to exploit. Multiple sites have been compromised in the past due to lax PHP security. Therefore, this guide aims to guard you against PHP malware infections and teach you how to do Custom PHP, PHP Security & PHP hack removal techniques.

How to do custom PHP to improve PHP Security?

A good PHP developer should never trust user input and therefore all functionalities should be designed around this. Writing secure code is a habit which comes a long way in making web applications more convenient for the end users. If you are a self-help person who loves to build a PHP application on your own then, some safe coding practices must be followed. These practices are applicable for developers to increase the PHP security.

PHP Security: Preventing Cross-Site Scripting

XSS if fairly common with not only PHP but every other kind of web pages. The prime cause for such common vulnerabilities like XSS and SQLi is developers trusting user input. Developers should remember never to trust user input while coding. This fact alone can secure the majority of the code. XSS can be used by the attacker to manipulate the users through JavaScript. Attacks can range from phishing pages to defacing the site! To prevent an XSS vulnerability, use htmlspecialchars() function of PHP while coding. Moreover, ENT_QUOTES flag of this function can deal with both, the single and double quotes entered by the user. An example code snippet of a search query is given below for reference.

$search = htmlspecialchars($search, ENT_QUOTES, 'UTF-8');
echo 'Search results for '.$search;
Also, to prevent DOM-based XSS avoid using URI fragments at all. Moreover, do not use the following properties and functions of the native API:

  • innerHTML
  • outerHTML
  • document.write

PHP Security: Preventing SQL Injection

SQL injection is another example of trusting user-supplied input in PHP pages. SQLi can have devastating consequences for the database of your site. This attack gives the database access to an attacker. In some cases, the attacker can only read the sensitive info from tables like passwords. Whereas in other cases, the attacker may even manipulate the database and upload reverse shells on the web server.

To prevent SQLi attacks, using already prepared statements while building the web pages is a must. Apart from improving security, already prepared statements can also save time for a developer as the SQL query needs to be parsed at once. However, it can be run many times with the same or different parameters. The following is an example of implementing prepared statements is PHP.

$stmt = $dbh->prepare("INSERT INTO Users (Uname,Address,City)
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

Now, the same prepared statement could be used for repeated inserts i.e. to add multiple rows into the table, add the following code below the code snippet given above.
// inserting one row
$txtNam = 'one';
$txtAdd = 'India';
$txtCit = 'Delhi';
$stmt->execute();
// insert another row with different values
$txtNam = 'two';
$txtAdd = 'USA';
$txtCit = 'California';
$stmt->execute();
//... and so on!
Also, make sure to encrypt the sensitive contents of the database like passwords. The password_hash() function of PHP could be used to encrypt the data. Whereas the function password_verify() helps in confirming that the given value corresponds to the hash stored in the table.

PHP Security: Preventing Cross-Site Request Forgery

CSRF vulnerability in your PHP application can potentially allow an attacker to manipulate users into performing unwanted actions. These include deleting a page or updating user password without the consent of the end user. To protect your users from CSRF attacks, use random tokens. These token would be unique for each user. Therefore, when a user clicks on a malicious link which tries to perform a CSRF attack, the request will not be processed automatically due to an invalid token. Make sure it is random otherwise, the attacker could figure out the pattern. A simple implementation is given below.
$randomtoken = md5(uniqid(rand(), true));
Also, if you experience problems with the HTML layout, use Base64 encoding. This can be implemented by the following command:
$randomtoken = base64_encode( openssl_random_pseudo_bytes(32));
After CSRF protection token is generated, make sure to add this to the session variables i.e. ’ />
Also, ensure that every form contains a security token and it would be better if there is a different token for each form. However, it is noteworthy here that implementing multiple tokens in multiple forms can be problematic at times when a user opens multiple forms simultaneously. Therefore, try to use open source PHP classes and libraries for CSRF protection token implementation.

PHP Security: Preventing Session Hijacking

Session hijacking allows an attacker to take over the identity of verified users. There are multiple attacks like XSS, Network eavesdropping which allow an attacker to steal the session info. The transparent session ID feature in PHP further aids this type of attack. Firstly, ensure that the directivesini_set() are at the beginning of every script. This is to override any global settings which may be present. Add the following lines of code to your php.ini file:
ini_set( 'session.use_only_cookies', TRUE );
ini_set( 'session.use_trans_sid', FALSE );
In the first line of code, session.use_only_cookies prevents info leakage by the transparent session ID feature in PHP. This feature forces PHP to manage the session ID using a cookie thus disabling the $_GET['PHPSESSID']. Also, the second line of code turns off thesession.use_trans_sid Thereby avoiding leakages of session ID in all URIs returned. However, it is noteworthy here that the users may still be vulnerable to DNS and proxy attacks. It is also necessary to add a cookie timeout and generate a unique random session ID for each session. The timeout can be set by,
setcookie("myCookie", $value, time() + 3600);
This code ensures that the cookie expires in the browser within an hour. Alternatively, you can set a cookie to expire as soon the browser closes. Also, avoid using cookies to store serialized data. As it can be used by attackers to add variables to your scope. Remember to use the session_regenerate_id() of PHP function to regenerate a new user session id whenever a user logs out or changes status.

PHP Security: Preventing File Inclusion Attacks

Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks are widespread on the PHP web apps, which is a threat to PHP security. These vulnerabilities are also related to unsanitized user input, which allows an attacker to execute code. The prime cause behind these attacks is the failure of code to securely parse “include” statements. Thus, the web app itself builds a path to malicious executable code. This is later on loaded and run based on an attacker-controlled variable which could be a malicious cookie or a vulnerable request parameter. Most of the time, LFI and RFI attacks are used to deface sites, however, they can also be used for data exfiltration and DOS attacks.

Therefore, it is advised to the developers to avoid improper use of PHP functions like include, include_once, require, require_once, etc. When the include function takes a request parameter as input, without verifying input, the attacker can provide any file parameter and it will be executed. This could be an IP address, port number or even a filename. The best practice to remove LFI and RFI vulnerabilities is to not allow remote file includes via specifying a URL instead of a local file path. However, this option is disabled by default. Simply change the following flag to OFF in your .htaccess file to eliminate RFI attacks:
allow_url_include=Off
Now, in order to mitigate the risk of LFI attacks, disallow input provided by the user from getting ahead and on to any file system or framework API in your PHP web app for execution. According to OWASP, maintain a whitelist of acceptable filenames. Thereafter, use an identifier other than the actual file name to access that particular file. This would eliminate the risk of file inclusion attacks and boost PHP security.

PHP Security: Implementing The Content Security Policy

PHP Security: Implementing The Content Security Policy
Most of the browsers today have a security feature known as The Content-Security Policies. This means that the browsers will obey the author of the web page as to where from the JavaScript and other resources can be loaded and executed. Majority of attacks like XSS and JavaScript Injection use the web page to run their own malicious code. The attacker injects script or HTML tabs somewhere to load malicious code from their own domains. Therefore, a content security policy in the header ensures that the browsers don’t execute such malicious requests. To enable content security policy in your Apache server, add this code to the .htaccess file:
Content-Security-Policy-Report-Only: script-src 'self'; report-uri http://example.com/csr-reports
This script-src ‘self’ tells the browser to block code execution from other domains. Also, the report-uri directive will inform you about a policy violation rather than blocking it. This means you can double check before blocking so that there are no more of such scripts.
Content security policy can be enabled for other servers too by various methods. You can also use web pages to implement the content security policy. This can be done via a tag in the element of the page. See the code snippet given below for reference.
content="script-src 'self' https://apis.google.com">

PHP Security: Safe Practices for Administrators

Web admins are the custodian of their PHP security. Therefore, the administrators should ensure that the site is compliant to security practices. Small practices like never using the default passwords or keeping site updated can prevent the hassle of PHP hack removal after an infection. Some key takeaways for the administrators to increase PHP security are:

Use Secure Socket Layer(SSL)

SSL encrypts the communication between your PHP site and the customers. This means that the end users are protected from eavesdropping attacks. Moreover, most of the customers today look for a valid security certificate before visiting a site. Therefore, get a valid certificate from a certificate authority to boost PHP security. Also, after implementing SSL on your PHP site, ensure that the site always forces the users to HTTPS. This can be done by adding the following code to your .htaccess file.
# Redirect HTTP to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Set Permission

Setting permission for PHP file means authorizing users to read, write or execute a PHP file. This security setting can be implemented using the chmod() function of the PHP. This function takes two inputs. One is the name of the file whose permissions need to be set and second is the three-digit number which defines those permissions. Out of this three digit number:
  • Primary digit denotes permissions granted to the owner of the file.
  • The second digit denotes permissions granted to the owner group of the file.
  • And the third digit denotes permissions granted to everyone else.

To further clarify, look at the code snippet given below.

<?php
$fn = './test.txt';
chmod($fn, 0644);
Here, the chmod defines permission as 644. The digit 0 before 644 indicates PHP to interpret this as an octal no. Now, the digit 6 means the owner can read as well as write to the PHP file. While the rest of two digits written as 44 indicate that the group owner, as well as everyone else, can only read the PHP file.

Disable Dangerous Functions

Some PHP functions need to be avoided to maintain PHP security. These functions were originally designed for legitimate purposes which are now widely exploited by the attackers. The functions can also provide root access to the attackers, therefore, avoid using functions like assert(), shell_exec(), system(), passthru(), show_source(), highlight_file(), proc_open(), and pcntl_exec(). These dangerous functions can be easily blocked. Simply open the php.ini file and search for find disable_functions, then replace it with the following command:
disable_functions = “apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode”
This command would cover almost all such dangerous functions. Don’t forget to restart the server in order to let these changes take place.

Turn Off Error Reporting

Errors can leak sensitive info about your server. This could range from software version to file locations!. Therefore, it is advisable to turn off the error reporting of your PHP website for end users. In order to do this, add the following code to your php.ini file:
display_errors=Off
However, you may still need to check the errors by yourself to fix critical issues. In order to accomplish this, use the following code:
log_errors=On
error_log=/var/log/httpd/php_error.log
The second line of code here would save the errors to a specific file i.e. php_error.log in this case. Similarly, change the path and name of the file where errors are to be saved.

How to do PHP Hack Removal?

PHP Hack Removal: Database Cleanup

The database is often targeted to breach PHP security. Remember to take a complete backup of the database before starting the cleanup process. In case something goes wrong, it would be used to rollback the changes. Begin the comprehensive database cleanup by searching for malware keywords. For instance, the PHP/apiword malware contains a signature in the form of a variable called wp_cd_code. Similarly, other malware strains would contain similar signatures which need to be searched for. Manually it may become cumbersome, therefore, use phpMyAdmin for PHP hack removal. Multiple such keywords can be searched for using this freeware.

Thereafter, delete the malicious contents from infected tables. Also, remove any new software or script which may have had access to the database in the recent past. Don’t forget to verify if the site is functional after database changes.

PHP Hack Removal: Identifying Infected PHP Files

Before starting file cleanup to boost your PHP security, it would be necessary to check for infected files. It is highly likely that the PHP files which have been modified by the attacker in the recent past have been used to inject malware into the site. To search for any recent PHP file modifications, log in to your SSH. Now via command line execute the following:
$ find ./ -name "*.php" -type f -mtime -2
This commands here would list all the PHP files modified in the past two days. Alternatively, an FTP client could also be used to list the file modifications column separately. Most of the popular CMSes which use PHP contain some core files which affect the functionality of the platform. These files generally need no modification and are crucial for PHP website security. A modification of the core files is an indication of infection. To check for any such issue, first, download a copy of the CMS on your local machine. Thereafter, use the diff command to compare the freshly downloaded files to the ones present on your server by executing the command:
diff -r InfectedDir OriginalDir

PHP Hack Removal: Cleaning infected files

This command here recursively compares the two directories. No core file modification is a sign of accep PHP: Cleaning Infected PHP Files
Malware detection may be tricky for average web admins. At times the infection may be hidden in core files or obfuscated. In an attempt to clean up the infection, Web admin may break the site. Therefore, first and foremost it is crucial to take a complete backup of the site. Thereafter, delete or comment out the suspicious code. Attackers tend to use various techniques to hide the code from average human eyes. The malware may be using some kind of encoding like the base64 to look gibberish to average humans and thus evade detection. Such code can be detected using the following command:
find . -name "*.php" -exec grep "base64"'{}'; -print &> output.txt
This command would scan all the PHP files for base64 encoded code. This code would be saved inside the output.txt which can be later analyzed for malware. Base64 encoded code inside the PHP files can be decoded using online services. Also, the web admins need to search for the keywords like “Obfuscation provided by FOPO – Free Online PHP Obfuscator”. This here is an indication that the PHP malware is a FOPO variant which can be de-obfuscated using online tools for analysis. However, it is noteworthy here that some addon/extension/plugin developers may be using FOPO for genuine purposes. There is an exhaustive list of PHP malware signatures which cannot be summarised in this one article. Therefore, in case the infection is reoccurring or you are unable to determine the cause of infection, seek professional guidance.

PHP Hack Removal: Dealing with Hidden Backdoors and Infections

The intent of attackers to inflict maximum damage to the PHP web applications. Therefore, once the server is compromised, attackers modify the PHP files and inject backdoors. These backdoors are basically a malicious code which can provide unrestricted access to the attacker in the future thereby defeating the whole concept of PHP security. Such backdoors are not easy to spot owing to the complex nature of the code.

Therefore, it is advisable to use a security solution like Astra for automatic malware and backdoor removal. Astra firewall would ward off any infections in the future while its cleanup engine would ensure that no backdoors are left behind. With Astra experience your PHP website security on steroids.

Take an Astra Demo now!

Magento Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading
Magento Malware & Hack Removal guide

The Ultimate Magento Security Practices and Malware Removal Guide

This Magento security guide will help you to protect your Magento store from hackers & how you can fix your hacked store website.

The Ultimate Magento Security Practices and Malware Removal Guide

Magento Security Guide- Why do you need it?

If you own an online marketing website, then it possibly is powered by Magento. Currently, according to some reports, there are about 50,000 websites using Magento. Magento is an open sourced platform for e-commerce. It supports millions of retailers and allows them to grow their business using the various features of the platform. As with all other popular innovations on the internet, this one is also plagued with repeated attacks and security concerns. If you have your website built on Magento, then hacking attempts on your website must be common. To deal with them you need to be prepared. This Magento Security Guide contains all the information and ways you can arm yourself with to protect your website.

Basic Security Steps

The basic steps are the ones we tend to really ignore. However, taking care of these steps will surely make your website a bit safer. Some of these are:

  • Use strong passwords & change default admin username

    Using strong passwords may seem to be a redundant advice. However, not everyone follows this advice.  Longer the password, harder it is to crack. Ensure that the password has a mixture of uncommon words and expressions, which will protect it against dictionary attacks. Along with passwords, you must also change the default admin name. Most of the times, keeping the default admin makes it easier for hackers since they only need to crack the password. When setting up an account in Magento, change the default username. You can also change them after setting up the account. You just need to go to “System” and then click on “My Account”.

  • Use two factor authentication

    Using two factor authorizations is becoming common nowadays and for good reasons. Simply logging with a username and a password might not be enough. Two step authorizations is an addition layer of protection that adds another level of security to your website. Most of the two factor authorization consists of sending an OTP to the registered mobile number.

  • Have a backup plan

    The security of your website may be strong but having a backup of all your data is a good idea. Staying prepared for all circumstances is necessary for the safety of your website. In case of emergencies, you can easily upload the backup files and get your website back online.

  • Update everything

    Hacking methods are improving every day and staying updated with them is a pressing necessity. Magento has a very active community of developers. They produce newer versions of the service with improved security features. Thus, you must be using the latest version of Magento. If you are using any plugin then make sure that you update them regularly. Avoid using any plugin or extension that does not have periodic security updates. The updates fix any previous vulnerability and prevent them for getting exploited by attackers. You can do it by going to “System” and then clicking on “Magento Connect”. Login again to confirm and then scan the account. This will reveal all the plugins that require an update.

Recommended Security Steps

The following steps will help you secure your website from most of the basic threats. These are the areas which require necessary attention of the owner. Most of these settings are set to default settings and hackers tend to exploit those. Thus, the following steps are important in this Magento Security Guide:

  • Custom path for admin panel

    Most of the users leave the admin path to the default path and this enables attackers to launch attacks such as session management attacks and broken authentication attacks. To change the default admin name, you need to follow the below steps:

    1. Locate the local.xml file in /app/etc
    2. Search for M
    3. Rewrite the “admin” to an username of your choice
  • Hiding directory indexing

    The default setting allows others to simply view the entire directory using the URL of your website. This lets attackers launch simple attacks on your website since they will be able to access all the core files of Magento. To hide the directory, you simply need to add the following lines in the .htaccess file:

           Options -Indexes

  • File permissions

    File permissions are the most ignored area in securing websites and thus needs to be covered in this Magento Security Guide. You can protect important files and folders from attackers using appropriate file permissions. You must ensure that the permissions are not too strict. Since, it will cause errors in the working of the website. Below are some of the suggested file permissions for Magento:

    1. Directories: Suitable permission may be 500 for all directories. This gives the web server user permission to read as well as execute.
    2. Files: The permission for files can be set to 400. Since, this permission prevents any user from altering the files. This protects the files from attacks which overwrite the files.
    3. The var/ and media/ directories: The permission, if set to 700, gives complete permissions to the owner of the website and no one else.
    4. The var/ and media/ files: 600 will be the suitable permission for the files. This allows the web server user to read and write the file contents.

Water Tight/Ultimate Security Tips

Apart from the usual security steps, you also need to look after the few minor changes that are important. These changes can be the difference between a hacked website and a secured one. Thus, being an integral part of this Magento Security Guide.

  • Restrict access to admin according to IP

    If you find threats originating from certain IP addresses, you can single them out and block them. This will prevent them from accessing your website and launching any attack against your website. You could add the code below in your .htaccess file:

    Magento security guide code for blocking IP

    Code for .htaccess

Remember that several ISPs have assigned dynamic IP address to users and thus it may cause problems. You can use this process in case of static IP addresses.

  • Using encrypted connections

    Whenever there is a data transfer between the servers and you, there is a chance that someone may hijack the data. Since, the data is transferred in plain text if you are not using HTTPS connection. Moreover, the intercepted data may contain important and sensitive information that the attackers can use to cause damage. Thus, encrypting your site with HTTPS/SSL which will also make your site PCI compliant is a good idea. This will result in the site becoming more popular among the users due to its heightened security. To do this, follow the steps:

    1. Go to System-> Configuration-> General-> Web
    2. In the field containing the URL of your website, change “http” to “https”
    3. Enable the options “Use secure URLs in Frontend” and “Use secure URLs in Admin”
  • Lowering the risk of SQL Injection

    Magento provides necessary security features to escape SQL Injection attacks. However, using a firewall or a security service such as Astra can help you make the security watertight. Astra has several features such as File Injection Protection make your website safe from external threats.

Malware Removal Steps

Malwares are sneaky and you can never be too careful of them. If you find malware in your website, then the following steps will help you remove them. Malware removal procedures form an integral part of any Magento Security Guide since you need to know how to remove them.

  • Manually removing the malware from the files

    When a malware infects a file, they most often cause changes in the file which are visible. By analyzing the changes made in the files, you can detect the malware infection. Once you have detected it, you need to remove the malware. To do this, you can follow the below guidelines:

    1. Have a clean backup ready.
    2. Search all the files for known malwares or malicious payloads.
    3. If there are any recent changes then ensure that they are legitimate.
    4. During the core file integrity check, review the files that the diff command flags.
    5. If any malware is present, then replace them with a clean file from the backup.
    6. Run tests to check if the website works correctly.
  • Cleaning hacked database tables

    This segment offers you steps to clean your database since it as an important part of the website.

    1. Have a clean backup of your database handy.
    2. Look for suspicious content such as spammy keywords and links.
    3. Manually delete all such content.
    4. If needed replace the parts of the database tables with a clean copy.
    5. Test the website to check if it works correctly.

You can also check your database for known malicious PHP functions. Before making any changes verify that they are not genuine files by Magento itself.

  • Hidden backdoors

    Malwares often create backdoors that allows hackers to enter the website whenever needed. Most of the time, attackers hide backdoors in new files that look like genuine Magento files. They can also hide them in core places such as the footer area.

After removal of all malware, make sure to change the usernames and passwords. To be completely sure of the safety of the website you can enlist the use of website security such as Astra. They run scans on the entire website and sniff out skillfully hidden malware and backdoors. With security features such as Website Firewall, Malware Cleanups, they can remove all traces of threat from the website. Using Astra to secure your website is a smart move.

Magento Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading

The Ultimate WordPress Hack Cleanup Guide

This WordPress malware cleanup guide will help you to protect your WordPress website from hackers & how you can fix your hacked website.

The Ultimate WordPress Hack Cleanup Guide

A sad reality for website owners and webmasters is that their running website could be hacked. We have saved people from getting their website hacked and have helped them clean their hacked WordPress websites. We have come up with another effort by building this comprehensive WordPress hack cleanup. Not to mention how bad it can be for your business and readership but being safe on the internet today from malicious attacks is again a task in itself.

Few Things to Know Before We Start

First and foremost, no matter what platform you use: WordPress, OpenCart, Drupal, Magento or any other CMS – it can be hacked. If hacked, you lose search engine rankings, get blacklisted by Google, expose your readers to malware, loose sensitive information, or rather you lose customers.

If your’s is not just another website then security must be your first priority. You need to have following things correct in place:

These things are good if you aren’t hacked, but chances are. Probably, it’s too late as of now as you’re reading this article.

Let’s dive into our WordPress hack cleanup guide and be considerate enough to follow this guide step by step to super secure your WordPress website.

Diagnose Hack

It’s really important for you to identify and diagnose your hacked website. Locating all such areas where malicious code would sit in your application. It could be in core files, database tables, logs and many other places. Be considerate enough to thoroughly follow WordPress hack cleanup guide.

Check core files

Most of the core WordPress files should never be modified. Understanding WordPress structure is very crucial in order to compare existing core files to the ones present in a fresh install.

A very quick way to do this is by using “diff” command in the terminal in Unix-like systems:

$ diff -r /Desktop/WordPress/wp-includes /public_html/your-site.[com]/wp-includes

Check Recently Modified Files

It is another possibility that recently modified files are the ones that have been hacked. Follow these steps to identify recently modified files:

  1. Log into your server using FTP or SSH terminal.
  2. If using SSH, you can use “find” command to list all files modified in the last 10 days:
    $ find ./ -type f -mtime -10
  3. If using FTP client, you can review last modification to every file.
  4. List the files that have been modified and check those for hack activity.

Check Diagnostic Pages

In case your website has been blacklisted by search engines then you can use their respective diagnostic tools to check the security status of your website. Following are some important tools:

Hack Cleanup

As now you have locations where malware’s located then the best bet now would be to clean the malware. We suggest you take a back-up before you start to clean the malware. Be considerate enough to follow the steps below to completely clean your WordPress website that makes this WordPress hack cleanup guide, a wonderful guide!

Clean hacked files

If the infection is in your core files, you can simply remove the malware manually. Don’t change content in wp-config file and wp-content folder (your application might break down).

Core .php files can be directly replaced with the files that you get in the fresh install. Get all .php core WordPress files. You can download the .zip and get all the files that are there in a fresh install.

Follow these steps to remove malware infected files:

  1. Collect recently changed files and confirm users about the change they made.
  2. Restore infected files against the files in fresh WordPress install.
  3. Even for theme files, you can simply replace malicious code by comparing to the original theme files or contact your theme distributor.

Note: I know it’s sometimes difficult checking all files for malware but “diff” and “grep” commands are handy when comparing files.

Clean hacked database tables

To remove malware/infection from hacked tables you need to be cautious enough so that your application doesn’t go down. Also, don’t forget to take a back-up for your application.

Follow these steps to remove malware/infection from database tables:

  1. Sign into your database admin panel (possibly phpMyAdmin)
  2. Take a back-up from your database (Select table and export your sql database)sql export database - WordPress hack cleanup
  3. Look for suspicious content(javascript code, hash codes etc.) and delete particular rows.
  4. Test if the site is still working fine or not. If yes, congratulations you’ve cleared all malware in your database tables.

Check User Accounts

It is really important to check users who are associated with your application. If you see an unauthorized user logged-in or any person who shouldn’t be using your application then restrict his access and restrict him from using your application. Follow the steps below so as to remove non-authorised users:

  1. In your wp-admin dashboard, go to Users->All Users.
  2. In the window, select the user (who shouldn’t be there) and expand “Bulk Actions” dropdown and select “Delete” and then “Apply” the settings.user changes - WordPress hack cleanup
  3. Do the above steps until all your users are authorized to use your application.

Note: If you allow malicious users to continue to use your application then every effort from this WordPress hack cleanup guide goes waste.

Check Image Files

Next step would be to check your image files. Hackers include malware code in image files and in a way acts as a backdoor. Since the malicious code(php) is kept as meta-data/comments in image files and later application is exploited using the injected code. The worst scenario would be to upload a web shell on your site and the hacker gets access to your server.

All possible images on a WordPress website would be:

  • Favicon icon (favicon.ico attack)
  • /wp-uploads
  • User’s profile picture

Delete Hidden Back-doors

It is very common for hackers to leave a backdoor (script/software on your server) to exploit your application. Back-doors can either be in your theme folder or your plugins folder or anywhere in your server.

There is a list of functions in PHP that come handy when writing backdoors:

  • eval
  • exec
  • strrev
  • assert
  • base64
  • str_rot13
  • gzuncompress
  • stripslashes

Note: These functions are also used by plugins/themes legitimately for their product development. You will need to understand the code and the application itself so as to remove backdoor.

Concurrently, check the application if it’s broken or not. If it’s broken then simply understand that a required function has been changed.

Check for Malware Warnings

You should visit respective search engine’s webmasters to check if you’ve been blacklisted by them or not. Here, are few important links:

Post Hack Precautions

Below are some must do things in this part of WordPress hack cleanup guide for water-tight security. If you think that once the malware is clean then hackers cannot do anything! Sorry, you are mistaken! :)

Check for Updates

Now you’ve cleaned all the malware from your site then it is the time when you super secure your application and check things from ground zero. Here, another must do the thing is to replace /wp-admin folder, /wp-includes from the one you get in a fresh WordPress install.

Next, always make sure that all plugins that you use are up-to-date. For that just log into your WordPress admin and click Dashboard > Updates. Make sure all your plugins are up-to-date.

update plugins - WordPress hack cleanup

WordPress Hardening and Best Security Practices

The very next step is to harden your WordPress website. Listed below are some really important security steps to have water-tight security for your application.

  • Modify database prefix
  • Disable xml-rpc in WordPress
  • Automatically logout idle users
  • Limit login attempts
  • Protect your wp-admin area
  • Check file permissions
  • Implement two factor authentication

You can look at our Comprehensive WordPress security guide.

Use a Web Application Firewall (WAF)

WAF is an application that sits in front of your application to protect it from multiple attacks. These attacks include Stored and Reflected XSS, SQLi, File Upload, Directory traversal to name a few.

One of the best option available at your disposal to prevent your WordPress website is to use a Website Firewall, like Astra. Our Security Suite helps to automatically secure your site and virtually patch software by preventing malicious requests from ever reaching your website. Since you made it so far, we offer you a discount for ASTRA with this WordPress hack cleanup guide.

WordPress Security Suite

"Excellent service, I am sleeping like a baby since I got it."

Excellent service, always responding super fast when I need them, and never had any problem with hackers since I'm with Astra.

Continue reading