A phishing email is a type of fraud in which an attacker sends a fraudulent email while disguising the sender address so that it looks as if it was sent from the official website. For example, our domain is ekomersial.com:
Official: John <firstname.lastname@example.org>
Phishing: John <email@example.com>
Phishing is dangerous if you do not look carefully. Steps to reveal the real sender address on each platform:
Android: tap the sender name to reveal the sender's email address.
Roundcube Webmail: 1. Click the cogwheel icon on the left. 2. Under Preferences > Displaying Messages, switch on Show email address with display name. 3. Click the Save button.
Thunderbird: the sender's email address is automatically displayed after the sender name, in the format Sender Name <firstname.lastname@example.org>.
Now the sender's email address is displayed along with the sender name, and we can check whether the domain really belongs to the official website. If you find a phishing email, do not click any link in it and delete it immediately.
A brute force attack is a password-hacking method that guesses every possible combination. We can use reCAPTCHA to prevent brute force: reCAPTCHA uses adaptive challenges to stop bots from logging in and registering on your website.
This simple checkbox is easy for a human and hard for a bot.
reCAPTCHA isn't just for login. It is also useful for filtering spam comments, so that only legitimate users are able to comment.
Security is our top priority. All of our web development packages include reCAPTCHA for your website's security.
How do you usually close an Android app? By pressing the home button? Did you know the app is still running in the background?
To check running apps on Android, press the menu button at the bottom. Too many running apps will slow down the phone and drain the battery.
It is a good habit to close an app after every use. The rule of thumb is to keep only one app running at a time, unless you are doing a transaction between apps. This way the battery is used efficiently and lasts longer.
Sometimes we want to disable Acrobat Reader updates because of a compatibility issue. For example, Indonesia's SPT e-form requires the 32-bit Acrobat Reader. On a 64-bit computer, auto update can overwrite it with the 64-bit version without confirmation. To keep the 32-bit version, we have to disable auto update.
Some of our clients who use free email have complained that they were spoofed. Since anyone can register a free email address, it is very easy to spoof. For example:
Hurricane company has the email: email@example.com
John creates a look-alike email, firstname.lastname@example.org, and sends email to Hurricane's customers. If they are not careful, the customers will think they received an email from Hurricane company.
Gmail has billions of users, so it is very hard to find a good email address that is still available. You might end up with an email like email@example.com. With domain email, you can create a clean and easy-to-remember email address like firstname.lastname@example.org.
Using domain email has many benefits:
Authentic. Domain email is less likely to be spoofed.
Looks professional. Increases customer trust and sales.
Good email address. Your exact real name as the email address.
Drives traffic to the website. Clients can find the website from the domain in the email address.
WhatsApp allows everyone to invite you to a group by default. Even worse, WhatsApp does not have an approve or reject confirmation button for group invitations: when anyone invites you, you are instantly in the group. This can be annoying when random people invite you to unrelated groups.
To override this default behaviour, you can change it in the privacy settings:
How long is your password? 8 characters? Most sites today require a minimum password length of 8 characters. How long does it take to crack such a password by brute force? The result might shock you.
It takes only 5 hours to crack an 8-character password. A minimum is just a minimum; we need more length for a more secure password. Combining lowercase, uppercase, numbers and symbols dramatically increases the number of variations to guess, and each character added to the password increases the crack time exponentially.
We need to choose a sustainable password whose crack time exceeds the owner's lifetime. That is 12 characters.
Remember, over the years passwords weaken as computational power increases. We may need to increase the minimum password length in the future.
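The arithmetic behind the claims above, as an added example that is not part of the original post: the search space is charset size raised to the password length, so each extra character multiplies the worst-case crack time by the charset size. The guess rate (10^10 guesses per second) and the 100-year "lifetime" threshold are assumptions chosen for illustration, not measurements; change them to match your own threat model.

```python
# Added example (not from the original post): how the brute-force search space,
# and therefore the worst-case crack time, grows with password length and
# character set. The guess rate and lifetime threshold are assumptions.

CHARSETS = {
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 94,  # printable ASCII minus space
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space(charset_size, length):
    """Number of candidate passwords an attacker must try in the worst case."""
    return charset_size ** length


def crack_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to exhaust the whole search space at a given guess rate."""
    return search_space(charset_size, length) / guesses_per_second


def growth_factor(charset_size, from_length, to_length):
    """How many times larger the space becomes when the length grows."""
    return search_space(charset_size, to_length) // search_space(charset_size, from_length)


def outlives_owner(charset_size, length, guesses_per_second, lifetime_years=100):
    """True if exhausting the space takes longer than the assumed lifetime."""
    return crack_seconds(charset_size, length, guesses_per_second) > lifetime_years * SECONDS_PER_YEAR


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    rate = 10 ** 10  # assumed offline guess rate, guesses per second
    print(f"Assumed rate: {rate:,} guesses/second")
    print(f"{'charset':28} {'len':>3} {'worst-case time':>22} {'outlives owner':>15}")
    for name, size in CHARSETS.items():
        for length in (8, 10, 12, 14):
            secs = crack_seconds(size, length, rate)
            print(f"{name:28} {length:>3} {human_time(secs):>22} "
                  f"{str(outlives_owner(size, length, rate)):>15}")
```

Run it to see the table: at the assumed rate an 8-character lowercase password falls in seconds, while 12 characters drawn from the full printable set takes far longer than a human lifetime. The real-world figure quoted in the post depends on the attacker's hardware and on whether the password hash is slow, which is why the rate is a parameter rather than a constant.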
Windows 7 has been end of life since January 14th, 2020. As a result, some software such as Outlook has begun to stop working. Encryption is always being updated to improve security, and as it is updated, old encryption becomes obsolete.
Clients facing the encryption issue in Outlook on Windows 7 can use www.thunderbird.net as their mail client or, even better, upgrade to Windows 10. Using an unsupported OS is potentially dangerous. Although Windows 10 comes with a native mail client, we also recommend using Thunderbird on Windows 10. Thunderbird is more stable, lighter, and faster.
There are cases of WhatsApp accounts being hacked. A WhatsApp account is linked to a phone number. If our SIM card is terminated due to inactivity, the provider can recycle the number and sell it to someone else. If the new user installs WhatsApp, they instantly gain access to our account.
It is better to add an additional layer of security by setting up two-factor authentication. To set up WhatsApp two-factor authentication:
Open the menu by tapping the three-dot button in the top right corner.
WordPress's security is good by default, but no system is safe. There are several steps that must be done to make WordPress secure:
After installing WordPress, the wp-config.php permission is sometimes set to 666. This is potentially dangerous, as wp-config.php can then be overwritten by a hacker. You must change the wp-config.php permission to 400. To change the file permission easily using the cPanel File Manager:
Log in to cPanel.
Click the File Manager icon.
Click the wp-config.php file, then click the Permissions menu.
Check only Read in the User column. The result is 400.
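The same check done from code, as an added example that is not part of the original post or of WordPress: it reads a file's permission bits the way the cPanel dialog shows them, reports whether group or others have any access, and tightens the file to 400. The temporary file in demo() is a constructed stand-in for wp-config.php, so the script can be run anywhere without touching a real site.

```python
import os
import stat
import tempfile

# Added example (not the post's or WordPress's code): audit a file's permission
# bits and tighten them to owner-read-only (400), the state the post recommends
# for wp-config.php. The file created in demo() is a constructed stand-in.


def octal_mode(path):
    """Return the permission bits of path as a string such as '666' or '400'."""
    return format(stat.S_IMODE(os.stat(path).st_mode), "o")


def is_group_or_world_accessible(path):
    """True if group or others hold any read, write or execute bit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def lock_down(path, target=0o400):
    """Set path to owner-read-only (400 by default); return (before, after) modes."""
    before = octal_mode(path)
    os.chmod(path, target)
    return before, octal_mode(path)


def demo():
    """Create a 666 stand-in for wp-config.php, tighten it, and report the change."""
    fd, path = tempfile.mkstemp(prefix="wp-config-", suffix=".php")
    os.close(fd)
    try:
        os.chmod(path, 0o666)  # the insecure state the post describes
        exposed_before = is_group_or_world_accessible(path)
        before, after = lock_down(path)
        exposed_after = is_group_or_world_accessible(path)
        return before, after, exposed_before, exposed_after
    finally:
        os.unlink(path)  # deleting needs write access to the directory, not the file


if __name__ == "__main__":
    before, after, exposed_before, exposed_after = demo()
    print(f"mode {before} -> {after}; exposed to group/others: "
          f"{exposed_before} -> {exposed_after}")
```

Mode 400 only works when PHP runs as the file's owner, which is the usual arrangement on cPanel hosts (suPHP, LSAPI or similar). On a server where the web server runs as a separate user such as www-data, a 400 file owned by the shell user would leave WordPress unable to read its own configuration, so check which user executes PHP before applying this to a live site.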
XML-RPC is a Remote Procedure Call method that uses XML passed via HTTP as a transport. With it, a client can call methods with parameters on a remote server and get back structured data.
XML-RPC has been a part of WordPress since the beginning. It enables communication between WordPress and other applications. The code is stored in the xmlrpc.php file in the root directory.
Since the REST API was integrated into WordPress, xmlrpc.php is no longer needed, and it introduces security vulnerabilities. A hacker can mount a DDoS attack by sending large numbers of pingbacks, which can overload your server and make your site time out. Each xmlrpc.php request also sends a username and password, so a hacker can run a brute force attack; there is a chance they eventually hit the right one, giving them access to insert, delete, or damage content on your site.
To disable xmlrpc.php, add the following code to your .htaccess file. The Deny directive must be scoped to the file; a bare Deny from all would block the whole site. Order/Deny is Apache 2.2 syntax, which Apache 2.4 still accepts when mod_access_compat is loaded; the 2.4-native form is Require all denied:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
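How to see both problems described above in your own logs, and to confirm the deny rule is working, as an added example that is not part of the original post: the script parses Apache combined-format access log lines, flags any client that sends many POSTs to xmlrpc.php inside a short window (the shape of both a password-guessing run and a pingback flood), and counts responses by status so that 403s show the .htaccess rule taking effect. The log lines are constructed for illustration and the addresses are documentation ranges, not real clients.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not the post's code): spot xmlrpc.php abuse in an Apache
# access log. SAMPLE_LOG is constructed; the IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:20 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Jetpack"
192.0.2.9 - - [10/Mar/2021:10:01:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Jetpack"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def xmlrpc_requests(lines):
    """Yield parsed records for POSTs aimed at /xmlrpc.php (query string ignored)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/xmlrpc.php":
            yield rec


def flag_sources(lines, threshold=5, window_seconds=60):
    """Return [(ip, peak)] for clients with at least `threshold` xmlrpc POSTs
    inside any `window_seconds` span; peak is the busiest window's count."""
    stamps = defaultdict(list)
    for rec in xmlrpc_requests(lines):
        stamps[rec["ip"]].append(rec["ts"])
    flagged = []
    for ip, times in stamps.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged.append((ip, peak))
    return sorted(flagged)


def status_breakdown(lines):
    """Count xmlrpc.php POSTs by HTTP status; 403s show the deny rule working."""
    counts = defaultdict(int)
    for rec in xmlrpc_requests(lines):
        counts[rec["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("noisy xmlrpc clients:", flag_sources(lines))
    print("xmlrpc responses by status:", status_breakdown(lines))
```

Feed it a real access log with `flag_sources(open(path))` and tune the threshold to your traffic; legitimate integrations such as the Jetpack client in the sample make occasional xmlrpc.php POSTs, so the window count is what separates them from a guessing run. Once the .htaccess rule is in place, status_breakdown should show only 403s for that path.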