Tuesday 30 April 2013

Use of Social Media in the MENA region


It all started in Tunisia, where the Arab Spring rose and gained an international following through social media platforms. International observers and agencies kept a close watch for the latest updates, and those updates on the news and the Arab Spring came almost exclusively through social media. The more thoroughly the Arab world's access to news and information was studied, the more clearly the credibility of each information source could be rated.

Harris Interactive conducted one-on-one interviews with an estimated 10,000 adults aged 18 and above. Media-related questions were the main topics of interest, from blogging to online banking and gaming, with a heavy focus on digital platforms such as the internet.

Northwestern University in Qatar, the Qatar campus of the American university, conducted a study and reported that the proportion of positive responses was much higher than the negative ones.




Tunisia and Egypt overthrew their dictatorial regimes in 2011 with the help of social media and blogging sites. Television remains the most important source of news and information in all the MENA countries surveyed, with the exception of Bahrain and Qatar. Qatar has more than 2 million cell phones in use in a country with a population of less than 2 million. Qataris also have a whopping 35% tablet usage, higher than any other country surveyed according to the CIA Factbook. Reliance on the internet is lowest in Egypt, as a study of internet penetration and illiteracy levels in the country showed.




In the next picture we can see the level of perceived reliability of TV, the internet and newspapers:




Among all the people surveyed in the countries where a revolution has occurred, Egypt and Tunisia, the outlook is bleak for all media with the exception of television. Countries like Bahrain, Qatar and Lebanon rely on TV and have faith in the newspaper as a credible source. The UAE, on the other hand, gave high reliability ratings to all regional and Western outlets and enterprises. Even though the local news is strictly government-owned, respondents still favored these sources and considered them reliable sources of information.

It has become a cliché to hear that the Arab uprisings were ignited by social media, but that does not make it less of a fact. Social media has been a powerful force in Arab countries.



Of all the Arab countries surveyed, Tunisians and Bahrainis rate among the highest in the MENA region, averaging more than 4 hours of social media use and engagement daily.
Internet use reaches up to 90% in most of the Arab countries surveyed, with the UAE showing the highest rate of use on wireless handhelds.


Facebook remains the most popular social network in the Arab countries surveyed, with 95% of users active on the network. Just about 45% use Twitter and Google+, and 1 out of every 7 uses Instagram.
When it comes to online freedom of expression, the Arab countries surveyed favored it.

Wednesday 17 April 2013

HOW TO PICK SAFE PLUGINS FOR WORDPRESS


You have your WordPress site up and running, and now you are ready to rule the web. But WordPress would not be what it is without its endless plugins. How can you possibly know which of the available plugins are safe to install, and which could turn out to be a Trojan horse? In this article, I will dedicate the first part to tips on how to check whether a plugin is safe, and the second to some recommended useful plugins for your site.

Safe plugins
Here is my short list of tips on how to evaluate if a plugin is safe and useful:
• First decide what functionality you need to add to your WP site, then visit the official WP plugins page at http://wordpress.org/extend/plugins/ . You can find plugins on other sites as well, but it is highly recommended (and safer) to always install your plugins from the official WP page.
• Check the ratings of the available plugins, and as with every feedback-oriented decision, make sure you read between the lines. Look for ratings of 4.0 or higher and make sure that enough people have reviewed the plugin. After all, 2 reviewers who have rated a plugin 5.0 are not a statistically reliable basis for your decision.
• Check the authority of the author: do some quick research into whether the plugin's authors have created other plugins, and review the ratings of those plugins as well. On a separate note, just because a developer has created only one or two plugins does not mean the plugin is bad; there are some very good and safe plugins from developers who have previously written just a plugin or two. But if the plugin's ratings, number of downloads or last update date do not look convincing, dig further and try to find out more about the author.
• As you probably already know, 'update' is a key word for WordPress (and not only WordPress). Another indicator of a 'safe' plugin is how often it is updated; you can check when the plugin was last updated directly from your admin account or from the official WP site. If the plugin hasn't been updated recently, there is a real possibility it will not be compatible with your site, so it is preferable to avoid it.
• Check whether the plugin has been tested with the current WP version. For most plugins this information is provided on the official WP plugin site and is easily found on the plugin's main description page.
• Number of downloads: though not a metric you should rely on alone, plugins with a high download count are in most cases safe to install on your site.
• 'Word of mouth': if you have friends operating WP sites whom you believe are experienced enough, ask them for recommendations or feedback on specific plugins.
• Once you have narrowed down the plugins of interest, Google them! Many people discuss WP security, so search for phrases such as 'wp plugin security', 'wp plugin security issues', 'wp plugin security breach' (replacing 'plugin' with the name of the plugin you are researching). If a specific plugin is insecure, chances are there will be traces on the net explaining why and how, with all the information you need to make a safe and wise decision.
With all of the above said, you should be able to select the right, safe plugins for your site. While writing this article we decided to evaluate a couple of plugins more closely.
You can refer to the plugin list below as our Top 10 Editorial Choice:
• Exploit Scanner – This plugin scans all your files, posts and comments for anything that looks like malicious code. If there are hidden spam links (for example via CSS), Exploit Scanner will find and report them.
• WordFence Security – As its name suggests, its main function is to secure your content. This is done via a firewall, anti-virus scanning and malicious URL scanning; it also compares your original files against the WP repository versions, so any modification is detected and reported. Another really useful feature is the login attempt limiter. You can set your own number of unsuccessful login attempts after which the visitor is blocked from logging in to your WP site. This is extremely helpful given the increasing number of brute force attempts against WP sites nowadays.
• nrelate – This plugin shows related content on your posts page, giving your readers relevant information that is easy to digest. You are given a vast choice of styles to pick from, and if you prefer to make your own, you can do that as well.
• Akismet – If you get a lot of 'spam comments', Akismet is your savior. This plugin checks each comment and automatically rejects spam-like comments, saving you a lot of time and resources. For personal blogs the plugin is free, but for businesses and commercial sites a paid subscription is required.
• JetPack – This plugin connects your WP site with WordPress.com. It includes features such as the WP.me URL shortener; simple, concise site stats; integration with and automatic posting to social media platforms such as Twitter, Facebook and LinkedIn; a mobile theme and many more. The plugin also includes grammar and spell checking.
• W3 Total Cache – This plugin aims at your site's performance. The main focus is on improving server performance by caching every aspect of your site, which overall improves your site's load time.
• WordPress SEO by Yoast – This plugin assesses your blog posts the same way the search engines see your blog, tells you whether your posts are too short or too long, and provides useful SEO tips. It also provides page analysis that checks your meta description, XML sitemaps, RSS optimization, social integration, etc. Overall this is a must-have plugin for your WordPress kit.
• WPtouch – With the increasing use of mobile phones for browsing, it is very important to make your site user friendly for all mobile devices. This plugin helps you with exactly this task by transforming your regular site into a mobile version, giving it a mobile 'touch' while still allowing your visitors to choose the site's regular theme if they prefer.
• NextGEN Gallery – With more than 6 million downloads, NextGEN Gallery is one of the best gallery plugins. You can easily upload, manage, edit and display your image galleries, add watermarks, resize thumbnails, create slideshow styles and much more.
I hope that you found the above information useful. If you would like to share your comments, or recommend a safe plugin, please comment in the section below or contact me directly at lovetto@prism-me.com


Worried about how to create a secure WordPress site? Here are some suggestions



Although generally considered a CMS only for managing blogs, WordPress is in fact a very powerful platform that can be used to create your entire site without any additional applications. Its ease of use, a large community always ready to help, and an impressive variety of plugins have made WP the preferred choice of many webmasters. At the moment WP holds around 15-20% of the 'market'. However, regardless of its ease of use, it is also one of the weakest platforms when it comes to security.
NOTE: We have just updated this article with a new link which shows you how to password protect your 'wp-login' page in order to get better protection against brute force attacks:

This article covers some of the most important changes you should consider in order to secure your WordPress site:

1. Update your WP regularly – I know you have heard a lot about regularly updating your WP, including all installed plugins. Updating your version and installed plugins is of vital importance to overall WP security. When a new version of WordPress is available, users are informed via an automatic message; there will also be a warning in your WP admin area. When a new WordPress version or a new version of any installed plugin is available, you should proceed with the recommended updates IMMEDIATELY. You can do this with a few clicks from the note at the top of your admin panel informing you that a newer version is available -> Please Update Now -> Update Now. All of our customers using the cPanel control panel will also receive an additional reminder from our application installer tool Softaculous if there is an outdated version of WordPress installed under their hosting account.
2. Select your plugins very carefully – the advantages of an open community are endless, but what you need to know is that adding random plugins can be a security threat to your site. The problem does not necessarily come from malicious intentions of the plugin creator, but mostly from the developer's lack of experience or secure web development knowledge. We find this point so important that we will dedicate our next article to how to choose your WordPress plugins.

3. Remove disabled and unneeded plugins – make sure that you remove all the plugins that you no longer need and have disabled. Disabling a plugin does not remove it from the server, so if you simply disable it, you leave a door open for potential attacks. Depending on your WP version you can either remove the plugin using the DELETE link next to it (you first need to disable it), or, for older versions, remove it by logging in to your site via FTP, going to the directory where the plugin is installed and deleting the folder with all its files from the server. This applies to themes as well: if you don't need a certain theme, delete it from your admin panel (Appearance -> Themes). It is recommended to do this on a regular basis, because installing and later disabling a plugin is almost automatic, and forgetting about it could cost you your site being compromised.
4. Select strong account and admin passwords – this is so essential that we have created a whole separate article focusing on strong passwords. You can check some tips on how to create your unbreakable password here.
5. Login limiter – it is very common for a user account to be broken via a brute force password attack, meaning that in a very short period your login page is bombarded with different combinations of usernames and passwords. You can prevent this by setting up a login limiter. There are certain plugins you can use for this, such as Limit Login Attempts.
6. Disable user registration – if you do not need users to register on your site, make sure that you disable this option. You can do so from your admin panel: in the Settings menu, untick 'Anyone can register'.

7. Limit the IPs that can log into your admin account – this is another measure you can take to secure your site. The easiest way to do this is with a plugin that limits the IPs allowed to access your admin account.
8. Remove the WP version info from your site – when you install WordPress, it automatically adds the version to the header of all your blog pages. Removing it is important, because if you leave it freely published on your site, you make the life of a potential hacker much easier. You should remove it from the page header meta, and since it is also contained in the readme.html file, renaming (or removing) this file as well could do the trick. If the version is still shown, add this line to your theme's functions.php file:
<?php remove_action('wp_head', 'wp_generator'); ?>

9. WP security keys – if you do not have such keys, make sure you add them. These WordPress security keys, also known as secret keys, further protect your password by adding 'salt' to it, making it very difficult to break. You can create your own, but it is recommended to use the WordPress random generator. Once you have these keys, go to your wp-config.php file and place them accordingly:

define('AUTH_KEY',         'put your key here');
define('SECURE_AUTH_KEY',  'put your key here');
define('LOGGED_IN_KEY',    'put your key here');
define('NONCE_KEY',        'put your key here');
define('AUTH_SALT',        'put your key here');
define('SECURE_AUTH_SALT', 'put your key here');
define('LOGGED_IN_SALT',   'put your key here');
define('NONCE_SALT',       'put your key here');

When you change these keys, all of your users will be asked to log in again. With the new versions of WordPress these keys are added automatically, but it is better to remove the default keys created during the WP installation and replace them with new ones.

10. Disable HTML in the comments – certain HTML is allowed, such as <b> to make your comment bold, <a> for a link, etc. If you do not need this option, it is better to remove it. You can do so by adding this line to your theme's functions.php file:
add_filter('pre_comment_content', 'wp_specialchars');

11. Stop search engines from crawling your WP admin area – make sure that the search engines do not crawl and index your admin directories. This is done by simply adding 'Disallow' statements to your robots.txt file. If you do not have such a file on your site, create one and place it in your hosting account's public_html folder. The file should look like this (the User-agent line names which crawlers the rules apply to; '*' means all of them):
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
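Steps 5, 8 and 10 can be done together in one small must-use plugin using only core WordPress hooks. The code below is an added example, not code from the article or from the Limit Login Attempts plugin it mentions; the file name, the prism_ function names and both limits are this example's own assumptions.

```php
<?php
/*
 * Added example (not code from the article or from any plugin it names):
 * a must-use plugin that applies steps 5, 8 and 10 above with core
 * WordPress hooks only. Save it as wp-content/mu-plugins/harden-login.php.
 * Everything prefixed prism_ and both limits are this example's assumptions.
 */

// Step 8: stop printing <meta name="generator" content="WordPress x.y"> in <head>.
remove_action( 'wp_head', 'wp_generator' );

// Step 10: store comments as escaped text so any HTML in them is shown literally.
// esc_html() is the current name for the deprecated wp_specialchars() used above.
add_filter( 'pre_comment_content', 'esc_html' );

// Step 5: lock an address out after repeated failed logins, using transients
// so the counters need no extra database table.
define( 'PRISM_MAX_ATTEMPTS', 5 );      // assumption: failures allowed per window
define( 'PRISM_LOCKOUT_SECONDS', 900 ); // assumption: 15 minute window and lockout

// Transient name for the connecting address. Only REMOTE_ADDR is trusted here;
// X-Forwarded-For is client-controlled unless your own proxy sets it.
function prism_client_key() {
    return 'prism_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Count each failed login (including the ones rejected below, which extends
// the lockout) against the address, and leave a trace in the PHP error log.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = prism_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, PRISM_LOCKOUT_SECONDS );
    error_log( sprintf( 'WP login failed for "%s" from %s (%d in window)',
        $username, $_SERVER['REMOTE_ADDR'], $count ) );
} );

// Reject the login while the address is locked out, even if the password is
// right. Priority 30 runs after core's own password check at priority 20.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( prism_client_key() ) >= PRISM_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( prism_client_key() );
} );
```

Files in mu-plugins are always active and cannot be disabled from the admin panel, which is why this form is preferred over a normal plugin for hardening code.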

We hope you found the above summary of overall WP security useful. Some of the steps above can be implemented within minutes; some will take longer and require more technical knowledge. Even if you manage to apply only the basic and easy recommendations, in the end you will have a more secure WP site, and peace of mind.

I hope that you found the above information useful. If you would like to share your comments, or recommend a safe plugin, please comment in the section below or contact me directly at lovetto@prism-me.com

How to Protect your WordPress Website Login against Brute Force Attacks




What is a brute force attack and how to protect yourself against it ...

A brute-force attack is a way for someone to guess your account password by trial and error. During a brute-force attack, a high number of possible passwords are tried against your account in a very short time. Brute-force methods are sophisticated in the sense that all possible combinations of letters, numbers and special symbols are tried against your account password.

Most of these attacks are automated, and executed from one or many computers or powerful servers. Depending on the computing power, and the number of computers from which the attack is initiated, the brute-force attack can be a very serious threat for every site and web application.

The best friend of every brute-force attack is a weak account password. Passwords such as "123456" and "pass" can be brute-forced in a matter of minutes! Rule number one is to never use a weak or dictionary-based password; please refer to the blog article "How to select a strong password" for more information on this subject. Changing (where possible) your default site administrator username to a non-standard, non-dictionary word also helps significantly against brute-force attacks.

The brute-force attack method is gaining significant attention and is becoming the number one threat for most popular web applications. We have taken the time to describe some of the more effective ways to combat these attacks, depending on your application:
WordPress brute-force attack security:
1. Add a plugin to restrict login attempts – a fact you should carefully consider is that by default WordPress does not provide a login limiter, which is why it is up to you to add such a plugin to protect your site. One plugin you can check is Limit Login Attempts, whose main goal is to do what its name suggests: limit the login attempts.
2. Pick a strong password – it is essential that your administrator and account passwords are very strong, preferably 12 characters in length. Changing the default WP administrator username from 'admin' to something else is also key. For more information on how to pick a strong password, please refer to the article How to select a strong password. A strong password is essential not only for your administrator account but for all passwords your site needs.
3. Change your password every few months, and do not use previously used passwords.
4. Change your WP security keys along with your password. This will prompt all users to log in again, which enhances your blog's security. More information on how to change the WP security keys (salt) can be found in this blog post.
5. Review your log files – check your hosting log files for multiple requests to your wp-login.php file. If you find something unusual, immediately change your password and security keys. If you find a certain IP or, as in most cases, a group of IPs constantly accessing your wp-login.php page or your wp-admin section, you are under a brute force attack and should take extra measures to secure your WP blog.
You can find more WordPress security tips in our blog post dedicated to WP.
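The log review in step 5 can be automated. The script below is an added example, not part of the original article: it counts POST requests to wp-login.php per client address in a combined-format access log and reports addresses whose requests cluster into a burst. The log lines are constructed sample data, and the threshold and time window are assumptions to tune for your site.

```php
<?php
/*
 * Added example (not from the original article): a command-line check for
 * step 5 above, counting POST requests to wp-login.php per client address
 * in an Apache/nginx combined-format access log. The sample lines are
 * constructed; the threshold and window are assumptions to tune.
 */

// Parse one combined-format line into its useful fields, or null on no match.
function parse_access_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $time = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    if ( ! $time ) {
        return null;
    }
    return array(
        'ip'     => $m[1],
        'ts'     => $time->getTimestamp(),
        'method' => $m[3],
        'path'   => strtok( $m[4], '?' ), // drop any query string
        'status' => (int) $m[5],
    );
}

// Return ip => total POST count for every address that sent more than $max
// POSTs to wp-login.php within any $window-second span. Each login attempt is
// one POST, so such a burst is the pattern described in step 5.
function find_login_bursts( array $lines, $max = 10, $window = 300 ) {
    $posts = array();
    foreach ( $lines as $line ) {
        $r = parse_access_line( $line );
        if ( $r && $r['method'] === 'POST' && $r['path'] === '/wp-login.php' ) {
            $posts[ $r['ip'] ][] = $r['ts'];
        }
    }
    $suspects = array();
    foreach ( $posts as $ip => $times ) {
        sort( $times );
        $start = 0; // index of the oldest request still inside the window
        foreach ( $times as $i => $t ) {
            while ( $t - $times[ $start ] > $window ) {
                $start++;
            }
            if ( $i - $start + 1 > $max ) {
                $suspects[ $ip ] = count( $times );
                break;
            }
        }
    }
    return $suspects;
}

// Constructed sample: one address posting to the login form every 20 seconds,
// plus a normal visitor who loads the form once and logs in once.
$sample = array();
for ( $i = 0; $i < 12; $i++ ) {
    $sample[] = sprintf(
        '203.0.113.5 - - [17/Apr/2013:10:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"',
        (int) ( $i * 20 / 60 ), ( $i * 20 ) % 60
    );
}
$sample[] = '198.51.100.7 - - [17/Apr/2013:10:01:15 +0000] "GET /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"';
$sample[] = '198.51.100.7 - - [17/Apr/2013:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';

// Real use: $lines = file( '/path/to/access_log', FILE_IGNORE_NEW_LINES );
foreach ( find_login_bursts( $sample ) as $ip => $n ) {
    echo "$ip sent $n POSTs to wp-login.php: likely brute force, change your passwords and block the address\n";
}
```

On the sample data only 203.0.113.5 is reported; the visitor who posted once is not.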
Joomla! brute-force attack security:

1. Select a strong password – for more information on how to pick a strong password please refer to the article How to select a strong password. A strong password is essential not only for your administrator account but for all passwords your site needs.

2. Use extensions that help secure your site against brute-force attacks, such as Securitycheck or Max Failed Login Attempts. The idea is to limit the number of computers (IPs) which can access your Joomla Administrator login page, and to limit the number of allowed failed login attempts. If you notice IPs that are constantly being blocked for wrong logins, you are under a brute-force attack and should take extra measures to protect your site.

3. Review your log files – your web site access log contains a lot of useful information. If you notice unusual GETs and POSTs to your administrator login page, you are certainly under a brute-force attack and must change your password and install a login limiter plugin for your Joomla.
You can find additional Joomla security tips in our dedicated blog post.
Drupal brute force attack security:  

1. Select a strong password – for more information on how to pick a strong password please refer to the article How to select a strong password. A strong password is essential not only for your administrator account but for all passwords your site needs.

2. Add a CAPTCHA module to your login form, which ensures better protection since it serves as a second wall against a brute-force attack. We recommend the CAPTCHA Drupal module, which provides various configuration options.

3. Install additional security modules – you can use the Drupal Login Security module, which serves as a login limiter, or Secure Password Hashes, which adds extra 'salt' to your passwords and gives your Drupal an additional shield.


Protect your Magento site from brute force attacks

1. Use a strong password – for more information on how to pick a strong password please refer to the article How to select a strong password. A strong password is essential not only for your administrator account but for all passwords your site needs.

2. Use a customized admin URL – by default this is yoursite/admin, and every hacker wanting to break into your account will start with it. To prevent this, follow these steps:
1. Open your /app/etc/local.xml configuration file.
2. Locate <![CDATA[admin]]> and replace 'admin' with the path you would like to use. For example, if you change it to mylocalplace, the admin path becomes /mylocalplace.
After you have changed this URL, refresh your Magento cache: use an FTP client to delete the contents of the var/cache/ directory, and that's it.

3. Restrict admin access to certain IPs only – you can do this via your .htaccess or web.config file. This ensures that only known IPs have access to your admin area.

4. Require SSL for all login pages – since Magento is used for e-commerce, the data is usually very sensitive, which is why it is recommended that all login details pass through a secure connection.

Final thoughts:
When adding protection against brute-force attacks, keep two very important factors in mind. The first is that these attacks are after your passwords (user or admin), trying to guess them through different combinations and variations, which means you should make sure your password is strong and change it on a regular basis. It is also essential to change your default administrator username, since most brute-force attacks use the standard administrator username for a given application and rarely try to guess both the username and the password at the same time.

The second factor is that in most cases brute-force attacks trigger a lot of failed login attempts, which can be seen either in your hosting account's 'access log' files or, if your application provides one, in a dashboard where you can review your login history. If the application you use allows login-limit protection, or there are extra 'login limiter' plugins available, you should activate or install them ASAP.

We would love to hear your comments and thoughts on this very important matter. Please share them in the section below. I hope that you found the above information useful. If you would like to share your comments or recommend a safe plugin, please comment in the section below or contact me



Prevent Website Hacking: How to build a more secure password for all your online accounts!



A few days ago Prism published a list of the worst passwords, where, as expected, you can find words such as 'password', '123456', 'dragon', 'sunshine', etc. As obvious as it might be not to set your password to 'password', many people still do, taking the chance that anyone might guess their password and gain access to their accounts and services. The focus of this article is to teach our readers and clients how to create a stronger password.
Selecting a good password is critical, and it depends in part on the product for which the password will be used.


For most hosting products and services the following minimum criteria must be met:
• Linux Web Hosting with cPanel control panel: the password requirement is a minimum length of 6 (six) characters.
• Windows Web Hosting with WebsitePanel control panel: the minimum password length is 8 characters, one of which must be a number.
• Windows Web Hosting email server SmarterMail: the email password must be at least 8 characters long and at most 20; it must also contain at least one special symbol and a combination of upper and lower case letters.
• Windows Private JVM (Tomcat) manager NGASI: you will need a password of at least 8 characters that also includes a special symbol.
As you can see from these requirements, your 'good password' should be at least 8 characters long.
Below are some good practices for picking a strong and more secure password for your products and services:
1) Find a word that has a certain meaning for you and then replace all the vowels with special symbols and numbers, for example 'a' with '@', 'o' with '0', etc. This replacement doesn't have to follow any rules available on the net, as long as you are able to remember it.
Do not be tempted to use the numbers on your phone keypad to replace the letters. Though this technique is part of Leetspeak (replacing letters with numbers), it is pretty easy to crack. And in any case, do NOT use your username or your first name as a base for your passwords! I know it is tempting, but this is the first thing a hacker would try if they decided to break into your account.
For example: grapefruit becomes Gr@p5fru#t … not bad, right?
2) Select a password length with which you feel comfortable. You will be asked for at least 6-8 characters in most cases, so pick a password longer than that. The rule of thumb is that the longer the password, the more difficult it is to crack. The most common length is 8 characters, but you should try to make it longer if possible (and if you can remember it). A good and easy way to extend the length of your password is to add numbers to it. Make sure that the sequence of numbers is easy for you to remember, and do not use your birthday or the last 4 digits of your phone number (since they can be easily guessed); pick a date or number that is meaningful to you, for example the year in which you bought your first car or started your first job.

For example: bicycle could become B#cycle2003 (don't forget to include at least one special symbol and one upper case letter).
3) Another often recommended method is shortening a sentence into a word. How does this work? You make up a sentence which is very easy for you to remember, and then you take the first letter or the first two letters of each word to create your 'good password'. You can even create your own algorithm: for example, take the first and the last letter of each word, or the first letter from the first word, the second from the second word and so on. The only limit here is yourself and which codes you feel most comfortable with. If you decide not to substitute a letter with a number, you can always add one at the end.

For example: ‘My first pet was named Jessy’ becomes m*ftptwsndJ*1
4) Once you have shortened your sentence into a single word, you can create different combinations and use them for different services/accounts.
For example: the word m*ftptwsndJ*1 can become "m*ftptwsndJ*1fb" or "m*ftptwsndJ*1gmail"
5) Instead of shortening words you can simply join a couple of words together using a special symbol. For example: Jessy and orange can become "J52sy&0r@ng5". Here I have used & as the link between the words and have replaced 'e' with 5, 'a' with @, 'o' with '0' and the double 's' with 2s, which is one way to represent double letters.
6) Use upper and lower case – you can pick a word such as "grapefruit" and change every second letter to a capital. In this case "grapefruit" becomes "gR@P5FrU#T".
7) Use misspelled words – especially if you tend to make a mistake when entering your password, you can take advantage of this.
For example: grapefruit can easily become grapwfruti, which turns into gr@pwfrut#1

In summary, to be considered good a password has to be at least 8 characters long, contain both upper and lower case characters, and include special symbols and numbers. It is good advice not to keep your password stored on your computer or on a piece of paper, because you never know whose hands it might fall into. Try to memorize one strong password and use different variations of it for different accounts. If you can trust your memory, the best approach is to have different passwords for your most important accounts, and even better to change them on a regular basis. How many passwords you have depends mainly on the risk you are willing to take and on the number of passwords you feel comfortable remembering.
In any case, I think we all agree that we should not use the word 'password' for any of our services and online accounts. If you are in love with this word and insist on using it, only a couple of changes are needed and you can end up with your 'dream' password. For those of you who have very complex passwords, good job; for the rest, now is the perfect time to change your existing passwords so that nobody can crack your accounts, or at least to make it very difficult.
To support the above password examples, I have tested each of them with the Password Meter tool from http://www.PasswordMeter.com. Here are the results of these tests:


Password           Score   Complexity
Grapefruit         8       Very Weak
Gr@p5fru#t         93      Very Strong
Gr@pwfrut#1        91      Very Strong
gR@P5FrU#T         98      Very Strong
Bicycle            8       Very Weak
B#cycle2003        100     Very Strong
m*ftptwsndJ*1      99      Very Strong
m*ftptwsndJ*1fb    100     Very Strong
J52sy&0r@ng5       100     Very Strong
Password           8       Very Weak
P@2sW0Rd           84      Very Strong
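The rules this article lists (the per-product minimums above and the closing summary) can be checked automatically before a password is submitted to a control panel. The script below is an added example, not from the article or from PasswordMeter.com; the profile names and the short worst-password sample are this example's own constructions, not Prism's full list.

```php
<?php
/*
 * Added example (not from the original article): a checker for the password
 * rules the article states. Profile minimums are the ones quoted for each
 * hosting product; 'article' is the closing summary. The worst-password
 * list is a short constructed sample, not Prism's published list.
 */

// Rules per product, as stated in the article.
$PASSWORD_PROFILES = array(
    'cpanel'       => array( 'min' => 6 ),
    'websitepanel' => array( 'min' => 8, 'digit' => true ),
    'smartermail'  => array( 'min' => 8, 'max' => 20, 'special' => true, 'mixed_case' => true ),
    'ngasi'        => array( 'min' => 8, 'special' => true ),
    'article'      => array( 'min' => 8, 'digit' => true, 'special' => true, 'mixed_case' => true ),
);

// Constructed sample of the words the article warns against.
$WORST_PASSWORDS = array( 'password', '123456', 'dragon', 'sunshine', 'pass' );

// Return the list of rule violations; an empty list means the password passes.
function check_password( $password, $profile, $username = '', $first_name = '' ) {
    global $PASSWORD_PROFILES, $WORST_PASSWORDS;
    $rules    = $PASSWORD_PROFILES[ $profile ];
    $problems = array();
    $len      = strlen( $password );

    if ( $len < $rules['min'] ) {
        $problems[] = "shorter than {$rules['min']} characters";
    }
    if ( isset( $rules['max'] ) && $len > $rules['max'] ) {
        $problems[] = "longer than {$rules['max']} characters";
    }
    if ( ! empty( $rules['digit'] ) && ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'no number';
    }
    if ( ! empty( $rules['special'] ) && ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'no special symbol';
    }
    if ( ! empty( $rules['mixed_case'] )
         && ! ( preg_match( '/[a-z]/', $password ) && preg_match( '/[A-Z]/', $password ) ) ) {
        $problems[] = 'not both upper and lower case';
    }
    // The dictionary and identity checks apply to every profile: the article
    // says never to build a password on your username or first name.
    if ( in_array( strtolower( $password ), $WORST_PASSWORDS, true ) ) {
        $problems[] = 'on the worst-password list';
    }
    foreach ( array( $username, $first_name ) as $base ) {
        if ( $base !== '' && stripos( $password, $base ) !== false ) {
            $problems[] = "contains '$base'";
        }
    }
    return $problems;
}

// Check the article's own examples against its summary rule, assuming the
// account name is the default 'admin'.
foreach ( array( 'grapefruit', 'Gr@p5fru#t', 'B#cycle2003', 'm*ftptwsndJ*1', 'password', 'admin2013!' ) as $p ) {
    $problems = check_password( $p, 'article', 'admin' );
    printf( "%-15s %s\n", $p, $problems ? implode( ', ', $problems ) : 'passes' );
}
```

The same function can be called with 'smartermail' or 'websitepanel' to confirm a password before setting it on those products.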


Now that you know how to select a good password, we recommend that you take the time to update all of your account and service passwords. We strongly encourage all of our clients to pay specific attention to the following passwords: control panel, FTP, email, database, and, of highest importance, any remote management services such as SSH or Administrator RDP access (for VPS and Cloud clients).
   
We hope that you find this article useful. We would love to hear your comments and feedback in the comments section below, or contact us directly.