Hi,
My website www.littleheart.net is blacklisted by avast. I have rebuilt the website from scratch and it is clean on all scanners.
Thanks,
Roger
http://retire.insecurity.today/#!/scan/8317c3e54da5f1866c4dba79946d3160530ddfd775fe001e0bca89fc12acb741
http://zulu.zscaler.com/submission/show/c5818e2ae6f6aec32658bb22d26727c1-1461650142
You state that you have built it from scratch, but there are some insecurities to be mitigated still.
Again, your CMS WordPress is outdated and wrongly configured:
WordPress Version
4.4.2
Version does not appear to be latest 4.5 - update now.
Then you have made a configuration error that puts you at risk when someone finds access:
Warning User Enumeration is possible :o
The first two user ID’s were tested to determine if user enumeration is possible.
ID User Login
1 rebar rebar
2 None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.
jQuery libraries to be retired (zip file and keep for later reference):
-http://littleheart.net
Detected libraries:
jquery-migrate - 1.2.1 :-http://littleheart.net/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.11.3 : (active1) -http://littleheart.net/wp-includes/js/jquery/jquery.js?ver=1.11.3
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
Bad R-Status here: https://securityheaders.io/?q=http%3A%2F%2Fwww.littleheart.net
I get a 301 back here: Status codes
These should normally all be the same.
GoogleBot returned code 301 to -http://littleheart.net/
Google Chrome returned code 301 to -http://littleheart.net/
In twentysixteen js I meet errors in that js code:
error: undefined variable html.className
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var html.className = 1;
error: line:1: …^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3:
error: line:3: …^
error: undefined variable jQuery
error: undefined function $
error: undefined variable html.className
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var html.className = 1;
error: line:1: …^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3:
error: line:3: …^
Various undefined like - undefined function e, undefined variable n in wp-includes code…
Also consider the auditing report issues : https://seomon.com/domain/www.littleheart.net/
When you do not know how to do this properly yourself hire someone with relevant knowledge and do not put your visitors at risk.
polonus (volunteer website security analyst and website error-hunter)
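As an added example (not polonus's code nor the scanner's output), here is a small offline check for the kind of findings securityheaders.io reports and for the chatty Server header; the two header sets are constructed samples, not captures from littleheart.net:

```python
"""Offline audit of one HTTP response for the hardening headers that
securityheaders.io grades, plus version leaks in Server / X-Powered-By."""
import re
# Headers securityheaders.io reports as missing, with minimal value checks.
REQUIRED = {
    "Strict-Transport-Security": re.compile(r"max-age=\d+", re.I),
    "Content-Security-Policy": re.compile(r"\S"),
    "X-Frame-Options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
    "X-Content-Type-Options": re.compile(r"^nosniff$", re.I),
    "Referrer-Policy": re.compile(r"\S"),
}
LEAKY = ("Server", "X-Powered-By")   # headers that tend to disclose versions
VERSION = re.compile(r"\d+\.\d+")    # "Apache/2.4.10" style version strings

def audit_headers(headers):
    """Return {'missing': [...], 'weak': [...], 'leaks': [...]}; names matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    report = {"missing": [], "weak": [], "leaks": []}
    for name, pattern in REQUIRED.items():
        value = lower.get(name.lower())
        if value is None:
            report["missing"].append(name)
        elif not pattern.search(value.strip()):
            report["weak"].append(f"{name}: {value}")
    for name in LEAKY:
        value = lower.get(name.lower())
        if value and VERSION.search(value):
            report["leaks"].append(f"{name}: {value}")
    return report

# Constructed sample: a stock WordPress-on-Apache response before hardening.
SAMPLE_BEFORE = {
    "Server": "Apache/2.4.10 (Unix)",
    "X-Powered-By": "PHP/5.6.0",
    "X-Frame-Options": "ALLOWALL",
}
# Constructed sample: the same response after adding the hardening headers.
SAMPLE_AFTER = {
    "Server": "Apache",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_headers(sample))
```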
Unblocked
Hi,
I was very sick for a while and my maintenance got away from me. So now it's up to date. I was a computer admin before I got sick so basically I know what I am doing. On a hosted site I have no visibility into what 1&1 does. I have a hosted site because, being very sick, I assume they will take care of stuff. UGH!
so, I have updated to 4.5 I will check all the links you provided.
Is 1&1 a less than secure host? I have been with them forever and just started having these problems?
Thanks to the evangelists and volunteers!
Roger
And what the heck, I ain’t a professional anymore.
I am taking your good advice and buying a managed package.
Roger
There's still a lot of stuff to check:
https://securityheaders.io/?q=http%3A%2F%2Flittleheart.net%2F
Dated PHP: http://prntscr.com/axx4he
Apache isn't the best webserver, maybe take a look at LiteSpeed or Nginx.
Also you may want to add an SSL Certificate if possible and a CDN, preferably Incapsula for CDN.
User enumeration is still possible, maybe take a look at the WordFence Plugin for WordPress.
A Guide to fix the headers: https://scotthelme.co.uk/hardening-your-http-response-headers/#server
Hi Rogbo,
Thanks for the good spirit. Yes you have all it takes to be a good website admin, and one who has website security at mind also.
As many are not trained with website security as a first priority, and I should know as a proctor at a Higher Educational Institute for IT Studies, we will just fill you in with the particulars of a better security standard we aim at here. That means update and patch code, retire all vulnerable jQuery libraries for instance and zip file for later reference. Check the server security on which the website is running and if the hosting party does a lousy job and will put you and your visitors at risk, confront them with their incompetence. We still see a lot of DROWN vulnerability and BEAST and POODLE around, SRI hash tags missing for third party code, inline javascript and not running being neatly centralised. Servers are speaking out too loud to the global audience and attackers alike, let them silence that excessive server header info! Mind that you have nice generators online, see: https://www.srihash.org/
When you go over the postings of what we flag here as insecurity and look at the postings of Eddy, Steven Winderlich, Para-Noid and others beside little old me that are into website security scanning, you may grasp what we are aiming at making the Interwebs a tad more secure place for us all to reside. Glad you came here and we like to thank you for reporting as others here in the community may also benefit from whatever info we share here.
All the best for the future and keep safe and secure and healthy both online and offline,
is the wish of,
polonus (volunteer security analyst and website error-hunter)
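As an added example (not part of the post above, and not srihash.org's own code), this computes the SRI integrity value the post asks for and lists the third-party script tags of a page that lack one; the HTML fragment and the library bytes are constructed stand-ins, and cdn.example is a placeholder host:

```python
"""Compute and check Subresource Integrity (SRI) values, and list third-party
<script> tags served without one. The HTML and library bytes are constructed."""
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(data, algo="sha384"):
    """Integrity value for the exact bytes served, e.g. 'sha384-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_sri(data, integrity):
    """True if data matches integrity; a browser would refuse the script otherwise."""
    algo = integrity.partition("-")[0]
    try:
        return sri_hash(data, algo) == integrity
    except ValueError:       # unknown or malformed algorithm prefix
        return False

class ScriptAudit(HTMLParser):
    """Collect <script src> tags loaded from another origin without integrity."""
    def __init__(self):
        super().__init__()
        self.unprotected = []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        external = src.startswith(("http://", "https://", "//"))
        if external and not a.get("integrity"):
            self.unprotected.append(src)

def scripts_missing_sri(html):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.unprotected

# Constructed page fragment: one local, one bare third-party, one protected script.
SAMPLE_HTML = """<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://cdn.example/plugin.js" integrity="sha384-AAAA"></script>"""
SAMPLE_LIB = b"/* constructed stand-in for a vendored library, not real jQuery */"
if __name__ == "__main__":
    for src in scripts_missing_sri(SAMPLE_HTML):
        print("missing integrity:", src)
    print(f'<script src="https://cdn.example/jquery.min.js" '
          f'integrity="{sri_hash(SAMPLE_LIB)}" crossorigin="anonymous"></script>')
```

Remember that the integrity value is for the exact bytes served, so it must be regenerated whenever the third-party file changes.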