WordPress Security : Get SMS alerts when your WordPress site is under attack

A few days back, my wife’s self-hosted WordPress blog was under a brute-force attack. Someone was relentlessly trying to get through the admin authentication page for almost 6 hours straight. I will give credit to a number of safeguards we have applied that kept the battle going so long. Based on the logs, it started somewhere around midnight while we were asleep and continued until early morning, when an SMS notification on my mobile alerted me to put an end to it. When I told my wife about it, she wondered how on earth I came to know that her blog was under attack.

Talking about safeguards, the least you can do to secure your blog is to have a strong and unique password. I research a lot about passwords and share my findings on this blog. Go through this checklist to see if your password falls into the “weak” category. If you have a weak password, the battle will be lost long before it reaches the brute-force attack stage. I also wrote about various tools and techniques to generate and manage passwords and take the pain out of remembering complex passwords.

There are a bunch of other things you can do to secure your blog/site. However, as the title suggests, we will focus on how to get SMS alerts when your WordPress site/blog is under attack. It takes around 15-20 minutes to set this up but it is well worth the effort.

To cook this recipe (no, I’m not talking about an IFTTT recipe here), you need two main ingredients.

  • Google 🙂
  • Limit Login Attempts plug-in for WordPress

We need to use a number of Google services to cook it up. This includes Gmail (labels and filters), Google Calendar (notifications) and a Google Drive Spreadsheet with Google Apps Script to tie it all together. But first of all, you should install the Limit Login Attempts plug-in for your self-hosted WordPress blog. This alone is good enough to give you a good night’s sleep. It is a simple but powerful plug-in. You should read a short overview by wpbeginner (if you are in a hurry) or a detailed summary (recommended) by How To WordPress 2.0 about this plug-in.

If you have read any of the above posts, by now you must have understood that Limit Login Attempts blocks the IP after a defined number of unsuccessful login attempts. It also provides an option to get an email notification after a certain number of lockouts. Check this option to enable email notification to the site administrator after 1 lockout so that you start getting notifications as soon as the attack begins.

As I mentioned Google in this recipe, I would recommend that your blog’s admin email account be managed by Gmail. So next, we need to configure your Gmail quickly.

    • Create a new label in Gmail and call it “sendsms”.
Create new label – Gmail
Create new filter – Gmail
Apply label using filter – Gmail
  • Now your Gmail is set. Every new email coming from [email protected], i.e. a potential email notification from Limit Login Attempts, will now have the sendsms label applied automatically.
  • Next, we need to set up your Google Calendar so that it sends you an SMS for new events.
  • Open Google Calendar and go to Settings (Gear icon on top right corner).
  • Click on the Mobile Setup tab and complete the setup by entering your country, mobile number and the verification code you receive.
  • You may create a new calendar or use an existing one. Go to Reminders and notifications for your calendar and check the SMS option for the new events. This will ensure that you get an SMS notification for every new event.

So essentially, what we are trying to bake here is that, for every email notification of lockout by Limit Login Attempts, we will create an event in Calendar upon which you will receive an SMS. How to make this happen? This is where this useful Google Apps Script from Tech Awakening is handy. This allows you to get SMS alerts for new and important emails on Gmail with Google Docs. This is what you need to do.

    • Make a copy of this spreadsheet. Just click on the link and select “Yes, make a copy” when prompted.
    • Select Tools and open Script Editor. This will open the Google Apps Script attached to this spreadsheet.
    • Select Resources and go to Current project’s triggers.
    • We need to add a new trigger so click Add a new trigger link.
    • Select Time-driven, Minutes timer and every minute and save it.
Add a new trigger – Google Drive
    • You will get a pop-up asking for authorization. Click Continue to grant the necessary access.
    • Now click close and save the trigger again.

That’s it, it is all done. From now on, this spreadsheet in your own Google Drive will be monitoring your Gmail account every minute. As soon as an email arrives that matches the filter we created earlier, our new label sendsms will be applied. For every new email with this label, a new event will be created in your calendar and you will receive an SMS notification for it.
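The label-to-calendar step described above, as an added example rather than the Tech Awakening script the post uses. It assumes the lockout mail wording shown in the constructed samples and the account's default calendar; the function names are hypothetical, and it takes only the counters and the IP from each mail so that attacker-chosen text never reaches your phone.

```javascript
// Added example, not the Tech Awakening script. Runs as Google Apps Script;
// the two pure functions also run under Node for testing.
const LABEL = "sendsms"; // the Gmail label created in the steps above

// Assumed wording of the lockout mail; adjust to what your plug-in sends.
const LOCKOUT_RE =
  /(\d+) failed login attempts \((\d+) lockout\(s\)\) from IP: ((?:\d{1,3}\.){3}\d{1,3})/;

// Extract only the counters and the IP. The "last user attempted" text is
// chosen by the attacker, so it is never copied into the alert.
function parseLockoutMail(body) {
  const m = LOCKOUT_RE.exec(String(body));
  if (!m) return null;
  return { attempts: Number(m[1]), lockouts: Number(m[2]), ip: m[3] };
}

// Collapse a batch of mails into one line short enough for a single SMS.
function buildAlertTitle(bodies) {
  const worstPerIp = new Map(); // ip -> highest failed-login count seen
  for (const body of bodies) {
    const hit = parseLockoutMail(body);
    if (!hit) continue; // labelled mail that is not a lockout notice
    worstPerIp.set(hit.ip, Math.max(worstPerIp.get(hit.ip) || 0, hit.attempts));
  }
  if (worstPerIp.size === 0) return null;
  const [ip, attempts] = [...worstPerIp].sort((a, b) => b[1] - a[1])[0];
  const title = `WP lockout: ${worstPerIp.size} IP(s), worst ${ip} (${attempts} failed logins)`;
  return title.slice(0, 160);
}

// Target of the every-minute time-driven trigger.
function checkLockoutMail() {
  const label = GmailApp.getUserLabelByName(LABEL);
  if (!label) return;
  const threads = label.getThreads(0, 50);
  const bodies = [];
  threads.forEach((t) => t.getMessages().forEach((m) => bodies.push(m.getPlainBody())));
  const title = buildAlertTitle(bodies);
  if (title) {
    // Assumption: default calendar, event starting two minutes ahead so the
    // calendar's own notification setting for new events can still fire.
    const start = new Date(Date.now() + 2 * 60 * 1000);
    const end = new Date(start.getTime() + 5 * 60 * 1000);
    CalendarApp.getDefaultCalendar().createEvent(title, start, end);
  }
  // Unlabel processed threads so the next run does not alert on them again.
  threads.forEach((t) => t.removeLabel(label));
}

// Constructed sample mail bodies (documentation IP ranges), for illustration.
const SAMPLE_BODIES = [
  "4 failed login attempts (1 lockout(s)) from IP: 203.0.113.7\r\n\r\nLast user attempted: admin\r\n\r\nIP was blocked for 20 minutes",
  "8 failed login attempts (2 lockout(s)) from IP: 203.0.113.7\r\n\r\nLast user attempted: CALL +1 555 0100 NOW\r\n\r\nIP was blocked for 24 hours",
  "4 failed login attempts (1 lockout(s)) from IP: 198.51.100.23\r\n\r\nIP was blocked for 20 minutes",
  "Weekly digest: nothing to report",
];
```

Batching every mail seen in one run into a single event keeps a six-hour attack from turning into hundreds of messages.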

Easily add custom search engines to Chrome, Firefox & Internet Explorer

I wrote a couple of articles that focus on adding the ability to search various Google services from the Chrome address bar. Chrome provides a number of ways to add custom search engines. If the site for which you want to add the search engine exposes an OpenSearch provider, then Chrome auto-detects the search engine and automatically adds it. For example, this site exposes an OpenSearch provider. So if you visit chrome://settings/searchEngines and scroll down to Other search engines, you will see an entry for the webstruck search engine as shown below.

webstruck search engine for Chrome

Firefox also auto-detects the OpenSearch provider for the current site but does not add it automatically. Instead, when you click on the search box drop-down, it shows an option to add it manually. Although Internet Explorer, unlike Safari, supports OpenSearch providers, there is no auto-detection and no easy way to add custom search engines.

Add webstruck search engine to Firefox

How to add a new custom search engine provider?

There are web services like Mycroft Project & searchplugins.net that host a huge list of useful custom search engine providers. You can add these to Chrome, Firefox and Internet Explorer easily with one click. Just search for the providers you are looking for at Mycroft Project or searchplugins.net and click to install. The search engine will be ready for use instantly. As explained later in this article, Chrome and Firefox allow you to edit a newly added search engine and provide a keyword of your choice so that you can easily search from the address bar itself.

How do I create my own custom search engine provider?

If by some remote chance you do not find the search engine provider you are looking for, you can create one easily. Mycroft Project and searchplugins.net both provide the option to create a new search engine provider. You just need to enter a search URL and the name. The other default values should work just fine most of the time. If you are interested in details, Mycroft Project offers a description for each field. Once the plug-in is ready, you can install it right away and test it. Plug-ins created using the above services work in Internet Explorer, but there is another easy-to-use tool called EnhanceIE that works only for Internet Explorer, although it too generates just an OpenSearch provider.

How do I customize an existing search engine provider?

As mentioned above, Chrome allows you to edit all the details for a search engine very easily. Just right click in the address bar and select Edit search engines…. Here you can edit name, keyword and URL itself for each search engine provider.

In Firefox, you can click on the dropdown in the search box and select Manage Search Engines…. Firefox allows you to edit only the keyword for the search engine. If you need to edit the URL, you need to get a little geeky. The search engines installed with the Firefox setup are put under the Firefox installation directory, like C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins. The search engines that are installed separately using the above techniques reside under your Firefox profile folder. Type about:support in the Firefox address bar and click on the Show Folder button next to the Profile folder label. The search plugins will be located under the searchplugins folder. You can open and edit these files in any text editor, as these are just XML files. You may refer to the OpenSearch description document for details of each entry, although most entries are self-explanatory.

How do I remove a custom search engine provider?

It is easy to remove search engines from all three browsers we are discussing here. In Chrome, you can just click the X button when you hover over search engines in the Manage search engines dialog. Firefox also provides a Remove button in the Manage Search Engine dialog itself. In Internet Explorer, click on the Tools icon and select Internet Options. Select the Programs tab and click on the Manage add-ons button. Select Search Providers in the left pane to display a list of all search engine providers. Select the one you want to remove and click on the Remove button at the bottom.

Search your Gmail, Contacts and other Google services easily from Chrome

If you are a Chrome user and regularly use awesome Google services like Gmail, Calendar, Contacts, Drive, Bookmarks, Google Plus, Photos, YouTube, Maps, Play, News, Finance etc., then this tip is for you.

A few days back I wrote an article on how to search Google Drive files easily from Chrome (and Firefox). As pointed out by one of my readers, this technique can be easily extended to almost any search service that queries things via the URL. Another reader pointed out the easy way to add search engines to Chrome, which is as below.

    • Go to the site for which you want to add a search engine
    • Locate the search box for that site and right click on it
    • Chrome shows a context menu called Add as search engine…
Google Chrome – Add as search engine
    • Select and it will show a pop-up with all the details filled in as below
    • Just click OK and your search engine is ready for use
Google Chrome – Edit Search Engine

For some reason though, this does not work with the Google Drive search box. The Google Drive search box does not allow right click, and that is why we have to add the search engine for Google Drive separately.

Although the above technique should work perfectly for some sites, sadly for Gmail or Google Contacts it does not work. The default URL populated is outdated and does not fetch results anymore. Below, I have listed correct URLs for the most useful Google services. I have added more to this useful collection from Brian Johnson.

Happy Searching!

Search Engine URLs for Google Services

| Name | Keyword | URL |
| --- | --- | --- |
| Gmail | mail | https://mail.google.com/mail/u/0/#search/%s |
| Google Calendar | cal | https://www.google.com/calendar/render?q=%s |
| Google Contacts | contacts | https://www.google.com/contacts/#contacts/search/%s |
| Google Drive | drive | https://drive.google.com/?#search/%s |
| Google Bookmarks | links | https://www.google.com/bookmarks/find?q=%s |
| Google Plus | plus | https://plus.google.com/u/0/s/%s |
| Google+ Photos | photo | https://plus.google.com/photos/search/%s |
| YouTube | video | http://www.youtube.com/results?search_query=%s |
| Google Maps | maps | https://maps.google.com/maps?q=%s |
| Google Play | play | https://play.google.com/store/search?q=%s |
| Google News | news | https://www.google.com/search?hl=en&gl=in&tbm=nws&authuser=0&q=%s |
| Google Finance | finance | https://www.google.com/finance?q=%s |

Reduce tab clutter and memory consumption in Chrome with OneTab

As I read & research a lot on the Internet, I always look to improve upon my research workflow. Sometimes while doing my research around various topics, I end up opening a large number of tabs in Chrome. As we all know, Chrome is a real memory hog and it really slows down your computer as the number of open tabs grows. There are a bunch of tab manager extensions available for Chrome which could help. But OneTab really stands out for me for a number of reasons. It is really simple to use and does what it says in a really uncomplicated manner. It is FREE, as the developers have created it out of their own need and not to make money.

Save up to 95% memory and reduce tab clutter in Google Chrome.

OneTab
OneTab toolbar button

For me, OneTab solves two problems in one go. It helps me keep my browsing organized and reduce memory consumption very quickly. You can install OneTab from Chrome Web Store. Once installed, it will add a OneTab button to Chrome toolbar. Now whenever you are browsing, if you feel that your machine is slowing down due to too many open tabs, just click the OneTab button. All your tabs will be closed and a clean, elegant looking OneTab page will be loaded with links for all your tabs which were open before. Open Chrome Task manager (press Shift+Esc) and you will see that memory consumption is highly reduced. All the links (tabs) added to OneTab will be persisted even if you close the browser or shut down your machine.

Quick Tip

If you want to access your one tab page all the time and especially once you open the browser, you can simply pin this OneTab page (right click on the OneTab page tab and select Pin tab from the context menu). The OneTab page will now stay with you all the time like your other pinned tabs.
OneTab in action

OneTab Page

Coming to the OneTab page, it has a number of things to offer. Restore all will restore all the tabs. Well, it does not hold your tabs in memory but simply preserves the URLs. So Restore all will open all those URLs in separate tabs. By default all the restored tabs will be deleted from the OneTab page. But you can still keep those by using the Options page. As for me, I won’t delete a tab unless I’m completely done with it. So I changed my option to Keep them in your OneTab list. Alternatively you may Lock the tab group, which will prevent the tabs from getting deleted as you restore them. As the name suggests, Delete all will simply delete all the links/tabs from OneTab. Click on the More… button and you have useful options to Name, Lock and Star the tab group created by OneTab. To stay organized, I always name my tab groups appropriately, mostly based on my research topic. You can also name a tab group by clicking on the label that indicates the number of tabs. I also Star the important tab groups so that they always stay on top. One can also Lock the tab group to prevent it from accidental modification. Really well thought out and precise options. None of your tabs or browsing activity is transmitted to the cloud unless you use the Share as web page option. This actually takes all your tabs and creates a web page for you to share quickly with others. This option is available for individual tab groups or all the tab groups at once.

Once you start opening a new set of tabs or start a new browsing session and click on the OneTab button again, a new tab group will be created for you. You can easily drag and drop links/tabs from one tab group to another, and this will be really useful to keep those organized all the time. You may also open a single tab by clicking on individual links. Similarly you may also delete a single tab by using the X button next to each link.

Next we will talk about OneTab context menu, syncing tabs across multiple devices & OneTab options.

Interesting concepts for strong but memorable password creation

Recently while doing my research around the topic of passwords, I came across a few interesting concepts. What makes those interesting is the fact that they intend to help us create a password that is tough to break but easy to remember. These concepts are namely Pass Phrase, Diceware, Password Haystacks & by now the very famous comic strip (see below) by xkcd. Don’t worry, the concepts are not as difficult to understand as they sound.

A pass phrase is a sequence of words or other text used to control access to a computer system, program or data.

Wikipedia, The Free Encyclopedia


In short, instead of using difficult-to-remember and difficult-to-type passwords like H46R8TBXHY5D or iWb024#thM79, simply use a pass phrase such as “I Like 15th August 1947!” It is easy to remember and easy to type, and takes almost the same amount of time to type. It also satisfies all the elements of a strong password like upper case, lower case, numbers and punctuation.

Well, when it comes to memorable passwords, there is a long-standing debate about whether pass phrases are easy to remember and difficult to hack. There are voices which do not really agree with this statement. They have some valid arguments, as below:

  • With pass phrases, the brute force attack will shift from character level to word level.
  • Users are more likely to pick up common phrases/quotes from books, popular movies or other proper nouns that are easily guessed, as the basic idea is to make those memorable. This makes hacking easier than ever.

You may be wondering how the concepts stated above are related. In order to take care of the problems with pass phrases, experts have come up with solutions. The famous comic strip by xkcd shown below offers one such solution. In short, the idea is to choose random dictionary words instead of a meaningful sentence. The random words are chosen from a pool of common words, which makes them easy to remember. If you are really interested in a nice and detailed explanation of it, I highly recommend you read this article on the agilebits blog.

xkcd : Password Strength
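The word-level argument above, worked through as an added example that is not part of the original post: it measures the same phrase as a character-level and as a word-level guessing problem, and draws random words with a cryptographic random source. The function names and the 16-word list are constructed for illustration.

```javascript
// Added example: character-level vs word-level guessing, and a random-word
// passphrase drawn with a CSPRNG. Not from the original post.
const { randomInt } = require("node:crypto");

// Bits of entropy when `count` symbols are each drawn uniformly and
// independently from a pool of `poolSize` symbols.
function entropyBits(poolSize, count) {
  if (!Number.isInteger(poolSize) || poolSize < 2) throw new RangeError("poolSize must be >= 2");
  if (!Number.isInteger(count) || count < 0) throw new RangeError("count must be >= 0");
  return count * Math.log2(poolSize);
}

// The same phrase seen by two attackers: one guessing characters, one
// guessing whole words from a list of `wordListSize` words.
function compareViews(phrase, charPoolSize, wordListSize) {
  const words = phrase.trim().split(/\s+/);
  return {
    charLevelBits: entropyBits(charPoolSize, phrase.length),
    wordLevelBits: entropyBits(wordListSize, words.length),
  };
}

// Words needed to reach `targetBits` when every word is picked at random
// (wordListSize would be 7776 for a Diceware list, for instance).
function wordsNeeded(wordListSize, targetBits) {
  return Math.ceil(targetBits / Math.log2(wordListSize));
}

// Pick `count` words uniformly at random. The word-level figure only holds
// when the machine picks; a quote or favourite phrase is worth far less.
function randomPassphrase(wordList, count, separator = " ") {
  const unique = [...new Set(wordList)];
  if (unique.length < 2) throw new RangeError("word list too small");
  const picked = [];
  for (let i = 0; i < count; i++) picked.push(unique[randomInt(unique.length)]);
  return picked.join(separator);
}

// Constructed 16-word demo list; a real list needs thousands of words.
const DEMO_WORDS = ["anchor", "butter", "candle", "dragon", "ember", "falcon",
  "garden", "hammer", "island", "jacket", "kettle", "lantern", "marble",
  "needle", "orchid", "pepper"];
```

With the demo list, a four-word phrase looks like well over 100 bits to a character-level estimate but is only 16 bits to an attacker who knows the list, which is why the size of the word pool and the number of words matter more than the length in characters.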

Easily copy plain text from web sites using Chrome or Firefox

All of us face this problem every now and then. Say you want to copy some text from a website such as a flight schedule or a quote and paste it into Evernote, email or a Word document. Most often the result is formatted, HTML text when all you want is to copy plain text. This is really annoying. But if you’re using either Chrome or Firefox, there are a few easy to use extensions you can use to solve this problem.

Copy Plain Text for Chrome

If you are using Chrome, you just need to install the Copy Plain Text extension for Chrome. Now select any text you want to copy, right click and choose the “Copy … Unformatted” menu as shown below. One drawback, echoed by many reviewers of this extension, is that it also loses the New Line character when it copies the text. Nevertheless, it is a useful extension to have if you are using Chrome.

Copy Plain Text

Copy Pure Text for Firefox

If you are using Firefox, you have a number of options like Copy Plain Text, Copy Plain Text – Jetpack, Copy As Plain Text and Copy Pure Text. All of these, more or less, offer similar functionality as expected i.e. copy plain text. Copy Pure Text stands out for me as it also preserves the New Line characters.

Copy Pure Text

Use your own brain to generate and manage passwords

The safest vault to store your passwords is your own brain. Now if you could use it to generate & re-generate a strong & unique password for each of your accounts, services and software, you are spared all the hassles with password managers. You can try and design an algorithm to generate a long enough password, which includes all the ingredients (upper case, lower case, numbers & special characters) of a strong password.

Most such algorithms start with picking up a base component which will be used for all the passwords. Then the base component is mixed/padded/prefixed/suffixed with a component which is specific to site or account for which password is being generated. Base component can be created by connecting first letters of a phrase which is easy to remember.

One such simple, step by step algorithm is described neatly by Loren Baxter in this blog post. This will give you a good idea on how this can be done.

Yaara Lancet also describes some interesting techniques at her post on makeuseof.com.

Get creative and design your own unique algorithm that should be complex enough to generate a password that is difficult to decipher and simple enough to recollect and regenerate the same password again and again for a given website. One little problem with algorithm-based passwords is that some weakly managed sites limit the characters you can use in a password.

My recommendation if you’re going for this approach is to refrain from a few things:

  • Don’t design your scheme around a website URL. A URL may change down the line and you may not be able to recollect the password based on it.
  • Try to have at least 2-3 different schemes for different sites. You won’t like to be in a situation where a weak site leaks your password, letting a hacker access all your important accounts because they now know the only scheme you are using.
  • Try not to base your scheme on keyboard motor patterns as it may be difficult to reproduce on different keyboard layouts on various devices.

Lastly, I will leave you with a few videos from various security experts to help you design your own easy-to-remember password generation scheme.

Another video from abc7.com which explains Password Haystacks concept in under 3 minutes.