Pinterest Stumbleupon Whatsapp
Advertisement

If I told you that there’s one place you can go to get peace of mind that your website is secure, would you believe me? Well you should, because there is. It’s called Detectify.

I’m the kind of website owner that has always sort of been in denial. It can’t happen to me. Why would anyone ever want to hack my site?

Well, all those delusions came crashing down around my head in 2011 when the main PHP file of my home page was replaced with a web page announcing that the site had been successfully hacked. Not only was it a shock to realize that someone had actually replaced a file on my web server, but it was a very big blow to my pride. What kind of idiot allows his website to get hacked?

The reality is that over time my WordPress blog had become outdated, and increasingly vulnerable to attack as hackers scoured the Internet hunting for older version of WordPress with known, unpatched vulnerabilities. Major fail on my part. So, recently I finally finished updating my blog to a brand-spanking new theme. Confident that I had nothing to worry about in the security department, I didn’t even bother checking whether the theme or any of my installed plugins had any known security issues. It wasn’t until I came across Detectify that I realized just how close my blog was to being attacked and potentially hacked, once again.

Installing Detectify

Sure, there are other security scan plugins Give Your Website A Thorough Security Check With HackerTarget Give Your Website A Thorough Security Check With HackerTarget As the internet evolves and the systems it’s running on become harder to hack, you’d think websites would be hacked less! In fact, the opposite is true, with the number one problem lying not in... Read More you can use on your site, but Detectify is just so easy to set up and use, even for a novice. Detectify is a combination plugin and web service. The first step, as is usually the case with web services – you’ve gotta sign up.

detectify1The next step is to download and install the Detectify Plugin. This is a pretty simple plugin, but it gives the web-based security app the ability to tap into every aspect of your blog and analyze it for security flaws. Detectify searches for things like local and remote file inclusion, DOM or other cross site scripting problems, PHP array path issues, remote command execution and much more. You can see all of the vulnerabilities that Detectify searches for on the plugin page.

Advertisement

detectify2
Once you’ve signed up for the service and the plugin is installed, the last step is to confirm your installation by typing the verification key you receive via email into the field in the plugin. Then you’re all linked up and ready to roll.

Running a Detectify Scan

Once your site is linked, you’ll see it show up in your list of available domains on  your online Detectify account. You can sign up to scan multiple domains if you like.
detectify3
When you’re ready to launch your website vulnerability scan, just click the Scan button and let it do its job.  A few recommendations at this stage: try to run the scan during a time when your site has the least traffic. Detectify will be crawling and scanning files on your site, so there will be a little bit of performance hit due to that processing.

detectify4

Secondly, give the service the time it needs to do all of that crawling and scanning. It isn’t going to be a quick 30-60 minute job, unless your website is puny. Odds are for a medium sized blog you’re looking at over 6 hours. For a large blog, many more.
detectify6
The best option for most people is to launch the scan before you go to bed, and you’ll have the results waiting for you in the morning. In my case, despite my brand, shiny new theme and running the latest version of WordPress, I discovered that I had several warnings related to the security of my blog.

detectify7
Clicking on the Report button will take you to the page with the scan details for your domain.

Understanding Your Scan Results

The first dashboard page basically gives you an overview of how many files were scans, the types of files scanned and how long it took to scan them.
detectify8
That’s every single file on your server, so if you have a lot of media files, you better believe the scan is going to take a long time. The reported results also detail the exact breakdown of scan time so you can see what part of the scan consumed the most processing time. In my case Crawling How To Build A Basic Web Crawler To Pull Information From A Website (Part 1) How To Build A Basic Web Crawler To Pull Information From A Website (Part 1) Read More and Exploitation testing made up the bulk of scan time.
detectify9
The report will also give you a history of last scans you’ve run, with discovered vulnerabilities. As you fix issues on your site, you can return here to make sure that your new scans reflect an improving situation with your site, rather than an increasing number of issues.
detectify10
Of course, the best part of Detectify (and the whole point of using it really), is the detail section, which outlines very specific issues that were discovered on your site.

Fixing Your Site’s Security Issues

So here’s the thing that saved me. There were a few warnings that made me realize my site had lingering issues despite the fact that I had just upgraded everything and thought I was high and dry. One of the first warnings wasn’t too serious, but was related to the fact that the PHP install on my Apache server offers an “Easter Egg 10 Fun & Surprising Operating System Easter Eggs 10 Fun & Surprising Operating System Easter Eggs Find hidden hilarity and otherwise odd stuff, built right into the operating system you're using. They're hiding in plain site, in software you use every day, and when you find them you'll be delighted –... Read More ” that could allow would-be hackers to identify what version of PHP I am running by checking which icon displays when the icon Easter Egg code is appended to my site URL.

detectify11
I was unknowingly allowing the PHP version to be revealed, which also reveals to hackers where to hunt for vulnerabilities that can be used to hack into my site. I wasn’t very happy to see this (I had no idea about these Easter Egg codes).

detectify16

The nice thing about the Detectify report is that even if you aren’t a web designer or programmer, the explanation of the problem and the recommended solution is easy enough to understand that you could easily fix most of the discovered issues yourself.

Detectify discovered a second vulnerability related to how I had left the Username permalink on WordPress to enumerate values, allowing hackers an easy way to siphon out user links and running through password hacking algorithms to uncover an account with a weak password.
detectify12
A third vulnerability that Detectify found was related to an old plugin that I had installed on the site, and a JavaScript library vulnerability buried deep inside one of the demo folders inside that plugin. I had absolutely no clue this folder even existed on the server – but there it was, a vulnerability just waiting for some hacker to come along and exploit.
detectify13
And there I was thinking that I was standing strong with an impenetrable website. Again, Detectify provided very clear and easy to understand resolutions to each vulnerability warning.

Informational Security Issues

Detectify takes security a step further by providing you with informational security issues on your site. These are mostly very minor issues that aren’t exactly security problems, but could be ways that hackers could obtain more information about your website, providing them with research tools to find known vulnerabilities in what you do have installed on your web server.

detectify14
You can fix these if you’re a real stickler for security, but most of these are just recommendations. You aren’t in serious danger if you decide to forgo most of these.

I noticed these results even included the fact that the crawler was able to discover email addresses in plain text on my site. It even included a list of all addresses found – mostly pulled from old comments.
detectify15

What was amazing is that through the years I thought I had blocked all posting of email addresses to the site. Detectify advised me otherwise, and listed every single email address discovered.

Could my site have been hacked had I not used Detectify and corrected those warnings? Possibly. That’s the thing about website security. You may think that the issues that do exist on your server aren’t “serious” enough to warrant your time and energy, but all it takes is one resourceful and motivated hacker to research that security hole, and then take the time to actually exploit it.

When you’re spending countless hours building up a website How To Build Your Own Website In Minutes Without Any Coding Skills How To Build Your Own Website In Minutes Without Any Coding Skills As the Web grows, and it does so dazzlingly fast, the need for a web presence is becoming more pressing. In many parts of the world, you simply must have a web presence in order... Read More that you love, and investing ungodly amounts of cash on web hosting and other website expenses, the last thing you need is some slimy hacker destroying everything you’ve ever built. So, install Detectify. Scan your site. Resolve those issues. Trust me, you’ll be glad you did. I know I am.

Leave a Reply

Your email address will not be published. Required fields are marked *