CarmaBlog

 Version française disponible

WordPress is one of the most popular CMS (Content Management System). That popularity also means that it is a target of choice for hackers.
In this article, I will give you some tips to keep your website secure and avoid being attacked.

1. Use latest versions

This is true for WordPress itself but also for all your extensions. There are new versions available regularly. If a plugin has not been updated for a while, it is probably not maintained anymore and you might need to remove or replace it. This is also applicable for your theme.
The version of PHP is also important, check with your hosting provider that you are running the latest version of PHP (7.X), especially the versions 5.X won’t be supported by the end of the year.
Also, note that the more extensions you have installed, the more risk you are taking, as your WordPress configuration will rely on more 3rd party code. You should only keep the plugins that you really need. If a plugin is disabled, don’t keep its source code and remove all its associated files.

2. Use secure login details

Never use the default admin user. If you do, disable this account and create your own account with a personalized username.
Choose a strong password. If several users are managing your website, make sure the permissions are valid and avoid giving the admin permission to everyone.

3. Scan your website

This is an easy and quick way to find vulnerabilities and see if one of your plugins is vulnerable or not. You can use these 2 online tools:

• WordPress Security Scan (my favourite with a detailed report)
• WPScans

4. Use .htaccess files to protect your directories

The .htaccess file is a server configuration file. It allows you to define rules for your server to follow.

For example, in /wp-content/uploads, I have created the following .htaccess:

# Deny access to everything by default
Order deny,allow
Deny from all

# Allow access to media files
<FilesMatch "\.(jpg|jpeg|png|gif|bmp|zip|rar|pdf)$">
    Allow from all
</FilesMatch>

This config ensures only media files are accessible from the browser, any JavaScript, PHP files will be discarded. It is not 100% bulletproof as only the extension is checked, but it is better than nothing.

To avoid execution of malicious PHP in some folder (e.g. in /wp-includes), you can create another .htaccess file with the following content:

<Files *.php>
Order allow,deny
Deny from all
</Files>

5. Review file and directory permission

Make sure the critical files (wp-config.php, php.ini…) are not writable publicly, only readable. Only owners should be able to write.

6. Use security headers

You can check which security headers you currently use with this online tool.

At the root folder, update the .htaccess file and add:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "sameorigin"
	Header set X-Content-Type-Options "nosniff"
	Header unset Server
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
</IfModule>

In wp-config.php, add:

/** Extra Security */
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');
header('Referrer-Policy: no-referrer-when-downgrade');
header('Content-Security-Policy: upgrade-insecure-requests');
header('Feature-Policy: autoplay \'none\'; camera \'none\'; encrypted-media \'none\'; fullscreen \'none\'; geolocation \'none\'; microphone \'none\'; midi \'none\'; payment \'none\'; vr \'none\'');
header_remove('X-Powered-By');
header_remove('Server');
header_remove('X-CF-Powered-By');
header_remove('X-Mod-Pagespeed');
header_remove('X-Pingback');
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

7. Do not expose too much information

At the root folder of your website, in php.ini, add the line:

expose_php = Off

Your current version of PHP will not be exposed.

8. Backup your website regularly

Last but not least! You don’t need a particular software or extra plugin to achieve this.

• With your favourite FTP tool (e.g. Filezilla), save all the files available on your server.
• For the database, use the available MySQL backup feature. Many hosting companies provide access to phpMyAdmin, an online tool.

I recommend doing a backup every month, and keep the history of the last 6 backups somewhere safe. Of course, it depends on the volume of articles you are writing and how critical is your data.

That’s it! If you have done all the above, your website should be more resilient to attacks. In the worst case, you should be able to recover easily.

Happy safe blogging!

 Version française disponible

For this first article of the year 2018, I will present 3 financial services proven and used by myself for several months, even years. They allow me to make significant savings on my foreign currency transactions by avoiding the high fees of traditional banks. This article is in no way sponsored, but I have allowed myself to include some referral links.

For those who know me or follow me, it’s been a while since I live in England, 3 years already! I also travel abroad to discover new countries, new cultures and incidentally escape from the London Fog…

After arriving in England, I quickly needed to open a local bank account where the currency is, of course, not the Euro, but the Pound Sterling.

To deposit money into this account (while waiting for my first pay), I had to transfer money from my French account to my English account. In the pre-Brexit era when the Pound was very strong, it was a little painful… And like if it was not enough, my bank would also take its share with a rather exorbitant fee on my transfer. To avoid being ripped off twice, I looked on the Internet and browsed some forums looking for advice. I quickly decided to choose TransferWise.

The principle is simple and based on common sense. British people sometimes need euros, for example when they travel in Europe; conversely, European people need pounds when they come to England. TransferWise allows you to link these requests by acting as an intermediary. The company has accounts in different currencies and distributes the amounts between people. For example, for a transfer of 1000 euros to a British account (so about 900 pounds at the moment), the system may need 2 people (one person who wants to convert 400 pounds in euros and another who wants to convert 500 pounds in euros) or 3 people (who want to convert 300 pounds in euros each) or 9 people (who want to convert 100 pounds each). I guess you understand how the system works!

Once the account of TransferWise is registered with your traditional bank (this may take some time depending on your bank) and the transfer has been made from your original account, you will receive the money quickly in your destination account (usually in 1 day).

You will not be charged because your original account and the TransferWise account are using the same currency. It’s not a big surprise that TransferWise will charge a fee, but almost insignificant (e.g. 5 euros for a transfer of 1000 euros). You can do a simulation on their site, the fee is proportional to the amount transferred.

More recently, TransferWise has set up the borderless account. With this “multi-account” you can receive transfers in different currencies in a transparent way, you just need a click to activate a currency and get your corresponding local bank details (IBAN / BIC) that you can then forward to to the person who owes you money. Since April 2018, you will receive a debit card so you can use it to pay anywhere with your borderless account.

It is important to note that the transfer is executed at the market rate. Since you decide when you want to make the transfer, it is wise to do it when the rate is the most advantageous for you. In my case, it was much more interesting to make pound-to-euro transfers before Brexit.

Also in my example, I mentioned the Pound and Euro exchange, but many currencies are supported: the Swiss Franc, the US Dollar, the Japanese Yen, etc.

Feel free to look for yourself and use my referral link to open your account (and your first transfer will be free).

If you can use TransferWise for money transfers between accounts, how can you manage your expenses on the spot when you are travelling around the world? Who has not already paid a high fee when withdrawing abroad or when paying the bill at a restaurant? Who has not already made a large withdrawal at an ATM to avoid fixed costs, taking the risk to walk around with a large amount of money?

Opening a Revolut account makes perfect sense. It’s an online bank, which means that you won’t find any physical offices, you manage everything yourself from the application on your smartphone: from changing the PIN code to the deactivation of the card, or the change of your address. Revolut is free, you just have to pay a small fee (5 pounds or equivalent in your currency) to receive your multi-currency debit card at home, unless you use my referral link to avoid entry fees.

You can convert currencies in advance from the application to ensure your exchange rate (advanced use) or it will be automatically calculated in the country according to the current rate and usage of your card (personally, I find it sufficient). The exchange rate is very low and matches the interbank rate (it is therefore a very low rate close to the real one without extra fee).

Revolut strongly advises its customer to keep an account in a traditional bank in case the card is not accepted, it is a Mastercard so it should not be a problem, but you will probably be happy to have your good old Visa card on hand, just in case.

The mobile application is well made with a breakdown of your expenses by category, an instant notification on your smartphone for each expense (useful for a contactless payment to verify the amount), the possibility of refunding another person instantly or share an expense easily.

I take the example of trips abroad, but nothing prevents you from using it every day by topping up your card regularly. You will be able to see your expenses by category, month after month, and refine your budget.

Wondering where is the scam? Well, it’s like TransferWise, there is not really a catch! But there are withdrawal and card payment limits (daily, weekly and monthly). Frankly, unless you travel for 6 months a year or you are really bad at spreading out your expenses, it should be enough for you. It is still possible to subscribe to the premium option to increase the limits and access additional services.

Revolut is a young, fast-growing company available in several countries. New features are added every month (cryptocurrency exchange, insurance, credit, etc.).

Again, feel free to have a look for yourself and use my referral link to open your account for free. There is very little chance for you to regret it.

Monzo is also an online bank. It provides a very similar service to Revolut, so you will receive a Mastercard card to make payments in different currencies at the interbank rate.

I must say that I use it for longer and more regularly than Revolut. Unfortunately at that time, the service is only available in UK. Unlike Revolut, there is no charge to receive the card, there is no premium option available, and it’s totally free. However, there is a waiting list to open an account (a few weeks at most).

They are still in a beta test phase, but it’s been a year since I am with them, I had no problem. It’s a bit like Gmail which has been in beta for years… However, it is possible that Monzo change its business model and start charging its users when their customer database will be big enough, hard to say, but as long as the service is free, you may just try it!

Unlike Revolut, Monzo focuses exclusively on the multi-currency expenses and reporting aspect, you won’t find any insurance, crypto exchange or other services. But what it does, it does it very well! Personally I find the smartphone app a little more convenient. They have limits too, but higher than on Revolut.

In my case, using both services and having 2 debit cards indirectly raise the limits. Also, it is possible that a Revolut card does not work in a place abroad, while it works with Monzo, and vice versa.

Last but not least, Curve is also an online bank. The main benefit of this card is that it allows you to group all your cards in one, like a wrapper. If you do not want to take all your cards with you all the time: Revolut, Monzo or any other professional or personal cards, it is possible to use only one: the Curve card. From the application, a simple tap is enough to select the card that will be active. It’s efficient and will make your wallet a little lighter. Note that there may be some limitations in case of disputes, but this will be suitable for everyday use. And since it’s free, why not giving it a try?

You can use my referral link to open your account and get £5 for free. Use code “EKGQQJQN” at sign up.

Once is not custom, I did not look at the technical side, but the post is still about new technologies in the banking system, I hope you’ve found the reading interesting. It also shows that small startups (Fintech) can move the lines of the banking landscape and shape our future. It is critical for traditional banks to constantly innovate to stay in the race, not sure they have all made the shift in time, and the customers of yesterday are no longer the young people of today.

And perhaps you will embrace online banking through your smartphone and even save some money… At least I don’t see any reason not to try!