Is your home router hacked? How to check and what to do.

Tuesday morning Wordfence published a post showing how thousands of attacks we see on WordPress sites come from hacked home routers. In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites. Those home networks are now being explored by hackers who have full access to them. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.

Half of the internet service providers we analyzed have routers with a very specific vulnerability.

This vulnerability is known as the “misfortune cookie”. We will call it the MC vulnerability for short. It has been known for a few years and was first disclosed by CheckPoint in 2014. It is now being used to hack home routers. Using the tool below you can tell if you have the MC vulnerability.

The MC vulnerability exists in a service that your ISP uses to remotely manage your home router. That service listens on a “port” number, which is 7547. Besides the MC vulnerability, this port can have other vulnerabilities, one of which was disclosed a few months ago. Researchers have been discussing the dangers of port 7547 in home routers for a few years now.

Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router. They have the ability to configure their network to prevent outsiders from accessing that port. Many ISPs do not block public access to port 7547.

You can use the tool below to determine if your port 7547 is open to the public internet. If it is, we suggest you contact your ISP and ask them to prevent outsiders from accessing that port on your home router. Even if you aren’t vulnerable to one of the two vulnerabilities we posted above, future vulnerabilities may emerge on port 7547. By blocking public access you will protect yourself and your home network.
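A self-check along the same lines, added here as an example and not part of the original post or the Wordfence tool: it tests whether port 7547 on a router you own accepts connections and whether the service names itself in its HTTP `Server` header. The function names are hypothetical, and matching the word "RomPager" in the banner is an assumption; a match shows the service is present, not that the MC vulnerability is.

```python
import socket

TR069_PORT = 7547  # remote-management port named in the post


def parse_server_header(raw):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def check_port_7547(host, port=TR069_PORT, timeout=5.0):
    """Probe one host you own; report port state and any Server banner."""
    result = {"state": "closed_or_filtered", "server": None, "rompager": False}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                               # refused, timed out, unreachable
        return result
    result["state"] = "open"
    with sock:
        try:
            sock.sendall(b"GET / HTTP/1.0\r\n\r\n")
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except OSError:                           # open, but no HTTP answer
            return result
    result["server"] = parse_server_header(data)
    # Assumption: the service names itself "RomPager" in its Server header.
    result["rompager"] = "rompager" in (result["server"] or "").lower()
    return result


def advice(result):
    """Map a probe result to the matching next step from the post."""
    if result["state"] != "open":
        return "Port 7547 is not reachable from here."
    if result["rompager"]:
        return ("Port 7547 is open and the banner names RomPager: confirm "
                "with the tool linked in the post and contact your ISP.")
    return ("Port 7547 is open: ask your ISP to filter public access to it.")


if __name__ == "__main__":
    import sys
    # Run from OUTSIDE your home network against your own public IP address;
    # with no argument it only probes localhost as a harmless demonstration.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    res = check_port_7547(target)
    print(res, advice(res), sep="\n")
```

A check run from inside the home network reaches the router's LAN side and says nothing about what the public internet can see, so run it from another connection.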

Read the full article here

How to check your router

Use this free tool on Wordfence Security to check your router and see if it has been hacked or is vulnerable.

What to do with the results?

If your router is vulnerable, we recommend that you:
  • Immediately reboot your home router. This may flush any malware from your home router.
  • Upgrade your router firmware to the newest version if you can.
  • Close port 7547 in your router config if you are able to. (Many routers don’t allow this.)
  • If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.
  • Run a virus scan on all your home workstations.
  • Update all home workstations and devices to the newest versions of operating system and applications or apps.
  • Update any firmware on home devices where needed.

If you are not vulnerable, but port 7547 is open, we recommend that you:

  • Reboot your home router immediately. You may suffer from other port 7547 vulnerabilities.
  • Upgrade your router firmware if you can.
  • Close port 7547 on your router if you can. (Many routers don’t allow this)
  • Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet accessing it.

If you found this article helpful and would like more like it, take a look at our other Fresh Brews!

2017 The Year of Encryption Everywhere using a SSL – Time to get ready!

2017 is probably going to be the most secure year yet for website owners, because Google has released updates that push site owners to get their sites SSL-ready.

In the coming year, Google’s browser (Chrome 56) will begin to show a “Not Secure” warning on all HTTP sites, to make the web a safer, more secure (less hackable) place.

An SSL certificate is used to create an encrypted connection between the browser and the server. Google has already moved almost all of its services over to HTTPS encryption. Even WordPress has announced that it will no longer promote hosting partners unless they provide an SSL certificate by default in their accounts.

Don’t worry, we will be looking into some affordable ways to do this and making arrangements for installations.

Source: 2017 The Year of Encryption Everywhere using SSL certificates – Infographic

Why we use Divi by Elegant Themes

That’s right… we went all Divi! Some of us at Coffee Web Design have been in the web business, doing web design, for 15 years or more. Our favorite theme to use and convert sites to is the Divi theme by Elegant Themes, and we will get to why in a minute.

Over the years our designer has ranged from designing in FrontPage (oh, this is ancient) to other page-builder software. While WordPress was making its own way in the world of websites, it had come so far in development that we had to give it a try about 8 years ago. So our designer set out on a mission to learn what WordPress was all about. Excited to learn a new program that could help more small business owners, she could see that the possibilities were almost endless when it came to WordPress sites and keeping the cost low for clients. With her background of years in web development as a project manager, she could also see the lower cost compared with building sites from scratch, which was usually out of the price range of start-ups, individuals and small businesses.

When it came to design, though, she loved doing her own custom design for clients. She liked giving them their own identity, just like a brand, in web design. WordPress has many, many contributors who make out-of-the-box designs. Your site, though, may look like Mo’s down the road. She does custom theme designs for WordPress clients.

Then came mobile!!

Then Android and the iPhone came out and things started going mobile. Our designer had to go back and revamp her WordPress themes so that they also had mobile versions. What does that mean? It means that every site had to adjust to whatever mobile device you had and the way you were holding it to look at the site: a desktop version, tablet vertical, tablet horizontal, phone vertical and phone horizontal. All of the revamps and versions needed to make sites “responsive” for devices started to drive up the cost for clients again.

Then we found Divi!

Divi is an out-of-the-box shell for designers and meets all of the requirements for responsive themes. Now we can lower the cost for our clients again and still give them a knockout design using Divi! We couldn’t be happier with the results and have gotten rave reviews for the designs we create for our Coffee Web Design clients. We have even collaborated with other web companies, working with them on design using Divi while they manage their content.

Ease of use for clients!

Like most WordPress clients, most people want to save costs and manage their WordPress site themselves. That is not a problem with Divi. With its unique drag-and-drop system and built-in modules, Divi has been fun for some of our clients, who add new content, update galleries and create new content all the time. Divi has many built-in features that eliminate the need for extra plugins. We always say that less is more when it comes to plugins. Support from Elegant Themes is great. They are fantastic about keeping Divi up to date and in compliance with what search engines require. Updates? They always keep us sitting on the edge of our seats, awaiting the surprises in the next version.

Most of our clients have now been converted to the Divi theme, and we will continue to build, design, and train people how to use Divi.

If you are using WooCommerce… great!! Divi is user friendly and has options available for those who use WooCommerce for their online shop.

If you are looking for a new look for your web site and keeping costs down, just contact us for a free quote in converting over your existing theme to a powerful Divi machine of a deal!

Divi by Elegant Themes

14 Steps You Can Take Today For Better WordPress Security

a) Secure Your Admin Account

Never use obvious usernames and login credentials for your main Admin account. Instead, go with something that is more fun and difficult to crack and hack.

b) Use the Editor

It is risky to use your main Admin account to edit and publish new works, or whenever you are working with your content. This is especially so whenever you are using public Wi-Fi access.

Instead, consider creating a unique Editor account and start using that login for all the content work you are looking to do. Of course, you should ensure that the login is not obvious and will not be easily cracked and hacked.

c) Secure Passwords

Never ever use passwords that other people can easily guess. It goes without saying that you should force anyone who has access to your website to do the same. Include capital letters, special symbols like exclamation points, and numbers to make it more complex.


d) Limit Logins

Password guessing is a major issue as well. People and bots can make multiple attempts to guess your password/login combinations until they manage to get it right.

Therefore, you should consider using the login lockdown plugin to limit the number of times anyone can try to log in to your account. Should they fail to do so after a couple of pre-specified tries, they will be blocked from having access.

e) Secure Your Machine

Apart from ensuring that your website is secure in and by itself, you might also want to take good care of all the computers and other gadgets that you usually use to access the WordPress website.

Key loggers typically use your keystrokes to recreate your password and login details. Similarly, direct FTP-based bots will get open FTP connections before uploading hacked files into your server.

To solve this situation and potential threat to your WordPress account, website, and blog, you should take better care of your computer. A good place to start would be by using the best antivirus software your money can buy.

There are also plenty of free options if your budget is tight. Make sure you avoid suspicious sites, and never open emails from someone you don’t know.

f) Update Regularly

Of course, it goes without saying that you opened your WordPress account simply because you were looking to accomplish something with it.

A highly detailed change log corresponds with every new WordPress release. In such change logs, all fixed bugs will be listed.

The solution to this problem, however, is quite simple. You just need to enable auto updates for your website. Alternatively, you can also perform manual updates whenever you get notifications requiring that you update your account.

g) Plugins

However, there’s more to updating the account than just that. You also need to ensure that your WordPress plugins are also kept up to date.

h) Backup

Although backups will not save your website from getting hurt, they are mandatory, especially if you are afraid that things might start going wild.

With a recent backup, you can easily restore your WordPress website back to how it was prior to the attack.

You can perform a WordPress backup using free plugins, including WP backup to Dropbox. Similarly, you should be able to create a backup through Backup Buddy. This plugin is a feature rich solution that will make your life much easier.

i) Get hosted

There are many other things you can continue doing to further bolster your WordPress security and safety. For instance, find the best web host your money can afford for you. Keep in mind that the cheapest hosting service may not have the best security.

The best hosting service will provide you with the WordPress security and safety you are looking for.

j) Download the Right Themes and Plugins

Accidental vulnerabilities are not your only enemies. There are also a number of intentional vulnerabilities that you can easily avoid. For instance, if you choose to download plugins from shady sources, they might feature source codes that are designed to specifically hack your WordPress website.

In such cases, you will have hacked your own website, albeit indirectly. This is also the same for themes. Therefore, consider checking the official plugin and theme directories at The downloads on these directories do not feature dangerous code.

For premium plugins and themes, on the other hand, you need to check the seller’s reputation online.

CodeCanyon and ThemeForest are generally safe on account of the thorough and lengthy review processes that every new plugin and theme is taken through.

k) Delete Unused Plugins

Some plugins might contain surprises which could hack your WordPress site. Sometimes, you will come across a couple of basic security vulnerabilities.

To ensure that your site is safe and secure, you simply need to remove every plugin that you do not use on a regular basis. Instead of just deactivating such plugins, delete them entirely.

l) Reduce Your Plugins

You should also consider reducing the total number of plugins you installed for your own WordPress security and safety.

You can also try using a single plugin to replace several others with the same functionality. The best example is the Jetpack plugin, which can give you:

  • Contact forms
  • Image carousels and galleries
  • Links to related posts
  • Mobile themes
  • Social media buttons
  • Website stats

m) Install WordPress Security Plugins

Most of the security plugins you will come across on WordPress are designed to ensure that your blog and website stay safe. This is effected through file permission control, firewall protection and database scans.

The most popular security plugins on WordPress include:

  • Acunetix WP Security
  • AntiVirus
  • BulletProof Security
  • Sucuri Security
  • Wordfence Security

One of the great things about these plugins is that they often work on autopilot. Once they’re installed, they do their job without the need for any input.

n) Guard against Attacks

Your WordPress account, website, and blog may be vulnerable to brute force attacks. When people are looking to mess up your website, they can either launch:

  • Surgical Attacks: Where they will look for vulnerabilities, then exploit them with laser precision
  • Brute Force Attacks: Where they attempt to guess your WP password until they are successful

To ensure that your site is protected from the latter, consider downloading and installing the BruteProtect plugin.

This plugin will ensure that anyone who repeatedly tries to log in to your account from an unidentified or strange location or device will be blocked, effective immediately.

Final Thoughts

There are many other ways to protect your WordPress account. However, you can be sure that the above tips and tricks should keep you learning how to accentuate and strengthen your WordPress security and safety.

How do you keep your WordPress site safe from hacking? Let us know in the comments!

Source: How to Prevent Your WordPress Site From Being Hacked

The Current State of WordPress Security in 2016

Essentially, WordPress hacking and insecurity has been on the rise. The number of reported hacks is in the hundreds of thousands.

What about those that go unreported? Of course, you might be wondering why anyone would even want to hack your website. However, you should remember that most attacks are automated.

These days, hackers have created various bots before releasing them into the web to look for vulnerable websites, just like yours.

When hackers have thousands of sites in their control, they are able to use them for database scraping, mass email sending, and black hat SEO. To them, that’s pure gold.

So, before you start a blog it’s important to know that WordPress security is not automatic. Although WordPress is one of the most awesome platforms around, it does have its fair share of problems. As a user, you should take care of the most basic security and safety measures.

Proper Security Measures

Beginner’s Level

So, how do you go about doing this? Here are some tips:

  • Secure administrator account
  • Use your editor account purely for content work
  • Strengthen your WordPress password
  • Limit your login attempts
  • Secure your PC
  • Automatically update your WordPress
  • Update your plugins on a regular basis
  • Backup your website/blog
  • Only use legit web hosts
  • Download themes and plugins from well-known sources

Advanced Level

On the advanced level, you can do a number of things to further bolster WordPress security and safety. These include the following:

  • Deleting plugins you do not use
  • Reducing the total number of plugins you use
  • Installing a well-known security plugin
  • Protecting your website from brute force attacks
  • Using CloudFlare
  • Monitoring for Malware
  • Performing theme checks
  • Blocking trackbacks and pingbacks

Pro Level

Pros do more than just the above to ensure that their WordPress accounts, websites and blogs are safe and secure. They will, in most cases, do any or all of the following:

  • Generating new security keys
  • Changing the database prefix
  • Using .htaccess protection
  • Disabling XML-RPC
  • Disabling all PHP error reports
  • Tracking the WordPress dashboard
  • Watching their Google Console
  • Reading Sucuri
  • Checking out all un-secure plugins
  • Using SSL

So, how would you like to go about ensuring your WordPress security and safety? We are going to discuss the above points slowly but surely.

Source: How to Prevent Your WordPress Site From Being Hacked

How to Prevent Your WordPress Site From Being Hacked

WordPress security and safety is not something to joke about. If your blog site gets hacked, you will have to spend countless hours trying to fix things that you might not even understand.

Similarly, a hack could potentially make everything start performing in a weird way on your WP account, website, and blog.

At the end of the day, any sort of attack will give you a difficult time. However, you can guard against such attacks.

This is why we created this guide: How to prevent your WordPress website from getting hacked.

Here’s what we’re covering:

  • How to Safeguard Your WordPress Site (Infographic)
  • The Current State of WordPress Security
  • Proper Security Measures
  • 14 Steps You can Take Today to Improve Your WordPress Security




Source: How to Prevent Your WordPress Site From Being Hacked
