August 7, 2016

Action Required: DAP Security Update


Website security is not about running a perfectly secure site; it's about reducing the risks. No business is too small to be hacked. If you run an online business, you simply cannot afford to take your website security lightly. It's not something you can put off for later.

There are simple steps that you can take right now to make your WordPress website safer and reduce the chances of it getting hacked. You'll find my WordPress security tips here.

In this post, I've shared tips that will help you greatly improve the security of your DAP-Powered membership site. It’s worth your time to review these security tips and implement them on your site.

1. Stay Current

WordPress gives you the freedom to install and activate any plugins & themes of your choice on your website. While this gives you the power to expand and scale your business, it's your responsibility to be smart and careful about your choices because if not, you might end up losing a lot more than you gain.

Hackers just need to exploit a vulnerability in one of your plugins or your theme to inject malicious code and then use it to take full control and wreak havoc on your site.

Don't go wild installing plugins and themes just because you can. Only install plugins and themes that you absolutely need and use. Get rid of everything else. Stay current with your WordPress version. Use the latest version of plugins and themes.

2. Upgrade to the Latest Version of DAP

There are many reasons for running the most current and stable version of DAP:

  • Security Updates
  • Bug Fixes
  • Updates (to Existing Features)
  • Performance Improvements
  • Compatibility (WordPress, plugins, themes, PHP, server etc)
  • New Features

We consistently add/update security features in DAP to better protect your DAP-powered membership sites. It's one of the many reasons to stay current with DAP. Do not run outdated/old versions of DAP. Upgrade to the latest stable version. You'll find the latest version of DAP in your member's area.

If you are a DAP platinum (monthly) member, we offer FREE upgrades/installations. Just open a support ticket requesting an upgrade, and we'll take care of it for you.

If you’re not a DAP platinum member but need our help to install/upgrade DAP, click here to purchase install/upgrades.

If you’re running an outdated version of DAP because you've run out of support/upgrades access, click here to renew your access to upgrades/support.

If you want to install it yourself, you can use our Easy Installer plugin to install / upgrade DAP. If the easy installer does not work due to permission issues on your site, you can use FTP to upload files.

3. Change DAP Admin Password Regularly

After you install DAP (or after we install it for you), be sure to log in to your DAP admin dashboard and change the "DAP Admin Account" password.

Find your DAP Admin Account:

Log in to your DAP admin dashboard and visit the Members => Manage page. You'll find a "Welcome, [ADMIN NAME]" message at the top.

Click on the [ADMIN NAME] hyperlink. It'll bring you to the Edit Member page where you can find all the admin account details. The "Account Type" is set to "A (Admin)" for admin accounts. You can update your DAP admin password on this page.

Be sure to update your DAP admin password regularly. When DAP is installed initially, an admin account is set up with a default password. Make sure to update the password right away after the installation for security reasons.

4. Protect the Exception.Log File

If there are any unexpected errors or uncaught exceptions on your server, your webhost will generate an exception.log file. You'll find this file in the folder where the exception occurred. The problem with this file is that it'll open up your site to potential attack by hackers because this file can expose your database credentials to the world.

While you may not be able to prevent the generation of this file, you can add a few lines to your .htaccess file to prevent access to it. You'll find the .htaccess file at the root folder of your site. Add the following lines to your .htaccess file (at the top of the file) to protect the exception.log file:

# Protect the exception.log file
<Files exception.log>
Order Allow,Deny
Deny from all
</Files>

Also edit your .htaccess under the "dap" folder on your site and add the same lines to it. Add it at the top before all other lines of code in that file. After you add the lines to .htaccess, visit the home page of your site to be sure there are no errors.

If you don't want to mess with the .htaccess file, please contact your webhost. They can update it for you.

5. Disable file_uploads in PHP Settings

This is one of the MOST effective ways to prevent hackers from uploading malicious scripts to your site.

If you disable the file_uploads feature in your PHP settings (your webhost can do it for you), it'll make it a lot harder for hackers to upload malicious scripts to your site.

This has helped us immensely with our own website security.

You still need to take all other necessary steps to protect your site.

Disabling file_uploads in your PHP settings won't eliminate the need for all other security measures. It'll just make it harder for hackers to upload malicious scripts to your site (even if they find a vulnerability in one of your plugins or your theme).

However, before you do this, you need to be aware of a few things:

If you disable file_uploads, you'll have to be prepared to do a little bit of extra work! You can no longer upload media files (images etc) via your WordPress dashboard. You'll not be able to update WordPress, your plugins or themes directly via WordPress dashboard.

So what does this mean for you?

A little more hassle...

You'll be compromising ease-of-use for a lot more security and peace of mind.

  • You'll have to schedule your updates (plugin updates, theme updates, WordPress version updates etc) because you can no longer do them whenever you want. Just have your webhost re-enable file_uploads whenever you want to update plugins/themes etc. After you're done with the updates, have them disable it again.
  • You'll have to be prepared to use FTP or File Manager (in your webhost's cPanel) to upload media files. If file_uploads is disabled, you cannot upload images via the WordPress file uploader. Just use FTP or File Manager to upload image files to your server, and then instead of using the WordPress Post => Add Media => "Insert Media => Upload files" feature to upload media files to your server, insert the full URL of the image file using WordPress post/page => Add Media => Insert from URL.

So yes, it'll result in more work for you, but it's worth it. For us, it has been MORE than worth it. It has helped us a great deal with our website security.

How do I disable file_uploads?

On most webhosts, you can easily disable file_uploads from your webhosting cPanel. If not, just contact your webhost to help you make the update.

6. Never Set File/Folder Permissions to 777

If you set your file/folder permissions to 777 for whatever reason and then forget to change them back, your website will become an easy target for hackers.

Just restricting file/folder permissions can go a long way in securing your site. The general rule of thumb for file/folder permissions is:

  • 755 for folders
  • 644 for files

You can set the file permission of your wp-config.php file and /dap/dap-config.php file to 600. This will allow you to harden security, but if you have plugins that update wp-config.php, they might report an error. So be sure to test and make sure there are no errors if you decide to make this update.

If you’re not sure how to change permissions, please contact your web host. They can help you with the update.
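As an added example (not from the DAP post or its tooling), this POSIX shell script audits a site tree for world-writable entries such as 777 and applies the 755/644 rule of thumb above, tightening wp-config.php and /dap/dap-config.php to 600 as the post suggests. It assumes the site root is passed as the first argument; run the audit function on its own first if you only want a report.

```shell
#!/bin/sh
# Added example: audit a WordPress + DAP tree for world-writable entries (777 and
# friends) and reset everything to the 755/644 rule of thumb, with the two config
# files tightened to 600 as the post suggests. Assumes the site root is passed as $1.

# List every file or directory whose "other" write bit is set (-perm -002 matches
# any mode with that bit, so 777, 666, 757 ... are all caught).
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Count such entries; a non-zero result from a cron job is a useful alert.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply 755 to folders and 644 to files, then 600 to wp-config.php and
# dap/dap-config.php. Test the site afterwards: plugins that write to
# wp-config.php may complain about the 600 setting.
fix_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    for cfg in "$root/wp-config.php" "$root/dap/dap-config.php"; do
        if [ -f "$cfg" ]; then chmod 600 "$cfg"; fi
    done
}

# Octal mode of one path (GNU stat first, BSD/macOS stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```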

7. ACTION REQUIRED: VERY IMPORTANT: Paypal Security Update

If a hacker is able to inject malicious code into your site through a vulnerability in your theme or one of your plugins, they can take control of your database tables and scripts, update the settings and make it do whatever they want it to do.

DAP does not store Credit Card, SSN or other security-sensitive data. But if a hacker is able to attack your database tables, they can update your Paypal Business Email and Paypal Identity Token settings in the dap_config table and change them to their own Paypal business email. Now, you'll likely not find out about this right away because your website will not go down in this type of attack. Everything will look fine from the outside. But the payments from your customers will start going into the hacker's account!

The good news is we've updated DAP scripts to prevent this type of attack!

While we cannot prevent hackers from finding a vulnerability in one of your plugins or themes and injecting malicious code into your site, or prevent them from taking control of your sales page etc, we can FORCE the "DAP-generated Paypal Payment" buttons to always use your Paypal Email!

1. Find the dap-config.php file. To find the dap-config.php file, FTP to your site. You will find the dap-config.php file under the "dap" folder on your site.

2. Add the following lines of code to your /dap/dap-config.php file:

// Pin the Paypal settings in code so DAP-generated buttons ignore any tampered values in the dap_config table
define('PAYPAL_BUSINESS_EMAIL','REPLACE_THIS_WITH_YOUR_PAYPAL_BUSINESS_EMAIL');
define('PAYPAL_API_TOKEN','REPLACE_THIS_WITH_YOUR_PAYPAL_IDENTITY_TOKEN');

You can add these lines of code towards the top, after the PHP start tag (<?php). You can get the values for these fields from your DAP Admin -> Setup -> Config page -> Paypal Section, or you can get them from your Paypal account.

PLEASE NOTE:

1. You only need to add these lines to the dap-config.php file if you use the "DAP-Generated Payment Button for Paypal" or offer "Paypal" as a payment option via the DAP Shopping Cart.

If you use "Paypal hosted buttons", you don't have to add these lines to /dap/dap-config.php file.

2. You need to upgrade to DAP v5.1.3 & DAP LiveLinks v2.0.6 to use this security feature. Even though this version is currently in beta, it's stable. We'll be making this version (dap v5.1.3/LL v2.0.6) FINAL in a couple of days. So you can go ahead and upgrade to this version now.

3. If you're a DAP platinum/monthly member and use DAP-Generated Paypal buttons, but are not sure how to edit the /dap/dap-config.php file, no worries! We'll do it for you! Just send us a support ticket with your FTP and DAP admin credentials and we'll make the update for you.


8. Change Permission of Your dap-config.php File to 444

Secure your config files. Change the file permission of the /dap/dap-config.php file to 444.

If you want to edit something in the /dap/dap-config.php file, you'll have to change the permission back to 644, but after you complete the update, switch the permission back to 444. If you're not sure how to update the permission (via FTP or File Manager), please contact your webhosting support. They can update the permission for you.

After you change the permission of /dap/dap-config.php to 444, log in to the DAP admin dashboard just to make sure that you're able to navigate the admin pages without any unexpected errors due to the permission update. If there are any unexpected errors, revert the permission to 644.

9. Remove These Scripts for Additional Security

There are some scripts in the "dap" folder that are required for 3rd party integration. However, we recommend that you delete the integration scripts that you don't need and retain only the ones you need.

In the next release of DAP, we are going to remove all the integration scripts from the core DAP download. We'll make the 3rd party integration scripts available as a separate zip file. You can upload just the scripts that you need to your site. This is to prevent hackers from trying to gain access to your membership site via a third party integration script.

Please NOTE: do this ONLY if you're familiar with FTP / File Manager and if you can locate the files listed below in your dap folder. If you are a DAP Platinum / Monthly member, you can open a ticket with your FTP details, and we'll do it for you for free.

The name of the script will tell you exactly which 3rd party system it integrates with. For example, dap-aweber.php is used for aweber integration; if you don't use aweber, you can delete it. The dap-wsopro.php script is used for Warrior+ integration; if you don't use it, delete it. This is the full list. Delete the ones that you don't need.

dap-1sc.php
dap-1shopcart.php
dap-2co.php
dap-alertpay.php
dap-aweber.php
dap-bulkImport.php
dap-cb.php
dap-clickbank.php
dap-clickbank-6.0.php
dap-clickbank-2.1.php
dap-clickfunnels.php
dap-clicksure.php
dap-dealguardian.php
dap-digiresults.php
dap-drip.php
dap-ejunkie.php
dap-emailorder.php
dap-ezchain.php
dap-getresponse.php
dap-gocardless.php
dap-idevaffiliate.php
dap-infusionsoft.php
dap-infusionsoft-optin.php
dap-jvzoo-autologin.php
dap-jvzooipn.php
dap-nanacast.php
dap-paygear.php
dap-paykickstart.php
dap-plimus.php
dap-pwc.php
dap-samcart.php
dap-silentpost.php
dap-stripe.php
dap-thrivecart.php
dap-thebusinesscampus.php
dap-ultracart.php
dap-VBImport.php
dap-warriorpayments.php
dap-worldpay.php
dap-wsokeygen.php
dap-wsopro.php
dap-zaxaa.php

If you don't use Paypal to sell, delete the "paypalCoupon.php" file from your dap folder.

Also delete this file:

/dap/admin/simpliqtheme/assets/misc/uploadify.php


If you use the DAP EasyInstaller plugin to install/upgrade DAP on your site, you can delete the DAP EasyInstaller plugin after the installation/upgrade is complete and re-install it whenever you need it again.


WordPress Advanced Security & Performance Package

There are a lot of great security plugins like Wordfence, iThemes Security, Sitelock, Sucuri etc that can lock things down and greatly help with WordPress site security.

Wordfence Security is the only WordPress security plugin that can verify and repair your core WordPress installation, Themes and Plugins, even if you don’t have backups.

We use both the Wordfence Security and iThemes Security plugins to protect our WordPress websites. While they do have some overlapping security features, they also offer some unique site protection features that provide us with the comprehensive security that we need to protect our website against malware and attacks.

If you decide to use both, do not enable the same protection feature in both, as it can cause conflicts between these plugins and result in unexpected errors.

All these security plugins are highly customizable and provide several options to lock down your site. You can fine tune the config settings to patch up and lock down 95% of all commonly known vulnerabilities, risks and security holes.

If you’re overwhelmed with all this and would like to hire someone to help out with fully securing your web site, the good news is... we offer a full-fledged security package ourselves where we'll take care of everything for you. It's certainly a big time and money saver.

So if you're worried about your website security, need help to beef up security and don't want the hassle of figuring it out yourself, then just go ahead and purchase our WordPress Advanced Security and Performance (WASAP) package.

We'll customize and fine tune the various configuration options in these plugins to make sure that 95% of all commonly known vulnerabilities, risks and security holes are completely patched and locked down!

Questions?

Site security is not about risk elimination. It's about risk reduction.

If you've any questions/concerns about site security or other membership site questions, please join my Free, Private Facebook group for Membership Site users.