Because of PHP’s popularity and the sheer number of websites running it, there is a common underlying issue: while new versions of PHP are released regularly, it’s not updated on web servers around the globe nearly as often as it should be.
This poses a serious security problem for both the website and users visiting the website.
You can blame lazy web server (or network) admins, slacking service providers or even website owners who run older websites and don’t ensure that their old website ‘plays’ nicely with newer versions of PHP.
If you’re not too tech-savvy, you may be asking “So what? Why should I even care if my WordPress website is running an older version of PHP?” The short answer is two-fold; 1) Security (the most important no-brainer answer) and 2) “Progress”.
“Security, got ya, but why should I care about progress?” you ask. There is a myriad of fundamental reasons why both your website and your PHP version should be kept up to date.
Firstly, the web and more importantly web technologies move at an astounding pace. As the months go by, incremental improvements are made to the scripting language, massive security improvements are made and more tools, features and optimizations become available to developers.
Web developers rely heavily on a scripting language such as PHP to deliver the end product to a user, be it a web application or website.
Secondly, because of this tectonic shift between the web server, PHP versions and the code running on your website (i.e. a WordPress CMS), it’s common for a CMS to get updated while the PHP version is left behind, usually decaying to a point where it becomes almost critical to update.
This is usually where the problems begin to occur, as certain components / plugins / features cease to work on newer versions of PHP. It can become a very expensive and time-consuming exercise to try to align older code with modern versions of PHP. It’s something that could have been totally avoided if PHP was just incrementally kept up to date on your web server.
In fact, PHP 7.1 is on its way out too, with PHP 7.2 reaching the end of its life span next year, around this time (no more security updates). Here is a handy chart to make sense of it all:
Going into 2020, one should be aiming for a minimum of PHP 7.3 (7.4 if possible) to avoid both headaches and heartbreak. If there is one thing I can ask you to take away from this; it’s the knowledge that not maintaining your PHP version can become a very costly lesson.
As the world changes and we become more reliant on the internet, people need to start protecting themselves – more now than ever before. In today’s modern world (and especially going beyond 2017), the average internet user needs to be more security conscious. Things like hacking and data leaks are on the rise and it’s only going to get worse from here. This has prompted me to write these tips for protecting yourself online.
Things like hacking, phishing, online snooping, using an infected PC, having your logins or identity stolen and other malicious activities, to name a few, are ever increasing. There is hardly a week that goes by without some major vulnerability or flaw being discovered, massive amounts of personal data being leaked online or some major network or website being hacked.
In this article, I’m going to give a few tips that you, an ordinary internet browsing citizen, can use to better secure yourself online and drastically reduce the chances of being caught off-guard. Now, this isn’t a guaranteed list – it’s more of an opinion piece to get the average South African more security conscious. Below I’ve listed 10 things that you as a user can do, install or use to prevent becoming a victim online.
Tips For Protecting Yourself Online
1. Turn On Two-Factor Authentication
Add A Third Layer
The very first step you should take and quite possibly the most impactful in securing your online accounts is turning on Two-Factor Authentication for every online account you possibly can (or where it’s supported). Popular social media platforms such as Facebook, Twitter, Instagram and LinkedIn all support Two-Factor Authentication already and so do most online banking websites and gaming platforms.
What is Two-Factor Authentication? To put it simply, it’s an additional layer of security above your username and password. This is how it works: when you log into a website, you will either be sent an SMS with a unique code or be presented with one on your cellphone/mobile device, and you will have to input it into an additional field on the login form.
Why would anybody want this? Well, for argument’s sake, let’s imagine your username and password are stolen by a hacker and they are trying to log into your online banking account or your favourite social media platform to access some personal information, wreak havoc or steal your identity. Sure, they have your login details, but they are going to hit a hard wall when they try to log into your account. You see, they don’t have the last remaining step needed to complete the login process… the unique code sent to your mobile device, which is securely in your possession. Two-Factor Authentication can take the form of an official app (from the developer) you download for Android/iOS, an SMS, an email or even a completely separate device that can generate a unique code for you.
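How an authenticator app or separate device arrives at that unique code, as an added example that is not part of the original article: a small time-based one-time password (TOTP, RFC 6238) generator and server-side check in Python. The shared secret, the timestamps and the `login` helper are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 6238 test key). A real one is random and is
# shared between the website and your app once, usually by scanning a QR code.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # a new code every 30 seconds
DIGITS = 6


def totp(secret, unix_time, digits=DIGITS):
    """Return the one-time code for the given moment (RFC 6238, HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret, submitted, unix_time, drift_steps=1):
    """Website side: accept the current code, or one step either side for clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, unix_time + step * STEP_SECONDS)
        # Constant-time comparison; the code length is fixed by the server, not the client.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


def login(password_ok, submitted_code, unix_time):
    """Hypothetical login check: both factors must pass."""
    return password_ok and verify_code(SHARED_SECRET, submitted_code, unix_time)


if __name__ == "__main__":
    now = 1111111109  # constructed timestamp
    code = totp(SHARED_SECRET, now)
    print("code shown on the phone:", code)
    print("owner, password + code:", login(True, code, now))
    print("thief, password + guessed code:", login(True, "000000", now))
    print("thief, password + code replayed 5 minutes later:", login(True, code, now + 300))
```

The code depends on a secret that never leaves your device and on the current time, so a stolen password on its own, or an old code, does not get an attacker through the login.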
Some websites and services I recommend turning this feature on:
Your Google Account (Gmail/Drive/Docs)
Your Microsoft account
Various gaming platforms like Steam, Blizzard Battle.net, PSN
LastPass (or any password storage sites)
Any accounts where you have cloud storage
2. Install A Trusted Antivirus
Skip Free, Go Premium
Any PC connected to the internet in 2017 and beyond should, without a doubt, have a really good Anti-virus running on its operating system. It’s possibly the oldest advice in the book, and the most obvious, but it’s still definitely a large precautionary step you can take.
My personal advice is to ditch the free stuff – in my opinion they usually have a downside, from being bloated or loaded with nonsense tools to being unable to do automatic definition updates or having very limited scanning functionality. Go for a premium, reliable Antivirus and fork out for the yearly license – trust me, as much as you may not like hearing that, it’s worth it! When it comes to using an Antivirus, free is definitely NOT better.
If you’re still using Internet Explorer (or an old version of any internet browser for that matter), stop immediately! Not only are you holding back the natural progression of the web with your old browser, you’re potentially exposing yourself to all kinds of exploits and hijacking attempts.
The web is constantly evolving, pushing forward using new web development standards, techniques and features implemented in modern browsers. By using an old browser, you’re not only subjecting yourself to limited accessibility (by not being able to experience new features or in some cases, entire websites), but you are open to being compromised online by an opportunist hacker.
Starting from Windows 10, Microsoft introduced Edge, a new web browser to replace the old (and much hated by Web Developers) Internet Explorer. Microsoft Edge has made some massive improvements and should be your immediate replacement if you don’t feel like downloading and installing a new browser. However, I urge you to use Google Chrome – arguably the most used (and preferred) Web Browser in use today. I personally recommend Google Chrome over Microsoft Edge as it’s a superior and safer browser in my opinion.
You should be using: Google Chrome (or at the very least Edge on Windows 10). This goes for both your desktop and mobile device (use Chrome on mobile).
4. Take notice of HTTPS
Open your eyes
Stop what you’re doing right now and take a moment to gaze at the address bar in your browser. To the top-left of the address, does it say HTTP or HTTPS? I can bet you right now that it reads HTTPS. The S at the end of HTTPS means “Secure”. That’s right, this is a secure website and all traffic between you and this website is encrypted.
What makes HTTPS so much better than HTTP? For starters, it’s secure. HTTPS verifies the website is the one that the web server should be talking to, prevents tampering by third-party apps and stops man-in-the-middle (MiTM) attacks, making a website safer for visitors.
Unfortunately, many people (even some web developers) are of the opinion that HTTPS offers protection only to websites using sensitive passwords and other form data. This is not true. Even regular content benefits from the encryption.
From now on, on every website you visit, I want you to check the browser’s address bar and make sure that the website you’re on says “Secure”. If it’s not secure, be wary as you’re browsing in unsafe space.
Thankfully you can even automate and force your browser to use HTTPS all the time by installing an extension for your browser. There is a great extension called HTTPS Everywhere that takes care of this for you.
Online adverts – not only are they annoying, but they can be compromised (with or without intent) to serve malicious adverts that can infect a user’s PC. This has happened a few times in the past and quite frankly it’s unacceptable. Not only are adverts absolutely pointless to the user, but they take up precious bandwidth, screen space, show you nonsense and can be downright annoying. You don’t need them and thankfully there is a very easy remedy for getting rid of them completely. Install an ad blocker extension for your web browser. There are a handful of decent ones out there, but uBlock Origin is by far my personal recommendation.
All internet traffic relayed between you and your ISP can be intercepted and spied upon. That much is a fact. It can be snooped on by anyone tech-savvy enough or any organization that wants to know more information about you by your browsing activities. This can either be seen as a good thing (if you’re the government) or a bad thing (which it typically is), but ultimately, spying on someone’s internet traffic is never appreciated or wanted.
A way to deal with this and make it nearly impossible for anyone to know anything about what you’re doing online is to have your traffic encrypted so that even your Internet Service Provider doesn’t know what you’re up to. Now I don’t condone dodgy website browsing, so I’m purely speaking about this from an honest and concerned place; nobody should be spying on your internet traffic and as an extra layer of online security, a VPN can go a long way to ensuring that your data is masked from prying eyes.
I’m going to say this upfront; avoid free VPNs. They either store all your information (making their purpose completely useless), expose you to other forms of malicious behaviour or have very poor performance. Instead, opt for something premium and reliable.
Watch this video from Techquickie to learn how VPNs work:
Gamers take note: In my experience, a VPN is not for you. I’ve found it to have a negative impact on online gaming as latency is increased causing you to have higher than expected pings.
My recommendation: NordVPN ($11.95 per month / +- R160 per month – they have a South African mirror)
7. Switch to a Password Manager
Keep it secure
I recently made the switch to LastPass, a very well-known and established password manager that offers a very good Free subscription to keep all my passwords safe. LastPass consists of 4 components; 1) the LastPass website, 2) a browser extension, 3) LastPass software installed on your PC and 4) a mobile app for your Android/iOS device.
What’s the advantage of switching to a Password Manager? Simple, you can keep all your passwords in one single repository behind a master username and password with two-factor authentication enabled. You can then change all the passwords to your various accounts to something so complicated that not even you will know what it is and simply use LastPass to auto-fill the login fields for you. Not only will you only ever have to remember one set of login details again, but all of your accounts will have MUCH more secure passwords that LastPass has generated for you. (Not a fully recommended approach, but definitely one you can use)
Like installing an Antivirus, this is another no-brainer for everyone. Keep your copy of Windows up to date! This is critical, especially as Windows exploits are on the rise and Microsoft is pretty much patching vulnerabilities on a near-weekly basis. If you are using an old version of Windows (anything less than Windows 10), you’re already asking for trouble. Windows 7 and 8 are at the end of their support cycles and Microsoft will not assist you with older versions going forward into 2018 and beyond.
Shell out for Windows 10 and always keep it up to date. Windows 10 is arguably the securest version of Windows to date (in my opinion) and going into 2018 and beyond, there is no reason you should be using anything older than 10.
PSA: Keep your Windows updated!
9. Stop Windows Spying
Windows 10 is a fantastic operating system and it’s really a pleasure to work with. Unfortunately, it’s got a bit of an issue talking back to Microsoft about what you do with your copy of Windows – this is referred to as telemetry.
Things like personal information, the apps you’re running and user behaviour are reported back to Microsoft and while they promise this information is safe and is used to better enhance their product, it’s still not cool. Thankfully the guys over at O&O Software have developed a free application to deal with telemetry in Windows 10 and it’s called ShutUp10 – a completely free product you can install and use.
Using it is really simple and I recommend enabling the recommended telemetry blocks.
One of the best ways to prevent a hack is to not have an account at all. Over the years, I’m sure you’ve accumulated a lot of online accounts that you either hardly use or have forgotten about. If you find yourself not using something like Twitter or Pinterest or perhaps some other online service (Instagram or your MySpace account?), maybe it’s time to close your account for good. Remember: hackers can’t access what isn’t there.
It might even be worth going on a social media / online accounts diet soon and culling all those online accounts you haven’t bothered to check in the last 6 months or 6 years – let’s face it, you’re probably never going to need them again and if you do, you can always re-open them.
Security is a massive concern for everyone. There isn’t too much to do once you’ve been compromised other than change your username and password, but nobody wants it to get to that stage.
Remember, always use a secure password and at the very least, all passwords you use should contain at least 1 capital letter, a number and a special character (like !#%^&*), i.e. instead of password123 (just to be clear you should NEVER use this), try something like Passw0rd123% (also to be clear, don’t use this – your passwords should be a lot stronger – this is a baseline example).
Common sense also goes a long way:
Remember to NOT click on links in emails you don’t trust or remember.
Don’t install those additional components you don’t need when installing new software (nobody needs a new toolbar for their browser).
Always scan a USB flash drive through an antivirus.
Don’t insert any flash drives you are unsure about.
STOP connecting to free/public Wi-Fis.
Nobody wants to be a victim, however with the 10 tips I’ve mentioned above, I can assure you that your chances of something unwanted happening online will be significantly reduced.
Interestingly, during the writing of this article (it takes me a couple of days sometimes), a very significant and serious security flaw came to light, particularly targeting Wi-Fi connections that make use of WPA2. The flaw essentially allows exploiters to intercept, access and manipulate the data you send over Wi-Fi. Do you want to know the scariest part? Virtually every router and mobile device in existence today is vulnerable at the time of this discovery and announcement. Ok, so how can one mitigate this? For starters, by using the points outlined above. The next step would be to completely stop using Wi-Fi (especially public Wi-Fi spots) until your router firmware or device is patched with a fix.