Saturday, March 12, 2016

Some notes on (my) website safety ratings from various sources





Recently, I’ve checked into the website safety tags posted by a couple of Internet security programs on my own sites.  There are a few issues which I will look into, but let me summarize what I see so far.

So far, Kaspersky has left all my sites as gray, as apparently it doesn’t rate “amateur” sites.  On one Windows 8 machine, I have Trend Micro, and Trend right now is not showing ratings (maybe I haven’t tweaked enough).  McAfee has always rated me green.  Most of the time MyWOT is OK, but I do show a lot of unknowns.

My legacy sites (“billboushka.com”, on Unix and doaskdotell.com, on Windows Server, both on Verio) come up as fully “green” on Webroot (“very low risk” of “malicious links” or “payloads”).

These sites are not updated often now, and that could be an issue.  The “billboushka” site has an old WordPress blog which has not been updated, so I am surprised that doesn’t get flagged.
  
Of my 16 blogs on Blogger, the blogs that are not connected to an external URL come up as green. 

However, two of the three (books and movies) come up as grayed-green, which means a slight risk of malicious links or payloads.  The “Bill Boushka” blog which has the name "billboushka.me" comes up orange, which means a more enhanced risk (I’m reminded of the NCOA classifications for risk of severe storms – “marginal”, “slight”, “enhanced”, “moderate”). Furthermore, both WordPress sites (“billsmediareviews.com” and “doaskdotellnotes.com”) show a grayed-green (essentially “slight”) risk, which is not as good as very low risk.

I cannot explain these risks definitively.  But one idea that seems consistent is that Webroot does not like site redirection of blogs to other URLs.  Another is that it also looks with suspicion on the international “.me” suffix (Montenegro).  I used domain names that “Google domains” would automatically assign me.  Since “billboushka.com” is an existing (if not currently updated) domain, it had to give me an international (slightly more expensive) TLD for that blog name.

However, on WordPress, I checked a friend’s site with a similar setup and found Webroot had marked it green.  But that person was using Dreamhost as a service provider, whereas I use BlueHost.

As far as I know, my two modern WordPress domains do have the latest versions of WordPress and plugins with all security enhancements.  I have Akismet to scan for comment spam.  A few spammy-looking comments are allowed, and I have allowed a few to be published that contain ordinary links to commercial household products (from overseas).  Maybe I shouldn’t do that.  On just one occasion, about eight months ago, one spammy pop-up comment got published without moderation, which I had to remove.  I think the vulnerability that allowed that to happen has been fixed.

I am seriously considering making major simplifications to my domain name setup, including consolidating many blogs or sites into fewer, with more material on WordPress.  I will look into all these matters further, particularly to see if one hosting company has better security than another, or if there is an issue with the multiplicity of my own names.

It does not appear that the website safety ratings insist on offering “https”.  Of course, this is mandatory if doing e-commerce, which I may do myself in the future (right now it is all outsourced).  It is significant that Blogger, when redirected to a domain name, does not offer https (but it does when staying within Blogger).  I hope Blogger can fix this.

It does not appear that the use of Adsense affects safety ratings.  But third-party add-ons available for Blogger might, as could some issues with various WordPress plug-ins and templates.

I tried a few of my sites in Norton Safe Web, and found they had not been rated.
 
None of the sites give warnings (from Webroot, Trend, or Norton) when I go to them.  However, I know of one incident where a book publisher's site gave a phishing warning from Norton, only on older versions of Windows, that turned out to be false.
