Website Security – ChemiCloud Knowledge Base & Self-Support Center
https://chemicloud.com/kb

Imunify360 WordPress Account Compromise Alert
https://chemicloud.com/kb/article/imunify360-wordpress-account-compromise-alert/
Published: Tue, 02 Apr 2024 19:02:17 +0000

As your trusted hosting provider, we’re excited to announce a significant upgrade to our security suite with the integration of Imunify360’s latest feature to bolster WordPress login protection. This innovative tool enhances our defenses against brute-force attacks by scrutinizing login attempts for weak passwords and taking immediate corrective action.

The new feature from Imunify360 works by analyzing login attempts to WordPress sites and checking the passwords used against a database of known weak passwords. If a login attempt is made with a weak password, the user is not allowed to log in and is instead redirected to a password reset page similar to the one shown below:

This preemptive approach significantly reduces the risk of successful brute-force attacks, ensuring that WordPress accounts remain secure against such vulnerabilities.

It represents our ongoing commitment to providing secure, hassle-free hosting environments for our valued customers. Stay secure and ahead of threats with our latest security enhancements!

How to Block Bad Bots and Spiders using .htaccess
https://chemicloud.com/kb/article/block-bad-bots-and-spiders-using-htaccess/
Published: Thu, 05 Aug 2021 10:38:51 +0000

Is your website struggling with spam comments, content scrapers, bandwidth leeches, and other unwanted bots? These bad bots can consume valuable hosting resources and negatively impact your site’s performance.

In this guide, we’ll show you how to block bad bots with minimal effort using .htaccess. Let’s get started!

Automatic Bot Blocking for ChemiCloud Customers

If you’re a ChemiCloud customer, you’re already protected! We have custom security rules that automatically block known resource-draining bots, including:

  • PetalBot
  • MJ12bot
  • DotBot
  • SeznamBot
  • 8LEGS
  • Nimbostratus-Bot
  • Semrush
  • Ahrefs
  • AspiegelBot
  • AhrefsBot
  • MauiBot
  • BLEXBot
  • Sogou

If you actively use services like Ahrefs and need access, our support team can disable the relevant rule for your account. Just reach out—we’re happy to assist!

Identifying Bad Bots

Before blocking bots, it’s important to identify them. You can do this by analyzing your website’s log files. While interpreting logs takes some practice, you can also use log-parsing software to simplify the process.

A quick Google search can provide tools to help analyze logs, or you can use Excel for manual filtering based on patterns in requests. Once you identify the problematic bots, you can block them using different methods:

  • Blocking via Request URI
  • Blocking via User-Agent
  • Blocking via Referrer
  • Blocking via IP Address

Before applying these methods, make sure to research the bot in question. A simple search can reveal whether it’s harmful or useful.
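One way to do the log review described above, as an added example (not ChemiCloud's own tooling): it parses Apache combined-format log lines, counts user agents, and finds URL tokens that recur across several client IPs in 4xx responses, then drafts .htaccess rules for review. The sample log lines, bot names and the `min_clients` threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample input (documentation IP ranges, made-up bot names).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Aug/2021:10:00:01 +0000] "GET /asdf-crawl/request/?scanx=123 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; ExampleBotA/1.0)"
198.51.100.23 - - [05/Aug/2021:10:00:04 +0000] "GET /sflkjfglkj-crawl/request/?scanx=123445 HTTP/1.1" 404 512 "http://spamreferrer1.org/" "ExampleBotB/2.1"
192.0.2.55 - - [05/Aug/2021:10:00:09 +0000] "GET /qwer-crawl/request/?scanx=9 HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [05/Aug/2021:10:01:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8120 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.10 - - [05/Aug/2021:10:01:02 +0000] "GET /missing-page/ HTTP/1.1" 404 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.7 - - [05/Aug/2021:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; ExampleBotA/1.0)"
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return (entries, skipped); entries are dicts of the named log fields."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LOG_RE.match(line)
        if match:
            entries.append(match.groupdict())
        else:
            skipped += 1
    return entries, skipped


def top_agents(entries, n=5):
    """Most frequent User-Agent strings; bots may also send browser-like agents."""
    return Counter(e["agent"] for e in entries).most_common(n)


def recurring_tokens(entries, min_clients=3):
    """Tokens in 4xx request URIs that were sent by at least min_clients IPs.

    Path and query-string tokens are kept apart because RedirectMatch only
    tests the URL path, while query strings need a mod_rewrite condition.
    """
    clients = defaultdict(set)
    for e in entries:
        if not e["status"].startswith("4"):
            continue
        path, _, query = e["uri"].partition("?")
        for where, part in (("path", path), ("query", query)):
            for token in set(re.findall(r"[a-z]{4,}", part.lower())):
                clients[(where, token)].add(e["ip"])
    found = {"path": [], "query": []}
    for (where, token), ips in clients.items():
        if len(ips) >= min_clients:
            found[where].append(token)
    return {where: sorted(tokens) for where, tokens in found.items()}


def draft_rules(tokens):
    """Draft .htaccess rules for human review; drop tokens real pages also use."""
    lines = []
    if tokens["path"]:
        lines += ["<IfModule mod_alias.c>",
                  f"    RedirectMatch 403 ({'|'.join(tokens['path'])})",
                  "</IfModule>"]
    if tokens["query"]:
        lines += ["<IfModule mod_rewrite.c>",
                  "    RewriteEngine On",
                  f"    RewriteCond %{{QUERY_STRING}} ({'|'.join(tokens['query'])}) [NC]",
                  "    RewriteRule (.*) - [F,L]",
                  "</IfModule>"]
    return "\n".join(lines)


if __name__ == "__main__":
    entries, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} lines, skipped {skipped}")
    for agent, hits in top_agents(entries):
        print(f"{hits:4d}  {agent}")
    print(draft_rules(recurring_tokens(entries)))
```

In the sample, the generic token "request" is flagged alongside "crawl", which is why the drafted rules need a review pass before they go into .htaccess.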


Blocking Bad Bots with .htaccess

Blocking via Request URI

If your logs show suspicious query patterns, such as:

https://www.example.com/asdf-crawl/request/?scanx=123
https://www.example2.net/sflkjfglkj-crawl/request/?scanx123445

These requests likely have different user agents, IPs, and referrers. The best approach is to block requests based on recurring patterns. Common elements in the above examples include:

  • crawl
  • scanx

To block such requests, add this to your .htaccess file:

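# Block via Request URI
# The pattern is an unanchored regex tested against the URL path only,
# so "crawl/" also matches paths such as /asdf-crawl/request/
<IfModule mod_alias.c>
    RedirectMatch 403 crawl/
</IfModule>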

To block multiple patterns, use:

# Block via Request URI (scanx only matches here when it appears in the path)
<IfModule mod_alias.c>
    RedirectMatch 403 (crawl|scanx)
</IfModule>

If the pattern appears in the query string (after the ? symbol), use mod_rewrite instead:

# Block via Query String
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (crawl|scanx) [NC]
    RewriteRule (.*) - [F,L]
</IfModule>

Always test your site after applying these changes!


Blocking via User-Agent

If a bot repeatedly accesses your site under a specific user agent, block it with:

# Block via User-Agent
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} (EvilBotHere|SpamSpewer|SecretAgentAgent) [NC]
    RewriteRule (.*) - [F,L]
</IfModule>

To add more bots, use a pipe (|) separator:

RewriteCond %{HTTP_USER_AGENT} (EvilBotHere|SpamSpewer|AnotherOne|YetAnother) [NC]

To test, use online tools like “Bots vs Browsers.”


Blocking via Referrer

If spammers or scrapers access your site through certain referrers, block them with:

# Block via Referrer (https? matches both http:// and https:// referrers)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^https?://(.*)spamreferrer1\.org [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://(.*)bandwidthleech\.com [NC,OR]
    RewriteCond %{HTTP_REFERER} ^https?://(.*)contentthieves\.ru [NC]
    RewriteRule (.*) - [F,L]
</IfModule>

The last RewriteCond should not include [OR] to properly terminate the condition.


Blocking via IP Address

Blocking by IP is useful in specific cases, though many bots use rotating IPs. To block a single IP:

# Block via IP Address
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^123\.456\.789\.000$
    RewriteRule (.*) - [F,L]
</IfModule>

To block multiple IPs:

# Block multiple IPs
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^123\.456\.789\.000$ [OR]
    RewriteCond %{REMOTE_ADDR} ^222\.333\.444\.555$ [OR]
    RewriteCond %{REMOTE_ADDR} ^111\.222\.333\.444$
    RewriteRule (.*) - [F,L]
</IfModule>

For blocking a range of IPs:

# Block a range of IPs
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} ^123\. [OR]
    RewriteCond %{REMOTE_ADDR} ^111\.222\. [OR]
    RewriteCond %{REMOTE_ADDR} ^444\.555\.777\.
    RewriteRule (.*) - [F,L]
</IfModule>

This example blocks:

  • All IPs starting with 123.
  • All IPs starting with 111.222.
  • All IPs starting with 444.555.777.

Final Thoughts

Blocking bad bots helps protect your website’s resources, improve performance, and prevent unwanted activity. While ChemiCloud provides automated protection, you can fine-tune bot blocking based on your specific needs using the methods above.

If you have any questions or need assistance, our support team is here to help!

How to Run a Malware Scan in cPanel Using Imunify360
https://chemicloud.com/kb/article/how-to-use-the-malware-scanner-removal-tool/
Published: Mon, 12 Jul 2021 09:06:06 +0000

At ChemiCloud, we’re always working to provide our customers with the latest in Web Hosting Technology; whether it helps their site be faster or more secure, we want our customers to have the best.

That’s why we have introduced a new Malware Scanner & Removal tool that will save our customers time and money when it comes to fighting the ever-growing malware threat.

Imunify360 powers the malware scanner & removal tool.

Essential Pre-requisites Before Using The Malware Scanner

  • The Malware Scanner & Removal Tool is free on Turbo and all Reseller Hosting Plans. If you’d like to upgrade your web hosting plan to a Turbo or Reseller plan, please open a ticket from your Client Area, and our team will be happy to make that happen for you! If you’re a VPS Hosting customer, you can get this helpful tool as an add-on.
  • Scheduling scans is currently not supported. Scans must be manually initiated from your cPanel > Imunify360 App.
  • You don’t have to keep your cPanel open during the scan.
  • The scan results will also be emailed to the cPanel Administrative Contact. Please ensure your email address in cPanel is up-to-date. If you are unsure or unfamiliar with how to update that email address, you can review our Knowledge Base article on the subject here.

What is the Malware Scanner & Removal Tool?

The Malware Scanner & Removal Tool is an application that we have added to your cPanel, which allows you to scan your web hosting account for files that may be infected with Malware. These infections commonly infect PHP files or scripts vital to a CMS’s normal functioning, such as Drupal, Joomla, or WordPress.

Overall, the tool is a comprehensive security application and utilizes highly tailored and integrated components for web server security.

How Does The Malware Scanner & Removal Tool Work?

The Malware Scanner & Removal Tool references an off-site database of known and highly probable malware infections and compares the files on your web hosting account to those known to be infected using machine learning and Cloud-based heuristics. The tool can detect the most sophisticated attacks, including the infamous zero-day and distributed brute-force attacks, and delivers robust and comprehensive protection for your web hosting account.

Using machine learning, it can compare an infected PHP file against a “clean version” of that file and extract precisely the malware, leaving your original files intact and undamaged.

How can the Malware Scanner & Removal Tool Help?

The Malware Scanner & Removal Tool can help you by saving you time, as it can quickly scan your website(s) and clean them of any infection. This tool can also potentially save you money, as you might otherwise have had to hire a developer or 3rd party security service to clean your website and make it safe again.

Why Does a Website Get Infected With Malware?

Below are some possible reasons your website may have been infected with malware:

  • Vulnerable Website Code: Just like good products and designs attract visitors to your website, lousy code attracts hackers like moths to a flame. Your website may often contain deprecated functions known to be vulnerable to some attacks. Hackers often search for these functions and exploit websites with these vulnerabilities for their gain.
  • Lack of Input Sanitization: A website has multiple input forms, such as the search bar, login area, comments boxes, registration areas, and more. If the inputs captured by the website aren’t sanitized, they often allow a hacker to inject malicious code. This is an easy way to enter the website without much effort. Attacks like this include XSS (Cross-Site Scripting) and SQL Injection.
  • Outdated Plugins: If your site runs on WordPress, you’re probably running plugins to help with forms, SEO, insert and manage Media, and more. The developers of these plugins spend copious amounts of time on them, and a good developer pushes regular updates. It’s up to you to keep your plugins up to date, as it’s possible an update was pushed because an exploit was found in the version of the plugin you’re running, and you got infected because you didn’t update that plugin.
  • Not using CAPTCHAs: No one likes CAPTCHA, but its impact on spam from forms cannot be denied. It’s essential to use CAPTCHA because it adds a layer of protection to the form it’s being used on, such as comments and login forms. This layer of protection acts as an additional barrier for your site, and not using them is possibly asking for trouble.

How to Run a Malware Scan in cPanel Using Imunify360

Step 1: Log in to your cPanel. There are many ways to do this, but the sure-fire easiest way is to log in to your Client Area, then open your cPanel.

Step 2: Scroll down to the Security section of your cPanel and open the Imunify360 application.

Step 3: The Imunify360 application will load. To run a new scan, click the “Start Scanning” button.

A modal window will appear asking you to confirm you want to start the scan. Click “Yes, Start Scan” to proceed.

The scan will be added to the queue:

When the scan is finished, you will receive an email message to the Administrative Contact email set for the cPanel account under which you ran the Malware Scan.

  • Please ensure your email address in cPanel is up-to-date. If you are not sure or are not familiar with how to update that email address, you can review our Knowledge Base article on the subject here.

How to Clean Up Files Infected with Malware in cPanel

Step 1: Log in to your cPanel. There are many ways to do this, but the sure-fire easiest way is to log in to your Client Area, then open your cPanel.

Step 2: Scroll down to the Security section of your cPanel and open the Imunify360 application.

Step 3: The Imunify360 application will load and the Malicious Files discovered in the scan will be listed. See below:

Step 4: Let’s take a look at our available actions for these files. Under the actions column, we have 3 icons.

  • The eye icon (view file) allows you to view the file that is infected and examine its code/content.
  • The broom icon (cleanup file) will clean the selected file and rid it of the malware infection.
  • The cog will give you the option to add the infected file to the ignore list. This can be helpful if the file is listed and you know it to be a false-positive.

In this case, I have 5 files that are infected, as indicated in the image above. I want to go ahead and clean all of these files. To do that, I’m going to select all of them using the checkbox in the top left of the list of files, then click the green Clean up all button.

After clicking Clean up all, a modal window will appear with a warning and notice with the following information:

  • Original (infected) files backup will be available for 14 days after the cleanup was performed. You’ll see “Cleaned” and “Removed” items in the Malicious Files table until that backup is removed.
  • Any quarantined files will be restored from quarantine during cleanup.

 

A message will appear stating the cleanup has started.

Step 5: After the cleanup finishes, you will see a list of the files that were infected and the Status of them will have changed to Content Removed.

And just like that, Imunify360 has removed the malware from the account.

How to Use the Proactive Defense Mode in the Malware Scanner & Removal Tool

The website Malware Scanner & Removal Tool features an advanced tool called Proactive Defense that can help make PHP-based websites more secure by terminating PHP scripts with malicious activity occurring in them, including insecure WordPress plugins and any other outdated and unpatched applications which can be easily compromised.

You can access the Proactive Defense mode by clicking “Proactive Defense” from the row of options at the top of Imunify360.

The default mode of operation for Proactive Defense is disabled. However, if you choose to enable it, please note the following:

While we are extensively testing Proactive Defense on a large number of different software, it is possible that we will have a false positive, and PHP script will be prevented from executing, causing page not to load. In the production version you will have a possibility to whitelist such scripts, and more granularly — for a particular execution path. Use this feature at your own risk.

When enabled, you have the choice of the following 2 mode settings:

  • Log only – this will only log suspicious events.
  • KILL Mode – this will terminate the script as soon as an attack is detected and guarantees the highest level of protection.

The table beneath the Mode settings will list the detected events, along with the ignore list if you have placed any events on it.

Frequently Asked Questions about the Proactive Defense Option

Q: Can Proactive Defense prevent the malicious activity of cron jobs? Can the cron job execute in a way so the Proactive Defense module is not loaded?

A: Proactive Defense is a PHP module that should execute any time a PHP script is executed, including when PHP is run from a cron job. Note that hackers can create a cron job with a PHP script started from a custom php.ini to skip loading Proactive Defense. To prevent this from happening, we recommend using exclusively HardenedPHP, where the Proactive Defense component cannot be skipped by using a custom php.ini.

Q: Are there any restrictions for use with different PHP handlers?

A: Proactive Defense can work with any PHP handler, provided the PHP version is 5.4 or higher.

Q: Can I benefit from Proactive Defense if I have Cloudflare WAF enabled for my website?

A: Cloudflare WAF and other WAF check only HTTP requests and not the actual PHP execution. As a result, Proactive Defense adds another layer of protection to your site.

Q: What is the difference between Proactive Defense and other services like Wordfence?

A: Most security tools like Wordfence are tailored for a single CMS (e.g. WordPress) and work only for hosting accounts they are installed for. In addition, they are signature-based, so they cannot block PHP script execution proactively.

Q: Will Proactive Defense affect my website’s performance?

A: It slows down PHP script execution by approximately 3-5%. This means that if the script was loading 0.2 seconds before, it will now take around 0.206 seconds.

 

Strong Password Guidelines
https://chemicloud.com/kb/article/strong-password-guidelines/
Published: Tue, 06 Apr 2021 18:45:33 +0000

Creating and using strong passwords should be part of your daily life. This Knowledgebase article will share guidelines you should stick to when creating secure passwords, as well as tips on managing passwords.

Strong Password Guidelines

Creating a secure password

Things to keep in mind:

  1. Use a different password for each website.
  2. Use at least 8 characters.
  3. Use one or more of each of the following:
    1. lower-case letters
    2. upper-case letters
    3. numbers
    4. punctuation marks and other symbols, such as !@#$%^&*()
  4. You can use lookalike characters to protect against people who may glimpse at your password:
    1. O as in Oscar and the number 0.
    2. Lower-case l and upper-case I.
    3. The letter S and the $ sign.

Things to avoid:

  1. Using the same password for every website.
  2. Using words you can find in the dictionary.
  3. Passwords shown as “example strong password”.
  4. Personal information, like names and birthdates.
  5. Keyboard patterns, like qwerty and 12345. Particularly avoid sequences of numbers in order.
  6. Common acronyms.
  7. A password made up of one character type, such as all numbers, all upper-case letters, all lower-case letters, etc.
  8. Repeating characters, such as cccc3333.
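The mechanical parts of the two lists above can be checked in code. This is an added example, not a ChemiCloud tool: `check_password` reports which guidelines a candidate breaks, and `generate_password` draws from the operating system's CSPRNG until the result passes. The keyboard-pattern list beyond qwerty and 12345 is an assumption, and the dictionary-word and personal-information rules are left out because they need a word list.

```python
import re
import secrets
import string

SYMBOLS = "!@#$%^&*()"
# "qwerty" and "12345" come from the guidelines; the other two are assumed extras.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "12345")


def has_digit_sequence(password, run=3):
    """True if the password contains `run` or more digits in ascending order."""
    streak = 1
    for a, b in zip(password, password[1:]):
        if a in string.digits and b in string.digits and int(b) - int(a) == 1:
            streak += 1
            if streak >= run:
                return True
        else:
            streak = 1
    return False


def check_password(password):
    """Return the list of guideline violations (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("missing_lower")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("missing_upper")
    if not any(c in string.digits for c in password):
        problems.append("missing_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("missing_symbol")
    if any(p in password.lower() for p in KEYBOARD_PATTERNS):
        problems.append("keyboard_pattern")
    if has_digit_sequence(password):
        problems.append("digit_sequence")
    if re.search(r"(.)\1\1", password):  # same character three times in a row
        problems.append("repeated_chars")
    return problems


def generate_password(length=16):
    """Random password from the OS CSPRNG that satisfies check_password()."""
    if length < 8:
        raise ValueError("length must be at least 8")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("cccc3333", "Qwerty12345!", "iv,mockRek9"):
        print(sample, check_password(sample) or "ok")
    print(generate_password())
```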

Tips for creating memorable passwords:

While passwords that are easy for you to remember are also less secure than a completely random password, following these tips can help you find the right balance between convenience for you and difficulty for hackers.

  1. Create a unique acronym for a sentence or phrase you like.
  2. Include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh.’
  3. Jumble together some pronounceable syllables, such as ‘iv,mockRek9.’

Keep your password secret!

  1. Never tell your password to anyone (this includes significant others, roommates, coworkers, etc.). If you need to grant someone access to your server, set up a separate username and password for that person.
  2. Never write your password down, especially not anywhere near your computer.
  3. Do not store your password in a plain text file on your computer.
  4. Never send your password over an unencrypted connection – including an unencrypted email.
  5. Periodically test your current password.
  6. Update your password every six months.

Struggling with security issues? ChemiCloud is the hosting solution designed to save you time! 🤓 Check out our web hosting plans!

Password Management Tools

If you create a new, randomly generated password for each website you sign up for, you’ll end up with a lot of passwords you need to remember. It would be nigh impossible for any human to do this, which is why, through the miracle of technology, we have the password manager.

At ChemiCloud, our top recommended password manager is Bitwarden.

Why? Because not only is it entirely FREE, it’s also open-source software, which means anyone can examine the codebase the application runs on and see if it’s spying on you. The source code for Bitwarden is hosted on GitHub and everyone is free to review, audit, and contribute to the Bitwarden codebase.

We believe that being open source is one of the most essential features of Bitwarden. Source code transparency is an absolute requirement for security solutions like Bitwarden.

Bitwarden is available for all major web browsers, operating systems, and mobile operating systems. Lock your passwords and private information with end-to-end AES-256 bit encryption, salted hashing, and more today!

Additional Password Management Tools:

1Password – 1Password is very similar to Bitwarden but is not free. The premise of the application is otherwise the same: it saves your passwords and auto-fills forms for you with the login credentials needed.

Random Password Generators

If you are going to use a web-based password generator, the best one is from Random.org.

Why?

Random.org’s password generator is the best web-based password generator because the randomness used comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs to generate a random password.

The passwords generated by this form are transmitted to your browser securely, via SSL, and are not stored on the random.org server.

Another great site is GRC Perfect Passwords. Every time this page is displayed, their server generates a unique set of custom, high-quality, cryptographic-strength password strings which are safe for you to use.

What makes passwords generated from the GRC site perfect and safe?

Every password generated using this site is entirely random (maximum entropy) without any pattern, and the cryptographically strong pseudo-random number generator they use guarantees that no similar strings will ever be produced again.

Also, because this page will only display itself over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page was custom generated just now and will not be cached or visible to anyone else.

Therefore, these password strings are just for you. No one else can ever see them or get them. You may safely take these strings as they are, use chunks from several to build your own if you prefer, or do whatever you want with them. Each set displayed is totally, uniquely yours — forever.

 

How do I Create a Content Security Policy?
https://chemicloud.com/kb/article/content-security-policy/
Published: Thu, 18 Mar 2021 14:55:32 +0000

A Content Security Policy, or CSP, is an additional layer of security delivered via an HTTP Header, similar to HSTS technology. This policy helps prevent various kinds of attacks, including Cross-Site Scripting (XSS) and other code injection attacks by defining content sources that are approved, therefore allowing the browser to load them.

Without a Content Security Policy, the browser will just load all files on the page without considering their source, which could be a harmful site. That puts the site and visitors at higher risk of malicious activity.

What browsers support Content Security Policies?

All major browsers offer full or partial support for Content Security Policies.

However, in the event that someone’s using a really old browser, the Content Security Policy won’t be applied. Content Security Policies are backward compatible which means that older browsers are still able to view webpages that are protected by said Content Security Policies, and vice-versa.

What directives are supported in a Content Security Policy?

There are many directives available to website owners who want to implement a Content Security Policy. A server can also define which directives it uses within its own security header. The following list outlines the directives available for use along with their description:

  • default-src Define loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback),
  • script-src Define which scripts the protected resource can execute,
  • object-src Define from where the protected resource can load plugins,
  • style-src Define which styles (CSS) the user applies to the protected resource,
  • img-src Define from where the protected resource can load images,
  • media-src Define from where the protected resource can load video and audio,
  • frame-src Define from where the protected resource can embed frames,
  • frame-ancestors Specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>,
  • font-src Define from where the protected resource can load fonts,
  • connect-src Define which URIs the protected resource can load using script interfaces,
  • form-action Define which URIs can be used as the action of HTML form elements,
  • sandbox Specifies an HTML sandbox policy that the user agent applies to the protected resource,
  • script-nonce Define script execution by requiring the presence of the specified nonce on script elements,
  • plugin-types Define the set of plugins that can be invoked by the protected resource by limiting the types of resources that can be embedded,
  • reflected-xss Instructs a user agent to activate or deactivate any heuristics used to filter or block reflected cross-site scripting attacks, equivalent to the effects of the non-standard X-XSS-Protection header,
  • report-uri Specifies a URI to which the user agent sends reports about a policy violation

The above directives can all be used when creating a Content Security Policy, depending on what you want to accomplish.

How to Create a Content Security Policy

Considering the number of directives in the list in the above section, there are a lot of options available for Administrators to create their Content Security Policy. The CSP header format is Content-Security-Policy: policy. The following shows a few examples for configuring your Content-Security-Policy header.

Example #1

This CSP will allow scripts from both the current domain (defined by 'self') as well as https://www.google-analytics.com.

Content-Security-Policy: script-src 'self' https://www.google-analytics.com

Example #2

The default-src directive set to https: will allow the browser to load the resource from any origin using https://.

Content-Security-Policy: default-src https:

Example #3

This CSP allows for any resource to be loaded from the current domain as well as any subdomain of example.com (both HTTP and HTTPS).

Content-Security-Policy: default-src 'self' *.example.com

Example #4

The following CSP makes use of the frame-ancestors directive, which defines which sources are allowed to embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. To allow only your site, use the following.

Content-Security-Policy: frame-ancestors 'self'

Example #5

Ports can also be defined in content security policies. This example restricts resources to be loaded only from https://www.keycdn.com using port 443.

Content-Security-Policy: default-src https://www.keycdn.com:443

Example #6

The first part of this example, default-src 'none';, tells the browser not to load any resources from any sources, while the second part, script-src https://www.keycdn.com, tells the browser to allow scripts from www.keycdn.com over https://.

Content-Security-Policy: default-src 'none'; script-src https://www.keycdn.com

For a detailed list of examples and references, visit content-security-policy.com.

You can also use this really cool tool called cspisawesome.com to easily create a CSP specific to your site’s needs.

Testing Your New Content Security Policy

Once you’ve determined how you want to define your Content Security Policy, it’s time to put it to the test and make sure it works as described on the tin.

For testing purposes, instead of defining your CSP as Content-Security-Policy: you may use Content-Security-Policy-Report-Only: instead. This won’t enforce the policy rules on the web page but will simply provide you with feedback as to how the policy will react.

This example uses the following CSP. For Nginx users, this snippet is placed within the configuration file.

add_header Content-Security-Policy-Report-Only "default-src 'none'; script-src http://wordpress.keycdn.net";

For Apache & Litespeed users, the following would be placed in the configuration file:

Header set Content-Security-Policy-Report-Only "default-src 'none'; script-src http://wordpress.keycdn.net;"

Once this CSP has been set on your origin server, you can open up your browser’s console and will see feedback based on the directives set.

When you’re happy with the results of your CSP, you can remove the Report-Only section of the header so that the Content Security Policy will take effect.

CSP Reporting

Now that you’ve got your Content Security Policy properly configured and in place, your site will be much less vulnerable to XSS attacks. However, in the event that the Content Security Policy does trigger an unwanted action, the report-uri directive can be utilized to keep track of any activity that is in violation of the Content Security Policy.

Using this directive, the browser will post a JSON formatted report to the defined URL of your choosing. This directive can be appended to the end of your Content Security Policy like this:

Content-Security-Policy: default-src 'none'; script-src https://example.com; report-uri https://report.example.com

When a report is triggered, it will look something like this:

{
    "csp-report": {
        "document-uri": "https://example.com",
        "referrer": "https://malicious.com",
        "blocked-uri": "https://malicious.com/assets/js/xss.js",
        "violated-directive": "script-src https://example.com",
        "original-policy": "default-src 'none'; script-src https://example.com; report-uri https://report.example.com"
    }
}

Once Reporting is properly configured, you will be able to keep a closer eye on which sources are in violation of your new Content Security Policy.
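To work through collected reports before switching from Report-Only to an enforced policy, the bodies can be grouped by violated directive and blocked origin. This is an added example, not code from ChemiCloud or any reporting service; the report bodies are constructed in the format shown above, and the `trusted_origins` set is an assumption standing in for the third parties you have actually decided to allow.

```python
import json
from collections import Counter
from urllib.parse import urlsplit


def _report(blocked_uri):
    """Build a constructed report body shaped like the sample above."""
    return json.dumps({"csp-report": {
        "document-uri": "https://example.com",
        "blocked-uri": blocked_uri,
        "violated-directive": "script-src https://example.com",
        "original-policy": "default-src 'none'; script-src https://example.com; "
                           "report-uri https://report.example.com",
    }})


# Constructed sample input, including one body that is not valid JSON.
SAMPLE_REPORTS = [
    _report("https://malicious.com/assets/js/xss.js"),
    _report("https://www.google-analytics.com/analytics.js"),
    _report("https://www.google-analytics.com/analytics.js"),
    _report("inline"),
    "not json at all",
]


def blocked_origin(blocked_uri):
    """Reduce a blocked URL to scheme://host; keep keywords such as "inline"."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https") and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"


def summarize(report_bodies):
    """Count reports per (directive, blocked origin); also count rejected bodies.

    The reporting endpoint accepts POSTs from any browser, so each body is
    treated as untrusted input and dropped if it does not have the expected shape.
    """
    counts, rejected = Counter(), 0
    for body in report_bodies:
        try:
            report = json.loads(body)["csp-report"]
            directive = report["violated-directive"].split()[0]
            origin = blocked_origin(report["blocked-uri"])
        except (ValueError, KeyError, TypeError, IndexError, AttributeError):
            rejected += 1
            continue
        counts[(directive, origin)] += 1
    return counts, rejected


def triage(counts, trusted_origins):
    """Split findings into policy additions and items to investigate."""
    additions, investigate = {}, []
    for (directive, origin), hits in sorted(counts.items()):
        if origin in trusted_origins:
            additions.setdefault(directive, []).append(origin)
        else:
            investigate.append((directive, origin, hits))
    return additions, investigate


if __name__ == "__main__":
    counts, rejected = summarize(SAMPLE_REPORTS)
    additions, investigate = triage(counts, {"https://www.google-analytics.com"})
    print("rejected bodies:", rejected)
    print("add to policy:", additions)
    print("investigate:", investigate)
```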

If you enjoyed this tutorial, then you’ll love our support! All ChemiCloud’s hosting plans include 24/7 support from our amazing support team. Check out our Web hosting plans and have your website migrated today!

Complete Guide to Cross-Origin Resource Sharing (CORS)
https://chemicloud.com/kb/article/cross-origin-resource-sharing-cors/
Published: Sun, 14 Mar 2021 17:54:14 +0000

In an effort to keep a website and users of said website secure from any security risks involved with sharing resources like JavaScript and fonts across multiple domains, the use of CORS is recommended, but what is CORS?

What is CORS?

CORS, also known as Cross-Origin Resource Sharing, allows resources such as JavaScript and web fonts to be loaded from different domains than the origin parent domain, or in simpler terms, the site you’re visiting.

CORS is very common today, but a few years ago, for security reasons, fonts and AJAX (XMLHttpRequest) requests were restricted by the same-origin policy, which prohibited their use between domains. With CORS, the browser and the origin server can communicate with each other and determine whether it is safe to allow a cross-origin request.

Why use CORS?

CORS was implemented because of the restrictions mentioned above. The same-origin policy limited certain resources to interacting only with resources from the parent domain. This was with good reason: AJAX requests can perform advanced functions such as POST, PUT, DELETE, and more, which jeopardized the security of a website. The same-origin policy therefore increases website security and helps prevent abuse.

However, in some cases, it’s beneficial to enable CORS as it allows for additional freedom and functionality for websites. This is true in cases where websites and icons are often requested from a different domain. In cases like these, with the use of HTTP headers, CORS enables the browser to manage the cross-domain content by either allowing or denying it based on the security settings.

HTTP Request Headers Used in CORS

When a domain is requesting to interact with a resource on another domain, request headers are added from the first domain in order to use the Cross-Origin Resource Sharing feature. These are the HTTP request headers that may be associated with the requesting domain.

Origin
Access-Control-Request-Method
Access-Control-Request-Headers

HTTP Response Headers Used in CORS

The domain whose resources are being requested can respond to the first domain with the following HTTP response headers based on what configuration options are set.

Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Allow-Methods
Access-Control-Allow-Headers

Simple CORS example

Here is an example of CORS when a browser requests a resource from another domain. Let’s say google1.com makes a request to google2.com for a particular resource. CORS uses HTTP Headers to determine whether or not google1.com should have access to those resources. The browser automatically sends a request header to google2.com with:

Origin: http://google1.com

google2.com receives that request and responds with one of the following:

Access-Control-Allow-Origin: http://domainx.com
Access-Control-Allow-Origin: * (meaning all domains are allowed)
An error if the cross-origin requests are not allowed

Example of CORS In Preflight

When specific and more complex requests are performed, the browser will insert additional preflight requests to validate whether they have the appropriate permissions to perform this action. A request is preflighted if any of the following conditions are met:

  1. It uses an HTTP method other than GET or POST.
  2. Custom headers are set.
  3. The request has a MIME Type other than text/plain.

Here is an example of a preflight request:

Origin: http://google1.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-Custom-Header

If google2.com is willing to accept the action, it may respond with the following headers:

Access-Control-Allow-Origin: http://google1.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header
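The exchange above, seen from google2.com's side, as an added example that is not part of the original article. It answers both simple and preflight requests from an explicit allow-list instead of "*"; the allow-list values, the function name and the Max-Age value are assumptions made for illustration, and Vary: Origin is a standard HTTP response header added so caches do not reuse one origin's answer for another.

```python
# Hypothetical policy for this example: the origins, methods and request
# headers that the resource server (google2.com above) is willing to accept.
ALLOWED_ORIGINS = {"http://google1.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"x-custom-header"}   # compared case-insensitively
MAX_AGE_SECONDS = 600                   # how long a browser may cache the preflight


def cors_response_headers(method, request_headers, allow_credentials=False):
    """Return the CORS headers to add to the response for one request.

    A response without Access-Control-Allow-Origin makes the browser block
    the cross-origin read, which is how a refusal is expressed here.
    """
    req = {name.lower(): value.strip() for name, value in request_headers.items()}
    origin = req.get("origin")
    if origin is None:
        return {}  # no Origin header: not a CORS request, nothing to add

    response = {"Vary": "Origin"}  # the answer depends on the Origin header
    # Exact match only. Substring or suffix checks would also accept
    # look-alike hosts, and the literal origin "null" is never listed.
    if origin not in ALLOWED_ORIGINS:
        return response

    wanted_method = req.get("access-control-request-method")
    if method.upper() == "OPTIONS" and wanted_method is not None:
        # Preflight: check the method and headers the real request will use.
        wanted_headers = [
            h.strip()
            for h in req.get("access-control-request-headers", "").split(",")
            if h.strip()
        ]
        if wanted_method.upper() not in ALLOWED_METHODS:
            return response
        if any(h.lower() not in ALLOWED_HEADERS for h in wanted_headers):
            return response
        response["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        if wanted_headers:
            response["Access-Control-Allow-Headers"] = ", ".join(wanted_headers)
        response["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)

    # Echo the one matching origin rather than "*": browsers reject "*" on
    # credentialed requests, and echoing keeps the allow-list authoritative.
    response["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        response["Access-Control-Allow-Credentials"] = "true"
    return response


if __name__ == "__main__":
    # The preflight request from the article.
    preflight = {
        "Origin": "http://google1.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "X-Custom-Header",
    }
    for name, value in cors_response_headers("OPTIONS", preflight).items():
        print(f"{name}: {value}")
```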

CORS Browser Support

CORS is supported by all major browsers. If your browser doesn’t support it, you should upgrade your browser.

  • Blink- and Chromium-based browsers (Chrome 28+, Opera 15+, Amazon Silk, Android’s 4.4+ WebView, and Qt’s WebEngine)
  • Gecko 1.9.1 (Firefox 3.5, SeaMonkey 2.0) and above.
  • MSHTML/Trident 6.0 (Internet Explorer 10) has native support.
  • MSHTML/Trident 4.0 & 5.0 (Internet Explorer 8 & 9) provide partial support via the XDomainRequest object.
  • Presto-based browsers (Opera) implement CORS as of Opera 12.00 and Opera Mobile 12, but not Opera Mini.
  • WebKit (Initial revision uncertain, Safari 4 and above, Google Chrome 3 and above, possibly earlier).
  • Microsoft Edge All versions.

Spotting CORS Errors

You will more than likely notice there is an issue related to CORS on your site if certain fonts or assets aren’t loading properly. If you’re using a CDN, this issue is likely to occur if you have disabled the CORS option in your Zone File settings. However, if you notice something isn’t rendering properly on your site, you can use the Google Chrome DevTools to help troubleshoot the problem.

Once you open the DevTools, navigate to the Console panel. You might see other warnings and errors there, but what you will be looking for is something similar to the text in the image below:

This error is saying the fonts located at the origin are blocking the origin (i.e. google.com) due to CORS. Therefore, since the origin isn’t allowed access, the fonts can’t be pulled from the origin to the CDN.

jQuery with CORS

Partially due to the ability to perform advanced requests, cross-domain AJAX requests are forbidden by default. With the use of CORS, however, you have the option to better define which methods are enabled. This helps increase website security while having the ability to use features that are otherwise inaccessible.

Font Awesome CDN

Having CORS enabled is required to properly display Font Awesome icons when a CDN is implemented. If CORS is not enabled, the Font Awesome icons will not work and will look similar to the image below:

Enabling CORS on the Origin Server

If you want to handle CORS settings server-side, you have the option of configuring CORS on the origin server. To enable CORS for static resources, such as CSS, fonts, JavaScript, and images, add the following code to your server using your .htaccess file:

Apache

<IfModule mod_headers.c>
    # woff2 is listed explicitly: "woff" followed by "$" does not match ".woff2"
    <FilesMatch "\.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
</IfModule>

LiteSpeed Server

# Images and general graphics
<FilesMatch "\.(gif|png|jpe?g|svg|svgz|ico|webp)$">
    # Set IS_CORS only when the request carries an Origin header
    SetEnvIf Origin ":" IS_CORS
    Header set Access-Control-Allow-Origin "*" env=IS_CORS
</FilesMatch>

# Web fonts
<FilesMatch "\.(ttf|ttc|otf|eot|woff|font.css|css|woff2)$">
    Header set Access-Control-Allow-Origin "*"
</FilesMatch>

Nginx

location ~ \.(ttf|ttc|otf|eot|woff|woff2|font.css|css|js|gif|png|jpe?g|svg|svgz|ico|webp)$ {
    add_header Access-Control-Allow-Origin "*";
}

Pro Tip:

Make sure you test your website with a number of browsers, especially Firefox and Internet Explorer, as they are known to cause problems if CORS is not handled correctly. Also, if an issue still persists after you have enabled CORS, try purging your CDN cache.

Quick CORS Security Notes

The same-origin policy does not allow websites to communicate with each other’s resources, which can greatly limit a site’s functionality. For this reason, CORS is a great feature for minimizing the security risks involved with web script sharing while still being able to utilize resources outside of the origin domain.

Having the ability to select which domains are allowed access to which resources also gives you granularity to the resource sharing capability. When configured properly, CORS can easily integrate with other web services while keeping your website and customers secure.

How To Remove McAfee SiteAdvisor Blacklist Warnings
https://chemicloud.com/kb/article/remove-mcafee-siteadvisor-blacklist-warnings/
Wed, 02 Dec 2020 11:03:25 +0000

McAfee blacklists thousands of websites every day. For most website owners, the various warnings McAfee can show about your website and dealing with them can seem like a challenging task.

This knowledgebase article will help you understand what the cautionary message indicates and how to resolve this security warning.

Important Note:

This article covers McAfee SiteAdvisor Blacklists, not the warnings displayed in Google Search Engine Result Pages (SERPs). Looking to remove Google Blacklists warnings?

Common Signs Your Site May Be Blacklisted by McAfee SiteAdvisor

Some big signs your site may be infected with something include:

  • The McAfee WebAdvisor presents an error saying the site is risky or is insecure.
  • You see a lot of spam links and redirects in your Google Search Console.
  • Website files and images seem to have changed and you haven’t made the changes.
  • Your web host has notified you of malware infecting your website.
  • Your anti-virus or anti-malware software prevents you from visiting the site in your browser.

What Do These McAfee SiteAdvisor “Blocks” Look Like When They Happen?

Typically when McAfee has blacklisted a site and you try to access it using Chrome, or another browser using a computer protected by McAfee, you’ll see a screen that looks similar to the one below:

McAfee WebAdvisor Warning Showing A Potentially Dangerous Site

What Does This Mean & How Can I Resolve It?

This error indicates McAfee has placed the website you’re trying to access on their blacklist. More than likely, the site is infected with malware.

You may have the option to continue to the website, or depending on McAfee’s perceived severity of the problem with the website, you may not be able to access it at all without whitelisting it in your McAfee WebAdvisor Control Panel.

Other Examples Of McAfee SiteAdvisor Blacklist Warning Messages

The major browsers, Chrome and Firefox, use the Google Safe Browsing API to help people steer clear of websites they suspect to be infected or compromised. Other browsers, however, may not display the warnings in the same way as Chrome or Firefox, and they may not be using the Google Safe Browsing API. Here are some examples of the various ways other browsers may warn you about a potentially compromised website:

  • This website may harm your computer.
  • This site may be hacked.
  • Deceptive site ahead.
  • This website has been reported as unsafe.
  • The site you are trying to access contains malware or harmful programs.
  • Phishing attack or site detected.
  • The page you are trying to access is attempting to load scripts from unauthenticated or unsecure sources.
  • Warning: Potential Security Risk Ahead.

How To Resolve McAfee WebAdvisor Warnings

Websites lose 95% of their traffic (if not more) when a service like Google or McAfee WebAdvisor blacklists a site. They (McAfee) aren’t out to get you personally; McAfee has a duty to protect users of its software from potentially dangerous websites.

Checking The Safe Browsing Status Of Any Website

McAfee has a method to check the Safe Browsing status of any website here. You should be aware of this tool as it’s pretty helpful in checking on sites you maintain periodically, rather than being informed by the users after it happens.

Get Google Search Console

Google Search Console, formerly known as Google Webmaster Tools, is an absolute must when it comes to managing how Google interacts and indexes content on your website. Google Search Console is the first step in getting Google’s attention, i.e. getting your business or website in their search results, and on other Google platforms, such as Maps.

If your site is blacklisted, you’ll need to use the Google Search Console to inform Google you’ve taken the appropriate steps to remove whatever “infection” or “compromise” your site had and are ready for them to review your site for removal from their blacklist.

To remove the blacklist warning, you need to let Google know that you have completely cleared the infection. To do this, you must have a Google Search Console account (formerly Webmaster Tools).

To verify ownership of your website in Google Search Console:

  • Open Google Search Console.
  • Click Search Console and sign in with your Google account.
  • Click add a site and enter your website’s URL, then click continue.
  • Verify your site using their recommended method or alternate methods options.
  • Click add a site, then verify.
  • Review the Security & Manual Actions section to review any warnings, and resolve as necessary.
  • If you have warnings to resolve, you will be given steps to resolve them and notify Google you have fixed the problem and are requesting a review of your website for removal from their blacklist.

You should determine what exactly is blacklisted by Google. On the Google Search Console page for your website, click on Security Issues and you will find the URLs that are being detected. If the URL is a directory, each folder and page below it must be checked for malware.

Scan Your Website

There are numerous free tools online you can use to scan your site and identify the malware or “infection” causing McAfee to flag the site. Two of the best are listed below:

To scan your website for hacks and blacklist warnings using Sucuri SiteCheck:

  • Visit the Sucuri SiteCheck website and enter your website URL.
  • Click Scan Website.
  • If the site is infected, note any payloads and file locations found by SiteCheck.
  • Click Blacklist Status to see if you’ve been blacklisted by other authorities besides McAfee SiteAdvisor.

If SiteCheck is able to find something wrong with the website, this can help narrow your search. You can also use other tools such as UnmaskParasites.

For Content Management Systems, such as WordPress or Joomla, you can safely rebuild the site using new copies of your core files and extensions directly from the official repositories. Custom files can be replaced with a recent backup—as long as it’s not infected.

How to Request a Removal from McAfee SiteAdvisor Blacklist

McAfee Customer Ticketing System

To request a review of your site on McAfee to remove the blacklist:

  • Visit the ticketing service for McAfee SiteAdvisor.
  • Choose McAfee SiteAdvisor/WebControl (Enterprise) from the list.
  • Type in your URL and click Check URL.
  • Review the Reputation and Categorization for your site.
  • Click Submit URL for Review.

It may take them 2-3 business days to get back to you and confirm they have removed your site from their blacklist.

Determine When And Why This Happened

Common causes of infected / compromised websites which are blacklisted include:

  • Outdated Plugins
  • Outdated App Installation, i.e. you are running an old version of Drupal, Joomla, or WordPress.
  • Not using CAPTCHAs on areas where there is user input, such as form fields, login fields, comment & review fields.

You can ask your Web Host to restore your website to a date prior to the infection. Following the restore, you would want to log in to your website’s admin area and immediately update your app and/or plugins to the latest versions to prevent the hack from taking place again, if it was caused by an outdated website app, such as an old WordPress or Drupal version, or an outdated plugin.

Preventing This From Happening Again

Preventing your website from being hacked or compromised isn’t a task that requires your attention 100% of the day/night. However, you should definitely be mindful of some basics when it comes to website security:

Invest in Rock-solid Web Hosting

Every web host out there should take security very seriously. That is why it is essential that you choose a web host you can rely on for your business.

Here at ChemiCloud, we use CloudLinux on our servers, which allows us to use a virtualized file system for each account and completely isolate it. A significant advantage of this is that if one user account becomes compromised, the malware infection does not spread to the other accounts hosted on the same server. What’s more, we’ve partnered with Imunify360 to provide you with a secure and reliable web hosting platform. Its multi-layered defense architecture ensures precision targeting and eradication of malware and viruses.

This way we are adding an extra layer of protection compared to our competitors.

Perform regular backups

Make backups. Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.

Most hosting providers now provide backups. ChemiCloud’s web hosting plans have free automated backups that are stored offsite, allowing them to be quickly restored so that you can rest easy knowing your data is safe!

Always keep your web application version and plugins up to date

Keep plugins and integrations you have enabled on your website updated. If you use any specific plugins that are developed by 3rd parties or small developers, it might be wise to follow their social media and note if they post anything about an update being pushed out for the plugin/app.

If you are using WordPress, enable auto-updates for your plugins and themes. This is a super helpful feature that was recently released in WordPress that will save you a lot of time.

Use CAPTCHAs

We recently published a blog on what CAPTCHAs are, why they are important, and how to set up WordPress CAPTCHA. CAPTCHAs keep robots from sending code with nefarious purposes through your contact forms, review forms, login / password reset forms, and comment fields.

Use Smart Usernames and Strong Passwords

Be wise when it comes to your username and password for your administration dashboard. Always choose a complex password, and don’t use “admin” as your username; instead, use a unique username for the administrator that is not related to your domain name.

Make sure to choose a complex password. Alternatively, you can use an online tool like 1Password Password Generator.

If you are managing multiple sites, it is prudent to use different passwords. The best way is to use an online password manager such as 1Password, which offers a free subscription.

Disable directory listing

By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory.

This could make your site vulnerable to attacks by revealing the critical information needed by hackers to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general.

Just add the following line in the site’s .htaccess file located in the root directory of your website.

Options -Indexes

If you are a ChemiCloud customer, we have you covered. By default, the directory listing is disabled on our servers.

Use HTTPS for Encrypted Connections (SSL Certificate)

One of the most neglected ways to harden your WordPress website is to install an SSL certificate and run your site’s URLs over HTTPS.

Many Web Hosting providers, including ChemiCloud, offer free SSL certificates with Let’s Encrypt.

Summary

The security and integrity of your website should be your top concern as a website administrator. If you are running an online store, having your website blacklisted will scare off existing and new customers alike and cause your website to fall to the bottom of Google Search Engine Result Pages, or *gasp* to page 2 of the results.

By taking simple steps to keep your website up to date and secure, such as updating plugins, using secure passwords, and making good use of CAPTCHAs, you can ensure your website won’t end up on a Google Blacklist. But, if it does, this article will help you get off that list and get back on track!

If you know any other security tips that may help, please feel free to let us know in the comments area.

 

How To Remove Google Blacklist Warnings
https://chemicloud.com/kb/article/remove-google-blacklist-warnings/
Wed, 25 Nov 2020 02:02:23 +0000

Google blacklists thousands of websites every day. For most website owners, the various warnings Google can show about your website and dealing with them can seem like a challenging task.

This knowledgebase article will help you understand what the various cautionary messages mean and how to resolve these security warnings.

This knowledgebase article also only covers the blacklisting and warnings which appear in Google Search Engine Result Pages (SERP) and browsers which utilize the Google Safe Browsing Service.

Common Signs Your Site May Be Blacklisted

Some big signs your site may be infected with something include:

  • Google Search Engine Result Pages say “This site may be hacked or infected with malware”.
  • You see a lot of spam links and redirects in your Google Search Console.
  • Website files and images seem to have changed, and you haven’t made the changes.
  • Your web host has notified you of malware infecting your website.
  • Your anti-virus or anti-malware software prevents you from visiting the site in your browser.

What Do These “Blocks” Look Like When They Happen?

Typically when Google has blacklisted a site and you try to access it using Chrome, or another browser that utilizes the Google SafeSearch API, you’ll see a screen that looks similar to the one below:

Google SafeBrowsing Alert in Chrome
Unsafe website warning in Microsoft Edge
Unsafe website warning in Firefox

These warnings can also appear in a number of different ways in search results:

“This site may be hacked”

Google SERP indicating "This site may be hacked."

You and those searching for your site may see This site may be hacked in their search results. This message is used to inform them that Google suspects a bad actor or “hacker” has made changes to the code on the website or has added a bunch of new pages full of spam text or links.

It’s important to note, this warning does not generate a red screen and this warning exclusively appears on Google Search Engine Result Pages (SERP). 

What Does This Mean & How Can I Resolve It?

Google’s official explanation for this warning is: “You’ll see the message “This site may be hacked” when we believe a hacker might have changed some of the existing pages on the site or added new spam pages. If you visit the site, you could be redirected to spam or malware.”

Google has excellent documentation on resolving this particular warning here.

“This site may harm your computer”

Google SERP indicating "This site may harm your computer."

What Does This Mean & How Can I Resolve It?

This message informs users and visitors to your site that Google believes the website has been compromised by bad actors or “hackers” and the changes they’ve made to the site distribute and install malware on the computer visiting the site. Proceeding to visit the site may cause damage to the integrity of the device accessing the site, which can include all sorts of attacks or tricks to get the user to install software that could be ransomware.

It’s good to know Google’s accuracy rating on sites they suspect of being harmful is pretty spot-on. Also, this classification in the SERP gives visitors a big red image, like the examples above, when visiting the site in any browser that uses the Google Safe Browsing API (Chrome, Firefox, among others).

Google has excellent documentation on resolving this particular warning here.

Other Examples Of Blacklist Warning Messages

The major browsers, Chrome and Firefox, use the Google Safe Browsing API to help people steer clear of websites they suspect to be infected or compromised. Other browsers, however, may not display the warnings in the same way as Chrome or Firefox, and they may not be using the Google Safe Browsing API. Here are some examples of the various ways other browsers may warn you about a potentially compromised website:

  • This website may harm your computer.
  • This site may be hacked.
  • Deceptive site ahead.
  • This website has been reported as unsafe.
  • The site you are trying to access contains malware or harmful programs.
  • Phishing attack or site detected.
  • The page you are trying to access is attempting to load scripts from unauthenticated or insecure sources.
  • Warning: Potential Security Risk Ahead.

How To Request a Removal from Google Blacklist

Websites lose 95% of their traffic (if not more) when Google blacklists a site. They (Google) aren’t out to get you personally. Google has a responsibility to protect users of its software (such as Chrome, or the Google Safe Browsing API) from dangerous websites that show up in Google’s Search Results.

You should also know that websites which are repeatedly blacklisted are only eligible for a review from Google to be removed from their blacklist once every 30 days. This can be detrimental to the viewership of a website, so be sure if you’re blacklisted once not to let it happen again.

Checking The Safe Browsing Status Of Any Website

Google has a method to check the Safe Browsing status of any website here. You should be aware of this tool as it’s quite useful in checking on sites you maintain periodically, rather than being informed by the users after it happens.

Get Google Search Console

Google Search Console, formerly known as Google Webmaster Tools, is an absolute must for managing how Google interacts and indexes content on your website. Google Search Console is the first step in getting Google’s attention, i.e. getting your business or website in their search results and other Google platforms, such as Maps.

If your site is blacklisted, you’ll need to use the Google Search Console to inform Google that you’ve taken the appropriate steps to remove whatever “infection” or “compromise” your site had and are ready for them to review your site for removal from their blacklist.

To remove the blacklist warning, you need to let Google know that you have completely cleared the infection. To do this, you must have a Google Search Console account (formerly Webmaster Tools).

Verify ownership of your website in the Google Search Console

  • Open Google Search Console.
  • Click Search Console and sign in with your Google account.
  • Click add a site and enter your website’s URL, then click continue.
  • Verify your site using their recommended method or alternate methods options.
  • Click add a site, then verify.
  • Review the Security & Manual Actions section to review any warnings, and resolve as necessary.
  • If you have warnings to resolve, you will be given steps to resolve them and notify Google you have fixed the problem and are requesting a review of your website for removal from their blacklist.

You should determine what exactly is blacklisted by Google. On the Google Search Console page for your website, click on Security Issues and you will find the URLs that are being detected. If the URL is a directory, each folder and page below it must be checked for malware.

Determine When And Why This Happened

Common causes of infected / compromised websites which are blacklisted include:

  • Outdated Plugins
  • Outdated App Installation, i.e. you are running an old version of Drupal, Joomla, or WordPress.
  • Not using CAPTCHAs on areas where there is user input, such as form fields, login fields, comment & review fields.

You can use the Google Search Console to determine when Google first noticed the compromise. By clicking the Security tab in the Google Search Console, you will be able to filter through the warnings to determine when Google picked up the first instance of your website being compromised or infected.

Using the date Google first picked up the “infection”, you can do a couple of things:

You can ask your Web Host to restore your website to a date prior to this date. Following the restore, you would want to log in to your website’s admin area and immediately update your app and plugins to the latest versions to prevent the hack from taking place again, if it was caused by an outdated website app, such as an old WordPress or Drupal version, or an outdated plugin.

Preventing This From Happening Again

Preventing your website from being hacked or compromised isn’t a task that requires your attention 100% of the day/night. However, you should definitely be mindful of some basics when it comes to website security:

Invest in Rock-solid Web Hosting

Every web host out there should take security very seriously. That is why it is essential that you choose a web host you can rely on for your business.

Here at ChemiCloud, we use CloudLinux on our servers, which allows us to use a virtualized file system for each account and completely isolate it. A significant advantage is that if one user account becomes compromised, the malware infection does not spread to the other accounts hosted on the same server. What’s more, we’ve partnered with Imunify360 to provide you with a secure and reliable web hosting platform. Its multi-layered defense architecture ensures precision targeting and eradication of malware and viruses.

This way, we add an extra layer of protection compared to our competitors.

Perform regular backups

Make backups. Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy if anything bad happens.

Most hosting providers now provide backups. ChemiCloud’s web hosting plans have free automated backups stored offsite, allowing them to be quickly restored so that you can rest easy knowing your data is safe!

Always keep your web application version and plugins up to date

Keep plugins and integrations you have enabled on your website updated. If you use any specific plugins that are developed by 3rd parties or small developers, it might be wise to follow their social media and note if they post anything about an update being pushed out for the plugin/app.

If you are using WordPress, enable auto-updates for your plugins and themes. This is a super helpful feature that was recently released in WordPress that will save you a lot of time.

Use CAPTCHAs

We recently published a blog on what CAPTCHAs are, why they are important, and how to set up WordPress CAPTCHA. CAPTCHAs keep robots from sending code with nefarious purposes through your contact forms, review forms, login / password reset forms, and comment fields.

Use Smart Usernames and Strong Passwords

Be wise when it comes to your username and password for your administration dashboard. Always choose a complex password, and don’t use “admin” as your username; instead, use a unique username for the administrator that is not related to your domain name.

Make sure to choose a complex password. Alternatively, you can use an online tool like 1Password Password Generator.

If you manage multiple sites, it is prudent to use different passwords. The best way is to use an online password manager such as 1Password, which offers a free subscription.

Disable directory listing

By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory.

This could make your site vulnerable to attacks by revealing the critical information needed by hackers to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general.

Just add the following line in the site’s .htaccess file located in the root directory of your website.

Options -Indexes

If you are a ChemiCloud customer, we have you covered. By default, the directory listing is disabled on our servers.

Use HTTPS for Encrypted Connections (SSL Certificate)

One of the most neglected ways to harden your WordPress website is to install an SSL certificate and run your site’s URLs over HTTPS.

Many Web Hosting providers, including ChemiCloud, offer free SSL certificates with Let’s Encrypt.

Summary

The security and integrity of your website should be your top concern as a website administrator. If you are running an online store, having your website blacklisted will scare off existing and new customers alike and cause your website to fall to the bottom of Google Search Engine Result Pages, or *gasp* to page 2 of the results.

By taking simple steps to keep your website up to date and secure, such as updating plugins, using secure passwords, and making good use of CAPTCHAs, you can ensure your website won’t end up on a Google Blacklist. But, if it does, this article will help you get off that list and get back on track!

If you know any other security tips that may help, please feel free to let us know in the comments area.

How to Enable HotLink Protection in cPanel and .htaccess
https://chemicloud.com/kb/article/enable-hotlink-protection-in-cpanel/
Tue, 31 Mar 2020 15:56:26 +0000

What is HotLink Protection?

A hotlink occurs when someone is directly linking content from your site to another site and uses your bandwidth to serve the files. For example, when someone is displaying an image hosted on your server on their own web pages. You can use this Hotlink protection security feature in cPanel in order to prevent this from happening.

This tutorial assumes that you are already logged into cPanel.

To enable hotlink protection in cPanel, follow the steps below:

Once logged into cPanel, head up to Security > Hotlink Protection.

  1. Click Enable. A new page will open that displays the Allowed referrers and Protected extension lists.
  2. Click Go back.
  3. To allow specific sites to hotlink to your website, add their URLs in the URLs to allow access menu.
  4. To block direct access to files of specific types, add those file extensions to the Block direct access for the following extensions text box.
    • For example, to block all .jpg images, add .jpg to the Block direct access for the following extensions text box.
    • When you block these file types, others cannot hotlink those types of files from your website regardless of any other settings.
  5. To allow visitors access to specific content through the URL, select the Allow direct requests checkbox.
    • For example, if you enable this option, a visitor could enter http://www.example.com/folder/example.jpg as a URL to access the example.jpg file.
  6. To redirect requests for certain content, enter the URL to which you want to redirect your visitor in the Redirect the request to the following URL text box.
  7. Click Submit.

To disable hotlink protection, click Disable.

When you click Disable, the system deletes the entries in the List the URLs to which you wish to allow access list. We strongly recommend that you save the list locally before you disable hotlink protection.

If you are not using cPanel on your server, you can still enable hotlink protection easily through the .htaccess file. You’ll just have to use the following code snippet:

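RewriteEngine on
# Let requests with an empty referrer through (direct visits, privacy tools).
# Remove the following line if you want to block blank referrer too
RewriteCond %{HTTP_REFERER} !^$

# Allow example.com and its subdomains only: dots are escaped and the
# host name must end at "/" or at the end of the string
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
# Any other referrer gets 403 Forbidden for image files
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ - [NC,F,L]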

If you want to display a “blocked” image in place of the “hotlinked” image, replace the last rule with:

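# Exempt the placeholder image itself, otherwise the redirect would loop
RewriteCond %{REQUEST_URI} !/blocked\.png$ [NC]
RewriteRule \.(jpg|jpeg|png|gif|bmp)$ https://example.com/blocked.png [NC,R,L]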
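
The referrer condition from the snippet above, evaluated in Python against constructed Referer values (an added example, not part of the original article). It compares a loose pattern, with an unescaped dot and no boundary after the host name, against a host-anchored one; the function and sample names are illustrative assumptions.

```python
import re

# Loose pattern: "." matches any character and nothing ends the host name.
LOOSE = re.compile(r"^https?://(.+\.)?example.com", re.I)
# Host-anchored pattern: the subdomain part cannot cross "/", dots are
# literal, and the host must be followed by "/" or the end of the string.
STRICT = re.compile(r"^https?://([^/]+\.)?example\.com(/|$)", re.I)
IMAGE = re.compile(r"\.(jpg|jpeg|png|gif|bmp)$", re.I)


def blocked(path, referer, allowed, block_blank=False):
    """Mirror the rewrite rules: True when the request would get 403."""
    if not IMAGE.search(path):
        return False              # RewriteRule pattern does not match
    if referer == "":
        return block_blank        # RewriteCond %{HTTP_REFERER} !^$
    return allowed.search(referer) is None


# Constructed Referer values for a regression check (not real traffic).
SAMPLES = [
    "https://example.com/gallery/",
    "https://cdn.example.com/page",
    "https://example.com.other.test/",
    "https://other.test/?ref=.example.com",
    "https://examplexcom.test/",
    "",
]


def compare(path="/img/photo.JPG"):
    """Return (referer, blocked_by_loose, blocked_by_strict) per sample."""
    return [(r, blocked(path, r, LOOSE), blocked(path, r, STRICT))
            for r in SAMPLES]


if __name__ == "__main__":
    for ref, loose, strict in compare():
        print(f"{ref!r:42} loose={'403' if loose else 'ok':3} "
              f"strict={'403' if strict else 'ok'}")
```

The Referer header is set by the client and can be omitted or changed, so hotlink protection limits casual bandwidth use and is not an access control.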

Now you know how to enable or disable hotlink protection in cPanel or through .htaccess.

How to Quickly Fix SSL Mixed Content Warnings on Your Website
https://chemicloud.com/kb/article/fix-mixed-content-warnings/
Thu, 27 Feb 2020 18:41:09 +0000

What Is SSL Mixed Content?

SSL mixed content occurs when your site is loaded over a secure HTTPS connection, but other resources on your site (such as images, icons, videos, CSS, or JavaScript) are loaded over an insecure HTTP connection at the same time.

This is called mixed content because both HTTP and HTTPS resources are being used to display the same page at the same time, but the initial request was secure over HTTPS protocol. As a result, the major web browsers will display warnings about this type of content to indicate that the page you are accessing contains insecure resources.

In other words, these warnings may cause your website visitors to question the security between your website and their computer. You can prevent this issue from occurring by configuring your site to only serve secure content.

What Causes Mixed Content Warnings?

Mixed content warnings usually appear once you have forced a redirect from HTTP to HTTPS for your site.

In addition, here are some other cases of what might cause a warning:

  • Web developers sometimes use absolute paths (http://domain/style.css) in the site’s code to link to resources like CSS and JavaScript instead of using relative paths (/style.css).
  • Images have hardcoded URLs (http://domain.com/image.png) that point to HTTP.
  • You are using HTTP versions of external scripts. (Hosted jQuery, Font Awesome, etc.)
  • You are using embedded video scripts using HTTP instead of HTTPS.

How to Find Mixed Content?

An easy-to-use online resource for finding mixed content on your site’s pages is Why No Padlock?

You will just have to enter the URL of the page where you are receiving mixed content warnings and Why No Padlock will automatically scan for mixed content.

How to Fix Mixed Content Warnings

Follow the simple steps below to fix SSL mixed content warnings. This assumes you have already done the following:

“Upgrade Insecure Requests” is a CSP (Content Security Policy) directive that allows you to tell a web browser that all the resources on your website must be accessed via HTTPS.

Your resources will automatically be requested on HTTPS by the client/browser, without any mixed content warning.

Upgrade Insecure Requests is supported by Mozilla Firefox, Google Chrome, Microsoft Edge, Opera, Android, Chrome for Android, Safari.

To implement this, you only need to add the following lines of code to your site’s .htaccess file:

# BEGIN Fix SSL Mixed Content Warnings
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "upgrade-insecure-requests;"
</IfModule>
# END Fix SSL Mixed Content Warnings

Now let’s go back and access your website. Notice how it redirects us to the secure version, and we see a secure lock symbol in the location bar.

That means we’re using a secure connection to the site and that all the resources on the site are loaded over HTTPS.
