WordPress vulnerabilities can be prevented

Because WordPress is the #1 CMS, it is a target

With popularity comes exposure. WordPress powers about 40.5% of all websites and is the most popular CMS (content management system) around, with a 64.5% share of the CMS market according to W3Techs. WordPress sites belong to small and medium-sized businesses as well as large enterprises. That makes WordPress a giant target for hackers and botnets.

According to Imperva’s yearly analysis, the greatest number of vulnerabilities in WordPress come on the plugin side: “On the content management system (CMS) front, WordPress vulnerabilities have tripled since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category.”

WordPress.org lists more than 58,000 plugins in its repository. Many of these plugins are incredibly useful and help extend the functionality of your site. However, it is not at all unusual for a plugin to be abandoned or left without updates when its developer loses interest or no longer has the time to manage it. Sometimes plugins get forked and kept up to date by others in the Open Source community, but just as frequently they are left to languish. You may even have some of these outdated plugins on your website.

Examples of way out of date plugins in the WordPress repository.

When was the last time you audited the plugins you use on your site?

Regular updates of your plugins close off opportunities for hackers and bots to inject scripts or add malicious code. These bad actors know when there are opportunities to cause havoc, and their networks constantly scan WordPress sites looking for them.

How do I update my WordPress Plugins?

This is an example of how WordPress signals you that there are plugin updates pending.

Log in to your site, proceed to your Dashboard and open the Plugins panel. You may see red numbers indicating how many plugin updates are pending on your site. Upon opening the Plugins panel, you may see yellow highlighted notes for each plugin which has a new version. Below you can see an instance of this type of note for Jetpack. You can click the hyperlink to learn what the new version details are, or you can click the update now hyperlink to update immediately.

This image displays the note from the plugin developer that there is a new version of Jetpack available.

It is important to check which plugins have updates and to make a whole-site backup prior to doing anything. Only then do we recommend updating your plugins. After upgrading, check how your site functions. It is not uncommon for upgrades to cause compatibility issues with other plugins.

Unless the update addresses a security risk, you may wish to consider waiting until the day after a new release before updating your site. While developers test their plugins, some issues are only discovered after release, when a large number of sites are running the new version. If it’s a major release, i.e. 5.x.x to 6.0, make sure you click the link to view the details so you are aware of major changes that may affect your site.

How do you choose reliable plugins?

Choosing dependable plugins is pretty simple.

  • Look for plugins which have had several versions and which have many thousands of active installs.
  • Use plugins which have been tested for the most recent version of WordPress.
  • Check out the Reviews and see what others have to say about using the plugin.
  • Look at the plugin support forum to see what kinds of issues others are having, whether the developer is responding to issues, and how promptly a response is provided.

Did you update when the most recent WordPress update came out?

Another important way to prevent vulnerabilities is to keep your WordPress version up to date. WordPress 5.0 was released in December 2018. Because it was a major release, your WordPress software did not update automatically as it does for incremental updates. [Read more about automatic updates.] WordPress is now at version 5.6.2. Did you update when 5.0 was released? As of March 2020, slightly more than 20% of WordPress sites are running on versions older than 5.0. If you did update, then you have also received the incremental updates since then. If you never updated your website to WordPress 5.0, you should do so very soon.

Ensure your PHP version is supported and secure

If you are running WordPress, the critical software underlying it is PHP. PHP versions older than 7.3 are no longer supported and are vulnerable. PHP is a scripting language that allows your website to be built from the data in your database. It is fundamental to WordPress and allows WordPress to function.

Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases.

After this two-year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.
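To make that timeline concrete, here is a small Python script, added for this post and not code from PHP or WordPress, that applies the two-plus-one-year rule above to the version string you get from php -v. The branch release dates are taken from php.net’s release history and should be confirmed against the Supported Versions page on php.net before you rely on them.

```python
from datetime import date

# Initial stable release date of each PHP branch (from php.net's release
# history; confirm against the Supported Versions page on php.net).
PHP_BRANCH_RELEASE = {
    "7.2": date(2017, 11, 30),
    "7.3": date(2018, 12, 6),
    "7.4": date(2019, 11, 28),
    "8.0": date(2020, 11, 26),
}

ACTIVE_YEARS = 2     # bug fixes and security fixes in regular point releases
SECURITY_YEARS = 1   # critical security fixes only, after active support ends


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; a 29 February date falls back to the 28th."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def branch_of(php_version: str) -> str:
    """'7.3.27' -> '7.3': support is decided per branch, not per point release."""
    major, minor = php_version.split(".")[:2]
    return f"{major}.{minor}"


def support_status(php_version: str, today_iso: str) -> str:
    """Return 'active', 'security-only' or 'unsupported' for the running version on a given day."""
    branch = branch_of(php_version)
    if branch not in PHP_BRANCH_RELEASE:
        raise ValueError(f"no release date recorded for PHP {branch}")
    today = date.fromisoformat(today_iso)
    released = PHP_BRANCH_RELEASE[branch]
    active_until = add_years(released, ACTIVE_YEARS)
    security_until = add_years(active_until, SECURITY_YEARS)
    if today < active_until:
        return "active"
    if today < security_until:
        return "security-only"
    return "unsupported"


if __name__ == "__main__":
    # Sample version strings of the kind `php -v` prints, checked as of early 2021.
    for version in ("7.2.34", "7.3.27", "7.4.15", "8.0.2"):
        print(version, support_status(version, "2021-03-01"))
```

A result of "security-only" means you still get critical fixes but should already be planning the move to a newer branch.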

Beyond plugins and WordPress versions

It is also very important to keep your theme updated. Themes can have vulnerabilities as well. You will see notes under Dashboard > Appearance > Themes when you have theme updates. If you purchased a premium theme, be sure you are subscribed to the theme foundry which produced it, so that you receive its updates and notifications.

If you have customized your theme, be sure you did so using the Custom CSS tool (the Additional CSS tab) in Appearance > Customize. This is only available if your theme supports this function in the Customizer.

WordPress notes, “Starting with WordPress 4.7, you can now add custom CSS to your own theme from the Appearance > Customize screen, without the need for additional plugins or directly editing themes and child themes. Just choose the Additional CSS tab when customizing your current theme to get started!”

If you have a child theme and you update the parent theme, your changes should be preserved.

Get professional assistance updating your website

If you are confused about when and what to update, please contact us. We specialize in WordPress and have resolved many issues for people who have sought us out for our knowledge.

Photo Credit: Photo by Luther Bottrill on Unsplash

Marketing and Management Tasks During Coronavirus and Social Distancing

Due to the spread of coronavirus, we are all experiencing slowdowns in our businesses.

As people pull back from social contact and work from home, their thoughts also turn to their families. New business is not top of mind these days and may not be for a while. Social distancing has limited face-to-face meetings and creative brainstorming sessions in the office. If you’re feeling a bit uninspired and lacking drive, we get it. But there are some critical marketing tactics you can undertake to maintain contact with your customers.

Fine-tune your business now when you have the time

If you have extra time on your hands, what can you do now that you haven’t been doing? What can you do to enhance your marketing? There are probably tasks which you’ve put off due to lack of time in the prior hectic months. Now is the time to get that list of “round tuits” out, dust it off and get to work accomplishing a whole array of tasks that will fine-tune your customer outreach and improve your top-of-mind awareness.

Here are a number of projects you can work on now to enhance your marketing and business management.

  1. Work on your newsletter. People have more time on their hands right now and have time to read and respond to your newsletters. If you have not told your clients what you are doing during this time of social distancing to support your staff, your vendors, and your customers, your newsletter is a good vehicle for that. Have you changed your opening hours? Cut back on offerings? Changed your menu? Be sure your customers know.
  2. Survey the content on your website. When was the last time you reviewed your content with an eye to cleaning it up? How about the last time you reviewed which content was most consumed? Take this time to weed out low-performing content and observe your higher-performing content with an eye toward comprehending how you can replicate success for a related topic. Perhaps you’ve never created the content that you’ve always wanted to create for your website. Now is the time to do the research to find out what people search for when they’re seeking to solve a problem or issue for which your product or service is the perfect solution.
  3. Hold a Facebook Live event, or an Instagram TV event, or post a video story on either Facebook or Instagram. People are spending more time on Facebook and other social media. Your followers get a notification when you go live on Facebook, and they might like to see and hear from you and get the news of what’s going on in your company. Since casual contacts at lunch or cocktails are curtailed for now, use the means you have to contact and connect with your clients.
  4. Create the YouTube video that you’ve always meant to create. Do you have a longer issue that you want to talk through? Or the solution to your customers’ most important issues? Create a video that can go on your YouTube channel. If you don’t have a channel, now is the time to consider how people search YouTube for support and assistance related to the products and services you sell.
  5. Review your Google Analytics data. Do you know what people consume when they visit your website? Do you know what order they go through your pages in? How about which is your most important landing page? If you use the tools available to you in Google Analytics, you will get greater insight into which content on your website is most helpful to your customers.
  6. Review your Search Console data. Every website we build is connected to Google Search Console. Is yours? Within this tool you can find out exactly how people visit your website via search. You can find out what queries they use, what keywords they use, and where you rank for those. Maybe you’ve never taken a look at it before, but now is the time to get familiar with it and learn more about this insightful data.
  7. Add e-commerce to your website. Now that people aren’t going shopping as much, what can you sell or offer on your website that people need and which you can deliver digitally or ship directly to them? In some cases you can simply embed an easy-to-use PayPal button to sell a single product. Or you might ask us to help you implement WooCommerce.
  8. Analyze your non-essential expenditures and cut back. With revenues slowing, it might be important for you to decide what expenditures your business can cut back on. It’s important to save money now.
  9. Revise your sales projections. Hopefully every quarter you review your expected income for the next quarter. Because none of us have a magic crystal ball, we can use our insights and our past experience to predict how the current situation may affect us.
  10. Hold regular virtual staff meetings. In the absence of information, people make up their own stories. Therefore, regular communication becomes vitally important in these times. Ensure your staff is continually well-informed. There are so many tools that allow you to hold online meetings, but have you actually used them? If you have relied on face-to-face meetings to this point, now is the time to learn how to use virtual meeting platforms. From Zoom to Google Meet to GoToMeeting to join.me, there’s a platform that will work for you. Some are free and some come at minimal cost. Test them out and figure out which ones work best for you.

What else have you tried to keep on top of things during the coronavirus pandemic? Share your tactics and tasks so we may learn from each other.

Photo by BRUNO CERVERA on Unsplash

Strong passwords help secure your site and your reputation

Some things are so important they bear keeping in mind. This evergreen post was initially published in 2012 and has been updated to make it current.

Without strong passwords, your site is open to thieves

We want to speak to you about the importance of using strong passwords.

In recent days, we have recorded thousands of separate attempts to access WordPress accounts on our servers. Undoubtedly there could have been more, as our security software is configured to send us reports only when a user has been locked out after entering the wrong password multiple times. This is not a deliberate attack on our servers. Attacks like this go on constantly, day in and day out, on every web server on the internet.

Resistance is futile without strong passwords

These attacks are carried out by networks of compromised computers known as botnets. An individual computer can be infected in various ways and become part of a network which is then used, without the knowledge of the owner, in endeavors such as denial of service attacks and password guessing schemes. There are literally thousands, and in some cases hundreds of thousands, of computers involved in a single network.

Our security software allows multiple retries before imposing a lockout or total ban on your IP address.

These attacks are not very sophisticated. They do not have to be, as there is zero cost to the attacker, who is using someone else’s computer for the attack. These attacks often succeed because the average person does not use a strong password. The statistics on the most commonly cracked passwords, from the 10,000 Top Passwords list, make it obvious why these attacks work:

  • 4.7% of users have the password “password”
  • 8.5% have the password “password” or “123456”
  • 9.8% have the password “password”, “123456” or “12345678”
  • 14% have a password from the top 10 passwords
  • 40% have a password from the top 100 passwords
  • 79% have a password from the top 500 passwords
  • 91% have a password from the top 1000 passwords

Check to be sure your password is not on a list of the worst passwords.

Securing your site

Your minimum goal is to make sure you are not part of the 91% using the top 1000 passwords. It is not as difficult as you may think. You can have a reasonably strong password that is not impossible to remember.

Simple or common passwords are always tried first. Cute or unusual spellings are no replacement for a good password. While you may think that unusual spelling, or replacing letters with similar-looking numbers (i.e. secure spelled s3cur3), will make a password hard to guess, someone else has already come up with it many times before and it is in the common passwords list. Simple, short, one-word passwords just are not good enough. In this case, size matters.

Use either a totally random string of characters, such as FT3GvOUZn4WOZ077hL5B (make up your own, do NOT use this one), from my password generator, which requires a password manager to remember (which is what we do), or use at least two random words and at least one random number. Go ahead, write it down (but don’t reuse it anywhere else). You are not defending against someone breaking into your office to search your desk; you are defending against automated attack by a botnet.

A great resource for generating random words is unique-names.com. Just open the page and pick two or three words from the list. Stick one or two random two- or three-digit numbers between and/or after the words, and you have a password with extremely low odds of being on the list of guessed passwords. The words themselves are almost guaranteed to be on the list, so DO NOT use only one word. It is the particular combination of words and numbers which is strong. If you’d like to use a truly random number, randomwordgenerator.com has a true random number generator on its front page. Just enter a minimum and maximum, say 100 and 999, click Generate, and use the three-digit random number you’ve just generated. Write your password down or enter it into your favorite password manager.
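As an added illustration (not code from this post), here is a Python check that applies the points above: it flags a candidate that is on a common-password list, that becomes a listed word once letter-for-digit swaps like s3cur3 are undone, or that is just a listed word with digits tacked on, and it builds the two-words-plus-a-number style of password the post recommends. The ten-entry password list, the word list and the 12-character minimum are constructed stand-ins; a real check would load the full 10,000 Top Passwords file.

```python
import secrets

# Constructed stand-in for the real "top N" list; load the full file in practice.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "secure", "welcome", "admin", "monkey", "dragon",
}

# Constructed word list standing in for a page of random words.
SAMPLE_WORDS = ["lantern", "copper", "meadow", "velvet", "harbor", "thistle"]

# Letter-for-digit swaps that guess lists already contain; "s3cur3" is treated as "secure".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # assumed policy; the post only says longer is better


def undo_leet(text: str) -> str:
    return text.translate(LEET_MAP)


def weakness(candidate: str, common=COMMON_PASSWORDS, min_length: int = MIN_LENGTH) -> list:
    """Return the reasons a candidate would fall quickly to a botnet's guess list (empty = ok)."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append("too short")
    lowered = candidate.lower()
    if lowered in common:
        reasons.append("on the common-password list")
    elif undo_leet(lowered) in common:
        reasons.append("common password with letter-to-digit substitutions")
    elif lowered.rstrip("0123456789!.") in common:
        reasons.append("common password with digits appended")
    return reasons


def generate_passphrase(words=SAMPLE_WORDS, n_words: int = 2) -> str:
    """Random words with a random three-digit number after the first one, as the post suggests."""
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    number = str(100 + secrets.randbelow(900))     # 100..999, the post's example range
    chosen.insert(1, number)                        # e.g. Lantern482Copper
    return "".join(chosen)


if __name__ == "__main__":
    for pw in ("password", "s3cur3", "Password1234", generate_passphrase()):
        print(f"{pw!r}: {weakness(pw) or 'no obvious weakness'}")
```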

Manage your passwords

Should you wish to start using a password management system, there are several good ones reviewed at InfoWorld, both free and commercial. We prefer KeePass, but read the review and see which one works for you.

Changing your password in WordPress is easy. There’s a video at WordPress.tv showing how to do this. While this video was generated a number of years ago for WordPress.com, the basic functionality still applies and works for both WordPress.com and self-hosted WordPress.

One of the most important things to remember when using a password manager is that there is now a single password which grants access to all the others. It is imperative you use a very good password to access the password manager’s database. We recommend trying several words arranged into a memorable nonsense phrase (those random word lists at unique-names.com are handy for this). Again, size matters.

You may think, why should I worry about someone guessing my password, there’s nothing valuable on my website. What happens to your brand’s reputation if malware is installed on your site and all your visitors are infected? And what happens when Google marks your site as infected and posts that in conjunction with your URL? If your site spews malware, you’ll see all the hard-earned SEO efforts you’ve dedicated yourself to crumble.

Don’t share your login with others. If you must share with someone, so they can perform maintenance or install software or perform some action you have authorized, change your password after the task is completed.

Last, but extremely important, never, never, ever, reuse passwords. Once a password is guessed, the attackers will attempt to identify other accounts you own and try the password on all of them, like your online banking accounts. What about your domain registration? What would it cost your business, in money and reputation, if someone logged into your account at your domain registrar, and stole your domain? What if they then linked it to a pornography site?

Adding 2 Factor Authentication to your site

Adding two-factor authentication (2FA) to your site is one way to add another layer of security. It combines something you know (like your password) with something you have (your phone, for example, which can generate or receive additional login information).

WordPress writes:

Logging in with a password is single-step authentication. It relies only on something you know. Two-step authentication, by definition, is a system where you use two of the three possible factors to prove your identity, instead of just one. In practice, however, current two-step implementations still rely on a password you know, but use your phone or another device to authenticate with something you have.

WordPress Beginner offers a tutorial on adding Google Authenticator as a two-factor authentication service. Plugins for 2FA can be installed as well. Here’s another tutorial, from techjourney.com, about how to use Authy for 2FA on your site.

Make sure you have a strong password, and consider adding 2FA

We figure a word to the wise is sufficient. Create strong passwords. Don’t share them. And never reuse them. Your business and reputation depend on it.