WordPress vulnerabilities can be prevented

Because WordPress is the #1 CMS, it is a target

With popularity comes exposure. WordPress powers about 32% of all websites. It is the most popular CMS (content management system) around, with 33% dominance according to W3Techs. WordPress sites belong to small and medium-sized businesses as well as large enterprises. That makes WordPress a giant target for hackers and botnets.


According to Imperva's yearly analysis, the greatest number of vulnerabilities in WordPress come from the plugin side. “On the content management system (CMS) front, WordPress vulnerabilities have tripled since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category.”

WordPress.org includes more than 54,262 plugins in its repository. Many of these plugins are incredibly useful and help extend the functionality of your site. However, it is not at all unusual for a plugin to be abandoned or left without updates if its developer loses the interest or time to manage it. Sometimes plugins are forked and kept up to date by others in the open source community, but just as frequently they are left to languish. You may even have some of these outdated plugins on your website.

Image: Examples of way out-of-date plugins in the WordPress repository.

When was the last time you audited the plugins you use on your site?

Regularly updating your plugins closes off opportunities for hackers and bots to inject scripts or add malicious code. These bad actors know when such opportunities exist, and they keep their networks scanning WordPress sites looking for them.

How do I update my WordPress Plugins?

Image: This is an example of how WordPress signals you that there are plugin updates pending.

Log in to your site, go to your Dashboard and open the Plugins panel. You may see red numbers indicating how many plugin updates are pending on your site. Upon opening the Plugins panel, you may see a yellow highlighted note for each plugin which has a new version. Below you can see an instance of this type of note for Jetpack. You can click the hyperlink to learn what the new version's details are, or you can click the update now hyperlink to update immediately.


Image: The note from the plugin developer that there is a new version of Jetpack available.

It is important to check which plugins have updates and to make a whole-site backup before doing anything. Only then do we recommend updating your plugins. After upgrading, check how your site functions. It is not uncommon for an upgrade to cause a compatibility issue with other plugins.

Unless the update addresses a security risk, you may wish to consider waiting until the day after a new release before updating your site. While developers test their plugins, some issues are only discovered after release, when a large number of sites are running the new version. If it's a major release, i.e. 5.x.x to 6.0, make sure you click the link to view the details so you are aware of major changes that may affect your site.

How do you choose reliable plugins?

Choosing dependable plugins is pretty simple.

  • Look for plugins which have had several versions and which have many thousands of active installs.
  • Use plugins which have been tested for the most recent version of WordPress.
  • Check out the Reviews and see what others have to say about using the plugin.
  • Look at the plugin's support forum to see what kinds of issues others are having, whether or not the developer is responding to issues, and how promptly the response is provided.

Did you update when WordPress 5.0 came out?

Another important way to prevent vulnerabilities is to keep your WordPress version up to date. WordPress 5.0 was released in December 2018. Because it was a major release, your WordPress software did not update automatically as it does for incremental updates. [Read more about automatic updates.] Did you update when 5.0 was released? If you did, then you have also received the incremental updates since then. If you have not yet updated your website to WordPress 5.0, you should do so very soon.

Beyond plugins and WordPress versions

It is also very important to keep your theme updated. Themes can have vulnerabilities as well. You will get notes in your Dashboard > Appearance > Themes when you have theme updates. If you purchased a premium theme, be sure you are subscribed to updates and notifications from the theme foundry which produced it.

If you have customized your theme, be sure you did so using the Custom CSS tool in Appearance. This is only available if your theme supports this function in the Customizer.

WordPress notes, “Starting with WordPress 4.7, you can now add custom CSS to your own theme from Appearance Customize Screen, without the need for additional plugins or directly editing themes and child themes. Just choose the Additional CSS tab when customizing your current theme to get started!”

If you have a child theme and you update the parent theme, your changes should be preserved.

Get professional assistance updating your website

If you are confused about when and what to update, please contact us. We specialize in WordPress and have resolved many issues for people who have sought us out for our knowledge.

Photo Credit: Photo by Luther Bottrill on Unsplash

Do These Things if You Are Moving to a New Host, or Upgrading Your WordPress Theme

Don’t try to move your website or update your theme without packing up the most essential items: Your WordPress database and all your posts and images.

Before you move your site, you must pack

It’s rare that someone chooses to move and leave all their worldly goods behind. But that’s exactly what some people do when they relocate their website to a new host, upgrade their website’s theme, or replace their existing static HTML site with a dynamic CMS-based website.

There are two essential steps to prepare to move your site or change your hosting: a backup, and an inventory of all your pages in the form of a sitemap.

If you are going to undertake a hosting change, you or your web developer must do these things in order to have an easy move.

Back up your site

By not backing up or copying your site’s content, you risk losing it all in the transfer. Before doing anything, back up both your theme and, if you have a content-managed website, your MySQL database.

You can use FileZilla to copy all of your website directories and files to your hard drive. Or, if you have a WordPress site, you can use WordPress’ export tool to export all your data neatly.
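The backup step above, and the whole-site backup recommended before plugin updates in the previous post, can be scripted on the server so it is never skipped. The following POSIX shell script is an added example, not code from the original posts or a Charleston PR & Design tool. It assumes a self-hosted WordPress install whose root directory you pass as the first argument (the `/var/www/html` and `/var/backups/wordpress` paths are placeholders), reads the database credentials from that install's `wp-config.php`, and needs `tar`, `gzip` and `mysqldump` on the host.

```shell
#!/bin/sh
# Added example (not from the original posts): snapshot a self-hosted
# WordPress site's files and MySQL database before running plugin, theme
# or core updates, or before moving hosts.
# Assumptions: WordPress root passed as $1 with wp-config.php inside it;
# tar, gzip and mysqldump available on the host; destination paths are
# placeholders chosen by the operator.

# Read one define('NAME', 'value') constant out of wp-config.php.
# Handles single- or double-quoted values that contain no quote characters.
wp_config_value() {
  config="$1"
  name="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*).*/\1/p" "$config" | head -n 1
}

# Split a DB_HOST value such as "localhost" or "127.0.0.1:3307" into host and port.
# (Socket-path forms like "localhost:/path/mysqld.sock" are not handled here.)
wp_db_host() { printf '%s\n' "${1%%:*}"; }
wp_db_port() {
  port="${1#*:}"
  if [ "$port" = "$1" ]; then port=3306; fi
  printf '%s\n' "$port"
}

# Write a timestamped archive of wp-content plus wp-config.php, and a
# compressed mysqldump of the database, into the destination directory.
# $1 = WordPress root directory, $2 = destination directory for the archives.
wp_backup() {
  root="$1"
  dest="$2"
  config="$root/wp-config.php"
  [ -f "$config" ] || { echo "no wp-config.php in $root" >&2; return 1; }

  db_name=$(wp_config_value "$config" DB_NAME)
  db_user=$(wp_config_value "$config" DB_USER)
  db_pass=$(wp_config_value "$config" DB_PASSWORD)
  db_host=$(wp_config_value "$config" DB_HOST)
  [ -n "$db_name" ] || { echo "DB_NAME not found in $config" >&2; return 1; }

  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  chmod 700 "$dest"   # the archive holds wp-config.php, i.e. live DB credentials

  # Files: plugins, themes and uploads all live under wp-content.
  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content wp-config.php || return 1

  # Database: hand the password to mysqldump via a 0600 option file so it
  # never shows up in the process list; --single-transaction gives a
  # consistent snapshot of InnoDB tables without locking the live site.
  cnf=$(mktemp) || return 1
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\nport=%s\n' \
    "$db_user" "$db_pass" "$(wp_db_host "$db_host")" "$(wp_db_port "$db_host")" > "$cnf"
  mysqldump --defaults-extra-file="$cnf" --single-transaction "$db_name" > "$dest/db-$stamp.sql"
  rc=$?
  rm -f "$cnf"
  [ "$rc" -eq 0 ] || { rm -f "$dest/db-$stamp.sql"; return "$rc"; }
  gzip -f "$dest/db-$stamp.sql" || return 1
  echo "backup written: $dest/files-$stamp.tar.gz and $dest/db-$stamp.sql.gz"
}

# Usage (paths are placeholders):  wp_backup /var/www/html /var/backups/wordpress
```

Run it from cron or by hand immediately before clicking "update now", and keep the destination directory outside the web root so the archive (which contains your database credentials) is never served to visitors. Restoring is the reverse: unpack the tarball over a fresh WordPress install of the same version and feed the `.sql.gz` to `mysql`.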

Create a sitemap

Next, build a sitemap of your existing site capturing all URLs and relationships of pages to each other.

You can use Google’s Webmaster Tools to create a sitemap, or if you have a WordPress self-hosted site you can install the most popular WordPress plugin, Google XML Sitemaps. But what if your site is not a WordPress site? How do you create a sitemap? Either with Google’s Webmaster Tools or with an online tool such as XML Sitemaps.

After you move your site, you should create 301 redirects, which will prevent the loss of your SERP (search engine results pages) referrals. [Read our post on the topic.] When you set up your new site, especially if you are not maintaining an exact copy of your previous site’s structure, you need to set up a redirect for every page which previously existed and which no longer exists on your new site.

As with preparation for any trip, your digital data needs good planning. And tidy packing. Happy Travels!

Photo By: Drew Coffman

WordPress Security Imperative

Hackers are after your WordPress self-hosted blog.

WordPress security must be scheduled

WordPress security must be top-most in your planning and regular maintenance. Ever wonder why keeping your WordPress-based website’s version and your plugins updated is imperative? There are hackers out there who have more time on their hands than anything else. Merry pranksters, they want to see what they can do. Don’t allow your WordPress website to fall victim to them.

If you aren’t comfortable performing the updates, then get an experienced WordPress web developer to keep it updated for you.

ProBlogger provides a detailed explanation.

Update, update, update
Update WordPress. Update your plugins. Update your theme. Try to install these updates immediately after the alert appears in your Dashboard. Here’s why.

Fixes to new bugs and security holes are always a big part of every update. The minute an update gets released, all the changes are announced in the official doc that goes along with the update. If a hacker wants to attack a site that hasn’t been updated yet, they just have to take a look at the document, do a little research and tackle the holes that the new version fixes.

Read the entire post at Secure Your WordPress Blog Without Touching Any Code: @ProBlogger.

Charleston PR & Design, LLC hosts WordPress websites and provides monthly software updates for all our clients. Our daily backups ensure every hosted site can be restored. And if an update breaks your site’s theme or functionality, we repair the break. That’s the type of insurance that you can’t do without.