WordPress vulnerabilities can be prevented

Because WordPress is the #1 CMS, it is a target

With popularity comes exposure. WordPress powers about 40.5% of all websites. It is the most popular CMS (content management software) around with 64.5% dominance according to W3 Techs. WordPress sites belong to both small and medium sized businesses as well as large enterprises. That makes WordPress a giant target for hackers and bot nets.

via GIPHY

According to Imperva‘s yearly analysis, the greatest number of vulnerabilities in WordPress come on the plugin side. “On the content management system (CMS) front, WordPress vulnerabilities have tripled since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category.”

WordPress.org includes more than 58,000 plugins in their repository. Many of these plugins are incredibly useful and help extend functionality of your site. However, it is not at all unusual for plugins to be abandoned or not updated if the developer of that plugin loses interest or time to manage it. Sometimes plugins get forked to keep them up to date by others in the Open Source community, but just as frequently, they are left to languish. You may even have some of these outdated ones in your website.

Image showing out of date WordPress plugins in the repository — Examples of way out of date plugins in the WordPress repository.

When was the last time you audited the plugins you use on your site?

Regular updates of your plugins can prevent opportunities for hackers and bots to inject scripts or add malicious code. These bad actors know when there are opportunities to cause havoc and they have their networks scanning WordPress sites looking for them.

How do I update my WordPress Plugins?

This is an example of how WordPress signals you that there are plugin updates pending.

Login to your site and proceed to your Dashboard and open the Plugins panel. You may see red numbers indicating how many updates you have pending to plugins on your site. Upon opening the Plugin panel, you may see yellow highlighted notes per each plugin which has a new version. Below you can see an instance of this type of note for Jetpack. You can click the hyperlink to learn what the new version details are or you can click the update now hyperlink to update immediately.

Example of a message on a plugin telling you that there is an update. — This image displays the note from the plugin developer that there is a new version of Jetpack available.

It is important to check which plugins have updates and to make a whole site backup prior to doing anything. Only then do we recommend updating your plugins. Upon upgrading, check how your site functions. It is not uncommon for upgrades to cause an issue with compatibility of other plugins.

Unless the update addresses a security risk, you may wish to consider waiting until the day after a new release before updating your site. While developers test their plugins, some issues are only discovered after release, when a large number of sites are running the new version. If it’s a major release, i.e. 5.x.x to 6.0, make sure you click the link to view the details so you can be aware of major changes that may affect your site.

How do you choose reliable plugins?

Choosing dependable plugins is pretty simple.

Look for plugins which have had several versions and which have many thousands of active installs.
Use plugins which have been tested for the most recent version of WordPress.
Check out the Reviews and see what others have to say about using the plugin.
Look at the plugin support forum to see what kinds of issues others are having and whether or not the developer is responding to issues and how promptly the response if provided.

Did you update when the most recent WordPress update came out?

Another important way to prevent vulnerabilities is to keep your WordPress version up to date. WordPress 5.0 released in December 2018. Because it was a major release, your WordPress software did not update automatically as it does for incremental updates. [Read more about automatic updates.] Now we are at 5.6.2 WordPress version. Did you update when 5.0 was released? As of March 2020 slightly more than 20% of WordPress sites are running on versions older than 5.0. If you did, then you have also recently received updates to the incremental updates. If you never updated your website to WordPress 5.0, you should do so very soon.

Ensure your PHP version is supported and secure

If you are running on WordPress, the critical software underlying it is PHP. Versions older than 7.3 are no longer supported and are vulnerable. PHP is a scripting language that allows your website to be built with the data from your database. It is fundamental to WordPress and allows WordPress to function.

Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases.

After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.

Beyond plugins and WordPress versions

It is also very important to keep your theme updated. Themes can have vulnerabilities are well. You will get notes in your Dashboard > Appearance > Themes when you have theme updates. If you purchased a premium theme, be sure you are subscribed to them and get updates and notifications from the theme foundry which produced it.

If you have customized your theme, be sure you did so using the Custom CSS tool in Appearance. This is only available if your theme supports this function in the Customizer.

WordPress notes, “Starting with WordPress 4.7, you can now add custom CSS to your own theme from Appearance Customize Screen, without the need for additional plugins or directly editing themes and child themes. Just choose the Additional CSS tab when customizing your current theme to get started!”

If you have a child theme and you update the parent theme, your changes should be preserved.

Get professional assistance updating your website

If you are confused about when and what to update, please contact us. We specialize in WordPress and have resolved many issues for people who have sought us out for our knowledge.

Photo Credit: Photo by Luther Bottrill on Unsplash

Crisis Prevention: Vulnerability and Risk Management

Posted by Cheryl Smithem

Animals comprehend their vulnerability. Vertebrates have a dorsal and ventral side. Our dorsal sides are our backs — from the Latin dorsum. Our ventral sides are our bellies. Unshielded, our bellies are one of the weakest points on a vertebrate animal.

Dogs showing submission roll onto their backs, displaying their belly to the dominant dog. Armadillos must roll into a ball to protect their vulnerable underside. Every animal species understands its vulnerable side and how to protect it.

What is your vulnerability?

Every business entity has a vulnerable side too. Learning how to protect your business by assessing risks and managing vulnerabilities is a wise investment.

If you do not assess risks and discover your vulnerabilities, you stand the potential to be ripped apart by unforeseen consequences.

How do you assess risk?

Assessing risk requires a systems approach and perhaps outside experts. There are professionals (such as our firm) who will help assess your risks. Experts from every area: financial, HR, IT, physical plant and electrical are all good to help assess your risk and propose safety measures to prevent loss. CPAs can assess your financial systems and identify weaknesses in your management of assets, both property assets and money. Human Relations consultants can help you by conducting background checks of potential employees. You can call on the fire department to assess your warehouse or office or storefront to protect you from fire threat. IT consultants can examine your ability to back up and secure vital information.

You may be a business with sales of $50 million a year or one with sales of $50,000 a year, but each is vulnerable. Physical / premises weaknesses, human / employee weaknesses, financial / information vulnerabilities, and reputation / public relations vulnerabilities are present in every business. Finding yours, making a plan and mitigating risk is crucial in order to be a mature business. Of course, there are many businesses who never undertake risk assessment. And they never have a threat or loss. And there are just as many caught unawares whose companies disappear overnight when the unthinkable happens. Do not hide from the opportunity to plan.

In the Carolinas, we live with the seasonal threat of hurricanes. Have you assessed your ability to weather a category five or lesser storm? Have you made sure you have all your IT systems backed up in the cloud? Are all your paper files stored above the one hundred year flood height? Do you have an emergency alert and notification system in place to inform your employees not to report to work in the advent of a storm? How will you notify them to return to work you are able to resume operations? Do you have business interruption insurance? We could go on and list multiple areas to examine.

Accept that every component of your business is vulnerable to loss, interruption of business, damage, or absolute breakdown. Now the question becomes, “What does it take for me to get back up and running?”

Involve every employee and manager in making an outline of what is essential and critical in order for them to work. Depending on your product or services, you may be able to all work remotely. If you are a manufacturer or hard-goods producer, you will need to outline how to get back into operation. This requires that you have agreements with vendors from outside our geographical area lined up to provide materials, support and services to help you get back up and running.

While you may object to going to these lengths now to assess risks and plan for interruption and recovery, planning now will save you money, time and ultimately your business.

A Crisis Recovery Lesson from Jeni’s Splendid Ice Creams

Posted by Cheryl Smithem

A crisis doesn’t always lead to a business meltdown

Lowcountry Local First hosts an annual all-day seminar with great presenters. Termed the Good Business Summit, the event provides insight to business owners about how to make their firms better.

High-profile business owners are invited to share lessons and information based on their own experience.

The 2015 Good Business Summit featured a presentation from Jeni’s Splendid Ice Creams company founder Jeni Britton Bauer.

As reported by The Post and Courier, Bauer frankly and openly discussed the challenges and the recovery process her business went through as a result of listeria contamination. The contamination caused business interruptions at her production facilities as well as massive recalls of products where were produced at contaminated facilities.

According to reporter David Wren, Bauer said,

“What has to change is how businesses view our responsibilities…“Do we rely on their periodics (inspections)? Do we rely on our health inspectors any more?” Absolutely no. Because we know that they are not experts in food safety, they are experts in the law and those are totally different things. The responsibility is on business … to make healthy things, to keep people healthy.”

Following a crisis, do things differently

Bauer is correct. When your business undergoes a crisis, you must do things differently in order to regain confidence from your customers and the public.

Let’s analyze exactly what Bauer did that is helping Jeni’s Splendid Ice Creams recover from this disaster.

Steps to crisis recovery

Own the situation. Admit that this event occurred. Convene your firm’s leadership or crisis communications / management team. (If you don’t have a crisis team, you need to put a pin in this and organize a team and a plan.) Make sure everyone on the team knows what their responsibility will be. Don’t try to hide or deny the situation. Help the public and your customers understand what occurred. In the instance of Jeni’s, Bauer could not hide because there were authorities involved, but rather than fight or deny, the went beyond what was called for and took control of the situation. She demonstrated corporate leadership and responsibility by stepping up.
Communicate transparently. Do not try to duck responsibility. Take action. If product needs to be recalled, do it. Jeni’s did and helped preserve their reputation. As quickly as possible, use the firm’s social media channels and website to communicate. Jeni’s CEO communicated at each step along the way.When one searches the Internet for the terms Jeni’s and recall, the first search results are those from the company’s own website. That’s real transparency. Hold a media conference if there are many media seeking information. Media are doing their jobs. They need to tell the public about the situation, and working with them will help you help them keep the facts straight.If legal questions are involved, you must consult your attorney and crisis communications consultant or public relations firm to be clear on the implications of press conferences, social media posts and website posts. Much of this may be clarified in advance as part of your crisis communications plan. You must be sure you are not compounding the crisis by communicating incompletely or with partial facts or allowing a bad situation to continue. You do want to observe privacy laws and be aware that in situations of healthcare, human resources and personnel, some facts may not be disclosed.
Call on subject matter experts to help review, analyze and present a third-party analysis of contributing causes. In Jeni’s case, they called in people to help them analyze their procedures and test.John Lowe said in a Jeni’s news release,“In addition to fixing every issue identified by the FDA, we have been working with them throughout this entire process, including having provided a thorough response letter detailing how we have fixed each and every concern identified in their inspection report. We dove in and made darn sure we fixed all of their concerns, and we brought in outside experts to help us find other areas of improvement to create a world class, safe environment for making our ice creams.”

While you may not care for what the third party may find or disclose, as long as you seek to remedy the flaws in process, procedure and performance, you can make things improve.
Demonstrate that procedures have changed and exactly how you are modifying your operations in response to the crisis. After the subject matter experts disclose their findings, give the public a plan indicating how each negative finding is to be addressed and how your firm will do things differently.Lowe noted that Jeni’s,
“…instituted test and hold procedures to ensure we are only providing safe ice cream…The ice cream we are producing…comes from an overhauled kitchen, a significantly more trained team working from new ground rules that enable a safer environment (such as not processing fresh fruit in the production kitchen, and not allowing work in our company garden prior to changing into production clothes).”

A crisis situation doesn’t have to mean the end of your business. You can prepare in advance. You can demonstrate change and improvement and go on to a new day as did Jeni’s Splendid Ice Creams.

Are you prepared with a crisis management team? Is your social media plan up to date and does it include crisis recovery and communications sections? Is your website within your control so you can easily post and share the firm’s progress during your crisis recovery?

If you don’t have these elements in place. we can help. We can audit and help your business prepare for the types of crisis which might more frequently occur in your industry.

crisis prevention