WordPress vulnerabilities can be prevented

Because WordPress is the #1 CMS, it is a target

With popularity comes exposure. WordPress powers about 32% of all websites. It is the most popular CMS (content management software) around with 33% dominance according to W3 Techs. WordPress sites belong to both small and medium sized businesses as well as large enterprises. That makes WordPress a giant target for hackers and bot nets.

via GIPHY

According to Imperva‘s yearly analysis, the greatest number of vulnerabilities in WordPress come on the plugin side. “On the content management system (CMS) front, WordPress vulnerabilities have tripled since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category.” 

WordPress.org includes more than 54,262 plugins in their repository. Many of these plugins are incredibly useful and help extend functionality of your site. However, it is not at all unusual for plugins to be abandoned or not updated if the developer of that plugin loses interest or time to manage it. Sometimes plugins get forked to keep them up to date by others in the Open Source community, but just as frequently, they are left to languish. You may even have some of these outdated ones in your website.

Image showing out of date WordPress plugins in the repository
Examples of way out of date plugins in the WordPress repository.

When was the last time you audited the plugins you use on your site?

Regular updates of your plugins can prevent opportunities for hackers and bots to inject scripts or add malicious code. These bad actors know when there are opportunities to cause havoc and they have their networks scanning WordPress sites looking for them.

How do I update my WordPress Plugins?

Image - Example of how pending plugin updates are signaled in your WordPress dashboard
This is an example of how WordPress signals you that there are plugin updates pending.

Login to your site and proceed to your Dashboard and open the Plugins panel. You may see red numbers indicating how many updates you have pending to plugins on your site. Upon opening the Plugin panel, you may see yellow highlighted notes per each plugin which has a new version. Below you can see an instance of this type of note for Jetpack. You can click the hyperlink to learn what the new version details are or you can click the update now hyperlink to update immediately.

 

Example of a message on a plugin telling you that there is an update.
This image displays the note from the plugin developer that there is a new version of Jetpack available.

It is important to check which plugins have updates and to make a whole site backup prior to doing anything. Only then do we recommend updating your plugins. Upon upgrading, check how your site functions. It is not uncommon for upgrades to cause an issue with compatibility of other plugins.

Unless the update addresses a security risk, you may wish to consider waiting until the day after a new release before updating your site. While developers test their plugins, some issues are only discovered after release, when a large number of sites are running the new version. If  it’s a major release, i.e. 5.x.x to 6.0, make sure you click the link to view the details so you can be aware of major changes that may affect your site.

How do you choose reliable plugins?

Choosing dependable plugins is pretty simple.

  • Look for plugins which have had several versions and which have many thousands of active installs.
  • Use plugins which have been tested for the most recent version of WordPress.
  • Check out the Reviews and see what others have to say about using the plugin.
  • Look at the plugin support forum to see what kinds of issues others are having and whether or not the developer is responding to issues and how promptly the response if provided.

Did you update when WordPress 5.0 came out?

Another important way to prevent vulnerabilities is to keep your WordPress version up to date. WordPress 5.0 released in December 2018. Because it was a major release, your WordPress software did not update automatically as it does for incremental updates. [Read more about automatic updates.] Did you update when 5.0 was released? If you did, then you have also recently received updates to the incremental updates. If you have not yet updated your website to WordPress 5.0, you should do so very soon.

Beyond plugins and WordPress versions

It is also very important to keep your theme updated. Themes can have vulnerabilities are well. You will get notes in your Dashboard > Appearance > Themes when you have theme updates. If you purchased a premium theme, be sure you are subscribed to them and get updates and notifications from the theme foundry which produced it. 

If you have customized your theme, be sure you did so using the Custom CSS tool in Appearance. This is only available if your theme supports this function in the Customizer

WordPress notes, “Starting with WordPress 4.7, you can now add custom CSS to your own theme from Appearance Customize Screen, without the need for additional plugins or directly editing themes and child themes. Just choose the Additional CSS tab when customizing your current theme to get started!”

If you have a child theme and you update the parent theme, your changes should be preserved.

Get professional assistance updating your website

If you are confused about when and what to update, please contact us. We specialize in WordPress and have resolved many issues for people who have sought us out for our knowledge.

Photo Credit: Photo by Luther Bottrill on Unsplash

Be original, avoid commercial WordPress themes

Are commercial WordPress themes worth the savings?

These days if you want a WordPress website, there are thousands of WordPress themes for sale on many commercial theme foundry sites. Purchasing one of them may seem the quickest way to the creation of a WordPress based site for your business. In some instances this might be the best option. And in some instances, it might not be the best option for you. Let’s examine the points to evaluate if you’re considering purchasing a theme for your WordPress site.

If you have a very limited budget, you might want to find a simple, easy to use theme. Or if you can be satisfied with the defined functions someone else created for a theme. Or if time is not on your side and you have to get something, anything up and don’t really have time to decide what will work best for your brand.

What should I consider when selecting a theme to purchase?

Things to consider when making the decision to use a commercially produced theme include are you completely happy with all the theme’s functionality? If you’re not satisfied with the way a theme provides staff listings, or ecommerce or projects, you can have a developer create a child theme for you which retains the primary traits of the parent theme and adds your modifications. You might use WordPress plugins to give the site functionality which the theme doesn’t include, but too many plugins can overload a WordPress site, slowing down load times. Having plugins on your site opens it up to issues called “breaking changes” — “A change in one part of a software system that causes other parts to fail; occurs most often in shared libraries of code used by multiple applications.”

Some themes will have hundreds of options, and come with preloaded content, but which of these options will you really use? Why opt for a WordPress theme stuffed with every known functionality under the sun? Trying to figure out how to use your selected options will make you feel like you’re banging your head on a brick wall and complicated software is more difficult to get right.

Documentation is often lacking in commercial WordPress themes. Before purchasing a theme, explore the documentation. If it is written with incomplete sentences, broken English or simply fails to convey the essential instructions of how to use it, you want to avoid it.

You should also explore the responsiveness of the theme’s developer, checking to be sure they respond to questions from purchasers. Do they update the theme regularly to keep it inline with WordPress’s developments? Do you get all those updates for the life of your site? Or do you have to purchase them in an ongoing process?

If you’re not going to do all the setup of your site yourself, ask the developers you consider using how they handle all of these concerns. Reflect on their answers and make your decisions appropriately. Remember that unless your developer is familiar with that “it will do anything” theme, it will take more time (money) for them to help you with it.

Why should I get a custom WordPress theme created for my website?

There are many reasons to have a very experienced, knowledgeable WordPress developer create a custom theme for your business website. Having your website purpose built for your business, to support your brand and provide precisely the required functionality your business needs is the best reason to get a custom theme coded for your WordPress website.

Advantages of a custom theme

A custom theme may be more expensive than a commercial theme set up by a WordPress freelance developer, but you’re not stuck with reverse engineering a theme’s functionality to get it to do what you require, or piling on plugins to make it do what you want. You will not have to worry about lacking instructions on how to to use a bloated, feature heavy theme that will go out of date the minute you install it.

Updating A Website: Making a Website Plan

 

They arrived full of hope

A group of open, smiling faces looked at me as I asked the question, “Has your website passed it’s sell by date?” We were gathered for a workshop sponsored by the Coastal Community Foundation in Charleston. Attendees were staff of non-profit organizations who were there to learn to plan or update their website so that it works well for their constituents and is true to the organization’s purpose.

All wanted better websites

Some in the group had crafted sites using free website builders like Wix and Google Sites. Some had outdated, legacy websites, created years ago by former staff or board members —built on platforms which shouted, “I’m from 1994.” Almost all of the sites had essential communications errors such as trying to cram too much onto a home page, or pages which lacked a purpose, or content that had not been updated in years.

Each one of these eager people were anxious to learn how they could take charge of their website so that the organization’s digital front door was welcoming and appealing. Each of them were working with limited budgets.

Planning time saves money

Over the course of our time together, everyone had “ah ha” moments about how they might improve their site. They all realized if they take the time to plan updates to their site, whether they work with website design / development professional or if they chose to go the DIY route, their planning will yield a lower cost, more user focused site that can support their organization’s goals.

As we worked together, I shared a presentation to help them work through some fundamental strategy questions and comprehend potholes, road blocks and missteps in planning, execution and design of a website.

Updating your website or planning a new site is not rocket science. All it requires is your focused time, comprehension of what your site visitors need and how you want to implement the site’s functionality. Your resulting strategy then yields insights that help you choose a template or theme or help a developer design your site. You just need to organize your thoughts and plan how each of your potential website visitors will use the site.

Start with:

  • Your website users
  • Figure out what each user needs or seeks that will prompt them to visit your site
  • Outline the functionality which will help each user get what they need

And then you plan your website content hierarchy so that every site visitor can navigate to what they need. Critical questions during your page content planning are three questions which address users’ needs:

  1. Where am I?
  2. What can I do here?
  3. Why should I care?

If each page addresses these questions, provides information and content designed to fulfill the specific requirements of that page’s audience and is true to your brand, you’ll have a winning site.

Download our tools to create a website plan:

If you find yourself stuck and not sure what to do to get a good website that works, give us a call.