
Beyond Blog Design

Do More Than Just Blog


Backups

Optimization, Vulnerabilities, Hackers, Oh My! An Explanation of the Crazy WordPress Events of the Past Month

April 27, 2015 By Jen Kehl


The WordPress Twilight Zone…

It has been a really busy month for WordPress and WordPress users. It’s enough to freak a person out.

But don’t. I know how out of control you can feel when you rely on technology to take care of itself, and it’s been doing a really good job of it until BAM it’s not.


You know that saying, “A little information is a dangerous thing?”


March 11th: the WordPress SEO by Yoast vulnerability.

The news spread fast, and regular blogging folks like you and me were really worried. So worried, in fact, that WordPress decided to push the update themselves. Which meant your WordPress SEO updated itself automatically before you even knew what was happening.

That was awesome, only that “little information” made people even more sure it was a “huge problem” and I even heard people dissing WP SEO. Say it isn’t so!

Here’s how the vulnerability worked:

…an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only.
Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick an authorized user to click on a specially crafted payload exploitable URL. (Hacker News)


In English? Basically the only person who could hack this vulnerability was someone who was already an Admin. Or someone who was tricked into letting someone be the Admin. And even so, no one would have had time. They found it so fast, it was as if it never happened.

April 20th A Dozen Vulnerable Plugins

You can pretty much bet you were using one of the plugins on this list: Jetpack, WordPress SEO, All-in-one SEO, Ninja Forms, Google Analytics, you name it, it was probably on the list.

This was another really weird thing… plugin developers use information on WordPress code from what is called the WordPress Codex. If you have ever Googled a WordPress problem, and you wind up on a WordPress.org page, you are in the Codex.

The Codex is a great place if you understand code. It’s a scary place if you don’t.

Here’s the skinny. Code changes, which is a really good thing. Because the more code stays the same, the easier it is for hackers to figure out how to exploit it.

A few months back, the WordPress Codex was updated and changed a bit of code. The code fixed a possible open door. The problem was that developers were using copies of the Codex that still contained the old bit of code.

But.

A hacker would have to know about this vulnerability to use this vulnerability. But since WordPress was notified immediately, once again they pushed an update. Most of you had your plugins updated before you even realized what was going on.

April 27th Zero Day Vulnerability – WordPress

So, today. WordPress 4.2.1 was released to repair a vulnerability which allowed commenters to inject code that can take over a web server. Pretty scary. But the thing is, it’s WordPress’s job to keep you safe. And once again, they were on it.

In the course of the update, it also scanned for any malicious looking comments and removed those. So once again, you’re all good.


WordPress has got your back.

I’m a pretty big proponent of WordPress, as you have probably figured out. The truth is, as with computers, WordPress doesn’t make mistakes, users do. I know, harsh. Don’t throw anything at me *she says cowering* I’ve caused the white screen of death many times in my WordPress existence. Truth be told? It was never WordPress’s fault.

The people who work for Automattic (WordPress) are obsessed, really obsessed with WordPress. Many WordPress users are obsessed with WordPress and hang out in the WordPress forum just so if you have a question, they can answer it. For free. No one will ever let something slip in undetected because all day long they eat, think and breathe WordPress.

WordPress vulnerabilities are going to happen. Hackers suck, and they aren’t going to stop trying to steal your stuff.

Don’t panic. I know it’s been crazy. But instead of thinking of the crazy as bad, think of the crazy as good. (That should be my motto.) The fact that it’s been one update after another means that everyone out there is looking out for YOU. Me too. I’m looking out for you too. Shoot me a line, day or night if you’ve got a question.

And don’t forget! If you have a backup plan and security you’re golden no matter what!!!


Filed Under: Plugins, Technology, WordPress Tagged With: Backups, Plugins, Security, Self-Hosted, Tips, WordPress

3 Easy Steps To Secure Your Blog

April 16, 2015 By Jen Kehl


One of my favorite jobs is tweaking and fixing people’s blogs. I love to dig into the code, pick things apart, isolate the problem and then fix it.

I love it so much that sometimes I get lost in the looking and the researching and the fixing.

But one thing stops me cold every. single. time. I pop on someone’s blog and they have no security.

Look. I get it. You’re a small blog, or you think you are. You think no one would bother hacking you. You are dead wrong.

The best blogs to hack are the little ones, you know why? They have no security.

It’s no skin off your back to lock up your site, and I’m going to make it easy for you. How about instead of giving you choices I just tell you what I do?

I am already going to assume you have an airtight password, if you don’t please go read this post on how to create a Bulletproof Password. And that you are keeping your plugins updated, if not, read this post about updating your plugins.


3 Easy Steps to Secure Your Blog


1) Install Wordfence

Wordfence is the #1 free security plugin on WordPress and there is a reason for that.

You don’t have to understand anything to use it. Out of the box it will do its job. But it doesn’t hurt to run through the tutorial and change a few settings. Just grab a cup of coffee or tea, plan to sit in front of the computer for 20 minutes and get her done.

The best thing is the Wordfence scan. Wordfence automatically runs a scan of your site. It will find any malicious code or possible breaches. And when it does, guess what? It’s also going to tell you what to do about it. Can it be any easier?


2) Install Login Lockdown

Login Lockdown does just what you think. It locks someone out who tries to login too many times.

The #1 way hackers try to get into your site is by running a program that adds /wp-admin to the end of a URL; when it happens upon a WordPress site, it just starts hammering it with passwords until it gets in.

Login Lockdown says “You did not just try to login to this site 20 times, you are outta here!” I suggest changing the attempts to 5, unless you run a forum, because I’m pretty sure you won’t forget your password 20 times in a row.
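To make the lockout rule concrete, here is an added Python simulation (not the Login Lockdown plugin’s own code) of the “too many failed logins and you’re out” logic, run over constructed login events: one legitimate user who mistypes her password twice, and one scripted source hammering the login with wrong passwords. It shows what changes when you lower the threshold from 20 to the suggested 5. The IP addresses, usernames and timestamps are constructed, and the failure window and lockout duration are assumptions, not the plugin’s settings.

```python
"""Simulated login lockout (added illustration, not the Login Lockdown plugin).

Assumptions: each login attempt is (timestamp, source_ip, username, success);
lockout is tracked per source IP; failures older than `window` are forgotten;
a locked IP stays locked for `lockout`.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample addresses (documentation ranges, not real hosts).
LEGIT_IP = "203.0.113.10"
ATTACKER_IP = "198.51.100.7"


@dataclass
class LoginLockdown:
    max_attempts: int = 20                      # plugin-style default; the post suggests 5
    window: timedelta = timedelta(minutes=5)    # assumed: how long a failure counts
    lockout: timedelta = timedelta(hours=1)     # assumed: how long a lock lasts
    _failures: Dict[str, Deque[datetime]] = field(
        default_factory=lambda: defaultdict(deque))
    _locked_until: Dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, ip: str, now: datetime) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]          # lock has expired
            return False
        return True

    def attempt(self, ip: str, success: bool, now: datetime) -> str:
        """Classify one attempt as 'locked', 'allowed' or 'denied'."""
        if self.is_locked(ip, now):
            return "locked"                     # refused before any password check
        if success:
            self._failures.pop(ip, None)        # a good login clears the counter
            return "allowed"
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                    # forget stale failures
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"                     # this failure triggered the lock
        return "denied"


Event = Tuple[datetime, str, str, bool]


def sample_events() -> List[Event]:
    """Constructed events: two typos then success from a real user, and a
    30-attempt password-guessing burst from a scripted source."""
    t0 = datetime(2015, 4, 16, 9, 0, 0)
    events: List[Event] = [
        (t0, LEGIT_IP, "jen", False),
        (t0 + timedelta(seconds=15), LEGIT_IP, "jen", False),
        (t0 + timedelta(seconds=40), LEGIT_IP, "jen", True),
    ]
    for i in range(30):
        events.append((t0 + timedelta(seconds=i), ATTACKER_IP, "admin", False))
    return sorted(events, key=lambda e: e[0])


def replay(events: List[Event], max_attempts: int) -> Dict[str, Dict[str, int]]:
    """Feed events through a fresh lockdown and tally outcomes per source IP."""
    guard = LoginLockdown(max_attempts=max_attempts)
    tally: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for when, ip, _user, ok in events:
        tally[ip][guard.attempt(ip, ok, when)] += 1
    return {ip: dict(counts) for ip, counts in tally.items()}


if __name__ == "__main__":
    for threshold in (20, 5):
        print(f"max_attempts={threshold}:")
        for ip, counts in replay(sample_events(), threshold).items():
            print(f"  {ip}: {counts}")
```

With the default of 20, the guessing source gets 19 free tries before the lock; at 5 it gets 4, while the legitimate user’s two typos followed by a correct password are unaffected either way.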


3) Install a backup plugin.

Because when all else fails, you’re still okay if you have a backup.

If you’re going for free ones, may I suggest Updraft Plus Backup and Restoration?

I have noticed a lot of blogs are running WP DB Backup; in your plugin menu it will read WordPress Database Backup by Austin Matzko. Please, please delete it and either use Updraft or the “real” WordPress Database Backup. The one by Austin Matzko has not been updated in over two years and poses a HUGE security risk.


My advice? Don’t say I’ll do this later, do it now. If you know me, my broken record is that my favorite hobby blog got hacked when it was getting 60 page views a day; it was teeny. In the end, it was pay thousands of dollars, or shut it down. I shut it down.

It’s better to never have to even have that conversation.

And remember, I am always around for a free 30 minutes, even if you want to use it to get some help installing these plugins.

There is also the Plugin Checkup that has saved a lot of bloggers quite a few headaches, I also throw in a page speed analysis with suggestions on how to fix it.

I’m always here, my mission is to help bloggers while staying in their budget. Let’s talk.



Filed Under: Advice, Plugins, Tips and Hacks, Tutorials, WordPress Tagged With: Backups, Blogging, Plugins, Security, Tips, Tutorial, WordPress

