
Beyond Blog Design


Self-Hosted

Optimization, Vulnerabilities, Hackers, Oh My! An Explanation of the Crazy WordPress Events of the Past Month

April 27, 2015 By Jen Kehl


The WordPress Twilight Zone…

It has been a really busy month for WordPress and WordPress users. It’s enough to freak a person out.

But don’t. I know how out of control you can feel when you rely on technology to take care of itself, and it’s been doing a really good job of it until BAM it’s not.


You know that saying, “A little information is a dangerous thing?”


March 11th: The WordPress SEO by Yoast Vulnerability

The news spread fast, and regular blogging folks like you and me were really worried. So worried, in fact, that WordPress decided to push the update themselves. Which meant your WordPress SEO updated itself automatically before you even knew what was happening.

That was awesome, only that “little information” made people even more sure it was a “huge problem” and I even heard people dissing WP SEO. Say it isn’t so!

Here’s how the vulnerability worked:

…an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only.
Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick an authorized user to click on a specially crafted payload exploitable URL. (Hacker News)


In English? Basically the only person who could exploit this vulnerability was someone who was already an Admin, Editor or Author, or one of those users who was tricked into clicking a crafted link. And even so, no one would have had time. They found it so fast, it was as if it never happened.
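As an added illustration (not code from the post, from WordPress core or from the Yoast plugin), this is the standard WordPress defence against the “trick an authorized user into clicking a crafted URL” scenario the quote describes: an admin-only action that demands both a capability and a valid nonce. The function names, the action slug and the `post_id` parameter are assumptions made for the example.

```php
<?php
// Added example: a hypothetical plugin action that is only meant for
// logged-in Authors/Editors/Admins. Names are assumptions, not Yoast's code.

// 1) Build the link the way WordPress expects. wp_nonce_url() appends a
//    nonce that is tied to this action, this post, the current user and a
//    short time window. An outsider writing a link into an e-mail cannot
//    know that value.
function example_bulk_edit_link( int $post_id ): string {
    $url = admin_url( 'admin-post.php?action=example_bulk_edit&post_id=' . $post_id );
    return wp_nonce_url( $url, 'example_bulk_edit_' . $post_id, '_wpnonce' );
}

// 2) Handle the request. Being logged in is not enough: the request must
//    also carry the nonce from step 1. A crafted link clicked by an Admin
//    fails check_admin_referer() and stops with "The link you followed has
//    expired" instead of running the action.
function example_handle_bulk_edit(): void {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Coerce request data to the type you expect before using it anywhere.
    $post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;

    // Stops the request unless the nonce matches this action and post.
    check_admin_referer( 'example_bulk_edit_' . $post_id, '_wpnonce' );

    // Only accept known values for anything that ends up in a query.
    $allowed_order = array( 'post_title', 'post_date' );
    $order_by      = isset( $_GET['order_by'] ) && in_array( $_GET['order_by'], $allowed_order, true )
        ? $_GET['order_by']
        : 'post_title';

    // ... do the real work here, using $post_id and $order_by ...

    wp_safe_redirect( admin_url( 'edit.php?updated=1' ) );
    exit;
}
add_action( 'admin_post_example_bulk_edit', 'example_handle_bulk_edit' );
```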

April 20th: A Dozen Vulnerable Plugins

You can pretty much bet you were using one of the plugins on this list: Jetpack, WordPress SEO, All-in-one SEO, Ninja Forms, Google Analytics, you name it, it was probably on the list.

This was another really weird thing. Plugin developers use information on WordPress code from what is called the WordPress Codex. If you have ever Googled a WordPress problem and wound up on a WordPress.org page, you were in the Codex.

The Codex is a great place if you understand code. It’s a scary place if you don’t.

Here’s the skinny. Code changes, which is a really good thing. Because the more code stays the same, the easier it is for hackers to figure out how to exploit it.

A few months back, the WordPress Codex was updated and changed a bit of code. The code fixed a possible open door. The problem was that developers were using copies of the Codex that still contained the old bit of code.

But.

A hacker would have to know about this vulnerability to use this vulnerability. But since WordPress was notified immediately, once again they pushed an update. Most of you had your plugins updated before you even realized what was going on.

April 27th: Zero-Day Vulnerability in WordPress

So, today. WordPress 4.2.1 was released to repair a vulnerability which allowed commenters to inject code that could take over a web server. Pretty scary. But the thing is, it’s WordPress’s job to keep you safe. And once again, they were on it.

In the course of the update, it also scanned for any malicious looking comments and removed those. So once again, you’re all good.


WordPress has got your back.

I’m a pretty big proponent of WordPress, as you have probably figured out. The truth is, as with computers, WordPress doesn’t make mistakes, users do. I know, harsh. Don’t throw anything at me *she says cowering* I’ve caused the white screen of death many times in my WordPress existence. Truth be told? It was never WordPress’s fault.

The people who work for Automattic (WordPress) are obsessed, really obsessed with WordPress. Many WordPress users are obsessed with WordPress and hang out in the WordPress forum just so if you have a question, they can answer it. For free. No one will ever let something slip in undetected because all day long they eat, think and breathe WordPress.

WordPress vulnerabilities are going to happen. Hackers suck, and they aren’t going to stop trying to steal your stuff.

Don’t panic. I know it’s been crazy. But instead of thinking of the crazy as bad, think of the crazy as good. (That should be my motto.) The fact that it’s been one update after another means that everyone out there is looking out for YOU. Me too. I’m looking out for you too. Shoot me a line, day or night if you’ve got a question.

And don’t forget! If you have a backup plan and security you’re golden no matter what!!!


Filed Under: Plugins, Technology, WordPress Tagged With: Backups, Plugins, Security, Self-Hosted, Tips, WordPress

WordPress.com or WordPress.org? How to choose the right one for your blog

October 12, 2014 By Jen Kehl

When I launched my blog in 2012, I went about it like this: I Googled “WordPress blog,” clicked a button that said, “get a free blog,” and I started rolling.

A year later, I realized I should have done more research. I wanted to change my site layout and add functions (like a hovering Pinterest button), and I realized (oh nooos!) I needed a “WordPress.org blog” for that.

Getting a “WordPress.org blog,” it turns out, really means downloading the free, open-source WordPress web software and using a third-party hosting service to get your site online.

WordPress.com, on the other hand, takes care of all that legwork for you. You don’t worry about hosting or serving up files, and your blog comes with a free domain that looks something like this: www.mynewblog.wordpress.com.

But when you hand over responsibility, you also lose control: your WordPress.com site will show ads unless you pay a yearly fee, and many upgrades, like hosting videos or buying a custom domain name for example, can get costly.

To add to the new-blogger confusion, when you’re working on your blog, the Dashboard (the place where you edit your blog from the back end) looks almost exactly the same no matter which avenue you take. Because WordPress.com runs on the same WordPress software as a self-hosted site, the user experience after setting up your blog isn’t that different.

Deciding between starting a free WordPress.com blog and a self-hosted WordPress site is as simple as deciding how much freedom you want over your site’s look and feel, how much behind-the-scenes work you’re willing to do, and whether you want to monetize your blog.

WordPress.com vs. WordPress.org Comparison


1. How much control do you want over your site’s look and feel?

If you’re okay with an “out of the box” theme [http://theme.wordpress.com/], WordPress.com might work for you. For an extra charge, you can customize some features, like fonts and background colors. Overall, though, you are limited when it comes to changing the design of your site.

If you’re looking at those themes and thinking, “but I want my Instagram feed up higher and I’d like social media buttons above the top navigation,” you’ll want to go with a self-hosted WordPress blog so you can access your site’s layout and HTML.

2. What extra functionality do you want on your site?

Remember that anecdote about the Pinterest hover button I wanted? WordPress.com is always updating and adding new features, but you will have more control on a self-hosted site. Through WordPress.org, you’ll have access to libraries of plugins [https://wordpress.org/plugins/] that can add features like interactive calendars, social media sharing options, and RSS feeds, not to mention Google Analytics, to your site. And by accessing your site’s code, your opportunities to add to and embellish features are unlimited.

3. Do you want to monetize your site?

“Oh wow, I have so many page views! Maybe I can make a little cash with ads!” Nope. Not if you’re on a WordPress.com site. They’re giving you a lot for free; it’s no surprise that you can only sell ads in WordPress-approved ways. On a self-hosted site, however, the world is your oyster, or, you know, your sales floor.

In addition, while WordPress.com recently introduced new ways to sell on your site, eCommerce is more established and flexible with a self-hosted site.

4. How much can you spend?

Self-hosting is an upfront cost that ranges from a few dollars a month to closer to hundreds per year. But using a free WordPress.com blog and adding a lot of additional features can get pricey. Infographic cost comparison: http://howtomakemyblog.com/wordpress-com-org/

When it comes down to it, WordPress.com is a valuable tool for users looking for a free option, who don’t need to customize or make money off of their site. But getting a self-hosted site through WordPress.org provides the most flexibility, freedom, and opportunity for growth. And let’s face it, you’re going to want to use this site to become a moneybags, and WordPress.org allows more freedom for turning your hard work into cold hard cash.

What do you think? WordPress.com or WordPress.org?


This has been a guest post by the wonderful Randall of Crandlecakes and one of the awesome instructors at Skillcrush!

Filed Under: Tips and Hacks, WordPress Tagged With: Blogging, Self-Hosted, WordPress
