WordPress Security: Keeping your website safe from hackers

Last night I watched a YouTube video by Wordfence Security showing how quickly and easily hackers can log in to your website through outdated versions of plugins. The security specialist, Chloe Chamberland, showed how a hacker can use a Google search technique called “Google Dorking” to find websites that use a specific plugin such as bbPress. A list appeared that showed the version of the bbPress plugin on each site. Using that, Chloe could pick out a website running an outdated version of the plugin and gain access (already knowing the plugin’s vulnerability and how to break in). Chloe showed how quickly she registered a new user on the WordPress site, asking for ‘subscriber’ access. Before she submitted it, she used a tool to hold the request before it was sent and edited it so that the requested role changed from subscriber to administrator. She then submitted the sign-up form, which created a new user account with administrator access, with full access to the entire website. All within 5 minutes.
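The mistake behind that demonstration is letting the browser decide the role of the account it is creating. As an added example, not code from the video, from Wordfence or from any real plugin, here is a small WordPress must-use plugin that resets a privileged role handed out on an anonymous sign-up and an audit function that lists every administrator account with the date it was created. The function names, the log message and the exemption for WP-CLI are my own assumptions.

```php
<?php
/**
 * Added example (not from the Wordfence video or any real plugin).
 * Drop it into wp-content/mu-plugins/ on a test site first.
 * Function names are assumptions.
 */

// Fires after any user is created. On a public sign-up (nobody logged in) the
// account must end up with the site's default role, whatever the request said.
add_action( 'user_register', 'wwd_enforce_default_role_on_public_signup' );

function wwd_enforce_default_role_on_public_signup( $user_id ) {
    // Legitimate privileged creation: an administrator working in wp-admin,
    // or a site owner running a WP-CLI command on the server.
    if ( ( is_user_logged_in() && current_user_can( 'create_users' ) )
        || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    $default = get_option( 'default_role', 'subscriber' );
    $roles   = (array) $user->roles;
    if ( array( $default ) !== $roles ) {
        // Record it: an anonymous request producing anything but the default
        // role is exactly what the demonstration in the video relied on.
        error_log( sprintf(
            '[wwd] user %d (%s) created by an anonymous request with role(s) "%s"; reset to "%s"',
            $user_id, $user->user_login, implode( ',', $roles ), $default
        ) );
        $user->set_role( $default );
    }
}

// Audit helper: every administrator account, newest first, with its creation
// date. Run it from WP-CLI (wp eval 'print_r( wwd_list_administrators() );')
// and compare the list against the people who are supposed to be there.
function wwd_list_administrators() {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $rows = array();
    foreach ( $admins as $admin ) {
        $rows[] = array(
            'login'      => $admin->user_login,
            'email'      => $admin->user_email,
            'registered' => $admin->user_registered,
        );
    }
    return $rows;
}
```

The hook is a safety net, not a substitute for updating the plugin: the real fix is server-side code that takes the role from the site setting and never from the submitted form. The audit list is worth checking after any update round, since an administrator you did not create is the clearest sign that something like the video's trick has already happened.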

So I have mentioned to many of my clients how important it is to run the updates regularly on your WordPress (and Joomla!) websites. I give instructions to those who wish to do it themselves, and I also provide a service where I go into the website, run a backup, run all of the updates and test the website afterwards to make sure none of the updates caused a problem with the website.

I recommend running updates every two months at the bare minimum; monthly is better, and weekly is best.

Adding security is also very important to protecting your website. Over a third of websites on the internet are built on WordPress. Hackers figure out where the loopholes are and can very quickly attack one or many sites for their own purposes.

Some hosting companies provide higher security with their hosting, such as SiteGround Hosting, the number one hosting company recommended by WordPress.org. I have spoken to their technicians and have been advised that if the plugins are kept up to date, there is little room for hacking of their system. Other hosting companies offer added security services. GoDaddy offers Website Security Essentials, which scans websites daily looking for malware and will clean up your site if they find it. If your website has been hacked, don’t despair: once you purchase Website Security Essentials, you run the website scan and submit a ticket to have the website cleaned. Within 6 hours your website is cleaned and back online. You can also purchase the pricier Firewall service, which blocks attackers’ requests before they reach your website.

There are two free plugins you can install directly onto your WordPress website: Wordfence Security or All In One WP Security. I use both (not at the same time on the same website). Both offer a firewall and added login security, can be set up to run scans for outdated versions of plugins, allow you to block IP addresses (All In One does this for free; it’s a premium feature on Wordfence Security), and provide a host of other security features. All In One WP Security also allows you to change the login URL.

The premium version of Wordfence Security will also clean a hacked website and then protect your website for one year. If a known attack is hitting websites, they provide an immediate firewall update to protect against it. The free version receives the same update 30 days later.

How to run updates through your WordPress Dashboard

  1. Sign in to your WordPress Admin dashboard.
  2. Run a backup of your website, either through a plugin that allows you to roll back your website if you encounter a problem, or within your hosting account. SiteGround Hosting cPanel offers Softaculous software to install WordPress applications, and you can run a full database and file backup within Softaculous. GoDaddy WordPress Hosting automatically runs a daily backup which you can restore from the hosting account.
  3. Hover over ‘Dashboard’ in the upper left, then click ‘Updates’. Alternatively, at the top of the page there is a circling arrow with a number that tells you how many updates are available; click it to go to the updates page.
  4. Select one plugin at a time and click Update. I always write down the plugin and the version, so if I encounter a problem with the update I know which version was working before it. You do have to be careful running updates: if a plugin was installed with your theme package, update your theme first, then update the plugin through the theme interface, otherwise it could cause a problem with the theme.
  5. Some plugins will state there is an update available, but because the plugin was packaged within a theme, the new update might not be available until it comes with a new version of the theme. The Bridge theme, for example, comes packaged with the WP Bakery plugin. This is a premium plugin and updates are only available within the Bridge theme update.
  6. After plugins and themes are updated, test your website to make sure it is still functioning properly. If you encounter any problems, it might be best to contact your website designer or host to troubleshoot what went wrong and how to fix it. There are occasions where plugins have to be deactivated one at a time to figure out which one broke the website.
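The habit in step 4 of writing down each plugin and its version can be automated. The following must-use plugin is an added example, not code from this post or from WordPress itself: it hooks the upgrader_pre_install filter, which WordPress runs just before it replaces a plugin's files, and appends the outgoing version to a log, so the last working version is always on record when an update breaks something. The log path, the WWD_UPDATE_LOG constant and the function names are my assumptions.

```php
<?php
/**
 * Added example (not from this post or from WordPress core): a must-use plugin
 * that records the outgoing version of a plugin just before WordPress replaces
 * its files. Place it in wp-content/mu-plugins/. The log path, the constant
 * WWD_UPDATE_LOG and the function names are assumptions.
 */

// WordPress runs this filter inside the upgrader before a plugin or theme is
// installed or updated; $hook_extra['plugin'] is set for plugin updates.
add_filter( 'upgrader_pre_install', 'wwd_log_version_before_update', 10, 2 );

function wwd_log_version_before_update( $response, $hook_extra ) {
    if ( empty( $hook_extra['plugin'] ) ) {
        return $response; // a theme or core update, nothing to do here
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $file = WP_PLUGIN_DIR . '/' . $hook_extra['plugin'];
    if ( ! file_exists( $file ) ) {
        return $response; // fresh install, there is no previous version
    }
    $data = get_plugin_data( $file, false, false );
    wwd_append_version_log( array(
        'time'    => gmdate( 'c' ),
        'plugin'  => $hook_extra['plugin'],
        'name'    => $data['Name'],
        'version' => $data['Version'],
    ) );
    return $response; // always hand the filter value back unchanged
}

// Full snapshot of every installed plugin, handy right before a bulk update.
function wwd_snapshot_plugin_versions() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $rows = array();
    foreach ( get_plugins() as $file => $data ) {
        $rows[] = array(
            'time'    => gmdate( 'c' ),
            'plugin'  => $file,
            'name'    => $data['Name'],
            'version' => $data['Version'],
        );
    }
    return $rows;
}

// One tab-separated line per record. Keep the log outside the web root if you
// can (define WWD_UPDATE_LOG in wp-config.php); wp-content is only a fallback.
function wwd_append_version_log( array $row ) {
    $log  = defined( 'WWD_UPDATE_LOG' ) ? WWD_UPDATE_LOG : WP_CONTENT_DIR . '/plugin-versions.log';
    $line = implode( "\t", array( $row['time'], $row['plugin'], $row['name'], $row['version'] ) ) . "\n";
    return false !== file_put_contents( $log, $line, FILE_APPEND | LOCK_EX );
}
```

When an update goes wrong, the log tells you exactly which version to roll back to, and the full snapshot gives you the same information for every plugin at once before a large update round.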

Another Way of Hacking Your Site

In the same Wordfence Security video, Chloe Chamberland, Security Specialist, showed how a hacker can use the Comments feature to gain full access to a website. She used a test website and added a seemingly harmless comment on a blog post. She had Scott Miller, another analyst, sign in to the website and click a link she had included in her comment, something like ‘I really like your post, maybe you can like mine too’ with a link to another website. When Scott went to her website from his link, he clicked a button on the website which said ‘enter site’... nothing visual happened. Let me reiterate: nothing VISUAL happened. In the background, when Scott clicked the button on Chloe’s fake website, he inadvertently ran a script which created a user account on his own website, and Chloe now had full administrator access to Scott’s website. It was really scary to see how quickly it could be done. Thank goodness Chloe is on our side and uses her knowledge to protect us and update the Wordfence Security plugin to stop hackers from gaining access to your website. Chloe also showed how having the Wordfence Security plugin installed on a website would prevent this hack, and the first one I mentioned at the beginning of this post, from even happening.
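What made the comment trick work is that the browser attaches the administrator's login cookie to any request aimed at his site, even one triggered by a button on someone else's page, so a WordPress action that only checks the cookie can be fired by a page Scott never opened on purpose. WordPress's defence is a nonce: a token that only a page rendered by your own site for the current user can carry. The following is an added example (hypothetical plugin code, not from the video and not from Wordfence) of a small admin form that creates a helper account and refuses any request that does not carry both the capability and the nonce; the page slug, field names and function names are assumptions.

```php
<?php
/**
 * Added example (hypothetical plugin, not from the video or from Wordfence).
 * A wp-admin form that creates a subscriber-level helper account. The handler
 * demands a capability AND a nonce, so a request fired from another site with
 * the administrator's cookie attached is refused. Names are assumptions.
 */

add_action( 'admin_menu', function () {
    add_users_page( 'Add helper', 'Add helper', 'create_users', 'wwd-add-helper', 'wwd_render_add_helper_page' );
} );

function wwd_render_add_helper_page() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wwd_add_helper">
        <?php wp_nonce_field( 'wwd_add_helper', 'wwd_nonce' ); // token tied to this user and this action ?>
        <p><label>Login <input type="text" name="user_login"></label></p>
        <p><label>E-mail <input type="email" name="user_email"></label></p>
        <?php submit_button( 'Create helper (subscriber)' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_wwd_add_helper', 'wwd_handle_add_helper' );

function wwd_handle_add_helper() {
    // 1. Capability check: is the logged-in user allowed to do this at all?
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: was this form rendered by our site for this user?
    // check_admin_referer() calls wp_die() on failure, so a request forged
    // from another site stops here even though the cookie was valid.
    check_admin_referer( 'wwd_add_helper', 'wwd_nonce' );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    if ( '' === $login || ! is_email( $email ) ) {
        wp_die( 'A user name and a valid e-mail are required.', '', array( 'response' => 400 ) );
    }
    // The role is fixed here; nothing in the request can raise it.
    $result = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 400 ) );
    }
    wp_safe_redirect( add_query_arg( 'wwd_added', '1', admin_url( 'users.php' ) ) );
    exit;
}
```

The capability check alone would not have saved Scott, because his browser really was logged in as an administrator; it is the nonce, which another site cannot know, that turns the forged request into a dead end. A plugin-level firewall such as the one in the video adds a second layer on top of this, but every form handler in your own code should carry both checks.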

So a few final thoughts:

  • Run your updates regularly.
  • Install a firewall through your hosting company, or install Wordfence Security or All In One WP Security and make sure the firewall is enabled.
  • Disable user registration on your website if you don’t need it.
  • Watch the following video for more info from the pros at Wordfence Security.

An automated WordPress update has failed to complete!

Many of my clients’ websites have been showing an error in the admin dashboard stating “An automated WordPress update has failed to complete! Please notify the site administrator.”

I have done some research, and it seems that this error appears after you have run the WordPress updates (any updates) when there is a new version of WordPress. I believe this error is being generated on GoDaddy WordPress hosting sites because GoDaddy automatically updates the WordPress core files while WordPress is also trying to update itself.

Just be patient... it takes a few days for GoDaddy to roll the update out across the WordPress Hosting servers. Once WordPress is updated, the error will disappear.

Spam emails through your website

Okay, I get it. People want your business, so they target your website on the internet and send an email in the hope that they can drum up some new business... but seriously, when you read their email offering their ‘service’, sometimes it’s almost laughable. They either didn’t bother to look at your website, or they used a bot to search for contact forms on websites and generate the message automatically.

Look at the nice email I just received through my website contact form:

Subject: Web Design For Business

Message Body:
I’m sending a quick note regarding your website. I can make changes (aesthetically / design) so your site will convert more visitors into revenue by allowing your website to be mobile friendly for phones and tablets including more focus on your “call to action” areas.

I would just need to know if you’re open to checking out information about a website re-design. Would you be open to seeing more info and a quote for what I would like to accomplish?

Thanks and let me know

Shelby   🙂


This mail is sent via contact form on Wanna Web Design 

Maybe, just maybe Shelby should have taken a look at my website and see what I do … LOL 🙂

Beware of Domain Name Expiration Notices

I received in the mail a notification that one of my domains was expiring. The title said ‘Domain Name Expiration Notice’. Now, you might think that getting a domain renewal form in the mail is normal. But what you may not know is that it isn’t from the company I host with! The title is deceiving: in this fast-paced world people see the title, see the form and think they have to provide their credit card to renew their domain. But if you don’t take the time to read the letter, you will miss the line:

“As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you SWITCH TODAY (there it is) to xxxxxxxxx, you can take advantage of our best savings.”

Further down in the letter it does state in bold “This notice is not a bill, it is rather an easy means of payment should you decide to switch your domain name registration…”. This company is a little more straightforward about its intention: to take your domain name away from your current host. Some letters sound much more vague, so you aren’t quite sure whether it is a real renewal form or not.

I have received many calls and emails from clients of mine who tell me they have received such a letter and I just tell them to ignore it.

So if you don’t recognize the name of the company sending you a Domain Name Expiration Notice, then it probably isn’t from your provider. Call your web developer first and check with them. Chances are it isn’t your hosting provider.

* Your provider will most likely send you emails a month in advance reminding you to renew.


Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to add, modify and remove query-string parameters in URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
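To show the pattern the advisory describes, here is an added example (mine, not from Sucuri or from any of the affected plugins; the function names are made up): the unsafe way of printing a link built with add_query_arg() next to the escaped version. When no URL is passed in, add_query_arg() and remove_query_arg() build on the current request URI, so whatever the browser sent in the address comes back in the return value, unescaped.

```php
<?php
/**
 * Added example (not from the Sucuri advisory or any affected plugin).
 * Function names are assumptions; the pattern is the one the advisory describes.
 */

// VULNERABLE: the value returned by add_query_arg() is built from
// $_SERVER['REQUEST_URI'] when no URL is given, and it is printed straight
// into an HTML attribute. Quotes or angle brackets in the request URI land
// in the page verbatim, which is the reflected XSS the advisory is about.
function wwd_sort_link_insecure( $orderby ) {
    return '<a href="' . add_query_arg( 'orderby', $orderby ) . '">Sort</a>';
}

// FIXED: escape on output. esc_url() removes or encodes anything that would
// break out of the attribute. The value you add is not URL-encoded by
// add_query_arg() either, so encode it yourself.
function wwd_sort_link_secure( $orderby ) {
    $url = add_query_arg( 'orderby', rawurlencode( $orderby ) );
    return '<a href="' . esc_url( $url ) . '">Sort</a>';
}

// The same rule applies to remove_query_arg(), which also starts from the
// current request URI when no URL is passed.
function wwd_reset_link_secure() {
    $url = remove_query_arg( array( 'orderby', 'paged' ) );
    return '<a href="' . esc_url( $url ) . '">Reset</a>';
}

// And when a URL is used in a redirect rather than printed, validate it
// instead of escaping it: wp_safe_redirect() only allows local hosts.
function wwd_back_to_list_secure() {
    wp_safe_redirect( remove_query_arg( array( 'orderby', 'paged' ) ) );
    exit;
}
```

The functions themselves were never the bug; the bug was trusting their return value as safe output. The fix a plugin author needs is the one-line change from printing the URL directly to wrapping it in esc_url(), and, as the advisory says, the fix a site owner needs is simply to install the updated plugins.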

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.

For more information please go to Sucuri.net

Testimonial from VR Plumbing Inc.

I would like to thank Cindy from Wanna Web Design for creating our great website. We are very happy with the end result and could have not chosen a better person to create our website. Cindy was very patient with us and took time to explain the process step by step.
Stephanie Rodrigues – VR Plumbing Inc.

Heartbleed bug may expose your private data

What you need to know about the serious ‘bug’ affecting (not so) ‘secure’ servers:

A “serious vulnerability” has been found in the software that often encrypts your user name, password and banking information when you log into “secure” websites, as indicated by the little lock icon in your browser.

The “Heartbleed bug” has the potential to expose huge amounts of private data, including user names, passwords, credit card numbers and emails, since it was found in a popular version of OpenSSL software code. The code is used by over two-thirds of active websites on the internet to provide secure and private communications, reported a website set up by security researchers to provide information about the bug.

The software code is also used by many email and chat servers and virtual private networks.

The bug allows “anyone on the internet” to read the memory of systems protected by the bug-afflicted code, compromising the secret keys used to encrypt the data, the researchers reported.

“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

Tests by the security researchers who discovered the bug showed that eavesdropping via the bug is undetectable.

“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” they wrote.

The bug was discovered independently by security engineers at the Finnish internet security testing firm Codenomicon and Neel Mehta of Google Security. It is found in a version of the code that has been used by internet services for more than two years.

The researchers say they don’t know if any cybercriminals have discovered and exploited the bug.

Patched version available

A patched version of the software code was released Monday when the bug was disclosed, but it still needs to be incorporated into the actual operating systems and software that use it. Then it must be installed by the owners of the affected internet services. All that may take some time.

Meanwhile, as a user, what can you do to ensure the web services you’re using are safe? Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.

Valsorda noted that the site sometimes generates a false negative, probably because it is overloaded, but testing a vulnerable site over and over will eventually give a positive result. “The red result takes precedence over all the others and is certain,” he wrote.

Yahoo patching its services

As of Tuesday morning, the tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com is vulnerable.

“Please take immediate action,” the site says, directing users to the Heartbleed FAQ.

By 3 p.m. ET, Yahoo said it had successfully patched the bug on its homepage, search, mail, finance, sports, food, tech, Flickr photo and Tumblr blogging services.

“We are working to implement the fix across the rest of our sites right now,” a Yahoo spokesperson wrote in an email.

The official name of the Heartbleed bug is CVE-2014-0160, and it affects OpenSSL versions 1.0.1 to 1.0.1f, but not earlier or later versions. It was nicknamed “Heartbleed” because it was found in a part of the code called the “heartbeat extension.”

Source: http://www.cbc.ca/news/technology/heartbleed-bug-may-expose-your-private-data-1.2602610

Windows XP support has ended

As of April 8, 2014, support and updates for Windows XP are no longer available. Don’t let your PC go unprotected.

What is Windows XP end of support?

Microsoft provided support for Windows XP for the past 12 years. But the time came for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences.

As a result, technical assistance for Windows XP is no longer available, including automatic updates that help protect your PC. Microsoft has also stopped providing Microsoft Security Essentials for download on Windows XP. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC is secure because Microsoft is no longer providing security updates to help protect your PC.)

If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.

For more information please visit Windows official website.