Yesterday Wordfence Security posted that 6.7% of all attacks they see on WordPress sites come from hacked home routers. Today they posted a tool on their website you can use to scan your home router and make sure it is closed to attacks. Click the link to read more and scan your router now.
Many of my clients’ websites have been showing an error in the admin dashboard stating “An automated WordPress update has failed to complete! Please notify the site administrator.”
I have done some research and it seems that this error is appearing after you have run the WordPress updates (any updates) and there is a new version of WordPress. I believe this error is being generated on any GoDaddy WordPress hosting sites because GoDaddy will automatically update the WordPress core files yet WordPress is trying to update itself.
Just be patient… it takes a few days for GoDaddy to process the updates across the WordPress Hosting servers. Once WordPress is updated the error will disappear.
Okay, I get it. People want your business so they target your website on the internet, send an email in the hopes that they can drum up some new business…. but seriously when you read their email to you offering their ‘service’ sometimes it’s almost laughable. They either didn’t even bother to look at your website or they used a robot to search for forms on websites and generate it automatically.
Look at the nice email I just received through my website contact form:
Subject: Web Design For Business
I’m sending a quick note regarding your website. I can make changes (aesthetically / design) so your site will convert more visitors into revenue by allowing your website to be mobile friendly for phones and tablets including more focus on your “call to action” areas.
I would just need to know if you’re open to checking out information about a website re-design. Would you be open to seeing more info and a quote for what I would like to accomplish?
Thanks and let me know
This mail is sent via contact form on Wanna Web Design
Maybe, just maybe, Shelby should have taken a look at my website and seen what I do … LOL 🙂
I received in the mail a notification of one of my domains expiring. The title said ‘Domain Name Expiration Notice’. Now you might think that this is normal, getting a domain renewal form in the mail. But what you don’t know is it isn’t from the company I host with! The title is deceiving; in this fast-paced world people see the title, see the form and think they have to provide their credit card to renew their domain. But if you don’t take the time to read the letter, you will miss the line:
“As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months. When you SWITCH TODAY (there it is) to xxxxxxxxx, you can take advantage of our best savings.”
Further down in the letter it does state in bold “This notice is not a bill, it is rather an easy means of payment should you decide to switch your domain name registration…”. This company is a little more straightforward with what their intention is… to take your domain name from your current host. Some letters sound much more vague so you aren’t quite sure if it is a real renewal form or not.
I have received many calls and emails from clients of mine who tell me they have received such a letter and I just tell them to ignore it.
So if you don’t recognize the name of the company sending you a Domain Name Expiration Notice, then it probably isn’t yours. Call your web developer first and check with them. Chances are it isn’t your hosting provider.
* Your provider will most likely send you emails a month in advance reminding you to renew.
Multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.
The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. The developers assumed that these functions would escape the user input for them, when they do not. This simple detail caused many of the most popular plugins to be vulnerable to XSS.
To date, this is the list of affected plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.
For more information please go to Sucuri.net
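The pattern behind this bug, shown as an added example that is not code from the Sucuri report or from any of the plugins listed above: with no URL argument, add_query_arg() builds the link from the current request URI, so whatever the visitor put in the path ends up in the returned string, and a plugin that echoes that string straight into an href attribute is vulnerable. The fix is to escape at the point of output with esc_url() (or esc_url_raw() where the value is not going into HTML, such as a redirect). The two function stand-ins below are assumptions so the script runs outside WordPress with `php example.php`; inside WordPress the real functions already exist and the stand-ins are skipped.

```php
<?php
// Added example, not from the Sucuri report or any plugin it lists. Shows the
// vulnerable use of add_query_arg() beside the escaped form.
//
// Assumption: outside WordPress the two simplified stand-ins below are defined
// so the script is self-contained; inside WordPress the real add_query_arg()
// and esc_url() are used instead and these definitions are skipped.

if (!function_exists('add_query_arg')) {
    // Simplified stand-in (not WordPress's code). Like the real function, with
    // no URL argument it builds the link from $_SERVER['REQUEST_URI'].
    function add_query_arg($key, $value)
    {
        $parts = explode('?', $_SERVER['REQUEST_URI'], 2);
        $query = array();
        if (isset($parts[1])) {
            parse_str($parts[1], $query);
        }
        $query[$key] = $value;
        // The path ($parts[0]) passes through untouched; http_build_query()
        // only encodes the query part, so the path is where injection lives.
        return $parts[0] . '?' . http_build_query($query);
    }
}

if (!function_exists('esc_url')) {
    // Simplified stand-in for esc_url(): strip characters that cannot appear
    // in a URL, then entity-encode so the result is safe in an HTML attribute.
    function esc_url($url)
    {
        $url = preg_replace('/[^a-zA-Z0-9\-_.~!*\'();:@&=+$,\/?#%\[\]]/', '', $url);
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

// Vulnerable: the developer assumes add_query_arg() returns escaped output.
function vulnerable_settings_link()
{
    return '<a href="' . add_query_arg('tab', 'settings') . '">Settings</a>';
}

// Hardened: escape at the point of output.
function hardened_settings_link()
{
    return '<a href="' . esc_url(add_query_arg('tab', 'settings')) . '">Settings</a>';
}

// Constructed request: the extra path segment breaks out of the href attribute.
$_SERVER['REQUEST_URI'] = '/wp-admin/admin.php/"><script>alert(1)</script>?page=myplugin';

echo "vulnerable: " . vulnerable_settings_link() . "\n";
echo "hardened:   " . hardened_settings_link() . "\n";
```

Run it and compare the two lines: in the vulnerable output the quote and angle bracket from the path close the href and the anchor tag, so the injected script tag becomes live markup; in the hardened output those characters are gone and the ampersand is entity-encoded. The same escaping rule applies to remove_query_arg(), and a quick audit of a plugin is to search for both function names and confirm every call that reaches HTML passes through esc_url().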
I would like to thank Cindy from Wanna Web Design for creating our great website. We are very happy with the end result and could have not chosen a better person to create our website. Cindy was very patient with us and took time to explain the process step by step.
Stephanie Rodrigues – VR Plumbing Inc.
This was posted on my Facebook page and I just have to share it…. for all the web developers out there! Go to http://theoatmeal.com/comics/design_hell
What you need to know about the serious ‘bug’ affecting (not so) ‘secure’ servers:
A “serious vulnerability” has been found in the software that often encrypts your user name, password and banking information when you log into “secure” websites, as indicated by the little lock icon in your browser.
The “Heartbleed bug” has the potential to expose huge amounts of private data, including user names, passwords, credit card numbers and emails, since it was found in a popular version of OpenSSL software code. The code is used by over two-thirds of active websites on the internet to provide secure and private communications, reported a website set up by security researchers to provide information about the bug.
The software code is also used by many email and chat servers and virtual private networks.
The bug allows “anyone on the internet” to read the memory of systems protected by the bug-afflicted code, compromising the secret keys used to encrypt the data, the researchers reported.
“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Tests by the security researchers who discovered the bug showed that eavesdropping via the bug is undetectable.
“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” they wrote.
The bug was discovered independently by security engineers at the Finnish internet security testing firm Codenomicon and Neel Mehta of Google Security. It is found in a version of the code that has been used by internet services for more than two years.
The researchers say they don’t know if any cybercriminals have discovered and exploited the bug.
Patched version available
A patched version of the software code was released Monday when the bug was disclosed, but it still needs to be incorporated into the actual operating systems and software that use it. Then it must be installed by the owners of the affected internet services. All that may take some time.
Meanwhile, as a user, what can you do to ensure the web services you’re using are safe? Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.
Valsorda noted that the site sometimes generates a false negative, probably because it is overloaded, but testing a vulnerable site over and over will eventually give a positive result. “The red result takes precedence over all the others and is certain,” he wrote.
Yahoo patching its services
As of Tuesday morning, the tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com is vulnerable.
“Please take immediate action,” the site says, directing users to the Heartbleed FAQ.
By 3 p.m. ET, Yahoo said it had successfully patched the bug on its homepage, search, mail, finance, sports, food, tech, Flickr photo and Tumblr blogging services.
“We are working to implement the fix across the rest of our sites right now,” a Yahoo spokesperson wrote in an email.
The official name of the Heartbleed bug is CVE-2014-0160, and it affects OpenSSL versions 1.0.1 to 1.0.1f, but not earlier or later versions. It was nicknamed “Heartbleed” because it was found in a part of the code called the “heartbeat extension.”
As of April 8, 2014, support and updates for Windows XP are no longer available. Don’t let your PC go unprotected.
What is Windows XP end of support?
Microsoft provided support for Windows XP for the past 12 years. But the time came for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences.
As a result, technical assistance for Windows XP is no longer available, including automatic updates that help protect your PC. Microsoft has also stopped providing Microsoft Security Essentials for download on Windows XP. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC is secure because Microsoft is no longer providing security updates to help protect your PC.)
If you continue to use Windows XP now that support has ended, your computer will still work but it might become more vulnerable to security risks and viruses. Internet Explorer 8 is also no longer supported, so if your Windows XP PC is connected to the Internet and you use Internet Explorer 8 to surf the web, you might be exposing your PC to additional threats. Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows XP.
For more information please visit Windows official website.
As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.
A brute force attack is when an attacker tries many times to guess your username password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.
If you’re using the free or paid version of Wordfence you should have the option to “Participate in the real-time Wordfence security network” under ‘Other options’ enabled. This will immediately block any attack originating from an IP address that has attacked other WordPress sites using Wordfence. This is an effective defense against this kind of attack.
We recommend that until this passes you monitor your WordPress websites closely for unusual activity including logins, account creation or changes to the public facing website.
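Why a distributed attack gets past the usual blocking, shown as an added example that is not Wordfence code: a per-IP lockout counts failures from each source separately, so an attacker spreading attempts over many machines stays under every per-IP threshold. Counting failed logins site-wide in a short window, together with the number of distinct sources, catches the pattern. The log lines are constructed for this example; it assumes combined-format web-server logs and the usual WordPress behaviour on POST /wp-login.php, where a failed login re-renders the form (HTTP 200) and a successful one redirects to wp-admin (HTTP 302). It needs PHP 7.4 or later.

```php
<?php
// Added example, not Wordfence code. Compares a per-IP lockout with a
// site-wide check for failed logins from many distinct sources.
//
// Assumptions: combined log format, and WordPress answering a failed POST to
// /wp-login.php with 200 (form re-rendered) and a successful one with 302.

// Constructed sample: six hosts, two failed attempts each within half a
// minute, plus one legitimate user who mistypes once and then logs in.
function sample_log()
{
    return <<<'LOG'
203.0.113.10 - - [10/Apr/2014:11:02:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.11 - - [10/Apr/2014:11:02:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.5 - - [10/Apr/2014:11:02:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.12 - - [10/Apr/2014:11:02:06 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.13 - - [10/Apr/2014:11:02:08 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.14 - - [10/Apr/2014:11:02:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.15 - - [10/Apr/2014:11:02:12 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.10 - - [10/Apr/2014:11:02:15 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.11 - - [10/Apr/2014:11:02:17 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.12 - - [10/Apr/2014:11:02:20 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.13 - - [10/Apr/2014:11:02:22 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.14 - - [10/Apr/2014:11:02:25 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.15 - - [10/Apr/2014:11:02:27 -0400] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.5 - - [10/Apr/2014:11:02:30 -0400] "POST /wp-login.php HTTP/1.1" 302 0
LOG;
}

// Extract login attempts: source IP, unix time, and whether the attempt failed.
function parse_login_attempts($text)
{
    $attempts = array();
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    foreach (preg_split('/\R/', trim($text)) as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;
        }
        list(, $ip, $when, $method, $path, $status) = $m;
        if ($method !== 'POST' || strtok($path, '?') !== '/wp-login.php') {
            continue;
        }
        $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $when);
        if ($ts === false) {
            continue;
        }
        $attempts[] = array(
            'ip'     => $ip,
            'ts'     => $ts->getTimestamp(),
            'failed' => ((int) $status === 200),
        );
    }
    return $attempts;
}

// Classic per-IP lockout: returns the sources that reached the threshold.
function per_ip_lockouts(array $attempts, $threshold = 5)
{
    $counts = array();
    foreach ($attempts as $a) {
        if ($a['failed']) {
            $counts[$a['ip']] = ($counts[$a['ip']] ?? 0) + 1;
        }
    }
    return array_keys(array_filter($counts, fn($c) => $c >= $threshold));
}

// Site-wide view: sliding window over failures, alert when both the failure
// count and the number of distinct source IPs are high.
function detect_distributed(array $attempts, $windowSecs = 60, $minFailures = 10, $minIps = 5)
{
    $fails = array_values(array_filter($attempts, fn($a) => $a['failed']));
    usort($fails, fn($a, $b) => $a['ts'] <=> $b['ts']);
    $n = count($fails);
    for ($i = 0, $j = 0; $i < $n; $i++) {
        while ($j < $n && $fails[$j]['ts'] - $fails[$i]['ts'] <= $windowSecs) {
            $j++;
        }
        $window = array_slice($fails, $i, $j - $i);
        $ips = array_unique(array_column($window, 'ip'));
        if (count($window) >= $minFailures && count($ips) >= $minIps) {
            return array(
                'alert'        => true,
                'failures'     => count($window),
                'distinct_ips' => count($ips),
                'from'         => gmdate('Y-m-d\TH:i:s\Z', $fails[$i]['ts']),
            );
        }
    }
    return array('alert' => false);
}

$attempts = parse_login_attempts(sample_log());
echo "per-IP lockouts (threshold 5): " . json_encode(per_ip_lockouts($attempts)) . "\n";
echo "distributed check: " . json_encode(detect_distributed($attempts)) . "\n";
```

On the sample, the per-IP lockout list is empty (no source reaches five failures) while the site-wide check reports thirteen failures from seven distinct IPs inside one minute. Sharing attacking IPs across many sites, which is what the Wordfence network option above does, is the other half of the answer: a source that has only hit you twice may already have hit hundreds of other sites.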