Archive for the ‘Security Issues’ Category
The team at Wordfence security has been working on an online training program for webmasters and developers that will teach you how to secure your WordPress sites.
Today we are launching the WordPress Security Learning Center. It includes tutorials from beginner to advanced and developer level. Everything from WordPress Security basics, security threats and attack types to guides for developers to help them avoid writing vulnerabilities and to penetration test their own code.
The Learning Center is a completely free resource. No registration is required and absolutely no payment is needed. We have put this together as a resource for the WordPress community to do our part to help secure WordPress as a platform.
Click here to visit the WordPress Security Learning Center and start learning how to secure your website and your online presence.
Wordfence Founder & CEO
Tags: Wordfence Security Program, wordpress security, WordPress Security Learning Center
Posted in Articles & Tutorials, Blog Services, Security Issues, Site News, Wordpress | No Comments »
It may be a New Year, but the hackers haven’t taken a holiday. Thanks for the heads-up from the Wordfence Security team!
1. The popular Pods content development framework for WordPress has XSS and CSRF vulnerabilities. These were fixed in version 2.5, released on 30 December. Please upgrade immediately. (The plugin is popular, with over 200,000 downloads.)
2. The CformsII plugin suffers from a remote code execution vulnerability via an unauthorized file upload. If you use this plugin, upgrade immediately to version 14.8, which contains the fix. (The plugin has approximately 20,000 downloads.)
3. The Banner Effect Header plugin has XSS and CSRF vulnerabilities. These were fixed in version 1.2.7, so upgrade if you use this plugin. (The plugin has approximately 20,000 downloads.)
Please use the links to download newest versions and upgrade immediately if you are using any of these plugins.
Tags: Banner Effect Header, Cforms II, hacker, plugin, Pods plugin, security alert, wordfence, Wordpress
Posted in Blog Plugins & Widgets, Blog Services, Security Issues, Wordpress | No Comments »
Yesterday, November 18th, the Electronic Frontier Foundation (EFF) announced a project that will make SSL certificates, and with them encryption on the web, completely free. Together with Mozilla, the University of Michigan, Cisco, Akamai and IdenTrust they have created a non-profit organization called the Internet Security Research Group (ISRG).
ISRG is launching a project called Let's Encrypt that will make free SSL certificates available to any website starting in summer 2015. But it goes further than that. Installing an SSL certificate has always been fairly technical, so Let's Encrypt is also building client software for Linux and other web hosting operating systems that obtains the certificate and activates SSL on your web server with a few keystrokes.
The net result is that, starting summer 2015, SSL for any website on the Net will be completely free, and enabling it will take a few keystrokes and no payment.
Wordfence has put together a detailed blog post showing the impact of not using SSL, with additional details about this important announcement including the EFF's video explanation of the project. This matters for WordPress users because the expectation is that SSL will become the default for well-maintained WordPress websites by late next year.
Help spread the word, because this is a major change for the many WordPress websites that currently do not use SSL.
Tags: Electronic Frontier Foundation, free SSL certificates, free web encryption, Lets Encrypt, wordfence
Posted in Articles & Tutorials, Blog Program Tools, Blog Services, Security Issues, Wordpress | No Comments »
Have you set up Clonebox by BetterCGI yet? If you are an affiliate webmaster and/or a paysite owner, you should have a remote backup of your sites. Clonebox keeps multiple backups of everything on your server, so imagine your host's physical server location goes down, burns down, washes away in a tsunami, or you're hit by a hacker and your host's daily backup ran two minutes AFTER you got hit, so it captured the infected files ... with Clonebox you still have a clean copy, you're still online and doing business. Protection like this is hard to put a price on, yet Clonebox is very affordable.
Clonebox: Automatic Backups for your Servers and Websites
Automatic: It copies your data while you sleep
Efficient: It copies only the changed data, incrementally, saving bandwidth
Smart: It monitors your site and notifies you in case something bad happens
Flexible: Choose between Full Server Clone and Data-only backup
Affordable: Check out their low price backup plans
Also be sure to check out the Strongbox security system from BetterCGI.com. It protects your web business from stolen passwords, password sharing, brute force attacks, and site rippers who post stolen copies of your site.
Strongbox is proactive in protecting your web properties. Each day the BetterCGI spider analyzes all known password-sharing sites, retrieving tens of thousands of compromised passwords. As a subscriber to the spider service, your system is notified immediately when one of your passwords is posted on such a site.
Strongbox then disables that password before anyone can use it to access your site. It can also email you to let you know which username was found posted on which password sites.
What others have to say:
About Strongbox: Get it. It’s one of your best investments. You’ll earn back the costs within a day if you are a small-medium (paysite owner). - Michael @ Femjoy/Joymii
From ShowMe69 – have used strongbox for 6yrs+ and nothing else out there compares…period!!!
Click here to learn more about how these two BetterCGI products can provide peace of mind with their top notch security systems.
Tags: BetterCGI, brute force attacks, clonebox, password sharing, paysite security, server backups, stolen passwords, Strongbox, website security
Posted in Adult Scripts/Software, Security Issues | No Comments »
“Why me?” you ask. Because they can. I’m just now recovering from a bot hack that infected EVERY site on my server, not just the blogs. As one of the host's techs explained: bots scan for vulnerabilities to exploit, and once they get a foothold on a server with vulnerable files, they insert malicious code that launches more bots to find more servers to infect. Once they control your machine, it is used along with other compromised systems for all sorts of abuse, such as sending out thousands of spam emails or joining DDoS attacks that take other sites down or compromise them in some manner.
If you are using WordPress, there is a tighter file-permission setup your host can put in place that still lets you use a program like InfiniteWP to manage all of your blogs from one login and/or run upgrades from the admin panel. Ask your host to set things up so that “the files are writable by the web user”; WordPress can then update itself in place and you no longer have to store or type FTP credentials into the dashboard. The trade-off is that any PHP code running as that user, including an exploited plugin, can write to your files too, which is why the file-change alerts and scans described below matter. A single location to run upgrades from lets you keep WordPress, plugins and themes current, which is a major, and necessary, part of keeping your site secure!
The other thing my host has done is set up a login prompt (HTTP authentication) that requires a username and password before it even lets you reach the actual wp-login.php page. It is a global prompt that works for all of the blogs on the server, so any bot probing for your admin login has to get past that first.
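In concrete terms, that host-level "popup" is usually HTTP Basic authentication on wp-login.php, configured in the site's .htaccess. The script below is an added example, not the original post's or any host's configuration. It assumes Apache with .htaccess overrides enabled for the site (AllowOverride AuthConfig), an htpasswd file stored outside the web root (the /home/example path is made up), the htpasswd or openssl tool on the host, and that the site is served over HTTPS, because Basic auth only base64-encodes the password on the wire.

```shell
#!/bin/sh
# Added example (not the original post's configuration): HTTP Basic auth in
# front of wp-login.php, i.e. the "login prompt before the login page" setup.
# Assumptions: Apache honours .htaccess (AllowOverride AuthConfig), the
# htpasswd file lives outside the web root, and the site is served over HTTPS.

# Print the .htaccess stanza for a given htpasswd path. Only wp-login.php is
# covered, so the rest of the site (and every ordinary visitor) is unaffected.
login_auth_stanza() {
    cat <<EOF
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Add (or replace) a user in the htpasswd file. Uses Apache's htpasswd tool
# (bcrypt) when present, otherwise openssl's APR1-MD5 format, which Apache's
# authn_file module also accepts. No plain-text or crypt() entries are written.
add_htpasswd_user() {
    file=$1; user=$2; pass=$3
    [ -f "$file" ] || : > "$file"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -bB "$file" "$user" "$pass"
    else
        # drop any old entry for this user, then append the new hash
        grep -v "^$user:" "$file" > "$file.tmp" || true
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$file.tmp"
        mv "$file.tmp" "$file"
    fi
}

# Check from outside: an unauthenticated request for wp-login.php must now get
# 401 instead of the login form. Needs curl and network access to the site.
check_login_protected() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-login.php")
    [ "$code" = "401" ]
}

# Stand-alone usage (APPEND to .htaccess so the permalink rules survive):
#   sh wp_login_auth.sh /home/example/.htpasswd alice 'long passphrase' >> /home/example/public_html/.htaccess
if [ "$#" -eq 3 ]; then
    add_htpasswd_user "$1" "$2" "$3" >&2
    login_auth_stanza "$1"
fi
```

Two things to keep in mind: this second password is separate from the WordPress one, so a leaked WordPress password alone no longer gets a bot to the login form; and xmlrpc.php also accepts username/password logins and is hit by the same brute-force bots, so either cover it the same way (which breaks Jetpack and the mobile apps) or let Wordfence rate-limit it.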
The other security measures I’m taking include installing the Wordfence plugin ... crazy simple to configure, doesn’t get heavy-handed with your system, and emails you immediately if a file changes, if someone attempts to use the admin login, and for a host of other attack scenarios that you can tell it to throttle or ban, and for how long, when such-and-such occurs. It also hides your WordPress version, which hack bots look for in order to pick out outdated installs (hiding it only discourages the lazy bots; the ones that simply try the exploit anyway are stopped only by keeping WordPress updated). Wordfence also “learns” from attacks on other WordPress sites and automatically blocks a known attack method on every site, anywhere in the world, that runs Wordfence. Check out the video on their site to learn more about what it does to secure your WordPress sites.
It can also scan your themes and plugins (just tick them under Wordfence - Options). Both the InfiniteWP and Wordfence plugins are free, upgrades are an optional purchase, and so far I haven’t found anything I needed that would require buying any add-ons.
Another way to check ALL of the themes under wp-content/themes for malicious code is to install Theme Authenticity Checker (TAC). Once it’s activated, go to Appearance and click TAC; it takes a few seconds to compare your files to the originals at WordPress.org. It then tells you whether it has found added code, and in which file. Some hits may be OK, as in you edited your theme’s .php files yourself, but more often than not it turns up base64-encoded injections (the classic eval(base64_decode(...)) line) and a cleanup is in your immediate future. For plugins there is this free WordPress plugin security checker.
And I cannot stress this enough - DO NOT go to “free theme” websites and install a theme without running Theme Authenticity Checker on it to ensure it’s clean! TAC checks every theme under the themes folder; a theme does not have to be active to be scanned. Your best bet is to buy a legit pro theme, or find a theme on WordPress.org that works with the latest WP version.
Just some tips:
1. Record Keeping - Keep a folder on your hard drive named for each of your domains. Keep the login details for each site (hosting email account, WordPress admin username and password) in a password manager rather than in a Notepad or Word file; a plain-text file on your PC is an easy target if your own computer is ever infected. Within each folder, download your .htaccess, wp-config.php, and the theme folder for that site immediately after you have the site set up the way you want it. Remember that wp-config.php holds your database password, so keep that folder somewhere only you can read. Also keep a zipped copy of the original, unedited theme in that folder. If you make theme changes, re-download the freshly edited page(s) to the themes folder so it stays current.
2. Backups - Keep at least two backups of your site in the folder at all times, or perhaps create a special email address to have backup emails sent to on a regular basis. I like to schedule a backup weekly and have it emailed to me. If a restore becomes necessary, you can go with whatever is most recent: the one you made or the one your host made. I use the WP-DB-Backup plugin, but there are a number of different ones available, all for free. Just search for backup plugins inside your admin panel or at WordPress.org. And yes, it takes a couple of minutes to move the backup to your hard drive, but trust me on this, it will take a whole lot more of your time to restore and clean up a slew of hacked sites. AND/OR ... use InfiniteWP and do your backups within it.
3. Secure CHMOD Settings - After a site is set up and your theme and plugins are installed, go through the root files, the root directories, and the wp-content/themes and plugins folders and make sure every file or directory you chmoded to 777 is back to its normal setting (644 for files, 755 for directories). Making theme edits in the Admin is fine, so is backing up your site to your server using WP-DB-Backup, or writing the permalink rules to .htaccess ... just chmod to 777 for the 30 seconds you need and then immediately chmod it back via FTP.
4. 777 Is A Security Risk - I no longer use ANY plugin or theme that requires a file or directory to be left permanently world-writable (777 CHMOD) ... look for a different plugin or theme that doesn’t have this weakness built in from the get-go. Your host can also set your site up to work with 775 instead of 777; ask them, then change any file or folder that has 777 to 775 via FTP. Note that 775 still leaves the group write bit on, so it only closes the hole if the web server process is not in your file group; your host can tell you which user PHP runs as. This has to be done on a per-site basis.
5. Use Strong Passwords! - Go right now and change all of your admin logins to NOT use “admin”. Create a new administrative login with a different name, and then generate a password that isn’t your birthday or the dog’s name (a password manager will generate and remember a long random one for you).
Just go to Users, create a new administrator name and password, give it administrator status (*important*), save it and then log out. Now log back in with the new user and password, go back to Users and delete the old admin. Be sure to assign all posts to the new admin name! Once that is complete, open Wordfence Options and turn on the setting that immediately blocks anyone who tries to sign in as the default “admin” user.
6. Clean Up Old Scripts & Databases - If you aren’t using a script, delete it and the database it rode in on! I prefer to have my host do this; it takes them only a couple of minutes when I provide the database name in my support ticket (it’s in the wp-config.php file you saved to the domain folder, remember?).
7. More Spring Cleaning - Remove unused plugins and themes, and get non-renewed or sold domains, databases and content removed from your server. This includes deleting the default themes WordPress installs if you are not using them!
Why? you may ask. I wondered whether unused files were really a problem, so I asked my host for clarification. Response: “Say you’ve cleaned up your blog or website, but didn’t delete the unused files. If the hacker knows he has injected code into an unused plugin or theme on your site, he can tell it to activate and start the hack process all over again.” Enough said!
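Tips 3 and 4, together with the Theme Authenticity Checker scan described earlier, can also be done from a shell on the server, which makes it easy to re-check after every plugin or theme install. The script below is an added example, not the original post's or any plugin's code. It assumes a POSIX shell with find and grep on the host, the usual WordPress baseline of 755 for directories and 644 for files, and a web server that only needs to read the files (on the "writable by the web user" setup it is the owner and group, not the mode, that matter); the /home/example path is made up.

```shell
#!/bin/sh
# Added example (not the original post's or any plugin's code): audit and reset
# WordPress file permissions, then scan PHP files for the eval(base64_decode(...))
# style of injection that the Theme Authenticity Checker typically reports.
# Assumptions: POSIX sh with find/grep, the WordPress baseline of 755 for
# directories and 644 for files, and a web server that only needs to READ them.

# List every file or directory under $1 that is world-writable (777, 666, ...).
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Reset to the baseline: directories 755, files 644, and wp-config.php 640 so
# that other local accounts on a shared host cannot read the DB credentials.
reset_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type f -name wp-config.php -exec chmod 640 {} +
}

# Print PHP files under $1 that decode and then execute hidden code. Legitimate
# themes and plugins almost never need eval() on base64/gzip data, so every hit
# deserves a look (and a diff against the original theme zip you kept).
scan_suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        '(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        {} + || true
}

# Stand-alone usage:  sh wp_audit.sh audit /home/example/public_html
#                     sh wp_audit.sh fix   /home/example/public_html
if [ "$#" -eq 2 ]; then
    case "$1" in
        audit) find_world_writable "$2"; scan_suspicious_php "$2" ;;
        fix)   reset_wp_perms "$2"; find_world_writable "$2" ;;
    esac
fi
```

Run `audit` after installing anything from a "free theme" site and again after every cleanup; an empty result for both checks is what you want. The grep pattern is deliberately narrow, so it will miss other obfuscation, which is why the file-change emails from Wordfence and the zipped original theme for diffing remain the real safety net.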
I can’t promise your sites are now perfectly secure, but I know I’m sleeping much better now that I have these safeguards in place!
~~ Happy Blogging!
Update: I’d like to share this article, Malware Removal Checklist for WordPress, as it contains even more things to look for when securing your sites than what I’ve already posted.
Tags: infinitewp, plugin security checker, prevent hacks, schedule weekly backups, server security, theme authenticity checker, wordfence, wordpress database backup, wordpress security
Posted in Articles & Tutorials, Blog Plugins & Widgets, Blog Program Tools, Security Issues, Wordpress | No Comments »
Did you know you could pick up an infection after frequenting dating chat rooms while looking for love? No, I don’t mean an STD, but some bot infections can be just as hard to eradicate. Cybercriminals use malicious bots to troll chat rooms and harvest personal information, while others crawl the net harvesting email addresses (spam bots) or your instant messaging details (SPIM bots), and zombie bots take over your computer outright. The zombie computers are used to coordinate large-scale attacks in which all of them act in unison, carrying out commands sent by the botnet owner.
Malicious file-sharing bots are programmed to take the user’s query term (e.g. a movie or song title) and respond to the query claiming they have the file available, with a link to it. In reality, the bot takes the search term, generates a file of the same (or a similar) name, and injects a malicious payload into that fake file. The unsuspecting user downloads it and unknowingly infects their computer on opening it.
Another malicious bot is the fraud bot. Fraud bots are programmed to earn money for their creator, whether by generating false clicks on a revenue program, creating a multitude of fake users for sweepstakes entries, or generating fake votes for something the creator is for or against.
To protect yourself and your computer, use a second-opinion malware scanner to check whether your primary antivirus or anti-malware scanner has let something slip onto your system undetected.
Malware developers deliberately code their malware to evade detection by many of the major virus and malware scanners on the market, using encryption, stealth techniques and all manner of obfuscation to hide their computer-takeover payloads.
You should Google any second-opinion scanner you are thinking of using to make sure it is legitimate and not a scam program known as scareware. Be very careful when selecting one, because some malware developers produce fake antivirus products that introduce malware into your system rather than removing it. Many have very convincing names and sharp-looking websites that lure you into using or purchasing the malicious software. One such scareware program is Antivirus Security Pro, a computer infection from the Rogue.WinWebSec family of rogue anti-spyware programs. Don’t download or install it! And never buy an antivirus program from a website popup or a link sent to you in an email; ALWAYS go to the software’s official site to make purchases, once you’ve checked that it is legit.
Here are a few legitimate scanner programs for you to look into.
1. Malwarebytes, free and paid versions. Malwarebytes has a proven record of removing all forms of malware, including viruses, Trojans, spyware, adware and rootkits.
2. Hitman Pro, free and paid versions. Hitman Pro is a second-opinion scanner designed to rescue your computer from malware (viruses, Trojans, rootkits, etc.) that has infected it despite the security measures you already have in place (antivirus software, firewalls, etc.).
3. Kaspersky TDSSKiller anti-rootkit utility. A free tool that focuses on the TDSS/TDL family of rootkits, which are very sophisticated and extremely difficult to detect and remove.
Tags: adware, Antivirus Security Pro, cybercriminals, fraud bots, hitman pro, identity theft, Kaspersky TDS Killer, malicious bots, malware, malwarebytes, scareware, second opinion scanner, spam bots, spim bots, spyware, Trojans, viruses, zombie bots
Posted in Articles & Tutorials, Security Issues | No Comments »
If you run multiple WordPress blogs on multiple domains, or manage multiple sites for clients, then I don’t have to tell you what a major headache it is to constantly keep them upgraded and secure. The hacks that hit older WP installations have certainly brought my server to its knees on more than one occasion. Attackers search for blogs that have NOT been updated, knowing those are still wide open to their exploits. In short, the quicker you upgrade to the latest versions, the less chance you have of being hacked.
And if you think it wouldn’t happen to you, search Google for “Hacked WordPress Blog” and you will see over two and a half million reports from other people it has happened to. It was just such a situation, with malicious code injected into my sites, that prompted me to start looking again for a program that would let me manage all of my WordPress sites from one location.
Some years ago, when I was running over 15 WP blogs (now over 80), I knew I wanted to bulk-upgrade the WordPress CMS as well as plugins and themes. I wanted to set up automatic backups, track and view Google stats, manage users, spam, comments, settings, add and edit posts, clone sites, manage media ... Yes, I wanted every feature of my individual blog admin panel available as a bulk management feature, so that I no longer had to log in to every website to perform all of the maintenance they require. It was taking up too much of my time ... time that would be better spent expanding my multi-site empire!
Unfortunately, at the time no one had written a comparable, centrally located WordPress management admin panel or plugin, but all of that has changed! There are now several WordPress management software solutions, and I’ll give a brief overview of the ones I’ve found.
First I’ll cover the programs that require you to sign up and log in to their website to use/lease the software. Trials are free, but most free tiers become limited after the trial and you’ll need to pay a monthly fee based on the number of websites you manage.
1. CMS COMMANDER
CMS Commander has every tool you could possibly want, and some you probably didn’t know you wanted. It bulk-manages not only your WordPress sites but also Joomla, Drupal and phpBB websites. You can manage comments, clone sites, create new users, install one-click updates of WordPress, plugins and themes, and compare Google Analytics stats across all of your blogs. CMS Commander also has several advertising options, legal API content sources, SEO tools, the ability to import PLR articles and manage the popular WP Robot plugin. And of course it lets you set up the basics: create and schedule posts and back up all of your WordPress websites. It also includes content generation tools and auto-posting features. Price: plans start at $4.95 per month for up to five websites. There is a 30-day free trial with all features functional; if you stay on the free option afterwards, some of the bulk features are locked.
2. WP REMOTE
Another program where you log in to their site to set up and manage your blogs is WP Remote. WP Remote is free, with additional features in the Premium version, which starts at $5 for one site and goes up to $149 for 50.
Monitor unlimited sites for Free
Easily update WordPress Core, Plugins and Themes with a single click
Download a snapshot of your site
Automatic backups to our servers, your own S3 or Dropbox
Automatic Plugin, Theme and Core updates
Daily notification emails of all available updates
Keep a record of site activity
Manage and install Plugins and Themes right from within WP Remote
3. MANAGE WP
ManageWP is a multiple-WordPress management program that includes one-click access to your websites, bulk site monitoring, backup, publishing, and other bulk maintenance features. Easily see which of your sites have themes and plugins that need upgrading. With ManageWP you can update all of your plugins, themes or the WordPress core with just one click. Get uptime monitoring, traffic alerts, SEO analysis, Google Analytics integration, and more. You can even manage your sites from your smartphone with their free iOS app. Price: free plan for up to five websites; with paid plans, choose how many websites you want to manage.
4. iControlWP
Update WordPress plugins, themes and WordPress core versions in bulk
Apply consistent Security settings across all your sites.
Analyze and Optimize your WordPress databases.
Centrally manage your WordPress backups.
Login to your WordPress sites automatically – no more remembering passwords.
It’s free to create an iControlWP account, with no commitment. Start with a free, unlimited 30-day trial. There is no tiered pricing: it is a flat $0.60 (USD) per site per month, with a 5-site ($3) minimum, and you pay for extra features when, and if, you need them.
5. WP Pipeline
Easily update your WordPress themes, plugins and core versions with WP Pipeline. If you want to upload a new theme or plugin to one blog or to many, you can do it in a few clicks from your dashboard, and you can deactivate plugins or themes the same way, singly or in bulk. If you want to create a new blog with a particular setup, you can do that from the main dashboard in a few clicks: you can create and save multiple profiles based on blogs you already have, which is particularly powerful if you want to set up a large number of blogs with the same configuration. WP Pipeline is a download that you install. Price is based on the number of sites you want to use it with: a Basic 5-site license is $27, Standard for up to 100 sites is $67, and Pro for unlimited sites is $147.
6. WP MultiNetwork Management Plugin
Want a centralized management system for WordPress Multisite? WP Multi Network is a plugin that adds a network management interface for super admins in a WordPress multisite environment. It turns your multisite installation of WordPress into many multisite networks, all sharing one central user base. With WP Multi Network you can create new networks of sites, allowing many site, network and domain arrangements. Price: Free
7. Infinite WP
InfiniteWP lets you manage multiple WordPress sites with a single master login and features one-click updating as well as management tools for your plugins and themes. It also has instant backup and restore. The basic features of InfiniteWP are free; expanded features are available for purchase as add-on modules, of which there are currently 12, starting at $49. At the time of this post the site is offering discounts of 10% and up to 30%. InfiniteWP is a software download that you install on your own server, so you own the program and any modules you may decide to purchase.
InfiniteWP is the program I am currently testing for my own blog management. I’ll let you know how I like it and which, if any, additional modules I felt were needed.
Tags: blogs organizer, bulk management tools, bulk wordpress management, cms commander, iControlWP, Infinite WP, manage multiple wordpress sites, manage wordpress sites from one admin panel, Manage WP, wordpress management software, WP Multi Network Management, WP Pipeline, WP Remote
Posted in Articles & Tutorials, Blog Plugins & Widgets, Blog Program Tools, Blog Services, Security Issues, Wordpress | 1 Comment »
WordPress 3.3.2 is available now and is a security update for all previous versions.
Three external libraries included in WordPress received security updates:
Plupload (version 1.5.4), which WordPress uses for uploading media.
SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.
Tags: security update, Wordpress 3.3.2
Posted in Security Issues, Wordpress | No Comments »