Security Alert: 3 WordPress Plugins Need Upgrading ASAP

Written by Bec on January 15, 2015 – 7:04 PM -

It may be a New Year, but the hackers haven’t taken a holiday. Thanks for the heads-up from the Wordfence Security team!

1. The popular Pods content development framework for WordPress has XSS and CSRF vulnerabilities. This was fixed in version 2.5, which was released on 30 December. Please upgrade immediately. (The plugin is popular, with over 200,000 downloads.)

2. The CformsII plugin suffers from a remote code execution vulnerability via unauthorized file upload. Please upgrade immediately to version 14.8, which contains a fix, if you’re using this plugin. (The plugin has approximately 20,000 downloads.)

3. The Banner Effect Header plugin has XSS and CSRF vulnerabilities. This has been fixed in version 1.2.7, so upgrade if you’re using this plugin. (The plugin has approximately 20,000 downloads.)

Please use the links to download newest versions and upgrade immediately if you are using any of these plugins.



Free SSL and Web Encryption in Summer 2015

Written by Bec on November 19, 2014 – 6:51 PM -

Yesterday, November 18th, the Electronic Frontier Foundation (EFF) announced a project that will make SSL and encryption on the web completely free. They have created a non-profit organization called the Internet Security Research Group (ISRG) in collaboration with Mozilla, the University of Michigan, Cisco, Akamai and IdenTrust.

The ISRG is launching a project called Let's Encrypt, which will make free SSL certificates available for any website starting Summer 2015. But they go further than that. It has always been fairly technical to install an SSL certificate, so Let's Encrypt is creating applications for platforms like Linux and other web hosting operating systems that let you install and activate SSL for your web server with a few keystrokes.

So the net result is that, starting Summer 2015, not only will SSL for any website on the Net be completely free, but you will also be able to install and activate SSL on your site with just a few keystrokes and no payment.

Wordfence has put together a detailed blog post showing the impact of not using SSL with some additional details about this important announcement including the EFF’s video explanation of the project. This has a big impact on WordPress users because the net result is that SSL will be the default for all well maintained WordPress websites by late next year.

Help spread the word, because this is a major change for the many WordPress websites that currently do not use SSL.



Arrggh! My Site Has Been Hacked!

Written by Bec on February 1, 2014 – 2:38 PM -

“Why me?” you ask – because they can. I’m just now recovering from a bot hack that infected EVERY site on my server, not just the blogs. As one of the host techs explained: bots look for vulnerabilities to exploit, and once they get hold of an ISP with vulnerable files, they insert malicious code that launches more bots to search for more sites/ISPs to infect. Once they have control of your machine, it’s used along with other compromised systems for all sorts of evil cyber manipulations, such as sending out thousands of spam emails or using your system for DDoS attacks against sites that bring them down, or compromise them in some manner.

Where you are using WordPress there is a tighter FTP permission strategy your host can put into place that still lets you use a program like InfiniteWP to manage all of your blogs from one login location and/or do your upgrades from the admin panel, and is more secure than any other method. Just ask your host to set permissions that “make the files writable by the web user”. A single location to do your upgrades from will let you keep WordPress, plugins and themes current, which is a major, and necessary, method of keeping your site secure!

The other thing my host has done is set up a security popup that requires a user name and password before it even lets you get to the actual wp-login.php page. It’s a global popup that works for all of the blogs on the server, so any bot sniffing out your admin login has to get past that popup login first.

The other security measures I’m doing include installing this Plugin: Wordfence … crazy a** simple to configure, doesn’t get heavy handed with your system, and emails you immediately if: a file changes, someone attempts to use the admin login, and a host of other potential attack scenarios that you can tell it to throttle or ban and for how long if such and such occurs. It also hides your WordPress version, which is something hack bots search for in order to exploit outdated cms versions. Wordfence also “learns” from other WordPress sites if there is an attack, and automatically blocks a known attack method to any site, anywhere in the world that is using Wordfence automatically. Check out the video on their site to learn more of what it does to secure your WordPress sites.

It can also scan your theme and plugins (just check mark them under Wordfence – Options). Both InfiniteWP and Wordfence plugins are free, upgrades are an optional purchase, and so far I haven’t found anything that I have needed that would require me buying any addons.

Another way to check ALL of the themes you have under wp-content/themes for malicious code is to install Theme Authenticity Checker (TAC). Once it’s activated, go to Appearance and click TAC, and it will take a few seconds to compare your files to the originals at WordPress. It then tells you if it has found added code and in what file. Some may be OK, as in you edited your theme on the actual .php files, but more often than not it returns base64 code hacks and a cleanup is in your immediate future. And for plugins there is this free WordPress security plugin checker.

And I cannot stress this enough – DO NOT go to “free theme” websites and install a theme without using the Theme Authenticity Checker plugin on it to ensure it’s clean! TAC will check every theme under the themes folder; it does not have to be an active theme to have it scanned. Best bet is to buy a legit pro theme, or find a theme on WordPress that works with the latest WP versions.

Just some tips:

1. Record Keeping – Keep a folder on your hard drive named for each of your domains. Open Notepad or Word, put in your email address and password and your admin user name and password, and then save it to the folder. Within each folder download your .htaccess, wp-config.php, and the themes folder for that site immediately after you have the site set up the way you want it. Also keep a zipped copy of the original, unedited theme in that folder. If you make theme page changes, re-download the freshly edited page(s) to the themes folder so it stays current.

2. Backups – Keep at least two backups of your site in the folder at all times, or perhaps create a special email addy to have backup emails sent to on a regular basis. I like to schedule a backup weekly and have it emailed to me. If a backup becomes necessary, you can go with whatever is most recent, the one you made, or the one your host made. I use the WP-DB-Backup plugin, but there are a number of different ones available, and all for free. Just search for new backup plugins inside your admin panel or at WordPress.org. And yes, it takes a couple minutes to move the backup to your hard drive, but trust me on this, it will take a whole lot more of your time to restore and cleanup a slew of hacked sites. AND/OR… use InfiniteWP and do your backups within it.

3. Secure CHMOD Settings – After a site is set up and your theme and plugins are installed, go through the root files, the root directories, and the wp-content/themes and plugins folders and make sure you have returned all 777-chmoded files back to their original chmod setting. Making theme edits in the Admin is fine, so is backing up your site to your server using WP-DB-Backup, or setting the permalinks status for the .htaccess … just chmod to 777 for the 30 seconds you need to do them and then immediately re-chmod via FTP.

4. 777 Is A Security Risk – I no longer use ANY plugin or theme that requires a file or directory be always left open and writable using a 777 CHMOD setting … look for a different plugin or theme that doesn’t have this security breach built in from the get-go. Your host can also set your site to work with 775 chmod instead of 777. Just ask them and then change any file or folder that has 777 to 775 via FTP. This has to be done on a per-site basis.

5. Use Strong Passwords! – Go right now and change all of your admin logins to NOT use admin. Create a new administrative login using something other than admin, and then create or generate a password that isn’t your birthday or the dog’s name!

Just go to Users, create a new administrator name and password, give it administrator status (*important*), save it and then log out. Now log back in with the new user and password and go back to Users and delete the old admin. Be sure to assign all posts to the new admin name! Once that is complete, open Wordfence Options and select where it says you want it to ban anyone trying to create the default “admin” user name.

6. Clean Up Old Scripts & Databases – If you aren’t using a script, delete it and the database it rode in on! I prefer to have my host do this, and it takes only a couple of minutes for them to make this happen when I provide the database name in my support ticket. (It’s in the wp-config.php file you saved to the domain name folder – remember?)

7. More Spring Cleaning – Remove unused plugins and themes and get those non-renewed or sold domains, databases and content removed from your server. This includes deleting the default themes WordPress installs if you are not using them!

Why? you may ask. I was wondering if there was a problem with unused files so I asked my host to get clarification. Response: “Say you’ve cleaned up your blog or website, but didn’t delete the unused files. If the hacker knows he has injected code into an unused plugin or theme on your site, he can tell it to activate and start the hack process all over again.” Enough said!
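Tips 3 and 4 above are about not leaving 777 (world-writable) files and folders lying around after setup. The shell script below is an added example, not something from the original post or from any of the plugins mentioned: it finds every file or directory under a WordPress root that is writable by “other” and resets them. I chose 755 for directories and 644 for files (the usual WordPress baseline) and 640 for wp-config.php because it holds the database credentials; if your host runs the 775 arrangement described in tip 4, substitute that. The root path, the function names and the sample tree in the usage lines are all my own assumptions.

```shell
#!/bin/sh
# Added example (not the blog's or any plugin's code): audit and fix
# world-writable permissions under a WordPress install.
# Assumed layout: $1 is the WordPress root (the folder holding wp-config.php).

# List every file or directory writable by "other" (the 777 case in tips 3-4).
wp_perms_audit() {
    # -perm -o+w matches any mode that has the "other write" bit set
    find "$1" \( -type f -o -type d \) -perm -o+w -print
}

# Count the offending entries; 0 means the tree is clean.
wp_perms_count() {
    wp_perms_audit "$1" | wc -l | tr -d ' '
}

# Reset: 755 for directories, 644 for files; wp-config.php gets 640
# since it stores the database name, user and password (my choice, see lead-in).
wp_perms_fix() {
    find "$1" -type d -perm -o+w -exec chmod 755 {} +
    find "$1" -type f -perm -o+w -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# Usage on a constructed sample tree (assumed paths, built here only for the demo):
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php // constructed sample config\n' > "$demo_root/wp-config.php"
printf 'sample upload\n' > "$demo_root/wp-content/uploads/a.txt"
chmod 777 "$demo_root/wp-content/uploads" "$demo_root/wp-content/uploads/a.txt" "$demo_root/wp-config.php"
echo "world-writable before fix: $(wp_perms_count "$demo_root")"
wp_perms_fix "$demo_root"
echo "world-writable after fix:  $(wp_perms_count "$demo_root")"
rm -rf "$demo_root"
```

Run it on a copy or over SSH against the real site root, and read the audit list before running the fix: a plugin that genuinely needs a writable uploads folder will show up there, and that is exactly the case tip 4 says to re-evaluate rather than paper over.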

I can’t promise your sites are now perfectly secure, but I know I’m sleeping much better now that I have these safeguards in place!

~~ Happy Blogging!

Update: I’d like to share this article Malware Removal Checklist for WordPress as it contains even more things to look for, to secure your sites than what I’ve already posted.
