WP Minder

Security

3 Common WordPress Vulnerabilities and How to Prevent Them

by Leave a Comment

WordPress is the most popular content management system (CMS) in the world, powering over 39% of all websites in 2021. But despite its increasing popularity, even long-time WordPress users are often unaware of common security issues that put their site at risk…

Three very common vulnerabilities of WordPress sites include:

  • Outdated plugins and themes
  • Abandoned plugins
  • Outdated WordPress core

A WordPress “vulnerability” is a flaw in the software (in plugins, themes, or WordPress itself) that makes your site more susceptible to attack. A WordPress vulnerability can allow an attacker to execute arbitrary code on your site or bypass authentications, which can lead to major data loss or site defacement

Vulnerabilities in WordPress can be exploited by attackers using a variety of techniques, including SQL injection (where a hacker tries to access a WordPress dashboard by injecting malicious queries into the SQL database) and cross-site scripting (where hackers upload malicious Javascript code to a site, usually designed to trick users into sharing sensitive data).

If you’re using WordPress, this post will teach you how to protect yourself against these very common problems. And thankfully, that’s pretty easy to do.

#1. Outdated Plugins and Themes – The Top Reason Sites Get Hacked

Research consistently shows that plugins are the main way that a site gets hacked – usually over 50% of all hacker entry points involve plugins. And Sucuri’s 2019 Hacked Website Report found that over 44% of sites they worked with had at least one vulnerable plugin.

And plugins are critical – the ability to add a huge array of features to your site with plugins is one of the things that makes WordPress so wonderful!

Yet many WordPress users don’t seem to realize that plugins and themes are actually software – just like software on your phone or computer – that has to be updated from time to time. The longer the plugin or theme has been around without an update, the more likely it’s going to have issues, either with security vulnerabilities or by no longer playing well with the newer version of WordPress on your site. You’re asking for trouble by avoiding updating plugins on your site.

What To Do About Outdated Plugins and Themes

Updates Available
Updates are available

Make it a habit to login to your WordPress dashboard at least once per week and check for any available updates to plugins and themes. Just run the available updates you see in your WordPress dashboard – that’s all you need to do (making sure that you have a fresh backup available first, especially if you’re running complex plugins like WooCommerce).

This is simple, rarely results in any problems with your site, and is one of the very best ways to protect your site. And if an update does cause a problem – that’s what backups are for.

For commercial plugins and themes, make sure you keep those licenses updated, otherwise you’ll lose the ability to update the plugin or theme (making your site more vulnerable to hackers) and miss out on bug fixes and new functionality.

Also make sure you’re using a security plugin on your site that provides malware scanning. Automated scanning is best because it can be set up to alert you when a problem is found so you can take care of it quickly. But a manual scan is also fine if you can remember to do it when you check for updates.

If eventually you no longer need a plugin, deactivate it and remove it. Keeping an unused plugin on the website is still providing a potential entry point for malware.

A Special Word About Updating Themes

In my experience, once in a while I’ll run across a client’s site where the theme is wayyyy outdated. That’s a warning sign, and typically shows up where the site’s developer did not properly use a child theme for modifications and the site’s owner was either told not to update it or is prevented from updating it by a code change. If changes were made directly to a purchased commercial theme, it can’t be updated without losing all those modifications, and that’s bad news.

If you’re in that situation, unfortunately you really need a new, correctly-built theme for your site. The longer you wait, the more risk you’re taking on that the site could be a target of hackers or will stop working well with the current version of WordPress.

#2. Abandoned Plugins

An abandoned plugin is one where the developers no longer actively maintain it and haven’t made any changes to it in over 2 years. That means it’s not tested for compatibility with current versions of WordPress, and is also not checked for bugs. If problems have been found, they haven’t been fixed.

The longer the plugin has been around without an update, the more likely it’s going to have issues, either with security or by no longer playing well with the rest of your site causing it to break or behave oddly.

Having these on a site makes me uncomfortable, because I know it puts the entire site at risk, and it’s an unnecessary risk!

There are some very popular abandoned plugins that used to be go-to’s that are still installed on hundreds or thousands of websites. For example, the WordPress plugin called Limit Login Attempts was great in its time. It helped prevent Brute Force attacks, where the hacker would try random username/password combinations until they found the right one.

However, Limit Login Attempts hasn’t been updated by its developer in over 9 years. It’s still installed in over 800,000 WordPress sites! That’s a potentially big problem waiting to happen.

What To Do About Abandoned Plugins

The View Details block
For plugins, this is the View Details block.

For plugins that you notice haven’t had an update in quite a long time, go to the Plugins page of your site. Under each plugin you’ll usually see a ‘View Details’ link in the Description section. Click it and it will show you when the plugin was last updated and WordPress version compatibility. If a plugin hasn’t been updated in the last 2 years, it’s a good idea to begin looking for a replacement (or if you no longer need it, just remove it).

Fortunately, it’s usually pretty easy to find a replacement that does what your old plugin does if you still need that functionality. Just be careful to check your site once you replace a plugin to make sure that it’s working correctly. That goes for removal too – check your site after removing an unneeded plugin.

 

#3. Not Keeping your WordPress Installation Updated to the Latest Version

When you have a WordPress site, you quickly learn that WordPress gets updated a lot. A major WordPress update may happen a few times per year, and it’s always a little bit scary because they usually involve some significant changes. Minor updates happen much more frequently.

The good news is, WordPress core is typically much more secure today than the plugins which are created mostly by third-parties, and successful attacks on WordPress core are quickly fixed by patches. That’s why there are so many updates to core. WordPress core has gotten more secure (less reported security issues) in every major version.

You should always use the latest version of WordPress because it will include the latest round of security fixes, as well as any new features. The latest version also tends to have some performance improvements.

What To Do About Outdated WordPress Core Files

The answer is simple, and the same as for outdated plugins and themes. Make it a habit to visit your WordPress dashboard at least once per week and check for updates. Before you click that update button, be sure you have fresh backup in place.

For the major updates (like 5.4, 5.5, 5.8) I typically wait about a week. There are always bugs associated with these big updates and it’s better to give it time to have these problems fixed before doing the update on your own website.

Especially if you haven’t updated WordPress in a while, make sure you have a fresh backup first, and check your site for any problems after the update.

Conclusion

In this post, we’ve gone over three very common WordPress vulnerabilities and how you can protect your site and your customers against them. If you’re using WordPress for your website, it’s more important than ever to make sure your site is secure!

And don’t forget that it’s critical to have a regular backup of your site stored safely away from your hosting account. Having that fresh backup can save the day – not having it can cause a catastrophe if something happens to your website.

How We Help You

WP Minder’s daily WordPress vulnerability checks help us stay on top of any plugin, theme or WordPress problems that arise on your site. They are just part of the comprehensive security measures we put in place for our Care Plan clients – and that includes redundant offsite backups made daily so we always have a fresh copy of your site in case disaster strikes. We also fix issues that may arise as a result of an update at no charge.

To see which WordPress Care Plan would be the best fit for your site, take our 5-question quiz.

Weekly Links Roundup – Clean Up Your Media Library, Remote Working Toolkit, WooCommerce Catalogs, Spamdexing

by Leave a Comment

Here’s our latest selection of curated WordPress and web marketing links to help your business thrive.

Do you have dozens (or hundreds? Or thousands?) of images in your Media Library that you know or suspect are no longer being used? All those extra images can slow down your site, first by taking up lots of extra space on your web server, and second by making backup files huge. Fortunately, there are some fairly easy ways to identify and remove them without having to go through every image one by one. Learn about how to clean up your Media Library without too many headaches.

A timely article called Make It Remote shares work-at-home knowledge gained over a decade of managing remote teams. This is a pay-what-you-want toolkit.

If you want to use WooCommerce as a product catalog instead of a sales machine, there’s an extension for that. I used this in a client’s site last week and it’s super-easy to hide the add-to-cart functionality and replace it with custom messages or links of your own.

Finally – all about spamdexing, where websites get hacked with injected nasty keywords and links to manipulate search engine rankings for another web property designed to rip people off. You can avoid being the target of one of these hacks by keeping your site up to date, using strong passwords, and using a good security plugin properly set up to scan your site regularly.

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Weekly Links Roundup – Super Admin, Smart Slider 3, Media Cleanup, Hacked Sites Report

by Leave a Comment

Here’s our latest selection of curated WordPress and web marketing links to help your business thrive.

You may or may not be the super admin of your WordPress website – but what does that really mean? Here’s a good explanation of why you need to be careful when choosing a super admin.

Smart Slider 3 has been my go-to favorite slider for client sites for awhile now due to both its great array of tools and excellent support. Here’s an in-depth review of Smart Slider 3 and a head-to-head comparison with another popular slider, Soliloquy.

If you have tons of files in your Media Library but are not sure if they are all being used, try a Media Library cleanup. Word of warning – if you use a cleaner plugin make absolutely sure you have a fresh backup first!

Finally… Sucuri has release their Hacked Website Threat Report for 2019. Some of the major takeaways:

  • 56% of websites that were hacked had outdated core files – such as an outdated WordPress version.
  • 44% of hacked sites had more than one outdated component including plugins and themes.
  • About 60% of hacked sites were running on servers with outdated, unsupported versions of PHP.

Moral of the story – keep WordPress, plugins and themes up to date. And check with your host if you’re not using an up-to-date PHP version. You can use WP Health to see what PHP version your host uses.

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Weekly Links Roundup – 2FA, Leaving Squarespace, PHP, WordPress Performance

by Leave a Comment

This week’s top WordPress and web marketing links.

It’s a scary world out there. You know how when you login to your bank’s website, they’ll typically send you a code on your phone to make sure it’s you? That’s called 2-factor authentication (2FA) and did you know, you can have the same level of login security on your own WordPress site? It’s a great way to improve overall security of your site. Here’s a guide to adding 2FA to WordPress with a free plugin called FIDO.

Squarespace is a popular hosted website platform suited to beginning website owners, but when you understand its limitations, you’re likely ready to upgrade to a more flexible platform that’s totally under your control. WordPress fits that description perfectly. But how do you move? Here’s a step-by-step tutorial on switching from Squarespace to WordPress.

If your host is using a very old version of PHP on its servers, you likely noticed a nagging popup in the WordPress dashboard around August 20 that encouraged you to update to a modern version of PHP. Users of servers with PHP 5.6 or older got this nag (about 43% of all users). WordPress recommends PHP 7.1+ now. Anything older than that is not being updated for security and is leaving your site at risk. The older the version of PHP, the more likely your plugins and themes will begin to fail due to compatibility issues. And, modern versions of PHP are much, much faster! Learn more about PHP and WordPress and why upgrading is so critical.

And why is website speed so important? Glad you asked – check this out. And get in touch if you’d like a Performance Audit to speed up your own WordPress site.

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Weekly Links Roundup – Security, Google Maps, FooGallery, Why Blog?

by Leave a Comment

This week’s top WordPress and web marketing links.

I’ve had WordPress clients tell me they don’t worry about security or backups because their site is “too small to hack.” I beg to differ. It’s small sites with owners who have poor security practices that are frequently the target of hacks because they are so easy to crack! When a site owner doesn’t update WordPress/plugins/themes sometimes in years, or when they have simple login passwords, their sites are much easier to attack and use for malicious activity. If your site gets hacked and begins churning out spam or displaying links to porn sites or worse, gets defaced, your business’s trustworthiness and credibility will take a big hit. Don’t let this happen your business – read this quick post on why it’s important to harden your site. And check out our WordPress Care Plans if you want a partner to do this critical work for you. Our plans start at just $2 per day.

Maps are a great addition to your website when you have a brick-and-mortar location. And, you can add them to your WordPress site easily using either some manual code or a plugin. Learn how to add a Google map to your WordPress site.

FooGallery has been my go-to WordPress gallery plugin for several years. Besides being a full-featured responsive and flexible gallery plugin, they also have excellent support if you need it. FooGallery has a pro (commercial) version that includes more features, like a video galley option, but for my clients the free version usually works fine. Here’s a big comprehensive review of FooGallery so you can see whether it’s a good fit for your site too.

Finally, here’s an interesting take on the evolving purpose of blogging. How has blogging changed in the last decade or so? Do you find yourself writing more to teach others what you know, or to get a reaction out of them? Both purposes have value. Some food for thought…

Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.