WP Minder
WordPress Problems

3 Common WordPress Vulnerabilities and How to Prevent Them

May 11, 2021 by Debbie Campbell

WordPress is the most popular content management system (CMS) in the world, powering over 39% of all websites in 2021. But despite its popularity, even long-time WordPress users are often unaware of common security issues that put their site at risk.

Three very common vulnerabilities of WordPress sites include:

  • Outdated plugins and themes
  • Abandoned plugins
  • Outdated WordPress core

A WordPress “vulnerability” is a flaw in the software (in plugins, themes, or WordPress itself) that makes your site more susceptible to attack. A vulnerability can allow an attacker to execute arbitrary code on your server, bypass authentication, or read and modify your data, which can lead to data loss, data theft or site defacement.

Vulnerabilities in WordPress can be exploited using a variety of techniques, including SQL injection (where an attacker supplies specially crafted input that a plugin or theme passes unsanitized into a database query, letting them read or change the database, including user accounts and password hashes) and cross-site scripting (where an attacker gets malicious JavaScript stored in or reflected by one of your pages so that it runs in other visitors’ browsers, typically to steal session cookies or to make an administrator’s browser perform actions on their behalf).

If you’re using WordPress, this post will teach you how to protect yourself against these very common problems. And thankfully, that’s pretty easy to do.

#1. Outdated Plugins and Themes – The Top Reason Sites Get Hacked

Industry reports consistently show that plugins are the main way sites get hacked – vulnerable plugins typically account for more than half of the identified entry points. Sucuri’s 2019 Hacked Website Report found that over 44% of the sites they cleaned had at least one vulnerable plugin.

And plugins are critical – the ability to add a huge array of features to your site with plugins is one of the things that makes WordPress so wonderful!

Yet many WordPress users don’t seem to realize that plugins and themes are software – just like the apps on your phone or computer – and have to be updated from time to time. The longer a plugin or theme has gone without an update, the more likely it is to have problems, either known security vulnerabilities that will never be fixed or incompatibility with the newer version of WordPress on your site. You’re asking for trouble by not updating the plugins on your site.

What To Do About Outdated Plugins and Themes

[Screenshot: the WordPress dashboard showing that updates are available]

Make it a habit to log in to your WordPress dashboard at least once per week and check for available updates to plugins and themes. Just run the updates you see in the dashboard – that’s all you need to do (after making sure that you have a fresh backup, especially if you’re running complex plugins like WooCommerce).

This is simple, rarely results in any problems with your site, and is one of the very best ways to protect your site. And if an update does cause a problem – that’s what backups are for.

For commercial plugins and themes, make sure you keep those licenses updated, otherwise you’ll lose the ability to update the plugin or theme (making your site more vulnerable to hackers) and miss out on bug fixes and new functionality.

Also make sure you’re using a security plugin on your site that provides malware scanning. Automated scanning is best because it can be set up to alert you when a problem is found so you can take care of it quickly. But a manual scan is also fine if you can remember to do it when you check for updates. Keep in mind that a scanner tells you about an infection after the fact; it’s a safety net, not a substitute for applying updates.

If you eventually no longer need a plugin, deactivate it and then delete it. Deactivating alone is not enough: the plugin’s files stay on the server, and some of them can still be requested directly, so an unused plugin remains a potential entry point until it is removed.

A Special Word About Updating Themes

In my experience, once in a while I’ll run across a client’s site where the theme is wayyyy outdated. That’s a warning sign, and typically shows up where the site’s developer did not properly use a child theme for modifications and the site’s owner was either told not to update it or is prevented from updating it by a code change. If changes were made directly to a purchased commercial theme, it can’t be updated without losing all those modifications, and that’s bad news.

If you’re in that situation, unfortunately you really need a new, correctly-built theme for your site. The longer you wait, the more risk you’re taking on that the site could be a target of hackers or will stop working well with the current version of WordPress.

#2. Abandoned Plugins

An abandoned plugin is one where the developers no longer actively maintain it and haven’t made any changes to it in over 2 years. That means it’s not tested for compatibility with current versions of WordPress, and is also not checked for bugs. If problems have been found, they haven’t been fixed.

The longer the plugin has been around without an update, the more likely it’s going to have issues, either with security or by no longer playing well with the rest of your site causing it to break or behave oddly.

Having these on a site makes me uncomfortable, because I know it puts the entire site at risk, and it’s an unnecessary risk!

There are some very popular abandoned plugins that used to be go-to’s and are still installed on hundreds or thousands of websites. For example, the WordPress plugin called Limit Login Attempts was great in its time. It helped prevent brute-force attacks, where an attacker tries username/password combinations over and over until one works.

However, Limit Login Attempts hasn’t been updated by its developer in over 9 years. It’s still installed on over 800,000 WordPress sites! That’s a potentially big problem waiting to happen.

What To Do About Abandoned Plugins

[Screenshot: the View Details block for a plugin]

For plugins that you notice haven’t had an update in quite a long time, go to the Plugins page of your site. Under each plugin you’ll usually see a ‘View Details’ link in the Description column. Click it and it will show you when the plugin was last updated and which WordPress version it was last tested with. If a plugin hasn’t been updated in the last 2 years, it’s a good idea to begin looking for a replacement (or, if you no longer need it, just remove it).

Fortunately, it’s usually pretty easy to find a replacement that does what your old plugin does if you still need that functionality. Just be careful to check your site once you replace a plugin to make sure that it’s working correctly. That goes for removal too – check your site after removing an unneeded plugin.
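The two checks described above for plugins (is there a newer version than the one installed, and has the plugin gone more than two years without an update) can be automated against the data WordPress.org publishes for every plugin in its directory, which is handy once a site has thirty or forty of them. The script below is an added example, not code from this post or from WP Minder. It assumes you supply the slugs and installed versions of your plugins (from the Plugins screen or from `wp plugin list`) and, for each slug, the plugin-info JSON that WordPress.org returns from https://api.wordpress.org/plugins/info/1.0/<slug>.json; the plugin records embedded here are constructed sample data in the shape of that response, with a fixed “today” so the output is reproducible, and the two-year threshold is the post’s own rule.

```python
"""Flag outdated and abandoned WordPress plugins from WordPress.org plugin-info data.

Added example, not code from the post or from WP Minder. Inputs assumed:
  * INSTALLED: slug -> installed version, gathered from your own site
  * API_INFO:  slug -> the JSON WordPress.org returns for that plugin from
               https://api.wordpress.org/plugins/info/1.0/<slug>.json
               (only the version, last_updated and tested fields are used)
Everything below is constructed sample data; no network access is needed.
"""
from __future__ import annotations

import re
from datetime import date
from typing import NamedTuple

ABANDONED_AFTER_DAYS = 2 * 365  # the post's rule: no update in over two years


class Finding(NamedTuple):
    slug: str
    status: str   # "abandoned", "update-available", "untested-with-core", "ok" or "unknown"
    detail: str


def version_key(v: str) -> tuple[int, ...]:
    """Turn '1.10.2', '5.8' or '2.1.0-beta' into a tuple that compares numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", v)) or (0,)


def parse_last_updated(s: str) -> date:
    """last_updated arrives as e.g. '2012-03-01 1:29pm GMT'; only the date prefix is needed."""
    return date.fromisoformat(s[:10])


def assess(installed: dict[str, str], api_info: dict[str, dict],
           core_version: str, today: date) -> list[Finding]:
    """One finding per installed plugin, reporting its most serious condition."""
    findings: list[Finding] = []
    for slug, have in installed.items():
        info = api_info.get(slug)
        if info is None:
            # Commercial or delisted plugins are not in the directory: ask the vendor.
            findings.append(Finding(slug, "unknown", "not on WordPress.org; check with the vendor"))
            continue
        age_days = (today - parse_last_updated(info["last_updated"])).days
        if age_days > ABANDONED_AFTER_DAYS:
            findings.append(Finding(slug, "abandoned",
                                    f"last updated {age_days // 365} years ago; replace or remove"))
        elif version_key(info["version"]) > version_key(have):
            findings.append(Finding(slug, "update-available", f"{have} -> {info['version']}"))
        elif version_key(info.get("tested", "0"))[:2] < version_key(core_version)[:2]:
            # Maintained and current, but the author has not tested it on your core branch.
            findings.append(Finding(slug, "untested-with-core",
                                    f"tested up to {info['tested']}, site runs {core_version}"))
        else:
            findings.append(Finding(slug, "ok", "current"))
    return findings


def report(findings: list[Finding]) -> str:
    return "\n".join(f"{f.slug:28} {f.status:20} {f.detail}" for f in findings)


# --- constructed sample data (illustrative values, not real plugin records) ---
TODAY = date(2021, 5, 11)      # fixed so the output is reproducible
SITE_CORE_VERSION = "5.7.2"
INSTALLED = {
    "limit-login-attempts": "1.7.1",
    "contact-form-7": "5.3.2",
    "woocommerce": "5.3.0",
    "some-gallery": "1.2",
    "vendor-licensed-addon": "2.0",   # bought elsewhere, so not in the directory
}
API_INFO = {
    "limit-login-attempts": {"version": "1.7.1", "last_updated": "2012-03-01 1:29pm GMT", "tested": "3.3.2"},
    "contact-form-7": {"version": "5.4.1", "last_updated": "2021-04-15 10:02am GMT", "tested": "5.7.2"},
    "woocommerce": {"version": "5.3.0", "last_updated": "2021-05-11 3:30pm GMT", "tested": "5.7.2"},
    "some-gallery": {"version": "1.2", "last_updated": "2020-01-10 9:00am GMT", "tested": "5.3"},
}

if __name__ == "__main__":
    print(report(assess(INSTALLED, API_INFO, SITE_CORE_VERSION, TODAY)))
```

To run it against a real site, replace INSTALLED with your own inventory and fetch each slug’s JSON from the URL above. Plugins bought from a vendor won’t be in the directory, which is why an unknown slug is reported rather than silently treated as current; the “untested-with-core” status is weaker than “abandoned” but is the same signal the View Details block gives you when the tested-up-to version lags your site.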

 

#3. Not Keeping your WordPress Installation Updated to the Latest Version

When you have a WordPress site, you quickly learn that WordPress gets updated a lot. A major WordPress update may happen a few times per year, and it’s always a little bit scary because they usually involve some significant changes. Minor updates happen much more frequently.

The good news is that WordPress core is generally much better audited than plugins and themes, which are mostly written by third parties, and security issues found in core are fixed quickly in point releases. That’s one reason there are so many core updates.

You should always use the latest version of WordPress because it will include the latest round of security fixes, as well as any new features. The latest version also tends to have some performance improvements.

What To Do About Outdated WordPress Core Files

The answer is simple, and the same as for outdated plugins and themes. Make it a habit to visit your WordPress dashboard at least once per week and check for updates, and before you click that update button, be sure you have a fresh backup in place. Note that since WordPress 3.7, minor releases (the security and maintenance updates such as 5.7.1 and 5.7.2) are installed automatically by default, so you will often find they have already been applied; major releases still wait for you unless you turn on automatic updates for major versions, an option that has been available in the dashboard since WordPress 5.6.

For the major updates (like 5.4, 5.5, 5.8) I typically wait about a week. There are always bugs associated with these big updates and it’s better to give it time to have these problems fixed before doing the update on your own website.

Especially if you haven’t updated WordPress in a while, make sure you have a fresh backup first, and check your site for any problems after the update.

Conclusion

In this post, we’ve gone over three very common WordPress vulnerabilities and how you can protect your site and your customers against them. If you’re using WordPress for your website, it’s more important than ever to make sure your site is secure!

And don’t forget that it’s critical to have a regular backup of your site stored safely away from your hosting account. Having that fresh backup can save the day – not having it can cause a catastrophe if something happens to your website.

How We Help You

WP Minder’s daily WordPress vulnerability checks help us stay on top of any plugin, theme or WordPress problems that arise on your site. They are just part of the comprehensive security measures we put in place for our Care Plan clients – and that includes redundant offsite backups made daily so we always have a fresh copy of your site in case disaster strikes. We also fix issues that may arise as a result of an update at no charge.

To see which WordPress Care Plan would be the best fit for your site, take our 5-question quiz.

Filed Under: Security, WordPress Problems Tagged With: wordpress security, wordpress vulnerabilities

Weekly Links Roundup – WooCommerce Shipping, WordPress Comments, RSS Feeds

February 28, 2020 by Debbie Campbell

Here’s our latest selection of curated WordPress and web marketing links to help your business thrive.

I’m building a WooCommerce site for a client right now and needed a way to set up shipping by weight ranges. There are commercial plugins that do this, but I found a great free one that works fine for my client’s needs. WooCommerce Weight-Based Shipping lets you add a series of rules for free shipping, subtotals, shipping destinations, all based on order weight.

Do you allow comments on your WordPress blog? Comments can be great – they can help build and tie a community of site fans together. But they can also have a dark side. If your blog comments are overrun with spam or trolls and you just want it to stop, learn how to disable comments completely, or conditionally as you see fit. This post also covers how to delete existing comments, shorten the available commenting period, and more.

If you have a blog, are you sharing that blog so people can read it elsewhere? Like an RSS reader. Here’s an interesting post about RSS feeds and whether they are ‘giving away content for free.’ I agree with the author… you want people to read your blog, right? Encouraging people to subscribe to your RSS feed is a way to help more people see your writing. And that’s a good thing.

As a followup, here’s a review of the best RSS readers and news aggregator services. If you’ve never used one, try signing up and subscribing to some feeds.


Did you find this information useful? Please share with your friends and colleagues! And comment below with questions or observations.

Filed Under: Ecommerce, Managing Content, Resources, WordPress Plugins, WordPress Problems Tagged With: comments, rss feeds, rss readers, woocommerce

Weekly Links Roundup – WP Minder, Installing Plugins, Knowledge Bases, Gutenberg

January 24, 2020 by Debbie Campbell

Here’s our latest selection of curated WordPress and web marketing links to help your business thrive.

My website is down! What do I do? Here’s a post that answers that question. Or, if you were a WP Minder client, you’d just let us know (most likely we’d know before you do with our uptime monitoring) and we’d get you up and running quickly with no fuss on your part. But for you DIYers, learn 8 things to check when your WordPress site is down.

(Check out our WordPress Care Plans if you’d like to learn more about WP Minder and use coupon code WPMNP10 to get 10% off your monthly subscription.)

Let’s get really, really basic for a minute… Here’s a post on how to do one of the most important WordPress tasks: installing a plugin. Learn three ways to install a plugin! Bet you didn’t know there were three ways…

A knowledge base on your website can be a great way to provide a lot of information on your products or services in a highly-organized and easy-to-use tool. Here’s a review of four top knowledge base plugins for WordPress and information on how to get started creating your own.

You’ve probably used or at least encountered the Gutenberg editor in WordPress by now. Love it or hate it, it’s here to stay. And if you do use it, you’ve probably noticed problems with either its capability limits or just the experience of using it. Here’s something that may help: a guide to 10 of the best plugins to extend Gutenberg. These plugins offer more blocks to give you more layout functionality. I’ve used CoBlocks for clients who like using Gutenberg.



Filed Under: Managing Content, WordPress Plugins, WordPress Problems, WordPress Tutorials Tagged With: care plans, gutenberg, plugins, wp minder

Weekly Links Roundup – Calendar Plugins, Tour Booking, Maintenance Mode, SMTP

October 18, 2019 by Debbie Campbell

This week’s top WordPress and web marketing links.

Calendar plugins are a big and sometimes confusing topic – there are a lot of them. Some are free and some paid. How do you choose the best one for your particular job? This review of top calendar plugins for 2019 might help. It’s a little different because it includes plugins for appointment and rental bookings – not just the typical event calendar.

And speaking of bookings… my client is a tour guide in Peru and was looking for a plugin to handle tour bookings. That was harder to find than I thought, but I came up with two options that look promising, and that we’re going to try.  Check out WP Travel or WP Travel Engine. You can also use WooCommerce for this purpose.

Sometimes you may need to ‘close’ your site to do some maintenance or handle an emergency. Here’s a post on how to put your site into ‘maintenance mode,’ with or without using a plugin.

Finally… Not getting the expected notification emails from your WordPress site? That’s so irritating, isn’t it? The most likely reason is that the host server isn’t set up for PHP mail(), or is set up incorrectly, or the receiving server is flagging the messages as spam: mail sent straight from a web server via PHP mail() usually has no SPF, DKIM or DMARC alignment with your domain, so it fails the receiver’s authentication checks. The fix is to send those notifications through an authenticated SMTP (Simple Mail Transfer Protocol) account instead. This post will show you how.



Filed Under: WordPress Plugins, WordPress Problems Tagged With: calendar plugin, maintenance mode, smtp, tour booking

Weekly Links Roundup – WordPress 5.0, Audio and Video Players, Powerpoint, Internal Links

December 7, 2018 by Debbie Campbell

This week’s top WordPress and web marketing links.

Today (Thursday Dec. 6) is supposed to be the (rescheduled) day for the WordPress 5.0/Gutenberg drop. Nothing yet and it’s afternoon… but when it happens, here are some handy links about Gutenberg, the new WordPress editing tool.

  • Should you update to WordPress 5.0 right away? I say no. Personally I would wait until January to give WP and plugin/theme developers time to deal with Gutenberg issues – it is not ready for prime time. I will not be updating client sites until then – I’ll be using Classic Editor instead. Here’s what Yoast says about updating.
  • Do I have to use Gutenberg? No – if you prefer the old editor, install and use the Classic Editor plugin – learn how to do this. You can try Gutenberg when you’re ready, on your terms.
  • What exactly does Gutenberg do? Here’s a guide to everything Gutenberg.

Switching gears, here’s a big review of the 15 best WordPress audio and video players. This is brand new and not super-thorough or in-depth on each plugin, but is a good place to start if you’re looking to add audio or video to your WordPress site and need a quick overview of current options.

If you’re a Powerpoint fan (are there any, still?) then you might have a need for this… I was asked a few weeks ago to embed a client’s Powerpoint in WordPress and I’d never done that before. Here’s a guide to embedding Powerpoint in WordPress; the Embed Any Document plugin they mention worked perfectly. It also embeds Word, Excel, PDF and Illustrator files.

And finally, some SEO stuff. You may not know that internal links (links between pages and posts in your own website) are very important! They help drive users deeper into your site to the places you want them to go. They show search engines what pages are most important (the ones with the most internal links!). And they help ensure that search engine crawlers can reach every page on your site. Learn more about internal links and why you really need to audit them from time to time.



 

Filed Under: News, SEO, WordPress Plugins, WordPress Problems, WordPress Tutorials Tagged With: audio players, classic editor, gutenberg, internal links, powerpoint, seo, video players

Weekly Links Roundup – WordPress Headaches, Remarketing, Restaurant Sites, Font Awesome

July 2, 2018 by Debbie Campbell

This week’s WordPress and web marketing links.

The top three most-mentioned WordPress pain points are performance, security, and updates that break sites. I hear you. These are all things I deal with for myself and for clients on a daily basis. Here’s an infographic on the biggest WordPress headaches for 2018. If you need help with them, please let me know. We do performance analysis and optimization, security audits, and manage site updates for our clients – minding your site so you can manage your business.

A few of my clients do remarketing (displaying ads to people who have already visited and/or interacted with your site or social media account or mailing list). Others are not familiar with the concept. Here’s a good primer on both Google and Facebook remarketing.

Though this particular article is targeting developers, it may be helpful to you if you’re thinking of starting a website for your restaurant. As always, if you need help with project discovery, consulting, design or development, please contact me.

Font Awesome icons are great – they look good, there are thousands to pick from, and because they’re not images you can resize them freely with no quality loss. Adding Font Awesome icons to WordPress is pretty easy – here are three methods.

And finally – May was the 15th anniversary of the release of WordPress. Here’s the original announcement. Happy Birthday, WP.

 

Filed Under: Design, Maintaining WordPress, Performance, Resources, WordPress Problems Tagged With: font awesome, remarketing, restaurant websites, wordpress problems

© Copyright 2022 WP Minder · All Rights Reserved · Privacy · Terms · Affiliates