Would you still use WordPress as the start of a new website?

WordPress vulnerabilities found in all versions up to 3.8 – updates needed, WordPress 3.9 still has a vulnerability, vulnerabilities found in WordPress 4.0, WordPress 4.1…

These news reports are becoming more and more common. As I mentioned in previous articles, WordPress occupies a significant part of the internet, making it a prime target for numerous hackers (read here why) especially when many websites are not up-to-date.

This naturally raises the question for both me and my clients:

Should you still use WordPress as the foundation?

The answer is still: yes

But…

The days when anyone with a little reading could put WordPress online, download a few plugins and a theme, and be done with the site and maintenance are over.

Has WordPress become worse?

WordPress has not gotten worse. WordPress is still in the hands of developers who work with dedication to improve the system.

Every time a vulnerability is discovered, they ensure that a security update is released. In short, the quality is still high, and the speed at which WordPress is updated has kept up with the need.

WordPress still has its password system, its database, and its user-friendly way of setting up websites. It continues to evolve and remains one of the best functioning CMS platforms.

How can you safely use WordPress then?

WordPress itself is a good system, but there are certain “rules” you should consider when setting up a WordPress website.

Some of these “rules of the game” have changed because of the many hacking attempts and the various viruses circulating on the internet.

The “rules of the game” for WordPress in 2015


  1. Use a maximum of 5-8 plugins
    Each plugin is a potential entry point for hackers. Some plugins are developed by programmers who are just looking to make a quick buck and don’t bother updating or securing them when exploits are found.
  2. Regularly update WordPress
    Not every update is related to security, so you don’t have to follow every update. Sometimes, it’s best to wait until the bugs in the update have been ironed out.
    Sometimes, plugin developers also need some time to update their plugins as they might be dependent on the code of the previous WordPress version.
  3. Choose a unique username, password, and screen name
    One of the first things a spambot tries is your screen name, website name, or variations thereof.
    In short: be creative and avoid using “dictionary words.” Mix in some numbers and capital letters.
  4. A security plugin like WordFence, Sucuri, or iThemes Security is not a luxury
    These plugins let you easily control whether visitors can browse the folders on your server, whether the WordPress version is visible, where the admin panel is located, whether files are writable, whether long query strings can be passed through the address bar, whether repeated login attempts result in an IP ban, and more.
    To keep your WordPress website somewhat secure, you need one of these plugins.
    Note: You should configure them properly as well!
  5. Make sure you don’t have keyloggers on your PC
    Small scripts picked up from the internet, a web page, or a browser add-on can capture your keystrokes and transmit them. Use a good antivirus program on your PC.
    Tip: Avira has a good free antivirus scanner!

Akismet activated? Dolly activated?

Akismet is one of the most commonly used plugins to combat comment spam. The plugin’s popularity stems from it being included by default in the WordPress plugins directory.

Back to Akismet: this plugin blocks comment spam.

Comment spam? What is that?

Comment spam occurs when scripts or bots leave irrelevant and promotional comments on your posts or pages.

Even if your article is about the moon landing, the spam comment might be promoting the purchase of shoes – in short, it’s comment SPAM.

Akismet has been installed millions of times and effectively addresses this spam issue.

It is worth mentioning that many websites do not use their comment section, making the plugin an unnecessary burden on the website’s speed.

So, think about it for yourself too!

If you have Akismet installed but never check it or update it regularly, then remove it!

Some older versions of Akismet had XSS issues (source).

Although there are few reports of problems and most users have the latest version thanks to the auto-updater, it’s important to reduce the number of plugins you use to avoid giving hackers an opportunity.

Do you have WordPress under control?

Having control over your website is crucial, especially considering it can be a significant source of income and visitors. Knowing what is happening with your website day and night, including the type of visitors it receives, is essential for effective management.

Tools like Google Analytics or the Count per day plugin can provide valuable insights into your website’s traffic, showing you where visitors come from and which pages they visit. However, one notable observation is the presence of visitors who spend 0.0 seconds on your website. These are known as “bots” that visit your website solely to leave a link behind. They may visit your website around 40 times a day, but they do not engage with any content.

Additionally, some visitors may land directly on your admin panel, indicating possible hackers and hackbots. These are usually automated processes performed by computers, making up about 99.5% of such attempts.

It is reassuring to know that many hacking attempts fail, but it is essential to be aware of potential security threats. Being informed about the number of attempts to access your admin area and their sources is crucial.

Moreover, having visibility into the actions of successful hackers is essential. Understanding how they gained access, which files they modified, and their activities enables quick action and response.

iThemes Security PRO is a powerful tool that can help you regain control of your WordPress website and improve its security. Some of its features:

– Keeping track of login attempts to your admin area.
– Notifying you of successful login attempts.
– Monitoring IP addresses that excessively visit your website.
– Detecting IP addresses attempting to fish for admin addresses.
– Logging file modifications, additions, and deletions, with precise timestamps.
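As an added example (not the article’s code, nor iThemes’), the first three checks on that list done by hand over a web server access log: it counts POSTs to wp-login.php per IP, notes visitors that land on the admin area with no referer, and reports when a login finally succeeds after repeated attempts. It assumes the Apache/nginx combined log format and the stock wp-login.php location; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed access-log lines (Apache/nginx "combined" format, documentation
# IP ranges): 203.0.113.5 hammers wp-login.php with no referer, 198.51.100.7 is
# an editor logging in from a post page, 192.0.2.9 lands straight on /wp-admin/.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:06:01:03 +0100] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:06:01:04 +0100] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:06:01:05 +0100] "POST /wp-login.php HTTP/1.1" 200 2341 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:06:01:06 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:07:15:00 +0100] "GET /2015/03/moon-landing/ HTTP/1.1" 200 9876 "https://www.google.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:07:18:30 +0100] "GET /wp-login.php HTTP/1.1" 200 2341 "https://example.test/2015/03/moon-landing/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:07:18:45 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:08:00:00 +0100] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
ADMIN_PATHS = ("/wp-login.php", "/wp-admin")


def analyse(log_text, post_limit=3):
    """Map each suspicious IP to the reasons it was flagged."""
    posts, direct, logged_in = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(ADMIN_PATHS):
            continue
        rec, ip = m.groupdict(), m.group("ip")
        if rec["referer"] == "-":
            # Arrived at the admin area with no referer: typical of hackbots;
            # a person normally clicks through from the site itself.
            direct[ip] += 1
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            posts[ip] += 1
            if rec["status"] == "302":
                # WordPress redirects (302) after a successful login and
                # re-renders the form (200) after a failed one.
                logged_in[ip] = posts[ip]
    alerts = {}
    for ip in sorted(set(posts) | set(direct)):
        reasons = []
        if posts[ip] >= post_limit:
            reasons.append("repeated login attempts (%d POSTs)" % posts[ip])
        if direct[ip]:
            reasons.append("direct admin hits without referer (%d)" % direct[ip])
        if logged_in.get(ip, 0) >= post_limit:
            reasons.append("login succeeded after %d attempts" % logged_in[ip])
        if reasons:
            alerts[ip] = reasons
    return alerts
```

Feed it your real access log and the "login succeeded after N attempts" reason is the one that warrants an immediate password reset and file check.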

By leveraging iThemes Security PRO, you can proactively monitor your website and detect suspicious activity promptly. This allows you to act against potential threats before they escalate and helps prevent costly security issues.

If you haven’t already, consider using iThemes Security PRO: it can significantly enhance your website’s security and give you peace of mind.

Do I need to keep up with WordPress updates?

The developers of WordPress are very active and sometimes release updates as frequently as monthly.

And that’s just for the updates addressing “potential” security issues discovered by the community. If you look at the release log, you’ll see that there have been numerous updates for WordPress.

WordPress takes prompt action when they discover a new vulnerability that could be exploited. This is a good practice!

However, it’s not always the case for plugins and themes. Some premium plugins and themes are not updated regularly, even when vulnerabilities have been known for months. These vulnerabilities are sometimes reported on forums, accessible to any hacker.

Should you update WordPress with every release?

It is advisable to keep WordPress updated regularly, but updating immediately after every release carries its own risks: a new release can introduce errors or problems in your WordPress. It is not unwise to wait a few days and check whether a release is a security update or just adds “fancy” features for bloggers.

Help! I encountered an error after updating!

It’s not uncommon to encounter errors after updating. It could be due to insufficient server space or incomplete updates caused by a server outage. If you face this situation, you can manually upload WordPress via FTP.

My website is at risk!

You might receive alarming emails from your hosting provider stating that something is wrong with your WordPress site and that there are files posing a risk. These emails are sometimes generated by hosting software that detects not only hack files but also potential vulnerabilities.

However, a “potential vulnerability” doesn’t necessarily mean that your WordPress is compromised if it’s well secured. Since these notifications do not consider the security measures you have in place, they can be unsettling.

Ways to stay worry-free:

1. Regularly back up your website: Backups can help you restore your website in case of any issues caused by vulnerabilities.

2. Update WordPress regularly: Especially when there is a security release.

3. Use a limited number of plugins: Every plugin increases the potential for vulnerabilities, injection points, or XSS attacks.

4. Secure your website with a professional security plugin: A good security plugin like iThemes Security can enhance the protection of your WordPress site.

What exactly is jQuery? Is it safe?

jQuery has been in use since 2006, yet many programmers still find it challenging to use. In fact, jQuery is an excellent library of JavaScript actions that any programmer can use easily: it lets you perform dynamic actions on website elements with just a few lines of code.

Here are some key facts about jQuery:

1. jQuery is free to use by any programmer.
2. It is widely accepted by 90% of browsers.
3. jQuery can be used to manipulate the DOM and CSS.
4. It is a library of code that needs to be loaded into the website.
5. Many major websites, including Google, use jQuery.
6. Over half of all websites online use jQuery.
7. jQuery contributed to the decline of Flash on websites.
8. jQuery is fast, lightweight, and suitable for mobile devices.
9. It is regularly updated to stay compatible with the latest browsers.

The difference between jQuery and jQuery minified is that the standard jQuery library is well documented and includes spaces and line breaks for readability. The minified version (jquery.min.js) is stripped of all comments and explanations, resulting in a smaller file size and potentially faster loading times.

As for the updates, jQuery started with version number 1.0 in 2006, and new releases have been introduced annually or even more frequently. The latest release at the time of writing is version 2.0. It’s worth noting that jQuery dropped support for Internet Explorer 6, 7, and 8 in April 2013 and later added support for various new versions of Opera and Safari.

Some common dynamic functions in jQuery include manipulating CSS by dynamically adding and removing classes, and resizing and repositioning divs. These simple functions alone can achieve a lot on a website.

Is jQuery safe? The jQuery files themselves are generally safe, but JavaScript files in general are a target for hackers and hack scripts because of their dynamic nature and because they are loaded into every visitor’s browser. To keep them secure, make sure the files cannot be modified by others.

However, since many jQuery scripts are loaded externally, be careful about the source the script comes from: a script loaded from an external source can be altered at that source at any time.

Finding a hack in a JS file works much as it does in PHP files: the malicious code is usually placed at the very beginning or end of the file, and it is often encoded as runs of numbers and characters without any formatting.
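An added example (not from the article) of that check as a script: it looks only at the head and tail of a file for the indicators just described, run here over constructed samples in which the injected code is harmless. A hit is a reason to compare the file against a known-good copy, since minified libraries and legitimate data URIs can also contain long runs of opaque characters.

```python
import re

# Indicators of injected code: calls that execute decoded text, long runs of
# escaped or numeric character codes, and long base64-looking strings.
SUSPECT_CALLS = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|base64_decode|gzinflate|str_rot13)\s*\(")
ENCODED_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}|\d{2,3},){12,}")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Constructed stand-in for a legitimate library file (one line repeated 40 times).
CLEAN_JS = "/*! constructed library, stands in for jquery.js */\n" + (
    "(function(w){function addClass(el,c){el.classList.add(c);}"
    "w.lib={addClass:addClass};})(window);\n") * 40
# Constructed injection appended at the very end: eval over numeric char codes.
INJECTED_TAIL = CLEAN_JS + (
    "eval(String.fromCharCode(118,97,114,32,120,61,49,59,100,111,99,117,109,"
    "101,110,116,46,116,105,116,108,101,61,49));\n")
# Constructed injection at the very top, PHP style: eval of a base64 blob.
INJECTED_HEAD = "<?php eval(base64_decode('ZWNobyAiaGkiOw==')); ?>\n" + CLEAN_JS


def scan_source(text, window=1500):
    """Return (region, indicator) pairs found in the head and tail of a file,
    the two places where injected code is usually dropped."""
    if len(text) <= 2 * window:
        regions = {"whole": text}          # small file: head and tail overlap
    else:
        regions = {"head": text[:window], "tail": text[-window:]}
    findings = []
    for where, chunk in regions.items():
        for m in SUSPECT_CALLS.finditer(chunk):
            findings.append((where, "suspect call " + m.group(1)))
        if ENCODED_RUN.search(chunk):
            findings.append((where, "long run of escaped/numeric character codes"))
        if BASE64_RUN.search(chunk):
            findings.append((where, "long base64-looking string"))
    return findings
```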

In conclusion, jQuery is a powerful and widely accepted library that makes dynamic web development much more accessible. However, like any other technology, it’s essential to ensure proper security practices while using it.

The ease of habits

I make use of people’s habits when hacking a site. For example, I exploit their tendency to use easy-to-remember usernames and passwords. People often use their first or last names, maybe followed by a birthdate, and sometimes add a few numbers.

We dislike complicated passwords because there are already so many we have to remember. I like to take advantage of these habits.

Another example of habits

When you think of a hacker, you may envision a stereotypical bad person. After all, who would want to learn how to break into someone else’s system?

And rightfully so, there are very few who would go to the trouble of hacking just to earn a living through hard work.

But they do exist: white hat hackers.


White hat hackers hack for the thrill, for amusement, without causing harm to a website with hacks. They approach companies and inform them about the hacks they found.

Or they simply help someone regain access to their site if they forgot their password.

Hacking sites can be a fun activity if you know what you’re doing. I do it for the entertainment, which is why I’ve become a guest blogger on wpbeveiligen.

For your convenience, you can call me Hacker Anno. Hopefully, you will learn from the tricks I will describe in the coming weeks, and understand that there are also good hackers out there.

Best regards,
Anno

Updates, implemented immediately?

Updates are important. We won’t deny that!

But…

You want to avoid problems in general. What are the chances of getting hacked due to an outdated plugin, and how likely is it that a new plugin conflicts with other plugins or with WordPress itself, causing errors that make your website non-functional?

The chances are higher that your plugin encounters an error and your WordPress stops working due to conflicts with other plugins or WordPress than the chances of your website getting destroyed by a hack.

Examples

We often come across WordPress websites that stop working, for example, because themes with WooCommerce templates use code that suddenly doesn’t work anymore in the latest WooCommerce update. Suddenly, your online shop stops functioning!

Or plugins that were coded 2 years ago may not work with the latest version of WordPress.

Plugin compatibility can also be an issue. For instance, translation plugins may be coded to work together with certain themes, WordPress, and other plugins used at that time, but after a year, the code may no longer be compatible.

Plugins still need to be updated

We will never tell you not to update your plugins. Our tip: update them regularly and all at once, after making a backup, on a regular schedule rather than for every single release.

Unless you want to run a backup of your data and database with each release so that you can roll back in case of any issues.

A new release

A new release or update is tested in advance, but it can never be tested on all platforms with every PHP version that exists. So, if it is found to have issues, the feedback will be posted on forums, and the developer will release a new update. Therefore, it’s advisable to wait at least 3-5 days before updating a plugin or WordPress, so you avoid being in the test phase.

It’s just a tip, do with it what you want 😉

An error 500 in WordPress … now what?

WordPress is essentially “foolproof.” You can set up a WordPress website as a beginner and play around with it freely. You can create posts, install themes, customize settings in WordPress, and more.

WordPress is designed to keep working no matter what you do with it.

The admin panel is separate from the website and the theme. It has a separate code in a separate folder.

And when you are in your admin panel, you can do various tasks without affecting the WordPress core.

But occasionally, Error 500!

Error 500?? What is that? And just when you had uploaded some new plugins and your website was becoming amazing.

What now?

Error 500 is a server error, and as a result, your entire website, including the admin panel, is no longer visible.

Time to panic!

No, calm down. Think about the last plugin you installed. That plugin or sometimes even the theme is likely causing the server error, and you can solve this by deactivating that plugin.

How?

You need to rename the plugin’s folder. That is often enough to make WordPress stop loading the plugin, which brings your website and admin panel back.

How do I rename a plugin when I can’t access it via the admin?

You have access to the server through your hosting package, either via a hosting panel or FTP details.

If you have a hosting panel

Do you have DirectAdmin or cPanel? It probably includes a file manager that lets you navigate to the plugins folder and rename the plugin’s folder.

The plugins are located under httpdocs (or www) > wp-content > plugins

[Image: editing a file in DirectAdmin]

If you have FTP access

Enter your server details in a free program like FileZilla and you will see the server folders in the familiar Windows/Mac style, which makes it easy to navigate to the specific plugin or theme and rename it.

Simply add a hyphen in front of the plugin’s folder name.

[Image: renaming a folder in FileZilla]

That’s enough for WordPress to deactivate the plugin or theme, making your website visible again, and allowing you to manage the website!

And then you can continue playing around in WordPress to create the website just the way you want it 🙂

Quick course: Killing your WordPress in 10 steps

Destroying your WordPress is not that difficult; we’ll teach you how to do it in 10 steps:

  1. Install as many plugins as possible; the more, the better. And never update them!
  2. Use your first name as the username for logging in.
  3. Choose your domain name as your password with some numbers.
  4. Try out various themes and keep them all.
  5. If you find comments with strange links on your site, log in and click on them!
  6. Share your FTP credentials with everyone on a forum! (Yes, it really happens…)
  7. Never update WordPress.
  8. Don’t use any antivirus on your computer and click YES on every internet popup.
  9. Let a teenager install your website because they know a lot about Windows!
  10. Choose the cheapest web host; the one for 1 euro per month must have an up-to-date server, right?

It may seem exaggerated, but we encounter these above 10 points on a daily basis.

Learn from it and avoid these mistakes!

My WordPress has been hacked. I download 5 antivirus plugins!

“My WordPress site has been hacked. I download an antivirus plugin, and maybe another one, and one more…”

And fixed?

No, there are several good plugins available. Think of iThemes Security and WordFence, or Sucuri, Acunetix, All in one security… there are many!

But here is what these 5 plugins don’t do:

They cannot break down hackers’ code, they don’t evaluate code. At most, a security plugin can show you code that may not belong on your site.

The free plugins

A free plugin lacks many features like scheduled scans, backups, and more.

The Premium plugin

A premium plugin has many more features, such as scheduling scans so you are quickly informed of hacks, and blocking hackers and hack scripts.

But when it comes to removing hacks…

Even if you download 5 security plugins… once your site is hacked, it’s not easy to get rid of it.

Why 5 security plugins won’t help you much if you are already hacked

  1. The database information has been extracted from the wp-config and is being used to execute new injections on the database
  2. The FTP credentials may be known, and no plugin can help against server-level privileges
  3. The plugins do not recognize new hack codes as “dangerous” or as an open door for hackers

In conclusion

Secure your WordPress site before it gets hacked. Prevention is better than cure!