In WordPress 4.7.0, a new API was introduced that turned out to be insecure.
The new REST API, which is enabled by default in all WordPress 4.7.0 releases, can be used to modify posts without having administrator rights.

This is every hacker’s dream! With automated injections, modifying posts could lead to millions of sites displaying unwanted text, advertisements, and links.

Silence is golden

The WordPress developers were informed of the vulnerability by a major security company. From that moment on, the developers worked tirelessly to test and fix the vulnerability.
To prevent hackers from gaining an advantage, they kept knowledge of the vulnerability quiet and implemented a forced update. It was only a week after the update was released to millions of sites that the news became public.

What is a forced update?

This forced update is different from any regular update. Normally, you can choose whether you want to update WordPress automatically or not.
This update to 4.7.2 was forced and applied even to websites with “automatic updates” turned off.

Who disables automatic updates?

You would expect that automatic updating only has advantages. You don’t have to pay attention to updates yourself, and your website never falls behind.

But sometimes, the plugins you use are not up to date, or there are no more updates provided for the plugins.

At that moment, the new WordPress release may conflict with your plugin, causing the plugin to stop working or display errors on your website.
And if you don’t notice it because the update was done automatically…

What does WPbeveiligen do with updates?

For websites with 2-5 plugins, it is relatively safe to allow automatic updates. However, when it comes to websites with 8-20 plugins, we prefer to perform updates manually, especially for plugins. While updating, we check the website to ensure everything is still functioning correctly. If an error occurs, we can immediately identify the cause.

Is it necessary to secure WordPress with a plugin?

By default, WordPress is relatively secure, and any XSS hacks are neutralized in updates. However, the plugins and themes developed by others have vulnerabilities that allow hackers and automated scripts to gain access to your website.

Securing WordPress starts with hiding and securing your admin area. Through the admin area, a hacker can do whatever they want, such as creating new posts and pages and injecting ads into your content or layout.

But… I have hosting security, right?

The hosting provider’s role is to protect against DDoS attacks and ensure the server functions properly. They implement security measures such as firewalls and brute-force protection, primarily focused on safeguarding the server itself. The server’s security software is NOT designed to protect Content Management Systems.

This is because certain permissions and freedoms are required for a Content Management System to edit, create, and delete files.

Protection against hackers? My website isn’t that popular!

Out of a thousand websites, 999 are discovered by automated scripts through Google and get infected with a virus. So even if your website is for a local fishing club, the automated script doesn’t discriminate and will still inject malware.

Malware? Virus? Hackers? Injection?

These terms can be confusing! Isn’t a virus for computers? Like the Windows viruses in the early 2000s? Explanation: A server hosting your website is a “stripped-down” computer with only an operating system like Linux. Linux has fewer viruses that work due to root protection. However, with WordPress, it’s different.

And isn’t malware something in my browser? Explanation: Malware is short for Malicious Software. It refers to the scripts/software that hackers place, or rather “inject,” on your server.

Injection is a term from medicine, right? Explanation: It involves taking a piece of code and releasing it on the server, which then spreads to various directories and files.

Hackers are intruders who primarily work with electronics. In this case, they spend days experimenting with a known vulnerability and target their virus to exploit that vulnerability.

Can a plugin stop all of that?

Not just “any plugin,” but the enhanced iThemes Security PRO NL can. This plugin has undergone years of development, testing, updates, and improvements in both the United States and the Netherlands to make hackers’ lives more difficult and protect your WordPress website.

How does the plugin work?

Against viruses: The security plugin restricts write and execute permissions on important files, making it more difficult for viruses to spread and modify critical files.

Against malware: Malware has certain characteristics and often executes commands that this security plugin can block.

Against injections: Injections are often attempted through the navigation bar, and this security plugin blocks suspicious injections and long codes that hackers try to inject into your website.

Against hackers: Hiding the LOGIN admin screen and implementing two-factor authentication are some of the most important preventive measures. Additionally, this security plugin hides various features that hackers exploit to gain access to your website, such as user information, database details, WordPress version numbers, and more.

In summary…

It is essential to secure your WordPress website against attacks, viruses, and malware. The iThemes Security PRO NL plugin offers the best protection for WordPress. We have been using this plugin for years and cannot imagine operating without it. Can you?

WordPress maintenance? Is that necessary?

It’s not a moped, after all.

It doesn’t rust, since when do you need to maintain digital data?

In the article below, we will explain why you need to maintain your WordPress website and guide you through the process of updating your website in 5 steps.

Updating is 80% of the maintenance WordPress websites need.

Maintaining WordPress against cybercrime

WordPress, especially the plugins, are constantly tested by hackers for vulnerabilities. And unfortunately, they succeed 🙁

Hackers have been making a living for years from the income generated through advertisements and products promoted via hacked websites.

The advertising industry is worth millions, just look at the ads on YouTube, television, newspapers… they are everywhere!

And cybercrime, as they call it, is still on the rise!
Why is that? Because the internet has global reach, from the office to the couch with a smartphone. People of all ages can be reached and are primarily active online.

Note: we are talking about automated hacks here. These are programmed once and then executed thousands of times a day by a computer.

1) Maintaining WordPress: Backup

First, make a backup of your entire website.

You can easily do this with UpdraftPlus, with just a click of a button, you have a backup! The free version is sufficient, and the premium version offers even more features.

2) Maintaining WordPress: Update WordPress

Start by updating WordPress itself.

This can usually be done within WordPress itself, but if it fails due to file permissions or other errors, you can manually replace WordPress on the server using an FTP program like FileZilla.

3) Maintaining WordPress: Update Plugins

Update the plugins and check if your website is still working.

If you want to be extra cautious, update your plugins one by one. This may take longer, but it avoids a lot of trouble if there are issues with a new update of a plugin.

Did you know that we can handle the updates for you monthly?! That saves you a lot of effort. We also update more frequently when vulnerabilities in plugins are discovered.

4) Maintaining WordPress: Update the Theme

Update the theme, but be aware that it may disrupt the appearance of your website.

PRO TIP: Check the release log of the theme first; it often happens that only updates with visual adjustments are released. You don’t have to apply those updates every time.

Update your theme only if there are security updates.

For more information, you can also refer to the article Updating WordPress, the ultimate guide.

5) Maintaining WordPress: Don’t Give Hackers a Chance

Not all plugins and themes are adequately maintained by developers.
This allows hackers to exploit vulnerabilities in plugins and inject unwanted advertisements and other viruses into

your website.

Free plugins are sometimes not updated because the developer is too busy with other work.
Premium plugins are not always updated on time because developers are not always aware of vulnerabilities in their plugins.

What you can do to prevent hacks

Vulnerabilities in plugins and themes are inevitable. It is important to minimize the opportunities for hackers.

This can be achieved with a good security plugin for WordPress.

The security plugin does the following:

1. Limits file permissions in sensitive folders and files
2. Filters injections through vulnerable plugins
3. Sends notifications when your website unexpectedly changes
4. And more!

A security plugin is not a luxury; it is essential to protect your website against hackers and hack bots.

Maintaining WordPress: The Easy Way

We work with WordPress 7 days a week. We have the expertise, passion, and knowledge to keep hackers out and maintain the security of WordPress websites.

For a small monthly fee, we maintain, update, and secure your WordPress website.

Convenience and security above all!

The surprise remains great when we mention that there are daily attempts to hack a customer’s WordPress website.

My website? Out of all the websites out there?

We will try to explain it as simply as possible without getting into too technical details.
(Most of our blogs go into such detail that even hardcore programmers can’t follow anymore)

They are trying to hack your website!
This is logical because:

1. Tens of thousands of scripts are active day and night on hackers’ computers and infected websites.
   These scripts have one purpose: to search for WordPress files/websites through Google and then perform a standard number of requests (hack attempts).
2. If your website is discoverable on Google, then a Hackbot will find it too!
   A computer can perform millions of calculations per minute, so imagine the reach of such a Hackbot.
3. The scripts are ingeniously crafted by former programmers.
   The scripts executed by the Hackbot are highly sophisticated.
4. All plugins you use leave traces in the source code of your website, which provides a foothold for a Hackbot.
5. There is a lot of money to be made by hacking WordPress websites.
   They can inject advertisements on your website.
   They can engage in link building through your website to boost their own website’s ranking on Google.
   They can change your payment details on WooCommerce to their own. (PayPal)
6. WordPress is Open Source and available for free download, along with thousands of free plugins.
   They can thoroughly examine those plugins and search for vulnerabilities.
7. Currently, 40% of all WordPress sites do not have an antivirus plugin.
   It’s only with an Antivirus plugin that you can see how many hack attempts are made.
   You can also see how many false attempts are blocked.
8. Criminal activity is significant, very significant. Especially online, as the perpetrators can remain “anonymous”.

Every website that can be found on Google is simply facing attempts to break in. Files and URLs are being tested.

Think of it like a criminal checking if your backdoor is open.

At the time of writing, we have over 200 articles, many of which cover methods to prevent hackers from gaining access.

Do you want to secure your website?

We ensure that your website does not allow unwanted visitors (hackers and hackbots). They are registered, blocked, and cannot execute their scripts on your website!

We offer a comprehensive service/maintenance package so that you no longer have to worry about your website!

Click here if you want to leave the maintenance and security of your website to WPbeveiligen.