What if I want to use a plugin or theme that is leaky?

/0 Comments/in ,

You have just created a beautiful website with a nice theme and various plugins, and then your website gets hacked!

That’s incredibly frustrating! It has happened to us dozens of times too, even with all the knowledge we have.

What if it turns out that your plugin or theme has a vulnerability, and the developers are not taking any action, even after being informed about it? Even when you’ve paid for the plugin or theme, the developers might not respond to your requests for fixing the vulnerability.

Why don’t developers take action?

Theme developers are not hackers or security experts; their main focus is often on making as much money as possible. This might sound harsh, but unfortunately, it’s the reality.

What can you do now?

You have two options:

  1. Replace the vulnerable theme or plugin with a new one.
  2. Ensure that the vulnerable plugin cannot cause any harm.

Executing Step 1

You remove the vulnerable plugin or theme from the server using an FTP program to ensure that the vulnerability is completely removed. Then, you look for a new theme or plugin and hope that it does not contain any of the 4000+ known vulnerabilities.

4000+ vulnerabilities? That doesn’t sound good!

Let’s put it into perspective:

There are 42,565 free plugins and approximately 30,000 paid plugins. Since 2003, there have been around 150+ WordPress releases, many of which were for security reasons.

The security within WordPress is well maintained, unlike some third-party plugins or themes.

There are countless free WordPress themes, and the number of premium themes is also extensive. WordPress itself is still free!

This wide availability of themes and plugins attracts both users and hackers from all around the world.

Executing Step 2

Unfortunately, this cannot be easily fixed with just one security plugin, as such plugins may not restrict file permissions on the server level to function correctly. In this case, you need to ensure that a vulnerability cannot make server-level changes.

You can do this by removing write permissions from certain folders so that the vulnerability cannot modify them.

What does a vulnerability in a plugin or theme do, actually?

Often, it does nothing until the person who knows the vulnerability starts giving it commands. This can be achieved through browser injections or input fields (XSS).

Conclusion

It’s ultimately your choice whether you completely replace the vulnerable plugin or theme, hoping that these extra efforts and costs will increase security, or if you “freeze” the website temporarily so that it continues to work as it does now.

Do I need to keep up with WordPress update?

/0 Comments/in

The developers of WordPress are very active and sometimes release updates as frequently as monthly.

And that’s just for the updates addressing “potential” security issues discovered by the community. If you look at the release log, you’ll see that there have been numerous updates for WordPress.

WordPress takes prompt action when they discover a new vulnerability that could be exploited. This is a good practice!

However, it’s not always the case for plugins and themes. Some premium plugins and themes are not updated regularly, even when vulnerabilities have been known for months. These vulnerabilities are sometimes reported on forums, accessible to any hacker.

Should you update WordPress with every release?

It is advisable to keep WordPress updated regularly, but immediately updating right after every release comes with its own risks. Sometimes, new releases may introduce errors or issues in your WordPress. It’s not unwise to wait a few days before updating to ensure it is a security update or just includes “fancy” features for bloggers.

Help! I encountered an error after updating!

It’s not uncommon to encounter errors after updating. It could be due to insufficient server space or incomplete updates caused by a server outage. If you face this situation, you can manually upload WordPress via FTP.

My website is at risk!

You might receive alarming emails from your hosting provider stating that something is wrong with your WordPress site and that there are files posing a risk. These emails are sometimes generated by hosting software that detects not only hack files but also potential vulnerabilities.

However, a “potential vulnerability” doesn’t necessarily mean that your WordPress is compromised if it’s well secured. Since these notifications do not consider the security measures you have in place, they can be unsettling.

Ways to stay worry-free:

1. Regularly back up your website: Backups can help you restore your website in case of any issues caused by vulnerabilities.

2. Update WordPress regularly: Especially when there is a security release.

3. Use a limited number of plugins: Every plugin increases the potential for vulnerabilities, injection points, or XSS attacks.

4. Secure your website with a professional security plugin: A good security plugin like iThemes Security can enhance the protection of your WordPress site.

Remove hack files from WordPress

/0 Comments/in

You can recognize from the names of the hack files that they are related to programming; about 50% of the hack files have a logical structure that a programmer would develop.

Some of the most common hack files:

  • test.php
  • cache.php
  • files.php
  • options.php
  • view.php
  • diff.php
  • start.php
  • plugin.php

Note: These files can also exist in WordPress, so don’t remove them solely based on their names.

How do you identify if it’s a hack file?

In about 90% of the cases, the file contains a messy jumble of code—a base64-encoded code without any logic or formatting.

code example

Where can you find these hack files on your site?

They can be found in any directory. Although the “uploads” directory is a favorite target because it’s often writable, a hacker/hackbot can place files throughout your entire website.

If you want to systematically remove the files:

First, make a backup!

You can divide your WordPress website into 5 parts:

  1. WordPress core (try to refresh it completely)
  2. The plugins directory
  3. The themes directory
  4. The uploads directory
  5. The container directories

The plugins directory

This directory should only have an index.php file and the plugins. Refresh the plugins wherever possible, or check the modification dates to find the hack files.

The themes directory

This directory should also have an index.php file and one theme. Remove the themes that you don’t use!

The uploads directory

There should be NO PHP files in this directory. You can remove any PHP file.

The container directories

The “wp-content” directory usually contains only an index.php file and the directories mentioned above (2, 3, 4).

The “languages” directory should only contain language files and no PHP files.

The “upgrade” directory is used only for temporary upgrade files and is usually empty.

In conclusion

Removing all the hack files is a significant task and requires considerable knowledge.

And that’s not even considering the lines of hack code that are injected into your existing files. You can find these by checking the modification dates, and this code is often placed above or below the original code.

The more you know, the easier it is to remove hack files.

Good luck!

The invisible iFrame hack

/0 Comments/in

The “Invisible iFrame Hack” is one of the most effective hacks known.

Why is the iFrame hack so effective?

The iFrame spans across the entire browser width and height. So, wherever a visitor clicks, they will be redirected to the hacker’s advertising campaign.

But wait, there’s more…

The iFrame is controlled with a cookie and is displayed only once. Scanners, including you or security personnel, will see the site only once, creating the illusion that the problem was temporary or has been resolved.

Most people will simply think they might have clicked incorrectly and will hopefully return to your website.

The impact of the hack

Some visitors, maybe 1 out of 1000, might mistakenly believe they are in the right place and end up purchasing a service or product from the website where they weren’t supposed to be. This is exactly what the hacker, the creator of the script, aims for.

A small piece of code in a JS file

A JavaScript file (JS file) is supplemented with a piece of code that places an iFrame over your entire website. Despite your efforts, you might not find it easily as it’s just a small piece of code added to an existing file that belongs to the site.

When decoded by Sucuri, it looks like this:

click code

An effective method to remove the hack

You could search through your JS files, but the best approach is to replace all JS files with new clean ones that you download from the official WordPress website or your theme provider.

Preventing an iFrame hack

Of course, you don’t want the hack to reappear in your WordPress website a week later. To prevent this, update all your plugins, theme, and WordPress to their latest versions.

Additionally, use a reliable WordPress security plugin to enhance your website’s protection.

A spam file in my site, fortunately no problem?

/0 Comments/in

Sometimes, as web programmers, we are unaware if a problem lies with our internet connection or the website itself, leading to a slow website loading time of 5-10 seconds.

How to Find the Cause

You can easily identify the cause using the website http://tools.pingdom.com/ (free at the time of writing). After entering your website address, you’ll see global information, the number of requests, page load time, and page size at the top of the website.

speed test

What Slows Down Your Website?

The website’s speed depends on the slowest file, causing delays.

Fortunately, the mentioned website also shows how long it takes to load a file and the file’s size. By comparing this information, you can identify whether the issue is due to a large file or slow code execution.

 

Errors in code and files not in the right location consume significant loading time on the server.

A fantastic tool to test your website and determine which files need optimization!

And for programmers…

Using Google Chrome’s Element Inspector

You can also see the website’s speed using Google Chrome’s element inspector, found under “Network.”

speed inspector chrome

Now that you know how to identify the cause of slow loading, you can optimize your website.

Tips to Speed Up Your Website

  1. Create appropriately sized images using Photoshop.
  2. Deactivate and remove unused plugins.
  3. Review errors with the element inspector and fix them.
  4. Ensure links to files are correct.
  5. Enable a caching plugin like WP Super Cache.
  6. Use a security plugin to ban bots (fake visitors).
  7. Load as much code as possible from your own domain instead of external sources.

Less is more!

10 ways to keep WordPress secure

/0 Comments/in

Keeping WordPress secure is crucial for web designers and website owners. WordPress, as a base, is relatively secure, and regular updates are released to address security vulnerabilities in collaboration with the WordPress community. However, additional steps are necessary to prevent hackers from exploiting any weaknesses. Here are 10 ways to keep WordPress secure:

1. Update regularly: Ensure that you update WordPress regularly, especially for security releases. Check the changelog to see what security issues are addressed in each update.

2. Use strong passwords: Avoid using weak passwords like domain names or simple numbers. Brute-force attacks often target these weak passwords.

3. One website per hosting package: Avoid hosting multiple WordPress installations on a single package, as a compromised website can easily affect others.

4. Customize your CMS: Hackers know the standard WordPress installation, so customize the admin URL and hide sensitive information.

5. Be cautious with plugins: Only install reputable plugins with positive reviews and a good number of downloads. Limit the number of plugins to minimize potential vulnerabilities.

6. Perform backups: Regularly back up your website to have a clean version in case of any issues.

7. Set file permissions correctly: Ensure that the wp-config.php and .htaccess files have the proper permissions to prevent unauthorized access.

8. Restrict server access: Configure the server to deny access to certain folders to prevent hackers from exploring potential vulnerabilities.

9. Purchase premium plugins and themes: Avoid illegal downloads, as they may contain backdoors or malicious scripts.

10. Use a security plugin: A reliable security plugin can handle many of the above tasks, such as securing server directories, logging activities, blacklisting suspicious users, checking files for hacks, and blocking suspicious requests.

Remember that preventive measures are essential in securing WordPress. Following these steps can significantly reduce the risk of a security breach. As the Dutch saying goes, “voorkomen is beter dan genezen” (prevention is better than cure).

What exactly is JQuery? Is it safe?

/0 Comments/in

JQuery has been in use since 2006, yet many programmers still find it challenging to use. However, JQuery is an excellent library of JavaScript actions that can be easily used by any programmer. It allows you to perform dynamic actions on website elements with just a few lines of code.

Here are some key facts about jQuery:

1. jQuery is free to use by any programmer.
2. It is widely accepted by 90% of browsers.
3. jQuery can be used to manipulate the DOM and CSS.
4. It is a library of code that needs to be loaded into the website.
5. Many major websites, including Google, use jQuery.
6. Over half of all websites online use jQuery.
7. jQuery contributed to the decline of Flash on websites.
8. jQuery is fast, lightweight, and suitable for mobile devices.
9. It is regularly updated to stay compatible with the latest browsers.

The difference between jQuery and jQuery minified is that the standard jQuery library is well-documented and includes spaces and enters for better readability. On the other hand, the minified version (jquery.min.js) is stripped of any comments or explanations, resulting in a smaller file size and potentially faster loading times.

As for the updates, jQuery started with version number 1.0 in 2006, and new releases have been introduced annually or even more frequently. The latest release at the time of writing is version 2.0. It’s worth noting that jQuery dropped support for Internet Explorer 6, 7, and 8 in April 2013 and later added support for various new versions of Opera and Safari.

Some common dynamic functions in jQuery include manipulating CSS by dynamically adding and removing classes, and resizing and repositioning divs. These simple functions alone can achieve a lot on a website.

Is jQuery safe? While jQuery files are generally safe, JavaScript files, in general, are targeted by hackers and hack scripts due to their dynamic and loaded nature. To ensure security, make sure that the files are not modifiable by others.

However, since many jQuery scripts are loaded externally, it is essential to be cautious about the source from which the data is coming. External scripts can be vulnerable to alterations by the source at any given time.

Finding a hack in a JS file is similar to PHP files, where the malicious code is usually placed at the beginning or end of the code, and it is often encoded with numbers and characters without formatting.

In conclusion, jQuery is a powerful and widely accepted library that makes dynamic web development much more accessible. However, like any other technology, it’s essential to ensure proper security practices while using it.

How fast does my website load?

/0 Comments/in

You can easily find out whether the slow loading of your website is due to your internet connection or the website itself using the website http://tools.pingdom.com/ (free at the time of writing). After entering your website address, you will see global information, the number of requests, the load time, and the page size displayed clearly at the top of the website.

snelheid test

The speed of your website depends on the slowest file. That’s what you might be waiting for sometimes. Fortunately, the website mentioned above also shows how long it takes to load a file and the size of that file. You need to compare this information to get a good indication of whether the issue is with a file that is too large or if the code is significantly slowing it down.

Errors in code and files that are not in the correct location can take up a lot of time during server loading. This tool is a great way to test your website and see which files need to be optimized to make the website faster!

And for the programmers among us…

You can also see the speed of a website using the “Network” tab in the element inspector of a browser like Google Chrome.

snelheid inspector chrome

Now that you know how to identify what is slowing down your website and how many seconds it takes to load, you can optimize your website.

Here are some tips to make your website faster:

1. Resize large images using Photoshop.
2. Deactivate and remove unused plugins.
3. Review errors with the element inspector and fix them.
4. Ensure that links to files are correct.
5. Enable a caching plugin like WP Super Cache.
6. Use a security plugin to ban bots (fake visitors).
7. Load as much code as possible from your own domain instead of externally.

Remember, less is more when it comes to website speed optimization!

WordPress installation issues

/0 Comments/in

As passionate WordPress programmers, we are well aware that installations do not always go smoothly. While WordPress itself is reliable, external factors can sometimes require adjustments or manual settings.

Here are some common installation issues and their solutions:

WordPress Installation Problem #1

The wp-config.php file cannot be written to.

Solution: Copy the wp-config-sample.php file and remove the “-sample” part from the filename. Then, manually add the MySQL database information to the file. You can find the wp-config.php sample file in the httpdocs directory, where the wp-config.php file should be placed.

WordPress Installation Problem #2

The admin system is not functioning correctly, showing error pages, or indicating missing files.

Solution: It is likely that you uploaded a WordPress download to the FTP, and some files were not transferred to the server or were incomplete. To resolve this, copy the files again to the server, overwriting the existing files to ensure complete files are in place.

WordPress Installation Problem #3

The admin system was working after installation, but it hangs after adding plugins.

Solution: A plugin is causing the error, and it may seem impossible to deactivate it since you cannot access the admin system. The best approach is to rename the plugins. Add a hyphen to the plugin’s folder name on the server. This will make the plugin inactive, and you will know which plugin is causing the error. Sometimes, plugin development lags behind the latest WordPress releases, leading to compatibility issues.

WordPress Installation Problem #4

After completing the installation, when creating a new post, you are unable to upload an image.

Solution: Sometimes, the uploads folder is not immediately writable, which is essential for uploading images. Navigate to httpdocs > wp-content > uploads, right-click on the folder, and choose File Permissions or CHMOD. Set the write permissions (usually 777), and the issue is likely to be resolved.

WordPress Installation Problem #5

You cannot change the permalinks because the .htaccess file is missing or not writable.

Check if there is a file named “.htaccess” in the httpdocs directory of your hosting/server space. This file is crucial for permalinks. If it is missing, create a new file and set its permissions to 777. Generate the permalinks in your admin panel under Settings > Permalinks. Once done, remember to set the permissions to 444 (read-only) to prevent hackers or hackbots from redirecting your website.

5 Problems and 5 Solutions

These are some common problems and their solutions. If you encounter other issues or need assistance, we have been working with WordPress for years, primarily focusing on restoring and securing WordPress websites. Feel free to contact us for availability, as restoring and securing WordPress websites is our priority.

A WordPress webshop with WooCommerce

/0 Comments/in ,

WooCommerce is indeed one of the most popular and widely used webshop plugins for WordPress, and it has gained its reputation for being a powerful and versatile solution for creating online stores. Here are some key points about WooCommerce:

What is WooCommerce?

WooCommerce is a webshop plugin for WordPress that is available for free. It allows users to turn their WordPress websites into fully functional online stores. Due to its popularity, there are numerous plugins available that further extend the functionalities of WooCommerce.

How to Install WooCommerce

You can find WooCommerce in the plugin database of WordPress, or you can download it from the official WooCommerce website. Installing WooCommerce is a straightforward process, but it requires proper configuration after installation.

Keeping WooCommerce Secure

While WooCommerce itself is a stable plugin for building webshops, it is essential to keep your WordPress website secure to prevent potential hacks. If your WordPress website gets hacked, a hacker can manipulate your WooCommerce webshop in various ways, such as stealing user information or adding their own products to your shop.

The downside of using free webshop software like WooCommerce is that anyone can download it and explore potential vulnerabilities to exploit or inject malicious code. Therefore, it is crucial to have robust security measures in place on your website.

A reliable security plugin, such as iThemes Security PRO, can help protect your website by blocking suspicious injections, blocking users or bots after a certain number of login attempts, preventing hacking attempts, hiding your WordPress admin panel, and keeping track of server activities.

WooCommerce and SSL

WooCommerce supports various Payment Gateways, which are payment methods that allow buyers to pay easily through your website using options like PayPal or iDeal. However, these payment gateways involve the transmission of critical customer data through your website to the bank.

To ensure that this sensitive information does not fall into the wrong hands, it is crucial to set up an SSL certificate. With an SSL certificate, your website will have an HTTPS link that securely encrypts the data before sending it over the internet. Even if intercepted by cybercriminals, the information remains encrypted and unreadable.

A Solid Start with WooCommerce

Before adding products and launching your webshop online, it is essential to set up WooCommerce securely. Just like you wouldn’t open a physical store without securing the backdoor, ensuring proper security measures for your online store is equally crucial.

By taking the necessary security precautions and using WooCommerce responsibly, you can have a solid foundation for building a successful and secure webshop on your WordPress website.