This is a reprinted post from Wordfence, a vendor that we use on all of our sites. Search Traffic Now requires security plugins because of the nature of WordPress: it is open source, it is the most widely deployed website platform, and both humans and bots attempt to break into WordPress sites roughly every five minutes. Moreover, when we host and manage your site, we do not stop with security plugins. Our servers all run software designed to restrict malicious traffic and to prevent intrusion at the server and website level, and we also use third-party platforms like Cloudflare that add another layer of security between the browser, the server and the website. This is an interesting article. Please enjoy.
Do You Need a WordPress Security Plugin?
This entry was posted in General Security, Wordfence, WordPress Security on January 25, 2017 by Mark Maunder
At Wordfence we are a big team these days with millions of customers, and we think about security all day long. Sometimes we can get deep down the proverbial rabbit hole and forget about the basics. I recently overheard someone asking “Do I really need a WordPress security plugin?” and I realized this is a perfectly valid question. If you are not in the security industry, you might ask it. I know that many of you are well versed in security already – and WordPress security in particular. What I would like to provide you with in this post is a way to answer the question of “Do I need a WordPress security plugin?” to friends, family and colleagues that is both enlightening and easy to understand. If you are new to WordPress, I hope this post helps increase your understanding of WordPress security.
Physical Security compared to WordPress Security
Many people think about WordPress security in the same way that they think about physical security in the real world. In the physical world, we might build a facility like a bank that needs to be secured. We build barriers to entry and access controls as part of the construction project. Once the project is complete, we have a secure facility with walls, gates, secure entry and exit, cameras, access controls and human personnel to implement security procedures as people enter and exit. The physical construction does not change much over time once the project is completed. You are unlikely to discover that the concrete you used to build a wall for your bank is now vulnerable and needs to be replaced. A wall is still difficult to penetrate, and a locked gate with a guard is still going to be quite effective a few months from now.
It is easy to make the mistake of thinking about WordPress security in the same way. If you power your WordPress website with software that is secure today and you implement good security policy and controls, one might think the website would behave like the building: secure today, so still secure a few months from now if nothing changes. That is not the case, and I’m going to explain why. If you build a website using the newest software that has been verified to be secure and you implement good security policy, your website does not change, but the environment it operates in does. Attackers continually research the software that powers your website, and vulnerabilities are eventually discovered in most popular online software.
Therefore the problem is that, while your website software starts off secure, it almost always ends up being insecure without anything changing on your website. It’s not your fault or the fault of the person who created your website. It is just the way of the online world. This differs from our building metaphor above in that a secure building doesn’t usually end up insecure a couple of months after being built without anything in the building changing. But a website does. In fact, this is an ongoing cycle. Vulnerabilities are discovered, attackers start using them and ultimately if you are a responsible WordPress site owner, you upgrade your site regularly to fix those vulnerabilities. Then new vulnerabilities are discovered in new versions and the cycle repeats.
The Time Gap Between Vulnerability Knowledge and Installation of a Security Fix
You might build a new website with the latest secure versions of WordPress and all of the relevant plugins and a theme. As time passes, vulnerabilities are discovered in your plugins, theme and the version of WordPress core you are using. Those vulnerabilities (or security holes) become public knowledge at some point.
There is usually a delay between when the vulnerability becomes public knowledge and when you get around to installing a fix. Even when a fix is automatically released by the WordPress security team, the vulnerability may have been public knowledge for some time. This was the case with the recent PHPMailer vulnerability, where several weeks passed between public disclosure and a patch appearing in WordPress core and being automatically deployed. A WordPress security plugin provides many valuable functions, but at its most basic, a WordPress security plugin protects your website from attacks during the time it is vulnerable.
We do this in two ways. Wordfence provides a firewall that has rules that are constantly updated. At Wordfence, when we learn about a new security hole in software that you might use, we release a firewall rule to your site that allows Wordfence to block hackers from exploiting that security hole. The second way we protect you is by providing a malware scan. Wordfence detects thousands of malware variants. If the worst happens and somehow a hacker does manage to penetrate your website, Wordfence alerts you to the presence of malware on your website and even helps you find it and remove it. Our malware signatures are also continually updated. As many of you know, our Threat Defense Feed is what distributes new firewall rules and malware signatures to your Wordfence security plugin. Our Premium customers receive these in real-time. Free customers are delayed by 30 days.
Protecting You When You’re Vulnerable is What We Do
Wordfence provides many other security functions including two factor authentication, country blocking, brute force protection, rate limiting and more. But the most important function we provide is this: Wordfence protects your WordPress website once vulnerabilities are discovered in your previously secure website and before you have installed a fix. Most websites are hacked as a result of an attacker gaining entry by exploiting a vulnerability in the website software. By using an effective WordPress firewall like Wordfence with a real-time Threat Defense Feed, you are protected, even if your website suffers from a vulnerability. I hope this has helped provide a fundamental understanding of the most important reason you or someone you know needs a WordPress security plugin like Wordfence. As always I welcome your feedback in the comments below.
This blog is about WordPress security. WordPress is the world’s most popular software for websites, and as the most widely deployed open source platform it is a constant target for hacks and attacks. Sadly, we, as web hosting and development companies, spend far too much time worrying and working on being vigilant on behalf of the clients who rely on us. For clients of searchtrafficnow.com you don’t have to worry: we are watching your site, updating plugins and putting features in place to keep your site secure. This post is designed to educate you a little about website security.
A recent study by Wordfence, a popular and well-regarded security platform, shows the following.
Most Site Owners Don’t Know
The scary truth is that most website owners don’t know they’ve been hacked. Some sites go for days, months or even years exposed to some really bad stuff. Worse, 61.5% of respondents didn’t know how the attacker compromised their website. Among those who did know, the most common entry point was a vulnerable plugin. Plugins are the software modules that developers install to add features to your site.
For the site owners who did figure out how the attackers entered, here is what the breakdown looks like:
In the balance of this post we’re going to focus primarily on the top two risks, because if you can protect yourself against plugin vulnerabilities and brute force attacks you are accounting for over 70% of the problem.
Plugins Are Your Biggest Risk
Plugins are what make WordPress so popular. There are over 43,000 plugins available for download in the official WordPress plugin directory, even though a typical site needs only 15 to 20 of them. Every plugin you install is code that has to be monitored, and a plugin that is badly written or left unpatched gives an attacker an easy way into your website.
Wordfence provides some great tips for avoiding plugin hacks:
Keep them updated
Reputable plugin authors fix vulnerabilities very quickly when they are discovered. By keeping plugins up to date you shorten the window in which attackers can exploit a known hole. We recommend that you check for updates at least weekly. In addition, we recommend that you pay attention to the alerts generated by Wordfence scans; Wordfence alerts you when your plugins need to be updated.
Don’t use abandoned plugins
You are relying on the plugin developer to ensure that their code is free of vulnerabilities. If they are no longer providing updates, there is a high likelihood that there are vulnerabilities that have not been fixed. We recommend avoiding plugins that have not been updated in over 6 months. For plugins you have already installed, we recommend you conduct an audit at least quarterly to make sure none of your plugins have been abandoned by their authors.
Only download plugins from reputable sites
If you are going to download plugins from somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into installing malware yourself: they set up a website that looks legitimate and get you to download a compromised or ‘nulled’ (pirated) plugin.
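The three tips above are a checklist, and a checklist is easiest to keep if it runs itself. The script below is an added example (our own, not Wordfence’s code) that turns the tips into an automated quarterly audit: it flags plugins with an update pending, plugins whose last release is more than six months old, and plugins that did not come from wordpress.org. The plugin list and the repository metadata are constructed sample data; the metadata is shaped like the `version` and `last_updated` fields of the wordpress.org plugin-information API, whose date format we assume to be `"YYYY-MM-DD H:MMam GMT"`.

```python
"""Audit installed WordPress plugins for the three plugin risks:
pending updates, abandonment and untrusted download origin.
Added example, not Wordfence code. All plugin data below is constructed."""
from datetime import datetime, timedelta

ABANDONED_AFTER = timedelta(days=183)   # the post's "not updated in over 6 months"
TRUSTED_SOURCES = {"wordpress.org"}     # where the post says to get plugins from

# Constructed sample shaped like the wordpress.org plugin-information API reply
# (https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG).
# Real replies carry many more fields; versions and dates here are made up.
REPO_INFO = {
    "akismet": {"version": "3.1.8", "last_updated": "2016-02-24 7:16pm GMT"},
    "old-gallery": {"version": "1.0.3", "last_updated": "2014-05-02 9:00am GMT"},
    "custom-content-type-manager": {"version": "0.9.8.9", "last_updated": "2016-03-05 3:28pm GMT"},
}

# Constructed sample of what is installed on the site and where each plugin came from.
INSTALLED = [
    {"slug": "akismet", "version": "3.1.8", "source": "wordpress.org"},
    {"slug": "old-gallery", "version": "1.0.3", "source": "wordpress.org"},
    {"slug": "custom-content-type-manager", "version": "0.9.8.8", "source": "wordpress.org"},
    {"slug": "premium-seo-pack", "version": "4.2", "source": "nulled-plugins.example"},
]


def parse_version(text):
    """Turn '0.9.8.9' into (0, 9, 8, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) if part.isdigit() else 0 for part in text.split("."))


def parse_last_updated(text):
    """Assumed API date format, e.g. '2016-03-05 3:28pm GMT'."""
    return datetime.strptime(text, "%Y-%m-%d %I:%M%p GMT")


def audit_plugin(installed, repo, now):
    """Return the list of findings for one plugin (empty list means it passes)."""
    findings = []
    if installed["source"] not in TRUSTED_SOURCES:
        findings.append("untrusted-source")
    if repo is None:
        # Not in the directory: no update feed to watch, nothing to compare against.
        findings.append("not-in-directory")
        return findings
    if parse_version(installed["version"]) < parse_version(repo["version"]):
        findings.append("update-available")
    if now - parse_last_updated(repo["last_updated"]) > ABANDONED_AFTER:
        findings.append("abandoned")
    return findings


def audit(installed, repo_info, now):
    """Map each installed plugin slug to its findings."""
    return {p["slug"]: audit_plugin(p, repo_info.get(p["slug"]), now) for p in installed}


if __name__ == "__main__":
    # Audit as of a fixed date so the sample data gives stable results.
    for slug, findings in audit(INSTALLED, REPO_INFO, datetime(2016, 3, 10)).items():
        print(f"{slug}: {', '.join(findings) or 'ok'}")
```

Run it quarterly against the real plugin list (WP-CLI’s `wp plugin list` gives slugs and installed versions) and treat any `abandoned` or `untrusted-source` finding as a reason to replace the plugin rather than just update it.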
How does a hacked website impact SEO
Websites can be hacked in many ways, and most site owners don’t even know they’ve been hacked until someone or some service tells them. Google has gotten better at not only finding hacked sites or sites with malicious code but also notifying the site owner, assuming they’ve set up Google Search Console (formerly Webmaster Tools).
If you are set up with Search Console and Google finds malicious code, it will notify you of what it found and flag the site in search results and in browser Safe Browsing warnings until the problem is fixed, which cuts off most of the site’s traffic. Less than 50% of site owners realize that their sites have been hacked, and since only a small number of website owners set up any kind of website protection, the number of hacked sites is much larger than we can imagine.
A recent Wordfence survey, in which we participated, delivered some bad news: 66% of respondents stated that search traffic was impacted by a hack, and 14% saw a traffic drop of 75% or more. We’ve seen this happen several times, and in each case organic search traffic and rankings dropped by a large amount, on average at least 50%.
At a minimum, if Google finds that a site has been hacked, it will flag it until it’s cleaned. If you wait too long, you will more than likely lose your page rankings on Google. The good news is that it’s fairly easy to be vigilant, although nothing is foolproof. In addition to using Google Search Console, we use several methods to detect hacking. On all WordPress sites we use Cloudflare, Wordfence and plugins that hide the WordPress login, and we always keep our plugins up to date. We will discuss this in the next blogs.
With proper protection we can find malicious code quickly and remove it before Google discovers it, avoiding any negative impact to website traffic, SEO and organic traffic.
Email marketing messages come in two forms: HTML email and plain text email. What’s the difference between the two, and which works better for your business? We use Constant Contact for our email marketing, and we prefer HTML emails. Here’s why:
What is an HTML email?
An HTML email is what you typically see from other businesses and organizations. They contain images, colors, formatting, and often start with an email template. Take a look at this example of our Hints & Tips newsletter. Everything from the logo at the top, to the colors, image, and call-to-action button are only possible in an HTML email.
And plain text emails?
Plain text emails are exactly what they sound like. No bells or whistles here — just plain text without graphics, formatting, or buttons. Here’s that same newsletter example, this time shown as a plain text email:
Why do HTML emails give you an edge?
From the examples above, it should be pretty clear that plain text emails limit your options. Here are four main advantages of HTML emails:
1. Better email design
Creating a visual impact is key to successful email marketing. By customizing an email template you’re able to add your business’s colors and logo to reinforce your brand. Your product promotions become stronger when you can show images of your product and offer additional information through a clickable call-to-action. Here’s a great example from Taza Chocolate:
2. More conversions
Effective emails are easy to act on. With HTML emails, you’re able to format your message so the call-to-action stands out, and add clickable links so readers can easily engage with your message. The simpler you make it for your reader to act the more likely they are to do it.
3. Tracking capabilities
To really know how well your email performed, you need to track your results. Using an email service to send HTML emails gives you access to email tracking tools and reports so you can measure your audience engagement and determine what information resonates best.
4. Higher reader engagement
Your email readers typically aren’t looking to read paragraph after paragraph of information. They want to scan your email quickly, pick out the main points, and determine what’s important to them. Because visuals are processed faster than text, HTML emails help you get your message across more effectively. Also, with better formatting options you can break up large chunks of text or show information in a graph or table.
HTML emails made easy
With an email service like Constant Contact, you can choose from hundreds of professionally-designed email templates and customize your email to fit your business brand. If an email client cannot display the design version for any reason, your contacts will automatically be shown a plain text version.
You can also optimize your HTML version so it renders consistently across email clients. Avoid common image mistakes. For example, don’t send an image-only email. Image-only emails are commonly associated with bulk spammers and could send your email to the spam folder.
A good rule of thumb is to make sure your message still makes sense even if images are turned off. To help, add an image description (alt text) to each image so that readers can understand what they should be seeing.
Here’s an example:
One of the setbacks of using open source software like WordPress is exposure to potential hacking. That said, all software is vulnerable, so WordPress is really no different. The difference is that WordPress is essentially a giant template system with plugins. The plugins provide all the features you see on a site, and they can be developed by companies or individuals. Rarely, but sometimes, a plugin has a vulnerability that allows a hacker to penetrate the website. Since we use Wordfence, which is preemptive software that catches hacks, we have less to worry about, but we are vigilant nevertheless.
This is Wordfence’s weekly update for March 2016
We have several plugin vulnerabilities we’d like to bring to your attention this week.
First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.
It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.
If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.
Update to version 0.9.8.9 of Custom Content Type Manager
The malicious code in this plugin installed a backdoor in WordPress core files. So run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this. Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
If any of the above files are modified, you can use Wordfence to repair them.
Change the passwords of all your users.
Delete any user accounts you don’t recognize. Check admin accounts in particular.
If a file called wp-options.php exists in your home directory, remove it.
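The steps above boil down to two file-system checks: core files must match the official checksums, and nothing should be sitting in the install root that the official release did not ship. As an added example, and not Wordfence’s scanner, the script below does both. It compares a directory tree against a manifest shaped like the wordpress.org core checksums API (`{"checksums": {"relative/path": "md5hex"}}`), reports modified, missing and unexpected core files, and ignores `wp-config.php` and everything under `wp-content/` since the core manifest does not cover them. The sample install it builds in a temporary directory, and the backdoor marker it plants, are constructed for the demo.

```python
"""Verify WordPress core files against a checksum manifest and catch stray files
such as the wp-options.php dropped by the backdoored plugin.
Added example, not Wordfence code. The fake install below is constructed."""
import hashlib
import os
import tempfile

# Not covered by the core manifest: wp-config.php is site-specific and
# wp-content/ holds plugins, themes and uploads.
IGNORED_FILES = {"wp-config.php"}
IGNORED_PREFIXES = ("wp-content/",)


def md5_of(path):
    """MD5 of a file, read in chunks; the wordpress.org checksum API publishes MD5."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, manifest):
    """Compare every file under root with manifest {relpath: md5}.
    Returns sorted lists of modified, missing and unexpected core files."""
    found = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = md5_of(full)
    modified = [p for p, digest in manifest.items() if p in found and found[p] != digest]
    missing = [p for p in manifest if p not in found]
    unexpected = [p for p in found if p not in manifest
                  and p not in IGNORED_FILES and not p.startswith(IGNORED_PREFIXES)]
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


# Constructed stand-ins for real core files and their clean contents.
CLEAN = {
    "wp-login.php": b"<?php\n// login form\n",
    "wp-admin/user-new.php": b"<?php\n// add new user form\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '4.4.2';\n",
    "wp-includes/pluggable.php": b"<?php\n// pluggable functions\n",
}
# Constructed marker standing in for injected code; not the real backdoor.
BACKDOOR = b"<?php eval($_POST['c']); ?>\n"


def build_sample_site():
    """Write a tiny fake install to a temp dir and return (root, manifest).
    One core file gets the backdoor appended, one is deleted, a rogue
    wp-options.php appears in the root, and wp-config.php plus a wp-content/
    plugin are present but outside the manifest."""
    root = tempfile.mkdtemp(prefix="wp-")
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in CLEAN.items()}
    extras = {
        "wp-config.php": b"<?php\ndefine('DB_NAME', 'site');\n",
        "wp-options.php": BACKDOOR,  # the stray file step 7 tells you to remove
        "wp-content/plugins/custom-content-type-manager/index.php": b"<?php\n",
    }
    for rel, body in list(CLEAN.items()) + list(extras.items()):
        if rel == "wp-includes/pluggable.php":
            continue  # simulate a core file that went missing
        if rel == "wp-admin/user-new.php":
            body += BACKDOOR  # simulate a tampered core file
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(body)
    return root, manifest


if __name__ == "__main__":
    site_root, site_manifest = build_sample_site()
    for kind, paths in verify_tree(site_root, site_manifest).items():
        print(f"{kind}: {paths}")
```

On a real install, fetch the manifest for your exact version and locale from `https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=LOCALE` and point `verify_tree` at the document root; WP-CLI’s `wp core verify-checksums` performs the same comparison for the modified and missing cases. A clean result here does not clear the database: the password resets and user-account review in the steps above are still required.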
Older versions of the SP Projects and Document Manager plugin have multiple vulnerabilities, including arbitrary file upload, code execution, SQL injection and XSS. Update to the newest version immediately; it contains the vendor-released fixes.
If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.
A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix, so if you’re using the Bulk Delete plugin make sure you’ve updated to version 5.5.4, which is the latest version.
That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.
Google is hell-bent on speeding up mobile search. There are a billion reasons to do it, and it’s all about the money. Face it: faster mobile websites enhance the user experience. The faster, the better, and the more we get to see and search. It makes perfect sense that Google would want mobile search to be faster.