Tag Archives: website vulnerability

Is Your Website Back Door Unlocked?

Posted on by

Over 300,000 Users May Have: Read Latest Website Security Update and Make Sure You are Locked Down

Website Security Updates from Internet Advertising that Works

The plugin User Role Editor has been reported to provide a backdoor way for your users to gain controls that you may not want them to have.

This popular plugin, which has more than 300,000 active installations has a serious vulnerability.

The vulnerability allows any registered user to gain administrator access. For sites that have open registration, this is a serious security hole.

As we mentioned in our post about Internet Security last month, it is important to keep your plugins current. Be sure to update your plugins immediately, and if you do have User Role Editor on your site be sure to upgrade to the latest version (currently that is 4.25.)

Read more of the technical bits on the WordFence blog post here

Top WordPress Website Security Tips

Posted on by

How to Prevent Hackers from Entering Via Biggest Risk: Your Plugins

hacked_website_how_compromised

Although most website owners and managers who have had the unfortunate experience of being hacked don’t actually know HOW their site was compromised–of those who do, over 50% know it was from a plugin.

Does that mean that you should not use plugins on your website? Of course not, they are part of the beauty of WordPress websites. Plugins add specific functions to our websites without the website owner having to know a whole bunch of code.

Plugins play a big part in making WordPress as popular as it is today. As of this writing there are 43,719 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. But you obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents.

How do you take advantage of plugins while simultaneously being smart about your WordPress website security?

Keep Plugins Current

We know it can seem like a hassle when you have to update your plugins all the time. But that hassle is so minor compared to the hassle of getting hacked–cleaning up your website, lost time, lost revenue, lost clients, lost business potential. It is definitely worth it.

So when you get a notice that your plugin has an update available, it is a good idea to update. (We do recommend making regular backups of your website as well. Your plugin update may not work with your existing theme, for example. So you want to have a recent backup before you update plugins.)

Get Rid of Abandoned Plugins

If you have a plugin that has not been updated in at least 6 months you should seriously consider a different plugin. This is generally a sign that the developer is no longer supporting the plugin, otherwise known as having abandoned it. That means no one is looking our for your WordPress website security at all. A perfect way for a hacker to get in.

Less is More

Use as few plugins as you can to get the job done. If you have deactivated the plugin, take it off your site. If you don’t need it, don’t upload it–or get rid of it.

Use Reliable Plugins

Many plugins are available from the official WordPress site, but not all are. Don’t let a hacker trick you into loading an open doorway for them to get into your store.

How do you know if a site is reputable or not? Here are the suggestions from Wordfence, the WordPress website security software that we use and recommend.

  • Eye Test – Is the site itself professionally designed and uses clear language to describe the product? Or does it look like it was thrown together quickly by a single individual?

  • Company Information – Does the site belong to a company with the company name in the footer?

  • TOS and Privacy Policy – Do they have terms of service and a privacy policy?

  • Contact Info – Do they provide a physical contact address on the contact page or in their terms of service?

  • Domain Search – Google the domain name in quotes e.g. “example.com”. Do you find any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the quoted domain name in your search and see what that reveals.

  • Name Search – Do a Google search for the name of the plugin and see if any malicious activity is reported. Add the phrase “malware” or “spyware” to the search which may reveal forums discussing a malicious version of the theme being distributed.

  • Vulnerability Search – Do a search for the theme or plugin name or the vendor name and include the word “vulnerability”. This will help you find out if any vulnerabilities have been reported for the product you’re interested in or for the vendor. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible vendor who is actively maintaining their product when problems arise.

Plugins are certainly not the only source of hacking. In order to protect your website and maintain a level of internet security here are some additional pointers:

Select your usernames and passwords with care. Make them unique and different: don’t use the same one for all your sites, make them hard for someone to guess.

Use some sort of website security. We use Wordfence, we appreciate the training and education they provide, along with common breaches to look out for. It is available in a free version and a paid version. The paid version doesn’t cost much and we find that it saves us enough time that it is worth it–but start with the free account if you want to try it out.

There are other options out there as well, so whether you use Wordfence or another product–protect your internet asset one way or another. We don’t get paid for recommending them, it is just who we use.

Thanks to our friends at WordFence for the original article, which can be read on their blog here. The graphic is from the same article.

Heartbleed Vulnerability

Posted on by
Reply

If your website is distributing SSL protected content then you need to be sure that your content is truly protected.

Thanks to our hosting service* for this information:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library which allows stealing the information normally protected by the SSL/TLS** encryption used to secure the Internet.

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Hostgator currently has patched OpenSSL for all Shared and Reseller servers.

You can check your website for Heartbleed vulnerability using the website shown here:

Heartbleed.Hostgator.com

To obtain more information regarding a VPS or Dedicated server, please contact us (Hostgator) for details.

Whether you have a SSL site or not, be sure to keep all your information current. If you use WordPress, keep you WordPress updated as well as all your plugins. We also recommend that you use an additional security plugin for added protection. Feel free to contact us if you have any additional questions.

 

*Yes, we are an affiliate of this company and we proudly use Hostgator for all of our sites.

**SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).