Tag Archives: wordfence

Don’t Read Terms, Just Agree

Posted on by

Terms of Service Resulting in Spam is Quick Way to Get Your Site in Trouble

stack of dictionaries

Yes, we know they are long. Yes, it can be as exciting to read as reading the dictionary.

Yes, most of the time they are pretty standard. But what about when they aren’t?

We’re talking about Terms and Conditions or Terms of Service. You know, those things you have to click “I agree” to before proceeding–on just about everything on the internet these days.

It is easy to get lazy. Especially when you have read a bunch of them and they all seem to be the same. Pretty much verbatim the same, in fact.

But there are people who, whether intentionally or not, will provide you with a ‘service’ that can actually harm your website. Sometimes you won’t even know it. But Google and other search engine bots might. They might actually interpret it as spam or something else that is against their policies–and that is a big problem.

And that’s where the problem begins.

Case in point is the 404 to 301 Plugin, but it isn’t the only one. And to their credit, the authors of this plugin have theoretically already fixed the issue that was causing the main problem with Google.

So, read the terms of service or terms & conditions. If you don’t understand what it means or the implications, then wait before you install. Talk to someone you trust who can advise you.

Mistakes can happen, even when you are careful. So monitor your website’s health. Keep backups in case you need to “roll back” your site to an earlier date. Consider a security software.

This isn’t meant to scare you, just alert and educate. You can’t be expected to know everything about your business and the internet, too. That doesn’t mean you shouldn’t have a website. It just means sometimes we have to get help from someone else.

After all, just because I can watch a YouTube video on how to fix my car, paint my house, or trim the trees in my backyard, it doesn’t mean that it is necessarily a good idea. I might save myself some money–or I might make more money by focusing on my business and paying someone else to take care of these things.

Neither way is inherently right or wrong. Just be smart about it. Do you enjoy learning new things–go for it. But if you are frustrated or overwhelmed, or not having the success in your business that you want, and deserve, then focus on that.

Read the blog post by WordFence security for more info.

Top WordPress Website Security Tips

Posted on by

How to Prevent Hackers from Entering Via Biggest Risk: Your Plugins

hacked_website_how_compromised

Although most website owners and managers who have had the unfortunate experience of being hacked don’t actually know HOW their site was compromised–of those who do, over 50% know it was from a plugin.

Does that mean that you should not use plugins on your website? Of course not, they are part of the beauty of WordPress websites. Plugins add specific functions to our websites without the website owner having to know a whole bunch of code.

Plugins play a big part in making WordPress as popular as it is today. As of this writing there are 43,719 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. But you obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents.

How do you take advantage of plugins while simultaneously being smart about your WordPress website security?

Keep Plugins Current

We know it can seem like a hassle when you have to update your plugins all the time. But that hassle is so minor compared to the hassle of getting hacked–cleaning up your website, lost time, lost revenue, lost clients, lost business potential. It is definitely worth it.

So when you get a notice that your plugin has an update available, it is a good idea to update. (We do recommend making regular backups of your website as well. Your plugin update may not work with your existing theme, for example. So you want to have a recent backup before you update plugins.)

Get Rid of Abandoned Plugins

If you have a plugin that has not been updated in at least 6 months you should seriously consider a different plugin. This is generally a sign that the developer is no longer supporting the plugin, otherwise known as having abandoned it. That means no one is looking our for your WordPress website security at all. A perfect way for a hacker to get in.

Less is More

Use as few plugins as you can to get the job done. If you have deactivated the plugin, take it off your site. If you don’t need it, don’t upload it–or get rid of it.

Use Reliable Plugins

Many plugins are available from the official WordPress site, but not all are. Don’t let a hacker trick you into loading an open doorway for them to get into your store.

How do you know if a site is reputable or not? Here are the suggestions from Wordfence, the WordPress website security software that we use and recommend.

  • Eye Test – Is the site itself professionally designed and uses clear language to describe the product? Or does it look like it was thrown together quickly by a single individual?

  • Company Information – Does the site belong to a company with the company name in the footer?

  • TOS and Privacy Policy – Do they have terms of service and a privacy policy?

  • Contact Info – Do they provide a physical contact address on the contact page or in their terms of service?

  • Domain Search – Google the domain name in quotes e.g. “example.com”. Do you find any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the quoted domain name in your search and see what that reveals.

  • Name Search – Do a Google search for the name of the plugin and see if any malicious activity is reported. Add the phrase “malware” or “spyware” to the search which may reveal forums discussing a malicious version of the theme being distributed.

  • Vulnerability Search – Do a search for the theme or plugin name or the vendor name and include the word “vulnerability”. This will help you find out if any vulnerabilities have been reported for the product you’re interested in or for the vendor. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible vendor who is actively maintaining their product when problems arise.

Plugins are certainly not the only source of hacking. In order to protect your website and maintain a level of internet security here are some additional pointers:

Select your usernames and passwords with care. Make them unique and different: don’t use the same one for all your sites, make them hard for someone to guess.

Use some sort of website security. We use Wordfence, we appreciate the training and education they provide, along with common breaches to look out for. It is available in a free version and a paid version. The paid version doesn’t cost much and we find that it saves us enough time that it is worth it–but start with the free account if you want to try it out.

There are other options out there as well, so whether you use Wordfence or another product–protect your internet asset one way or another. We don’t get paid for recommending them, it is just who we use.

Thanks to our friends at WordFence for the original article, which can be read on their blog here. The graphic is from the same article.

Is Your Website Safe from Hackers?

Posted on by

WordPress Users Take Note of Security Updates

If you have a website then you may very well be using WordPress. We love it, it is easy and flexible, and one of the most popular website platforms around.

That being said, as with any website, it is important to be sure that your site is secure. The last thing you want to do is find that someone has hacked into it…

Read this article from Wordfence, one of the specialists in WordPress security.

WordPress Security January Roundup: Core XSS and 4 Plugin vulnerabilities