Wordpress

The WordPress “virus” and how to stop it

April 13, 2013 in News and Updates, Wordpress by Rob  |  5 Comments

As you’re reading this, there are almost a hundred thousand computers across the globe in an automated “botnet” attack against any WordPress installation they come across, repeatedly guessing the password of the “admin” username, and a few variations of it, hundreds of times per minute until they gain access. Once in, the attack code plants a back door in the installation and that site joins in the attack. It’s this self-spreading behavior that leads me to call this attack the WordPress virus.

It’s affecting all web hosts, big and small, and some hosts have gone to extremes, locking their own customers out of their WordPress dashboards. Ouch! I wanted to raise awareness of the issue, communicate how Web Wizards is addressing it, and make some recommendations for site owners who want to secure their sites further. To be clear, this type of attack doesn’t mean WordPress is any less secure than any other platform; it’s simply more popular, and so more targeted. Any platform can be hit by a similar brute-force attack, and this WordPress botnet attack resembles the botnet attack in late 2012 against US financial institutions.

To manage this WordPress attack on our servers, our mighty system administrators have implemented specific firewall restrictions at the network level, so our servers are not affected by the load these repeated login attempts can cause. We’ve also implemented login limitations: any IP address that fails more than 3 login attempts on a username within 30 seconds gets blocked at the IP address level for one hour. We can adjust those timings as needed to whatever best protects the servers and your web sites. We’re doing everything we can to eliminate the threat before it reaches our servers, contain it if it does, and protect our servers and your sites from any performance issues arising from this attack.
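As an added illustration (not code from this post or from Web Wizards’ own setup), here is how the rule above, more than 3 failed attempts within 30 seconds blocks the source IP for one hour, can be checked offline against web server logs in Python. It assumes combined-format access logs and a common heuristic: a POST to wp-login.php answered with 200 is a failed login (WordPress re-renders the form), a 302 is a successful one (redirect into wp-admin). The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Thresholds from the post: more than MAX_FAILS failures inside WINDOW_SECS
# blocks the source IP for BLOCK_SECS.
MAX_FAILS = 3
WINDOW_SECS = 30
BLOCK_SECS = 3600

# Apache/nginx "combined" log format. Assumption: a failed login comes back
# as 200 (the form is re-rendered), a successful one as 302 (redirect to
# wp-admin). Only POSTs to wp-login.php count as login attempts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the original post). 203.0.113.7 fails
# four times in eleven seconds; 198.51.100.4 fails twice, slowly, then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Apr/2013:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Apr/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Apr/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3432 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, epoch_seconds, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = int(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_brute_forcers(lines, max_fails=MAX_FAILS, window=WINDOW_SECS, block_secs=BLOCK_SECS):
    """Sliding-window count of failed wp-login.php POSTs per source IP.

    Returns a list of (ip, blocked_at, blocked_until) tuples in log order.
    """
    fails = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}           # ip -> epoch at which the block expires
    blocks = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if ts < blocked_until.get(ip, 0):
            continue                 # still blocked; the firewall would drop this
        if status == 302:
            fails[ip].clear()        # successful login resets the counter
            continue
        if status != 200:
            continue                 # errors and other responses are not login outcomes
        recent = fails[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()         # forget failures outside the window
        if len(recent) > max_fails:
            blocked_until[ip] = ts + block_secs
            blocks.append((ip, ts, ts + block_secs))
            recent.clear()
    return blocks


if __name__ == "__main__":
    for ip, start, until in find_brute_forcers(SAMPLE_LOG.splitlines()):
        print(f"block {ip} from {start} until {until}")
```

Feeding the resulting IPs into firewall rules is left to the host. Note that an access log carries only the source IP, not the posted username, so this check is per IP rather than per username; attempts arriving while an IP is blocked are ignored rather than extending the block.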

To help further secure your site, the first and foremost thing you can do immediately is log in to your WordPress site and change the password on all Administrator role accounts to something very strong, using numbers, upper and lower case letters, and special symbols such as # $ % ! @ ^ & etc. For more details, see Selecting A Strong Password. (Do this with your email and FTP passwords too, since those are always targets of automated scripts and spammers. Always use a strong password, and never reuse one across sites.)

The next thing I’d highly recommend is using a free service such as Cloudflare.com or Incapsula to protect and speed up your web site. They filter requests to your site through their security systems, and they cache your images, JavaScript and CSS files and serve them from their network of servers around the world, so your files load faster and your web site uses less bandwidth. If you’re using Cloudflare, they’ve confirmed that they already protect against this latest attack. Incapsula tweeted that they are protecting sites as well.

There are other things you can do to reduce your site’s exposure to these types of attacks, such as making sure your WordPress installation does not use the username “admin”. You can’t rename a user within the WordPress dashboard, but it’s easy by editing the WordPress database itself using a tool like phpMyAdmin, details here. One caveat: WordPress author archive URLs (/?author=1 redirects to /author/<nicename>/) reveal the account’s user_nicename, which by default matches the login name, so give the renamed account a nicename and display name that differ from its new login, or the new name is just as guessable as “admin” was.

You can also install any number of WordPress security plugins, such as Better WordPress Security. Using a plugin to ban IP addresses after failed logins is probably ineffective against this particular attack, simply because the IP addresses are so numerous and change so frequently that processing and blocking them all inside WordPress would cause more server load than it saves… and we’re doing more at the firewall and router level, where those IPs should already be blocked.


Please leave a comment with your thoughts, and reach out if we can help you secure your WordPress site better. We offer WordPress consulting beyond our normal hosting support… we can migrate your web site to our servers if you’re not hosting with us, set up local caching plugins such as WP Super Cache, harden your WordPress site (see this codex.wordpress.org article), and help you set your site up on Cloudflare or Incapsula, too.

For more information on this attack, here are some other good posts: Krebs On Security and Sucuri Security.


Tighten Your WordPress Site’s Security With These Tools

March 19, 2013 in Featured Articles, Tips and Tricks, Wordpress by Rob  |  4 Comments

Recently there have been more and more sites getting infected with malware via automated scripts, because of weak passwords or insecure, out-of-date WordPress installations. Here are a few tools and tips we recommend to better secure your WordPress web site.

First, start using a strong but memorable (so you’ll actually use it) passphrase for each site login. See this xkcd comic first to understand the point: http://xkcd.com/936/ Then go here to help you choose a nice, easy to remember, yet very strong passphrase: http://passphra.se/ I add the site name to the end, so the passphrase is different per site (in case one site gets hacked), e.g. “four buckets fly facebook”.

Sucuri is amazing, go get their free WordPress plugin installed ASAP: http://bit.ly/sucuriwp It is a great preventative service. The paid service includes not only monitoring and alerting for malware, but, best of all, removal and recovery from malware infections, no matter how many pages are infected.

Clean out old, unneeded core files with help from this free WordPress plugin: http://wordpress.org/extend/plugins/old-core-files/ It removes files left behind by earlier WordPress versions that may still be vulnerable to attack.

Restrict your WordPress login to certain IPs, or at least limit failed login attempts per IP. There’s a free plugin for the latter: http://wordpress.org/extend/plugins/limit-login-attempts/ (It counts failed attempts per IP address and locks that IP out temporarily; it is not an IP allowlist.) If you do restrict logins to specific IPs, be sure you don’t lock yourself out if your home IP address changes; define multiple allowed IPs in case one stops working.

To really lock down your site, use the free Google Authenticator WordPress plugin. It works like the two-factor authentication key-fob devices that display a new random-looking code every 30 seconds, except the code generator is an app on your smartphone, so a stolen password alone is no longer enough to log in: http://wordpress.org/extend/plugins/google-authenticator/
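Google Authenticator codes are time-based one-time passwords (TOTP, RFC 6238): HMAC-SHA1 over a counter derived from the current time, truncated to six digits. The following is an added example, not the plugin’s code, showing how such codes are generated and how the server side should verify them, allowing one step of clock drift but refusing to accept the same or an older code twice. The secret is the RFC 6238 test key (ASCII “12345678901234567890”) in base32, as Google Authenticator stores secrets; it is assumed for the demo, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECS = 30   # Google Authenticator's fixed time step
DIGITS = 6       # and code length

# RFC 6238 test secret, base32-encoded. Assumed for the demo only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, at_time // step)


def verify_totp(secret_b32: str, code: str, at_time: int,
                last_counter: int = -1, window: int = 1, step: int = STEP_SECS):
    """Verify a submitted code on the server side.

    Accepts the current time step and `window` steps either side (phone clock
    drift), but never a counter at or below `last_counter`, the counter of the
    last code accepted for this user, so an intercepted code cannot be replayed.
    Returns the matched counter (persist it as the new last_counter) or None.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    key = base64.b32decode(secret_b32, casefold=True)
    current = at_time // step
    for drift in range(-window, window + 1):
        counter = current + drift
        if counter <= last_counter:
            continue
        # constant-time comparison so timing does not leak matching digits
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, now))
```

The replay check matters because a TOTP code stays valid for the whole 30-second step plus the drift window; without remembering the last accepted counter, anyone who captures a code has a minute or so to reuse it.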

Share your favorite security plugin, tip, or story in the comments, we’d love to hear from you.

Update to WordPress v3.5.1 Highly Recommended

January 25, 2013 in Featured Articles, News and Updates, Wordpress by Rob  |  1 Comments

WordPress version 3.5.1 is the first maintenance release of 3.5, and it fixes 37 bugs! It also includes three security fixes that affect all previous WordPress versions. The major fixes include:

  • Editor: Prevent certain HTML elements from being unexpectedly removed or modified in rare cases.
  • Media: Fix a collection of minor workflow and compatibility issues in the new media manager.
  • Networks: Suggest proper rewrite rules when creating a new network.
  • Prevent scheduled posts from being stripped of certain HTML, such as video embeds, when they are published.
  • Work around some misconfigurations that may have caused some JavaScript in the WordPress admin area to fail.
  • Suppress some warnings that could occur when a plugin misused the database or user APIs.

WordPress 3.5.1 also addresses the following security issues:

  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions.
  • Two instances of cross-site scripting via shortcodes and post content.
  • A cross-site scripting vulnerability in the external library Plupload.

For the complete list of bug fixes, please consult the list of tickets.

If you’d like us to manage updating your sites and their plugins, we offer a low-cost monthly Managed WordPress service.

WordPress 3.5 Released: New Media Manager, Retina Support, Polished UI

December 13, 2012 in Wordpress by Rob  |  No Comments

The latest version of WordPress was just released, after a slight delay due to some bugs in the editor and such, but those have all been hammered out now. The Media Manager got a major overhaul, so enjoy that. It also got some user interface polish, now supports Retina and HD displays, and includes some performance improvements as well. We’ve installed it and haven’t seen any issues; it’s looking amazing. Go update those web sites!

New Media Manager

(Here’s an interesting link to the wireframe overview of the new Media Manager user interface design from back in July: http://make.wordpress.org/ui/2012/07/30/media-wireframes/ )

Beautiful Interface

Adding media has been streamlined with an all-new experience, making it a breeze to upload files and place them into your posts.

Picturesque Galleries

Creating image galleries is faster with drag and drop reordering, inline caption editing, and simplified controls for layout.

New Default Theme

Introducing Twenty Twelve

The newest default theme for WordPress is simple, flexible, and elegant. What makes it really shine are the design details, like the gorgeous Open Sans typeface and a fully responsive design that looks great on any device. Naturally, Twenty Twelve supports all the theme features you’ve come to know and love, but it is also designed to be as great for a website as it is for a blog.

Retina Ready

So Sharp You Can’t See the Pixels

The WordPress dashboard now looks beautiful on high-resolution screens like those found on the iPad, Kindle Fire HD, Nexus 10, and MacBook Pro with Retina Display. Icons and other visual elements are crystal clear and full of detail.

Smoother Experience

Better Accessibility

WordPress supports more usage modes than ever before. Screenreaders, touch devices, and mouseless workflows all have improved ease of use and accessibility.

More Polish

A number of screens and controls have been refined. For example, a new color picker makes it easier for you to choose that perfect shade of blue.

Under the Hood

Meta Query Additions

The WP_Comment_Query and WP_User_Query classes now support meta queries just like WP_Query. Meta queries now support querying for objects without a particular meta key.

Post Objects

Post objects are now instances of a WP_Post class, which improves performance by loading selected properties on demand.

Image Editing API

The WP_Image_Editor class abstracts image editing functionality such as cropping and scaling, and uses ImageMagick when available.

Multisite Improvements

switch_to_blog() is now significantly faster and more reliable.

XML-RPC API

The XML-RPC API is now always enabled, and supports fetching users, editing profiles, managing post revisions, and searching posts. (Since it can no longer be switched off from Settings, the pingback server-side request forgery fixed in 3.5.1, described in the post above, applies to every 3.5 site; update promptly.)

External Libraries

WordPress now includes the Underscore and Backbone JavaScript libraries. TinyMCE, jQuery, jQuery UI, and SimplePie have all been updated to the latest versions.

What’s coming soon in WordPress 3.5

November 1, 2012 in News and Updates, Wordpress by Rob  |  1 Comments

WordPress.org has released details on the next version of WordPress, v3.5, now in its Beta 2 release. More than 200 contributors have made a few hundred changes and improvements for version 3.5. They are planning a December 5th release for WordPress 3.5, but here’s what’s coming…

Beta 1 includes:

In just three short months, we’ve already made a few hundred changes to improve your WordPress experience. The biggest thing we’ve been working on is overhauling the media experience from the ground up. We’ve made it all fair game: How you upload photos, arrange galleries, insert images into posts, and more.

  • Appearance: A simplified welcome screen. A new color picker. And the all-HiDPI (retina) dashboard.
  • Accessibility: Keyboard navigation and screen reader support have both been improved.
  • Plugins: You can browse and install plugins you’ve marked as favorites on WordPress.org, directly from your dashboard.
  • Mobile: It’ll be easier to link up your WordPress install with our mobile apps, as XML-RPC is now enabled by default.
  • Links: We’ve hidden the Link Manager for new installs. (There’s a Links plugin to add it back, but it’s so rarely used these days, it’s being removed from the core files.)

Beta 2 includes:

  • New workflow for working with image galleries, including drag-and-drop reordering and quick caption editing.
  • New user interface for setting static front pages for the Reading Settings screen.
  • New image editing API.

Features for theme and plugin developers in beta 1 and 2 include…

  • External libraries updated: TinyMCE 3.5.6. SimplePie 1.3. jQuery 1.8.2. jQuery UI 1.9 (and it’s not even released yet). We’ve also added Backbone 0.9.2 and Underscore 1.3.3, and you can use protocol-relative links when enqueueing scripts and styles.
  • WP Query: You can now ask to receive posts in the order specified by post__in.
  • XML-RPC: New user management, profile editing, and post revision methods. We’ve also removed AtomPub.
  • Multisite: switch_to_blog() is now used in more places, is faster, and more reliable. Also: You can now use multisite in a subdirectory, and uploaded files no longer go through ms-files (for new installs).
  • TinyMCE: We’ve added API support for “views” which you can use to offer previews and interaction of elements from the visual editor.
  • Posts API: Major performance improvements when working with hierarchies of pages and post ancestors. Also, you can now “turn on” native custom columns for taxonomies on edit post screens.
  • Comments API: Search for comments of a particular status, or with a meta query (same as with WP_Query).
  • oEmbed: We’ve added support for a few oEmbed providers, and we now handle SSL links.

For all the details, see their site.

WordPress 3.4 Is Available

June 13, 2012 in Featured Articles, Recommended, Wordpress by Rob  |  No Comments

Yes, we’ve already updated our site! ;-)

The release of WordPress v3.4, dubbed “Green”, includes a few fun new features, and more importantly, some great performance improvements. View the short highlight video from WordPress.org, and read through the list of features and improvements shown after the upgrade, below.

Live Theme Previews

Try on New Themes

Gone are the days of rushing to update your header, background, and the like as soon as you activate a new theme. You can now customize these options before activating a new theme. Note: this feature is available for installed themes only.

Customize Current Theme

Satisfy your curiosity and try on a fresh coat of paint — you can also use the live preview mode to customize your current theme. Look for the Customize link on the Themes screen.

Custom Headers

Flexible Sizes

You can decide for yourself how tall or wide your custom header image should be. From now on, themes will provide a recommended image size for custom headers rather than a fixed requirement. Note: this feature requires theme support.

Choose from Media Library

Tired of re-uploading the same custom header image every time you check out a new theme? Now you can choose header images from your media library for easier customization.

Twitter Embeds

Share Tweets with Style

You can now embed individual tweets in posts. It includes action links that allow readers to reply to, retweet, and favorite the tweet without leaving your site. Just paste a tweet URL on its own line.

This works with URLs from some other sites, too. For more, see the Codex article on Embeds.

Better Captions

Basic HTML support has been added to the caption field in the image uploader. This allows you to add links — great for photo credits or licensing details — and basic formatting such as bold and italicized text.

Performance Improvements Under the Hood

There are hundreds of under-the-hood improvements in this release, notably in the XML-RPC, themes, and custom header APIs, and significant performance improvements in WP_Query and the translation system. The Codex has a pretty good summary of the developer features.

Faster WP_Query

Post queries have been optimized to improve performance, especially for sites with large databases.

Faster Translations

The number of strings loaded on the front end was greatly reduced, resulting in faster front page load times for localized installations. Also, better support for East Asian languages, right-to-left languages, theme translations, and more.

Themes API

WP_Theme, wp_get_themes(), wp_get_theme(). Faster, uses less memory, makes use of persistent caching.

Custom Header and Background API

Custom header and background API relocated into the theme support API.

XML-RPC API

A new WordPress API that supports custom content types and taxonomies, as well as dozens of other bug fixes and improvements.

External Libraries

jQuery, jQuery UI, TinyMCE, Plupload, PHPMailer, SimplePie, and other libraries were updated. jQuery UI Touch Punch was introduced.

Read all the details on the official blog announcement: http://wordpress.org/news/2012/06/green/

WordPress jumped 32%, powering 48% of top 100 blogs

April 24, 2012 in Featured Articles, News and Updates, Wordpress by Rob  |  No Comments

There’s no doubt that WordPress is the dominating content management system, powering well over 73 million web sites, per WordPress’ Stats, with about half of those being self-hosted.

Royal Pingdom released their 2012 update earlier this month, reporting that WordPress powers 48% of the Top 100 blogs, an increase of 32% from their findings just three years ago. Self-hosted WordPress sites make up 39% of the share, with the rest hosted (both the free wordpress.com and WordPress’ SaaS VIP services count as hosted).

Other platforms have therefore shrunk, with TypePad dropping the most, from 16% down to 2%. In addition to TypePad, I expect to see more and more people moving to WordPress from Drupal, Blogger, Movable Type, & BlogSmith. So does Matt Mullenweg, founding developer of WordPress and founder of the company behind WordPress, Automattic, saying:

”The last few years we’ve really focused on both the usability and flexibility of WordPress, which has resulted in accelerating growth in both big and small sites. I expect even higher adoption among the largest sites and blogs over the next year.”

If you’re interested in making the switch to WordPress, we’d love to help you.


3 Surprising WordPress Uses Beyond Blogging for Business

April 9, 2012 in Featured Articles, Tips and Tricks, Wordpress by Rob  |  No Comments

WordPress Guest Blog Series

I am guest blogging for sister company Fandom Marketing on Blogging For Business, covering some unique WordPress topics.

Here’s a summary of a recent post, with the link to the full article:

WordPress powers lots of web sites and blogs such as CNN’s blogs, and can be extended with plugins to power more common advanced needs like e-commerce or portfolios, but here are 3 surprising uses of WordPress that aren’t typically thought of together with the WordPress platform. I hope this inspires you to add more features or functionality to your own web site above and beyond blogging for business, or migrate to the powerful WordPress platform if you haven’t already.

Read the full post at:
3 Surprising WordPress Uses Beyond Blogging for Business

How to Optimize RSS to Display Featured Blog Images

April 2, 2012 in Featured Articles, Social Media, Tips and Tricks, Wordpress by Rob  |  No Comments

WordPress Guest Blog Series

I am guest blogging for sister company Fandom Marketing on Blogging For Business, covering some unique WordPress topics.

Here’s a summary of a recent post, with the link to the full article:

Images are playing a bigger part in blogging, with themes that highlight posts’ featured images becoming more popular and creating visually appealing layouts. That is even more true given the popularity of Pinterest and Facebook sharing, which use an image from the page or post. Even if you include Facebook Open Graph tags within your post, your content could be shared via other methods that don’t take the Open Graph information into account, like RSS and feed syndication or sharing services such as the awesome DLVR.it or Feedburner.

Here’s a fairly simple way to include the featured image of your WordPress blog post in the RSS/Feedburner feed itself, so that services that syndicate or share via RSS, use it when posting to Facebook and other image-friendly sharing sites like tumblr or posterous, etc.

Read the full post at:
How to Optimize RSS to Display Featured Blog Images

How to Set Up 301 Redirects to Maintain WordPress SEO

March 27, 2012 in Internet Marketing, Search Engines, Wordpress by Rob  |  No Comments

WordPress Guest Blog Series

I am guest blogging for sister company Fandom Marketing on Blogging For Business, covering some unique WordPress topics.

Here’s a summary of a recent post, with the link to the full article:

“WordPress SEO can be maintained when moving domains or redesigning your blog using 301 redirects. It’s a vital step to keep existing search engine links working. Follow these instructions to maintain your search engine optimization on your website or WordPress blog.”

Read the full post at:
How to Set Up 301 Redirects to Maintain WordPress SEO
