There have been a few notices out this week about security threats to WordPress sites. Hopefully your site hasn’t been affected and therefore you won’t have heard about them! (If you have been affected, you will be interested to know how to resolve any issues – so read on!)
In the News…
Popular Themes and Plugins attacked over 13 million times
On December 9th Wordfence announced they had blocked 13.7 million attacks on themes and plugins within the previous 36 hours!
Four plugins in particular were affected. These were:
- Kiwi Social Share
- WordPress Automatic
- Pinterest Automatic
- PublishPress Capabilities
These have all since been patched so, if you are using any of these plugins and weren’t affected by the attack, make sure you update your site asap! Now, in fact.
Likewise, if you’re using a theme published by the Epsilon Framework, you should drop everything that you’re doing and update now too.
A Major Attack on GoDaddy Customers – and Customers of High-Profile Resellers
This follows on from a huge security breach in November, affecting many sites hosted on big players that include GoDaddy and their managed hosting resellers: TSOhost, Domain Factory, 123Reg, Heart Internet, Host Europe, and Media Temple. This particular breach affected over 1.2 million customers who had their security and secure FTP account credentials hacked. Anyone who was affected received notification from their hosts about it – and luckily, in most cases, the hosts took steps to repair the damage, regaining access to sites and resetting security credentials – but who needs that kind of drama!
An XSS Vulnerability in the WooCommerce Preview E-mails Plugin
Protecting your Site
It’s all very well knowing about issues like this – and it doesn’t exactly instill confidence! – but security threats and vulnerabilities are a part of website ownership, just like the common cold is a fact of daily life! The important thing is not to worry about it and to make sure you’re doing all you can to prevent your site being one of those affected. Here’s how.
Use a Secure Username and Password
Are you using “admin” for your login and your name and date-of-birth for your password? Maybe you’re using a simple password for all your online accounts. Whether it’s yes to one or all of those questions, using a strong username and password is your first line of defense. If you struggle to manage your own system for creating secure passwords, you should start using a password manager. You can use free versions of tools like LastPass or the version that comes with your internet security and antivirus software, like Kaspersky. These can be used to generate super-secure passwords (the kind you dread having to type!) and also to populate the password fields for you; you just have to log in with your master password.
Keep your Themes and Plugins Updated
Regular maintenance means keeping your website up-to-date. Most plugins and themes need updating, some more often than others. If you have a simple site without many plugins and no page builders, like Elementor or Beaver Builder, you can probably get away with automatic updates. For more complicated sites, you probably don’t want to do that because you can create new problems with plugin conflicts, so a more cautious approach is needed. Update them often. Update them now!
Have a Backup Schedule for your Site
Check with your host on the situation for backing up your site: some will require an extra charge but for many it’s a standard feature. If your site is installed using Softaculous (in cPanel) you can set a backup schedule for each WordPress installation and choose whether this goes to your server or to an external cloud storage account, such as Google Drive. Off-server backups are definitely worthwhile because servers can go “pop” too – and even a server company with a solid reputation can be caught out, as recently happened with the fire at the OVH data centre in Strasbourg. Oops.
Another solution for off-site backups is a plugin like UpdraftPlus. You get the option to save backups locally or you can connect to Dropbox, Drive, etc. All well worth it in the event that you need to roll back your site.
Use a Reputable Security Plugin
There are various ways to do this, using plugins or WordPress manager tools. You can use these to scan for threats and also to limit login attempts or mask known URLs and therefore access to plugins and folders.
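As an added illustration of what the “limit login attempts” feature guards against (example code, not from the original post), this Python script scans Apache-style access log lines for bursts of failed POSTs to wp-login.php and notes whether a successful login followed the burst. The log lines, IP addresses, five-attempt threshold and five-minute window are all constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Apache-style access log lines (sample data, not from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [09/Dec/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [09/Dec/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [09/Dec/2021:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [09/Dec/2021:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [09/Dec/2021:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.20 - - [09/Dec/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_login_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with at least `threshold` failed POSTs to wp-login.php inside `window`.
    WordPress re-renders the form (HTTP 200) on a wrong password and redirects
    (HTTP 302) on success, so a 200 reply to a POST is counted as a failure.
    success_after is True when a 302 followed the burst (a guess may have worked)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if status == 200:
            failures[ip].append(ts)
        elif status == 302:
            successes[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                later_ok = any(s >= start for s in successes[ip])
                flagged[ip] = {"failures": len(times), "success_after": later_ok}
                break
    return flagged
```

Run against a real access log, a flagged entry with success_after set is the one to act on first: reset that account’s password and review what it changed.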
Install an SSL Certificate
If your site is still using HTTP in the website address, it’s time to change it to HTTPS. There are various ways to do this and I wrote about it in this blog post about installing an SSL certificate. This is an important step so, if you’re not sure about doing this yourself, get in touch for help. Having a valid SSL certificate also means you get the little padlock symbol next to your site address in Google Chrome, so it gives peace of mind to visitors, counts towards the credibility of your site when Google is ranking it, and also protects any private information that you or your clients transmit via your site – so it’s essential for any ecommerce transactions or when you have contact forms.
What if my site has been attacked?
If you’ve already fallen victim to one of these attacks, firstly, don’t panic! The how of doing this is worthy of an entire blog post in itself so I won’t go into details here. In short, you have various options, including restoring the site from the last good backup OR using one of the malware cleaning programs that are out there. In almost all cases (there will always be exceptions!) you will be able to get your site back.
And if you have been hacked before and haven’t worked through all the steps above, why are you still here? Make the changes outlined above, then breathe.