Why is WordPress a target?
WordPress is very popular, powering roughly one in three of all websites on the internet. That makes it a prime target for attackers looking for vulnerabilities to exploit, because one exploitable bug reaches millions of sites. Thankfully there are also large teams of security specialists dedicated to finding and fixing problems before they are exploited. One example is www.ithemes.com.
No vulnerabilities in the WordPress core files were disclosed in June/July.
Zoner – Real Estate WordPress Theme (version 4.1 and below) is vulnerable to both reflected and stored cross-site scripting (XSS). If you use it, update to version 4.2.
A lot of plugins had vulnerabilities disclosed in June/July. Most have since been updated to fix the issues, so check that you are running the patched release of each one.
The ecommerce plugins affected were as follows –
- Advanced Woo Search
- Facebook for WooCommerce
- User Email Verification for WooCommerce
- WordPress Ultra Simple Paypal Shopping Cart
There are many others, including several that I use regularly. Plugins of particular note (greatest usage) were as follows –
- All-in-One WP Migration
- Coming Soon Page & Maintenance Mode
- Easy Digital Downloads
- Messenger Customer Chat
- Paid Memberships Pro
- Shortlinks by Pretty Links – Best WordPress Link Tracking Plugin
- Support Board – Chat And Help Desk | Support & Chat
- Ultimate Member
- WebP Express
- WordPress Download Manager
- WP Google Maps
- WP Statistics
- WP-Members Membership Plugin
- Yoast SEO
Hitting the Headlines in June/July
- Capital One – personal information on over 100 million customers and applicants was downloaded. A former AWS employee broke in through a misconfigured part of Capital One's AWS-hosted infrastructure.
- NASA – servers at the Jet Propulsion Laboratory were compromised after an unauthorised Raspberry Pi was connected to the network. From that foothold the attacker reached the Deep Space Network array of radio telescopes and other systems.
Major Software Fixes
Elsewhere, major security flaws in software were found (and fixed) in –
- Apple Watch Walkie Talkie app – a vulnerability that allowed an attacker to eavesdrop on another user's iPhone.
- Kubernetes – the open-source container orchestration system originally created by Google.
- Linux and FreeBSD – these open-source operating systems run most of the internet's servers. The flaws (three in Linux, one in FreeBSD) were all remotely triggerable TCP-based denial of service bugs in the handling of selective acknowledgement (SACK). Netflix discovered them and shared the fixes.
- Evernote Web Clipper Chrome Extension – a coding flaw could allow a malicious website to steal personal information from other sites open in the browser.
- Vim and NeoVim – terminal text editors; opening a specially crafted file could run commands on the user's machine.
- Zoom – the macOS version of the video conferencing app installed a local web server that let any website start a call with the user's camera switched on.
- 9Apps – a third-party Android app store that is popular in India. 'Agent Smith' malware, spread through that store, replaced parts of other installed Android apps' code with its own. Google removed the related apps it found on the Play Store.
Is Your WordPress Website Vulnerable or Secure from Hacking?
Basic Fact – 100% Security Doesn’t Exist
Your website is NOT secure from hacking, and 100% security is not possible on the internet (or anywhere, really). As we can all see, even the biggest companies cannot totally prevent hacking, so it follows that small companies cannot either. The aim is to reduce the risk, and to be able to recover quickly when something does happen.
Effective Measures to Minimise Risk
There are a number of measures you can take to reduce the risk to an acceptably low level –
- Manage your web server carefully
  - control who has access, and give each person only the access they need
  - configure it for security as well as performance, and keep the server software patched too
- Update your WordPress software regularly
  - check for updates to core, plugins and themes routinely (at least once a month, and sooner when a vulnerability in something you use is disclosed), or use an updating service (like we provide at Skylime)
- Backup your website files and database – this will enable a quick recovery when you get a problem
  - keep at least 2 separate copies in different locations, eg. in the cloud and offline (eg. your computer), and check periodically that a restore actually works
  - find a web host who provides automatic daily backups for you as part of their service
- Manage your passwords carefully
  - don't re-use the same password anywhere else
  - use a long password (at least 12 characters; a passphrase is easier to remember), mixing capitals, small case, numbers and symbols
  - change a password immediately if it may have been exposed, and quickly change any shared logins and passwords when staff leave
  - remove access permissions if and when they are not needed
  - turn on two-factor authentication for administrator accounts where it is available
- Run security software
  - choose and install a security plugin with a firewall for WordPress, such as WordFence (equivalents exist for other CMSs)
  - subscribe to and set up a web application firewall service such as Sucuri
  - regularly run a malware scanner designed for websites
* * TIP * * – a password manager will make the passwords aspect much easier
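To show what the "check for updates routinely" step looks like when done by hand rather than from the dashboard, here is a small Python script. It is an added example for this post, not Skylime's tooling and not anything from WordPress itself. It reads the `$wp_version` value from wp-includes/version.php and the `Version:` header that every plugin declares in its main PHP file, then compares them with a table of latest-known versions. The site tree, plugin slugs, version numbers and the "latest" table are all constructed for the demonstration; in real use you would fill that table from the wordpress.org plugin API, and treat a plugin that the directory no longer lists as a warning sign (plugins are often removed from the directory because of unfixed security problems).

```python
import re
import tempfile
from pathlib import Path

# "Version: 1.2.3" and "Plugin Name: ..." inside the header comment that WordPress
# reads from the first 8 KB of a plugin's main PHP file.
VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
PLUGIN_NAME_RE = re.compile(r"^[\s*#]*Plugin Name:", re.IGNORECASE | re.MULTILINE)
# "$wp_version = '5.2.2';" in wp-includes/version.php.
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(text):
    """'4.10' -> (4, 10), so 4.10 sorts after 4.9 (a string compare would get this wrong).
    Trailing zeros are dropped so that 4.1 and 4.1.0 compare equal."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text)]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def installed_plugins(site):
    """Map plugin directory name (slug) -> declared version, scanning wp-content/plugins."""
    found = {}
    for d in sorted((Path(site) / "wp-content" / "plugins").iterdir()):
        if not d.is_dir():
            continue
        for php in sorted(d.glob("*.php")):
            head = php.read_text(errors="replace")[:8192]
            if PLUGIN_NAME_RE.search(head):  # only files with a real plugin header count
                m = VERSION_RE.search(head)
                found[d.name] = m.group(1) if m else "0"
                break
    return found


def core_version(site):
    text = (Path(site) / "wp-includes" / "version.php").read_text()
    m = CORE_RE.search(text)
    return m.group(1) if m else "0"


def audit(site, latest_core, latest_plugins):
    """Return findings as (component, installed, latest); latest is None when the
    plugin is not known upstream at all, which needs a manual look."""
    findings = []
    core = core_version(site)
    if parse_version(core) < parse_version(latest_core):
        findings.append(("core", core, latest_core))
    for slug, ver in installed_plugins(site).items():
        if slug not in latest_plugins:
            findings.append((slug, ver, None))
        elif parse_version(ver) < parse_version(latest_plugins[slug]):
            findings.append((slug, ver, latest_plugins[slug]))
    return findings


def build_sample_site():
    """Constructed, minimal WordPress tree for the demonstration (not a real install)."""
    site = Path(tempfile.mkdtemp())
    (site / "wp-includes").mkdir()
    (site / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '5.2.1';\n")
    plugins = {
        "example-seo": "3.4.10",    # behind the constructed latest 3.4.11
        "example-gallery": "1.2",   # equal to 1.2.0, so up to date
        "example-forms": "0.9",     # missing from the constructed directory listing
    }
    for slug, ver in plugins.items():
        d = site / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {slug}\n * Version: {ver}\n */\n"
        )
    return site


# Constructed stand-in for what a lookup against wordpress.org would return.
LATEST_CORE = "5.2.2"
LATEST_PLUGINS = {"example-seo": "3.4.11", "example-gallery": "1.2.0"}

if __name__ == "__main__":
    for component, installed, latest in audit(build_sample_site(), LATEST_CORE, LATEST_PLUGINS):
        if latest is None:
            print(f"{component}: {installed} installed, not listed upstream (removed plugin?)")
        else:
            print(f"{component}: {installed} installed, {latest} available")
```

Run it monthly from cron, or after reading a digest like this one, and act on every line it prints: update what has a newer version, and investigate anything the directory no longer lists before deciding whether to keep it.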