Avoid 60% of Hacks Easily

Outdated plugins and themes are the #1 reason WordPress sites get hacked. And most breach studies show that the time to detect a breach is over 200 days! 60% of website hacks could be avoided by applying a patch that was available. Logging and monitoring should be an essential part of your WordPress security strategy – along with updating, backing up and security hardening.

See below for new WordPress plugin and theme security vulnerabilities disclosed in December.

In the News

Every month a big company or government department suffers an IT security breach. The big one revealed this month is the SolarWind netware update breach, giving access to multiple US government departments and US companies – https://www.theguardian.com/technology/2020/dec/17/us-government-cyber-attack-hack-russia.

WordPress Core

No new WordPress core vulnerabilities have been disclosed this month. However, a new major version of WordPress core was released. WordPress 5.6 includes several new features and improvements. We recommend updating after a couple of weeks or so, allowing time for theme and plugin developers to update their products.

Auto-updates are now an option in the WordPress core. But please note the following important points –

  • Not all premium plugins or themes may support the new auto-updates (at first)
  • Scheduled/automatic backups are more important than ever now. You need a way to roll back your site in case an update breaks something.
  • An updating service is one way to manage this. They check and fix any breaks for you.
  • By default, auto-updates are turned off in 5.5. You’ll have to enable auto-updates for all your plugins and themes.

WordPress Themes

  • ListingPro versions below 2.6.1 have an Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation & Unauthenticated Sensitive Data Disclosure vulnerabilities. The vulnerability is patched, and you should update to version 2.6.1.
  • Wibar versions below 1.2.1 have an Authenticated Stored Cross-Site Scripting vulnerability. The vulnerability is patched, so you should update to version 1.2.1.

WordPress Plugins

UPDATE these if you are using them –

  • Contact Form 7 versions below 5.3.2
  • Limit Login Attempts Reloaded versions below 2.16.0
  • Pagelayer versions below 1.3.5
  • Ultimate Category Excluder versions below 1.2
  • Directories Pro versions below 1.3.46
  • Total Upkeep versions below 1.14.10
  • Redux Framework versions below 4.1.21
  • Simple Social Media Share Buttons versions below 3.2.1
  • Envira Gallery Lite versions below 1.8.3.3
  • WPJobBoard versions below 5.7.0
  • WP Google Map Plugin versions below 4.1.4
  • BuddyPress versions below 6.4.0
  • Events Manager versions below 5.9.8
  • Age Gate versions below 2.13.5
  • Profile Builder versions below 3.3.3
  • Paid Memberships Pro versions below 2.5.1
  • Themify Portfolio Post versions below 1.1.6
  • Easy WP SMTP versions below 1.4.3

REMOVE these if you are using them until a security fix is released –

  • Canto
  • DiveBook

How to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Backup your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, eg. on the cloud and offline (eg. your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use capitals, small case, numbers and symbols
    • use a minimum of 8 digits
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • use secure web hosting with built-in malware scanning (like Skylime!)
    • choose and install a software firewall plugin for WordPress such as WordFence (and other CMSs)
    • use WordPress security logging
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus scanner designed for websites

* * TIP * * – a password manager will make the passwords aspect much easier

Pin It on Pinterest

Share This