Most Hacks Can Be Avoided Easily

Out-of-date plugins and themes are the main reason WordPress sites get hacked. Most breach studies put the time to detect a breach at over 200 days! Most of these website hacks could have been avoided by applying a patch that was already available. Make logging and monitoring an essential part of your WordPress security strategy – along with updating, backing up and security hardening.

See below for new WordPress plugin and theme security vulnerabilities disclosed in February.

In the News

Every month a big company or government department suffers an IT security breach. This month the Scottish Borders Council sent three emails to multiple recipients with every recipient's email address visible – https://www.bbc.co.uk/news/uk-scotland-south-scotland-56112734. This is a data privacy breach.

WordPress Core

No new WordPress core vulnerabilities have been disclosed this month. WordPress version 5.6.2 was released to fix a few bugs introduced in WordPress version 5.6.1.

Auto-updates are now an option in the WordPress core. But please note the following important points –

  • Not all premium plugins or themes may support the new auto-updates (at first)
  • Scheduled/automatic backups are more important than ever now. You need a way to roll back your site in case an update breaks something.
  • An updating service is one way to manage this. They check and fix any breaks for you.
  • By default, auto-updates are turned off. You’ll have to enable auto-updates for all your plugins and themes.

WordPress Themes

  • Wyzi versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, so you should update to version 2.4.3.
  • Multiple Parallelus Themes versions below 2.0 have a Reflected Cross-Site Scripting vulnerability. The vulnerability is patched, so you should update to version 2.0.

WordPress Plugins

UPDATE these if you are using them –

  • Ninja Forms 3.4.34
  • Post SMTP Mailer/Email Log versions below 2.0.21
  • Better Search versions below 2.5.3
  • Theme Editor versions below 2.6
  • Customer Service Software & Support Ticket System versions below 5.6.0
  • Custom Banners versions below 3.3
  • Process Steps Template Designer versions below 1.3
  • eCommerce Product Catalog versions below 3.0.18
  • Backup Guard versions below 1.6.0
  • Responsive Menu versions below 4.0.4
  • Orbit Fox by ThemeIsle versions below 2.10.3
  • WP Content Plus versions below 3.2
  • QuadMenu versions below 2.0.7
  • YITH WooCommerce Gift Cards Premium versions below 3.3.1
  • Photo Gallery by 10web versions below 1.5.69
  • Web-Stat versions below 1.4.1
  • NextGEN Gallery Pro versions below 3.1.11
  • Paid Membership Pro versions below 2.5.3
  • Ultimate GDPR & CCPA Compliance Toolkit versions below 2.5
  • NextGen Gallery versions below 3.5.0
  • Map Block for Google Maps versions below 1.32
  • uListing versions below 1.7
  • Super Forms versions below 4.9.703
  • Modern Events Calendar Lite versions below 5.16.5
  • Ivory Search versions below 4.5.11
  • WP Editor versions below 1.2.7
  • MStore API versions below 3.2.0
  • Popup Builder versions below 3.74
  • Name Directory versions below 1.18
  • Like Button Rating ♥ LikeBtn versions below 2.6.32

REMOVE these until a security fix is released –

  • Testimonial Rotator
  • Zebra_Form Library
    • Teaser Maker
    • Ad Swapper
    • Drug Search
    • WP Inimat
  • Contact Form 7 Style
  • Gift Voucher
  • Ultimate Maps by Supsystic
  • Pricing Table by Supsystic
  • Newsletter by Supsystic
  • Membership by Supsystic
  • Digital Publications by Supsystic
  • Data Tables Generator by Supsystic
  • Contact Form by Supsystic
  • Backup by Supsystic
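As an added example (not part of the original post), the following Python script checks a site's installed plugins against a subset of the UPDATE and REMOVE lists above. It assumes the installed list is the JSON printed by WP-CLI's `wp plugin list --format=json --fields=title,version`; the sample it embeds is constructed and its version numbers are made up.

```python
"""Check installed WordPress plugins against this month's advisory lists."""
import json
import re

# Subset of the UPDATE list above ("versions below X" means fixed in X); extend as needed.
UPDATE_FIXED = {
    "Post SMTP Mailer/Email Log": "2.0.21",
    "Backup Guard": "1.6.0",
    "Popup Builder": "3.74",
    "NextGen Gallery": "3.5.0",
}
# From the REMOVE list above: no fix exists yet, so presence alone is the finding.
REMOVE_NOW = {"Testimonial Rotator", "Contact Form 7 Style", "Backup by Supsystic"}

def version_tuple(v):
    """'3.74' -> (3, 74); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_below(installed, fixed):
    """Numeric, zero-padded compare: '1.6' == '1.6.0' and '3.8' < '3.74' (a string compare fails)."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def audit(plugin_list_json):
    """plugin_list_json: JSON from `wp plugin list --format=json --fields=title,version`.
    Returns ({title: (installed, fixed)}, [titles to remove]); titles match case-insensitively."""
    fixed_by_title = {k.lower(): (k, v) for k, v in UPDATE_FIXED.items()}
    remove_by_title = {k.lower(): k for k in REMOVE_NOW}
    to_update, to_remove = {}, []
    for plugin in json.loads(plugin_list_json):
        key = plugin["title"].strip().lower()
        if key in remove_by_title:
            to_remove.append(remove_by_title[key])
        elif key in fixed_by_title:
            title, fixed = fixed_by_title[key]
            if is_below(plugin["version"], fixed):
                to_update[title] = (plugin["version"], fixed)
    return to_update, to_remove

# Constructed sample in the shape of `wp plugin list` output; the versions are made up.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"title": "Post SMTP Mailer/Email Log", "version": "2.0.20"},
    {"title": "Backup Guard", "version": "1.6"},
    {"title": "Popup Builder", "version": "3.8"},
    {"title": "NextGen Gallery", "version": "3.4.2"},
    {"title": "Testimonial Rotator", "version": "3.0.3"},
    {"title": "Akismet Anti-Spam", "version": "4.1.8"},
])
```

Calling `audit(SAMPLE_PLUGIN_LIST)` flags Post SMTP, Popup Builder and NextGen Gallery for update and Testimonial Rotator for removal; Backup Guard 1.6 is treated as equal to 1.6.0 and Akismet is on neither list.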

How to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (such as the one we provide at Skylime)
  • Back up your website files – this enables a quick recovery when something goes wrong
    • keep copies in at least 2 separate locations, e.g. in the cloud and offline (e.g. on your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use upper-case and lower-case letters, numbers and symbols
    • use a minimum of 8 characters
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions as soon as they are no longer needed
  • Run security software
    • use secure web hosting with built-in malware scanning (like Skylime!)
    • choose and install a software firewall plugin for WordPress such as Wordfence (equivalent plugins exist for other CMSs)
    • enable security logging in WordPress
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus scanner designed for websites

* * TIP * * – a password manager will make managing passwords much easier

 
