In the News – Facebook leaks personal data of millions of users

Every month a big company or government department suffers a major IT security breach. This month Business Insider has exposed the online leak of 533 million Facebook users’ personal details in a low-level hackers forum. While it doesn’t include passwords, it does include phone numbers, full names, locations, email addresses, and biographical information. Security researchers say hackers could use the data to impersonate people and commit fraud. 11 million of these users are in the UK.

You can check if your personal data has been exposed by looking at this website – HaveIBeenPwned. It is owned by Troy Hunt, Microsoft regional director and MVP, a respected member of the security community, so you can trust this site with your details.

WordPress Summary

There have been no security problems with WordPress Core files since October, 6 months ago, and there have been very few issues with WordPress themes. However, there have been a lot of plugins with problems, and many of these have been high risk.

Future Reports

We’ve been doing this security blog for the last couple of years because of the scale of this problem and the need to inform. Too frequently we have been asked to help small business owners to fix their hacked websites so we are well aware of the issues. Most of these could have been avoided by regularly updating their plugins and themes.

However, security reporting is not our main business focus so we will be scaling back on this. There are plenty of specialist security companies who provide regular update information. Please see ‘Sources of Information’ at the end for links to these.

Most Hacks Can Be Easily Avoided

The main reason WordPress sites get hacked is out-of-date plugins and themes. The time to detect a compromise is usually over 200 days, according to most studies! Patches can be applied to prevent most of these website hacks. You should make logging and monitoring an essential part of your WordPress security strategy, along with updating, backing up and security hardening.

Recent WordPress Issues Requiring Updates

See below for new WordPress plugin and theme security vulnerabilities disclosed in March/April.

WordPress Core

WordPress 5.7 came out on March 9, 2021 and represents Phase 2 of the Gutenberg project. It is a major version release of WordPress core that includes 68 features and enhancements, 127 bug fixes, and more. This bundles seven of the last major Gutenberg plugin releases into core functionality. It brings even more improvements to the WordPress block editor functionality and user interface. There is also progress towards the Gutenberg Project’s ambitious goal for Full Site Editing (FSE) with the block editor.

Here are a few examples of the improvements –

  • Upgrade a Site From HTTP to HTTPS With a Single Click
  • An Easier Way to Send Password Reset Emails/Links
  • Import/Export Enhancements
  • Lazy-loading iframes
  • Improvements for Full-Site Editing Flows + Built-in Support
  • Enhancements for Reusable Blocks

Auto-updates are an important option in the WordPress core. This is very helpful, but please note the following important points –

  • Not all premium plugins or themes may support the new auto-updates (at first)
  • Scheduled/automatic backups are more important than ever now. You need a way to roll back your site in case an update breaks something.
  • An updating service is one way to manage this. They check and fix any breaks for you.
  • By default, auto-updates are turned off. You’ll have to enable auto-updates for all your plugins and themes.

WordPress Themes

This is the last time we are going to list all of the themes that need updating. We will be doing very brief summaries in future. If you want to see full details, we recommend the following sources –

UPDATE these if you are using them

  • All Thrive Themes Legacy Themes – Critical
    Affected Themes: Rise, Luxe, Minus, Ignition, Focusblog, Squared, Voice, Performag, Pressive, & StoriedExample
    Versions below 2.0.0 have Unauthenticated Arbitrary File Upload and Option Deletion vulnerability. The vulnerability is patched, so you should update to version 2.0.0.

WordPress Plugins

This will be the last time we list all of the plugins that need updating. We will be doing very brief summaries in future. If you want to see full details, read our Sources of Information section at the end of this blog –

UPDATE these if you are using them

  • Abandoned Cart Lite for WooCommerce – Medium – versions below 5.8.6
  • AccessAlly – High – versions below 3.5.7
  • Advanced Booking Calendar – High – versions below 1.6.8
  • Advanced Order Export For WooCommerce – High – versions below 3.1.8
  • BuddyPress – High – versions below 7.2.1
  • Controlled Admin Access – High – versions below 1.5.6
  • Cooked Pro – Medium – versions below 1.7.5.6
  • Defender Security – Medium – versions below 2.4.6.1
  • Dokan – Medium – versions below 3.2.1
  • Elementor – Medium – versions below 3.1.2
  • Erident Custom Login and Dashboard – Medium – versions below 3.5.9
  • Facebook for WordPress – Critical – versions below 3.0.4
  • Five Star Restaurant Menu – High – versions below 2.2.1
  • Flo Forms – Critical – versions below 1.0.36
  • Forminator – Medium – versions below 1.14.8.1
  • GiveWP – High – versions below 2.10.0
  • Goto – Tour & Travel – Medium – versions below 2.0
  • Ivory Search – Medium – versions below 4.6.1
  • Mapplic and Mapplic Lite – High – versions below 6.2.1 & 1.0.1
  • Paid Membership Pro – Medium – versions below 2.5.6
  • Patreon WordPress – High – versions below 1.7.2
  • PhastPress – Medium – versions below 1.111
  • Pie Register – High – versions below 3.7.0.1
  • Quiz And Survey Master – High – versions below 7.1.14
  • Realteo – Medium – versions below 1.2.4
  • Related Posts for WordPress – Medium – versions below 2.0.4
  • SecuPress Free & Pro – Medium – versions below 2.0
  • Social Slider Widget – Critical – versions below 1.8.5
  • Style Kits – Medium – versions below 1.8.1
  • Super Interactive Maps – Critical – versions below 2.2
  • SuperStoreFinder – Critical – versions below 6.5
  • The Plus Addons for Elementor Page Builder (Premium Version) – Critical – versions below 4.1.7
  • Thrive AB Page Testing – Medium – versions below 1.4.13.3
  • Thrive Apprentice – Medium – versions below 2.3.9.4
  • Thrive Comments – Medium – versions below 1.4.15.3
  • Thrive Dashboard – Medium – versions below 2.3.9.3
  • Thrive Headline Optimizer – Medium – versions below 1.3.7.3
  • Thrive Leads – Medium – versions below 2.3.9.4
  • Thrive Ovation – Medium – versions below 2.4.5
  • Thrive Quiz Builder – Medium – versions below 2.3.9.4
  • Thrive Ultimatum – Medium – versions below 2.3.9.4
  • Thrive Visual Editor – Medium – versions below 2.3.9.4
  • Tutor LMS – High – versions below 1.8.8
  • Under Construction, Coming Soon & Maintenance Mode – Medium – versions below 1.1.2
  • User Profile Picture – Medium – versions below 2.5.0
  • Vertical News Scroller – Critical – versions below 1.17
  • Virtual Robots.txt – Medium – versions below 1.10
  • WP ERP – Medium – versions below 1.7.5
  • WP File Manager – Medium – versions below 7.1
  • WP GDPR Compliance – Critical – versions below 1.5.6
  • WP Page Builder – Medium – versions below 1.2.4
  • WP Project Manager – Medium – versions below 2.4.10
  • WP Super Cache – Critical – versions below 1.7.2
  • WP Travel – Medium – versions below 4.4.7
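As an added example (not code from the original post), the following Python script compares the output of `wp plugin list --format=json` (a real WP-CLI command) against a handful of the version thresholds listed above. The plugin slugs used as keys, and the sample JSON, are my own assumptions, constructed for illustration; extend the dictionary with the rest of the list for your own site.

```python
"""Flag installed WordPress plugins that fall below the 'fixed in' versions listed above."""
import json

# Thresholds transcribed from the list above, keyed by plugin slug (slugs are assumed).
ADVISORIES = {
    "elementor": "3.1.2",
    "phastpress": "1.111",
    "wp-super-cache": "1.7.2",
    "forminator": "1.14.8.1",
}

# Constructed sample of `wp plugin list --format=json` output (default WP-CLI fields).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "elementor", "status": "active", "update": "available", "version": "3.1.1"},
    {"name": "wp-super-cache", "status": "active", "update": "none", "version": "1.7.2"},
    {"name": "phastpress", "status": "inactive", "update": "available", "version": "1.9"},
    {"name": "forminator", "status": "active", "update": "none", "version": "1.14.8.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.9"},
])


def parse_version(version):
    """Turn '1.7.5.6' into (1, 7, 5, 6); non-numeric fragments count as 0."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when installed < fixed_in, comparing numerically component by component.

    Plain string comparison gets this wrong: '1.9' > '1.111' as text, but 1.9 is the
    older release. Tuples are zero-padded so that 2.0 and 2.0.0 compare as equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def plugins_needing_update(wp_plugin_list_json, advisories=ADVISORIES):
    """Return [(slug, installed_version, fixed_in)] for every plugin below its threshold.

    Inactive plugins are still reported: their files stay on the server until removed."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        fixed_in = advisories.get(plugin["name"])
        if fixed_in and is_vulnerable(plugin["version"], fixed_in):
            findings.append((plugin["name"], plugin["version"], fixed_in))
    return findings


if __name__ == "__main__":
    for slug, installed, fixed_in in plugins_needing_update(SAMPLE_WP_PLUGIN_LIST):
        print(f"UPDATE {slug}: installed {installed}, fixed in {fixed_in}")
```

On a live site, replace `SAMPLE_WP_PLUGIN_LIST` with the real command output (for example `wp plugin list --format=json > plugins.json`) and read that file instead.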

REMOVE these until a security fix is released

  • Business Directory – Medium
  • Business Hours Pro – Critical
  • Database Backups – High
  • Easy Form Builder – Critical
  • JH 404 Logger – Critical
  • MapifyLife – Medium
  • N5 Upload Form – Critical
  • SEO Redirection – Medium
  • VM Backups – Medium
  • WooCommerce Help Scout – Critical
  • WordPress Related Posts – Medium
  • WP-Curricul Vitea Free – Critical

How to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Backup your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, e.g. in the cloud and offline (e.g. on your computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use capitals, lower case, numbers and symbols
    • use a minimum of 8 characters
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • use secure web hosting with built-in malware scanning (like Skylime!)
    • choose and install a software firewall plugin for WordPress such as WordFence (and other CMSs)
    • use WordPress security logging
    • subscribe to and set up a firewall service such as Sucuri
    • regularly run an anti-virus scanner designed for websites

* * TIP * * – a password manager will make managing passwords much easier


Sources of Information
