If indeed this attack was carried out by a former employee, it has to be one of the dumbest of all time. Jail time and fines are certain to follow for the perpetrator. I’m sure many of us have been unfairly treated by a former boss or two. However, that doesn’t excuse destroying property and harassing or intimidating that company’s clients.
There is no reason NOT to upgrade your PHP version to 7.x. It’s faster, more secure and has features that some plugins and themes require anyhow. Perhaps the only websites running a lesser PHP version are those that haven’t been updated in ages. If that’s the case, there is a good chance that the theme being used has been abandoned, which would necessitate a redesign.
The key takeaway from this report is that more vulnerabilities don’t necessarily mean more attacks. Given WordPress’s large and increasing footprint, it isn’t that far-fetched to expect more vulnerabilities. Just think of all the plugins and themes out in the wild. How many of those have been abandoned? Furthermore, how many websites sit idle, not receiving updates for months or even years?
PHP 7 has been out for a couple of years now. At this point, most webmasters should have made the transition from PHP 5. The performance gains alone should be reason enough for switching. However, now that version 5 is reaching the end of support, now is the time you MUST upgrade.
Earlier this morning I received an email claiming that one of the domains I manage was in danger of expiring. It looked very suspicious and questionable right off the bat. However, to more gullible people who might not scrutinize such an email, there is a legitimate appearance to it.
As popular as Duplicator is, I’ve never used it on the dozens of websites I’ve migrated from or to my server over my career. I’ve had great success with both All-in-One WP Migration and Backup Guard for moving websites. They each offer a premium version; however, I’ve had no problems using the free options for either. At some point, I plan to purchase one of them with a developer license, since there is a little extra legwork required for importing databases into the new server.
Having a distrusted SSL certificate is much worse than having none at all. While Chrome displays a not secure message for websites still using HTTP, it will all but prevent visitors from viewing websites with broken SSL certificates. A red triangle with an exclamation mark is shown in the URL address bar and on a blank page with a stern warning. If your website is facing this issue, it should be fixed immediately.
You should always exercise caution when receiving emails requiring you to submit information or perform an action. Usually, phishing emails target bank accounts or other financial institutions. Even if an email looks legitimate, if there is doubt, always make a phone call to the institution that the email appears to be from.
This is news to me. Before coming across this article, I had never heard of HSTS (HTTP Strict Transport Security). Now that I have an understanding of the purpose and benefits it provides, there really isn’t a reason not to implement it. Unless, of course, for some strange reason, you plan on removing HTTPS and your SSL certificate from your website.