This particular exploit really hits close to home. WP Cost Estimation & Payment Forms Builder is a premium plugin that I’ve been using on this site for over a year. It’s a fantastic plugin that has allowed me to customize packages for web design and SEO clients. Before you check, yes, I’m already updated to a secure version.
Similar to Gutenberg, this WSOD feature seems like a great idea on the surface. However, unintended consequences (like Gutenberg’s compatibility issues) will surely cause more harm than good. While it’s extremely frustrating and embarrassing to have a website crash, part of a web host’s job is to troubleshoot and remedy the issue ASAP.
In previous blog posts, I've briefly mentioned using Pyxsoft Anti Malware to actively monitor my server for attackers. In essence, it's a security plugin for WebHost Manager (WHM) on servers that run CentOS or CloudLinux. Features include blocking potentially malicious uploads (whether authorized, such as through a form, or via an exploit) and brute-force protection (such as against repeated WordPress login attempts). The plugin can also scan your server for malware automatically or on request. The Pyxsoft team claims that their database has over 4 million virus definitions! Having used Pyxsoft Anti Malware for the better part of 3 years for...
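To make the "repeated WordPress login attempts" rule concrete, here is a small sliding-window detector run over a few constructed Apache access-log lines. This is an added example, not Pyxsoft's code and not from the original post; the log format, the threshold (more than 5 POSTs to wp-login.php from one IP within 60 seconds) and the sample IPs are assumptions.

```python
"""Added example: sliding-window detection of WordPress login brute-forcing.

Not Pyxsoft Anti Malware's code. Threshold, window and the sample log lines
below are assumptions chosen to illustrate the rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (assumed; matches the constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one attacker hammering the login form, one normal user
# who loads the form with GET and logs in once (WordPress answers a
# successful login with a 302 redirect; a failed one re-renders the form with 200).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
    '198.51.100.2 - - [10/Jan/2019:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2315',
    '203.0.113.7 - - [10/Jan/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
    '198.51.100.2 - - [10/Jan/2019:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Jan/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
    '203.0.113.7 - - [10/Jan/2019:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
    '203.0.113.7 - - [10/Jan/2019:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
    '203.0.113.7 - - [10/Jan/2019:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2315',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for every IP whose failed login POSTs to
    wp-login.php exceed `threshold` within any `window_seconds` window.
    The timestamp is the request at which the IP first crossed the line."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == 302:   # successful login, not a failed attempt
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that fell out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: exceeded login threshold at {when.isoformat()}")
```

A real host-level tool would feed the flagged IP to the firewall (for example an iptables or CSF deny) rather than just print it, and would also watch XML-RPC, which is a second login path on most WordPress sites.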
If indeed this attack was carried out by a former employee, it has to be one of the dumbest of all time. Jail time and fines are certain to follow for the perpetrator. I’m sure many of us have been unfairly treated by a former boss or two. However, that doesn’t excuse such behavior as to destroy property and harass or intimidate that company’s clients.
There is no reason NOT to upgrade your PHP version to 7.x. It’s faster, more secure, and has features that some plugins and themes require anyway. Probably the only websites still running an older PHP version are those that haven’t been updated in ages. If that’s the case, there is a good chance the theme in use has been abandoned, which would necessitate a redesign.
The key takeaway from this report is that more vulnerabilities don’t necessarily mean more attacks. Given WordPress’s large and growing footprint, it isn’t far-fetched to expect more vulnerabilities. Just think of all the plugins and themes out in the wild. How many of those have been abandoned? Furthermore, how many websites sit idle, not receiving updates for months or even years?
PHP 7 has been out for a couple of years now. At this point, most webmasters should have made the transition from PHP 5. The performance gains alone should be reason enough to switch. However, with version 5 reaching the end of support, now is the time you MUST upgrade.
Earlier this morning I received an email claiming that one of the domains I manage was in danger of expiring. It looked very suspicious and questionable right off the bat. However, to more gullible people who might not scrutinize such an email, there is a legitimate appearance to it.
As popular as Duplicator is, I’ve never used it on the dozens of websites I’ve migrated from or to my server over my career. I’ve had great success with both All-in-One WP Migration and Backup Guard for moving websites. They each offer a premium version; however, I’ve had no problems using the free option for either. At some point, I plan to purchase one of them with a developer license, since there is a little extra legwork required for importing databases into the new server.