Earlier this morning I received an email claiming that one of the domains I manage was in danger of expiring. It looked very suspicious and questionable right off the bat. However, to more gullible people who might not scrutinize such an email, there is a legitimate appearance to it.
As popular as Duplicator is, I’ve never used it yet on the dozens of websites I’ve migrated from or to my server over my career. I’ve had great success with both All-in-One WP Migration and Backup Guard for moving websites. They each offer a premium version; however, I’ve had no problems using the free options for either. At some point, I plan to purchase one of them with a developer license, since there is a little extra legwork required for importing databases into the new server.
Having a distrusted SSL certificate is much worse than having none at all. While Chrome displays a “Not Secure” message for websites still using HTTP, it will all but prevent visitors from viewing websites with broken SSL certificates. A red triangle with an exclamation mark is shown in the URL address bar and on a blank page with a stern warning. If your website is facing this issue, it should be fixed immediately.
You should always exercise caution when receiving emails requiring you to submit information or perform an action. Usually, phishing emails are targeting bank accounts or other financial institutions. Even if an email looks legitimate, if there is doubt, always make a phone call to the institution that the email appears to be from.
This is news to me. Before coming across this article I had never heard of HSTS (HTTP Strict Transport Security). Now that I have an understanding of the purpose and benefits it provides, there really isn’t a reason not to implement it. Unless, of course, for some strange reason you plan on removing HTTPS and your SSL certificate from your website.
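The lock-in mentioned above is the one practical caveat of HSTS: once a browser has seen the header, it refuses plain HTTP for that host until max-age expires, so the policy has to be chosen deliberately. The following is an added example, not code from the original post, that parses a Strict-Transport-Security header value the way RFC 6797 describes (max-age required, directive names case-insensitive, unknown directives ignored) and reports the findings a site owner would want before publishing the header. The sample header values in the test are constructed; the one-year threshold is the minimum the HSTS preload list requires.

```python
"""Parse and sanity-check a Strict-Transport-Security header value (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


@dataclass
class HstsPolicy:
    max_age: Optional[int]      # None when the directive is absent (header is then invalid)
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Split a header value such as 'max-age=31536000; includeSubDomains' into a policy."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # max-age may be sent as a quoted string
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"malformed max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Any other directive is ignored, as the RFC requires of user agents.
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(header_value: str) -> list:
    """Return a list of findings; an empty list means the policy looks sound."""
    findings = []
    policy = parse_hsts(header_value)
    if policy.max_age is None:
        # Without max-age the whole header is invalid and browsers discard it.
        findings.append("max-age missing: browsers ignore the header")
        return findings
    if policy.max_age == 0:
        # max-age=0 is the documented way to retract a policy (the HTTPS-removal case).
        findings.append("max-age=0 clears the policy; only use this when rolling HSTS back")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age}s is below one year; fine for a trial, "
                        "too short for the preload list")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requested but the preload-list requirements are not met")
    return findings


if __name__ == "__main__":
    # Constructed sample values: a production-grade header and a short trial header.
    for sample in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(sample, "->", assess(sample) or "OK")
```

Start with a short max-age while confirming every subdomain serves valid HTTPS, then raise it to a year; the findings list above tells you which step you are at.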
The majority of WordPress website administrators shouldn’t be freaking out. Basically, your security has to be pretty lax in order for the sequence of events to take place for a complete system takeover. Any good admin knows to install a firewall application for WordPress. There are several plugins available that are fairly easy to set up. I suggest All in One WP Security & Firewall if you’re looking for a robust solution.
The nice thing about these security updates is that they should be automatic unless explicitly configured not to update. This certainly comes in handy when you manage dozens or even hundreds of WordPress websites for clients. Not having to manually update each site lessens the time (and risk) for a patched exploit to be abused on older installations. If you generally use the same admin email across all of your websites, you should get a notification about a successful automatic upgrade for those sites. It’s a welcome reassurance that your sites are safe from a potentially dangerous vulnerability.
Last year, Chrome slowly began to implement the “Not Secure” message on non-HTTPS websites, specifically where a contact form was present. Now, no matter what page a user is on in Chrome 68, that message will be clearly visible. Thankfully, it isn’t as shocking as some predicted. There is no giant red X or stop sign next to the warning. I think that visual cue alone would have made an even bigger impact.
If it weren’t for the fact that “Author” privileges are needed for this attack, this bug would be huge. Usually, the WordPress team is very quick to correct flaws that have been pointed out to them. It’s hard to believe that this particular flaw has not been fixed since it was first discovered in November.