The nice thing about these security updates is that they should be automatic unless a site has been explicitly configured not to update. This certainly comes in handy when you manage dozens or even hundreds of WordPress websites for clients. Not having to update each site by hand shortens the window (and the risk) in which an already-patched vulnerability can be exploited on older installations. If you generally use the same admin email across all of your websites, you should get a notification about the successful automatic upgrade for each of those sites. It’s welcome reassurance that your sites are no longer exposed to a potentially dangerous vulnerability.
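Whether a given site is actually on the automatic-update path is something you can check from its wp-config.php rather than assume. The script below is an added example, not code from the original post or from WordPress itself: it reads the constants WordPress consults before running the updater (DISALLOW_FILE_MODS, AUTOMATIC_UPDATER_DISABLED, WP_AUTO_UPDATE_CORE) and reports which classes of core releases each site will apply unattended. The site names and config fragments are constructed for the demo, and the fleet paths in read_fleet are an assumption.

```python
"""Audit which classes of WordPress core updates a fleet of sites will apply unattended.

Added example, not code from the original post or from WordPress. It reads the constants
WordPress itself consults (DISALLOW_FILE_MODS, AUTOMATIC_UPDATER_DISABLED,
WP_AUTO_UPDATE_CORE) from wp-config.php; site names and paths are assumptions for the demo.
"""
import re
from pathlib import Path

# Matches simple define('NAME', value) calls with a boolean or quoted-string value.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_0-9]+)['"]\s*,\s*(?P<value>true|false|'[^']*'|"[^"]*")\s*\)""",
    re.IGNORECASE,
)


def parse_defines(config_text: str) -> dict:
    """Return {CONSTANT: value} for define() calls that are actually in effect.

    Commented-out lines are skipped: a '// define(...)' left behind by a previous admin
    is a common reason a site's real policy differs from what a quick grep suggests.
    """
    defines = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue
        for m in DEFINE_RE.finditer(line):
            raw = m.group("value")
            if raw.lower() == "true":
                value = True
            elif raw.lower() == "false":
                value = False
            else:
                value = raw[1:-1]          # strip the surrounding quotes
            defines[m.group("name").upper()] = value
    return defines


def core_update_policy(defines: dict) -> str:
    """Classes of core releases installed unattended: 'none', 'minor', 'all' or 'unknown'.

    Follows the order in which WordPress checks these constants. Filters that plugins add
    (for example auto_update_core) cannot be seen from wp-config.php and are not modelled.
    """
    if defines.get("DISALLOW_FILE_MODS") is True:
        return "none"      # no file modifications at all, so the updater is disabled
    if defines.get("AUTOMATIC_UPDATER_DISABLED") is True:
        return "none"      # explicit opt-out from every automatic update
    core = defines.get("WP_AUTO_UPDATE_CORE", "minor")   # WordPress default when undefined
    if core is True:
        return "all"       # development, minor and major releases
    if core is False:
        return "none"
    if isinstance(core, str) and core.lower() == "minor":
        return "minor"     # security and maintenance releases only (the default)
    return "unknown"       # other channel values on newer versions: review manually


def audit_fleet(configs: dict) -> dict:
    """Map site name -> policy for a {site: wp-config.php text} dict."""
    return {site: core_update_policy(parse_defines(text)) for site, text in configs.items()}


def read_fleet(site_roots) -> dict:
    """Load wp-config.php from each install root on disk (the roots are an assumption)."""
    return {str(root): (Path(root) / "wp-config.php").read_text(errors="replace")
            for root in site_roots if (Path(root) / "wp-config.php").is_file()}


# Constructed wp-config.php fragments standing in for four client sites.
SAMPLE_CONFIGS = {
    "default-site":     "<?php\ndefine('DB_NAME', 'wp_one');\n",
    "opted-out-site":   "<?php\ndefine('AUTOMATIC_UPDATER_DISABLED', true);\n",
    "all-updates-site": "<?php\n// define('AUTOMATIC_UPDATER_DISABLED', true);\n"
                        "define( 'WP_AUTO_UPDATE_CORE', true );\n",
    "locked-site":      "<?php\ndefine('DISALLOW_FILE_MODS', true);\ndefine('WP_AUTO_UPDATE_CORE', true);\n",
}

if __name__ == "__main__":
    for site, policy in audit_fleet(SAMPLE_CONFIGS).items():
        flag = "" if policy in ("minor", "all") else "  <-- will not receive security releases"
        print(f"{site:18} {policy}{flag}")
```

Run it over real installs with `audit_fleet(read_fleet([...]))`; any site reporting "none" will keep an old core until someone updates it by hand, which is exactly the window the automatic releases are meant to close. Pair the result with WP-CLI's `wp core check-update` on each site to confirm the installed version actually moved.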
Last year, Chrome slowly began showing the “Not Secure” message on non-HTTPS websites, specifically on pages where a form (such as a contact form) was present. As of Chrome 68, that message is clearly visible no matter what page a user is on. Thankfully, it isn’t as shocking as some predicted: there is no giant red X or stop sign next to the warning. I think that visual cue alone would have made an even bigger impact.
If it weren’t for the fact that “Author” privileges are needed for this attack, this bug would be huge. Usually, the WordPress team is very quick to correct flaws that have been pointed out to them. It’s hard to believe that this particular flaw has not been fixed since it was first discovered in November.
Talk about dedication. I’ve had to deal with several cases of infected WordPress websites. The good news with spammy malware is that it generally doesn’t want to delete your existing content. The hard part is identifying the infected files and removing the malicious code. I’ve used Eli’s Anti-Malware scanner plugin with great success to assist in removing such code. It appears that this BabaYaga malware doesn’t play well with other malware and will remove competing infections altogether.
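Finding the infected files is usually the slow part of a clean-up. The script below is an added example, not the original post’s code and not a description of how any named plugin or the BabaYaga family works: it walks a WordPress tree and flags the generic indicators spam droppers tend to leave behind (eval of a decoded blob, request input called as a function, the preg_replace /e modifier, long base64 literals, PHP files under wp-content/uploads, and PHP open tags inside image files). The indicator labels are ours, and the sample files it builds are constructed stand-ins with harmless content.

```python
"""Heuristic scan of a WordPress tree for obfuscation patterns typical of spam droppers.

Added example, not code from the original post or from any named scanner or malware family.
The indicators are generic; clean files can match too, so review findings before deleting.
"""
import os
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".inc"}
IMAGE_SUFFIXES = {".ico", ".png", ".jpg", ".jpeg", ".gif"}
MAX_FILE_BYTES = 2 * 1024 * 1024   # skip very large files (media, logs)

# (label, regex) pairs; the labels are this example's own naming, not a scanner's taxonomy.
INDICATORS = [
    ("eval-of-decoded-blob",
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I)),
    ("user-input-called-as-function",          # e.g. $_POST['f']($_POST['c'])
     re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I)),
    ("preg_replace-e-modifier",                # pattern string whose modifiers contain 'e'
     re.compile(r"""preg_replace\s*\(\s*['"][^'"]{0,200}[/#~|]\w*e\w*['"]\s*,""", re.I)),
    ("long-base64-literal",                    # 200+ base64 characters in one string literal
     re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]""")),
]


def scan_text(text: str) -> list:
    """Return the labels of every content indicator that matches the given file text."""
    return [label for label, rx in INDICATORS if rx.search(text)]


def scan_path(root: Path, path: Path) -> list:
    """Placement indicators plus content indicators for one file under the install root."""
    rel = path.relative_to(root).as_posix()
    suffix = path.suffix.lower()
    findings = []
    if suffix in PHP_SUFFIXES and rel.startswith("wp-content/uploads/"):
        findings.append("php-file-in-uploads")       # uploads should hold media only
    if path.stat().st_size > MAX_FILE_BYTES:
        return findings
    text = path.read_text(encoding="utf-8", errors="replace")
    if suffix in PHP_SUFFIXES:
        findings.extend(scan_text(text))
    elif suffix in IMAGE_SUFFIXES and "<?php" in text:
        findings.append("php-code-in-image-file")    # PHP hidden behind an image extension
    return findings


def scan_tree(root) -> dict:
    """Walk a WordPress install; return {relative path: [labels]} for files with findings."""
    root = Path(root)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            findings = scan_path(root, path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample files for a stand-alone run; the "infected" content is inert text.
SAMPLE_FILES = {
    "wp-content/plugins/clean-plugin/clean.php":
        "<?php\nfunction clean_hello() { return esc_html( 'hello' ); }\n",
    "wp-content/themes/site/functions.php":
        "<?php\n@eval(base64_decode('" + "QUJD" * 80 + "'));\n",
    "wp-content/uploads/2018/07/image.php":
        "<?php $_POST['f']($_POST['c']);\n",
    "wp-content/uploads/2018/07/logo.ico":
        "<?php /* loader */ include 'x';\n",
}


def build_sample_tree() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, labels in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Treat the output as a triage list rather than a verdict: legitimate plugins occasionally embed long base64 literals, so open each hit and confirm what it does. For core files, WP-CLI's `wp core verify-checksums` compares the install against the release checksums and is a more reliable way to spot modified originals than any pattern match.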
I must’ve missed this news last month. I’m a huge proponent of anti-spam measures and contact form security, especially Google’s reCAPTCHA service. A form without a CAPTCHA will almost certainly be pummeled with spam messages, which makes filtering out legitimate messages difficult and consumes resources on your website and server. Over the last several years it has been standard to include reCAPTCHA on all of the contact forms on clients’ websites.
File this under the weak passwords category. This is not a hack or breach of WordPress’s systems. Rather, it is a matter of hijacking credentials for wordpress.com and using Jetpack to install a spam plugin on linked self-hosted websites. The most common pattern is credential stuffing: usernames and passwords exposed in data breaches of other systems are tried against WordPress.com accounts to see where they still match. Since many people reuse the same username and password combination across multiple platforms, this method of attack was bound to have some success.
When WordPress administrators search for a security plugin, Wordfence Security usually comes out on top, and for good reason. With over 2 million active installations, it is by far the most popular security plugin. Does that mean it is the best? I think that is a matter of opinion. There is […]
Most people using the internet today understand that when they shop on a website and enter sensitive information (credit card and other personal details) into a form, they should only do so when that site is secure. Many web browsers make that easy to see by displaying a padlock, typically near […]
Approximately 28% of websites on the internet run on the WordPress platform. From small and mid-sized businesses to schools, hospitals, and even police departments, the range of WordPress sites has never been larger. I can’t help but guess, when I first load a new site, whether it does in fact run on the platform. There […]
- Determining whether your business needs locally targeted pages
- Google’s new website to offer more transparency on its political advertisers
- Monitor your server on the go with WHM app
- Moz details their list of the top 6 tools for keyword research
- Google’s algorithm update appears to have impacted health & medical websites