Austin WordPress Meetup Notes — August 11, 2014
This Hands-On WordPress article has been extrapolated from the August 11, 2014, Austin WordPress Meetup led by Nick Batik and attended by 16 Austin WordPress members, which made for a lively and far-ranging discussion.
Basic WordPress Site Security Practices
The most effective WordPress security practices don’t change appreciably from one year to the next. Both WordPress beginners and experienced developers should make a habit of addressing the site security basics before addressing the more advanced processes and tools.
These tools and processes are ones that even non-programmers can manage on their own, or can learn enough about to make sure that the WordPress developer responsible for their site takes care of these basics as part of normal site maintenance.
As a site owner or manager concerned about ‘hardening’ your WordPress site, you need to:
- Install each WordPress update as soon as it becomes available.
- Keep the number of plugins on your site to a minimum and ALWAYS DELETE – not just disable – those plugins no longer in use.
- Upgrade the plugins on your site as soon as updates become available.
- Choose difficult passwords and change them regularly.
- Back up your site data daily, weekly or monthly, depending on how often information changes on your site.
- Use .htaccess to protect your WordPress site. If you are not comfortable with code, ask your WP developer to show you how to do this, or have your developer do it for you.
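As an added illustration of what the .htaccess item in this checklist means in practice (this is example configuration written for these notes, not something from the meetup, from WordPress or from any plugin discussed here), the block below shows three small .htaccess files for an Apache host: the site root file denies direct HTTP requests to wp-config.php and turns off directory listings, the uploads file refuses to execute anything PHP-like that lands there, and the wp-admin file puts a second password in front of the dashboard while still letting admin-ajax.php through. The password file path /etc/apache2/wp-admin.htpasswd and the realm name are placeholders you would change; the file itself must be created first with the htpasswd tool.

```apache
# Three .htaccess files, separated by comments; each goes in the directory named.
# Assumed: Apache 2.2 or 2.4 with mod_auth_basic loaded and AllowOverride
# permitting these directives, and a password file created beforehand with
# `htpasswd -c /etc/apache2/wp-admin.htpasswd <username>` (placeholder path).

# ---- /.htaccess (site root), placed ABOVE the "# BEGIN WordPress" block ----

# Nobody should ever fetch wp-config.php over HTTP: it holds the database
# credentials and the secret key salts.
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# Do not list directory contents where no index file exists.
Options -Indexes

# When wp-admin is password-protected, let Apache serve its own 401 page
# instead of handing the error to WordPress's rewrite rules, which on many
# hosts turns the login challenge into a confusing 404.
ErrorDocument 401 default

# ---- /wp-content/uploads/.htaccess ----

# Uploaded files are data, never code: refuse to run anything PHP-like here,
# so a file smuggled in through a vulnerable plugin cannot be executed.
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# ---- /wp-admin/.htaccess ----

# A second password in front of the dashboard, independent of WordPress logins,
# so a stolen or guessed WordPress password alone does not reach wp-admin.
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is requested by the public-facing site (themes, plugins,
# comment forms); without this exception those requests would be blocked.
<Files admin-ajax.php>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Satisfy any
  </IfModule>
</Files>
```

Two caveats when trying this: if your host's AllowOverride setting does not include Options, the `Options -Indexes` line makes Apache answer every request with a 500 error, so test on a staging copy or remove that line; and keep the root file's WordPress rewrite block intact, since WordPress regenerates it when permalinks change.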
These are a WordPress site owner's or manager's ‘tier one’ defense strategies. Once these site ‘hardening’ practices are in place, it is time to look at security plugins to monitor your WordPress core files and traffic.
Before we address which security plugins are a good choice for the non-programmer, let's take a moment to understand why security is such a crucial issue, even for the owner/manager of the smallest WordPress site.
The past few months have been a series of “Rock your WordPress World” events for our community. The rapid growth in the popularity of WordPress has made our sites tempting targets for hackers. The attackers have become more ingenious — sniffing out vulnerabilities in WordPress themes, plugins and even core code.
Sucuri’s excellent exploit detection team has made the security news with alarming frequency these past few months. Since April, Sucuri has identified vulnerabilities in four very popular plugins that have nearly 20 million downloads.
On July 17th, 2014, zdnet.com published an extensive report about the recent security scares in the WordPress world. To read Violet Blue’s (tinynibbles.com, @violetblue) complete zdnet.com article, go to: WordPress plugin vulnerabilities affect 20 million downloads.
The summary of the recent WordPress vulnerabilities as discussed in our Deep Dive Discussion meetup is as follows:
Since April, security company Sucuri has found serious security holes in the following WordPress plugins:
- WPTouch (5,670,626 downloads)
- Disqus (1,400,003 downloads)
- All In One SEO Pack (19,152,355 downloads)
- MailPoet Newsletters (1,894,474 downloads)
The vulnerabilities in these plugins enable an attacker to access your site or blog and use it for activities like hosting phishing lures, sending spam, acting as an unwitting malware host and, if on a shared server, infecting other sites. There is more, but you get the idea: undetected, these vulnerabilities are a nasty piece of work.
Please understand these newly identified vulnerabilities will negatively impact millions of WordPress bloggers and site owners — probably you…
If you are using any of these plugins, the good news is that all the vulnerabilities have been patched in new versions of each plugin. Check that you have the following current versions of each affected plugin; if you don't, stop reading this article and update them now!
Current versions of each affected plugin are as follows:
In addition to the WordPress plugin trauma/drama, the WordPress community had another significant security wake-up call earlier this month. On August 6th, 2014, Andrew Nacin posted the following notice:
WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.
This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated joint security releases.
WordPress 3.9.2 also contains other security changes:
- Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
- Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
- Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
- Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.
We appreciated responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.
Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.
Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.)
Already testing WordPress 4.0? The third beta is now available (zip) and it contains these security fixes.
On August 7th, 2014, Sucuri’s Marc-Alexandre Montpas posted a warning concerning a critical vulnerability in the WordPress Custom Contact Forms plugin that allows an attacker to download and modify your database remotely, with no authentication required. When the plugin’s developers were non-responsive, Sucuri contacted the WordPress security team, who were able to close the loop with the developer and get a patch released. If you’re using the Custom Contact Forms WordPress plugin, you need to update it right away.
For the full article go to: Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin.
SOURCES FOR WORDPRESS SECURITY NEWS
During one part of our discussion of the recent exploits, one member piped up and asked, “Where the heck do you hear about these exploits and security alerts?”
I promised that I would include some of these sources here. If you know more sources for WordPress security news, please add your sources to the comments.
- For an everyday source of what is happening in the WordPress community, check out WordPress Planet at http://planet.wordpress.org. This is an aggregation of blogs from around the world talking about WordPress.
- For official WP news, check out the WordPress Dev Blog found at http://wordpress.org/news/
- To receive the latest news from Sucuri in your inbox, go to http://blog.sucuri.net/ and sign up for their blog.
- To get the latest security news from iThemes, sign up for their blog at http://ithemes.com/blog. Note: Austin WordPress co-organizer Chris Wiegman joined iThemes last December and is the lead developer on the iThemes Security plugin, formerly Chris’ own WordPress security plugin.
- I am a big fan of zdnet.com (http://www.zdnet.com/) as a news source and subscribe to several of their newsletters. You might also follow Violet Blue (@violetblue).
- WordPress security gurus worth following: Tony Perez, co-founder and CEO (@perezbox), Daniel Cid, co-founder and CTO (@danielcid), and Chris Wiegman (@ChrisWiegman).
- Code Poet is a resource for anyone building WordPress sites. You can subscribe to get notifications and cool single-subject ebooks at http://build.codepoet.com. (The ebook about WordPress security is included in the resources at the end of this article.)
WordPress Security Plugins
Before we address favorite security-related plugins, we need to note that easy answers to security issues, like really great plugins, do not really help educate the average WordPress site owner/manager about the real and present dangers in the roiling WordPress ecosystem. Using a security plugin is OK, but you need to take responsibility for the safety of your site by learning and implementing sound site safety practices.
WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software. iThemes Security (formerly Better WP Security) gives you over 30 ways to secure and protect your WordPress site. iThemes Security works to fix common holes, stop automated attacks and strengthen user credentials. With one-click activation for most features, as well as advanced features for experienced users, iThemes Security can help protect any WordPress site. There are free and premium versions available. This plugin was developed and is maintained by Chris Wiegman, a member of the Austin WordPress Meetup organizing team.
Wordfence is a leading cyber security solution for WordPress. It provides a complete anti-virus and firewall package for your WordPress website, including two-factor authentication, a firewall incorporating machine learning and tools to help recover from a hack. Wordfence Security is available free: simply sign into your WordPress website, go to Plugins > Add New and search for ‘wordfence’ (without quotes). The premium version includes enterprise WordPress security features like two-factor authentication and country blocking.
This plugin will block any IP address that tries to flood or spam your website. It limits the number of login attempts and monitors all live traffic. It is updated and maintained regularly, so you can count on it staying on top of your security issues.
Controlling Comment SPAM
A check is made that the checkbox has been checked before the comment is submitted, so there is no chance that a comment will be lost if it is being submitted by a legitimate human user. To combat the new ‘learning’ bots, this plugin adds dynamically named fields to the comment form, so each post has a differently named field and value. You can set the maximum number of comments a user can have in the moderation queue to protect you from comment floods (provided you haven’t approved any of the spammer’s comments before).
This backup plugin can be used to save your complete installation, including /wp-content/, and push it to an external backup service, like Dropbox, S3, FTP and many more (see list below). With a single backup .zip file you are able to easily restore an installation. Please note: this free version will not be supported as well as the BackWPup Pro version.
There are a number of other free and paid backup plugins out there, and everyone has a favorite. Choose one that works for you, but please install and use it on your site.
WordPress Security Services
If you decide that you want to ‘job out’ your site’s security, the number one recommendation would be Sucuri. They provide website monitoring, malware removal and all the related website security services that you would need. Sucuri services include a site check scanner that automatically scans your website to ensure it is clean of malware, suspicious redirects, iframes, link injections, etc. You can manually set the frequency with which the scanner runs its tests for malware and blacklisting, content changes in the core files, WHOIS changes and DNS changes. In addition, the security scanner also ensures that your website is not blacklisted by Google, Norton, PhishTank, Opera, SiteAdvisor, Yandex and, of course, their own Sucuri blacklist. For additional information about Sucuri services and package pricing go to https://sucuri.net.
WordPress Security Resources For Non-Programmers:
- Simple tutorial on how to password protect the WordPress admin area and fix the 404 error
We will close this summary of our WordPress Security for the Non-Programmer Deep Dive Discussion with links to the various resources discussed during the meetup.
- Slide Deck for WordPress Security for the Non-Programmer
- Sucuri: Antivirus Signup | Malware Removal
- “Securi” wordpress latest vulnerability – Google Search
- WeWatchYourWebsite.com – website malware removal
- The Web’s Largest Community Tracking Online Fraud & Abuse | Project Honey Pot
- WordPress › Force Strong Passwords « WordPress Plugins
- StrongVPN.com – Providing high speed, unlimited bandwidth, multiple country VPN accounts for over 100,000 users. Since 1995
- WordPress Secret Key Salts