By Jeffro on November 15, 2011
VaultPress has announced that the latest edition of the plugin now supports WordPress Multisite. This has been a killer feature that owners of large multisite installs have been waiting for. VaultPress will automatically back up each site that is installed within the network. However, it must be noted that only the network’s main site will have its users table, plugins, and themes backed up. For non-main sites, VaultPress will not back up users, plugins, or themes.
The money maker for VaultPress lies within the fact that each site within the network will require its own subscription, as if they were individual sites. There is not a plan that specifically covers multisite installations. Unless the sites within your network are making you some decent cash, this could potentially wipe you out from month to month, and you’ll need to decide as a site administrator how much that peace of mind is going to cost you. On the flip side, the way they have structured their plans allows you to back up only the most valuable sites within your network, providing you with more flexibility.
With regards to plan pricing, Pete Davies responded to a comment by Donnacha regarding a sliding pricing scale. It looks like it’s an opportunity that could be tapped into in the future.
Posted in News | Tagged Plugins, security, services, vaultpress |
By Jeffro on November 15, 2011
bbPress has released version 2.0.1, which is considered a maintenance release. However, if you have anonymous posting enabled, you’ll want to upgrade as soon as possible, as this release addresses an issue where anonymous posters could potentially be able to edit topics and replies. If upgrading from 2.0, try upgrading through the dashboard as you would with WordPress, since 2.0 introduced easy upgrades.
Posted in News | Tagged bbPress, forums, Plugins, security
By Jeffro on November 1, 2011
Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised through the script, but when filtering their results down to the past thirty days, there were over 200,000 results. The exploitation of the script is still an ongoing problem and will most likely continue to be for the foreseeable future. If you think an old version of the TimThumb script is on your server, use the TimThumb vulnerability scanner plugin.
The TimThumb exploitation event is interesting in that so many websites became compromised despite the issue not being relevant to the core of WordPress itself. I wonder if there are any other popular scripts or dependencies that plugins or themes use that could end up in the same situation?
Posted in News | Tagged exploit, images, security, timthumb |
By Jeffro on October 13, 2011
Chris Liversidge of Search Engine Land gives an explanation as to why WordPress is not his platform of choice when it comes to multinational search. I was with him up until the point he discussed security, where he states that WordPress is plagued by frequent security updates. This is not true. Security within WordPress has gotten better with time, not worse, and it’s not like we’re updating WordPress every two weeks. I’m not sure what Chris wants in a CMS platform. One update a year? One update every 3 months that fixes security vulnerabilities instead of getting that fix immediately?
Posted in WordPress | Tagged platform, search, security, wordpress |
By Jeffro on October 10, 2011
The article lists generally common-sense material, but it’s always good to remind people about these techniques. As far as I’m concerned, just being in the know and having awareness of what’s going on is half the battle.
On a final note, while website security can seem daunting and intimidating, it’s something that should be approached from a standpoint of keeping aware and in the know, such that, if issues do arise on your website, you are able to calmly resolve the issue and get your website back to where it was, knowing full well the scope of the security measures in place.
via – Four Ways To Improve Security On Your WordPress Site
Posted in WordPress | Tagged common sense, security, techniques, tips |
By Jeffro on September 5, 2011
Not sure if any of the plugins or themes you have installed within your wp-content directory contain the outdated version of TimThumb? Good news: there is a simple plugin that not only scans your content directory for the outdated version of the script, but also provides a link to quickly upgrade to the newer version. After installation, you’ll find the options page within the Tools menu. After running the scan on WPTavern for the first time, these were my results:
This plugin is especially useful to those who have more than a few themes or an abundant number of plugins installed, as it checks the entire contents of the wp-content directory. According to a post within the plugin’s support forum, it has not gone through specific testing with WordPress Multisite, but the author sees no reason why it wouldn’t work.
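An added example, not the scanner plugin’s own code, of the kind of content-based check the plugin performs: it walks a wp-content tree, picks out PHP files that identify themselves as TimThumb whatever they are named (themes often ship it as thumb.php), and compares the script’s VERSION constant against a threshold. The sample tree and the threshold "2.0" passed to the demo are constructed placeholders, not values from the post; set the threshold to the version the TimThumb project published as fixed.

```python
import os
import re
import tempfile

# TimThumb declares its version near the top of the file, e.g. define ('VERSION', '2.8.10');
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)")


def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def scan_wp_content(root, min_safe):
    """Return sorted (relative path, version or None, outdated) for every PHP file that looks like TimThumb.

    A file that mentions TimThumb but carries no VERSION define is reported as outdated (unknown is unsafe)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                head = fh.read(8192)  # the define sits near the top; no need to read large files whole
            if "timthumb" not in head.lower():
                continue
            match = VERSION_RE.search(head)
            version = match.group(1) if match else None
            outdated = version is None or parse_version(version) < parse_version(min_safe)
            findings.append((os.path.relpath(path, root), version, outdated))
    return sorted(findings)


def demo():
    """Constructed wp-content tree: an old copy renamed thumb.php, a current copy, and an unrelated file."""
    root = tempfile.mkdtemp()
    samples = {
        "themes/old-theme/thumb.php": "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.10');\n",
        "plugins/gallery/timthumb.php": "<?php\n/* TimThumb */\ndefine ('VERSION', '2.8.10');\n",
        "plugins/gallery/gallery.php": "<?php\n// unrelated plugin file\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_wp_content(root, "2.0")  # "2.0" is a placeholder threshold, see lead-in
```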
Posted in Plugins | Tagged plugin, security, timthumb |
By Jeffro on September 5, 2011
Joost de Valk, who is pretty popular these days, especially after the release of his Yoast SEO plugin, tells us the story of how one of his sites was hacked because a theme containing the TimThumb vulnerability was not updated. If that were not interesting enough, Joost shares a statistic that doesn’t surprise me one bit. According to Joost, after he releases an update to his plugins, he rarely sees more than 20% of the user base upgrade within the first week.
We, as a community, need to get better at that.
I agree. People such as myself have harped on the fact that people need to start upgrading their WordPress installs sooner rather than later once an update has been released. I don’t have the numbers to back it up but I’m willing to bet that thanks to the easier upgrading processes built into WordPress, there is a larger number of people updating within the first week compared to when users had to manually upload the updated files to the server.
As if keeping abreast of updates for WordPress were not enough, users have to be vigilant about knowing when there are updates for both plugins and themes. Despite WooThemes publishing the information on their website regarding the security flaw and the associated fix, Joost still became a victim one month later. It seems as though KNOWING about the update is at least half the battle. Therefore, what do you think is the best way or ways to keep users abreast of updates for plugins and themes, especially as it relates to security releases? As it stands, the only time I know of when a plugin or theme needs to be updated is when I’m at the dashboard screen and I see the notifications. Should there be a built-in function in WordPress that plugins as well as themes can use to send email notifications to administrators when an update is available? Or do we rely on plugin and theme authors to individually come up with ways to help their user base keep in touch with updates?
Posted in News | Tagged Plugins, security, Themes, updates |
By Jeffro on October 28, 2010
There’s been a lot of hype around a new tool that was released not too long ago called Firesheep. In a nutshell, Firesheep is an extension for Firefox that monitors the airwaves of public Wi-Fi to sniff out login credentials to popular websites such as WordPress.com, self-hosted WordPress installations, Twitter, Facebook, and more. Once those credentials have been located, Firesheep makes it easy for you to use them in order to gain access to someone’s account. In all actuality, this vulnerability is nothing new and has been around since the days wireless access was created. The only way to protect yourself from this vulnerability is to use an encrypted connection between your machine and the web server. This is typically handled via SSL.
If you want to protect your credentials for your self-hosted WordPress installation, the following Codex article, Administration Over SSL, is a good start. I’ve also learned, thanks to Otto, that the WordPress app for iPhone is also at risk of having credentials sniffed out because the app uses the XML-RPC protocol. Even using the app over 3G instead of Wi-Fi does not protect the data from sniffing.
We have a thread ongoing within the Tavern forum talking about Firesheep and data sniffing in general. As Otto points out, when in doubt, use encryption.
Posted in WordPress | Tagged firesheep, security, ssl |
By Jeffro on May 5, 2010
Over the weekend, numerous users on GoDaddy shared web hosting accounts reported that their sites had been hacked with injected malware. Neowin.net was able to get a hold of GoDaddy’s security expert Todd Redfoot, who explained what happened:
GoDaddy reassures customers that the attack was via WordPress and not an attack on the GoDaddy servers themselves. The coordinated attack on WordPress was formed in a botnet-like attack, which targeted outdated versions of WordPress, however, the exploit was not found in version 2.9.2. In some instances, users not running WordPress were also hacked, but did have an active or inactive WordPress installation on their account. In as many cases, users were unaware that an installation of WordPress was present on their account.
So in this instance, GoDaddy was not specifically attacked, but sites using WordPress on their servers were. This is another lesson that upgrading ASAP to lessen the chance of these types of exploits affecting your site is imperative in maintaining a healthy website.
On a related note, a couple of the U.S. Department of Treasury websites have been hacked as well. These sites are located within the Network Solutions hosting system, which explains the compromise. According to NetSol:
This past weekend, an application that we support on our hosting platform was exploited as we were in the process of fixing it. We believe we have fixed the issue and we were able to contain the number of potentially affected websites to less than 250.
Discussion regarding the hacks affecting the various webhosting companies is ongoing in the following WPTavern forum thread.
Posted in News | Tagged godaddy, hacks, hosting, security |
By Jeffro on May 4, 2010
Time and time again, when I would read an article about WordPress security or how to harden an install, I would see mentions of limiting the number of times someone can try to log into an account. I’ve never put much thought into the idea, but I’ve finally installed a plugin to help lessen the chance that someone will correctly brute-force my password. By default, WordPress does not limit the number of times a user can try to log in with an incorrect username or password. Someone could use a script that tries a dictionary attack on the wp-login page if they know the administrator username to gain access. This is why it is very important to either delete and create a new administrator account after a successful install or place the default admin account into the Subscriber role.
The plugin I used is called Limit Login Attempts. The plugin was created by Johan Eenfeldt and provides a simple way to limit anonymous login attempts. Limit Login Attempts is very easy to configure. I can edit how many retries are allowed, how many minutes the lockout should last, how many lockouts are needed before an even longer lockout time is put into place, and how many hours can go by before the retries are reset. For WPTavern, I’ve configured 3 retries and 20-minute lockouts, and after 4 lockouts the lockout time increases from 20 minutes to 24 hours. I can also view the number of lockouts that have been issued since the last time the counter was reset.

However, the thing I like most about this plugin is that I can tell it to notify me when someone has triggered a lockout. I’ve configured it to log the IP address and email me after 1 lockout. You can view the lockout log at the end of the configuration page, complete with the user’s IP address and the username they tried to log in with. Less than 24 hours after I installed this plugin, I received a notification of a lockout.

As you can see from the image, someone tried four times unsuccessfully to log into WPTavern.com with the username admin. I was quite surprised to see a lockout notification so soon after installing this plugin. I don’t keep a close eye on my log file, so this is a good way of knowing that this particular event is occurring. However, I’ve only received one lockout notification so far. I have to say, this is one of those types of plugins that everyone should have installed on their site, even if it’s just to be notified that someone is trying to break in.
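An added example, not the plugin’s own code (which is PHP), that simulates in Python the escalating lockout policy described above: 3 retries, 20-minute lockouts, a 24-hour lockout once 4 lockouts have accumulated, a per-lockout notification, and a log of IP and username. The 12-hour reset window, the notification threshold and the client addresses are constructed assumptions; timestamps are passed in by the caller so the policy can be exercised offline.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Settings mirroring the post's configuration; reset_hours is an assumed value."""
    allowed_retries: int = 3        # failed logins before a lockout is issued
    lockout_minutes: int = 20       # length of a normal lockout
    lockouts_before_long: int = 4   # lockouts that escalate to the long lockout
    long_lockout_hours: int = 24
    reset_hours: int = 12           # quiet hours after which the counters reset (assumed)
    notify_after: int = 1           # send a notification every this many lockouts


@dataclass
class ClientState:
    failures: int = 0
    lockouts: int = 0
    last_failure: float = 0.0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed logins per client IP; `now` is a UNIX timestamp supplied by the caller."""

    def __init__(self, policy, notify):
        self.policy, self.notify = policy, notify   # notify: callable taking a message string
        self.clients, self.log = {}, []             # log holds (ip, username, time) per lockout

    def is_locked(self, ip, now):
        """The login form should refuse the attempt outright while this is True."""
        st = self.clients.get(ip)
        return st is not None and now < st.locked_until

    def record_failure(self, ip, username, now):
        """Record one wrong username/password; returns True if it triggered a lockout."""
        p, st = self.policy, self.clients.setdefault(ip, ClientState())
        if st.last_failure and now - st.last_failure > p.reset_hours * 3600:
            st.failures = st.lockouts = 0           # simplification: both counters reset together
        st.failures, st.last_failure = st.failures + 1, now
        if st.failures < p.allowed_retries:
            return False
        st.failures, st.lockouts = 0, st.lockouts + 1
        escalate = st.lockouts >= p.lockouts_before_long
        minutes = p.long_lockout_hours * 60 if escalate else p.lockout_minutes
        st.locked_until = now + minutes * 60
        self.log.append((ip, username, now))
        if st.lockouts % p.notify_after == 0:
            self.notify(f"lockout #{st.lockouts} from {ip} for username {username!r}, {minutes} min")
        return True
```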
Posted in Plugins | Tagged lockdown, plugin, review, security |