WordPress website owners are always cautioned to keep their installations of WordPress, plugins and themes up to date. But when a plugin hasn’t been maintained or updated from the developer’s end, potential exploits threaten everyone who has it installed.

Being someone who grew up in the 90s, I still love video and audio cassettes. But as the world moved on to new technologies, the companies making the cassettes kept updating their technologies and methods too, and for good reason. However much I loved the uniqueness of magnetic tape, even I understood that it had its faults. It was time to move on.

The charm of old cassettes lingers

Most of the time, WordPress works in the same way too. The minute a problem is identified, developers work to release a fix for it, whether it is in an add-on or in WordPress core.

This is why almost every piece of advice on the internet about ‘security practices for WordPress’ starts by telling site owners to update every element on their site.

But what does one do when a vulnerability has been reported and the technology itself isn’t updated? The possibilities this opens up to hackers are endless, which makes this a particularly alarming situation.

What makes it worse is the fact that not many novice WordPress site owners know what to do when a plugin, theme or widget hasn’t been updated from the developer’s side. This became especially relevant at the end of September, when El Rincón de Zerial’s security blog reported a cross-site scripting vulnerability in W3 Total Cache.

About W3 Total Cache

W3 Total Cache is a WordPress caching plugin that helps sites load faster. A website’s load time, as any website owner knows, affects its reputation, views, and business. The faster it loads, the better it is perceived by its visitors. This is why caching plugins are so widely used in the WordPress community.

W3 Total Cache in particular had over 1 million active installs when the vulnerability was declared.

A screenshot of W3 Total Cache from the W3 Edge website (https://www.w3-edge.com)

This was because it had features that made it considerably better than other caching plugins, according to those who used it. Not only does the plugin cache every aspect of a WordPress site, from the HTML pages to objects in the site’s database, it also handles mobile caching well. Most other caching plugins only cached the HTML elements of a page, making their performance considerably lower.

The plugin, according to its page on the WordPress.org repository, has been used and trusted by the websites of companies such as AT&T, mashable.com and pearsonified.com, amongst others.

About W3 Total Cache’s vulnerability

When the XSS vulnerability was reported, users of the plugin had already been complaining about support-related issues for six months, and had received no response from the team that had developed it.

To add to this, the previous major ‘update’ to the plugin was only a simple change that made sure the plugin was compatible with the then latest versions of WordPress. Understandably, there was concern over the potential damage this vulnerability could wreak if it was exploited.

But this wasn’t the first time the plugin had displayed vulnerabilities. Just like any other plugin, W3 Total Cache has had its share of loopholes that were sometimes exploited, as has been the case with other caching plugins like WP Super Cache.

The good news

The silver lining in this situation was the fact that the original developers of the plugin released an update six days after the vulnerability was disclosed. The update patched not just this exploitable loophole but four more that were disclosed by SecuPress, and it also introduced a number of new features.

The bad news

However, a number of users of W3 Total Cache who updated their version of the plugin have reported that it breaks their sites, or renders some features useless.

What to do in case of an outdated plugin

This brings us to the most important course of action. When faced with a plugin or theme that is obviously out of date:

  1. Disable the plugin/theme until an update addressing the vulnerability has been released.
  2. If it’s not a premium plugin or theme, follow its support forum on WordPress.org.
  3. If an update with the patch for the vulnerability takes more than 48 hours to come through after the vulnerability is announced, try to contact the developer, informing them about the vulnerability and quoting your sources.
  4. In the meanwhile, try to find alternatives that are compatible with your site in order to keep your site fully functional.
  5. If the update takes more than a month to come through, you could ask the community if someone would like to adopt the theme/plugin. This procedure has its own steps, which you will have to follow after communicating the problem to both the WordPress team and the community.
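Steps 1 to 3 boil down to a check you can re-run every day: is the installed version still below the version the advisory says is fixed, has the catalog shipped anything newer, and does the plugin look maintained at all? The script below is an added example, not code from the original post. It assumes an inventory in the shape of `wp plugin list --format=json` and catalog metadata in the shape of the WordPress.org plugin-information API (version, last_updated, tested); the `hypothetical-*` slugs, the version numbers, the dates and the one-year staleness threshold are constructed placeholders, not real advisory data. The same check answers the later advice in this page about seeing when a plugin was last updated and whether it is still supported.

```python
"""Audit installed plugins against an advisory and the plugin catalog.

Added example, not code from the original post. It assumes an inventory shaped
like `wp plugin list --format=json` (name/status/version/update) and catalog
metadata shaped like the WordPress.org plugin-information API (version,
last_updated, tested). Slugs other than w3-total-cache, all version numbers and
all dates below are constructed placeholders, not real advisory data.
"""
from datetime import datetime

# Constructed inventory, in the shape WP-CLI prints for `wp plugin list --format=json`.
INVENTORY = [
    {"name": "w3-total-cache", "status": "active", "version": "1.4.0", "update": "available"},
    {"name": "hypothetical-gallery", "status": "active", "version": "2.0.0", "update": "none"},
    {"name": "hypothetical-forms", "status": "inactive", "version": "1.3.2", "update": "none"},
]

# Constructed catalog metadata, in the shape of the WordPress.org plugin-information API.
CATALOG = {
    "w3-total-cache": {"version": "1.4.1", "last_updated": "2016-10-07", "tested": "4.6.1"},
    "hypothetical-gallery": {"version": "2.0.0", "last_updated": "2014-03-11", "tested": "3.9"},
    "hypothetical-forms": {"version": "1.3.2", "last_updated": "2016-09-20", "tested": "4.6"},
}

# Constructed advisory list: slug -> first version that contains the fix.
ADVISORIES = {"w3-total-cache": "1.4.1"}


def parse_version(text):
    """'1.4.0' -> (1, 4, 0), so that versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def days_between(earlier, later):
    """Whole days from one ISO date string to another."""
    fmt = "%Y-%m-%d"
    return (datetime.strptime(later, fmt) - datetime.strptime(earlier, fmt)).days


def audit(inventory, catalog, advisories, today, wp_version, stale_days=365):
    """Return {slug: [findings]}; an empty list means nothing to act on for that plugin.

    The order of the checks mirrors the steps above: an active plugin below the
    fixed version comes first (deactivate), then whether the fix has shipped,
    then signs that the plugin is no longer maintained.
    """
    findings = {}
    for plugin in inventory:
        slug, notes = plugin["name"], []
        installed = parse_version(plugin["version"])
        if slug in advisories and installed < parse_version(advisories[slug]):
            if plugin["status"] == "active":
                notes.append("VULNERABLE: active and below fixed version %s; deactivate now" % advisories[slug])
            else:
                notes.append("vulnerable version installed but inactive; update or remove")
        meta = catalog.get(slug)
        if meta is None:
            notes.append("not in catalog: maintenance status cannot be verified")
            findings[slug] = notes
            continue
        if installed < parse_version(meta["version"]):
            notes.append("update available: %s -> %s" % (plugin["version"], meta["version"]))
        age = days_between(meta["last_updated"], today)
        if age > stale_days:
            notes.append("possibly abandoned: last updated %d days ago" % age)
        # Compare against major.minor only; a plugin tested on 4.6 is fine on 4.6.1.
        if parse_version(meta["tested"]) < parse_version(wp_version)[:2]:
            notes.append("only tested up to WordPress %s" % meta["tested"])
        findings[slug] = notes
    return findings


if __name__ == "__main__":
    for slug, notes in audit(INVENTORY, CATALOG, ADVISORIES, "2016-10-10", "4.6.1").items():
        print(slug, "->", notes or ["ok"])
```

Feeding it real data is a matter of replacing the three constructed structures with the output of `wp plugin list --format=json`, the catalog API responses, and whatever fixed version the advisory names; the "VULNERABLE" finding is the one that should page someone, the others are the weekly review list.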

This is why it’s important to always have a backup plan: you never know when a plugin is going to stop being updated.

After all, a number of contributors are developers who contribute to the community as a hobby. It takes a lot of time and effort to not only create a plugin, but to identify how to patch up vulnerabilities and do it according to the best security practices as well.
Moreover, when the plugin/theme is actually updated, you never know if it’s going to break your WordPress site. Reliable backup solutions that allow you to test your backups before they go live on your site, are not just an option in such cases… they’re a necessity.


WordPress is the fastest-growing, most popular CMS in the world because of its user-friendly features, but this also puts a target on its back. Why is WordPress popular with hackers?

WordPress is a popular hacker target

Whether it’s a simple blogger writing about college experiences, or Time magazine, WordPress is the CMS of choice for anyone looking to publish content on a website. And for good reason too: WordPress is not only Open Source, it’s extensible, flexible and supported by a community that actively contributes.

How popular is WordPress?

WordPress is currently the most used, and the fastest-growing, CMS in the world. According to data from W3Techs for August 2016, 246 WordPress sites were added to the internet every day.

WordPress’ growth for August 2016, according to W3Techs’ data

By September 2016, this number had only increased:

WordPress’ growth in September 2016, according to W3Techs’ data

This illustrates the rapid pace at which WordPress is growing, and that its rate of adoption has kept climbing. Considering all the features that make WordPress popular, it’s not surprising how the CMS got to this position, or why it will keep growing.

After all, the CMS is Open Source, meaning that it is transparent to anyone who wants to learn how to use it effectively, while also offering a number of add-ons that help make it convenient, extensible and functional. What makes it the most popular amongst Open Source CMSes like Joomla and Drupal, though, is the fact that it is more user-friendly. WordPress requires less technical knowledge than any other Open Source CMS, and is a lot simpler to use in that regard.


WordPress’ popularity makes it an obvious target

WordPress started out as a publishing platform that only needed basic technical knowledge to handle. This is what made WordPress popular. However, it didn’t stop at that. The more users it acquired, the more was created for it by the community. The add-ons created made WordPress more flexible, and more functional. This meant it became more widely used.

Data from W3Techs shows that of all the websites in the world, 54.6% don’t use a CMS at all.
Of the rest that do rely on a CMS (45.4%), WordPress powers 26.7%, meaning it is the base for 58.9% of all websites that run on a CMS.

WordPress is the most popular CMS according to W3Techs

Having more users than any other CMS put a target on WordPress’ back… similar to how the Windows operating system was targeted when it was still new.

Back then, since the OS was so widely used, hackers targeted vulnerabilities that the developers hadn’t foreseen. This ensured that more users could potentially be affected by a single hack. All the hackers needed to do was to ensure that the malicious files were made accessible to the users. With WordPress even that isn’t a concern, since all a hacker has to do is find a way to automate an exploit.

Most hacks are automated, which means they don’t need the hacker’s intervention. The hacker only programs a crawler bot to run malicious code when it finds a vulnerability that allows it to run. The bot then replicates the exploit on other sites that have the same common vulnerability. This could lead to millions of sites getting compromised at a time.
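The defender’s counterpart to this automation is to recognise the crawler in your own access logs before it finds anything. The following script is an added example (not code from the original post): it flags any client that requests many distinct plugin or theme directories within a minute, most of them answered with 404, which is how a bot enumerating add-ons looks and how a browser loading a page does not. The log lines are constructed in the common/combined format; the IP addresses, plugin slugs and thresholds are placeholders.

```python
"""Spot automated add-on enumeration in web server access logs.

Added example, not code from the original post. Heuristic: one client requesting
many *distinct* /wp-content/plugins/ or /wp-content/themes/ directories inside a
short window, with most answered 404, is behaving like the crawler described
above rather than like a browser loading a page. The log lines below are
constructed in the common/combined format; the IPs and slugs are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ADDON_RE = re.compile(r"^/wp-content/(plugins|themes)/([^/?]+)")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2016:12:00:01 +0000] "GET /wp-content/plugins/plugin-a/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2016:12:00:02 +0000] "GET /wp-content/plugins/plugin-b/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2016:12:00:02 +0000] "GET /wp-content/plugins/plugin-c/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2016:12:00:03 +0000] "GET /wp-content/plugins/plugin-d/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2016:12:00:04 +0000] "GET /wp-content/plugins/plugin-e/ HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2016:12:00:05 +0000] "GET /wp-content/plugins/w3-total-cache/ HTTP/1.1" 200 0
198.51.100.4 - - [10/Oct/2016:12:00:05 +0000] "GET /wp-content/themes/twentysixteen/style.css HTTP/1.1" 200 8841
198.51.100.4 - - [10/Oct/2016:12:00:05 +0000] "GET /wp-content/plugins/hypothetical-slider/js/slider.js HTTP/1.1" 200 1201
192.0.2.9 - - [10/Oct/2016:12:00:40 +0000] "GET /wp-content/plugins/plugin-x/ HTTP/1.1" 404 162
192.0.2.9 - - [10/Oct/2016:12:00:41 +0000] "GET /wp-content/plugins/plugin-x/ HTTP/1.1" 404 162
"""


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that are not access-log records."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def find_sweepers(log_text, window_seconds=60, min_distinct=5, min_miss_ratio=0.8):
    """Return {ip: stats} for clients whose add-on requests look like enumeration."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        m = ADDON_RE.match(path)
        if m:
            per_ip[ip].append((ts, m.group(2), status))

    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        # Slide a window from each request; flag on the first window that crosses both thresholds.
        for i, (start, _, _) in enumerate(hits):
            window = [h for h in hits[i:] if (h[0] - start).total_seconds() <= window_seconds]
            distinct = {slug for _, slug, _ in window}
            misses = sum(1 for _, _, status in window if status == 404)
            if len(distinct) >= min_distinct and misses / len(window) >= min_miss_ratio:
                flagged[ip] = {"distinct_addons": len(distinct), "requests": len(window), "misses": misses}
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in find_sweepers(SAMPLE_LOG).items():
        print("possible add-on enumeration from", ip, stats)
```

The thresholds are deliberately conservative: a real visitor with a plugin-heavy theme can touch two or three plugin directories per page, all of them 200, while the enumeration pattern is many directories that do not exist. Tune `min_distinct` and the 404 ratio against a day of your own logs before acting on the output.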

Reason #1: Wide scope, more damage

According to WordPress, there are about 22.9 million page views on WordPress sites per month. This makes WordPress an attractive target for hackers’ attacks. The way they see it, the larger the audience, the greater the potential damage an attack can cause.

Hackers perform exploits for a number of reasons, so the scope of this damage can vary, but what they aim for is to gain the most out of a single exploit, whether it is visibility, information or resources. All it takes to hit the jackpot is one unique, undetectable exploit.

One example of this was the case of TimThumb (an image-to-thumbnail resizing plugin), which was so popular that a number of themes had it bundled with their offering. So users didn’t even have to install the plugin for their site to be vulnerable. If they were unaware that the theme being used on their WordPress site included the plugin, they would be sitting ducks. When it was exploited, a number of users got hacked because they didn’t even know that they had the vulnerable code on their sites.

Moreover, with attacks like Cross-site Scripting (XSS), all it takes for malicious code to propagate is people simply visiting the infected sites, or using them. Attacks like these maximise the range of the damage, and spread exponentially.

Reason #2: WordPress has all sorts of users

WordPress sites can host anything from a forum to an e-commerce site, with the help of add-ons (plugins, themes and widgets). This makes the CMS extremely popular amongst users.

Even those who are code-illiterate can perform basic modifications to their site, and publish content. However, what most users don’t expect is the amount of work, and technical expertise, it takes to maintain a WordPress site. Maintaining a fairly secure WordPress site requires great attention to detail and perseverance, especially since simply updating an add-on on the site could lead to the whole site crashing. Not performing the update, on the other hand, would leave the site vulnerable to attacks. Users therefore have to acquaint themselves with the basics of a WordPress site, such as the parts of a site, what they contain, and how to test updates before applying them… or at least invest in a WordPress backup solution that is reliable and sensible. However, since a considerable portion of the WordPress user community doesn’t have the technical know-how or the time required, they are easy targets. What makes this scenario worse is the fact that a large portion of the community are novices who are unaware of how hacks work, or what could make a website insecure.

Another factor to consider is that WordPress users with the right amount of technical know-how can modify their installations of WordPress to suit their needs. Those who don’t have the expertise or time, however, rely heavily on plugins for added functionality. This leads to vulnerabilities, since not every plugin or theme is coded according to WordPress standards. This gives hackers a lot of room: any one outdated plugin could be exploited easily. And again, if the plugin is widely used, then all they have to do to exploit multiple sites is identify the sites that use the vulnerable version and replicate the exploit.

Reason #3: WordPress has all sorts of developers

Since it runs on the Open Source philosophy, WordPress has everyone from the community contributing code to it, from novices to experts.

This means users who have only just started experimenting with code, contribute alongside hobbyists, expert developers, and third-parties too (who code premium add-ons made available on websites like ThemeForest). Every contributor can access resources from the community, such as the WordPress Codex, forums, and other websites, but there is no way to make sure that the contributors follow them. This obviously means there is room for error, which makes WordPress a low-hanging fruit for hackers.

Added to this, WordPress runs on a ‘security through transparency’ model, which means that everything, every vulnerability, where it was found and every security patch, is announced to the community. Hackers, therefore, don’t even need to put in the effort to find vulnerabilities or work out how they work. All they have to do is scan the WordPress community for news, and put two and two together to exploit websites that are still vulnerable. The situation is exacerbated by the fact that WordPress users, due to maintenance issues, don’t usually apply patches as fast as they should.

So is WordPress safe?

Going back to our Windows analogy, in spite of the system quickly adapting, people still perceive it as being insecure when compared to Linux-based Operating Systems. This is because hackers target it since it has the most users. The same applies to WordPress.

All of the reasons mentioned above do not mean that WordPress is in itself vulnerable to attacks; in fact, there haven’t been any major exploits on WordPress core because of how stringent quality control is with the core.

However, more vulnerabilities are reported on WordPress because of how ‘security through transparency’ works on WordPress. This gives the illusion that the CMS isn’t safe, but to be fair, there is no such thing as a completely secure website. WordPress is susceptible to hacks because of a number of factors, such as the varied demographic of its user and developer base, but following simple security measures eliminates a number of risks and entry points.

Since hacks are such a prevalent threat, the wisest security measure, would be to invest in an intelligent malware scanner and hack cleaner designed especially for WordPress, like MalCare.

Data centers have struggled to cope with natural disasters. Hurricane Sandy brought forth enterprising stories of efforts not in the disaster management plan. Do you know how your WordPress site is affected in a natural disaster and how your data center is affected by it?

You may wonder why we are talking about an issue which might not affect your hosting service or your business as often as other hosting issues. However, not only is the damage to infrastructure and power supply real, it may also be more severe than the minor glitches which occur operationally. This means more downtime and more losses.

Natural disasters cause data centers much damage and downtime.

Research reveals that data centers are still affected by natural disasters, with many not built to conditions that would allow operations to continue after one. This means that if your WordPress hosting provider’s infrastructure is compromised, then your sites are too. If you back up with your hosting provider, then you may just have lost all your data.

Natural Disasters

You know of the damage Hurricane Sandy wreaked once it reached land. It hit Manhattan, a region densely populated with data centers; and many of them were forced to rely on generators and fuel deliveries. However, others had to allow their data centers to shut down after the power backup was exhausted.

How One Data Center Avoided Power Outage during Hurricane Sandy

Peer1 had its center in Manhattan when Hurricane Sandy hit. Reportedly, they could not rely on fuel deliveries alone, because their fuel pumps, located in the basement, were taken out when water entered them. This made the fuel in their fuel tank inaccessible. Peer1 staff, volunteers and employees reportedly carried small quantities of fuel by hand up 18 flights of stairs to keep a fuel tank on the floor filled. This meant an entire night and morning of tiring work to keep the center up and running through the storm. Peer1 survived the storm with improvised initiatives which were not part of their disaster recovery plan. Their actions also meant that their clients did not have to experience an outage.

However, this is not the case with all data centers. Hurricane Sandy took down another data center, Datagram, and websites like Gawker, Gizmodo, The Huffington Post and BuzzFeed experienced downtime.

While the staff of Peer1 took extraordinary measures and were able to think on their feet, you cannot count on such measures to work every time. During Hurricane Sandy some data centers were submerged, with the IT equipment severely damaged. Others, like in the Peer1 example, protected their servers but were affected because the power supply was cut off. Natural disasters have a domino effect and can adversely impact your data center even though the infrastructure of the data center itself may not be directly harmed.

When data centers began reporting on the damage caused by the floods, some users were naturally disappointed about the level of preparation. If facilities are not designed to operate during floods or earthquakes, then there is not a lot you can do in a couple of days or even a week to change that, especially when the intensity is dire.

Accidents

However, sometimes even planning is not enough. Even if a data center is built with the natural elements in mind, it may not cover accidents. No, we are not talking about human errors when people reboot the wrong machine, spill drinks or mix up cable connections, but more along the lines of the welding accident which caused an Amazon data center that was not yet in service to catch fire. Accidents like that happen, and they are not something one can prepare for, although they may have been avoidable.

Not all cases are that clear cut though. It was reported that a person driving an SUV fell unconscious behind the wheel when his blood sugar level dropped. The vehicle continued to accelerate, crashed into a wall and knocked out the generator inside it. It was the building Rackspace was using to house power generators for its data center. The unexpected power failure threw a spanner in the works for both Rackspace and its clients. As a result of the accident, some users experienced hours of downtime. Rackspace reportedly ended up paying US $3.5 million in refunds.

What This Teaches Us About WordPress Backups

One client of Rackspace, following the incident, was quoted as saying, “We’ll work hard to further diversify our systems”. Perhaps this is the best lesson to take away from not only the above story but this article. A disaster recovery plan, after all, is meant for such circumstances. For all the above-mentioned reasons, you’ll need a disaster recovery plan which is precisely that: a viable, rehearsed and reliable plan which can recover your data in the case of a disaster that renders your hosting provider completely inaccessible. Having an effective and independent WordPress backup service like BlogVault protecting your data would be a worry-free solution.

The competitive hosting space and the increasing cost of downtime all mean that having your WordPress site down is becoming more and more expensive. A web host’s success and your WordPress site’s uptime are dependent on having reliable power supply and power backup.

Your website’s uptime and your web host’s success depend on a reliable power supply and power backup.

Nowadays, when power supply and data centers are the topics in focus, the discussion is generally about the increasing demand for storage space, the increase in power consumption by data centers, and thereby the increase in carbon footprint. This is over and above the fact that, as data center hardware has become more efficient, so have their operations.

However, WordPress site owners also have a parallel and pressing issue at hand. Data centers usually boast of 99% or 100% uptime. This is because they are usually aware of the cost of downtime to site owners. The data on the cost of downtime is growing all the time, and not only are business owners becoming increasingly aware of this point; so are web hosting services. Hence the promises.

Apart from this, frequent downtime and delays in page loading cause users to forego purchases they would have otherwise made. This goes for the percentage of people willing to engage with your brand online as well. As a result your company’s online reputation takes a hit.

Although many factors go into delivering good WordPress hosting, it is dependent on having reliable power supply and power backup. This is because power supply is key to not only powering the servers but also the cooling systems that regulate temperature and security systems in the data center.

Power supply in a data center has to power

  • Servers
  • Air handlers / Cooling / Heating
  • Generators & UPS system(backup)
  • Lighting
  • Fire suppression system
  • Alarm system

While each of these components has its own set of issues and failure rates, we won’t even get to that discussion without power supply and backup.

Parts of a WordPress hosting center’s power supply and power backup which can go wrong:

Power Supply

  • Power generator
  • Backup power generator

Power Backup

  • UPS
  • Batteries

The reason for a backup generator is obviously redundancy. Having a backup helps, in case the power supply fails. In addition to this, hosting providers have a power backup system with UPS.

Power outages can happen for a myriad of reasons, from the expected to the less probable ones:

  • Bad/Outdated hardware
  • Expired battery
  • Insufficient cooling
  • Natural Disasters & Accidents
  • UPS failure during maintenance
  • Not performing power failure tests

There is a need to perform regular checks to not only ensure that the hardware is in good condition but also that the system is functioning as expected.

Testing Power Backup Systems

Usually power backup needs to be able to power the entire data center when it is off grid or completely unplugged. It may take several hours before power supply is restored. Also, power backup needs to kick in as soon as power supply is down. Testing if the infrastructure in place is capable of this is important.

The Boxes to Tick

Making sure the batteries are functional and charged is important. Batteries have a shelf life and a limited life cycle, and need to be replaced periodically. This comes under maintenance, and good hosting providers always run these tests to make sure that the hardware and software in place to control these systems are functioning as expected, rather than finding out as a surprise during a power outage. This means testing the power backup system by simulating a power outage.

Performing checks after maintenance or after replacing batteries also takes care of any loose connections or hardware issues that may have occurred during maintenance.

From maintenance errors to failures, accidents and natural disasters, you can’t discount any factor and must be prepared for all contingencies.

Failures: A simple hardware failure like a generator fan can trigger a power outage. When the generator is Amazon’s, clients like Hootsuite, Quora and Pinterest experience difficulties. No data center is too big a name or too small in size to avoid experiencing issues with its power supply. It is good to be prepared.

Natural Disasters: Natural disasters almost always cause power outages. In the aftermath of Hurricane Sandy, Peer1 employees had to form a human chain to carry fuel up 18 flights of stairs to their generators in order to keep the power on and ensure that the data center stayed up and running.

Accident: In another case, a series of perfectly aligned coincidences resulted in an accident which knocked out Rackspace’s power generators, costing the company 3.5 million dollars in refunds and leaving its clients experiencing unexpected downtime for hours.

Backup Your WordPress Site

The competitive hosting space and the increasing cost of downtime all mean that having your WordPress site down is becoming more and more unaffordable. Apart from just money, it can affect your reputation and SEO (Google rankings), and increase drop-off rates. This is the reason you will need to rely on WordPress backups with best practices, like BlogVault, to reduce dependency on your web host as well as mitigate the costs incurred when your WordPress site goes down.

WordPress offers countless themes and plugins to its users, all of which have resulted in an exponential expansion of WordPress functionality, without changing its core structure. Today, whatever it is you wish to do with your website/on your website/to your website, there’s a plugin/theme for you to work with.

To the untrained eye, all plugins and themes appear the same, well coded or not. It takes an experienced programmer to distinguish between a plugin or theme that’s well-built and one that’s not. In most cases, you get what you pay for; if a plugin or theme is free/cheap, there’s a reason for it – the plugin/theme could be outdated, buggy, bloated, or unsecure. Of course, this does not mean that expensive themes and plugins are infallible and perfect – no plugin/theme is. Therefore, it is always wise to exercise caution while trying out a new theme or plugin on your site for the first time.

How much harm can badly written code cause?

Low-quality or improperly tested code, more often than not, results in a poor user experience; it has the potential to hurt the entire WordPress ecosystem. One of our customers, A. Hanna of the Saudi Arabian Cultural Mission in New Zealand, ran into a bit of trouble recently when his website, one fine day, displayed a fatal error at the bottom of the page. Even after restoring an older backup version of the site, the fatal error was still present. Clueless as to the reason behind the error, and worried sick about his website, he wrote to our Support team at BlogVault.

The fatal error that appeared on the customer’s site

On analyzing the situation, our support team found that the theme used by the creator of the website pulled in an RSS feed from another website, which was returning a fatal error. The root cause of the problem, however, was that the code handling the RSS feed had a bug, which surfaced when the remote feed failed. In a nutshell, the theme had faulty code, which caused the website to display the fatal error. Although this issue was out of their scope, our support team went the extra mile to advise the customer on how to resolve the bug and get things sorted.
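To show what the fix for this class of bug looks like, here is an added example in Python (not the customer’s theme code, which would have been PHP, and not from the original post). A feed widget has to treat the remote site as something that can time out, answer with an HTML error page instead of XML, or send a truncated document, and in every one of those cases it must fall back to showing nothing rather than failing the whole page. The feed bodies are constructed, and the small `fetch_*` functions stand in for the remote site so the script runs offline; `http_fetch` is what a real deployment would pass in.

```python
"""A feed widget that cannot take the page down with it.

Added example, not the customer's theme code and not from the original post.
It models the failure described above: a theme pulls an RSS feed from another
site, and a bug in that handling surfaces as a fatal error for the whole page.
Here every failure (network error, timeout, non-XML body, truncated XML, missing
elements) collapses to an empty item list plus a logged reason, so the rest of
the page still renders.
"""
import logging
import urllib.request
import xml.etree.ElementTree as ET

log = logging.getLogger("feed-widget")


def http_fetch(url, timeout=3):
    """Real fetcher with a bounded timeout, so a slow remote cannot stall rendering."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def parse_items(raw, limit=5):
    """Parse RSS 2.0 bytes into [{'title', 'link'}]; malformed XML raises ET.ParseError."""
    root = ET.fromstring(raw)
    items = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "(untitled)").strip()
        link = (item.findtext("link") or "").strip()
        items.append({"title": title, "link": link})
        if len(items) >= limit:
            break
    return items


def safe_feed_items(url, fetch=http_fetch, limit=5):
    """Never raises: any failure yields [] so the surrounding page still renders."""
    try:
        raw = fetch(url)
    except Exception as exc:  # deliberately broad: DNS, timeouts, HTTP errors, anything remote
        log.warning("feed %s unavailable: %s", url, exc)
        return []
    try:
        return parse_items(raw, limit)
    except ET.ParseError as exc:  # remote returned something that is not XML
        log.warning("feed %s not parseable: %s", url, exc)
        return []


# Constructed responses standing in for the remote site.
GOOD_FEED = b"""<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example</title>
<item><title>First post</title><link>https://example.org/1</link></item>
<item><title>Second post</title><link>https://example.org/2</link></item>
</channel></rss>"""
HTML_ERROR_PAGE = b"<html><body><h1>Fatal error on the remote site</h1></body></html>"
TRUNCATED_FEED = b'<?xml version="1.0"?><rss version="2.0"><channel><item><title>Cut off'


def fetch_good(url):
    return GOOD_FEED


def fetch_html_error(url):
    return HTML_ERROR_PAGE


def fetch_truncated(url):
    return TRUNCATED_FEED


def fetch_timeout(url):
    raise TimeoutError("simulated timeout")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, fetch in [("good", fetch_good), ("html", fetch_html_error),
                        ("truncated", fetch_truncated), ("timeout", fetch_timeout)]:
        print(name, "->", safe_feed_items("https://example.org/feed", fetch=fetch))
```

The two design points carry over to any language: the network call has a timeout and its failure is caught at the widget boundary, and parsing is separated from fetching so a non-XML body is a logged warning rather than an uncaught exception. In a WordPress theme the equivalent is checking the return value of the feed call for an error object before touching its contents.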

The code snippet that was causing the issue

Now, if one minor bug in your theme can give you so much pain, imagine what a badly written theme could do! The same goes for plugins too. Remember, a theme that looks good or a plugin that sounds great does not necessarily have to be properly coded. As the age-old adage goes, do not judge a book by its cover.

So what should you do?

For starters, before purchasing any theme/plugin, do a thorough background check of its source – read as many reviews as you can; see what other users have to say about the theme/plugin that you’re interested in. These offer tell-tale signs as to whether or not you’ll have a good experience with the theme/plugin. Also, make sure that the theme/plugin is well-documented, so you have ample instructions on how to configure it. Further, it is advisable to check when the theme/plugin was last updated, and if it’s well supported.

The Last Word

Themes and plugins are powerful in terms of what they can do to your website – they can make or break it. Anything can happen when you install a new plugin/theme on your website. Every plugin you install and every theme you activate, is a potential security risk to your site. So do yourself a favour and make a complete backup of your website before clicking on ‘Activate’.

How to reduce your bounce rate by over 40% (or at least how we did it!)

In fact, it was so radical that even the prospect of AB testing it had to be thrown out of the window, it’d be like apples and oranges, and so we took a deep breath, popped her out of the door and waited to see what happened… gulp.

Read more: http://wpmu.org/how-to-reduce-your-bounce-rate/

Learn If WordPress Is Secure

One of the most common questions that people have when they are thinking about using self hosted WordPress for their website revolves around whether or not WordPress is secure. When you’re running a website for either personal or business reasons, you want to make sure that your site isn’t vulnerable to attacks.

Read more: http://www.learnhowtousewordpress.com/learn-if-wordpress-is-secure

Serve your WordPress site 10x faster

You might be thinking to yourself, this guy is trying to sell some type of miracle snake-oil potion. How could it be so easy to speed up your WordPress site? The truth of the matter is that most of the time we don’t take advantage of many of the resources available to us. Most WordPress users are delivering uncompressed content to visitors of their sites.

Read more: http://www.benjaminbradley.com/serve-your-wordpress-site-10x-faster/