Site Security – Is Your Site At Risk?

This past October, the WordPress security team used an internal feature to push a security update to a popular plugin. The ability to forcibly push an update was unknown to many, even among experienced developers.


The bug found in the Loginizer plugin, used by more than a million sites, was categorized as one of the worst security issues affecting a WordPress plugin in recent memory, which is why the security team at WordPress felt the action was necessary.

Not everyone appreciated WordPress’s proactive approach: users complained on Loginizer’s forum and on the WordPress.org site. Some were surprised to learn it was even possible to update a plugin that had automatic updates disabled. Users complained in 2015 as well, after WordPress first used the forced-update feature.

WordPress decided to push a security fix to thwart a dangerous SQL injection bug found in the plugin. The vulnerability could have enabled hackers to take over WordPress sites using outdated versions of Loginizer, which ironically provides security enhancements for the WordPress login page.

WordPress update

About two weeks later, WordPress rolled out the WordPress 5.5.2 security and maintenance release for WordPress core. This update contains ten security fixes, and WordPress recommends all users update their sites immediately.

As of 2016, WordPress powered about 34% of the 1.2 billion websites on the internet. A content management system (CMS), WordPress is preferred by web developers of basic and advanced skill levels, primarily due to its ease of use. With so many installs, it is a constant target for cybercriminals, and site owners around the world have fallen prey to a continual string of brute force and other types of attacks. These regular security updates from WordPress are critical to keeping these sites safe and available.

WordPress ecosystem

Not only does WordPress attract nefarious hackers, but it also attracts entrepreneurs. Companies such as Astra, iThemes, Sucuri, and Bullet have built their businesses on solving security issues for WordPress website owners.

Along with the ease of use of this popular CMS comes simple customization. No matter what type of site you wish to build, there is a plugin to provide ready-made customization. At last count, WordPress.org listed more than 58,000 solutions, but these plugins and themes are often the entry point for attacks.

WordPress, plugins, and themes are most often vulnerable to:

  • Brute Force Attacks - trying different username and password combinations until one grants entry.
  • Cross-Site Scripting - hackers entice victims to a site that contains malicious JavaScript code.
  • File Inclusions - exploitation of vulnerabilities in the WordPress PHP code.
  • Malware - code injected into the site to facilitate, for example, unauthorized redirects or to allow high-level access to your hosting account.
  • SQL Injections - attackers exploit insecure database queries to run SQL of their own, which gives them control over all the data and enables them to create admin accounts or insert content into the database, such as links to other sites that host malware.


Why is your WordPress website at risk?

Most WordPress websites (indeed, all websites) are vulnerable because website developers and owners do not follow security best practices. Poor passwords are a primary point of vulnerability, and one that is quickly addressed, yet thousands of sites are breached every day because of weak, easy-to-guess passwords.

Simple passwords

To impede brute force attacks, create complicated passwords by using 12 or more characters, mixing symbols, letters, and numbers, and ensuring the password is unique to your WordPress site. Password vault applications such as LastPass and 1Password make this easy.

No authentication

Multi-factor authentication provides an additional layer of security that, when added to other best practices, will help keep hackers from accessing your website. There are several applications, such as Google Authenticator for your mobile device, that verify that each access attempt is authorized.

Unused plugins and themes

Other points of entry for WordPress websites are outdated plugins and themes. Though sites run faster with fewer plugins, many website owners install plugins, try them, and then choose not to use the feature they provide. The abandoned plugins are left behind and updates ignored. Over time, websites may accumulate dozens of unused plugins and themes.

Exercise caution when installing new plugins and themes. Always download from trustworthy websites such as ThemeForest, CodeCanyon, and WordPress.org. Use fewer plugins by choosing those with multiple functions rather than several single-function plugins.

Delete themes by logging in to your hosting account or using FTP software. Also, check the database for orphaned tables created by plugins you’re no longer using.

No security plugin

Every site should have a security plugin, and there are many good ones. These are your first line of defense should hackers attempt to access your site. You will often find Sucuri, iThemes Security, All In One WP Security & Firewall, BulletProof Security, Jetpack, SecuPress, Cerber Security, and Wordfence on top-ten lists along with other lesser-known options.

No hosting security

Many hosting companies have security features included or available as an add-on service. Configure the software (and your WordPress security plugin) for regular scans—daily is not too often—and to alert you of any anomalies.

A backup plan

While every website owner should follow security best practices, the chance of having a site hacked still exists. Backup plans are the fail-safe when all that can go wrong does. Enable regular backups based upon how often you make changes to the site. If it’s a daily task, create daily backups. Store them off-site and keep a week’s worth in case you don’t discover an attack right away and need to go back several days to find a clean backup.

The developers behind WordPress work tirelessly to keep websites safe, but owners must take responsibility for ensuring their software is up to date and their passwords are secure. In the same way WordPress has made developing sites easy, it has also made security just as easy. Install updates, use complicated passwords, add authentication, and schedule backups to keep your site running and earning money.

This post originated on entrepreneur.com 

The Value Of Backups – WordPress

Our site was attacked recently with vicious malware that went deep into our website. No user information was taken; that wasn't the point of this nasty thing. The point was to redirect all of our visitors automatically to their junk. That junk could be either something to buy, or something that you would need to download in order for it to do its sinister duties.

As stated, there were no user accounts affected and no passwords or sensitive data stolen. It took many hours to finally remove all of the scripts, but it's finally done, thanks in large part to the team at IONOS.

I can't stress enough how important site security is. If you can afford it, buy it. Find the best site security package for your site and buy it. IONOS currently has a scan and remove security package for just $5.99/month. You can find that here.

Backing up your WordPress website is so vital to the success of your business. Setting up automatic backups is even better. We took some time off, and one of the reasons this penetrated so deeply into our site was because our previous backup process stored data for 5 days. By the time we got back to work, it had been well beyond that, so our most recent backup was compromised. It is good practice to back up daily onto a local hard drive. Here at Royalty Online Business, that was a practice of the past; however, we chose (incorrectly) to go with a paid solution that just wasn't right for us.

There are great plugins out there, paid and free, that back up your website for you automatically and daily. A good choice would be to find a plugin that allows you to download the backups off of their servers. Do some research, make sure your information (and, more importantly, your customers') is safe. Again, make sure you're saving local copies of your site's data on a safe and secure drive or server.

Lastly, keep your plugins updated.

This malware took advantage of a plugin that was not updated. Most plugin owners or businesses take security very seriously. When you have 800,000 people using your plugin, that is probably a wise thing to do. While there are options to keep plugins updated automatically, it is important to note that not all updates will work with your version of WordPress. Keep that in mind when updating your plugin. If it's a security patch, maybe disable your plugin until it's compatible with your version of WordPress.

Security is everything. Keep your business safe. Keep your customers safe.

Yoast – What is a progressive web app (PWA)? Why would you want one?

This article was originally published on Yoast. Click here to view the original article.

It’s been years since the beginning of the age of the smartphone. With it came the era of native apps. Apps continue to play a massive role in our daily life, and many business owners have asked themselves multiple times: should we have an app? Of course, the only answer to that is — it depends. Building and maintaining a native app is cumbersome and often quite expensive. Luckily, there is another option. This option combines the joys of a native app with the technology we use on the web: the progressive web app, a.k.a. PWA.

Edwin Toonen is a strategic content specialist. Before joining Yoast, he spent years honing his skill at The Netherlands’ leading web design magazine.


What is a PWA?

Twitter.com is a PWA

PWA stands for progressive web app. This is an app built from the web technologies we all know and love, like HTML, CSS, and JavaScript, but with a feel and functionality that rivals an actual native app. Thanks to a couple of smart additions, you can turn almost any website into a progressive web app. This means that you can build a PWA rather quickly, compared to a native app, which is pretty difficult to develop. Plus, you can offer all the features of native apps, like push notifications, offline support, and much more.

Many sites you find online are actually progressive web apps. Take twitter.com, for instance. If you visit that site on your smartphone, you can install it to your home screen. Now, on opening the saved Twitter site, you’ll notice that it looks and performs just like a native app. There’s no browser window or anything. There’s no difference in running it from an iPhone or an Android smartphone. Simply log in and you’re good to go. That’s a major benefit of building your web app with a PWA in mind.

PWAs are gaining popularity. Many big sites, like Starbucks.com, Pinterest.com, Washingtonpost.com and Uber.com, are PWAs: they are installable on your home screen and offer an experience comparable to their native apps.

What’s the difference between a native app and a PWA?

A native app, like the ones you download from Apple’s App Store or Google’s Play Store, is often built in a programming language specific to that platform. So for iOS apps, that would be Swift and for Android apps, Java. If you want to build an app for those platforms, you need to know the technology. Yes, there are shortcuts, but these come with their own limitations. If you want to have an app on all the mobile platforms, you need to know all the different technologies. There’s no easy way to build one and publish it to all the stores out there.

Of course, there are ways to get the best of both worlds. A progressive web app, for instance. This runs in the browser and — once saved to the home screen — functions like a native app. It even gets access to the underlying hardware and software that the browser can’t access for safety reasons. If the PWA performs great, users will never know that they are using a web-based app instead of a native one.

There are some caveats, of course. While browsers have been quick to adopt the technology for this, there are still some limitations. On iOS, support for the necessary technology in Safari is spotty. Apple doesn’t (want to) support everything yet, making it a bit of a chore to get the exact same experience everywhere.

What are the benefits of a PWA?

The main reason why everyone is chasing after apps is because they offer greater engagement. Users who install your app are your biggest fans and they are more likely to turn their usage into sales or signups. Thanks to push notifications it’s much easier to re-engage with users. Apps can offer an excellent experience that can do well for a brand.

We talked about some of the pluses of PWAs in this article, but here’s a short overview:

  • You don’t have to go through the process to get into different app stores
  • You can build PWAs with common web technologies
  • They are often cheaper to build
  • Since you’re turning your site into an app, you’ll have fewer code-bases to maintain
  • PWAs are responsive and work with many different screen sizes
  • PWAs are smooth, fast and lightweight
  • No need to hand off big chunks of money to Google and Apple
  • They work offline, unlike your regular site
  • PWAs are discoverable via search engines (which have a lot larger audience than app stores. Plus, if you want you can still get your PWAs distributed via app stores)
  • You can use push notifications to re-engage users
  • Installing a PWA can lead to higher engagement

Still, native apps win out sometimes. PWAs get deeper and deeper access to the operating system of a smartphone, but a native app can go deeper still. Plus, there are limits to what a PWA can do. For instance, PWAs are not the best choice when you want to build high-performance games.

All in all, it makes a lot of sense to think about having a PWA in your mobile strategy. But, the main question you should ask yourself is: does my audience want this?

Who’s this for?

Should everyone simply build a PWA and be done with it? No, consider your business and — more importantly — your target audience. Are they even using apps? Isn’t this an overly complex way of getting to what you want to achieve? Again, like everything, you need to research the needs of your audience. Ask yourself, what do you want this technology to do? Where are your users? Do they have a good data connection and solid hardware? How and where are they using your content? And do you think an app can help them do their job better?

PWAs are awesome and implementing them doesn’t have to be all that hard. But just because it’s easy doesn’t mean you should do it. If your audience has no need for it, why would you build one?

What are the SEO concerns of a PWA?

The PWA is inherently web-centric. It was born from the web and developed with search engines in mind to make discovery easy. Of course, you can make a progressive web app out of any old site, and it doesn’t take much to do so. However, many PWAs use JavaScript to build more complex functionality, and while search engines have become adept at rendering JavaScript, it can still be a cause for concern.

When setting up a PWA, you have to make sure your JavaScript is accessible. Don’t block files for bots and make sure that links are available. To improve the rendering process you can make your JavaScript framework use server-side rendering.

Turning your site into a PWA doesn’t mean you directly improve the SEO of that site. If it makes sense to turn your site into a PWA, do so, but don’t do it for any perceived SEO benefits. If you have a great PWA, you are offering your users a fantastic user experience, which might make you one-up your competition. In this regard, it’s a good idea to take a look at them for your mobile SEO strategy.

What are the three main building blocks?

It doesn’t take much to set up a PWA. There are three things you need to provide before your site turns into a valid PWA.

  • A secure connection (HTTPS): PWAs only work on trusted connections, you have to serve them over a secure connection. This is not only for security reasons, but it’s also a very important trust factor for users.
  • A service worker: A service worker is a piece of script that runs in the background. This helps you determine how to handle network requests for your PWA, making it possible to do more complex work.
  • The manifest file: This JSON file contains information on how your PWA should appear and function. Here, you determine the name, description, icons, colors, et cetera.
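As an added example (not code from the Yoast article or any project it mentions), the request-routing logic a service worker could use, plus a check of the manifest fields browsers commonly require before offering "install". The cache name, precache list and the paths treated as dynamic are assumptions; the manifest is a constructed sample.

```javascript
// Added example, not from the original article. Cache name, asset list and the
// paths treated as dynamic are assumptions; adjust them for a real site.
const STATIC_CACHE = 'static-v1';
const PRECACHE = ['/', '/app.js', '/style.css', '/manifest.json'];

// Decide how a service worker should handle one fetch.
// 'cache-first'  : same-origin static asset, serve from cache and fall back to the network
// 'network-only' : dynamic, authenticated or third-party request, never served from cache
// 'bypass'       : not a trusted (HTTPS or localhost) origin, so no service worker logic at all
function routeRequest(requestUrl, pageOrigin) {
  const url = new URL(requestUrl, pageOrigin);
  if (url.protocol !== 'https:' && url.hostname !== 'localhost') return 'bypass';
  if (url.origin !== new URL(pageOrigin).origin) return 'network-only';
  if (url.pathname.startsWith('/api/') || url.pathname.startsWith('/login')) return 'network-only';
  if (PRECACHE.includes(url.pathname) || /\.(js|css|png|svg|woff2)$/.test(url.pathname)) return 'cache-first';
  return 'network-only';
}

// Check a manifest for the fields browsers commonly require before offering "install".
// Returns a list of problems; an empty list means the manifest is installable in principle.
function checkManifest(manifest) {
  const problems = [];
  if (!manifest.name && !manifest.short_name) problems.push('name or short_name missing');
  if (typeof manifest.start_url !== 'string') problems.push('start_url missing');
  if (!['standalone', 'fullscreen', 'minimal-ui'].includes(manifest.display)) problems.push('display must hide browser UI');
  const icons = Array.isArray(manifest.icons) ? manifest.icons : [];
  if (!icons.some((i) => /\b(192x192|512x512)\b/.test(i.sizes || ''))) problems.push('need a 192x192 or 512x512 icon');
  return problems;
}

// Constructed sample manifest for the check above.
const SAMPLE_MANIFEST = {
  name: 'Example Shop', short_name: 'Shop', start_url: '/', display: 'standalone',
  theme_color: '#0a84ff', background_color: '#ffffff',
  icons: [{ src: '/icons/192.png', sizes: '192x192', type: 'image/png' }],
};

// Wire the handlers up only when actually running inside a service worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function' && 'caches' in self) {
  self.addEventListener('install', (event) => {
    event.waitUntil(caches.open(STATIC_CACHE).then((cache) => cache.addAll(PRECACHE)));
  });
  self.addEventListener('fetch', (event) => {
    if (routeRequest(event.request.url, self.location.origin) !== 'cache-first') return;
    event.respondWith(caches.match(event.request).then((hit) => hit || fetch(event.request).then((resp) => {
      const copy = resp.clone(); // clone before the body is consumed
      if (resp.ok) caches.open(STATIC_CACHE).then((c) => c.put(event.request, copy));
      return resp;
    })));
  });
}
```

The routing keeps authenticated and third-party responses out of the cache, so a compromised or stale cached asset can never stand in for dynamic content.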


Read the rest of this post at Yoast here...