Yesterday the vulnerability was announced. If you’re a RealBasics maintenance client using All in One SEO Pack your site is already protected and the plugin fixed.
Today the All in One SEO Pack plugin team released an emergency security update that patches two critical privilege escalation vulnerabilities and one cross-site scripting (XSS) flaw, discovered by security researchers at Sucuri, a web monitoring and malware cleanup service.
More than 73 million websites on the Internet run on the WordPress publishing platform, and more than 15 million of them currently use the All in One SEO Pack plugin for search engine optimization.
Don’t get us wrong: All in One SEO Pack is a great tool backed by responsive developers, who released an update closing the vulnerability very quickly. The risk is that current users may not get the message, log into their websites, and perform the update. Keeping your software up to date and security scanned are just two of the core benefits we offer here at RealBasics.com.
If you’d like this kind of coverage give us a call – (206) 390-8082.
There’s so much to like about the new WordPress 3.9. If you’re a RealBasics maintenance client your site’s already been backed up, security checked, optimized, and updated to 3.9. (If you’re not a maintenance client then give us a call!)
- Much more mobile friendly interfaces!
- Improved visual editing — better format options, more mobile friendly.
- Add photos by dragging and dropping from your desktop! (No “Add Media” button required for most images!)
- Easy image editing too! (Resize just by dragging to name just one new feature!)
- Gallery previews (no more guessing what’s in the big yellow box!)
- Paste text formatted from your favorite word processors, email, even other websites! (No more “Paste from Word!”)
- Lots of behind-the-scenes features for the techies and nerds at RealBasics.com and elsewhere.
We say check it out.
On the other hand if you’re already one of our service customers your software’s already updated and your site is secure.
Here’s the warning from the good folks at WordFence:
WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165
WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166
What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.
The post also warns of a vulnerability in the TwitGet plugin. If you use it you’ll want to upgrade that too. Or have us do it for you.
Of course we do more than keep your website up to date. We keep it backed up, run multiple security scans, give you access to premium plugins and themes at no extra cost, keep an eye on your server and database performance, and provide up to an hour of consulting, training, and even post scheduling and gallery management! Give us a call.
Heads up for WordPress users on rumors of a new variation on an older scam. It’s especially tricky right now because the newest versions of WordPress actually do send you email saying (truthfully!) that it’s automatically updated itself. Here’s how one person reported the issue:
USING WORDPRESS? Beware of a VERY legit looking email going around that says your site has been updated to WordPress 3.8.2. Do NOT click the link, it’s to steal your info!
I got the email and so did a friend who unfortunately clicked on it!
I manage dozens of WordPress sites but haven’t seen this specific scam yet (I expect to see them soon.) But late last year a similar message about a “required database update” was making the rounds.
The security rule of thumb in all instances of email solicitations to log in, to provide personal info, etc. is to
- Ignore the links — don’t click on them and don’t copy them down
- Close the email
- Type the correct URL into your browser yourself, either from memory (if it’s a site known to you) or after finding the real URL via Google/Bing.
- Log in
If the notification was legitimate your WordPress site (or bank, or Netflix, Gmail, Amazon, etc.) will let you know. Follow those instructions, not the ones in the email.
Same as for phone calls from alleged banks, utilities, etc. by the way: scams are so prevalent that basically no legitimate company representative will ask for your personal info, login info, or credit information in a phone call they initiated.
Summary: Unless we’ve contacted you individually via phone or email your site doesn’t use security certificates and so it’s not directly affected by the widely reported Heartbleed internet-security bug.
Details: When a security bug is reported as straight news in the New York Times it’s probably pretty serious. And the newly reported OpenSSL “Heartbleed” bug, which may have compromised passwords and security certificates for more than 60% of servers hosting secured websites, definitely counts as serious!
What does this mean for RealBasics clients?
From a personal standpoint we’re likely all in the same boat. Yahoo!, Google, and numerous other major, major websites we use every day were certainly vulnerable, and those vulnerabilities may have been exploited. Keep your eye on the news for what to do about that.
From a website owner’s perspective, especially if RealBasics, LLC, built, fixed, or maintains your website the answer is… your actual site is safe. You’ll likely still want to change your passwords for your hosting company (e.g. GoDaddy, BlueHost) to keep anyone from logging into your hosting account. But your actual website is going to be fine.
If you subscribe to our Maintenance Plan then you’re further protected in the following ways:
- We regularly back up your site to the canonical “secure remote location.”
- We regularly run multiple security scans on your site.
- We regularly update your core website software, your plugins, and themes.
Again, this doesn’t mean your personal information on other sites, possibly including the company that hosts your website, is safe. But, again unless we’ve contacted you directly, at least the website we’ve built, fixed, or maintained for you is secure.
Here are some other
Short version: Keep your website up to date — the older your CMS (e.g. WordPress, Drupal, etc.) the more time hackers have to reverse engineer and hack it.
Full disclosure and partial sales pitch: Our monthly maintenance plan includes timely updates to your site’s core software, plugins, and themes. It’s not all we do, but as the following article points out there are benefits beyond having the latest features, bells, and whistles.
Full technical version by ace computer security blogger Bruce Schneier here
Security Vulnerabilities of Legacy Code: An interesting research paper documents a “honeymoon effect” when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It’s a few years old, but I haven’t seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: “Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities,” Annual Computer Security Applications Conference 2010.
Source: Schneier on Security
Check out the Simple Strong Password Generator website.
There’s a link on the page explaining why four simple lower-case words are more secure than a shorter, harder-to-remember password with lots of upper-case letters, numbers, and “special” characters. (Tip: for most modern systems like Google, Facebook, WordPress, and the like, a space is a special character anyway.)
Tip: The password in the image above is just an example — don’t use it for your own password because it won’t be random. Instead just click the link and a new password suggestion will be waiting for you. Don’t like the first one? Refresh that page and it’ll give you a new one.
Yes, you can definitely manage and update your WordPress website from your smart phone, tablet, or other mobile device!
The folks at WPBeginners have a nice tutorial on the WordPress app for Apple devices. The official WordPress apps for other devices work pretty similarly.
And of course if we build you a website we’ll be delighted to show you how to update it with your own mobile devices!
After years of building websites that are easy for their owners to maintain and update I’ve come to a big realization: not everybody WANTS to maintain and update their sites!
Actually the big realization came when I pulled into one of those 15-minute oil-change places. Yes, I COULD change the oil myself, and it would even be relatively easy for me, but the maintenance shop is just better equipped and better prepared.
And it’s not just the time it takes to actually change the oil. There’s buying the oil, finding a place to drain it, changing into suitable clothes for crawling under the car, getting out the tools, and cleaning up after.
With that in mind, RealBasics.com is now offering service contracts for backups, upgrades, and more!
Over at the WordFence blog, Mark Maunder explains why it’s important to enforce strong passwords on your website: if someone hacks your site and downloads the user database table, they can crack your encrypted passwords at their leisure. We can fix that, and here’s why that matters!
“Why do I care, my site has already been compromised?” you might say. The issue is that many users have the bad habit of using the same password across multiple websites and that’s why the hacker grabbed your password file and is throwing significant resources at brute-forcing it: So that they can gain access to the real treasure-trove of Gmail accounts, LinkedIn, Facebook, Hotmail, Quicken, Paypal, eBay and all the other valuable accounts out there that let them steal real money from real people who are members of your website.
This is why, even if you have brute force protection on your site, you should enforce strong passwords: to protect your customers’ other accounts on the Web in the worst-case scenario of your site being compromised and your wp_users table being downloaded.
Meanwhile you might be saying “What other users? It’s just me here!” Ok, so they only have to crack one password then — yours! And if you use the same password elsewhere, or if you use an easily-recognized password pattern (e.g. hi-mom-gmail, hi-mom-twitter) then they’ll still be able to get into your other accounts.
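As an added illustration of the two password points on this page (four lower-case words beating a short “complex” password, and the hi-mom-gmail / hi-mom-twitter pattern just described), here is a small strength check. It is example code, not from RealBasics, WordFence or WordPress; the word-list size, the common-password set and the 45-bit threshold are assumptions chosen for the illustration.

```python
import math
import re

# Assumptions for this example: a Diceware-style list has 7776 words, and a
# real deployment would check against a full breached-password list rather
# than this tiny constructed set.
WORDLIST_SIZE = 7776
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "wordpress"}


def estimate_bits(password: str) -> float:
    """Rough entropy estimate in bits.

    A passphrase of three or more lower-case words (separated by spaces or
    hyphens) is scored per word, as if each word were drawn at random from
    WORDLIST_SIZE. Anything else is scored per character using the size of
    the character classes it draws from; this overestimates human-chosen
    passwords, so it is an upper bound, not a guarantee.
    """
    words = [w for w in re.split(r"[ \-]+", password) if w]
    if len(words) >= 3 and all(w.isalpha() and w.islower() for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, site_name: str, min_bits: float = 45.0) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    # Rejects the per-site pattern (hi-mom-twitter on twitter) so that one
    # cracked wp_users entry does not hand over the same scheme elsewhere.
    if site_name.lower() in password.lower():
        problems.append("contains the site name (per-site pattern reuse)")
    if estimate_bits(password) < min_bits:
        problems.append("too little estimated entropy")
    return problems
```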
When RealBasics builds your website we make sure your users’ passwords are easy to remember but hard to crack. And if you sign up for our maintenance plan, one of the adjustments we can make is to make your passwords more secure.