Critical Site Update for WordPress 4.2 with Scripting Vulnerability


Combine a popular web site platform (WordPress) with a user base where a good percentage lacks technical expertise and add to that malicious intent.  The result? A wide swath of sites that are vulnerable to attack.

This is the situation with WordPress.  The official site boasts corporate and celebrity users such as People, Motley Crue, and CNN.  This is true.  There are many multi-million dollar corporations, publications, and applications that run on the WordPress platform.

However, it is also true that a lot of users of the self-hosted version of WordPress are casual users.  The ease of use of the platform, as well as the familiarity gained through the free sites on wordpress.com, drew a wide range of users.  Beyond the hobby bloggers, there are small businesses that had a site built on WordPress based on their developer/designer’s recommendation and then never looked at it again.

This chart by Built With shows almost half of the sites on the internet are using WordPress.

[Chart: sites using WordPress]

This chart by W3Techs shows the percentage of WordPress installations running each version.  As you can see, a little over 30 percent of the installations are still running on version 3 or lower.

[Chart: WordPress versions usage]

What this tells me is that an awful lot of those 14 million sites are sitting out there unmanaged and wide open for attack.

I’ve mentioned before that outside of content and design, if you don’t have someone on staff who manages and maintains your web site, a web site maintenance service plan is often a good idea.  Here is an excerpt from a previous article:

Open Source platforms like WordPress, Joomla, and Drupal are wonderful in that they allow the individual blogger and small business person to have world class sites. The downside to that is that since the code is open to all, it is also open to those who explore it to find vulnerabilities to maliciously hack your site.

When people contact me to recover their site after it’s been hacked, most of the time it is because they didn’t keep the platform up-to-date. There can be occasions when someone purposely tries to take a site down and overcomes security measures.

But the reality is that for most of our web sites, hackers just don’t care that much about coming after you specifically. They are just looking for an opportunity to do damage and most of the time choose the path of least resistance to do so.

Not keeping your site up-to-date or monitoring add-ons for security issues is like driving your car to the center of town, leaving the keys in the ignition and the doors open, and blaring the words “Come take me.”

This past week has been a good illustration of this.

Last week, security notifications went out on a vulnerability in WordPress 4.1.1 and earlier that allowed cross-site scripting.

The issue was not only with the WordPress core platform, but the vulnerability was also found in plugins and themes.  Envato Marketplace sent out an email on Saturday warning their users of the possible exploit.  They encouraged all their vendors to check for vulnerability in extensions and to modify and patch them.  I received emails from theme and plugin developers warning of the problem.

Version 4.2 came out to patch that vulnerability.  Almost immediately, another vulnerability was discovered in the update that fixed the previous one.

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appears by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.

“If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors,” Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy, wrote in a blog post published Sunday evening. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

A nightmare waiting to happen, ranking right up there with the experience of my friend Stephanie after someone went after her, attempting to hijack her accounts, and succeeded with her Facebook page.

An update to WordPress 4.2.1 that fixed this vulnerability was released hours ago.  If automatic updates are enabled, your site will have already updated.

WordPress 4.2.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

A few hours ago, the WordPress team was made aware of a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnönen.

WordPress 4.2.1 has begun to roll out as an automatic background update, for sites that support those.

For more information, see the release notes or consult the list of changes.

Download WordPress 4.2.1 or venture over to Dashboard → Updates and simply click “Update Now”.

The danger is for those who don’t have a system in place for back-ups and updates and who maybe haven’t checked their site in a while.

Next Steps

If you’re reading this and asking yourself, “What do I do now?”

  1. Back up your web site.  It is a good idea to keep a series of backups on hand in case it is necessary to take your site back to a previous version.
  2. Update WordPress.
  3. Update the installed plugins and themes.
  4. Research any plugin that did not prompt for an update after you updated to the latest version of WordPress, checking it for vulnerability issues.  Plugins that are outdated or where the development has been abandoned can be a huge issue.
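
An added example, not part of the original post: if you look after several installs, this Python script reads each install's wp-includes/version.php (where WordPress core records its version) and flags every site older than 4.2.1, the fixed release named above. The directory layout and site names are constructed sample data.

```python
import os
import re
import tempfile

# Per the release announcement quoted above, 4.2.1 is the first fixed release.
FIXED = (4, 2, 1)

# WordPress core records its version in wp-includes/version.php as
#   $wp_version = '4.1.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(php_source):
    """Return the version string from version.php text, or None if absent."""
    match = VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '4.2' or '4.2-beta1' into a comparable 3-tuple such as (4, 2, 0)."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    parts = [int(p) for p in numeric.group(0).split(".")] if numeric else []
    return tuple((parts + [0, 0, 0])[:3])


def needs_update(version, fixed=FIXED):
    """True when the install predates the fixed release (or is unreadable)."""
    if version is None:
        return True  # cannot confirm the version: treat as needing review
    return version_tuple(version) < fixed


def audit(root):
    """Walk a hosting directory; return sorted (site, version, needs_update) rows."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_wp_version(fh.read())
            site = os.path.relpath(os.path.dirname(dirpath), root)
            rows.append((site, version, needs_update(version)))
            dirnames[:] = []  # nothing below wp-includes to look at
    return sorted(rows, key=lambda row: row[0])


def build_sample_tree(root):
    """Constructed sample data: three fake installs with different versions."""
    samples = {"blog-a": "3.9.2", "shop-b": "4.2", "news-c": "4.2.1"}
    for site, version in samples.items():
        inc = os.path.join(root, site, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % version)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, version, stale in audit(tmp):
            print("%-8s %-8s %s" % (site, version, "UPDATE NEEDED" if stale else "ok"))
```

Point `audit()` at the directory that holds your sites; it only reads files, so run it before step 1 to see which installs need attention.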

If you need help with your site, whether an update, a recovery, or an ongoing WordPress maintenance service plan, contact us.

Do You Need a Web Site Maintenance Service Plan?


You may be saying, “I have a web site and we add/update content every once in a while.  Why would I need a web site maintenance service plan?”

Content management systems are amazing things.  They allow a web site to organically grow, added to by the average user.

The downside to a CMS is that there are a lot more pieces than in a static HTML site. A CMS-based web site can grow organically as a garden does, and just like a garden, it takes continual updates and maintenance.  This is exclusive of content updates.

To illustrate, I’ll share what I did to one of my personal sites. I had multiple domains running on one installation of WordPress Multisite.  I never do this on client sites, and I am constantly telling people to back up their web sites, but I was on the phone, trying to multi-task and without stopping to back up the site, I hit the “Update” button on WordPress.

Big Mistake.

It completely messed up the WPMS installation.  I might have been able to recover it except that the original installation was from 8 years ago when WPMU was a separate platform.  There were a few carryovers from that, which I think contributed to the problem. I didn’t have the most recent backup.  Directly editing the files and database to recover it wasn’t working.  The host tried to revert the site with the backup they had . . . which didn’t work as the database was too large.

It was a complete mess.

You can export a blog on a WPMS installation to convert it to a standalone version.  However, all of the instructions to do so assume that the WPMS installation is functioning when you do so.

Mine wasn’t.

What I ended up doing is:

  • Created a standalone WordPress installation for each domain
  • Exported the database (of an old backup)
  • Identified the blog ID for each domain
  • Copied the images and uploads for each domain into the new installation
  • Separated the tables for each domain into their own SQL file.
  • Renamed each of the tables for each domain in the new SQL file.
  • Edited the options table in each domain SQL file for the new standalone installation.
  • Imported the revised SQL file into the new WordPress installation
  • Double checked the settings for each plugin and deleted those that weren’t being used.

For 10 different domains. All of that because I didn’t take five minutes to back up the web site before I hit update.

Open Source Means More Vulnerability

Open Source platforms like WordPress, Joomla, and Drupal are wonderful in that they allow the individual blogger and small business person to have world class sites. The downside to that is that since the code is open to all, it is also open to those who explore it to find vulnerabilities to maliciously hack your site.

When people contact me to recover their site after it’s been hacked, most of the time it is because they didn’t keep the platform up-to-date. There can be occasions when someone purposely tries to take a site down and overcomes security measures.

But the reality is that for most of our web sites, hackers just don’t care that much about coming after you specifically. They are just looking for an opportunity to do damage and most of the time choose the path of least resistance to do so.

Not keeping your site up-to-date or monitoring add-ons for security issues is like driving your car to the center of town, leaving the keys in the ignition and the doors open, and blaring the words “Come take me.”

The moral of all this is keep your site updated.

Things Change

Sometimes it’s not as catastrophic as what I described in my first example, but the truth is with every platform core or plugin update that you do, there is a risk of a conflict between the new files and the existing plugins.

With the majority of hosts switching to PHP 5.3 as the server defaults, sites with deprecated coding had issues. Or sometimes files are corrupted during an update. Sometimes things just stop working.

Last week, I had two sites with compatibility issues after updates.  The first was a WordPress site with several custom post types.  The permalinks for one custom post type stopped working due to a conflict with another third party plugin.

The second was a site on Joomla with a membership component that stopped creating new accounts after an update to the core Joomla platform. A very big deal.

These types of things usually take you by surprise and it is something that you just have to be prepared to handle.  If you don’t have someone on staff that is able to troubleshoot an issue, then have a reliable contractor that you can go to.

“An ounce of prevention is worth a pound of cure.” (Benjamin Franklin)

Familiarization Takes Time

Which brings me to my next point: I may be familiar with the platforms, but unless a site is a plain vanilla install, before I can troubleshoot an issue I first have to familiarize myself with the site, including what plugins are installed, how the settings are configured, and any custom features or coding.

This all takes time.

If someone calls because of a crisis with their site and I’ve never looked at it before, it is going to take time to get familiar with it before I can fix the issue.  Having someone that can monitor and maintain it on an ongoing basis is usually much cheaper than waiting until disaster strikes.

Another situation similar to this is when I developed the site for them initially, but I haven’t maintained it since and other people have done various things to the site.  That also takes time to research.

Proactive Maintenance

Even if you are comfortable updating the content on your site yourself, unless you are also comfortable handling the technical details and troubleshooting when problems arise, it is a good idea to have someone monitoring your site for potential issues.

It is so critical that we do not even offer web site hosting anymore to clients unless we have a maintenance agreement in place.  The potential risk of having out-of-date and unmonitored sites on our server just isn’t worth it.

What Is a Web Site Maintenance Plan?

A web site maintenance service plan can include a variety of things, but the most basic level of service includes updating the core platform and plugins of the site, backing up the site, monitoring for uptime and security issues, and resolving conflicts when they arise.

Get Started with a Web Site Maintenance Service Plan

If you need a go-to person for your web site, contact us.


Preparing for a Redesign:  Looking to the Past


Over the past month, I’ve been talking about different reasons why it might be time to redesign a site.  I covered the process of the overhaul of our own site and the three main options for mobile friendly web sites.

If you’re at the point where you’ve decided, “Yes, I need to redesign our site,” before you go any further and start thinking about what you want, stop for a moment and look at what you have.

Ideally, the next rendition of your business web site should go a step further than where you are now.  That’s the goal.  But don’t throw out what is already working well in the process.

Before you talk to a web developer about new colors and technologies, look at the data of your existing site and answer the following five questions:

Hopefully, you have a statistics program such as Google Analytics installed on your site collecting data.  If so, the answers to these questions are as simple as pulling up a few charts.  If not, every hosting service should have one, if not several, statistics programs available in the hosting control panel.  The statistics will not be as accurate as a program like Google Analytics, but it will give you an overview of the traffic coming to your site.

Five Questions to Ask Before a Site Redesign

#1 How are people currently coming to your site?

How are people coming to your web site?  Are they coming directly to the URL through offline promotion?  Are they finding your site through search?  If so, which keywords are they using to search and which page are they arriving at?  Are they coming through email links?  Social media sites?

What pools of traffic is your site already capturing well?  This is important to know because you don’t want to lose ground you’ve already gained by drastically changing something that is working well.

#2 How are people currently using your site?

Are people primarily using it for information and then completing the order offline?  Are they checking for weekly specials?  Have you engaged your users in a community?

How long does the average user stay on your site?  How many pages do they view?  What is the path they take through your site?  If you have goals set up in your tracking program, what is working well?

#3 What does your current web site do really well?

What does your current web site do really well?  What do you really love about your existing site that you can’t do without in the next one?

#4 What does your current web site not do?

What does your current web site not do?  Is there something that really frustrates you when using it?  Is there something that continually causes hangups, either for your customers or your staff, that you do not want to repeat?

#5 What are the priorities for your new web site?

Make a list of features you would like to have in your next site and prioritize them in order of importance.  Along with this, determine your budget.  Keep in mind that a web site that is developed with a view towards future expansion can be built on over time.  If your wish list is bigger than your current budget, realistically consider what the “must have” items are and plan to add the other items in stages.

Do you need a new look for your web site?  Contact Us.

10 Signs Your Website Might Be Due for a Redesign


There are two main groups of people I work with for web development:  those who have an existing web site and those who have never had a site.

Those who have never had a web site before very often do not understand the scope of what is involved in developing and maintaining a web site.    What they look for in their first web site is not usually what they look for in the subsequent versions of their sites.

It’s kind of like when you bought your very first computer.  You didn’t know what you needed, so you relied primarily on recommendations of those who already had one.  The next time you upgraded your computer, you knew what was important to you, and your purchasing decision focused on those factors rather than the recommendations of other people.

As you use your site, you figure out what is important to you and your business.

It isn’t necessary to constantly redo your web site, but just as we remodel our homes, upgrade our smart phones, and replace our computers, over time a web site redesign comes due.

Below are 10 signs that your web site might be due for a redesign.

#1 Flash based site

Flash at one time was cool but it was never a good idea.  Unless you are in the entertainment or gaming industry, just stay away.  Heavy load times, uncrawlable content, and incompatibility with most mobile devices make this a no go.

#2 What Was Once a Great Idea Really Wasn’t

The very first web site I ever created was on AOLPress with floral divider bars and animated gifs.  Sometimes there are things that we think are cool at the time, but really aren’t and never were.  If there are remnants of that on your website, it might be time for a new look.

#3 Little to No Content

Images and videos are engaging; however, priority number one is content on your site . . . words on the page.  If the extent of the content on your site is a bullet point list of services, it may not be an aesthetic redesign that you need so much as an examination of how your web site is incorporated into your marketing strategy as a whole.

#4 Hasn’t been updated in 15 years

If your site hasn’t had new information posted in a significant amount of time, as with the point above, it might be time to examine why that is.  Is it because no one in your business knows how to update the site or is it because the web site is considered ancillary to or an afterthought of your overall marketing strategy?

I actually came across a web site a few days ago that had been a “Coming Soon – Under Construction” page since 1997.  At that point it would be better to just put up one page with a company name and phone number.

#5 Barriers to Use

Is the web site too difficult to use?  Some of the reasons for this could be that the site is a static site requiring the manual addition of pages; a site that is based on a proprietary system that limits extending the functionality; or a site that is just too complicated for the user.  If it is the latter, a determination needs to be made whether the best option is staff training, hiring a third party company for updates, or making the switch to another platform.

#6 Company Focus Has Changed

The services and focus of a business can evolve over time.  What was the primary revenue source of your company when your web site was first launched may not be the primary source today.  Or maybe there is another area of your market that you want to target.  If that is the case, the structure and focus of your web site should reflect that.

#7 Scattered, Unorganized Content

When you have a web site and are actively using it, it is very easy to let the content and focus get away from you.  Some web sites have a problem of not enough information.  The opposite can also be a problem if not organized.  Ideally, every page, every piece of content should be furthering one of your organization’s goals.  Regardless of how someone comes across your site, are they getting the message you are trying to send?

#8 Dysfunctional Platform

A lot of the web site redesigns I do are because the platform the existing site is on is now dysfunctional.  Something about it just doesn’t work anymore for the business.

That happens.  Things change.

Web sites are like houses.  Once you build them they still need maintenance and upkeep.   There comes a time when certain systems become obsolete and have to be replaced.

#9 User Functionality Needed

Another reason a business will overhaul their web site is if additional user functionality is needed.   If your web site is currently on an up-to-date CMS like Drupal, Joomla, or WordPress, you don’t necessarily need to redo the whole site.  That individual functionality can usually be added.

However, if your site is one of those drag-and-drop, DIY web site builders, the site is probably going to have to be rebuilt from the ground up to get the features you want.

#10 Need a Mobile Friendly Site

As I mentioned in my article last week on mobile web site options, having a mobile friendly web site is increasingly important.  Studies have shown that between 30 and 50  percent of all internet traffic is through mobile apps.

If your site is older than three years, the odds are the layout is not optimized for mobile.

Does your web site need an overhaul?  Contact us.

Mobile Web Site Options for 2014


The online marketing environment has changed dramatically over the past few years.  It’s not just about your web site, it also includes social media.  It’s not just about textual content; it’s also about communicating through images and video.

And it’s not just people sitting at their desks searching on their computers for information and services; they are sitting on their patios looking for information on their tablets, or on their couches browsing on their smart TVs, or looking up information on the run . . . literally . . . through their smart phones.

To be competitive, your web site has to accommodate the browsing habits of your target market.  For small businesses that don’t have an IT team solely dedicated to developing a site and internet applications, the question is how to do that efficiently and cost-effectively.

Three Options for Mobile Sites

There are three main options to providing a mobile friendly site for visitors.

Mobile Only Site:

The first option is to have a completely separate web site for mobile visitors.  When a browser comes to your regular site, there is a directive included in the theme that identifies the “user-agent” or device that is accessing the site.  If it is a mobile device, the visitor is automatically sent to the mobile version of the site.

The mobile site was most frequently hosted on a subdomain of the site.  For example, if I was using this method for this site (which I’m not), it would be at m.legacymarketingservices.com.

At that address would be a site completely targeted towards the mobile visitor, the theme, the content, all optimized for mobile.

There are companies that completely focus on providing “mobile sites” for businesses who don’t have one for a monthly fee.  Except for the additional monthly cost, this is actually the fastest and easiest way to get a mobile site for your business.

At one time, this was the way Google recommended to accommodate mobile visitors. At least, it was one of the ways recommended by Google. Different people in different areas of Google had varying recommendations, but as the separate subdomain was recommended by Matt Cutts, who is the main spokesperson for Google search, it was the recommendation most people followed.

Beyond the user experience, the other consideration was that Google implemented a separate user-agent, or search bot, in December 2011 specifically targeted to crawl mobile optimized content. Someone searching on a desktop and someone searching on a smartphone could come up with completely different search results.

It’s not just site content and links; yes, your site theme can affect your rankings in search.

It wasn’t until June 2012 that Google came out with one consistent recommendation on how to implement a mobile strategy.  The “best practice” recommendation was not a separate mobile site, which was the path most early adopters had taken at this point.  But more on that later.

Cons of a Mobile Only Site

Setting aside search and what Google likes for mobile, the biggest downside of this method is that the browser detection doesn’t always work.   There can be mobile devices that aren’t recognized that are still served the desktop site, which defeats the whole purpose.

The other issue is the majority of the time a phone-sized theme is served regardless of the browser size of the device that is accessing it.

For example, the screenshot below is of the Painting with a Twist site that uses browser detection to determine which site to send a visitor to: the mobile site or the regular version.  It works, but since I accessed the site with a tablet, a lot of screen space is wasted.

[Screenshot: Painting with a Twist mobile display on a tablet]

Mobile Only Template

In database driven sites, those running on some type of content management system, the theme (the way the site looks) is separate from the logic (how the site works) and the content (what the site says).

With the template oriented method, the site logic will switch the theme used to serve the content depending on how the user accesses the site.

Different platforms accomplish this differently.  In Joomla, the extension sh404SEF has a built-in feature allowing you to choose a mobile friendly template.  For WordPress, there are multiple plugins, both paid and free, that will switch themes.

Pros of Template Switching

The pros of this method are that unlike the mobile only method, there is only one site to manage and one version of the content.

Since the theme is optimized for mobile viewing and only mobile viewing, it can be designed to load faster and fine-tuned for a mobile experience.

Cons of Template Switching

Like the mobile only option above, sometimes the browser detection doesn’t work properly and the visitor isn’t switched to the mobile version when they should be.  Also, while most of the template switching plugins display very well for phones, depending on the plugin the view for other devices such as tablets may not display as well.

Responsive Design for Mobile Devices

As I mentioned at the beginning of this article, mobile means more than just phones.  A responsive web site design is one that changes the display depending on the size of the viewport accessing it.

It is about the size of the screen, not the device accessing it.

This has become the most widely accepted standard for mobile and nondesktop device design over the past two years and the method Google recommended in their June 2012 statement.

There are people who disagree and holdouts for both other options, but particularly for the small business owner, I think this is the best solution, both in terms of implementing it as well as maintaining it.  All of the sites we have designed since 2013 have used a responsive theme.

Cons of Responsive Design

The main criticism of responsive design is that the load time and files necessary are much larger than a theme that is solely dedicated to mobile.

This is true.  There will be tradeoffs in whichever method you choose.

Have you migrated your site to one that accommodates mobile?  If so, which option did you choose?

Need a site that is mobile friendly?  Contact Us.

Importing Word Content to Joomla or WordPress


Many people use Microsoft Word to create content and articles; after all, it is a word processing program.

However, problems arise when they want to import that content into a web page.  If you’ve never looked at HTML source code for a site, you may not know the difference . . . but trust me . . . anything that comes out of Word is a mess when it gets to the web.

Not only does it clutter up and slow down your site with unnecessary code, but the garbage code can also break your site’s design layout.  I recently received a support request for a client because a section on her site was messed up.  The client had posted a new article, pasting the content from Word, and a mangled site was the result.  I had to go into the article itself and strip out all the Microsoft tags to get it to work.

Pasting from Word

You should never copy and paste content from Word directly into your content management system.  The WYSIWYG editors for WordPress and most of them for Joomla have a “Paste from Word” icon feature.

[Image: “Paste from Word” icon]

  1. Copy your content from Word.
  2. Click the “Paste from Word” icon and a dialog box will appear.
  3. Paste your content into the dialog box and hit save.

This will normally strip all the Microsoft junk code from your content.  However, some editors have configuration settings for what gets stripped and what doesn’t.  If that is the case (such as with the JCE editor for Joomla),  you may need to test the settings until you get just the right combination.

With any content management system (CMS), your platform theme is going to contain a stylesheet that specifies what each element of your site should look like, resulting in a cohesive look.  You do not want font and style tags in your content, because that will override the theme settings.
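
An added example, not part of the original post and not the code any particular editor uses: a Python cleaner that strips the kind of Word markup described above (font and span wrappers, style blocks and attributes, Mso classes, Office-namespaced tags, conditional comments) while keeping the structural tags, and reports what it removed. The tag and attribute lists and the sample fragment are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"style", "xml"}        # element and everything inside it
UNWRAP = {"font", "span", "meta", "link"}   # drop the tag, keep any inner text
DROP_ATTRS = {"style", "lang"}              # presentation attributes Word adds
VOID = {"br", "hr", "img"}                  # elements that take no closing tag

# Constructed sample of Word-style markup (not taken from a real document).
SAMPLE = (
    '<!--[if gte mso 9]><xml><w:WordDocument></w:WordDocument></xml><![endif]-->'
    '<style>p.MsoNormal {margin:0in; font-family:"Calibri"}</style>'
    '<p class="MsoNormal" style="margin-bottom:0in"><span lang="EN-US" '
    'style="font-size:14.0pt"><font face="Arial">Spring <b>sale</b> starts '
    '<a href="/specials" style="color:red">Monday</a></font><o:p></o:p></span></p>'
)


class WordCleaner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # pieces of the cleaned document
        self.removed = set()   # labels for what was stripped, for reporting
        self.skip_depth = 0    # > 0 while inside a DROP_WITH_CONTENT element

    def _is_office_tag(self, tag):
        return tag in UNWRAP or ":" in tag   # o:p, v:shape, w:wrap ...

    def _keep_attr(self, name, value):
        if name in DROP_ATTRS or ":" in name:
            return False
        if name == "class" and (value or "").lower().startswith("mso"):
            return False
        return True

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.removed.add("<%s>" % tag)
            return
        if self.skip_depth:
            return
        if self._is_office_tag(tag):
            self.removed.add("<%s>" % tag)
            return
        rendered = ""
        for name, value in attrs:
            if self._keep_attr(name, value):
                rendered += ' %s="%s"' % (name, escape(value or "", quote=True))
            else:
                self.removed.add(name + "=")
        self.out.append("<%s%s>" % (tag, rendered))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and not self._is_office_tag(tag) and tag not in VOID:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.removed.add("comment")   # includes Word's conditional comments


def clean_word_html(html):
    """Return (cleaned_html, set_of_removed_markup_labels)."""
    parser = WordCleaner()
    parser.feed(html)
    parser.close()   # flush any buffered text
    return "".join(parser.out), parser.removed


if __name__ == "__main__":
    cleaned, removed = clean_word_html(SAMPLE)
    print(cleaned)
    print(sorted(removed))
```

This is a formatting cleanup, not an XSS sanitizer: it leaves script elements and event-handler attributes untouched, so untrusted input still needs the CMS's own filtering.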

Fast and Easy with Dreamweaver

If you have a copy of Dreamweaver, my favorite way to prepare content for the web is by pasting the Word content into a blank HTML file in design view.  It usually does a pretty good job of converting the format to properly structured paragraphs.  Then I copy that and paste it directly into the WYSIWYG content editor in the CMS.

Final Tips

If you have a site with a layout that was fine but is suddenly out of whack, check first your most recently added content.  Look for any extraneous tags.  That will most likely be the culprit.