With recent headlines about large ‘out of date’ computer systems becoming infected with ransomware, we thought it a good time to provide an important reminder as to why you should not neglect your WordPress install. What we are saying is true of any script you install on your web hosting; it’s just a fact that the vast majority of scripts installed on our Shared Hosting Platform are WordPress, so we felt we should focus on that.
Your WordPress Website is made up of a number of parts and the three most important are:
- The WordPress Core
- Your Theme
- Your Plugins
The WordPress Core
The Current WordPress Version is 4.7.5 and was released on 16 May 2017
The latest version was a security fix released to fix six known security issues:
- Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
- Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
- Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
- A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
- A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
- A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
If you have not updated your WordPress Core to version 4.7.5, your website is currently vulnerable to the above six issues.
** If you do not understand the six issues, they are serious and we can assure you the hacker will understand them **
Your Website Theme
There are thousands of themes available, including free themes and commercial themes from vendors such as Themeforest. The theme is sometimes a neglected part of your WordPress Website: you may regularly update your WordPress Core but never update the theme.
The Avada Theme is a popular theme with over 300,000 worldwide downloads. You can see this theme here.
If you check the WPScan Vulnerability Database (https://wpvulndb.com/themes/avada) you will see this theme has had three security concerns since 2014 and that the latest version is 5.1.5.
If you are running a WordPress website with Avada 5.1.4 or lower then, depending upon the exact version you are using (see the database link for specific details), your website is vulnerable to:
- Stored Cross-Site Scripting (XSS) & CSRF – discovered on 2 May 2017
- WordPress Slider Revolution Shell Upload – discovered on 3 May 2015
- WordPress Slider Revolution Local File Disclosure – discovered on 17 September 2014
Your WordPress Plugins
Plugins are great. They allow you to add additional functionality to your WordPress website, and there are thousands of plugins available for virtually any feature you can think of. It’s good practice to only use the plugins that you need and to do a little research around any plugin you intend to use: is it from a reputable vendor, and how many people use it? Also check whether it receives regular updates (especially if it is a free plugin, where the creator has no financial incentive to update it regularly).
We strongly recommend you search for any plugins you have installed in the WPScan Plugin Vulnerability Database here and ensure the version of the plugin you are using is up to date, and therefore not vulnerable to any known issues reported in this database. Failure to keep your plugins up to date leaves your website vulnerable to malware.
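A defender-side check of the three components above (core, theme, plugins) against the fixed versions the post names, as an added example that is not the hosting company’s code: it reads the version strings WordPress keeps in wp-includes/version.php, a theme’s style.css header and a plugin’s main-file header, then lists anything below the known-fixed release. The “demo” plugin, its minimum version and the sample site are constructed placeholders; only the core 4.7.5 and Avada 5.1.5 figures come from the post.

```python
import os, re, tempfile
# Fixed versions named in the post: core 4.7.5, Avada 5.1.5. "plugin:demo" is a
# constructed placeholder with an invented minimum, not a real plugin or advisory.
MINIMUM_SAFE = {"core": "4.7.5", "theme:Avada": "5.1.5", "plugin:demo": "2.0.0"}

def vtuple(v):  # '5.1.4' -> (5, 1, 4) so versions compare numerically, not as strings
    return tuple(int(x) for x in re.findall(r"\d+", v))

def header_value(path, key):
    """Read 'Key: value' from a theme style.css or plugin main-file header."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        m = re.search(rf"^\s*\*?\s*{re.escape(key)}:\s*(.+)$", fh.read(), re.M)
    return m.group(1).strip() if m else None

def inventory(root):
    """Return {component: version} for core, themes and plugins under root."""
    found, core = {}, os.path.join(root, "wp-includes", "version.php")
    if os.path.exists(core):  # core version lives in $wp_version
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", open(core).read())
        found["core"] = m.group(1) if m else None
    themes = os.path.join(root, "wp-content", "themes")
    for t in os.listdir(themes):
        css = os.path.join(themes, t, "style.css")
        if os.path.exists(css):
            found["theme:" + (header_value(css, "Theme Name") or t)] = header_value(css, "Version")
    plugins = os.path.join(root, "wp-content", "plugins")
    for p in os.listdir(plugins):  # a plugin is a directory or a single .php file
        pdir = os.path.join(plugins, p)
        files = [os.path.join(pdir, f) for f in os.listdir(pdir)] if os.path.isdir(pdir) else [pdir]
        for f in files:
            if f.endswith(".php") and header_value(f, "Plugin Name"):  # the main file
                found["plugin:" + p] = header_value(f, "Version")
                break
    return found

def outdated(found, minimum=MINIMUM_SAFE):
    """Components whose installed version is below the known-fixed one."""
    return sorted(c for c, v in found.items()
                  if c in minimum and v and vtuple(v) < vtuple(minimum[c]))

def build_sample_site():
    """Constructed sample install (not real data), one release behind on everything."""
    root, files = tempfile.mkdtemp(), {
        "wp-includes/version.php": "<?php\n$wp_version = '4.7.4';\n",
        "wp-content/themes/avada/style.css": "/*\nTheme Name: Avada\nVersion: 5.1.4\n*/\n",
        "wp-content/plugins/demo/demo.php": "<?php\n/*\nPlugin Name: Demo\nVersion: 1.9.0\n*/\n"}
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").write(body)
    return root
```

Point `inventory()` at a real document root (for example `outdated(inventory("/home/user/public_html"))`) to get the same report for a live site; extend `MINIMUM_SAFE` from the WPScan database entries for the themes and plugins you actually run.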
Who can help secure my WordPress Site?
We recommend you speak to your web developer or the Web Development Company who set up your website and they should be able to assist you.
If you do not have a Web Developer presently, we offer a WordPress Management Service as a product add-on, and from now until the end of August 2017 we are offering a 25% discount on the retail price for as long as you have the plan. The discounted price is £48.75 + VAT per year. As part of this service we will do the following:
- Bring your WordPress Core up to date
- Bring your WordPress plugins up to date
- Perform a weekly check for any new updates and apply them (after taking a backup)
- Audit your site and remove any malware we find
- Add additional security features and plugins to help keep your site secure
- Audit your site for speed and performance and optimize it for better load times
- Assist in bringing your Theme up to date (as long as you give us logins where you bought the theme)
- Help with basic WordPress development questions
- Discounted hourly rate should you have any advanced WordPress development needs on your managed website and your web developer cannot assist.
**For copyright reasons we will only bring a commercial theme up to date where you can provide us logins for the website where you bought the Theme.
Frequently Asked Questions
Why Update? Does your Firewall not secure me?
We run the Atomic Secured Linux Firewall product on our Shared Hosting Platform. This product has a very good web application firewall that is regularly updated to help protect against such vulnerabilities, but your website is still vulnerable behind it, and only updating your site will fully ensure the reported vulnerabilities are patched.
Some large Web Hosts Auto update WordPress on their Shared Hosting Platforms
We’re aware that one large web hosting provider has a script, which they actually made public, that will automatically update WordPress across a server fleet. We don’t believe this is a good solution, as many times when plugins, themes or WordPress Core are updated the website breaks. Sometimes an existing plugin is not compatible with a new core version and needs to be swapped out for a similar alternative plugin; sometimes a web developer has added some custom code to the site and the update breaks it. We actually tested one such script about a year ago (we built a temporary server and restored a shared server to it for testing) and a lot of websites were broken after the auto update. We’re therefore going to keep auto update under review, but for now we won’t be jumping on the automatic update bandwagon.
Can I do these updates myself?
Absolutely! Our WordPress Management is not rocket science and you are just paying for staff time with your small annual fee. We’re experts in this and manage thousands of websites, and we believe £48.75 + VAT is a small price to pay for additional peace of mind. However, if you want to do this yourself, some free software you may want to explore is InfiniteWP, which will allow you to see which scripts and WordPress installs are out of date. Plugins such as iThemes Security will help secure your website from the outset, and plugins such as Wordfence will be useful if you do have a compromised website you need to clean up. Shield is another security plugin we are aware of (we know the developer) but we’ve never used it. We recommend that before you update your WordPress you take a fresh backup in case the site breaks. You can generate a backup from your cPanel and download it and store it locally with a couple of clicks. This means that should your update break your website you can put it back to how it was just before you started, and our technical team can help with the restoration.
My WordPress is really old – will it update?
The best thing to do in this instance is to pop a support ticket in for the attention of our WordPress Team. The WP team are in the office during regular UK business hours, 9am to 5pm. The team manage thousands of websites, so they will know quickly if they anticipate any issues with the update.
How long will it take to get updated?
Once you sign up for our discounted WordPress Management Service for £48.75 + VAT, our team will get to work within 24 hours on getting your site updated. They will reach out to you if they anticipate any issues.
Our WordPress Management service is headed up by Russell Crawford, who recently took part in a discussion at WordCamp Belfast in a panel specifically talking about speed and security of WordPress installations.
Check out the video here if you’d like to learn more: