[Image: Computer Secure. Image Credit: CanStockPhoto]

This week’s article is dedicated to Annette Schunk of CoachingWithAnnette.com, who recently helped me realize that I was looking a bit too high for the “metaphysical” magic that was already around me.

When I was in my late teens and early twenties, I was going through a bit of an all-out hacker phase that had me dreaming of parlaying my nerdness and social ineptitude into elaborate code, exploits, backdoors and sexy Bond-ish cyber espionage geared towards getting me some fast cash and perhaps even faster women…

[Image: Kid Cannabis. Image Credit: Kid Cannabis / Crush Films]

…I mean, I figured: If I had to be THAT guy, then it should at least be working IN my favor, somehow. As to what actually happened, it was something more along the lines of this:

(The “Code”, “Exploit”, and “Backdoor” parts were trivial. The matter of translating that into the “Sexy Bond Life” was the part that almost always misfired 🙁 )

Anyways, my one “bible” of choice, the one I regularly referred to, was Hacking Exposed: Network Security Secrets and Solutions, Second Edition:

[Image: Hacking Exposed. Image Credit: hackingexposed.com]

If memory serves: One of the early chapters of that book started off with some very telling advice that went along the lines of the following:

If you can take only one lesson from this book, let it be the following: “Keep your software up to date”. If you can take a second lesson away, let it be this: “Don’t run unnecessary services”.

Since having owned that particular book, all but those two sentences are now a big blur to me. They stuck with me and perhaps in small ways molded things I’ve done in my tech career since, like stopping to run software updates whenever I get a notification, without thinking much about it, if at all.

Fast forward to now, and the mainstream media is flooded with one… news… story… after… another… about the “Panama Papers”: A data dump of information on where a bunch of high-powered well-to-dos hide their money to keep from paying taxes on it. Taxes that technically don’t exist in the first place, but that’s a conspiracy theory for another page on another day.

What brought this matter to the tech street with one… news… story… after… another… is the realization that the flaw that exposed this information was found in outdated software on a WordPress site, software that could have been easily updated. At the risk of rehashing too much already-posted information, and being fingered for plagiarism, if you want the further specifics of what software was outdated and aging, you can check out the articles below that I went over:

  • Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal (Wordfence.com) – https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  • Outdated and Vulnerable WordPress and Drupal Versions May Have Contributed to the Panama Papers Breach (wptavern.com) – http://wptavern.com/outdated-and-vulnerable-wordpress-and-drupal-versions-may-have-contributed-to-the-panama-papers-breach
  • Panama Papers hack: Unpatched WordPress, Drupal bugs to blame? (theregister.com) – http://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/

What I think I can, and will, safely go over with you here is the very simple and basic process of keeping your WordPress site, plugins and themes up to date.

WordPress Itself

When the WordPress software itself has an update ready, it will be pretty hard for you to miss it. If you don’t have your system at least notifying you when updates are available, the next time you log into your admin console there will likely be some kind of front page notification waiting for you. Prior to this site being updated to the current version, I recall there being a full-page splash screen, complete with a video, waiting to tell me about all of the exciting new features I would get when I did upgrade…

…mind you, they didn’t say “if” I upgraded, but “when”.

To be clear: The system won’t outright force you to go through with any major update, but unless you have a really specific reason not to, you’d be well advised to go through with it as soon as you can.

Your WordPress Plugins

The very first step to properly maintaining updates on your plugins is to be sure that you’re using plugins that will be regularly updated in the first place. This starts at the plugin “store”:

[Image: WP Admin Plugin Store]

Regardless of what you’re looking for specifically, each plugin displayed will provide you with four pieces of pertinent information at the bottom of its “Card”:

  • User Rating w/ Number of Ratings
  • Number of Active Installs
  • Last Time of Update
  • Compatibility notice with your current version of WordPress

I did some quick searching and found a listing that would give an example of a good plugin to at least kick around:

[Image: Good Plugin]

Taking a brief look at just the information below: This plugin has a 4.5/5 rating after 70 reviews, over 10k active installs, was last updated pretty much at the time of this writing (at least on the day of), and its compatibility checks out with the recent version of WordPress, which I’m currently running and which it was checked against. If you’re looking for a plugin with these numbers, or something reasonably close to them, then you can safely assume that you’re going to be working with something that will be regularly supported on at least some level in the near future.

Now, let’s look at a card from another plugin I sourced that you may at least want to step back and raise an eyebrow at before pulling it down to your site, or even someone else’s:

[Image: plugin card from the WP admin plugin store]

So, if we investigate the specs on this plugin: It has a 4/5 rating after 69 reviews, which is comparable with the aforementioned one, and it has over 3k active installs, so this is something that’s “been around the block”, as it were. However, if we look at the “Last Updated” item, it’s showing “6 Months Ago”, which should be a very large red flag to you or anyone else looking at it. If the developer in question hasn’t bothered to do anything with this plugin in that time, it’s not likely that it will just get picked back up anytime soon, if ever, and you should strongly consider looking for an alternative that will provide some similar functionality. In the time that I’ve been working with WordPress and WordPress plugins, I have yet to come across one that was providing a service so explicit or esoteric that it could not be found in some other competing plugin from a different developer.

The other red flag with this plugin, which may or may not be as big an issue depending on the context, is the notice: “Untested with your version of WordPress”. This, combined with the matter above, pretty much rates this plugin as trash in my book, but if everything else with this plugin was on the up-and-up, and this matter was the only thing against it, I would start asking myself some questions like:

  • Did WordPress itself just go through a major update? If so, then an update may be in the works.
  • Is the developer a trusted one who can be reached or has other plugins that are good?
  • Do I really like the plugin enough to give it a bit of a try anyway?

I’ve put these questions to myself before with other plugins and have answered ‘Yes’ to at least one of them and things worked out rather well, so if you come to this point in rating a plugin, just keep that in mind.
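To make the card checks above concrete, here is an added Python example (not from the original post, and not WordPress code) that encodes the two red flags the article names, a stale “Last Updated” date and an “Untested with your version of WordPress” notice, and runs them over two constructed cards modelled on the good and questionable plugins above. The 180-day threshold, the card field names and the sample version numbers are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Vetting rules drawn from the article: a card whose "Last Updated" is six
# months or more old, or that is "Untested with your version of WordPress",
# is a red flag. The 180-day cut-off is an assumption, not a WordPress rule.
STALE_AFTER_DAYS = 180


@dataclass
class PluginCard:
    """The four pieces of information shown at the bottom of a plugin card."""
    name: str
    rating: float          # user rating out of 5
    num_ratings: int
    active_installs: int
    last_updated: date
    tested_up_to: str      # highest WordPress version the developer tested against


def version_tuple(version):
    """Turn '4.5.1' into (4, 5, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def vet_plugin(card, site_wp_version, today):
    """Return the list of red flags for a card; an empty list means it looks healthy."""
    flags = []
    age_days = (today - card.last_updated).days
    if age_days >= STALE_AFTER_DAYS:
        flags.append("stale: last updated %d days ago" % age_days)
    # Compare major.minor only: a 4.4.x tag still counts as tested against 4.4.
    if version_tuple(card.tested_up_to)[:2] < version_tuple(site_wp_version)[:2]:
        flags.append("untested with your version of WordPress (tested up to %s, running %s)"
                     % (card.tested_up_to, site_wp_version))
    return flags


# Constructed cards mirroring the two examples in the article (not real plugins).
TODAY = date(2016, 4, 8)
GOOD = PluginCard("good-plugin", 4.5, 70, 10000, date(2016, 4, 8), "4.4")
STALE = PluginCard("stale-plugin", 4.0, 69, 3000, date(2015, 10, 1), "4.3")

if __name__ == "__main__":
    for card in (GOOD, STALE):
        flags = vet_plugin(card, "4.4", TODAY)
        print(card.name, "->", "OK" if not flags else "; ".join(flags))
```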

When there are updates to be had for your plugins and themes, there are two places in your admin console where you will see a notification, both of which will be in the upper-left hand corner of your browser window:

[Image: WP Admin Update]

Either of these links will lead you to the update control console of your website:

[Image: WP Admin Updates]

As the first line of text says, you can simply check off the “Select All” box and have your site process all of the updates in one fell swoop, but if you only have a handful, and can put aside about 5-10 minutes, you may want to consider going through them one at a time to see if there are update issues with any particular one. I recently went through this process myself and found a problem with updating the UpdraftPlus plugin that I remedied by simply uninstalling the version I had on my site and freshly installing the newer version from the WordPress plugin “store”.

Your WordPress Themes

If your theme of choice came directly from WordPress’ own batch, available updates will be shown in the same update window as for the plugins, just closer to the bottom, under the “Plugins” section. The process for updating themes is otherwise as straightforward as it is for plugins. However, the one thing you should keep in mind is that a theme update will sometimes do away with any custom settings or tweaks you made after the initial install, so you’ll want to be sure to have backups of your pages to reinsert after the fact if you need to.

If you got your theme from a third party, then I would suggest going to their site to get more specific information on how they handle update notifications and the specifics of updating their own themes. As a general suggestion: You may want to consider working with Parent/Child theme combinations in this respect. As the name suggests: A “Parent” theme is a theme that you would install to your site first as a base. Afterwards, you would then install a second “Child” theme on top of that, where you build your actual site and make your tweaks, so that updating the parent does not wipe them out. One company that I’ve recently been acquiring themes from, specifically for my own sites and clients, is StudioPress (www.studiopress.com), but if you google “Child Themes” you will easily find other reputable outfits to choose from.

Taking Out Your Garbage

Even in a more perfect world where you were staying on top of updates with all of your themes and plugins, over time it’s conceivable that you could install things in one place and then install plugins with similar functionality in other places without giving much thought to the first item. WordPress does allow you to “Deactivate” plugins that you’re not using (or think you’re not using), and this is a good short-term measure for troubleshooting immediate issues. In the long term, however, if there is something in your backend that you’re certain you’re not doing anything with, it would be in your better interest to just remove it completely, for the sake of there being one less potential door or window for a cracker to slip in.

This Week’s “TL;DR”

In closing, I will leave you with a slight revision of the sage advice that was imparted to me so long ago:

  • If you take and keep just one piece of information from this article, let it be this: “Keep your software, themes, and plugins up to date.”
  • If you can take and keep a second piece, let it be this: “Don’t leave unused or unnecessary plugins installed on your site.”

Thanks for reading.