WordPress Plugin Supply Chain Attacks

These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

via Three Plugins Backdoored in Supply Chain Attack

Building a website is cheap, but not protecting it is costly.


We use Wordfence as a default on all new WordPress client sites that we create, for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap, your company / nonprofit / church / community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.

via Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC

Even Hackers Take Summer Vacations

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed usernames and passwords. People still don’t use secure passwords (or, preferably, a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report
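As an added example (not code from the page or from Wordfence), here is the kind of check a site operator can run over a web server access log to spot the campaigns described above. It counts credential POSTs to wp-login.php and xmlrpc.php per source IP in a sliding window, and notes when an IP that is already flagged later receives a 302 from wp-login.php, which is what a successful guess looks like (WordPress re-renders the form with a 200 on failure, so status codes alone do not separate failures from ordinary page loads). The log lines, IP addresses, and the 5-attempts-per-60-seconds threshold are constructed for illustration; the log is assumed to be in Apache/Nginx combined format and sorted by time.

```python
"""Flag brute-force login attempts against WordPress from an access log.

Added example; the log lines, addresses and thresholds below are constructed
and are not from the original page or from Wordfence.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that accept credentials. xmlrpc.php is included because
# system.multicall lets one request carry many password guesses.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_login_attempt(rec):
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS


def analyze(lines, threshold=5, window_seconds=60):
    """Return (flagged, likely_success).

    flagged: {ip: peak number of login POSTs seen inside any window_seconds span}
             for IPs that reached `threshold` in a window (a slow trickle that
             never reaches the rate is not flagged).
    likely_success: IPs that were already flagged and then got a 302 from
             wp-login.php, i.e. a guess that appears to have worked.
    Lines are assumed to be in chronological order.
    """
    windows = defaultdict(deque)
    flagged = {}
    likely_success = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        ip, now = rec["ip"], rec["ts"]
        q = windows[ip]
        q.append(now)
        while (now - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
        if ip in flagged and rec["path"] == "/wp-login.php" and rec["status"] == 302:
            likely_success.add(ip)
    return flagged, likely_success


# Constructed sample: 203.0.113.10 hammers wp-login.php and then succeeds,
# 198.51.100.7 sends a few xmlrpc.php POSTs, 192.0.2.44 trickles one guess
# every 30 s, and 10.0.0.5 is an ordinary user logging in once.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Dec/2017:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [18/Dec/2017:03:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
203.0.113.10 - - [18/Dec/2017:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.44 - - [18/Dec/2017:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.10 - - [18/Dec/2017:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [18/Dec/2017:03:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
203.0.113.10 - - [18/Dec/2017:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
10.0.0.5 - - [18/Dec/2017:03:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3899
203.0.113.10 - - [18/Dec/2017:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [18/Dec/2017:03:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512
203.0.113.10 - - [18/Dec/2017:03:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
10.0.0.5 - - [18/Dec/2017:03:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.10 - - [18/Dec/2017:03:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
this line is deliberately malformed and is skipped
192.0.2.44 - - [18/Dec/2017:03:00:32 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.44 - - [18/Dec/2017:03:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.44 - - [18/Dec/2017:03:01:32 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
192.0.2.44 - - [18/Dec/2017:03:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""


def run_sample():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    flagged, success = run_sample()
    for ip, peak in flagged.items():
        print(f"{ip}: {peak} login POSTs in 60s{' (later got a 302: check this account)' if ip in success else ''}")
```

The sliding window matters: a bot that spreads guesses out (the 192.0.2.44 pattern) never trips a per-minute threshold, so in practice this check is paired with a longer-window count and with the failed-login events a plugin like Wordfence records, which include the username tried.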

Why Your Church or Nonprofit Website Needs Regular Security Updates


One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) is maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses that are on tight budgets and looking to save every penny possible (understandably so). However, it is necessary, and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self-hosted and runs software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of both the core software and its plugins, and that some sort of security software is in place to provide a firewall, limit login attempts, block abusive IP addresses, etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory”, registration information, or personal details of your congregants or customers, this is especially true. And it applies regardless of the size of your church, nonprofit, or business.
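As an added example of what “regular updates” means in practice (this is not the agency’s own tooling or code from the page), here is a small audit that inventories a self-hosted WordPress install from disk: it reads the core version from wp-includes/version.php, reads each plugin’s header block the same way WordPress does (the “Plugin Name:” and “Version:” fields in the first 8 KB of the main PHP file), and compares versions numerically so that 4.9 is correctly treated as older than 4.9.1. The site tree, plugin names and the “minimum acceptable version” table are constructed for the demo; in real use the minimums come from the vendor changelog or a vulnerability feed, and a plugin that has been closed or backdoored is flagged for removal regardless of version.

```python
"""Inventory a self-hosted WordPress install and flag outdated or closed plugins.

Added example, not code from the original page. The site tree, plugin
headers and minimum-version table are constructed for illustration only.
"""
import os
import re
import tempfile

NAME_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)
WP_CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(s):
    """'4.9.1' -> (4, 9, 1). Non-numeric parts such as 'beta' sort below 0."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", s))


def version_lt(a, b):
    """Numeric comparison with padding, so '4.9' == '4.9.0' and '4.9' < '4.9.1'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def read_core_version(root):
    with open(os.path.join(root, "wp-includes", "version.php"), errors="replace") as f:
        m = WP_CORE_RE.search(f.read())
    return m.group(1) if m else None


def inventory_plugins(root):
    """Return {plugin_dir: (name, version)} from each plugin's header block."""
    found = {}
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    for slug in sorted(os.listdir(plugins_dir)):
        d = os.path.join(plugins_dir, slug)
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".php"):
                continue
            with open(os.path.join(d, fn), errors="replace") as f:
                head = f.read(8192)  # WordPress itself only reads the first 8 KB
            nm, vm = NAME_RE.search(head), VERSION_RE.search(head)
            if nm:  # the file carrying "Plugin Name:" is the plugin's main file
                found[slug] = (nm.group(1), vm.group(1) if vm else "0")
                break
    return found


def audit(root, minimums, closed):
    """Return findings as (component, installed_version, reason).

    minimums: {'core': ver, plugin_slug: ver} lowest acceptable versions.
    closed:   plugin slugs that must be removed regardless of version.
    """
    findings = []
    core = read_core_version(root)
    if core and version_lt(core, minimums["core"]):
        findings.append(("core", core, f"below {minimums['core']}"))
    for slug, (_name, ver) in inventory_plugins(root).items():
        if slug in closed:
            findings.append((slug, ver, "plugin closed in repository; remove it"))
        elif slug in minimums and version_lt(ver, minimums[slug]):
            findings.append((slug, ver, f"below {minimums[slug]}"))
    return findings


def build_sample_site():
    """Constructed site tree for the demo; hypothetical plugin names, not real ones."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    write("wp-includes/version.php", "<?php\n$wp_version = '4.9';\n")
    write("wp-content/plugins/example-seo/example-seo.php",
          "<?php\n/*\nPlugin Name: Example SEO\nVersion: 1.2.0\n*/\n")
    write("wp-content/plugins/example-forms/example-forms.php",
          "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.1\n */\n")
    write("wp-content/plugins/example-nolinks/example-nolinks.php",
          "<?php\n/*\nPlugin Name: Example No Links\nVersion: 4.2.2\n*/\n")
    return root


# Constructed minimums and closed list for the demo; not real advisory data.
SAMPLE_MINIMUMS = {"core": "4.9.1", "example-seo": "1.2.3", "example-forms": "3.0.0"}
SAMPLE_CLOSED = {"example-nolinks"}


def run_sample():
    return audit(build_sample_site(), SAMPLE_MINIMUMS, SAMPLE_CLOSED)


if __name__ == "__main__":
    for component, ver, reason in run_sample():
        print(f"{component} {ver}: {reason}")
```

The same numeric comparison is what separates Drupal 7.23 from 7.32 in the Panama Papers reporting quoted below: a string comparison gets that pair right by accident, but “4.9” versus “4.9.1” or “7.9” versus “7.32” does not, which is why the check pads and compares integers.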

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers, the largest leak of private documents ever, which exposes a number of world leaders and companies and their potentially illegal financial transactions. The reporting points to outdated software with known vulnerabilities as the likely way in:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and have to deal with the ramifications.

Should You Use WordPress.com or Host Your Own WordPress Site?

I am often asked by Harrelson Agency clients and potential clients if they should use a WordPress.com site or have us build and host a WordPress site for them. Money is often a main concern, as you can pay $100 – 120 a year for a pretty solid WordPress.com site without much fuss. A hosted WordPress site can cost anywhere from a few hundred dollars to thousands of dollars in building costs, and more for hosting and programming. As with anything, discuss the costs upfront with the agency or company building your site if you go the self-hosted route.

There are financial advantages to the “set it and forget it” style of a WordPress.com website, but there are also a few other variables to consider if you’re looking to have a serious presence on the web and translate that into bigger goals for your company. Remember, WordPress started off as a blogging platform. While you can manipulate a WordPress.com site into a more “professional” looking business or church or group site, it’s not always easy depending on your needs and skill level.

If you do self-host, you can use custom or commercial themes, plus all the free themes that exist. You can modify, customize, or do anything you’d like with your site. With WordPress.com hosting, you’re limited to the set of free themes in the theme repository, and you can’t modify the CSS or other code within the theme. If you’re looking to customize the site with scripts and customizations (as an author / speaker / consultant / business, etc.), it’s definitely advantageous to be on your own server. This includes everything from custom embeds of media to accepting payments to contact forms.

Simply put, there are (often mission-critical) things you can’t do with a WordPress.com-hosted site that you can do with a self-hosted site.

Plugins are also a big deal, especially as the web matures. With a self-hosted site you can upload any free, paid, or custom plugin you want, which lets you really maximize WordPress’ potential as a content management system and expand that functionality. With a WordPress.com site, you’re not allowed to upload any free, paid, or custom plugins. Everything from search engine optimization (especially needed in 2015) to social media sharing to newsletter delivery to some really cool media handling to how your site displays posts is covered by plugins. Here are a few popular plugins, but I have a standard 10-15 that I typically install on a new site and highly recommend for flexibility, security, and making WordPress more than just a blogging platform.

Of course, spending $99 once a year is a nice idea and provides a predictable regular expense if you’re looking into a WordPress.com site with ads turned off and a custom domain (and a little extra storage). There is a higher initial cost for a self-hosted WordPress site (typically anywhere from $2,000 to $35,000 for most group, church or business sites depending on many variables). However, the cost of a self-hosted WordPress site over the span of a few years evens out, and you get a much “nicer” custom experience that is built around your own brand. This also frees you from being shackled to whatever changes WordPress.com might or might not make as it evolves as a commercial arm of the larger WordPress ecosystem, as we’ve seen just this week … although the changes are all very positive this time. I’ve never had a client want to go back to something like a hosted service after they realize the options available and how the site “pays for itself” over time.

Maintenance is a very big concern for security and speed reasons these days, or at least it should be an absolute top priority. It requires that you keep your site updated, keep backups, keep spam under control, and keep your site optimized. That’s something we do for clients, of course. WordPress.com frees you from that worry or need for maintenance, so that’s a plus on that side of things. However, like everything else, it’s a tradeoff between convenience and the ability to make something truly “your own” in terms of appearance and functionality.

The biggest point I always make when comparing what we can do with what WordPress.com hosting offers is that I believe you really cannot maximize the potential of your site / blog / online presence / long-term branding unless you have access to the additional functionality of plugins and the ability to maintain custom modifications (getting down to the nitty-gritty code level so you can make the site look and act the way you’d like). Being able to take payments, offer audio / video / text media downloads, etc. are all big benefits of what we offer with a self-hosted site, but the biggest benefit is that it’s “your” site and belongs to you, whatever may come down the road.

Why WordPress Still Matters

Good thoughts from Om here about the place of having your own website (whether it’s at WordPress.com or a self hosted WordPress installation for more flexibility) and feeding the beast:

Some Thoughts on the New WordPress.com and Mac App – Om Malik: “Most of those platforms are built to be silos, Facebook and Instagram being the worst offenders. Their approach is a threat to the open web as much as the rise of the app-centric internet. As someone who feeds the monster, I should have the ability to keep a copy of what I create. To stay relevant, WordPress.com has to become not only a publishing tool but also a means for me to route my sharing. Its role is that of an information router. I am looking forward to what talented developers do with the new capabilities of WordPress.com.”