It’s been another busy week for WordPress security — first, a large number of very popular plugins were found to be vulnerable to XSS (Cross-site Scripting) attacks due to improper use of a couple of commonly used functions. Then an important security update for the WordPress core, version 4.1.2, was released. Plugin and theme authors the world over are no doubt still busily checking their code, and updates to various plugins and themes are still rolling out as I write this post (though most were already fixed and updated a couple of days ago).
Many WordPress users are probably wondering … why are there so many security patches coming out for WordPress? Is WordPress a safe platform for my website? … continues
I’ve posted about this on our Announcements page, but thought I’d mention it here too — all WP NET servers have been patched and tested as safe from the FREAK Attack SSL/TLS bug. We actually installed the patches and tested a good couple of weeks ago, so we’ve been secure for some time now.
The FREAK Attack affects browsers as well, so you should test all the web browsers you use.
An article recently published on ZDNet suggests that much of WordPress’s security woes are due to lack of knowledge on the part of the administrator. Security — an area that is often overlooked or left out of the budget altogether — if left unchecked, can make your website an easy target.
Frequently, if a handful of straightforward, proven security hardening measures had been completed, many sites would not have fallen prey to their attackers. … continues
An interesting article was recently published on ZDNet, highlighting the increasing risks associated with unmanaged WordPress hosting.
In particular, the recent vulnerability discovered in the ubiquitous Slider Revolution plugin (and the subsequent controversy about the management of its disclosure and patching) has raised important questions regarding WordPress management and security.
At what technical level is it accepted that a website owner has the necessary know-how to secure a website, protect it against attacks and detect when problems occur? As WordPress becomes ever more popular around the world, so too does the need for focus on security, performance and scalability.
… security is an even bigger imperative. Many WordPress sites belong to people who don’t know jack about computers, let alone web site administration. These users are much better off with a WordPress environment in which their options are limited, but their safety protected.
In 2015, it will be more important than ever to ensure that your WordPress installations are secure and up to date.
Our NZ-Based Managed WordPress Hosting has been operating for 8 months now, and already there have been many occasions when our added level of WordPress support and expertise has given our customers security and peace of mind.
WP NET does not just host your site and leave it at that — we constantly monitor the WordPress eco-sphere for important security updates, emerging threats and other risks — and when they are discovered we inform our customers and patch our systems as soon as possible. Most other hosts are not even aware of these issues and resolving them is usually left to you.
Many WordPress sites are still vulnerable to some of these threats weeks or even months later.
WP NET also monitors your website uptime and performs regular malware scans, and if we notice any performance issues with your site, we’ll get in touch and work with you to make improvements.
So, ask yourself … can you afford not to use Managed WordPress hosting?
All our servers now have SSLv3 disabled to mitigate the recently revealed SSLv3 vulnerability, dubbed POODLE.
WP NET servers are NOT vulnerable to the POODLE attack.
Please note that this issue affects both servers and browsers; you should disable SSLv3 in your web browser as soon as possible.
For help with disabling SSLv3 in your browser go to: zmap.io/sslv3/browsers.html or scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
For more information about the POODLE vulnerability, please read the following references:
Security vulnerabilities are happening more and more; again this week there have been two serious security issues revealed.
iThemes, creators of the very popular BackupBuddy and iThemes Security plugins, have had their membership systems compromised, and it appears likely that hackers have gotten away with up to 60,000 users’ email addresses and passwords. If you are an iThemes customer, you should immediately reset your password — your previous password won’t work any more, as iThemes have disabled them — you must reset your iThemes membership password before you can access your account. If you are a user of BackupBuddy, iThemes Security Pro, iThemes Sync or iThemes Stash, then this affects you. Please go to the iThemes website and reset your password now. … continues
On April 7, 2014, a serious vulnerability was discovered in the widely used OpenSSL software — this affected many (many!) web servers across the world, requiring urgent patching.
As a precaution, it is also strongly advised that all SSL certificates be reissued and that all users change their passwords on systems that used OpenSSL.
All WP NET servers have had patches installed and tested, and we have also reissued all SSL certificates used on our domains, including the Plesk Panel.
Test your domain for the OpenSSL HeartBleed Vulnerability
If you host a website and you use an SSL certificate on your domain, you should consider having the certificate reissued and reinstalled on your server.