As we discussed in my last post, there are people confused about whether WordPress is still safe. It is: the WordPress software is well maintained and has a loyal community supporting it.
However, from time to time, a plugin or a theme (or a file within a theme) gives WordPress a bad reputation.
I wanted to talk a little about two examples:
A Good Plugin Turns ROTTEN: Social Media Widget Plugin
There was a particular plugin that went bad. Its name is 'Social Media Widget' (social-media-widget). This does not mean all social media plugins are bad; it is just the one with this unfortunate name.
This plugin has been compromised.
Sucuri's blog wrote: "We discovered it is being used to inject spam into websites and it has also been removed from the WordPress Plugin repository."
I don't have this on my list of must have plugins, but over the years, a couple of people have asked me about it. I believe I have contacted those of you I knew had asked about it, and told you to remove it immediately.
But just in case you ever tried it on your own, or through a recommendation, please be aware that it contains a known malicious script.
The story goes: the developer who created this plugin sold it. The company that bought it supposedly hired someone to work on it, and that person inserted the malicious code.
So, if you have the plugin called Social Media Widget installed, remove it immediately and head over to Sucuri.net or another scanning tool to scan your site and make sure you aren't infected.
Themes with potential problems: TimThumb Vulnerability
Some of you may have had a file in your theme that was a problem about a year or two ago. The file name was TimThumb.php. If you did, you may have received a call or email from me, or you were on a hosting plan that replaced the file for you. Most reputable hosting companies handled it for you.
Recently, we have been noticing that our clients' sites with the largest number of brute force attacks (which we are blocking with security plugins) are also the sites that still have the TimThumb file in them.
So, I am suggesting you consider moving to a different theme, if possible. If you don't have a heavily customized theme, you can simply move to Twenty Twelve, which works nicely and has a lot of advanced features for a free theme. It is also the default theme that comes with WordPress, so you know the WordPress team is making sure it is OK.
Remember, if you do change themes, you may have to reassign sidebars and widget areas, lose some features, or have to reinstall a logo or background. So plan it out, back it up, and then make the move.
If you don't want to move to a different theme, then you should check with your hosting provider to see if they have a newer version of TimThumb to replace yours. Or do some research online. If I hear anything more, I can let you know, if you email me.
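If you would rather check for both items yourself before deciding what to do, here is a small shell audit added as an example (it is not part of the original post and not a WordPress or Sucuri tool). It assumes the standard wp-content/plugins and wp-content/themes layout, that TimThumb copies still carry their define('VERSION', '...') line, and the sample tree at the bottom is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the post: audit a WordPress install for the two items
# discussed above. Assumes the standard wp-content/plugins and wp-content/themes layout.

# Print the plugin directory and return 0 if social-media-widget is installed.
find_social_media_widget() {
    dir="$1/wp-content/plugins/social-media-widget"
    [ -d "$dir" ] || return 1
    echo "$dir"
}

# Print "<path> <version>" for each TimThumb copy under the themes directory.
# The file is usually timthumb.php, sometimes thumb.php. The version is read
# from the define('VERSION', '...') line TimThumb carries (assumption); copies
# without that line are reported as "unknown" and deserve a closer look.
find_timthumb() {
    find "$1/wp-content/themes" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) 2>/dev/null |
    while IFS= read -r f; do
        ver=$(sed -n "s/.*define *( *'VERSION' *, *'\([^']*\)'.*/\1/p" "$f" | head -n 1)
        echo "$f ${ver:-unknown}"
    done
}

# Report both checks; returns 1 if anything was flagged so it can gate a cron job.
wp_audit() {
    found=0
    if plugin=$(find_social_media_widget "$1"); then
        echo "REMOVE plugin: $plugin"
        found=1
    fi
    hits=$(find_timthumb "$1")
    if [ -n "$hits" ]; then
        echo "$hits" | sed 's/^/REVIEW TimThumb: /'
        found=1
    fi
    [ "$found" -eq 0 ] && echo "OK: neither item found under $1"
    return "$found"
}

# Constructed sample tree: the withdrawn plugin plus one old theme still bundling TimThumb.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/social-media-widget" "$demo/wp-content/themes/old-theme/lib"
printf "<?php\ndefine ('VERSION', '2.8.14');\n" > "$demo/wp-content/themes/old-theme/lib/timthumb.php"
wp_audit "$demo" || echo "(exit status 1: action needed)"
rm -rf "$demo"
```

Point wp_audit at your real install (for example the directory that holds wp-config.php) and compare any reported TimThumb version against the current release your host or the TimThumb project publishes.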
Some final notes:
As with any kind of software (WordPress and plugins are software), if you are on an older version, even one version behind a security release, you are at risk. This means you should do a complete backup and upgrade to the newest version to keep your site safe and up to date.
What if you do a monthly backup? Why do you need to back up before upgrading?
I get asked this question, so wanted to address it here.
Sometimes hackers plant 'dormant' scripts that sit there undetected by you. So, if you find out on the 15th of the month that a hacker exploited a vulnerability in a plugin (or whatever) and put the code in on the 3rd, but your last clean backup was from the 1st of that month, any new content you added since then could be lost forever when you restore.
A backup is only as good as how clean and recent it is.
This is why I am always telling you it is important to have a backup and upgrade maintenance plan in place. For the clients whose sites I maintain, I keep at least 52 backups: a year of weekly database backups and a year of monthly complete site backups.
Most of you either do this yourselves or hire me to do it for you. But unfortunately, I know there are a few of you who have not backed up or upgraded when you were supposed to. This includes your plugins, your themes, and the WordPress installation itself.
Whether you want to believe it or not, hackers don't really care who you are; they are just looking for easy targets. So don't make yourself an easy target!
They are looking for the easy targets, especially with this current round of large scale hacks. As far as anyone can tell (and everyone is trying to figure it out, from your hosting company to WordPress to the news outlets), these hackers are specifically looking for those of you who have not secured your site's username and password. But, as the examples above show, your plugins and themes can make you vulnerable as well. Keep safe. And when I have news, I will share it, if not here then on Facebook or Twitter.
Take some easy steps to make your site safer than 99% of the others out there: change your username and password, and back up and upgrade your site. I wrote about it in my post, Is WordPress Still Safe?