
Watch Out For WordPress Plugin Vulnerabilities & Hacks, Identify Scripts & Stay Updated

My client’s website was hacked via an outdated WordPress plugin.

In “Steps to Fix and Prevent a Hacked WordPress Site”, you learned how to fix a client site after a hack. The steps in that blog came from two real-life scenarios, and today we will look more closely at one of them: an outdated plugin that opened the door to hackers.

I’ll explain how the issue was discovered, steps to fix it, and how to be more proactive with your client sites by taking preventative measures.

Users Of The All In One SEO Pack WordPress Plugin Should Update Immediately

Versions of All In One SEO Pack older than 2.3.7 contain a serious cross-site scripting vulnerability that could allow an attacker to take over a WordPress site. All In One SEO Pack users should immediately update the plugin to the most recent version, which contains a patch to remove the vulnerability.

All In One SEO Pack is among the most popular WordPress plugins, with over a million active installations. The plugin includes numerous features for enhancing a WordPress site’s search engine optimization and security.

The vulnerability, first reported by David Vaartjes, is a persistent cross-site scripting vulnerability. Cross-site scripting vulnerabilities are among the most common security problems on the web. They occur when an attacker finds a way to inject arbitrary JavaScript code onto a website. Because JavaScript on a page is implicitly trusted to access data associated with that page, including authentication cookies, the injected code can be used to send sensitive information to servers under the control of the attacker.

While every developer knows that user input should be sanitized and encoded such that it can’t be executed if it’s displayed on an HTML page, it is challenging to block every potential path by which that might happen, which is why XSS vulnerabilities are so common.

In this case, the vulnerability is associated with All In One SEO Pack’s Bot Blocker functionality. Bot Blocker is responsible for filtering requests from a predetermined list of bots: programs that access a site for reasons that may not be compatible with the wishes of the site owners. The undesirable bots are detected based on the User-Agent string or Referer data and are sent a 404 page rather than the page they requested. Part of the Bot Blocker’s functionality is to record blocked requests for later review by the site’s owners.

Unfortunately, the data contained in those fields was not properly sanitized, so code embedded within the user agent or referrer headers is output in an executable state within the admin interface. If an admin user opens the page listing the requests, their browser will execute the injected code, potentially sending the admin user’s authentication cookie and other sensitive data to the attacker. If that happens, the attacker is in a position to take over the site.

The Bot Blocker functionality is not activated by default, and if you have not activated it, your site is not vulnerable to the attack. However, we recommend that WordPress users update to the most recent version of the plugin anyway.
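The record-then-display pattern described above, reduced to a minimal example. This is added illustration code, not All In One SEO Pack’s own: the function names and the sample log rows are hypothetical, and esc_html() is WordPress’s real escaping helper (a htmlspecialchars() fallback is defined so the file also runs from the command line outside WordPress).

```php
<?php
// Added example, not All In One SEO Pack's code. Function names and sample rows
// are hypothetical; esc_html() is WordPress's own helper, shimmed here so the
// script also runs from the command line outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        // Approximation of WordPress esc_html(): escape for an HTML text context.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed log rows: what a bot blocker might record from request headers.
// The second row carries markup in both headers, as the advisory describes.
$blocked_requests = [
    ['ua' => 'ExampleBot/1.0', 'referer' => 'http://bot.example/'],
    ['ua' => 'Mozilla/5.0 <script>alert(1)</script>',
     'referer' => '"><img src=x onerror="alert(1)">'],
];

// Vulnerable pattern: header values are interpolated straight into admin HTML,
// so whatever the client sent is parsed as markup when an admin opens the page.
function render_blocked_requests_unsafe(array $rows) {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= "<tr><td>{$r['ua']}</td><td>{$r['referer']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Fixed pattern: escape at the point of output, for the context the value lands
// in. Request headers are attacker-controlled strings and nothing more.
function render_blocked_requests_safe(array $rows) {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . esc_html($r['ua']) . '</td><td>'
               . esc_html($r['referer']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Defensive extra when rows are written to the database: drop control characters
// and cap the length so one request cannot bloat the log table. This does not
// replace output escaping; the safe renderer above is still needed.
function sanitize_header_for_storage($value, $max = 512) {
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value);
    return mb_substr($value, 0, $max);
}

// Self-check: the safe renderer must not emit an unescaped <script> tag.
$unsafe = render_blocked_requests_unsafe($blocked_requests);
$safe   = render_blocked_requests_safe($blocked_requests);
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<script>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
echo $safe;
```

The fix is the same whichever plugin is involved: a header value stored for later review is untrusted input twice, once on the way into the database and again on the way out to an admin page, and the escaping has to match the output context (esc_html() for text nodes, esc_attr() for attribute values).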


If You Haven’t Upgraded To Magento 2, Here’s Why You Should Reconsider

It’s been more than a year since the release of Magento 2.0 — an almost complete rewrite of the enormously popular eCommerce application — and yet many eCommerce retailers have yet to upgrade.

I understand why. An eCommerce store is the central plank of any modern retail business, and those businesses depend on the reliability and availability of their Magento store. If a store based on Magento 1 continues to work, and continues to be supported with security patches, it might be hard to see why an eCommerce retailer should invest the time and energy to update.

After all, many of the features available in Magento 2 are made available in Magento 1 through extensions, and a store that has worked well for several years shows no obvious sign of needing an update.

But, an “if it ain’t broke, don’t fix it” approach isn’t appropriate where software is concerned. There will come a time when older versions of Magento are no longer supported. We’ve seen what happens to old and unsupported WordPress sites, and on a long-enough time-frame, the same thing will happen to Magento stores.

What’s So Great About Magento 2.0?

There are far too many improvements in Magento 2 to cover them all, but let’s have a look at a few stand-outs.

  • Performance — Magento 2 offers full-page caching, CSS pre-processing, and many other low-level changes to the application that allow it to perform better while using fewer resources.
  • Mobile-friendly — Magento 2 is designed for a mobile world. It’s easier to create a truly great mobile retail experience when your eCommerce store is designed from the ground-up with responsiveness in mind.
  • Streamlined Checkout — Magento 1’s checkout experience was bad, but the eCommerce world has changed, and so have user expectations. Magento 2 provides a streamlined, elegant checkout process that helps encourage sales and reduce cart abandonment.
  • Improved search — Solr was Magento’s search stalwart for many years, but it wasn’t without limitations. Elasticsearch is faster, easier to configure, and integrates better with Magento.

There’s No Going Back

The features I just mentioned are all compelling, but the best reason to move to Magento 2 is that technology doesn’t move backwards. Magento 2 is engineered for the modern web, using modern web technologies. It’s an almost complete rewrite based on modern design and development best practices, and all future improvements to the Magento ecosystem that leverage modern web technologies will be focused on Magento 2.

If you don’t move to Magento 2, you don’t have access to the most modern eCommerce platform, and you deny your business the efficiency, performance, and innovation that could take it to the next level.


What’s New In Magento Enterprise Edition 2.1?

Last year’s release of Magento 2 was a massive rewrite of the application on which tens of thousands of eCommerce businesses are built. The update brought Magento in line with modern web technology, and gave the Magento team a solid foundation to build on. With the release of Magento Enterprise Edition 2.1, we’re beginning to see the fruits of that work.

eCommerce store owners are sometimes reluctant to update as rapidly as they might — they value stability more than new features, which is understandable, but it should be remembered that new versions of software don’t just bring new features, they bring security updates that help keep eCommerce stores safe from criminals.

Site Staging And Preview

Magento Enterprise Edition 2.1 considerably improves the process of staging and previewing upcoming changes to a store. Changes to products, categories, and promotions typically involve multiple stakeholders within an eCommerce company, ranging from management to marketing. The new preview interface gives merchants a range of tools for creating, staging, sharing, and previewing changes before they’re applied to the live site. A timeline dashboard makes it easy to see upcoming updates so that team members can effectively collaborate.

One of the nicest features is the ability to preview promotions throughout the checkout process, which allows retailers to iron out potential problems before customers are exposed to them.

In-Context Checkout

This is a simple but effective change to the way PayPal checkouts are handled. Instead of being redirected to the PayPal site, checkout now takes place entirely on the eCommerce site, streamlining the checkout process and reducing the chance that a purchase will be abandoned before it’s completed.

Improved Search

Search is at the heart of the modern eCommerce experience. In Magento Enterprise Edition 2.1, the Solr search platform has been replaced by Elasticsearch, a powerful modern search platform based on Lucene. Elasticsearch brings improved search performance, better scalability, and it is much better able to handle large product catalogs.

Elasticsearch also offers improved configurability, allowing eCommerce merchants to attribute weightings that can lead to more relevant search results. Elasticsearch is also good news for non-English eCommerce sites; it supports searching in 33 languages out of the box.

Magento 2 was a significant move forward, bringing all manner of performance and technology improvements that eCommerce retailers and Magento’s developers can build on over the next few years. Magento Enterprise Edition 2.1 is a solid demonstration of the power and flexibility that Magento 2 brings to the table.


What WordPress Does (And Doesn’t Do) To Optimize Images

Images make up a large chunk of the bandwidth used by most websites. That makes them an obvious target for optimization. Any reduction in the size of images can have a positive impact on the performance of a website.

Over the last couple of releases, WordPress has introduced several new image optimizations that happen by default. I’ve found that some WordPress users don’t quite understand what is being optimized and what isn’t. An understanding of how WordPress optimizes images is important if site owners are to maximize the opportunity for performance gains, so let’s take a look at what WordPress does with the images you upload to your site.

Responsive Images

Responsive images were introduced in WordPress 4.4. They allow WordPress to serve images that are the right size for the screen on which they will be viewed. There’s no need to send an image 2000px across if it will be displayed on the screen of a 4-inch phone.

WordPress has always generated multiple copies of uploaded images in various sizes, but they were only used when the theme called for smaller images — thumbnails are the obvious example. WordPress now uses the images to provide a responsive experience for visitors.

The main limitation of WordPress’ responsive image implementation is that the image sizes generated by WordPress may not be ideal. WordPress’ developers added an extra size — medium — when they implemented responsive images, but the range of sizes may not be appropriate for every design. It’s up to theme developers to make sure that the right image sizes are being generated.

Image Compression And Optimization

WordPress has always carried out some optimizations on the images it generates, but there were changes in WordPress 4.5 that users should be aware of.

Increased Compression

By default, images are created with a quality of 82 rather than the previous 90. The numbers are given to the underlying image processing library and indicate how high the quality of the image should be, with 100 being the best.

The reduction in quality is largely theoretical. The images look almost identical to the untrained eye. However, images produced at the lower quality use much less storage space and bandwidth.

Metadata Stripping

Most images contain metadata that isn’t useful to a person looking at the image in a blog article or page. The metadata carries information about the image that is useful in various ways — copyright information, color information, data generated by the camera — none of which benefits the casual website visitor.

WordPress will now strip out much of that data by default.

What WordPress Doesn’t Do To Optimize Images

In addition to understanding what WordPress does to images, it’s useful to know what it doesn’t do.

Plenty Of Metadata Left

Some of the metadata in images is useful to some people — photographers, for example, aren’t happy if EXIF data is removed. In fact, WordPress doesn’t strip all the metadata from the images it creates. The following data is left alone: EXIF, XMP, and IPTC data, and ICC and ICM color profiles.

If you want to stop WordPress stripping any metadata, you can use the image_strip_meta hook, as explained here.

Your Original Image Is Not Altered

When you upload an image, WordPress creates several versions of that image with different sizes, depending on defaults and theme settings. The increased compression and metadata stripping happen when the new images are being generated. They’re not applied to the original image, which remains the same. If you want the original image, which may well be sent to users, to be optimized, you’ll have to do it yourself with a tool like ImageOptim or a WordPress plugin like EWWW Image Optimizer.
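The quality default of 82, the metadata stripping, and the set of generated sizes discussed in this post are all exposed through filters. The following is an added example of a must-use plugin that adjusts them; it is not WordPress core code, the plugin name and the chosen values (90, 1200px) are my own, and only the filter and action names are WordPress’s real ones.

```php
<?php
/**
 * Plugin Name: Image Defaults Example
 * Description: Added example (not WordPress core code) showing the filters behind
 *              the image-quality, metadata-stripping and generated-size defaults.
 * Place this file in wp-content/mu-plugins/ so it loads before themes and plugins.
 */

// 1. Compression. WordPress 4.5 lowered the default from 90 to 82. The
//    'wp_editor_set_quality' filter receives the MIME type, so the old value can
//    be restored for JPEGs only (90 is the illustrative choice here).
add_filter('wp_editor_set_quality', function ($quality, $mime_type) {
    return $mime_type === 'image/jpeg' ? 90 : $quality;
}, 10, 2);

// 2. Metadata. 'image_strip_meta' is consulted by the Imagick editor before it
//    strips tags and profiles from a resized copy; returning false keeps them.
//    Caveat: the GD editor never carries metadata over at all, so this only has
//    an effect when the Imagick extension is installed and selected.
add_filter('image_strip_meta', '__return_false');

// 3. Generated sizes. The responsive srcset candidates come from the
//    intermediate sizes created on upload. A theme can register a size that
//    matches its content width and drop sizes it never uses (values illustrative).
add_action('after_setup_theme', function () {
    add_image_size('example-content-width', 1200, 0, false); // 1200px wide, no crop
});
add_filter('intermediate_image_sizes_advanced', function ($sizes) {
    unset($sizes['medium_large']); // example: drop this size if the theme never uses it
    return $sizes;
});
```

None of these filters touch files already in the media library; they apply when new uploads are processed, so existing images have to be regenerated (a regenerate-thumbnails plugin or WP-CLI’s media regenerate command does that) before the change is visible, and the original upload stays untouched either way, as the post explains.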

Over the last few years, WordPress has become much better at image optimization, and for the most part, users can just go with the defaults.


Four Ways You Can Improve Your WordPress Membership Site

One of the best ways to generate revenue from a WordPress site is to offer subscriptions for premium content. For general interest sites, offering subscriptions usually isn’t the best way to go, but if your site offers valuable information to an audience prepared to pay for it, then charging for access can offer better returns than advertising or affiliate marketing.

However, it’s not enough to just throw up a paywall and start charging. Audiences who have become used to getting content for free expect substantial added value for their payment. Bloggers who take this route should ensure they offer a premium service to go along with the premium price tag.

Don’t Be Afraid To Experiment With New Types Of Content

Text is the heart of the blogging experience, but — with some exceptions — a successful premium membership site relies on a mix of content types that might include:

  • Video
  • Podcasts
  • Email newsletters
  • Ebooks
  • Courseware

Moving beyond blogging might be daunting, but most longer written content can be thought of as an extension of blogging. Podcasting and video production are more involved and time-consuming, but podcasts are relatively simple to create if you’re a decent public speaker. For many informational membership sites, video doesn’t have to mean expensive — some of the most successful membership sites focus primarily on screencasts, which can be made with a PC, a microphone, and inexpensive (or free) software.

Investing in new content types has the added advantage of exposing your content to new audiences. As a personal example, I find nothing more boring than reading Apple tech blogs, but I very much enjoy listening to podcasts like ATP.

Offer More Payment Options

This might seem like obvious advice, but many membership sites only offer PayPal as a payment option. Some people neither have nor want to use PayPal. By limiting the number of payment options, a membership site stops people who would happily pay from becoming members. Fortunately, this problem is solved relatively easily with plugins like Restrict Content Pro, which offers numerous payment options.

Make It Fast

Performance is an important component of offering a premium experience for paying users. No-one enjoys waiting for slow web pages, and that goes double if they’re paying for the privilege. Out-of-the-box, WordPress is a speedy content management system, but there are several strategies site-owners can take to improve performance.

Choose The Right Hosting

If you opt for the cheapest hosting, it’s not going to provide the best experience. I’m not suggesting you opt for a dedicated server unless your traffic justifies it, but a specialist managed WordPress hosting company that cares about performance can make a massive difference.

Use Caching

Caching can consistently improve the speed at which content is made available to users. Historically, caching has been problematic for membership sites because the default is to bypass the cache for logged-in users. Plugins like WP Rocket allow for the caching of content sent to logged-in users, so be sure to activate that option if you want your members to have the best possible experience.

Take Advantage Of A CDN

Content distribution networks take your static content and distribute it to edge-nodes located closer to your members than the server your site is hosted on. CDNs enhance performance by reducing the latency caused by distance — with the added bonus that some of the load is lifted from your server.

Test Until You Get It Right

Nothing you do to improve the experience you offer members makes a bit of difference unless you have evidence that it really does make their experience better. A/B testing will allow you to make incremental changes to your site while measuring the effect each change has. Testing helps you implement changes that have the desired effect, and stops you pursuing strategies that are good in theory but offer no real benefit. A/B testing is a complex subject, which we have written about in more depth elsewhere on this blog.

Always Look For The Next Improvement

Without mindful progress towards making the experience your site offers better, it is unlikely to flourish over the long-term. The best way to retain members is to keep things fresh and give them new reasons to renew their membership.


Customize Changesets Will Make The WordPress Customizer More Useful

When the Customizer was first introduced to WordPress a few years ago, it was intended as a simple interface for making changes to WordPress themes. Even non-technical users could tweak themes and see the results in real time without having to commit changes and preview them on the front end.

However, the Customizer didn’t go quite far enough. It’s great for small changes, but because all changes made in the Customizer are ephemeral — they are lost as soon as the user navigates away from the Customizer — it’s of limited usefulness.

A new proposal, which stands a reasonable chance of being included in the next versions of WordPress, aims to fix the problem of ephemeral changes and make the customizer much more useful.

In much the same way that WordPress autosaves drafts of posts, the new proposal would enable the Customizer to save changes so that it’s possible to resume editing sessions. The simplest benefit of persistent changes — Customize Changesets is the official name — is that WordPress users won’t have to make all their changes in one session before deciding to commit to them. They can come back later, and they can even switch to another theme in the Customizer and have their work saved.

However, there are other useful benefits to the new behaviour. It will also be possible to share Customizer changes. As things stand, if you wanted to collaborate on changes with your business partner or a client, they’d have to be in the same physical space looking at the same monitor. With Customize Changesets, each saved set of changes is represented by a URL, which can be shared with other users of the same site.

Less Need For A Staging Site

We’ve discussed staging sites on this blog several times. A staging site is a copy of a WordPress installation that’s used to try out changes before they’re released into the world on a live production site. Changes to a staging site are, of course, persistent. I usually recommend that WordPress users create a staging site when making any significant change to their site.

If they just want to tweak the color of an element, the Customizer is fine. For a series of multiple changes: changing the font, tweaking some element colors, and adding a little custom CSS, I’d advise a staging site rather than the Customizer. That goes double if there’s any collaboration involved.

If the new Customize Changesets work well, I might consider making that sort of change within the Customizer rather than using a staging site. Staging sites take time to set up, and more time to integrate the changes back into the live site.

Of course, for complex changes, a staging site will still be a necessity. The Customizer is not intended for in-depth alterations to a WordPress site.

There’s never any guarantee that proposed features will make it into WordPress Core, and even less guarantee when they’ll make it. But I’m excited by Customize Changesets — they promise a better customization experience for non-technical users than WordPress currently offers.


Keeping Your WordPress Site Secure Costs Criminals Money

With the number of CMS vulnerabilities reported over the last few years, site owners might feel they are under siege. Online criminals love nothing more than a juicy vulnerability in a popular content management system.

The underlying motivation of most criminals is easy to understand — they want to make money.

The online criminal economy is huge. Successful hackers — now more like organized crime syndicates than the traditional hacker in her basement — do what they do because it’s profitable. Online crime is a business like any other: any effort has to be justified by the revenue it generates.

Hackers don’t want to expend more effort breaching a site than they can make from it. Unless your site stores large amounts of private information or data valuable to a person willing to pay for it, it’s unlikely that it will get the individual attention of a serious criminal. The average business site or blog is not Ashley Madison or Mossack Fonseca.

Online crime at this level is a volume business. It pays because the hacker can exploit hundreds or even thousands of sites for their botnet or as a malware distributor. It doesn’t pay if they have to spend hours or days engineering complex targeted exploits.

That’s why most attacks against WordPress sites are essentially automated. Bots scan the web looking for sites with known vulnerabilities that are easy to exploit. The bots vary in sophistication, but, for the most part, if your site makes life difficult for the automated scripts hackers use, they’ll move on to an easier target. After all, there are thousands of sites that aren’t secure.

As Sucuri point out in their recent Website Hacked Report, the majority of security breaches happen because of outdated plugins or user error. Properly configuring your WordPress site according to security best practices and keeping it up-to-date will usually be enough to discourage the vast majority of attackers. It would cost too much time and money to breach a properly secured site, so they don’t bother trying beyond an initial probe.

With a little effort, you can make your WordPress site so secure that criminals aren’t willing to invest the time and effort. In fact, by following best practices, you can make your site secure enough that even targeted attacks aren’t successful.

How can you make your site too expensive for hackers?

  • Update WordPress and all plugins as soon as a new version is released.
  • Make sure the underlying operating system is up-to-date. We’ll take care of that for you on most hosting accounts.
  • Move the login page of your WordPress site so that bots can’t easily find it.
  • Don’t advertise the version number of your WordPress installation.
  • Ensure that all users — especially administrators — use long random passwords to prevent successful brute force attacks.
  • Use Two-Factor Authentication where possible.
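Two items on that list, keeping everything updated and not advertising the version number, can be handled from a small must-use plugin. The following is an added example, not code from this article or from any named product; the plugin name and the helper function are my own, while the filter and action names are WordPress’s real ones.

```php
<?php
/**
 * Plugin Name: Hardening Defaults Example
 * Description: Added example (not from the article or any named product) covering
 *              two items of the checklist above: automatic updates and not
 *              advertising the WordPress version. Filter names are WordPress's own.
 * Place this file in wp-content/mu-plugins/.
 */

// --- Keep core, plugins and themes current ------------------------------------
// Minor core releases auto-update by default; these filters opt in for the rest.
// Trade-off: an update can break a site, so keep backups and watch the update
// e-mails, but for the volume attacks described above, being current wins.
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// --- Do not advertise the version number --------------------------------------
// The <meta name="generator"> tag in <head> and the generator element in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// The "?ver=..." query string on core stylesheets and scripts also reveals the
// version. Strip it only when it equals the core version, so plugin and theme
// assets keep their own cache-busting version strings.
function example_strip_core_version_query($src) {
    global $wp_version;
    if (!is_string($src)) {
        return $src;
    }
    $parts = wp_parse_url($src);
    if (empty($parts['query'])) {
        return $src;
    }
    parse_str($parts['query'], $args);
    if (isset($args['ver']) && $args['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version_query');
add_filter('style_loader_src', 'example_strip_core_version_query');

// Not covered here: readme.html in the web root also states the version and can
// simply be deleted after each update, and moving the login page is a job for a
// login-URL plugin or a web-server rule rather than a filter.
```

Hiding the version does not patch anything; its value is exactly what the post describes, making the site a poorer match for scanners that key on a version string, which is why it belongs alongside the updates rather than instead of them.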

If you follow these rules, and choose a hosting company that is diligent about updating and securing the underlying hosting environment, the vast majority of automated attacks against your site will fail and attackers will move on to easier pickings.


Writing And Publishing Your Book From WordPress

I’ve written on this blog before about using WordPress to “blog your book”. Today, I’d like to focus on using WordPress as a book publishing platform. When you blog your book, you write blog articles with the intention of turning them into a book at some point — the book is a collection of blog articles. That’s not how most writers go about creating a book. They write the book behind closed doors and publish it when it’s done.

You might be thinking, why would I want to use WordPress unless I intend to let the world see my work in progress? WordPress is a powerful content management system, which makes it an ideal environment for managing the materials — text and media — that constitute a book. Additionally, the plugins I’m about to discuss turn WordPress from a web publishing platform into a tool that can produce beautiful ebooks and PDF books that can be sent to a printing company.

Using WordPress to manage book creation workflows isn’t just a benefit for writers; publishers can leverage WordPress’ excellent user management features with the book creation tools we’re about to discuss to create efficient workflows for building, designing, and creating books from multiple authors. Authors, editors, and publishers can interact within WordPress, and once the “manuscript” is complete, it can be exported to whichever format the publisher desires.

There are several plugin options that will turn a WordPress installation into a book publishing platform, but I’m going to limit myself to a couple of examples, both of which are free and open source.

PressBooks

PressBooks is both a plugin and a platform based on the plugin. The plugin is open source, which means any writer or publisher can install it on their WordPress installation.

PressBooks makes it relatively simple to build a book, enter the metadata associated with it, and export to a format of your choice, including mobi, epub, and PDF. It includes several excellent templates that can be used to output a professional quality ebook.

While PressBooks is a powerful tool, its creators would much rather you use their hosted platform than a self-hosted WordPress, and that’s clear from the level of support you’ll get for the free open source plugin.

Anthologize

Anthologize is an excellent alternative to PressBooks. Developed with support from a number of educational establishments, it’s not the best looking plugin I’ve ever seen, but it does provide all the tools a writer or publisher needs to build and export books from within WordPress.

I’m a fan of Anthologize, but I’ve relegated it to second position below PressBooks because development seems to have languished and the most recent versions of WordPress are not supported. Although there’s a strong chance it will work on a modern WordPress site, I won’t advise people to build on a project that isn’t actively maintained.

If you want a way to combine the power of WordPress as a content management system with book creation and export tools, hopefully you’ll find what you need in one of the plugins we’ve discussed here.


Magento eCommerce Merchants Should Be Vigilant For Credential And Credit Card Swipers

Magento eCommerce stores are high-value targets for online criminals. Thousands of dollars a month pass through even small stores, and although the vast majority of those stores use external payment processors, malware embedded in the store’s pages could still be used to steal data as the user enters it. Using an external payment processor means you have no database of credit card numbers to steal, but that doesn’t necessarily prevent the exfiltration of sensitive data entered into on-page forms.

Typically, the process of stealing sensitive data relies on the exploitation of an existing vulnerability. Hackers use that vulnerability to inject malware into web pages. The malware harvests, or swipes, the data as users enter it, either sending it directly to the criminals’ servers or storing it somewhere on the Magento store’s server for later collection.

Hackers often want to minimize the number of times they connect to a store to retrieve data because those connections can be a tell-tale sign of a security problem. If store owners scrutinize logs and find that their pages regularly make unauthorized connections to a third-party server, they’ll become suspicious and start looking for malware. To reduce the chance of being caught, criminals often store the stolen data on the store’s server and transmit it in batches or use their ability to access the store’s files to collect it.

Obviously, criminals can’t just stash the data in a file called “stolencreditcardnumbers.txt”, so they go to great lengths to obfuscate the data. One of the favorite methods is to hide the data in an image file. It’s relatively easy to insert arbitrary data within most common image formats. If the images are loaded in an image viewer, they’ll appear to be perfectly valid.

In an interesting spin, Sucuri recently discovered a hacked Magento site where the image being used to store the stolen data was displayed on the site’s pages. It was an image of a product the site sold, and there’s no way a cursory examination would have revealed that it was full of stolen credit card numbers.

This technique is a double win for criminals. There’s almost no chance the store owners will discover the deception, and it’s easy for the data to be collected. Rather than using their access to the server, which increases the chances of discovery, the attackers can simply visit the page where the image is displayed.
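One defensive check for the stash-in-an-image technique described above. This is an added example, not Sucuri’s or Magento’s tooling: it walks a PNG’s chunk list (or finds a JPEG’s end-of-image marker) and reports any bytes that follow the end of the image, which a viewer ignores but which is exactly where appended data lives. The function names are my own, the sample image is constructed inline, and the digit-run heuristic is a deliberately simple illustration.

```php
<?php
// Added example (not Sucuri's or Magento's code): flag image files in a media
// directory that carry data after the end of the image. The sample file is
// constructed below; the digit-run heuristic is illustrative only.

/**
 * Return the byte offset where the real image ends, or null if the file is
 * not a PNG/JPEG or is truncated (no IEND chunk / no EOI marker).
 */
function image_end_offset(string $bytes) {
    $len = strlen($bytes);
    if (substr($bytes, 0, 8) === "\x89PNG\r\n\x1a\n") {
        // Walk the chunk list: [4-byte length][4-byte type][data][4-byte CRC].
        $off = 8;
        while ($off + 12 <= $len) {
            $chunk_len = unpack('N', substr($bytes, $off, 4))[1];
            $type      = substr($bytes, $off + 4, 4);
            $off      += 12 + $chunk_len;
            if ($type === 'IEND') {
                return $off;            // IEND is defined to be the last chunk
            }
        }
        return null;
    }
    if (substr($bytes, 0, 2) === "\xFF\xD8") {
        // Entropy-coded JPEG data byte-stuffs FF as FF00, so FFD9 only occurs as
        // a real End Of Image marker (the embedded EXIF thumbnail has its own);
        // the last occurrence is the end of the main image.
        $eoi = strrpos($bytes, "\xFF\xD9");
        return $eoi === false ? null : $eoi + 2;
    }
    return null;
}

/** Describe any trailing bytes; null means nothing follows the image. */
function inspect_trailer(string $bytes) {
    $end = image_end_offset($bytes);
    if ($end === null || $end >= strlen($bytes)) {
        return null;
    }
    $trailer = substr($bytes, $end);
    return [
        'offset'     => $end,
        'length'     => strlen($trailer),
        // Illustrative heuristic: runs of 13-19 digits look like card numbers.
        'digit_runs' => preg_match_all('/\d{13,19}/', $trailer),
        'preview'    => substr(preg_replace('/[^\x20-\x7E]/', '.', $trailer), 0, 60),
    ];
}

/** Scan .png/.jpg/.jpeg files under $dir and return one report row per hit. */
function scan_media_dir(string $dir) {
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!preg_match('/\.(png|jpe?g)$/i', $file->getFilename())) {
            continue;
        }
        $info = inspect_trailer((string) file_get_contents($file->getPathname()));
        if ($info !== null) {
            $hits[$file->getPathname()] = $info;
        }
    }
    return $hits;
}

// --- Constructed sample: a valid 1x1 grayscale PNG with fake data appended -----
function png_chunk(string $type, string $data) {
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}
$clean_png = "\x89PNG\r\n\x1a\n"
    . png_chunk('IHDR', pack('NNCCCCC', 1, 1, 8, 0, 0, 0, 0)) // 1x1, 8-bit gray
    . png_chunk('IDAT', gzcompress("\x00\x00"))              // filter byte + pixel
    . png_chunk('IEND', '');
$stash        = "4111111111111111|12/29|123\n"; // constructed, test-card-style record
$tampered_png = $clean_png . $stash;

assert(inspect_trailer($clean_png) === null);
$report = inspect_trailer($tampered_png);
assert($report !== null && $report['length'] === strlen($stash) && $report['digit_runs'] === 1);
print_r($report);
// Real use: print_r(scan_media_dir('/path/to/magento/media'));
```

Treat a hit as a lead, not a verdict: some cameras and editing tools leave harmless trailing bytes, so compare the flagged file with a known-good copy from a backup or the original upload. Running the scan on a schedule and diffing the results against the previous run turns it into the kind of low-noise check that catches a swiper’s stash without relying on spotting outbound connections in the logs.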

The best way to avoid exposing shoppers to the risk of having sensitive information stolen is to prevent criminals from gaining access in the first place. If they can’t exploit a vulnerability on a store, they can’t inject their swiper code.

Updating is key here. Updates don’t negate the chance of being hacked, but they substantially reduce it. Make sure that your Magento store and any extensions you use are regularly updated.
