
WordPress Joins HackerOne And Introduces Bug Bounties

WordPress has announced that it’s joined HackerOne, a platform for researchers to responsibly disclose security vulnerabilities.

HackerOne provides a consistent interface for reporting vulnerabilities and reduces the amount of time developers waste responding to common issues, freeing them to focus on security improvements. The HackerOne platform is used by many large organizations for vulnerability reporting, including Twitter, GitHub, and Dropbox.

HackerOne can be used to responsibly disclose serious vulnerabilities for several of the WordPress project’s software products, including WordPress itself, WP-CLI, BuddyPress, and bbPress. Third-party WordPress plugins are not included in the program.

Alongside the adoption of HackerOne for security issue reporting, WordPress has also introduced a bug bounty program with support from Automattic. Bounties will be paid for the responsible disclosure of serious vulnerabilities.

Software of any complexity has bugs in its code. If it becomes popular, hackers and criminals will attempt to find and exploit security vulnerabilities caused by those bugs. Those two facts are the cause of many of WordPress’ security problems. Only misconfiguration and mismanagement cause more issues.

Criminals exploit WordPress vulnerabilities because there’s money to be made. Every WordPress site represents server resources and an audience, both of which are valuable to criminals — and there are many millions of WordPress sites in the world, giving criminals an enormous incentive to discover vulnerabilities.

On the other side are the white hat security researchers, WordPress users, and developers, who work to discover and patch vulnerabilities before criminals find them. WordPress users and the developers who build and rely on WordPress have an obvious incentive to responsibly disclose vulnerabilities, as do security researchers whose reputations are built on their ability to protect users — Sucuri is a prominent example we’ve mentioned on this blog many times before.

But there’s also a large contingent of independent developers and researchers who have no real incentive to look for vulnerabilities or report those they do find. Some — those on the border between hacker and researcher — could make money exploiting vulnerabilities. Some might disclose the vulnerability irresponsibly, leaving developers and users to scramble to release a patch before it’s exploited. Others might sell the vulnerability to criminals.

Bug bounties are intended to give researchers a reason to do the right thing. If they find a vulnerability and disclose it responsibly, they’ll be rewarded for their contribution. Companies like Google and Facebook run huge bug bounty programs that have paid out millions of dollars because they know the cost of a data leak or exploited vulnerability could be much higher.

Responsible disclosure in this case means letting the developers know about the vulnerability with enough information to reproduce the issue and a proof of concept. It also means giving the developers a reasonable amount of time to release code that fixes the problem and for users to upgrade.


Meet Magento Sweden 2017 – Recap

After returning from the incredible Stockholm, it is time to recap this epic event.

Just before the main event, Magento organized a Contribution Day at Nordic Web Team offices. We spent the entire day coding with Magento core engineers trying to improve the Magento 2 platform, and our work led me to submit a pull request on GitHub to add a small feature to the CLI.

The day started early in the morning in Münchenbryggeriet, otherwise known as the Brewery Conference Center because of its history as an old brewery.

Hanna and Jonas from Nordic Web Team opened the event talking about the benefits of Meet Magento association both for merchants and for developers, showing us some fascinating numbers about Magento 2 adoption and ongoing plans for the platform, like the new office in China.

Ben Marks opened with tips for developing a store interface that accommodates the diverse needs of an international audience. For example, if merchants want to reach customers in China, then they must adapt their store to use phone numbers as login credentials instead of usernames or email addresses.

The venue was then divided into a technical track and a business one. Philip Jackson kicked off the business talk, and Peter Jaap did the same for the technical track by talking about the growing integration of VR into eCommerce.

After a quick networking-and-coffee break, we went back to the talks, where Nordic Web Team presented a particularly interesting talk about Kubernetes and Magento 2.

After a busy morning, we broke for lunch over many conversations with merchants and integrators about the present and future of the platform. For the most part, we agreed Magento 2 is now a solid and easy-to-use platform. Even better, Magento is now in a position to receive direct feedback and assistance from its developer community, which is dedicated to quashing bugs and constantly improving the code.

I spent most of the afternoon in the technical track, and I was fortunate to catch a presentation from Ivan Chepurnyi, former Magento architect, called “Challenges of Architecting Magento 2.0 Customizations.” Afterward, Ivan and I squared off against Max Yekaterynenko and Ben in a game of table soccer. What Team Max-and-Ben may have lacked in skill, they had in enthusiasm, scoring three goals against themselves in the process. Good game, Max and Ben – start practicing for a rematch next year!

After the match, Fredrik Blanco presented his talk about machine-learning using an example from a live Magento store. Though the data set was small, he showed how machine-learning can predict user behavior and increase sales by cross-selling related products.

My time approached, so I refueled with more tea before jumping into the new bin/magento feature, which gives developers the easy convenience of performing everyday tasks from the command line.


Next was Max Yekaterynenko, head of community development, who had by now recovered from his defeat in table soccer to present about Magento 2 architecture. He was followed by Sergii Ivashchenko of the heralded TheIrishStore.com, who talked about how to make the most of crons, cache, and indexers in Magento 2.

Hanna and Jonas then returned to the stage to close the event, giving everyone a welcome chance to rub elbows with other attendees while sampling some local craft beers and delicious Nordic cuisine.

I can’t close without giving a shoutout to our host Henrik Silver. A mentalist and mind reader, his charisma and ability showed us that magic is not dead and not only for kids. During dinner, he left us speechless and blew away our mortal minds.

Finally, a warm thank you to all the attendees and sponsors, especially to Nordic Web Team for organizing this event. I enjoyed my time in Stockholm and am eager to come back for Meet Magento Sweden 2018 – now off to Italy for MageTitans IT in Milan on June 9!


Does It Really Matter Where You Host WordPress? – A Response

The first thing a prospective WordPress site owner has to decide is where to host their site. There is plenty of advice on the web about how to choose a hosting provider for WordPress. As you might expect, some of that advice is accurate and worth reading, and some of it is so misleading it should never have been published.

Entrepreneur Cam Secore recently published an article on Business2Community that asks whether it really matters which web hosting company you choose. After all, WordPress is a PHP web application and all it really needs is a standard LAMP stack — something every web host is capable of providing.

While Secore makes some good points, it’s worth responding in detail to a few of the less well-considered claims in his article.

Minimum Requirements

“The host needs to have at least PHP 5.2.4 installed and they must use MySQL 5 databases (the version numbers might change in the future) … If you are comparing hosts, then I can guarantee you that at least 9 out of 10 will match these minimum requirements, so that doesn’t help answer our question.”

Technically, this is correct. Those are the minimum versions of PHP and MySQL that WordPress will run on — although it won’t run well. The problem is this: PHP 5.2, 5.3, 5.4, and 5.5 are no longer supported by the PHP project, and PHP 5.6 is nearing the end of its life. No version of PHP older than 5.6 receives fixes for any security vulnerabilities that are discovered, and in the years since older versions of PHP reached end-of-life status, there have been a lot of vulnerabilities.

It would be a very bad idea to host a WordPress site on an unsupported version of PHP. No responsible web hosting company would host a new WordPress site on a version of PHP older than 5.6. It should not inspire confidence if a web hosting provider is incapable of providing a modern software stack.

The situation is similar with MySQL: all versions of MySQL older than 5.6 are not supported and should not be used.

WordPress.org advises that all WordPress hosts support at least PHP 7 and MySQL 5.6.

Resources And Performance

“The CMS just needs 4MB of space, and even active blogs (dozens or hundreds of 1,000-word posts) will just need about 50MB to 100MB of disk space. While unlimited disk space is vague, you can usually expect to get 1GB or more (usually more), which makes this more than enough.”

Secore makes some interesting claims here. When downloaded and uncompressed, WordPress takes up about 30 MB of disk space, and that’s before any themes, plugins, content, or the database are added. It’s safe to say that these figures are not accurate.

But of more importance than resources is performance. Secore is right to say that any old web host can provide a functional version of WordPress with sufficient resources to serve a few dozen pages a day, albeit slowly. They’ll cram hundreds of sites onto a low-end dedicated server and charge peanuts.

But any blogger, business, or eCommerce merchant who cares about performance isn’t going to settle for that. Consistent low-latency delivery of web pages from hosting that won’t fall over when traffic spikes into triple-digits is vital to providing a positive experience for web users — and that takes care, technical expertise, and a commitment to building the best possible hosting platform for the application.

Support

Secore doesn’t address support, but for many WordPress hosting clients it’s the most important differentiating factor between a capable web host and a great web host. Low-grade web hosts can’t afford to support their clients beyond the absolute minimum. A responsive and experienced support team can make a huge difference to the WordPress hosting experience and to the success of a WordPress-based business.

Conclusion

“So, does it really matter which host you use? Kind of, but not as much as you would think. While you need a host that will meet the minimum requirements, this describes most modern hosts.”

We’re confident that Hostdedi’s clients know differently. If you’re looking for WordPress hosting, find a provider who can give you an up-to-date, performance-optimized, and secure software and hardware environment and who will support you as you build your site and as it grows.


OneLogin Breach Could Put WordPress Single Sign-On Users At Risk

OneLogin, a popular single sign-on service, has announced that sensitive data was leaked from its infrastructure during an attack. OneLogin, which is used on many WordPress sites and Magento eCommerce stores, has confirmed that the leaked data could include user information, passwords, API keys, secure notes, and other data that could be used to compromise user accounts on other services.

If you use OneLogin with your WordPress site, you should have received an email from the company with advice about how to mitigate the risk. If you haven’t received an email, you should log into your OneLogin account for further details or take a look at this post on WordFence, which details some of the lengthy list of mitigation steps that OneLogin advises site owners to implement.

OneLogin is a single sign-on provider. SSO allows a user to log in to many services with the same ID and password. The most visible manifestation of a single sign-on service is Facebook’s social login, which allows people with a Facebook account to log in to thousands of sites and eCommerce stores using their Facebook account.

As you might imagine, to make single sign-on work, the service provider needs to store some data that, if leaked, would be very bad news for anyone using the service. Towards the end of last month, an attacker got hold of AWS keys for one of OneLogin’s US regions. The attacker used those credentials to access servers in the region. OneLogin didn’t notice the breach for seven hours, which is more than enough time to exfiltrate a lot of damaging information.

Security best practices mandate that sensitive data is kept encrypted while at rest on the server. The data stolen from OneLogin was encrypted, but according to the company’s announcement, the attacker also compromised “the ability to decrypt encrypted data.”

The compromise of OneLogin secure notes is particularly worrying, because they’re often used by server administrators to store sensitive network passwords.

If you use OneLogin’s WordPress Single Sign-On plugin on your site, you should immediately follow the mitigation guide provided by OneLogin to reduce the likelihood that your site and any associated servers will also be compromised.

May’s breach was the second in the last year. In August 2016, the company was forced to warn customers that their secure notes may have been compromised.

Although OneLogin is particularly suited to larger enterprise organizations, it’s not the only provider of a WordPress-compatible single sign-on service. Depending on your needs, you might want to take a look at the single sign-on service included in the Jetpack plugin collection, which allows WordPress users to sign in to self-hosted WordPress sites with their WordPress.com credentials.

SAML Single Sign On by miniOrange is closer to OneLogin in functionality, and is compatible with a wide range of single sign-on Identity Providers, including Google Apps, Azure, Okta, and Salesforce.


Customer Spotlight: Love and Lavender

Talk to anyone starting a blog and I bet most people have a dream that their blog turns into a business. And they hope their business will allow them to work anywhere and live all over the world. The lucky few are the ones who get to make it work: to own a thriving business and to pack their bags and just go.

Andrew and his wife, Meredith, are currently living that dream. I recently had the chance to speak with Andrew from his home in Ireland about their business, Love and Lavender. I also chatted about how he and his wife were able to capitalize on each of their skill sets and have huge success with their online business. Andrew’s background is in the Canadian national police force, but he is also a self-taught coder. His wife had an online veil business. When they had the opportunity to expand with Love and Lavender, they jumped all in and haven’t looked back.

They are now living in Ireland and doing a lot of traveling. Andrew has extensive knowledge of business practices and online marketing and they write many content articles to make sure their site is at top performance. They truly love being able to work on their business from anywhere in the world.

As I was looking at their website I even made a purchase for my friend’s wedding! Their advice is top notch and they really seem to have their finger on the pulse of the wedding industry.

If you thought that owning one site wasn’t keeping them busy enough, they also run Classic Veils and Groom Ties to complete their wedding industry offerings. Andrew even gave a teaser that he might be willing to take on client work building websites. And if you look at the three he has created for his own company, you can see why!

All three of these business websites are easy to navigate even though there is a ton of information to dig through. The pictures are perfectly matched to the subject materials and with all of this the design is still streamlined and modern.

When asked about Hostdedi and using Managed WordPress, Andrew said, “We are not moving anytime soon.”

Andrew loves the ease of managing all of his businesses in one easy-to-use Managed WordPress portal. He says, “as an online business owner, not having to worry about downtime of my WordPress site is one reason I switched to Hostdedi.”

He continued, “and of course, their friendly support team have always been extremely quick to solve any issues. It certainly gives me peace of mind to know I am in skilled technical hands.”


WordPress Security Basics: What Is An SQL Injection Attack?

WordPress, along with most other content management systems, uses a database to store state. State is the things the content management system knows about, including the content and its organization, and user data. There are many different types of database, but WordPress uses one of the most popular open source SQL-based databases, MySQL.

SQL is a language used to build a database’s tables, to put data in them, and to get data out. It looks like this:

INSERT INTO cities VALUES (13, 'Phoenix', 'AZ', 33, 112);

You can think of the current state of a database as the totality of every SQL query it has run. In fact, when you backup an SQL database, that’s what you get: a dump of the SQL required to transform a new and empty database into the backed-up database (plus some other data).

As you can imagine, it’s important to make sure only authenticated people and programs are allowed to make queries to a WordPress site’s database. If an attacker can send SQL to the database, they can delete, create, or modify data — and that data is WordPress’s view of its world.

For example, we want only a few trusted people to have admin permissions on our WordPress site. We tell WordPress who those people are and WordPress puts their details in the database. If an unauthorized person can tell the database, via an SQL query, to create a new admin user with a password of their choosing, they can take over the site.

Of course, there are many safeguards in place to stop this happening. The database will ignore requests from unauthorized sources. But the content management system needs to be able to make changes to the database.

WordPress stands between the user and the database. Authorized users interact with WordPress, and WordPress sends information to the database. Users never send requests directly to the database.

However, sometimes developers make mistakes. Imagine a developer creates an input box on a WordPress site so that users can enter their email, which is sent to the database to be stored. The only thing the input box should allow to be sent to the database is a valid email address. But a malicious user might try to use the input box to send something different, like an SQL query.

The vast majority of the time, input like that is rejected by validation (in the browser and, more importantly, on the server, since browser-side checks are easily bypassed) and made safe by escaping, sanitization, and parameterized queries. If the attacker is very lucky, the developer may have made a mistake, allowing the SQL to be sent directly to the database, which is definitely not something we want to happen.

SQL injection vulnerabilities are rare, but serious. From the perspective of the average WordPress user, the best way to avoid SQL injection attacks is to only install themes and plugins from trusted sources, and ensure that the WordPress site and its plugins are regularly updated — updating will fix any SQL injection vulnerabilities that have been discovered and reported to WordPress and plugin developers.
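The developer mistake described above, and the safe alternative, side by side. This is an added example and not code from the article: it uses Python with an in-memory SQLite table standing in for the WordPress MySQL database, and all rows and inputs are constructed for the demonstration. The WordPress equivalent of the parameter binding shown here is $wpdb->prepare(); the principle is the same: the value travels to the database separately from the SQL text, so it can never be parsed as part of the query.

```python
import re
import sqlite3

# Constructed sample data standing in for a WordPress users table
# (assumption: SQLite in memory instead of the MySQL backend WordPress uses).
SAMPLE_USERS = [
    (1, "admin@example.com", "administrator"),
    (2, "editor@example.com", "editor"),
    (3, "o'brien@example.com", "subscriber"),
]

# Deliberately simple email format check; it belongs on the server, not only in the browser.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_role_unsafe(conn, email):
    """The developer mistake from the article: the user's input is pasted into the SQL text."""
    sql = f"SELECT id, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_role_safe(conn, email):
    """Validate on the server, then bind the value as a parameter so the driver never parses it as SQL."""
    if not EMAIL_RE.match(email):
        raise ValueError("not an email address")
    return conn.execute("SELECT id, role FROM users WHERE email = ?", (email,)).fetchall()


def demo():
    """Run both versions against ordinary and hostile input and report what each did."""
    conn = make_db()
    results = {}

    # 1. A legitimate address that happens to contain an apostrophe.
    results["safe_apostrophe"] = find_role_safe(conn, "o'brien@example.com")
    try:
        find_role_unsafe(conn, "o'brien@example.com")
        results["unsafe_apostrophe"] = "ran"
    except sqlite3.OperationalError:
        # The apostrophe ended the string literal early: the data is being read as SQL.
        results["unsafe_apostrophe"] = "sql syntax error"

    # 2. A constructed input that carries SQL syntax instead of an address.
    hostile = "nobody@example.com' OR '1'='1"
    results["unsafe_hostile_rows"] = len(find_role_unsafe(conn, hostile))  # every row comes back
    try:
        find_role_safe(conn, hostile)
        results["safe_hostile"] = "ran"
    except ValueError:
        results["safe_hostile"] = "rejected by validation"

    # 3. A value that passes the format check but still contains a quote:
    #    parameter binding, not validation, is what keeps it harmless.
    results["safe_quoted_valid"] = find_role_safe(conn, "x@example.com'--")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The third case is the one worth remembering: format validation alone lets a quote through, and only the parameterized query guarantees that the database treats the input as data. Updating plugins matters because fixes for injection bugs are almost always a move from the first function to the second.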


Customer Spotlight: The Travel Yogi

Imagine you are on a trip of a lifetime, maybe a safari in Kenya where you are guided along in a private vehicle while exploring an elephant orphanage. Island hopping in the Galapagos, swimming with turtles, spotting iguanas and blue-footed boobies (yes, they really exist). Or even meandering through the countryside of France sampling local wines with 12th-century buildings as your beautiful and historical background.

Now, imagine not having to plan any of these trips. All of these once in a lifetime experiences are at your relaxed fingertips with Jen Hoddevik, The Travel Yogi, at the helm.

She has created 12 unique retreats in 12 incredible destinations. Each retreat is perfectly crafted for the region, and Jen says she really makes sure that her groups are experiencing the culture, not just staying at a resort.

If you noticed the name, The Travel Yogi, then you might be wondering if these trips have anything to do with yoga. The answer to that is yes.

At the beginning of her business, Jen says her retreats were all about the yoga. She really wanted to make the yoga practice the cornerstone of the retreats. Over time it has evolved into amazing experiences that involve yoga, but a lot of other terrific things as well.

What she really likes about the groups who choose to travel with The Travel Yogi is they are all like-minded in one regard. They might range from beginner yogis to experts, but they all have one desire: to experience an adventure together.

When Jen and I spoke we talked a little about Hostdedi and our Managed WordPress, and mostly she doesn’t have to think about her hosting. Her site works perfectly and it loads quickly. She is really happy she found Hostdedi and can’t imagine trusting her business anywhere else.


WordPress Health Checks: Keeping Your WordPress Site In Shape

WordPress sites constantly evolve as new content is published, new pages are created, and plugins and themes are installed or removed. Most of the time, those changes are for the good and don’t cause any problems for the health of the site.

But WordPress is a complicated piece of software, and, as with any complex system, it’s hard to predict how the parts interact. Any modification can cause a regression, a change for the worse. That’s why I like to run through regular health checks on any WordPress site I’m managing.

If something is wrong, I want to know about it sooner rather than later, so it’s not enough to deploy a site that works wonderfully and leave it at that. Every month or so, I run a series of tests to reassure myself that all is as it should be.

Performance

Site performance can be affected by any number of factors. Perhaps a new plugin interacts badly with existing functionality, introducing latencies to page load times. Maybe a CDN the site relies on to load JavaScript libraries isn’t as quick as it once was.

I use Pingdom Tools to perform a comprehensive scan of the site’s performance from various locations around the world. Pingdom provides the information I need to identify performance regressions and their likely cause.

Security

Last year, a security researcher published a list of eCommerce stores infected with credit card swiper malware capable of capturing card numbers and sending them to criminals.

Many of the stores had been infected for months.

It’s impossible to be completely certain that your WordPress site hasn’t been infected with malware or otherwise compromised. Prevention is better than cure, but if preventative measures have failed, I want to know about it as soon as possible.

There are several WordPress malware scanners available, but Sucuri’s free SiteCheck does the job quickly and well.

Links

Links have a tendency to break and 404 errors are a common occurrence on sites that change frequently. They’re bad for both user experience and search engine optimization. I use the excellent Broken Link Checker plugin to scan for broken links so I can repair or redirect them.

Backups

I’m going to assume everyone reading this article makes regular backups of their WordPress site and keeps those backups for an appropriate amount of time.

But going through the motions of keeping a backup isn’t enough. Site owners should also verify that backups are actually being made and that they’re viable. There’s nothing quite so frustrating as trying to restore a site from an earlier backup only to find it empty, corrupt, or otherwise useless.

To check backups, I do a full restore of a recent backup on a brand new WordPress installation. It’s possible to do this manually or with your existing backup plugin. It’s not really important how you check backups, but not checking them can lead to nasty surprises.
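A trial restore into a fresh installation, as described above, is the real test. The cheap first gate that catches the "empty, corrupt, or otherwise useless" cases before you spend time restoring is a structural check of the newest dump file. The following is an added example, not a tool from the article or from any backup plugin: it assumes a mysqldump-style SQL file and the default wp_ table prefix, and the two dump files it checks are constructed inline for the demonstration.

```python
import os
import re
import tempfile
import time

# Assumption: a WordPress install with the default "wp_" table prefix; adjust for your site.
REQUIRED_TABLES = ("wp_options", "wp_posts", "wp_users", "wp_usermeta")
CREATE_TABLE_RE = re.compile(r"CREATE TABLE\s+`?(\w+)`?", re.IGNORECASE)
# mysqldump writes this footer as its last line; a dump that stops early never reaches it.
END_MARKER_RE = re.compile(r"^-- Dump completed on", re.MULTILINE)

# Constructed sample dumps (abbreviated column lists; not a real site's data).
GOOD_DUMP = """-- MySQL dump 10.13  Distrib 5.7.18, for Linux (x86_64)
-- Host: localhost    Database: wordpress
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL, `option_name` varchar(191), `option_value` longtext);
INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.com');
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL, `post_title` text);
CREATE TABLE `wp_users` (`ID` bigint(20) NOT NULL, `user_login` varchar(60));
CREATE TABLE `wp_usermeta` (`umeta_id` bigint(20) NOT NULL, `meta_key` varchar(255));
-- Dump completed on 2017-06-01  2:00:15
"""
# Same dump cut off part way through, as happens when a backup job is killed or the disk fills up.
TRUNCATED_DUMP = GOOD_DUMP.split("CREATE TABLE `wp_usermeta`")[0]


def check_dump_text(text, required=REQUIRED_TABLES):
    """Return a list of problems found in the dump text; an empty list means it looks viable."""
    if not text.strip():
        return ["dump is empty"]
    problems = []
    found = set(CREATE_TABLE_RE.findall(text))
    for table in required:
        if table not in found:
            problems.append(f"missing table: {table}")
    if not END_MARKER_RE.search(text):
        problems.append("no 'Dump completed' footer: dump may be truncated")
    return problems


def check_dump_file(path, max_age_hours=36, required=REQUIRED_TABLES, now=None):
    """Check that the backup file exists, is recent, is non-empty and is structurally complete."""
    now = time.time() if now is None else now
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"backup file not found: {path}"]
    problems = []
    age_hours = (now - st.st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"backup is {age_hours:.1f} h old (limit {max_age_hours} h): is the job still running?")
    if st.st_size == 0:
        problems.append("backup file is zero bytes")
    with open(path, encoding="utf-8", errors="replace") as fh:
        problems.extend(check_dump_text(fh.read(), required))
    return problems


def demo():
    """Write the constructed dumps to temporary files and check them the way a monthly health check would."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "site-backup.sql")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(GOOD_DUMP)
        out["good"] = check_dump_file(good)

        stale = os.path.join(tmp, "stale-backup.sql")
        with open(stale, "w", encoding="utf-8") as fh:
            fh.write(GOOD_DUMP)
        five_days_ago = time.time() - 5 * 86400
        os.utime(stale, (five_days_ago, five_days_ago))  # pretend the job last ran five days ago
        out["stale"] = check_dump_file(stale)

        out["truncated"] = check_dump_text(TRUNCATED_DUMP)
        out["empty"] = check_dump_text("")
    return out


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```

Run it from cron against the newest file in your backup directory and alert on a non-empty result; a backup that is silently stale or truncated is exactly the "nasty surprise" the article warns about, and this catches it long before the restore you eventually need.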

Altogether, running through these steps takes no more than half an hour, and I find the peace of mind well worth the time invested.


Customer Spotlight: Kim Doyal

One of the things I love the very most about running an online business is the possibilities. You can basically dream up any idea and turn it into a business. A real money-making business, all on the internet.

What is more difficult is taking a business that provides your living, deciding it just doesn’t make you happy, and then changing it. Pivoting in business is imperative, especially on the web. Customers, technology, and your own ideas can shift quickly, leaving you in the lurch.

The special finesse needed to pivot from one successful business to another is hard to come by.

It is a finesse possessed by someone who would come up with a movement called #FtheHustle. She is wide open, honest, and vulnerable, and sharing her stories of struggle and success has helped build her audience.

Kim Doyal of TheWPChick.com has reinvented herself a few times in her lifetime. She has successfully shifted her business from building sites to being a digital marketing expert.

She tells me this shift happened when she just focused on being herself and let her personality shine. She started her podcast in 2014 and by focusing on what made her unique and the relationships she made, her business changed and her happiness improved.

By simplifying her business and focusing on what she knew best she released a membership on content marketing and with a partner is launching a web app for lead generation, called LeadSurveys.

She found her strategic partner through her podcast. He reached out to her after listening to her and they came up with a way to use surveys and a little bit of conditional logic that will help target specific customer desires.

LeadSurveys is a simple and clear way to use personalized marketing.

Kim has even seen a lot of success with live-streaming. A great example of her success with live-streaming and video: she recently did a live stream in the pool. In one month she did three live stream videos and more than doubled her podcast downloads. In one month!

The only thing that was different was the live-streaming.

The engagement that she gets through her Content Creators Facebook group really brings a lot of satisfaction to her work. She loves hearing stories from the community she has created and continues to help people grow their own online personas.

Her own personal call to action has become, “keep doing business as only you can do.” She just shows up every day and uses her own voice to connect to her audience. Kim believes being herself is the only thing that sets her apart from others who do the exact same thing.

Ultimately what makes you relatable? Kim thinks, “you only gain clarity through doing.” She says no one ever sees your failures, so just keep showing up and you will find your knowledge value that you can share.

Kim talks to a lot of people in the WordPress industry and in a lot of cases people feel like hosting is the “necessary evil,” but she says she cares enough about her business to put it on good hosting.

That is why she chose Hostdedi. When you rely on a website for your livelihood, you must choose a hosting company that will be a partner.


WordPress’s Gutenberg Editor Is Now Available As A Plugin

Following several months of development, WordPress’s forthcoming new editor — named Gutenberg for the inventor of the printing press — is available as a plugin.

The plugin is still being developed and is nowhere near finished. WordPress hosting clients should not install Gutenberg on their production sites, because it’s likely to break things. That said, Gutenberg is well worth taking a look at if you’re interested in the future of WordPress. Anyone who spends a lot of time in the WordPress editor is going to experience substantial changes to their writing workflows when Gutenberg is rolled into WordPress Core.

If you do take Gutenberg out for a spin, its development team are eager to hear about any bugs you find. You can report bugs on the project’s GitHub page.

Gutenberg has come a long way since we last wrote about it in February, and it’s worth spending some time thinking about the motivation behind the new editing experience and the problems Gutenberg is intended to solve.

As a writer, the writing and editing experience is important to me. If I wanted to, I could write everything in HTML, but burying the content in a forest of formatting and structuring markup isn’t ideal. The current WordPress editor offers an abstraction on top of the HTML approach, allowing writers to interact more naturally with their text while also providing much needed functionality like embeds, dividers, and other features that writing on the web makes necessary.

But although WordPress offers a good enough editing interface today, there’s room for improvement. Most of the features WordPress makes available to writers aren’t easy to find — they’re not discoverable, in designer parlance. Using them takes writers out of the flow of their work to research shortcodes or futz around with formatting.

Gutenberg is intended to make it easy to both write and format a page in complex ways without having to reach for fragile shortcodes. With a few clicks and a bit of typing, it’s possible to create web pages that look like this.

The major change is from linear editing to a block-based experience. The page is divided into blocks, and each block has its own formatting options, controls, and positions on the screen. Making changes to a block is as simple as clicking in the block and editing it. Naturally, plugins will be able to add more blocks in the future.

One of the basic principles of web design insists that content should be kept separate from presentation, because it’s better to be able to control each independently. As a writer, I often choose to write in Markdown because I want to spend the least possible time messing around with formatting, leaving me free to focus on the message I want to communicate to readers.

Gutenberg mixes presentation and content, but it does so in a way that doesn’t impose much of a cognitive burden on writers. It also makes the WordPress editing experience intuitive to people who have grown up with WYSIWYG environments. We’re probably a few months away from Gutenberg being integrated into WordPress Core, but I for one am looking forward to being able to build beautiful layouts without shortcodes in an elegant modern editing environment.
