Blogs

Ultimate Member WordPress plugin issued a patch for three critical and severe exploits that grant attackers total control of a site. Today it was announced that “critical and severe vulnerabilities” affect a WordPress community building plugin called, Ultimate Member was patched. This vulnerability is easy to exploit and gives the attacker administrator level access, meaning they can do whatever they want to the site. This is how Wordfence describes the seriousness of this exploit: “This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.” Ultimate Member WordPress Plugin The Ultimate Member WordPress plugin is a form of community building plugin that allows a WordPress publisher to allow readers to become members who can receive various levels of access as well as interact with each other socially. It’s a solution that can also be used to restrict access to the content to registered users only and to grant various levels of membership privileges, like publishing to the site. Ultimate Member Vulnerability There are three exploitable vectors in the plugin and all three are privilege escalation exploits. A privilege escalation exploit is when an attacker can increase their user privilege. For example, if someone is registered with a site as a subscriber they can do things like read articles and comment on them. But with a an exploit they can elevate their site privileges from subscriber to an administrator level and thus grant themselves the ability to do whatever they want with the site. An authenticated privilege escalation exploit is when someone needs to have some kind of authentication, like a subscriber role. With an Unauthenticated Privilege Escalation exploit, a person doesn’t even have to be a registered user. The exploit affect the Ultimate Member plugin involved two unauthenticated exploits and one authenticated exploit. The Authenticated Privilege Escalation exploit allows a registered user to upgrade their privileges. The Unauthenticated Privilege Escalation exploit allows an attacker to use the registration form as an attack vector. These exploits are serious, rated critical and severe. Here’s how WordFence describes it: “…this vulnerability is considered critical as it allows originally unauthenticated users to escalate their privileges with some conditions. Once an attacker has elevated access to a WordPress site, they can potentially take over the entire and further infect the site with malware.” Update Immediately Don’t let Click Fraud take advantage of youStart a free trial with Clickcease and experience GoogleAds marketing in a fraud-free environment.

Tips on how to protect a WordPress site from getting hacked, including recommended security plugins. WordPress is a frequent target for hacking. Hackers are targeting the theme, the core WordPress files, plugins and even the login page. These are the steps to take to make it less likely to be hacked and to be able to recover easier if it should still happen. How Hackers Attack WordPress All sites on the web are under constant attack, whether it’s a phpBB forum or a WordPress site, all sites are being probed by hackers. It’s not unusual for a hacker to scan thousands of pages or try to login in hundreds of times a day. And that’s just one hacker. Sites are under attack by several hackers at the same time. Typically it’s not a person who is trying to hack you. Hackers employ automated software to crawl the web to probe for specific weaknesses in website. These automated software programs crawling the web are called bots. I call them hacker bots in order to distinguish them from scraper bots (software that is trying to copy content). Protect Your WordPress Site with a Firewall A firewall is a software program that blocks an intruder. In my opinion, the best WordPress firewall is a plugin called Wordfence. What Wordfence does is to check if a website visitor’s behavior matches that of an abusive bot. If the bot breaks certain rules, like asking for too many web pages in a short amount of time, Wordfence will then automatically block the bot. Wordfence is also programmed to allow legitimate bots like Google and Bing on the site. There are advanced features that let a publisher see what bots are attacking a site and to view where the bot is coming from, like if it’s bad bot coming from Amazon Web Services or Bluehost for example and then give you the ability to block the bot by their IP address, the entire IP address range or even by the fake user agent that the bot is using. Some bots pretend to be a person on Windows XP. So you can actually block all visitors with a user agent that displays Windows XP and stop those bots automatically. With one rule that a publisher creates with Wordfence, they can block thousands of hackers. Wordfence is a powerful tool on its own but some of the advanced features allows you to block even more hackers. And that’s with the free version of Wordfence. The paid version can block entire countries. So if you don’t have legitimate site visitors from certain countries, you can block every visitor that’s coming from those countries. Additionally, the paid version of Wordfence will protect you in advance from many compromised themes and plugins before those plugins are fixed. Once Wordfence researchers are aware of an exploit they will update their paid users to give them protection from those exploits, usually well before the exploit is patched by the compromised theme or plugin developer. Website Security Hardening Another free plugin that provides an additional layer of protection is called, Sucuri Security. Sucuri (owned by GoDaddy) helps harden the WordPress security to block bad bots from taking advantage of certain kinds of attacks. It also has a malware scanning feature that checks all files to see if they’ve been altered. Sucuri will alert you every time someone logs into your site, helping publishers to identify if a hacker is logging in. Sucuri can also alert a publisher if a file was changed, something that hackers do. These are the features of the free version of Sucuri: “Security Activity Auditing File Integrity Monitoring Remote Malware Scanning Blacklist Monitoring Effective Security Hardening Post-Hack Security Actions Security Notifications” The paid version of Sucuri includes a website firewall. Limit Logins to Your Site WordFence is able to block bots that are repeatedly filling in user names and passwords in the WordPress login page. But if you want to focus on limiting those logins, there is a plugin called, Limit Login Attempts Reloaded that allows publishers to automatically block all hackers who enter a set number of failed name and password combinations. For example, you can set it to block hackers after three attempts to guess the password. These are the features of the login blocker: “Limit the number of retry attempts when logging in (per each IP). This is fully customizable. Informs the user about the remaining retries or lockout time on the login page. Optional logging and optional email notification. It is possible to whitelist/blacklist IPs and Usernames. Sucuri Website Firewall compatibility. XMLRPC gateway protection. Woocommerce login page protection. Multi-site compatibility with extra MU settings. GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed). Custom IP origins support (Cloudflare, Sucuri, etc.)” The Limit Login Reloaded plugin provides a fast way to shut down hack bots that are trying to guess a password. Backup Your WordPress Site It is important to automatically create a daily backup of your website. Any catastrophic event that takes the site down can be recovered from with a backup. There are many backup solutions but the one that I have found to be immensely useful is called UpdraftPlus WordPress Backup Plugin. UpdraftPlus is trusted by over two million users, it’s a well regarded choice. It can be configured to email the backups every day or send them to a cloud storage location like Dropbox. I once accidentally removed all the theme layout files from a site, completely removed the look of the site. But I was able to restore the site to exactly how it was before by using an UpdraftPlus backup. It was easy to do and I was so thankful. Update all Themes and Plugins It’s important to always update all themes and plugins. WordPress provides a way to update all plugins automatically, which is convenient for publishers or businesses who don’t log in and do updates often. By enabling the autoupdate feature a publisher can be

Install WordPress Theme Using FTP Client Filezilla We can modify our WordPress site’s appearance and layout using WordPress themes. WordPress theme is a collection of templates and stylesheets used to define the appearance and display of a WordPress powered website. WordPress theme changes the look of our WordPress sites in an elegant way without changing the core functionalities of the site. Most WordPress Themes provide: The overall design and style of our site. Font styling. Colors. Widget locations. Page layouts. Styles for blog posts and blog archives. Additional stylistic details. There are several free and paid WordPress Themes available. You can download themes from the WordPress Theme Directory, those themes are checked and inspected, and are free for downloading or you can download the themes from third-party websites which offer free or paid WordPress themes. You can also download themes which are not available on WordPress Theme Directory from the third-party websites which offer free or paid themes and you can install the downloaded theme using Filezilla, an FTP client. The steps to installing a WordPress theme using Filezilla are listed below: Before installing a theme which is downloaded from a third-party site, consider the following: Evaluate whether you really trust the theme provider. Check out the reviews of the theme and the specific theme provider. Make sure the file is truly a .ZIP file once it’s downloaded. The prerequisites for this method are a .ZIP WordPress theme file, FTP hostname, username, password, and Filezilla. 1) Unzip the downloaded .ZIP theme in your local system. 2) Open Filezilla and enter the host, username, and password then click “Quickconnect”. 3) Select the target directory, “wp-content/themes,” on your web server in the right pane. 4) In the local site (left pane), locate the folder where you saved the theme. In this tutorial, we will use the hitchcock theme saved in the desktop. Then right-click on the “hitchcock” folder in the local site and click “Upload” 5) Now you have just uploaded the new theme in WordPress. Login to WordPress dashboard to make the theme in use. Then Go to Appearance > Themes. 6) You can see the uploaded theme was listed in your WordPress dashboard. 7) To activate the new theme, move the mouse pointer to the Hitchcock theme. The Activate and Live Preview button will appear. Click “Activate”. 8) Go to your WordPress site and see the newly activated theme.   If you need any further assistance please contact our support department.