Category Archives: Security

WordPress Security Tip: Update Regularly

Just because we look healthy doesn’t mean we are. Someone who looks to be in perfect physical condition can have a number of ‘invisible’ diseases or conditions. Likewise (bear with me for a tree-falling-in-the-forest analogy for a moment), just because nobody sees the dust on the top shelf doesn’t mean it’s not there (as much as I wish that weren’t true)! The same can be said for a website. Just because it looks good on the front end doesn’t mean it is healthy or ‘dust-free’ on the back end. (Who wants a dusty back end, anyway?!)

Question: My website is working perfectly, and I can’t see any problems when I look at it, so why should I concern myself with available updates?

Updates are sometimes released because they add new features, but they are often released because a vulnerability was discovered in the code. Often that vulnerability is a security hole that has already been exploited by some mad genius and his team. As technology evolves, the methods to implement and exploit that technology evolve with it. Maintaining a website is like owning the horse in the lead at the races – followed by hackers and evil geniuses just a neck behind. To stay in the lead, you have to keep your website on its “A” game, always.

Conveniently, when you create a site with TrekVisual, we take care of the tedious updating stuff for you. You’ll not have to worry about having the latest release of anything, because we’re on top of it for you, so you can do the other important stuff, like running your business. Learn more about how our website monthly plan can make it a breeze to keep your site healthy.

Whether it’s your WordPress version, your PHP version or a plugin, you need to be sure your system is kept up to date, or you’re potentially a sitting duck. Don’t have time? Hire someone to do it for you, because the costs for not doing this will eventually catch up with you, and will end up costing more than paying for regular updates in time, money and frustration.

If there’s an update, there’s a reason. Update. Every time.

WordPress Security Tip: Don’t Install THAT Plugin!

One of the many ways you can contribute to the safety of your website is by refraining from installing that plugin – you know, the one that does that neat little thing you need it to do, but might have been developed in 1983? Just say no.

When we took a cruise this past spring, the toilet lid had a sign that asked ‘You want to flush WHAT?’ The little sign went on to explain how your thing-that-doesn’t-belong-in-a-flushing-toilet could stop up toilets for many people on the ship, including yourself…and toilet-less vacations do not make for a happy situation. (Only *I* could possibly create an analogy between flushing and website security.) That reminded me of how a ‘simple little plugin’ could cause damage on a much larger scale than might seem possible.

Just like in any profession, there are many levels of expertise in the world of PHP and WordPress developers. Even a plugin by a well-meaning developer can cause major harm to a website if it’s written badly, uses outdated methods, has security holes, or all of the above, exposing your website to attack. It seems so small, so innocent, this nifty little plugin. It just does this one cool thing – how could it hurt? Believe me, just like a little virtual q-tip, one bad little plugin – harmless as it might seem – can quickly give you the ‘wish I hadn’t done that’ feeling. Not only can it break your website and make it behave badly like curly hair on a rainy day, it can leave your website open to security issues. Did I forget to mention it can also make your webmaster a little richer? Yeah, that too.

TrekVisual website plugins have either been built by us, or have been purchased from reputable sources that we’ve worked with and trusted our business to for years. You won’t have to worry about finding plugins that are safe, because we take care of all that niggly stuff for you. (I decided today I love the word ‘niggly’ – it’s so much fun to say). If the plugin isn’t built by us, the TrekVisual team carefully evaluates plugins sourced from other companies, long before we make them available to you. We kick the virtual tires, if you will, so you can just enjoy the ride. If you’re building a custom website with us and will be using our website monthly plan, we’ve got you covered. You won’t have to worry about unsafe plugins.

How do you know if a Plugin is safe? That’s a difficult question to answer, in a way that would be helpful to someone who’s not a coder. The short answer is, you don’t.

You might expect a plugin listed in the WordPress repository to be safe. You might expect a plugin you have to pay for to be safe. You might expect a plugin that’s been around for a long time and has a lot of great reviews to be safe. None of the above is always going to be the case.

There was a very popular script (called “TimThumb”) a number of years ago. A security hole was found and exploited, causing major havoc in the industry. The script was SO widely used by WordPress users that the attacks on that vulnerability caused many people to question the security of building WordPress websites. The script itself was by no means malicious, but a vulnerability was found and taken advantage of by hackers, making the script a major security risk to anyone who used it. Though it had a long history and a solid reputation, one vulnerability made it insecure.

Soon I’ll be writing about our favorite plugins here in the TrekVisual blog, so stay tuned for more!

Website Security – Are Free WordPress Themes Safe?

TrekVisual

You found a great WordPress theme, and it’s free! Hey, ‘free is for me’, right? Well, before you make the leap and install that theme, beware of the potential security risks. One of the most requested services I get from new clients is helping them with a hacked website, which quite often was the result of using a free theme for their WordPress site.

This is probably the biggest and most common website security breach of all time. It also happens to be the easiest website security mistake to make. There are tons of free themes out there you can download and install for your website. Most if not all of them come bundled with scripts and functions already written and set up. They’re advertised as ‘plug and play’. All you have to do is upload and you have an instant website (soooo not true, as I explain in the article “plug-and-play nightmare of ready-made ‘theme templates’”).

Free WordPress themes are often built by novice theme developers who are still learning. Their intentions may be pure, but the poor coding practices they use in building a theme can leave your website vulnerable to security holes. Free WordPress themes are not usually kept current, either, so many begin to break down over time because of incompatibility with newer WordPress and plugin versions. Even free themes created by the most well-intentioned developer can pose problems with compatibility and security.

The authors of free themes are likely going to want you to keep a link to their website at the bottom of your website. Often this is done with base64-encoded code, so the link doesn’t show up when you read the theme files. This encoded code ensures that your website gives them a back link to build their own reputation. Unfortunately, search engines also penalize sites that link to poorly rated websites, or to websites that have been identified as using black-hat SEO strategies. That means that if you use a free theme with a link back to the free theme author’s website (even if you don’t know it because it’s not visible on the screen), your website can be heavily penalized for it. That feels pretty wrong, doesn’t it?

Base64 is also an encoding that is often used to hide malicious code injected into a website. While I’m not suggesting that all free themes have code that does sneaky things, I am saying some of them definitely do.
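To show what a scan for this kind of hidden code looks like, here is an added example (not TrekVisual’s code and not the Exploit Scanner plugin) that flags `base64_decode()` calls with literal arguments in a theme file, decodes them, and reports whether the decoded text is a hidden link or is run through `eval()`; the `footer.php` content is constructed inline for the demonstration.

```python
import base64
import re

# Constructed sample of a free theme's footer.php (not a real theme): a credit link
# is hidden behind eval(base64_decode(...)) so it cannot be read in the theme editor.
HIDDEN_LINK = b'echo "<a href=\\"http://theme-author.example/\\">Free theme by Example</a>";'
SAMPLE_FOOTER_PHP = (
    "<?php wp_footer(); ?>\n"
    "<?php eval(base64_decode('" + base64.b64encode(HIDDEN_LINK).decode() + "')); ?>\n"
    "</body></html>\n"
)

# base64_decode('...') with a quoted literal of at least 16 base64-alphabet characters.
BASE64_CALL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)")
# eval() wrapped directly around the decode: the decoded text is executed as PHP.
EVAL_WRAPPED = re.compile(r"eval\s*\(\s*base64_decode")


def decode_literal(literal: str):
    """Decode a base64 literal; return text, or None if it is not valid base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def scan_theme_file(path: str, source: str):
    """Return one finding per base64_decode() call with a literal argument."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in BASE64_CALL.finditer(line):
            decoded = decode_literal(match.group(1))
            reasons = []
            if EVAL_WRAPPED.search(line):
                reasons.append("eval() of decoded data")
            if decoded is not None and re.search(r"<a\s+[^>]*href", decoded, re.I):
                reasons.append("hidden link in decoded data")
            findings.append({"file": path, "line": lineno,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_theme_file("footer.php", SAMPLE_FOOTER_PHP):
        print(f"{finding['file']}:{finding['line']}: {', '.join(finding['reasons'])}")
        print("  decodes to:", finding["decoded"])
```

Not every hit is malicious (some legitimate code decodes base64 too), so each finding still needs a human to read the decoded text, which is also why Exploit Scanner's output can feel overwhelming.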

If you’re already running a free theme and want to check for possible exploits in the code, we like to use a plugin called “Exploit Scanner”, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming, and not every warning is an indication that you have malicious code. If you think you may have a problem, we can help.

I have met so many new clients who came in a panic because of a ‘free’ theme problem they were experiencing.

You’ve heard the old saying, “It’s not just what you say, it’s how you say it.” One could argue that what we do at TrekVisual isn’t unique, but how we do it is. TrekVisual has been creating stable websites using sound practices since 2003. We don’t compromise security for design – or design for security. I think you’ll agree that our websites are also probably a lot prettier than any free theme you’ll find out there. I know that in the end they will cost you much less in time, aggravation and money.