Tag Archives: wordpress

All About WordPress’ Protection: How Secure is WordPress?


As one of the most widely used website platforms in the world, WordPress is trusted by a great many people for many purposes; even so, many web developers still wonder whether WordPress is secure, since it certainly has its flaws too. Protecting the underlying core is the WordPress team's responsibility, but the security of your own site ultimately falls on your shoulders too.

Because WordPress is discussed so widely online, the weaknesses of the platform are widely known, which is why attackers can easily target WordPress websites. It is therefore important to understand how secure WordPress is. Let's look at the explanation below.

What You Need to Know About the WordPress Project and Security

Below are things that you may need to know, regarding the WordPress Project and what they are doing to maintain the security of the core.

The WordPress Security Team

The WordPress security team is responsible for identifying security risks in the core. Aside from that, they are also good at reviewing potential issues with the third-party-submitted themes or plugins and then making recommendations on how they can harden their tools or patch known breaches. They also work on their own to identify and resolve issues, even though they may need some other experts in the field sometimes.

How WordPress Identifies Security Risks

The security team's process for identifying and resolving security risks works as follows.

  • An issue can be identified by anyone, whether someone on the security team or from outside it. Non-project members can report a detected issue by emailing security@wordpress.org.
  • The report is logged and the security team acknowledges receipt of it.
  • To verify that the threat is valid, team members work together on a walled-off, private server.
  • They then track, test, and repair any security flaws found.
  • The security patch is added to the next minor WordPress release.
  • For less severe problems, WordPress notifies you within the WordPress dashboard when the automatic release occurs.
  • For more urgent issues, the release goes out immediately and WordPress.org announces it on the News page of the website.

Even though WordPress doesn’t always announce these security patches immediately, they will always take immediate action to resolve problems.

A Note about Automatic Updates

WordPress is able to push minor updates automatically to all websites, since version 3.7. In this way, the WordPress security team can get urgent patches out as timely as possible without having to wait for users to accept and make the update on each of their websites.

However, as a WordPress user, you can opt out of these automatic core updates. If you do, keep in mind that this may put your site at additional risk, especially if you don't have time to monitor all your sites constantly for the latest update.

WordPress Plugins and Themes Security

Even though it may sound impossible to manage the tens of thousands of plugins and themes out there, WordPress does keep a close eye on them to ensure nothing seriously insecure slips through the cracks.

When a security issue is detected, the WordPress Project is the team responsible for working with developers. Before that, however, a team of volunteers reviews each and every theme or plugin submitted to WordPress. This team is formed specifically to work with developers and ensure that best practices are followed.

Nevertheless, security vulnerabilities will always be found, which is why the security team needs to step in to:

  • Provide documentation for WordPress developers on plugin and theme development and security best practices.
  • Monitor plugins and themes for potential security flaws. Any issues detected will then be brought to the attention of the developer.
  • Remove harmful plugins or themes from the directory if the developers are unresponsive or uncooperative.

Later, when those security patches are available, WordPress will then notify its users via the WordPress admin.

OWASP’s Top 10

The Open Web Application Security Project (OWASP) Foundation was created back in 2001 with the purpose of protecting organizations from software that could potentially do harm. What you may be surprised to learn is that the WordPress Project aims to abide by OWASP's Top 10 at all times.

OWASP's Top 10 is a list of known and very serious security risks. Using the trends in that list, the WordPress security team defines its own top 10 list of ways to defend the core. Basically, their goal is to protect the core from the following risks:

  1. User account management abuse
  2. Unauthenticated access requests to the WordPress admin
  3. Unwanted or unauthorized redirects
  4. Exposing users’ private data
  5. Requests that exploit insecure direct object references
  6. Server misconfiguration
  7. Unauthorized code injection
  8. Cross-site scripting from unauthorized users
  9. Cross-site request forgeries whereby hackers misuse WordPress nonces
  10. Corrupted third-party plugins, themes, frameworks, libraries, etc.

Summary

Knowing that there is a dedicated team working that keeps the WordPress core secure at all times will surely let WordPress users feel at ease. Still, we have to do what we can do to secure it from every angle, since no matter how good the WordPress Project is at monitoring and securing the platform, hackers will find a way in.

Customizing the Error Page for Deactivated or Archived WordPress Sites

By default, when someone visits a site that has been deactivated, they see a pretty dull default screen informing them that the site has been suspended. The problem comes when you want to customize that screen or add some custom content. This article shows you exactly how to do that. First, a look at the options:

Suspending Sites in Your Network – the Options

Many web developers find the terminology around deleting and suspending sites in a network confusing, since it's not clear what each term means, and sometimes when you do one the system tells you that you've done another.

Below is a recap on the options for removing sites from your network.

Here's a detail of the Multisite Sites screen, which you access by going to My Sites > Network Admin > Sites:

You can find four options for removing the site:

  • Deactivate: this reverses the activation step that happens when a user signs up for a site. The site can be reactivated at any time, since it isn't permanently deleted, but neither the front end nor the site admin screens are accessible while it's deactivated.
  • Archive: marking a site as archived prevents visitors from accessing it. The admin screens can still be accessed but not the front end. You can archive a site at any time, and it isn't removed.
  • Mark as spam: the site is flagged as spam, not deleted. To make it available again, you can either unmark it as spam or delete it.
  • Delete: this removes the site, so be careful and make sure you are ready before deleting it.

The Default Screen for Suspended Sites

When a site is removed in one of these ways, WordPress shows a default screen. Below are the screens you will see in each scenario.

Deactivated Sites

If a site is deactivated and someone other than the (logged-in) network admin visits it, they see a default screen.

Archived Sites and Sites Marked as Spam

You'll get a different screen when a site is marked as spam or archived.

These screens are too basic and simple: there is not much information or explanation about what 'no longer available' or 'archived or suspended' means.

Creating a Page for Deactivated Sites

Creating a new page for displaying when someone visits a deactivated site is quite straightforward. You simply create a new file called blog-deleted.php and put it in your network’s wp-content folder. This file will then be used to display a custom page instead of the default page.

Note that this is in the network's wp-content folder, so the same file will be used for any site in your network that is deactivated. In other words, you have to create something generic, rather than something specific to one site in your network.

Because the page won't load your theme or call any plugins or additional files, the page you create has to stand alone. So you need to include any styling in that file, or call an external stylesheet that you put in a styles folder inside your wp-content folder.

Remember to include the <head> section and the opening and closing <body> tags, as these won't be coming in via your theme's header or footer files.

You can try this with a very simple file with all the styling included in it, with a completely blank file if you'd like, or by copying some of the content from your theme files. For example, copy the contents of your theme's header.php file, edit them down significantly, then manually add the rest of the markup.

Here's the content of the <head> section:

<?php
// blog-deleted.php: drop-in for displaying an error message on deactivated sites.
// WordPress loads this file from wp-content instead of its default notice.
?>
<!DOCTYPE html>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
<title><?php
    // Print the <title> tag based on what is being viewed, then add the site name.
    wp_title( '|', true, 'right' );
    bloginfo( 'name' );
?></title>
<style>
    .content {
        width: 500px;
        height: 500px;
        margin: 0 auto;
        background: #999;
        position: absolute;
        left: 50%;
        top: 50%;
        margin-left: -250px;
        margin-top: -250px;
        padding: 10px;
    }
    .content p {
        position: relative;
        top: 50%;
        transform: translateY(-50%);
        text-align: center;
        font-size: 18px;
        font-family: 'Helvetica Neue', Verdana, sans-serif;
    }
    a:link,
    a:visited {
        color: #fff;
        text-decoration: underline;
    }
    a:hover,
    a:active {
        color: #fff;
        text-decoration: none;
    }
</style>
</head>


The example above contains just some metadata and styling.

Now for the <body>:

<body <?php body_class(); ?>>
    <section class="content">
        <p><?php
            // Keep the URL out of the translatable string and escape it on output.
            printf(
                __( 'This blog has been deleted, sorry! To create your own site, please visit <a href="%s">The Main Network Site</a>.', 'compass' ),
                esc_url( network_site_url() )
            );
        ?></p>
    </section>
</body>


The code above is just a section element for the content, with a paragraph of translatable text inside it. If your network allows user sign-ups, you might want to include a link to the main site. If this site has been replaced, you might link to a different site instead, or to a page on your main site explaining your policy for deleting sites, or wherever else you want.

So, now the result will be like:

Isn't it pretty? Now you can add some different styling colors and maybe a headline. You can replace the default page for deleted sites with anything you want.

Creating a Page for Archived Sites

You can also create a custom page for sites that have been archived or marked as spam. Create another file in your wp-content folder, called blog-suspended.php, with the same code but slightly different text. Here's the code:

<?php
// blog-suspended.php: drop-in for displaying an error message on archived or spam sites.
// WordPress loads this file from wp-content instead of its default notice.
?>
<!DOCTYPE html>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>" />
<title><?php
    // Print the <title> tag based on what is being viewed, then add the site name.
    wp_title( '|', true, 'right' );
    bloginfo( 'name' );
?></title>
<style>
    .content {
        width: 500px;
        height: 500px;
        margin: 0 auto;
        background: #999;
        position: absolute;
        left: 50%;
        top: 50%;
        margin-left: -250px;
        margin-top: -250px;
        padding: 10px;
    }
    .content p {
        position: relative;
        top: 50%;
        transform: translateY(-50%);
        text-align: center;
        font-size: 18px;
        font-family: 'Helvetica Neue', Verdana, sans-serif;
    }
    a:link,
    a:visited {
        color: #fff;
        text-decoration: underline;
    }
    a:hover,
    a:active {
        color: #fff;
        text-decoration: none;
    }
</style>
</head>
<body <?php body_class(); ?>>
    <section class="content">
        <p><?php
            // Keep the URL out of the translatable string and escape it on output.
            printf(
                __( 'This blog has been suspended, sorry! To create your own site, please visit <a href="%s">The Main Network Site</a>.', 'compass' ),
                esc_url( network_site_url() )
            );
        ?></p>
    </section>
</body>


The page below is what you will get when you visit an archived site:


This way, visitors get more information and a link to the main site, which you can replace with whatever you want.

Hopefully, by following the steps above, you can quickly and easily replace the default pages for archived, suspended or deleted sites. As a result, visitors will get more information from the default screens which will give them a link to your main site. This will prevent users from just leaving your network entirely.
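As an added example that is not part of the original post, here is a hardened version of the blog-deleted.php drop-in. It assumes WordPress includes the file in place of its default notice after plugins are loaded but before the main query and theme exist, so it avoids query-dependent template tags such as wp_title() and body_class(); it also sends an explicit 410 status and no-cache headers, keeps the URL out of the translatable string, and escapes everything it outputs. The text domain 'compass' is kept from the original.

```php
<?php
/**
 * blog-deleted.php drop-in for wp-content/ (added example, not the original post's code).
 * Assumes WordPress includes it in place of its default "no longer available" notice
 * and that it runs before the main query exists, so no query-dependent template tags
 * (wp_title(), body_class()) are used. Save a copy as blog-suspended.php with
 * different wording for archived or spam sites.
 */

// Bail if the file is requested directly rather than included by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// The default notice answers with HTTP 410; do the same and keep the page out of caches.
status_header( 410 );
nocache_headers();
header( 'Content-Type: text/html; charset=' . get_bloginfo( 'charset' ) );

// Keep the translatable strings free of URLs; build the link separately, escaped.
$title   = __( 'This site is no longer available', 'compass' );
$message = __( 'This blog has been deleted, sorry!', 'compass' );
/* translators: %s: link to the main network site */
$cta     = __( 'To create your own site, please visit %s.', 'compass' );
$link    = sprintf(
	'<a href="%1$s">%2$s</a>',
	esc_url( network_site_url() ),
	esc_html( get_network()->site_name )
);
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
	<meta charset="<?php bloginfo( 'charset' ); ?>" />
	<meta name="robots" content="noindex" />
	<title><?php echo esc_html( $title ); ?></title>
	<style>
		body { margin: 0; background: #999; color: #fff; font-family: 'Helvetica Neue', Verdana, sans-serif; }
		.content { max-width: 500px; margin: 20vh auto 0; padding: 10px; text-align: center; font-size: 18px; }
		a:link, a:visited { color: #fff; text-decoration: underline; }
		a:hover, a:active { text-decoration: none; }
	</style>
</head>
<body>
	<section class="content">
		<h1><?php echo esc_html( $title ); ?></h1>
		<p><?php echo esc_html( $message ); ?></p>
		<?php // $cta is escaped as text; $link already carries its own escaped URL and label. ?>
		<p><?php printf( esc_html( $cta ), $link ); ?></p>
	</section>
</body>
</html>
```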

Knowing What’s Missing in WordPress Functionality


WordPress has become one of the most well-known website platforms in the world. Many people love the platform for its flexibility, its security and the range of plugins one can install to provide additional functionality. Despite the many benefits it offers, however, WordPress still lacks some things. If you are a web developer, the information below can be useful. Here are a few of the most requested pieces of missing functionality in WordPress, and some workarounds for the meantime.

Ability to Duplicate Posts

WordPress has no built-in way to duplicate a post, so to reproduce one you have to redo all its settings from scratch, which can be unnecessarily time consuming. This functionality is only available through a plugin: Duplicate Post.

With the Duplicate Post plugin, you can "clone" a post or "create a new draft". The latter copies the post and opens it in a new window for editing, while the former simply creates a new post entirely.

The plugin also has settings that let you choose what to copy:

  • Original date,
  • Original status (saved to draft, published, pending),
  • Original excerpt; original attachments,
  • Children of the original page,
  • Taxonomies/custom fields.

You can also work with custom post types in this plugin. Unfortunately, not all plugins are compatible with it, and the plugin doesn't necessarily call out these incompatibilities on the front end. In the worst case, a conflict involving this plugin can crash your website, so it is important to have a backup.

Bundle Settings and Plugins for New Installs

If you are planning to create multiple sites in WordPress, it would be particularly helpful to have some functionality that bundles all the desired features into a file that could be uploaded to the site you're building. If you work with clients in a similar industry, you will see that many WordPress websites have the same base features. Installing and activating the launch-list plugins one by one is tedious, so as a workaround you can install the WordPress Install Profiles plugin. Once it is installed and activated, go to Plugins > Bulk Install Profiles.

It comes with a default list of plugins, which you can easily add to or remove from. To add a new plugin, use the name from the plugin's URL; then give the profile a name and download it to your computer.

To use the profile on another site, you'll need to have the WordPress Install Profiles plugin installed and activated there, then import the profile you want to install. However, since this plugin hasn't been updated in many years, there may be compatibility or security issues associated with its use.

Site Caching

Site caching helps your site load faster by storing the output of page generation as an HTML file that is served as needed. Page loading speed is a major ranking factor in technical SEO, and to avoid repeated server calls, developers wish that WordPress had site caching built in.

Even though site caching is not built into the platform, there are many plugins that provide it, such as W3 Total Cache and WP Super Cache. Some WordPress hosting companies also offer site caching. Many find that the site caching offered by a web host is more efficient than these plugins, so if that's an option, don't install a caching plugin.

Built-In Form Builder

You can find a lot of form builder plugins, but since most businesses use forms anyway, why not add this functionality to the WordPress core code? Rather than waiting for this missing functionality, try an all-purpose contact form plugin like Contact Form 7. With Contact Form 7, you can manage multiple contact forms, and you can easily customize form and email content with simple markup. Contact Form 7 also supports Ajax-powered submission, CAPTCHA, Akismet spam filtering, and other important security features. It is simple to set up and flexible, and offers customizable default messages and easily defined mail messages.

Improved Theming System

In terms of the theming system, WordPress still needs lots of improvement. There is still "sloppy code" and a "disastrous mix of business and display logic". In the current version, the template hierarchy does not take plugins into account. As a result, if you have a plugin with a custom post type for movies, the plugin has to override the template system or create a workaround to provide a default template for displaying that custom post type.

The more complex the code base, the greater the opportunity to improve code practices, eliminate shortcodes, and fix the template hierarchy for a more efficient base theme.

Custom User Permissions

In general, WordPress serves its users with 5 roles:

  • Administrator
  • Editor
  • Author
  • Contributor
  • Writer

Each of these roles has its own specific limits in terms of the tasks it can manage. Many developers suggest that WordPress should allow site owners to set, specify, or limit what each individual user can do, especially on a multi-author/user site.

To work around this missing functionality, you can use the Advanced Access Manager plugin, which manages both frontend and backend access.

File Browsing Interface

Even though you can find various plugins, you have to be careful in choosing the right plugin for your website, since certain plugins may cause your website to slow down. If the problem comes with an error code you can identify it, but when it does not, you have to manually deactivate all plugins and then reactivate them one by one in the admin area to determine what is causing the error. If the error prevents access to the admin area, you have to use a File Transfer Protocol (FTP) client like FileZilla to back up all plugin files.

A file browsing interface would let developers access files directly from WordPress and quickly fix such issues without needing cPanel/FTP access.

Nowadays, WordPress is still the most powerful platform on its own. No wonder there are various plugins that have been developed to support the functionality missing in WordPress, even though many developers are still hoping that the issues will immediately get built-in solutions.