WordPress Security on Speckyboy Design Magazine
https://speckyboy.com/topic/wordpress-security/
Feed updated: Mon, 19 Aug 2024 11:16:33 +0000

How to Stay Safe When Updating WordPress
https://speckyboy.com/how-to-stay-safe-when-updating-wordpress/
Mon, 22 Jul 2024 17:08:43 +0000

The post How to Stay Safe When Updating WordPress appeared first on Speckyboy Design Magazine.
Choosing WordPress to power your website is a smart move. You’ll gain access to a world of themes, plugins, and possibilities.

There are also some responsibilities, though. Making sure your installation is up-to-date is among them. And software updates come frequently. Experts tell us to apply updates as they are released. Doing so improves website security, squashes bugs, and adds features.

We may assume that hitting the update button is the right thing to do. But what could go wrong? Is there a potential for harm?

That came to light during a supply chain attack on multiple WordPress plugins. Attackers gained access to each plugin's code repository and added malicious code to otherwise legitimate software. Once the tainted update was installed, that code created a hidden administrator account on the site. It's scary stuff, and it means the update channel you trust can itself become the attack vector.

Perhaps this isn’t a common scenario. But it’s a reminder to take precautions before installing an update.

Here are some tips to keep your site safe when updating WordPress.


Find out What’s Changing

Yes, you can automatically update WordPress core, plugins, and themes. But an automatic update installs whatever the repository serves, with nobody looking at it first. If a release has been tampered with, as in the supply chain attack above, it lands on your site right away.

There's nothing wrong with automatically updating minor versions of WordPress core. They often contain security fixes, and core releases are reviewed far more closely than the average plugin. For plugins and themes, it's safer to update manually. One caveat: manual updating only works if you actually do it promptly. A plugin update that fixes a disclosed vulnerability should go on within a day or so; waiting weeks trades a rare supply chain risk for a common one.

You’ll want to know what’s changing and why. A little research will tell you everything you need to know.

First, take a look at what updates are available for your site. Navigate to Dashboard > Updates to see what's available.

Next, take note of any plugin and theme updates. Each plugin on that screen has a "View version details" link. Click it to read the changelog for the new version, and read it with two questions in mind: does the change match what the developer normally ships, and does it add anything the plugin has no obvious reason to need?

Plugins hosted on WordPress.org also have a support forum. Check them to see if other users have reported issues. You may also find notes from the developer.

It will take a bit more research for items hosted elsewhere. You might check their documentation, private support forum, or GitHub repository.

These details will help you make an informed decision. Seeing bug reports, for example, may lead you to hold off on updating.

Feel free to ask questions if you have concerns. Knowledge is power, as they say.

A plugin's changelog is a great place to find out what's new.

Back up Your Website Frequently

Security isn’t the only potential issue here. A software update could cause other problems. You might find a compatibility issue. Or an update might introduce a conflict with another plugin or theme. There’s also a chance that the update will fail.

It’s never a bad idea to back up your site before applying updates. You’ll have peace of mind knowing you can roll back if needed.

Your web host may provide backup capabilities. If not, you can also use a backup plugin. These options are usually seamless. Choose one that fits your desired workflow.

A tool that creates incremental backups is preferred. The feature improves the efficiency of both backing up and restoring your site.

And don’t forget about backing up your database! Some updates make changes there as well.

Site backups serve as a safety net when an update goes wrong.

Test Each Update for Issues

Don’t update and walk away. You’ll never know what sort of trouble you left behind. At least, not until a client discovers it.

Be sure to test updates after installing them. Ideally, you’ll have a staging environment to work with. That gives you the freedom to test without impacting users.

So, what should you test? That depends on the type of updates you installed.

If you updated WooCommerce, look at your site’s products. Add an item to your cart and test the checkout process. Edit a product or setting from the WordPress dashboard. Be on the lookout for anything that doesn’t work as expected.

Follow the same pattern for other items. Determine what could be impacted by the update. Then, test on both the front and back ends.

You can use your browser's developer tools to help. For example, the console tab shows JavaScript errors, and the network tab shows requests that failed with a 404 or another error status. Both can affect stability and site performance.

The process shouldn’t take more than a few minutes. And you’ll rest easy knowing that everything is working correctly.

Check the front and back ends of your site after updating.
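The routine described above (back up first, read what's changing, update, then check) can be scripted with WP-CLI. The following is an added example and is not code from the original article; it assumes WP-CLI is installed as `wp`, that `WP_PATH` points at the WordPress root, and that `BACKUP_DIR` is writable. Besides the backup, it adds the two checks a practitioner would want after the supply chain incident above: the updated plugin's files are compared with the checksums WordPress.org publishes for that version, and the list of administrator accounts is compared with the list recorded before the update.

```shell
#!/bin/sh
# Added example, not code from the original article: a WP-CLI wrapper for a
# safe single-plugin update (back up, record admins, update, verify, re-check).
# Assumptions: "wp" is on PATH, WP_PATH is the WordPress root, BACKUP_DIR is writable.
set -eu

# List plugins with an update available, with current and new versions,
# so each changelog can be read before anything is installed.
pending_updates() {
  wp --path="$WP_PATH" plugin list --update=available \
     --fields=name,version,update_version --format=table
}

# Print administrator logins, one per line, sorted so two lists are diffable.
list_admins() {
  wp --path="$WP_PATH" user list --role=administrator --field=user_login | sort
}

# Compare two sorted admin lists. Prints logins present in the AFTER file but
# not in the BEFORE file; returns 1 if any were found, 0 if the lists match.
new_admins() {
  added=$(comm -13 "$1" "$2")
  [ -z "$added" ] && return 0
  printf '%s\n' "$added"
  return 1
}

# Dump the database and tar up wp-content; echo the timestamp used in the file names.
backup_site() {
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql" >/dev/null
  tar -czf "$BACKUP_DIR/wp-content-$stamp.tgz" -C "$WP_PATH" wp-content
  echo "$stamp"
}

# Update one plugin with a backup taken first and two checks afterwards:
# its files are compared with the checksums WordPress.org publishes (only works
# for plugins hosted there), and the administrator list is compared with the
# one recorded before the update. Any failure prints the rollback command.
safe_update_plugin() {
  slug="$1"
  stamp=$(backup_site)
  before=$(mktemp); after=$(mktemp)
  list_admins > "$before"
  wp --path="$WP_PATH" plugin update "$slug"
  status=0
  if ! wp --path="$WP_PATH" plugin verify-checksums "$slug"; then
    echo "WARNING: $slug files do not match WordPress.org checksums" >&2; status=1
  fi
  list_admins > "$after"
  if ! new_admins "$before" "$after"; then
    echo "WARNING: administrator account(s) listed above appeared while updating $slug" >&2; status=1
  fi
  rm -f "$before" "$after"
  if [ "$status" -ne 0 ]; then
    echo "Roll back with: wp --path=$WP_PATH db import $BACKUP_DIR/db-$stamp.sql" >&2
  fi
  return "$status"
}

# Usage: WP_PATH=/var/www/html BACKUP_DIR=/var/backups/wp sh safe-update.sh <plugin-slug>
if [ "$#" -gt 0 ]; then
  : "${WP_PATH:?set WP_PATH to the WordPress root}"
  : "${BACKUP_DIR:=/var/backups/wp}"
  safe_update_plugin "$1"
fi
```

To roll the plugin itself back rather than the whole database, `wp plugin install <slug> --version=<previous> --force` reinstalls the earlier release from WordPress.org. The "manual for plugins and themes, automatic for core minor versions" policy from the section above maps to `wp plugin auto-updates disable --all` and `wp theme auto-updates disable --all`; core minor updates stay automatic unless you turn them off.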

A Holistic Approach to Updating WordPress

We all appreciate convenience – especially with mundane tasks. Such is the case with updating WordPress. It’s easy to hit the update button without a second thought.

That puts your site at risk, however. There are a myriad of things that can go wrong. Therefore, it’s worth paying attention.

Perform some research regarding each update. Get a sense of what is changing. From there, you can gauge the potential impact.

In some cases, you might want to delay installing an update. That's OK. Only security-related updates should be considered an emergency: when a changelog mentions a vulnerability fix, back up and apply it the same day.

Being proactive also means keeping site backups. That will be your safety net should something go wrong. Testing on a staging environment is also recommended.

The bottom line is to pay attention. Your site and its users will be glad you did.

How to Explain WordPress Maintenance to Clients in Simple Terms
https://speckyboy.com/explain-wordpress-maintenance-clients/
Wed, 10 Jul 2024 13:12:10 +0000
Insights on effectively communicating WordPress maintenance needs to clients and building trust.

The post How to Explain WordPress Maintenance to Clients in Simple Terms appeared first on Speckyboy Design Magazine.
There’s more to website ownership than meets the eye. However, our clients may not realize this. They might think that the work ends when the site launches.

An experienced web designer knows better. A site launch is just the beginning. Content management systems (CMS) like WordPress are a case in point. A steady stream of updates keeps us on our toes.

It’s one reason why I believe a professional should manage WordPress sites. Even the tiniest of websites have significant maintenance needs.

Still, clients don’t always understand the stakes or the costs involved. Until something goes wrong, that is. But let’s not go that far.

The key to avoiding problems starts with education. Teaching clients the hows and whys of WordPress maintenance can do the trick. With that, here are some points worth driving home in your discussions.


Website Maintenance Is an Investment

There are two types of website investments. The first is the cost of the initial design and build. It covers everything from the idea phase to the site launch. That’s the big, expensive part.

The second comes after the site goes out into the world. It ensures both content and software are current. Clients can get tripped up by this one.

What clients may not understand is that websites require care – regardless of whether the content changes. They’re viewing the phrase “website updates” through a different lens.

How do we change their perspective? You could compare website maintenance to that of a car.

Cars need regular care to keep things running smoothly. Doing so prevents problems down the road. It’s an investment in safety and stability.

Websites need the same kind of investment. The goal is to keep it in tip-top shape – and avoid common pitfalls.

WordPress sees frequent updates to plugins, themes, and the core software. Together, they improve the overall security and performance of a website. It’s too important to ignore.

Standards and Best Practices Change

The web’s standards and best practices are subject to change. So, that shiny website from a few years ago is now behind the times.

We’ll see this in several areas of a typical WordPress site. Accessibility is a big one. An older WordPress theme may not be up to the current standard. Old or abandoned plugins might also lack accessible features.

Server technology also marches on. A website may run on an outdated version of PHP, for instance. A PHP version that has reached end of life no longer receives security fixes, so you're missing out on both better performance and patches.

These issues go beyond a website’s aesthetics. They are fundamental to things like usability and legal compliance. The more you fall behind, the greater the risk.

Resolving these issues requires time and money. We’ll need to review the website and determine what needs to be changed or fixed. From there, it’s time to perform the necessary tasks.

Clients may have a hard time grasping this concept. They can’t always see the need for such changes. Nor can they always measure the results.

However, it’s one of the costs of website ownership. Think of it this way: Brick-and-mortar locations must keep up with building codes. Websites need to do the same.

The technology behind a website changes frequently.

Vigilance Is an Important Part of the Plan

Website maintenance is not a once-per-year type of task. It’s an ongoing commitment. WordPress releases a new major version every few months. Plugin and theme updates can drop at any time.

Each update opens the door to potential change. For example, a plugin update might require a new version of PHP. You might also need to update any custom code.

Security is also a key factor. New vulnerabilities pop up frequently. They require us to act quickly. Otherwise, we increase the risk of a compromised site.

Vigilance is important. It comes at a cost, though. Web designers need to keep a watchful eye. That means a combination of manual intervention and automated tools.

These acts won’t guarantee a problem-free experience. But they can prevent a small problem from becoming a major one.

That peace of mind is worth the price – particularly for clients who depend on their website for sales. A broken or hacked eCommerce site could spell disaster.

It takes a watchful eye to keep your website safe and secure.

A Well-Maintained Website Benefits All

In a nutshell, everyone benefits from a well-maintained website. Web designers can use it as a vehicle for recurring revenue. Users are less likely to encounter problems. And that should make website owners happy!

The other side effect is taking advantage of new features. WordPress is continually refining its core. The same goes for its theme and plugin ecosystem.

It’s an opportunity to do more online. Features that enhance performance, accessibility, or ease of use can mean more sales. That’s one way to increase the chances of customer loyalty.

Make an effort to discuss WordPress maintenance with your clients. Help guide them on the importance of staying on the cutting edge.

They’ll be more likely to commit once they learn the hows and whys. And they’ll be better prepared to adapt to the web’s ever-changing landscape.

10 Best Free Security WordPress Plugins
https://speckyboy.com/10-free-plugins-secure-wordpress-website/
Tue, 07 May 2024 08:01:18 +0000
A collection of powerful WordPress plugins that will harden your website and provide you with an extra layer of security and protection.

The post 10 Best Free Security WordPress Plugins appeared first on Speckyboy Design Magazine.
WordPress is now powering over 40% of all websites. That’s a testament to its flexibility, ease of use, and loads of free plugins and themes that are available. But that also means WordPress has a gigantic target on its back from malicious hackers and bots.

They’re constantly scanning for outdated installations with known vulnerabilities, and newly disclosed bugs are probed soon after publication. Brute-force login attacks hit even the most lightly trafficked sites.

It has become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but you can do plenty within WordPress itself. In fact, there are a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.

The Top Plugins for Securing WordPress

Limit Login Attempts Reloaded for WordPress

Brute-force login attacks are such a nuisance that there is a whole category of plugins dedicated to stopping them. Limit Login Attempts Reloaded can help you take control of the situation. It provides the ability to set login limits and block offending IP addresses for a specified amount of time.

Additionally, you can choose to be notified when an IP is blocked. That may be a bit overwhelming for sites that see a lot of attacks. Thus, it might be more efficient to periodically check the log of blocked attempts.


Sucuri Security WordPress Plugin

Sucuri Security includes a suite of features aimed at keeping site administrators informed. The plugin scans your files for suspicious code and known vulnerabilities and notifies you of any issues it finds. In addition, your site is checked against blocklist engines, and the plugin reports if it has been flagged.

You’ll also find a helpful log of security-related activities, helping you keep track of changes made to your site. Level up to the premium version to activate a firewall, performance optimization, and more.


Wordfence WordPress Plugin

With millions of active installs, Wordfence is one of the most popular plugins out there. It will routinely scan your WordPress install for malicious code and includes a web application firewall that blocks known attack patterns before they reach WordPress.

Features like IP blocking, brute-force login protection, and two-factor authentication are included in the free version. The premium version adds country blocking and real-time delivery of new firewall rules and malware signatures; free installs receive them after a delay.


Jetpack WordPress Plugin

The WordPress jack-of-all-trades Jetpack has added some great security features in recent years. Brute-force login protection is included (and will proudly display how many malicious login attempts have been thwarted on the WP Dashboard).

There’s also a single sign-on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning, and more.


iThemes Security (now Solid Security) for WordPress

This security suite (in plugin form) protects your site with brute-force protection, file change detection, and enforced strong passwords, and it can help you run your entire site over HTTPS. A Pro version enables malware scanning, password expiration, and much more.


All In One WP Security & Firewall Plugin

This plugin will scan your site’s user accounts and flag any whose display name is identical to the login name. Display names appear publicly on posts and comments, so a matching login hands bots half of a credential pair. Treat the check as one layer rather than a complete fix: the author-archive slug and the REST API’s users endpoint can still reveal a user slug that WordPress derives from the login. User registration can also be set for admin approval, meaning you’ll have the ability to reject accounts you don’t trust.

You’ll also find brute-force protection, a firewall, malware scanning, and protection for configuration files.

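The display-name check described above can be run from the command line, and extended to the author slug WordPress derives from the login. This is an added example, not the plugin's code or the article's; it assumes WP-CLI is installed as `wp` and that `WP_PATH` points at the WordPress root. The comparison itself reads the CSV that `wp user list` produces, so it can be tested on a constructed user table without a live site.

```shell
#!/bin/sh
# Added example, not code from the original article or the plugin: audit user
# accounts for logins exposed through the display name or the author slug.
# Assumptions: "wp" is on PATH and WP_PATH is the WordPress root.
set -eu

# Read CSV rows "user_login,display_name,user_nicename" (header first) on stdin
# and print one line per finding: "<login> <reason>".
# Two checks:
#  - display_name equal to the login (case-insensitive): shown on posts/comments.
#  - user_nicename equal to the login: this is the author-archive slug and the
#    "slug" field of /wp-json/wp/v2/users. WordPress builds it with
#    sanitize_title(login); the lower-case/hyphen rewrite below approximates
#    that for ASCII logins. Display names containing commas would be quoted by
#    wp-cli and are not handled by this simple field split.
flag_exposed_logins() {
  awk -F, 'NR > 1 {
    login = $1; display = $2; nicename = $3
    if (tolower(display) == tolower(login))
      print login " display_name-equals-login"
    slug = tolower(login); gsub(/[^a-z0-9]+/, "-", slug)
    if (nicename == slug)
      print login " nicename-equals-login"
  }'
}

# Pull the user table from the site and run the check.
audit_site() {
  wp --path="$WP_PATH" user list \
     --fields=user_login,display_name,user_nicename --format=csv | flag_exposed_logins
}

# Usage: WP_PATH=/var/www/html sh audit-logins.sh audit
if [ "$#" -gt 0 ] && [ "$1" = "audit" ]; then
  : "${WP_PATH:?set WP_PATH to the WordPress root}"
  audit_site
fi
```

A flagged display name is fixed from the user's profile screen. A flagged nicename cannot be changed there; `wp user update <login> --user_nicename=<new-slug>` changes the slug, which also changes that author's archive URL.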

BulletProof Security Plugin for WordPress

BulletProof Security will provide extra security for your site’s .htaccess file, logins, auth cookie expiration, and allow for database backups. You can also set a time limit on idle WordPress sessions, which will log the user out of the system after a specified period of inactivity.


Really Simple SSL for WordPress

One of the absolute best things you can do for security is to serve your site over HTTPS. Once you’ve acquired a TLS certificate (still commonly called an SSL certificate) and installed it on your server, Really Simple SSL will switch WordPress over to HTTPS: it updates the site URL, redirects HTTP requests, and fixes mixed-content references.


Shield WordPress Security Plugin

Formerly known as WordPress Simple Firewall, this plugin will automatically block out malicious URLs and requests. It will also protect your blog from spambot comments and add two-factor authentication.


Hide My WordPress Plugin

One of the telltale signs a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. Hide My WordPress allows you to rename these login gateways, which cuts down on automated login attempts aimed at the default paths. Treat it as noise reduction rather than real protection: the new path is discoverable, and renaming does nothing against attacks that never touch the login form, such as exploitation of a vulnerable plugin. Strong passwords, rate limiting, and two-factor authentication still do the heavy lifting.

Security Plugin Caution

Note that you should use caution when enabling more than one security plugin. Some can conflict with each other and lead to either a crashed site or a major performance hit. If you plan to use more than one security plugin, do some research to see how they coexist.

While there is no silver bullet for securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes things much more difficult to crack.

WordPress Security Plugin FAQs

  • What Are WordPress Security Plugins?
    They are plugins designed to protect your WordPress site from security threats like hacking, malware, and unauthorized access. They add extra layers of security to your site.
  • Who Should Use WordPress Security Plugins?
    Anyone with a WordPress site, from bloggers and small business owners to large organizations, should use security plugins. They’re essential for protecting your website and user data.
  • Why Are Security Plugins Important for WordPress Sites?
    They safeguard your site against various cyber threats. They help prevent data breaches, protect user information, and keep your website safe and trustworthy.
  • How Do Security Plugins Enhance a WordPress Site’s Safety?
    They offer features like firewalls, regular security scans, protection against brute force attacks, and alerts for any suspicious activity. Some also help with secure backups.
  • Can Security Plugins Affect the Performance of My WordPress Site?
    While some plugins might slightly affect site speed, most well-designed security plugins are optimized to minimize any impact on your website’s performance.
  • Should I Use Multiple Security Plugins on My Site?
    It’s usually not necessary to use multiple security plugins. One comprehensive, well-rated plugin is often enough to cover most security needs.

How to Educate Clients on WordPress Security Best Practices
https://speckyboy.com/clients-wordpress-security/
Sat, 04 May 2024 21:27:36 +0000
We discuss being proactive when it comes to teaching clients about security best practices. Some things are universal, while others are a bit more specific to WordPress itself.

The post How to Educate Clients on WordPress Security Best Practices appeared first on Speckyboy Design Magazine.
Building and securing a WordPress website is always a challenge. Developers take great care to write solid code and implement features such as security plugins to mitigate the inevitable attacks.

Even so, we’re not out of the woods. To paraphrase the old saying: a website is only as secure as its weakest link. Beyond potential exploits due to code, the weakest link tends to be an uninformed user. Someone who, through no fault of their own, makes a bad choice that leaves their website vulnerable.

To use another cliché: the best defense is a good offense. In this case, it means being proactive when it comes to teaching clients about security best practices. Some things (like strong passwords) are universal, while others are more specific to WordPress itself. And that’s our focus for today.

With that, let’s review five things your clients need to know about WordPress security.


Don’t Install a WordPress Plugin Without Consulting a Professional

We get it: the temptation to install plugins is real. They are, after all, just a few clicks away.

But the risk is also real. WordPress plugins vary greatly in terms of quality and, thus, security. It’s not uncommon to find a plugin in the official repository that hasn’t been updated in a year or more. Maybe it’s harmless; maybe it’s not.

Because of this, web designers should encourage clients to perform a quick consultation before installing a plugin. Offer to take a look and review the particulars. This single step could prevent a nightmare scenario with regards to security and site stability.

There are several benefits. First, this keeps you in the loop as to what’s going on with the site. In addition, it allows you to point clients in the direction of good, reputable plugins. Not to mention that this trains clients to think before they click. That benefits everyone.

The WordPress Plugins screen.

Create New User Accounts, Rather Than Sharing a Single One

Many organizations have more than one person who needs access to the WordPress dashboard. Too often, those users share a single account.

On the surface, this may seem like a simple matter of trust. And there certainly is an element of that. If a team member leaves the organization, there is the possibility of them still having access if the password hasn’t been changed. And a malicious person could do some damage.

The other real concern here is about device security. If you have, say, five people sharing a WordPress administrator account, all it takes is one of their devices to be exploited. For example, a keylogger on one user’s PC could compromise the account.

Therefore, it’s recommended that each user have their own account. This is easy to do within WordPress, and we can even create custom user roles that limit what someone can and can’t do.

An assortment of keys.

Keep WordPress Core, Plugins and Themes Up-To-Date

Ideally, your clients will contract with you to handle software updates. But if they’re the ones taking responsibility, it’s important that they treat the issue very seriously.

As a developer, there are few things more irritating than troubleshooting a compromised website, only to log into WordPress and see that things are several versions out-of-date. It’s akin to leaving the front door of your house wide open, 24/7. You shouldn’t be too surprised when someone comes in and takes your fancy new TV.

The importance of keeping WordPress core, plugins, and themes updated cannot be overstated. That said, it may still be beyond the comfort level of some clients. That’s OK. Either they can hire you to deal with it or, at the very least, enable auto updates where possible.

Regardless of how updates are implemented, they must be taken care of. While it won’t guarantee security, it’s much better than the alternative.

A person typing on a keyboard.

Two-Factor Authentication Can Make a Big Difference

Adding two-factor authentication to WordPress is fairly simple. But it’s only worthwhile if stakeholders actually use it.

True, it’s not very convenient. Having to verify an email, a text message, or check a mobile app to login can be a major pain. But this extra step is vital. It puts up a huge barrier between a malicious actor and access to your website’s back end.

And the user experience is actually getting better. Some implementations are now combining device recognition with 2FA. This means that, so long as a user’s device is recognized, there won’t be a need to verify a login for a specified amount of time.

Plus, 2FA has become standard in so many places. Some online banking apps won’t let you login without it. There’s no reason why your website shouldn’t take advantage of this technology as well.

What’s Secure Today May Not Be Tomorrow

Regardless of the platform it runs on, a website is not a one-and-done affair. It requires frequent (if not constant) attention – with security playing a major role.

The web is constantly evolving. New technology gets old very quickly. And what was once thought to be a security best practice can sometimes be proven otherwise.

Because of that, website security is a challenge that really has no end. It’s a daily battle for small and large organizations alike.

The result is that websites need to change along with the times. When it comes to WordPress, that may mean replacing older security plugins with something better. Or doing away with abandoned themes and plugins to tighten things up. It could also require a change in hosts or server environments.

It’s important to understand that just because you’ve invested in security today doesn’t mean you won’t have to do so again tomorrow.

Code on a computer screen.

Educate Clients Today for a More Secure WordPress Website

Our clients often rely on us to provide some knowledge along with a killer website. And security may just be the most important subject we can educate them on.

Making an effort to do so from the beginning can pay long-term dividends. A client who understands how to keep their WordPress website secure is less likely to make one of those crucial mistakes. That alone may be the difference between cleaning up a hacked site and smooth sailing.

Things That Keep the Grumpy Designer Awake at Night
https://speckyboy.com/things-that-keep-grumpy-designer-awake-night/
Sun, 28 Apr 2024 15:46:34 +0000
A dive into the web-related issues that keep the Grumpy Designer up at night. Make a cup of coffee and join us on this nerve-wracking journey.

The post Things That Keep the Grumpy Designer Awake at Night appeared first on Speckyboy Design Magazine.
I’ve learned many lessons in my years as a grumpy designer. One is to try and separate work from the rest of your life. It’s a healthy practice – one that leads to (slightly) less stress.

But, try as I might, certain things stick with me. Things that stay at the front of my mind all day and night. This vicious cycle results in less sleep and more grump. Yes, that’s wonderful for inspiring columns. Not so good for the soul, though.

I’m willing to bet that others are facing the same issue. The growing complexity of web design is making it harder to relax.

Feeling better starts with sharing. So, allow me to dig into the depths of my psyche. The following is a look at web-related issues that keep me up at night. Make a cup of coffee and join me on this nerve-wracking journey.

The Never-Ending Quest for Web Security

Security has long been a thorn in our sides. We can build websites in any number of ways. However, they all seem to be a target for malicious actors.

I work primarily with WordPress. I love the flexibility it offers. But securing these sites is a constant battle.

Hackers have numerous points of attack. They might take advantage of a plugin vulnerability. Or they might crack a weak password. They’re even stealing session cookies these days.

WordPress isn’t alone in the struggle for security. But working with it each day seems to magnify the issue. It has become a constant presence in my mind.

Sometimes, the situation feels hopeless. You plug one security hole – only to see another one pop up. Cleaning up a hacked site is tedious at best. Plus, the thought of data theft is enough to make anyone nervous.

Perhaps the answer lies in not going it alone. Web security is a vast subject. Threats continue to evolve. Thus, working with expert tools (and humans) is worth the price.

Even so, security issues make it harder to fall asleep.

Web security is a complex issue with no easy answers.

The Always-on Work Culture of a Web Designer

Remember my goal of separating work and life? I’m terrible at it. Sure, I do well enough during slow times. But I drown when things get busy.

The web industry has a 24/7 work culture that’s hard to escape. A website won’t wait until business hours to break. Most clients won’t consider the clock when making a request, either.

It used to be easier to get away. Before smartphones, you could leave your desk and inbox behind.

I can recall vacationing in places that had no internet access. I could go an entire week without email. How quaint!

Good luck avoiding your inbox these days. You’ll need self-discipline and clients who can temporarily live without you.

Yes, I try to turn my brain off. I’ll even abstain from replying to an email – for a while. Eventually, my brain gets the best of me. Things stay on my mind until I address them. So, why not respond?

That makes sense on the surface. It doesn’t lead to much peace after hours, though.

Online culture makes it difficult to get away from work.

The Things Out of My Control

Web designers can only control so much. Security is one example – but there are others. Modern websites tend to rely on third-party providers.

That covers everything from web hosting to SaaS (software as a service) to plugins. We may get to choose which tools to use. But we must also trust them to deliver.

What happens when something goes wrong? We might be able to contact a support person. However, some providers take days to respond. Plus, some companies are using chatbots as their first point of contact. Navigating these tools is no picnic.

The result leaves us stuck in the middle. Our clients want to know what’s going on. Meanwhile, we can only rely on what the provider tells us. A lack of communication can be frustrating and worrisome.

It’s about more than downtime, though. Sometimes, a product makes a significant change that impacts your website. Things may not work the way we (or our clients) expect. That leaves us scrambling to figure it out.

Gmail’s recent bulk-sender policy changes are an example. The change’s impact went beyond my expectations. That led to a lot of rushing around to fix email deliverability issues.

Sure, we can try to prepare for the inevitable. But sometimes, all we can do is react.

The Expectations of Clients and Myself

Expectations can keep any web designer up at night. Clients are asking more from us. They want high-end features in exchange for bargain-bin pricing.

That leads us on a wild goose chase. The quest to be faster, cheaper, and better. How do we squeeze in more projects in the same timeframe?

The expectations we have for ourselves are also a burden. I pride myself on getting things done. I want to create the layouts, pick the colors, and write the code. It’s the way I’ve done things for over two decades.

That’s becoming harder, though. The right tools can help. But there’s still a massive responsibility to do the job right.

Part of this may be cultural. Growth is expected and encouraged. After all, who wants to stay the same?

We don’t prioritize comfort nearly enough. Doing so may be perceived as accepting the status quo. Nobody wants to look like they’re stagnating.

All told, this adds to the pressure we feel. We must move onward and upward, regardless of the consequences.

There are great expectations placed on web designers.

Making Sense and Making Peace

So, what lessons have I learned? That was the point of writing this down, right?

I think web designers need to create boundaries – and stick to them. Otherwise, it’s too easy to get pulled into that vicious cycle. It’s hard – but better than the alternative.

Self-forgiveness is also a factor. It’s OK if you don’t know how to do something. There’s no shame in needing extra time to complete a project.

Sometimes, we’re harder on ourselves than any client could be. So, permit yourself to be imperfect. Give yourself some grace. None of us go through life without experiencing adversity.

Finally, don’t let your job become your only source of identity. It took me a while to understand that advice. But we all need time away from the online world.

Will the things above still keep me awake? I’m betting that they will. Perhaps it’s better to accept it instead of fighting it. Tomorrow can always be better.

The post Things That Keep the Grumpy Designer Awake at Night appeared first on Speckyboy Design Magazine.

Better Web Security Means Less Convenience – For Now
https://speckyboy.com/better-web-security-means-less-convenience-for-now/
Mon, 22 Apr 2024 08:11:52 +0000 (https://speckyboy.com/?p=165812)

We discuss the balance between increased web security and user convenience, analyzing how this impacts everyday online interactions.

The post Better Web Security Means Less Convenience – For Now appeared first on Speckyboy Design Magazine.

The web makes our lives more convenient. We can order a T-shirt or a pizza with a few clicks. We can conduct global research without leaving our seats. It has changed the way we do just about everything.

As web designers, we seek to add even more convenience. We employ systems to “remember” users. We store customer information in the cloud. These features make it easier for people to get things done.

A seamless user experience is the goal. It’s both well-intentioned and potentially lucrative. There is often a cost when it comes to security, though.

Malicious actors are taking advantage of this convenience. Methods like stealing session cookies are prevalent. Thus, staying logged into your website is a risk.

That’s just the tip of the iceberg. Indeed, making the web more secure means less convenience. Here are a few examples of what that looks like. In addition, we’ll talk about why these measures may be temporary.

Using Two-Factor Authentication Everywhere

It’s becoming harder to avoid two-factor authentication (2FA). This method is in place just about everywhere – including your WordPress site.

The idea makes perfect sense. The extra layer of authentication means a hacker needs more than a username and password. They can’t access your account without a 2FA code.

However, 2FA is far from perfect. It protects the login step, and only the login step. A stolen session cookie skips that step entirely: the browser presenting the cookie is already authenticated, so the site never asks for a second factor.

Plus, 2FA is a hassle for users. Think about all the extra time it takes to log into each website you use. It makes people want to stay logged in – and run the risk of a stolen session cookie.

Help may be on the horizon. Passkeys are poised to simplify the login process – while maintaining top security.

Passkeys rely on a user’s device to replace a username and password. A key pair is created for each site; the private key is never sent to the website, and the user unlocks it the same way they unlock the device itself, with a PIN or biometrics. Because the key is bound to the site’s origin, it can’t be phished the way a password or a 2FA code can.

That may ease the burden. But we’re likely to be stuck with current methods a while longer.

Two-Factor Authentication has become a popular, if limited, security practice.

Locked-Down WordPress Files

The theme and plugin ecosystem is a big part of WordPress. You can add new items or update existing ones, all from a single dashboard. Once again, it’s a very convenient feature.

The problems start when a user account is compromised. A malicious actor can add all manner of malware. And they don’t have to be an administrator. Privilege-escalation bugs in plugins can let a lower-level user do things WordPress permissions should prevent.

The answer appears to be locking down your WordPress install. For example, only the staging environment would be allowed to write to the file system. That’s where you add or update software. And because staging sits behind an HTTP login, the public (and automated attackers) can’t reach it.

The production site would allow for uploading media files – but nothing else. That means any theme or plugin installations must come from staging first. The same goes for updates.

Yes, it’s an extra step. But it’s one worth taking. This method not only increases security. It is also a best practice for testing. It could prevent issues for mission-critical sites.
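Here is what that split looks like in wp-config.php, as an added example that is not from the article or from any host’s tooling. It assumes you define the WordPress WP_ENVIRONMENT_TYPE constant per server (the value and the file layout are yours to adjust); the HTTP login in front of staging lives in the web server configuration and is not shown.

```php
<?php
// wp-config.php fragment (added example). Assumption: WP_ENVIRONMENT_TYPE is
// set per server, e.g. 'staging' on the staging host and 'production' here.

if ( ! defined( 'WP_ENVIRONMENT_TYPE' ) ) {
    define( 'WP_ENVIRONMENT_TYPE', 'production' ); // safest default
}

// The weak setting is the default: with nothing defined, any account holding
// install_plugins or edit_themes, or any plugin running with those
// capabilities, can write PHP into wp-content straight from the dashboard.

if ( 'production' === WP_ENVIRONMENT_TYPE ) {
    // Hardened: removes the plugin/theme installer and updater, the theme and
    // plugin file editors, and (as a side effect) all automatic updates,
    // including core security releases. Those must now arrive the same way
    // everything else does: tested on staging, then deployed.
    define( 'DISALLOW_FILE_MODS', true );

    // Media uploads are unaffected; they go to wp-content/uploads, which is
    // governed by file-system permissions rather than by this constant.
} else {
    // Staging: installs and updates allowed so you can stage a change, but
    // never the in-dashboard code editors, the handiest tool an attacker has.
    define( 'DISALLOW_FILE_EDIT', true );

    // Keep minor core releases flowing automatically on staging so you see
    // them before they matter in production.
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}
```

Because DISALLOW_FILE_MODS also switches off automatic updates, pair it with a deployment step that promotes staging to production promptly after a core security release. The constant only changes what the dashboard offers; it does not touch permissions, so on production also make everything except wp-content/uploads read-only to the PHP user.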

Not every web host offers staging, though. Or an easy way to lock down an install. But this may be the best option until something better comes along.

Speaking of that, security providers are devising new strategies. That could provide a balance between security and ease of use.

Hackers are taking advantage of writable file systems.

Limiting Code Execution within Site Content

Sometimes, we need to execute code within a site’s content. For example, we might embed JavaScript from an advertising network into a blog post.

WordPress facilitates this via its Custom HTML block. Some plugins enable adding code snippets as well.

It’s a handy feature. You can add all sorts of third-party widgets that engage users. They might also produce revenue.

It’s also an easy way to introduce malicious code. WordPress filters content through KSES for users who lack the unfiltered_html capability. But on a single-site install, administrators and editors hold that capability, so their HTML is saved exactly as entered. A compromised editor or admin account can therefore plant a script in any post. Not all themes and plugins follow best practices with their own input, either. Unsanitized code could infect your site – and impact users.

Limiting code execution is one way to prevent security issues. You might disable the Custom HTML block, for instance. You could also send HTTP security headers at the server level, such as a Content-Security-Policy that only lets scripts load from origins you have approved.
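As an added example (not code from the article), this is how those measures look in a small must-use plugin. It assumes a block-editor site on WordPress 5.8 or later; the ad-network host in the policy is a placeholder for whatever origins you actually embed, and the function names are invented for the example.

```php
<?php
/**
 * Plugin Name: Limit content code execution (added example)
 * Drop into wp-content/mu-plugins/. Assumes WordPress 5.8+.
 */

// 1. Take the Custom HTML block out of the editor. The filter is an
//    allowlist (true = everything, false = nothing, or an array of names),
//    so start from every registered block and drop core/html.
add_filter( 'allowed_block_types_all', function ( $allowed, $context ) {
    if ( false === $allowed ) {
        return false; // another plugin already disabled all blocks
    }
    if ( true === $allowed ) {
        $allowed = array_keys( WP_Block_Type_Registry::get_instance()->get_all_registered() );
    }
    return array_values( array_diff( $allowed, array( 'core/html' ) ) );
}, 10, 2 );

// 2. Hiding the block is UI-only; a compromised account can still push raw
//    HTML through the REST API. Real enforcement is KSES, which WordPress
//    skips for anyone holding unfiltered_html (administrators and editors on
//    single-site installs). Revoke it so every save is filtered. This is what
//    define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php does too.
add_filter( 'map_meta_cap', function ( $caps, $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

// 3. Defense in depth for the front end: a Content-Security-Policy that only
//    lets scripts load from this site and the one ad network you use.
//    Start in Report-Only mode; switch the header name to
//    Content-Security-Policy once the reports show nothing legitimate blocked.
add_action( 'send_headers', function () {
    $policy = implode( '; ', array(
        "script-src 'self' https://ads.example-network.test", // placeholder host
        "object-src 'none'",
        "base-uri 'self'",
    ) );
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
} );
```

With unfiltered_html gone, script and iframe tags are stripped on save, so third-party embeds have to come from a plugin or theme you control; that is exactly the convenience the article says we give up. Expect the Report-Only header to flag inline scripts that WordPress and many themes emit; those need nonces or hashes before the policy can be enforced.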

Artificial intelligence (AI) could soon be a factor. A tool that can detect malicious code in real-time might prevent a successful attack. That would empower users without creating as many security concerns.

Allowing users to embed code into content is risky.

A Secure Website Requires Sacrifice

Security puts web designers in a difficult position. We strive to build great user experiences. We want to help our clients to do their jobs with ease.

But we also want our websites to be secure. That requires us to make some difficult decisions. Do we sacrifice convenience for safety?

The answer appears to be “yes” for now. Insecure login methods and writable folders are risky. So is allowing users to execute code within their content. And it seems that malware continues to thrive in these environments.

As such, closing these avenues of attack makes sense. Even if it creates extra hurdles for users.

We can still hope for a better future, though. The advent of passkeys and AI-driven security might be just what we need. Their time can’t come soon enough.

5 Common WordPress Myths Debunked
https://speckyboy.com/wordpress-myths-debunked/
Fri, 15 Mar 2024 09:06:00 +0000 (https://speckyboy.com/?p=127566)

We take a look at some of the most common myths floating around the world of WordPress and attempt to uncover the truth.

The post 5 Common WordPress Myths Debunked appeared first on Speckyboy Design Magazine.

Don’t be alarmed – but it’s been said that the internet contains some misinformation. It’s also really effective at spreading various falsehoods. And because anyone can publish whatever they like, it can be difficult to tell fiction from the truth. Shocking, right?

WordPress is no stranger to various myths and conspiracy theories. Some people are suspicious of big changes to the content management system’s (CMS) core. And others simply have misconceptions about the ecosystem, community and the overall picture of how things work.

It’s time to set the record straight. Today, we’ll take a look at some of the most common myths floating around in the world of WordPress and attempt to uncover the truth. What will we find? Keep reading to find out!


Myth #1: WordPress Is Slow and Insecure

Let’s start with the double-whammy of performance and security. Social media clickbait often portrays WordPress as seriously lacking in both of these key areas.

The problem with this narrative is that it treats WordPress as a one-size-fits-all CMS. The fact is that, while a stock installation is universal, we rarely leave it that way.

There are so many ways to customize WordPress. For starters, third-party plugins and themes are a huge part of the experience. And seasoned developers may well craft their own. In addition, the CMS can be hosted in any number of different server environments.

Each one of these factors into both security and performance. For instance, equip your website with a bloated theme or buggy plugin and you open yourself up to potential issues. Opting for cheap web hosting can do the same.

Beyond that, WordPress is also incredibly popular. Thus, it has a target on its back from bots and other nasties. Much like hackers write viruses targeting the Windows operating system over others, they aim for WordPress as well. The bigger you are, the more they come after you.

The WordPress project is open-source and has a large number of volunteers who dedicate themselves to, among other things, performance and security. That’s not to say that there’s never a bug or security flaw – but the core software is quite well-maintained.

In short, WordPress by itself is neither particularly slow nor insecure. It’s what we add on to it after the fact that can lead to the biggest problems.

A snail sits on a leaf.

Myth #2: Automattic/Matt Mullenweg Own WordPress

There’s long been a misunderstanding regarding the “ownership” of WordPress. At least some of this is due to some self-inflicted branding confusion and a few blurred lines.

It’s true that Matt Mullenweg co-founded WordPress way back in 2003. This is the free, open-source project that can be downloaded by anyone and installed just about anywhere. It’s commonly referred to as “.ORG”, an homage to the project’s domain name.

Mullenweg is still very much active in the project. You’ll see his name pop up as a core contributor for various releases, and he often takes part in community discussion. He also works with others to determine the software’s roadmap. He does not, however, own the project itself. That is in the hands of the non-profit WordPress Foundation (which Mullenweg founded, by the way).

Now here’s the part that may confuse you. The similarly-named WordPress.com (“.COM”) is a place where you can host a blog for free or buy various levels of hosting. This is in fact owned by Mullenweg’s company, Automattic. And yes, it does run WordPress software.

If you’re curious as to the differences between WordPress.org and WordPress.com, there’s a handy guide to help you sort things out.

So, while Automattic (and thus, Mullenweg) are major contributors to the project, they do not own WordPress itself.

Clear enough? No? It’s best to not try and unravel it all at once.

A dark hallway.

Myth #3: WordPress Websites Are Too Cheap/Expensive

A bit of crowdsourcing brought this juxtaposition to the forefront. It’s a great example of how varied the perceptions of WordPress can be.

The reality is that WordPress can be either of these things or none at all. So much depends on how web designers choose to market and sell services. Then there is also the matter of how much a specific client is willing to pay. Oh, and project requirements have a good bit of say as well.

WordPress itself is free. And you can certainly grab a free theme, then sprinkle in any number of free plugins. It’s entirely possible to build a website for nothing (or next to it).

On the other hand, you could build your own custom theme that does exactly what you need. Then, invest in some high-end commercial plugins that provide crucial functionality. To top it off, add in some enterprise-grade web hosting. The costs will add up.

WordPress can be made to do as much or as little as you like. A web professional can utilize it to create a massive corporate hub or a simple landing page. There is no single way to do things. Therefore, you can’t really peg WordPress as singularly cheap or expensive. It’s all about what you do with it.

A stack of $100 bills.

Myth #4: WordPress Isn’t a “Real” CMS

Back in its early days, WordPress was purely a blogging platform. And, despite a whole lot of evolutionary changes since, some people still associate it with this purpose.

Running a super-cool blog is only the start of what a modern WordPress website is capable of. You can leverage the software to serve just about any purpose.

Celebrity eCommerce shop? Check. Major government portal? Check. Home for a corporate giant? Check. Well-known educational institution? Check that one, too.

We could go on and on. The point is that WordPress can be used for virtually any type of website – large, small or in-between.

Now, whether one personally thinks that WordPress is the best tool for a particular use case is up for debate. Everyone has their own preferences. But to say that it’s just a blogging platform is myth.

A person typing on a laptop computer.

Myth #5: WordPress Maintenance Is Inherently Messy

When it comes to WordPress maintenance, there are two separate entities to consider:

  • WordPress core software;
  • Themes and plugins;

WordPress core generally releases a few major updates per year. 2019 and 2020 saw three such releases each. Beyond that, there are several minor releases (which update automatically) that patch security holes and squash bugs. Consider core updates as a baseline for maintaining your website.

Third-party plugins and themes are a whole different animal. The number of updates (or lack thereof) is up to each developer. Some larger plugins may push updates every few weeks. Others might not see a change for a year or more.

In theory, the more third-party resources you add to your website, the more there is to maintain. But it goes a bit deeper than that.

So much depends upon the types of themes and plugins you’re implementing. A plugin that powers crucial functionality and has a large user base (such as WooCommerce) is going to require a bit more maintenance. The same can be said for a theme that uses a lot of advanced JavaScript libraries and custom features.

That said, every CMS requires some form of maintenance. This is a positive in that we want to make sure everything is as functional and secure as possible. Can something go wrong? Yes. However, applying updates is still vital.

Maintenance needs can be cut quite a bit by eliminating unnecessary plugins. This will not only save you time, but also help you avoid software conflicts as well. Short of that, there’s an auto update feature that can do a lot of the hard work for you.

An empty toilet paper roll.

WordPress Is What You Make It

When going through these myths and misconceptions, it becomes clear that the WordPress experience is different for everyone. Whether you’ve used it to build hundreds of unique websites or played around with a single blog – we all have a story.

Those stories ultimately shape our perception of what the CMS can and can’t do. Even some confusion over the separation between WordPress.org and WordPress.com can lead us to assumptions about who’s in charge and what is possible.

The bottom line is that WordPress really is ours to bend and shape. Use it to build something big or small, cheap or expensive. Install enough plugins to keep maintenance needs high or go completely barebones. Customize it to your heart’s content. It’s your choice.

There is almost endless flexibility. That’s what has led so many of us to choose WordPress. Just know that, whatever it means to you, there are other perspectives out there worth considering.

The Risks of Not Logging Out of WordPress
https://speckyboy.com/always-log-out-of-wordpress/
Tue, 05 Mar 2024 11:13:30 +0000 (https://speckyboy.com/?p=162733)

Learn why logging out of WordPress is crucial for security. A report reveals 60% of hacks stem from stolen session cookies. Simple steps can prevent this risk.

The post The Risks of Not Logging Out of WordPress appeared first on Speckyboy Design Magazine.

We may think we know WordPress security. But we can’t underestimate the task at hand. It seems that surprises lurk around every corner.

Consider a recent report from the security firm We Watch Your Website, for example. The report claims that 60% of hacked WordPress sites stem from stolen session cookies. I sure didn’t see that one coming.

We know about using strong passwords and setting file permissions. We understand the importance of updating our WordPress installs. We may even use a security plugin or two.

However, even the most security-conscious among us can miss things. That one oversight can lead to a hacked website. And that’s despite taking a bevy of security measures.

Stolen session cookies weren’t on the radar. So, what can we do to prevent this from happening? The author of this report has some advice.

How to Prevent Stolen Session Cookies

Thomas J. Raef is the author of “The Real Attack Vector Responsible for 60% of Hacked WordPress Sites in 2023.” His report demonstrates the threat of stolen session cookies in great detail. And a recent appearance on the WP Tavern Jukebox podcast shed more light on the subject.

But what about remedies? How do we stop these attacks from impacting our websites? I asked Raef for some preventative tips. The answer is as simple as logging out.

Our interview was lightly edited for clarity and brevity.

How do session cookies get stolen?

Thomas J. Raef: If it’s not WordPress, they’re frequently stolen via cross-site scripting. However, WordPress uses the HttpOnly option in the headers. So, that prevents cookie theft in WordPress via XSS.

The main way is by info stealers. If you Google the term, you’ll see it’s almost as popular as ransomware. Some ransomware hackers are starting to use info stealers more for their infections. Info stealers are designed to evade detection from most anti-malware programs. Some are dedicated to evading detection on Windows, others on Macs.

They typically steal everything possible in about 10 seconds. Some ask, why would they bother stealing WordPress session cookies if they’re also stealing bank logins, etc. But look at the cybercriminal industry. What do they need for the majority of their attacks? Oh, a legitimate website to infect unsuspecting visitors.

They steal the session cookies because it totally bypasses 2FA (Two-Factor Authentication), MFA, etc. because the user is still authenticated. As long as the cookie hasn’t expired.

According to a report, 59.9% of WordPress hacks were caused by stolen session cookies in 2023.

Raef’s report shows that nearly 60% of hacked WordPress websites were the result of stolen session cookies.
Image credit: We Watch Your Website

How can we secure our devices against this type of threat?

TJR: The easiest way is to remember to log out. That’s it! When you log out you expire the cookie. If you just close your browser window, it leaves the cookie active. So, if it’s stolen, it can be used by anyone.

One simple prevention is using SolidWP (Solid Security). Their Trusted Devices feature uses the IP address to generate the session cookie. If it’s stolen, it can’t be used anywhere other than where it was originally created. Those two things are the best way to prevent session cookies from being used against your sites.

Are there any changes the WordPress project could take to increase the security of session cookies?

TJR: Possibly. If there was a procedure that checked for inactivity after 30 minutes, and then automatically logged out the user, that might help. But I believe that would involve JavaScript and that’s getting too complicated. They already include the HttpOnly option, so they’re doing a lot to prevent this from being even bigger.

Do you have any other advice for web designers managing WordPress sites?

TJR: Make sure that everyone with admin access to your site is also focused on sanitary procedures for all local devices. We’re seeing more and more sites being infected due to malware on the local device of an admin. It can steal usernames, passwords, and session cookies.

2FA can stop the usage of username and password, but not session cookies. Tell all devs to log out! It’s quite simple and 100% effective.

One thing we’re starting to see more of is hackers attacking from the local device. Not stealing session cookies or anything else, just piggybacking on a legitimate admin session.

We see the legit IP address of an admin, and they’re doing their work. Then suddenly, from the same IP address, at the same time the legit admin is working – BAM! – a bogus plugin is installed from the same IP address!

The hackers have control over the local device and they’re attacking from that device. This supports the fact that you MUST be concerned about the health and well-being of your local devices.

Make sure your device is secured and free from malware.

Your Device Is Also a Factor in Website Security

A compromised computer or mobile device can impact your website’s security. On the surface, this theory makes sense. However, we typically don’t hear much about it.

Website security usually means a focus on the site itself. We attempt to filter out malicious traffic. And we employ various methods to prevent direct attacks.

It’s past time to look at our devices as well. You know, the systems we use to log into our websites. Good security should start there.

An info stealer can do untold damage in mere seconds. We won’t know the consequences until it’s too late. Let’s do something about it.

Follow best practices to secure your device – and encourage your clients and colleagues to do the same. A few simple steps could prevent a catastrophe.

And to follow Raef’s advice: Be sure to log out of your website! Logging out destroys the session on the server and clears the cookie, so a copy an info stealer grabbed earlier can no longer be replayed.
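Raef’s points about the cookie, and the server-side variant of the inactivity timeout he floats, can be enforced in a small must-use plugin without any JavaScript. The following is an added example and is not code from Raef, We Watch Your Website, or SolidWP; it assumes WordPress’s session tokens (4.0 and later) and that PHP sees the real client address in REMOTE_ADDR. All sbx_ names are invented for the example.

```php
<?php
/**
 * Plugin Name: Session binding example (added example)
 * Drop into wp-content/mu-plugins/. Assumption: $_SERVER['REMOTE_ADDR'] is
 * the real client address. Behind a proxy or CDN, configure the server to
 * restore it first, or this binding checks the proxy's address, not the user's.
 */

define( 'SBX_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS ); // log out after 30 min idle
define( 'SBX_WRITE_EVERY', MINUTE_IN_SECONDS );     // throttle user-meta writes

// Shorter cookie lifetimes: the defaults are 2 days, or 14 with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3 );

// The IP is hashed with the site salts so the stored session record does
// not hold the address in clear text.
function sbx_client_fingerprint() {
    return array( 'ip_hash' => wp_hash( $_SERVER['REMOTE_ADDR'] ?? '' ) );
}

// Runs when a session token is created at login: record where it came from.
add_filter( 'attach_session_information', function ( $session, $user_id ) {
    $session['sbx']                  = sbx_client_fingerprint();
    $session['sbx']['last_activity'] = time();
    return $session;
}, 10, 2 );

// Pure policy check: true when the stored session may continue from here.
function sbx_session_is_valid( array $session, array $fingerprint, int $now ) {
    if ( empty( $session['sbx'] ) ) {
        return true; // token created before this plugin was active
    }
    $s = $session['sbx'];
    if ( ! hash_equals( $s['ip_hash'], $fingerprint['ip_hash'] ) ) {
        return false; // cookie replayed from another address
    }
    if ( $now - (int) $s['last_activity'] > SBX_IDLE_LIMIT ) {
        return false; // idle too long
    }
    return true;
}

// On every authenticated request: verify, then refresh last_activity.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $token   = wp_get_session_token();
    $manager = WP_Session_Tokens::get_instance( get_current_user_id() );
    $session = $manager->get( $token );
    if ( ! $session ) {
        return; // nothing to check against
    }

    if ( ! sbx_session_is_valid( $session, sbx_client_fingerprint(), time() ) ) {
        // Same as clicking "Log Out": the token is destroyed server-side and
        // the cookies are cleared, so a stolen copy is now worthless.
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }

    // Touch last_activity, throttled so we do not write user meta on every view.
    if ( ! empty( $session['sbx'] )
        && time() - (int) $session['sbx']['last_activity'] > SBX_WRITE_EVERY ) {
        $session['sbx']['last_activity'] = time();
        $manager->update( $token, $session );
    }
} );
```

The trade-off is the one Raef hints at with SolidWP’s Trusted Devices: binding to the address logs out anyone whose IP changes mid-session, which is routine on mobile networks. Binding to a user-agent hash instead is looser but survives network changes, and the idle timeout works either way.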

Many thanks to Thomas J. Raef for chatting with us! Check out more of his security advice at We Watch Your Website.

The Web Has an Outdated Software Problem
https://speckyboy.com/outdated-software-problem/
Tue, 21 Nov 2023 07:27:14 +0000 (https://speckyboy.com/?p=143389)

On the web, things don't go away so much as they fade into the background. As quickly as new tech arrives, the old continues to lumber along in the shadows.

The post The Web Has an Outdated Software Problem appeared first on Speckyboy Design Magazine.

Some might say that nothing lasts forever on the web. And that maybe change is the only constant. Favorite websites come and go, as do tools and technologies. Sure, there’s some truth to those statements – but it’s also more complicated.

You see, things don’t really go away so much as they fade into the background. The website that used to be buzzing with traffic might turn into a ghost town. And it’s just as likely that the technology behind that site is also sitting there collecting dust.

But it’s not just those old, unattended sites that have issues. There are also situations where a mission-critical website relies on outdated software. That could be anything from an abandoned WordPress plugin to an unsupported version of PHP.

It’s far from an ideal situation. And many potential problems can arise from sticking with these old standbys. Yet, it’s also the reality of the modern web. As quickly as new tech arrives to grab the spotlight, the old continues to lumber along in the shadows.

The problem is complex – and so are the potential solutions. Is it even possible to rid the web of these dinosaurs?


Why Do Websites Continue to Use Legacy Code?

When you picture a website that uses legacy code – what comes to mind? Maybe it’s a blog that hasn’t seen new content in a few years. Or a defunct online community. You might even think of a dormant business site.

The common thread of these examples is that they’re likely small and inexpensive (perhaps free) websites. Entities that are frozen in time.

Now consider a large enterprise site that is heavily customized. Maybe it includes bespoke functionality that enables customers to pay their bills. There could be a custom WordPress plugin that facilitates a specific workflow for team members.

Custom functionality is expensive and time-consuming to produce. And in some cases, it can be fragile. It might rely on a method or feature that isn’t supported in newer versions of its dependent software. For example, an application that was built for PHP 5 may no longer work in PHP 8.

And while a developer (or a team of them) can refactor the code – it’s not always easy or fits within a given budget. Much like the old stories of corporate users who kept Internet Explorer 6 around long after its time, legacy code can live on for years.

The bottom line is that outdated software very much remains in active use. That’s true at both the high and low ends of the scale.

Outdated software is being run on both the high and low ends of the market.

Two Prime Examples: PHP and WordPress

Usage statistics change regularly – and they will undoubtedly shift after this article has been published. But two trends, in particular, are prime examples of outdated software in action: PHP and WordPress.

PHP 5 and 7 Are Still Out There

As of this writing, the latest version of PHP is 8.1. It was released in November 2021, and security updates are scheduled to end in November 2024. Version 8.0 was released in November 2020 (security updates end in November 2023). Version 7.4 was sent out into the world in November 2019 (security updates end in November 2022).

Thus, versions 8 and above have been with us for several years. Yet according to W3Techs’ PHP usage statistics, just over 6% of the sites surveyed are running PHP 8 or 8.1. Meanwhile, 70% are using some flavor of PHP 7, and nearly 23% are still running PHP 5 (which ended support in 2018).

The transition between major versions of PHP tends to be a slow one. That’s likely due in part to changes in compatibility. WordPress and its ecosystem, for example, have had a long road toward full support for PHP 8.

Plus, web hosts haven’t traditionally pushed customers too hard to upgrade (more on that in a bit). At the same time, website owners range from being unaware of PHP to not being overly concerned about upgrading.

In short: there has been little sense of urgency. Or, not enough of it to turn the tide and get more websites using the latest version.

PHP 8 adoption has been slow, according to W3Techs.

PHP version statistics from W3Techs, as of November 2022

WordPress 4 and 5 Live On

As we go to press (pun intended), WordPress 6.1 has been released. It’s the latest version of the most popular content management system (CMS) known to humankind.

And according to the W3Techs WordPress usage statistics, nearly 60% of surveyed sites are using version 6 or above. It’s significantly higher than the usage rates for PHP 8. That’s probably not too surprising, though.

By comparison, updating WordPress is easier and can even be automated. Site owners and those responsible for maintenance don’t necessarily have to lift a finger to upgrade. Managed hosting providers may also take care of it. And WordPress is known to value backward compatibility, so there’s less chance of a major issue occurring.

But outdated versions are still hanging in there. Version 5 powers 34% of installs, while over 6% of installs cling to version 4.

If there’s any good news, it’s that WordPress core continues to release security updates for several older versions of the software. Still, these sites lose out on new features and performance enhancements. Not to mention possible theme and plugin compatibility issues. Oh, and it’s unlikely they’ll work with the latest version of PHP.

It’s also worth noting that these statistics don’t account for websites running outdated or abandoned plugins and themes. That could be an entirely different galaxy worth exploring, yet just as relevant. This is where the majority of WordPress-related security issues originate.

W3Techs notes that over 40% of WordPress installs are using versions 5 and below.

WordPress version statistics from W3Techs, as of November 2022

Why This Is a Concern

The term “outdated software” can conjure up all sorts of nightmare visions. A person shopping online with an unpatched version of Windows XP comes to mind. It might work, but there are a lot of risks in continuing to use it.

Security is of paramount concern. It stands to reason that using a version of PHP that is no longer receiving security updates is a risk. Attacks that might be easily stopped with newer versions could do damage to a legacy setup.

But so is employing an old JavaScript library or server utility with an open security flaw. Dependencies of all stripes can be dangerous, after all. The recent Log4j vulnerability is but one of many reminders.

Then there are issues of efficiency and performance. Outdated software that lacks these enhancements can negatively impact user experience, SEO, and energy consumption.

And the more outdated the software, the harder (and more expensive) it may be to get up to speed in the future. Each subsequent version can add obstacles to the process.

Outdated software poses a security risk.

Some Web Hosts Are Forcing the Issue

Web hosts have a role to play in helping their customers implement new software. And some are becoming more aggressive in these efforts.

PHP has been a primary target. Some hosts will allow customers to continue running an unsupported version but have begun charging an extra fee. This could be a result of higher support costs for customers using outdated software. At the very least, it’s a way to convince users to upgrade.

Still, others have taken a more hardline stance. They’ll notify customers that use an outdated PHP version and provide them with a scheduled upgrade date. From there, the site is upgraded regardless of whether it has been tested or patched for the new version.

It remains to be seen how effective these measures will be. But cleaning up outdated software is a massive undertaking. Thus, someone must get the ball rolling. Hosts are well-positioned to do so.

Web hosts are warning users that use outdated versions of PHP.

Out with the Old?

At 30+ years old, the web has hosted an incalculable amount of software. Consider all the apps – large and small – that have been downloaded and installed on servers over time. It’s no wonder that some were left in place well past their expiration date.

Sometimes this legacy code sticks around out of necessity – other applications depend on it. But it might also happen simply because a site’s owner isn’t aware of the situation. No one may have approached them regarding an upgrade.

In either case, resources are what’s needed to increase modernization efforts. At the enterprise level, this means dedicated time and money to keep things evolving with newer versions.

On the lower rungs of the ladder, education is a key factor. Web hosts are starting to realize the importance of keeping customers informed. And web designers should do the same.

It starts by letting clients know where they stand, the dangers of using outdated software, and the benefits of upgrading. From there, they can make informed decisions.

No, a single upgraded site won’t change the world. But each is a tiny step towards a safer web that can take advantage of the latest technologies.

How Tracking Backend Activity Improves WordPress Security
https://speckyboy.com/tracking-backend-activity-improves-wordpress-security/
Wed, 02 Aug 2023 06:01:34 +0000 (https://speckyboy.com/?p=152008)

Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a security headache or two.

The post How Tracking Backend Activity Improves WordPress Security appeared first on Speckyboy Design Magazine.

]]>
Website security is among the biggest challenges that web professionals face. It’s a constant battle to thwart malicious actors. Great effort is required. Yet the results aren’t encouraging.

Those of us who work with WordPress can empathize. The popularity of the content management system (CMS) makes it a tempting target. A deluge of automated attacks is sure to hit every installation.

It has also become clear that there are no bulletproof solutions. Security plugins that scan for malicious files aren’t perfect. They might miss an infected file. And some malware can elude detection.

It’s a reality check for web professionals. Taking proactive steps is a positive thing. But it could create a false sense of confidence. Eventually, you find yourself cleaning up after a successful attack.

Determining the cause of an attack can be difficult. That makes it harder to prevent the next one.

There is an often overlooked tool that can help, however. Tracking backend activity in the WordPress dashboard provides crucial information. And it may save you from a headache or two.


Keeping Track of Who Does What

WordPress websites require maintenance. Plugins, themes, and the core software should be updated as needed. Making frequent site backups is also recommended. But we can go deeper.

Activity tracking provides a different perspective on your website. And it’s not just for detecting intrusions.

Administrators can identify potential workflow issues. And it helps when troubleshooting a “broken” page or an undesirable content change.

You can see all manner of information. For example, you can see when a user logged in and updated a page, or pinpoint when a plugin was installed or deactivated.

And that’s not all. Depending on the activity logging plugin used, you can track the following:

  • Content creation, edits, or deletions;
  • Failed login attempts;
  • Password reset attempts;
  • Plugin installation, activation, and deactivation;
  • Updates applied to WordPress;
  • User creation and deletion.

These actions could be typical user behavior. But they might also be a sign of something more sinister. Reviewing this data will help you confirm what happened.

Note that this data likely won’t tell you how your website was compromised. But it will tell you what actions an attacker took while logged in.

Log Dashboard Activity with a WordPress Plugin

There are several plugins available that track dashboard activity. Security suites like Wordfence and Solid Security (formerly iThemes Security) include some form of this capability.

For this example, we’ll use a niche plugin called Simple History. It’s free and tracks a wide array of activities by default. It also works with popular plugins like Jetpack and Advanced Custom Fields. There’s also an API for logging custom events.

Even better is that Simple History doesn’t require much setup. Install the plugin, activate it, and it just works. A widget will now display on the Home screen. You can see a more detailed log by visiting Dashboard > Simple History.

In addition, the plugin can optionally create an RSS feed. That lets you keep track of activity without having to log in.

Here are a few examples of how the plugin can boost security:

Track User Logins

Simple History will record when a user logs into your site. It will also report any actions the user took.

There are a lot of reasons why this data is helpful. For example, it can help you identify a compromised account.

The plugin provides a timestamp and the user’s IP address. If either of these items looks suspicious, you can take further action. You could then reset the user’s password and alert them to the issue.

The Simple History plugin displays a user's login details
Simple History provides details of user logins.

Find the Origins of a Suspicious User

It’s important to know who has access to your website. WordPress has several user roles – administrator being the highest. An administrator can perform potentially damaging tasks. It could be catastrophic in the wrong hands.

Take note if you see that an unfamiliar administrative account has been created. It could mean that a malicious actor has gained access.

Simple History shows that a new user was created
A suspicious user was created. Is it a sign of a compromised website?

How Did That Plugin Get Here?

Website administrators also need to keep track of installed plugins. But new plugins can go undetected. You can use activity logging to find out who installed a plugin and when they did it.

Pay close attention to plugins that have known vulnerabilities, or those that enable file uploads or let users run code within the back end.

A malicious actor may install a plugin to take advantage of an exploit. They can use it to install malware, for instance.

A user added and activated a plugin
Attackers may install plugins to help infect your website with malware.

Be Informed about Content Changes

Websites with multiple authors can get messy. It can be difficult to track changes to content. But knowing what’s changed has security implications.

For example, SEO spam is a popular type of attack. The attack adds hidden content to existing pages and posts. It may also contain redirects to malicious websites.

Simple History logs content changes. You’ll see who made changes, along with when.

The plugin also taps into the WordPress revisions feature. That provides a highlighted view of each change.

This tool may not catch every attack vector. But it’s another way to stay on top of your content.

Simple History provides details on a content change
Simple History helps you see what content was changed and when it took place.
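The four checks above (failed-login bursts, logins from an unfamiliar IP, new administrator accounts, plugin installs) can be applied to an exported activity log. The script below is an added example, not code from the article or from the Simple History plugin; the event field names, the sample events and the known-IP baseline are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Simple History output). Each tuple mirrors
# the fields an activity-logging plugin records: timestamp, acting user, client IP,
# action, detail. Events are assumed to be in chronological order.
SAMPLE_EVENTS = [
    ("2023-08-01T09:00:00", "editor_jane", "203.0.113.10", "user_login", ""),
    ("2023-08-01T09:05:00", "editor_jane", "203.0.113.10", "post_updated", "About Us"),
    ("2023-08-01T22:14:00", "", "198.51.100.7", "user_login_failed", "admin"),
    ("2023-08-01T22:14:05", "", "198.51.100.7", "user_login_failed", "admin"),
    ("2023-08-01T22:14:11", "", "198.51.100.7", "user_login_failed", "admin"),
    ("2023-08-01T22:14:18", "", "198.51.100.7", "user_login_failed", "admin"),
    ("2023-08-01T22:14:26", "", "198.51.100.7", "user_login_failed", "admin"),
    ("2023-08-01T22:20:00", "admin", "198.51.100.7", "user_login", ""),
    ("2023-08-01T22:21:00", "admin", "198.51.100.7", "user_created", "backup_svc:administrator"),
    ("2023-08-01T22:23:00", "admin", "198.51.100.7", "plugin_installed", "file-manager"),
    ("2023-08-01T22:23:30", "admin", "198.51.100.7", "plugin_activated", "file-manager"),
]

# Constructed baseline: IPs each account has logged in from before.
KNOWN_IPS = {"editor_jane": {"203.0.113.10"}, "admin": {"203.0.113.20"}}


def review_activity(events, known_ips, failed_threshold=5, window=timedelta(minutes=10)):
    """Return a list of findings that deserve a human's attention."""
    findings = []
    failed = defaultdict(list)  # client IP -> timestamps of recent failed logins
    for ts, user, ip, action, detail in events:
        t = datetime.fromisoformat(ts)
        if action == "user_login_failed":
            # keep only failures inside the sliding window, then add this one
            failed[ip] = [x for x in failed[ip] if t - x <= window] + [t]
            if len(failed[ip]) == failed_threshold:  # report once, when the threshold is hit
                findings.append(f"{ts} {failed_threshold} failed logins from {ip} in {window}")
        elif action == "user_login" and ip not in known_ips.get(user, set()):
            findings.append(f"{ts} login for {user} from unfamiliar IP {ip}")
        elif action == "user_created" and detail.endswith(":administrator"):
            findings.append(f"{ts} {user} created administrator account {detail.split(':')[0]}")
        elif action in ("plugin_installed", "plugin_activated"):
            findings.append(f"{ts} {user} {action.split('_')[1]} plugin '{detail}'")
    return findings


if __name__ == "__main__":
    for line in review_activity(SAMPLE_EVENTS, KNOWN_IPS):
        print("REVIEW:", line)
```

Run against the sample, it flags the late-night failed-login burst, the administrator login from an IP that account has never used, the new administrator account, and the plugin install and activation, while the editor's routine work produces nothing.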

The More You Know

As it turns out, installing a WordPress security plugin isn’t enough. Your website still runs the risk of being compromised. Indeed, security is a 24/7 responsibility.

That’s why having backend activity data on hand is so important. Sure, it may help you clean up a hacked site. But it may also help you catch suspicious activity before it’s too late.

At the very least, you’ll have a list of user actions. It will come in handy if/when an incident occurs.

It’s just another proactive step we can take to stay safe. And it requires minimal effort. What’s not to love?

The post How Tracking Backend Activity Improves WordPress Security appeared first on Speckyboy Design Magazine.
