It’s been a wild few weeks in the world of web security, especially in the WordPress sphere.
First, in late March, Mikey Veenstra of WordFence and Jem Turner independently reported security issues with the Pipdig plugin, including a way for the plugin owners to drop all data tables for a website without the owner’s permission, and obfuscated code that used sites to launch Distributed-Denial-of-Service attacks on competitors’ sites.
Then this week, Dan Goodin of Ars Technica wrote about how the owner of Plugin Vulnerabilities was essentially showing hackers how to exploit weaknesses in several WordPress plugins as the result of a grudge against the WordPress forum moderators.
Web security issues are nothing new. It’s one of the things about working on the web with websites. You just deal with them when they come up.
But it’s extremely important to stay on top of web security news. If you used one of the plugins affected by Pipdig’s issues or Plugin Vulnerabilities’ posts, would you have known about it in time to limit the damage?
If the answer is no, then it’s time to start paying attention to all things web security.
Update, update, update
While this isn’t necessarily a way to stay informed about web security, the number one tip I can give you to keep your site secure is to always make sure your website is updated. It doesn’t matter what platform you use: if it’s not updated to the latest version, it’s insecure and vulnerable.
This obviously takes time, which you may or may not have. And if you happen to run a WordPress website, like I do, with a number of plugins, you’ll run a lot of updates every week. There are at least three days every week that I’ll open my dashboard to see an update notification.
I get it. But it’s worth taking about 15 minutes each day to check and run updates to keep your site running. If you don’t and your website gets compromised because you didn’t update a component, you’ll end up spending more time fixing that problem than you would just running updates every day.
Also, for WordPress folks who don’t want to update to version 5.X because of Gutenberg, you can still download and install WordPress 4.9.X point releases here to stay with the normal editor and still get security fixes (although I recommend jumping to version 5 and using the Classic Editor plugin if you’re in that camp).
Follow web security businesses, blogs
The most obvious answer, however, is to follow security businesses and blogs. These are the experts. It’s their job to follow and track security vulnerabilities across a lot of different areas. And the advice they give is going to be top notch.
If you’re using WordPress, I highly recommend WordFence. They, along with Turner, were able to break open the Pipdig story, and have been extremely reliable with all of their reporting. You don’t necessarily . Other WordPress security companies like iThemes Security and Sucuri, as well as WP Campus’ Weekly WordPress Plugins Vulnerability report.
Basically, if they look reputable and have a strong following, they’re a good bet to follow.
Periodically look up your plugins, themes on Google
When you looked for plugins or components, you probably looked through Google. You saw reviews, news items and more about each product. And then you made a decision based on what you learned.
So, why not do that every so often with the items you have on your site? Every now and again, run a Google search on your plugins or components to find out the latest news. You’ll either see nothing, which is good, or you might stumble upon an article about it having a security vulnerability. From there you can take action.
If you had done that with Pipdig or any one of the plugins that had a vulnerability released into the wild, you could have taken immediate action.
So, as I always tend to say, websites are not static items. They are living and breathing things (okay maybe not exactly “breathing” but you get the point). And they need to be taken care of.
So stay on top of the security news for your website. It doesn’t have to be much, but keeping your ear to the ground can help keep your website up and running.