WordPress 4.8.2 Security and Maintenance Update released

On September 19, WordPress released a new Security and Maintenance Update.

Needless to say: if you own a WordPress website, you should update now if you haven’t already. Also, be sure to back up your website if you haven’t done so recently!

Backing up your website before installing Core updates is always important: if the update causes problems (such as your website breaking or becoming unbrowsable), you can restore the backup. This matters especially with Plugins, which are not always 100% compatible with a new version.

Need help with your WordPress Backup and Update? Contact us!

What does WordPress 4.8.2 update fix?

Cross-site scripting vulnerabilities (XSS), mostly.
This is a short list of the main bugs that have been found and that the 4.8.2 update fixes, along with a brief explanation, where needed:

  • Cross-site scripting (XSS) vulnerabilities were discovered:
    • in the oEmbed discovery;
    • in the visual editor;
    • in the plugin editor;
    • in template names;
    • in the link modal.

XSS is a vulnerability that lets an attacker inject script into a page that other users view. The script runs in the victim’s browser with the victim’s logged-in session, so it can steal that session, perform actions as that user (for instance as an administrator) or alter what the page shows.
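
As an added example (not code from WordPress or from this page’s author), here is the shape of the fix for an XSS in something like the link modal, written in Python rather than WordPress’s PHP so that it runs stand-alone. The point it shows is that HTML-escaping the text is only half the job: a javascript: URL survives escaping untouched, so the href also needs a scheme allowlist, applied after stripping the control characters that browsers ignore. The sample inputs, the allowed schemes and the function names are assumptions made for the example.

```python
import html
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed inputs, as an author without the right to post raw HTML might
# submit them through a link dialog. None of them come from a real site.
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("Read more", "https://example.org/post/1"),
    ("<img src=x onerror=alert(1)>", "https://example.org/post/2"),
    ("Click", "javascript:alert(document.cookie)"),
    ("Click", "jav\tascript:alert(1)"),       # tab inside the scheme
    ("Click", "\x01JavaScript:alert(1)"),     # control byte plus mixed case
    ("Click", "data:text/html,<script>alert(1)</script>"),
]

# Schemes a link may legitimately carry; everything else is refused.
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_link_unsafe(text: str, href: str) -> str:
    """The vulnerable pattern: user input concatenated straight into markup."""
    return f'<a href="{href}">{text}</a>'


def safe_href(href: str) -> Optional[str]:
    """Return the URL if its scheme is allowed, None otherwise.

    Browsers drop ASCII control characters (tab and newline included) when
    they parse a URL, so the check must look at the URL the way the browser
    will: strip those characters first, then compare the scheme
    case-insensitively.
    """
    cleaned = "".join(ch for ch in href if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "":
        # No scheme: a relative URL, resolved by the browser against the
        # current page, so it can only end up as http(s).
        return cleaned
    return cleaned if scheme in SAFE_SCHEMES else None


def render_link_safe(text: str, href: str) -> str:
    """Escape text and attribute for their HTML contexts and drop bad URLs."""
    url = safe_href(href)
    if url is None:
        # Refuse the link rather than try to repair an unknown scheme; the
        # visible text is still escaped before it reaches the page.
        return html.escape(text, quote=True)
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text, quote=True)}</a>'


def render_all(links: List[Tuple[str, str]] = SAMPLE_LINKS) -> List[Tuple[str, str]]:
    """Render every sample both ways, for side-by-side comparison."""
    return [(render_link_unsafe(t, h), render_link_safe(t, h)) for t, h in links]


if __name__ == "__main__":
    for unsafe, safe in render_all():
        print("unsafe:", unsafe)
        print("safe:  ", safe)
```

Run the block to see each sample rendered both ways. html.escape() covers the text node and the attribute value; safe_href() decides whether the URL is acceptable at all, and refusing it outright is safer than trying to rewrite it into something harmless.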

  • Path traversal vulnerabilities were discovered:
    • in the file unzipping code;
    • in the customizer.

A path traversal attack (aka directory traversal attack) uses sequences such as ../ in a file name or path to read or write files and directories outside the folder the application intended, for instance outside the web root. In the unzipping case, a crafted plugin or theme archive could place its files outside the directory it was meant to be unpacked into.
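
An added example, not WordPress’s own unzipping code: the check for the archive-traversal problem that the unzip fix addresses, written in Python against a constructed zip archive. An entry named ../../wp-config.php, or one that walks out through a nested directory, resolves outside the destination once it is joined to it, and that is what the check detects before a single file is written. The destination paths, the entry names and the function names are assumptions.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List


def build_sample_archive(hostile: bool = True) -> bytes:
    """Constructed archive: one ordinary plugin file and, if hostile, two
    entries that try to escape the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my-plugin/my-plugin.php", "<?php // harmless\n")
        if hostile:
            zf.writestr("../../wp-config.php", "<?php // would overwrite the site config\n")
            zf.writestr("my-plugin/../../../.htaccess", "Deny from all\n")
    return buf.getvalue()


def is_within(root: str, member: str) -> bool:
    """True if `member`, joined to `root`, still resolves inside `root`."""
    root = os.path.realpath(root)
    # Backslashes are path separators on Windows; normalise them so that a
    # "..\\..\\" entry does not slip past a check written for "/".
    target = os.path.realpath(os.path.join(root, member.replace("\\", "/")))
    return target == root or target.startswith(root + os.sep)


def unsafe_members(archive: bytes, dest: str) -> List[str]:
    """Every entry name that would be written outside `dest`."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [name for name in zf.namelist() if not is_within(dest, name)]


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Check every entry first, then extract; refuse the whole archive on any
    hostile name so that a half-written plugin is never left behind."""
    bad = unsafe_members(archive, dest)
    if bad:
        raise ValueError(f"refusing archive: entries escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def run_demo(hostile: bool = True) -> Dict[str, object]:
    """Run the check against a fresh temporary directory and report the outcome."""
    dest = tempfile.mkdtemp(prefix="wp-upgrade-")
    archive = build_sample_archive(hostile)
    result: Dict[str, object] = {
        "dest": dest,
        "rejected": unsafe_members(archive, dest),
        "extracted": [],
        "written": [],
    }
    if not result["rejected"]:
        names = safe_extract(archive, dest)
        result["extracted"] = names
        result["written"] = [os.path.isfile(os.path.join(dest, n)) for n in names]
    return result


if __name__ == "__main__":
    print("hostile archive:", run_demo(hostile=True))
    print("clean archive:  ", run_demo(hostile=False))
```

Python’s own zipfile module already strips leading slashes and “..” components while extracting, so safe_extract() here is belt and braces; the explicit is_within() check is the step any unpacker that writes paths straight out of the archive has to take before touching the disk.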

  • An open redirect was discovered on the user and term edit screens.

Through open redirects an attacker can launch a phishing scam and steal user credentials: the link the victim receives genuinely starts at the original site’s domain, so it looks trustworthy, but the site then forwards the victim to a page the attacker controls, typically a copy of the original login page.

There are 7 other maintenance fixes. If you are interested, you can check the full Release Notes for WordPress 4.8.2 directly on their website.

We are available to chat with you over these and other WordPress related issues anytime. Contact us!

Let us help you find what you need! Fill our secure form!

5 free WordPress plugins we use on every website

As many of our customers prefer WordPress for their online businesses, it being a very easy-to-use Content Management System, we can offer some tips on how to get the best out of your WordPress website.

Here is a quick list of 5 free WordPress plugins we began to use on every website. Do you think we missed something? Tell us!

Yoast SEO

Yoast SEO plugin logo

The Yoast SEO plugin is globally known, and almost every WordPress website owner we know uses it. Although there is a Premium version, the free one is still good enough.

Yoast ditches the concept of the meta keyword and promotes the use of a “focus keyword”. We consider the focus keyword a writing tool rather than an on-page SEO technique.

Having a focus keyword helps you verify that you are writing good enough content, relevant to what you want your page or post to rank for on the Search Engine Results Page.

Also, its readability analysis helps you keep your content short, sweet and clear.

WP Smush

WP Smush plugin logo

Page speed is a ranking factor for search engines such as Google. It is very important that your website’s pages load fast, considering that we live in a mobile-friendly world nowadays.

One thing that slows down your website is using uncompressed images.

WP Smush optimises all your images using lossless compression, resizes them automatically as you upload them, and more.

Simple 301 Redirects

301 redirect road sign

Whenever you change your domain name or URL structure, or remove a post or page, 301 redirects are the first thing to set up to avoid losing your domain authority.

Simple 301 Redirects does exactly what its name says: it makes 301 redirects simple.

Simple as in “just put your old page URL here and your new page URL here” simple.

Contact Form 7

Skewed Contact Form 7 plugin page

Almost all of our customers want to make sure that their audience is able to contact them, one way or another.

Contact Form 7 helps them do just that.

With this free plugin it is possible to manage multiple, fully-customisable contact forms. The contact forms also support CAPTCHA and Akismet spam filtering.

WordFence and iThemes Security combined

WordFence and iThemes Security logos

A relatively new addition to our WordPress installations: we use both the WordFence and iThemes Security free security plugins at the same time.

We install iThemes Security on top of WordFence and switch off whatever feature is already available in WordFence.

WordFence handles most of the security, while iThemes Security takes care of database backups, changing the admin login URL, and so on.

WP-Base-SEO: fake SEO plugin for WordPress is actually malware

If you are Administrator of a WordPress website, pay attention!

The security firm SiteLock has reported that WP-Base-SEO, a fake version of the legitimate WordPress SEO Tools plugin, has infected many WordPress websites.

As SiteLock shows, WP-Base-SEO does a very good job of faking legitimacy, providing references to the official WordPress Plugin Database and instructions on how to use the plugin properly.

Still, digging deeper into the plugin’s main PHP files, they found a call to eval() on a base64-decoded string. eval() executes whatever text it is given as PHP code, and decoding that text from base64 hides what it does from anyone reading the file. The combination is so often used for malicious purposes that PHP’s own documentation discourages eval() altogether. In this case, it opens up backdoor access to the website.
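
An added example, not SiteLock’s analysis or any real plugin file: a small scanner in Python that flags the eval()/base64_decode() pattern described above, plus a few related constructs used for the same purpose, run over a constructed PHP file that imitates the layout of such a plugin. The sample file, the rules and the function names are assumptions. A match is a reason to inspect the file, not proof of infection, and the rules can be evaded, for instance by assembling the function name from string pieces.

```python
import re
from typing import List, Tuple

# Constructed sample of a plugin file carrying an eval()/base64 backdoor. It
# imitates the layout of such a file; it is not the real WP-Base-SEO code.
SAMPLE_PLUGIN = r'''<?php
/*
Plugin Name: WP Base SEO (constructed sample, not the real malware)
*/
add_action('init', 'wpbs_init');
function wpbs_init() { return true; }
$wpbs_cfg = "aGVsbG8=";
eval(base64_decode($wpbs_cfg));
$wpbs_k = base64_decode("QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB");
eval(gzinflate(base64_decode("eJwrSS0uAQAEXQHB")));
@assert($_REQUEST['x']);
$_GET['f']($_GET['a']);
'''

# (regex, label). Each is a construct seen in PHP backdoors; none of them is
# proof of infection on its own.
SUSPICIOUS: List[Tuple[str, str]] = [
    (r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(",
     "eval of decoded/inflated payload"),
    (r"\bbase64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]",
     "long inline base64 blob"),
    (r"\bassert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)",
     "assert() on request data"),
    (r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
     "request parameter called as a function"),
    (r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]",
     "preg_replace with the /e modifier (code execution)"),
    (r"\bcreate_function\s*\(",
     "create_function (runtime code generation)"),
]


def scan_php(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule label, stripped line) for every suspicious line."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line):
                hits.append((lineno, label, line.strip()))
                break  # one report per line is enough
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Scan one file on disk; encoding errors are tolerated because malware
    often carries binary-looking strings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_php(fh.read())


if __name__ == "__main__":
    for lineno, label, text in scan_php(SAMPLE_PLUGIN):
        print(f"line {lineno}: {label}\n    {text}")
```

Point scan_file() at each file under wp-content/plugins and review every hit by hand: legitimate plugins rarely eval() decoded data, but some minified or licence-checking code does, so treat hits as leads rather than verdicts.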

The security news website Threatpost states that over 4,000 WordPress sites have been infected by WP-Base-SEO. It is likely that the attackers mass-scanned WordPress websites looking for outdated plugins to target, which is a very common practice.

To give an example: in April 2016, an outdated version of the RevSlider image slider plugin was held responsible for the 2.5-terabyte data leak that became known as the “Panama Papers”.

How to increase your WordPress website Security?

As always:

  • Keep the WordPress Core updated to the latest version
  • Pay attention when installing a new WordPress plugin on your website: look for good ratings and genuine feedback from users in the WordPress Plugin Database
  • Keep your plugins updated to the latest version
  • If a plugin has not received any update in the last few months, consider removing it from your website.

We at Handyweb have dealt with WordPress Security issues and can help you if you need solutions! Contact us!

WooCommerce 3.0 Major Update Released

WooCommerce 3.0 is a new Major Update for the worldwide-known eCommerce plugin for WordPress.

Codenamed “Bionic Butterfly”, this new version of the plugin has been in development since August 2016 and in beta since December 2016.

Let’s find out what’s new!

A new Product Gallery

This is probably the most visible improvement to both the end user and the administrator. The WooCommerce 3.0 Update comes with a new product gallery, providing a really clean, slick and intuitive user experience.

Mobile browsing of product pages has been greatly improved: tap a thumbnail to display the image at full size, swipe to scroll, pinch to zoom, swipe up to close.

As you can see in the above video, the whole page is fully responsive without compromising design quality.

CRUD classes and new CLI for developers

WooCommerce 3.0 also introduces CRUD (Create, Read, Update, Delete) classes, which give developers one consistent way to read and write products, orders and other data instead of querying the database directly, and a new Command Line Interface built on the REST API.

If you are a developer, you can read all about the new CRUD classes and the new Command Line Interface over on the WooCommerce Official Development Blog.

Other Improvements

Other than plenty of performance improvements, WooCommerce 3.0 comes with some tweaks that benefit both the Administrator and the User.

This is just a quick round-up of all the features and improvements included in the “Bionic Butterfly” Update. For more details you should check the official Blog post about it!

Backup before updating

You should always back up your website before an update, especially a Major Update such as this one.

We are experienced in WooCommerce setup and management, as many of our clients make use of the plugin for their eCommerce businesses. We can help you and guide you through the process of backing up and updating your WooCommerce installation.

WordPress 4.7.3 Security and Maintenance Update released

WordPress has just released a Security and Maintenance Update.

The 4.7.3 update fixes important security issues, including some that 4.7.2 and earlier updates did not completely fix.

Of course, they suggest installing the update immediately and, as WordPress users ourselves, we can’t help but strongly suggest you do so.

So, if your website uses WordPress as its Content Management System (CMS), you should back up your website and update WordPress Core to the latest version.

Backing up your website is always important, especially before installing Core updates, so that you can restore it if something goes wrong. Also, if your website has Plugins installed, these may not always be 100% compatible with the new version, which can lead to your website becoming broken or unbrowsable.

Need help with your WordPress Backup and Update? Contact us!

What does WordPress 4.7.3 update fix?

Being open source and heavily reliant on its community, WordPress bases its updates largely on the feedback coming from its huge user base (WordPress 4.7 has been downloaded over 17 million times).

This is a short list of the main bugs that the 4.7.3 update fixes, along with a brief explanation, where needed:

  • Cross-site scripting (XSS) via media file metadata.
    XSS is a vulnerability that lets an attacker inject script into a page that other users view; the script runs in the victim’s browser with the victim’s logged-in session, so it can steal that session or act as that user.
  • Control characters can trick redirect URL validation.
    A redirect target containing control characters can pass a check that believes it points to the local site, while the browser, which ignores those characters, is sent elsewhere.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
    CSRF is an exploit in which a malicious website makes a logged-in user’s browser send requests the user never intended, so the site executes commands that appear to come from a user it trusts.
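
An added example (not WordPress’s own validation code) covering both the open redirect fixed in 4.8.2 above and the control-character item in this list: a redirect-target check in Python that only accepts URLs staying on the site’s own host. Each normalisation step corresponds to a way such checks get bypassed: control characters, backslashes, extra leading slashes, a scheme with no slashes after it, and userinfo@ hiding the real host. SITE_HOST, the sample targets and the function names are assumptions.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Host of the site issuing the redirect; assumed for the example.
SITE_HOST = "example.org"
FALLBACK = "/"

# Constructed targets: what an attacker might put into a redirect_to
# parameter on a login or edit screen. Not taken from any real report.
SAMPLE_TARGETS: List[str] = [
    "/wp-admin/",
    "https://example.org/p?x=1",
    "//evil.example/",
    "///evil.example/",
    "/\\evil.example/",
    "http:evil.example",
    "http\x00://evil.example/",
    "https://example.org@evil.example/",
    "javascript:alert(1)",
]


def safe_redirect(target: str, fallback: str = FALLBACK) -> str:
    """Return `target` if it stays on SITE_HOST, else `fallback`.

    1. Drop ASCII control characters. Browsers ignore them while parsing,
       so "http\\x00://evil" is an external URL to the browser even though a
       naive check sees no "http://" prefix.
    2. Treat backslashes as slashes: browsers accept "/\\host" as "//host".
    3. Collapse extra leading slashes: "///host" also means "//host".
    4. Only then parse, and insist that any scheme is http(s) and that any
       host present (including one hidden behind userinfo@) is ours. A
       scheme with no host at all, such as "http:evil.example", is refused
       too, because the browser turns it into http://evil.example/.
    """
    cleaned = "".join(ch for ch in target if ord(ch) >= 0x20 and ord(ch) != 0x7F).strip()
    cleaned = cleaned.replace("\\", "/")
    if cleaned.startswith("//"):
        cleaned = "//" + cleaned.lstrip("/")
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ("", "http", "https"):
        return fallback
    if (parts.scheme or parts.netloc) and parts.hostname != SITE_HOST:
        return fallback
    return cleaned


def classify(targets: List[str] = SAMPLE_TARGETS) -> Dict[str, str]:
    """Map each sample target to where the site would actually send the user."""
    return {t: safe_redirect(t) for t in targets}


if __name__ == "__main__":
    for target, outcome in classify().items():
        print(f"{target!r:45} -> {outcome}")
```

The check is deliberately an allowlist of one host: a denylist of known bad prefixes is exactly what the bypasses above defeat. Anything that fails lands on FALLBACK, which should be a neutral page such as the site root rather than the original target.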

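An added example of the CSRF defence behind the Press This fix, modelled loosely on how WordPress nonces are built but not WordPress’s code: an HMAC over the user, the action and a time window, which the form must carry before the server does any work. The secret, the window length, the user ids and the function names are assumptions.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumed per-site secret; a real deployment generates a random one and keeps
# it out of source control (WordPress keeps its salts in wp-config.php).
SECRET = b"constructed-secret-for-this-example-only"
WINDOW = 12 * 60 * 60  # nonce lifetime in seconds


def _tick(now: Optional[float]) -> int:
    """Index of the current time window."""
    return int((time.time() if now is None else now) // WINDOW)


def _digest(tick: int, user_id: int, action: str) -> str:
    msg = f"{tick}|{user_id}|{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(user_id: int, action: str, now: Optional[float] = None) -> str:
    """Token bound to this user, this action and the current time window."""
    return _digest(_tick(now), user_id, action)


def verify_nonce(nonce: str, user_id: int, action: str, now: Optional[float] = None) -> bool:
    """Accept the current window and the one before it, so a form filled in
    just before the window rolled over still submits."""
    tick = _tick(now)
    for t in (tick, tick - 1):
        if hmac.compare_digest(_digest(t, user_id, action).encode(), nonce.encode()):
            return True
    return False


def press_this_unsafe(form: Dict[str, str], session_user: int) -> str:
    """Vulnerable: any POST arriving with this user's cookies is acted on, so
    a page on another site can auto-submit the form and make the server do
    the work (fetching and processing whatever the form points at)."""
    return f"saved draft for user {session_user}: {form.get('title', '')}"


def press_this(form: Dict[str, str], session_user: int, now: Optional[float] = None) -> str:
    """Fixed: the form must carry a nonce minted for this user and action,
    which a third-party site cannot obtain or forge."""
    if not verify_nonce(form.get("_wpnonce", ""), session_user, "press-this", now):
        return "403: nonce check failed"
    return press_this_unsafe(form, session_user)


if __name__ == "__main__":
    token = make_nonce(7, "press-this")
    print(press_this({"title": "Hello"}, 7))                    # forged request, no nonce
    print(press_this({"title": "Hello", "_wpnonce": token}, 7))  # genuine form
```

The nonce does not replace authentication; it proves the request came from a form the site itself rendered for this user. Binding it to the action as well as the user means a nonce leaked from one screen cannot be replayed against another.
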
There are 39 other maintenance fixes. If you are interested, you can check the full Release Notes for WordPress 4.7.3 directly on their website.

We are available to chat with you over these and other WordPress-related issues anytime. Contact us!

Brought to you by Handyweb.ie 

Phone: +353 (0) 44 93 45145
Email: info@handyweb.ie
Services: Web and App Consultants, e-Commerce, Responsive Web Design, Search Engine Optimisation, Digital Marketing, Social Media, App Development, Online Payments, Online Business Automation