WordPress Security Expert Stories & 40 New Security Tips from Our Members!

We recently interviewed four WPMU DEV members, who provide professional WordPress security services, about keeping WordPress secure. Here’s what they said…

Earlier this month we published a series of tutorials on WordPress security, ran a discussion on our members’ forum about WordPress security issues, and put out a request to interview WordPress security experts about…well, you guessed it…WordPress security!

We then collated and published the responses from our experts along with many great tips raised by members in our discussion forum.

Here are the topics we covered:

So without further ado, let’s meet our WordPress security experts and see what they had to say about keeping WordPress sites safe and secure.

Meet Our WordPress Security Experts

Richard van Denderen

Richard van Denderen is the founder of WPHelpdesk.nl.

Richard has been creating websites since the age of 14 and began using WordPress in 2008.

He is very active in the Dutch WordPress community as an organizer and volunteer of Meetups and WordCamps, and moderator on the Dutch WordPress.org support forum.

As Richard states, “At WPHelpdesk we help to troubleshoot and solve problems, although we prefer to prevent them. A common problem we solve is websites that give errors or strange redirects because of malicious code. Over the years we have helped hundreds of website owners with the cleanup of hacked websites.”

Jesse Waitz

Jesse Waitz provides hosting and website development services at FlagstaffConnection.com and works from Flagstaff AZ, USA.

A local WordPress developer and an expert with Codeable.io, Jesse has been hosting and developing websites since 1999.

His expertise has come from long, hard-won, and sometimes painful experiences. As he states, “after 20+ years of hosting sites, you figure out what works and what doesn’t. I have made every mistake in the book, but have learned from those mistakes, and evolved to be better, and more aware of what works, and what doesn’t.”

Cliff Rohde

Cliff Rohde is the owner and CEO of GoatCloud Communications LLC, which he formed in 2013.

Cliff is passionate about the intersection of communications and technology and assists many different types of businesses and nonprofits to thrive online.

Cliff built his first website in 1995, and his first WordPress website around 2007. He is a former attorney and left the practice of law to focus exclusively on GoatCloud.

Logan Lenz

Logan Lenz is Chief of Awesomeness at Awesome Website Guys. Logan is a website innovator and digital marketer with over twenty years of industry experience.

As a digital business agency owner, Logan utilizes a myriad of technologies, tools, and resources to ensure that their clients’ digital needs are met and more.

As Logan says, “I have been using WordPress for decades, as this open-source platform provides complete customization, which is necessary to truly personalize each client’s website. As an open-source platform, my agency can use our go-to plugins to build client sites that are fast, secure, optimized, and relevant.”

What Our Experts Had To Say About WordPress Security

1. What kind of WordPress sites do you normally work with?

Richard: I would describe our clients’ websites as small-medium and also eCommerce. Most of the clients we work with have one or more people who work as content managers or do the communications as a whole. We take over the technical parts of their website.

Jesse: I split my time mostly between development, maintenance, and hosting of WordPress-based sites. I work mostly on small to medium-sized client sites. I have about a dozen successful eCommerce sites and about a dozen multisite setups. I host over 200+ sites across 7 servers, provide ongoing maintenance and security for about 150 WordPress sites, and I have a separate mail server where I host 180+ email accounts for more than 60+ companies.

Cliff: Sites that GoatCloud maintains are primarily for small businesses and solo practitioners. That said, we also maintain a number of sites for sizable non-profits and mid-size businesses.

Logan: Awesome Website Guys specializes in working with other small businesses, which include a wide range of different industry websites. This includes e-commerce, multisite, nonprofit, restaurant, community, hotel, event, construction, automotive, health and wellness, fitness, real estate, other agencies, and much more.

2. What are the most common security issues you run across on client WordPress sites?

Richard: The most common security issue is overdue maintenance. Plugins that no longer receive updates from the developer, where sometimes the latest version was released 9+ years ago. Related to this are often premium plugins and themes without a valid license, causing them not to report available updates. The end-user is then convinced that they are up to date, as WordPress is not displaying those available updates.

Another common security issue that I come across way too often is multiple sites within the same (budget) web hosting package, where they are not well isolated from each other, resulting in cross-site contamination.

Jesse: Brute force attacks on the WordPress login are the most prevalent issue for me right now. But, Defender takes care of that for me. I would say that the next most common vector is through weak or out-of-date plugins and themes. I address this by updating all of my sites’ core, themes, and plugins on a weekly basis. Keeping everything up-to-date is the best defense against this issue.

Years ago I used to have my sites on a single server that provided email and hosting services, and this really caused a lot of issues: either site activity would affect email delivery, or email viruses could be a trojan horse for attackers. But in the last few years I have separated email from sites on different servers, and I could not be happier; the crossover issues are gone, and it is way more secure.

Cliff: Many times when I inherit a site I discover just how lax either the site owner or the site developer was when setting up accounts. Software is often out of date and either passwords are not sufficient or usernames are easy to guess, or both. It’s often the case, too, that inherited sites have no software on the site or at the host aimed at protecting the site.

Logan: For clients’ WordPress sites, the most common security issues are DoS attacks. For those new to the term, DoS attacks are when several requests are sent to a client’s website at the same time, which overloads the server and crashes the site. Hackers can use data queries on clients’ sites, which can add, remove, or even steal their site content. Another common security issue is hackers breaking into clients’ sites, where they then add new users, random content (usually code or dummy content), and modify admin site settings.

3. What’s the worst security issue you have had to solve for clients?

Richard: The worst security issue I’ve seen was a hosting account with eight websites. Only 1 website was used, and it had all kinds of issues; they had already tried something themselves with backups, but that didn’t help. Before they came to us for help there was also another ‘WordPress developer’ who was supposed to solve the problem. He sold them a completely new website, which was “hacked” again within a day or so.

When I started working on this issue it became clear that the cause was in a few of the other 7 websites within the hosting package, which were no longer used and maintained but still online. All just for the domain names. Those old sites had some really old versions of Mambo, Drupal, and WordPress, from 12 years ago. After the primary website had received its own hosting package, it was just a matter of some cleanup and the hack was solved in no time. The customer decided to delete the other 7 websites later on, as those weren’t worth the money to fix.

Jesse: As an expert at Codeable I help clients with hack cleanups all the time. These are NOT people hosted on my servers, but in desperate need. I had a client that was breached through an outdated, poorly-written plugin. The attacker was able to create a user on the site, promote the user to admin through a SQL injection, and then as an admin they injected spammy content on every single page of the site. This was not visible content, it was hidden on the page (i.e. white font on a white background), and it was intended to help their SEO for their illicit products.

This content got their site blacklisted on Google search, browsers would not load the page without the big red warning page coming up, and the Google search results said “warning, this page is hacked.”

The attacker also used his access to inject code into every plugin and theme on the site, so that if you tried to delete the admin user and clean up the content, he had trojan horses all over the site, to let him back in and repeat his attack.

This job required removing the user, replacing every plugin and wp core file on the site, scanning, with my eyes, every file in the theme to make sure all of the injected content was removed, and then analyzing the database page by page to make sure all of the spammy content was removed. I then installed a combination of plugins that I rely on to lock this site down and prevent this from happening again. Finally, I had to submit a request to Google through their search console to remove the blacklisting, and to assure them that the site was no longer hacked.

It has been over a year since that all happened, and there has not been another occurrence.

Cliff: The worst was a site being hacked, prior to my engagement with the business. I was hired to eliminate the hack and maintain the site going forward. The hack was, thankfully, just the imposition of extraneous data on the website, with links to third party bad-actor sites and the like. Complicating matters was that it was a multisite installation. It took a good number of hours to work through the WordPress tables to clean everything up!

Logan: We’ve had a few really intelligent phishing scams to have to thwart. I remember one day a client called panicked having just realized they gave bank credentials to who they thought was their CFO at the time. Lo and behold, it was a hacker that we later found out had infiltrated all sorts of the clients’ systems before finding ways to get information that could lead to money for them. The issue ended up being taken care of before it got out of hand, but it was somewhat of a wake-up call as it pertains to the importance of high security in business.

4. Can you share a little about the process you use to secure WordPress sites, and how you approach security breaches on client sites?

Richard: One of the first points in my process is to check whether the website has a hosting package of its own or whether there are multiple and older sites in it.

Then, file permissions and limiting public access and execution of .php files in folders where this is not required. Further, checking users and their roles, and pending updates/outdated themes and plugins. Also, auditing all plugins and themes that are present but not actively used.

All in all, I currently have an extensive checklist that I use and continuously update with new points whenever I come across a good addition.

When there is a breach it depends a bit on what kind of breach it is. In general, one of the first things I do is add “deny from all” in the .htaccess and then go through the log files to determine the how and what of the breach.

The vast majority of breaches in client sites I maintain happen because of fired and laid-off employees that try to cause havoc. In those cases, it is a matter of revoking access, changing passwords, and auditing the changes they have made in recent months.

I notice that a lot of the (smaller) companies are really easy-going about giving their employees login credentials to all kinds of systems and tools but haven’t thought about how to revoke the access and the consequences involved.

Jesse: This is not an easy question to answer. I use a combination of server and site-based solutions.

On the server, I have several bash scripts that run automatically on the server every night to lock things down. One script runs rkhunter, LMD scan, and clamscan every night to search for and remove injected content or files. I also have a script that checks every public-facing file and folder and makes sure that they are using the correct permissions (644 for files and 755 for directories). If the script finds anything, it changes them on the fly. I also have a script that backs up all of my sites and databases to an off-site Digital Ocean space every day.

On the sites, I use Defender to lock down all of the normal attack points, and I use a program called NinjaFirewall to create a Web Application Firewall for my site. This is a plugin, but it actually creates a firewall that is loaded before a single line of PHP is read or a single MySQL query is run. This is the most important site-based solution that you can implement. I chose NinjaFirewall because it is free, Wordfence’s WAF is expensive, and NinjaFirewall’s WAF is just as good as Wordfence’s WAF; in fact, I think it is better, because it only does the WAF, and it does it really well.

Regarding breaches, every problem has a different solution, but I generally try to figure out how they got in, and then work back from there.
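Richard’s checklist items (file permissions, blocking .php execution where it is not needed) and Jesse’s nightly permission script describe the same hardening job. The script below is an added example written for this article, not either interviewee’s own code: it audits and repairs the 644/755 modes Jesse names, counts PHP files sitting in the uploads tree, and writes the .htaccess that refuses to serve PHP from there. It assumes Apache 2.4 with AllowOverride enabled, and the wp-config.php exclusion is an assumption of mine, not something the interviewees stated.

```sh
#!/bin/sh
# Added example: WordPress file-permission audit/repair plus an uploads-directory
# PHP block. Not the interviewees' own scripts. Assumes Apache 2.4 with
# AllowOverride enabled so the .htaccess is honoured.
set -eu

# Print every path under ROOT whose mode is not 644 (files) or 755 (dirs).
# wp-config.php is skipped on purpose (my assumption): it holds the database
# credentials and is usually kept tighter than 644, e.g. 640 or 600.
wp_perm_audit() {
  root="$1"
  find "$root" -type f ! -name wp-config.php ! -perm 644
  find "$root" -type d ! -perm 755
}

# Number of non-conforming paths; 0 means the tree is clean.
wp_perm_violations() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Repair the modes in place, which is what a nightly job does "on the fly".
wp_perm_fix() {
  root="$1"
  find "$root" -type f ! -name wp-config.php ! -perm 644 -exec chmod 644 {} +
  find "$root" -type d ! -perm 755 -exec chmod 755 {} +
}

# Count PHP files inside an uploads tree. Uploads should hold media only, so
# anything executable there is worth an alert from the nightly scan.
wp_uploads_php_count() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) \
    | wc -l | tr -d ' '
}

# Write an .htaccess that refuses to serve PHP from the given directory.
# "Require all denied" is the Apache 2.4 spelling of the 2.2-era "Deny from all".
wp_uploads_deny_php() {
  cat > "$1/.htaccess" <<'EOF'
# This directory serves static media only: never execute PHP here.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Stand-alone demo on a constructed tree (not a real site).
demo() {
  tmp=$(mktemp -d)
  site="$tmp/site"
  mkdir -p "$site/wp-content/uploads/2021"
  chmod 755 "$site" "$site/wp-content" "$site/wp-content/uploads" "$site/wp-content/uploads/2021"
  printf '<?php\n' > "$site/index.php"
  chmod 644 "$site/index.php"
  printf 'x' > "$site/wp-content/uploads/2021/photo.jpg"
  chmod 666 "$site/wp-content/uploads/2021/photo.jpg"
  printf '<?php\n' > "$site/wp-content/uploads/2021/dropped.php"
  chmod 777 "$site/wp-content/uploads/2021/dropped.php"
  echo "violations before fix: $(wp_perm_violations "$site")"   # 2
  wp_perm_fix "$site"
  echo "violations after fix:  $(wp_perm_violations "$site")"   # 0
  echo "php files in uploads:  $(wp_uploads_php_count "$site/wp-content/uploads")"   # 1
  wp_uploads_deny_php "$site/wp-content/uploads"
  rm -rf "$tmp"
}
demo
```

Run the audit function alone from cron first and only add the fix step once the report contains nothing you expect to be non-standard; on Nginx there is no .htaccess, so the uploads block belongs in the server configuration instead.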

Cliff: First, update all software: WordPress core, plugins, themes, and hosting environment (e.g., PHP). I use usernames that are not easy to guess. I use secure passwords (long and not guessable; a password manager comes in handy). I install basic security software on the website – Wordfence and anti-spam most often. I will often protect login by requiring a reCAPTCHA and, in some instances, require two-factor for login. For many sites, I will also put them through the Cloudflare network. Cloudflare itself offers security enhancements and I also create firewall rules at Cloudflare aimed at keeping bad actors off the site.

Logan: To keep our clients’ WordPress sites secure, we combine security best practices and reliable security plugins to help us continually monitor and defend against cyber attacks and threats. Like other website agencies, cybersecurity is a top priority for our clients and ourselves. To offer additional security protection, we recently introduced a new security partnership with Protected By Dragon, a digital security consultancy to help protect what matters most to clients.

As for security breaches, we receive regular reports and notifications when there is a red flag on our clients’ sites. Our servers not only detect bad actors and irregular activity but also restrict site access when necessary. Thus, we can immediately identify the security breach, assess the damage, and notify clients when a vulnerability is detected.

5. Which WordPress security plugin(s) do you use or recommend and why?

Richard: To be honest, I haven’t used Defender for a while except for the sites that are also hosted at WPMU DEV. In 2016, when Defender was still fairly new I used it but it sometimes caused problems with the CPU at some providers. I probably should do some tests with it again, as 5 internet-years is a very very long time ago, so that experience is not even relevant anymore.

Looking at Defender now in terms of the recommendations and checks it offers, Defender seems fine, logs and scans are also nice features to have. I also think GOTMLS is a nice plugin that often gives solid results during a scan.

Jesse: See #4 above.

Cliff: I use Wordfence primarily, including its Wordfence Central interface, which allows the management of multiple sites from a single login. I’m not familiar with Defender.

Logan: In the past, we have primarily used WPMU Defender as our go-to security plugin on WordPress. This plugin is effective, easy to use, and allows users to set up weekly reports for clients. These reports can include everything from SEO to security updates. While we have enjoyed using Defender, we are transitioning to a new security solution known as InfiniteWP. This move will make it easier to manage our clients’ sites in a central location, as well as send out automated weekly security reports.

[Editor’s Note: WPMU DEV’s The Hub lets you manage the security of “infinite” WP sites using Defender ;)]

6. What would you suggest WordPress users should never overlook when it comes to securing their website?

Richard: Remove inactive users, especially with an administrator role. Use strong passwords and, whenever possible, let everyone use their own login details. Do not share an account with multiple people. Use 2FA when available and possible.

Jesse: Updates, updates, updates! And strong passwords. And if your clients are savvy enough to handle it, 2FA is probably the best defense against brute force attacks on the WP login you can implement.

Cliff: Everything I mentioned in the answer to Question 4!

Logan: As WordPress users, you should never ignore digital security measures to protect your site. If you do, you can compromise your site by making it more susceptible to cyber attacks and threats. Depending on the type of WordPress site you own, this can open the door for hackers to easily break into your site, steal your site content, and change admin settings to keep you out of your site. This will lead to losing all that time, energy, and money you invested in your site, which can be devastating for businesses. There are plenty of free WordPress security plugins that make it easy to prevent cyber attacks, so it’s recommended that users shouldn’t ignore using a security plugin for their site. It’s as easy as a few clicks and bam, their site is more secure than before.

7. Do you have a security tip or favorite resource you’d like to share with other WordPress web developers?

Richard: I guess a lot of the professionals are already familiar with WPScan.com (formerly wpvulndb). I highly recommend their mailing list. Most of it is now behind a paywall but in my opinion, it is still worth it. It is useful for looking up plugins, and the email alerts for new vulnerabilities are very valuable.

Also, I can’t go without mentioning the blogs of Sucuri, WordFence, and NinTechNet, who always seem to be on top of new vulnerabilities with great detail!

Jesse: First, and I know that you probably don’t want to hear this, but I use MainWP for all of my site maintenance. Second, good hosting is probably the best investment you can make. If you can’t afford someone like me to take care of your sites for you, don’t use cheap hosting. Find a service that will secure and update your site on a weekly basis for you (this is NOT GoDaddy or Bluehost). You WILL get what you pay for… Third, do not host your site and your email on the same server! Finally, do not ever, EVER, use a host that uses cPanel. It is slow, out-of-date, and it opens up so many things on a server that hardly ever get used and/or should not be used (like email on a website server). I think I am done with my soapbox rant!

Cliff: Bad actors love to hit WordPress login and try to just brute force their way in. Wordfence does a good job of blocking too many bad attempts. But I also set a firewall rule at Cloudflare for many clients to block foreign IPs that try to access login, period. Obviously, that does not work if the site owner needs people to be able to log in outside the United States, which is increasingly common. But many small U.S.-based businesses have no need or interest in website visits from foreign IPs, let alone to the login URL.

Logan: It’s better to be overly safe than sorry when it comes to website security. Cybersecurity is becoming more advanced every day and hackers are finding loopholes to harm your clients’ sites. Stay informed by constantly researching best security practices, utilizing the best security plugins for your clients, and regularly monitoring clients’ sites. Most security plugins give you an option to set up automated weekly reports, in which clients receive key information about their site. If there is a security vulnerability, this is an ideal opportunity to address and fix the vulnerability. Thus, your clients’ site is more secure and less susceptible to becoming a hacker’s next target.

8. Anything else you’d like to add related to WordPress security?

Richard: A security plugin is a tool, not a solution.

Jesse: I think I covered it all above.

Cliff: Keep spreading the word about security!

Logan: As mentioned before, WordPress security will continue evolving and improving. This is good news because cyber criminals are also evolving. If you use your due diligence and stay aware of current cyber attacks and threats, this can help you implement plugins and technologies necessary to keep your clients’ sites safe and secure.

Additional WordPress Security Tips from Members

In addition to the many excellent points provided by our interviewed experts, we also ran a forum discussion on WordPress security, where we asked our members the following:

  1. Have you ever run or managed a site that’s been the victim of an online attack? If so, tell us what went down and how it was fixed!
  2. What security tool/s could you not live without?
  3. When was the last time you did a thorough check of your WordPress security? Do you think it’s something you need to dedicate more time to?

Here are some of their answers:

1. Have your sites been attacked online? What happened and how did you fix it?

What I see way too often is a neglected website: no updates for years, or premium themes/plugins without licenses, that are the culprit. I also once had a malware cleanup where somebody emailed me the WordPress password, which was actually in the top 10 of most-used unsecured passwords. – Richard

Fortunately not. Thanks to Defender, strong passwords, and 2FA. – PS

Yes, someone gained access to the hosting account and deleted the site and all the backups. The intruder guessed the client’s password (which was their company name and the number 1). Booted new user, changed password, enabled 2FA and restored the site from an offline backup. – Chris

The last client I was able to fix with Defender Pro and get it all cleaned up and resubmitted to Google and clients were SOOOO thankful! Made me look like the superhero! Thanks to you all! – Victoria

I remember one specifically where the customer called me because their website (that I didn’t create) had been hacked. It was hard: as I didn’t create the website, I didn’t know what the dependencies between plugins were, and so on. It took me a few download/scan/clean/re-upload cycles to fix all the security breaches, and I finally asked all the employees to change their mail passwords and all their other passwords to add a security layer. – Guigro

I’ve taken over two sites that had been hacked. The problem for both was outdated core and plugins. Luckily both had come to me with requests to take the hacked site down and create a new one, so it was a matter of doing a fresh install with a coming soon page during the build. – Keith

Yes, a number of years ago I had a site that fell victim to script injections. It was on shared hosting with some outdated plugins; the cleanup involved a shit ton of manually scrubbing files. That was when I learned there was even a need for security beyond passwords. More recently, brute force login attempts, which Defender locked out for me, but I did then change the admin login URL, & things have been quiet since then. – Danny

Yes, my website has been hacked more than once. I have WebARX and it was still hacked. I used Anti-Malware Security and Brute-Force Firewall by ELI to clean it. Installed and ran the program and it cleaned all of the malware. – Shala

After 15 years in WordPress and 20 in Web development, I have dealt with many hacked sites. Everything from DDoS and brute force to a pissed-off ex-wife that logged in and replaced all her husband’s blog post images with less than flattering photos of him. In most cases, I find restoring a backup fastest and easiest. If one does not exist, then we have to do it the hard way and root out the malicious content and remove it or sometimes totally rebuild the site. – wolf Bishop

I have worked on cleaning several compromised WP websites. Almost every time the reason was missing plugins or WP updates. – Catalin I.

People are constantly trying to log in to my accounts; for WordPress, Defender Pro helps. I also get a lot of spam, for which I use a plugin called Stop Spammers. A lot of bots and hackers target plugin file paths to reveal site info. – Jonathan

2. What security tool(s) could you not live without?

No plugin can give you 100% security. Most of the time, in one way or the other, the user/site owner was at fault or made a mistake. You could harden your WP site a lot without any tools or plugins. Something you shouldn’t go without is an antivirus program on your PC. It doesn’t matter how good your site security is, if you have a keylogger on your PC you’re pretty much done for. – Richard

Anti-Malware Security and Brute-Force Firewall by ELI. Now, all WPMUDev plugins. – Diaz

Backup, for sure. – Alvaro

Defender. I need it on every single WordPress installation. I also need AntiSpam-Bee on every site with a comment section. – PS

Defender Pro, can’t believe it took me this long to find you!!!!! – Victoria

Backup tools, migration tools, scanners & firewalls. – djohns

Defender. I used to have a Sitelock account but eventually realized they are a waste of money. Then I used a few different WP plugins, but have since replaced most of them with Defender. – kahnfusion

I take security seriously. I did not have any sites hacked. I’ve been using Wordfence and Defender mainly. Also keeping watch on the vulnerabilities WPSCAN database. Frequent updates, backups. – Chip

For a few years, Defender Pro. The learning curve is quite easy to approach but I’m surprised I’m still learning every month. About recommendations, how to set them up properly, how to avoid spam, and things like that. – Guigro

Defender and WPMUDev hosting. It’s just so easy to use, and all the options for security headers + vulnerability scanning + WAF show that the devs were thinking of the right things. – Phil

With Defender, I block IPs after 3 login failures within 60 minutes, not the generous 5 failures in 5 minutes as is the Defender default. And I block for anywhere from an hour to a week. I also use the login mask, banned usernames, and other features in Defender. – Tony
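Tony’s lockout policy (3 failures within 60 minutes rather than the default 5 in 5 minutes), together with the brute-force traffic Jesse and Cliff describe hitting wp-login.php, can also be checked outside the plugin from the web server’s access log. The script below is an added example written for this article, not Defender’s code or Tony’s configuration. It assumes combined-format Apache/Nginx log lines, that a failed WordPress login is a POST to /wp-login.php answered with 200 (the form is re-rendered) while a successful one gets a 302 redirect, and that lines are in chronological order; the log lines inside it are constructed, not real traffic.

```sh
#!/bin/sh
# Added example: sliding-window brute-force detection for wp-login.php over
# combined-format access logs (constructed sample below, not real traffic).
# Assumptions: failed login = POST /wp-login.php -> 200 (form re-rendered);
# successful login = 302 redirect; lines arrive in chronological order.
set -eu

# wp_bruteforce_ips LOGFILE [THRESHOLD] [WINDOW_SECONDS]
# Prints, one per line, each IP with >= THRESHOLD failures inside any
# WINDOW_SECONDS span. Defaults follow Tony's policy: 3 within 60 minutes.
wp_bruteforce_ips() {
  log="$1"; thr="${2:-3}"; win="${3:-3600}"
  awk -v thr="$thr" -v win="$win" '
    # "[10/Mar/2021:10:15:32" -> seconds on a day-of-month scale. Assumption:
    # one log file spans less than a month (daily rotation), so no mktime().
    function stamp(f,   d, hms) {
      sub(/^\[/, "", f); split(f, d, "/"); split(d[3], hms, ":")
      return d[1] * 86400 + hms[2] * 3600 + hms[3] * 60 + hms[4]
    }
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 {
      ip = $1; now = stamp($4)
      n[ip]++; ts[ip, n[ip]] = now
      if (!(ip in head)) head[ip] = 1
      # Slide the window: forget failures older than win seconds.
      while (head[ip] < n[ip] && ts[ip, head[ip]] < now - win) head[ip]++
      if (n[ip] - head[ip] + 1 >= thr) flagged[ip] = 1
    }
    END { for (ip in flagged) print ip }
  ' "$log" | sort -u
}

# Constructed sample log (documentation IP ranges, not real visitors):
# 203.0.113.7 fails three times in 12 minutes, 198.51.100.4 fails twice
# then logs in (302), 192.0.2.9 fails three times spread over 2.5 hours.
sample_log() {
  cat <<'EOF'
192.0.2.9 - - [10/Mar/2021:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:09:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:05:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:07:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:11:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:20:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2021:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo: under the 3-per-hour policy only 203.0.113.7 is flagged;
# under the default 5-in-5-minutes policy nobody in this sample would be.
demo_log=$(mktemp)
sample_log > "$demo_log"
wp_bruteforce_ips "$demo_log" 3 3600
rm -f "$demo_log"
```

The same sample shows why the window matters as much as the count: widening it to a day also flags 192.0.2.9, whose slow attempts stay under any 60-minute threshold.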

Defender and WPMU DEV WAF. – Keith

Hosting that is active in their customers’ security, regular backups, firewalls, & 2FA. – Danny

WAF is a big one. Stop them before it starts. I also use Defender which helps pull a whole bunch of common security measures into one place. – Lee

Anti-Malware Security and Brute-Force Firewall by ELI (gotmls), it’s a great plugin and the best part is that it’s reasonably priced, unlike others that are very expensive and not as effective. It’s just used for cleaning malware, not for detecting it, so another plugin is needed for that, unfortunately. – Shala

Defender, WPScan, SQLMap. – wolf Bishop

I’d say Malwarebytes for a security tool perspective & now Defender Pro for websites. However, also keen on Windows Security. – Shiv Patel

3. When was the last time you did a thorough check of your WordPress security?

I keep a close watch on all the sites I maintain and keep track of all the plugin and theme vulnerabilities. A thorough check is done at least yearly when no suspicious behavior is seen. So far *knock on wood* had 1 WP site that I’m responsible for that got hacked because of a zero-day vulnerability. Also, once my webhosting provider was a victim of a ransomware hack. Luckily, I had my own off-site backups, because at the same time his backup server got corrupted. I was back online in a few hours with a different host. His other customers were offline for 3 days. – Richard

I check almost every day, or at least once a week. – Diaz

At least weekly. – Chris

Once I set up Defender, I usually check sites weekly. Thanks to Defender, I don’t need to spend as much time on it like I used to! – Victoria

The last time I spent time on security was when I set up Defender on another site a couple of weeks ago. Once I’ve got everything set up, I don’t really focus on security. As long as I keep regular offline backups, I’m not too worried about getting hacked anymore. – kahnfusion

I try to take half a day every two months to make a good check of the 20-ish websites I’m managing. Seems fair enough to me, as I read Defender Pro summaries once in a while and made a good setup of my notifications to be sure to receive a mail if something REAL happens. – Guigro

I don’t do specific deep dives, since I just build in Defender into my processes. – Phil

I go through the Defender reports and actively ban IPs for any somewhat suspicious activity. Generally, I trust Defender and WPMU DEV to keep things secure for me. – Keith

I ensure to run a complete scan/review monthly for all my clients. Seems like the right amount for me. – Lee

We run scans on every site daily. We also do a deeper semi-annual Security Review which includes pentesting the client’s site. – wolf Bishop

I aim to have a step by step inspection check when installing all the available plugins in each site I host. But WP Security is a crucial aspect of all sites. – Shiv Patel

My working protocol includes weekly routine security checks and monthly deep security checks for the websites/servers I manage/run. – Catalin I.

Thank you to everyone who participated in our interviews and discussions.

Spring Boot: Boost JPA Bulk Insert Performance by 100x

I was facing a problem where I wanted to insert millions of records into the database, which needed to be imported from the file.

So, I did some research around this, and I would like to share with you what I found which helped me improve the insert records throughput by nearly 100 times.

A Storage Hack for Bringing Stateful Apps to Kubernetes: Data That Follows Applications

Kubernetes, the open-source container orchestration system created by Google, is one of the most adopted technologies of the last decade. It is clear everyone loves this open-source platform, as the double-digit growth in adoption rate clearly demonstrates.

In fact, the Cloud Native Computing Foundation (CNCF) found that in 2019 84% ran Kubernetes containers in production, double from two years prior. This growth in adoption is unlikely to stop any time soon, seeing how Kubernetes is an efficient way to manage containers at scale, which translates into lower costs and increased cloud flexibility.

Esri Announces ArcGIS Platform to Provide Developers Robust Location Data

Esri, a provider of mapping & spatial analytics technology, has announced the release of a new PaaS (Platform-as-a-service) offering that is intended to provide developers with deeper integration capabilities with the company’s location intelligence services. The ArcGIS Platform supports integration via fully supported APIs and SDKs, or third-party open-source API integrations.

How Do You Build a Minimum Viable Product in 2021?

Do you have a unique and groundbreaking idea but you're not sure whether it will be successful or not? Or, let's say you are looking for investors and they are just avoiding you, as you only have an idea with some rough sketches? 

If so, you are at the right place. 

Industry Experts Share Their Opinion on Website Security Trends for 2021

2021 was a strange year for security teams because cyberattacks accelerated at an alarming rate during the pandemic. Cybercriminals were seen attacking not only individuals but small businesses, major corporations, governments, and even critical infrastructures. With people confined to their homes, internet usage was pushed up to 70%, besides, global businesses were forced to deploy remote systems and networks to facilitate remote work for employees.

Consequently, cybercriminals started exploiting vulnerabilities in these remote setups to steal sensitive information and profit from it, which severely disrupted economies and business operations. But lessons are learned from every experience, whether good or bad.

GreenSock ScrollTrigger

High five to the Greensock gang for the ScrollTrigger release. The point of this new plugin is triggering animation when a page scrolls to certain positions, as well as when certain elements are in the viewport. Anything you’d want configurable about it, is. There’s been plenty of scroll-position libraries over the years, but Greensock has a knack for getting the APIs and performance just right — not to mention that because what you want is to trigger animations, now you’ve got Greensock at your fingertips making sure you’re in good hands. It’s tightly integrated with all the other animation possibilities of GSAP (e.g. animating a timeline based on scroll position).

They’ve got docs and a bunch of examples. I particularly like how they have a mistakes section with ways you can screw it up. Every project should do that.

CodePen is full of examples too, so I’ll take the opportunity to drop some here for your viewing pleasure. You can play with it on CodePen for free (search for it).

Screenshot of CodePen JavaScript settings with a completed search for greensock scroll to plugin in the external scripts section.

If you’re worried about too much motion, that’s something that you can do responsibly through prefers-reduced-motion, which is available both as a CSS media query and in JavaScript.


The post GreenSock ScrollTrigger appeared first on CSS-Tricks.

WP Lookout Lets WordPress Users Track and Receive Notifications for Their Preferred Plugins and Themes

Should WordPress notify users of plugin ownership changes? That was the question that Ian Atkins asked two months ago. WP Tavern readers seemed to think it was a good idea, at least those who commented on our coverage of it. However, the original Trac ticket has not seen any movement since.

There are real technical issues with automating the process. A change of ownership does not necessarily equate to a change of the plugin author. This is often the case when someone acquires a company and maintains the brand.

Tracking such changes does not necessarily need to go through WordPress. Chris Hardie built a service called WP Lookout that notifies users of such changes and much more. It has been available since August 2020.

“WP Lookout watches for interesting changes to the WordPress themes and plugins that someone cares about,” said Hardie. “I created WP Lookout for professional WordPress developers, consultants, and site managers who want to stay more informed about the plugins and themes that they (and their clients) depend on.”

While WP Lookout faces the same challenges with plugin ownership changes, it does have an advantage. It also tracks WordPress news organizations, including WP Tavern and Post Status. Even if the ownership change is not reflected on the plugin’s WordPress.org page, the story may be picked up in the news.

Hardie launched the news-tracking feature in early December 2020. It includes the Wordfence vulnerabilities blog and iThemes vulnerabilities roundup blog as a part of the service’s security notification system. The service also scans change logs for keywords related to security.

Notifications do not stop there. WP Lookout tracks plugin, theme, and core WordPress updates. It also supports several commercial plugins such as Advanced Custom Fields Pro, Gravity Forms, and WP Rocket.

“When we first decide to use a theme or plugin on a WordPress site, we hopefully research it thoroughly — code quality, ratings, support responsiveness, new release history, speed of security fixes, and so on — but once it’s installed it’s easy to neglect those important bits of ‘health’ information over time,” said Hardie. “Auto-updates are great from many perspectives, but I think anyone who has had to manage and troubleshoot a non-trivial WordPress site over time knows that it’s also important to stay aware of, for example, what’s happening in the change log or whether ownership of a plugin has changed hands. But nobody wants to log in to wp-admin on a bunch of sites every week to gather that info.”

Hardie said WP Lookout will always have a robust free option for people who just want a daily email notification for a handful of plugins and themes. However, there are paid tiers for customers to access more features. They allow users to track more plugins and themes and get immediate alerts through email, RSS, Slack, or custom webhooks.

“The middle tier supports up to 50 themes/plugins, immediate email notifications, and a personalized RSS feed,” he said. “The Builder tier supports up to 200 themes/plugins and adds in Slack and custom webhook support along with the option to just get security-related notifications. With more real-world user feedback, we may adjust what’s in each tier over time.”

All users get access to the Builder tier for a few weeks after signing up. After that, they must subscribe or stick with the free tier features.

How the Service Works

Single plugin tracking history via the WP Lookout website.

WP Lookout allows users to search for and add a tracker for individual plugins. The service primarily relies on the public WordPress.org API for getting plugin and theme data. This is the same system that WordPress uses to check to see if updates are available.

“But it also goes beyond what the API offers,” said Hardie. “For example, there’s no standard yet for theme authors to provide .ORG theme change logs, and so that information doesn’t show up when you go to update a theme in wp-admin; you’d have to go poking around in Trac or source files to find it. So WP Lookout follows the trail to the change log details and puts that right in front of you.”

Active plugin trackers: multiple plugins being tracked via the WP Lookout service.

There is also a WP Lookout plugin available in the plugin directory. It uses an API key, which users can get from the WP Lookout website. The plugin then lets the WP Lookout service know what plugins and themes are installed and adds them as trackers. Using the plugin is far more efficient than manually adding individual plugins and themes.

For plugins and themes that are not on WordPress.org, the service uses custom update APIs provided by the third-party developers. If that is not sufficient, it uses webpage scraping. For news sources, it parses RSS feeds.

“It’s been interesting to see the wide variety of ways that WordPress theme and plugin authors do or don’t manage and present data publicly about their products,” said Hardie. “Some have API endpoints that return the same level of detail as the .ORG API, others have change log/version documents generated by some internal tools, and still others don’t bother doing much at all. I think an argument could be made to standardize on something here for the long-run to help boost the culture of keeping software updated, even/especially if it eventually makes the need for a tool like WP Lookout obsolete.”

The Future of WP Lookout

Hardie has no plans of sitting on what he has already built. One of the next goals is regularly adding new themes and plugins that are not on WordPress.org. This will mean connecting with development teams and figuring out how users can get notifications of things that often have no public APIs. The lack of standardization in the space could be a tough hurdle to jump.

“I have a long list of features I’m planning to add, including things like integrating tracking GitHub repo releases, bringing some helpful data points from WP Lookout into the wp-admin interface, WordPress Packagist integration, allowing per-tracker Slack channel configurations, better internationalization, and better handling of change logs that theme/plugin authors chose to maintain outside of their .org code repositories,” he said.

Hardie does not want to get too far ahead of himself with feature ideas. He said he is excited to get more feedback from users about what they find useful. Currently, there are 80 users, which is publicly available data. WP Lookout maintains an open data and financial transparency page.

“Despite having paid options for more advanced users, I mostly think of this as a service I want to operate for the WordPress community, and I’ll always have a robust set of free functionality,” he said. “I’m also committed to participation in Five for the Future, bringing what I’ve learned here back into improvements that might benefit all WordPress users, whether they take advantage of WP Lookout or not.”

How To Choose the Best RPA Tool

In today’s evolving market, digital transformation has become a competitive parameter for companies, and Robotic Process Automation (RPA) has therefore become a hot topic. Even though the technology grows more popular every day, many companies still know little about RPA’s features, or they regard the idea of implementing an entirely new piece of software with some skepticism. Before investing in and implementing RPA, a company should first learn how such a tool would be used to digitize its operations and which tool fits its needs.

What Is RPA?

Robotic Process Automation is an application that interacts with the user interface and imitates human behavior. It performs human-like tasks in a more efficient way in terms of accuracy and speed. Software robots can conduct multiple, repetitive tasks such as validating and migrating data, automating reports, auditing, etc. 

$_POST only returns last value

I am trying to create a quiz in which the user keys in their answer in a text field. If the answer the user keys in matches the answer in the array, the score should increase. However, my $answer only returns the last value the user entered, which does not allow comparison of the user's input with the array, and the score does not increase. Please advise on how to allow each text field's input to be read and compared with the answer provided in the array.

<?php
// The question pool must be defined before array_rand() is called on it;
// in the original ordering $qtspool was still undefined at that point.
$qtspool = array(
    1 => array(
        'qts' => 'When was The Fast and the Furious released? ', 'ans' => '2001'),
    2 => array(
        'qts' => 'When was The Fast and the Furious: Tokyo Drift released? ', 'ans' => '2006'),
    3 => array(
        'qts' => 'When was Fast & Furious Presents: Hobbs & Shaw released? ', 'ans' => '2019'),
    4 => array(
        'qts' => 'When was Insidious released? ', 'ans' => '2010'),
    5 => array(
        'qts' => 'When was Insidious: Chapter 2 released? ', 'ans' => '2013'),
    6 => array(
        'qts' => 'When was Insidious: Chapter 3 released? ', 'ans' => '2015'),
    7 => array(
        'qts' => 'When was Insidious: The Last Key released? ', 'ans' => '2018'),
    8 => array(
        'qts' => 'When was World War Z released? ', 'ans' => '2013'),
    9 => array(
        'qts' => 'When was The Conjuring released? ', 'ans' => '2013'),
    10 => array(
        'qts' => 'When was The Conjuring 2 released? ', 'ans' => '2016')
);

// Pick three random question keys and copy those questions into $pickqts.
$qtspick_key = array_rand($qtspool, 3);

$pickqts = array();
$i = 0;
foreach ($qtspick_key as $key) {
    $pickqts[$i] = $qtspool[$key];
    $i++;
}
?>

<form action="" method="post">

    <?php $score = 0; ?>
    <?php foreach($pickqts as $qtsno => $value) { ?>
    <?php echo $value['qts'] ?>
    <!-- every question's input shares the name "user_ans", so $_POST keeps only the last one -->
    <input type="text" name="user_ans">
    <?php echo $value['ans'] ?><br><br>
    <?php if (isset($_POST["user_ans"])) { ?>
    <?php $answer = $_POST["user_ans"]; ?>
    <?php if ($value['ans'] == $answer) { ?>
    <?php $score++; ?>
    <?php } ?>
    <?php var_dump($value['ans']); ?>
    <?php var_dump($answer); ?>
    <?php } ?>
    <?php } ?>

    <p> Current score: <?php echo $score ?></p>
    <input type="submit" value="Submit Quiz"/>
</form>
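One way to restructure the quiz so that every question gets its own input, added here as an example that is not part of the original question or any posted answer. It keeps the same $qtspool array (shortened to five entries) and introduces a hypothetical helper, score_answers(), that grades the submission on the server: input names of the form user_ans[ID] arrive in PHP as the array $_POST['user_ans'], every submitted question ID is checked against the pool before it is used as an index, answers are compared strictly, question text is escaped before output, and the answer key is never written into the page.

```php
<?php
// Added example, not code from the original question. Same pool as the question, shortened.
declare(strict_types=1);

$qtspool = [
    1 => ['qts' => 'When was The Fast and the Furious released?', 'ans' => '2001'],
    2 => ['qts' => 'When was The Fast and the Furious: Tokyo Drift released?', 'ans' => '2006'],
    3 => ['qts' => 'When was Fast & Furious Presents: Hobbs & Shaw released?', 'ans' => '2019'],
    4 => ['qts' => 'When was Insidious released?', 'ans' => '2010'],
    5 => ['qts' => 'When was World War Z released?', 'ans' => '2013'],
];

/**
 * Hypothetical helper: grade the raw $_POST['user_ans'] value against the server-side pool.
 * The client controls the shape of $submitted, so nothing in it is trusted as an index or
 * compared until its type and key have been checked. Returns the score and a per-question map.
 */
function score_answers(array $qtspool, $submitted): array
{
    $result = ['score' => 0, 'checked' => []];
    if (!is_array($submitted)) {
        return $result;                      // missing field or a scalar: nothing to grade
    }
    foreach ($submitted as $qid => $answer) {
        // PHP stores decimal-string keys as ints, so any non-int key is not a question ID.
        if (!is_int($qid) || !isset($qtspool[$qid]) || !is_string($answer)) {
            continue;                        // unknown question or odd value: ignored, not scored
        }
        // Strict comparison: the loose == in the question treats '2001' and '2001.0' as equal.
        $correct = trim($answer) === $qtspool[$qid]['ans'];
        $result['checked'][$qid] = $correct;
        if ($correct) {
            $result['score']++;
        }
    }
    return $result;
}

// On the first visit pick three questions. On a submission, redisplay the questions whose
// IDs came back in the input names; calling array_rand() again would pick a new set and
// the answers would be graded against different questions.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $result = score_answers($qtspool, $_POST['user_ans'] ?? null);
    $shown  = array_keys($result['checked']);   // only IDs that exist in the pool survive
} else {
    $result = ['score' => 0, 'checked' => []];
    $shown  = array_rand($qtspool, 3);
}
?>
<form action="" method="post">
<?php foreach ($shown as $qid): ?>
    <!-- question text is escaped; "Fast & Furious" would otherwise emit a bare ampersand -->
    <p><?= htmlspecialchars($qtspool[$qid]['qts'], ENT_QUOTES, 'UTF-8') ?></p>
    <!-- user_ans[<id>] becomes $_POST['user_ans'][<id>]; the answer itself is never printed -->
    <input type="text" name="user_ans[<?= $qid ?>]">
    <?php if (isset($result['checked'][$qid])): ?>
        <span><?= $result['checked'][$qid] ? 'correct' : 'wrong' ?></span>
    <?php endif; ?>
    <br><br>
<?php endforeach; ?>
    <p>Current score: <?= $result['score'] ?></p>
    <input type="submit" value="Submit Quiz">
</form>
```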

2021: Autonomous Cloud Operations, Agile App Security, Customer-First Approach Will Drive Second Wave in Digital Transformation

The pandemic did not create the need for digital transformation, but it has accelerated it dramatically. Some organizations’ capacity for digital services was, to put it simply, unprepared for the volume of new users. Other organizations were positioned better to adapt quickly because they invested in capabilities such as AI-assistance and continuous automation beforehand.

Last year’s increased demand for digital services and the urgency to adapt quickly to users’ needs will precipitate a rise this year in user experience-driven digital transformations, a renewed need to streamline operations by integrating application security into DevSecOps, and accelerated adoption of autonomous cloud operations.

Getting Started With OpenShift

Red Hat OpenShift is an enterprise open source container orchestration platform. It’s a software product that includes components of the Kubernetes container management project, but adds productivity and security features that are important to large-scale companies. In this Refcard, learn how to get started with the developer usage of Red Hat OpenShift to help you go hands-on with installing a local development cluster on your own machine.

API Linting With Spectral | What Is It and How Does It Work?

API linting is the process of making sure that APIs are not just technically correct (which is the realm of validation tooling), but that they also comply with a set of additional constraints that often are documented in the form of API guidelines. With the growing popularity of APIs, these guidelines become more common, APIs throughout organizations become more abundant, and it thus becomes more important to be able to scale the API practice in organizations. API linting can help with this because it allows you to check and enforce (some aspects of) API guidelines, making it easier for API teams to follow guidelines and making it easier for API platform teams to make sure that guidelines are being followed.

In this interview, Stoplight's Phil Sturgeon talks about Spectral. Spectral is an open-source general-purpose JSON/YAML linter, but it does come with built-in support for API-related formats such as OpenAPI, AsyncAPI, and JSON Schema. We discuss why Spectral is useful and what Spectral can do to help with managing APIs and API landscapes.

How Not To Get Hacked – A Guide For WordPress Website Developers (And Their Clients)

You’ve built your clients their dream website. Don’t allow hackers to take it over and turn it into a nightmare. Our “how not to get hacked” guide shows you how…

When hackers start breaking into the security firms that are protecting us from hackers, you know it’s time to take security seriously!

Especially when you consider stats like these:

  • There is a hacker attack every 39 seconds.
  • 95% of cybersecurity breaches are due to human error.
  • 64% of companies have experienced web-based attacks.
  • 43% of cyber attacks target small businesses.

Source: Cybint

Yeah…But Not All Hacking is Done Via Websites

True, but here is the thing…

Most security threats are multidimensional.

This means that no matter how much time, money, and effort you invest into building and hosting a website securely, there are many factors that can threaten web security and allow hackers to wreak havoc on your website.

Take a look at this flowchart to see what I mean…

Security threat factors: security threats are multidimensional.

The above is my condensed version of the security threats classification model shown below…

Multidimensional threats can affect the security of your website. (Source: ScienceDirect.com, Classification of Security Threats in Information Systems.)

As you can see from the diagram above, web security threats can come from either:

  • External sources (e.g. unauthorized users and natural disasters) or
  • Internal sources (e.g. an employee with admin access to the site, server, or a network account).

Add in human, environmental, and technological agents with malicious or non-malicious motivation and accidental or non-accidental intent, and the security threats posed by any combination of these factors are further multiplied.

To put it simply…

Web Security is Freaking Complex!

A failure in any part of the system can threaten the security of the whole.

Even in situations where cyber attackers are not directly involved (e.g. natural disasters), these threats can create security blind spots that could impair your site and lead to:

  • Destruction of information – e.g. deletion of important files or data.
  • Corruption of information – e.g. corrupted database tables and files.
  • Disclosure of information – e.g. exposing confidential data to unauthorized users or the general public.
  • Theft of service – e.g. data theft or misuse, stealing server resources, etc.
  • Denial of service – e.g. a Distributed Denial of Service attack (DDoS).
  • Unauthorized elevation of privilege – e.g. exploiting a weakness in the system to gain admin privileges to the site or network.
  • Illegal usage – e.g. using the site to attack other sites, spread viruses, run scams, identity theft, etc.

To prevent sites from being hacked, damaged, or disrupted, then, all threat factors in this multidimensional security beast need to be considered.

DevMan vs Multidimensional Security Threats: keeping security threats out is tough, especially when you’re battling a multidimensional beast!

Now that we understand the enormity of what we’re dealing with, let’s narrow down how to tackle this web security beast.

We’ll focus on how to prevent your sites from being hacked by addressing the following areas:

  1. Mitigating Web Security Risks
  2. Defence is Your Only Plan of Attack
  3. Securing 95% of Vulnerabilities Against Hackers

1. Mitigating Web Security Risks

Many things can go wrong outside of your website and create an opportunity for hackers to get into your site.

These things include:

  • External Services – who and where you purchase services from or outsource to, including hosting, plugins, themes, other website developers, etc.
  • Processes and methods used to build, secure, and manage sites.
  • Human vulnerabilities – inadequate knowledge, understanding, experience, and skill level of security-related issues.

Mitigating Risks from External Services

As a WordPress developer, your main service providers include the following:

  • Your hosting company and data centers.
  • Third-party plugin and theme developers.
  • Integrated third-party platforms and software.
  • Outsourced developers, contractors, etc.

Data Centers

Web hosting companies typically own or lease space to house their servers within multiple data centers located around the world.

All of your hosting company’s hardware, data, and information processing takes place inside data centers, so it’s important for data centers to take physical and digital security seriously to mitigate all threats and risks of attacks and damage, and to ensure the safety and security of the servers housing your websites and data.

Most developers choose their web hosting company and the web host chooses their data center(s). Both hosting companies and data centers, however, have a shared responsibility to ensure website security.

Data Center responsibilities for ensuring security include managing things like:

  • Environmental controls – electronic equipment generates heat that can lead to failure, so it needs to operate at a safe temperature.
  • Backup power supplies – servers need to keep running even if the main power grid unexpectedly goes down.
  • Employing advanced security methods – this includes CCTV surveillance systems and technologies to ensure that hardware and people don’t enter or exit the center without approval, such as using trap rooms with biometrics and limited security access, single-entry doors (only one person allowed in at a time), server cages that enclose, protect, and segregate servers with sensitive data and equipment, metal detectors, etc.
  • Securing facilities – this includes employing guards and installing protective measures like bulletproof glass, high-impact crash barriers, weatherproofing, fire suppression systems, etc.

Your Hosting Company

Focusing on areas like server speed and reliability or recommending companies based on plan pricing, affiliate commissions, and reseller incentives without prioritizing security can put your clients’ sites at risk.

Performance factors and economic benefits should not be discounted, but it’s also important to evaluate your host’s commitment to security.

95% of breached records in 2016 came from three industries and technology was one of them (government and retail were the others). Companies that store a high level of personally identifiable information (PII) in their records are very popular targets. So, it’s important to know how your hosting company stores data and what active and passive security measures are in place to protect it.

Some hosting options are more secure than others. We have written a detailed guide on different types of hosting, including which types are more secure and how to choose the right type of hosting for your needs.

Understanding the network redundancies in your host’s infrastructure is also important. What happens if a network server or a router fails or a component is breached and hacked into? How are your sites isolated and protected from network incidents and service disruptions caused by security breaches?

When evaluating a host, find out what kind of security measures are built into their hosting management and servers. Does your plan include a server-side web application firewall (WAF) that blocks malicious requests before they reach your sites, features for protecting data in transit such as SSL and SFTP, and a CDN?

What about file scanning, dedicated IPs, two-factor authentication (2FA), nightly backups and one-click restores, and a secure staging area for developing client sites, performing maintenance updates, and installing or testing new applications without leaving your websites vulnerable and exposed to attack?

Also, if despite all security measures, your site ends up being compromised, what kind of security guarantees and support does your web host offer?

Here at WPMU DEV, for example, we not only offer affordable, blazing fast, and secure managed WordPress hosting, but we also provide members with a dedicated 24×7 helpdesk for all WordPress-related issues (including security) and we’ll help you clean your hacked sites. We also provide extensive documentation covering all of our hosting security features.

If you’re serious about protecting your sites from hackers, you should expect nothing less than a total commitment to web security from your hosting provider.

Mitigating Risks from Third-party Sources

Although WordPress is a secure platform, it’s hard to avoid using third-party plugins, themes, and integrations with other platforms.

Any vulnerability in a third-party solution can open the door to hackers and lead to a compromised website.

To minimize risk when using third-party solutions, only download plugins and themes from trusted sources, use reputable third-party platforms in your site integrations, and always keep your WordPress site up to date.

An excellent resource to check before installing any third-party solutions is the National Vulnerability Database.

For example, while writing this article, I did a quick search of the database on “WordPress” and over 3,000 results popped up, many listing vulnerabilities in WordPress plugins and themes (I also ran a search on “WordPress themes” which brought up 180+ theme vulnerabilities).

National Vulnerability Database: search it for vulnerabilities in plugins, themes, and third-party software.

(As a point of interest, when we wrote an article about searching for WordPress vulnerabilities almost a decade ago, we looked at eight years of previous data and found that security vulnerabilities reported for WordPress core were trending downward, but issues reported for 3rd-party plugins were trending upward. We plan to revisit this in the near future and we’ll report our findings here, so watch this space!)

Mitigating Risks from Internal Processes

To keep things simple, let’s divide everyone into two groups:

  1. People you outsource services to (e.g. other web developers, remote workers, etc.)
  2. People you provide services to (e.g. your clients) – we’ll address this group later.

Suppose you own a web development agency and you employ/outsource other people. Every person in your business is a potential security threat. Your partners, staff, outsourced contractors, remote workers…and — from your client’s perspective — even you!

For example:

  • You outsource technical work to someone with such high-level skills that no one else can understand or figure out what they are doing.
  • Someone in your team with network access has been careless with a password or an email attachment.
  • A remote worker with access to your systems and data is working from an unsecured wi-fi location.

In the introduction section, I pointed out that:

  • 64% of companies have experienced web-based attacks.
  • 43% of cyber attacks target small businesses.

Do the maths and you will quickly realize that some of your clients are bound to experience a cyber attack.

For example, if you are looking after 10 small business client sites, there’s a good chance that 2 or 3 of those websites will be targeted by hackers (10 × 64% = 6.4 sites; 6.4 × 43% = 2.75 sites).

To reduce the probability that your business is responsible for client sites going down, it’s important to develop and implement internal security policies and guidelines covering areas like:

  • Passwords & Accounts – This includes specifying how often passwords should be changed, setting expiring passwords and accounts, revoking access for employees who leave or are terminated, archiving, storing, and deleting stale data and sensitive information, etc.
  • Use of BYOD (Bring Your Own Device) equipment – Do you allow staff, outsourced, or remote workers to use their own phones and laptops? If so, what security measures can you implement to store and handle proprietary data and client information on their devices securely? What happens if they delete important data accidentally or maliciously from your systems or server? Do you have a Mobile Device Management (MDM) policy giving you the power to wipe their devices clean remotely if their devices are stolen or lost?
  • Training – If you employ remote workers make sure that they know how to securely log in and work remotely. Also, consider implementing training programs for employees, especially those in roles that are vulnerable to cyberattacks, and give them options to develop preventative and defensive skills and understand security best practices.
  • Periodic Reviews & Evaluations – Just like software, the security of your business also needs to be reviewed, revised, and updated on a regular basis. Conduct periodic assessments of your internal security practices and policies to identify and patch up any weaknesses.

For additional tips on implementing security practices in your business or work environment, check out this great list of cybersecurity tips.

Now that we have looked at threats that can allow hackers into your business, let’s look at protecting ourselves from threats that can allow hackers into your website.

2. Defence is Your Only Plan of Attack

You’ve done all you can to mitigate security risks from external threats. You’ve chosen a web host that takes security seriously and runs servers from a data center more secure than Fort Knox. You only install third-party plugins and themes from reliable and trusted sources and integrate with established third-party platforms. Your workplace has implemented best security practices.

All that’s left now is to build amazing WordPress sites for your clients and make sure they’re impregnable fortresses to hackers.

Consider this quote from Sense of Security, a leading IT security firm on the escalation of the cybersecurity arms race:

Just as the advancements in technologies help security professionals identify and neutralise potential threats more effectively, it also provides the tools for hackers to undertake larger, more complex attacks. And these attacks are evolving faster than our defences can keep up.

Web security is not just a classic case of good guys vs bad guys, it’s also good guys training bad guys to become even badder guys!

As a web developer focused on building websites and not “cybersecurity weapons”, the best you can do is try to keep up and defend as well as you can.

The more you know and understand about security-related issues, the better you will be able to defend sites from cyberattacks, hackers, malicious bots, etc.

To help you with this, we have written many in-depth articles and step-by-step tutorials on WordPress security and how to harden WordPress sites.

So, in this section, I’ll just provide you with a list of articles and tutorials that will turn you into a WordPress security pro.

If You’re a New WordPress Developer

If you’re just starting out as a web developer, we recommend checking out some of our hosting tutorials related to security, like understanding server file permissions, SSL, and WAF.

Also, make sure you understand why hackers want to target your WordPress site and how to scan a WordPress site for malware.

If your client has a small budget, check out how to secure a WordPress site for free.

We also recommend getting these quick and easy WordPress security vulnerability fixes into your tool belt.

Once you’ve got the basics covered, it’s time to…

Become A WordPress Security Pro

Start by checking out our Ultimate Guide To WordPress Security.

Next, go through our checklist for securing a WordPress site, checklist for making your site hacker-proof (with a downloadable PDF so you can tick off the boxes), and our guide to security resources for WordPress.

Also, check out our WordPress security expert interview (coming real soon!) for some great tips on what WordPress security experts do to keep their clients’ sites safe and protected from hackers and malicious threats.

As part of developing your security expertise, make sure to also become familiar with resources like our DDoS protection guide and how to test your WordPress site security.

And if your site has been hacked, make sure to head over to this post and learn how to clean up a hacked WordPress site.

Use Defender for Smart WordPress Security

As stated earlier,

“There is a hacker attack every 39 seconds.”

If you don’t believe these statistics, you can confirm this yourself by installing our WordPress security plugin, Defender.

Defender sends out a notification and logs every time someone tries to hack your site.

Defender lockout notification: hackers keep knocking, and Defender keeps blocking.

Defender blocks hackers at every level and adds layers of protection to your site. With just a few clicks, your WordPress site is protected from brute force attacks, SQL injection, cross-site scripting (XSS), and many other WordPress vulnerabilities and hacks.

Defender also runs malware scans and antivirus scans and provides IP blocking, firewall, activity logs, security logs, and two-factor authentication login security.

And that’s just the free version of the plugin.

Check out our Defender WordPress security plugin tutorials to see everything that this plugin does and to learn how to easily configure it on your clients’ sites (tip: our WordPress management console The Hub makes it even easier and faster to install and configure Defender on multiple WordPress sites.)

3. Securing 95% of Vulnerabilities Against Hackers

As I stated earlier,

“95% of cybersecurity breaches are caused by human error.”

Choosing a super-secure web host is not a problem. (You can do this with one click here.)

Implementing internal security processes in your business takes some effort, but it’s also not a problem.

Hardening WordPress security…not a problem either. You can find everything you need to know to make WordPress impenetrable to hackers right here on this site.

The main challenge when it comes to preventing hackers is how to make sure people don’t make errors when “to err is human.”

If you can figure that one out, you’ll have protected your clients from 95% of all security vulnerabilities on the web and put hackers permanently out of a job. ;)

Until this happens, however, you’ll just need to be patient with people. Help them implement good security practices and develop better online safety habits, starting with basic things like password security, avoiding email phishing scams, etc.

Also, encourage your clients to implement good security policies in their workplace and train and educate them as best as you can on ways to become more aware of threats and how to reduce security risks.

Netflix Scam Email
All the WordPress security hardening in the world can’t stop hackers if your clients are falling for email phishing scams.

Remember that in the end, no matter what we do, we are all human and we are all going to make mistakes at some point or another.

Also, everyone in the world has problems. Addictions, resentments, job dissatisfaction, greed, opportunism, and disgruntled personalities can manifest at any time in the work environment and these can become a potential security threat too.

So, unless your clients are perfect human beings without problems, you’re still left with 95% of security vulnerabilities to deal with.

The Best You Can Do To Not Get Hacked

Web security threats are multidimensional and cybersecurity is an escalating arms race, so hackers will always have new opportunities to identify weaknesses and vulnerabilities on many levels.

The best you can do to not get hacked is to do your best.

Mitigate as many of the risks as you can, implement best security practices at every level, keep learning and improving your knowledge of web security, stay vigilant, and help your clients do the same.

If you need expert help with anything WordPress-related contact our 24/7 support team. We’re the good guys fighting on your side.

Small App (created using Vb6.0) Exe file not working.

I have a small app created using VB6.0 almost 20 years ago; due to some PC problem it was deleted. I have managed to locate the Exe file and access the Mdb files. I have tried to use it on a new PC but it is giving the following error messages.
frmkunde Form Load:fehlernr13 Type mismatch
After pressing OK I get another error, as below:
380 invalid property value
Your support is appreciated.

ElasticPress.io Service Considers Next Move after Elasticsearch Abandons Open Source Licensing

Elastic, maker of the search and analytics engine Elasticsearch, has re-licensed its core products so that they are no longer open source. The company is moving new versions of both Kibana and Elasticsearch from the Apache 2.0 license to be dual-licensed under the Server Side Public License (SSPL) and the Elastic License, neither of which meets the Open Source Definition.

In a post titled “Amazon: NOT OK – why we had to change Elastic licensing,” Elastic blames Amazon for the license change:

Our license change is aimed at preventing companies from taking our Elasticsearch and Kibana products and providing them directly as a service without collaborating with us.

Our license change comes after years of what we believe to be Amazon/AWS misleading and confusing the community – enough is enough.

Elastic claims AWS’s behavior has “forced” the company to abandon its open source licensing, citing examples of what they perceive to be “ethically challenged behavior.” In 2019, Amazon created an Open Distro for Elasticsearch, and Elastic claims they used code copied by a third party from their commercial code, further dividing the community.

As a result of the license change, Amazon announced its intention to officially fork Elasticsearch and Kibana, with plans to roll the forks into its Open Distro distributions:

Our forks of Elasticsearch and Kibana will be based on the latest ALv2-licensed codebases, version 7.10. We will publish new GitHub repositories in the next few weeks. In time, both will be included in the existing Open Distro distributions, replacing the ALv2 builds provided by Elastic. We’re in this for the long haul, and will work in a way that fosters healthy and sustainable open source practices—including implementing shared project governance with a community of contributors.

The Open Source Initiative (OSI) reacted to the news of the license change, calling the SSPL a “fauxpen” source license:

Fauxpen source licenses allow a user to view the source code but do not allow other highly important rights protected by the Open Source Definition, such as the right to make use of the program for any field of endeavor. By design, and as explained by the most recent adopter, Elastic, in a post it unironically titled “Doubling Down on Open,” Elastic says that it now can “restrict cloud service providers from offering our software as a service” in violation of OSD6. Elastic didn’t double down, it threw its cards in.

Elastic’s license changes may affect a few companies in the WordPress ecosystem that are redistributing Elasticsearch as a commercial offering. 10up, creators of ElasticPress, by far the most popular Elasticsearch plugin for WordPress, also runs the ElasticPress.io SaaS platform. More than 6,000 sites are using the open source plugin, but the company said these users will not be affected.

“No matter what this won’t affect the EP plugin,” 10up vice president of engineering Taylor Lovett said. “I would say the news is definitely discouraging and not a great look for Elastic.”

10up launched ElasticPress.io in 2017 and Lovett says it has become “an active part of the business with a plethora of customers,” and continues to grow. The company is currently seeking legal advice on how Elasticsearch’s licensing change will affect the ElasticPress.io service. Since previous versions of Elasticsearch remain open source, the company has time to figure out a new way forward.

“Right now we really don’t know what’s going to happen,” Lovett said. “There is no rush for us to upgrade ElasticPress.io to Elasticsearch 7.11+ so we have plenty of time to decide how to address the issue.”

Lovett confirmed that 10up is considering using the Amazon fork as an option but has not made a decision on the matter yet.

“I will say this does affect the end user in a way that they may end up having to choose between different flavors of Elasticsearch,” Lovett said.

“For example, you may need to decide if you want the official Elastic distribution or if you want to go with AWS’s fork.”

Unfortunately, for businesses that built services on top of redistributing the previously open source Elasticsearch, Elastic’s creators have gone back on the promise they made in 2018 to never change the license of any of the Apache 2.0 code of Elasticsearch, Kibana, Beats, and Logstash projects. As a consequence, Amazon has emerged as the one to drive the truly open source option for Elasticsearch and Kibana for the future.

“Elastic’s relicensing is not evidence of any failure of the open source licensing model or a gap in open source licenses,” the OSI board of directors stated in a recent post on the matter. “It is simply that Elastic’s current business model is inconsistent with what open source licenses are designed to do. Its current business desires are what proprietary licenses (which includes source available) are designed for.”