
Understanding Your WordPress Risk from the PHP Mailer Vulnerability

News, WordPress Guides, WordPress Security | No Comments

So nearly 3 weeks ago, we started hearing about the vulnerability within the PHP Mailer library that’s also used within the WordPress Core.

And everyone ran for the hills with their hair on fire (again).

Was this a critical security vulnerability? Yes.
Was WordPress susceptible? Actually, no.
So was it necessary to lose the plot and wet ourselves? No.

Anybody that pays attention to WordPress core security releases will know that when there’s a serious security vulnerability in the core, it gets patched pretty damn quick. There’s no messing around.

But isn’t it odd that WordPress didn’t get patched immediately following the announcement of this PHP Mailer vulnerability? Why haven’t the Core team released a security patch already?!

When something in life is weird, it’s probably not weird – you likely just don’t know all the pertinent information yet.

So it’s not odd. Why? Because, from WordPress themselves:

The Security Team has spent some time analysing this vulnerability, and how it applies to WordPress. This vulnerability does not appear to be directly exploitable in WordPress Core, or any major plugins in the plugin directory. The wp_mail() function, which WordPress Core and most plugins use for sending email, blocks this vulnerability from being exploited.

Unfortunately, when a “security” expert posts on Facebook, or anywhere else for that matter, it doesn’t mean it’s worth getting upset about. Now they may say “we’re not trying to alarm you” and other nice stuff, but unless there is a reason that goes beyond “making you aware”, it’s probably not going to help you at all.

Better Automatic WordPress Updates

iControlWP: Manage WordPress Better, News, WordPress Security | 3 Comments

Automatic updates have been available to us in WordPress since version 3.7.

They serve us well and ensure that WordPress sites don’t get left behind on security patches.

At the time, we saw the huge benefit in this. So we gave our clients the option to tune automatic updates from within iControlWP. Yet another first for multiple WordPress management 😉

But over time we’ve seen that there are “issues” with the automatic updates system. We’ll cover some of these here and outline what we’re doing about it.

Tired of the WordPress Updates Hamster Wheel

WordPress Update Notifications that let you be Proactive instead of Reactive

iControlWP: Manage WordPress Better, News | 3 Comments

We’re making it easier for admins to stay on top of critical WordPress updates with Update Notifications.

We want to help you get off the WordPress updates hamster wheel:

… update → check for updates → test → update → check for updates → …

In this quick article we’ll outline what’s coming, how it helps you, and how you can get your hands on it.

WordPress updates find you, not the other way around

The idea that we need to keep plugins and themes up-to-date isn’t news to you. This is even more critical with security vulnerabilities that demand prompt action.

It’s a little bit like playing whack-a-mole… Lucky you!

Half the battle is just knowing the updates exist. So you log into each site to check. Or you use iControlWP, which makes it easier to see and perform your updates in bulk.

But you still have to go looking for the updates in the first place.

Well, not any more…

With our new Update Notifications add-on, you can be informed of updates on your schedule.

Proactive vs Reactive – The Notification Advantage

I’m a huge Tim Ferriss fan (with perhaps one of the best podcasts available today!). He advocates several productivity principles that I try to subscribe to.

One such principle is “batching”, where you group similar tasks together. E.g. instead of handling emails throughout the day, you review and answer them less often, at certain fixed times of the day.

WordPress updates should be treated in the same way. Instead of repeatedly checking for updates, you only do them at a fixed time of the day or week.

Update Notifications facilitate this approach perfectly. They let you pick a time of the day to be notified of updates, if there are any, and jump into it. When you’re done, you leave it until the next notification arrives. This means:

  • less time spent checking for updates
  • less distraction and loss of focus on your core work
  • greater productivity, quality, and higher efficacy in your core work
  • … greater happiness! 😀

Greater happiness? Of course! If you spend less time on menial tasks, and more time doing the work you love doing, the better off you’ll be. 🙂


W3 Total Cache XSS Vulnerability – You’re Protected With Shield

News | No Comments

So a few days ago ‘Zerial’ reported a Cross-Site Scripting (XSS) vulnerability in the hugely (un)popular W3 Total Cache plugin for WordPress.

The plugin’s original author hasn’t been around much, it seems, and everyone and their cat is recommending you go and find a new caching plugin. You’d be forgiven for mistaking it for the End Times.

The problem with this “new caching plugin” solution? There are several …

  • What if W3TC works just fine for you? (It works just fine for us.)
  • What if you value your time and you don’t actually live to manage your WordPress sites?
  • What if, like many of our clients, you don’t just have 1 site to fix? Perhaps you have 5… or even 50, or 200?

Are you gonna go to each site and install/setup/configure a new caching plugin just because of this iddy-biddy vulnerability?

Well we aren’t. And if W3TC works just fine for you, we don’t recommend you do that either.

So if we’re not going to get a new caching plugin, what are our options?

Solution: Simply Block the XSS Vulnerability Altogether

We read the original report from Zerial to understand it. It seems pretty straightforward.

You have to realise that while this is a potentially serious vulnerability if you’re impacted, the chances of that happening are slim. You don’t need to stress too hard about it, and don’t listen to the scaremongers. But you should protect yourself and your site owners nonetheless.

What if we could just block the possibility that the XSS vulnerability ever gets a chance to run on your site? Wouldn’t that be cool? Wouldn’t that save you a massive ton of time?

That’s just what we’ve done.

With Shield Security v5.5.1 and the ‘Hack Protection’ module enabled (which it is by default) you are protected against this security vulnerability. How? We just block the page from loading. Easy.

No new caching plugins; no wasted time.

DIY Solution?

Don’t worry – if your WordPress security plugin provider hasn’t bothered to supply you with this simple fix, and you don’t want to use our free Shield plugin, we won’t force you. But we still think you should ;D

Here is what you need to do on your site to solve this security problem.

    1. Open up the functions.php for your currently active theme in your favourite PHP editor.
    2. Find a suitable spot for your new code: you can put it at the beginning, or at the end.
    3. Copy and paste exactly the code below, then replace your functions.php on your server. (Of course, make sure you back up your functions.php in case you mess this up a little. Don’t worry, it happens to all of us!)

       // Only act while the affected W3 Total Cache versions (0.9.4.1 and earlier) are installed.
       if ( defined( 'W3TC_VERSION' ) && version_compare( W3TC_VERSION, '0.9.4.1', '<=' ) ) {
           // The vulnerable page is selected via the 'page' query parameter in wp-admin.
           $sShieldW3tcPage = isset( $_GET[ 'page' ] ) ? $_GET[ 'page' ] : '';
           if ( $sShieldW3tcPage == 'w3tc_support' ) {
               // Stop the request here so the support page never renders.
               wp_die( 'Access to W3 Total Cache support page is disabled due to XSS.' );
           }
       }

    4. The Pros among you will want to wrap it up in a function, and hook it into an action, or perhaps take it out to dinner. But it doesn’t matter; it’ll work anywhere so long as it runs before the page itself gets rendered. If you put this at the beginning of your functions.php, you’ll be fine.
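Step 4 suggests wrapping the snippet in a function and hooking it into an action. Here is one way to do that, as an added example that is not Shield’s own code and not part of the original post: the function name example_block_w3tc_support_page and the choice of the admin_init hook are assumptions made for this illustration; the W3TC_VERSION constant, the 0.9.4.1 cut-off and the w3tc_support page slug are taken from the snippet above.

```php
<?php
/**
 * Added example (not Shield's code): the W3TC support-page block from step 3,
 * wrapped in a function and hooked into 'admin_init', which fires on every
 * wp-admin request before the requested page's own code is loaded.
 *
 * Assumptions: the function name and the 'admin_init' hook are choices made
 * for this example; the constant, version cut-off and page slug come from
 * the snippet in step 3.
 */
function example_block_w3tc_support_page() {
    // Do nothing unless W3 Total Cache is active and at or below the affected version.
    if ( ! defined( 'W3TC_VERSION' ) || version_compare( W3TC_VERSION, '0.9.4.1', '>' ) ) {
        return;
    }

    // Read the requested admin page slug; strip slashes and sanitise before comparing.
    $page = isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';

    // Strict comparison: only the exact 'w3tc_support' slug is blocked.
    if ( 'w3tc_support' === $page ) {
        wp_die(
            'Access to the W3 Total Cache support page is disabled due to an XSS vulnerability.',
            'Access denied',
            array( 'response' => 403 ) // HTTP status so the block shows up clearly in server logs
        );
    }
}
add_action( 'admin_init', 'example_block_w3tc_support_page' );
```

Because admin_init runs before the page-specific admin file is loaded, this satisfies the “runs before the page itself gets rendered” requirement from step 4 regardless of where in functions.php you place it. The 403 response code is optional, but it makes the blocked requests easy to pick out when you review your web server logs.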

Thoughts? Suggestions?

We aim to make your WordPress management life easy. Both Shield Security and iControlWP deliver this in spades.

If we can save you time and effort, such as installing/buying a brand new caching plugin, we will. After all, it saves us time and effort too 🙂