Our servers are not vulnerable to the critical PHPMailer security bug CVE-2016-10033

Many scripts that send e-mail include a file called PHPMailer. The file is distributed as part of WordPress, Joomla, Drupal, and lots more software.

Recently, a security researcher discovered a security bug in PHPMailer. The bug could allow “hackers” to take over a website.

However, sites hosted on our servers are not vulnerable to this problem. (Despite that, you should always update your copy of WordPress, Joomla, or any other software when there’s a new version available.)

Read the rest of this entry »

WordPress 4.7

WordPress 4.7 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

Read the rest of this entry »

WordPress 4.5; built in editors

WordPress 4.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version (actually now version 4.5.1) for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

We’ve also modified our automatic installer to disable the built in theme and plugin file editor by default for new installations (existing installations are not affected).

This both improves security (many automated hacks and XSS attacks blindly try to use the editor) and avoids a problem we see happen often:

  • People think that the “Edit” link next to a plugin or theme will edit the settings of it, not the code of it, so they click it;
  • Then they see a weird screen of code and don’t know what to do, and they perhaps type something as an experiment;
  • That doesn’t help, so they click “save” to get out of the weird screen;
  • And WordPress completely stops working due to a PHP syntax error in what they typed.

We think the editor shouldn’t be enabled for most people. It should be enabled only by developers (and very brave developers who make good backups, at that). Developers can easily enable it by editing the wp-config.php file to remove the “DISALLOW_FILE_EDIT” line.

Update 2016-05-26: We have removed the customization that disabled the built-in theme and plugin editors because several customers said it is an integral part of their workflow. All new installations will have the standard theme and plugin editors functionality.

WordPress 4.4

WordPress 4.4 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

Preventing PHP scripts from running in /wp-content/uploads

We write a lot about how out of date WordPress plugins or themes can cause your site to get “hacked” due to security bugs.

Interestingly, many of these bugs have a near-identical flaw: They intentionally allow strangers to upload files to your site (intending to allow image uploads and so on), but they don’t sufficiently screen out malicious script files. The bugs allow a malicious PHP script somewhere under the site’s “/wp-content/uploads” directory, then the “hacker” simply runs that script in a web browser.

To help our customers, we’re doing something to minimize the impact of these security vulnerabilities: By default, we’re now blocking PHP scripts from running in “/wp-content/uploads”.

This will improve security because very few sites use this feature legitimately (and none should do so, really; relying on being able to run uploaded PHP scripts without moving them to a safe location is a security risk). Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.

Read the rest of this entry »

Cleaning compromised sites while moving them to Tiger Technologies

One issue we (unfortunately) have lots of experience with is fixing a WordPress site after we discover it’s been “hacked”. But while it’s one thing to try to clean a Web site after it got infected on our servers, it’s essentially impossible to try to clean a Web site that was infected on another server and is being transferred to our servers.

We have a page with more information, including:

  • why this is a problem, and the related risks of not fixing it
  • why the normal way of fixing a site isn’t sufficient
  • how to fix the problem

Protection against the WordPress “large comment” security bug

The authors of WordPress today released version 4.2.1 that fixes a critical security bug.

While upgrading is always a good idea, we’ve blocked the attack for all versions of WordPress on all sites that we host. We’ve also verified using our MySQL binary logs that no sites were attacked before we started the blocking.

Read the rest of this entry »

Protection against WordPress “Pagelines” and “Platform” theme security bugs

The researchers at Sucuri yesterday announced that they’ve discovered a critical security bug in the widely used Pagelines/Platform WordPress themes. If you use one of these themes or their many derivatives, “hackers” can easily take over your site unless you update the theme.

Since many of our customers use these themes, so we’ve added security rules to block attacks even if you haven’t updated. And we’re glad we did: our logs show that a large Chinese botnet started attacking every WordPress site we host last night, in alphabetical order (they’re currently up to domain names starting with “e”), testing whether each site is vulnerable to the bugs.

We’re again surprised to see how many customers are using versions of these themes that haven’t been updated in years. I know we sound like a broken record, but when WordPress offers to update something you’ve installed, you must update it if you want your site to stay secure.

Read the rest of this entry »

WordPress 4.1

WordPress 4.1 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

By the way, the new WordPress 4.1 Twenty Fifteen theme doesn’t display a default navigation menu, unlike earlier themes. To ensure you’ll always see a list of the pages on your site, our installer now adds a Pages widget at the top of the sidebar for new installations. If you later create a custom navigation menu, you’ll see two lists of pages in the sidebar. You can just delete the extra Pages widget if that happens to you.

Out-of-date WordPress sites will get hacked

I’m going to use annoyingly big type, on an annoying yellow background, because it’s important:

If you use WordPress, you MUST update your plugins and themes whenever you see that an update is available. If you don’t, your site will eventually be “hacked” because of a security bug in old software. The contents of your site will be replaced with something malicious, and your e-mail will be used to send offensive spam.

We have a page with more information, including:

  • why this is a problem
  • why it would happen to your site in particular
  • the two most common ways sites get hacked
  • the risks of not fixing it
  • the risks of inactive plugins and themes
  • the steps to update WordPress properly