You escaped the end of the Mayan calendar and are no doubt looking forward to 2013. Your WordPress site, however, might not be so lucky. Doomsday could be right around the corner, lurking in the darkness of the internet, waiting to hack and exploit your /wp-admin area. Brute force login attempts and lousy passwords can make even the most sophisticated website susceptible to destruction. In an instant your site could be turned into a Canadian pharmacy or Russian dating site.
In June of 2011, my colleague Sarah Gooding wrote about a phpMyAdmin plugin that posed a HUGE security risk. Because of the security risk, this plugin was removed from the WordPress repository and it was recommended that everyone stop using it and remove it.
Now, there’s another dangerous plugin in the WordPress repository – Portable phpMyAdmin.
How Dangerous Is This Plugin?
I’m on a lot of marketing email lists, and I actually read a lot of emails. Recently, I received an email from a marketer and began reading the first line of the email. It read, “I didn’t sleep very well last night. No, it wasn’t because of a barking dog, a crying child, or my WordPress website had been hacked.”
Hopefully, you’ve never had your WordPress site or network hacked. Take my word for it though, you need to be ready because all it takes is one hack to put you out of business. For a long time, I wasn’t a cat that was big on WordPress security, mainly because I didn’t think anyone had reason to mess with me and I figured my hosting company and WordPress had that figured out.
Back in March of this year, I published The Top 100 WordPress Plugins For Your Site. It was a list of the most popular plugins available on WordPress.org, filtered and sorted by compatibility, freshness, and ratings.
As I expected, reactions to the post were a mix between, “This is a great resource — thanks!”, and “This is the worst post I have ever seen in my life — you are an awful human being”.
Or something similar to that anyway. I’m paraphrasing.
If you’re unable to install an SSL certificate on your web server or are just too cheap to buy your own ($10+ per year per website), you can still force all WordPress logins to use the secure HTTPS protocol.
Note: If you already have your own SSL certificate installed, all you need to do is use the FORCE_SSL_LOGIN wp-config.php constant. You don’t need this plugin.
How to set up the Https-SSL-free plugin
Install and activate the Https-SSL-free plugin.
Upon plugin activation, it will change your WordPress Site URL setting from http://example.com to https://example_com.1.com.ar and log you out.
Here’s a quick security and site management tool.
Wouldn’t you like to know if one of your installed plugins is no longer in the WordPress Plugin Directory?
A new plugin, No Longer in Directory, does just that.
It ignores plugins from other sources, like WPMU DEV.
It simply lists the names of the installed plugins, whether active or not, that are no longer in the WP Plugin Directory, as shown below:
Why Do We Care?
As stated on the plugin’s Description page:
Plugins can be removed for the following reasons:
they are found to break the GPL
they are found to break the directory rules
SMS Verification plugin from wedevs is a new plugin which adds member and user verification through SMS text messaging. It’s a great plugin to add an extra level of security and user verification, which works well with blogs set up as member sites, and is particularly useful for forum runners who need another level of spam deterrent.
The plugin works by hiding content behind a shortcode that is activated when the plugin is installed and configured.
According to security firm Sophos, a major malware campaign now underway is using insecure WordPress sites (sites that are not kept up to date and secured) to install harmful software on the computers of unwitting visitors.
The campaign works like this:
An email is sent to a random person with the subject line, “Verify your order.”
In the email is a link to a malware-infected WordPress site. (These are legitimate sites that have been compromised.)
Clicking on the link takes the person to the infected site, and an attempt is made to install malware onto the visitor’s PC by using the Blackhole Exploit Kit.
There are really two irritants (well, there are many, but these are the ones I am looking at today) for the website owner who is linking to something from their site. If you are offering a paid download, it can be easy for others to use your link to gain access to your downloadable products. If you are part of an affiliate marketing program, it is easy for people to be scared off by an intimidating and unusual looking affiliate link. Either way, you are out of a sale through no fault of your own. The best way to avoid those outcomes is to cloak your links so that their real paths are harder to guess and less intimidating. There are two great plugins below that can help you to do just that and then some.