WordPress 4.7 vulnerabilities – update now to avoid hack

I was recently alerted by a client about a hack that was the result of running WordPress version 4.7.  This particular instance was a pretty harmless hack, which was identified as a defacement (MW:DEFACED:01) “generally done for fun, political reasons and by script kiddies.” A blog post was edited with the text “Hacked by Imam” overwriting the original content of the post. Searching for the hack message on the Internet turned up thousands of results, and after a little research I learned that the site was hacked because of a WordPress vulnerability.

The WordPress 4.7 release was a major milestone bringing many new features, and one that has many developers very excited.  WordPress now has a REST API (also known as the JSON API), which makes it a fully-fledged application framework.  This means that you can use WordPress to build applications.  However, a severe content injection vulnerability has been discovered in the REST API that allows unauthenticated users to modify the content of any post or page within WordPress. An update patch was released to fix the vulnerability. If you haven’t updated yet, you should do so immediately.

More details on the security patch and vulnerabilities: WordPress 4.7.2 Security Release

Beyond the vulnerabilities found in the new WordPress version, the REST API could have other potential weaknesses because it exposes some sensitive data that attackers can use against your site, including user names.

Rest API JSON Response Using Postman

If you’re not using the REST API, it’s recommended that you disable it, which you can easily do so by installing this plugin Disable REST API.

WordPress REST API vulnerabilities
JSON response from domain.com/wp-json/wp/v2/users using a web browser

How Do I Know the REST API is Enabled?

You can tell that the REST API is enabled by looking at your site in a browser.  After the URL, append “/wp-json/wp/v2”.  So an example would be http://example.com/wp-json/wp/v2

If you see a bunch of text, which is actually a JSON string, then it’s enabled.  Otherwise you should see the following text.

{"code":"rest_disabled","message":"The REST API is disabled on this site."}

Conclusion

WordPress 4.7 has some vulnerabilities, and there are two simple things you should do to remedy them.  First, make sure you’re running the latest version of WordPress (4.7.2 at the time of this writing), and second, disable the REST API.
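Both items in this conclusion can be checked from a script instead of a browser when auditing a site you administer. This is an added example, not code from the original post: it reads the version from WordPress’s default generator meta tag (assumed still present; hardened sites often remove it) and classifies the reply to /wp-json/wp/v2 using the rest_disabled response shown above.

```python
import json
import re
import sys
import urllib.request
from urllib.error import HTTPError

PATCHED = (4, 7, 2)  # first release carrying the REST API content-injection fix
# Assumption: the default generator tag is still emitted (many hardened sites remove it).
GENERATOR = re.compile(r'<meta name="generator" content="WordPress ([\d.]+)"')

def parse_version(html: str):
    # Return the WordPress version from the generator tag as a tuple, or None
    m = GENERATOR.search(html)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def rest_state(status: int, body: str) -> str:
    """Classify the reply to GET /wp-json/wp/v2: 'enabled', 'disabled' or 'unknown'."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unknown"  # HTML, empty or a bare list: no wp/v2 index answered here
    if data.get("code") == "rest_disabled" or (status != 200 and "code" in data):
        return "disabled"  # core's rest_disabled reply, or a plugin's error object
    if status == 200 and "routes" in data:
        return "enabled"  # namespace index listing the wp/v2 routes
    return "unknown"

def assess(version, state) -> list:
    """Map the two checks onto the post's two remediation items."""
    findings = []
    if version is not None and (4, 7) <= version < PATCHED:
        findings.append("WordPress %s is affected; update to 4.7.2 or later"
                        % ".".join(map(str, version)))
    if state == "enabled":
        findings.append("REST API answers anonymous requests; disable it if unused")
    return findings

def fetch(url: str):
    # GET url, returning (status, body) even for error statuses such as 404
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    site = sys.argv[1].rstrip("/")  # e.g. http://example.com, as in the post
    _, home = fetch(site + "/")
    status, body = fetch(site + "/wp-json/wp/v2")
    print("\n".join(assess(parse_version(home), rest_state(status, body))) or "no findings")
```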

Fancy Grid Portfolio just Published to WordPress.org

Just wanted to share my new WordPress plugin that’s now published at WordPress.org. The plugin is super easy to use and is great for creating a portfolio page on the fly. I’ve set up a demo page with full details.

Fancy Grid Portfolio Demo: https://www.sinawiwebdesign.com/wordpress-plugins/fancy-grid-portfolio/

Fancy Grid Portfolio @ WordPress.org: https://wordpress.org/plugins/fancy-grid-portfolio/

Dynamic Pricing Shopping Cart for Bullion and Coin Seller

Integrate Dynamic Pricing Shopping Cart into Existing Product Catalog Application

This dynamic pricing shopping cart was a special project that required adding a shopping cart to an existing website/application with a product catalog.  To minimize the work of adding shopping cart capability without disturbing the existing code, I carefully injected code into the product page to add quantity input fields and a checkout button. Product prices are based on a spot price data feed, so prices are dynamic and are updated every minute. Once the user enters quantities for products and clicks the Checkout button, the user is redirected to another page (on a separate domain) where the transaction is completed.

  • Manipulate the page by injecting code to add a column to the products table. The column includes a quantity input field.
  • Dynamic pricing shopping cart – the latest spot prices are parsed from the page (top left of the page) and the price basis is added for each product (see image for diagram).
  • Add a Buy Now button. When the button is clicked, the script parses the page to get the product list with quantities and prices, serializes the data and sends it to the processing script.
  • The processing script creates an Advanced Product String with all the product details and redirects the user to a secure payment gateway, where he can enter his payment information to complete the transaction.

Technologies used: PHP, jQuery, Ajax, HTML, CSS, Shopping Cart API

Top 10 Essential WordPress Plugins

I’ve compiled a list of my top 10 most essential plugins that came from the experience of installing, testing and uninstalling dozens of plugins, and finding a small handful of plugins that make managing a WordPress site fast, easy and efficient. This list is somewhat different from most of the top 10 WordPress plugins posts you might read because apparently these bloggers are just reading and writing about plugins, and not applying them to their profession and using them for their clients’ sites as I do.

I feel like I’m giving away my trade secrets by writing about this. Most of these plugins are installed on all my WordPress sites whether I build a WordPress theme from scratch or build a website using a pre-built theme. Here’s my top 10 essential WordPress plugins and a brief description of each.

Akismet

Akismet - WordPress Plugin for Filtering Comments Spam


If you enable comments on your pages or posts, it’s only a matter of time before you start getting bombarded with massive amounts of spam. Akismet is a plugin that filters comments. It costs about $5/mo and is well worth it!  This plugin comes pre-installed in WordPress, so all you have to do is enable it and sign up for an account.

Download the Plugin Here

Duplicate Post

Duplicate Post - WordPress Plugin to Duplicate Post with One Click!

This seems like it would be a native feature of WordPress. Joomla and other CMSs already have “Duplicate” or “Copy” built into the UI. With the Duplicate Post WordPress plugin, you can clone a post or page, or edit it as a new draft with one click! It’s a must have for me and is installed on all my WordPress sites.

Download the Plugin Here

Quicktag Extender

Quicktag Extender - A Must Have WordPress Plugin for All Websites


If you like working in code view as I do, then Quicktag Extender is another must have. This plugin adds more buttons to the non-visual editor view for creating/editing posts/pages.

Download the Plugin Here

Redirection

Redirection - A WordPress Plugin for Setting up 301 Redirects

Whenever you change a URL, you should always set up 301 redirects, or you’ll get 404 errors from search engine spiders and browser favorites, which has a negative effect on SEO of your website. You can set up 301 redirects manually by editing your .htaccess file, but if you don’t know how to use .htaccess files or have frequent or multiple redirects to set up, manually editing the .htaccess can get tedious and time consuming. The Redirection plugin allows you to set up 301 redirects without having any knowledge of Apache .htaccess files. Redirection is a WordPress plugin to manage 301 redirections, keep track of 404 errors, and generally tidy up any loose ends your site may have. This is particularly useful if you are migrating pages from an old website, or are changing the directory of your WordPress installation.

Download the Plugin Here

WordPress SEO by Yoast

WordPress SEO by Yoast

WordPress SEO by Yoast is the best SEO plugin I’ve found and is a must have for all my WordPress sites. Not only does it allow you to manage keywords for pages and posts through page titles and meta descriptions, but it’s also loaded with lots of advanced features like Page Analysis that gives you the ability to measure your SEO performance and write better content.

Download the Plugin Here

Manually Move WordPress Site to New Domain Name


I get this question a lot. “I moved my WordPress site from another host and now it’s redirecting to the old domain. What’s the problem?” Even though you change your domain name in the configuration file, references to the old domain name or location will remain in the database, and that can cause issues with links or theme display.

If you move your WordPress site or change your domain name, you have to change it in several places, not just the WordPress configuration file (wp-config.php). WordPress stores your domain name in multiple database tables as well. So you need to find all references to the old domain name and replace them with the new domain.

Here’s a list of simple steps to fix the redirect problem:

  1. Export your database to an SQL file using phpMyAdmin or some other database management tool. Make sure you select an option to “drop table if exists,” otherwise you’ll get errors when trying to re-import your SQL file.
  2. Open the SQL file in your favorite text editor and replace all instances of “http://old_domain.com” with “http://new_domain.com” in the entire document using the Find and Replace tool. I use Notepad++. It’s a great text editor and it’s free.
  3. Save your changes and close the file.
  4. Import the edited SQL file using the phpMyAdmin tool or some other database management tool.
  5. And finally, edit wp-config.php replacing the old domain with the new domain.

That’s it! Your redirect problem should be fixed.
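One caveat on step 2: some values in wp_options (widget settings, theme mods, many plugin options) are stored as PHP serialized data, where every string carries its byte length, for example s:21:"http://old_domain.com". A plain find-and-replace to a domain of a different length leaves those lengths wrong and WordPress silently discards the value. This added example (not part of the original post) is a length-aware replacement for such values, meant to run on the raw column value rather than the escaped SQL dump; the sample value is constructed.

```python
import re

# Header of a PHP-serialized string: s:<byte length>:"  (the bytes are followed by '";')
SER_STR = re.compile(rb's:(\d+):"')
# PHP serialized values start with a type tag: a: (array), O: (object), s: (string)
SERIALIZED_PREFIX = re.compile(rb'^(?:a|O|s):\d+:')

def replace_in_serialized(value: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new inside every s:N:"..." string and recompute each N."""
    out = bytearray()
    i = 0
    while True:
        m = SER_STR.search(value, i)
        if m is None:
            out += value[i:]
            return bytes(out)
        n = int(m.group(1))
        start, end = m.end(), m.end() + n
        if value[end:end + 2] != b'";':
            # N does not land on a closing quote: not a real string header
            # (or data already corrupted by an earlier naive replace); keep as is.
            out += value[i:m.end()]
            i = m.end()
            continue
        body = value[start:end].replace(old, new)
        out += value[i:m.start()] + b's:%d:"%s";' % (len(body), body)
        i = end + 2

def replace_url(value: bytes, old: bytes, new: bytes) -> bytes:
    """Domain replacement for one stored value, length-aware when it is serialized."""
    if SERIALIZED_PREFIX.match(value):
        return replace_in_serialized(value, old, new)
    return value.replace(old, new)

def lengths_consistent(value: bytes) -> bool:
    """Quick sanity check: every s:N:"..." header is followed by N bytes and '";'."""
    for m in SER_STR.finditer(value):
        end = m.end() + int(m.group(1))
        if value[end:end + 2] != b'";':
            return False
    return True

if __name__ == "__main__":
    # Constructed sample resembling a theme_mods-style wp_options value
    sample = b'a:1:{s:4:"home";s:27:"http://old_domain.com/about";}'
    old, new = b"http://old_domain.com", b"http://www.new_domain.com"
    print(lengths_consistent(sample.replace(old, new)))  # naive replace: False
    print(replace_url(sample, old, new))
```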


Alternative Method to Changing Domain Name or Moving WordPress Site

There are WordPress plugins designed to automate the process of moving a WordPress site, so you don’t have to do it manually.  Three of the most popular are WP Migrate DB, XCloner and Backup Buddy.

Prebuilt WordPress themes, WordPress Frameworks or Blank Themes – Which is Better?

When building a WordPress theme, determining what method to use is the first place to start. Developers will usually use one of three methods: Install a prebuilt WordPress theme and customize it to suit your needs, use a WordPress framework (like Genesis or Thematic) to build a child theme, or build a theme starting from a blank theme, like HTML5 Boilerplate. Which method you choose really depends on your experience level and what you’re trying to accomplish.

When I first started building themes, I used frameworks to take advantage of all the features of WordPress (widgetized sidebars, post featured image, custom menus, etc.) without having to write backend PHP code, because those features were already part of the framework. Coding is done mostly through filters, hooks and CSS.

As I became more experienced, I found I preferred to build WordPress sites starting with a “Blank” theme, because you have granular control of what you can do, a much smaller footprint, and it’s actually easier and faster to develop once you get used to it.

Prebuilt WordPress Themes

A prebuilt (AKA stand-alone, pre-made, or base/starter theme) WordPress theme is one that is already designed and developed, and just needs to be installed on WordPress before it’s ready to use. The advantage of using this method is it requires the least amount of time or experience. You can find a theme that is close to what you’re looking for, do some minor customization after installing the theme, and you have a complete website. Prebuilt themes usually have numerous theme options that let you change the theme to give it a completely unique look, which include different background colors, fonts, and adding a logo.

This method isn’t actually building a theme. Instead it uses a prebuilt theme that can be customized to be unique. But some developers will start with a prebuilt theme and use it as a framework to build their theme. There are dozens of great themes that are good for this, including Twenty Twelve and Responsive, to name a couple I’ve used as a framework. The issue with using a premade theme as a framework is that it’s very difficult to customize beyond what it was designed to do through its options panels, and writing CSS code often requires overriding the parent theme’s styles using long, complicated CSS specificity rules.

WordPress Framework

A framework is a sort of “drop-in” code library that’s used to facilitate theme development by extending the functionality of WordPress. To build a theme from a framework, you have to include the framework as a parent theme and then build a child theme that inherits the parent’s resources. There’s a learning curve for using frameworks because each framework has its own documentation for building themes through hooks, filters, and CSS rules. Once you learn a specific framework, building themes can be much easier than using a blank theme because it requires a lot less coding, which is great for people who want to build a quick theme and inherit page layouts, CSS styles, and widget areas from the parent theme. Because frameworks come with all these built-in features, they are usually bloated with lots of extra code and files, making it difficult to integrate your own custom code or troubleshoot if you have a problem.

Blank Theme

A blank theme is a stand-alone theme or “starter kit” designed to be used as a starting point for building a custom theme. Using a blank theme means you have to write your own WordPress backend code to handle features like a theme options panel or widgetized sidebars in your themes. But you can reuse your blank theme in all your projects to help avoid writing repetitive code.

The upside of using blank themes is that you have complete control of layout, design and functionality without having to strip out unnecessary code, or having to read documentation on how to use a specific framework through using hooks or parent theme CSS.

When I build themes, I start with layered PSD files from which I write markup. At this point, since I’ve already written HTML, CSS and Javascript, it’s easier converting the markup into WordPress using a blank theme. I can copy and paste most of my code directly into the blank theme with little modification, then add some code for custom menus, widget areas, support for post thumbnails, etc.

In my opinion, prebuilt themes are appropriate for low budget projects. You can find a theme that looks close to what your client wants, making only minor customizations. Using frameworks is okay if you don’t mind all the extra bloatware and don’t have a lot of custom code of your own to integrate. But if you want complete control of your theme’s layouts and features, and especially if you’re building your themes from layered PSD files, and like writing your own HTML markup as I do, then starting from a blank theme is by far the best choice.
