Are You Leaving Your WordPress Website Vulnerable to Attack?


Do you have a WordPress website? If you do, you’re in good company. WordPress sites actually make up 14.7% of the Top 100 Websites in the world including TED, NBC, CNN, TechCrunch, People Magazine, the NFL, Best Buy, CBS Radio, and UPS to name just a few. In fact, according to a study published by whoishostingthis.com, 35% of the entire internet is powered by WordPress and according to W3techs, WordPress has 61.8% of the Content Management System (CMS) market share – more than all other systems combined. Not only that, but WordPress is STILL growing!

The question is, do you really need to update WordPress EVERY TIME there is a new update? Actually, yes – there can be huge costs to ignoring those update notifications on WordPress. You have to be proactive and make sure your WordPress site is updated regularly. There are several reasons why.

Why keeping your WordPress Site Updated Is So Important:

1. Security


Since WordPress is open-source, anyone can study the source code to learn from it and improve it. This is great and is the reason why WordPress has so many amazing free plugins. But it also means hackers can study the source as well and find ways to compromise WordPress websites. Updating to the latest version of WordPress closes vulnerabilities that may have been present in previous versions, which prevents hackers from using them to insert malicious code.

How do you know your website has been hacked?

Sometimes, it is subtle, like your email list grew ten-fold overnight. Or, your website resources are working at full capacity all of a sudden but you normally do not have that much traffic. You may find plugins installed that you never installed, or new users/administrators in your WordPress. Here are some more obvious examples of website hacks:

Your password has been changed without your knowledge:

Wordpress login screen

Your WordPress database cannot be found:

database error message

You get a redirect notice when going to your website:

redirect message

When googling your website, you receive this warning:

google website may be hacked message

You receive this warning when visiting your website (if you don’t have an SSL certificate and your site is not secure, this can be the issue. Read our blog post on Security Warnings for more information on this):

site may contain harmful programs message

Your website has been defaced (here are some examples of what that could look like):

Vogue website defaced; Utah Office of Tourism website defaced; Angry Birds website defaced

So, the saying “If it ‘ain’t broke, don’t fix it” simply doesn’t apply to WordPress sites.
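The subtler signs mentioned above (plugins you never installed, new administrators) are easiest to spot by comparing the site against a list of what you know you set up. The following is an added example, not part of the original post; it assumes the JSON output of the WP-CLI commands `wp user list --role=administrator --format=json` and `wp plugin list --format=json`, and the baseline, user names, dates and the `example-unknown-plugin` entry are constructed sample data.

```python
import json

# Constructed baseline: the admins and plugins the site owner knowingly set up.
BASELINE = {
    "admins": {"alice"},
    "plugins": {"akismet", "contact-form-7"},
}

# Constructed sample of `wp user list --role=administrator --format=json`.
ADMINS_JSON = """[
 {"ID": 1, "user_login": "alice", "user_registered": "2019-03-02 10:11:00"},
 {"ID": 7, "user_login": "wpsupport1", "user_registered": "2020-06-14 03:27:51"}
]"""

# Constructed sample of `wp plugin list --format=json`.
PLUGINS_JSON = """[
 {"name": "akismet", "status": "active", "update": "available", "version": "4.1.5"},
 {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.1.9"},
 {"name": "example-unknown-plugin", "status": "active", "update": "none", "version": "1.0"}
]"""


def audit(baseline, admins_json, plugins_json):
    """Return (kind, name, detail) findings for anything outside the baseline."""
    findings = []
    for user in json.loads(admins_json):
        if user["user_login"] not in baseline["admins"]:
            # An administrator nobody remembers creating is a strong warning sign.
            findings.append(("unknown-admin", user["user_login"], user["user_registered"]))
    for plugin in json.loads(plugins_json):
        if plugin["name"] not in baseline["plugins"]:
            findings.append(("unknown-plugin", plugin["name"], plugin["status"]))
        elif plugin["update"] == "available":
            # Known plugin, but running a version with a pending update.
            findings.append(("update-pending", plugin["name"], plugin["version"]))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(BASELINE, ADMINS_JSON, PLUGINS_JSON):
        print(f"{kind:15} {name:25} {detail}")
```
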

2. Bug Fixes


Despite the rigorous testing before updates are released, sometimes bugs may slip through the cracks. Bugs are errors in a computer program or system that make it behave in a way that the developer didn’t intend it to. Bugs can cause weird glitches or even make things crash. To make sure your website keeps running smoothly, it’s essential to implement these fixes, and with each WordPress update, bugs are addressed and fixed.

3. Performance and Features


WordPress is continually being improved. Each new release and update contains new features and performance improvements that allow your website to function better, with greater performance and speed. Better performance means better SEO, so you want to make sure your site is up to date to take advantage of the best possible organic SEO ratings Google has to offer.

4. Plugins and Theme Updates


Don’t forget to update those plugins and themes as well! The WordPress core installation is not the only thing that can be exploited, so don’t ignore your plugins and WordPress theme. Plugin and theme developers may coordinate their updates with major WordPress update releases to ensure they are taking advantage of new WordPress features. If you are not updating your plugins and theme when an update is available, you could be limiting the functionality of your site or even leaving your site vulnerable to security risks.


Now that you know that it is important to keep your site updated (and why), how in the world do you update your site?

Minor releases that include security and bug fixes are sometimes updated automatically, which is awesome! However, you will need to log in to your WordPress dashboard regularly to see major WordPress updates, PHP updates, and when plugin updates are available.

If you haven’t updated your website in a while, the process could take some time and there could be issues that need your attention. This is great if you have WordPress knowledge – kudos to you; however, we highly caution you if you aren’t certain, as you can break things. If you run into this issue, contact us, we can help.

Pro Tip: In some cases, an update to these plugins or themes can actually break your existing WordPress plugins. This happens when plugins aren’t compatible with your version of WordPress. It is important to keep regular WordPress backups and to check your site after updating that all your plugins work and that your site is running (and looking) the way it should.


Feeling Overwhelmed? Don’t have the time to Regularly Maintain your Website?

We can help you with that. Check out some information about our maintenance plans here; we can take the guesswork out of maintaining your website.

TrevNet Maintenance Plans

It is key to remember that just like in car ownership, a website needs maintenance, and maintenance is always cheaper than repair. That is why there are mechanics to help with that maintenance and repair! Let us help you with your website maintenance. We have plans that take the stress out of remembering when and how to update your website so you can focus on what your specialty is – running your business. Our area of expertise is development and we know websites!

Review information about our most popular maintenance plans here, and if you need a custom solution for your business, contact us – we would be happy to talk with you.

Security Warnings: Is Your Site In Danger?

Google has announced that in just a couple of short months Chrome will start showing security warnings on HTTP sites that have any text input fields in them.

Breaking it Down: What Does That Mean, Exactly?

If you have a blog that can be commented on, a newsletter sign-up form on your website, members-only content that requires a login, or anything else that is interactive with your users and has a field that people type into, your website will show a warning that it is “NOT SECURE” starting October 1, 2017.

BOTTOM LINE: This WILL affect the user’s ability to access your website!
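To find which of your pages would be affected, you can check each HTTP page for fields that people type into. The following is an added example, not part of the original post; the set of input types treated as "text input" is an assumption based on the description above, and the URL and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# <input> types a visitor types into; a missing type attribute defaults to "text".
TEXT_TYPES = {"text", "email", "password", "search", "tel", "url", "number"}


class TextFieldFinder(HTMLParser):
    """Collects (type, name) for every field a visitor can type into."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "textarea":
            self.fields.append(("textarea", attr.get("name") or ""))
        elif tag == "input":
            kind = (attr.get("type") or "text").lower()
            if kind in TEXT_TYPES:  # hidden, submit, checkbox etc. are skipped
                self.fields.append((kind, attr.get("name") or ""))


def fields_needing_https(url, html):
    """Return the typed-into fields on a page that is not served over HTTPS."""
    if urlsplit(url).scheme.lower() == "https":
        return []
    finder = TextFieldFinder()
    finder.feed(html)
    return finder.fields


# Constructed sample page: a blog comment form plus a newsletter sign-up.
SAMPLE_HTML = """
<form action="/comment" method="post">
  <input name="author">
  <textarea name="comment"></textarea>
  <input type="hidden" name="post_id" value="42">
  <input type="submit" value="Post">
</form>
<form action="/subscribe" method="post">
  <input type="EMAIL" name="newsletter_email" />
</form>
"""

if __name__ == "__main__":
    for kind, name in fields_needing_https("http://blog.example.com/post", SAMPLE_HTML):
        print(f"would trigger the warning: {kind} field '{name}'")
```
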

Google Chrome is the first web browser to jump on board with this, and has been marking login forms, certain websites and credit card forms not secure for a while, but there was a story earlier this year where Firefox reported already showing these warnings on unencrypted login pages.

These safety precautions are all steps to ensure a better, secure, internet environment for all users moving forward; making it harder for cyber criminals to intercept information over the web.

These are just the first steps, with websites having forms being the first to be flagged. However, the goal is to have ALL websites eventually go to HTTPS (sooner rather than later).

This goal may be closer than you think. We had a client’s entire blog site blocked from being shown at all to users in Europe just last week because it was not an HTTPS site and deemed “NOT SECURE”. This is taking it a step further from just a warning in an input field – the whole site was marked not secure and was not shown to the user at all.

What does this mean for you?

If you are the owner or manager of a website, this affects you, and your website needs to be secure. You can secure your site and prevent these “NOT SECURE” warnings by moving your site to HTTPS. This is done by installing an SSL Certificate.

We did a blog post a while back on how you can get a free SSL certificate from Let’s Encrypt and the benefits that come with it (I’ll give you a hint: Search Engines love SSL Certificates and your SEO will thank you!).

If you are a current TrevNet Full Service Hosting customer and you’d like to take advantage of a “Let’s Encrypt” FREE SSL Certificate on your site, contact us to get started.

Are you sick of spam? We’re reducing email spam now!

This week we are rolling out some new updates to our mail server which will help reduce the amount of spam being received by our customers. We’ve recently noticed an increase in spam over the last few months and decided to take action. This update will include a new settings panel in cPanel called “MailScanner Configuration”; here you can fine-tune how you want to handle a message when it is detected as possible spam. We went ahead and configured this for you and you should already be seeing a reduction in the amount of spam received.

You may start to see some emails come in that start with {spam?} or {Disarmed} but this is just the new spam blocking system working. You can delete these emails if they are spam or treat them as you would a normal message. If you have any specific questions or would like us to make some changes to your account, please contact us or open a support ticket.

We are always striving to improve the quality of service at TrevNet Media – and no one hates spam email as much as we do!

The Year of the Hack!

Some are calling 2013 “The Year Of The Hack”; it’s more important than ever to take the necessary steps to ensure your site is secure. Since 2008, almost half a million WP sites have been reportedly hacked and this number is sure to rise as WordPress gains more in popularity. Close to 19% of the world’s websites are powered by WordPress. By not keeping all of the plug-ins and themes associated with your site up to date, you could be potentially leaving it vulnerable to an attack.

Tips to reduce the risk of being hacked:

  • Keep software and all plug-ins updated
  • Remove all plug-ins and add-ons not in use
  • Make security a priority when choosing a web hosting company
  • Use proper file permissions on your server
  • Use strong, varied passwords and don’t store them locally
  • Regularly scan your PC for malware

We are in an era where everywhere you turn, you hear stories of the latest hack, and it’s no secret that WordPress has received plenty of bad publicity regarding the topic. Recently, stories about hackers laying a massive, global siege on WordPress sites across the Internet have been everywhere. The main focus of these hacks was exploiting the default “admin” accounts, and more than 90,000 IP addresses were involved in the attack. After attacks like this, companies scramble with their tails between their legs trying to patch up the security holes they swore never existed.

It should be a general rule when owning a WordPress site to continuously stay current on the latest updates. Hacking aside, there are several additional benefits to keeping your website fresh and up to date. To put it another way, think about a car; you know the overall cost of maintenance is far less than fixing a problem should it occur. Keeping your website up to date, like your car, will be far less expensive in the long run and will give you more “mileage” out of your site.

Email Marketing Tips: Avoiding the Spam Filters for your Newsletters

Email marketing, as many of us know, can be a powerful and inexpensive method of reaching our most active potential and/or existing customers. It can boost not only our direct sales, but also our credibility and referrals.

One of the major benefits of email marketing is that email is free, but obviously this is the same reason that spam has become so popular and so frustrating. With spam comes spam filters and with spam filters comes the blocking of legitimate email.

This article

 

The right selection of words


Many spam filters work by analyzing the email based on its content and the words used. Many words — such as free, sex and so forth — are very heavy spam trigger keywords. Your priority should be to avoid such words while keeping your newsletter as professional as possible.

Later in this article I will show you a technique that I use to help me detect words that could trigger spam filters that I may have missed.

Pay attention to your formatting

When formatting your email, keep it simple and professional. Excessive use of different colors, fonts, sizes, images and so forth will result in a higher spam filtering rate. Keep your email as clean as possible, and try to stick to a maximum of 2 or 3 different font types and sizes. Overly large sized fonts will surely add to an email being flagged as spam, as will too many images (or not enough text).

Try and use a short and simple stylesheet rather than using font tags excessively. Most spam filters don’t appreciate a multitude of font tags and inline formatting, and the more primitive filters can’t detect stylesheets so they will not penalize as easily.

Consistency is king

Use a template if you plan on sending newsletters consistently. This will make sure that all your newsletters look and feel the same. It will also add a touch of professionalism and branding to your newsletters.

Whilst not directly affecting spam filters, this will enable your readers to distinguish your newsletter instantly, thus not reporting it as spam accidentally. Some spam filters work by querying a spam server, whereas others report individual emails as spam. If your email gets reported as spam, then more than likely multiple spam filters will flag your email.

Being consistent with your timing of the newsletter also helps. For example, if you send a newsletter once per month (I personally don’t recommend you send out any more than this, unless you’ve got something really interesting to say), then aim to send it out at the same time, on the same day each month.

Once again, your potential readers will learn to expect your email, adding professionalism and often improving open rates, also reducing accidental spam flagging as well.

Always use Double Opt-in

Always make your contact lists double opt-in. This means that when a user subscribes to your contact list, they will be sent an email with a link that they must click on to confirm their subscription.

This is very important because many people can accidentally enter an incorrect email address, or even the email address of someone else on purpose. When that person receives a newsletter they did not subscribe to, they will assume they have been spammed, and your newsletter (and possibly your web server) will be reported as spam.
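One way to build the confirmation link described above is to sign the address and an expiry time with a server-side key, so a subscription only becomes active when the holder of the mailbox clicks a link that cannot be forged. This is an added example, not part of the original article; the secret, the 48-hour lifetime and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: random key kept only on the server
TTL_SECONDS = 48 * 3600           # assumption: links stay valid for 48 hours


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def make_token(email, now=None):
    """Token to embed in the confirmation link sent to `email`."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    body = f"{_b64(email.strip().lower().encode())}.{expires}"
    return f"{body}.{_sign(body)}"


def confirm(token, now=None):
    """Return the confirmed address, or None if forged, expired or malformed."""
    try:
        addr, expires, sig = token.split(".")
        # Constant-time comparison so the signature cannot be guessed bytewise.
        if not hmac.compare_digest(sig, _sign(f"{addr}.{expires}")):
            return None
        if int(expires) < (time.time() if now is None else now):
            return None
        return base64.urlsafe_b64decode(addr + "=" * (-len(addr) % 4)).decode()
    except (ValueError, TypeError):
        return None


if __name__ == "__main__":
    token = make_token("Reader@Example.com")
    print("link: https://example.com/confirm?token=" + token)
    print("confirmed:", confirm(token))
```

Only add the address to the mailing list when `confirm` returns it; an unconfirmed sign-up never receives a newsletter.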

Unsubscribe and Contact Information

Every newsletter you send out should contain a way for the reader to unsubscribe. Not doing so is illegal in some countries and is an instant sign of spamming. You should also display your contact information (Phone, Fax and Address) clearly, as this greatly increases confidence in your email and your company, as well as conforms to spam laws in the United States. Contact information also allows a potential customer to contact you if need be.

Test, Test, Test

The key to avoiding spam filters is testing. The first method of testing I use is to send the newsletter to multiple email accounts with existing spam filters. For example, I have a Gmail (http://www.gmail.com) account and a Hotmail (http://www.hotmail.com) account that I make sure I send my newsletter to. If the newsletter ends up in the junk folder, then I’ve got some work to do.

I also have a couple of email accounts with different web hosts that have spam filters in place. In particular, they mostly use SpamAssassin, a popular piece of spam filtering software. SpamAssassin is useful because every email that it flags as spam is given a report and a list of why that email was considered spam.

I also have a local spam filtering application called No Spam Today! for Workstations, which runs a local copy of SpamAssassin on my PC. It acts as a very close replica of the same software used on thousands of servers worldwide. When I send myself copies of the newsletter, No Spam Today!, using the SpamAssassin checking techniques, gives me feedback as to why my email may have been flagged: whether I’ve used words or formatting that I shouldn’t have, or included too many images, etc.

Conclusion

Avoiding spam filters when sending out legitimate newsletters can be a time consuming effort. However, as your contact list grows, it can also be a very beneficial exercise. I’ve watched open rates of just 2 to 3% soar to a massive 50% and over, simply by applying the techniques described in this article.

At TrevNet Media we can help you set up and manage a successful email campaign.