Category: Internet

  • Your WordPress site is vulnerable

    Many wonder how WordPress can be vulnerable to attack despite its popularity and following. Others are completely unaware of the risk. Analysis.

    What is a vulnerability?

    WordPress is programmed using the PHP language.
    PHP code makes it possible to create "dynamic" sites. In other words, content is generated on each page by a PHP program. A dynamic site also enables interaction with visitors. In technical terms, it enables requests to be received and processed.

    This strength is also a weakness in that it can leave room for unwanted interactions, enabling a website to be hacked.
    This is known as a "security flaw" or "vulnerability".

    PHP vulnerabilities

    Vulnerabilities in PHP code can have various causes.
    Here are a few common examples.

    1. Unvalidated input: When PHP code accepts user data, such as a form field or a query parameter, without proper validation, it can be vulnerable to malicious code injection attacks.
    2. Excessive permissions: Assigning excessive permissions to files and users can enable unauthorized manipulation attacks.
    3. Poor error handling: Revealing sensitive information in error messages can give attackers clues to further exploit the system.

    In addition, there may be vulnerabilities in PHP itself. The PHP interpreter sometimes contains security holes if it is not kept up to date. (see image)

    Other vulnerabilities not directly linked to PHP, such as XSS vulnerabilities, are also common. These allow malicious code (typically JavaScript) to be executed in visitors' browsers.
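To make the three causes above (and the XSS just mentioned) concrete, here is an added example that is not code from the original article: the same small WordPress plugin function written twice, first with those defects and then hardened with WordPress's own APIs. The guestbook table, function names and shortcode are hypothetical; the WordPress functions used ($wpdb->prepare, sanitize_text_field, esc_html, current_user_can, check_admin_referer) are the real core ones.

```php
<?php
/**
 * Added example (not from the article): a guestbook listing written twice.
 * Assumes a table {$wpdb->prefix}guestbook with columns id, author, message
 * (hypothetical). Loaded as a plugin file inside a WordPress install.
 */

// ---------- VULNERABLE: the three causes plus an XSS ----------
function guestbook_show_vulnerable() {
    global $wpdb;
    ini_set('display_errors', '1');                  // 3. poor error handling: PHP errors reach the visitor

    // 1. Unvalidated input concatenated straight into SQL (injection).
    $author = $_GET['author'];
    $rows = $wpdb->get_results(
        "SELECT author, message FROM {$wpdb->prefix}guestbook WHERE author = '$author'"
    );
    if ($wpdb->last_error) {
        echo $wpdb->last_error;                       // reveals table names and the failing query
    }
    foreach ($rows as $row) {
        echo "<p><b>$row->author</b>: $row->message</p>";   // XSS: stored content echoed unescaped
    }
}

// ---------- HARDENED ----------
function guestbook_show_hardened() {
    global $wpdb;

    // 1. Validate and sanitize: accept only the shape we expect.
    $author = isset($_GET['author']) ? sanitize_text_field(wp_unslash($_GET['author'])) : '';
    if ($author === '' || strlen($author) > 64) {
        return;
    }

    // Parameterized query: $wpdb->prepare() escapes the value for us.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT author, message FROM {$wpdb->prefix}guestbook WHERE author = %s",
            $author
        )
    );

    // 3. Errors go to the server log, never to the visitor.
    if ($wpdb->last_error) {
        error_log('guestbook query failed: ' . $wpdb->last_error);
        echo '<p>Temporarily unavailable.</p>';
        return;
    }

    foreach ($rows as $row) {
        // Output escaping neutralises stored XSS.
        echo '<p><b>' . esc_html($row->author) . '</b>: ' . esc_html($row->message) . '</p>';
    }
}

// 2. Excessive permissions: a destructive action checks who is asking (capability)
//    and that they really asked (nonce) instead of trusting anyone who reaches the URL.
add_action('admin_post_guestbook_delete', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', '', ['response' => 403]);
    }
    check_admin_referer('guestbook_delete');
    global $wpdb;
    $wpdb->delete("{$wpdb->prefix}guestbook", ['id' => absint($_POST['id'] ?? 0)], ['%d']);
    wp_safe_redirect(wp_get_referer() ?: admin_url());
    exit;
});

add_shortcode('guestbook', function () {
    ob_start();
    guestbook_show_hardened();
    return ob_get_clean();
});
```

The file-permission half of cause 2 is handled outside PHP: WordPress's hardening guidance is 755 for directories and 644 for files, owned by an account that is not the web server's, so that a flaw in one plugin cannot rewrite the others.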

    Let's see how this works in practice for WordPress.

    Source: Supported PHP versions

    WordPress website vulnerabilities

    Security vulnerabilities in WordPress

    WordPress is a robust content management system, but it includes nearly a million lines of PHP code (924,096 lines currently).
    WordPress also means 59,772 plugins and 11,378 themes available on wordpress.org: millions more lines of code that can be installed on your site.
    This wealth of code creates fertile ground for security flaws. The more code you add, the more risk you add. So, every day, new vulnerabilities are discovered. They can be found in the core of WordPress, but also in installed themes and plugins.

    Detecting, correcting and revealing vulnerabilities

    If a party detects a flaw (an individual developer, a "white hat", a specialized security organization), it notifies the developers of the script containing the flaw.

    If the developers are reactive, they correct the flaw and publish the patch.

    Then, typically 30 to 90 days after its discovery, the security flaw is publicly disclosed: on the one hand, to give credit for the discovery to the person who reported it, and on the other, to warn users of the script of the risk involved in failing to update.

    A current uncorrected flaw

    WordPress currently has an uncorrected flaw dating from version 6.1.1 (i.e. several months ago). It allows an attacker to use a website to send requests to other targets. It can be mitigated by blocking access to xmlrpc.php and disabling WordPress pingbacks (which was done on all the sites I manage even before this flaw was detected).

    When is WordPress vulnerable and what can you do about it?

    Vulnerabilities revealed

    When a vulnerability is revealed, all installations with the vulnerable script are inherently affected. If this is the case, hackers are likely to exploit the flaw.

    There are two cases to distinguish:

    • Your site contains a script (WordPress, plugin, theme) with a known vulnerability that has not been corrected by the developers. Development of this script may have been abandoned. In this case, you should disable the script or replace it with a non-vulnerable script that is better monitored by its developers.
    • Your site is out of date. You haven't corrected the security flaw. You need to update your site as regularly as possible, and make sure you don't have any obsolete scripts (which could potentially put you in the same situation down the line).

    Zero-day vulnerabilities

    Sometimes, hackers will find a vulnerability before it is revealed and then corrected. They will exploit it directly. This is known as a zero-day vulnerability.

    The more popular a script is, the more likely it is that hackers will look for zero-day vulnerabilities in it. It's rare, but it happens.
    Here's another reason to design simple sites: the more popular plugins you pile on, the more vulnerable your WordPress site becomes. Not just to zero-day vulnerabilities, but to vulnerabilities in general.

    To protect against 0-day vulnerabilities, the server hosting your site needs to be secure. This can be achieved by blocking suspicious requests from hackers using an application firewall, then blocking attacking IPs with fail2ban, for example. This is not generally the case with shared hosting packages, with the exception of HaiSoft, with whom I've pushed these security measures, which has greatly reduced the number of hacks. But this can lead to false positives: legitimate requests being blocked, especially with WordPress builders (Elementor, Divi, WP-Bakery and others). The technical support required is then higher, which is why most service providers don't implement this type of security. Security is always more complex than no security.
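As an added example (not code from the article, from HaiSoft or from WordPress), here is what two of the measures above look like in one must-use plugin: the xmlrpc.php pingback mitigation from the uncorrected-flaw section, and a syslog trail of failed logins that fail2ban can ban on. The WordPress filter and action names are real core hooks; the file name, the log format and the fail2ban filter are assumptions, and the filter assumes syslog's auth facility lands in /var/log/auth.log as on Debian-style systems.

```php
<?php
/**
 * Plugin Name: Hardening (added example, not from the article)
 * Save as wp-content/mu-plugins/hardening.php: must-use plugins load before
 * regular plugins and cannot be deactivated from the dashboard.
 */

// ---- 1. Close the pingback path that the xmlrpc.php flaw relies on ----

// Remove the pingback methods from the XML-RPC server, so the site can no
// longer be made to send requests to other targets.
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising pingback support (X-Pingback header) and refuse incoming pings.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
add_filter('pings_open', '__return_false');

// If nothing on the site needs XML-RPC at all (Jetpack, the mobile apps),
// turn the endpoint off entirely. Blocking /xmlrpc.php at the web server is
// the stronger equivalent and also spares PHP the work.
add_filter('xmlrpc_enabled', '__return_false');

// ---- 2. Leave a syslog trail for fail2ban ----

function hardening_log(string $message): void {
    // REMOTE_ADDR is only the client IP when PHP talks to the client directly;
    // behind a reverse proxy, have the proxy pass the real address through.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    openlog('wordpress', LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, sprintf('%s from %s', $message, $ip));
    closelog();
}

// Failed wp-login.php attempts. The username is reduced to a safe character set
// so an attacker cannot inject fake log lines through it.
add_action('wp_login_failed', function (string $username) {
    $safe = preg_replace('/[^\w.@-]/', '_', $username);
    hardening_log(sprintf('Authentication failure for "%s"', $safe));
});

// Failed XML-RPC logins (the usual brute-force channel if XML-RPC stays on).
add_filter('xmlrpc_login_error', function ($error, $user) {
    hardening_log('XML-RPC authentication failure');
    return $error;
}, 10, 2);

/*
 * Matching fail2ban configuration (assumed paths; a log line looks like
 * "Jan  1 12:00:00 host wordpress[1234]: Authentication failure for "admin" from 203.0.113.5"):
 *
 * /etc/fail2ban/filter.d/wordpress.conf
 *   [Definition]
 *   failregex = wordpress\[\d+\]: .*[Aa]uthentication failure.* from <HOST>$
 *
 * /etc/fail2ban/jail.d/wordpress.conf
 *   [wordpress]
 *   enabled  = true
 *   filter   = wordpress
 *   logpath  = /var/log/auth.log
 *   maxretry = 5
 *   bantime  = 1h
 */
```

This only bans brute-force traffic that reaches PHP; the application firewall the article mentions sits in front and blocks the exploit attempts that never try to log in at all.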

    Despite all the security measures in place, it's important to bear in mind that some hacker requests can slip through the net. There is no such thing as zero risk, and anyone who claims otherwise is either ignorant or a liar.

    So, since perfect security doesn't exist, assume that your site could be hacked tomorrow. If this happens, what do you do? You'd better have an up-to-date, easily restorable backup that's not stored on your site.

    Conclusion

    Hacking doesn't just happen to other people. On a regular basis, owners of WordPress sites come to me with a hacked website to repair.

    Every computer system is potentially vulnerable, including your WordPress site. The challenge is to minimize the risks of hacking by applying all preventive measures. This starts with an up-to-date, secure server capable of blocking attacks. It also means regularly monitoring your WordPress site, updating it as often as possible, constantly checking for known security vulnerabilities, and taking swift action in the event of a problem. In all cases, an automated, external, independent backup of your site must be carried out on a daily basis. This is precisely the set of services you'll find in my Webmastering WordPress.

    If your site is important to your business, don't wait to be hacked. Be proactive and have your site checked by a WordPress security audit or go directly to my Webmastering.

  • How can I check if my WordPress site has been hacked? Warning signs to be aware of

    It's sometimes hard to tell the difference between a malfunction and a hack. But there are signs that your site may have been hacked. Today, let's take a look at the 8 most common signs to spot a hack on your WordPress site.

    ❌ Warning: if in doubt, it's best not to connect to the site administration. Indeed, if your site is hacked, this may allow the hacker to recover your password. What's more, the hacker may trigger certain actions automatically when you act on the hacked site, which would make the situation worse.

    ✅ If you think your site has been hacked, you need to suspend your hosting until your site's files and database have been cleaned directly.
    Repairing a WordPress site requires following a scrupulous protocol like the one I apply in my repairing and securing hacked WordPress sites service. If you have any doubts, contact me for a free assessment and immediate safety measures.

    1. Unauthorized advertising and redirections

    Unwanted ads or redirects to third-party sites appear on your site.

    Cause and explanation

    The hacker was able to penetrate the site's files and/or database to insert these ads and redirects. His aim is to steal your traffic to generate revenue.

    2. Unable to log in as administrator

    Your administrator password no longer works or seems to change unexpectedly after each reset.

    Cause and explanation

    The hacker has introduced a backdoor (code hidden in your site) enabling him to change all your passwords at will.

    3. You receive notifications of rejected e-mails

    You receive notifications of bounced e-mails (also known as "mailer-daemons") that you have not sent yourself.

    Cause and explanation

    The hacker is using your site to send emails, or may have compromised your email password. In some cases, they are simply using a poorly configured and insecure contact form as a platform to send emails to the recipients of their choice, which also needs to be addressed to avoid your domain being blacklisted.

    4. Google Safe Browsing or antivirus security alert

    When you visit your site, your browser displays a "Dangerous or malicious site" alert, either via Google Safe Browsing or via your antivirus software. The blocked URL displayed belongs to your site or to a third-party site.

    Cause and explanation

    Your site contains phishing URLs, malware, or redirects to malicious sites. Google maintains a database of these malicious sites, which all major web browsers use to protect visitors.

    5. Unwanted content and foreign languages

    You see additional or modified articles or pages on your site. Often in a foreign language. And often with suspicious links to other sites.

    Cause and explanation

    The hacker controls your site. Either by adding an administrator account, or by using a backdoor to inject code into the database. This allows him to insert any content he wishes.

    Not to be confused with "spam" comments. This concern must be addressed, but does not necessarily mean that your site has been compromised.

    6. Unknown users

    You see one or more unknown administrator users in your WordPress user list. Sometimes you notice that your existing admin account details have changed.
    NB: As you don't want to log in to the site administration, you can also see this in the database table wp_users (via phpMyAdmin for example).

    Cause and explanation

    The hacker controls your site. Either via an administrator account added or compromised, or (and this is the most common case) via a backdoor enabling him to inject code into the database. In particular, this enables him to control the site's users.

    This is not to be confused with unwanted users registering on your site. This concern must be addressed, but does not necessarily mean that your site has been compromised.

    7. Phishing pages

    You may notice that some URLs or files (often .html) resemble pages from well-known sites, either through a statistics tool or when exploring your site's files.

    Cause and explanation

    This is called phishing. The hacker has taken control of your site and can write files of his choice into it, or write to the database. Phishing allows the hacker to lure visitors to your site whom he has previously sent bogus e-mails, in order to use it as a gateway to his victims' personal information.

    8. Intruder files

    To check this, browse your site files via FTP or your hosting panel. You may notice an intruder file or folder among your WordPress files. Sometimes these are ".zip" files, and sometimes they're hidden in the underlying folders. If in doubt, compare with the archive on wordpress.org.

    Cause and explanation

    The hacker has been able to send unwanted files to your site and now has complete control. He can read existing files and add new ones. He will usually have taken care to hide "backdoor" files throughout the files in an attempt to retain access to the site even if you clean up the content.
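The "compare with the archive on wordpress.org" step of sign 8 can be automated. The following is an added example, not code from the article: a command-line PHP script that downloads the core checksum manifest WordPress itself uses for updates and reports modified core files, missing core files, and files inside wp-admin/ and wp-includes/ that core never shipped (the intruder files). The script name and output format are assumptions; the api.wordpress.org endpoint and its {"checksums": {...}} shape are real.

```php
<?php
/**
 * wp-verify.php (added example, not from the article).
 *
 *   php wp-verify.php /path/to/copy-of-site [version] [locale]
 *
 * Run it from the shell on a copy of the files, never through the possibly
 * compromised site itself. Requires PHP 8 and allow_url_fopen for the download.
 */

/** Read the core version by parsing, never by include(): a tampered version.php could run code. */
function detect_version(string $root): string {
    $src = @file_get_contents("$root/wp-includes/version.php");
    if ($src === false || !preg_match('/\$wp_version\s*=\s*\'([^\']+)\'/', $src, $m)) {
        throw new RuntimeException('cannot read the version from wp-includes/version.php');
    }
    return $m[1];
}

/** Manifest of a pristine core: ['wp-includes/version.php' => '<md5>', ...]. */
function fetch_core_checksums(string $version, string $locale): array {
    $url  = 'https://api.wordpress.org/core/checksums/1.0/?'
          . http_build_query(['version' => $version, 'locale' => $locale]);
    $json = @file_get_contents($url);
    $data = $json === false ? null : json_decode($json, true);
    if (!is_array($data) || empty($data['checksums']) || !is_array($data['checksums'])) {
        throw new RuntimeException("no checksum manifest available for $version/$locale");
    }
    return $data['checksums'];
}

/** Relative paths of every regular file under $root/$subdir. */
function list_files(string $root, string $subdir): array {
    if (!is_dir("$root/$subdir")) {
        return [];
    }
    $out = [];
    $it  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator("$root/$subdir", FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $out[] = substr($file->getPathname(), strlen($root) + 1);
    }
    return $out;
}

/** ['modified' => [...], 'missing' => [...], 'extra' => [...]] relative to a pristine core. */
function verify_core(string $root, array $checksums): array {
    $report = ['modified' => [], 'missing' => [], 'extra' => []];
    foreach ($checksums as $rel => $md5) {
        if (str_starts_with($rel, 'wp-content/')) {
            continue; // bundled themes and plugins legitimately differ per site
        }
        $path = "$root/$rel";
        if (!is_file($path)) {
            $report['missing'][] = $rel;
        } elseif (md5_file($path) !== $md5) {
            $report['modified'][] = $rel;
        }
    }
    // Only core writes into these two directories, so any unlisted file is suspect.
    foreach (['wp-admin', 'wp-includes'] as $dir) {
        foreach (list_files($root, $dir) as $rel) {
            if (!isset($checksums[$rel])) {
                $report['extra'][] = $rel;
            }
        }
    }
    return $report;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root    = rtrim($argv[1], '/');
    $version = $argv[2] ?? detect_version($root);
    $locale  = $argv[3] ?? 'en_US';
    $report  = verify_core($root, fetch_core_checksums($version, $locale));
    foreach ($report as $kind => $files) {
        printf("%s: %d\n", $kind, count($files));
        foreach ($files as $f) {
            echo "  $f\n";
        }
    }
    exit(array_sum(array_map('count', $report)) === 0 ? 0 : 1);
}
```

A modified core file is not always malicious (a file re-saved with Windows line endings hashes differently), but it is always worth opening. WP-CLI's wp core verify-checksums performs the same comparison, and wp plugin verify-checksums --all does it for plugins from wordpress.org, which covers the other place intruder files like to hide.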

    Further information

    Ideally, you should host your site on a secure server, as I propose in my hosting and webmastering packages. In this way, hackers are automatically blocked, drastically reducing the risk of hacking. Also, malicious files are regularly scanned for at server level, which is the most reliable way of proceeding.

    If there are no special security measures in place on the server hosting your site, you can start by using the WordFence plugin which, while cumbersome and slowing down your site, will at least scan your site for malware and protect you from some basic attacks.

    If you spot any of these signs of hacking, don't hesitate to contact me for immediate assistance.

    Constant vigilance is essential to keep your WordPress site secure. I offer this through my webmastering services.

    In the next few articles, we'll be covering other topics related to the security of your WordPress site. Stay tuned.

  • WordPress site attacks: Why and how do hackers operate?

    Let's put ourselves in the shoes of hackers attacking WordPress sites.
    Let's understand how they think and operate, to better protect ourselves.

    The hackers' goal

    Hackers are generally motivated by money. Although their attacks are often stupid and nasty, you shouldn't underestimate them, because some of them are clever.

    To generate revenue, hackers will do anything. They divert visitors of hacked sites via sponsored links or redirections, or add inopportune advertising from which they reap the rewards. They also sometimes add links to other infected sites in an attempt to get them listed on Google.

    Often without limits, they even host phishing on your site. In other words, copies of institutional sites. This enables them to refer victims to whom they have previously sent fake e-mails pointing to these links, and thus to retrieve their personal login details for these real accounts. In some cases, these may be bank or health accounts.

    In targeted hacking, the motivation is ideological or political.

    More marginally, we also see hacking competitions, sometimes taking place at events such as hackathons. Sometimes, on the other hand, the site is completely defaced. However, I haven't observed this type of hack for a few years, so it seems that this practice is being lost for the time being.

    Why attack WordPress sites?

    WordPress is widely used, powering 43% of websites worldwide. This makes it a target of choice for hackers. Attacking WordPress allows them to maximize the results of their attacks. It's exactly the same principle as with Windows, which is the most popular operating system and therefore the most attacked.

    Also, WordPress is very rich in terms of code and functionality, as well as documentation. So much so that numerous vulnerabilities are regularly made public. It is important to note that vulnerabilities also and above all concern numerous plugins and themes from WordPress.

    Hackers' modus operandi

    It is relatively easy to identify WordPress sites in bulk on the Internet. Hackers therefore create listings of WordPress sites.

    They will then cross-reference these lists with the known security vulnerabilities from WordPress.

    They then have to write, or find in hacker communities, "exploits", i.e. requests or code used to take advantage of these vulnerabilities.

    Once they have their "exploits", they program bots which automatically attempt to use them on all these sites. These bots are often set up on previously infected servers and personal computers. Together, these bots are known as a "botnet".

    To attack more effectively, some more skilled hackers will first list the plugins and themes installed on each site, with their versions. Knowing the version of each script, they can look up the security holes known for that version. In fact, this is one of the actions carried out during a WordPress security audit. Hackers use this method to find and exploit vulnerabilities in each site much more effectively.

    Some even more gifted hackers plan their attacks in advance, sometimes targeting numerous sites of a particular host, in an attempt to saturate user support and keep their hack going as long as possible.

    This is how we see waves of hacking. Note that some waves also occur because a new flaw has been discovered by hackers before it has been corrected by developers. This is known as a "zero-day vulnerability".
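The listing of installed plugins and themes with their versions is, as the text says, also the first action of a security audit; the defender's version of it is to know that inventory before anyone else does. The following is an added example, not code from the article: a command-line PHP script that reads the same "Plugin Name:", "Theme Name:" and "Version:" file headers WordPress reads, from a copy of the site without loading WordPress, and flags anything below a known fixed version. The script name is an assumption and the FIXED_IN table is a constructed placeholder to be filled from whatever advisory source you follow.

```php
<?php
/**
 * wp-inventory.php (added example, not from the article).
 *
 *   php wp-inventory.php /path/to/copy-of-site
 *
 * Requires PHP 8. Prints one line per plugin/theme and a WARNING for each
 * item whose version is older than the fix listed in FIXED_IN.
 */

/** Extract a "Key: value" file header from the first 8 KB, the window WordPress itself scans. */
function read_header(string $file, string $key): ?string {
    $head = @file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    $re = '/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi';
    return preg_match($re, $head, $m) ? trim($m[1]) : null;
}

/** [slug => ['name' => ..., 'version' => ...]] for wp-content/plugins (directory or single-file plugins). */
function inventory_plugins(string $root): array {
    $found = [];
    foreach (glob("$root/wp-content/plugins/*") ?: [] as $entry) {
        // A directory plugin's main file is the first .php file carrying a Plugin Name header.
        $candidates = is_dir($entry) ? (glob("$entry/*.php") ?: []) : [$entry];
        foreach ($candidates as $php) {
            if (!str_ends_with($php, '.php')) {
                continue;
            }
            $name = read_header($php, 'Plugin Name');
            if ($name !== null) {
                $slug = is_dir($entry) ? basename($entry) : basename($entry, '.php');
                $found[$slug] = ['name' => $name, 'version' => read_header($php, 'Version') ?? 'unknown'];
                break;
            }
        }
    }
    return $found;
}

/** Themes declare their headers in style.css rather than in a PHP file. */
function inventory_themes(string $root): array {
    $found = [];
    foreach (glob("$root/wp-content/themes/*/style.css") ?: [] as $css) {
        $name = read_header($css, 'Theme Name');
        if ($name !== null) {
            $found[basename(dirname($css))] = ['name' => $name, 'version' => read_header($css, 'Version') ?? 'unknown'];
        }
    }
    return $found;
}

/** slug => first version without the known flaw. CONSTRUCTED placeholder entries, not real advisories. */
const FIXED_IN = [
    'example-slider'  => '3.2.1',
    'example-contact' => '1.8.0',
];

/** Human-readable list of installed items whose version is older than the fix. */
function flag_outdated(array $inventory, array $fixed_in = FIXED_IN): array {
    $flags = [];
    foreach ($inventory as $slug => $info) {
        if (!isset($fixed_in[$slug]) || $info['version'] === 'unknown') {
            continue;
        }
        if (version_compare($info['version'], $fixed_in[$slug], '<')) {
            $flags[] = sprintf('%s %s is below the fixed version %s', $slug, $info['version'], $fixed_in[$slug]);
        }
    }
    return $flags;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $root = rtrim($argv[1], '/');
    foreach (['plugin' => inventory_plugins($root), 'theme' => inventory_themes($root)] as $type => $items) {
        foreach ($items as $slug => $info) {
            printf("%-6s %-30s %-10s %s\n", $type, $slug, $info['version'], $info['name']);
        }
        foreach (flag_outdated($items) as $line) {
            echo "WARNING: $type $line\n";
        }
    }
}
```

The inventory is only useful if it is compared against something: the page's own advice is to update daily and to replace or disable scripts that are no longer maintained, and an abandoned plugin shows up here as one whose version never moves.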

    Targeted attacks

    Your site doesn't have to be specifically targeted to be hacked. Because, as we've seen, hackers attack thousands of WordPress sites a day in an automated fashion. This means that even very small sites with just a few dozen visitors a day, or the sites of small associations or local authorities, can be hacked.

    Nevertheless, if your site has a security flaw of any kind, a targeted attack, operated and directed directly by a hacker, will very quickly result in the complete hacking of your site.

    Targeted attacks are relatively rare (less than 3% of hack cases in my experience). The targets of choice in this case are mainly political, media or ideological. In other words, targeted attacks tend to be aimed at institutional sites or sites with ideologically charged content. If this is your case, don't wait until it's too late and treat yourself to a WordPress security audit.


    Further information

    Check if my site is vulnerable

    You can test the vulnerability of your website via my WordPress security audit.

    Please note that this service is included in my Webmastering Critical. WordPress scripts are updated on a daily basis, I receive an e-mail in the event of a vulnerability, and I monitor obsolete scripts. I also manage to detect the activity of hacker bots on my hosts and automatically block hundreds of them every day. Manual attacks are also blocked; for example, during an audit of a site I host, a major security group asked me to unblock them so they could continue their tests, as all their IPs had been automatically blocked by my security systems.

  • WordPress "Builders": The hidden face

    Page builders for WordPress have been all the rage for years. These are visual editors designed to facilitate site layout.

    Elementor, Divi, WPBakery: Web agencies, webmasters, everyone's using their own builder. WordPress revolution, or monumental mistake, what does the "WordPress expert" have to say?

    The promise of WordPress builders

    Builders are popular because they promise to create rich, complex pages without touching a single line of code, thanks to visual editors. And they generally deliver on this promise.

    But then, Jamy, what evidence is there to question the wisdom of using builders in this perfect world of ours?

    WordPress "Builders" imprison you

    Builders are generally available on an annual subscription basis. Having paid for your builder, you have no intention of backing out and will do everything in your power to make it work.

    But one day, fate will strike: you'll have a really blocking problem with your builder and you'll want to go back to native (without a builder). Or choose another builder.

    And then the drama begins.

    No standards, no interoperability between different builders. And above all, no display if the plugin is deactivated.

    Without its builder, your site is out of order and you'll have to completely rebuild it.

    So, have you really saved time and money by using a builder to shape your site?

    Builders go against the WordPress grain

    Builders modify the native operation of the WordPress CMS.

    How builders work

    A builder will generate hundreds of tags which must be interpreted and dynamically converted into HTML code (the final display language sent to visitors) by the server before being sent to the visitor.

    Some builders will also generate scripts (js) and style sheets (css) on the fly, depending on the page.

    Native WordPress operation

    Previously, to change the appearance of WordPress from a given theme, you either had to have chosen a highly customizable theme, or get your hands into the site's code. In both cases, page content remained native, so a change of theme didn't break the whole site.

    From now on, WordPress pushes Gutenberg, its block system. It allows you to edit all the content of your site natively, without any modification to WordPress: pages, articles, but also the global display thanks to "full site editing". Like a builder, in fact...? Yes, except that the code generated is HTML and therefore has no cost in terms of performance or loading time.

    The impact on performance... And ecology.

    Extreme slowness

    In my experience as a web-hosting outsourcer, I've been approached by numerous WordPress customers complaining about the slowness of their sites. The servers weren't saturated, but their sites had one thing in common: they used WordPress builders.

    In tests with and without the builder, I observed a slowdown of 10 to 40 times with the builder activated. In other words, a site that takes 0.3 s to load natively takes more than 3 s, or even more than 10 s in the most extreme cases.

    The slowdown also affects visitors directly: the many heavy scripts (js) and style sheets (css) generated by builders take time to download and then to be interpreted by the browser, so pages take even longer to appear.

    Time is energy

    Load times are calculation resources and therefore energy consumed by the server and your access device (smartphone, PC). The more CPUs are occupied, the more energy is wasted.

    While the situation is improving with builders' optimization patches, or caching plugins (which avoid certain server consumption), performance is still generally not up to scratch compared to a native site.

    Impact on site success

    As we all know, visitor retention on a site depends on its speed. And there's good reason to believe that search engines favor the best-optimized sites.

    Undeniable ecological impact

    WordPress powers over 43% of websites worldwide. Many of these sites include builders, generating an overconsumption of server resources on the order of x10 (or even x40). Builders therefore have a considerable carbon footprint that it would be interesting to measure objectively. I wouldn't be surprised if this increased Internet energy consumption by 10% or more.

    Reliability and safety

    A large proportion of the failures observed on sites during updates are due to the builder. You'd better have a good backup. All this is additional maintenance, lost for the webmaster and/or the customer.

    What's more, as builders are popular, security flaws are regularly discovered. So if you update, you risk breaking the site, and if you don't update, you risk a hack. What's your choice?

    Builders galore

    Some people have a systematic builder reflex. Even on an extremely simple site. But is it really necessary?

    In many cases, using a builder is like killing a fly with a flamethrower.

    The #1 rule of optimization: use only what you need. A little minimalism never hurt anyone.

    Do we need to think for 2,000 years to shift an image by one or two pixels? It only pleases web designers. Users and site owners couldn't care less.
    In the real world, it's not the content that counts for a site's success.

    What you need is a site that's easy to maintain, reliable, secure and quick for visitors to view, and above all, that contains the useful information your visitors are looking for, for good SEO (on Google and other search engines), and with the lowest possible carbon footprint.

    Alternatives

    Many native themes, often free of charge, are capable of offering a clear and pleasant visual experience, and already allow an excellent level of customization.

    What's more, with Gutenberg, WordPress now offers "Full Site Editing". With compatible themes, you can arrange each part of the site as you wish.

    In the near future, this should mark the beginning of the end for builders.

    Personally, I've always refused to go against WordPress' native way of working, and I adopted Gutenberg as soon as it was released, despite the bugs and limitations.
