Enlarge (credit: Getty Images)

Millions of WordPress sites have received a forced update over the past day to fix a critical vulnerability in a plugin called UpdraftPlus.

The mandatory patch came at the request of UpdraftPlus developers because of the severity of the vulnerability, which allows untrusted subscribers, customers, and others to download the site’s private database as long as they have an account on the vulnerable site. Databases frequently include sensitive information about customers or the site’s security settings, leaving millions of sites susceptible to serious data breaches that spill passwords, user names, IP addresses, and more.

Bad outcomes, easy to exploit

UpdraftPlus simplifies the process of backing up and restoring website databases and is the Internet’s most widely used scheduled backup plugin for the WordPress content management system. It streamlines data backup to Dropbox, Google Drive, Amazon S3, and other cloud services. Its developers say it also allows users to schedule regular backups and is faster and uses fewer server resources than competing WordPress plugins.

Read 9 remaining paragraphs | Comments

PHP is a widely-used programming language on the web, and it's estimated that nearly 80% of all websites use it. CrowdSec provides server admins with a PHP bouncer to help ward away bots and bad actors who may attempt to interact with PHP files. Note that a server agent must be installed, with the bouncer application running at website level. WordPress has a plugin, whilst Drupal does not, but for Drupal you can use the PHP Bouncer directly.

See https://opensource.com/article/22/1/php-website-bouncer-crowdsec

#technology #security #websites #bots #wordpress #secops

The plugin implements the ActivityPub protocol for your blog. Your readers will be able to follow your blogposts on Mastodon and other federated platforms that support ActivityPub.

The plugin works with the following federated platforms:

• Mastodon
• Pleroma
• Friendica
• HubZilla
• Pixelfed
• SocialHome
• Misskey

See https://wordpress.org/plugins/activitypub/

#technology #WordPress #activitypub #fediverse #decentralised

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites.

The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch. Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.

You certainly always want to ensure you have a good security plugin installed which prevents brute force attacks, and that you only have the active themes and plugins installed, and that they are all set to auto update enabled.

See https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/

#technology #security #wordpress

Wow, what a few days! I must be a sucker for punishment, as this was by far the biggest change I’ve ever made to my website. I certainly learnt a few new things, but there were quite a few challenges too. This is a summary of what I did:

Hosting change – I moved away from DigitalOcean to HostWorld (VPS-3 package). Both are VPS providers, and certainly DigitalOcean is fast, but their costs are a bit prohibitive for me where I need to add more storage etc. So a noticed a while back someone had recommended HostWorld, and there I could save about 30% with double the RAM and a good 50% more disc storage.

Hosting technology change – I was using Softaculous scripting as a sort of panel manager to install and upgrade all the services I ran. It generally worked very well, and included e-mail hosting, but it duplicates PHP and some other stuff, so depending on whether you are working via it or the command line, you have to be very careful what version of PHP you are running otherwise it can break things. My Drupal’s compose and drush commands ended up getting really broken, and I had to keep fixing it. Moving from Drupal 8 to 9 became impossible, and Drupal 8 was now at end of life. Although Softaculous is only $2 pm I thought maybe I should also try a change of technology on that front… so I decided to try running all my hosting services in separate docker containers. This took an entire day to get right (with wanting to have one shared MariaDB database for all my containers) as all the tutorials and videos mostly show single service setups. So I learnt a lot on this front and intend to do a video and post dedicated to just this factor. It was not all roses and sunshine though as I lost about 2 days trying to figure out how to rehost my e-mail, but I had a lot of complications with using the same base URL between my mail server and website, so had to abandon that for now. The main advantages for me with going with docker containers are, they are self-contained with everything they need to run, so I’m expecting (hoping) that updates will be easier and way quicker, and of course also that I have Nginx Proxy Manager now playing a central gatekeeper as far as managing access and redirects goes. They should also be easier in future to be migrated to other hosting providers.

Content Management System change – I was on WordPress way back in 2018 (as I found out from finding my old remote backups in DropBox) and I had migrated to Drupal for speed and flexibility (and of course I love to try new things), but like I said, the upgrades were becoming a nightmare. Drupal itself worked well, and I was very happy with it, but I had to decide whether to try running it in a container, or rather jump back to WP. I decided on the latter and bought an extension that did the conversion for me into a WP site. I spent another day or so getting the right plugins and doing the more notable fixes that needed to be done. It’s actually good to be back on WordPress, as there is a plugin for everything, although I do note that very few of the better ones are now truly fully free.

So apart from the learning curve needed to go from 15% docker knowledge to 50%, the usual problem with switching my domain name away from one provider to another also reared its head. It did not really result in any significant website downtime, but many may have noticed some images were not loading while the WP was resolving to a secondary domain name for a while. Once the DNS had settled down, and I set WP back to it’s primary domain name, it all looked good.

So what remains, is still some tweaking and tidying up (especially for the formatting of my big open source repository page), and I also need to finish spinning up my NextCloud, Wallabag, Webtrees, etc sites. My photos site is still live at the old hosting on its original domain name, and I need to set aside a day to a start testing it’s import.

See https://gadgeteer.co.za/hosting-migration-and-site-migration-back-to-wordpress-2-to-3-dec-2021/

#technology #sitemigration #docker #wordpress #VPS

Mis à nu pendant plusieurs mois, plus d’un million de sites WordPress hébergés par GoDaddy sont susceptibles d’avoir été piratés. Un risque pour les propriétaires, mais aussi pour les internautes.

WordPress : un million de sites piratés, êtes-vous concernés ?

Značky: #WordPress, #DailyOps, #Linux

Si vous êtes utilisateur de WordPress et que vous utilisez les blocs dans votre thème, vous avez peut-être remarqué après avoir analysé votre site qu’une grosse feuille de style venait alourdir tout ça.

Il s’agit de la feuille de style wp-block-library qui contient tous les styles pour tous les blocs.

wp-includes/css/dist/block-library/style.css

J’avais le souci dernièrement, donc j’ai creusé un peu et j’ai découvert que WordPress 5.8 améliorait la façon dont les sites chargeaient les styles de blocs.

En ajoutant un simple filtre dans votre fichier functions.php , il est possible de charger uniquement le fichier

wp-includes/css/dist/block-library/common.css

qui est beaucoup plus petit et qui contient uniquement des styles de base. Les styles des autres blocs seront alors chargés uniquement sur les pages où vous appelez ces blocs.

Ce changement ne modifie pas le fonctionnement de WordPress et n’impacte que le front, donc peu de risque que ça casse votre site ou que ça modifie votre design. Je vous invite vraiment à mettre ça en place. De mon côté, ça a vraiment allégé mon site.

Pour cela, ouvrez le fichier functions.php et ajoutez-y la ligne suivante :

add_filter('should_load_separate_core_block_assets', '__return_true');

Sauvegardez, rechargez, observez et voilà !

Si le sujet vous intéresse, vous trouverez plus d’infos ici .