WordPress Security Follow-up

All you WordPress fans should be aware of the recent problems WordPress has had with cross-site scripting vulnerabilities; I did a recap on the issue a couple of weeks ago. Things have calmed down considerably, but some are still unsettled about WordPress security, so I wanted to take a moment to address this.

Brian and I recently participated in a Security Webinar and while we didn’t get any eye-opening information the facilitator did say one thing that stuck with me:

WordPress is both the most, and the least, secure content management system on the web.

For the record, I completely agree. A WordPress site created, thrown onto the web and then left to rot with no updates is very vulnerable. A WordPress site carefully built, with solid themes and plugins, configured to be secure, backed up, on excellent web hosting, and updated frequently is as good as any site out there. Yes, there will always be new vulnerabilities discovered, new hacks attempted, and mistakes made; never assume that your site is 100% safe. But a WordPress site can, and should, be well built and secure. If you do that, security problems should be exceptionally rare.

I’m going to supplement this with a link to some content we’ve been working on for the campus site, getontheweb.ncsu.edu. This is a new(-ish) site meant to help users identify the right campus web tools for them. It will also be a resource to answer frequently-asked questions and address other web issues: accessibility, domain and web policies for campus, and of course security. We’ve recently added some information about SSL (probably a blog post for another day) and have a lot of information and tips on WordPress Security. I urge you to check it out, and if you have the need or interest, do more research on the web and in the WordPress Codex. The Codex article on “Hardening WordPress” is an excellent place to start. Happy reading!

Summer WordPress Classes

In addition to our design and development projects, OIT Design offers regular classes introducing new users to WordPress. This summer, we will be offering two classes, both of which I’ll be teaching:

Basics of WordPress

Wednesday, June 17, 2015 – 2pm to 4pm
Avent Ferry Technology Center Room 110

Basics of WordPress

Wednesday, July 22, 2015 10am to 12pm
Avent Ferry Technology Center Room 110

Class Description: 

Heard of this “WordPress” thing and want to see what it’s all about? Learn everything you need to know to get started using WordPress here at NC State.

Representatives from OIT Design, Education and Outreach will cover a complete outline of topics including: setup, configuration, themes, plug-ins, settings, options and management of WordPress.

There are just 15 seats in each class, so be sure to register soon. This is one of OIT’s most popular classes and seats fill up quickly. Follow these links to register for the June 17 class and to register for the July 22 class.

What’s covered in this class?

The Basics of WordPress class is just that: the basics to get you started. Students range from absolute beginners to WordPress users who need a refresher or have never been clear on how something works.

After providing some background on WordPress (what it is, why we use it), every student will build a personal WordPress website in NCSU’s WordPress Blogs environment. I will help you publish your first post, build a few pages, add some sidebar widgets, enable some plugins, and change your site’s theme.

You’ll walk away with all the tools you’ll need to maintain your personal website or add content to your departmental website.

What’s not covered in this class?

Advanced administrative topics, like coding your own themes and plugins or running a multisite environment, are not covered in this class. And if you’re already managing a WordPress site on campus, there may be some tools specific to your website that won’t be discussed.

If you have questions about more advanced topics, or if you need help with your site, Jen and I are always available during our WordPress Office Hours every Friday from 9am to 12pm in AFTC Room 106.

OIT Design Staffing Announcements

Lots of changes and excitement for OIT Design these days! We were delighted to get Brian in here as a dedicated WordPress person this past fall and now we’re happy to announce we’ve been given the go-ahead to hire another position for WordPress support and development. We can’t tell you how much we’re excited about being able to improve our offerings to campus, our support, and our own business processes. Stay tuned for more information about the position and the person we hire!

In other staffing news, we were recently able to add a new part-time person to our roster. David Mueller will be working with clients on content review and migration, along with assisting with our routine maintenance and support tasks. You may begin to see emails from him in the coming weeks and months. We’ll also get him in here to write a blog post at some point; he has an undergrad degree in writing, so no doubt he’ll be much more eloquent than Brian and me!

Finally, we have a very busy summer coming up personally! David, Brian, and I are all engaged and getting married at some point in the next few months. I’m actually first to go – my wedding will be next weekend, May 16. Please note that my last name will be changing from ‘Riehle’ to ‘McFarland’ so emails might look a bit different – we’re hoping to minimize confusion.

Thanks all! Happy graduation and hope everyone has a wonderful summer!

Featured Site: “All About Corgis”

OIT Design provides the NC State community with its WordPress Blogs service. Any student, staff, or faculty member can create a website (or many websites) free of charge using their Unity ID and password. A WordPress site will be instantly generated for you at [thenameofyoursite].wordpress.ncsu.edu.

This is an ideal platform for a personal profile page, a portfolio, a class project, or even just as a place to experiment and get to know WordPress a little better.

It’s also the perfect place to share with the world your love of corgis.

Corgis, as you’ll learn at the All About Corgis site, are easy-to-train dogs that come in two breeds. This site is a surprisingly useful resource for learning more about this popular and diminutive type of dog.

Curious about what else is happening on NC State’s WordPress Blogs service? You can see all of the public and searchable blogs at wordpress.ncsu.edu/blog-sites/sites/.

(Don’t want your site included on that list? You can hide it and tell Google not to search it under Dashboard > Settings > Reading. Check the box labeled “Discourage search engines from indexing this site.”)

Many of the sites on the service are test sites and don’t have much content. But there are some really great examples of members of the NC State community sharing something they love or something they’re proud of.


Recent WordPress Vulnerabilities and Updates

Hello WordPress fans!

Some of you may have noticed that WordPress has had a busy week of plugin and core updates. It turns out that a couple of commonly used WordPress URL helper functions return values that are not escaped, and a great deal of code was printing that output straight into pages. That opened the door to cross-site scripting (XSS): an attacker who gets a visitor to follow a crafted link could inject malicious (or simply annoying) script or markup into the pages your WordPress site serves. Because these functions are so widely used, the problem reached well beyond WordPress core into a large number of plugins, many of them very popular:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • WP-E-Commerce
  • WPTouch
  • Related Posts for WordPress
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms
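To make the pattern concrete, here is an added illustration (my own example, not code from OIT Design, WordPress core or any of the plugins listed above). The public advisories at the time centred on add_query_arg() and remove_query_arg(), which default to the current request URI and return it unescaped; the fix plugin authors shipped was to escape at the point of output with esc_url() (or esc_url_raw() for a URL that is stored or used in a redirect rather than printed). The snippet assumes it is loaded by WordPress, for example as a plugin on a disposable test site; the function names, the action hook choice and the request URL in the comments are constructed for this example.

```php
<?php
/**
 * Plugin Name: Query-arg escaping example (added illustration, not OIT Design code)
 *
 * Assumes WordPress is loaded (drop into wp-content/plugins/ on a TEST site and activate).
 */

// add_query_arg() builds its result from $_SERVER['REQUEST_URI'] when no URL is
// passed, and it performs no escaping. Whatever the visitor put in the address
// bar comes straight back out of the function.
function qa_example_vulnerable_link() {
    // Constructed request for this example:
    //   /sample-page/?a=1"><script>alert(1)</script>
    // add_query_arg() returns that URI with &foo=bar appended, the double quote
    // intact, so the browser closes the href attribute early and runs the script.
    $url = add_query_arg( 'foo', 'bar' );
    return '<a href="' . $url . '">Next</a>';   // unescaped: the vulnerable pattern
}

// The fix: escape at the point of output. esc_url() strips characters that are
// not valid in a URL (including " < and >), rejects disallowed protocols such as
// javascript:, and entity-encodes & and ', so the injected quote never reaches
// the attribute.
function qa_example_safe_link() {
    $url = add_query_arg( 'foo', 'bar' );
    return '<a href="' . esc_url( $url ) . '">Next</a>';
}

// A URL that is stored or passed to a redirect rather than printed gets
// esc_url_raw(): same sanitizing, but without HTML entities so the URL stays usable.
function qa_example_cleaned_redirect_target() {
    return esc_url_raw( remove_query_arg( 'foo' ) );
}

// Only the escaped link is ever printed. Visit the test site with the constructed
// query string above and view source: the quote and <script> are gone.
add_action( 'wp_footer', function () {
    echo qa_example_safe_link();
} );
```

A quick check for your own plugins and themes: search them for add_query_arg( and remove_query_arg( and confirm every echoed result is wrapped in esc_url(). Anything you find unwrapped is the same bug the vendors above were patching.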

News of the vulnerability and many of the plugin updates came early in the week, and WordPress released its own core update to address the XSS issue on Tuesday (4/21), bringing core to version 4.1.2. Interestingly, WordPress then shipped the 4.2 major release on Thursday, only two days after the security release, and followed that with 4.1.3 for sites still on the 4.1 branch.

The reason for this flurry of activity is that, as you may know, WordPress has automatic updates. Since WordPress 3.7, minor releases (the third number, so for example 4.1.1 or 4.1.2) are applied to your site automatically by default, while major releases (4.1 to 4.2) wait until an administrator logs in and completes the update. So 4.1.2, the security release for the XSS flaws, and 4.1.3, which fixed some minor problems with 4.1.2, should both have installed themselves, but the move to 4.2 will not happen on its own. If your site is updating automatically you should be fine on 4.1.x for now; still, you should log in soon and move to 4.2, as it addresses more issues and includes some new features (https://wordpress.org/news/2015/04/powell/). You can confirm which version you are running under Dashboard > Updates.

For more on how updates work, read the Codex page on Configuring Automatic Background Updates. It is possible to turn automatic updates off, but I urge careful consideration before you do so. It is also possible to go the other way: enable all core updates, major as well as minor, and let plugins and themes hosted on WordPress.org update themselves. Again, think carefully about whether that is right for your site and environment.
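For those who want to see what those choices look like, here is an added example of the settings involved; this is my illustration, not configuration from OIT Design or the WordPress project. The WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED constants go in wp-config.php above the "stop editing" line, and the filters go in a must-use plugin (the file name auto-updates.php under wp-content/mu-plugins/ is my choice) so they load before the updater runs and cannot be switched off from the dashboard. Both fragments are shown in one block for reading; the plugin slug in the hold-back list is hypothetical. Assumes WordPress 3.7 or later.

```php
<?php
/* ---------- wp-config.php (added illustration, not OIT Design code) ---------- */

// Default behaviour since 3.7, the one described in this post: minor and
// security releases such as 4.1.2 and 4.1.3 install themselves; a major release
// such as 4.2 waits for an administrator.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Alternative: also install major releases (4.1.x to 4.2) in the background.
// Weigh this against the chance of a theme or plugin breaking on a new major.
// define( 'WP_AUTO_UPDATE_CORE', true );

// Alternative: no core auto-updates at all. Only sensible if something else
// (your host, a deployment process) is guaranteed to apply security releases.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Heavier still: disables every background update, translations included.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );


/* ---------- wp-content/mu-plugins/auto-updates.php (hypothetical file name) ---------- */

// Let plugins and themes hosted on WordPress.org update themselves. WordPress
// 3.7+ can do this but leaves it off by default; these filters turn it on.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// Finer control: auto-update every plugin except ones you know are fragile or
// customized in place. $item->slug is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'my-customized-gateway' ); // hypothetical slug
    return in_array( $item->slug, $hold_back, true ) ? false : $update;
}, 20, 2 );
```

Whichever way you set it, verify it afterwards: Dashboard > Updates states whether the site is set to update automatically, and the update log emails WordPress sends to the admin address tell you what actually ran.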

One final note: I haven’t heard of any sites actually impacted by this vulnerability at this time. I’m sure that there are some sites that have been impacted and now that the vulnerability is news no doubt more folks will attempt to use this for nefarious purposes. So while this seems to be an issue caught before it became a problem, it is a very important reminder to make sure your site(s) – and all the plugin and theme pieces – are being kept up-to-date and secure.