Multiple Vulnerabilities In Ninja Forms WordPress Plugin Could Allow Site Takeovers Attribution

Some serious security vulnerabilities existed in the Ninja Forms WordPress plugin that risked over a million sites. Exploiting these vulnerabilities could allow an attacker to takeover target websites and redirect incoming traffic to malicious links.

Of course, any sites under management by have already been updated with the latest fixes.

Full article:

WordFence offers free security audits to K-12 public schools using WordPress

Know a K-12 public school using WordPress?

Wordfence is offering free site security audits and site cleaning for public and government-funded schools, now available worldwide. (The original announcement said U.S. only, but apparently they’ve extended it.) Check out their announcement, and please share this offer with a state-funded school, anywhere in the world, that could benefit from their services. uses WordPress

The big buzz in the WordPress community this month is that the new administration is using WordPress to serve

And while you and I probably don’t have anywhere near the manpower behind our sites that the Federal Government can muster to keep one of the most visible – and probably one of the most attacked – websites on the internet safe from all manner of security threats, it’s reassuring to know that they trust it enough for something this important.

So rest assured that YOU have made a good choice in using WordPress.

Is WordPress perfect? Definitely not – no computer program is. Does it hit that sweet spot of balance between ease of use, flexibility, security, and cost? I’d say yes.

The Value of a Testing or Staging Site

A well accepted practice in the software development world is to run major software updates through a series of tests before running them on the live site. This allows the developer to catch as many bugs as possible before putting the changes in front of users. Unfortunately, that’s not a practice that many WordPress site owners employ.

Most WordPress updates come with the standard warning that you insure you have a fresh backup of the site before running them. But the support forums are full of panicking site owners asking for help: “I just updated <WordPress, a theme, or a plugin> and now <some function> is not working! How do I get it back?” so it’s pretty obvious that even that level of caution is often ignored.

Many site hosts (SiteGround, some GoDaddy plans, etc) offer the ability to create a staging site – essentially a mirror copy of the live site with a different web address – with just a click or two, at no extra cost. Ask your host if that’s available for yours. If your host doesn’t offer staging sites we can set you up with one for a fee – contact us for details.

Ideally, you’ll upgrade your staging site and give it a run through to make sure everything looks right and functions correctly. Check things like menu drop-downs, contact forms, product ordering pages (have a cheap test product as a draft – or use a real product and cancel the purchase afterwards), embedded videos, site banners, as well as the general layout. If anything is broken, get it fixed and re-tested before moving forward. If possible, make those same fixes on the live site before upgrading it.

Once everything checks out OK on the testing/staging site, take a full backup of the live site, then perform the upgrade there and re-test. Sometimes there are bugs which only show up on the live site, despite your having passed all the tests on the staging site!

WordPress 5.6 May Break Sites on December 8 2020

From Search Engine Journal:

“WordPress 5.5 rolled in August 2020 and soon after millions of websites across the Internet broke. Get ready because WordPress 5.6 has the potential to do the same thing.

One of the WordPress developers behind the jQuery Migrate Plugin said in a support thread that the plugin would become “useless” once 5.6 rolls out. Anyone still depending on it in December will experience the rubber bands snapping off their sites all over again.”

The article goes into some detail on why the update in August broke many sites and why the 5.6 update might as well.

At we’ll be very cautious about this update, insuring we have a clean backup prior to updating. See also our post about testing on a staging site.

If you want to be extra careful about your updates, consider signing up for our Automated Visual Testing.

PHP 8 Released Nov 26

The latest update to PHP, the programming language which powers a lot of WordPress, was released on Nov 26, 2020. We can expect a

We can expect a lot of changes as WordPress and the plugin and theme developers incorporate the extensive code changes they’ll be required to make – and we’ll see a much more secure PHP. It has been predicted that a good number of plugins and themes will not be compatible, and that some developers will drop support of their creations rather than go through the work required to make them function.

Fortunately it’ll be a while before PHP8 hits at the user level, though WordPress 5.6 (currently scheduled for release December 8th +/- a few days) aims to be PHP8 compatible. But most web hosts will still need to test PHP8 versions on their equipment before rolling it out for general consumption, and plugin and theme developers will also need to do extensive testing and possibly rewrite a lot of code.

PHP is on a 2-year upgrade cycle; version 8 will be actively updated for the next two years and will then get one year of security upgrades after that.

more details on the WordFence blog

more details on

False Positive Vulnerability Report on Events Manager

The popular calendar plugin Events Manager was reported as containing a Cross-Site Scripting vulnerability, which turned out to be a false positive (no such vulnerability). Several vulnerability reporting sites are still listing it as vulnerable, and if you have it installed you may have been notified.

However, it is not an actual problem and you can safely continue using version or later.

A common .htaccess hack

We see this problem a fair bit, both on new hack repair client’s sites and being discussed on places like Facebook. So I figured I’d give a quick tutorial on how to identify and fix the problem.

The Symptom

When you look up your site on a search engine, you find your web address associated with a list of sites which are definitely not yours.

The Exploit

This is often caused by a hacker getting into your site and making changes to a special hidden file in the root level of your site named .htaccess

The .htaccess file can be used for a lot of things – blocking specific IP addresses or series of IP addresses, preventing directory listings, preventing hotlinking… and of course, redirecting traffic.

The hacker script inserts a few lines which redirect all traffic from the big search engines to other sites.

Immediate Solution

Log in to your web host’s cPanel or similar, and go to File Manager. (These steps can also be done via FTP if you have an account). Go to the root level of your WordPress installation. You should see your .htaccess file – if not, make sure that you have the ability to see hidden files (you may have to chat with your web host).

Open the .htaccess file and look for three lines similar to these:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ antiquate-cashers.php?$1 [L]

The first two lines basically say “If anyone comes to your site from any of these major search engines….”
and the third line says “Go to this page”.  The file name in that third line is automatically generated by the hack script, and like the one above typically has a nonsense name.

When you go look at that page, it’s going to be 100% hacker code.

Delete those three lines from your .htaccess file, or put a # at the beginning of each line, which indicates that it’s a comment, not to be acted upon. Save .htaccess.

Check the creation date on that nonsense-named file. Chances are that there are a bunch of files strewn about your site structure which were created on the same date and contain similar looking hacker code. Delete them all. Consider uploading fresh, clean copies of WordPress, all your plugins, and your themes, as it’ll ensure that you didn’t miss any in those parts of your site. That will take care of most of the offending files, but you’ll also have to look around in other parts of your wp-content folder such as Uploads.

If you don’t get them all AND remove the security hole they got through in order to hack you in the first place, then the problem will just come back later.

Long term solution

The long term solution of course is to sign up here and we’ll do our best to keep your site from getting hacked in the first place! We’re also available to do hack repairs on your site if you’re in need. Contact us any time.