Category: WordPress News

  • WordPress Will Require Users to Have HTTPS This Year

    HTTPS will not only be an important ranking factor in the future for search machines, but also required for both existing and new WordPress installations.

    WordPress founder, Matt Mullenweg, recently announced that the software will require all hosts to have HTTPS for certain WordPress features to function.

    Don’t panic just yet. If you already have HTTPS, this shouldn’t affect you. But if you’re still using HTTP, you’ll need to upgrade soon. The good news is that the transition is not as difficult as you think it is and the benefits outweigh the assumed disadvantages.

    This article will go over what the WordPress HTTPS mandate means for you as a site owner; the advantages; as well as how to upgrade to HTTPS if you haven’t already done so.

    What is HTTPS?

    HTTPS adds a security layer to HTTP (Hypertext Transfer Protocol). HTTPS essentially encrypts data (using SSL or TLS) that is communicated between servers and clients until it reaches the intended recipient.

    This prevents cybercriminals from accessing sensitive user information and also reduces the risk of tapping and modification of sensitive data. Although HTTPS is not completely foolproof, it undoubtedly has major security advantages.

    HTTPS sites can be easily identified, as they have a locked padlock icon located on the link bar in most common browsers.

    Why is WordPress Pushing HTTPS?

    There are mainly two reasons for this, so let’s quickly dive into them.

    Google Prefers It

    It is no secret that greater encryption and cyber security has made the Internet a safer place for users. As usual, a Google update signaled the necessity of HTTPS for user experience, SEO and internet security.

    In 2014, Google suggested that enabling HTTPS on your site could result in higher search rankings. Although it still isn’t the only important factor in raising your site rankings, you shouldn’t underestimate its value. For example, if two sites are equal in all ways, but one site has HTTPS, that site would get a boost in rankings.

    Chrome will display a green padlock in the link bar when a site is using HTTPS, assuring users it’s using the latest security protocol.

    In January of this year, Google released version 56 of Google Chrome. This new release brought about some changes, notably with how Google Chrome treats HTTPS vs. HTTP sites. The browser now clearly identifies sites that are not operating HTTPS on their systems. For example, a “Not Secure” message now appears on pages without HTTPS that try to collect passwords or sensitive information. You can expect that, eventually, all pages not using HTTPS will clearly be labeled as having insecure connections.

    We can reasonably assume that Google’s preference for HTTPS has been a contributing factor for the changes implemented by WordPress.

    Users Prefer HTTPS Too

    A secure connection can make all the difference from a user’s perspective. Users see HTTPS as a positive signal that you are taking your site security seriously, for their benefit. So, having HTTPS could mean more traffic and longer usage times on your site.

    HTTPS is particularly important if you are operating an e-commerce site. Simply seeing the padlock icon could make users more comfortable in entering their payment details and other personal information. Particularly with the new Chrome update (mentioned earlier) which shows a “Not Secure” label on e-commerce sites or sites that require a user login or credit card information, but don’t have HTTPS.

    Both Google and user preference should be enough reason for you to upgrade your site to HTTPS. It is simply necessary to ensure watertight security for your users and to protect your online business reputation.

    Sites that require users to login or enter credit card information are now displayed as “Not secure” in Chrome when they haven’t switched to HTTPS yet.

    Remember when JavaScript was first introduced and quickly embraced by users and webmasters? Looking back, we can see now that JavaScript was essential for smoother and better user experience. HTTPS similarly, presents a number of unique advantages for user experience and security that we should all quickly embrace.

    We know that you may be overwhelmed switching from HTTP to HTTPS. After all, change does take time to get used to, but in this instance, you may need to quickly get on board. At this point, the advantages of HTTPS have greatly outnumbered the disadvantages. Plus, upgrading to HTTPS is no longer the costly, time-consuming, and difficult process that it once was. In fact, getting an SSL certificate in 2017 is fast, sometimes free, and quite easy to implement.

    How to Get HTTPS

    WordPress hosting partners should now provide an SSL certificate for all accounts. (It is required that they all do so as early as the first quarter of this year.)

    Your hosting provider may already provide a free SSL certificate, so check with them first before you make any third-party purchase. If they do not offer a free one, you could ask them if they sell third party SSL certificates. Once purchased, you can ask your provider to install the certificate for you on your server.

    Dozens of major companies are already backing Let’s Encrypt, including Automattic (known for WooCommerce, Jetpack, Akismet and WordPress.com)

    Another option is to explore the free alternatives, independent of your hosting provider. There are projects such as “Let’s Encrypt” which have now made it easy and quick to secure a free HTTPS certificate for your website.

    Let’s Encrypt is an authorized open Certificate Authority with millions of active certificates in place. There are other comparable projects out there that can help by guiding you step-by-step through the installation process or who have been authorized to deliver certificates.

    Remember that SSL certificates upgrade the website, but not the content itself. That means that the content on your page will also need to be updated so as to avoid 404 errors. Google may interpret the error as a mismatch in the security level of your site. The only way to avoid this is by encrypting the content of your website to match your SSL certificate.

    To track and resolve any 404 errors on your site, you may want to use a specialised plugin such as Redirection to do so.
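    Once the certificate is in place, the content fix the article describes comes down to finding every page element that is still fetched over plain `http://`. The scanner below is an added example (not code from the article or from WordPress): it parses an HTML page with the standard-library parser and lists the stylesheet, script, image, frame and form references that still carry an explicit `http://` scheme, which is what browsers treat as mixed content and refuse to show the padlock for. The sample page is constructed; the site names in it are placeholders.

```python
"""List mixed-content references in an HTML page served over HTTPS.

Added example, not from the article. Once the certificate is installed, any
page element still fetched over plain http:// (stylesheets, scripts, images,
frames, form targets) is 'mixed content': browsers block or flag it and the
padlock disappears. This scanner reports such references so they can be
rewritten to https:// or to relative URLs. The sample page is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attributes whose value the browser fetches or submits to
RESOURCE_ATTRS = {
    "link": ("href",),
    "script": ("src",),
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "form": ("action",),
}


def _urls_in(attr, value):
    """srcset holds comma-separated 'url descriptor' pairs; others a single URL."""
    if attr != "srcset":
        return [value]
    return [c.split()[0] for c in value.split(",") if c.split()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                for url in _urls_in(name, value):
                    # relative and protocol-relative (//host/...) URLs have no
                    # scheme and inherit https from the page, so only an
                    # explicit http:// scheme is a finding
                    if urlparse(url).scheme == "http":
                        self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return [(tag, attribute, url)] for every plain-http sub-resource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: two http:// assets, one http:// srcset candidate,
# one http:// form target, plus relative and protocol-relative references
# that are fine.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<script src="http://cdn.example.com/jquery.js"></script>
<script src="//fonts.example.com/loader.js"></script>
</head><body>
<img src="https://example.com/a.png" srcset="http://example.com/a-2x.png 2x, https://example.com/a-3x.png 3x">
<img src="/wp-content/uploads/b.png">
<form action="http://example.com/search"><input name="s"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads {url} over plain HTTP")
```

Run it against saved copies of your own pages (or feed it the output of `wp post list`-style exports); each line it prints is a URL to rewrite in the post content, theme or plugin settings before the padlock will show.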

    What if You Just Don’t Want to Upgrade to HTTPS?

    You could see a number of things happening to your site over time if you do not upgrade to HTTPS. The first may be facing the consequences set out by Google, i.e: lower rankings and having your users staring at a “Not Secure” warning when they try to access your site via Google Chrome.

    The second is that you could struggle with WordPress updates and lose some or all functionality on specific WordPress plugins.

    Third, your site may be an easier target for hacking.

    Those are three consequences that require you to seriously reconsider if you really want to take the risk of not upgrading to HTTPS.

    Wrapping Up

    Let’s put it this way: you will simply have nothing to lose by adopting HTTPS. Yet, if you do not use HTTPS, you could risk leaving your site in the “dark ages” of the Internet.

    But then again, if you’re a WordPress site owner, you have no choice. Take the plunge and let us know how it worked out for you!

  • WordPress Hack Redirects Visitors to Malicious Sites

    WordPress’ most recent hack redirects users to default7.com.

    Security is a major concern for WordPress site owners and rightly so: there are over 7.5 million cyber-attacks on WordPress sites every hour. Unsurprisingly, WordPress’ open-source nature and flexibility makes it vulnerable to a host of diverse attacks. But its core is quite secure as the WordPress team is dedicated to conserving the structural integrity of the application. The same, however, cannot be said for all WordPress themes and plugins.

    A malware attack was recently discovered by John Castro of Sucuri. The malware places 10-12 lines of code at the top of vulnerable WordPress theme header.php files in order to redirect visitors to malicious sites.

    This article will provide details of the attack; as well as tips to secure your site from such attacks in the future.

    How the Malware Attack Works

    As mentioned earlier, the malware places 10-12 lines of code at the top of the header.php file of an active WordPress theme. The code appears as follows:

    Malware injection in header.php file

    The malware redirects visitors to default7 .com (not the final redirect destination) upon their first visit. It then sets the “896diC9OFnqeAcKGN7fW” cookie to track returning visitors for a year, and tests for search engine crawlers. If there are no crawlers, it proceeds to check the user agent header.

    The redirects are random for everyone. Furthermore, default7 .com is only the first redirect destination. Visitors are further redirected to the following domains (depending on the IP address and browser):

    • test246 .com
    • test0 .com
    • distinctfestive .com
    • ableoccassion .com

    What is particularly interesting is the malware’s behavior on Internet Explorer. When the visitor uses Internet Explorer, they are redirected to a site that provides a malicious Flash or Java update.

    Fake Adobe Flash update

    Another interesting behavior occurs on Facebook. When you share an infected site link on Facebook, you may see the post snippet from another site – one of the five redirect sites. Facebook will still redirect people to the malicious site, even after you remove the malware from your site. This is because the cache is shared. You can reset the cache here.

    You may be surprised to hear that this kind of infection is quite common when hackers get access to a WordPress admin interface. With the right credentials, they are able to (quite easily) edit a theme file.

    Which Sites Are Infected?

    The recent exploit is actually not the only malware threat on infected sites. In a majority of cases, the infected sites had several security vulnerabilities resulting in a number of other infections. Just a minority of sites showed that the infection was only found in the theme’s header.php file.

    How to Detect the Malware

    The malware code is not without flaws. That is, it often tests for parameters that do not exist, which results in a PHP error. Since some servers have PHP notices turned off, the error is not always displayed; but a Google search of “Notice: Undefined index: 6FoNxbvo73BHOjhxokW3” may reveal the malware code on your server.

    Sucuri shared that some Google search results could reveal errors in the theme footer file. That is because the malware previously infected footer.php files and placed a similar redirect code at the top of those files. The attack moved to header.php files and re-infected sites that had the malware code in their footer.php file. Even though the malware has been updated, the redirects send visitors to the exact same pages.
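    The indicators above (the cookie name, the key from the PHP notice, and the redirect domains) are enough to check your own theme files directly instead of relying on a Google search. The scanner below is an added example (not code from the article or from Sucuri): it reads the first lines of every theme’s header.php and footer.php, which is where the article says the injection sits, and reports any of those indicators. The extra check for obfuscation helpers such as eval() and base64_decode() near the top of a theme file is a general heuristic assumed by this example, not something the article reports. The sample files are constructed and carry only the marker strings.

```python
"""Scan WordPress theme header.php / footer.php files for the redirect
malware indicators described above.

Added example, not from the article or from Sucuri. The indicator strings
(cookie name, undefined-index key, redirect domains) are the ones quoted in
the text; the generic checks for eval()/base64_decode() near the top of a
theme file are a common extra heuristic and are an assumption of this
example, not something the article reports.
"""
import re
from pathlib import Path

# Indicators quoted in the article (domains written without the
# defanging space used in the text).
INDICATORS = [
    "896diC9OFnqeAcKGN7fW",   # tracking cookie set by the malware
    "6FoNxbvo73BHOjhxokW3",   # key from the 'Undefined index' PHP notice
    "default7.com",
    "test246.com",
    "test0.com",
    "distinctfestive.com",
    "ableoccassion.com",
]

# Generic heuristic (assumption): obfuscation helpers rarely belong in the
# first lines of a theme's header.php or footer.php.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")

TOP_LINES = 15  # the article says the injection sits in the first 10-12 lines


def scan_theme_file(content, name):
    """Return a list of (line_number, description) findings for one file."""
    findings = []
    for lineno, line in enumerate(content.splitlines()[:TOP_LINES], start=1):
        for marker in INDICATORS:
            if marker in line:
                findings.append((lineno, f"{name}: indicator {marker!r}"))
        m = SUSPICIOUS_CALLS.search(line)
        if m:
            findings.append((lineno, f"{name}: suspicious call {m.group(1)}()"))
    return findings


def scan_themes_dir(themes_dir):
    """Walk wp-content/themes/*/{header,footer}.php and collect findings."""
    results = {}
    for path in Path(themes_dir).glob("*/*.php"):
        if path.name not in ("header.php", "footer.php"):
            continue
        found = scan_theme_file(path.read_text(errors="replace"), str(path))
        if found:
            results[str(path)] = found
    return results


# Constructed sample of an ordinary theme header (not real theme code).
CLEAN_HEADER = """<?php
/**
 * Theme header template
 */
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<meta charset="<?php bloginfo( 'charset' ); ?>">
<?php wp_head(); ?>
</head>
<body <?php body_class(); ?>>
"""

# Constructed sample that only carries the marker strings, not the malware.
INFECTED_HEADER = """<?php
if ( ! isset( $_COOKIE['896diC9OFnqeAcKGN7fW'] ) ) {
    $dest = 'http://default7.com/';   // constructed marker line
}
?><!DOCTYPE html>
<html>
"""

if __name__ == "__main__":
    samples = (("clean/header.php", CLEAN_HEADER), ("infected/header.php", INFECTED_HEADER))
    for name, text in samples:
        for lineno, what in scan_theme_file(text, name):
            print(f"line {lineno}: {what}")
```

Point `scan_themes_dir()` at your site’s wp-content/themes directory; a clean install returns an empty dictionary. A hit on an indicator string means the file needs to be restored from a known-good copy of the theme, and since the article notes most infected sites had further infections, a hit should trigger a full review rather than a single file fix.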

    How to Remove Malware

    Removing malware is a multi-step process that you may want to consult a WordPress expert on. If you’re not that experienced in security yourself, odds are you’ll only make things worse. Businesses specialized in WordPress such as our very own Semper Fi Web Design team can address all your security concerns.

    But for now, let’s take a look at what you can do in general to protect your site from such attacks.

    How to Keep Your WordPress Site Secure

    Protect Your WordPress Admin Interface

    Your WordPress admin panel is a goldmine for criminals. Therefore, you need to restrict access to it as much as possible: only those who need to access it should be able to. In any case, you should restrict everybody’s ability to make changes to your header.php file.

    As we’ve seen with this recent redirect attack, hackers with admin credentials to your site can directly and easily make changes to your theme’s header.php file. You can effortlessly disable a user’s ability to edit PHP files in your admin interface by adjusting your wp-config.php file. Simply copy and paste the following code in your wp-config.php file:

    # Disable Theme Editing
    define( 'DISALLOW_FILE_EDIT', true );

    Other tips for keeping your admin interface secure:

    • Use strong passwords
    • Change all passwords periodically
    • Limit the number of login attempts
    • Check to make sure that no fake admin accounts have been created
    • Do not use “admin” as your admin username
    • Enable two-factor authentication
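    Limiting login attempts is easier to enforce when you can see them. The script below is an added example (not code from the article or from WordPress): it reads web-server access logs in the common “combined” format and flags any address that posts to wp-login.php repeatedly within a short window. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect to wp-admin, and that log lines are in time order. The log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Flag IP addresses hammering wp-login.php, from web-server access logs.

Added example, not from the article. Assumptions: Apache/nginx 'combined'
log format, lines in chronological order, and the usual WordPress behaviour
that a failed login returns the form again with HTTP 200 whereas a
successful one answers 302 (redirect to wp-admin). Repeated
POST /wp-login.php with status 200 from one address is therefore the signal.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for IPs with >= threshold failed logins
    inside any sliding window of the given length."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if (not ev or ev["method"] != "POST"
                or ev["path"] != "/wp-login.php" or ev["status"] != 200):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


# Constructed log: one address fails six times in two minutes, a second
# address logs in successfully (302), a third fails once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2017:10:01:58 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2017:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2017:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within the window")
```

Feed it `access.log` (for example `find_bruteforce(open("/var/log/apache2/access.log"))`) and hand the flagged addresses to your firewall or login-limiting plugin; a login-limiting plugin enforces the same threshold at request time, this script lets you confirm after the fact that the limit is doing its job.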

    Update WordPress, Themes and Plugins to Latest Versions

    It is critical to update WordPress and all of your themes and plugins to their latest versions. In addition to improved functionality, most updates are provided to address security concerns and vulnerabilities, so update to the latest versions as soon as they are available.

    Make Sure Your Computer(s) Is Free of Viruses and Malware

    Any precautionary measures you take to protect your site from malware would all be null and void if your computer contains any viruses or malware. That’s because a hacker could access your site’s login details from your computer and swiftly proceed to infect the site. Therefore, it’s important to install a good antivirus program on all computers you use to log into your WordPress site.

    Most of us love WordPress for its flexibility, among many other reasons. Indeed, it is the most popular open-source Content Management System (CMS) out there. However, the reasons we love it so much are the very reasons that make it vulnerable to cyber-attacks. It’s important to be aware of that and take the necessary steps to protect your site.

  • WordPress Upgrades Usability and Customization with 4.5 Coleman

    WordPress is always improving and introducing new features that make it easier to publish great content for your visitors. The latest release of WordPress, version 4.5 Coleman, named in honor of the famous jazz saxophonist Coleman Hawkins, is now available for all users to download. The update adds new features to the WordPress dashboard and improves usability, creating a more efficient experience whether you’re building a website or creating new content.

    So what’s changed? Well, the WordPress team have improved usability, incorporated a host of new features and made it possible to customize user experience more than ever. Let’s take a look at this update and how all of the new features work.

    Usability

    Selective refresh

    There is now a framework in WordPress that allows you to preview changes in real time. The Customizer (Appearance > Customize) has been changed to allow previews to load far more quickly. Previously, the Customizer relied on reloading the entire preview, which was time consuming. Now, only the parts of the page that you change are reloaded, allowing you to quickly see what changes as you edit code and other settings.

    Using a postMessage transport that relies on JavaScript, changes are now seen instantly without any server-side communication!

    Script loader improved

    New support has been added for script header and footer dependencies. The new ‘wp_add_inline_script()’ allows for extra code to be added to registered scripts. WordPress 4.5 no longer generates wp-admin.min.css and wp-admin-rtl.min.css files, which are often in excess of 235KB. The new load-styles.php combines the two and results in the system relying only on four dashboard.css files which make up just 72KB.

    Embed template improvements

    Embed templates have now been split into parts and can actually be overridden directly by themes that have been implemented by the users. These settings can be amended through the template hierarchy, making it possible to change the way themes interact with embed settings.

    Smart image resizing

    Smart image resizing is arguably one of the best new features introduced to WordPress. Generated images on your website can now load automatically around 50% faster than ever before. The best part? The image quality is exactly the same.

    This is achieved by increasing the amount of compression that is applied to medium sizes. File sizes are notably decreased while maintaining image quality. This is beneficial also for sites that use ImageMagick, whereby unnecessary metadata has also been reduced.

    Editing

    Inline Linking

    Inline linking was a hugely anticipated feature released in WordPress 4.5. Before the feature was implemented, users added hyperlinks in the visual editor by highlighting the desired text and launching a popup that required you to paste in a URL and add link text.

    With the new 4.5 Coleman update for WordPress, you can now quickly edit links inside the editor.

    A new inline modal has been introduced in WordPress 4.5 that allows for easier link creation. A small inline modal will appear underneath the text that you highlight.

    If you need extra settings, there is a gear icon in the inline modal which gives you access to advanced options. This new inline linking is designed to save time and make the editing experience far more fluid.

    The change came as a result of WordPress user, Ella Iseulde Van Dorp, who became known for working on a ticket that encouraged WordPress to create a system that made the visual editor more like Google Docs. The Google system handles links much in the same way as the new inline linking system, putting WordPress on par with other online platforms.

    New formatting shortcuts

    In a further move designed to make content creation a more fluid and simple experience, the WordPress team have introduced new formatting shortcuts that allow you to change the way your content appears with simple input shortcuts.

    One such shortcut includes creating a horizontal line across your page by simply adding three dashes. This is something that has been available on Microsoft Word and Google Docs for many years.

    To see a full list of shortcuts in your new WordPress visual editor, simply head over to the help icon. The keyboard shortcuts page shows you a quite extensive list of text shortcuts that are available, including ‘>’ for Blockquote, ‘##’ for Heading 2, ‘###’ for Heading 3 and so much more. Keyboard shortcuts have also been added, including Alt+F8 that brings up an inline toolbar when text, an image or link is selected.

    You can easily view the full list of editing shortcuts in WordPress 4.5 Coleman by clicking on the Help button.

    Customization

    Custom logos

    WordPress 4.5 now allows people to add their own custom logo to their website, as long as their chosen theme has declared support for this. This new feature is an addition to the Custom Background and Custom Header features that already allow users to customize their themes with ease.

    The new logo feature allows you to not only upload and use your own logo, but you can crop logo images to the perfect size. This new feature works in the same way as the custom header option – a feature that is widely used by experienced and amateur WordPress users alike.

    Using the new custom logos is easier than ever. If you have WordPress 4.5 installed, you’ll be able to head over to ‘Appearance’ in your dashboard, and then click ‘Customize’ and ‘Site Identity’. Here you’ll be given the option to upload your own custom logo in the part of the menu that was once home to the Header Logo settings. It’s super simple and a highly anticipated new feature.

    Live responsive previews

    Finally, it’s easier than ever to preview what your site looks like on phones, tablets and regular computers. The live responsive preview feature is found in the Customizer panel and can also be accessed whenever you search for a new theme.

    When choosing your themes, it’s easier than ever to see what your website could look like on every platform. This will no doubt be a welcome addition to WordPress for people who are starting off on the platform and choosing what they want their website to look like.

    Depending on your browser, too, you will be able to see how responsive and mobile-specific themes appear as well. For instance, by turning on ‘responsive preview’ in the Firefox browser, you’ll be able to easily see how a website changes when it responds to the screen size. This is a particularly welcome feature for people who prefer to have a website that adapts according to the size of the screen.

    How to Update

    Want to update to WordPress 4.5 Coleman system? It’s easy! Simply head over to your WordPress dashboard and look for the update message. These messages are sent out automatically by WordPress, informing you how to download and install the new update. Simply click the link in the message. This is the easiest way to update, though it can also be installed manually.