Catch up on the conversation. This piece comes as a followup to our CEO Joshua Strebel’s recent piece on why you should never pay your WordPress host for pageviews. Managed WordPress hosting has exploded across the hosting industry since Pagely created it way back in 2006. Overall, the level of innovation that the mainstream has brought to WordPress is amazing. Unfortunately, this sometimes comes with negative side-effects. As investors demand higher profits, many of these managed WordPress hosts are looking for ways to gain a quick and easy boost to their margins. Like we mentioned in our definitive guide to PHP workers, there are a few different metrics that are often misinterpreted, whether intentionally or not. Today, we’re going to talk about pageviews and their role in the managed WordPress hosting world. What Counts as a Pageview? Many hosts cite pageviews as a billing metric with vague term descriptions, if any exist at all. Even with clarified definitions, pageviews tend to mutate on a host-by-host basis with a dizzying array of buzzwords. Although individual managed WordPress hosts vary on what they consider a “pageview”, most define it like this: pageviews are the number of unique IP addresses that access pages on your WordPress site per day, excluding known bots. (Yeah, I know. The term is more like “the number of unique request sources per day, based on predefined catch-all filters.” But I wasn’t the one that made this up, so bear with me here.) Pageviews as a Billing Metric Before we dig in any deeper into the details, let’s think about the definition that I mentioned. Considering that narrative, which of these sites would be more expensive to host? A directory website that houses billions of pages, showing 1,000 entries at a time. A personal blog who’s majority of traffic is to single posts. A documentation site where visitors typically access multiple pages per day. A simple informational website for a local restaurant. An online shop that sells small-batch artisanal snake oil. An API that uses headless WordPress to dynamically fetch content. If you guessed that they represent the same metrics in the eyes of pageview-based billing, your logic prevails! Assuming that they all experience the same number of unique visitors, they’re all treated the same way, regardless of how resource-intensive the site is or how many pages each visitor accesses. Of course, it would be silly to treat all of these sites the same way. Some pages might have large amounts of fully dynamic content, while others might be eternally served from cache. Using an umbrella term like pageviews as a billing metric causes several different issues, based on the site being hosted. Setting Realistic Expectations The first issue that pageview-based billing causes is an unrealistic expectation for low-performance, unoptimized sites. If you’re not familiar with how WordPress sites perform on the server side, you might think that these limits matter exclusively and use them to determine what capabilities you need from a hosting provider. If you’re evaluating your hosting options purely based on a pageview limit, you’re ignoring critical factors that can dramatically impact your WordPress site. Performance-Based Punishment What if you’ve put hard work into optimizing your site? Well, now you’re wasting money on a billing metric that doesn’t matter. If your site is highly cacheable, you’re feeling the impacts even further. When serving content from cache, it’s practically free from a hosting perspective. You’re being nickel-and-dimed for something that is entirely outside of your control. Knowledge is Power As you scale, knowing what you’re paying for can quickly become a critical part of maintaining a healthy, cost-effective site. Coupled with the fact that the same people who are charging for pageviews tend to hide their underlying infrastructure behind the curtains, there’s no way to verify or manipulate what’s being counted. While many claim that they exclude the known IP addresses and user agents of known bots from counting towards your monthly pageview bill, what’s their motivation for even bothering? After all, more pageviews mean more money in their pockets. Pageviews Are Still Helpful Many of our prospective customers ask, “How many pageviews can ‘x’ plan handle?” Like we mentioned earlier, the impact of each pageview dramatically varies based on the type of content viewed and how your site was developed. Every WordPress site is different. It would be impossible to accurately estimate the ideal hosting environment without a complete understanding of what your site’s usage looks like. Although pageviews are a faulty metric as far as billing is concerned, they can still be useful as part of a larger dataset. Whether you’re scaling, optimizing for better performance, or shopping for a new hosting provider, pageview data plays a role in getting a full picture of your site. For example, if you were running benchmarks to determine your server’s capacity, pageview data could be used to identify what a typical day looks like. Let’s say your site looks something like this: 10% of traffic is on the home page. 30% of traffic is to various landing pages. 30% of traffic is to different blog posts. 20% of traffic is to your product’s pricing page. 10% of traffic is on account-related pages. Using that traffic data, you could then estimate what types of content have the most significant impact on server resources. You may find that some pages underperform and could use some optimization, while other highly-cacheable content, like blog posts or landing pages, remain essentially free. If 90% of your traffic goes to fully-cached content, increases in traffic have a trivial impact on your bottom line, if any. Closing Remarks Operating a WordPress site at scale is all about a delicate balance of performance and cost. At Pagely, we partner with our clients to help them achieve those goals. While shopping for a new hosting provider, be on the lookout for hosts that impose false barriers, such as PHP worker limits and pageview counts. Those vague limitations are a red flag that they’re going to try to upsell you later. (These limitations are also a sign that they’re trying to sell you on shared hosting resources too, but that’s a topic for another discussion entirely.) We hope that you’ve learned more about the impact of pageviews (or lack thereof) and why it’s not an appropriate billing metric. Do you have any experiences with pageview-based billing that you’d like to share? Is there something we missed? Let us know in the comments below.
At Pagely, we pride ourselves on providing the best possible solutions for our customers. Sometimes, that requires dedicating a significant amount of research and development into truly discovering what works best. Whenever possible, we always want to take a data-backed approach. That’s why we’ve run several benchmarks to determine how PHP workers impact a site’s performance. By running these benchmarks, we can ensure that our customers can get the maximum amount of value out of their hosting environment. So without further ado, let’s take a look at our tests and what we found! Our Testing Environment First, let’s talk about the environment that we tested on. To ensure that our tests can be replicated and improved upon, we’ve performed them on a standard Amazon EC2 instance that anyone can spin up. In addition, we’ve also made the entirety of our benchmarking code available on GitHub. Our PHP Test Scripts As anyone who’s done any benchmarking knows, a primary concern is eliminating any potential noise within the tests. An excellent way of testing PHP worker behavior is to have the worker perform tasks that are heavy on CPU, without impacting things like disk I/O or network latency. To accurately benchmark PHP worker behavior, our test code is a simple PHP script that encrypts and decrypts a string several thousand times to perform CPU-heavy activity. Here’s the gist of how it works: // Encrypt and decrypt a string 50,000 times. while ( $times_run < 50000 ) { $encrypted = openssl_encrypt( $string, $method, $key, null, $iv ); $decrypted = openssl_decrypt( $encrypted, $method, $key, null, $iv ); $times_run++; } Our Benchmarking Environment On the client-side, we wanted to ensure that we’ve eliminated noise from any outbound requests, while performing tests that accurately reflect different CPU core counts. For this, we wrote up a shell script that runs the k6 benchmarking tool against various Docker container configurations that reside on the server. By using Docker, we’re able to run a single script that utilizes different numbers of CPU cores and runs benchmarks against each separate core count. Just like our PHP code, it also resides within GitHub for you to take a look through. Here’s how we’re doing it: #!/bin/bash mkdir -p reports # “num-cores cpuset” for row in “1 0” “2 0-1” do set — $row cores=$1 cpuset=$2 for worker in {1,2,8,50,100,200} do pworker=$(printf “%03d” $worker) pcores=$(printf “%02d” $cores) file=reports/${pcores}core-${pworker}worker.txt json=reports/${pcores}core-${pworker}worker.json if [[ ! -f $file ]] then ./run-php.sh $cpuset $worker $file ./run-bench.sh 3 $worker $json >> $file fi done done Our Results When processing our results, we need to eliminate things like network latency. Thanks to the k6 benchmarking tool, we were able to do that with ease by looking at http_req_waiting times and using the following statistics: Average response time Minimum response time Median response time Maximum response time p90 (maximum response time for the fastest 90% of users) p95 (maximum response time for the fastest 95% of users) Requests per second Requests Per Second Within our tests, we’re sending a number of virtual users that match the number of cores being utilized by our testing environment. For example, when running a test against an environment with 4 CPU cores, our benchmark uses 4 simultaneous virtual users. These users perform a request, wait for a response, then immediately send another request. They’ll continue doing this for our testing duration of 60 seconds. Here’s a graph of the results: As you can see, a balance of PHP workers and CPU cores is what matters most. Without enough dedicated CPU workers to handle the influx of traffic, requests can’t be handled efficiently. In contrast, after a certain point, adding more PHP workers has a minimal impact on the number of requests per second that the server can handle. Once at critical mass, there’s even a negative impact on the site’s performance as too many PHP workers are added. Looking even further at the data we’ve collected, we can quickly determine that the optimal number of PHP workers varies based on the number of CPU cores being utilized. Of course, on different workloads (different levels of code optimization) or digging deeper into different PHP worker counts, we may have found a slightly more optimal worker pool. Still, overall, it’s a pretty good starting point. Looking deeper into how the number of PHP workers impacts the number of requests per second that our test environment could handle, we see some interesting data. For example, let’s look at our 32 core test: 1 Worker 4.99999187 2 Workers 10.86665914 8 Workers 41.84993377 50 Workers 160.8998032 100 Workers 162.8164824 200 Workers 160.1164952 400 Workers 159.6665389 As you can see here, the number of requests per second that can be handled steadily increases as we increase the PHP workers, until it reaches 50 workers. At 100 PHP workers, we see a slight increase; then, at 200 and 400 workers, we see performance declining. This is a common trend amongst all of our tests. After a certain point, adding more PHP workers will decrease performance overall. While the impact is at rather low levels, this can be majorly problematic for sites that don’t have a dedicated resource pool. Many shared/cloud WordPress hosts have thousands of people all on the same server. Since the number of PHP workers will need to be significant (and they’re always screaming about how many PHP workers they have), every site on the server is negatively impacted by the worker pool as a whole. Measuring Response Times While the overall capacity of requests per second is a reasonable determination of how many users a site can support simultaneously, it’s not the only metric at play here. In our tests, we also measured response times, based on the number of PHP workers are active for environments with different core counts. Here’s what our chart for a 32-core environment looks like: As you see here, there is a measurable increase in response times as the number of PHP workers increases. While our Requests Per Second statistics only change slightly between 50 PHP workers and 400 PHP workers, request time shows an entirely different story. Let’s take a look at the raw data to look a bit closer at what’s happening: Worker Count Average Minimum Maximum Requests Per Second 1 Workers 199.39 198.50 208.07 4.99 2 Workers 183.67 177.27 188.35 10.86 8 Workers 190.71 175.81 197.59 41.84 50 Workers 309.70 189.69 1034.55 160.89 100 Workers 610.20 191.03 2903.50 162.81 200 Workers 1230.40 194.00 3937.65 160.116 400 Workers 2422.41 197.82 10478.34 159.66 When running a static count of 50 PHP workers across 32 cores, we see that we can make 160 requests per second, with an average response time of 309ms. When we increase that worker pool to 100 PHP workers, we see that we can handle an additional 2 requests per second, but our average response time increases to 610ms. That’s a 97% increase in the time it takes PHP to handle the request for only being able to handle an additional 1.25% more users! As we increase the worker count even further, we see that while the number of requests per second stays roughly the same between 50 and 200 PHP workers, our average response time increased by almost 300%. From this data, we also see that while a lower number of PHP workers in the pool can handle less traffic, our response times do become lower. At 8 PHP workers, we’re only able to process roughly 41 requests per second, but our site became much faster — responding in around 190ms. Putting It All Together After running our various benchmarks, we see plenty of interesting data that everyone can use to optimize their WordPress sites better. Within our benchmarks, we’ve proven that the number of available PHP workers on your server does indeed matter quite a bit — just not how you might have imagined. Now that you’ve seen the data, we’d also like to stress the importance of running an optimal number of PHP workers that is appropriate for your WordPress site, rather than just guessing or taking a cookie-cutter approach. More PHP workers do not necessarily mean increased performance. If not tuned to the exact specifications of your site, changing your PHP worker count can be catastrophic to your site. If you’re attempting to tune your site’s performance to handle more traffic or get faster page load times, you’ll want to do so in a way that’s specific to your website and the server on which it resides. Generally speaking, if you want to increase the number of users that your site can handle simultaneously, you’ll want to increase your PHP worker count. If you want your site to be faster, decrease the worker count. If you want a mix of the two, you can always use dynamic limits with a minimum and maximum worker count. Having a dynamic worker count allows you to handle spikes in traffic while offering faster page load times when you’re receiving an average amount of traffic. Want to share your thoughts? Have an idea for performing even better tests? Want to see something else benchmarked? Let us know in the comments below.
Thanks to 1-click installers and GUIs, WordPress exists as a way for people to quickly get things done, many times without a deep understanding of how all of the pieces fit together. WordPress’s ease-of-use is a great thing, but it can also leave many people in the dark when it comes to scalable approaches and best practices. Several service providers try to solve this problem by offering a “1 size fits all” approach. While a generic way of doing things might work alright at first, you’ll likely find out down the road that you lack the customization to scale based on your site’s needs. Is the solution to do everything yourself without any guidance? Unless you have a full team of extremely talented people working around the clock to manage your sites, you’re likely to run into even more problems as things complexities increase with scale. So what do you do? Here at Pagely, we realize that scalable solutions can sometimes be a significant change from what you and your team are used to. You’ve likely moved up to Pagely from a generic, cookie-cutter approach, but now it’s time for the big leagues. To help ease that transition, we want to help you gain a full understanding of how the Pagely stack operates, the tools that are at your disposal, and best practices when developing or deploying your WordPress site. Announcing Pagely Quickstart Today, we’re proud to announce the Pagely Quickstart education center. Inside Pagely Quickstart, you’ll be able to walk through every aspect of what you’ll need to know when onboarding with Pagely. We’ve covered everything from logging into our Atomic control panel to creating automatic deployments across multiple environments. Since we realize that your time is valuable, Pagely Quickstart is broken up into several different courses to keep your learning experience quick and lean. Are you an account owner who wants to let their development team handle the heavy lifting? Do you want to give your developers a course to help them hit the ground running? Each course is designed to be as efficient as possible. Nobody likes to be bored with endless information that they’ll never use in a practical scenario. Pagely Quickstart Includes Comprehensive Product Guides for our Proprietary Technology & Service: The Atomic Control Panel Overview Migrating to Pagely Gaining SSH/SFTP Access Installing SSL Certificates ARES, PressARMOR, PressCACHE, PressCDN, and PressTHUMB We hope that you’ll find our new Pagely Quickstart courses useful. As we move forward and collect feedback, we’ll be adding further enhancements to ensure that your learning experience is comprehensive and enjoyable. If you have any feedback for us, feel free to let us know in the comments below!
One of the greatest things about WordPress is the open source community behind it. Thanks to the multitude of plugins and themes available, even the most basic of users can create and deploy a WordPress site with ease. Through this beautiful ecosystem that empowers people to build amazing websites, several businesses have also flourished. Premium plugins like Gravity Forms and Easy Digital Downloads have even created niche communities inside the broader WordPress community. The Benefits and Drawbacks of WordPress’ Open Source Ecosystem WordPress itself is available under the GPL license. Although hotly debated and rarely enforced, this means that the PHP code inside of any WordPress plugins and themes must also be licensed under the GPL. Because of this, even premium plugins and themes are usually released under the GPL license and can be legally distributed to anyone who wants them. Not only does the license allow someone to give these premium products away for free, but anyone can even resell them without permission. As an advocate for open source software and someone who has contributed countless hours of his time to giving back to the WordPress community, I love this approach. Almost everyone in the world uses some form of open source software to improve their lives, so why not give back as much as possible to improve someone else’s life? But inside the WordPress ecosystem (and many other open source platforms), there’s a problem with this approach that can’t be easily solved. Scavengers all over the world abuse the generosity of the open source community by exploiting the freedoms that they’ve been offered. They’re not just impacting those WordPress-based product businesses — they’re hurting the end-user. 3rd-Party WordPress Product Resellers Reselling 3rd-party WordPress plugins and themes is quite common and easy to do. It’s as simple as getting a copy of the product, setting up a website, then offering 90% off of whatever price that the creator is charging. It takes minimal effort, if really any at all. If you’re the average small business who built your own WordPress site, you probably wouldn’t even know the difference. Isn’t it still the same plugin? The important thing to note is that most premium WordPress plugins and themes aren’t selling you their code or access to a download link. They’re selling a license for support, updates, add-ons, and various other perks. When it comes down to it, you’re buying into a guarantee that you’re receiving a quality product from a reputable brand. Unfortunately, a typical small business wouldn’t notice this distinction. When problems arise, such as compatibility or security concerns, who do they go to? If they received the product from a reseller, is the reseller going to make sure that they’re in good hands? Most certainly not. Nulled WordPress Plugins and Themes Even more dangerous than buying a WordPress plugin or theme from a 3rd-party reseller is getting a free or “nulled” copy. For those who might not be aware of what a nulled product is, it’s a premium product that has had its licensing stripped out so that it can be used without any sort of validation that the product has been purchased. Why would someone go through the trouble of doing something like this? There are somewhat rare instances when it’s done for philosophical reasons, but in the overwhelming majority of situations, it’s to exploit the user. Sometimes these “nulled” versions will collect some data from you. Other times, they might collect data about your site. Worst of all, they might completely infect your site and users with dangerous malware. In fact, malware infections are quite common amongst unlicensed premium plugins and themes. For example, the WP-VCD malware has been spread exclusively through nulled plugins and themes. Once a site is infected, the plugin will call home to receive instructions on what to do with its newest victim. Usually, this will include hiding spam links on your site, as well as creating a new admin user. It’s pretty nasty stuff. To read more, check out Wordfence’s full report. Limiting Risk and Avoiding Dangerous Software You’ll never be able to completely prevent 100% of issues as long as you’re running 3rd-party code. Still, you can dramatically reduce your risk by always using reputable plugins and themes that come directly from the author. In general, evaluating any plugins or themes with the following criteria will dramatically reduce your risk: Is the product widely used? Is the product actively maintained? When was the last update? Have there been any security issues in the past? How quickly were they resolved? Is the product being purchased and downloaded from the original author? If you have a developer on staff, it never hurts to have them perform an audit of any changes that happen on your site. If you’re installing a new plugin, it’s always a great idea to take a look through the code that it’s running. If it’s a well-known plugin with a good reputation, you’re almost always safe, but the extra bit of verification can go a long way to keep you secure. You’ll also want to check with your WordPress hosting provider to make sure that they’re actively protecting you from any known (or even unknown) threats that your site may face. Any reputable web host will have a security staff that is actively protecting your site. Most of the time, they can identify an issue extremely quickly and resolve it before you even knew it existed. Remember when I mentioned earlier that buying a license for a premium WordPress product was much more about buying support, updates, and a guarantee of quality? Don’t forget to take advantage of those perks! If you have a concern, get in contact with the author for help. After all, that’s what you paid for. With a bit of honesty, integrity, and knowledge, avoiding dangerous WordPress plugins and themes is quite easy. If you have any questions or tips that would help others, feel free to drop a comment on this post. We’d love to hear your thoughts.
Whether you’re running a single WordPress site or a million, you’ve likely come across this question at least once: how do I scale as I grow? It’s a tough question to face. Should you scale up to a larger server, scale horizontally to additional servers, or is there something else that you should do instead? In this article, we’ll take a look at the different scenarios to help you determine which is best for scaling your site. Determining Needs When it comes to scaling WordPress sites, there isn’t a 1-size-fits-all answer. Your business is unique, and your website is no different. Even if your site was built exactly like another, you might not have the same goals in mind. Due to all of these variables, what works for one business may not work for another. There’s a well-known saying in most industries that you can have it 2 of 3 ways: good, fast, or cheap. It’s no different when it comes to hosting your website. If you’ve kept costs as low as possible and have done the right performance enhancements that your site needs, you might be barely skating by on your server’s resources. What if you wanted the fastest possible site and are willing to spend the money to ensure that nothing ever goes wrong? In many cases, there’s still a performance impact, even if a small one. So, where do you even start? Let’s take a look at a few things to consider when determining how to scale your WordPress site. Reliability How critical is reliability to you? If your site were to go down for 5 minutes on a Tuesday afternoon, how would it impact your business as a whole? Would you even notice? In a perfect world, every site would be up and running 24/7. While you might want to guarantee that your website would stay up and running smoothly forever, even in the face of catastrophe, it most certainly wouldn’t be cost-effective or practical. Even the biggest companies in the world, such as Amazon or Google, have issues from time to time. It’s just the nature of the beast. When determining how to scale your WordPress site, it’s essential to set realistic goals that reflect your needs. If you’re running a local restaurant or any other company that does the overwhelming majority of its business in person, a flawless uptime record might not be your highest priority. In contrast, if you’re operating an online-only eCommerce business, any sort of downtime could be detrimental to your bottom-line. It’s also important to keep in mind that running a reliable site is much more than how you host it. Things like hardware failures are exceedingly rare, thanks to advances in modern technology. In the overwhelming majority of cases, reliability boils down to how updates are performed, how well your code is written, and a multitude of other factors. When you’re determining your reliability needs, be sure to consider the fact that server reliability can be impacted by far more than server size or quantity when deciding how to scale your site. When reliability isn’t a critical concern, vertically scaling up to a larger server is usually your best option. It’ll allow you to keep costs lower than having multiple servers and handles future growth by accounting for higher resource usage when traffic grows. The downside is that if that single server goes down, everything else is going down along with it. If reliability is vital to your business, horizontal scaling is the best option. By scaling out horizontally, you’ll be balancing resources across multiple servers. If a node has an issue, another node is still there to handle your traffic. Performance We all want our sites to be fast, but how fast is enough? Are you concerned about a few extra milliseconds on the occasional page load? Perhaps the most important thing to understand about website performance is that it’s not all about the typical “page load time” metric that most people realize. When considering server performance, it’s not about how quickly a page can be served up, but rather how the server handles all of your traffic as a whole. If your site’s traffic increased by 50%, would your page load time remain the same? Aside from things like a gateway layer to handle horizontal scaling, you’ll need to figure out how your files will be handled. You’ll need to have a process in place to sync data across all of the servers. Not only will it take additional configuration to accomplish, but there can also be increased performance impacts if files or databases need to sync up often. The performance impact of scaling out to multiple servers can largely depend on your team that’s managing those servers. If you have a configuration that’s highly-optimized for how your site operates, those performance impacts can be minimal. When determining the best way for you to scale your WordPress site, here’s what you’ll want to consider: If you’re not as concerned with performance as you are reliability or cost, scaling out can be your best option here. On the flip side, if performance is your biggest concern, you may want to opt for scaling up to a larger server. Of course, if you have the funds to have a great team managing your servers, you’ll likely be able to scale out to multiple servers with a minimal impact on performance. Cost If you’re scaling your WordPress site, another thing you’ll want to consider is cost. Are you a small startup that’s trying to save money wherever you can? Are you an established business that has a larger budget? How much is your website worth to your business as a whole? Just like any other business asset, the better your team is, the better your end-results are. Great teams typically cost more, and it’s up to you to determine how much you’re willing to spend. If you have a small group with a lower budget, it might be best to scale up instead of out. As we mentioned earlier, scaling out to additional servers requires more advanced configurations that are custom-tailored to your site based on your needs. Due to these more complex configurations, your team needs more expertise and monitoring capabilities. Scaling up to a larger server is also a better option if you want “more bang for your buck.” Upgrading an existing server to allocate more resources is almost always cheaper than adding a second server for balancing resources. Hosting Multiple Sites: Evaluating Blast Radius Now that you have an understanding of the different things you’ll need to consider when deciding how to scale your WordPress site, let’s look at an additional scenario that might also apply to you: blast radius when hosting multiple sites. If you’re a WordPress agency who’s also hosting sites for your clients, or even hosting multiple websites for your own business, you’ll want to take further considerations in regards to blast radius. Your site’s blast radius determines how far an issue can reach. Does a problem with one site become an issue for others? For example, if you have multiple sites and one site decides that it wants to use up all of the available resources or became the target of an attack, it can cause the others to go down as well. If you’re hosting lots of little non-critical sites, some downtime might not be as much of a problem, but if you’re going to get a bunch of phone calls as soon as a client’s website becomes unavailable, you’ll want to limit your blast radius as much as possible. Scaling horizontally to additional servers is an excellent way to avoid problems with resource spikes. If a site starts spiking in traffic, server resources have a way to spread out. Going even further, if your entire fleet of servers is hitting capacity, you can easily add additional servers to handle the load relatively quickly. Beyond Hardware If you’re increasing in resource usage, you might not even need to add more hardware. Often, it’s something as simple as optimizing your WordPress site or server. Making sure that your code runs as smoothly as possible is a great start. By understanding your site’s performance as a whole, you’ll be able to make better decisions that could save you quite a bit of that hard-earned money. Even if you don’t have a dedicated development team working on your site, hiring a good freelance developer or agency to perform a few performance enhancements can save you a ton of money in the long run. Having an experienced team to manage your servers can also have an astronomical impact. An elite group of talented people can identify those opportunities and provide creative solutions to squeeze even more performance out of your existing setup. Frequently, these enhancements have a minimum impact on your budget, if any impact at all. So How Should I Scale My WordPress Site? Every site is unique, and there isn’t a simple answer to how to scale every WordPress site. It’s all going to depend on what’s essential to your business. Are you looking for more performance? Better reliability? The cheapest possible route to handle growth? If you’re looking for better reliability, your best option is usually to add more servers and scale horizontally. When trying to get the most out of your investment, scaling vertically to a larger server is going to be your best option. If you need increased performance, you’ll want to take a look at how your code is performing (and if all else fails, jump to a bigger server). Of course, these are all general rules. Determining how to scale your site is much more complicated than what could be written in an article or even an entire book. The complexities involved with scaling WordPress sites are best handled by always having an experienced team in your corner. If you’re not an expert in scaling sites, your best asset is someone who fully understands how your website runs and can provide deep insight on how to grow it. Need a team of WordPress experts to have your back? Pagely is always here to help your business grow.
We’re excited to announce that our development team has several new Atomic features that they’ve been working so hard on! Without further ado, let’s take a look at what we’ve rolled out in the newest version of the Atomic control panel. Simple Path Redirects Previously, the process of creating a redirect would have required a WordPress plugin, changes to .htaccess files if in Apache+NGINX mode, or contacting support for them to create a gateway-level redirect for you. Today, we’re proud to announce a new feature for managing redirects. Within each app, you can now create gateway-level redirects with ease. To check out the new redirect feature, jump over to your app’s settings and look for the new Custom Redirects section, or check out our documentation on creating custom redirects. Moving Domains Between Apps Have you ever needed to transfer a domain or domain alias from one app to another? Now you can do it from inside Atomic with just the click of a button! For more information on this new feature, please take a look at our documentation article on moving domains between apps. Easy Billing Cycle Changes At Pagely, we pride ourselves in being a flexible solution that best fits the needs of our clients. The flexibility of Pagely includes not only meeting the needs of your technical departments but also your accounting needs as well. That’s why we’ve rolled out a new feature that allows you to easily change your billing cycle from directly within the Atomic control panel. Billing cycles can easily be adjusted between monthly, quarterly, or annually with just a click of a button. For more information, see our documentation on changing your billing cycle in Atomic. A Focus on Education As you may have already heard, we’ve recently added Jeff Matson to our team of experts here at Pagely. Since he came on board three months ago, he’s been working hard to do what he does best: provide outstanding customer experiences through education. (He’s also pretty good at describing himself in the third person when writing blog posts.) With Jeff at the forefront of Pagely’s documentation efforts, he’s also leading an effort in improving user experience inside Atomic. One of these efforts that has rolled out is better descriptions of roles when adding a new collaborator. While these roles have always been described inside Pagely’s documentation, we wanted to make it even easier to understand the role you’re selecting, without the need to review an article on our documentation site. The addition of collaborator role descriptions is just one of the many new changes that we’re building into Atomic that focus on saving you time and effort while giving you a better understanding of our systems as a whole. We Love Your Feedback! Is there a feature that you would love to see? Are you excited about this new update? Let us know in the comments below or connect with us on Twitter.
There are a number of reasons you might need to change the URL of your WordPress site. Say a change to the brand, or the required switch from HTTP to HTTPS for security purposes. Then, of course, there’s the matter of updating a website from www to a naked (non-www) URL. In the following tutorial, I’ll explain why you might want to add www to your URLs in WordPress and provide you with a couple of methods for doing so. Reasons to Use WWW At first glance, it might not seem like there’s a whole bunch of difference between the Zapier non-www URL: And the Salesforce www URL: Both are located on an encrypted connection (as evidenced by the https:// prefix). And they both use a clear and concise .com domain name. However, there is a reason why one of those websites uses www and the other does not. Larger websites that contain subdomains must use www. Ultimately, it boils down to how the visitors’ browsers handle cookies. With www, browsers store cookies for the website as a whole, including all subdomains. Without www, browsers have to store a different cookie for every subdomain request. As you can imagine, the process is highly inefficient and slows down loading times on the website as a result. Aside from that one (very good) reason, the difference between www and non-www is superficial. How to Add WWW in WordPress For those who would like to add www to your WordPress website–regardless of whether it’s for a site with multiple subdomains–there are a couple of ways to do this. Just be careful. One wrong move and you could end up with the white screen of death. It might be simple to execute the change from non-www to www, but it will have far-reaching effects on your website. It will change: The web address on the frontend for visitors. The login URL for you and other WordPress users’ backend access. The functioning of internal and external links pointing to the website. Before adding www in WordPress, read the following instructions thoroughly. 1. Add WWW in the WordPress Admin From the WordPress dashboard, visit General Settings. On this screen, you’ll need to update these two fields: Add www. after “https://” and hit Save Changes. WordPress should instantly log you out at this time. If it doesn’t, you’ll want to do this on your own. To log back in, enter your admin URL into the browser window. This time, however, add www. to it. If you can’t log in after doing this, you need to refresh the server cache. If you continue to experience issues, use the next option. 2. Add WWW with the wp-config.php File If you want to hard-code the domain name change into the website, use the wp-config.php file to do so. Visit your control panel and open your file manager or FTP manager. Then, locate the wp-config.php file and add the following lines of code: define( 'WP_HOME', 'https://www.better-businesses-etc.com' ); define( 'WP_SITEURL', 'https://www.better-businesses-etc' ); Just remember to replace better-businesses-etc.com with your domain name. When you’re done, save your changes. One quick thing to note: The wp-config.php settings will always override the domain name settings in the WordPress dashboard. If you experienced issues trying to add www in WordPress and clearing the cache didn’t work, it’s probably because someone already hard-coded the non-www URL into this file. Do a search for the lines above and edit them to reflect the domain name structure you need them to be. 3. Perform a Database Search and Replace Depending on your plugins and theme, you might need to also perform a search and replace on the database to change all other references of the old non-WWW URL to the new one. The easiest way to do this is through WP-CLI. More information on doing this can be found on our Performing a Search and Replace with WP-CLI documentation. Why You Should Implement a 301 Redirect If you’re wondering, “Why don’t I just create a version of my website at www and one at non-www? Wouldn’t that be easier?” Here’s the thing: It’s not ideal to have both a www and non-www version of a website in existence. There are a couple of reasons for this. To start, Google indexes website content and associates it with the full URL. If you launched your WordPress site with a non-www domain and then decide a year down the line you want to change it, Google will have to index the www version of it from scratch and you’ll lose all that good link juice you accumulated. Creating a www mirror image of the non-www website would pose problems in SEO as well. Google bots don’t understand that you’re doing this for the purposes of capturing any and all traffic that goes to the www or the non-www of your website. Google bots will see this and try to rank both versions of the site simultaneously. So, not only will your content compete against itself, but it’ll suffer a penalty for listing duplicate content in search. Bottom line: you should choose whether to add www to your WordPress site or just leave it out altogether. But make a choice and stick to it. Then, when you’ve committed to your URL, set up a 301 redirect. Go to your domain manager and configure a 301 redirect to push traffic from the non-www: https://better-businesses-etc.localhost To the www URL: https://www.better-businesses-etc.localhost This ensures you capture all web traffic looking for your brand who might stumble on the wrong or older version of your URL. Final Thoughts To www or not to www? That was the question here today. As you have learned, there are clear reasons why large websites with subdomains should use www. For everyone else, the choice is yours to make. If you like how it looks, or you want to be 100% sure that people who know your brand name can find you, go ahead and add www to your WordPress site. Just make sure you follow the steps above to ensure it’s properly implemented.
Pagely is thrilled to announce our partnership with Object Cache Pro. Utilizing state of the art compression technology, Object Cache Pro is now part of Pagely’s core offering, and available to all of our customers, platform wide. Offering major cost savings, access to some of the world’s best technology, and a dedicated DevOps team to personalize your setup, Pagely customers can look forward to continued scale and growth, with no hosting friction. A first of its kind partnership, Pagely is proud to help fund innovation in this WordPress space by investing part of our budget into working alongside the fantastic team at Object Cache Pro. We’ve already seen great gains with Object Cache Pro and our customers can look forward to more in the future! Why Object Cache Pro? Before Object Cache Pro, we faced two challenges with sites making use of an object cache – CPU overhead and network saturation. The underlying technologies in Object Cache Pro solved both of these problems for us, translating to less money spent on server hardware and fewer situations where the (quite generous) AWS network limits are reached. With Object Cache Pro’s state of the art technology utilizing the Zstandard compression library from Facebook, without a lot of CPU overhead, compression is now done at the extension level, talking to and from Redis. This means less hardware, lower costs, and a better experience for our customers. Aside from supporting an efficient compression algorithm (zstd), Object Cache Pro also uses the igbinary serializer which is a drop-in replacement for the standard serializer in PHP. This works about twice as fast at serializing and unserializing data. Additionally, the data footprint is smaller when using igbinary and that translates into less memory being used by the underlying Redis service. We also found an in-depth comparison on igbinary vs other serializers on Blobfolio that you may also enjoy reading if you’re into this kinda stuff: https://blobfolio.com/2017/03/benchmark-php7-serialization/ With a wide selection of Redis plugins available in the WordPress marketplace, Object Cache Pro was the obvious choice for us not only because of their forward-thinking tech but also because of the dependability we have come to expect and appreciate from their brilliant team. All of this aside, Object Cache Pro is unrivaled when it comes to bug fixing, an extent to which is a rarity across opensource software. There’s a saying in the opensource community that goes, “there’s a lot of eyes so all the bugs get fixed.” But, more what we see concentrated use of the software by lots of users leading to fewer bug fixes for fear of breaking one users’ site. That, and, no one owns the codebase, so less can get addressed in a timely manner. Similarly, we are continuously impressed by their coverage of testing, fully unit tested with 100% code coverage. Further, switching over to Object Cache Pro gives Pagely customers access to our commercial relationship with their team, which means any problems our customers see are fixed within a few days. You benefit from our relationship. Fewer bugs in the caching layer and full unit testing is a good thing, and that’s something we stand behind. So, What’s in it for the Pagely Customer? We are the first premium host to achieve this level of partnership with one of the best technology companies in WordPress. Through our relationship with Object Cache Pro, every single Pagely customer benefits from the work we’ve done to secure that. But real talk, what’s in it for you? Major cost savings. Even when it means less revenue for Pagely, we’re constantly looking out for cost savings for our customers. By decreasing our dependency on more hardware, you see the savings directly on your bill. Access to a premium partner. Since you’re at a premium hosting provider, you automatically get access to the partnerships we’ve developed. What’s more? You don’t pay an extra licensing fee. The best tech, baked into your Pagely account. We’re always on the hunt for the best and most innovative technology for you. With no effort on your part, we do the legwork of implementing this tech across our technology stack. All you do is benefit from it. Bigger performance wins possible with a little extra code work. WordPress has a feature called Transients. It’s a way to store the result of a complex query or a long-running remote API call temporarily in order to make subsequent lookups for that data return a lot faster without doing the same expensive operation again. Normally without any object cache, transients are stored in the WordPress database’s wp_options table. When using an object cache, it is stored in memory. Adding a few extra lines to your code allows you to tap into the power of this API for incredible performance gains. Having an efficient object cache utilizing fast compression and serialization only increases those gains. A dedicated DevOps team. While others might catch on and jump on the bandwagon of partnerships like this, Pagely still stands above the rest in meaningful ways that translate to real gains for you, the customer. Our DevOps staff becomes your dedicated, in-house team. Our engineers handle all the setup and optimization to make sure your usage of Redis is optimized specifically based on your exact circumstances and needs. Other hosts don’t do that! When you partner with Pagely for your WordPress hosting at scale, you know you have selected the most forward-looking host driven by advances in technology, cost savings for you, and tangible outcomes that help your business thrive. Object Cache Pro Helped FanSided Scale So let’s get to a real-life example here. One of the first Pagely customers we switched over to Object Cache Pro was FanSided. Here you can see a dramatic decrease in network utilization on the Amazon Aurora RDS instance after implementing Object Cache Pro along with custom Transients Caching, which dropped usage from 1 Gigabit per second to 400 Megabit per second; and yielded even lower usage after some more optimizations were made. FanSided comprises a massive network of over 300 active websites and needed a fast solution to maxing out servers and using way too much CPU. Pagely found that solution in Object Cache Pro and implemented it with no effort on FanSided’s part to completely eliminate those issues. Here you can see how memory is no longer being maxed out after the date we turned on Object Cache Pro for FanSided. The proof is in the data, and here you can see dramatic drops in CPU usage after Object Cache Pro was implemented, as well as servers being maxed-out-no-more after the switch. Dramatic drops in CPU usage after implementing Object Cache Pro for FanSided. Read the full FanSided + Object Cache Pro case study here, and take it from our CEO: “In the vacuum of 1 website, a small performance gain is useful. At our scale of hosting, processing hundreds of billions of requests per month across thousands of AWS EC2 instances, a small performance gain to each site means a real and quantifiable benefit to our customers and our bottom line. Now what if that performance gain was not so small, but major. We sought out and partnered with Object Cache Pro after seeing the dramatic results in terms of performance and resource usage when testing. We have thus deployed their Enterprise solution fleet wide and the results speak for themselves.” – Joshua Strebel, CEO of Pagely
This monthly report is provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core No notable WordPress core security releases. Plugin/Theme Vulnerabilities of Note Security & Malware scan by CleanTalk https://wpvulndb.com/vulnerabilities/10292 This vulnerability within CleanTalk allows an authenticated user, such as an editor or subscriber, to make unauthorized Ajax calls which could lead to file deletion or downloads and also potentially function calls. Adning Advertising https://wpvulndb.com/vulnerabilities/10293 The Adning Advertising plugin has a vulnerability in versions lower than 1.5.6 which allows unauthenticated requests to upload or delete files, leading to an RCE attack, which can then lead to full site takeover. Wise Chat https://wpvulndb.com/vulnerabilities/10299 Wise Chat versions lower than 2.8.4 are susceptible to a CSV injection via a command sent in chat messages by an unauthenticated user that is included in an exported CSV file, which then could potentially lead to an RCE attack. Email Verification for WooCommerce https://wpvulndb.com/vulnerabilities/10318 The Email Verification for Woocommerce plugin prior to version 1.8.2 is affected by a loose comparison issue. This could potentially lead to any user (authenticated or non-authenticated), to log into the WordPress site. SRS Simple Hits Counter https://wpvulndb.com/vulnerabilities/10316 The SRS Simple Hits counter plugin is currently vulnerable to an unauthenticated blind SQL injection vulnerability. The responsible reporting parties at Tenable ( https://www.tenable.com/security/research/tra-2020-42 ) are working with the developer to write a more comprehensive patch to address this vulnerability, and will not release more details on the attack until they know a patch has been released. Site owners using SRS Simple Hits Counter plugin on their sites should keep an eye out daily for the patch to be released. Payment Form For Paypal Pro https://wpvulndb.com/vulnerabilities/10287 The Payment Form for Paypal Pro plugin versions before 1.1.65 are vulnerable to an unauthenticated SQL injection attack. The attack is a trivial single request which can expose the contents of your database (which includes user passwords and potentially other secrets) to the attack. This is a high risk vulnerability and site owners should patch immediately. WooCommerce Subscriptions https://wpvulndb.com/vulnerabilities/10330 The WooCommerce Subscription plugin is vulnerable to an unauthenticated stored cross site scripting (XSS) attack in the subscription billing process. Attackers can submit their XSS attack payload to during the billing step in the signup process, and later that payload will be executed on the browser of the administrator/user who reviews the attacker’s account. Site owners should update WooCommerce Subscriptions plugin to version 2.6.3 and not check any new user account information until that update is performed. TC Custom JavaScript https://wpvulndb.com/vulnerabilities/10325 The TC Custom Javascript plugin is vulnerable to an unauthenticated stored cross site scripting attack. Sites running versions before 1.2.2 should update immediately, attackers can add their own javascript or HTML to the footer of all pages loaded by WordPress with a few basic requests. This vulnerability is likely to be targeted by SEO spam bots. KingComposer https://wpvulndb.com/vulnerabilities/10297 The KingComposer plugin is vulnerable to a reflected cross site scripting vulnerability in versions before 2.9.5 This means the attacker’s malicious HTML/javascript will only be available to the browser making this request. This still poses a high risk if an attacker can trick an already logged in user to click on a malicious link/form to the website, potentially exposing secrets viewable by the user giving them to the attacker. JobSearch https://wpvulndb.com/vulnerabilities/10328 The JobSearch plugin versions before 1.5.6 are vulnerable to a reflected cross site scripting vulnerability. Much like the KingComposer vulnerability above it is a high risk if logged in users to be targeted. The proof of concept for this vulnerability will be released on August 6th, 2020, site owners should patch before this date. See previous months’ WordPress security updates from May and June.
The benefits of this WordPress security guide are two fold: Learn exactly what you need to know about WordPress security in 2020. Understanding WordPress security helps you adopt a security-oriented mindset that will help you prevent and mitigate risks as you make day-to-day decisions. Get actionable, step-by-step instructions for securing your WordPress site. The steps you need to take aren’t particularly time-consuming, don’t require advanced technical knowledge, and the linked guides are vetted for clarity and completeness. Of course, it’s impossible to cover every possible vulnerability and scenario. That’s why we also include the overarching “principles of WordPress security.” If you can follow these broad principles many of the minute details that are difficult to address in this type of post will take care of themselves. Why is WordPress security critical? It’s important you understand how big an issue WordPress security is so you give it the time and attention it deserves. Here are some sobering statistics: Google blacklists 10k sites a day for malware and another 50k for phishing each week. A blacklist from Google kills that source of traffic which can be highly disruptive to a business’s revenue. Fixing and removing a blacklist can be a hassle, particularly if your server was used to send SPAM emails. A blacklist from email service providers harms your deliverability rate which undermines the effectiveness of your email marketing. In 2018, 90% of CMS hacks were WordPress. Granted, WordPress is the world’s most popular CMS with 34% of the web powered by WordPress, but this is still a disproportionate amount of hacks. For a variety of reasons, WordPress sites are targeted and exploited more than any other CMS. 60% of attacks target small businesses. You may think that hackers won’t bother with your site because you’re a small fish but “security through obscurity” does not exist on the web. No one is too small to be a victim of an attack. WordFence reports that there are over 97,978 attacks happening per minute. This is not a small, isolated problem. Large swaths of WordPress sites are being probed for weaknesses at any given time. Will you be ready if your site is targeted? While these stats paint an intimidating picture of what you’re up against, it’s important you confront the realities of managing a WordPress site in 2020. If your business relies on WordPress, security is not something you can afford to ignore. If you haven’t taken steps to secure your site, you’re vulnerable to attack. It could be only a matter of time until your site becomes compromised. This is one area where “an ounce of prevention is worth a pound of cure.” The principles of WordPress security Securing WordPress is more than checking off a list of boxes, it requires you to adopt a security-oriented mindset that guides your decision making. These principles will help you prevent mistakes as you make day-to-day decisions like adding new WordPress users, plugins, and themes: Vulnerabilities are often introduced by WordPress users. Vanilla WordPress that is kept up to date and uses strong passwords is relatively secure. It’s often the decisions made by WordPress users that create weaknesses that hackers exploit. This is why articles like this one are so important. It’s up to you to be educated on, and consistently follow, the WordPress security best practices outlined here. Minimize plugins and themes. New WordPress users are often overjoyed by the extensive ecosystem of plugins and themes available for WordPress. This can lead to indiscriminate installation of plugins. But, each new plugin or theme adds code to your site that, potentially, adds new vulnerabilities. By minimizing the plugins and themes installed, you also minimize the amount of code your site uses, and, by extension, the number of potential security vulnerabilities. In general, if you can solve a problem without installing a plugin, that’s the best option. Install updates as soon as possible. Updates to the WordPress core and updates to plugins and themes often contain critical security updates. They should be installed as quickly as possible. If you have a good back up strategy in place, you can roll back to a previous version in the event the update causes issues. Follow the principle of least privilege. This is a core principle of cybersecurity in general and is not unique to WordPress. This is a fancy way of saying, “don’t give a user more privileges than they need because those extra privileges give hackers more power and access than they’d otherwise have if they compromise that account.” Attacks can still happen. You can try as hard as you can to cover all the bases and still fall victim to an attack. This is why regular, automated backups are critical. Do not ignore this advice. A hacked site can be disruptive but can generally be fixed with minimal cost and disruption, a hacked site without a backup to roll back to can be severely disruptive. You are never finished with security. Having a 100% secure WordPress site is an impossible task. You can’t accomplish complete risk elimination, so aim instead for ongoing risk reduction. This “risk reduction” mindset prompts you to continue taking steps to improve your security as part of an ongoing, never-ending initiative. The most common WordPress attack vectors Understanding the most common methods hackers use to exploit WordPress will help you understand how to address them and why the steps recommended later in this article are necessary: Brute Force Attack A cyber criminal uses trial and error to identify a password or pin. They use combinations of common usernames and passwords until they find the right one. It’s the equivalent of trying every key on a key ring to find the one that works. This is all done using a computer script so they can run thousands of combinations with very little effort. Given enough time, any account is hackable but strong passwords thwart this kind of attack. SQL Injection Malicious SQL code is injected into a database to gain access to database information that was never intended to be displayed. Depending on the hackers goals, this can lead to your database being deleted, customer information being stolen, or sensitive company information being accessed. Malware A virus or spyware is inserted using an expired theme or plugin. The attacker can gain access to your data, insert pages into your site for black hat SEO, and perform a number of other nefarious activities using your site. Cross-site scripting Javascript code is inserted which then collects data commonly used to exploit WordPress plugins. This can be used to redirect your site visitors to malicious content. also known as an “XSS attack.” DDoS Attack A Distributed Denial of Service (DDoS) attack floods a website with traffic which overwhelms server resources causing it to fail. Multiple machines send frequent requests to the server using malware installed on those machines for that purpose. The distributed nature of the attack can make it difficult to identify and block the sources of the traffic. Now that you understand how hackers will attempt to breach your site security, let’s look at how we can block and prevent these attacks… Steps to secure your WordPress site In spite of the many ways your site can be compromised, it is possible to mitigate these risks and prevent many attacks. Here’s a list of recommended steps to protect your WordPress site from security attacks: 1. Force Strong Passwords “81% of attacks are based on insecure or stolen passwords” “It only takes about 10 minutes to crack a lowercase password that is 6 characters long.” These two facts taken together make the case that you must use strong passwords for all WordPress users. Strong passwords are long and use a combination of upper and lower case letters, numbers, and symbols. Longer is better but 20-characters is probably plenty. Strong passwords are difficult to memorize, especially if you’re using unique passwords for each site (you should be!). This means a password manager, such as LastPass or Dashlane, is a critical tool. These apps make creating strong passwords easy, store them in a central location, and make logging into your websites easy by autofilling your passwords. Here’s how to make sure all your WordPress users are using strong passwords. 2. Turn on automatic WordPress Core updates One of the advantages of using a popular CMS like WordPress is that there are many people with a vested interest in keeping it secure. Thousands of people are contributing to WordPress security by reporting vulnerabilities to the WordPress team. This widespread collaboration means most holes are patched relatively quickly. But, if the updates that contain those fixes are not applied, you leave your site vulnerable to attack. The best way to ensure your WordPress core updates happen quickly is to turn on automatic updates. This way your WordPress site will be kept up-to-date without you having to do anything. Here’s how to turn on automatic core updates by modifying your config.php file. 3. Stay on top of plugin and theme updates You absolutely must keep your plugins and themes up-to-date. The importance of this cannot be overstated. You’ll also want to be careful to use plugins and themes that are updated often. If you’re using a plugin or theme that has not received an update in months, it’s a good idea to check in with the developer or find a more frequently updated plugin that accomplishes the same goal. When you search for a plugin in the WordPress plugin database, this information is provided in the sidebar: 4. Use Two-Factor Authentication (2FA) Two-factor authentication adds a layer of protection to your WordPress site by making it nearly impossible for a hacker to log in to your site — even if they know your username and password. You should set up 2FA for all WordPress users. 2FA can be set up quickly with simple, free plugins. Here’s a list of available 2FA plugin solutions for WordPress. 5. Brute Force protection Even with 2FA and strong passwords, it is good to setup brute force protection to help with overall performance on the server by reducing the amount of work PHP has to do. Here’s how to protect your site from brute force attacks. 6. Create automated, scheduled Backups In the event of an issue, there should always be recent database and file backups available. You should also create a backup before making any major changes to your site, such as installing plugin and theme updates. Many of the popular backup solutions take care of this for you. Here’s a list of backup solutions for your WordPress site 7. Change your login pages The default login pages for all WordPress sites are sitename.com/wp-login.php and sitename.com/wp-admin.php. Using these default login page URLs makes it easy for hackers to begin a brute force attack by trying combinations of usernames and passwords. By using a login URL that is difficult to guess, it makes it more difficult for hackers to begin the brute force attack because they don’t know where the login form lives. Here’s how to change your login page URLs. 8. Use SSL Secure Sockets Layer (SSL) encrypts all data sent from your website to the visitors browser obscuring potentially sensitive data. Using SSL has many benefits in addition to security. Google may rank your site higher in the search results and many browsers indicate whether a site is secured by SSL which can reassure them your site is trustworthy. Here’s a tutorial on setting up SSL for your WordPress site 9. Don’t use the default database prefix Using the default “wp_” database prefix makes it easier for a hacker to insert code into your database (SQL injection). Here’s how to change the default database prefix for a new site and an existing site. 10. Check your folder and file permissions File permissions define what actions can be applied to the files on your server. You should never set any WordPress file or directory to 777 permissions. Instead, make sure your permission scheme is as follows: Folders – 755 Files – 644 Here’s a guide to checking and fixing the permissions of your WordPress files and folders. 11. Disable pingbacks WordPress pingbacks are enabled by default. But for most sites, they offer little benefit. But, they can be used to turn your WordPress site into an unwilling participant in a DDoS botnet. To turn off pingbacks, you can go to “Settings –> Discussion” and uncheck the “Attempt to notify any blogs linked to from the article” box. It’s also a good idea to uncheck the “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles” box: 12. Hide your WordPress version number One of the ways attackers gain access to a site is by exploiting known vulnerabilities in outdated versions of WordPress. Hackers can scan your site and easily find out what version of WordPress you’re using. If that version has a known vulnerability then the hacker has a good idea of how to proceed. The best way to prevent this is to keep WordPress up to date. However, you can also prevent a hacker from finding out what version of WordPress you’re running. Here’s how to hide your WordPress version number. 13. Don’t use the admin username Hackers can safely assume that a WordPress site is using the default “admin” username and that username will give them admin privileges so all they need to do is figure out the password. This gives them a direct path to gaining admin access to your site with a good probability of success. Eliminating the admin username makes it significantly more difficult to attack your site this way. If you’re already using the admin username, that’s okay, you can change it now. Here’s how to change the admin username. 14. Use a secure Managed WordPress Host A host that supports all the major CMSs will have difficulty staying on top of WordPress security. By specializing in the WordPress CMS alone, a WordPress hosting provider can devote the resources necessary to prevent many attacks. A reputable Managed WordPress Host will have a security team dedicated to shielding your site from threats. They’ll handle many of the concerns raised above like taking care of WordPress updates, creating backups, and more. Here at Pagely we have a comprehensive suite of security features called PressArmor that handles both WordPress application security and server security. Security questions to ask a potential managed WordPress host: Is your hosting environment chrooted? If your host has multiple domains on the same server, check with them to ensure they use chroot to isolate each WordPress app. If one app is hacked, this would help prevent access to other apps on the server. Is SSL included and easy to set up? A good WordPress hosting provider will provide SSL free of charge using a service such as Let’s Encrypt. Do you actively monitor my site specifically for WordPress vulnerabilities? If you detect a vulnerability on my site, how will you inform me? A good WordPress host will stay on top of the latest threats to WordPress sites and constantly scan your site for those threats. If they find a vulnerability, they will work with you to address it. Are you using a web application firewall (WAF) to protect my site? A WAF block malicious traffic before it reaches your site and can help prevent XSS attacks and SQL injections. Here’s a list of important considerations for choosing a Managed WordPress Host. Conclusion WordPress security cannot be taken lightly and you must take steps to secure your site. Using a Managed WordPress Hosting Provider like Pagely is one of the best ways to improve your security because you will have an experienced team dedicated to protecting you. Whether you choose to handle WordPress security yourself or leverage a host that specializes in WordPress, it’s important to treat WordPress security as an ongoing effort. You are never done with security but if you’ve taken the above steps you’ve protected yourself from many of the most common threats.
Since this is the internet – and the rules of the internet clearly state everyone gets an opinion, I’d like to share one of mine around website hosting billing plans. Quick backstory: 10+ years ago when we launched Pagely we did so with a simple line on our pricing page denoting a rough estimate of the expected capabilities of that plan ie: Plan – 1 was suitable for ~1 million pageviews. Along came the next several providers who did something similar with one important difference. They actually attempted to measure and cap pageviews per hosting plan, bracketing their plans by this new billing metric. In my opinion Pageviews used as a billing item is a predatory and anti-consumer practice and you should be very wary of working with any company that applies this #successtax to your monthly bill. Definition of anti-consumer : not favorable to consumers: improperly favoring the interests of businesses over the interests of consumers Hi, I’m Joshua Strebel, Co-founder and CEO of Pagely – A leading Managed WordPress hosting company – Thank you for attending my TED Talk. What are you buying when you are buying “hosting”? To host a WordPress site you need a few key components. A server (a computer) connected to the internet with software installed to process requests and responses for your application. Storage / Disk space attached to that webserver to save your files to. Data Transfer / Bandwidth. This is the pipe the information flows through. That’s basically it. Hosting providers typically lease/sell you packaged fragments of these resources for a monthly fee. Plan A, Plan B, Plan C. etc. Of course there are other items that may be line-itemed such as included support levels, CDN GB’s per month, managed services, etc. Plan A has X amount of consumables for Z price. It’s all fairly straightforward as most consumers understand what a Gigabyte of Disk space is and can at least grasp that more CPU/RAM offered should equate to more potential performance. “Pageviews” does not fit this model well – as the definition of a pageview is amorphous and subject to exploitation. Oh, and spoiler alert, PHP workers is not a valid billing metric for WordPress hosts either. What does an automobile lease have to do with hosting plans? Pageview limits on hosting plans are akin to annual mileage limits on auto leases. It’s a cap on the use of an asset you already purchased. In an automobile lease context a mileage cap at least has some merit as being a form of controlling the depreciation of the vehicle – you are essentially financing the deprecation of the automobile asset with a lease – and the lease company expects to sell that car (New retail value – Depreciation) when you return it. If the depreciation is too high, they lose money on that transaction as they have to sell it for less than they calculated. Your hosting plan is not a depreciating asset though – the hosting company is going to sell the same resources to the next customer when you are done for the same or likely higher fee. Therefore in my humble opinion: Pageviews are just an arbitrary anti-consumer fee – a penalty tax for using the service you already paid for. A Pageview is (depending on who you ask) a wrapper around these items: A measurable amount of Data Transfer in and out A measurable amount of CPU resources to process the request and render the response A measurable amount of Disk and Database activity Are you not already paying for these items as part of your hosting plan? Hint: Yes you are. But wait, there’s more – and my colleague will dig into these more in a future post. This pageview billing model is so poorly defined by the hosts that use it – it is ripe for abuse. It’s a scheme to generate revenue for the hosting company and unfairly penalizes the consumer. Hint: You already “paid” for the sum of the parts of a “pageview”. No two pages are the same. A cached page even with a few images can be served a million times a month with ease, and yet a badly coded membership-site page may tax the hardware it runs on each time it loads. They have very different cost profiles to the host – yet both are treated equally under this model. If you invested the time to optimize your site, get it caching well and then blow it up with viral traffic.. That is a GOOD day for you and costs your host pennies of the monthly fee you are already paying them – yet when you get the overage bill for exceeding your pageview cap at the end of the month, are you going to enjoy that tax on your success? If you want to keep paying twice for the same resources you are welcome to. I simply do not think that is fair. Our friends down in Austin have made millions on charging their customers overage fees for exceeding their monthly pageview cap – even to the point having to publicly respond to criticism – only to keep the practice in place. Reminds me of airline baggage fees and fuel surcharges. and An “online payment convenience fee” when they only accept payments online. and JetPack being “free”. Happy WordPress’ing – Joshua Strebel
These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core WordPress 5.4.2 Security Release https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/ A WordPress Security release (5.4.2) was made available on June 10th. This release addresses the following 6 vulnerabilities: Authenticated XSS in the block editor Authenticated XSS in media files Authenticated XSS in theme uploads Privilege escalation in set-screen-option() Open redirect in wp_validate_redirect() Information leak allowing comments to be read from password-protected posts and pages. Plugin/Theme Vulnerabilities of Note Removed from Repo WordPress website owners who have the following plugins installed are strongly encouraged to remove them from their websites or find a replacement as soon as possible. These plugins were removed from the WP.org plugin repository due to inaction of the developer to patch one or more security flaws: wp-pro-quiz delete-all-comments-easily High Severity Vulnerabilities ACF to REST API https://wpvulndb.com/vulnerabilities/10284 The acf-to-rest-api plugin versions before 3.3.0 are affected by a vulnerability which would disclose the values of the wp_options table to attackers. This vulnerability has varying severity based on what data is contained in a site’s wp_options table. KingComposer https://wpvulndb.com/vulnerabilities/10270 The kingcomposer plugin versions before 2.9.4 lack proper access controls for ajax endpoints, many of these ajax endpoints also include vulnerabilities which users with a valid accounts could target to change WordPress option values, inject content, store XSS code, delete files on the site or execute arbitrary code. wpDiscuz https://wpvulndb.com/vulnerabilities/10273 The wpdiscuz plugin versions before 5.3.6 are affected by an unauthenticated SQL injection vulnerability. This plugin is currently on release 7.0.3, and the plugin author is making 5.3.6 available as a back port for site owners not ready for version 7. Brizy – Page Builder https://wpvulndb.com/vulnerabilities/10261 Brizy Page Builder before version 1.0.126 is susceptible to an access control vulnerability via AJAX calls which allows a user with minimal privileges the ability to access editor functions. JobSearch https://wpvulndb.com/vulnerabilities/10255 The Jobsearch premium plugin before version 1.5.1 is affected by an unauthenticated reflected cross-site scripting vulnerability. The Proof of Concept is provided within the link below and is easily replicated: https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-03-jobsearch-wp-job-board-wordpress-plugin-v1-5-1.txt See previous months’ WordPress security updates from April and May.
This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that process. WordPress 5.4.2 Security Release June 11th, 2020 WordPress site users We trust them within reason. And patch, to be sure. The WordPress security team has released WordPress 5.4.2. This security release addresses 6 security vulnerabilities. There are numerous cross site scripting vulnerabilities addressed in this release however each required an authenticated user to execute the attack. There also includes one privilege escalation attack. If there were a theme in this release, it serves as a reminder to be sure you trust who you give accounts to on your WordPress site. The Pagely team has already begun rolling out this patch for all customers. If you have a version hold request on file, we will patch your site while keeping it on the same major branch version. WordPress 5.4.1 Security Release April 29th, 2020 You are safe at home, while we are patching your sites. Stay Safe. Stay Secure. The WordPress security team has released WordPress 5.4.1. This security release addresses 7 security vulnerabilities and includes 17 bug fixes. There are numerous cross site scripting vulnerabilities addressed in this release, so it is recommended site owner update right away (if you’re a Pagely customer we are already working on this for you.) The Pagely team will be rolling out this patch for all customers shortly. If you have a version hold request on file, we will patch your site while keeping it on the same major branch version. WordPress 5.3.1 Security Release December 13th, 2019 A vuln is a vuln, until a patch is released. Now it is secure. The WordPress core team has released WordPress 5.3.1, which addresses 3 security vulnerabilities and includes 1 security hardening measure. The higher risk vulnerabilities include XSS (Cross Site Scripting) in some unlikely situations, as well a vulnerability which could allow someone to mark a post “sticky” on the site, without the need for authentication. Pagely has tested this version and has the patch available for all customers running any WordPress version. Due to the weekend being upon us, we will begin upgrading sites on Monday December 16th. Any customers who would like the upgrade to be performed over the weekend can reach out to our support staff and they will be glad to help. PHP-FPM+Nginx Remote Code Execution (CVE-2019-11043) October 29th, 2019 Hasty vuln released. We checked immediately; Our servers are safe. On October 22nd, 2019 a security researcher released their findings related to a remote code execution in PHP-FPM, which was present on hosts with specific nginx configurations using fastcgi_split_path_info. Pagely’s stack does use the fastcgi_split_path_info directive within our nginx configurations, and our staff investigated the vulnerability on the 22nd the day of the relase. We identified we were already properly using the recommended remediation of try_files to ensure the file being requested actually exists on the website. Pagely’s default nginx configuration is not vulnerable. On October 24th the PHP dev team released the official patch version to address this vulnerability. Our staff have already started applying this patch to all customer servers. WordPress 5.2.4 Security Release October 15th, 2019 Secure WordPress Fast Six Vulnerabilities Secured by this Patch. The WordPress.org core team has released WordPress 5.2.4, a security release addressing six vulnerabilities from XSS to viewing unauthorized posts. Pagely staff have already begun applying patches to our customer’s WordPress websites. Customers with version holds will only receive the patch for the branch they are currently running. WordPress 5.1.1 Security Release Addresses XSS March 15th, 2019 Comment filter for Cross Site Scripting prevention; Helps secure WordPress. The WordPress.org core team has released WordPress 5.1.1 which is a security release to address two vulnerabilities related to improper filtering of comments on WordPress sites. Pagely staff have already begun applying the patch for each of our customer’s WordPress version, and will keep customers on their current branch version if they have requested a version hold. WordPress 5.0.1 (and 4.9.9) Security Release December 13th, 2018 WordPress new release Patches seven vulns in all. Handled by our team. The WordPress.org core team has released WordPress 5.0.1 which is a security release to address a number of vulnerabilities found in WordPress versions 5.0, 4.9.8 and older. The core team has also provided security releases for WordPress versions 4.9.x, 4.8.x, etc.. which addresses the same vulnerabilities for that WordPress branch release. Pagely staff will apply the appropriate patch for each of our customer’s WordPress version, and will keep customers on their current branch version. This means, if you’re running 5.0, we will apply the 5.0.1 patch, if you’re running 4.9 then we will apply the 4.9.9 patch, and so on with 4.8 and etc… This patching will be completed by the end of the week. WordPress 4.9.7 Security Release Addresses Arbitrary File Delete (CVE-2018-12895) July 5th, 2018 We patched this last week. This security release is safe to wait for. The WordPress.org core team has released WordPress 4.9.7 which adds some functionality and includes a security patch for the previously reported “Arbitrary File Delete” vulnerability (CVE-2018-12895) which we addressed last week Pagely implemented a patch to address this vulnerability on all customer websites, as there was no WordPress.org patch available when the vulnerability was publicly disclosed. Pagely customers can request to be upgraded to patched versions of WordPress over the weekend, all customer sites will be upgraded by early next week. WordPress Author Arbitrary File Delete (CVE-2018-12895) We trust our authors, to not delete files, but let’s not allow it. RIPSTech researchers Slavco Mihajloski and Karim El Ouerghemmi reported yesterday of a vulnerability in WordPress core which would allow users on a WordPress site with Author level access or higher the ability to delete and/or re-upload any file writable by the PHP process WordPress runs under. The limitation of this vulnerability hinges on the fact a malicious user must also be someone a site owner trusted with having author level access already (or a compromised author user account could be abused) The consequence of this vulnerability would be that an attacker or malicious user could potentially remove files on the server, which may disable protections (such as .htaccess files, or security plugins), or allow them to re-write a site’s wp-config.php (to point your site at the attacker’s database, or install their own credentials/secret keys.) Our infrastructure configuration does not allow PHP processes to be able to modify any WordPress core files, however the risk of modifications to plugins, .htaccess files or other user uploaded files remains. To address this we have implemented a recommended hotfix which sanitizes the file path in the attachment delete/modification function used by WordPress core. The patch implemented has been tested and verified as safe and will be pushed out to our customer servers this week. If for any reason this hotfix causes issues with your site user’s ability to remove or edit media on your blog, please let our support staff know and we can help sort out the problem. PHPMyAdmin File Inclusion and Remote Code Execution (CVE-2018-12613) (PMASA-2018-4) Admin your DB with php, securely. We did the upgrade Pagely customers who have phpMyAdmin configured on their servers can rest assured we have taken steps to upgrade all of our customer’s phpMyAdmin installations to address multiple vulnerabilities recently reported. TLS 1.0 Retirement It’s been a long time coming, so break out the gold watch and cake. TLS 1.0 is finally being retired across the web thanks to the push by PCI-DSS. Pagely is updating our customer websites this week to address this and will be supporting TLS 1.1 or higher by default on our servers this week. By default, customer websites will only communicate over HTTP using the more secure TLS 1.1 and 1.2 protocol versions, and TLS 1.0 will no longer be an option. The reason for the change has been a long time coming. There are multiple browser based vulnerabilities in TLS 1.0, and the protocol version has been depreciated for years. However, the big deadline is that PCI-DSS counsel has set a hard deadline for June 30th, 2018 as the final day that sites will no longer be able to pass PCI scans if they have TLS 1.0 enabled in any manner. The impact of requiring TLS 1.1 or higher, is almost certainly going to be negligible. Every major browser supports TLS 1.1 and 1.2, rough estimates put less than 4% of the global internet traffic as using a browser that only support TLS 1.0, this is mostly composed of old mobile devices. So, sorry everyone on a dated iPad or Android tablet/phone, it’s not safe for you to transmit data over HTTPS and hasn’t been for a long time! Luckily, this number continues to drop every year, as these old devices eventually get replaced or taken out of service. Pagely Login Page Updates Pagely customers will notice something new when accessing their Pagely administration panel https://atomic.pagely.com on May 31st 2018. Our new login portal! Don’t worry, this change is expected as we are rolling out some improvements to our administration panel and preparing for it’s replacement. When you visit https://atomic.pagely.com your browser will automatically be redirected to our new version of Atomic. You may see the words “BETA” here and there, and some customers (those already upgraded to ARES) will have new features available as well. There is nothing you need to do on your end at this time, your login will function as normal and the new atomic panel has all the same basic features as the old one — If you’re feeling a little nostalgic, you can still switch back to the old Atomic panel by hitting the “Atomic (Legacy)” button found in the panel. In the near future we will be offering a new 2FA feature to give our customers a better experience with their 2FA management, but this first login portal change on 2018-05-31 will not affect your existing login credentials. PHP Security Patch (CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549) You need a null byte; Or you get heap overflows! MakerNote take Note. PHP has released a security patch which addresses four security vulnerabilities, the worst of which is a heap overflow from uploaded images which lack null bytes or corrupted EXIF data in MakerNote files. Further details available in the PHP 7.0 Changelog and PHP 5.6 Changelog. Pagely has begun upgrading customer servers and all PHP versions will be on patched in the next few days, if not already. WordPress 4.9.5 Release Secure hardening in the four nine five release; Other bugs fixed too. WordPress version 4.9.5 has been released and is considered a security and maintenance release. The WP core team addressed 3 security related bugs which are not critical security bugs, but improve the code’s overall security. You can read more about the release here. Pagely will begin updating customer sites to 4.9.5 shortly. POP-ping WordPress Object Injection? DNS must be trusted. Or else, oh no! Hacks! Researcher Nick Bloor (@nickstadb) recently released a report on object inject+DNS vulnerabilities in WordPress which could lead to remote code execution/arbitrary file uploads to sites. Nick explains that if attackers control the name servers the website uses to lookup domains, then it’s possible to “spoof” being the WP update server due to WordPress defaulting to HTTP communications when HTTPS fails during updates. This report outline that if attackers were able to take control of a DNS server, they could pivot that access to then also take over WordPress website via the WordPress auto-updater as well as exposes a PHP Object injection as well. Pagely customers are not affected by this vulnerability, as we are a managed host and do not allow modifications to what name servers our customer’s servers utilize. Secondarily, our server permissions would not allow WordPress auto-updater to function on it’s own (we handle upgrades for customers), this is identified in the “caveats” section of the vulnerability disclosure page as a preventative measure. WordPress load-scripts.php DoS (CVE-2018-6389) Feb. 6, 2018 Loading all the scripts, leads to long web responses. Rate limiting, Win. We are aware of the reported Denial of Service (DoS) affecting WordPress’s /wp-admin/load-scripts.php; Assessing the risk we believe our caching system dramatically reduces any DoS threat targeting a single URL with scripts like this. We are implementing a fix which is currently in testing, it will limit the number of requests people can make to this file before being throttled and subsequently blocked. This fix will be available for all customers, including those on the new ARES platform. WordPress Security and Maintenance Release: 4.9.2 Jan. 16, 2018 Other people’s code How did it get on your site? Sad emoji face. WordPress version 4.9.2 has been released and it contains an update to address an insecurity in the Media Elements library, which is included in WordPress core. The patch addresses a cross site scripting (XSS) vulnerability, which could allow remote attackers to inject their own HTML onto your site. Pagely will be patching customer sites immediately, and should be finished shortly. If you would like to read more about this release please see the WordPress blog announcement here. Spectre and Meltdown Jan. 5, 2018 Reading memory, outside of your privilege. Time to patch kernels. [Update: Feb 2, 2018 CST] Our kernel hotpatch provider has released a working patch for Meltdown as well, and it has been applied to all customer servers. [Update: Jan 18, 2018 09:00 CST] Spectre: Patched without the need for a reboot Meltdown: Patch available if you request a reboot, we are still waiting on the no-reboot patch which is close to being tested as safe to apply. If you are concerned about the risks associated with Meltdown, contact support to request a server reboot. Or wait until our no-reboot patch has been tested and is working safely. Risk associated with Meltdown: There are still no PHP based proof of concepts, therefor we consider it a low-likelyhood that anyone (aside from someone with SSH access to your server) would be able to perform this attack on your site/server. If you disagree with this risk assessment, then please contact support and we will schedule a reboot to apply the patch for Meltdown ASAP. [Update: Jan 11, 2018 11:30 CST] Our kernel patch provider has released a working patch for Spectre, but not Meltdown. We will be applying the Spectre patch to all servers before the end of the week, and will be awaiting their patch for Meltdown when it becomes available. If you would like to hasten the patch time, we can apply the kernel patch from Ubuntu (released yesterday) however this will require a schedule reboot for the change to take affect. If you would like to schedule a reboot of your server, please contact our support staff from your account’s primary contact email address (or via our administration panel) These patches are known to cause a negligible performance hit on servers when applied. It’s likely you will not notice this performance hit on your site unless your code does a large amount of system calls and/or you are already close to needing an upgrade. Our engineers are working on a solution to this issue and we may be able to work with customers impacted to entirely remove this performance hit or actually come out ahead. [Update: Jan 9, 2018 09:00 CST] At this time (Tuesday January 9th) we do not yet have a stable patch to apply to customer’s servers. The patch plan for early this week was not met. This was due to the complicated nature of this patch, and ensuring a stable patch is what is pushed out to servers. It’s been identified by multiple sources that this patch is not the simplest, concerns of stability and CPU overhead come up and this has delayed the patch from either Ubuntu (our operating system) or KernelCare (our kernel patch provider). Risk assessment: The existing proof of concepts for these vulnerabilities are not executable against our customer’s sites due to how our PHP is configuration (we restrict/ban any exec/shell calls) which reduces the risk of this vulnerability. Only customers with compromised SSH accounts would be vulnerable (and if there does exist a PHP PoC in the future, only customers with compromised sites would be exposed.) We are delaying the patching process. This decision is made under the consideration that many people are reporting issues with the patches available, and the lower risk this vulnerability has at exploiting WordPress sites on our network. Tentative timeline: We expect patches from one of the upstream providers (Either KernelCare or Ubuntu) tomorrow, Wednesday Jan 10th, however this may be delayed. When a patch is available, if it is Kernel Care, no reboot will be required. If it is Ubuntu, then we will need to reboot your server for the change to take affect. We will begin applying patches for customers this weekend or next week (a few days after the patches are released so we have time to test the patch sets.) We will contact customers via email to schedule a reboot, if it will be required to apply this patch. [Original post] Pagely is aware of the multiple related vulnerabilities in Intel (and other) CPUs known as “meltdown” or “spectre” and has been working on patching affected servers. This vulnerability is a bit different than most, as it requires patching done on the bare-metal server as well as a second round of patching on our virtual instances for Pagely customers. Our data center provider notified us regarding what servers were affected by a security concern and needed reboots to apply a patch. We have already been working with the affected customers on and scheduled reboots to address this security concern. It’s likely that these CPU architecture vulnerabilities were likely the cause for the scheduled reboots in December. At least check, we have address almost all of these (and the last few are scheduled with the respective customers to happen shortly.) All remaining EC2 instances are on bare-metal servers which likely have been patched without the need for a reboot (however this may change). If you did not receive an email related to scheduling reboots on your site/server, then the patch for this vulnerability did not require a reboot to take affect. If this changes, we will be on contact with any customers who need to schedule a reboot. That only leaves the linux kernel on each of our EC2 instances as a remaining concern. Luckily we now utilize a new technology in the linux kernel which allows for live-patching the kernel without the need for a reboot. This patch will be applied to all of our customers as soon as the kernel patch is officially out and properly tested. The tentative timeline for this should be this weekend or early next week (and require no reboot of the server, it should be applied seamlessly.) PHPMyAdmin CSRF Jan. 5, 2018 Click this link my friend Cross-Site Request Forgery! But not with Pagely. Over the holiday break there was a CSRF vulnerability reported with PHPMyAdmin, this class of vulnerability would allow an attacker to send malicious links to users with browser’s already authenticated in PHPMyAdmin to perform actions as the logged in user. A patch was applied in 4.7.7 to address this issue, and all PHPMyAdmin installations Pagley has have been updated. WordPress Security and Maintenance Release: 4.9.1 Nov. 20, 2017 Holidays are for: Family, eating too much, and security. Don’t worry you can stay distraction free when dining with friends and family this holiday season, knowing that we have handled this WordPress security release update for you and your sites. Instead of worrying if your site has been patched, you can be the one to bring it up at social gatherings and watch as your friends or family with WordPress sites become uncomfortable not knowing if their sites are secure or not. Pagely customers will receive the WordPress 4.9.1 security release update this week. This security and maintenance release includes patches for multiple vulnerabilities including a cross-site scripting (XSS) and XML eXternal Entity (XXE) issues. This will also officially bring all customers up to the 4.9 branch from 4.8.3, unless you’ve previously written in requesting an upgrade to 4.9 in the last few weeks. You can read more about this security release and specific details on what it includes here on the WordPress news blog, as well as more details on how we handle major WordPress releases (like 4.9) on our blog here: WordPress 4.9 Release. WordPress 4.8.3 Oct. 31, 2017 WordPress Halloween. We patch the tricks, 4 8 3 You get the treats. Boo! There is nothing spookier than a WordPress security release, the 4.8.3 patch addresses an SQL injection vulnerability in WordPress core which could be exposed by insecure coding practices found in some plugins. This release hardens the WP Core code to protect the sites who may harbor an insecure SQL query that trusts user input, sanitizing the input before it’s passed along to the database server. More information on this release can be found on the WordPress blog, details on the changes and how it modifies the return value of of esc_sql() have been posted by Gary Pendergast on the Make WordPress Core developers blog. Thanks goes out to the reporter of the vulnerability (Anthony Ferrara) for working with the WordPress security team. And a special acknowledgement to our own Arman Zakaryan for the Haiku this time around. OptionsBleed Sept. 21, 2017 Memory Leaking over OPTIONS requests sent. This patch stops the leak. The vuln-du-jour is called OptionsBleed and affects Apache2 web servers. It was caused by a programming oversight in the Apache2 server project which allowed small amounts of memory to be leaked when an OPTIONS request is sent to the web server. This bug only affects sites that are configured with a LIMIT directive which attempts to filter nonexistent HTTP methods, which is extremely rare but does exist in just under 500 of the Alexa top 1 million websites. A more detailed write up about this can be found here. The Apache2 dev team wasted no time in providing a patch. Which we have already begun applying to customer servers. We are rolling this patch out slower than a normal security patch because it’s so rare for this misconfiguration to exist and initial reviews of customer sites shows no Pagely customers have misconfigured LIMIT directives which would put them at risk. That said, the patch will be applied in a safe manner over the next week as to minimize any risk of downtime on customer sites related to the upgrade. WordPress 4.8.2 Sept. 19, 2017 Within this release, Nine security patches. Sites are now secure This week brings a security update to WordPress core. The security patches include multiple serious vulnerabilities and we are applying patches as soon as possible for customers. The WordPress core and security team have also released version to address any of the patched vulnerabilities for the following versions: 4.8.2, 4.7.6, 4.6.7, 4.5.10, 4.4.11, 4.3.12, 4.2.16, 4.1.19, 4.0.19, 3.9.20, 3.8.22, and 3.7.22. Any customer of Pagely running older branches of WordPress will also be brought up to date with these security patches. Malicious Code in Display Widgets Sept. 13, 2017 We coined a new term: “plugin identity theft”. Let it not catch on. A popular plugin in the WordPress.org repository has been “hijacked” (for lack of a better term) by a developer with suspicious intent. The popular plugin “Display Widgets” is described as “Adds checkboxes to each widget to show or hide on site pages“, yet in the last few releases there have been some unexpected new features added: such as adding posts directly to the site and tracking site visitors. Wordfence, a security plugin, wrote a full explanation on how this might have happened, it’s worth a read here. For our customer’s safety, we have banned the plugin from our customer sites. If your site hosted with Pagely was affected we have already reaching out directly to help you with the concern. More information about the issue at hand with this plugin can be found on WPVULNDB and in the plugin’s support forum . Update: The plugin team at WordPress.org have released a patched version of Display Widgets which reverts it back to the last known safe version, but there appears to be no author to continue maintenance on the plugin. The plugin will remained banned on our network until a time that we see someone has taken responsibility for the plugin and the future of patching it’s code. Which plugins and themes aside from display-widgets should you avoid? See our full list here. WordPress 4.7.5 Release May 17, 2017 Patchy patchy patch I love patches for WordPress Here come the patches Pagely customer sites are being updated to address 6 vulnerabilities. The ExploitBox Unauthenticated Password Reset Vulnerability has still not yet been addressed; Pagely customers are still not affected. Further details on this release can be found here: wordpress.org ExploitBox’s CVE-2017-8295 May 5, 2017 Return to sender sending to the wrong domain read from HOST header. There was a recently released authentication bypass vulnerability that affects WordPress before and including 4.7.4, with specific server configurations. The attack requires a request to a WordPress site via it’s IP address, while the attacker sets the HTTP request header to their own HOST value. Pagely does not allow direct access to WordPress sites via IP address and requires the HOST field sent in the headers to be the actual site being requested, thus a request with a HOST value controlled by an attacker will not be directed to a WordPress installation at Pagely. Bonus Haiku: Pagely hosted sites are not affected by this reported exploit. For more details on the vulnerability and how it works, please read: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html WordPress 4.7.3 Security Release Mar. 6, 2017 XSS and more bugs get patched in this release. The update is done Customer sites are being updated to address 6 security related issues. Further details on the release can be found here: wordpress.org CloudBleed, Shattered, CVE-2017-6074 Feb. 28, 2017 SHA One Collision CloudFlare Leaking Memory and Kernel Patching Normally these Haiku’s are short and sweet, but it was a busy week for security in the headlines last week so I took a little more time to compile the following information for you: The CloudFlare Bug (A.k.a. “let’s not call it CloudBleed”) A security researcher working for Google’s Project Zero disclosed information on a bug identified in CloudFlare’s services. The bug was in CloudFlare’s services, and in some cases resulted in a trace amount of the contents of the CloudFlare’s servers memory being leaked. This could have had major repercussions as the contents of these servers may contain sensitive information being sent to or from the web server behind CloudFlare’s services (such as passwords, encryption keys, or other sensitive data.) Many news outlets reported this as a catastrophe, however CloudFlare patched it’s server’s before the announcement and there have been no reports of this being attacked in the wild before the report by the Project Zero researcher. Key points include that the data being leaked was not controllable by the attacker (it was always random, including no ability for an attacker to target a specific site’s data). The data was also limited to small chunks. The leaks however, have likely been happening for a while, no one knows how much data has been leaked to people looking for it or if any widespread attacks could have gleaned any usable data from the memory leaks. Ultimately, while it’s possible every password, SSL cert, and secret keys were pulled from CloudFlare server’s using this attack, it’s not likely to be the case. Most probably: the researchers at Google’s Project Zero were the first to be aware of the problem and reported it responsibly to CloudFlare. However, it is still yet to be seen if anyone reports malicious activity caused by these leaks in the weeks and months to come. How could this affect you? If you utilize CloudFlare on your site (or utilized a service that used CloudFlare) and wish to be absolutely sure your private data (such as a password) is safe then you may want to be pro-active and change that password or other secret data. The SHA-1 Collision: (A.k.a. “Shattered”) A collision in the SHA-1 algorithm was reported by a different team at Google. SHA-1 is a cryptographic hashing algorithm, commonly used to validate the integrity of data being sent. The collision released by the team at Google showed that they were able to send two different messages but they both validated with the same SHA-1 value; ultimately meaning that data signed or verified using a SHA-1 algorithm can no longer be trusted. There is some good news however, this attack is fairly expensive to execute (over $100k) and SHA-1 has been on it’s way out for the better part of a decade. SHA-256 has already been established as the replacement and most people have already migrated to the more secure algorithm. How could this affect you? If your site has SSL/HTTPS, then that certificate might be signed using SHA-1 , but it is probably already signed using SHA-256 (as of 2015) if you would like to double check you can always utilize a utility like ssllabs.com to look up your site’s SSL certificate and see what method is used to fingerprint it. If you find you are using SHA-1 only, then the fix is to get a new certificate (most likely whomever you purchased the certificate from will issue you a new one using SHA-256 without much hassle.) Secondarily, if you developed your site’s code explicitly using the sha1 function, then you may wish to swap that sha1 function with the sha256 function. CVE-2017-6074 While CVE-2017-6074 did not have a cool name or website or lots of media coverage; it was a more serious threat. This flaw could allow anyone with access to a Linux server to escalate their privileges from a normal user to root on the server. Linux servers running up to date kernels (such as ours) were affected and we were very concerned about getting this patched for our customers. Luckily we have been updating our infrastructure and these kernel based vulnerabilities no longer require reboots to apply new patches. We applied a patch to address this vulnerability on the same day it was made available and noted no issue with the new kernel code running. WordPress 4.7.2 Security Release Jan. 26, 2017 Sites updating now we handle the patch. So you focus on your site. Customer sites are being updated to address 3 security related issues. Further details on the release can be found here: wordpress.org CVE-2016-5195 “Dirty COW” Oct. 26, 2016 We have sent many email notifications about the reboot. Kernel patches have been applied on our servers, however a restart is required for it to take affect. Scheduled reboot notification emails have been sent out and reboots will take place the week of October 31st. More information on the vulnerability can be found here: dirtycow.ninja WordPress 4.6.1 Security Release Sept. 12, 2016 The update happened faster than I could write this haiku about it. All sites have been updated to address 2 security related issues. Further details on the release can be found here: wordpress.org httPoxy Jul. 20, 2016 A pox on proxy headers; that are misused by some developers. Updates to our server configs are being pushed out that remove any “Proxy:” values attempted to be set by a request header. More details here: httpoxy.org And see also: Pagely’s Reverse Proxy WordPress Hosting WordPress 4.5.3 Security Release Jun. 21, 2016 WordPress 4.5.3 Several security issues are addressed. We are currently testing and rolling out this security update. Further details on the release can be found here: wordpress.org WordPress 4.5.2 Security Release May 9, 2016 4 point 5 point 2; Patch vulnerabilities in cross site scripting Updates on our platform are finishing up today. Further details on the release can be found here: wordpress.org CVE-2016–3714 “ImageTragick” May 9, 2016 Image conversion tragedy; is currently patched by policy. Further details: ImageTragick.com CVE-2016-2107 CVE-2016-2108 May 3, 2016 High Severity Vuln? We patched openssl, so you don’t have to. Security Haiku: CVE-2015-7547 Feb. 19, 2016 Host lookup dangers? No worry, we already patched glibc Which plugins and themes aside from display-widgets should you avoid? See our full list here.
These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core No notable WordPress core security releases. Plugin/Theme Vulnerabilities of Note bbPress By The bbPress Contributors https://wpvulndb.com/vulnerabilities/10242 https://wpvulndb.com/vulnerabilities/10243 https://wpvulndb.com/vulnerabilities/10244 https://bbpress.org/blog/2020/05/bbpress-2-6-5-is-out/ bbPress version 2.6.5 was released on May 28th. This security release addresses multiple vulnerabilities including one which affects sites with New User Registration enabled, allowing privilege escalation on newly created accounts. WooCommerce By Automattic https://wpvulndb.com/vulnerabilities/10220 There exists a vulnerability within WooCommerce, which would allow users with access to modify and duplicate products to upload arbitrary PHP code to the website, then execute it. This is an authenticated vulnerability (requiring a user account), and high risk as it would allow attackers to execute code on the server itself. Note: This vulnerability is a Remote Code Execution (RCE) based on our review of mslavco’s findings. Page Builder by SiteOrigin https://wpvulndb.com/vulnerabilities/10219 The page-builder plugin before version 2.10.16 has a CSRF (Cross-Site Request Forgery) to Reflected XSS (Cross-Site Scripting) vulnerability. Attackers could utilize this attack to target site administrators to execute code within the administrator’s browser within wp-admin. The attack targets the live editor and action_builder_content functions of the plugins. Elementor Pro https://wpvulndb.com/vulnerabilities/10214 There is a critical vulnerability in Elementor Pro versions before 2.9.4 which allows any logged-in user the ability to upload and execute PHP scripts. This vulnerability is actively being utilized with a registration bypass vulnerability which affects Ultimate Addons for Elementor (described next), allowing for subscriber registration even if registration is disabled. Ultimate Addons for Elementor https://wpvulndb.com/vulnerabilities/10215 The Ultimate-Elementor plugin before versions 1.24.2 allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site. As noted, this vulnerability is being combined with the Elementor Pro vulnerability described above which may lead to remote code execution on sites with registration open and both Elementor plugins installed. Photo Gallery By 10Web https://wpvulndb.com/vulnerabilities/10227 An unauthenticated SQL injection can be executed on this plugin and it looks to target the gallery_type area of the plugin specifically. Site owners have until June 5th to update to version 1.5.55 or higher before the vulnerability details will be made publicly available. Form Maker By 10Web https://wpvulndb.com/vulnerabilities/10237 A vulnerability in this plugin allows an administrator or higher-level user to perform a SQL injection via Form Maker. Site owners should update to version 1.13.35 or higher as soon as possible, as the security researchers have stated some details regarding how to exploit this vulnerability have already been released publically. Official MailerLite Sign Up Forms By MailerGroup (x2) https://wpvulndb.com/vulnerabilities/10235 https://wpvulndb.com/vulnerabilities/10236 The official-mailerlite-sign-up-forms plugin has two vulnerabilities that have recently been reported. The first deals with the MailerLite plugin not sanitizing user input data which leaves a site vulnerable to SQL injection, this vulnerability was fixed in version 1.4.4. The second vulnerability addresses CSRF issues and was patched in version 1.4.5 of this plugin. WP Product Review Lite By ThemeIsle https://wpvulndb.com/vulnerabilities/10226 The wp-product-review plugin before version 3.7.6 is susceptible to an Unauthenticated Stored XSS attack which bypasses built-in protections allowing malicious HTML or Javascript to be stored and injected on all the site’s product pages. See previous months’ WordPress security updates from April and March.
