For a variety of reasons WordPress sites are targeted by hackers. This makes addressing security vulnerabilities a critical aspect of managing a WordPress website. WordPress attacks are not an isolated issue that only affects popular sites — you can’t avoid them simply by being a small, relatively unknown website. If your site runs on WordPress, it is safe to assume it will be targeted at some point. A compromised site could be an inconvenience or it could be business-ending if it leads to a customer data leak. To protect your site from being compromised, you should install (and correctly configure!) WordPress security plugins to cover the vulnerabilities your host doesn’t handle for you. If you’re not using a good Managed WordPress Host (like us), chances are good that your site needs a couple of extra security plugins to add WordPress-specific security defenses. Thankfully, there are a wide variety of excellent WordPress plugins available to help with everything from authentication to zipping and sending automated backups into the cloud. In this post, we help you choose the best WordPress security solutions for your website by listing some of the most popular plugins. We provide a concise summary and categorize them by their primary function. You should combine plugins to create the types of protection you need. To know what protection your site needs, ask your current host whether they provide: General defensive hardening for WordPress sites Daily, automated backups held for at least two weeks Firewall protection Two-factor authentication (2FA) Malware scanning The plugins listed here are divided into categories so you can easily jump to the ones that interest you: All-in-one security plugins Malware scanning plugins Firewall plugins Two-factor authentication plugins Backup plugin solutions Miscellaneous security plugins The plugins aren’t listed in any particular order (they aren’t ranked) but to make this list they had to: Have been updated recently (last couple of months) Have a good user rating (4 stars and up) in the WordPress directory Have a decent number of installations (100+) All in one security plugins All-in-one WordPress security solutions try to protect you from all security threats with general hardening of your site’s defenses by patching common security vulnerabilities, file protection, brute force protection, firewall, etc. If you just want the easiest, fastest solution for protecting your site, an all-in-one solution probably makes the most sense. It is important to know that you’ll have to go through the configuration process for the plugin to be effective. You can’t just activate the plugin. All the plugins listed here have thorough documentation to guide you through the setup process. iThemes Security iThemes protects your site in more than 30 ways. Their free version of the plugin checks many of the important security boxes like hiding your login URLs, file change detection, forced SSL, securing wp-admin, and more. The Pro version starts at $80 and adds Google reCAPTCHA integration, two-factor authentication, core file comparison, and other advanced security features for top-notch site protection. WordPress directory rating: 4.7 out of 5 Free version available: Yes Premium version starts at: $80 Website | WordPress directory | Documentation WordFence WordFence premium offers some interesting features including real-time IP blacklist (as other sites using WordFence are targeted all other sites using WordFence block that IP address), real-time website firewall rule updates, and malware signature updates. In addition, they offer an endpoint firewall that may offer more protection than the cloud firewalls offered by many solutions because the traffic to and from your site remains encrypted throughout the process. WordPress directory rating: 4.8 out of 5 Free version available: Yes Premium version starts at: $99 Website | WordPress directory | Documentation All In One WP Security & Firewall This solution is great for someone with limited technical knowledge because it divides different security features into basic, intermediate, and advanced categories then gives you an overall grade on how well-protected your site is. This plugin is unique because it is a completely free WordPress security plugin — it does not offer a paid version. WebNots has a great configuration and set up tutorial should you choose to go this route. WordPress directory rating: 4.8 out of 5 Free version available: Yes Premium version starts at: n/a WordPress directory | Documentation BulletProof Security BulletProof offers a free version and a Pro version that includes additional security features for a one-time fee and lifetime updates (no recurring monthly or yearly charges). The Pro version offers important features like auto-restore, upload anti-exploit guard, php.ini security protection, and more. WordPress directory rating: 4.8 out of 5 Free version available: Yes Premium version starts at: $69.95 Website | WordPress directory | Documentation Astra Web Security Astra’s core features are a Web Application Firewall (WAF), malware removal, file upload scanning, and the general security hardening features you’d expect an all-in-one solution to have. If you’re an agency, Astra offers tools that make it easy to monitor and manage the security of the sites you’re responsible for. A free version of the plugin is not available to install and try on your site but monthly plans start at $9 a month. WordPress directory rating: n/a Free version available: No Premium version starts at: $9/month Website | Documentation Security Ninja Security Ninja offers a one-click, 50 point scan of your website. You can test the plugin for free but to unlock all its features you’ll need the paid version which starts at $29 for a year of updates and support. The Pro version includes a firewall, malware scanner, auto fixer, core scanner, and other tools you’d expect a comprehensive WordPress security solution to include. WordPress directory rating: 4.3 out of 5 Free version available: Yes Premium version starts at: $29/year Website | WordPress directory | Docs Jetpack Jetpack is the swiss army knife of the WordPress world. One of the tools on that multifunction knife is security. If you’re already a Jetpack user, it makes sense to see if it offers the level of protection you need before adding yet another plugin to your WordPress app. Jetpack, being built and maintained by Automattic lends it authority but, it is less robust than some of the other all-in-ones listed here in terms of the number of security enhancements it provides. Jetpack includes: Downtime Monitoring, Plugin Updates, Secure Sign-On on the free version and Security Scanning, Backups, and Spam Protection on the paid version. The $9 a month paid version includes all security features as well as the many other WordPress enhancements Jetpack offers. WordPress directory rating: 3.9 out of 5 Free version available: Yes Premium version starts at: $9/month Website | WordPress directory | Docs Malware scanner plugins A malware scanner protects your site from malicious code by checking your files for known malware and suspicious code. While many all-in-one plugins include malware scanners, you may want a standalone malware scanner if, for instance, you’ve taken care of general WordPress security and hardening of your defenses. MalCare A malicious code scanner that also helps you clean up any infected files. Malcare states that their scanner will not slow your website down because there is no load placed on server resources. Similar to WordFence, Malcare leverages its network of websites to create a smart firewall that is updated as new threats are identified. Malcare advertises that their scanner will not slow down your site. One year of Malcare protection starts at $99 for one site. WordPress directory rating: 4.5 out of 5 Free version available: Yes Premium version starts at: $99 Website | WordPress directory | Docs Cerber Security, Antispam & Malware Scan Cerber protects your site with a malware scanner, integrity checker, and file monitor to continuously check your site’s files for signs of a malicious code infection. This plugin also includes brute force protection, various anti-spam protections, and logs suspicious activity making it close to an all-in-one security solution. WordPress directory rating: 4.9 out of 5 Free version available: Yes Premium version starts at: $29/quarter Website | WordPress directory | Docs WordPress firewall plugins WordPress firewalls are web application firewalls (WAF) designed specifically for protecting WordPress by monitoring and controlling incoming and outgoing traffic. Basically, it is a barrier that protects your WordPress website from potentially malicious traffic. When your firewall detects malicious traffic, it drops the connection. BBQ: Block Bad Queries BBQ claims to be the fastest WordPress firewall plugin available. It is fully customizable but needs zero configuration to launch. The paid version is powered by the 5G/6G blacklist, offers IP address whitelisting, and advanced configuration and customization options. WordPress directory rating: 5 out of 5 Free version available: Yes Premium version starts at: $20 Website | WordPress directory | Docs Sucuri This cloud-based firewall uses application profiling, signatures and heuristics, and a correlation engine to protect your site from unwanted traffic leading to enhanced security. Sucuri’s paid plans start at $199/year and offer additional protection and services including: malware and hack clean up, blacklist monitoring, virtual patching, and a CDN for faster performance. WordPress directory rating: 4.4 out of 5 Free version available: Yes Premium version starts at: $199 Website | WordPress directory | Docs Two-factor authentication (2FA) plugins 2FA plugins protect WordPress from unauthorized access by adding another layer of security to the login process. Rather than simply entering your username and password, you’re asked to enter a code sent to your email, phone, or an authentication app like Authenticator or Authy. Google Authenticator 2FA plugin The free version of this plugin offers 2FA authentication for a single user. If you need protection for additional users, the cost is $5 for 2 users, $20 for up to 5 users, and $30 for up to 50 users. In spite of the name, this plugin is actually compatible with many 2FA solutions, not just Google Authenticator, including Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, and Security Questions (KBA). WordPress directory rating: 4.5 out of 5 Free version available: Yes Premium version starts at: $5 Website | WordPress directory | Docs UNLOQ UNLOQ specializes in two-factor authentication. They realized that installing, configuring, and managing a 2FA solution can be daunting and overwhelming to many users so they intentionally created a 2FA solution that is easy to set up and manage. Authentication can be sent by push notification, time-based one-time password (provided by the UNLOQ mobile app), and by email. UNLOQ is free for up to 100 users. WordPress directory rating: 4.4 out of 5 Free version available: Yes Premium version starts at: Free up to 100 users then $19/month for 101 – 200 users Website | WordPress directory | Docs Back up solutions Having frequent, scheduled backups is an important part of risk mitigation. In the event of a security issue you’ll need an uncompromised version of your website to restore to. While these plugins make the process of creating and managing backups simple, Pagely customers do not need a backup solution because we handle that for you as part of our managed WordPress hosting solution. UpDraftPlus UpDraftPlus is a popular and highly-regarded WordPress backup solution that can handle full and incremental backups of files and databases, automated backups prior to updates, and migrations. It is highly configurable allowing you to send your backups to a number of remote locations including Google Drive, Dropbox, AWS, and more. The premium version gives you access to a variety of useful add-ons and is $70 for two sites ($45/year after the initial $70 fee). WordPress directory rating: 4.8 out of 5 Free version available: Yes Premium version starts at: $70/first year, $45/year after Website | WordPress directory | Docs Backup Buddy Backup Buddy offers complete site backup, restore, and migration. They include advanced features like database back up and rollback. The easy roll back feature is convenient if you ever make a small mistake and don’t want to go through the hassle of restoring from a complete backup. The premium version of BackUp Buddy is $80 for 1 site. There is no free or trial version available in the WordPress directory but this is a highly regarded solution worth evaluating. WordPress directory rating: n/a Free version available: No Premium version starts at: $80 Website | Docs VaultPress (part of JetPack) JetPack was already mentioned as an all-in-one security solution but it also includes options for backing up your website. Like its security features, these features are straightforward and may be enough for many users but it lacks the advanced options and depth more specialized backup plugins offer. WordPress directory rating: 3.9 out of 5 Free version available: Yes Premium version starts at: $9/month Website | WordPress directory | Docs Miscellaneous security plugins These are highly specialized plugins that offer unique security benefits but don’t fit neatly into other security categories. Simple History Simple history logs events that happen in WordPress including changes to pages and posts, uploads, plugins installed or modified, comments, logins and failed attempts, and data exports and data erasure requests. Having a detailed log of this type of activity can help you untangle what happened in the event there’s unauthorized access to one of your WordPress accounts. Once you have a rough idea of what was modified and when, you can rewind the clock to undo those changes by restoring from a backup. WordPress directory rating: n/a Free version available: No Premium version starts at: n/a (no premium version offered) Website | WordPress directory Fail2Ban Fail2Ban offers protection from a very specific type of attack: brute force. A brute force attack is when combinations of usernames and passwords are tried, one after the other, until the right combination is found. Once authenticated the attacker has whatever privileges and access that account provides. While using a strong password and avoiding the “admin” username will help prevent a successful brute force attack, another defense is to block access to bots and humans who may be trying combinations maliciously. That’s exactly what the Fail2Ban plugin does and it does it very well. With 4.9 stars, it’s one of the highest-rated security plugins covered here. WordPress directory rating: 4.8 out of 5 Free version available: Yes Premium version starts at: $99 WordPress directory | Docs Conclusion WordPress website security is a critical responsibility for anyone managing a WordPress site. It is not something that can be ignored or put off. You have to address it or it’s only a matter of time till your site is hacked or somehow compromised. If managing your own site’s security defenses is daunting or intimidating to you, you may want to seek out a Managed WordPress Hosting provider such as Pagely to handle security for you. We’ve specialized in WordPress hosting for over a decade and have a security team dedicated to proactively protecting your WordPress site from malicious activity.
For quite a few years AWS had little competition in the cloud provider space. Today, that’s no longer true. Oracle, Microsoft, Alibaba, Google, and other heavy-hitters have entered the market and each of their cloud solutions has unique strengths and weaknesses. The competition between cloud providers is great for end users. Ultimately we get better technology at better prices. But, if you’re comparing cloud providers today, you’ll probably find it challenging to make a choice on which solution is best for your needs. As competition increases, each provider strives to match the strengths of competing solutions and overcome their weaknesses. This means there’s an ever-narrowing gap between what makes cloud solution’s unique and this can make it increasingly difficult to identify the cloud that’s the best match for your project. In this post we’ll do an in-depth comparison of two popular public cloud solutions: Amazon Web Services (AWS) and Google Cloud Platform (GCP). I’ve tried to be fair and unbiased on the strengths and weaknesses of each solution but you should know upfront that here at Pagely we are an AWS Advanced tier partner. Both our managed WordPress hosting solution and our serverless solution are built on AWS. It’s the cloud we trust and I hope to clearly explain why in this post while still remaining fair to GCP. Comparing AWS vs Google Cloud in 2019 Just a few years ago, you could say that AWS was bigger and far more feature-rich but Google Cloud Platform was priced lower and the services they did offer were solid enough so, if they met your needs, they were a strong contender. It was simple and straightforward to summarize how things were at that point in time. Today, halfway through 2019, the lines are less clear so it’s no longer easy to boil the differences down to a single sentence. So, for you, the person doing research on public cloud options, this rapidly developing competitive landscape presents another challenge. A comparison article from 3, 2, or even 1 year ago no longer captures the current situation. Things are changing that fast. We’ll try to keep this article up-to-date as both clouds advance. AWS overview Jeff Bezos said it well, “AWS had the unusual advantage of a seven-year head start before facing like-minded competition. As a result, the AWS services are by far the most evolved and most functionality-rich.” With that generous head start AWS has built an incredibly well-rounded solution while establishing a strong reputation for performance, reliability, and security. AWS has been, and continues to be, the bar all other clouds are measured against. The fact that AWS was the first to market, alone, does not necessarily make them a better solution. But, it does mean that they’ve had more time to develop and refine their cloud offerings. With something as rapidly evolving as cloud technology, this is a tremendous advantage. Their platform is more mature. They offer far more services (200 + versus ~ 50 for GCP). Those services have more options and offer more functionality. Everyone else is just trying to catch up at this point. In general, you can’t go wrong with AWS. If you’re a startup pitching potential investors and you tell them your solution is built on AWS, no one blinks an eye. It’s a safe bet and a time-tested, proven solution. But that doesn’t mean it’s always the best option for every situation and in this post I’ll point out specific situations where GCP may be the better option. Google Cloud Platform overview If anyone can compete with an entrenched market leader like AWS, Google is in a good position. They have a strong brand, global infrastructure, and many users of their office suite of tools (Gmail, Drive, Docs, Sheets, etc.). Their emphasis on affordability (they were the first cloud solution to provide to-the-minute billing and they offer increasing discounts as you use more resources), security, and performance have allowed them to continue growing even as AWS’s marketshare has also increased year over year. While some companies may be hesitant to trust their sensitive data to Google given its privacy issues, Google explicitly states your Google Cloud Platform data is not used for advertising purposes and there are no backdoors for government agencies. Current market share SOURCE Market share trends don’t say much about which cloud solution is best but they indicate changes in consumer choices that reflect a shifting competitive landscape caused by stronger product offerings or pricing strategies. It can be useful to see where things are at and try to understand why. In this case, we see AWS is the 800 pound gorilla every new competitor is gunning for. AWS’s marketshare is greater than the next three competitors combined and it’s almost 7x Google’s. In spite of the increasing competition, AWS’s marketshare continues to grow as the top four cloud solutions take marketshare from the multiple smaller providers that make up the “Other” category. In the years ahead as the “Other” category continues to grow smaller, we’ll probably start to see more direct competition between the major players. It will be interesting to see how that plays out as things heat up. Point-by-point comparison The core components of a cloud solution are compute and storage resources so we’ll cover those options from both providers and then compare the important higher-level points of comparison like network coverage, security, and pricing. Compute and storage options Virtual machine instances: EC2 versus Compute Engine What AWS calls “EC2 instances,” Google calls “Compute Engine Virtual Machine instances.” To keep things simple, I’ll refer to both virtual machine offerings simply as “instances.” Google Cloud Compute Engine currently offers 19 instance configurations. AWS offers 60 instance configurations. The wide range of instance configurations made available by AWS means companies will be more likely to find an instance configuration that matches their project’s exact needs. Google’s Cloud Compute does offer a variety of customization options for their instances so boiling the comparison down to the standard configurations is misleading. More than likely, on either platform, you’ll be able to find an instance that matches your project’s needs so, while this is a popular point of comparison, it probably isn’t a notable difference for most situations. Storage/Disk Storage options are similarly priced and offer relatively similar options at this point. It can be helpful to divide these services as hot storage, cool storage, and cold storage. Hot storage — Durable, available, and performance-focused storage for frequently accessed data. Amazon S3 Standard Google Cloud Storage standard Cool storage — Storage for data that is infrequently used but requires fast access when needed Amazon S3 Standard I/A and S3 Standard Z-I/A Google Cloud Storage Nearline Cold storage — Secure, durable, and low-cost storage for long-term archival for infrequently used data Amazon Glacier and Amazon Glacier Deep Archive Google Cloud Storage Coldline While minute differences between these storage options exist, they’re unlikely to be a deciding factor in which cloud solution is best so I won’t waste time picking those minor differences apart. Network Regions Google Cloud Platform’s network: AWS’s network: If those two maps look remarkably similar to you, you’re not alone. AWS does maintain an edge but that edge is becoming smaller as Google aggressively tries to match AWS’s coverage: A region is a specific geographic location where you can host resources. On their websites, AWS has coverage in 21 regions versus Google’s 20. Regions are divided into zones. Most regions have 3 or more zones. AWS has 66 zones and Google has 61 zones with 12 more coming soon. It’s safe to assume that in the not too distant future, we’ll see all major providers with basically the same global coverage and the differences will become negligible to the point of being moot. For now, AWS wins on this point of comparison. No other public cloud provider has the global coverage they do. Latency Google Cloud Platform has been touted as the fastest cloud provider. While initially they did seem to have a notable performance advantage over AWS, that gap is closing quickly as AWS optimizes their network. This is a great example of how increasing competition is forcing AWS to stay on their game and address specific concerns of the market. In recent latency tests on EC2 instances and Cloud Compute instances I conducted from a public internet provider on the southeast coast of the US using Cloud Harmony: Test 1: July 24th 2019: AWS’s lowest latency: 76.5 ms (us-east-2a) GCP lowest latency: 68.5 ms (us-east-4a) AWS’s highest latency: 492 ms (ap-southeast-2) GCP highest latency: 328.5 ms (asia-south1-a) Test 2: July 25th 2019: AWS’s lowest latency: 75.5 ms (us-east-2b) GCP lowest latency: 67.5 ms (us-east-4a) AWS’s highest latency: 505 ms (ap-southeast-2) GCP highest latency: 338.5 ms (asia-south1-a) These tests indicate Google Cloud Platform still has a modest latency performance advantage over AWS. Particularly when it comes to services located in Asia, latency is generally lower when pinging GCP. However, the real world performance difference is negligible. It’s true that every second counts, but when you’re measuring the difference in milliseconds it counts much less. The general rule of thumb is that 100 ms of network latency creates a noticeable effect. The performance difference between most zones is much, much smaller than that. As AWS continues to tweak and refine their network, we’ll continue seeing a smaller and smaller performance gap here. Until then, GCP wins in the latency category. Uptime and downtime Sum of downtime hours from January 2018 to June 2019 as published by AWS and Google: This very recent data indicates that the AWS cloud is more reliable than GCP’s. This is straightforward data so there’s not much commentary needed. But, for most businesses, the importance of having reliable access to their data cannot be overstated. AWS is a clear winner in this category and this is a major reason why they’re trusted by startups, enterprise businesses, and governments alike. Security AWS has more security features, compliance certifications, and accreditations than any other cloud provider, including Google Cloud Platform. In addition, AWS gives fine-grained security control that’s not possible on any other network. An AWS customer could restrict a user to create a database in only a specific region, from 3-5 pm on Monday through Friday, only on a virtual private cloud, and only in an M4 instances with a maximum number of IOPs. GCP simply cannot offer that granular level of security control and permissions. Both cloud solutions are building security capabilities for their most stringent and demanding customers and all customers benefit from those advances. While AWS does have an edge here, it’d be wrong to imply that the Google Cloud is not also highly secure with similar security credentials. Unless your company has extraordinary security needs, either cloud provider should have adequate security offerings and processes. Pricing Many comparison articles attempt to compare pricing on similar services between AWS and GCP. I’m going to decline to offer such a comparison. Cloud pricing has become too complex, depends on too many factors that are unique to each situation, and each solution offers unique discounting schemes. These factors together make a direct, accurate, apples-to-apples comparison extraordinarily challenging, if not impossible. In the end, it’d probably be misleading and useless. GCP has traditionally been considered to be the more affordable option. You’ll see this repeated in many older comparisons so I want to be careful to point out that this isn’t as true in 2019 as it has been in years past. AWS has recently become far more aggressive with their pricing and discounting so this advantage applies much less today than it has in years past. I recommend starting a conversation with both providers to see what they’re willing to offer in terms of discounts. This will give you a better idea of your true costs with each provider. AWS vs GCP: Seeing the big picture While there are areas where GCP is doing better than AWS, you’d be hard-pressed to make the case that GCP is better than AWS overall. Where GCP is outperforming AWS, those areas are usually minor and AWS has either made efforts to close those gaps or plans to close those gaps in the near future. When you zoom out and look at the big picture, AWS is clearly the better cloud solution at this point in time. They offer far more services with far more features and their network covers more of the globe. They’re more reliable, more secure, and more established. They’re winning in almost every way you can measure a cloud provider and that makes sense considering they had a multi-year headstart. With the differences between AWS and GCP becoming smaller with time, it’s important that you know exactly what your company needs out of its cloud provider for its project. While AWS is the best overall solution for most companies most of the time, if Google Cloud has a strength that matters for your particular project it may make sense to go that route.
Not all hosts are created equal. When it comes to Managed WordPress Hosting, that fact is becoming ever more clear to us with near-daily sales calls from people with business-critical WordPress sites at a loss because their current host is failing them. This is a conversation that happens all too often, so we’re addressing it here in hopes that we can reach a few more of you experiencing this, and offer an action plan (or, at least, a glimmer of hope). All is not lost. There are lots of reasons why your current host might stop working for you. For example, the exciting time comes when your site grows and if you’ve been using shared web hosting that no longer works. Or maybe your host lacks the WordPress fine-tuning in their infrastructure or hosting stack, so your site isn’t operating at maximum capacity based on the CMS you’ve chosen. It could also be something like your host lacks the support knowledge to identify an issue and help you optimize; they just try to shamelessly upsell. More basic? Maybe the infrastructure of the hosting company itself is changing, or you just simply don’t share the same morals and ethics. Whatever the reason, they’re all frustrating. The good news? They’re all avoidable. Migrating hosts can seem like a big task to take on, maybe even something you avoid, but the benefits outweigh the extra work. Here’s your survival guide to getting it done with the least amount of friction to your day-to-day. Why your current web host might be failing right now In order to put together an action plan, you first need to understand what about your current situation isn’t working. Here are a few scenarios to get your brain thinking. You should think granularly here, because the more specifics you have, the better you’ll be able to choose another provider for your migration. Your host doesn’t provide true managed WordPress services. Patches and updates are applied without proper testing and QA. Your host doesn’t provide a deep level of DevOps knowledge. They cannot help you troubleshoot the bottleneck in performance. Your host has sold you on a physical server that runs outdated hardware and you can no longer scale or keep up with demand. Your host sold you on shared containerized hosting and the shared VPS cannot keep up with the demand of your site and the other customers on the server. Issues like this can’t be ignored. The security, performance, and scalability of your site are fundamental benefits to using a top-notch managed WordPress host. If the host themselves is becoming a blocker in any of those areas, it’s undoubtedly time to migrate on. What to prepare before moving to a new host This checklist will help you get the basics together before you decide on a new host. Use these findings as conversation points in any meeting you take, the faster you understand a new host’s ability to meet your needs in these areas, the better you’ll be able to understand the best fit for you. Understand how many WordPress apps you have and if they are single WordPress installs or multi-site installs. How much disk space do all of your WordPress websites consume? How much disk space your database consumes? Access to migrate the database via PHPMyAdmin or command line via SSH access. Do you have any custom code outside of the WordPress directory? Have the answers to these questions at the ready, and bring each one up during any sales calls you take. The representative on the other line should have followup questions or solutions at the ready, and be fully familiar with each point you’re presenting. If they stumble at any of these discussion points, that’s a red flag. 3 Things to ask a new web host when you’re in a pinch What if your host fails you at the absolute worst time? Maybe you’re in the middle of a campaign that’s challenging your servers, or your updates are outdated and exposed your visitors to a security breach. This is a stressful situation, and you need to make sure you’re making the right move if you choose to do so at such a delicate time. Our high-level suggestions are simple. First, you want to make sure you’re moving into something more reliable not just affordable. Second, if you don’t have time to put out the fire yourself, find a team to help. There’s no shame (or wasting of resources) in outsourcing when it’s critical to your business. A few questions to ask yourself in the midst of putting out the fire and switching hosts: Does the new web host offer white-glove migration and onboarding services? Do they offer reliable infrastructure and hosting servers? Will there support work with me to identify gaps in performance or security? Keep these questions at the ready, so you can seek answers to them immediately should there be an issue. In all likelihood, if this happens you’ll be distracted, and looking for the shortest distance between where you are now, and fixing the issue. These questions can help you make the actual best decision when your mind is elsewhere. Remember: It’s not your fault your web host is failing If you know your WordPress site inside and out and it’s still crashing, it’s not your fault. Plain and simple. The facts suck, but it’s the sad truth and a common example of what can happen when an industry like Managed WordPress Hosting grows to the point that businesses see an opportunity to exploit users. Most big-box web hosts use flashy features and marketing to get you hooked into a low-price, only to upsell you later. Smooth-talking reps and high design sales collateral doesn’t necessarily translate to excellent hosting (unless, of course, you’re talking to the Pagely reps. We’re all smooth talkers and our hosting, and onboarding, is as excellent as it is flexible and customizable). Most web hosts don’t reveal that you’re not on dedicated hardware and they are sharing resources with other customers, which is absolutely the wrong solution for any user looking to scale and optimize performance. You can’t be bogged down by another customer’s resource usage, it’s a risk you just shouldn’t be willing to take. When it comes down to it, Managed WordPress Hosting means different things to different hosts. Most of them just keep WordPress auto-updated for you, but not your plugins, and they lack the knowledge to truly optimize and secure your site. For small scale blogs and businesses just getting started, that might work. For you? It won’t. If we leave you with one thing and one thing only, don’t be afraid of migrating hosts if your running into issues with your current provider. The success of your business cannot wait. We’re happy to dig into these points more with you. Contact us here, or leave us a question in the comments. Need help evaluating your WordPress Hosting infrastructure? We offer a free WordPress readiness checklist that you can request here.
Microservice Architecture (a.k.a. “Microservices”) is a method of developing software focused on building single-function modules. The term was coined in 2011 and the microservice approach quickly gained steam near the end of 2013: The advancement of microservices was driven, in part, by tech giants like Netflix, Amazon, Twitter, Google, and Uber evangelizing its benefits. What’s all the microservice buzz about? Why is anyone interested in microservices? To answer that question we need to briefly explore the evolution of software architecture. Monoliths Not long ago, most software was “monolithic.” A monolithic design means the user interface and the data access code are combined into a single, self-contained program. Monolithic software design comes with some downsides. Most notably, because of the self-contained, interdependent nature of monoliths, a failure anywhere in a program can cause the whole application to come crashing down. And, there are other issues: Reduced agility. The application’s codebase is released all at once. Developers need to code and deploy the entire stack. Rebuilding the whole application takes time and slows down the pace at which new features can be delivered. Complexity. Large applications become harder to understand and work with. There are side effects of changes that might not be obvious due to easy-to-overlook dependencies leading to “mysteries and magic” that can be difficult to untangle. Less scalability. Scaling becomes a matter of adding new instances to run the entire codebase rather than adding instances to scale individual pieces of the app that might be used more than others. Unequal usage of that application can lead to some resources being wasted and other resources straining the server. Service-Oriented Architecture To overcome these problems, a Service Oriented Architecture (SOA) was introduced and became popular in the early and mid-2000s. The SOA views an application as a collection of services running in parallel and connected by application programming interfaces (APIs). Each service is self-contained and represents a specific business activity with a desired outcome. This approach helps solve many of the downsides inherent to monolithic software designs: Easy maintenance. Distinct services can be updated without affecting other services. Platform independence. You can create an application by combining services that use different solutions. Improved reliability. It is easier to locate the problem and debug a small service than it is with a monolith and a single service going down usually won’t take down the entire application. Scalability. Individual services can scale by adding server resources as demand increases. The Microservice Architecture (MSA) is a variant of SOA. In fact, some people argue that MSA and SOA are not really different things at all, so the term “microservices” is superfluous. Nevertheless, the term seems to be here to stay. What are microservices? According to Jerry Andrews, when people talk about MSA they’re generally referring to software design that includes these characteristics: Services typically rely on other services to accomplish their goals Services are often containerized using a container tool such as Docker but they could also run in a virtual machine (VM) Asynchronous communication is handled via messaging or job queues and synchronous communication is handled via HTTP with JSON messages Instance management automation Auto-scaling components There is some debate on the exact definition and some would argue with aspects of the defining characteristics repeated here. SOA and MSA are also differentiated by how granular services are: Source: Dzone There are also differences in how individual services are conceptualized. SOAs view services through distinct lenses: Business services Enterprise services Application services Infrastructure services In contrast, MSA views services purely as functional (without viewing them through the separate lenses SOA does). Microservices might be created for discrete functional services like: Authentication Email sending Account management Account creation Billing Messaging Microservice architecture versus APIs When learning about microservice architecture there is often some confusion on how it’s different than an API endpoint. The clearest way to express the difference between these two terms is to point out that an API is about communication and a microservice is about how the software is organized. An API allows an app’s data to be accessed or instructs the app to perform a function. This communication can happen either internally (in the case of a private API) or externally (in the case of a public API). These functions could be: Making changes to data Pull data out of one app so it can be brought into another Telling the app to create a new user Triggering the app to send out an email A microservice may leverage APIs to allow different services to interact but the term refers specifically to how an application is divided up. If the difference between an API and MSA is still unclear, here’s a great video from IBM that explores the differences in more depth: Benefits of Microservices The self-contained nature of individual microservices introduces a variety of benefits: Simplicity. Microservice architectures are usually more simple so they can be easier to build and maintain. Autonomous cross-functional teams. Technical decisions can be made faster and by smaller groups. Flexibility in technology. Like the SOA approach, microservices allow a blend of solutions to work together. Flexibility in scalability. Microservices can scale independently so additional resources can be added exactly where they’re necessary. Code can be re-used. For example, here at Pagely we were able to use some Pagely-made microservices to power our new serverless hosting solution, NorthStack. Source: Skelia The downsides of microservices While many companies are refactoring their monoliths in favor of a microservices approach, microservices aren’t always the right answer. It’s not the one true perfect way to design an application that everyone should always use. In many cases, the upsides of MSA outweigh the downsides, but sometimes not because: Microservices can introduce complexity. A monolith’s complexity comes from how challenging it can be to understand how different code interacts, MSA’s complexity comes from having more and more of the code split out into individual services. Five or six services aren’t difficult to manage, but twenty, thirty, or more can be! Microservices require changes to culture and process. Companies that adopt microservices will also need to adopt an agile coding approach and, often, create a DevOps team. Microservices can be costly. Network calls made by APIs aren’t free and add up. In addition, the labor costs of breaking up a monolith can create an otherwise unnecessary expense. Microservices may introduce security issues. Each inter-network communication path creates a new security risk that needs to be addressed and monitored. Source: Tiempo Development Moving from monolith to microservices Many applications begin their lives as monoliths, but as they mature bottlenecks that should be split out into microservices become apparent. This refactoring process is known as “breaking up the monolith.” The two architecture approaches are not an “either-or” thing or a “right or wrong” thing— many popular apps are a monolith-microservices hybrid. Starting from scratch: Monolithic versus Microservice architecture While microservices offer distinct advantages over monoliths, building software from scratch as a monolith and then moving toward a microservice approach may sometimes make more sense: Developing an application as microservices will usually be slower (initially) than taking a monolith approach As the monolithic software matures and the big picture becomes more clear, the functions that should be split out into microservices will be more obvious. A well-designed monolith can easily be broken out into microservices later. If development time is a non-issue, taking a microservices approach from the beginning avoids the effort and expense of later refactoring. You could weigh the pros and cons of absorbing the time costs of starting with microservices versus delaying those costs and beginning with a monolith. The right answer will depend on the priorities of the company and its project.
Traffic surges and overall growth are an indicator of business success. A big splash of attention resulting in lots of people coming to your site means you’ve done something right, but you’ve also got a lot on the line. You want to make sure your site keeps running fast no matter how many hits it gets. As your site traffic grows, it puts more load on your server resources. If you’ve got limited server resources, then you can’t scale. These principles are simple enough to understand, but what about when you’re serving content at scale and dealing with the most demanding applications? The technical fundamentals of a well-performing site must be in place. In reality, this is essential for all sites but, it’s a non-negotiable for business-critical sites that are prone to traffic surges (looking at you, ecomm and elite publishers). PHP workers and CPU core counts often get thrown around with hosting, but there’s a misconception as to what actually matters for scaling a site. So, let’s talk about performance and dig into PHP. Performance Rules There are a few simple rules that your site’s performance is based on, which we’ll go into more detail on later. For now, it boils down to three things: Use the caching layer, whenever possible. Don’t have slow database queries. Do as little as possible in PHP. Scaling vs. Performance Planning for scalability shouldn’t sacrifice the performance of your site. Performance = how long it takes to serve a request = low latency Scaling = ability to handle more requests at once = high throughput To illustrate by example, this is our robust and scalable stack which lets you sustain massive traffic without sacrificing performance. Digging into PHP Things that are single threaded, like the most common installation of PHP, don’t perform better based on more CPU cores. After all, each request can only run on one of them. But, extra cores when cache + PHP + MySQL are all on the same server can help by reducing resource contention. As it relates to hosting, the focus can often be on the wrong metrics here: number of PHP workers. In reality, the number of workers doesn’t actually matter, as it’s only a tuning parameter. The key is in the number of CPU cores you get. There is an exception here though, and that’s if your hosting stack is just Apache + mod_php. In this case, if you run out of PHP workers, you get an error. With PHP-fpm, Nginx-unit, Litespeed lsapi, or stacks with varnish/Nginx in front of Apache then extra requests can be queued between the different layers making the number of workers immaterial to scaling. Our goal with PHP is to have the right number of workers to keep our CPU cores at 100%, all the time. But it’s not only PHP running on servers, often times we’re seeing: A kernel, doing memory management, TCP stack Some logging infrastructure Some monitoring infrastructure In some cases, an Nginx cache (this is the standard Pagely setup) and it might have an additional logging infrastructure In some cases, a Redis object cache (also standard at Pagely) In some cases, a MySQL database (not at Pagely, but this is the case at many VPS providers) Generally, this doesn’t add up to a lot, unless the database is on the same server. At very high traffic sites Nginx, logging, Kernel, and Redis can add up to a lot, so on an 8 or 16 core server doing a lot of traffic you might want to plan for PHP to use 75% of the cores. So if your page just uses PHP, doesn’t use MySQL, doesn’t talk to any APIs (making http requests somewhere), doesn’t use Redis, then things are pretty simple. 1 PHP worker per core would suffice and it would run at maximum efficiency giving you the least amount of overhead. That means the best performance (lowest latency) and the highest throughput (average requests per second). But that’s not the real world. In the real world, we need to talk to data stores, read files from disks, and make requests to APIs. So, we generally want to be in the 2-4 workers per core range for WordPress. A few exceptions to that include: If you do a ton of very fast, very simple requests you might want to be higher, because there’s some overhead to the request read/respond cycle that is doing IO between, say, Nginx and PHP-fpm, and we need extra workers to keep that busy. If you’re building an application hitting a bunch of APIs, or making a bunch of slow database connections, you might want even more. As a baseline at Pagely, we generally don’t run things higher than 4 workers per CPU core. So what is the downside for optimizing PHP for efficiency? If your site suddenly gets much slower, due to a slow external API call, you will no longer be maxing out your CPU since you’ll be spending so much time waiting. The upside here is that more workers don’t help you much anyway, and having a bunch can expose you to lots of interesting server death conditions due to running out of RAM. Stay tuned for a future post on these server death conditions… we’ll get to it someday soon. TL;DR When it comes down to it, you want to optimize PHP so that it uses your target number of CPU cores without wasting resources. This ensures: Best performance (lowest latency) Good reliability (low chance of running out of memory) Best efficiency (highest throughput when maxed out) Optimizing Your PHP Code for Higher Performance In general, optimizing your PHP code for higher performance fits into two categories: Running less code Making fewer calls to external resources. 1. Running Less Code Running less code is done in both the obvious way; turning off plugins where the feature adds little value and, the less obvious way; transient caching and code optimization. Transient caching is pretty straight forward: Find a section of code that takes a lot of time to produce some HTML. Figure out if it’s personalized, or can be cached globally or as some group of variants. Use the WordPress Transients API to cache that HTML. A tool like New Relic can help you identify slow chunks of code, so you can make those fixes efficiently. Transient caching can also be used for datasets instead of just HTML but, in general, the closer to final output that you can do caching, the more impact you will have. Code optimization is harder, which is where you likely need a developer to dig into things. It might be as simple as switching to a more efficient algorithm, but often it will take a larger rethink and rework of how things are being done. 2. Making Fewer External Calls When you make a MySQL query or an http request to an API like Twitter, PHP sits and waits for the response. You want to do less of this. The Transients API can be the answer here, caching the data from API calls where it doesn’t need to be fresh. On the database side, you might be able to fetch less data from smart page design. Does a page really need to show content from 100 posts at once? Probably not. I spoke on how to determine these problems and presented strategies for solving them at WordCamp Phoenix. You can watch the whole talk below: <span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span> TL;DR Huge wins are possible, but look for easy wins from transient caching and design first. When it comes to your site’s performance, and how PHP effects that, it’s all about being smart. Understand what’s needed in terms of PHP worker counts vs CPU cores, and how to use your resources efficiently without extra code hanging around to slow things down. If it’s over your head, talk to a managed WordPress host that can help alleviate the pressure and get things running smoothly. https://pagely.com/wp-content/uploads/2019/06/Performance-PHP.mp4
“The cloud” changed the game so much, and so quickly, it’s difficult to remember what things were like before it arrived. But, not that long ago, getting server resources meant buying or leasing an actual box off the rack of a server farm. It wasn’t instant. It wasn’t cheap. And it usually required a great deal of technical knowledge. “The cloud” freed us from the constraints of working with individual boxes. Instead, it offered an immense pool of resources that could be borrowed from as needed. Renting “shares” of the cloud eliminated the need to invest in hardware upfront and provided near instant scaling. Its value was a one-two combination of economies of scale and elastic autoscaling driving down the cost and “infrastructure as a service” lowering the knowledge barrier. We haven’t looked back since. One of the most important cloud services is Amazon Elastic Cloud Compute (EC2) which was introduced in 2006. EC2 quickly became one of the most popular AWS services and remains so today. What is EC2? You can think of EC2 as the cloud equivalent of a server. A server, broken down to its essential elements, is a combination of storage and compute resources that can be remotely accessed. What you’re actually getting with EC2 is a virtual machine which AWS calls an “instance.” It includes all the resources of a physical server but it’s not a distinct box — it’s a slice of a much larger pie. Functionally, it’s the exact same thing but behind the scenes it’s more like tapping into an ocean of resources. There aren’t really any downsides to using a virtual machine versus a physical machine. In fact, there are only advantages. You can get as much, or as little, compute capacity as needed for your project and scale up and down as your needs change over time. And, it’s really easy to do so. EC2 is a web service so you can log in and create a new EC2 instance quickly and without the technical knowledge that would normally be required to provision a server. Why use EC2? In less than 10 minutes you can rent a slice of Amazon’s vast cloud network and put those computing resources to work on anything from data science to bitcoin mining. EC2 offers a number of benefits and advantages over alternatives. Most notably: Affordability EC2 allows you to take advantage of Amazon’s enormous scale. You can pay a very low rate for the resources you use. The smallest EC2 instance can be rented for as little as $.0058 per hour which works out to about $4.18 per month. Of course, instances with more resources are more expensive but this gives you a sense of how affordable EC2 instances are. With EC2 instances, you’re only paying for what you use in terms of compute hours and bandwidth so there’s little wasted expense. Ease of use Amazon’s goal with EC2 was to make accessing compute resources low friction and, by and large, they’ve succeeded. Launching an instance is simply a matter of logging into the AWS Console, selecting your operating system, instance type, and storage options. At most, it’s a 10 minute process and there aren’t any major technical barriers preventing anyone from spinning up an instance, though it may take some technical knowledge to leverage those resources after launch. Scalability You can easily add EC2 instances as needed, creating your own private cloud of computer resources that perfectly matches your needs. Here at Pagely a common configuration is an EC2 instance to run a WordPress app, an instance to run RDS (a database service), and an EBS so that data can easily be moved and shared between instances as they’re added. AWS offers built-in, rules-based autoscaling so that you can automatically turn instances on or off based on demand. This helps you ensure that you’re never wasting resources but you also have enough resources available to do the job. Integration Perhaps the biggest advantage of EC2, and something no competing solution can claim, is its native integration with the vast ecosystem of AWS services. Currently there are over 170 services. No other cloud network can claim the breadth, depth, and flexibility AWS can. What can you do with EC2 instances? Anything you can do with a computer, you can do with EC2. Data scientists use EC2 instances to crunch large data sets. Animators use EC2 instances to render 3D worlds. At Pagely we use EC2 instances to serve websites for our Managed WordPress Hosting customers. Instances come in a variety of different hardware configurations (memory and CPU) called “types” and are grouped into six families. Each family has a variety of instance types that have resources optimized for specific use cases. To understand all the different ways EC2 instances can be leveraged, it can be helpful to explore the available instance families so you understand what’s available and how it can be put to use. The first letter of the instance type indicates which family it is in. For instance, a c5.2xlarge is in the compute-optimized family (as indicated by the “C”) and a p3dn.24xlarge is in the accelerated computer family (as indicated by the “P”). General purpose instances A, T, and M General purpose instances are simple instances with modest options best suited for testing environments. Generally, you would not want to use them as a production server. M instances offer more balanced resources and are suitable for more general use (they’re powerful enough to be used for production on a budget). Compute-optimized instances C Compute-optimized instances offer a low price per compute ratio making them a cost-effective solution for compute-heavy applications like web servers, machine/deep learning inference, ad serving, highly scalable multiplayer gaming, and video encoding. Accelerated computing P, G, F These are GPU optimized instances for graphics-intensive applications or GPU compute applications. These instances are well-suite for speech analysis, machine learning, 3D rendering, and genomics research. Memory optimized instances X1e, X1, R Memory-optimized instances are for applications that don’t require a lot of compute resources and instead require a lot of RAM. Often these instances are useful for data science applications — such as data mining and data analysis — where the data set can be stored in RAM. Storage optimized instances H, I, D Storage optimized instances deliver high disk throughput, low latency SSD, or HDD storage for a variety of storage heavy applications like distributed file systems, big data workload clusters, data processing applications like Apache Kafka, elastic search, and NoSQL databases. The range of hardware options on these instance types can be overwhelming. You can use a resource like https://www.ec2instances.info/ to make comparisons and find the hardware that’s best for your application. Persistent storage with EBS An instance can be launched with its native storage (boot disk) or, optionally, Elastic Block Store (EBS) can be added as a service. EBS’s main advantage is that it can be easily attached to any instance. Using the storage provided by an instance makes it more difficult to share data with an instance and once that instance is turned off that data is no longer available (this is called ephemeral storage). Pricing Amazon provides a generous free tier for exploring many of its products including 750 free hours over 12 months for EC2 instances. When you’re ready to purchase an instance they offer three options: On-Demand Instances Pay only for what you use. No long-term commitments or upfront payments. Reserved Instances One-time, upfront payment for a period of 1-3 years. Machine is always on. Save a significant amount of money by pre-paying. Spot Instances Purchase unused EC2 instances at a discount for significant cost savings. Machine could be taken down by Amazon so not a good option if continuous uptime is important. So to simplify things, a reserved instance is great if you have a long-term need for an instance that is always on. If you want to save money, you can go with an On-Demand or Spot instance but if it’s important that machine be available when you need it, On-Demand is your best option. This flowchart from Cloud Academy summarizes this nicely: Source Why we use EC2 at Pagely Here at Pagely we use C5 instances and VBurst instances. We analyzed many instance types and found these best suited for the unique resource demands of WordPress. Along with AWS RDS as our database solution, they allow us to serve web pages quickly and reliably. The reason we chose EC2 over competing solutions can be boiled down to one important advantage: EC2 is part of the AWS cloud ecosystem. No other cloud solution comes close in terms of number of services (over 170+ and counting). The breadth and depth of services offered by AWS is currently unmatched. There are less expensive cloud providers on the market but we chose the AWS ecosystem because it offers our customers unparalleled flexibility. All those services and instance types allow us to meet the demands of any customer — whether they’re a blogger, an ecommerce store, or an international enterprise with unique and demanding requirements. AWS can do it all — reliably and securely.
Site reliability is generally talked about less often than other performance indicators, like page speed. With many web hosts offering multiple 9’s of guaranteed uptime, it’s become less of a ‘hot’ topic and more of the norm that your site will be up 99.99x percent of the time. But what many people don’t realize is that there’s more to reliability than uptime. One of the most important pieces of the reliability puzzle is Data Reliability, which generally refers to the protection of both your database and your site files. Posts and pages are often the most important part of WordPress, so it makes sense that protecting both should be a priority. There are situations, both catastrophic (think natural disaster in the region where a data center is located) and more common, day to day occurrences, that can endanger your data. Your host’s configuration plays a massive role in how you are protected from both. A few minutes invested into ensuring your host has adequate data reliability protections in place can prevent a disaster. Let’s explore how server configurations can help or hinder Data Reliability, any trade-offs those optimizations can produce, and how to find the right balance between data reliability and other performance factors based on your organization’s needs. The Container Model The Container Model is fairly straightforward: all site files and the database live on the same machine, allowing for simpler management and slightly lower latency between assets, like the site files and the database. But when something goes wrong on that single machine, you can imagine how a small issue can escalate into a larger one. We’ve seen cases where sites hosted on containerized platforms (that are hosted on other platforms) experience a spike in traffic, PHP uses all the system memory, and then the machine locks up, corrupting the database tables. On a larger site, that could mean an hour or two of recovery time before they’re back up. They may have lost data, not to mention lost business, in that case. If Google, or another search engine, attempts to index your site during this downtime, it could impact your site’s ranking because they do not want to serve unreliable sites to their users. Downtime + lost data = risky business This risk becomes even more significant when other sites are sharing those same resources, and backups are stored on the same machine. The Dedicated Resources Model The alternative to the grouped, container model is what we call the Dedicated Resources model. By keeping the database, code, and backups on separate, dedicated server instances, we’re ensuring that any failure or issue with one asset has minimal impact on the remaining assets. This approach creates a superior configuration compared to sharing the same server, in terms of both data reliability and performing at scale. How Pagely isolates & connects server assets. Explore the interactive version here. If the Dedicated Resources approach makes sense to you, these are the questions to ask of your current and potential hosting solutions: Are there separate resources dedicated to your code and your database? What deliberate hardware decisions have they made to protect your data? How do they manage backups and recovery? Are backups stored separately? If they aren’t actively addressing these issues, you could be looking at not only potential downtime and data loss, but scalability challenges as you grow. The Trade-off We’ve established that having the database and app on separate server instances (separate virtual machines) is ideal for overall reliability, but this server utopia comes at a cost: latency. Because the resources are separated, this configuration does result in slightly higher latency between the two resources, and this impacts page speed. But the real-world performance difference caused by this latency is negligible (typically in the 1-2 millisecond range,) as long as there are no major issues with the site code or plugins. This is where the power of a reliable managed hosting partner comes into play – to find and help you fix problematic code issues. It’s something that Pagely does for every customer, and this is a level of service most other companies do not offer. How Important is Data Reliability to You? Depending on the complexity of your WordPress website and the requirements of your business, the answer here is usually ‘very important.’ With that answer in mind, it’s a good idea to ask your team the following questions to help you determine where your priorities lie: Do we have noticeable performance issues – and if more hardware isn’t the answer, are we willing to address the root cause of those issues? Can we quantify the value of our data reliability and uptime? Are things like page speed empirically more or less valuable to us than data reliability, scalability, and flexibility? Can we achieve both (better performance and data reliability) at above-acceptable levels with our current provider? That last question is at the heart of what we’ve dedicated the last decade towards solving at Pagely. Yes, we’ve made hard-but-smart decisions around the trade-offs that increase reliability within WordPress. And in doing so, we’ve balanced all key performance and stability metrics into one elevated metric that larger organizations strive to achieve: scalability. By working with your team to improve your code and customize your server configuration to match your specific needs, we’ve created real-world solutions that can scale as you grow.
A fast loading website has many benefits for both you as a website owner and your visitors. Slow site speeds have been shown to not only hamper the user experience, resulting in reduced conversion rates and higher bounce rates, but it can also negatively affect the position of your website in the search engines results pages. While upgrading to a high-performance web host is a quick and effective way to improve website loading times, there’s also a free plugin you can install on your WordPress website which can help your pages load faster. That plugin is Smush, and in this post, we’ll be discussing how it can help you effortlessly optimize your images to avoid frustrating your visitors with slow loading content. Why Use Smush to Automatically Optimize Your Images As mentioned, Smush is a free image compression and optimization plugin for WordPress. This plugin is maintained by the good folks over at WPMU DEV and is loaded with nifty features, including lossless compression, bulk smush (not to be confused with ‘Hulk smash’), incorrect size image detection, and automated optimization, to name a few. All of these features combine to help web pages that load faster, without any reduction in image quality – the only thing you have to do is install the free plugin. Now each time you add a new image to the WordPress media library, it will automatically run through the Smush service, reducing the file size – without any visible loss in image quality. One of the other great things about this plugin is that it can optimize all of the existing images on your site without you having to re-upload them (limit of 50 without a WPMU DEV subscription.) How to Use Smush on Your Website As the Smush plugin is free to use, it can be installed on your site directly from the WordPress plugin directory To do so, log into your site’s admin area and then navigate to Plugins > Add New using the sidebar menu. From the Add Plugins screen, enter ‘smush’ in the search field and then install the first item listed in the results. Once the plugin has been installed and activated it will run in the background and whenever a new image file is added to your website, it will be optimized to load as fast as possible, without any loss in quality. The settings for the plugin can be found in the Smush link in the main menu of the WordPress admin dashboard. From there, you have the following options: Bulk Smush: Optimization of existing images in your media library (limit 50 on the free version) Directory Smush: Optimizing images outside of your uploads directory Integrations: Integrates with Gutenberg, Amazon S3 and photo galleries CDN: A premium feature that utilizes WPMU DEV’s CDN for multi-pass lossy compression and auto resize features Lazyload: This feature defers the loading of below the fold imagery until the page has loaded, adjustable by page/image type. Settings: General plugin settings Conclusion By using this free plugin and image optimization service, you can ensure that all existing and future images that you use on your website will load as fast as possible. This will not only help your website load faster, but can also help reduce the amount of bandwidth your site uses and how much data your visitors need to transfer in order to view your content. Note that there are more advanced features that require a WPMU DEV subscription, like bulk updating more than 50 images, updating the original image on the server, and more. Loving Smush? Have an alternative to suggest? Comment below.
There’s a lot of hype around page speed, and the hype is usually centered around 2 main points: SEO: The Google algorithm measures page load time as one of its many search ranking factors UX – User Experience: It’s well documented that slow loading websites create a poor user experience, increase bounce rates, and lower conversion rates For those reasons, optimizing your WordPress site for speed is generally worth the time and effort, and here are a few simple steps that you can take to get started with speed optimization. Measuring Page Speed Speed is important, but testing your speed can be tricky. There are a variety of tools and methods to test page speed, but most test your site in ideal circumstances, and no two tests are the same. One solution: find a benchmarking tool from a reputable source, and then test multiple WordPress sites (including your own) to get a sense of what is good, bad, and ugly. By comparing the benchmarks of your site against other reputable WordPress projects, you’re now able to set a reasonable goal for your efforts. Improving Page Speed Caching is generally the defacto first solution for improving page load times, as serving traffic from the cache can be up to 1,000 times more efficient than serving it from PHP. Say you serve your site without any caching: it might take 1500 milliseconds to generate that page, where serving that same page from the cache might take 5 milliseconds. Using Pagely’s VPS1 solution as an example, you might be able to do 8 PHP requests a second without caching, while you can do 8,000 requests a second with caching. Pagely High Availability VPS Hosting Tech It’s important to note that larger, more complex sites often have specific caching requirements, where it makes sense to cache some things while leaving others alone. This customization is typically more resource-intensive. But, if your managed hosting team and platform can help you move 20% of your traffic to the cache via a custom-built cache key and additional capabilities, then that can make up for the fact that your dedicated hardware is more expensive. Check Your Code Your code and plugins play a substantial role here as well. If your project is laden with inefficient code, throwing more hardware at the problem isn’t a financially prudent, nor scalable, solution. You need to fix those inefficiencies, and a good hosting provider can help with hands-on guidance. Optimize Your Images This might be common sense, but it’s worth noting: large image files are page speed killers. Quick tips for images: Upload images at the smallest dimensions required by your design Compress images locally before uploading, or run a server-side compression plugin Use the SVG format for graphics when possible Upgrade Your Hosting Where you host WordPress plays a substantial role in how fast your site will load. Many inexpensive hosts use outdated hardware and jam as many accounts onto a single server as possible, leaving fewer resources available to you. These same hosts are often vague about how those resources are allocated and what their infrastructure looks like, making it hard to know where you stand. If you don’t know how your host prioritizes the resources running your project, how can you compare them to others or effectively improve your page speed? What to Look For in a Fast WordPress Host When reviewing a current or potential hosting partner, transparency is key. Building on that, your host is only as fast as the infrastructure their tech is built upon, so look for a host with reputable technology partners. Arguably one of the most well-known names in hosting is, of course, Amazon. Amazon powers major brands like GE, Expedia, Pinterest, LinkedIn, Dow Jones, Adobe, Pfizer, and even NASA by supporting the best hosting companies with 64-bit machines in their data centers. So, what tools should your hosting provider have in place to keep your site running quickly? A CDN A content delivery network is a geographically distributed network of proxy servers and their data centers. By serving a user content from a location physically closest to where they are, your site performs faster and loads better for each visitor. For example, at Pagely, our CDN, PressCDN, is built specifically for WordPress and services clients across five continents, serving photos, images, and static assets from a global network of servers. This means faster download speeds for your site visitors. PressCDN Sample Dashboard with Statistics A Web Server Full Page Cache With a proper caching mechanism in place, content is cached at one or several points of presence (POP). When a request is made for a site, the POP closest to the user delivers the cached page. This means faster speeds to every visitor. To use Pagely as an example again, we built PressCACHE as a global WordPress acceleration system which works much like a CDN but is specifically designed to cache and serve WordPress page output. This makes your site available instantly, from anywhere. For more on caching, check out Maura Teal’s talk on The Balancing Act of Caching in WordPress. <span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span> A PHP Stack Optimized for WordPress There are several small PHP concepts that add up to improved performance and speed. First, tuning PHP for WordPress typically involves the right number of php-fpm works for the hardware to give maximum throughput while limiting overhead and minimizing memory use. Second, running up to date versions of PHP so you get the newest performance enhancements. And last, configuring the support infrastructure for maximum benefit, OPcache, and object cache. Bonus: the better hosts will make individualized tuning changes for your site. A Hardware Stack Optimized for WordPress The hardware a host uses varies widely by host, and not all are transparent about how they configure resources, who their backbone provider is, etc. Generally, you want to separate resources, like site code, database, and backups. And there are benefits with database options, like data reliability and scaling. The bottom line: there’s no reason why your host shouldn’t have protocols and tools in place to earn your trust as a fast provider. The examples listed here should help you get a sense of how your host stacks up. If they have a logical answer to each area, you can rest a little easier. Bonus: Look for a host that utilizes Nginx for caching NGINX is a fast, high-performance web server that accelerates content & application delivery, improves security, and facilitates availability and scalability for half of the world’s busiest sites. It can also be utilized to cache pages and assets. By placing Nginx in front of the traditional LAMP stack WordPress is installed upon, it’s utilized to cache pages and static assets for faster load times. Combine that with Redis for object caching, and PressCDN for content caching around the globe, and you have a recipe for some of the fastest WordPress hosting available. Here’s an image showing how we default to Nginx cache node with Apache behind it serving PHP at Pagely, though you can also opt for Nginx only. One Last Thing to Consider While page speed is important, your goal should be to improve larger issues that substantially affect page speed, rather than trying to achieve the perfect benchmark score or shave 1 millisecond off of your load times. In fact, you might even consider that 1 millisecond a vanity metric. Is that 1 millisecond really going to be noticeable to your users, or is it a metric you can throw into a report to make your team look good? It’s clearly much more important to focus on systemic improvements that lead to measurable outcomes. The quality of your code and the capabilities of your hosting provider, and the tools they utilize is a great place to start for this. Solve real problems and don’t chase perfection, in other words. And don’t sacrifice performance or data reliability for the sake of speed.
As innovators in the hosting space, we’re constantly testing hardware and software solutions here at Pagely to find the optimum balance between price and performance for the unique demands of WordPress. Through all of that testing, Amazon RDS emerged as the clear winner for our database solution. We’ve built our hosting solution on it so it’s fair to say we’re fans. In this post we’ll give an overview of RDS, how it works, and its features and benefits. For us, as it does for many other businesses, it comes down to a mixture of reliability, flexibility, and, most importantly of all, it integrates seamlessly with the powerful AWS cloud ecosystem. What is RDS? <span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span><span data-mce-type="bookmark" style="display: inline-block; width: 0px; overflow: hidden; line-height: 0;" class="mce_SELRES_start"></span> When Amazon Relational Database Service (RDS) burst onto the scene in 2009, it was immediately hailed as a game-changer. It was a revolutionary “database as a service” solution that made it simple and easy to set up, manage, and scale a database that included built-in scalability, redundancy, and failover protection. One of its biggest innovations was separating the database from the server. “When you buy a server, you get CPU, memory, storage, and IOPS, all bundled together. With Amazon RDS, these are split apart so that you can scale them independently. If you need more CPU, less IOPS, or more storage, you can easily allocate them.” Source RDS is a managed solution so you won’t have shell access and there’s restricted access on advanced privileges but the majority of what you would need to do is handled for you so this is a non-issue in most cases. RDS versus other cloud database solutions When it comes to cloud database solutions, AWS is the industry leader by a landslide: Amazon RDS market share Source While alternatives from Google, Microsoft, Oracle, and IBM exist, they have not become as popular in spite of aggressive pricing aimed at stealing market share from AWS. RDS’s preeminent advantage over other cloud database solutions is that it integrates seamlessly with AWS’s robust ecosystem of cloud-based tools, services, and solutions. AWS is far and away the leading cloud provider with the most powerful, reliable, and flexible suite of cloud services that integrate flawlessly with one another. Today, Amazon offers an incomparable array of over 170 cloud services and continuously introduces more to complement existing services and add new functionality: EC2 Instances Amazon Simple Storage Solution (S3) Amazon Aurora AWS Lambda Amazon LightSail Amazon CloudFront Amazon Elastic Block Store (Amazon EBS) Amazon Route 53 See the full list of services here Cloud services like these have become the building blocks of the internet as we know it today. These services can be combined to create powerful new solutions that are greater than the sum of their parts, like our Managed WordPress Hosting. How does RDS work? RDS operates within an instance (an isolated, cloud-based database environment). When you create a new database, you choose the database engine it runs. RDS is compatible with the most popular engines: MySQL MariaDB PostgreSQL Oracle Microsoft SQL Server Aurora The computation and memory resources allocated to the database are determined by what AWS calls its “instance class.” As a database grows, its instance class can easily be upgraded with very little downtime to provide more resources making it a highly scalable and flexible solution. There are currently 27 instance classes to choose from with a range of resource options. Instances can have as little as 1 GB of memory up to 256 GB and provide a single processing core up to 64 cores. There’s an instance class to fit pretty much every use case and all of these instance sizes are available to Pagely customers so RDS is part of what makes Pagely such a flexible, customizable hosting solution for companies with unique technical demands. High availability For enterprises that rely on their databases, one of the most important features offered by RDS is its Multi-AZ (Multiple Availability Zone) option. Two distinct copies of the database are created — a primary that handles read and write requests and a secondary that is only written to. If there is an availability issue, the secondary database is promoted into the primary role and the traffic is re-routed using DNS. It’s important to note that the Multi-AZ feature is not a scaling solution because the secondary database cannot serve read traffic. For scaling, Amazon has Read Replicas. Read Replicas Using Read Replicas “you can elastically scale out beyond the capacity constraints of a single DB instance for read-heavy database workloads.” Source To get started with Read Replicas you first pick a database that will operate as the source. A snapshot is created to duplicate the database and that duplicate version is updated whenever there is a change to the source database. Note that Read Replicas are only compatible with MariaDB, MySQL, Oracle, and PostgreSQL engines. Benefits of RDS RDS’s feature set makes it an attractive database solution: A managed solution AWS takes care of backups, software patching, automatic failure detection, and recovery so your administrative burden is close to nil. They have a nearly impeccable track record in this department so you can rest easy knowing your database is being managed by experts. High performance RDS uses Solid State Drives (SSDs) to achieve high input/output (IO) throughput and also has an option for Provisioned IOPS (SSD) Storage, which allows you to specify a target input/output operations per second (IOPS) rate when creating the database instance. Scalability RDS users can easily and quickly scale their compute and storage resources with very little downtime. They also offer read replicas that allow users to scale out read-heavy databases. Superior availability and durability RDS offers automated backups for point-in-time recovery for a user-specified retention period. This means you can restore to literally any second within the retention period. In the event of a hardware failure, AWS will automatically replace the hardware on that compute instance. Robust security If an instance is running with RDS encryption, the data, its backups, replicas, and snapshots are all encrypted and SSL is used to encrypt data in transit. Resource-level permissions give granular control over who has access to the database and what capabilities they have. Manageability Amazon CloudWatch is included so you’ll have detailed analytics on your databases’ performance at no additional charge. You can receive text and email alerts through Amazon SNS. AWS Config records and audits changes to the database config to support governance and compliance needs. Amazon’s Performance Insights makes analyzing performance data to tune your database easier than ever. If you’re already using the AWS ecosystem, there’s no compelling reason to choose anything else. Even if you’re not, the RDS solution offers a superior feature set, with a much longer track record of reliability, than competing solutions. Amazon RDS offers many advantages over traditional database solutions. It’s flexible, reliable, and easily manageable. If you’re researching RDS for WordPress website hosting, you may want to consider a Managed WordPress Hosting solution that uses RDS, like Pagely. Pagely masks the complexity and eliminates the time costs associated with managing your own database and server. If you’re interested in hassle-free WordPress hosting powered by AWS infrastructure and optimized by a team of WordPress hosting experts, start a discussion with our sales team or see our plans and sign up here. Make your own process infographics with Venngage.
Pagely is thrilled to announce our partnership with Object Cache Pro. Utilizing state of the art compression technology, Object Cache Pro is now part of Pagely’s core offering, and available to all of our customers, platform wide. Offering major cost savings, access to some of the world’s best technology, and a dedicated DevOps team to personalize your setup, Pagely customers can look forward to continued scale and growth, with no hosting friction. A first of its kind partnership, Pagely is proud to help fund innovation in this WordPress space by investing part of our budget into working alongside the fantastic team at Object Cache Pro. We’ve already seen great gains with Object Cache Pro and our customers can look forward to more in the future! Why Object Cache Pro? Before Object Cache Pro, we faced two challenges with sites making use of an object cache – CPU overhead and network saturation. The underlying technologies in Object Cache Pro solved both of these problems for us, translating to less money spent on server hardware and fewer situations where the (quite generous) AWS network limits are reached. With Object Cache Pro’s state of the art technology utilizing the Zstandard compression library from Facebook, without a lot of CPU overhead, compression is now done at the extension level, talking to and from Redis. This means less hardware, lower costs, and a better experience for our customers. Aside from supporting an efficient compression algorithm (zstd), Object Cache Pro also uses the igbinary serializer which is a drop-in replacement for the standard serializer in PHP. This works about twice as fast at serializing and unserializing data. Additionally, the data footprint is smaller when using igbinary and that translates into less memory being used by the underlying Redis service. We also found an in-depth comparison on igbinary vs other serializers on Blobfolio that you may also enjoy reading if you’re into this kinda stuff: https://blobfolio.com/2017/03/benchmark-php7-serialization/ With a wide selection of Redis plugins available in the WordPress marketplace, Object Cache Pro was the obvious choice for us not only because of their forward-thinking tech but also because of the dependability we have come to expect and appreciate from their brilliant team. All of this aside, Object Cache Pro is unrivaled when it comes to bug fixing, an extent to which is a rarity across opensource software. There’s a saying in the opensource community that goes, “there’s a lot of eyes so all the bugs get fixed.” But, more what we see concentrated use of the software by lots of users leading to fewer bug fixes for fear of breaking one users’ site. That, and, no one owns the codebase, so less can get addressed in a timely manner. Similarly, we are continuously impressed by their coverage of testing, fully unit tested with 100% code coverage. Further, switching over to Object Cache Pro gives Pagely customers access to our commercial relationship with their team, which means any problems our customers see are fixed within a few days. You benefit from our relationship. Fewer bugs in the caching layer and full unit testing is a good thing, and that’s something we stand behind. So, What’s in it for the Pagely Customer? We are the first premium host to achieve this level of partnership with one of the best technology companies in WordPress. Through our relationship with Object Cache Pro, every single Pagely customer benefits from the work we’ve done to secure that. But real talk, what’s in it for you? Major cost savings. Even when it means less revenue for Pagely, we’re constantly looking out for cost savings for our customers. By decreasing our dependency on more hardware, you see the savings directly on your bill. Access to a premium partner. Since you’re at a premium hosting provider, you automatically get access to the partnerships we’ve developed. What’s more? You don’t pay an extra licensing fee. The best tech, baked into your Pagely account. We’re always on the hunt for the best and most innovative technology for you. With no effort on your part, we do the legwork of implementing this tech across our technology stack. All you do is benefit from it. Bigger performance wins possible with a little extra code work. WordPress has a feature called Transients. It’s a way to store the result of a complex query or a long-running remote API call temporarily in order to make subsequent lookups for that data return a lot faster without doing the same expensive operation again. Normally without any object cache, transients are stored in the WordPress database’s wp_options table. When using an object cache, it is stored in memory. Adding a few extra lines to your code allows you to tap into the power of this API for incredible performance gains. Having an efficient object cache utilizing fast compression and serialization only increases those gains. A dedicated DevOps team. While others might catch on and jump on the bandwagon of partnerships like this, Pagely still stands above the rest in meaningful ways that translate to real gains for you, the customer. Our DevOps staff becomes your dedicated, in-house team. Our engineers handle all the setup and optimization to make sure your usage of Redis is optimized specifically based on your exact circumstances and needs. Other hosts don’t do that! When you partner with Pagely for your WordPress hosting at scale, you know you have selected the most forward-looking host driven by advances in technology, cost savings for you, and tangible outcomes that help your business thrive. Object Cache Pro Helped FanSided Scale So let’s get to a real-life example here. One of the first Pagely customers we switched over to Object Cache Pro was FanSided. Here you can see a dramatic decrease in network utilization on the Amazon Aurora RDS instance after implementing Object Cache Pro along with custom Transients Caching, which dropped usage from 1 Gigabit per second to 400 Megabit per second; and yielded even lower usage after some more optimizations were made. FanSided comprises a massive network of over 300 active websites and needed a fast solution to maxing out servers and using way too much CPU. Pagely found that solution in Object Cache Pro and implemented it with no effort on FanSided’s part to completely eliminate those issues. Here you can see how memory is no longer being maxed out after the date we turned on Object Cache Pro for FanSided. The proof is in the data, and here you can see dramatic drops in CPU usage after Object Cache Pro was implemented, as well as servers being maxed-out-no-more after the switch. Dramatic drops in CPU usage after implementing Object Cache Pro for FanSided. Read the full FanSided + Object Cache Pro case study here, and take it from our CEO: “In the vacuum of 1 website, a small performance gain is useful. At our scale of hosting, processing hundreds of billions of requests per month across thousands of AWS EC2 instances, a small performance gain to each site means a real and quantifiable benefit to our customers and our bottom line. Now what if that performance gain was not so small, but major. We sought out and partnered with Object Cache Pro after seeing the dramatic results in terms of performance and resource usage when testing. We have thus deployed their Enterprise solution fleet wide and the results speak for themselves.” – Joshua Strebel, CEO of Pagely
Catch up on the conversation. This piece comes as a followup to our CEO Joshua Strebel’s recent piece on why you should never pay your WordPress host for pageviews. Managed WordPress hosting has exploded across the hosting industry since Pagely created it way back in 2006. Overall, the level of innovation that the mainstream has brought to WordPress is amazing. Unfortunately, this sometimes comes with negative side-effects. As investors demand higher profits, many of these managed WordPress hosts are looking for ways to gain a quick and easy boost to their margins. Like we mentioned in our definitive guide to PHP workers, there are a few different metrics that are often misinterpreted, whether intentionally or not. Today, we’re going to talk about pageviews and their role in the managed WordPress hosting world. What Counts as a Pageview? Many hosts cite pageviews as a billing metric with vague term descriptions, if any exist at all. Even with clarified definitions, pageviews tend to mutate on a host-by-host basis with a dizzying array of buzzwords. Although individual managed WordPress hosts vary on what they consider a “pageview”, most define it like this: pageviews are the number of unique IP addresses that access pages on your WordPress site per day, excluding known bots. (Yeah, I know. The term is more like “the number of unique request sources per day, based on predefined catch-all filters.” But I wasn’t the one that made this up, so bear with me here.) Pageviews as a Billing Metric Before we dig in any deeper into the details, let’s think about the definition that I mentioned. Considering that narrative, which of these sites would be more expensive to host? A directory website that houses billions of pages, showing 1,000 entries at a time. A personal blog who’s majority of traffic is to single posts. A documentation site where visitors typically access multiple pages per day. A simple informational website for a local restaurant. An online shop that sells small-batch artisanal snake oil. An API that uses headless WordPress to dynamically fetch content. If you guessed that they represent the same metrics in the eyes of pageview-based billing, your logic prevails! Assuming that they all experience the same number of unique visitors, they’re all treated the same way, regardless of how resource-intensive the site is or how many pages each visitor accesses. Of course, it would be silly to treat all of these sites the same way. Some pages might have large amounts of fully dynamic content, while others might be eternally served from cache. Using an umbrella term like pageviews as a billing metric causes several different issues, based on the site being hosted. Setting Realistic Expectations The first issue that pageview-based billing causes is an unrealistic expectation for low-performance, unoptimized sites. If you’re not familiar with how WordPress sites perform on the server side, you might think that these limits matter exclusively and use them to determine what capabilities you need from a hosting provider. If you’re evaluating your hosting options purely based on a pageview limit, you’re ignoring critical factors that can dramatically impact your WordPress site. Performance-Based Punishment What if you’ve put hard work into optimizing your site? Well, now you’re wasting money on a billing metric that doesn’t matter. If your site is highly cacheable, you’re feeling the impacts even further. When serving content from cache, it’s practically free from a hosting perspective. You’re being nickel-and-dimed for something that is entirely outside of your control. Knowledge is Power As you scale, knowing what you’re paying for can quickly become a critical part of maintaining a healthy, cost-effective site. Coupled with the fact that the same people who are charging for pageviews tend to hide their underlying infrastructure behind the curtains, there’s no way to verify or manipulate what’s being counted. While many claim that they exclude the known IP addresses and user agents of known bots from counting towards your monthly pageview bill, what’s their motivation for even bothering? After all, more pageviews mean more money in their pockets. Pageviews Are Still Helpful Many of our prospective customers ask, “How many pageviews can ‘x’ plan handle?” Like we mentioned earlier, the impact of each pageview dramatically varies based on the type of content viewed and how your site was developed. Every WordPress site is different. It would be impossible to accurately estimate the ideal hosting environment without a complete understanding of what your site’s usage looks like. Although pageviews are a faulty metric as far as billing is concerned, they can still be useful as part of a larger dataset. Whether you’re scaling, optimizing for better performance, or shopping for a new hosting provider, pageview data plays a role in getting a full picture of your site. For example, if you were running benchmarks to determine your server’s capacity, pageview data could be used to identify what a typical day looks like. Let’s say your site looks something like this: 10% of traffic is on the home page. 30% of traffic is to various landing pages. 30% of traffic is to different blog posts. 20% of traffic is to your product’s pricing page. 10% of traffic is on account-related pages. Using that traffic data, you could then estimate what types of content have the most significant impact on server resources. You may find that some pages underperform and could use some optimization, while other highly-cacheable content, like blog posts or landing pages, remain essentially free. If 90% of your traffic goes to fully-cached content, increases in traffic have a trivial impact on your bottom line, if any. Closing Remarks Operating a WordPress site at scale is all about a delicate balance of performance and cost. At Pagely, we partner with our clients to help them achieve those goals. While shopping for a new hosting provider, be on the lookout for hosts that impose false barriers, such as PHP worker limits and pageview counts. Those vague limitations are a red flag that they’re going to try to upsell you later. (These limitations are also a sign that they’re trying to sell you on shared hosting resources too, but that’s a topic for another discussion entirely.) We hope that you’ve learned more about the impact of pageviews (or lack thereof) and why it’s not an appropriate billing metric. Do you have any experiences with pageview-based billing that you’d like to share? Is there something we missed? Let us know in the comments below.
This monthly report is provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core No notable WordPress core security releases. Plugin/Theme Vulnerabilities of Note Security & Malware scan by CleanTalk https://wpvulndb.com/vulnerabilities/10292 This vulnerability within CleanTalk allows an authenticated user, such as an editor or subscriber, to make unauthorized Ajax calls which could lead to file deletion or downloads and also potentially function calls. Adning Advertising https://wpvulndb.com/vulnerabilities/10293 The Adning Advertising plugin has a vulnerability in versions lower than 1.5.6 which allows unauthenticated requests to upload or delete files, leading to an RCE attack, which can then lead to full site takeover. Wise Chat https://wpvulndb.com/vulnerabilities/10299 Wise Chat versions lower than 2.8.4 are susceptible to a CSV injection via a command sent in chat messages by an unauthenticated user that is included in an exported CSV file, which then could potentially lead to an RCE attack. Email Verification for WooCommerce https://wpvulndb.com/vulnerabilities/10318 The Email Verification for Woocommerce plugin prior to version 1.8.2 is affected by a loose comparison issue. This could potentially lead to any user (authenticated or non-authenticated), to log into the WordPress site. SRS Simple Hits Counter https://wpvulndb.com/vulnerabilities/10316 The SRS Simple Hits counter plugin is currently vulnerable to an unauthenticated blind SQL injection vulnerability. The responsible reporting parties at Tenable ( https://www.tenable.com/security/research/tra-2020-42 ) are working with the developer to write a more comprehensive patch to address this vulnerability, and will not release more details on the attack until they know a patch has been released. Site owners using SRS Simple Hits Counter plugin on their sites should keep an eye out daily for the patch to be released. Payment Form For Paypal Pro https://wpvulndb.com/vulnerabilities/10287 The Payment Form for Paypal Pro plugin versions before 1.1.65 are vulnerable to an unauthenticated SQL injection attack. The attack is a trivial single request which can expose the contents of your database (which includes user passwords and potentially other secrets) to the attack. This is a high risk vulnerability and site owners should patch immediately. WooCommerce Subscriptions https://wpvulndb.com/vulnerabilities/10330 The WooCommerce Subscription plugin is vulnerable to an unauthenticated stored cross site scripting (XSS) attack in the subscription billing process. Attackers can submit their XSS attack payload to during the billing step in the signup process, and later that payload will be executed on the browser of the administrator/user who reviews the attacker’s account. Site owners should update WooCommerce Subscriptions plugin to version 2.6.3 and not check any new user account information until that update is performed. TC Custom JavaScript https://wpvulndb.com/vulnerabilities/10325 The TC Custom Javascript plugin is vulnerable to an unauthenticated stored cross site scripting attack. Sites running versions before 1.2.2 should update immediately, attackers can add their own javascript or HTML to the footer of all pages loaded by WordPress with a few basic requests. This vulnerability is likely to be targeted by SEO spam bots. KingComposer https://wpvulndb.com/vulnerabilities/10297 The KingComposer plugin is vulnerable to a reflected cross site scripting vulnerability in versions before 2.9.5 This means the attacker’s malicious HTML/javascript will only be available to the browser making this request. This still poses a high risk if an attacker can trick an already logged in user to click on a malicious link/form to the website, potentially exposing secrets viewable by the user giving them to the attacker. JobSearch https://wpvulndb.com/vulnerabilities/10328 The JobSearch plugin versions before 1.5.6 are vulnerable to a reflected cross site scripting vulnerability. Much like the KingComposer vulnerability above it is a high risk if logged in users to be targeted. The proof of concept for this vulnerability will be released on August 6th, 2020, site owners should patch before this date. See previous months’ WordPress security updates from May and June.
The benefits of this WordPress security guide are two fold: Learn exactly what you need to know about WordPress security in 2020. Understanding WordPress security helps you adopt a security-oriented mindset that will help you prevent and mitigate risks as you make day-to-day decisions. Get actionable, step-by-step instructions for securing your WordPress site. The steps you need to take aren’t particularly time-consuming, don’t require advanced technical knowledge, and the linked guides are vetted for clarity and completeness. Of course, it’s impossible to cover every possible vulnerability and scenario. That’s why we also include the overarching “principles of WordPress security.” If you can follow these broad principles many of the minute details that are difficult to address in this type of post will take care of themselves. Why is WordPress security critical? It’s important you understand how big an issue WordPress security is so you give it the time and attention it deserves. Here are some sobering statistics: Google blacklists 10k sites a day for malware and another 50k for phishing each week. A blacklist from Google kills that source of traffic which can be highly disruptive to a business’s revenue. Fixing and removing a blacklist can be a hassle, particularly if your server was used to send SPAM emails. A blacklist from email service providers harms your deliverability rate which undermines the effectiveness of your email marketing. In 2018, 90% of CMS hacks were WordPress. Granted, WordPress is the world’s most popular CMS with 34% of the web powered by WordPress, but this is still a disproportionate amount of hacks. For a variety of reasons, WordPress sites are targeted and exploited more than any other CMS. 60% of attacks target small businesses. You may think that hackers won’t bother with your site because you’re a small fish but “security through obscurity” does not exist on the web. No one is too small to be a victim of an attack. WordFence reports that there are over 97,978 attacks happening per minute. This is not a small, isolated problem. Large swaths of WordPress sites are being probed for weaknesses at any given time. Will you be ready if your site is targeted? While these stats paint an intimidating picture of what you’re up against, it’s important you confront the realities of managing a WordPress site in 2020. If your business relies on WordPress, security is not something you can afford to ignore. If you haven’t taken steps to secure your site, you’re vulnerable to attack. It could be only a matter of time until your site becomes compromised. This is one area where “an ounce of prevention is worth a pound of cure.” The principles of WordPress security Securing WordPress is more than checking off a list of boxes, it requires you to adopt a security-oriented mindset that guides your decision making. These principles will help you prevent mistakes as you make day-to-day decisions like adding new WordPress users, plugins, and themes: Vulnerabilities are often introduced by WordPress users. Vanilla WordPress that is kept up to date and uses strong passwords is relatively secure. It’s often the decisions made by WordPress users that create weaknesses that hackers exploit. This is why articles like this one are so important. It’s up to you to be educated on, and consistently follow, the WordPress security best practices outlined here. Minimize plugins and themes. New WordPress users are often overjoyed by the extensive ecosystem of plugins and themes available for WordPress. This can lead to indiscriminate installation of plugins. But, each new plugin or theme adds code to your site that, potentially, adds new vulnerabilities. By minimizing the plugins and themes installed, you also minimize the amount of code your site uses, and, by extension, the number of potential security vulnerabilities. In general, if you can solve a problem without installing a plugin, that’s the best option. Install updates as soon as possible. Updates to the WordPress core and updates to plugins and themes often contain critical security updates. They should be installed as quickly as possible. If you have a good back up strategy in place, you can roll back to a previous version in the event the update causes issues. Follow the principle of least privilege. This is a core principle of cybersecurity in general and is not unique to WordPress. This is a fancy way of saying, “don’t give a user more privileges than they need because those extra privileges give hackers more power and access than they’d otherwise have if they compromise that account.” Attacks can still happen. You can try as hard as you can to cover all the bases and still fall victim to an attack. This is why regular, automated backups are critical. Do not ignore this advice. A hacked site can be disruptive but can generally be fixed with minimal cost and disruption, a hacked site without a backup to roll back to can be severely disruptive. You are never finished with security. Having a 100% secure WordPress site is an impossible task. You can’t accomplish complete risk elimination, so aim instead for ongoing risk reduction. This “risk reduction” mindset prompts you to continue taking steps to improve your security as part of an ongoing, never-ending initiative. The most common WordPress attack vectors Understanding the most common methods hackers use to exploit WordPress will help you understand how to address them and why the steps recommended later in this article are necessary: Brute Force Attack A cyber criminal uses trial and error to identify a password or pin. They use combinations of common usernames and passwords until they find the right one. It’s the equivalent of trying every key on a key ring to find the one that works. This is all done using a computer script so they can run thousands of combinations with very little effort. Given enough time, any account is hackable but strong passwords thwart this kind of attack. SQL Injection Malicious SQL code is injected into a database to gain access to database information that was never intended to be displayed. Depending on the hackers goals, this can lead to your database being deleted, customer information being stolen, or sensitive company information being accessed. Malware A virus or spyware is inserted using an expired theme or plugin. The attacker can gain access to your data, insert pages into your site for black hat SEO, and perform a number of other nefarious activities using your site. Cross-site scripting Javascript code is inserted which then collects data commonly used to exploit WordPress plugins. This can be used to redirect your site visitors to malicious content. also known as an “XSS attack.” DDoS Attack A Distributed Denial of Service (DDoS) attack floods a website with traffic which overwhelms server resources causing it to fail. Multiple machines send frequent requests to the server using malware installed on those machines for that purpose. The distributed nature of the attack can make it difficult to identify and block the sources of the traffic. Now that you understand how hackers will attempt to breach your site security, let’s look at how we can block and prevent these attacks… Steps to secure your WordPress site In spite of the many ways your site can be compromised, it is possible to mitigate these risks and prevent many attacks. Here’s a list of recommended steps to protect your WordPress site from security attacks: 1. Force Strong Passwords “81% of attacks are based on insecure or stolen passwords” “It only takes about 10 minutes to crack a lowercase password that is 6 characters long.” These two facts taken together make the case that you must use strong passwords for all WordPress users. Strong passwords are long and use a combination of upper and lower case letters, numbers, and symbols. Longer is better but 20-characters is probably plenty. Strong passwords are difficult to memorize, especially if you’re using unique passwords for each site (you should be!). This means a password manager, such as LastPass or Dashlane, is a critical tool. These apps make creating strong passwords easy, store them in a central location, and make logging into your websites easy by autofilling your passwords. Here’s how to make sure all your WordPress users are using strong passwords. 2. Turn on automatic WordPress Core updates One of the advantages of using a popular CMS like WordPress is that there are many people with a vested interest in keeping it secure. Thousands of people are contributing to WordPress security by reporting vulnerabilities to the WordPress team. This widespread collaboration means most holes are patched relatively quickly. But, if the updates that contain those fixes are not applied, you leave your site vulnerable to attack. The best way to ensure your WordPress core updates happen quickly is to turn on automatic updates. This way your WordPress site will be kept up-to-date without you having to do anything. Here’s how to turn on automatic core updates by modifying your config.php file. 3. Stay on top of plugin and theme updates You absolutely must keep your plugins and themes up-to-date. The importance of this cannot be overstated. You’ll also want to be careful to use plugins and themes that are updated often. If you’re using a plugin or theme that has not received an update in months, it’s a good idea to check in with the developer or find a more frequently updated plugin that accomplishes the same goal. When you search for a plugin in the WordPress plugin database, this information is provided in the sidebar: 4. Use Two-Factor Authentication (2FA) Two-factor authentication adds a layer of protection to your WordPress site by making it nearly impossible for a hacker to log in to your site — even if they know your username and password. You should set up 2FA for all WordPress users. 2FA can be set up quickly with simple, free plugins. Here’s a list of available 2FA plugin solutions for WordPress. 5. Brute Force protection Even with 2FA and strong passwords, it is good to setup brute force protection to help with overall performance on the server by reducing the amount of work PHP has to do. Here’s how to protect your site from brute force attacks. 6. Create automated, scheduled Backups In the event of an issue, there should always be recent database and file backups available. You should also create a backup before making any major changes to your site, such as installing plugin and theme updates. Many of the popular backup solutions take care of this for you. Here’s a list of backup solutions for your WordPress site 7. Change your login pages The default login pages for all WordPress sites are sitename.com/wp-login.php and sitename.com/wp-admin.php. Using these default login page URLs makes it easy for hackers to begin a brute force attack by trying combinations of usernames and passwords. By using a login URL that is difficult to guess, it makes it more difficult for hackers to begin the brute force attack because they don’t know where the login form lives. Here’s how to change your login page URLs. 8. Use SSL Secure Sockets Layer (SSL) encrypts all data sent from your website to the visitors browser obscuring potentially sensitive data. Using SSL has many benefits in addition to security. Google may rank your site higher in the search results and many browsers indicate whether a site is secured by SSL which can reassure them your site is trustworthy. Here’s a tutorial on setting up SSL for your WordPress site 9. Don’t use the default database prefix Using the default “wp_” database prefix makes it easier for a hacker to insert code into your database (SQL injection). Here’s how to change the default database prefix for a new site and an existing site. 10. Check your folder and file permissions File permissions define what actions can be applied to the files on your server. You should never set any WordPress file or directory to 777 permissions. Instead, make sure your permission scheme is as follows: Folders – 755 Files – 644 Here’s a guide to checking and fixing the permissions of your WordPress files and folders. 11. Disable pingbacks WordPress pingbacks are enabled by default. But for most sites, they offer little benefit. But, they can be used to turn your WordPress site into an unwilling participant in a DDoS botnet. To turn off pingbacks, you can go to “Settings –> Discussion” and uncheck the “Attempt to notify any blogs linked to from the article” box. It’s also a good idea to uncheck the “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles” box: 12. Hide your WordPress version number One of the ways attackers gain access to a site is by exploiting known vulnerabilities in outdated versions of WordPress. Hackers can scan your site and easily find out what version of WordPress you’re using. If that version has a known vulnerability then the hacker has a good idea of how to proceed. The best way to prevent this is to keep WordPress up to date. However, you can also prevent a hacker from finding out what version of WordPress you’re running. Here’s how to hide your WordPress version number. 13. Don’t use the admin username Hackers can safely assume that a WordPress site is using the default “admin” username and that username will give them admin privileges so all they need to do is figure out the password. This gives them a direct path to gaining admin access to your site with a good probability of success. Eliminating the admin username makes it significantly more difficult to attack your site this way. If you’re already using the admin username, that’s okay, you can change it now. Here’s how to change the admin username. 14. Use a secure Managed WordPress Host A host that supports all the major CMSs will have difficulty staying on top of WordPress security. By specializing in the WordPress CMS alone, a WordPress hosting provider can devote the resources necessary to prevent many attacks. A reputable Managed WordPress Host will have a security team dedicated to shielding your site from threats. They’ll handle many of the concerns raised above like taking care of WordPress updates, creating backups, and more. Here at Pagely we have a comprehensive suite of security features called PressArmor that handles both WordPress application security and server security. Security questions to ask a potential managed WordPress host: Is your hosting environment chrooted? If your host has multiple domains on the same server, check with them to ensure they use chroot to isolate each WordPress app. If one app is hacked, this would help prevent access to other apps on the server. Is SSL included and easy to set up? A good WordPress hosting provider will provide SSL free of charge using a service such as Let’s Encrypt. Do you actively monitor my site specifically for WordPress vulnerabilities? If you detect a vulnerability on my site, how will you inform me? A good WordPress host will stay on top of the latest threats to WordPress sites and constantly scan your site for those threats. If they find a vulnerability, they will work with you to address it. Are you using a web application firewall (WAF) to protect my site? A WAF block malicious traffic before it reaches your site and can help prevent XSS attacks and SQL injections. Here’s a list of important considerations for choosing a Managed WordPress Host. Conclusion WordPress security cannot be taken lightly and you must take steps to secure your site. Using a Managed WordPress Hosting Provider like Pagely is one of the best ways to improve your security because you will have an experienced team dedicated to protecting you. Whether you choose to handle WordPress security yourself or leverage a host that specializes in WordPress, it’s important to treat WordPress security as an ongoing effort. You are never done with security but if you’ve taken the above steps you’ve protected yourself from many of the most common threats.
Since this is the internet – and the rules of the internet clearly state everyone gets an opinion, I’d like to share one of mine around website hosting billing plans. Quick backstory: 10+ years ago when we launched Pagely we did so with a simple line on our pricing page denoting a rough estimate of the expected capabilities of that plan ie: Plan – 1 was suitable for ~1 million pageviews. Along came the next several providers who did something similar with one important difference. They actually attempted to measure and cap pageviews per hosting plan, bracketing their plans by this new billing metric. In my opinion Pageviews used as a billing item is a predatory and anti-consumer practice and you should be very wary of working with any company that applies this #successtax to your monthly bill. Definition of anti-consumer : not favorable to consumers: improperly favoring the interests of businesses over the interests of consumers Hi, I’m Joshua Strebel, Co-founder and CEO of Pagely – A leading Managed WordPress hosting company – Thank you for attending my TED Talk. What are you buying when you are buying “hosting”? To host a WordPress site you need a few key components. A server (a computer) connected to the internet with software installed to process requests and responses for your application. Storage / Disk space attached to that webserver to save your files to. Data Transfer / Bandwidth. This is the pipe the information flows through. That’s basically it. Hosting providers typically lease/sell you packaged fragments of these resources for a monthly fee. Plan A, Plan B, Plan C. etc. Of course there are other items that may be line-itemed such as included support levels, CDN GB’s per month, managed services, etc. Plan A has X amount of consumables for Z price. It’s all fairly straightforward as most consumers understand what a Gigabyte of Disk space is and can at least grasp that more CPU/RAM offered should equate to more potential performance. “Pageviews” does not fit this model well – as the definition of a pageview is amorphous and subject to exploitation. Oh, and spoiler alert, PHP workers is not a valid billing metric for WordPress hosts either. What does an automobile lease have to do with hosting plans? Pageview limits on hosting plans are akin to annual mileage limits on auto leases. It’s a cap on the use of an asset you already purchased. In an automobile lease context a mileage cap at least has some merit as being a form of controlling the depreciation of the vehicle – you are essentially financing the deprecation of the automobile asset with a lease – and the lease company expects to sell that car (New retail value – Depreciation) when you return it. If the depreciation is too high, they lose money on that transaction as they have to sell it for less than they calculated. Your hosting plan is not a depreciating asset though – the hosting company is going to sell the same resources to the next customer when you are done for the same or likely higher fee. Therefore in my humble opinion: Pageviews are just an arbitrary anti-consumer fee – a penalty tax for using the service you already paid for. A Pageview is (depending on who you ask) a wrapper around these items: A measurable amount of Data Transfer in and out A measurable amount of CPU resources to process the request and render the response A measurable amount of Disk and Database activity Are you not already paying for these items as part of your hosting plan? Hint: Yes you are. But wait, there’s more – and my colleague will dig into these more in a future post. This pageview billing model is so poorly defined by the hosts that use it – it is ripe for abuse. It’s a scheme to generate revenue for the hosting company and unfairly penalizes the consumer. Hint: You already “paid” for the sum of the parts of a “pageview”. No two pages are the same. A cached page even with a few images can be served a million times a month with ease, and yet a badly coded membership-site page may tax the hardware it runs on each time it loads. They have very different cost profiles to the host – yet both are treated equally under this model. If you invested the time to optimize your site, get it caching well and then blow it up with viral traffic.. That is a GOOD day for you and costs your host pennies of the monthly fee you are already paying them – yet when you get the overage bill for exceeding your pageview cap at the end of the month, are you going to enjoy that tax on your success? If you want to keep paying twice for the same resources you are welcome to. I simply do not think that is fair. Our friends down in Austin have made millions on charging their customers overage fees for exceeding their monthly pageview cap – even to the point having to publicly respond to criticism – only to keep the practice in place. Reminds me of airline baggage fees and fuel surcharges. and An “online payment convenience fee” when they only accept payments online. and JetPack being “free”. Happy WordPress’ing – Joshua Strebel
These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core WordPress 5.4.2 Security Release https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/ A WordPress Security release (5.4.2) was made available on June 10th. This release addresses the following 6 vulnerabilities: Authenticated XSS in the block editor Authenticated XSS in media files Authenticated XSS in theme uploads Privilege escalation in set-screen-option() Open redirect in wp_validate_redirect() Information leak allowing comments to be read from password-protected posts and pages. Plugin/Theme Vulnerabilities of Note Removed from Repo WordPress website owners who have the following plugins installed are strongly encouraged to remove them from their websites or find a replacement as soon as possible. These plugins were removed from the WP.org plugin repository due to inaction of the developer to patch one or more security flaws: wp-pro-quiz delete-all-comments-easily High Severity Vulnerabilities ACF to REST API https://wpvulndb.com/vulnerabilities/10284 The acf-to-rest-api plugin versions before 3.3.0 are affected by a vulnerability which would disclose the values of the wp_options table to attackers. This vulnerability has varying severity based on what data is contained in a site’s wp_options table. KingComposer https://wpvulndb.com/vulnerabilities/10270 The kingcomposer plugin versions before 2.9.4 lack proper access controls for ajax endpoints, many of these ajax endpoints also include vulnerabilities which users with a valid accounts could target to change WordPress option values, inject content, store XSS code, delete files on the site or execute arbitrary code. wpDiscuz https://wpvulndb.com/vulnerabilities/10273 The wpdiscuz plugin versions before 5.3.6 are affected by an unauthenticated SQL injection vulnerability. This plugin is currently on release 7.0.3, and the plugin author is making 5.3.6 available as a back port for site owners not ready for version 7. Brizy – Page Builder https://wpvulndb.com/vulnerabilities/10261 Brizy Page Builder before version 1.0.126 is susceptible to an access control vulnerability via AJAX calls which allows a user with minimal privileges the ability to access editor functions. JobSearch https://wpvulndb.com/vulnerabilities/10255 The Jobsearch premium plugin before version 1.5.1 is affected by an unauthenticated reflected cross-site scripting vulnerability. The Proof of Concept is provided within the link below and is easily replicated: https://github.com/vladvector/vladvector.github.io/blob/master/exploit/2020-07-03-jobsearch-wp-job-board-wordpress-plugin-v1-5-1.txt See previous months’ WordPress security updates from April and May.
This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that process. WordPress 5.4.2 Security Release June 11th, 2020 WordPress site users We trust them within reason. And patch, to be sure. The WordPress security team has released WordPress 5.4.2. This security release addresses 6 security vulnerabilities. There are numerous cross site scripting vulnerabilities addressed in this release however each required an authenticated user to execute the attack. There also includes one privilege escalation attack. If there were a theme in this release, it serves as a reminder to be sure you trust who you give accounts to on your WordPress site. The Pagely team has already begun rolling out this patch for all customers. If you have a version hold request on file, we will patch your site while keeping it on the same major branch version. WordPress 5.4.1 Security Release April 29th, 2020 You are safe at home, while we are patching your sites. Stay Safe. Stay Secure. The WordPress security team has released WordPress 5.4.1. This security release addresses 7 security vulnerabilities and includes 17 bug fixes. There are numerous cross site scripting vulnerabilities addressed in this release, so it is recommended site owner update right away (if you’re a Pagely customer we are already working on this for you.) The Pagely team will be rolling out this patch for all customers shortly. If you have a version hold request on file, we will patch your site while keeping it on the same major branch version. WordPress 5.3.1 Security Release December 13th, 2019 A vuln is a vuln, until a patch is released. Now it is secure. The WordPress core team has released WordPress 5.3.1, which addresses 3 security vulnerabilities and includes 1 security hardening measure. The higher risk vulnerabilities include XSS (Cross Site Scripting) in some unlikely situations, as well a vulnerability which could allow someone to mark a post “sticky” on the site, without the need for authentication. Pagely has tested this version and has the patch available for all customers running any WordPress version. Due to the weekend being upon us, we will begin upgrading sites on Monday December 16th. Any customers who would like the upgrade to be performed over the weekend can reach out to our support staff and they will be glad to help. PHP-FPM+Nginx Remote Code Execution (CVE-2019-11043) October 29th, 2019 Hasty vuln released. We checked immediately; Our servers are safe. On October 22nd, 2019 a security researcher released their findings related to a remote code execution in PHP-FPM, which was present on hosts with specific nginx configurations using fastcgi_split_path_info. Pagely’s stack does use the fastcgi_split_path_info directive within our nginx configurations, and our staff investigated the vulnerability on the 22nd the day of the relase. We identified we were already properly using the recommended remediation of try_files to ensure the file being requested actually exists on the website. Pagely’s default nginx configuration is not vulnerable. On October 24th the PHP dev team released the official patch version to address this vulnerability. Our staff have already started applying this patch to all customer servers. WordPress 5.2.4 Security Release October 15th, 2019 Secure WordPress Fast Six Vulnerabilities Secured by this Patch. The WordPress.org core team has released WordPress 5.2.4, a security release addressing six vulnerabilities from XSS to viewing unauthorized posts. Pagely staff have already begun applying patches to our customer’s WordPress websites. Customers with version holds will only receive the patch for the branch they are currently running. WordPress 5.1.1 Security Release Addresses XSS March 15th, 2019 Comment filter for Cross Site Scripting prevention; Helps secure WordPress. The WordPress.org core team has released WordPress 5.1.1 which is a security release to address two vulnerabilities related to improper filtering of comments on WordPress sites. Pagely staff have already begun applying the patch for each of our customer’s WordPress version, and will keep customers on their current branch version if they have requested a version hold. WordPress 5.0.1 (and 4.9.9) Security Release December 13th, 2018 WordPress new release Patches seven vulns in all. Handled by our team. The WordPress.org core team has released WordPress 5.0.1 which is a security release to address a number of vulnerabilities found in WordPress versions 5.0, 4.9.8 and older. The core team has also provided security releases for WordPress versions 4.9.x, 4.8.x, etc.. which addresses the same vulnerabilities for that WordPress branch release. Pagely staff will apply the appropriate patch for each of our customer’s WordPress version, and will keep customers on their current branch version. This means, if you’re running 5.0, we will apply the 5.0.1 patch, if you’re running 4.9 then we will apply the 4.9.9 patch, and so on with 4.8 and etc… This patching will be completed by the end of the week. WordPress 4.9.7 Security Release Addresses Arbitrary File Delete (CVE-2018-12895) July 5th, 2018 We patched this last week. This security release is safe to wait for. The WordPress.org core team has released WordPress 4.9.7 which adds some functionality and includes a security patch for the previously reported “Arbitrary File Delete” vulnerability (CVE-2018-12895) which we addressed last week Pagely implemented a patch to address this vulnerability on all customer websites, as there was no WordPress.org patch available when the vulnerability was publicly disclosed. Pagely customers can request to be upgraded to patched versions of WordPress over the weekend, all customer sites will be upgraded by early next week. WordPress Author Arbitrary File Delete (CVE-2018-12895) We trust our authors, to not delete files, but let’s not allow it. RIPSTech researchers Slavco Mihajloski and Karim El Ouerghemmi reported yesterday of a vulnerability in WordPress core which would allow users on a WordPress site with Author level access or higher the ability to delete and/or re-upload any file writable by the PHP process WordPress runs under. The limitation of this vulnerability hinges on the fact a malicious user must also be someone a site owner trusted with having author level access already (or a compromised author user account could be abused) The consequence of this vulnerability would be that an attacker or malicious user could potentially remove files on the server, which may disable protections (such as .htaccess files, or security plugins), or allow them to re-write a site’s wp-config.php (to point your site at the attacker’s database, or install their own credentials/secret keys.) Our infrastructure configuration does not allow PHP processes to be able to modify any WordPress core files, however the risk of modifications to plugins, .htaccess files or other user uploaded files remains. To address this we have implemented a recommended hotfix which sanitizes the file path in the attachment delete/modification function used by WordPress core. The patch implemented has been tested and verified as safe and will be pushed out to our customer servers this week. If for any reason this hotfix causes issues with your site user’s ability to remove or edit media on your blog, please let our support staff know and we can help sort out the problem. PHPMyAdmin File Inclusion and Remote Code Execution (CVE-2018-12613) (PMASA-2018-4) Admin your DB with php, securely. We did the upgrade Pagely customers who have phpMyAdmin configured on their servers can rest assured we have taken steps to upgrade all of our customer’s phpMyAdmin installations to address multiple vulnerabilities recently reported. TLS 1.0 Retirement It’s been a long time coming, so break out the gold watch and cake. TLS 1.0 is finally being retired across the web thanks to the push by PCI-DSS. Pagely is updating our customer websites this week to address this and will be supporting TLS 1.1 or higher by default on our servers this week. By default, customer websites will only communicate over HTTP using the more secure TLS 1.1 and 1.2 protocol versions, and TLS 1.0 will no longer be an option. The reason for the change has been a long time coming. There are multiple browser based vulnerabilities in TLS 1.0, and the protocol version has been depreciated for years. However, the big deadline is that PCI-DSS counsel has set a hard deadline for June 30th, 2018 as the final day that sites will no longer be able to pass PCI scans if they have TLS 1.0 enabled in any manner. The impact of requiring TLS 1.1 or higher, is almost certainly going to be negligible. Every major browser supports TLS 1.1 and 1.2, rough estimates put less than 4% of the global internet traffic as using a browser that only support TLS 1.0, this is mostly composed of old mobile devices. So, sorry everyone on a dated iPad or Android tablet/phone, it’s not safe for you to transmit data over HTTPS and hasn’t been for a long time! Luckily, this number continues to drop every year, as these old devices eventually get replaced or taken out of service. Pagely Login Page Updates Pagely customers will notice something new when accessing their Pagely administration panel https://atomic.pagely.com on May 31st 2018. Our new login portal! Don’t worry, this change is expected as we are rolling out some improvements to our administration panel and preparing for it’s replacement. When you visit https://atomic.pagely.com your browser will automatically be redirected to our new version of Atomic. You may see the words “BETA” here and there, and some customers (those already upgraded to ARES) will have new features available as well. There is nothing you need to do on your end at this time, your login will function as normal and the new atomic panel has all the same basic features as the old one — If you’re feeling a little nostalgic, you can still switch back to the old Atomic panel by hitting the “Atomic (Legacy)” button found in the panel. In the near future we will be offering a new 2FA feature to give our customers a better experience with their 2FA management, but this first login portal change on 2018-05-31 will not affect your existing login credentials. PHP Security Patch (CVE-2018-10546 CVE-2018-10547 CVE-2018-10548 CVE-2018-10549) You need a null byte; Or you get heap overflows! MakerNote take Note. PHP has released a security patch which addresses four security vulnerabilities, the worst of which is a heap overflow from uploaded images which lack null bytes or corrupted EXIF data in MakerNote files. Further details available in the PHP 7.0 Changelog and PHP 5.6 Changelog. Pagely has begun upgrading customer servers and all PHP versions will be on patched in the next few days, if not already. WordPress 4.9.5 Release Secure hardening in the four nine five release; Other bugs fixed too. WordPress version 4.9.5 has been released and is considered a security and maintenance release. The WP core team addressed 3 security related bugs which are not critical security bugs, but improve the code’s overall security. You can read more about the release here. Pagely will begin updating customer sites to 4.9.5 shortly. POP-ping WordPress Object Injection? DNS must be trusted. Or else, oh no! Hacks! Researcher Nick Bloor (@nickstadb) recently released a report on object inject+DNS vulnerabilities in WordPress which could lead to remote code execution/arbitrary file uploads to sites. Nick explains that if attackers control the name servers the website uses to lookup domains, then it’s possible to “spoof” being the WP update server due to WordPress defaulting to HTTP communications when HTTPS fails during updates. This report outline that if attackers were able to take control of a DNS server, they could pivot that access to then also take over WordPress website via the WordPress auto-updater as well as exposes a PHP Object injection as well. Pagely customers are not affected by this vulnerability, as we are a managed host and do not allow modifications to what name servers our customer’s servers utilize. Secondarily, our server permissions would not allow WordPress auto-updater to function on it’s own (we handle upgrades for customers), this is identified in the “caveats” section of the vulnerability disclosure page as a preventative measure. WordPress load-scripts.php DoS (CVE-2018-6389) Feb. 6, 2018 Loading all the scripts, leads to long web responses. Rate limiting, Win. We are aware of the reported Denial of Service (DoS) affecting WordPress’s /wp-admin/load-scripts.php; Assessing the risk we believe our caching system dramatically reduces any DoS threat targeting a single URL with scripts like this. We are implementing a fix which is currently in testing, it will limit the number of requests people can make to this file before being throttled and subsequently blocked. This fix will be available for all customers, including those on the new ARES platform. WordPress Security and Maintenance Release: 4.9.2 Jan. 16, 2018 Other people’s code How did it get on your site? Sad emoji face. WordPress version 4.9.2 has been released and it contains an update to address an insecurity in the Media Elements library, which is included in WordPress core. The patch addresses a cross site scripting (XSS) vulnerability, which could allow remote attackers to inject their own HTML onto your site. Pagely will be patching customer sites immediately, and should be finished shortly. If you would like to read more about this release please see the WordPress blog announcement here. Spectre and Meltdown Jan. 5, 2018 Reading memory, outside of your privilege. Time to patch kernels. [Update: Feb 2, 2018 CST] Our kernel hotpatch provider has released a working patch for Meltdown as well, and it has been applied to all customer servers. [Update: Jan 18, 2018 09:00 CST] Spectre: Patched without the need for a reboot Meltdown: Patch available if you request a reboot, we are still waiting on the no-reboot patch which is close to being tested as safe to apply. If you are concerned about the risks associated with Meltdown, contact support to request a server reboot. Or wait until our no-reboot patch has been tested and is working safely. Risk associated with Meltdown: There are still no PHP based proof of concepts, therefor we consider it a low-likelyhood that anyone (aside from someone with SSH access to your server) would be able to perform this attack on your site/server. If you disagree with this risk assessment, then please contact support and we will schedule a reboot to apply the patch for Meltdown ASAP. [Update: Jan 11, 2018 11:30 CST] Our kernel patch provider has released a working patch for Spectre, but not Meltdown. We will be applying the Spectre patch to all servers before the end of the week, and will be awaiting their patch for Meltdown when it becomes available. If you would like to hasten the patch time, we can apply the kernel patch from Ubuntu (released yesterday) however this will require a schedule reboot for the change to take affect. If you would like to schedule a reboot of your server, please contact our support staff from your account’s primary contact email address (or via our administration panel) These patches are known to cause a negligible performance hit on servers when applied. It’s likely you will not notice this performance hit on your site unless your code does a large amount of system calls and/or you are already close to needing an upgrade. Our engineers are working on a solution to this issue and we may be able to work with customers impacted to entirely remove this performance hit or actually come out ahead. [Update: Jan 9, 2018 09:00 CST] At this time (Tuesday January 9th) we do not yet have a stable patch to apply to customer’s servers. The patch plan for early this week was not met. This was due to the complicated nature of this patch, and ensuring a stable patch is what is pushed out to servers. It’s been identified by multiple sources that this patch is not the simplest, concerns of stability and CPU overhead come up and this has delayed the patch from either Ubuntu (our operating system) or KernelCare (our kernel patch provider). Risk assessment: The existing proof of concepts for these vulnerabilities are not executable against our customer’s sites due to how our PHP is configuration (we restrict/ban any exec/shell calls) which reduces the risk of this vulnerability. Only customers with compromised SSH accounts would be vulnerable (and if there does exist a PHP PoC in the future, only customers with compromised sites would be exposed.) We are delaying the patching process. This decision is made under the consideration that many people are reporting issues with the patches available, and the lower risk this vulnerability has at exploiting WordPress sites on our network. Tentative timeline: We expect patches from one of the upstream providers (Either KernelCare or Ubuntu) tomorrow, Wednesday Jan 10th, however this may be delayed. When a patch is available, if it is Kernel Care, no reboot will be required. If it is Ubuntu, then we will need to reboot your server for the change to take affect. We will begin applying patches for customers this weekend or next week (a few days after the patches are released so we have time to test the patch sets.) We will contact customers via email to schedule a reboot, if it will be required to apply this patch. [Original post] Pagely is aware of the multiple related vulnerabilities in Intel (and other) CPUs known as “meltdown” or “spectre” and has been working on patching affected servers. This vulnerability is a bit different than most, as it requires patching done on the bare-metal server as well as a second round of patching on our virtual instances for Pagely customers. Our data center provider notified us regarding what servers were affected by a security concern and needed reboots to apply a patch. We have already been working with the affected customers on and scheduled reboots to address this security concern. It’s likely that these CPU architecture vulnerabilities were likely the cause for the scheduled reboots in December. At least check, we have address almost all of these (and the last few are scheduled with the respective customers to happen shortly.) All remaining EC2 instances are on bare-metal servers which likely have been patched without the need for a reboot (however this may change). If you did not receive an email related to scheduling reboots on your site/server, then the patch for this vulnerability did not require a reboot to take affect. If this changes, we will be on contact with any customers who need to schedule a reboot. That only leaves the linux kernel on each of our EC2 instances as a remaining concern. Luckily we now utilize a new technology in the linux kernel which allows for live-patching the kernel without the need for a reboot. This patch will be applied to all of our customers as soon as the kernel patch is officially out and properly tested. The tentative timeline for this should be this weekend or early next week (and require no reboot of the server, it should be applied seamlessly.) PHPMyAdmin CSRF Jan. 5, 2018 Click this link my friend Cross-Site Request Forgery! But not with Pagely. Over the holiday break there was a CSRF vulnerability reported with PHPMyAdmin, this class of vulnerability would allow an attacker to send malicious links to users with browser’s already authenticated in PHPMyAdmin to perform actions as the logged in user. A patch was applied in 4.7.7 to address this issue, and all PHPMyAdmin installations Pagley has have been updated. WordPress Security and Maintenance Release: 4.9.1 Nov. 20, 2017 Holidays are for: Family, eating too much, and security. Don’t worry you can stay distraction free when dining with friends and family this holiday season, knowing that we have handled this WordPress security release update for you and your sites. Instead of worrying if your site has been patched, you can be the one to bring it up at social gatherings and watch as your friends or family with WordPress sites become uncomfortable not knowing if their sites are secure or not. Pagely customers will receive the WordPress 4.9.1 security release update this week. This security and maintenance release includes patches for multiple vulnerabilities including a cross-site scripting (XSS) and XML eXternal Entity (XXE) issues. This will also officially bring all customers up to the 4.9 branch from 4.8.3, unless you’ve previously written in requesting an upgrade to 4.9 in the last few weeks. You can read more about this security release and specific details on what it includes here on the WordPress news blog, as well as more details on how we handle major WordPress releases (like 4.9) on our blog here: WordPress 4.9 Release. WordPress 4.8.3 Oct. 31, 2017 WordPress Halloween. We patch the tricks, 4 8 3 You get the treats. Boo! There is nothing spookier than a WordPress security release, the 4.8.3 patch addresses an SQL injection vulnerability in WordPress core which could be exposed by insecure coding practices found in some plugins. This release hardens the WP Core code to protect the sites who may harbor an insecure SQL query that trusts user input, sanitizing the input before it’s passed along to the database server. More information on this release can be found on the WordPress blog, details on the changes and how it modifies the return value of of esc_sql() have been posted by Gary Pendergast on the Make WordPress Core developers blog. Thanks goes out to the reporter of the vulnerability (Anthony Ferrara) for working with the WordPress security team. And a special acknowledgement to our own Arman Zakaryan for the Haiku this time around. OptionsBleed Sept. 21, 2017 Memory Leaking over OPTIONS requests sent. This patch stops the leak. The vuln-du-jour is called OptionsBleed and affects Apache2 web servers. It was caused by a programming oversight in the Apache2 server project which allowed small amounts of memory to be leaked when an OPTIONS request is sent to the web server. This bug only affects sites that are configured with a LIMIT directive which attempts to filter nonexistent HTTP methods, which is extremely rare but does exist in just under 500 of the Alexa top 1 million websites. A more detailed write up about this can be found here. The Apache2 dev team wasted no time in providing a patch. Which we have already begun applying to customer servers. We are rolling this patch out slower than a normal security patch because it’s so rare for this misconfiguration to exist and initial reviews of customer sites shows no Pagely customers have misconfigured LIMIT directives which would put them at risk. That said, the patch will be applied in a safe manner over the next week as to minimize any risk of downtime on customer sites related to the upgrade. WordPress 4.8.2 Sept. 19, 2017 Within this release, Nine security patches. Sites are now secure This week brings a security update to WordPress core. The security patches include multiple serious vulnerabilities and we are applying patches as soon as possible for customers. The WordPress core and security team have also released version to address any of the patched vulnerabilities for the following versions: 4.8.2, 4.7.6, 4.6.7, 4.5.10, 4.4.11, 4.3.12, 4.2.16, 4.1.19, 4.0.19, 3.9.20, 3.8.22, and 3.7.22. Any customer of Pagely running older branches of WordPress will also be brought up to date with these security patches. Malicious Code in Display Widgets Sept. 13, 2017 We coined a new term: “plugin identity theft”. Let it not catch on. A popular plugin in the WordPress.org repository has been “hijacked” (for lack of a better term) by a developer with suspicious intent. The popular plugin “Display Widgets” is described as “Adds checkboxes to each widget to show or hide on site pages“, yet in the last few releases there have been some unexpected new features added: such as adding posts directly to the site and tracking site visitors. Wordfence, a security plugin, wrote a full explanation on how this might have happened, it’s worth a read here. For our customer’s safety, we have banned the plugin from our customer sites. If your site hosted with Pagely was affected we have already reaching out directly to help you with the concern. More information about the issue at hand with this plugin can be found on WPVULNDB and in the plugin’s support forum . Update: The plugin team at WordPress.org have released a patched version of Display Widgets which reverts it back to the last known safe version, but there appears to be no author to continue maintenance on the plugin. The plugin will remained banned on our network until a time that we see someone has taken responsibility for the plugin and the future of patching it’s code. Which plugins and themes aside from display-widgets should you avoid? See our full list here. WordPress 4.7.5 Release May 17, 2017 Patchy patchy patch I love patches for WordPress Here come the patches Pagely customer sites are being updated to address 6 vulnerabilities. The ExploitBox Unauthenticated Password Reset Vulnerability has still not yet been addressed; Pagely customers are still not affected. Further details on this release can be found here: wordpress.org ExploitBox’s CVE-2017-8295 May 5, 2017 Return to sender sending to the wrong domain read from HOST header. There was a recently released authentication bypass vulnerability that affects WordPress before and including 4.7.4, with specific server configurations. The attack requires a request to a WordPress site via it’s IP address, while the attacker sets the HTTP request header to their own HOST value. Pagely does not allow direct access to WordPress sites via IP address and requires the HOST field sent in the headers to be the actual site being requested, thus a request with a HOST value controlled by an attacker will not be directed to a WordPress installation at Pagely. Bonus Haiku: Pagely hosted sites are not affected by this reported exploit. For more details on the vulnerability and how it works, please read: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html WordPress 4.7.3 Security Release Mar. 6, 2017 XSS and more bugs get patched in this release. The update is done Customer sites are being updated to address 6 security related issues. Further details on the release can be found here: wordpress.org CloudBleed, Shattered, CVE-2017-6074 Feb. 28, 2017 SHA One Collision CloudFlare Leaking Memory and Kernel Patching Normally these Haiku’s are short and sweet, but it was a busy week for security in the headlines last week so I took a little more time to compile the following information for you: The CloudFlare Bug (A.k.a. “let’s not call it CloudBleed”) A security researcher working for Google’s Project Zero disclosed information on a bug identified in CloudFlare’s services. The bug was in CloudFlare’s services, and in some cases resulted in a trace amount of the contents of the CloudFlare’s servers memory being leaked. This could have had major repercussions as the contents of these servers may contain sensitive information being sent to or from the web server behind CloudFlare’s services (such as passwords, encryption keys, or other sensitive data.) Many news outlets reported this as a catastrophe, however CloudFlare patched it’s server’s before the announcement and there have been no reports of this being attacked in the wild before the report by the Project Zero researcher. Key points include that the data being leaked was not controllable by the attacker (it was always random, including no ability for an attacker to target a specific site’s data). The data was also limited to small chunks. The leaks however, have likely been happening for a while, no one knows how much data has been leaked to people looking for it or if any widespread attacks could have gleaned any usable data from the memory leaks. Ultimately, while it’s possible every password, SSL cert, and secret keys were pulled from CloudFlare server’s using this attack, it’s not likely to be the case. Most probably: the researchers at Google’s Project Zero were the first to be aware of the problem and reported it responsibly to CloudFlare. However, it is still yet to be seen if anyone reports malicious activity caused by these leaks in the weeks and months to come. How could this affect you? If you utilize CloudFlare on your site (or utilized a service that used CloudFlare) and wish to be absolutely sure your private data (such as a password) is safe then you may want to be pro-active and change that password or other secret data. The SHA-1 Collision: (A.k.a. “Shattered”) A collision in the SHA-1 algorithm was reported by a different team at Google. SHA-1 is a cryptographic hashing algorithm, commonly used to validate the integrity of data being sent. The collision released by the team at Google showed that they were able to send two different messages but they both validated with the same SHA-1 value; ultimately meaning that data signed or verified using a SHA-1 algorithm can no longer be trusted. There is some good news however, this attack is fairly expensive to execute (over $100k) and SHA-1 has been on it’s way out for the better part of a decade. SHA-256 has already been established as the replacement and most people have already migrated to the more secure algorithm. How could this affect you? If your site has SSL/HTTPS, then that certificate might be signed using SHA-1 , but it is probably already signed using SHA-256 (as of 2015) if you would like to double check you can always utilize a utility like ssllabs.com to look up your site’s SSL certificate and see what method is used to fingerprint it. If you find you are using SHA-1 only, then the fix is to get a new certificate (most likely whomever you purchased the certificate from will issue you a new one using SHA-256 without much hassle.) Secondarily, if you developed your site’s code explicitly using the sha1 function, then you may wish to swap that sha1 function with the sha256 function. CVE-2017-6074 While CVE-2017-6074 did not have a cool name or website or lots of media coverage; it was a more serious threat. This flaw could allow anyone with access to a Linux server to escalate their privileges from a normal user to root on the server. Linux servers running up to date kernels (such as ours) were affected and we were very concerned about getting this patched for our customers. Luckily we have been updating our infrastructure and these kernel based vulnerabilities no longer require reboots to apply new patches. We applied a patch to address this vulnerability on the same day it was made available and noted no issue with the new kernel code running. WordPress 4.7.2 Security Release Jan. 26, 2017 Sites updating now we handle the patch. So you focus on your site. Customer sites are being updated to address 3 security related issues. Further details on the release can be found here: wordpress.org CVE-2016-5195 “Dirty COW” Oct. 26, 2016 We have sent many email notifications about the reboot. Kernel patches have been applied on our servers, however a restart is required for it to take affect. Scheduled reboot notification emails have been sent out and reboots will take place the week of October 31st. More information on the vulnerability can be found here: dirtycow.ninja WordPress 4.6.1 Security Release Sept. 12, 2016 The update happened faster than I could write this haiku about it. All sites have been updated to address 2 security related issues. Further details on the release can be found here: wordpress.org httPoxy Jul. 20, 2016 A pox on proxy headers; that are misused by some developers. Updates to our server configs are being pushed out that remove any “Proxy:” values attempted to be set by a request header. More details here: httpoxy.org And see also: Pagely’s Reverse Proxy WordPress Hosting WordPress 4.5.3 Security Release Jun. 21, 2016 WordPress 4.5.3 Several security issues are addressed. We are currently testing and rolling out this security update. Further details on the release can be found here: wordpress.org WordPress 4.5.2 Security Release May 9, 2016 4 point 5 point 2; Patch vulnerabilities in cross site scripting Updates on our platform are finishing up today. Further details on the release can be found here: wordpress.org CVE-2016–3714 “ImageTragick” May 9, 2016 Image conversion tragedy; is currently patched by policy. Further details: ImageTragick.com CVE-2016-2107 CVE-2016-2108 May 3, 2016 High Severity Vuln? We patched openssl, so you don’t have to. Security Haiku: CVE-2015-7547 Feb. 19, 2016 Host lookup dangers? No worry, we already patched glibc Which plugins and themes aside from display-widgets should you avoid? See our full list here.
These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user. We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion. WordPress Core No notable WordPress core security releases. Plugin/Theme Vulnerabilities of Note bbPress By The bbPress Contributors https://wpvulndb.com/vulnerabilities/10242 https://wpvulndb.com/vulnerabilities/10243 https://wpvulndb.com/vulnerabilities/10244 https://bbpress.org/blog/2020/05/bbpress-2-6-5-is-out/ bbPress version 2.6.5 was released on May 28th. This security release addresses multiple vulnerabilities including one which affects sites with New User Registration enabled, allowing privilege escalation on newly created accounts. WooCommerce By Automattic https://wpvulndb.com/vulnerabilities/10220 There exists a vulnerability within WooCommerce, which would allow users with access to modify and duplicate products to upload arbitrary PHP code to the website, then execute it. This is an authenticated vulnerability (requiring a user account), and high risk as it would allow attackers to execute code on the server itself. Note: This vulnerability is a Remote Code Execution (RCE) based on our review of mslavco’s findings. Page Builder by SiteOrigin https://wpvulndb.com/vulnerabilities/10219 The page-builder plugin before version 2.10.16 has a CSRF (Cross-Site Request Forgery) to Reflected XSS (Cross-Site Scripting) vulnerability. Attackers could utilize this attack to target site administrators to execute code within the administrator’s browser within wp-admin. The attack targets the live editor and action_builder_content functions of the plugins. Elementor Pro https://wpvulndb.com/vulnerabilities/10214 There is a critical vulnerability in Elementor Pro versions before 2.9.4 which allows any logged-in user the ability to upload and execute PHP scripts. This vulnerability is actively being utilized with a registration bypass vulnerability which affects Ultimate Addons for Elementor (described next), allowing for subscriber registration even if registration is disabled. Ultimate Addons for Elementor https://wpvulndb.com/vulnerabilities/10215 The Ultimate-Elementor plugin before versions 1.24.2 allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site. As noted, this vulnerability is being combined with the Elementor Pro vulnerability described above which may lead to remote code execution on sites with registration open and both Elementor plugins installed. Photo Gallery By 10Web https://wpvulndb.com/vulnerabilities/10227 An unauthenticated SQL injection can be executed on this plugin and it looks to target the gallery_type area of the plugin specifically. Site owners have until June 5th to update to version 1.5.55 or higher before the vulnerability details will be made publicly available. Form Maker By 10Web https://wpvulndb.com/vulnerabilities/10237 A vulnerability in this plugin allows an administrator or higher-level user to perform a SQL injection via Form Maker. Site owners should update to version 1.13.35 or higher as soon as possible, as the security researchers have stated some details regarding how to exploit this vulnerability have already been released publically. Official MailerLite Sign Up Forms By MailerGroup (x2) https://wpvulndb.com/vulnerabilities/10235 https://wpvulndb.com/vulnerabilities/10236 The official-mailerlite-sign-up-forms plugin has two vulnerabilities that have recently been reported. The first deals with the MailerLite plugin not sanitizing user input data which leaves a site vulnerable to SQL injection, this vulnerability was fixed in version 1.4.4. The second vulnerability addresses CSRF issues and was patched in version 1.4.5 of this plugin. WP Product Review Lite By ThemeIsle https://wpvulndb.com/vulnerabilities/10226 The wp-product-review plugin before version 3.7.6 is susceptible to an Unauthenticated Stored XSS attack which bypasses built-in protections allowing malicious HTML or Javascript to be stored and injected on all the site’s product pages. See previous months’ WordPress security updates from April and March.
