Our resident tech expert is back with some great advice for us creative types. Take it away, Penny!
Clients often ask me why I insist they keep their sites and their servers up-to-date and perform regular backups.
Backing up and maintaining a WordPress site can take some time. Even if you pay for this service through VaultPress, Sucuri, or PennyWise, you should still regularly review the reports of your backups and spot check that things are working and being updated.
Why? While many software updates are to add new features, a fair number are to address security vulnerabilities. The most common of these is XSS. This post is going to focus on WordPress; depending on your web host you may also need to make sure that your hosting software (apache, mysql, php) is also up-to-date.
What is XSS?
XSS has been in the news quite a bit the past few months (see XSS Vulnerability Affecting Multiple WordPress Plugins, Critical Persistent XSS 0day in WordPress, and Persistent XSS Vulnerability in WordPress Explained).
What is it and how does it cause problems? What can you do to stay safe?
Ok, that wasn’t very informative. What does it really mean? There are two types of ways to run code, on the web server (aka server side) and in the browser (aka client side). Server side code tends to be more robust and traditional; for example, this is where the contact form actually gets sent. Client side code is very often the pretty extras, such as the popup window asking you to fill out that contact form.
The 0day XSS bug took advantage of how comments were stored in the WordPress database and how modern web browsers like to be helpful and clean up bad code by closing html tags, for example. Someone could submit a comment that, depending on how the site was configured, could have caused some very large issues, including infecting site visitors with malware or injecting SEO spam into the site.
Could we have avoided this issue in the first place? Very likely yes, but why is beyond the scope of this quick post. We are hearing more about XSS exploits for several reasons including the spread of information through social media and the increase in the number of sites using the software that is impacted.
To stay safe, keep your site backed up and up-to-date.
Even with your software kept current, here are two additional quick tips to help keep your site safe:
1. If you were putting it off, now is a great time to do that spring cleaning maintenance and delete unused themes and plugins.
2. Not only should you change passwords every so often, you should limit who can access your site. That also means how you interact. I have two user accounts: one for site administration and maintenance, and one that has a different level of access to write and publish blog posts. The account I use to write posts can’t update plugins. Sure, it’s a little annoying to log in with a different account, but that is a trade-off for security!
Here are some additional tips to help you stay safe from phishing!
Want to learn more? In addition to the links above:
Common Website Security Terminology Defined
WordPress Themes: XSS Vulnerabilities and Secure Coding Practices (Sucuri, October 4, 2012).
Cross-Site Scripting in WordPress: What Is XSS? (tuts+, March 13, 2013)
What is cross-site scripting? (Tech Republic, March 18, 2008)
Penny Shima Glanz spends her days spinning yarn and code into memorable projects. Small businesses rely on her for practical technology solutions. Designers rely on her to sample, test, and edit their handknit and crochet patterns. She loves muddy trail runs, fosters kittens, and lives in Westchester, NY with her husband and two resident cats. www.pennyshima.com