A WordPress disaster waiting to happen

Over the years we’ve noticed that a lot of our larger clients tend to have live or dormant WordPress-based campaign websites, microsites and blogs which have dropped off their security teams’ radar. Overlooked, and with a mix of bad practices and low-end hosting, it’s a recipe for disaster.

We recommend backing up your WordPress site daily and checking for updates weekly. We also recommend keeping any WordPress developments separate from your mission-critical sites.

Ignoring WordPress updates and assuming your site and microsites “will be OK” isn’t a good idea! A classic example is Slider Revolution, one of the most popular WordPress plugins: it had a serious vulnerability which allowed a remote attacker to download any file from the server.

Not only do we check all of our WordPress sites on a weekly basis, we also update all plugins and apply any WordPress updates. If, after scanning a plugin, we judge it to be a threat, we remove it or update it immediately. We also keep a month’s worth of backups of each site.

Here’s a current list of plugins we do not allow on our servers:

adminer
async-google-analytics
backup
backup-scheduler
backupwordpress
backwpup
bad-behavior
broken-link-checker
content-molecules
contextual-related-posts
duplicator
dynamic-related-posts
ewww-image-optimizer
ezpz-one-click-backup
file-commander
fuzzy-seo-booster
gd-system-plugin
gd-system-plugin.php
google-xml-sitemaps-with-multisite-support
hc-custom-wp-admin-url
hcs.php
hello.php
jr-referrer
jumpple
missed-schedule
no-revisions
ozh-who-sees-ads
portable-phpmyadmin
quick-cache
quick-cache-pro
recommend-a-friend
seo-alrp
si-captcha-for-wordpress
similar-posts
spamreferrerblock
ssclassic
sspro
super-post
superslider
sweetcaptcha-revolutionary-free-captcha-service
text-passwords
the-codetree-backup
toolspack
ToolsPack
tweet-blender
versionpress
w3-total-cache
wordfence
wordpress-gzip-compression
wp-cache
wp-database-optimizer
wp-db-backup
wp-dbmanager
wp-engine-snapshot
wp-file-cache
wp-mailinglist
wp-phpmyadmin
wp-postviews
wp-slimstat
wp-super-cache
wp-symposium-alerts
wpengine-migrate
wpengine-migrate.tar.gz
wpengine-migrate.zip
wpengine-snapshot
wpengine-snapshot.tar.gz
wponlinebackup
yet-another-featured-posts-plugin
yet-another-related-posts-plugin

By no means are we suggesting all (or even most) of these plugins are bad plugins. Some of them can be very good however our main focus is on making sure they work well with our system and that they are safe for our customers.
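One way to put a list like this to work is a script that audits a site’s wp-content/plugins directory against it. The example below is added here and is not Hello Web’s own tooling; the DENYLIST it carries is a constructed subset of the list above (extend it with the full list), and the sample install it builds is constructed for the demonstration.

```python
"""Audit a WordPress wp-content/plugins directory against a hosting denylist.

Added example, not Hello Web's own tooling. DENYLIST is a constructed subset
of the list in the post; extend it with the full list.
"""
import tempfile
from pathlib import Path

DENYLIST = {
    "adminer", "duplicator", "w3-total-cache", "wp-phpmyadmin",
    "hello.php", "hcs.php", "gd-system-plugin", "gd-system-plugin.php",
    "toolspack", "wpengine-migrate", "wpengine-migrate.zip",
    "wpengine-migrate.tar.gz",
}


def audit_plugins(plugins_dir, denylist=DENYLIST):
    """Return (entry name, kind) pairs for denylisted entries, sorted by name.

    The list mixes plugin directory slugs, single-file plugins (hello.php)
    and leftover migration archives (.zip/.tar.gz), so both directories and
    loose files in the plugins directory are checked. Matching is
    case-insensitive, so ToolsPack and toolspack are treated as one entry.
    """
    denied = {name.lower() for name in denylist}
    findings = []
    for entry in sorted(Path(plugins_dir).iterdir(), key=lambda p: p.name.lower()):
        if entry.name.lower() in denied:
            findings.append((entry.name, "dir" if entry.is_dir() else "file"))
    return findings


def make_sample_install():
    """Build a constructed plugins directory under a temp dir and return its path."""
    base = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    for slug in ("akismet", "Duplicator", "ToolsPack"):
        (base / slug).mkdir(parents=True)
    (base / "hello.php").write_text("<?php // single-file plugin\n")
    (base / "wpengine-migrate.tar.gz").write_bytes(b"")  # leftover archive
    return base


if __name__ == "__main__":
    for name, kind in audit_plugins(make_sample_install()):
        print(f"DENYLISTED {kind}: {name}")
```

Point audit_plugins at a real install’s wp-content/plugins path to get a report; anything it flags is a candidate for removal or an immediate update, per the policy above.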

If you’d like Hello Web to review your WordPress sites and discuss your hosting requirements please get in touch.

February 27th, 2017