A critical vulnerability has been found in the popular Duplicator plugin for WordPress. It affects more than 1 million websites, so we urge you to act quickly and take the proper steps to mitigate the vulnerability discovered in this plugin.
The updated Duplicator 1.3.28 can be found here: https://wordpress.org/plugins/duplicator/.
If you have Duplicator installed, even the PRO version, I suggest you also update your database credentials when you update the plugin.
You can minimize your risks with our shared hosting and cloud hosting, where websites are protected by Imunify360.
Vepp is a simplified control panel for WordPress, developed mainly by ISPsystem. They advertise: “With Vepp you can easily install WordPress, assign a domain, and get a free SSL. You’ll be sure your website is stable and secure.”
I was asked to try it. The installation is untraditional: you prepare a server instance and assign it to your account at my.vepp.com to get started. Apparently, if you want to change to another server or change the server details, you have to write in. I do not like the idea that this is not self-service. Maybe there is a reason for that; let me dive deeper and I will probably find the reasons.
Anyway, the installation started at my.vepp.com, and because I’m further away it has taken me 30 minutes rather than the advertised 10 minutes to install VEPP. I assume providers will have this “my.vepp.com” set up in their own infrastructure. This will bring it closer to the users and significantly cut down the installation time.
Before going on to the 2nd part of this review, I have asked myself a few questions. Do I still need to update my server OS? Will the updates break my previous installation? Is KernelCare compatible? Can I install other libraries and components on my server? What about another website or web application?
I will address these in my 2nd round of review on VEPP.
Today a customer came to me wanting to view his WordPress website using an IP address. You can use an IP address as your hostname; however, we do not recommend this method.
There are a few possible reasons, and these are the criteria you would have to meet. Actually, I still cannot find a good reason for doing this.
- You have a dedicated IP address that resolves to only one site, so you can use it as the default site.
- A private site, where you do not want others to resolve it by domain name.
- You do not want to use reverse and forward DNS, perhaps to remove a point of failure.
- You never hard-code links using the domain name; every permalink is managed by WordPress.
If anyone can think of a valid reason, please write it in the comments below.
Serving a WordPress website by IP address must at least meet the first criterion mentioned above. In addition, you need to change the site address to the IP address under ‘General Settings’ of your WordPress site, or define it in your wp-config. In that case, you can use an IP address.
However, if you are building a new website or a staging copy, I personally recommend the ‘hosts file’ method to resolve the name locally. You can keep the same domain name if the new website has a different IP address. If it is on the same IP address, you cannot use the same domain name; use a fake domain name instead.
If you are using a fake domain name, you will have to update General Settings or define it in the wp-config file.
This way, your WordPress website is always accessible and will not run into errors such as a ‘404’ page not found.
Methods to protect your WordPress admin panel
A plugin known as Stealth Login allows you to create custom URLs for logging in, logging out, administration and registration on your WordPress blog. A Stealth Mode is also available, which prevents users from accessing wp-login.php directly; you can then set your login URL to something more obscure. This is not perfect, but if someone does manage to “discover” your password, it makes it harder for them to find the exact login URL. It also stops bots used for malicious purposes from reaching your wp-login.php file and attempting to break in.
Sometimes an attacker may believe they know your password, or they may write a script to guess it. In that case, you should limit login attempts. You can easily do that with a plugin called Limit Login Attempts, which locks a user out after they have entered a wrong password more than the specified number of times.
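To show what such a lockout policy actually does, here is an added example (my own code, not the Limit Login Attempts plugin): a sliding-window counter keyed on the client IP and the username, with a lockout once the threshold is reached and a reset on a successful login. The thresholds, the `attempt_login` wrapper and the fake clock used in `demo()` are assumptions chosen for illustration.

```python
# Added example, not from the page or any plugin: a minimal failed-login lockout
# policy of the kind Limit Login Attempts implements. Limits and names are assumed.
import time
from collections import defaultdict


class LoginLimiter:
    """Lock an (ip, username) pair out after too many failures in a sliding window."""

    def __init__(self, max_attempts=5, window_seconds=600, lockout_seconds=1200,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                      # injectable so tests are deterministic
        self.failures = defaultdict(list)       # key -> timestamps of recent failures
        self.locked_until = {}                  # key -> time the lock expires

    @staticmethod
    def _key(ip, username):
        # Keying on both IP and username stops one host hammering one account
        # without letting a single bad IP lock every user out.
        return (ip, username.lower())

    def is_locked(self, ip, username):
        key = self._key(ip, username)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]          # lock expired: start counting afresh
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, ip, username):
        """Register a bad password; returns True if this failure triggered a lockout."""
        key = self._key(ip, username)
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        key = self._key(ip, username)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(limiter, ip, username, password, check_password):
    """Gate a login through the limiter; check_password is the real credential check."""
    if limiter.is_locked(ip, username):
        return "locked"
    if check_password(username, password):
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username)
    return "denied"


def demo():
    # Constructed scenario with a fake clock: three wrong guesses, then the right
    # password while locked out, then the right password after the lockout expires.
    fake_now = [1_000_000.0]
    limiter = LoginLimiter(max_attempts=3, window_seconds=600, lockout_seconds=1200,
                           clock=lambda: fake_now[0])
    creds = {"admin": "correct horse battery staple"}      # constructed credential store
    check = lambda u, p: creds.get(u) == p
    results = []
    for guess in ("password", "admin123", "letmein", "correct horse battery staple"):
        results.append(attempt_login(limiter, "203.0.113.7", "admin", guess, check))
        fake_now[0] += 5
    fake_now[0] += 1200                                      # wait out the lockout
    results.append(attempt_login(limiter, "203.0.113.7", "admin",
                                 "correct horse battery staple", check))
    return results


if __name__ == "__main__":
    print(demo())
```

Note that a correct password entered during the lockout is still refused; that is the point of the mechanism, and it is why a short lockout window plus a notification is usually preferable to a permanent block.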
I reckon this is the most effective protection: if you have a static IP, you can limit access to your WP-Admin panel and only allow certain IP addresses. All you have to do is create a .htaccess file in your web root with this code:
deny from all
# permitted IP address
allow from 126.96.36.199
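The two directives above use the Apache 2.2 access syntax (Apache does not allow a trailing comment on a directive line, so the comment has to sit on its own line). As an added example that is not part of the original post, here is the same restriction written for both Apache 2.4 and 2.2, assuming the file is placed in the wp-admin/ directory rather than the web root, where the same rules would block visitors from the whole site. The address 203.0.113.10 is a placeholder for your own static IP.

```apache
# Added example (not the page's own snippet): .htaccess for wp-admin/ only.
# 203.0.113.10 is a placeholder; substitute your static address.

# Apache 2.4 syntax
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>

# Apache 2.2 syntax, same effect
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# admin-ajax.php is also called by the public side of many themes and plugins,
# so keep it reachable from everywhere
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Because wp-login.php lives in the web root rather than in wp-admin/, apply the same `Require ip` (or `Deny`/`Allow`) rule inside a `<Files wp-login.php>` block in the root .htaccess as well; otherwise the login form stays open to everyone while only the dashboard is locked.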
Yoast, a popular SEO plugin for WordPress, version 188.8.131.52 and below, has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file: the orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.
Customers are advised to take immediate action and upgrade Yoast to the latest version, 1.7.4, or 1.5.3 for the Premium version.
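Sort parameters are a classic injection point because a prepared statement can bind values but not column names or the ASC/DESC keyword, so `orderby` and `order` have to be validated against a fixed allow-list before they are interpolated. The following is an added example of my own (not Yoast's code) that contrasts a builder which drops the request parameters straight into the query with a hardened one; the `posts` table, its rows and the allowed column names are constructed for the demo, and the tampered value is deliberately harmless.

```python
# Added example (not Yoast's or WordPress's own code): why a sort parameter needs an
# allow-list. Placeholders can bind values but not column names or ASC/DESC, so
# `orderby` and `order` must be checked against a fixed set before interpolation.
# The posts table, its rows and the allowed column names are constructed for this demo.
import sqlite3

ALLOWED_ORDERBY = {"post_title", "post_date", "post_modified"}
ALLOWED_ORDER = {"ASC", "DESC"}


def build_query_vulnerable(orderby, order):
    # Mirrors the flaw described above: request parameters dropped straight into SQL.
    return f"SELECT id, post_title FROM posts ORDER BY {orderby} {order}"


def build_query_safe(orderby, order):
    """Return the query only when both parameters are on the allow-list, else raise."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"unexpected orderby value: {orderby!r}")
    order = order.upper()
    if order not in ALLOWED_ORDER:
        raise ValueError(f"unexpected order value: {order!r}")
    return f"SELECT id, post_title FROM posts ORDER BY {orderby} {order}"


def is_accepted(orderby, order):
    """True if the hardened builder would run this combination."""
    try:
        build_query_safe(orderby, order)
        return True
    except ValueError:
        return False


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, "
        "post_date TEXT, post_modified TEXT)"
    )
    con.executemany(
        "INSERT INTO posts (post_title, post_date, post_modified) VALUES (?, ?, ?)",
        [("Beta", "2020-02-01", "2020-02-02"),
         ("Alpha", "2020-01-01", "2020-03-01"),
         ("Gamma", "2020-03-01", "2020-01-15")],
    )
    return con


def titles(con, sql):
    return [row[1] for row in con.execute(sql)]


def demo():
    con = make_db()
    # Legitimate request: a real column name, sorted ascending.
    normal = titles(con, build_query_vulnerable("post_title", "ASC"))
    # Tampered request: not a column name but an SQL expression. The vulnerable builder
    # hands it to the database unchanged, which is exactly what a blind injection relies
    # on; the expression here is deliberately harmless (sort by title length).
    tampered = "length(post_title) DESC, post_title"
    smuggled = titles(con, build_query_vulnerable(tampered, "ASC"))
    blocked = not is_accepted(tampered, "ASC")
    return normal, smuggled, blocked


if __name__ == "__main__":
    print(demo())
```

The same pattern applies inside WordPress: values go through `$wpdb->prepare()`, while sort columns and directions are compared against an explicit list of permitted names (core ships `sanitize_sql_orderby()` for the simple "column ASC" case). Escaping the string is not a substitute, because an ORDER BY clause is never quoted.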