Looking after a WordPress website is about more than just finding somewhere to host it. Like a car, a website needs to be maintained and cared for if you want it to keep running. But what does that involve, exactly?
We just came back from WordCamp Europe, a gathering of more than 800 WordPress professionals from 51 countries.
Most, if not all the countries of Europe were represented, with strong contingents from the Netherlands, the USA and of course, this year’s host nation, Bulgaria.
Thankfully for us, proceedings were entirely in English.
For those who don’t know, WordPress is the software we use to build all of our websites, but it’s more than just a collection of code.
It’s a community – and one that welcomes anyone who uses WordPress, from the small business website owner to advanced web developers and agencies who build highly customised WordPress websites for international companies.
WordPress also supports a whole ecosystem of companies providing products and services. It’s becoming big business, but people remain at its core.
So what happens at a WordCamp?
WordCamp Europe is one of those places where the WordPress community comes together to hear more than 30 talks over two tracks and two days, covering every subject from security issues, to business and even health. A full list of speakers and talks is available on the WordCamp Europe website.
WordCamp is a place where people all come with the same philosophy: They are there to learn, to improve what they do, but also to share.
The various talks are only part of the picture, as everyone there is eager to meet new people and forge new connections – both personal and professional.
It doesn’t matter who you are, WordPress is a friendly and approachable community and even among the leading lights there are no egos.
In fact you can often find yourself suddenly in conversation with them at the after party!
The ethos of self improvement extends to those who provide services to WordPress users, such as plugin developers.
At WordCamp we were able to connect with many developers whose products or services we use, provide valuable feedback and develop a relationship that helps them improve what they do, and helps us improve our service to our clients. Everybody wins.
It continues with the WordCamp speakers, many of whom can command high fees to appear at other conferences. At WordCamp they don’t get a penny, yet the likes of Chris Lema, Mark Jaquith and Tony Perez not only gave their time but flew in from half way around the world.
To share their knowledge.
And that extends to the organisers, who put months of hard work into setting up everything to make WordCamp Europe a slick and well-organised event – all on a voluntary basis.
Between the talks the halls were buzzing with people of all nationalities getting to know each other, helping each other, sharing information. Collaborating. With people who are essentially their competitors.
This mindset was best summed up in the talk by Simon Wheatley, of one of the UK’s top Wordpress agencies, Code For The People.
Code For The People lives by WordPress’ collaborative principles, sometimes competing with others in the same space, but sometimes working directly with competitors to help WordPress move forward as a whole.
We are not normal, he told us, yet collaboration can be married with solid business principles that not only help us and our clients, but the wider world, too.
Code for the People, by the way, have donated the skills of one of their top developers, John Blackbourn, for three months to lead work on the next version of WordPress.
It should come as no surprise that this is the approach adopted by the WordPress community, and in particular Automattic, the company that guides WordPress and its development, among other things. Automattic, led by WordPress co-founder Matt Mullenweg (another speaker at WordCamp Europe) has working practices that are unconventional to say the least. The WordPress system is open source, and contributing to it on a voluntary basis is encouraged through the Contributor Day that takes place after the two day conference. After all many of us make a living through WordPress, and it’s great to be able to give something back.
If your career/company is centered around WordPress, you have a huge interest in it still being around tomorrow. We’re in this together. <3 — Andrew Nacin (@nacin) October 2, 2014
You don’t have to be able to write code to contribute to WordPress, as everyone is split into groups according to skills and what they want to work on.
More than 180 turned up to the Contributor Day, which was held at the Sofia offices of SiteGround, a managed hosting company that offers specialised services for WordPress – so they gave something back by sponsoring the WordCamp.
Some went to work on improvements coming in the next version of WordPress, others on fixing reported bugs, others still on translating WordPress into yet more languages, while another group answered support requests on wordpress.org.
Although we’ve been to five WordCamps before, we’d never taken part in a Contributor Day. We ended up volunteering for a mini project that suited our skills perfectly, under the leadership of Sara Rosso of Automattic.
There were eight of us from five different countries, working together to create an outline for the project that we will all continue to collaborate on remotely – something that will be of use to the WordPress community worldwide. That’s the spirit of the Wordpress community.
If you’ve never been to a WordCamp
If you work with WordPress, even if (especially if) you don’t get involved in the geeky coding side, then you should go to a WordCamp at least once. You will be made to feel welcome.
You will benefit in all sorts of ways. Here in the UK, the next one will be in London in March 2015. Here’s all the info you need.
If you can’t spare the time for a WordCamp, then why not try a local meet? And this brings us on to…
So why don’t we do this here in Shropshire?
But if we can do this in Bulgaria, why can’t we do it here in Shropshire?
There must be dozens of companies using WordPress and hundreds of people running their own WordPress websites, yet there’s no WordPress community like you’ll find in other areas – Cumbria for example.
And while we have the excellent ShropGeek for all in the tech industry, we have nothing dedicated to WordPress alone.
In our experience, most of the companies in the Shropshire area who build websites regard each other with suspicion. As the competition. That’s a missed opportunity.
Most business people who run their own WordPress websites do so in isolation here. There’s no need for that.
We don’t share ideas, inspiration, knowledge or experience with each other – but if we did we would all benefit.
Many of use owe a lot to WordPress, and you can give back by sharing with others, even collaborating on work to help move the software forward.
The first step could be many things – a LinkedIn group, a local meetup, even our own website, but if you want to help build a WordPress community in Shropshire and the surrounding area then please get in touch.
Leave a comment or contact us privately via our webform.
For a well-rounded re-cap of WordCamp Europe, see Sarah Gooding’s article on WPTavern.
The WordCamp Europe site also has a list of individuals’ blog posts and photo galleries from WordCamp Europe 2014.
And here’s our very own Fiona’s take on WordCamp Europe.
Photo of the National Palace of Culture by Jorge in Brazil
Photos of Wordcamp Europe by Vladimir Kaladan Petkov
If you’re logging into your WordPress website for the first time in a while, you’ll notice things have changed. Here’s a quick guide to setting things up the way you need them.
The old dashboard, where you ended up immediately after you log in, was looking a little tired, so it’s had some improvements as part of the latest upgrade to WordPress 3.8.
The first thing you’ll notice is that the menu on the left is now black, but that’s just the start.
- A fresh, uncluttered design that is clearer and easier to use
- New typography optimised for desktop and mobile viewing
- Better contrast and higher definition graphics
- A fully responsive (i.e. mobile friendly) admin area
- Further improvements for site administrators
It may come as a shock at first, so the purpose of this post is to help you set up the admin the way you want it.
How to set up your admin colour scheme in WordPress 3.8
The new admin area gives you the option to use any one of eight different colour schemes.
You can stick with the standard black, or go for blue, red, purple or coffee tones. Here’s how to do it.
From the Users menu, select Your Profile. You can also select this from the dropdown in the top right that says Howdy, (Your Name)
Under Personal Options you’ll see an option for Admin Colour Schemes. Click the button next to any colour scheme and you’ll get an instant preview.
Your changes are instant so you don’t need to save the settings.
And that’s it!
A note about WordPress updates
If you have a website with Moghill Web Services, you will find the updates have already been done for you as part of our managed hosting service.
If you manage your own site, or your designer does it for you, we urge you to upgrade as soon as possible. It’s a simple process, as long as you take a back-up before running the updates. If you have any questions or need help, then please contact us.
Why you need to update your WordPress (and its plugins)
See this blog post to find out why you need to keep WordPress up to date.
Outdated software is the number one reason WordPress sites get hacked, but if you don’t know much about WordPress, how can you tell if you’re up to date?
There’s no need to track down your developer and ask, or go and look through code. All you have to do is visit the Sucuri website, type in your web address and you can find out straight away.
The tool doesn’t just test WordPress websites, it checks whatever you have, as other systems like Joomla! can also be vulnerable, especially if out of date.
We have written several times before about how out of date WordPress software and plug ins can make your site vulnerable to all kinds of hacking nastiness, including pharma hacks, malware or complete loss of your website.
Google blacklists (on average) 10,000 websites per day, many of which will be hacked WordPress sites. If your software is out of date and your site hasn’t been attacked, you’re not safe, you’re lucky.
90 per cent of hacks are opportunistic and automated. Hackers run automatic programmes that try known weaknesses on thousands of sites at a time and if they get in, there goes your website.
If you’re not up to date, it’s not a question of whether, but when.
Test your WordPress site now
Follow this link to the Sucuri website and test your own site by putting the domain name into the box. The link opens in a new tab and you can return to this page afterwards.
If you get the all clear, then great.
If your site is vulnerable
If your site is marked as vulnerable through out of date WordPress, then do yourself a favour and come and talk to us. We can put it right for the price of an hour or two’s work.
We can also check over your site’s security and other common ways in, such as insecure usernames and passwords, the second most common reason for hacks.
WordPress is not the problem
WordPress is popular – it’s now 20 per cent of websites – and that’s what makes it a target for hackers who know some people will always leave their websites to go out of date, often because they don’t know any better.
As it happens the WordPress development team works hard to ensure the software is as secure as it can be, which is one reason why it is updated relatively often.
It could be argued they are getting better and better at it.
Last week the latest version of WordPress – 3.7 – came out and includes the ability to do security updates automatically, which is a big step forward. But there are still lots of sites that are running old and vulnerable versions, just sitting there waiting to be hacked.
Don’t let that happen to your website. Check your site now!
We’re only just back from a trip to the Netherlands for a European conference for people who work with WordPress – known in the community as a WordCamp.
What did we learn? Well lots actually and we’ll be putting a lot of it into practice in the coming months, but for now we’re just going to share this presentation which details how WordPress is fast becoming the top choice for big business, never mind small business websites.
WordPress, which is Moghill’s favourite website tool, now powers more than 20 per cent of the web.
The presentation is by Sara Rosso of Automattic, the company that runs Wordpress.com and leads the WordPress project.
Have you updated your WordPress website yet? If not you need to do it now.
Last week a new version was launched – we’re now on WordPress 3.5.2 – and it’s a maintenance and security release. This version is plugging seven security holes that exist in all previous versions of WordPress, so this is not an update you can ignore.[caption id="attachment_543" align="alignright" width="405"] WordPress logo[/caption]
It’s also making other security improvements to keep ahead of the hackers who like to try and take over your WordPress website, bring it down or the other things hackers do.
Why do I have to update WordPress?
Here at Moghill Towers we’re often going on about how if you have WordPress you must keep its software up to date – not just the core WordPress software but also any plug-ins you are using for extra things like forms or online shops.
Why? Because of the sheer number of business websites we see who are using out of date (and therefore vulnerable) versions of WordPress. Not just WordPress but another piece of free software that is often left to go out of date and become vulnerable: Joomla.
And why is this happening? It’s usually not the fault of the business concerned, more that the business has been badly advised by whoever built their website.
Some website companies are happy to just sell businesses a website on a free software platform like WordPress without warning them that it needs to be maintained. Some web designers don’t even realise that updates are necessary.
But that’s like buying a car you never have to service: It would be a nice idea but it doesn’t really happen in the real world.
WordPress in particular is the most popular software for building websites in the world. It’s free at the point of use, can be extended to do whatever you want it to and made to look however you want it to.
We make no secret that we love WordPress and what it can do. We even like its cousin Joomla, too, which is also free but not as versatile.
But with that popularity means it’s attractive to hackers, and that means you must keep it up to date. Only in April there was a massive automated attack on WordPress websites around the world. If you were clued up on your security you were okay, but many sites fell victim.
The end result of not updating WordPress is your company website gets hacked, and if even if the reputation of your business is not damaged, you have to spend a lot of time restoring what you had, or re-building it completely.
And don’t think it doesn’t happen – in the last few weeks alone we have helped a couple of companies update and secure vulnerable web software that had been hacked.
That’s why we’ve taken it upon ourselves to spread the word and raise awareness of the problem.
Let us help with Your WordPress site
We keep the website software of all our customers up to date – WordPress and plug ins in particular – as part of our managed hosting package. Our sites were updated to WordPress 3.5.2 this morning.
We also offer a service where we can bring your WordPress software up to date for you if you don’t host your site with us – and we can also update Joomla websites to the latest version.
If you need help with updating your WordPress site then contact us for a chat.
As I write this, hosting companies all over the World are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.
Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.
How are the attacks happening?
Basically, the attacks are being conducted by an army of computers infected by a virus, known as a botnet.
They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.
It also is cycling through various obvious usernames but most of all trying the default ‘admin’ username.[caption id="attachment_1176" align="alignright" width="375"] Is Hacker Barbie responsible for the attacks?[/caption]
This is called a brute force login attack, and an estimated 90,000 IP addresses are involved.
What they will do if and when they actually get in to websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.
But a by product is this attack is slowing down websites all over the world, whether or not they use WordPress, as most websites are on shared hosting, and as the most popular content management system in the world, most websites are bound to be sharing a server with WordPress sites.
The repeated attacks basically cause everything to slow down.
If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.
This is an extra layer of security placed by our hosting company.
The box says: “A username and password are being requested by http://www.your-site.co.uk. The site says: “Automatic Protection” It now gives the username and password you need.
For current status visit our system status page. Once you have entered these details you can log in as you normally would.
If you have access to the admin area of your site make sure you have a secure password.
Minimum password recommendations:
- At least 8 characters total
- Mixture of upper and lower-case letters
- Numbers and special characters, such as punctuation or other non-alphanumeric characters
Example weak password:
Improved strong password:
In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.
Is Wordpress not secure?
WordPress is fine but this attack tries to exploit the weakest link in any security system: The human factor.
If your site has secure username and password then it will not fall victim to this attack. We never use the default ‘admin’ account in WordPress, and delete it where we come across it in WordPress installs done by anyone else.
The rest is down to our hosting company who have added the extra layer of security to prevent unauthorised access to the login pages in the first place and making sure all our sites stay live.
WordPress is popular, and therefore it is a target for attacks like this. That’s why it is vitally important that you keep your Wordpress version and any plugins up to date.
The problem is not confined to WordPress as there are literally millions of Joomla websites on out of date versions that are just waiting to be hacked, too.
Silicon Republic: Major brute force attack against WordPress Under Way (Note: The Limit Login plugin suggested will not prevent these attacks because they come from multiple IP addresses).
Matt Mullenweg (WordPress co-founder): Passwords and brute force
Joomla is one of the most popular free content management systems in the world – but it has its drawbacks as a lot of people with Joomla sites are finding out right now in the cruellest way.
Thousands of owners of Joomla websites are waking up each day to find that their site has been taken down by their hosting companies, or replaced with what’s called a bragging message.[caption id="attachment_1035" align="alignright" width="450"] This charming fella is what hackers are placing over the homepage on vulnerable Joomla 1.5 sites. If you’re really unlucky you get music, too.[/caption]
Typically it’s this:
Hackeado por HighTech Brazil HackTeam
NoOne – CrazyDuck – Otrasher – L34NDR0
But if you’re really unlucky you get the nasty character in the picture and some hard rock tunes, or the clown who appears further down the page.
Here’s a report on the start of the hacking attack in early January, although it’s still going strong now.
So why are Joomla sites getting hacked?
The main reason why hackers are attacking Joomla sites is because they can. Where there is a vulnerability they will exploit it.
The current hacks seem to be coming from one group claiming an affiliation with Lulzec, who usually attack big business websites.
But practically anyone can hack a Joomla site: There are plenty of videos giving full instructions on YouTube.
The attacks are mainly confined to sites in the early versions of Joomla – 1.0 and 1.5 and later versions – 2.5 and 3.0 – appear unaffected. Two experimental versions, Joomla 1.6 and 1.7, are also vulnerable.
Joomla is created by a community of developers who work together to create this system, but from the end of last year that community stopped supporting the early versions and urged site owners to upgrade.
The problem is it’s hard to upgrade. Wordpress can (usually) be upgraded with a click of a button and the same is true of later versions of Joomla – but not the early versions. It involves a migration, which can be a long and involved (and geeky) process.
Essentially it means building the site all over again.[caption id="attachment_1036" align="alignright" width="450"] Another example of a hacked Joomla site.[/caption]
And to make things worse, many web companies have been knocking out cheap Joomla websites for years with no provision for upgrading when the software is no longer supported.
Not just that, we know of several companies who were still building sites in Joomla 1.5 last year, when they should have been aware that support for the software would soon end.
These factors mean many site owners are sticking with their old versions of Joomla – and these are the ones who are getting hacked.
How is it happening?
At present the hackers are seeming to target one particular Joomla add on (or extension) called JCE editor, which is present in most Joomla installs as standard. The security hole was sealed last year but the problem is that early versions of Joomla do not warn you about out of date extensions.
So if you have Joomla 1.0 or 1.5 and JCE installed, check you have the latest version. You can download the latest version of JCE Editor here.
Ashamed to say it, but we were caught out by this when one of our Joomla 1.5 websites was hacked in this way a few weeks ago. It took a whole day to clean the site up and get it live again, then close the security hole.[caption id="attachment_1037" align="alignright" width="200"] Joomla Logo[/caption]
Thankfully it was not a customer site and we closed the same hole in all our other Joomla 1.5 sites and began migrating them so it does not happen to us again.
By the end of March we will not have any sites left in Joomla 1.5.
Why? Because this is likely to be the tip of the iceberg and more hacking attacks will come as more security holes are discovered.
The Joomla community no longer supports early versions so nothing will be done to stop the security holes. It’s called End of Life for a reason.
Joomla 1.0 or 1.5 site? Start planning now
So if you have a Joomla 1.0 or 1.5 site, our advice is you need to start planning either migrating it to a later version or into another content management system, such as WordPress.
It’s not the end of the world and early versions of Joomla may stay stable for years, but why take the risk?
Our hosting company, Heart Internet, is advising all owners of Joomla 1.x sites to upgrade as soon as possible and they aren’t the only ones.
Knowledge Republic has been documenting the stream of hackings for some time: Case Study on: www.pa.gov.sg being hacked by HighTech Brazil HackTeam. This also covers vulnerable Wordpress installs, which we’ve talked about before.
For an alternative, and slightly less ‘The end is nigh’ view of things, this article from OsTraining weighs up the pro’s and cons of running outdated software.
How can I tell if my website is vulnerable to hacking?
This is relatively simple.
- Go to your website
- On a PC, right click on an area of blank space
- Select ‘View Source’ or ‘View Page Source’, depending on your browser.
You will see a stream of text but very close to the top you will see the Meta information. In Joomla 1.5 sites it usually says this:
<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />
If this is present you have a vulnerable site. Contact us if you want us to identify whether your site is vulnerable.
Got a Joomla site? We can help
If you’re one of those affected by this then we can help you weigh up what to do and plan for the future.
Contact us for a no obligation talk through the options. Whatever you decide to do, do something.
If you have a later Joomla site – version 2.5 or 3.0 there’s no need to do anything as both are actively supported and will continue to be until at least 2014. They are also far easier to upgrade.
We are specialists in using the WordPress content management system because it allows us to build great websites at an affordable price.[caption id="attachment_543" align="alignright" width="300"] We love it! And so should you.[/caption]
But we are also experts at getting the best out of WordPress for you and your business and many of our customers come to us with WordPress sites that have been sadly neglected.
We can fix that for you and give your a site a complete makeover using the system you already have.
WordPress is one of the most popular ways to build a website in the world – never mind Shropshire – and with good reason.
- It’s free to install with no licence fee to pay
- It’s future proof as it updates to keep up with the web – your site can grow with you
- It’s easy to extend and customise, meaning your site can do whatever you want it to
- Google loves WordPress and gives your site a strong SEO basis to build on
- WordPress lends itself to displaying on mobile phones, especially responsive sites
The possibilities with WordPress are endless. We can use it for:
- Blog-based sites
- Simple brochure sites to more advanced sites with hundreds of pages
- Web shops
- Directory sites
- Online learning sites
It keeps us honest!
Another factor is that WordPress does not tie you to a particular host or web design company.
That means that if you want to move to a new provider you don’t have to start from scratch with a new site.
We see that as a good thing because web companies like us have to pay more attention to customer service and not hold customers to ransome.
Moghill and WordPress
When we start to plan a new website, usually we only need to consider WordPress as our solution for how to build it.
We pride ourselves on not being geeks but in the case of WordPress we’ll make an exception: We love Wordpress!
But now we’ve got that out of the way we also work with Joomla and Magento! If we have to.
Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.
Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.
Your site could be taken off search results, your reputation could be damaged but most of all it will take a lot of time to clean up the mess.
Wordpress is the most popular website platform in most of the world with good reason.
It’s free for a start, but also it can be extended with the help of plug ins, which allow custom functions like photo galleries or forums – just about anything you want.[caption id="attachment_526" align="alignright" width="300"] WordPress gives you plenty of warnings about updates to itself and its plug ins[/caption]
Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months – the latest (3.5) was just last week – and sub versions to fix bugs and security issues in between.
Every major update also means the plug ins have to change, too.
That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information and once they find a hole they will tell lots of other hackers.
When this has happened in the past the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.
Asking for trouble
But if you don’t apply the update your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.
Now we are not trying to scare you, or put you off using Wordpress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.
Wordpress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.
Even Google started warning website owners if they were running out of date Wordpress versions, and there were plenty of examples of people being caught out who should have known better.
For example the Reuters blog, which was hacked earlier this year and found to be running a version of WordPress that was two years out of date.
The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.
This can get your website blacklisted and removed from search results and the damage to your reputation can be immense.[caption id="attachment_527" align="alignright" width="197"] That’s a lot of out of date plug ins[/caption]
Sometimes the fault here lies with web companies themselves who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.
One company we know of even told a customer to ignore the prompts to update the plug ins and Wordpress version – and warned them that if they updated and things went wrong they would be on their own.
In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.
A Stitch in Time Saves Nine
Some customers are put off by the idea their website will need to be maintained that there will be a small cost associated with this but skipping this is a false economy.
After all doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.
Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.
Or to put it another way, keeping Wordpress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.
Ask your web company
So if you already have a WordPress site find out what your web company is doing about back-ups and software updates. If you look after your own site then don’t ignore the warnings.
And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better going somewhere else.
Otherwise there could be a lot of time and expense waiting for you down the road.
How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress
WordPress Security: Seven Ways I Could Hack Into Your WordPress Site – Mark Maunder