The new WordPress admin area

New WordPress dashboard

If you’re logging into your WordPress website for the first time in a while, you’ll notice things have changed. Here’s a quick guide to setting things up the way you need them.

The old WordPress dashboard

The old dashboard, where you ended up immediately after you log in, was looking a little tired, so it’s had some improvements as part of the latest upgrade to WordPress 3.8.

The first thing you’ll notice is that the menu on the left is now black, but that’s just the start.

Improvements include:

  • A fresh, uncluttered design that is clearer and easier to use
  • New typography optimised for desktop and mobile viewing
  • Better contrast and higher definition graphics
  • A fully responsive (i.e. mobile friendly) admin area
  • Further improvements for site administrators

It may come as a shock at first, so the purpose of this post is to help you set up the admin the way you want it.

How to set up your admin colour scheme in WordPress 3.8

Your profile page in WordPress 3.8

The new admin area gives you the option to use any one of eight different colour schemes.

You can stick with the standard black, or go for blue, red, purple or coffee tones. Here’s how to do it.

From the Users menu, select Your Profile. You can also select this from the dropdown in the top right that says Howdy, (Your Name).

Under Personal Options you’ll see an option for Admin Colour Schemes. Click the button next to any colour scheme and you’ll get an instant preview.

Your changes are instant so you don’t need to save the settings.

And that’s it!

A note about WordPress updates

If you have a website with Moghill Web Services, you will find the updates have already been done for you as part of our managed hosting service.

If you manage your own site, or your designer does it for you, we urge you to upgrade as soon as possible. It’s a simple process, as long as you take a back-up before running the updates. If you have any questions or need help, then please contact us.

Why you need to update your WordPress (and its plugins)

See this blog post to find out why you need to keep WordPress up to date.

Is your WordPress site vulnerable to hackers? Test it for free

How to check if your website is vulnerable to hackers

Outdated software is the number one reason WordPress sites get hacked, but if you don’t know much about WordPress, how can you tell if you’re up to date?

Site check showing outdated WordPress version
Your WordPress site is vulnerable to hackers

There’s no need to track down your developer and ask, or go and look through code. All you have to do is visit the Sucuri website, type in your web address and you can find out straight away.

The tool doesn’t just test WordPress websites, it checks whatever you have, as other systems like Joomla! can also be vulnerable, especially if out of date.

We have written several times before about how out of date WordPress software and plug ins can make your site vulnerable to all kinds of hacking nastiness, including pharma hacks, malware or complete loss of your website.

Google blacklists (on average) 10,000 websites per day, many of which will be hacked WordPress sites. If your software is out of date and your site hasn’t been attacked, you’re not safe, you’re lucky.

90 per cent of hacks are opportunistic and automated. Hackers run automatic programmes that try known weaknesses on thousands of sites at a time and if they get in, there goes your website.

If you’re not up to date, it’s not a question of whether, but when.

Test your WordPress site now

Follow this link to the Sucuri website and test your own site by putting the domain name into the box. The link opens in a new tab and you can return to this page afterwards.

If you get the all clear, then great.

If your site is vulnerable

If your site is marked as vulnerable through out of date WordPress, then do yourself a favour and come and talk to us. We can put it right for the price of an hour or two’s work.

Sitecheck showing clean WordPress site
Congratulations: Your site is secure

We can also check over your site’s security and other common ways in, such as insecure usernames and passwords, the second most common reason for hacks.

Contact us for more information.

WordPress is not the problem

WordPress is popular – it’s now 20 per cent of websites – and that’s what makes it a target for hackers who know some people will always leave their websites to go out of date, often because they don’t know any better.

As it happens the WordPress development team works hard to ensure the software is as secure as it can be, which is one reason why it is updated relatively often.

It could be argued they are getting better and better at it.

Last week the latest version of WordPress – 3.7 – came out and includes the ability to do security updates automatically, which is a big step forward. But there are still lots of sites that are running old and vulnerable versions, just sitting there waiting to be hacked.

Don’t let that happen to your website. Check your site now!

Why the big brands love WordPress

WordPress logo

We’re only just back from a trip to the Netherlands for a European conference for people who work with WordPress – known in the community as a WordCamp.

What did we learn? Well lots actually and we’ll be putting a lot of it into practice in the coming months, but for now we’re just going to share this presentation which details how WordPress is fast becoming the top choice for big business, never mind small business websites.

WordPress, which is Moghill’s favourite website tool, now powers more than 20 per cent of the web.

The presentation is by Sara Rosso of Automattic, the company that runs WordPress.com and leads the WordPress project.

This presentation and another nine from the event are available on the WP Tavern website.

Update your WordPress now!

WordPress logo

Have you updated your WordPress website yet? If not you need to do it now.

Last week a new version was launched – we’re now on WordPress 3.5.2 – and it’s a maintenance and security release. This version is plugging seven security holes that exist in all previous versions of WordPress, so this is not an update you can ignore.


It’s also making other security improvements to keep ahead of the hackers who like to try and take over your WordPress website, bring it down or the other things hackers do.

Why do I have to update WordPress?

Here at Moghill Towers we’re often going on about how if you have WordPress you must keep its software up to date – not just the core WordPress software but also any plug-ins you are using for extra things like forms or online shops.

Why? Because of the sheer number of business websites we see who are using out of date (and therefore vulnerable) versions of WordPress. Not just WordPress but another piece of free software that is often left to go out of date and become vulnerable: Joomla.

And why is this happening? It’s usually not the fault of the business concerned, more that the business has been badly advised by whoever built their website.

Some website companies are happy to just sell businesses a website on a free software platform like WordPress without warning them that it needs to be maintained. Some web designers don’t even realise that updates are necessary.

But that’s like buying a car you never have to service: It would be a nice idea but it doesn’t really happen in the real world.

Hacking danger

WordPress in particular is the most popular software for building websites in the world. It’s free at the point of use, can be extended to do whatever you want it to and made to look however you want it to.

We make no secret that we love WordPress and what it can do. We even like its cousin Joomla, too, which is also free but not as versatile.

But with that popularity means it’s attractive to hackers, and that means you must keep it up to date. Only in April there was a massive automated attack on WordPress websites around the world. If you were clued up on your security you were okay, but many sites fell victim.

The end result of not updating WordPress is that your company website gets hacked, and even if the reputation of your business is not damaged, you have to spend a lot of time restoring what you had, or rebuilding it completely.

And don’t think it doesn’t happen – in the last few weeks alone we have helped a couple of companies update and secure vulnerable web software that had been hacked.

That’s why we’ve taken it upon ourselves to spread the word and raise awareness of the problem.

Let us help with your WordPress site

We keep the website software of all our customers up to date – WordPress and plug ins in particular – as part of our managed hosting package. Our sites were updated to WordPress 3.5.2 this morning.

We also offer a service where we can bring your WordPress software up to date for you if you don’t host your site with us – and we can also update Joomla websites to the latest version.

If you need help with updating your WordPress site then contact us for a chat.

Further information

WordPress website attacks hot up

Is Hacker Barbie responsible for the attacks?

As I write this, hosting companies all over the world are fighting off a huge attack on WordPress websites that has been going on for at least 24 hours.

Our sites were hit for about 20 minutes yesterday afternoon, but thankfully our hosting company has a solution so all our customer websites have been safe today.

How are the attacks happening?

Basically, the attacks are being conducted by an army of computers infected by a virus, known as a botnet.

They are simultaneously hitting thousands of WordPress login pages and trying to guess the password to get into the sites.

It is also cycling through various obvious usernames, but most of all it is trying the default ‘admin’ username.


This is called a brute force login attack, and an estimated 90,000 IP addresses are involved.

What they will do if and when they actually get in to websites is not known, but we’d expect the usual nasty surprises you get with a hacked WordPress site.

But a by-product of this attack is that it is slowing down websites all over the world, whether or not they use WordPress. Most websites are on shared hosting, and as WordPress is the most popular content management system in the world, most websites are bound to be sharing a server with WordPress sites.

The repeated login attempts load those servers and cause everything on them to slow down.
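As an added illustration of the attack pattern described above (this is example code, not something from the original post or the hosting company), the following Python script reads web-server access-log lines and counts login attempts two ways: per source IP, and in total across all IPs in a sliding window. Because a botnet spreads its guesses across tens of thousands of addresses, each host may only try once or twice, so per-IP limits never trip; the overall rate of POSTs to wp-login.php is what gives the attack away. The log lines are constructed samples in the standard "combined" format, and the thresholds (5 attempts per IP, 20 in total per 60 seconds) are assumed values a site owner would tune.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/Nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def login_posts(lines):
    """Yield only the POST requests to wp-login.php (each one is a login attempt)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] == "/wp-login.php":
            yield rec


def detect_bruteforce(lines, window=timedelta(seconds=60), per_ip_limit=5, total_limit=20):
    """Summarise login attempts per source IP and in total across all IPs.

    per_ip_limit and total_limit are assumed thresholds for this example,
    not values from the post; tune them to the site's normal login rate.
    """
    posts = sorted(login_posts(lines), key=lambda r: r["ts"])
    per_ip = Counter(r["ip"] for r in posts)
    noisy_ips = {ip for ip, n in per_ip.items() if n >= per_ip_limit}

    # Sliding window over all login POSTs regardless of who sent them.
    peak_count, peak_ips, start = 0, 0, 0
    for end, rec in enumerate(posts):
        while posts[start]["ts"] < rec["ts"] - window:
            start += 1
        count = end - start + 1
        if count > peak_count:
            peak_count = count
            peak_ips = len({r["ip"] for r in posts[start:end + 1]})

    total_exceeded = peak_count >= total_limit
    return {
        "per_ip_noisy": noisy_ips,
        "peak_posts_in_window": peak_count,
        "peak_distinct_ips": peak_ips,
        "total_limit_exceeded": total_exceeded,
        # True when the aggregate rate is hostile but no single IP stood out:
        # exactly the case a per-IP lockout plugin cannot see.
        "missed_by_per_ip_limits": total_exceeded and not noisy_ips,
    }


def build_sample_log():
    """Constructed sample (not real traffic): 40 botnet hosts on 203.0.113.0/24 each
    try to log in once within 40 seconds, plus one genuine visitor on 198.51.100.7
    who loads the login form and submits it once."""
    base = datetime(2013, 4, 12, 14, 2, 0, tzinfo=timezone(timedelta(hours=1)))
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    tail = '"-" "Mozilla/5.0"'
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f'203.0.113.{i + 1} - - [{ts}] "POST /wp-login.php HTTP/1.1" 200 3512 {tail}')
    ts = base.strftime(fmt)
    lines.append(f'198.51.100.7 - - [{ts}] "GET /wp-login.php HTTP/1.1" 200 3512 {tail}')
    lines.append(f'198.51.100.7 - - [{ts}] "POST /wp-login.php HTTP/1.1" 302 0 {tail}')
    return lines


if __name__ == "__main__":
    for key, value in detect_bruteforce(build_sample_log()).items():
        print(f"{key}: {value}")
```

On the constructed sample no IP reaches the per-IP limit, yet 41 login attempts from 41 different addresses land inside one minute, so `missed_by_per_ip_limits` comes back True. That is the blind spot of an IP-based lockout: the useful signal is the total rate against the login page, which is why the protection has to sit in front of the login page itself rather than react to individual addresses.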

Moghill customers

If you are one of our customers and you want to get into the back end of your site you may see a password prompt screen you have not seen before.

This is an extra layer of security placed by our hosting company.

The box says: “A username and password are being requested by http://www.your-site.co.uk. The site says: ‘Automatic Protection’.” It now gives the username and password you need.

For current status visit our system status page. Once you have entered these details you can log in as you normally would.

If you have access to the admin area of your site make sure you have a secure password.

Minimum password recommendations:

  • At least 8 characters total
  • Mixture of upper and lower-case letters
  • Numbers and special characters, such as punctuation or other non-alphanumeric characters

Example weak password:
password1

Improved strong password:
Z#ggghuZ2M4!Z
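To turn the recommendations above into something you can actually run against a candidate password, here is a small Python checker. It is an added example, not code from the original post. It applies the three rules listed (treating “numbers and special characters” as two separate checks), and adds two assumed extras that the post’s advice about guessed passwords and the default ‘admin’ account implies: a short, constructed list of commonly guessed passwords, and a check that the password does not contain the username.

```python
import string

# Constructed, illustrative list of passwords that automated guessing tools try first.
# A real deployment would use a much larger list; this one just shows the check.
COMMON_PASSWORDS = {"password", "password1", "123456", "admin", "letmein", "qwerty", "welcome"}


def check_password(password, username=None, min_length=8):
    """Return a list of the rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or other special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def is_strong(password, username=None):
    """True when the password meets every rule in check_password()."""
    return not check_password(password, username)


if __name__ == "__main__":
    # The two examples from the post, plus an assumed one that embeds the username.
    for pw, user in (("password1", None), ("Z#ggghuZ2M4!Z", None), ("Admin#2013x", "admin")):
        verdict = "OK" if is_strong(pw, user) else ", ".join(check_password(pw, user))
        print(f"{pw!r}: {verdict}")
```

The weak example from the post fails three rules (no upper-case letter, no special character, and it sits in the common list), while the strong example passes all of them. Length and character classes are the minimum; a password that is long and random but reused elsewhere, or that contains the login name, still gives an attacker an easy way in.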

In the meantime we are watching the situation closely and will implement any suggested security improvements across our customer websites as part of our normal service.

Is WordPress not secure?

WordPress is fine but this attack tries to exploit the weakest link in any security system: The human factor.

If your site has a secure username and password then it will not fall victim to this attack. We never use the default ‘admin’ account in WordPress, and delete it where we come across it in WordPress installs done by anyone else.

The rest is down to our hosting company, who have added the extra layer of security to prevent unauthorised access to the login pages in the first place and to make sure all our sites stay live.

WordPress is popular, and therefore it is a target for attacks like this. That’s why it is vitally important that you keep your WordPress version and any plugins up to date.

The problem is not confined to WordPress as there are literally millions of Joomla websites on out of date versions that are just waiting to be hacked, too.

More information

Sucuri.net: Mass WordPress Brute Force Attacks? Myth or Reality?

Silicon Republic: Major brute force attack against WordPress Under Way (Note: The Limit Login plugin suggested will not prevent these attacks because they come from multiple IP addresses).

Matt Mullenweg (WordPress co-founder): Passwords and brute force

Photo credit: nic221 via photopin cc

Using an early version of Joomla? Best think again before you get hacked

Joomla Logo

Joomla is one of the most popular free content management systems in the world – but it has its drawbacks as a lot of people with Joomla sites are finding out right now in the cruellest way.

Thousands of owners of Joomla websites are waking up each day to find that their site has been taken down by their hosting companies, or replaced with what’s called a bragging message.

Hacked Joomla 1.5 site: this charming fella is what hackers are placing over the homepage on vulnerable Joomla 1.5 sites. If you’re really unlucky you get music, too.

Typically it’s this:

Hackeado por HighTech Brazil HackTeam

NoOne – CrazyDuck – Otrasher – L34NDR0

But if you’re really unlucky you get the nasty character in the picture and some hard rock tunes, or the clown who appears further down the page.

Here’s a report on the start of the hacking attack in early January, although it’s still going strong now.

So why are Joomla sites getting hacked?

The main reason why hackers are attacking Joomla sites is because they can. Where there is a vulnerability they will exploit it.

The current hacks seem to be coming from one group claiming an affiliation with LulzSec, who usually attack big business websites.

But practically anyone can hack a Joomla site: There are plenty of videos giving full instructions on YouTube.

The attacks are mainly confined to sites running the early versions of Joomla (1.0 and 1.5); the later versions (2.5 and 3.0) appear unaffected. Two short-lived interim versions, Joomla 1.6 and 1.7, are also vulnerable.

Joomla is created by a community of developers who work together to create this system, but from the end of last year that community stopped supporting the early versions and urged site owners to upgrade.

The problem is that it’s hard to upgrade. WordPress can (usually) be upgraded with the click of a button, and the same is true of later versions of Joomla, but not the early versions. It involves a migration, which can be a long and involved (and geeky) process.

Essentially it means building the site all over again.

Hacked Joomla 1.5 site: another example of a hacked Joomla site.

And to make things worse, many web companies have been knocking out cheap Joomla websites for years with no provision for upgrading when the software is no longer supported.

Not just that, we know of several companies who were still building sites in Joomla 1.5 last year, when they should have been aware that support for the software would soon end.

These factors mean many site owners are sticking with their old versions of Joomla – and these are the ones who are getting hacked.

How is it happening?

At present the hackers appear to be targeting one particular Joomla add-on (or extension) called JCE Editor, which is present in most Joomla installs as standard. The security hole was sealed last year, but the problem is that early versions of Joomla do not warn you about out of date extensions.

So if you have Joomla 1.0 or 1.5 and JCE installed, check you have the latest version. You can download the latest version of JCE Editor here.

Ashamed to say it, but we were caught out by this when one of our Joomla 1.5 websites was hacked in this way a few weeks ago. It took a whole day to clean the site up and get it live again, then close the security hole.


Thankfully it was not a customer site and we closed the same hole in all our other Joomla 1.5 sites and began migrating them so it does not happen to us again.

By the end of March we will not have any sites left in Joomla 1.5.

Why? Because this is likely to be the tip of the iceberg and more hacking attacks will come as more security holes are discovered.

The Joomla community no longer supports early versions so nothing will be done to stop the security holes. It’s called End of Life for a reason.

Joomla 1.0 or 1.5 site? Start planning now

So if you have a Joomla 1.0 or 1.5 site, our advice is you need to start planning either migrating it to a later version or into another content management system, such as WordPress.

It’s not the end of the world and early versions of Joomla may stay stable for years, but why take the risk?

Our hosting company, Heart Internet, is advising all owners of Joomla 1.x sites to upgrade as soon as possible and they aren’t the only ones.

Knowledge Republic has been documenting the stream of hackings for some time: Case Study on: www.pa.gov.sg being hacked by HighTech Brazil HackTeam. This also covers vulnerable WordPress installs, which we’ve talked about before.

There’s also an interesting article from a Canadian IT company suggesting Joomla 1.5 is already not secure. This article from an Australian hosting company explains Joomla 1.5 and end of life.

For an alternative, and slightly less ‘The end is nigh’, view of things, this article from OSTraining weighs up the pros and cons of running outdated software.

How can I tell if my website is vulnerable to hacking?

This is relatively simple.

  1. Go to your website
  2. On a PC, right click on an area of blank space
  3. Select ‘View Source’ or ‘View Page Source’, depending on your browser.

You will see a stream of text but very close to the top you will see the Meta information. In Joomla 1.5 sites it usually says this:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

If this is present you have a vulnerable site. Contact us if you want us to identify whether your site is vulnerable.
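The three-step check above can be done by a script just as easily as by eye. The following Python example is added here and is not part of the original post: it extracts the generator meta tag from a page’s HTML and reports the CMS and version it declares, flagging the Joomla branches the post describes as End of Life (1.0, 1.5, 1.6 and 1.7). The HTML snippets are constructed samples rather than captured from real sites, and the verdict wording is mine. One caveat a site owner should know: the generator tag can be removed by a theme or plugin, so its absence is not proof that the site is up to date, only that this quick check cannot tell.

```python
import re
from html.parser import HTMLParser

# Joomla branches the post describes as no longer supported (End of Life).
EOL_JOOMLA_BRANCHES = ("1.0", "1.5", "1.6", "1.7")

# Constructed sample pages (not captured from real sites).
SAMPLE_JOOMLA_15 = (
    '<html><head><title>Example</title>'
    '<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
    '</head><body></body></html>'
)
SAMPLE_WORDPRESS = '<html><head><meta name="generator" content="WordPress 3.5" /></head></html>'
SAMPLE_JOOMLA_NO_VERSION = (
    '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" /></head></html>'
)
SAMPLE_NO_TAG = '<html><head><title>Plain</title></head></html>'


class GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of the first <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.generator is None:
            attrs = dict(attrs)
            if (attrs.get("name") or "").lower() == "generator":
                self.generator = attrs.get("content")


def find_generator(html):
    """Return the generator string from the page, or None if there is no such tag."""
    parser = GeneratorMetaParser()
    parser.feed(html)
    parser.close()
    return parser.generator


# Leading CMS name followed by an optional version such as "1.5" or "3.5.2".
GEN_RE = re.compile(r"^\s*(Joomla!|WordPress)\s*([\d.]*)")


def assess(html):
    """Classify a page by its generator tag; the verdict strings are this example's own."""
    gen = find_generator(html)
    result = {"generator": gen, "cms": None, "version": None}
    if gen is None:
        result["verdict"] = "no generator tag found (removed by the site, or not Joomla/WordPress)"
        return result
    m = GEN_RE.match(gen)
    if not m:
        result["verdict"] = "generator tag present but not Joomla or WordPress"
        return result
    cms, version = m.group(1).rstrip("!"), m.group(2).rstrip(".")
    result.update(cms=cms, version=version)
    if cms == "Joomla" and version.startswith(EOL_JOOMLA_BRANCHES):
        result["verdict"] = f"Joomla {version} is End of Life: plan a migration"
    elif cms == "Joomla" and not version:
        result["verdict"] = "Joomla, version not shown in the generator tag: confirm it in the admin area"
    elif cms == "Joomla":
        result["verdict"] = f"Joomla {version}: keep it and its extensions up to date"
    else:
        result["verdict"] = f"WordPress {version or '(version not shown)'}: compare with the current release"
    return result


if __name__ == "__main__":
    for name, page in (("joomla15", SAMPLE_JOOMLA_15), ("wordpress", SAMPLE_WORDPRESS),
                       ("joomla-no-version", SAMPLE_JOOMLA_NO_VERSION), ("no-tag", SAMPLE_NO_TAG)):
        print(name, "->", assess(page)["verdict"])
```

To run it against your own site, save the page source from the browser (step 3 above) to a file and pass its contents to `assess()`. The script only reads the HTML you already have; it sends no requests and makes no changes.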

Got a Joomla site? We can help

If you’re one of those affected by this then we can help you weigh up what to do and plan for the future.

Contact us for a no obligation talk through the options. Whatever you decide to do, do something.

If you have a later Joomla site (version 2.5 or 3.0), there’s no need to do anything, as both are actively supported and will continue to be until at least 2014. They are also far easier to upgrade.

Keep your WordPress software up to date – unless you like nasty surprises

Out of date plug ins

Recently we’ve been asked to look at a few sites built in WordPress, and have been surprised to find the software is years – yes, years – out of date.

Allowing your WordPress website to drift like this is a bad move that can leave your site open to hackers who could bring it down or worse.

Your site could be taken off search results, your reputation could be damaged but most of all it will take a lot of time to clean up the mess.

WordPress is the most popular website platform in most of the world, with good reason.

It’s free for a start, but also it can be extended with the help of plug ins, which allow custom functions like photo galleries or forums – just about anything you want.

Update WordPress now! WordPress gives you plenty of warnings about updates to itself and its plug-ins.

Another reason for its success is that WordPress is constantly moving forward, with a new version featuring improvements released every three to four months (the latest, 3.5, was just last week) and sub-versions to fix bugs and security issues in between.

Every major update also means the plug ins have to change, too.

That popularity means lots of people who like to hack websites devote a lot of time to finding holes in WordPress. Hackers share information and once they find a hole they will tell lots of other hackers.

When this has happened in the past the WordPress community has been quick to close the security hole by rolling out a new update that fixes the problem.

Asking for trouble

But if you don’t apply the update your site is basically sitting there waiting to be hacked. And the hackers will be looking for you.

Now we are not trying to scare you, or put you off using WordPress, but if you or your web designer ignore this aspect of using WordPress then you are asking for trouble.

WordPress itself does its best to warn users of new versions, but it’s amazing how many people ignore the warnings.

Even Google started warning website owners if they were running out of date WordPress versions, and there were plenty of examples of people being caught out who should have known better.

For example the Reuters blog, which was hacked earlier this year and found to be running a version of WordPress that was two years out of date.

Blacklisted

The result: Your website can be home to nasty software, advertising dodgy online drugs, hosting one of those fake banking/phishing sites or just taken over by someone else. In most cases you may not even know anything is wrong.

This can get your website blacklisted and removed from search results and the damage to your reputation can be immense.

Out of date plug-ins: that’s a lot of out of date plug-ins.

Sometimes the fault here lies with web companies themselves who sell a website to a customer but don’t explain that the software it runs on must be kept up to date.

One company we know of even told a customer to ignore the prompts to update the plug-ins and WordPress version, and warned them that if they updated and things went wrong they would be on their own.

In this case it seems the web company involved simply didn’t understand how to keep WordPress up to date – or the importance of doing so.

A Stitch in Time Saves Nine

Some customers are put off by the idea that their website will need to be maintained and that there will be a small cost associated with this, but skipping it is a false economy.

After all, doing the necessary back-ups and keeping everything up to date is a finite task that shouldn’t take long if done regularly.

Fixing a hacked website can be a long and involved process that could cost a lot – in time and money – to put right.

Or to put it another way, keeping WordPress and your plug-ins up to date is the equivalent of taking your vitamins, but putting a hack attack right is open heart surgery.

Ask your web company

So if you already have a WordPress site find out what your web company is doing about back-ups and software updates. If you look after your own site then don’t ignore the warnings.

And if you’re thinking about having a WordPress site built for you, ask your web company what they are going to do about updating it and its plug-ins. If they don’t have an answer, then you might be better going somewhere else.

Otherwise there could be a lot of time and expense waiting for you down the road.

More information

How to Keep WordPress Secure by Matt Mullenweg, co-founding developer of WordPress

WordPress Security: Seven Ways I Could Hack Into Your WordPress Site – Mark Maunder

Reuters was using old WordPress version when it was hacked – ZDNet.com