Archive for the ‘WordPress Plugins’ Category

Most Attacked WordPress Plugins in January 2017

Wednesday, February 8th, 2017

Wordfence security report

In Wordfence’s monthly report about attacks on WordPress websites, they list the top 25 plugins that received the most focus in January 2017. In order of the number of MOST attacks received, they are:

  1. wp-ecommerce-shop-styling
  2. wp-symposium
  3. candidate-application-form
  4. google-mp3-audio-player
  5. recent-backups
  6. wptf-image-gallery
  7. db-backup
  8. really-simple-guest-post
  9. dzs-zoomsounds
  10. wp-mobile-detector
  11. jquery-html5-file-upload
  12. woocommerce-product-options
  13. s3bubble-amazon-s3-html-5-
  14. plugin-newsletter
  15. tinymce-thumbnail-gallery
  16. simple-download-button-
  17. pica-photo-gallery
  18. wp-filemanager
  19. dukapress
  20. eugeot-music-plugin
  21. acf-frontend-display
  22. levelfourstorefront
  23. formcraft
  24. malapascua-agency
  25. work-the-flow-file-upload

The report goes on to say:

The WP-Mobile-Detector plugin saw the biggest gain in the number of attacks, jumping 25 points in our rankings to position 12. The plugin has been removed from the WordPress plugin repository, probably because a vulnerability was not fixed by the author, and the last review was posted over 7 months ago.

Read the full report here.


Go-To Plugins for Transferring a WordPress Website

Monday, August 1st, 2016

When I transfer WordPress websites from one hosting company to another or even one server to another, I tend to install and use a limited set of WordPress plugins to assist in the transfer. Which plugins are used depends on the website’s set up, but, here’s a list of the plugins that help developers like myself transfer WordPress websites.

WordPress website transfer data migration

The existing website hosting area is the ‘source‘, and, the hosting area to which the website is being transferred is the ‘destination‘.

  • UpdraftPlus
    • Before doing anything else, backup the source website to remote storage. I have used this plugin for WordPress websites as large as 2.5 GB – with no problems. (Yes, gigabyte.)
    • Duplicator is an alternative for smaller websites. Remember to download the Duplicator package to your local drive and delete it from the source area before copying the website over to the destination area.
  • Broken Link Checker
    • Check the broken links on the source website, record them, and save them to your local or remote storage.
    • Use again to check the broken links in the destination website (after the transfer) in order to ensure that they match the broken links on the source website
    • Report broken links to the client
  • WP Migrate DB Pro with WP Migrate DB Pro Media Files
    WP Migrate DB Pro Media Files is an add-on plugin available with WP Migrate DB Pro.

    • Create a migration ‘definition’ that:
      • Backs up the source database. (I don’t worry about backing up the destination database as I use a clean install. See the Before Transferring a WordPress Website section.)
      • Maps the source addresses to the destination addresses (inside the database)
      • Copies the source database into the destination location.
        NOTE: Depending on how you prepare the destination hosting area, you may not want to copy the usermeta nor user tables to the destination. See the comments below about how I prep the destination hosting area.
      • Copies the images and other media from the source into the same folder locations in the destination hosting area.
  • Search and Replace
    • When I forget to map one or more addresses, or need to make mass changes to content in the destination database, I install Search and Replace. Search and Replace is a WordPress tool that makes mass changes to the database – and – the best feature is that it handles serialized data. WordPress data is stored in serialized format. This format is special and needs special handling. Search and Replace does the job well.

These are the WordPress plugins that I typically use. These plugins provide functionality for WordPress website developers. I delete them as soon as the website transfer is complete as they add no value to the public-facing website, and, we know that having extra files hanging out in your WordPress hosting account is an invitation for hackers.

Actually, Broken Links Checker does add value, but, has been reported as a source for burning up server resources. I have not experienced the burn, but prefer to err on the side of caution. So, periodically, I install it on websites, run it, record the broken links, inactivate and delete the plugin, then report the broken links to the client.

Before transferring a WordPress website

  1. Update WordPress to its latest security release on the source website
  2. Update all the plugins to their latest releases on the source website
  3. Install a clean version of WordPress in the destination hosting area
  4. Copy the .htaccess (if exists) and the wp-config files of the destination hosting area onto your local drive for safe keeping.
  5. Copy the wp-custom folder from the source over the destination folder of the same name

What plugins do you use when you transfer WordPress websites?


WordPress Plugin Security Alert

Tuesday, March 15th, 2016

Alert for WordPress Bloggers

If your blog/website uses the Custom Content Type Manager (CCTM) plugin, chances are, your WordPress blog/website has been compromised.

A backdoor hack has been discovered by Sucuri Security. March 4, 2016, Denis Sinegubko, wrote a post entitled, When a WordPress Plugin Goes Bad in the Sucuri blog.

It is a detailed account of the progression of activities leading to the discovery of the backdoor, and, Denis speculates about how the hack might have occurred, how the hacker might have progressed from a freelance WordPress developer to the dark side, and indeed, who the hacker might be (names he uses).

There are several recommended steps to mitigate the situation. The top four are:

  1. Replace the current version of Custom Content Type Manager with version which is the most current clean version.
  2. Replace ALL WordPress core files with a fresh install. (Delete the existing files (which have probably been hacked) and replace with a fresh install of the core files.)
  3. Change the passwords of ALL users.
  4. Delete the users that are unknown to you and look suspicious.

Six to eight steps are suggested in the Mitigation section of the article. Scroll to the bottom of the article, just above the author’s byline.


Easiest way to add a Facebook Pixel to a WordPress Website

Tuesday, January 12th, 2016

A client recently asked me to add a Facebook pixel to a single page on their website. The website currently consists of 35 pages and 498 posts.

Having customized WordPress websites for over a decade, I have the skills to edit the functions.php file and make the code appear on that page, and that page only, and, I was tempted to do just that. Then I thought, “What about the next time?” This is new behavior for my client. Tracking visitor behavior is a good thing. If I edit the functions.php file, the next time the client wants to track user interaction with a different web page, they would have to contact me and have me update it again, and so on, and so on.

So, I searched and found the Facebook Conversion Pixel plugin. I watched the (excellent) video by Kellen Mace (@KellenMace).  The plugin was installed and configured in one minute, then I edited the page on which the pixel tracking code needed to be added, added the code, saved the page, checked to see if the code displayed, and Voila! Watching the video took longer than setting it up – and – now the client can be independent, if they want, and add Facebook tracking code to other pages without my interference.
Facebook Conversion Pixel plugin video

Notes on the Facebook Conversion Pixel plugin

  • Get your pixel code first. Store it in your favorite editor.
  • The plugin allows you to select which post types you want to allow tracking code to be added. For example, Posts, Pages, and Custom Post type(s).
  • In the Settings Area, it automatically displays a list of post types based on your (the current) WordPress installation.
  • Once you check the post types and save, the Facebook Conversion Pixel form displays on those post types for every post/page/custom post type. This allows you to add (different) tracking code to multiple posts and pages. In this example, the Facebook Conversion Pixel form entries display on 35 pages, but is only filled in on one page.



WordPress Performance Testing

Monday, December 14th, 2015

Recently, I was engaged to work with a sometime client to help determine what might be eating up all the memory at her website and bringing the whole server (including another of her websites) down for 6 hours at a time. She had been working with her hosting company for a week on it and they had not discovered what it might be.  Suspecting that the memory consumption might be due to a plugin with unoptimized reads on the database, they asked me to take a look.

Recent Background

The website ranks in the top 93K in the US, receives 7K visits per day,  is built on Genesis framework, has 78 pages and about 600 posts, and recently switched over to CloudFlare CDN implementation. Several people work on the website, of varying degrees of familiarity with hosting servers and WordPress.

WordPress Plugin Inventory

I took inventory and learned there were 29 plugins. Most I recognized. Three that were inactive, I deleted right away. There was one plugin that monitors the Cron jobs, so, I thought that would be a good candidate, and another that monitors for bot activity and I thought that would be a good candidate as well.

WordPress Diagnostic Tools

I searched around the web and found P3 the Plugin Performance Profiler plugin and Query Monitor. With P3, I did manual and automatic testing. P3 reveals the results of testing (traversing from page to page for a sample session) in a pie chart.

P3 revealed that the Ninja Forms plugin was making (on average) 67 interactions with the database on each page/post. There is only one page with a short, standard form the website, so that was curious behavior to observe. The other resource consumer was the bot monitor (BotDetect Captcha), followed by WPTouch, the mobile-friendly plugin. One of my initial suspects, the Cron job monitor barely showed up as using any resources.

Query Monitor displays multiple views of the interactions with the WordPress database on each individual page and post as you are on that page/post. One of those views, Query by Component, consistently concurred with the P3 plugin about which plugins were consuming all the resources.

It turned out that the problem was related to the hosting situation and DDS attacks – but – I was glad to learn about and use these two plugins. The resource hogs were revealed, and because of that, I was still able to help this client. We learned that 65% of a pages’ load time was consumed by the plugins, and that Ninja Forms, WPtouch (mobile-friendly plugin), and BotDetect Captcha were the three biggest resource consumers.

Today we removed Ninja Forms and, replaced it with a simple lite form plugin that has a little over 100K active installs. It actually displays a more pleasant form and was so much more simple to set up. It’s use on resources thus far is negligible. The client and I have a verbal agreement to do continuous improvement based on the results of using these two plugins in the upcoming months.

Even though I am a novice with the Plugin Performance Profiler and Query Monitor plugins, I highly recommend them as helpful WordPress plugins.