WordPress Plugin Security Alert

Alert for WordPress Bloggers

If your blog or website uses the Custom Content Type Manager (CCTM) plugin, chances are it has been compromised.

A backdoor has been discovered by Sucuri Security. On March 4, 2016, Denis Sinegubko published a post entitled When a WordPress Plugin Goes Bad on the Sucuri blog.

It is a detailed account of the chain of events that led to the discovery of the backdoor. Denis also speculates about how the hack might have occurred, how the hacker might have progressed from freelance WordPress developer to the dark side, and indeed who the hacker might be (he gives the names used).

There are several recommended steps to mitigate the situation. The top four are:

  1. Replace the installed version of Custom Content Type Manager with the most recent clean version.
  2. Replace ALL WordPress core files with a fresh install: delete the existing files (which have probably been tampered with) and replace them with a fresh copy of the core files.
  3. Change the passwords of ALL users (and, so that any sessions the attacker still holds are logged out, regenerate the authentication salts in wp-config.php).
  4. Delete any users you do not recognize or that look suspicious.

Six to eight steps are suggested in the Mitigation section of the article; scroll to the bottom of the article, just above the author's byline.
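Step 2 above replaces every core file because, on a compromised site, you cannot trust any of them. It still helps to know which files were touched, both to gauge how deep the intrusion went and to confirm the replacement worked. The script below is an added example for this post (it is not code from the Sucuri write-up, the CCTM plugin, or WordPress itself). It checks an install tree against a per-file MD5 manifest in the shape the WordPress.org checksums API returns (that shape is assumed here); the install tree and manifest used by demo() are constructed in a temporary directory. Files whose hash differs, core files that are absent, and files outside site-owned paths that the manifest does not know about are each listed.

```python
"""Offline integrity check of a WordPress core tree against a checksum manifest.

Added example, not from the Sucuri post or the CCTM plugin. Assumes the
manifest looks like the WordPress.org checksum API's JSON ({"wp-login.php":
"<md5>", ...}); demo() builds a constructed install in a temp directory.
"""
import hashlib
import json
import os
import tempfile
import urllib.request

CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/"

# Site-owned paths are never in the manifest, so they are not reported as
# "unexpected"; wp-content has to be reviewed separately.
SITE_DIRS = ("wp-content",)
SITE_FILES = ("wp-config.php", ".htaccess")


def fetch_checksums(version, locale="en_US"):
    """Download the official per-file MD5 manifest for one core release.

    Network call; the offline demo below does not use it.
    """
    url = f"{CHECKSUM_API}?version={version}&locale={locale}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        data = json.load(resp)
    if not data.get("checksums"):
        raise ValueError(f"no checksums published for {version}/{locale}")
    return data["checksums"]


def md5_file(path):
    """MD5 of a file, read in chunks (the manifest uses MD5, not a modern hash)."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, checksums):
    """Compare the files under root with the manifest.

    Returns sorted lists: 'modified' (hash differs), 'missing' (listed but
    absent) and 'unexpected' (present outside site-owned paths but not listed;
    planted PHP files show up here).
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != expected:
            modified.append(rel)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
            dirnames[:] = [d for d in dirnames if d not in SITE_DIRS]
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            if rel not in checksums and rel not in SITE_FILES:
                unexpected.append(rel)
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def demo():
    """Constructed install: one clean file, one tampered, one missing, one planted."""
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.4.2';\n",
    }
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        def write(rel, body):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(body)
        write("index.php", clean["index.php"])
        write("wp-login.php", clean["wp-login.php"] + b"// appended by attacker\n")
        # wp-includes/version.php deliberately not written -> reported missing
        write("wp-includes/extra.php", b"<?php // not part of core\n")
        write("wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        write("wp-content/uploads/x.php", b"<?php // site-owned, out of scope\n")
        return verify_tree(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For a real site, pair verify_tree() with fetch_checksums() for the version in wp-includes/version.php and the install's locale. The manifest covers core (plus the bundled default themes and plugins), so a file planted under wp-content, such as the uploads directory in the demo, will not be flagged and has to be hunted separately.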

Easiest way to add a Facebook Pixel to a WordPress Website

A client recently asked me to add a Facebook pixel to a single page on their website. The website currently consists of 35 pages and 498 posts.

Having customized WordPress websites for over a decade, I have the skills to edit the functions.php file and make the code appear on that page, and that page only, and I was tempted to do just that. Then I thought, "What about the next time?" This is new behavior for my client, and tracking visitor behavior is a good thing. If I edit the functions.php file, then the next time the client wants to track user interaction with a different web page they would have to contact me and have me update it again, and so on, and so on.

So I searched and found the Facebook Conversion Pixel plugin. I watched the (excellent) video by Kellen Mace (@KellenMace). The plugin was installed and configured in one minute; then I edited the page on which the pixel tracking code needed to be added, added the code, saved the page, checked that the code displayed, and voilà! Watching the video took longer than setting it up, and now the client can be independent, if they want, and add Facebook tracking code to other pages without my interference.
Facebook Conversion Pixel plugin video

Notes on the Facebook Conversion Pixel plugin

  • Get your pixel code first and keep it in your favorite editor.
  • The plugin lets you select the post types on which tracking code may be added, for example Posts, Pages, and custom post types.
  • In the settings area it automatically lists the post types registered on the current WordPress installation.
  • Once you check the post types and save, the Facebook Conversion Pixel form appears on every post, page, or custom post type of those kinds. This lets you add (different) tracking code to multiple posts and pages. In this example, the Facebook Conversion Pixel form appears on 35 pages but is filled in on only one.
  • Whatever is pasted into that form is output on the page as-is, so anyone who can edit those posts can also put script on the site; keep that in mind when deciding who gets editing rights.

WordPress Performance Testing

Recently I was engaged by a sometime client to help determine what might be eating up all the memory at her website and bringing the whole server (including another of her websites) down for six hours at a time. She had been working with her hosting company on it for a week, and they had not discovered what it might be. Suspecting that the memory consumption might be due to a plugin with unoptimized reads on the database, they asked me to take a look.

Recent Background

The website ranks in the top 93K in the US, receives 7K visits per day, is built on the Genesis framework, has 78 pages and about 600 posts, and recently switched over to the CloudFlare CDN. Several people work on the website, with varying degrees of familiarity with hosting servers and WordPress.

WordPress Plugin Inventory

I took inventory and found 29 plugins, most of which I recognized. Three were inactive, and I deleted those right away. One plugin monitors the cron jobs and another monitors for bot activity; both looked like good candidates.

WordPress Diagnostic Tools

I searched around the web and found P3 (Plugin Performance Profiler) and Query Monitor. With P3 I ran both manual and automatic scans. P3 presents the results of a scan (a sample session traversing from page to page) as a pie chart of load time per plugin.

P3 revealed that the Ninja Forms plugin was making (on average) 67 interactions with the database on each page or post. There is only one page on the website with a short, standard form, so that was curious behavior to observe. The other resource consumer was the bot monitor (BotDetect Captcha), followed by WPtouch, the mobile-friendly plugin. One of my initial suspects, the cron job monitor, barely registered as using any resources.

Query Monitor displays multiple views of the interactions with the WordPress database for the page or post you are currently viewing. One of those views, Queries by Component, consistently agreed with P3 about which plugins were consuming the resources.

It turned out that the problem was related to the hosting situation and DDoS attacks, but I was glad to learn about and use these two plugins. The resource hogs were revealed, and because of that I was still able to help this client. We learned that 65% of a page's load time was consumed by plugins, and that Ninja Forms, WPtouch (the mobile-friendly plugin), and BotDetect Captcha were the three biggest resource consumers.

Today we removed Ninja Forms and replaced it with a simple, lightweight form plugin that has a little over 100K active installs. It actually displays a more pleasant form and was much simpler to set up. Its use of resources so far is negligible. The client and I have a verbal agreement to do continuous improvement in the upcoming months based on the results from these two plugins.

Even though I am a novice with the Plugin Performance Profiler and Query Monitor plugins, I highly recommend them as helpful WordPress plugins.

2015 Toys for Tots at BNI


Fun day at BNI Marlborough this morning. It was Toys for Tots day. Each member was to bring in a toy to donate to the toy drive and, in their 60-second commercial, tell how the toy represents the work they do.

We had a lot of fun with the creative connections between the toys and our work, and some took a lot of ribbing from hecklers in the crowd, all in good humor!

WordPress Hits 25% Market Share

While tweeting the other morning, I noticed a tweet from Matt Mullenweg, co-founder of WordPress, highlighting that WordPress now powers 25% of websites.

Nov. 8: Matt Mullenweg's tweet about WordPress approaching 25% market share

One can assume that the title, "Seventy-Five to Go," is a tongue-in-cheek poke at Matt's intention to have 100% of websites built on WordPress. (We all know that I am doing my part.) Matt referenced the published survey results reported on the W3Techs website.

Snapshot of chart at W3Techs.com

As this WP Tavern article points out, WordPress likely has an even greater share, since the websites surveyed by W3Techs are those in Alexa's top 10 million most popular websites. Websites outside the top 10 million are not included, nor are WordPress websites hosted on WordPress.COM that do not use their own domain name or attract enough traffic to put them in Alexa's top 10 million.

The survey also shows that WordPress is still the fastest-growing CMS: "Every 74 seconds a site within the top 10 million starts using WordPress. Compare this with Shopify, the second-fastest growing CMS, which is gaining a new site every 22 minutes," Gelbmann says. (Jeff Chandler, WP Tavern)

So WordPress is the fastest-growing CMS, but we knew that. Still, I am feeling very gratified. Back in 2005, I started working with blogging software called b2. WordPress was created as a fork of b2 and eventually replaced it.

Initially, the development task was to add a blog to existing websites. Over time, the task morphed into developing full websites on the WordPress software, so that clients could update content on the pages as well as the posts. This is the practice I use today: develop on WordPress unless there is a good reason not to. (And there are websites that don't need WordPress.) Some clients maintain their own content and some send updates to me.

I am happy that I have positioned my clients for success. They are able to maintain their own websites (if they so choose). Their websites are on a tool that has

  • great visibility,
  • a plan for the future,
  • thousands who write code for it,
  • thousands of choices for add-on functionality (via plugins and widgets),
  • a loyal user base,

and that can be hosted with almost any hosting company (Linux or Windows/IIS), and that is being included in the curriculum of many academic programs.

Full Articles:

  1. Jeff Chandler, "A Quarter of the Top 10 Million Sites Ranked by Alexa Use WordPress," WP Tavern
  2. "Usage of Content Management Systems," W3Techs.com