What To Do If You Think Your Client’s WordPress Site’s Been Hacked
Posted by Guest on November 21, 2017
By Bud Kraus
The frantic email, text, or call always comes at a bad time. Your client thinks their site's been hacked. What are you going to do?
Take a deep breath — even if you've done this before — and then head straight to the Sucuri Site Scanner, put your web address into the box, and hit the “Scan Website” button. Let the smart Sucuri people analyze your site. They'll let you know if there is a problem and if so, its likely cause.
If you get a result like this, then it's "Houston, we have a problem."
In this case, the site is being blacklisted from search engines and other sites because, in all likelihood, it has been compromised. Further investigation may turn up any or all of these issues:
1. Brute Force Attack: An illegal entry into your WordPress Admin.
2. File Inclusion Exploits: A method to compromise your wp-config.php, a mission-critical file in every WordPress site
3. MySQL Injection: Damage to or destruction of a database where data is maliciously added or removed.
4. Cross-site Scripting (XSS): Presents as a danger to your site's users.
5. Malware: Malicious code that is being used on your site.
How you resolve the problem(s) depends upon the nature of the problem, your skills and/or the co-operation you will get from the web hosting company. You may also need to hire an outside service, like Sucuri, to clean up the mess. They may recommend the use of a firewall for the site.
But wait — there's a step before Step 1.
“An ounce of prevention is worth a pound of cure” is not just a trite expression. In the business of keeping WordPress sites safer, it's true. At minimum, keeping WordPress software up-to-date is a must. Understanding how versions work with any WordPress software is easy, so keep this in mind:
1. If any update has two digits, like 4.9, that means it's a major update. New features will be introduced, as well as bug fixes or security patches.
2. If any update has three digits, like 4.9.1, this means no new features will be introduced. Three digit updates include only bug fixes and security patches.
WordPress software comes in three types, all of which need to be kept current:
1. WordPress Core Updates: Major (two-digit) updates are usually available two or three times per year. Three-digit updates occur on a more regular basis. Most web hosts will automatically do three-digit updates for you. The two-digit update is something you usually need to do on your own.
2. Theme Updates: Theme developers occasionally update their software. This may occur when WordPress itself is updated, but not necessarily; the two- and three-digit system applies for these updates as well. If you change your theme's coding, always make sure to create a Child Theme. That way, your customizations will not be lost when your theme is updated.
3. Plugin Updates: These can occur on a very regular basis. Again, you'll know what kind of update it is by noting if it's two or three digits. Good plugin developers frequently update their plugins.
Keeping Track Of The Updates
If you regularly log into a WordPress site it's easy to tell what needs to be updated. If not, I recommend using the WP Updates Notifier plugin. You will get email that lets you know if WordPress, your theme, or any plugins need to be updated. Ignore that email at your own peril! (Note: If you manage many sites, consider using ManageWP, which lets you update software from one c-Panel.)
Security Is A Shared Responsibility
Keeping software up to date is just part of the precautions you need to take to keep a site safe and in good working order. The web host also has a role to play. Have they added SSL to your domain? (You can request this and it's free in most cases). Are they using current versions of software, such as PHP? (7.0). Is the web host using a shared hosting plan? If so, that’s not nearly as secure as a Virtual Private Server.
In your contract with a client it should be clearly stipulated that you are to be held harmless and without liability if a site were to go down for any reason beyond your control. This includes sites you currently work on or maintain, as well as sites you no longer have responsibility for. In all cases, consult an attorney to help protect yourself from legal liability.
Bud Kraus has been teaching the fundamentals of web design for thousands of students at Pratt Institute, the Fashion Institute of Technology and for his private students for 20 years.
Besides teaching Bud works with individuals and small businesses developing their WordPress sites.
His free WordPress A To Z Series is for beginners or if a re-fresher course is needed. Get access to all his videos at https://joyofwp.com/courses/free-tutorials-course-to-learn-wordpress/.
Questions? email Bud at: firstname.lastname@example.org
Montreal Design Declaration: “All People Deserve to Live in a Well-Designed World”
Posted by Rebecca Blake on November 14, 2017
On October 24, representatives from 14 international associations of designers, architects, urban planners, and landscape architects signed the Montreal Design Declaration. The signing took place at the conclusion of the first ever international Design Summit Meeting, and in the presence of representatives from three UN agencies: UNESCO, UN-Habitat, and UN Environment. The 14 international associations, along with four other design organizations, collaborated on the call to action. Collectively, over 600 national entities – design organizations, educational institutions, and design promotional centers — from 89 different countries were represented by the Declaration signers. (The Guild, as a member of ico-D, is represented on the Design Declaration.)
The Declaration challenges designers, educators, governments, and the private sector to work collaboratively in creating a world that is “environmentally sustainable, economically viable, socially equitable, and culturally diverse.” To reach this goal, the Declaration proposed 20 projects, from developing metrics to evaluate the impact of design, to fostering support and funding for design research and education, to showing the role of design in enhancing and celebrating cultural diversity.
The final project proposed by the Declaration is “Generate support for a world design agenda through distribution and statements of support for the Montréal Design Declaration.” To that end, designers are encouraged to download the Declaration, read it, and share it with their colleagues and contacts. The Montréal Design Declaration can be downloaded from their website. You can also like and share their Facebook page.
Creating Unity Through Color Editing
Posted by Rebecca Blake on June 22, 2017
How often have you faced this challenge? You have a disparate selection of images—they may have very little in common in terms of subject matter, color palette, or composition—and it’s your task to create a cohesive and effective layout using all of the images. Proper color editing of webpage images is a step most web designers overlook. Yet ignoring this crucial step can result in a webpage which is unbalanced, misdirecting the viewer’s focus and resulting in an unpleasant (if not confusing) user experience.
In her blog post titled Color Editing for Web Page Design, Photoshop & Color Specialist Martha DiMeo walks through a case study of a website’s homepage to demonstrate how editing color can be the solution to create unity and visual flow. In a recent project, she needed to combine four disparate images on a webpage. The images had previously been color corrected to be used separately, in either print or email, but didn’t work cohesively when placed together.
DiMeo’s process to reconcile the images involved carefully evaluating the combined images, and adjusting each to create rhythm and harmony. The result is a harmonious image that allows the viewer to absorb the web page with ease. To read how DiMeo identified the problem areas and adjusted the color balance, read the full article.
This article originally appeared on CQ Blog, Martha DiMeo’s blog on her website ChromaQueen.com.
© Martha DiMeo. Paintings © Meldy Phaneuf. Color correction images © Martha DiMeo. Used with permission.
Fake Flash Player Targets Apple Users and WP Engine Clients
Posted by Rebecca Blake on April 05, 2017
Fake Flash Player updates which mask malware have been around since MySpace was hot; Adobe was warning the public not to download the Flash Player from sources outside their download site back in 2008. But despite the publicity, the malware-installing fake downloads persist. Currently, a fake Flash Player scam is targeting visitors and users of the popular WordPress hosting platform WP Engine by taking advantage a common typo of the company URL.
If a webdesigner or WPEngine client accidentally inserts an hyphen (“wp-engine”) into the URL of their development site on WP Engine, they are immediately taken to a page with a pop-up screen warning them that their Flash Player is outdated. The screen apes legitimate warnings that appear when Flash Player truly is outdated. If the user clicks onto the update button, rather than being taken to the official Adobe Flash Player download page, they’ve initiated the installation of the malware onto their computers. To confuse users who suspect something is amiss, the installer also downloads a genuine version of the Flash installer.
The irony is that WPEngine is rated one of the most secure web hosts for WordPress websites, and takes great pride in their robust security settings. (WP Engine customers needn't be concerned that the webhost has been compromised. The website is never accessed, since the malware redirects from the incorrect URL pulled up from the typo.)
The particular brand of malware installed is appropriately named scareware. The infected computer is overrun with pop-up ads warning of an infection and prompting the user to install malware masquerading as anti-virus software. Going into the Applications folder and deleting the fake Flash download appears to solve the problem. However, once the computer restarts, the pop-up screens appear again, and the fake Flash installer reappears in the downloads folder. Doing a reinstall of the browser prevents subsequent appearances of the pop-up windows, but the malware will reside in the system until an antivirus program such as Malwarebytes Anti-Malware is run.
The Intego Mac Security Blog ran a comprehensive article on fake Flash update scareware last year. According to Graham Cluley of Intego, the scareware manipulates the computer users fear of infected computers to trick them into downloading the fake Flash Player. Johannes Ullrich of SANS Institute reported that the scareware installer took advantage of a valid Apple developer certificate. That permitted the malware to bypass recent OS X defenses which permit only programs downloaded from the official App store or identified developers to be downloaded. (Ullrich pulled together an informative video which shows what happened when he downloaded the fake Flash player.)
Downloading the Flash Player from only the official Adobe website is common sense, and websites which ask users to legitimately update their version of Flash will direct users to this page. The fake Flash Player download continues to be used by scammers. This February, Intego reported that a fake Flash Player is being used to install a sloppy new malware, “MadDownloader.” MacDownloader attempts to steal the users keychain information – passwords, usernames, PINs, etc. – by tricking the user into believing adware software needs to be removed from their system. Although the malware was so poorly designed as to pose little risk, chances are the developers will release an updated version. If a user suspects their version of Flash may be updated, they should check the status via their Systems Preferences or, better yet, permit Adobe to automatically update the program.
As for WP Engine customers: just be sure to not include a hyphen in the domain when you're typing in the URL for your development platform. If you forget,and that persistent “Flash Player outdated" screen appears, simply quit out of your browser. If. you haven't downloaded anything, chances are you’re fine. (You can always run your anti-malware software just to be sure.)
If you accidentally type “wp-engine” into your address bar, you’re taken to a deceptively official-looking Flash update screen.. Note the URL is dllmacfiles, not the Adobe Flash download site. The intercept is quite aggressive; a persistent popover window prompts you to install the fake Adobe Flash Player. The fake download screen even includes reassuring verbiage telling you that dllmac is distributing an “install manager.”
If you click “cancel,” a popover window asks you if you’re sure you want to leave the page. Clicking "Leave Page” averts any problems.
Adobe Design Achievement Awards Student Competition is Open
Posted by Rebecca Blake on March 15, 2017
The annual Adobe Design Achievement Awards global student competition is again open. Students 18 years and older, and registered (or recent graduates from) accredited institutions of higher education, are encouraged to submit their existing student work. Students can enter up to three unique projects in the broad categories of Fine Arts, Commercial, and Social Impact. The breadth of subcategories covers the range of disciplines studied by visual arts students, from photography, illustration, and package and graphic design, to animation/motion design and video editing and production, to web, app, and game design. This year, students working in virtual or augmented reality, 360-degree technology, and other new media will be considered for an “Excellence in New Media” Special Designation.
As in previous years, all entrants will receive a subscription to 99U career tips, will have their entries reviewed by the international panel of judges, and can choose to be considered for a mentorship with a creative professional, coordinated through ADAA partner ico-D. The full complement of prizes supports the ADAA’s mission of “Launching Student Careers,” and includes participation in Adobe Bootcamps, meetings with industry leaders, creative residencies, and subscriptions to Creative Cloud.
There is no charge for entering the competition, and submissions are accepted through June 12th. Students who submit work by May 2nd will have their work considered for early bird semifinalist. Entries can be viewed in real time on the ADAA website as they are uploaded. Students who want to see what their peers are entering can visit the “Entries” page and filter by category, region, country, school, and (once judging begins) status.
How to Start your Very Own Communication Design Business!
Enter your email address below to receive a FREE download of "Starting Your Own Communication Design Business" written by Lara Kisielewska.
By signing up you will receive our monthly newsletter and occasional e-mails about our advocacy work. You will have the option to opt out at any time.
Looking to keep up with industry trends and techniques?
Taking your creative career to the next level means you need to be up on a myriad of topics. And as good as your art school education may have been, chances are there are gaps in your education. The Guild’s professional monthly webinar series, Webinar Wednesdays, can help take you to the next level.
Members can join the live webinars for FREE - as part of your benefits of membership! Non-members can join the live webinars for $45.
Visit our webinar archive page, purchase the webinar of your choice for $35 and watch it any time that works for you.