3 Ways to Prepare for WordPress Website Malware in 2020

Maybe your client’s site got hacked, it’s time for a security checkup, or you’re tired of telemarketers terrorizing your phone lines with the vulnerabilities sales pitch.

Despite the hype, the threat is real. WordPress makes up 90% of hacked CMS sites, reports ZDNet the CBS-owned technology news site. It’s doubly dangerous when your client’s business and your reputation are at risk. WordPress website malware removal could protect your agency’s brand and bottom line.

What is malware or malicious software? Malware is software designed to damage, steal data, or simply mess things up. If you’ve searched “how to protect WordPress site from malware”, then follow these three steps.

1.) Keep Your Client’s Site Updated

Some agency managers hesitate to make updates because they’re afraid to break something. It’s critical that you update every aspect of the sites you oversee when the opportunity presents itself. Old versions are far more vulnerable because they lack the newest security and anti-malware measures. You’ll want to update WordPress itself, themes, plugins, and files.

As you update the various components, it’s often a smart idea to standardize your themes and plugins. It’ll prevent one-off vulnerabilities and help manage your business as it grows.

It’s a headache to manually monitor the WordPress Admin interface for each client. Many agency managers partner with a security firm to handle this crucial yet time-consuming task.

2.) Lockdown the Login Page

WordPress is a secure platform, but the log in page is a targeted weak point. The most often overlooked strategy for website malware protection is creating a strong username and password. Avoid “admin” as your username because it’s the default and therefore easy pickings for bots and hackers. A secure password can even by generated by WordPress itself.

Also, you can beef up security with 2-factor identification, which requires users to have a smartphone to log in. And you can add plugins that limit the number of login attempts to prevent a brute force attack, which is when a hacker tries endless combinations to crack your password.

3.) Schedule and Automate Regular Backups

Backups allow you to restore your client’s website to a saved version before a current hack or malware infection. It allows you to go to the “past” without a time machine.

Depending on your client’s industry, it may be essential to have a more frequent backup schedule. For example, a news company might need more frequent backups than a brochure site for a lawyer.

Choose the time interval for automated backups to match content updates. But always back up before significant changes such as when you switch themes, install a new plugin, or upload large amounts of content or products.

There are a few strategies to back up your WordPress sites. There are plugins with this feature, some web hosting offers backups, and there are support plans that provide this functionality. Although you often sacrifice a little content when you restore, it’s better than losing everything.

Client’s Site Hacked and You Need WordPress Website Malware Removal?

First, tell your client what’s up. Honesty is always the best policy. Do a complete backup of the site and go into maintenance mode. Use tools like Google Console to diagnose the infection if your sites been search engine blacklisted.

You can then follow step-by-step instructions from thousands of online articles to remove the malware. But with your reputation and your client’s customers in jeopardy, it may be best to contact a WordPress malware removal service. SECURELI has a three-step proprietary process that can get your client’s site going without delay, and you don’t pay until it’s repaired.

Client’s WordPress site hacked how to fix it doesn’t have to be a nightmare. We can help with WordPress website malware removal. Contact us today 24/7/365 at (833)-SITE-FIX or email us at support@SECURELI.com

dotCMS v5.1.1 – Vulnerable Open Source Dependencies

dotCMS v5.1.1 suffers from several vulnerabilities due to the reliance on open source dependencies with publicly disclosed issues.

These vulnerabilities are listed below:

Scanning open source dependencies of dotCMS_5.1.1
 
/ROOT/html/js/scriptaculous/prototype.js
 
↳ prototypejs 1.5.0
prototypejs 1.5.0 has known vulnerabilities: severity: high; CVE: CVE-2008-7220; http://www.cvedetails.com/cve/CVE-2008-7220/ http://prototypejs.org/2008/01/25/prototype-1-6-0-2-bug-fixes-performance-improvements-and-security/
 
ROOT/assets/3/6/36c22c5d-c813-4869-a4b7-fcc10a74e8b6/fileAsset/jquery.min.js
 
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/5/1/515cba4e-ac64-4523-b683-8e38329e7f46/fileAsset/bootstrap.min.js
↳ bootstrap 3.2.0
bootstrap 3.2.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
 
ROOT/assets/9/9/99c7ffe7-e1c2-407f-85b7-ec483dbcf6f1/fileAsset/jquery.min.js
↳ jquery 3.3.1
jquery 3.3.1 has known vulnerabilities: severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/f/6/f6fa6b13-3a96-4cbf-9a75-19a40137f05a/fileAsset/jquery.min.js
 
↳ jquery 1.9.1
jquery 1.9.1 has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/assets/4/a/4a5a727f-369b-49e0-bff5-42d9efb4ba90/fileAsset/jquery-2.1.1.min.js
 
↳ jquery 2.1.1.min
jquery 2.1.1.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
 
ROOT/html/js/dojo/custom-build/dojo/dojo.js
 
↳ dojo 1.8.6
dojo 1.8.6 has known vulnerabilities: severity: medium; PR: 307; https://github.com/dojo/dojo/pull/307 https://dojotoolkit.org/blog/dojo-1-14-released
 
ROOT/html/js/tinymce/js/tinymce/tinymce.min.js
 
↳ tinyMCE 4.1.6
tinyMCE 4.1.6 has known vulnerabilities: severity: medium; summary: xss issues with media plugin not properly filtering out some script attributes.; https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED so script elements gets removed by default to prevent possible XSS issues in default config implementations; https://www.tinymce.com/docs/changelog/ severity: medium; summary: FIXED so links with xlink:href attributes are filtered correctly to prevent XSS.; https://www.tinymce.com/docs/changelog/