At Wordfence we continually look for security vulnerabilities in the third party plugins and themes that are widely used by the WordPress community. In addition to this research, we regularly examine WordPress core and the related wordpress.org systems. Recently we discovered a major vulnerability that could have caused a mass compromise of the majority of WordPress sites.
The vulnerability we describe below may have allowed an attacker to use the WordPress auto-update function, which is turned on by default, to deploy malware to up to 27% of the Web at once.
Choosing the most damaging target to attack
The server api.wordpress.org (or servers) has an important role in the WordPress ecosystem: it releases automatic updates for WordPress websites. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates. The response from this server contains information about any newer versions that may be available, including if the plugin, theme or core needs to be updated automatically. It also includes a URL to download and install the updated software.
Compromising this server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically. This provides a way for an attacker to mass-compromise WordPress websites through the auto-update mechanism supplied by api.wordpress.org. This is all possible because WordPress itself provides no signature verification of the software being installed. It will trust any URL and any package that is supplied by api.wordpress.org.
WordPress powers approximately 27% of all websites on the Internet. According to the WordPress documentation: “By default, every site has automatic updates enabled for minor core releases and translation files.” By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke.
Below we describe the technical details of a serious security vulnerability that we uncovered earlier this year that could compromise api.wordpress.org. We reported this vulnerability to the WordPress team via HackerOne. They fixed the vulnerability within a few hours of acknowledging the report. They have also awarded Wordfence lead developer Matt Barry a bounty for discovering and reporting it…
Future-proofing your site is an aspect of site development that many users neglect until it’s too late. It’s a simple process that shouldn’t eat into your schedule too much. In any case, the benefits far outweigh the additional time spent keeping on top of it all.
In this post, the author suggests four important steps to help you future-proof your site:
Sign up with a reputable hosting provider.
Create regular backups of your website.
Select themes and plugins from trustworthy developers.
This article talks about some useful, essential and totally free WordPress plugins meant for photographers and photography sites.
I have used, and also have friends who use, ‘Meta Slider’, ‘NextGEN Gallery’ and ‘Pinterest Pin It Button’ with success:
Meta Slider – will display great looking photos on your header
NextGEN Gallery – Jetpack already has many features for your photos and photo galleries; use NextGEN Gallery if, in addition to photo galleries, you also want to display photo albums.
Pinterest Pin It Button – makes it very easy for users to pin images to Pinterest.
WordPress makes it really easy to create a photo blog or run an online portfolio of your images. As such, many photographers, professionals and hobbyists alike, tend to use WordPress to showcase their work online.
You still need to cater to popular photo-centric platforms, such as Flickr or 500px, but having your own website with a showcase of your images goes a long way in establishing your identity online.
If you are looking to create a photography website using WordPress, where should you begin? You can, obviously, use WordPress plugins to do more with your website. This article talks about some useful WordPress plugins for photographers and photography sites.
15 Essential WordPress Plugins For Photographers
1. WP Smush
We know that images can be really heavy in terms of combined size. If all you do is upload the odd featured image or two, you have nothing to worry about. But if you are running a photography site, you need to be wary of the file size. Larger images can slow down your site.
WP Smush is a simple plugin that lets you compress and optimize your images on the fly. You can simply upload photos as usual, and WP Smush takes care of the rest.
You should also note that there are many image optimization plugins to choose from. I chose WP Smush simply on account of its popularity: it has over 500,000 active installations. There are other, equally worthy, alternatives out there. If you wish to browse through image optimization plugins and read some benchmarks or comparison tests, this particular blog post might be of help.
2. Imsanity
Imsanity can automatically resize the images that you upload to your site. Considering the fact that most professional photographers work with large images, and not always web-friendly dimensions, Imsanity can do the hard work for you.
The plugin works by scaling down all uploaded images to the maximum width, height and quality you configure. Additionally, Imsanity can convert formats such as BMP to JPG for web-friendly output.
3. Post Thumbnail Editor
Different WordPress themes have different dimensions specified for thumbnails. While for the most part, WordPress does a very good job at cropping images, Post Thumbnail Editor offers you better and more granular control over your image thumbnails. It gives you the ability to crop and scale the thumbnails to fit any requirements.
Note that if you change your WordPress theme and the thumbnails are the wrong size, Regenerate Thumbnails might be a better fix for the problem.
4. Easy Watermark
Though not all photographers want a watermark on their photos, some find it incredibly useful. If you need to add watermarks to any image that you upload to your site, Easy Watermark can help you.
This plugin lets you add watermarks to your images, both new ones that you upload as well as any previous ones that you had uploaded in the past. You can also choose to restore the original images by removing the watermark.
5. Media Library Assistant
Media Library Assistant offers several enhancements for your media library. It comes with custom shortcodes that perform various functions. You can create galleries, add EXIF and other metadata to your media files, display files on the basis of taxonomy, and even search across media files from the frontend.
Additionally, this plugin integrates with the default WP Media Library, so it’s easy to learn.
6. PhotoPress
PhotoPress lets you add metadata to your images. You can add or import data such as XMP, EXIF or IPTC tags for your photos.
You can extend this plugin by means of addons, and even use it to create basic galleries. Note, however, that this plugin has a little over 200 active users and is not very popular compared to the others.
7. Easy Digital Downloads
Easy Digital Downloads (or EDD) is an eCommerce plugin meant for folks looking to sell digital products (yes, photos) on their site.
EDD comes with all the features that you might expect from an eCommerce solution — you get detailed sales statistics, easy addition and deletion of discounts and offers, support for multiple payment gateways, ability to extend the plugin further by means of extensions or addons, and so on.
Of course, WooCommerce is still the most popular choice for WP eCommerce, but for digital products such as photos, EDD has always been my preferred tool.
8. Sell Media
Sell Media, as the name suggests, lets you sell media files, such as photos, on your website. You can sell, license or protect your images, create a stock photo site, or even charge a licensing fee.
PayPal integration is offered by default, but you can add other payment gateways and features by means of extensions, such as MailChimp integration or offsite cloud backups of your content.
Image Display (Gallery and Sliders)
9. NextGEN Gallery
NextGEN Gallery has had over 15 million downloads and continues to receive almost a million new users per year. The numbers speak for themselves — this is the most popular plugin for creating a gallery in WordPress.
You can batch upload, edit metadata and arrange and sort your images to create a gallery. The plugin also has a Pro version. If you are looking to create stunning galleries, NextGEN Gallery is a worthy choice.
10. Foo Gallery
Foo Gallery is another popular WordPress plugin for gallery management. Its set of features is the same as NextGEN Gallery’s, and you can extend its functionality by means of paid addons.
Foo Gallery uses a Gallery custom post type to help you create galleries. You can use shortcodes to embed and display galleries anywhere on your site. Foo Gallery also has a NextGEN Gallery import tool.
11. Simple Lightbox
Simple Lightbox lets you do what its name suggests — add a lightbox to your site.
You can customize the appearance of the lightbox, resize it to fit the viewport, use it with various themes, and choose when and where to display it.
12. Meta Slider
There are many WordPress slider plugins, and Meta Slider is an extremely popular one.
With over 700,000 active installations, Meta Slider lets you create slideshows with different layouts, types and designs. All sliders are responsive and SEO friendly, and the plugin also comes with smart cropping for photos.
Meta Slider has a Pro version as well which lets you work with video slides too, in addition to image sliders.
13. Photographers Galleries
Note that it is a rather lesser-known plugin, and currently has under 100 active installations.
You should consider adding social sharing buttons for various popular networks. However, since Pinterest and Instagram are image-centric social networks, the following plugins focus on these two in particular.
14. Pinterest Pin It Button on Image Hover and Post
If Instagram does not interest you or if you are more of a Flickr user, the Flickr Album Gallery plugin is worth looking at.
There you have it, 15 WordPress plugins meant especially for photographers. You should also, by all means, install a caching plugin, or invest in a CDN for your images. Jetpack Photon is a free and amazing option if all you are serving is images.
Similarly, do not ignore the importance of a good SEO plugin as well as a security plugin. Your WordPress site needs to be kept secure from malicious folks. Plus, without proper SEO, your work may not get the exposure it deserves!
Which of the above free WordPress plugins do you use on your photography website? Share the list in the comments below!
Sufyan bin Uzayr writes for various magazines and blogs, and has authored several books. He blogs about technology, Linux and open source, mobile, web design and development, typography, and Content Management Systems at Code Carbon. You can learn more about him, follow him on Twitter or friend him on Facebook and Google+.
Not only does WordPress dominate more than 25 percent of the internet but it has now conquered space. NASA recently updated a blog post explaining the benefits they’ve received since launching the NASA GRC WordPress website, which first launched in July 2007.
The post highlights several of the benefits for using WordPress including ease of use, low cost, SEO, and more.
Search Engine Friendly
The basics of SEO are already built into the system. It encourages you to fill out title tags, categories, and meta descriptions.
“When a site curator posts a news-related item on a public-facing NASA WordPress site, the major search engines are automatically notified to catalog the new content; additionally, the system automatically builds XML sitemaps to help search engines correctly catalog and prioritize your content in their databases,” the post said.
Though this isn’t new, it is a great service for any site owner that doesn’t have a strong SEO background. NASA is able to deliver important news quickly.
Section 508 is a government-wide accessibility program. It is essential that every government-sponsored website adheres to it. Luckily for NASA, WordPress does it automatically.
“Our NASA WordPress themes (the HTML/CSS design, structure and programming) is already Section 508 compliant, and new Section 508 issues are addressed as the overall theme is upgraded. Essentially, only the content (text, photos, videos) that a site curator adds will need to be verified for Section 508 compliance by the curator,” the post said.
Content Separate From Design
Another huge time saver is that content is separate from design. That means that when you change your theme, the old content changes with it. No more going through every old post or image and making sure it lines up with the new design.
“There’s no need for wholesale, time-consuming revisions of your entire site if and when the design changes,” the post said.
When everything is done for you, you can focus on the content.
This blog post is one small step for WordPress and one giant leap for open-source software. I know that was a cheap joke, but it really illustrates the exciting role open source is beginning to take in the US government. NASA isn’t the final frontier.
The White House And Open Source
A few months ago, The White House not only announced Whitehouse.gov would be open source but asked for input from developers.
People added suggestions on GitHub to help create the federal source code policy, and this month the results were shared. From the analyzed data, custom open-source code was born.
The announcement post, titled “The People’s Code,” explains the uses of Code.gov.
“The policy, which incorporates feedback received during the public comment period, requires new custom-developed source code developed specifically by or for the Federal Government to be made available for sharing and re-use across all Federal agencies,” the announcement said.
This isn’t the first case of the US government using open source, but it takes the practices government-wide.
“By opening more of our code to the brightest minds inside and outside of government, we can enable them to work together to ensure that the code is reliable and effective in furthering our national objectives,” the announcement said.
In the coming months, Code.gov will be released and people from all over will be able to share and access government code.
It’s a huge year for open-source projects. From the White House to NASA and beyond, code is being shared and collaborated on for a more transparent world.
Version 4.5 of WordPress, named “Coleman” in honor of jazz saxophonist Coleman Hawkins, is available for download or update in your WordPress dashboard. New features in 4.5 include inline linking, formatting shortcuts, live responsive previews and more…
This morning at 9am Pacific time we rolled out a new kind of firewall to over 1 million active WordPress websites. It comes with a Threat Defense Feed that updates our firewall as new threats emerge. It also continuously updates our malware scan as we discover new malware patterns through our forensic research.
Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers breach, may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among […]
Lyn wrote: “Hi Tony, I got this email below about a new “User Registration” but I haven’t loaded anyone or given anyone access to upload new details? Do you have any clue for me on how this may have been created without the relevant passwords? Below New user registration details: Username: ChristieOster23 E-mail: firstname.lastname@example.org Thanks, Lyn”
Just by looking at the Username and E-Mail you can “see” this is spam!
There are various plugins that will enable you to block IPs and even block entire countries. However, sometimes you will not be able to get the relevant IP address, so this article is about how to go about blocking email addresses. Ban Hammer does that for you by preventing unwanted users from registering.
Go to the admin area of your website > click ‘Plugins’ > ‘Add New’ > in the search bar type ‘Ban Hammer’ > click ‘Install Now’ > click ‘Activate Plugin’.
After installation go to ‘Tools’ > click ‘Ban Hammer’. In the ‘Blacklisted emails’ box enter all the emails you want to ban one below the other as per the screenshot below:
In a case where the user has already registered, delete the user and then add the user’s email address to ‘Blacklisted emails’.