Favorite Plugins Shared at June 2017 Meeting

The June 2017 meeting was all about members sharing their favorite WordPress plugins. ManageWP, Duo for WordPress, iThemes Security, Zip Recipes, and Showcase IDX were discussed.

Deborah (@redcrew) shared ManageWP (ManageWP Worker plugin directory listing), a plugin that automatically creates monthly backups of your WordPress installation. For $2 per month, you can get daily and on-demand backups. VaultPress is an alternative plugin with similar features.

Andy (@andymelichar) shared Duo for WordPress (Duo for WordPress plugin directory listing), which adds two-factor authentication to your site’s login. After you enter your valid username and password, you’ll need to prove your identity via SMS or push notification to your mobile device.

Andy also shared iThemes Security (iThemes Security plugin directory listing). This plugin guides you through securing your WordPress site, thwarts malicious attacks against your site, and notifies you of files that have changed on your site. An alternative plugin is WordFence.

Randy (@randywalker) told users about Zip Recipes (Zip Recipes plugin directory listing). If you frequently share recipes on your website, Zip Recipes makes it easy to format those recipes. Just type in your ingredients, directions, and other information, and this plugin will embed a gorgeous, printable recipe card in your post.

Jason (@jbigelow1) gave a demonstration of Showcase IDX (Showcase IDX plugin directory listing), a powerful real estate listing tool. If you sell homes, this plugin is an inexpensive ($60 per month) way to present listings and saved searches on your website. Visitors can share these listings via social media. The agent can export contact information of potential leads. iHomefinder Optima is an alternative tool.

Takeaways from Fixing a Hacked Site

Seth Alling

At last month’s Metro Detroit WordPress meetup, Seth Alling presented on hacked sites, discussing the causes and what you can do to prevent your site from being hacked.

Members shared some of their own stories of hacks as well as useful resources. It was a great discussion at the end of the talk; thanks to Seth for his presentation!

And thanks to new member Christine Zheng, we have a recap of Seth’s presentation. Here are Christine’s notes:

Fixing a Hacked Site

Hack Types

There are three common hacks:

  • WordPress plugin hack
  • Malware hack
  • Themes hack

There are many causes of hacked sites, including:

  • Poor hosting
  • Bad or poorly coded plugin
  • Out of date software, which can be targeted by malware
  • Improper file permissions

To find the cause:

Step 1: Use Shell commands

List files with improper file permissions
find . -perm 777

List PHP files modified within the last day
find . -name "*.php" -mtime -1 -print

List general-template.php files with base64
find . -name "general-template.php" -exec grep -H "base64" {} \;

List general-template.php files with base64 in a text file
find . -name "general-template.php" -exec grep -H "base64" {} \; > hacked.txt
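
The checks above combined into one read-only triage script, as an added example (not from Seth's slides or Christine's notes). It generalizes slightly: it flags any world-writable mode rather than exactly 777 and searches every PHP file for base64_decode rather than only general-template.php; the function names and report layout are assumptions.

```sh
#!/bin/sh
# Added example: read-only triage of a WordPress tree. Nothing is modified or deleted.
# Function names and the report layout are illustrative assumptions.

# World-writable files and directories. "-perm -0002" matches 777 and every other
# mode with the "other write" bit set; the -type filter skips symlinks, whose own
# mode is always 777 on Linux and would otherwise be noise.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# PHP files modified less than N days ago (default 1).
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-1}" -print
}

# PHP files containing base64_decode, printed as path:matching_line_count.
# Legitimate code also uses base64, so each hit is a lead to review, not a verdict.
base64_php() {
    find "$1" -type f -name '*.php' -exec grep -c -H 'base64_decode' {} + \
        | grep -v ':0$' || true
}

# Write all three listings to report file $2 and print how many entries were flagged.
# Keep the report outside the scanned tree so it does not list itself.
scan_report() {
    {
        echo "## world-writable"
        world_writable "$1"
        echo "## php modified in the last ${3:-1} day(s)"
        recent_php "$1" "${3:-1}"
        echo "## php containing base64_decode"
        base64_php "$1"
    } > "$2"
    grep -vc '^##' "$2" || true
}

# Usage: sh wp-triage.sh /path/to/site /tmp/report.txt [days]
if [ "$#" -ge 2 ]; then
    scan_report "$@"
fi
```

Keep the report with the backup taken before cleanup so the same scan can be rerun afterwards and the two results compared.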

Step 2: Establish Your Game Plan

Don’t just dive in; figure out the best solution. For example, if your host doesn’t provide shell access, contact your web host customer support.

Step 3: Remove Hack and Change Passwords

Find out what is really causing the problem.

Manually fix:

  • Take a full backup, if possible, of all files and the database
  • Delete unwanted corrupted files and replace hacked files
  • Search through pages and/or database for additional corruptions and remove them
  • Change the passwords of admin users (and possibly users with other roles as well)
  • Test, test, test
  • Take full backup when complete

Use the Force Plugin Updates plugin when you reactivate plugins.

Fix in bulk:

  • Manually remove hack on 1 site
  • Write script to do what you need
  • Run script on one single site
  • Test, test, test
  • Run script across multiple sites
  • Example scripts from Seth you can use on a host with cPanel (you’ll need root access to your server)

Step 4: Increase Security

  • Make sure everything is upgraded
  • Make sure backups are working; run a test first to ensure
  • Have a security plugin
  • Use a password manager (LastPass, Dashlane)
  • Send passwords/logins with Onetime Secret, or keep info in a notebook or offline
  • Do not send the passwords via email; use a message instead
  • Use two-factor authentication (2FA): Clef, Duo, Google Authenticator
  • Remove unused sites
  • Check file permissions; don’t set them to 777
  • Use strong passwords
  • Consider changing WordPress structure, because most hackers are trying to hack in bulk
  • Depending on your time, or if all else fails, hire a security company (such as Sucuri Security)

Summary

Be prepared for a hack. Consider using the iThemes Security plugin. Another option is to set up Cloudflare security.

You may want to consider not turning on all the features, IP login. Whitelist the login IP.
When you’re adding a new plugin to a site, validate the plugin. Read reviews and check star rankings.

Check out the slides from Seth’s presentation.

Thanks to Larisa for taking and sharing photos from the meetup.

Additional Resources