Category Archives: Wordpress

Configure U2F in Joomla and WordPress [VIDEOS]

User accounts. Without them, the back-end of your WordPress or Joomla site would be a barren wasteland. And, well, there would be no point in having a back-end.

However, with user accounts comes great responsibility not to get them hacked, as anyone with enough credentials can turn your website into a pile of spam for enhancement pills, Eastern offers and other unpleasantries.

Two-factor authentication is all the rage right now. I wouldn’t say it’s mainstream per se, as many users still think that their “kittykat01” password will protect them from evil. But it’s now available on pretty much every big site. It comes in a lot of forms and shapes. Mostly in the form of OTP (and Android Authenticator).

U2F is one of those “universal” two-factor solutions. It’s backed (and implemented) by Google, GitHub and quite a few others. It’s also pretty easy to use. And, as of now, you can set up U2F in both Joomla and WordPress.

Now, I know we usually spell things out for you. However, we decided to switch things up a bit. We made two videos in cooperation with Ciptor Benelux, a small but fierce startup with a focus on authentication that’s hoping to take the Benelux (and then the world?!) by storm.

The videos should give you a good idea on how to set up U2F. The WordPress video is about five minutes long. The Joomla video is a bit longer, because we dove into Akeeba LoginGuard as well. It’s part “How to”, part “This component is pretty cool.”

How to setup U2F in WordPress

How to setup U2F in Joomla (Using Akeeba LoginGuard)


Automattic brings free themes to Jetpack, WordPress Premium

Automattic, the company behind WordPress.com, WooCommerce, Jetpack and others, has been betting hard on services lately. To add more value to users of their existing services, they’re now bringing a big selection of themes to them, for free.

Jetpack brings a little more .com to your blog

Automattic’s Jetpack plugin tries to bring WordPress.com features to your blog. Options like social sharing, simple forms, sitemaps and others are a few clicks away if you install Jetpack and connect your website to WordPress.com. And now, Jetpack users get another “WordPress.com” perk: access to the WordPress.com themes. Users of Jetpack can now install templates that were previously made available to WordPress.com users, which comes down to 150+ free themes that can be installed within a few clicks. There are some pretty interesting templates in there. They might not all be “commercially” interesting for business sites but a lot of them definitely have their uses.

WordPress Premium now includes… Premium Themes

WordPress Premium is a service that adds new features to your WordPress.com blog, like a custom domain name, more storage, more design options and VideoPress. As of this month, a new option has been added.

Premium users now have access to all “Premium Themes.” These are WordPress.com themes that you could unlock by purchasing them (for an average price of €80). Now, you can use these themes for free when you’re a WordPress Premium user. Which is a great deal, considering a Premium plan costs you €99 a year. You do the math.

My WordPress Test Site Got Hacked

I am sure you’ve heard about the “scandal” in which millions of WordPress sites got “defaced” by those pesky hackers. As it turns out, according to reports from leading security companies, it wasn’t particularly hard to pull off either.

WordPress introduces a REST API which allows you (and others) to do all kinds of wizardry remotely. Apparently, that included the option to edit all your posts and pages without providing any kind of credentials. Great job, WordPress!

With millions of people being “hacked”, of course my test website couldn’t miss out. You see, I have WordPress sites in all sorts and shapes that I keep up to date. Personal blog. Work websites. Fun blogs. However, there are also my “test blogs”, which I use to test plugins for WordPress. I also have those kinds of sites for Joomla, but that’s another story.

Most of those sites are hosted on Siteground, but one is hosted on a server I shall not name. One where updates don’t happen automatically, and WAFs are non-existent.

Well, my friends, that website got “hacked”. The reason I keep writing “hacked” is because allegedly it takes nearly zero knowledge or effort to pull it off. You just need to know about the exploit, do two minutes of work and you can go crazy.

Which they did. The nice Syrian Peshmerga left a message stating that ISIS sucks and that they’re going to do stuff. I’m guessing it’s related to shooting them. There was also the online pharmacy that wanted to promote some sort of products.

In my case, no damage was done. This is a test site. I don’t update it, because the site is a “throwaway” site. If something is broken, I’ll just start over. There’s the fair expectation that something WILL go wrong. Seeing the REST API hack in action on that site wasn’t scary, it was more of a “Ahah, it’s that easy?” moment.

However, can the same be said about those other sites? How about your sites? Can you afford to have your website defaced? Probably not. It would be bad for business.

That’s why you need to make sure your websites are up to date. And educate yourself on what to do when you DO get hacked. To help you with that, here’s a short and sweet strategy guide.

How not to get hacked

  1. Keep your WordPress site up to date. Or, have someone else do it for you. Our friends over at Siteground allow you to enable automatic updates. If I’m not wrong – and I often am – they offer to enable this by default. The feature is super easy – once a new version is released Siteground will roll it out for you. Alternatively, some “Installers” like Installatron also roll out automatic updates. Of course, you could do it all manually. Assuming you’ve picked up on the news that an update is released. Unlike Joomla, WordPress doesn’t send reminders that a new version is available.
  2. Make sure you’re using quality web hosting. It’ll protect you from most server-side exploits. And if your hosting company is *really* good they’ll have rules and checks in place to prevent common exploits, like (again) our friends over at Siteground have in place.
  3. Don’t install shady plugins. Or themes. That’s an open invitation to be hacked. And those “cracked” versions of ExpensivePlugin? Yeah, that’s not a good idea either.
  4. If your website is technically sound, make sure that *you* aren’t the weakness. If your password is easy to crack, change it. Websites like HaveIBeenPwned can tell you if you’ve been part of security breaches. That can lead to a big “Oh, shit” moment when you were using the same password everywhere. Also, make sure to enable two-factor authentication.

How to recover from being hacked

  1. Restore your back-ups. What’s that? You didn’t make any, and assume your host is making them for you? While that might be true in some cases, that is NOT a safe bet to make. Set up your own backup tool, like Akeeba Backup or Vaultpress, and configure it. Make backups to more than one location. AND TEST YOUR BACKUPS.
  2. Audit your website. Do you know how they got into your website? If not, you probably have no idea how big the damage really is. If your website is used professionally, and your income depends on it, consider hiring an expert who knows what he’s doing. Unfortunately, that excludes most of the $5 freelancers from a certain continent that “claim to be expert in Joomla, WordPress, Drupal, Magento, Grav, Prestashop, OsCommerce, Ghost, Facebook and Microsoft Word.”

    If you are using Joomla, a tool like MyJoomla can help you audit your website. I’m sure similar websites for WordPress exist as well.

  3. Patch your security holes. Don’t just restore your website, and assume you’re not going to get hacked again. You’d be wrong, and stupid to assume that you were just unlucky.
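A starting point for the audit in step 2, given the REST API issue described above. This is an added example, not part of the original post: it scans a web server access log (combined log format) for successful write requests to the posts and pages REST routes and lists which content to compare against your backup. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Post/page routes, reachable via pretty permalinks or ?rest_route=
ROUTE_RE = re.compile(r'(?:/wp-json|[?&]rest_route=)/wp/v2/(posts|pages)/(\d+)')
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def find_rest_writes(lines):
    """Group successful (2xx) write requests to post/page routes by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] not in WRITE_METHODS:
            continue  # unparsable line or read-only request
        route = ROUTE_RE.search(unquote(m["path"]))  # decode %2F in rest_route
        if route and m["status"].startswith("2"):
            hits[m["ip"]].append(
                (m["time"], m["method"], route[1], int(route[2])))
    return dict(hits)

def affected_content(hits):
    """Sorted (type, id) pairs that were written to; diff these against a backup."""
    return sorted({(kind, cid) for reqs in hits.values()
                   for _, _, kind, cid in reqs})

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2020:03:14:07 +0000] "POST /wp-json/wp/v2/posts/12 '
    'HTTP/1.1" 200 1534 "-" "python-requests/2.12"',
    '203.0.113.7 - - [12/Jun/2020:03:14:09 +0000] "POST /index.php?rest_route='
    '%2Fwp%2Fv2%2Fpages%2F3 HTTP/1.1" 200 1201 "-" "python-requests/2.12"',
    '198.51.100.20 - - [12/Jun/2020:08:00:00 +0000] "GET /wp-json/wp/v2/posts/12 '
    'HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [12/Jun/2020:09:30:00 +0000] "POST /wp-json/wp/v2/posts/12 '
    'HTTP/1.1" 401 120 "-" "curl/7.50"',
]

if __name__ == "__main__":
    found = find_rest_writes(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("review:", affected_content(found))
```

Hits are candidates for review, not proof of tampering: logged-in editors also produce REST writes, so check the IPs and times against people you know were editing.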

Of course, some people would suggest that my list is missing “Migrate away from WordPress, lol.” I mean, yes. That can be an option if the security holes in WordPress concern you. Just keep in mind that no CMS is perfect, and every one of them is prone to security problems. Yes, even the one you built yourself. Especially the one you built yourself.

Do you have tips or suggestions to update our list? Questions about being hacked? Use the comments below to be heard. Please keep the “WordPress sucks lol get gud noob” jokes to a minimum.

 

You can now publish from Adobe Lightroom to WordPress.com using an official plug-in

Photographers using both Adobe Lightroom to edit their pictures, and WordPress.com to publish their work (like yours truly) can now save a lot of time. WordPress.com has just launched a plugin for Adobe Lightroom which allows you to upload photos to the WordPress.com site of your choice, from within Adobe Lightroom.

To achieve this, you can install their brand new plugin 

Using the plugin, you can select the image(s) you want to add from within Lightroom, and publish them to your blog directly.

If you want to use the plugin to upload to your self-hosted WordPress sites, you can. If you’ve got Jetpack installed and can manage your site from within WordPress.com you can easily connect Lightroom to your self-hosted site as well.

We’re looking forward to using this tool (as soon as I figure out how Adobe Lightroom works).

Adding Multiple Pages to WordPress At Once

When you are trying to take your WordPress site beyond a “Blog and a few pages”, you might run into some problems – especially if you’re coming from a Joomla background like me. One of them is that it’s kind of a pain in the butt to create multiple pages quickly.

In Joomla, I could rapidly create pages by (ab)using the “Save and new” button, but there is no such thing in WordPress. But of course, as is often true with WordPress (and Joomla) there is a plugin for nearly everything.

When you are looking to add multiple pages at once, we found a plugin that might interest you. It’s called “Bulk Page Creator” and does just that: It lets you add multiple pages at once.

You can set the category and status for the pages, and then separate the pages you want to add with a comma. We used the plugin to add fifty pages in a few minutes. When creating the pages, you can choose the “parent page”, and you can choose whether the page should be empty. The alternative is writing some content (which will then be added to all pages).

You can find Bulk Page Creator in the WordPress.org plugin directory.