MultiSite Network Hub Website Security Checks:
- 1. WordPress Network Backup:
- WordPress Backup to Dropbox. Backup completed on Thursday November 17, 2016 at 04:31:47.
- 2. WP Secure Administrators:
- No unsafe admin names or IDs. No Posts, Comments or other exposed content authored by admins.
- 3. WP Secure Users:
- Top 5 Failed Logins shows no domains targeted with invalid domain user.
- 4. WordPress Version:
- 5. WordPress Plugins:
- 10 plugins to update:
- Version 2.5.10 installed. Update to 2.5.11. Improved support for WordPress 4.7 and 2 other minor tweaks.
- Version 3.0.3 installed. Update to 3.1.0. Improved support for cache purge and MultiSite Domain Mapping. Also, other tweaks and fixes.
- Code Snippets
- Version 2.7.0 installed. Update to 2.7.2. 2 fixes and translations.
- Multisite Enhancements
- Version 1.3.5 installed. Update to 1.3.7. Various fixes and improvements.
- Version 1.7.3 installed. Update to 1.7.4. Several fixes and 3 new features. Includes ShareThis fix to stop “Fatal error: Call to undefined function mycred_get_share_service_names() in … wp-content/plugins/mycred/includes/classes/class.query-log.php on line 1613”.
- Ninja Forms
- Version 18.104.22.168 installed. Update to 3.0.15. Not updated. Requires a conversion process. Investigate replacement with plugin that is more stable.
- Version 7.7 installed. Update to 7.8. Minor bug fixes.
- Simple Org Chart
- Version 2.0 installed. Update to 2.0.1. Added user node delete option.
- Version 2.6.4 installed. Update to 2.6.8. Loads more Fixes and a few tweaks.
- Yoast SEO
- Version 3.5 installed. Update to 3.8. More bloat and lots of bug fixes.
9 plugins updated to latest versions.
- 6. WordPress Themes:
- Needs theme review to delete badly documented and overly complex themes. Wait for project to downgrade use of child themes.
- 7. Wordfence Scan:
- [Nov 17 07:49:19] Scan Complete. Scanned 14467 files, 43 plugins, 76 themes, 9 pages, 1 comments and 100276 records in 12 minutes 25 seconds. No security problems were detected by Wordfence. 8 ignored issues:
Also, other themes, pending child theme downgrade, and Archiver plugin problem regarding front end update forms.
- 8. Wordfence Blocked IP review:
- No IPs blocked. 22.214.171.124 throttled – IP Access Records for AS202939 Fat Shark Ltd.
- 9. CloudFlare settings review:
- Automatic Cache Management set
On. Always Online set
On. Security Level set
- 10. Spam Comments:
- Registered users only, so annual check only. No spam comments: Next Check May 2017.
- 11. WordPress Log In page indexed:
- Crawl disallowed within MultiSite, so annual check only. Not in Google index: Next Check May 2017.
- 12. GSC Security Issues:
- Currently, we haven’t detected any security issues with your site’s content. Google emails a warning if that status changes, so annual check only. Security check passed: Next Check May 2017.
- 13. GSC Search Traffic – Manual Actions:
- No manual webspam actions found. Annual, as per GSC Security Issues. Manual Actions check passed: Next Check May 2017.
- 14. WP Redirection 404 Hacking Attempts:
- No malicious activity detected.
- 15. WP Media Author:
- No Media Authors are Admins.
- 16. Update SALTS:
- New keys applied.
Next Security Health Check: 17 Dec 2016.
Today’s website security check summary:
3. WordPress Version: Updated from 4.5.2. to 4.5.3.
4. WordPress Plugins: 4 plugins updated:
- Ninja Forms 2.9.48 to 2.9.50. Preparation for version 3.
- Pods – Custom Content Types and Fields 126.96.36.199 to 2.6.6. 9 additions and 8 bug fixes.
- WooCommerce 2.5.5 to 2.6.1. Several changes 2.6.0 – 14/06/16. Approx 20 bug fixes 2.6.1 – 16/06/16.
- Yoast SEO 3.2.5 to 3.3.1. Major changes at 3.3.0 – release Date: June 14th, 2016. Several bugfixes and more enhancements at 3.3.1 – release Date: June 15th, 2016. 1 bugfix & 3 enhancements at 3.3.2 – Release Date: June 21st, 2016.
Today’s website security check summary, includes a new check added at #3:
3. WP Secure Users: Top 5 Failed Logins shows 2 live targets from domain names. Support Request raised: Username security rules breached.
5. WordPress Plugins: 7 plugins updated:
- Archiver 1.0.1 to 1.0.2. Fix: fix issue in which directly referencing array index on function call caused issues in PHP < 5.4.
- Multisite Admin bar Switcher 1.2.3 to 1.2.4. Add support for UTF-8 blog names.
- Ninja Forms 2.9.50 to 2.9.51. More preparation for version 3, and 1 fix.
- WooCommerce 2.6.1 to 2.6.2. Over 40 fixes and tweaks.
- WooCommerce Compare Products LITE 2.4.1 to 2.4.2. Maintenance Update. 1 Bug Fix and 1 Tweak for full compatibility with WooCommerce version 2.6.1 and WordPress version 4.5.3.
- WP Crontrol 1.3 to 1.3.1. “Display a less scary looking message when DISABLE_WP_CRON is defined. Correct the example code for cron event arguments.”
- Yoast SEO 3.3.2 to 3.3.4. 3 bug fixes.
6. WordPress Themes: Movers Packers 1.9 to 2.0. “i) Rectified Sidebar Border Bottom Overlapping.
ii) Translated theme in Greek Language.
iii) Updated Theme Tags.”
Today’s website security check summary.
4. WordPress Version: Updated from 4.5.3. to 4.6. and upgraded network (25 sites).
5. WordPress Plugins: 16 plugins updated:
- Adminer 1.4.4 to 1.4.5. Security release fix unsecure adminer editor loading.
- Archiver 1.0.2 to 1.0.5. 3 fixes. Has caused problem on bbPress User Edit page. Task added: Fix broken update to Archiver Plugin
- bbPress 2.5.9 to 2.5.10. Improved user display-name rendering.
- Child Theme Configurator 2.0.6 to 2.1.1. Various code improvements. No obvious feature changes.
- Code Snippets 2.6.1 to 2.7.0. 5 fixes and 4 minor improvements.
- Compress JPEG & PNG images 1.7.2 to 2.0.2. New Bulk Optimization page and other improvements and fixes.
- myCRED 1.6.9 to 1.7.1. Many improvements. Requires review of all page displays to ensure best presentation of changed features.
- Ninja Forms 2.9.51 to 188.8.131.52. Several fixes, including one security fix.
- Pods – Custom Content Types and Fields 2.6.6 to 2.6.7. 15 fixes.
- Social Login 5.0 to 5.2. Buddypress avatar bugfix. Do not create users without email addresses when plugin set to request emails. Support for WP_PROXY_HOST added. Filter for callback uri added. More pannel added.
- Video Embed & Thumbnail Generator 4.6.8 to 4.6.9. Updated Video.js to version 5.10.7. Fixed bug that sometimes prevented thumbnail generation. Fixed bug that prevented selection of encoding error email setting in Network admin page. Added visual feedback while saving manually selected thumbnails.
- WooCommerce 2.6.2 to 2.6.4. Several fixes and tweaks.
- WooCommerce Compare Products LITE 2.4.2 to 2.5.0. Major changes – need to assess if this improves the situation discussed in Better WooCommerce Compare.
- WordPress Backup to Dropbox 4.5 to 4.5.3. Fix database error: Column ‘offset’ cannot be null.
- WP RSS Aggregator 4.9 to 4.9.1. Changed copyright and other info in plugin header.
- Yoast SEO 3.3.4 to 3.4.2. Much more bloat and bug fixes.
Favicon by RealFaviconGenerator flagged for retirement.
6. WordPress Themes: 7 themes updated.
- Movers Packers 2.0 to 2.2. Removed education & holiday tags as reported by admin. Resolved slider incompatibility with IE.
- Twenty Eleven 2.4 to 2.5. Ephemera widget fix for caching in Customizer preview and Update theme tags.
- Twenty Fifteen 1.5 to 1.6. Remove .pot files from Default Themes and Update theme tags.
- Twenty Fourteen 1.7 to 1.8. Remove .pot files from Default Themes, Fix PHP 7 compatibility issues, and Update theme tags.
- Twenty Sixteen 1.2 to 1.3. Update deprecated theme tags. Make twentysixteen_categorized_blog() function pluggable. Add clearfix for blockquote. Add styles for date/time input[type]s introduced in HTML5. Remove .pot files from Default Themes.
- Twenty Thirteen 1.9 to 2.0. Remove .pot files from Default Themes. Fix selective refresh of Masonry-laid out widgets by deferring initialization until DOM ready. Fix PHP 7 compatibility issues. Update theme tags.
- Twenty Twelve 2.0 to 2.1. Remove .pot files from Default Themes, and Update theme tags.
Storefront to replace with something less commercial looking for a knowledgebase (Retayler and Fernis).
Today’s website security check includes 2 new options (bold below). Therefore, I’ve renumbered the steps to accommodate these additional security checks.
3. WP Secure Users: Top 5 Failed Logins shows 1 domain targeted with invalid domain user. Issue now resolved.
4. WordPress Version: Updated from 4.6. to 4.6.1.
5. WordPress Plugins: 8 plugins updated:
- Child Theme Configurator 2.1.1 to 2.1.2. Fixes related to testing if CTC Pro is installed.
- CloudFlare 1.3.24 to 3.0.2. Extensive changes including more setings to change from within WordPress and analytics view. Removes need for separate purge plugin.
- Compress JPEG & PNG images 2.0.2 to 2.1.0. Compression added for WP Retina 2.x, and 3 fixes.
- myCRED 1.7.1 to 1.7.3. Several fixes and 3 new features.
- Simple Org Chart 1.3 to 2.0. Major update to remove need to start over when editing chart. I rebuilt the one affected chart after updating this plugin.
- Video Embed & Thumbnail Generator 4.6.9 to 4.6.11. Updated Video.js to version 5.11.6. Several fixes and improvements.
- WordPress Importer 0.6.1 to 0.6.3. Added existing post filter and support for import term metadata. 3 Fixes.
- Yoast SEO 3.4.2 to 3.5. More bloat and lots of bug fixes.
6. WordPress Themes: 1 Theme updated:
- Customizr 3.4.21 to 3.4.23. Center the rectangular thumbs with golden ration only in post lists, not in single posts. Several other improvements and fixes.
Pingraphy and Storefront to replace.
7. Wordfence Scan: OK with 4 ignored issues:
- Storefront Theme.
- Retire Pingraphy Theme.
- Favicon Plugin.
- Investigate Ninja Forms replacement.
8. Wordfence Blocked IP review:
No IPs blocked. 184.108.40.206 (Columbus, Ohio, United States) throttled. This is a hosting company. No need for access, so challenged in CloudFlare (no separate ASN record created for AS54455, as Internet Services database is under structural review.)
9. CloudFlare settings review: Automatic Full Cache Management set on. Speed and security confirmed as On and High.
17. Update SALTS: New keys applied.
I’ve done an interim update for the CloudFlare plugin:
3.0.3 – 2016-09-21
– Fixed an issue where some domains were being incorrectly propagated to the domain selector dropdown
– Fixed an issue where the Web Application Firewall was accidentally triggering RFI Attack Rules
– Fixed an issue where image optimization was not being enabled for Pro and higher CloudFlare plans
Today’s website security check:
5. WordPress Plugins: 9 plugins updated:
- bbPress 2.5.10 to 2.5.11. Improved support for WordPress 4.7 and 2 other minor tweaks.
- CloudFlare 3.0.3 to 3.1.0. Improved support for cache purge and MultiSite Domain Mapping. Also, other tweaks and fixes.
- Code Snippets 2.7.0 to 2.7.2. 2 fixes and translations.
- Multisite Enhancements 1.3.5 to 1.3.7. Various fixes and improvements.
- myCRED 1.7.3 to 1.7.4. Several fixes and 3 new features. Includes ShareThis fix to stop “Fatal error: Call to undefined function mycred_get_share_service_names() in … wp-content/plugins/mycred/includes/classes/class.query-log.php on line 1613”.
- Ninja Forms 220.127.116.11 to 3.0.15. Not updated. Requires a conversion process. Investigate replacement with plugin that is more stable.
- ShareThis 7.7 to 7.8. Minor bug fixes.
- Simple Org Chart 2.0 to 2.0.1. Added user node delete option.
- WooCommerce 2.6.4 to 2.6.8. Loads more Fixes and a few tweaks.
- Yoast SEO 3.5 to 3.8. More bloat and lots of bug fixes.
6. WordPress Themes: Needs theme review to delete badly documented and overly complex themes. Wait for project to downgrade use of child themes.
7. Wordfence Scan: Scan Complete. No security problems were detected by Wordfence. 8 ignored issues, mainly themes, pending child theme downgrade.
8. Wordfence Blocked IP review: No IPs blocked. 18.104.22.168 throttled – IP Access Records for AS202939 Fat Shark Ltd.
9. CloudFlare settings review: Automatic Cache Management confirmed On. Always Online confirmed On. Security Level confirmed High.
16. Update SALTS: New keys applied.
The 16 website security checks now need to be split into groups.
First priority is Backup and Version check, including plugin and theme update check.
The first priority is actioned at Installation Security Check for KeCaTa Com. That includes a scheduled prompt for the next check. I’m concerned that the reply won’t be clear enough. And, if so, prompts for repeat checks might get overlooked. Perhaps we could resolve that by making one account responsible for new checks.
Let’s resolve that next week, when the first repeat is due. In the meantime, priorities should be:
- Backup and version check for all independent websites.
- Priority assessment of the other website security checks identified in this topic.
- Process next priority checks for this network hub.
- Process next priority checks for all independent websites.
- Repeat previous 2 steps until all these security checks are scheduled for all websites, including clients.
- Move on to scheduling website quality checks.
scheduled prompt for the next check. I’m concerned that the reply won’t be clear enough. And, if so, prompts for repeat checks might get overlooked. Perhaps we could resolve that by making one account responsible for new checks.
I think the best solution, that should work in all situations, is to use 2 accounts. There will always be a manager, and assistant. So, where Manager owns the task, set the scheduled reply to Assistant. And, vice versa. That way, the task owner can see if there are replies that might need action. Action might be to do the security check, or delegate it. And, I think that will be obvious from the circumstances.
Also, I can double-check these, as part of my daily review of the forum activity list.
I’ve set the first WordPress Installation Security Check to me. So, it should pop-up as a reminder next week. I’m not absolutely certain how bbPress handles its freshness settings.
When we tried this first, the scheduled reply was the latest. But, I believe this was because it was the highest post record number. With the latest procedure, this should not be the case. For example:
- New Security Check topic is created with record number 1. Author is Manager.
- Reminder reply template is created with record number 2. Date is next check date. Author is Assistant.
- Template is copied to new reply. And, posted with record number 3, as Manager processes the check. Author is Manager.
At this stage, bbPress reports that
Started byare both Manager. We interpret this as “No current action required”.
The uncertainty is: what happens when the scheduled date arrives? To test this, I’ve temporarily set the task for an hour. I’ll report back on how bbPress reports this.
And, following my final paragraph, I must report that, the sequence of steps for processing scheduled repeat tasks using bbPress forum replies does not work. Freshness in the topic lists is always based on highest Reply number. This does not change if lower numbered replies are dated later.
Therefore, I suggest we use scheduled topics for next task. But, document actions taken by replies to a separate topic.
You should log in to KeČaTa to reply to this topic.
If you need more information, get it from Keith Taylor’s Log-in Help.