WordPress Exploit – AMP Plugin

AMP for WP -Accelerated Mobile Pages allows your site to be faster for mobile visitors. Along with last week’s report, the AMP plugin has also been added to the list exploited. The AMP for WP plugin was reported on October 20, 2018, by its developers. Luckily, the newest version, 0.9.97.20, of this plugin has patched for their known security flaws. This exploit has the means of putting 100,000+ users at potential risk, so its best to check if you are utilizing this plugin. In this tutorial, we will be checking if you use this plugin. Along with updating, we will also show you how to check if your site for compromises.

In the vein of the WP GDPR plugin exploit, the AMP hack allows code vulnerability to make site-wide changes. Bots scan for sites using the AMP plugin and use an XSS security bug to create a new user that has admin-like privileges. The vulnerable versions’ (below 0.9.97.20) code didn’t cross check to see if registered users had the permissions to perform some actions. With administrative like privileges a hacker can hide their code within your WordPress files to use to take over your website. Additionally, they can upload files, update plugins, read files, and inject posts.

Identify If You Use AMP for WP

By logging into your WordPress backend you can easily see if you are subject to this exploit.

Step 1: Enter the WordPress backend by going to yourdomain.com/wp-login.php in your browser.
Step 2: Login with your WordPress username and password and navigate to Plugins and click on Installed Plugins on the left-hand side of your screen.
Step 3: Scroll down through any installed plugins to see if you have Accelerated Mobile Pages within your list, followed by its version. Any version below 0.9.97.20 is still vulnerable and you’ll have to perform a few actions to protect yourself.
The Plugins section in WordPress will allow you to see if you are utilizing AMP.

Upgrade AMP – Accelerated Mobile Pages

Note: It’s recommended to backup your website before pushing any updates.

Step 1: Follow the steps above in the section “Identify If You Use AMP for WP” to login and locate your Plugins menu.

Step 2: Locate Accelerated Mobile Pages. If you are running an outdated version you’ll see a message providing you a link to update. Click “update now” to automatically update to the latest version.

 

In the WordPress backend click the "update now" link to protect yourself from the AMP hack.

Have You Been Hacked?

A site hack is possible even without noticing any visual differences to your site. For a closer inspection below are some of the characteristics of the AMP exploit.

  • Characteristics of the AMP hack:
  • External Calls to sslapis.com
  • New creation of WordPress admin user “supportuuser”
  • Post injections
  • Registered user can manipulate code
  • Code vulnerability in ajax hooks
    • ampforwp_save_steps_data
    • wp_ajax_ampforwp_get_licence_activate_update
    • wp_ajax_ampforwp_deactivate_license
    • wp_ajax_ampforwp_save_installer
    • wp_ajax_amppb_export_layout_data
    • wp_ajax_amppb_save_layout_data
    • wp_ajax_ampforwp_get_image

If have identified your site is compromised from above characteristics, you’ll want to remedy it immediately since other sites on the same server can potentially be affected.

  • Liquid Web customer can purchase a Malware Clean Up package
  • Manually remove the code from the infected files
  • Restore from a backup dated before October 20, 2018 (keep in mind this will still have the old version and your site will still be in danger).

As time goes by, more plugins will give way to more vulnerabilities but there are some proactive steps to ensure your site’s security. For insight into ways of protecting your WordPress site look into our article on the subject, The Best Ways to Protect Your WordPress Site.

 

An Overview of Managed WordPress

WordPress is open source software for building unique and powerful websites! It is quickly becoming the easiest and most popular way to create blogs, business sites, portfolios, forums, memberships, and e-commerce websites.

Liquid Web’s Managed WordPress Hosting is a complete solution for your web publishing needs. With pre-installed plugins, streamlined plugin updates, website staging area, nightly backups, iThemes sync, and customizable website stencils, it’s a must-have for any WordPress developer.

 

MWP Features

Let’s get right into it with a couple of Managed WordPress Hosting best features and ease of use!

 

 

Pre-installed Plugins:

Managed WordPress (MWP) comes with quite a few money saving, pre-installed plugins, curated for maximum performance:

Akismet
Akismet: The number one plugin for spam filtering on blogs and forum pages.  This indispensable plugin helps comment-heavy sites by preventing spam comments from being posted to your site. Akismet protects your website from being marked negatively thus helping your Google SEO standing. A free plan is included with every site as well as having the option to subscribe to their Plus and Enterprise plans.
Async JavaScript
Async JavaScriptWith a 4.5-star rating by its users, Async JavaScript increases site speed and search engine ranking by only loading javascript viewable by the user.
Autoptimize
Autoptimize: If speed is essential to your site then you can’t go wrong with the Auto Optimizer plugin. Autoptimize takes out the legwork of site optimization by aggregating, minifying and caching scripts. For the CSS and JavaScript programmer, it can inject CSS into your page header, async non-aggregated JavaScript, and minimize HTML.
BJ Lazy Load
BJ Lazy Load: This plugin comes in handy for sites with lots of images. The idea is only to load those videos/pictures that are viewable on the browser and not those below the screen view (or “fold” as it’s called) until the client scrolls down the page. Thus increasing site speed and performance by reducing the resources loaded at a given time.
iThemes Sync
Themes Sync: Ever wish you had a portal where you could update all your plugins and themes for multiple websites in one spot? Look no further then iThemes Sync.  iThemes Sync provides you with one central dashboard for all your WordPress admin tasks saving you time to focus on development.
TinyPNG
TinyPNG: Minimizes load times for your site by compressing your images, while still maintaining photo resolution. Compression increases site performance especially if you have a large number of images.

WP Forms Lite
WP Forms Lite: Easily create contact forms with intuitive tools that allow for drag and drop construction.

Liquid Web’s Managed WordPress staging site allows you to experiment with themes, plugins, or any variety of other changes you might want to make, all without affecting your live site! It works by creating a temporary clone of your site to test your changes, giving you a chance to get things exactly the way you want them before applying them to your live site. So feel free to test away!

Nightly backups of your sites are included in each plan. The backups allow you to roll back to an older version by clicking the restore option, or you can download a copy. No need to install an extra plugin or stress when a development error occurs.

Core updates help secure your site from hackers and malware by keeping your website up to date. Once available, the core WordPress plugin updates MWP are tested before being implemented on your site. If the plugin or update is compatible with your site, it will auto push the update to the live site. If the new update is not compatible, it will let you know via email allowing you time to inspect at your leisure.

The stencil feature is useful for developers who use the same themes and plugins across multiple sites. You can create as many stencils as you like with the click of a button! Click here for information about how you can set up your stencil.

Managed WordPress allows you to access your content via SSH and FTP. Once logged into SSH, Liquid Web’s Manage WordPress comes with WP-CLI pre-installed, so you can make simple commands from the command line to fine-tune users, plugins, and current themes settings.

Let your users know their information is safe! Managed WordPress includes free SSL for all sites on your server to help keep your sites secure.  With automatic SSLs you no longer have to purchase certificates for your websites!

Our managed WordPress product has a 24/7 operations team that manages routine server maintenance and monitors for DDoS attacks, so you don’t have to, leaving you free to develop your website’s content.

Experience a streamlined way managing your sites through Liquid Web’s Managed WordPress platform.

 

Managing code snippets in WooCommerce

When working on a WordPress site, especially stores, you’ll likely reach a point where you need something custom. You might want to customize something that doesn’t have a true setting in WordPress? Or, you need to add a custom hook to modify something? Or, maybe you need to customize part of your WooCommerce store?

No matter the case, making code changes means you’ll need to know the right place to do that. In this article, we cover the best ways to get this done and some best practices.
Continue reading “Managing code snippets in WooCommerce”

How to Block Traffic by Country in the CSF Firewall

One of the most-requested features on cPanel servers is the ability to manage and filter traffic at a country level. With the ConfigServer Firewall (CSF) plugin in WebHost Manager, you can do exactly that.

Country-level filtering in CSF uses the Maxmind GeoLite Country database to obtain CIDR (Classless Inter-Domain Routing) ranges for specific countries. Each CIDR range covers all the IP addresses assigned to that country. Continue reading “How to Block Traffic by Country in the CSF Firewall”

How to Prevent Being Hacked by the Cross-site Scripting Vulnerability in WP Super Cache

The popular WordPress plugin WP Super Cache has been found to have a cross-site scripting (XSS) vulnerability in versions prior to 1.4.4. On sites with outdated versions, it is possible for an attacker to take complete control of the WordPress site. Please note: this vulnerability only affects users which have installed WP Super Cache. However, if you are unsure if you use the plugin or not you should still take precautions to protect your site.

Thankfully, this is vulnerability is simple to address; version 1.4.4, available now, contains a patch.

This tutorial is very similar to our tutorial on updating any WordPress plugin: How To Update a WordPress Plugin

Continue reading “How to Prevent Being Hacked by the Cross-site Scripting Vulnerability in WP Super Cache”

How to Update a WordPress Plugin

Step 1: Login to WordPress as Administrator

Hopefully, you’re already well-versed in logging into your WordPress site as an administrator!

Step 2: Access Updates

If there is an update for a plugin or a theme, then you’ll likely have a number in the top bar and next to Updates as shown below (the number 5). Click on Updates!

How To Update a WordPress Plugin - 01

Step 3: Select All the Plugins

Check the box for Select All:

How To Update a WordPress Plugin - 02

Step 4: Update the Plugins

Click on Update Plugins:

How To Update a WordPress Plugin

And at the end of the update process you should receive something similar to, All updates have been completed.

How To Update a WordPress Plugin