WordPress

Yuzo Related Posts Plugin Security Threat

If you have this plugin installed, even if it’s not active, delete it immediately!

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
by Dan Moen, Wordfence.com
April 10, 2019

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed. Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value. When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages.

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP. Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was

Grammarly Adds Junk Code to WordPress Posts and Pages

Grammarly Adds Junk Code to WordPress Posts and Pages
By Kris Gunnars, SearchTraffic.com
April 4, 2019

When you enable the Grammarly extension in your browser, it scans the text that you type for spelling and grammar errors and underlines them. This is what your text looks like if you have spelling errors with Grammarly enabled:

When you hover over an underlined word, Grammarly shows a suggestion for a fix. You can simply click the suggestion and Grammarly corrects the text for you, which is very useful.

Junk code added to the published pages

If I publish the text block above, with the spelling errors still highlighted, Grammarly html code gets added to the published page.

If you get a lot of Grammarly suggestions in your code and don’t take action to fix them, then your pages will become bloated with a lot of this type of junk code. I call this code “junk” because it doesn’t serve any purpose whatsoever on the live, published page that is consumed by real users and search engines. All it does is increase the size of your page, which can have negative effects on site speed.

Taking action on the code errors usually gets rid of the code, so you need to hover over each word and either select the suggested correction or click the “Ignore” button. Unfortunately, it doesn’t always work. Even if you take action on all of the suggestions, chances are that you will still find a lot of this unnecessary html junk code on your live pages.

Some junk code may remain on the page

I noticed while doing some article cleanup that most of my published articles had a bunch of this junk code added, including for parts of the text that didn’t have any errors. Here’s an example:

Seeing more contact form spam? Contact Form 7 now requires reCaptcha 3

I have been seeing more contact form spam in the past month or so from my own WordPress sites and clients are reporting the same. I assumed this was human spam and that little could be done to prevent it using the usual automated measures against spambots. However, while making changes on one of the sites, I noticed:

- that the form was no longer working, displaying a “There was a problem. Your email could not be sent.”, or words to that effect;
- that the reCaptcha 2 form was not being displayed below the form.

I was vaguely aware that current versions of Contact Form 7 supported reCaptcha 3. What I failed to appreciate was that these versions were not backward compatible in that they no longer supported reCaptcha 2. That means, depending on the site, either visitors attempting to use your contact page were not getting their messages delivered; or messages sent via the form were no longer being intercepted by reCaptcha.

If you use Contact Form 7 on any of your sites, make sure that you update them to reCaptcha 3:

- go to reCAPTCHA: Easy on Humans, Hard on Bots
- scroll down to the bottom of the page listing your sites and create a new listing for your domain to use reCaptcha 3 (there does not appear to be any way to just update a version 2 listing to version 3)
- delete your old site keys under the Integration option for Contact Form 7 and replace them with the new reCaptcha 3 site keys

(Note: since these site keys apply to a domain plus any subdomains or subfolders under that domain, don’t delete your reCaptcha 2 keys until you are certain that you don’t have an application still using the old version. In particular, note that any custom HTML

WordPress Gutenberg editor is here: Are you ready?

Not everyone is happy about the new WordPress Gutenberg editor. Here’s a good summary about how to use it and how to avoid it (for now anyway) if you don’t want to use it:

Official Resources for the Gutenberg Block Editor
by Jeff Starr, DigWP.com
December 14th, 2018

Just a quick post to share some recommended useful resources for anyone working with the new Gutenberg Block Editor.

Learn more about Gutenberg

There are many official posts that are useful in specific contexts. This list focuses on just the main resources for learning more about Gutenberg Block Editor. Starting points for digging in and branching out.

- Gutenberg Handbook
- Gutenberg Designer & Developer Handbook
- WordPress 5.0 Field Guide
- Gutenberg Media 5.0 Guide
- Blocks, Plugins, and You

Any one of these resources will open many doors for further learning and exploration of the Gutenberg Block Editor and related WordPress features.

Gutenberg Alternatives

The Gutenberg Block Editor has come a long way since it first began as a plugin. But not everyone is ready for the changes. Some folks like myself prefer the original “classic” editor. So for anyone looking for alternatives to Gutenberg, here are some resources that may be useful.

- Classic Editor — official plugin by the WP team to restore the Classic Editor, already over 1 million active installations.
- Disable Gutenberg — free WP plugin that completely disables all traces of Gutenberg and restores the Classic Editor. Includes robust options for custom configuration and selective enabling of the Block Editor.
- ClassicPress — the new “Gutenberg-free” version of WordPress (forked at WP 4.9) that’s focused on providing a reliable, consistent CMS.

Read more…

Google Reviews Widget for WordPress

I recently started a test drive of a neat WordPress widget plugin called the Google Reviews Widget by RichPlugins. I’m using the free version at the moment which you can download from WordPress.org here. The plugin boasts the following features:

- Display up to 5 Google business reviews per location
- Keep all reviews in WordPress database
- Shows real reviews from G+ users to increase user confidence
- Easy search of place and instantly show reviews
- Nofollow, target=”_blank” links
- Zero load time regardless of your site
- Works even if Google is unavailable

The plugin does what it claims and creates a nice display in your sidebar of up to 5 reviews. The current free version is a bit quirky.

I hadn’t really promoted my Google My Business page for this site other than registering some basic information (the cobbler’s shoes phenomenon), so I only recently started supplying the Google Reviews link to clients. When I first installed it, there were only two reviews and the plugin grabbed and displayed those just fine in the sidebar. However, when a third review was added, the plugin didn’t pick that up, even though obviously I was well within the 5 reviews limit.

An email to the plugin support page was answered promptly on Monday morning, instructing me to add a second instance of the widget to force an update (see below) and then delete it once the reviews in the database were updated. This worked, although of course it would be a pain to have to do that repeatedly. I’m not certain whether the authors were suggesting this as a fix if the plugin gets stuck or whether this is a known bug that might get fixed in a future update.

According to their support forum, both plugins (free and paid) use the Google Places API

WordPress 4.9.8, Gutenberg, and Avoiding the Test Run

WordPress 4.9.8 Released
by Jeff Chandler, WordPress Tavern
August 3, 2018

WordPress 4.9.8 is available for download and is a maintenance release. Headlining this version is the “Try Gutenberg” callout. Note that not everyone will see the callout. Its visibility is determined based on certain criteria. This update is rolling out now so check your dashboards.

If you are one of those who is selected for the pretest and you do NOT want to pretest Gutenberg, just click the “Install the Classic Editor” button. As I mentioned in a previous post, there are already some plugins available to prevent Gutenberg and keep the classic editor so, for a while at least, you can avoid Gutenberg altogether. But you will be nagged by WordPress because they are pushing this thing.

Website Performance and Site Speed Tests Revisited

In a previous post from April 2018, Testing WordPress Performance and Site Speed, I discussed an article describing five online tools for testing the page load speeds for your website.

- Google PageSpeed Insights
- Pingdom
- GTmetrix
- WebPagetest
- YSlow Browser Plugin

Most of these simply test a webpage from the URL submitted and report relative site speed of that page (it’s not always clear relative to what exactly – presumably all other webpages that tool has tested) and then make suggestions on how you can improve the performance of that page. Pingdom allows you to select from one of three locations to use to test your page load speed. WebPagetest expands on this by offering a choice of several locations around the world and in addition allows you to check your page speed with a choice of browsers and devices.

More recently, I learned about a new online tool which is similar to those discussed above but with several significant improvements: Website Speed Test | Dotcom-Tools. Dotcom-Tools adds the following features to those offered by their competitors:

- Tests browser-based load time of all page elements
- Detects slow or missing elements
- Tests from your selection of Chrome, Firefox, Internet Explorer, or various mobile web browsers
- Provides a complete waterfall report with charts and graphs
- Displays results from nearly two dozen global locations all in the same report
- Conducts tests from each location twice, with the second visit cached to allow you to estimate the effectiveness of the various caching systems used by your page

These tests are all absolutely free with no sign-up required.

Dotcom Web Site Monitoring also offers a selection of various paid plans as well. In addition to the features of the free service described above, the Pro plans offer Website Performance Monitoring starting at $7.99 USD per month for

How to Disable Gutenberg in WordPress

The new Gutenberg editor is coming soon to WordPress. Some welcome this change. Some disparage it. Whichever camp you fall into, if you manage client sites you may want to disable it temporarily (or permanently) for client sites, either site-wide or for certain types of posts. The good news is you can now easily do that.

How to Disable Gutenberg: Complete Guide
by Jeff Starr, DigWP.com
April 18th, 2018

Gutenberg soon will be added to the WordPress core. This is great news for some, not so great for others. With 99.9999% (estimate) of all WordPress sites currently setup to work without Gutenberg, the massive changes barreling down the pike are going to affect literally millions of websites. And as swell as the whole “Gutenberg” experience may seem, the simple truth is that a vast majority of site owners will not be prepared when it finally hits. Nor will many small businesses have time or budget to test and update client sites to accommodate ol’ Gut’.

If that sounds like your situation, you basically have two options:

- Buck up and fork out your time and money to test and update all existing client sites for Gutenberg.
- OR, simply disable Gutenberg until you are ready for it.

The easiest way to disable Gutenberg is to install my free plugin, Disable Gutenberg. It is a simple plugin focused on one thing: disabling Gutenberg and restoring the default classic WP Editor screen. Just enable the plugin, choose your options and done. Options include:

- Disable Gutenberg completely (all post types)
- Disable Gutenberg only on specific post types
- Disable Gutenberg for specific user roles

So it’s flexible yet simple, and super easy to use. Check out the documentation and homepage for more details.

More options…

I will be testing both the Disable Gutenberg plugin and a second

Testing WordPress Performance and Site Speed

5 Tools to Test WordPress Performance and Site Speed
WPExplorer
January 10, 2018

The following tools will give you a complete picture of your website’s performance. You can use a single tool, or use them all in conjunction to cross-reference website data.

1. Google PageSpeed Insights

PageSpeed Insights is a brainchild of Google. This nifty web app measures your site’s performance across multiple devices, including desktop and mobile browsers. This is useful if your visitors are accessing your site from a variety of screen sizes and devices.

2. Pingdom

Pingdom is a free tool that gives you full-site performance information including load time, page size, as well as a detailed analysis of each page on your website. Best of all, this app saves your performance history, so you can track if your efforts to improve loading times are working.

3. GTmetrix

The report that GTmetrix generates will show you a complete history of the website’s loading speeds, as well as a detailed report that suggests ways to improve the performance of your website. Beyond the initial page analysis tools, this web tool also has a video playback feature that enables you to see where the loading speed bottlenecks occur.

4. WebPagetest

WebPagetest gives you your site’s loading speed and a grade breakdown of your site’s performance. It’s unique in that it allows you to select a country to view your report from, so you can see how your site performs across the world. This is useful if you have a large overseas user base.

5. YSlow Browser Plugin

YSlow is a browser plugin that lets you track the performance of any site you’re currently visiting. It doesn’t give you the actual load time, but it does break down over 20 different performance cues. This can help you compare competitors’ sites within your niche to see

Facebook Instant Articles for WordPress

Automattic Releases WordPress Plugin for Facebook’s Instant Articles
by Sarah Gooding, WordPress Tavern
March 7, 2016

Today the WordPress.com VIP team released a plugin for Facebook’s Instant Articles, which will be open to any publisher starting April 12, 2016. Automattic partnered with Facebook and VIP-Featured-Partner agency Dekode to produce a plugin that outputs a compliant feed of posts wrapped in the required markup for Facebook. Instant Articles for WordPress is now available on GitHub and is also coming soon to the WordPress plugin directory.

Publishers must go through a review process to ensure that their posts are properly formatted and compliant before being allowed to push content via Instant Articles. Once approved, articles will load nearly instantly on mobile devices. According to Facebook, the speed is as much as 10 times faster than the standard mobile web.

Read more…

The WordPress plugin is available at Facebook Instant Articles for WP — WordPress Plugins. This plugin adds support for Instant Articles for Facebook, which is a new way for publishers to distribute fast, interactive stories on Facebook. Instant Articles are preloaded in the Facebook mobile app so they load instantly. With the plugin active, a special RSS feed will be available at the URL /feed/instant-articles.

Developers: please note that this plugin is still in early stages and the underlying APIs (like filters, classes, etc.) may change.

Feed submission to Facebook

Facebook has a review process where they verify that all Instant Articles are properly formatted, have content consistency with their mobile web counterparts, and adhere to their community standards and content policies. You will not be able to publish Instant Articles in Facebook until your feed has been approved. It’s important to note that if you use meta fields to add extra text, images or videos to your Posts, Facebook will
© Psychlinks Web Services. All rights reserved.