Posts

Yuzo Related Posts Plugin Security Threat

If you have this plugin installed, even if it’s not active, delete it immediately!

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
by Dan Moen, Wordfence.com
April 10, 2019

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days.

We recommend that all users remove the plugin from their sites immediately.

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed. Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value. When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages.

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP. Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was

Grammarly Adds Junk Code to WordPress Posts and Pages

Grammarly Adds Junk Code to WordPress Posts and Pages
By Kris Gunnars, SearchTraffic.com
April 4, 2019

When you enable the Grammarly extension in your browser, it scans the text that you type for spelling and grammar errors and underlines them. This is what your text looks like if you have spelling errors with Grammarly enabled:

When you hover over an underlined word, Grammarly shows a suggestion for a fix. You can simply click the suggestion and Grammarly corrects the text for you, which is very useful.

Junk code added to the published pages

If I publish the text block above, with the spelling errors still highlighted, Grammarly html code gets added to the published page. If you get a lot of Grammarly suggestions in your code and don’t take action to fix them, then your pages will become bloated with a lot of this type of junk code.

I call this code “junk” because it doesn’t serve any purpose whatsoever on the live, published page that is consumed by real users and search engines. All it does is increase the size of your page, which can have negative effects on site speed.

Taking action on the code errors usually gets rid of the code, so you need to hover over each word and either select the suggested correction or click the “Ignore” button. Unfortunately, it doesn’t always work. Even if you take action on all of the suggestions, chances are that you will still find a lot of this unnecessary html junk code on your live pages.

Some junk code may remain on the page

I noticed while doing some article cleanup that most of my published articles had a bunch of this junk code added, including for parts of the text that didn’t have any errors. Here’s an example:

Page Load Speed: Benefits to Ranking in Mobile Search & User Retention

User experience improvements with page speed in mobile search
Google Webmaster Blog
April 4, 2019

To help users find the answers to their questions faster, we included page speed as a ranking factor for mobile searches in 2018. Since then, we’ve observed improvements on many pages across the web. We want to recognize the performance improvements webmasters have made over the past year. A few highlights:

- For the slowest one-third of traffic, we saw user-centric performance metrics improve by 15% to 20% in 2018. As a comparison, no improvement was seen in 2017.
- We observed improvements across the whole web ecosystem. On a per country basis, more than 95% of countries had improved speeds.
- When a page is slow to load, users are more likely to abandon the navigation. Thanks to these speed improvements, we’ve observed a 20% reduction in abandonment rate for navigations initiated from Search, a metric that site owners can now also measure via the Network Error Logging API available in Chrome.
- In 2018, developers ran over a billion PageSpeed Insights audits to identify performance optimization opportunities for over 200 million unique urls.

Read more…

How does your site measure up when it comes to mobile loading speed?

- Check your load times at PageSpeed Insights.
- Check Google’s Chrome User Experience Report to see how you measure up to other web pages.
- See Google’s article on Why Performance Matters.

If your site doesn’t compare well to your competitors’ sites, you are almost certainly losing potential customers in a world where increasingly people have abandoned desktop and laptop computers and are searching for products and services on tablets or smart phones.

Contact us today for an evaluation of your business website. We won’t mislead you and we will never try to sell you anything you don’t need. But if

Windows Mail Phantom New Message Count

I use Microsoft Outlook as my primary email client but for less urgent things (things that don’t necessarily need to have immediate attention) I also have some accounts set up in the Windows 10 Mail app.

Periodically, the Mail app seems to get stuck displaying 1 unread message when in fact all messages have been read, something that has come to be known as the “phantom message”. Sometimes, the count may be higher than 1 but the most common scenario is just 1 phantom message. People have been reporting this, complaining about it, and seeking solutions since Windows 8 but it’s still an issue with apparently no clear solution.

The issue seems to be caused (in Windows 10 at least) by dismissing new mail notifications in the Windows Notification area (or in the notification popup) instead of opening the Mail app to check the mail. This seems to mess up the mail synchronization function in the app.

Most of the suggested solutions either don’t work at all or they involve drastic measures like uninstalling and reinstalling the app, or performing a complete reset on the app, either of which is probably going to cause a loss of your emails and even your accounts, meaning you have to set everything up all over again. Thank you, Microsoft, but if that’s my only option I think I’d rather live with the annoyance of a phantom 1 showing on the app.

Fortunately, there is a solution I’ve discovered, possibly two, that actually works:

Try this first: If you have a second account, or if you create a temporary one, send yourself an email to an account that is checked by the Windows Mail app. Then open the app, and click on the email to “read” it, and the unread mail count should reset

Seeing more contact form spam? Contact Form 7 now requires reCaptcha 3

I have been seeing more contact form spam in the past month or so from my own WordPress sites and clients are reporting the same. I assumed this was human spam and that little could be done to prevent it using the usual automated measures against spambots.

However, while making changes on one of the sites, I noticed:

- that the form was no longer working, displaying “There was a problem. Your email could not be sent.”, or words to that effect.
- that the reCaptcha 2 form was not being displayed below the form.

I was vaguely aware that current versions of Contact Form 7 supported reCaptcha 3. What I failed to appreciate was that these versions were not backward compatible in that they no longer supported reCaptcha 2. That means, depending on the site, either

- visitors attempting to use your contact page were not getting their messages delivered; or
- messages sent via the form were no longer being intercepted by reCaptcha.

If you use Contact Form 7 on any of your sites, make sure that you update them to reCaptcha 3:

1. go to reCAPTCHA: Easy on Humans, Hard on Bots
2. scroll down to the bottom of the page listing your sites and create a new listing for your domain to use reCaptcha 3 (there does not appear to be any way to just update a version 2 listing to version 3)
3. delete your old site keys under the Integration option for Contact Form 7 and replace them with the new reCaptcha 3 site keys

(Note: since these site keys apply to a domain plus any subdomains or subfolders under that domain, don’t delete your reCaptcha 2 keys until you are certain that you don’t have an application still using the old version. In particular, note that any custom HTML

WordPress Gutenberg editor is here: Are you ready?

Not everyone is happy about the new WordPress Gutenberg editor. Here’s a good summary about how to use it and how to avoid it (for now anyway) if you don’t want to use it:

Official Resources for the Gutenberg Block Editor
by Jeff Starr, DigWP.com
December 14th, 2018

Just a quick post to share some recommended useful resources for anyone working with the new Gutenberg Block Editor.

Learn more about Gutenberg

There are many official posts that are useful in specific contexts. This list focuses on just the main resources for learning more about Gutenberg Block Editor. Starting points for digging in and branching out.

- Gutenberg Handbook
- Gutenberg Designer & Developer Handbook
- WordPress 5.0 Field Guide
- Gutenberg Media 5.0 Guide
- Blocks, Plugins, and You

Any one of these resources will open many doors for further learning and exploration of the Gutenberg Block Editor and related WordPress features.

Gutenberg Alternatives

The Gutenberg Block Editor has come a long way since it first began as a plugin. But not everyone is ready for the changes. Some folks like myself prefer the original “classic” editor. So for anyone looking for alternatives to Gutenberg, here are some resources that may be useful.

- Classic Editor — official plugin by the WP team to restore the Classic Editor, already over 1 million active installations.
- Disable Gutenberg — free WP plugin that completely disables all traces of Gutenberg and restores the Classic Editor. Includes robust options for custom configuration and selective enabling of the Block Editor.
- ClassicPress — the new “Gutenberg-free” version of WordPress (forked at WP 4.9) that’s focused on providing a reliable, consistent CMS.

Read more…

Google Reviews Widget for WordPress

I recently started a test drive of a neat WordPress widget plugin called the Google Reviews Widget by RichPlugins. I’m using the free version at the moment which you can download from WordPress.org here.

The plugin boasts the following features:

- Display up to 5 Google business reviews per location
- Keep all reviews in WordPress database
- Shows real reviews from G+ users to increase user confidence
- Easy search of place and instantly show reviews
- Nofollow, target="_blank" links
- Zero load time regardless of your site
- Works even if Google is unavailable

The plugin does what it claims and creates a nice display in your sidebar of up to 5 reviews.

The current free version is a bit quirky. I hadn’t really promoted my Google My Business page for this site other than registering some basic information (the cobbler’s shoes phenomenon) so I only recently started supplying the Google Reviews link to clients. When I first installed it, there were only two reviews and the plugin grabbed and displayed those just fine in the sidebar. However, when a third review was added, the plugin didn’t pick that up, even though obviously I was well within the 5 reviews limit.

An email to the plugin support page was answered promptly on Monday morning, instructing me to add a second instance of the widget to force an update (see below) and then delete it once the reviews in the database were updated. This worked, although of course it would be a pain to have to do that repeatedly. I’m not certain whether the authors were suggesting this as a fix if the plugin gets stuck or whether this is a known bug that might get fixed in a future update.

According to their support forum, Both plugins (free and paid) use the Google Places API

Extraordinary support, extraordinary people

I recently upgraded a forum to Xenforo 2. This was a major upgrade with a bit of a learning curve to convert everything from the previous version, Xenforo 1.5.21. I won’t pretend it wasn’t challenging but it was made a lot easier by the help and support from four individuals in particular who went out of their way to help during this process and to provide fast support, even on the weekend and late at night to get the forums back online. First, I need to thank two people from Xenforo, for providing advice and support beyond the call of duty: ChrisD and Slavik. Second, Russ from Pixel Exit. Pixel Exit are the designers of some excellent Xenforo forum themes or styles. Russ never seems to sleep! It seems like no matter what day of the week or what hour of the day or night I submitted a question in a support ticket, he was back with a solution usually within an hour or two and sometimes within a matter of minutes. And third, but by no means least, AndyB, the author of numerous addons at XF2 Addons which we are using both currently and in the previous forum software version to add extra features to the forum.

Website Push Notifications: How to Disable Them in Major Browsers

With recent browser updates, it appears that the popups asking whether you want to allow Push Notifications from websites you visit have become more aggressive – or perhaps it’s just that more websites are using this feature. We have nothing enabled on this site to use these popups but here is how to disable these annoying popups in the three major browsers for Windows.

Disable all push notifications in Chrome

How notifications work

By default, Chrome alerts you whenever a website, app, or extension wants to send you notifications. You can change this setting at any time. If you’re browsing in Incognito mode, you won’t get notifications.

Allow or block notifications from all sites

1. On your computer, open Chrome.
2. At the top right, click More > Settings.
3. At the bottom, click Advanced.
4. Under “Privacy and security,” click Content settings.
5. Click Notifications.

Block all: Turn off Ask before sending.
Block a site: Next to “Block,” click Add. Enter the site and click Add.
Allow a site: Next to “Allow,” click Add. Enter the site and click Add.

Choose to block or allow notifications: You can also block any sites or apps from sending you notifications.

Disable all push notifications in Firefox

1. Open up Firefox, click on the Menu button at the top right, and click Options.
2. Click on Privacy & Security in the left pane.
3. Scroll down to Permissions > Notifications.
4. Click on Settings to the right of Notifications.
5. If there are any websites already listed as okay, click on Remove All Websites.
6. Check the box next to Block new requests asking to allow notifications.
7. Click Save changes.

Disable all push notifications in Edge

1. Start Edge and click on the More button at the top right.
2. Scroll down to View Advanced Settings.
3. Scroll down to Website Permissions.

I think you

Google Public DNS turns 8.8.8.8 years old

Google Public DNS turns 8.8.8.8 years old
by Alexander Dupuy, Software Engineer, Google Online Security Blog
August 11, 2018

Once upon a time, we launched Google Public DNS, which you might know by its iconic IP address, 8.8.8.8. Sunday, August 12th, 2018, at 00:30 UTC marks eight years, eight months, eight days and eight hours since the announcement. Though not as well-known as Google Search or Gmail, the four eights have had quite a journey—and some pretty amazing growth! Whether it’s travelers in India’s train stations or researchers on the remote Antarctic island Bouvetøya, hundreds of millions of people the world over rely on our free DNS service to turn domain names like wikipedia.org into IP addresses like 208.80.154.224.

Read more…

If you haven’t tried Google DNS or other DNS alternatives like OpenDNS, there is a free small utility called DNS Jumper that makes it easy to

- scan and identify the fastest DNS server in your area, with speed comparisons to all the others tested
- switch to the DNS server of your choice
- switch back to your original default DNS server (usually the one used by your Internet Service Provider or ISP) at any time

Download DNS Jumper 2.1 for Windows at: Download DNS jumper 2.1 (Free) for Windows
© Psychlinks Web Services. All rights reserved.