WordPress Flaw found in Social Media plugin

A flaw found in the Simple Social Buttons plugin could allow an attacker to take over your site.


URGENT – If you use the ‘Simple Social Buttons’ plugin in your WordPress installation, you should update it to the latest version immediately, as a serious flaw has been found in it that could allow an attacker to take over the site. The flaw was discovered last week by security researcher and developer Luka Šikić, and a video showing how to use it to break into WordPress websites has been released.

The flaw has been fixed by the developer and a patch has been released. If you haven’t already updated, you should do so now.

The flaw can only be leveraged on sites that allow user sign-up, which most sites have disabled for security reasons. Nevertheless, you should update before attackers figure out how to exploit the flaw without the user sign-up requirement.

Any of our customers who have website maintenance contracts will have already been updated to the latest security patch. If you are not sure then you should contact your web development team and/or your host to see if they can help.

If you are really stuck then we may be able to help. Please submit a support ticket with your website URL and contact information. Do NOT post your username and password in the ticket; we will contact you separately for that information if needed.

If you use the Simple Social Buttons plugin for WordPress then make sure you update your site to correct the security flaw immediately.

Stay Safe

CritchCorp Computers Ltd.

 

Google Forces Sites to use SSL Certificates

***Notice to all Website owners***

That’s right, as of July 2018 Google Chrome will start reporting non-SSL sites (that is, sites that don’t use https:// for access) as insecure. This is a major change from the current norm, which is to highlight sites that use SSL certificates with a green SECURE next to the address (other browsers use a green padlock). From July this year Chrome will not show the green SECURE, but it will show a NOT SECURE next to any site that does not have an SSL certificate, making it the norm to have an SSL certificate. That is going to be followed in the future by a warning screen that informs users that continuing to your site is not recommended. The warning wall is not being implemented right away, but it is planned for the future.

Google's July update, what it looks like

What the browser will report before and after July for sites that do not have an SSL certificate.

The new move forces website owners to have an SSL certificate and make their site secure, even if it is not required, or risk losing visitors that are scared away.

There are several different types of SSL certificate, and the higher (more expensive) ones will still show the green bar in the address bar, but the norm will be to have one of the cheaper ones. If you don’t have a certificate, if it expires, or if the company backing the SSL cert (the cert provider, not the retailer) goes out of business or has its master certificate rejected, then visitors will be faced with a blocking screen when trying to get to your site. The screen will prevent users from going there, with warnings that your site is insecure and should not be visited. This is obviously not good for business.

Google have also hinted that sites that use SSL certificates currently get a boost in the Google rankings over those who do not.

At CritchCorp Computers Ltd we have a quick and easy way for you to comply with this new Google rule. All our shared hosting customers can purchase a fully managed SSL certificate from their yesDomains account or submit a support ticket here to get the ball rolling. It is quite an in-depth process, but we will take care of it for you, with as little interaction as possible required from you. Please go here to get started.

The industry is working towards lowering the cost of SSL certificates to nothing and automating the install and renewal process, but that is still in development, so for the time being you will need to purchase an SSL certificate in the normal way. If you want the user’s browser to light up in green then you need to select the Extended Validation (EV) certificate; otherwise the cheaper normal one will suffice to prevent you being labelled as NOT SECURE. We have monthly or annual billing options to spread the cost, but all certificates are annual commitments.

We use Comodo, DigiCert, Symantec, Thawte, GeoTrust and Trustwave certificates. These are strong providers in this field and highly unlikely to go out of business or have their master certificates rejected. This provides you with stability and reassurance that your certificate will not become invalid before it expires, as does happen from time to time with smaller SSL providers.

If you want to read the Google blog entry about this, with their advertising spin on it, then click here. What this does do is add further costs to businesses. Whilst we absolutely agree that any site that accepts payments or collects user data should be secure, there are still many sites that do not, and so forcing them to have this does seem unfair to us. But that is what the mighty Google has decided and so it shall unfortunately be.

There has been some discussion about the colour of the NOT SECURE label. The current SECURE label is green and it is understood that the new NOT SECURE is going to be red, although some discussions at Google say it will be more neutral. Whichever it is, it isn’t good for business.

Keep safe

CritchCorp Computers Ltd