WordPress 4.2.3 Security Release

An important security update was released today for WordPress. This is a security release for all previous versions, and it fixes a cross-site scripting vulnerability which could allow users with the Contributor or Author role to compromise a website. WordPress versions 4.2.2 and earlier are affected by this vulnerability.

A large number of websites has been upgraded to WordPress 4.2.3 already. If you do not have automatic WordPress updates enabled, we strongly recommend you upgrade your website to version 4.2.3 immediately. We also suggest enabling automatic WordPress updates for your website.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Once you’re running WordPress 4.2.3, you’re protected from this vulnerability.

We are also e-mailing all owners of affected websites with upgrade instructions. Running the latest versions of WordPress, themes, and plugins is a great step to keep your site safe and sound.

As always, if you have any questions, drop us a line.

Posted in General | Leave a comment

Celebrating 5 Years of VaultPress

It’s VaultPress’ 5th birthday this week! In his post on June 29, 2010 — one of the first posts ever on this blog — Matt announced that we had sent out the very first Golden Ticket invites to VaultPress. In the beginning, we sent 30 invites a day, and grew gradually over the first several months. From those first Golden Tickets to the many users we support today, VaultPress has:

  • Found 201,754 infected files
  • Made 50,100,955 backup snapshots.
  • Backed up 27,615 distinct plugins and 17,675 themes

Let’s take a look back at our first tweet and some early designs:

Our designs have changed over the years, but we’ve never wavered in our commitment to making the best product we can for the WordPress community. In a recent survey of 21 professionals on the best backup WordPress plugins, we’re proud that VaultPress came out on top as the clear winner. Feedback on our product is incredibly positive — it’s great to see people like Brin Wilson of WinningWP say that VaultPress is “basically effortless.” We’re so happy to see how far we’ve come.

To celebrate our 5-year anniversary and to say thank you and give back to our users, we’ve launched an extended 3-month trial. If you want to sign up, just visit this page: https://vaultpress.com/bestof/

We hope that by extending the trial, we can help bring VaultPress to more people for free for a longer period of time.

As always, drop us a line if you have any follow-up questions!

Posted in Announcements, Community, General | 4 Comments

VaultPress Customer Stories: WP Daily Themes

Peter-NilssonPeter Nilsson started WP Daily Themes to initially write about themes and plugins but, in recent years, it has grown beyond his expectations. In his words, “Now we have many of the leading writers and experts in the WordPress community contributing with brilliant articles and tips on the blog”. Before starting his company, Peter previously worked a variety of jobs including being a sailor at one point! He finally then went to school to become a network technician and hasn’t looked back since. While he started his blogging career with Google’s blog platform back in 2007, he outgrew it by 2008 and switched to using WordPress.  Peter writes, “A new world opened up and since then I have been working with one of the best and most popular (CMS) Content Management System in the world: WordPress.”

After blogging for a couple of years, he opened up his business in 2009 to help clients with setting up WordPress, maintenance, and overall improvements to their sites. When WP Daily Themes began to grow, he turned to VaultPress to secure his content. As he puts it, “Even if you save that single document on your computer or website on your web hosting company, there is no guarantee the computer doesn’t crash or the hosting company lose your backup (which has happened to me with devastating consequences)… I have been a customer now for some years and VaultPress has proven to have been the right choice many times.”

In his spare time, he does his best to give back to the WordPress community through translating Plugins into Swedish. His most recent translation projects include WP Rollback and Birds Custom Login.

We can’t be more delighted that Peter chose VaultPress to protect his awesome content on WP Daily Themes.

You can learn more about how VaultPress can protect your site — including its contents, themes, plugins, site settings, and customizations.

Contact us with questions — or make our day, and sign up to protect your site!

Posted in Community, General | Leave a comment

WooCommerce PayPal Object Injection

The fine people at Woo have released a security patch for WooCommerce, fixing a vulnerability in their PayPal notification system.

The vulnerability affects WooCommerce 2.0.20 – 2.3.10 when a “PayPal Identity Token” is set. It allows attackers to remotely execute code, via a known vulnerability in PHP’s unserialize function.

WooCommerce 2.3.11 contains a fix for this issue, and we strongly recommend that all users upgrade to this version as soon as possible.

We’ve released a hotfix with VaultPress 1.7.5, which protects all vulnerable versions of WooCommerce from attack. We are currently attempting to deploy this update to all VaultPress users affected by the issue. We will email site owners whose sites we are unable to update.

As always, if you have any questions, please drop us a line at vaultpress.com/contact.

Posted in General, Security | Leave a comment

FAQs About FTP, SFTP, and SSH Credentials

Adding credentials for your site has huge benefits when you’re using VaultPress. It lets you restore your site, allows us to help you further if you run into issues, and overall improves the performance of the VaultPress plugin.

What are these credentials though? As a Happiness Engineer, I get asked a variety of questions every day about these credentials and thought it would be helpful to go over what they are, and why you should add them. I’ll also share some common questions we get about them.

What are FTP, SFTP, and SSH credentials?

For starters, I can tell you what they are NOT:

  • Your WordPress.org login
  • Your WordPress.com login
  • Your host’s control panel login

In short, these credentials are ways to access the files that make up your site. Rather than logging in using your WordPress.org login to access your dashboard, these login credentials let you access all of the files that make your site function. With these credentials, you can upload files, edit files, delete files, and more!

Where do I find these credentials?

Your host provides these credentials for you. Just contact them and they’ll point you in the right direction. You can also find them by referring to your host’s documentation, or by reading the email they sent you when you signed up.

Why does VaultPress need them?

We need credentials in order to restore your site or resolve some security threats, but not to back it up.

By adding these credentials, our team can better help solve any problems that arise by directly accessing the files that might be causing problems. Beyond just that, adding these credentials optimizes the performance of the plugin by giving the plugin a more direct route to the files and tables that we need to back up.

Which do you recommend adding?

We recommend SSH first and foremost as it’s the most robust and secure method you can add. If your host doesn’t allow SSH access, we recommend trying to get SFTP as it’s basically a more secure form of FTP. If you can’t get either, FTP will definitely still work.

Can I add all of them? 

While we only need one set of credentials, we do allow you to add multiple types of credential if you’d like.

How do I add them to VaultPress?

You can add them from your Settings page in the VaultPress dashboard. If you need a step by step, check out this post for FTP and this post for SSH.

Earn bonus points

  1. Make sure our IP ranges are whitelisted by your host as some hosts block access based on IP address. Whitelisting our IPs will ensure that we can access your server.
  2. Make sure the user you have provided us has full read and write access to your WordPress directory. Your hosting provider can help you with this step, if necessary.

As always, drop us a line if you have any follow-up questions!

Posted in General, Help | 1 Comment