WordPress 4.7.3 Security and Maintenance Release

There’s another update by the WordPress team. The last update was back in January, so it’s been over a month since the last update. I definitely recommend upgrading as soon as possible. I had not updated my system and hackers were able to compromise my site and publish their own content. It was easy to revert the content, but it was not a great feeling knowing someone had updated my site without my consent. Details on the update below.

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.2 and earlier are affected by six security issues:

  1. Cross-site scripting (XSS) via media file metadata.  Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
  2. Control characters can trick redirect URL validation.  Reported by Daniel Chatfield.
  3. Unintended files can be deleted by administrators using the plugin deletion functionality.  Reported by xuliang.
  4. Cross-site scripting (XSS) via video URL in YouTube embeds.  Reported by Marc Montpas.
  5. Cross-site scripting (XSS) via taxonomy term names.  Reported by Delta.
  6. Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.  Reported by Sipke Mellema.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

PHP Fatal error: Call to undefined function wp_suspend_cache_addition()


I encountered another error causing my site to not load and blocking me from logging into the admin console. So if you’re getting the following error in your logs, keep reading to learn how to fix the problem and get your site up and running.

Fatal error: Call to undefined function wp_suspend_cache_addition() in /home/u356894638/public_html/wp-includes/cache.php on line 415

This error is most likely due to a caching plugin – if you’re not sure what that means, check to see if you have one of the following plugins:

  • WP Super Cache
  • W3 Total Cache
  • WP Rocket
  • Any plugin with the word “cache” in it

What probably happened is that the plugin and/or WordPress was updated, and the two are now incompatible. So what do you do? The only guaranteed solution is to disable the plugin until the plugin resolves the issue. To disable the plugin, you’ll need access to your website’s filesystem through your control panel’s file manager, FTP or direct shell access via SSH. Then follow these steps:

  1. Navigate to /wp-content/plugins
  2. Find the directory/folder of the plugin causing the problem
  3. Rename the directory to something else (e.g. badplugin-disabled)

Once you’ve done that, your site should be active again and you should be able to log in to the admin panel.
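For sites with SSH access, the rename steps above can be scripted as below. This is an added example, not part of the original post: the function names and the `-disabled` suffix are assumptions, and the slug lookup only works when the fatal error names a file under wp-content/plugins (the cache.php error above does not, so there you pick the cache plugin yourself).

```shell
#!/bin/sh
# Added example; plugin_from_error and disable_plugin are hypothetical names.

# Print the plugin slug named in a PHP fatal-error line. Fails when the
# error points outside wp-content/plugins (for example wp-includes).
plugin_from_error() {
    slug=$(printf '%s\n' "$1" |
        sed -n 's|.*/wp-content/plugins/\([A-Za-z0-9._-]*\)/.*|\1|p')
    if [ -z "$slug" ]; then
        return 1
    fi
    printf '%s\n' "$slug"
}

# Usage: disable_plugin <wordpress_root> <plugin_slug>
# Renames the plugin directory so WordPress no longer loads it, and prints
# the new path. Nothing is deleted, so renaming back re-enables the plugin.
disable_plugin() {
    root=$1
    slug=$2
    case $slug in
        ''|.|..|*/*)
            # A slug must be a single directory name, never a path.
            echo "refusing unsafe slug: '$slug'" >&2
            return 2 ;;
    esac
    src=$root/wp-content/plugins/$slug
    dst=$src-disabled
    if [ ! -d "$src" ]; then
        echo "no such plugin directory: $src" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        # Do not overwrite an earlier disabled copy.
        echo "already exists: $dst" >&2
        return 1
    fi
    mv -- "$src" "$dst" && printf '%s\n' "$dst"
}
```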

I hope this helps someone. If you’re still having problems or need help, leave a comment and I’ll try to help. But I also recommend checking on the WordPress Support Forum – lots of super helpful and smart people. And if you already host your own WordPress instance or want to start, check out my list of Best WordPress Hosts.

 

 

 

WordPress 4.7.2 Security Update


We have an update from the WordPress team and WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. It’s great to see another update addressing some fairly serious security issues. This is a good sign of well-maintained software. Kudos to the team over at WordPress.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

UpdraftPlus PHP Fatal error: Can’t use function return value in write context


If you’re reading this, you probably have a dead site and you’re seeing the following error in your logs:

Fatal error: Can’t use function return value in write context in /home/u356894638/public_html/wp-content/plugins/updraftplus/admin.php on line 3855

This is luckily a known issue and something that can be fixed. Unfortunately, the options to fix this are manual and may require more technical understanding than some people have. You can read through the thread on the WordPress Support Forum or just take a look at your options below:

1) Download this file and save it on your computer: https://plugins.svn.wordpress.org/updraftplus/tags/1.12.32/admin.php. Then, using FTP or the file manager in your web hosting control panel, replace the file wp-content/plugins/updraftplus/admin.php with this file.

OR

2) Using FTP or the file manager in your web hosting control panel, remove the directory wp-content/plugins/updraftplus. You will then be able to log into your admin area. Your front-end site will be down until you do so.

OR

3) Use any remote-control panel product that you have connected your site to (e.g. UpdraftCentral, JetPack Manage, ManageWP, etc.) to update UpdraftPlus.

OR

4) Edit the file wp-content/plugins/updraftplus/admin.php in any tool of your choice, and remove lines 3855-3857, which are:

if (isset($settings['updraft_include_more_path']) || UpdraftPlus_Options::get_updraft_option('updraft_include_more_path')) {
$more_files_path_updated = true;
}

OR

5) Using your web hosting control panel, update your site to use PHP 5.5 or later.

I hope this helps someone – I would highly recommend option #4 if you’re comfortable editing files on your server. Then you’ll be able to update the plugin from within the admin console, which will be the least risky way to upgrade a plugin.

 

PHP Fatal error: Cannot redeclare get_avatar_url()


So my last post explaining how to resolve a WordPress issue got some really positive feedback and clicks, so I figured I would share my latest WordPress issue:

PHP Fatal error: Cannot redeclare get_avatar_url() (previously declared in /home/u356894638/public_html/wp-includes/link-template.php:3798) in /home/u356894638/public_html/wp-content/themes/custom_theme/functions.php on line 1: /home/u356894638/public_html/index.php

And in case you’re wondering if you’re experiencing the same problem I did, I should add that this caused my entire site to go down and be blank. I had to look in my Apache logs to find the error being thrown by WordPress. So now that we have the error and the symptoms of the problem, let’s move on to the answer…

As always, I like to say YMMV (your mileage may vary), but I was able to resolve the issue by updating my theme (which I built). I had implemented a custom version of the function get_avatar_url which conflicted with the version built into WordPress core. I simply renamed the function and updated the files that used the function and the error went away.

I hope this helps someone. If you’re still having problems or need help, leave a comment and I’ll try to help. But I also recommend checking on the WordPress Support Forum – lots of super helpful and smart people. And if you already host your own WordPress instance or want to start, check out my list of Best WordPress Hosts.

WordPress 4.7.1 Security and Maintenance Update


The WordPress team released a new version of WordPress to address security and maintenance issues. WordPress 4.7.1 addresses 62 bugs and 8 security issues. Because of the security fixes, it’s recommended that you update immediately to avoid someone exploiting the vulnerabilities. WordPress 4.7 was released back in December, so it’s nice to see an update within a month that addresses both security issues and bugs. In case you still need a reason to update your installation, here are the security issues fixed with this release:

  1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release. This issue was reported to PHPMailer by Dawid Golunski and Paul Buonopane.
  2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. Reported by Krogsgard and Chris Jean.
  3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
  4. Cross-site request forgery (CSRF) bypass via uploading a Flash file. Reported by Abdullah Hussam.
  5. Cross-site scripting (XSS) via theme name fallback. Reported by Mehmet Ince.
  6. Post via email checks mail.example.com if default settings aren’t changed. Reported by John Blackbourn of the WordPress Security Team.
  7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing. Reported by Ronnie Skansing.
  8. Weak cryptographic security for multisite activation key. Reported by Jack.

Release notes can be found here. And for instructions on how to upgrade to WordPress 4.7.1, see Updating WordPress.

And lastly, if your site is powered by WordPress, I highly recommend taking a look at our best WordPress hosting providers to see how your hosting provider stacks up. And if you’re looking for hosting, take a look at the list to find the right host for you.

Fatal error: Class ‘WP_Taxonomy’ not found


One of the great things about WordPress is that it gets updated frequently and unfortunately, one of the dangerous things about WordPress is that it gets updated frequently and can break things. I recently updated to WordPress 4.7 and got the following error in my Apache logs:

Fatal error: Class ‘WP_Taxonomy’ not found in /home/u356894638/public_html/wp-includes/taxonomy.php on line 384

Actually, I should first mention that my site went down and I got a blank screen, so then I went to investigate my logs. After some searching and stumbling across this support thread on the WordPress support forum, the reason for the error seems to stem from not updating my wp-settings.php file. I manually update WordPress and update only the necessary files to make it easier to roll back if there is a problem but I completely missed updating wp-settings.php. Once I updated the file and restarted my server, everything was back to normal. A fairly simple and painless fix but still something that caused me a bit of grief. I hope this post helps someone having the same problem.
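A partial manual update like the one described above can be checked by comparing the site against an unpacked copy of the release. The following is an added example, not part of the original post: `stale_core_files` is a hypothetical helper, and it assumes the release archive has already been extracted to a local directory.

```shell
#!/bin/sh
# Added example; stale_core_files is a hypothetical helper name.
#
# Usage: stale_core_files <release_dir> <site_dir>
# For every core file in the unpacked release, prints
#   MISSING <path>   if the site does not have the file
#   DIFFERS <path>   if the site's copy has different content
# wp-content is skipped because it holds your own themes, plugins and
# uploads rather than core files.
stale_core_files() {
    release=$1
    # Resolve the site path first, because the loop runs inside release_dir.
    site=$(cd "$2" 2>/dev/null && pwd) || return 2
    [ -d "$release" ] || return 2
    (
        cd "$release" || exit 2
        find . -path ./wp-content -prune -o -type f -print |
        LC_ALL=C sort |
        while IFS= read -r f; do
            f=${f#./}
            if [ ! -f "$site/$f" ]; then
                printf 'MISSING %s\n' "$f"
            elif ! cmp -s "$f" "$site/$f"; then
                printf 'DIFFERS %s\n' "$f"
            fi
        done
    )
}
```

Empty output means every core file matches the release. On a site you believe is fully upgraded, any DIFFERS line is worth a look, since core files should match the release byte for byte.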

And lastly, if your site is powered by WordPress, I highly recommend taking a look at our best WordPress hosting providers.

Happy New Year

It’s a brand new year, so I want to wish everyone a prosperous 2017. At BuildHack, we want to help small businesses, hobbyists and even startups get online and build their digital presence. It’s not easy to start something new, so we want to be there to help make it as easy as possible. If there’s anything we can do to help, please reach out to us on Twitter. Here’s to an amazing year.

How To Check If Your Site Is Mobile Responsive


As you should already know, making your site mobile responsive is critical for your users and for your SEO rankings. If your users can’t view your site on their tablets and phones, you’re losing potential users/customers. And if your site isn’t mobile responsive, Google will ding your site which will affect your rankings and prevent you from showing up in SERP results. At a bare minimum, you should make sure you have the following on your site:

<meta name="viewport" content="width=device-width, initial-scale=1">

This means that the browser will try to render the width of the page at the width of its own screen. This prevents the browser on your phone from rendering a zoomed out page that’s barely legible. But, of course, this alone doesn’t make your website mobile responsive. You’ll need to make sure your content is formatted for tablets and mobile devices. If you’re not sure how to do this, it’s typically done through CSS media queries like this one for tablets:

@media only screen and (min-device-width : 768px) {
/* Styles */
}

If you’re not a CSS guru, this may look like a foreign language so go ahead and ignore it. Hopefully, you’re using a theme which has already taken care of making your site mobile responsive. The next step is to then check to see what your site looks like on different devices. Go to Am I Responsive and enter the URL to your site. You’ll see how your site looks on mobile, tablet and desktop browsers. This doesn’t quite test different browsers like Internet Explorer, Chrome, Firefox, Safari, etc. but it does show what your site looks like at different sizes. If you want to check your site on specific operating system and browser combinations, go to BrowserStack to check out your site. There are ways to automate checking or you can just manually check your site. This really depends on how often you’re changing your site and what kind of users are visiting your site (that is, what devices they are using).

And lastly, but possibly most importantly, you’ll want to make sure Google sees your site as mobile responsive. To do this, go to Google Search Console and use the “Fetch as Google” feature to check your site by fetching and rendering your site on a mobile smartphone. This will show you whether Google thinks your site is mobile responsive.

And now that your site is mobile responsive, go build amazing content and find new users/customers.

Launchaco – Build a Free Responsive Website


Launchaco is a pretty amazing free tool to build a responsive website for your product, startup or business that I found over on Hacker News. It walks you through 4 steps that let you customize your website and then provides you the HTML and CSS for your website. With the files, you can then upload them to your hosting provider and voila, you have a website. All it takes is walking through 4 steps:

Step 1: Select Hero Template

You have 6 different hero templates to pick from and for each one, you can customize things like the page title, hero text and sub-text, hero image, and call to action (button, email sign-up, Google Play link, App Store link).

Step 2: Select Feature Template

You can have multiple feature sections to showcase different things like products, services or anything else you want your visitors to read. Again, you have 6 different templates to pick from and you can customize the text and pick from different images to use.

Step 3: Select Social Template

Next you have 6 different social templates where you can provide social proof of who uses your services, your top customers or customer testimonials.

Step 4: Select Footer Template

And lastly, you have your footer template and you have 6 different options to pick from. They range from super minimal (just a couple links and copyright text) to the full kitchen sink with a closing quote, sign-up/email links and social media links.

And once you’ve gone through all 4 steps, you’re done and you have a website that’s ready to launch. And you can skip any of the sections as well, so if you don’t have anything to feature (yet) you can just skip and move on. This isn’t the most feature-rich site but it’s a good starting point. And the best part is that you get a responsive site (great for mobile visitors) and you can organize your content and get Google to start indexing your site.