5 ‘Ignore at Your Peril’ Reasons You Need to Run Regular Updates on Your Website

In this blog, we share the 5 ‘ignore at your peril’ reasons you need to run regular updates on your website.

This includes using the latest version of WordPress, and regularly deploying theme and plugin updates.

Not sure how to do this on your own? We can help! Find out more about our Client Care Plan below and we’ll take care of it. It’s a small outlay for peace of mind and to keep your website secure and functioning at its best! Call us on 07 3889 2977 or enquire here.

Why you need to be using the latest version of WordPress

Here’s why you need to run regular updates on your website – and keep your theme and plugins up to date!

1. Security

It might sound obvious, but it’s sheer madness to see the volume of business owners who don’t bother to switch to the latest version of WordPress.

Especially given it’s free and takes less than 2 minutes.

WordPress powers almost one quarter (23%) of the world’s websites. And thanks to its popularity, it is often the target of hackers, data thieves and malicious code distributors.

Sounds scary, but the good news is that ensuring your website is using the latest version of WordPress means you’ll significantly reduce the risk of getting hacked.

With each new release, developers fix bugs and known security vulnerabilities.

Hackers can even search for websites running outdated versions of WordPress. So, no matter the size of your business – simply running an old version of WordPress can mean you’re at greater risk of a sophisticated attack.

And we’ve seen it happen time and time again – even on websites for small Aussie businesses.

2. Fixes Bugs

It’s not just the major WordPress updates you should be keeping on top of. Despite rigorous testing in the lead up to a major update, it’s not uncommon for a few bugs to slip through the cracks for a short period of time.

This means minor releases (which are shown by X.X.X) are equally important and shouldn’t be ignored. To give you an example, WordPress update 4.2.3 fixed 20 bugs from the 4.2 major release.

The key takeaway – always ensure you run both major and minor WordPress updates once they become available.

But it’s not all doom and gloom: running your WordPress, theme and plugin updates also has some positive perks…

3. Access to New Features

Using the latest version of WordPress means you’ll be able to leverage the latest and greatest features and software changes – designed to make updating your website even easier.

And if you do hit a roadblock, because you’re using the latest version you won’t have any issues finding WordPress help online. Troubleshooting steps are typically based on the latest version.

4. Improved Performance and Speed

WordPress developers are always pushing the limits to make things faster. Each new release will have several performance updates to improve efficiency and speed.

And given speed is a crucial factor in SEO, updating to the latest WordPress theme is a no-brainer.

5. Compatibility

While we’ve mostly addressed WordPress theme updates above, it’s just as important to use the latest theme and plugin versions – and for many of the same reasons: to protect against security vulnerabilities and eliminate any bugs in the software.

This will ensure that all the software – and your website – keeps functioning smoothly.

It’s not uncommon for issues to arise when your plugins are out of date, but you’ve got the latest version of WordPress – due to an incompatibility.

How to Update WordPress, Theme and Plugins

True to form, WordPress has made it easy to see and install a new WP, theme or plugin update.

Simply log in to your Dashboard and look for the in-built “UPDATES” notification field. If new updates are available, you’ll see a round orange circle displaying the number of updates available.

Not comfortable navigating the back end of your website (your WordPress Dashboard)? We can help!

Brisbane Hosting Client Care Package

While some business owners may find it easy to run their WordPress, theme or plugin updates – others may not have the time, energy or confidence to do it on a regular basis.

Our Client Care Package not only ensures your website updates are up to date; we also take a full site backup and check for irregular hacker files, which will save you a lot of headaches (and money) should the unforeseeable happen.

To sign up for our Client Care Package (recommended on a quarterly basis at minimum, but can also be monthly), email us here.

Brisbane Hosting & Website Hosting’s products and services include Website Hosting, Domain Names, DNS Services, Website Development, Website Design, Website Revamps, Website Maintenance, Lead Generation Packages and Blogging, Social Media Campaigns and more.

Contact Brisbane Hosting on (07) 3889 2977 or via email info@brisbanehosting.com.au for further information. 

Optus admits handing user phone numbers to websites

Without customers’ knowledge.

Optus has admitted to handing over its customers’ phone numbers to certain third-party websites accessed by the user.

As first flagged by a user on telco forum Whirlpool, when a user browses certain websites, Optus provides the customer’s mobile phone number to the website operator where a “commercial relationship” exists.

The practice, known as HTTP header enrichment, includes a mobile browser’s phone number in the HTTP header of the website request. The process aims to streamline direct billing for customers.

The Whirlpool user discovered the practice after receiving alerts about a subscription to a site they had not signed up to.

Optus confirmed its use of HTTP header enrichment to iTnews but said it only provided the details to certain sites involved in a “trusted” commercial relationship with the telco.

“When consumers browse the internet, information about the device they’re using is passed on to website owners in order to optimise websites for those users,” a spokesperson said.

“Optus adds our customers’ mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites.”

The telco said numbers were only sent to sites where user authentication is required – such as for premium content services with direct billing to Optus.

iTnews has contacted other telcos about their approach to the practice.

Optus customers have raised concerns about the privacy implications of these information sharing habits.

One user, who declined to be named, said there was no way for the end user to opt out of third-party sites being able to see their mobile number if they are an Optus customer.

“This raises huge privacy concerns,” the user said.

Optus’ privacy policy states that it may share some “personal information” with third parties, but does not specifically mention mobile numbers.

“We sometimes team up with other companies to offer products,” the policy advises.

“If you purchase a product that is delivered by one of our partners, we’ll give them the personal information they need to provide it and manage their relationship with you. In these circumstances, we have arrangements in place with our partners that limit their use or disclosure of your personal information to these purposes.”

In the United States, Verizon Wireless’ use of HTTP header enrichment to track users with a “super cookie” became a privacy cause celebre, and led to a “please explain” letter from US senators in January this year.

Verizon Wireless modifies network traffic and injects an X-UIDH HTTP header that was thought to uniquely, and silently, identify the telco’s customers to advertisers.

The cellular provider denied the X-UIDH header contained customer information, instead calling it a temporary anonymous identifier sent to advertisers, and therefore not a privacy threat.

After official uproar arose over the practice, Verizon Wireless was forced to introduce an opt-out scheme for customers who did not want to be tracked in this manner.

By Allie Coyne, Juha Saarinen
Published in: http://www.itnews.com.au/News/405656,optus-admits-handing-user-phone-numbers-to-websites.aspx#ixzz3eV0Wj300
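
HTTP header enrichment as described in the article above can be observed by comparing the headers a browser sent with the headers an echo endpoint reports receiving over plain HTTP. The following is an added example, not part of the iTnews article: the echo-endpoint setup, the `X-MSISDN` and `X-Subscriber` header names and all sample values are assumptions (only `X-UIDH` is named in the article).

```python
import re

# Headers that ordinary proxies and CDNs add; not treated as identity leaks.
BENIGN_PROXY_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto", "forwarded"}

# X-UIDH is named in the article; X-MSISDN is an assumed example of a
# phone-number header and does not come from the article.
KNOWN_ID_HEADERS = {"x-uidh", "x-msisdn"}

# Loose match for a phone number: optional +, then 8 to 15 digits.
PHONE_RE = re.compile(r"^\+?\d{8,15}$")


def normalise(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def find_injected(sent, received):
    """Return {header: reason} for headers the server saw but the client never sent."""
    sent_n, recv_n = normalise(sent), normalise(received)
    findings = {}
    for name, value in recv_n.items():
        if name in sent_n or name in BENIGN_PROXY_HEADERS:
            continue
        compact = re.sub(r"[\s\-()]", "", value)  # drop phone-number punctuation
        if name in KNOWN_ID_HEADERS:
            findings[name] = "known subscriber-identifier header"
        elif PHONE_RE.match(compact):
            findings[name] = "value looks like a phone number"
        else:
            findings[name] = "added in transit, purpose unknown"
    return findings


# Constructed sample: what a phone's browser sent, and what an echo endpoint
# reported receiving over plain HTTP on a mobile network. The phone number is
# from the range reserved for fictional use in Australia.
SENT = {"Host": "echo.example", "User-Agent": "ExampleBrowser/1.0", "Accept": "*/*"}
RECEIVED = {
    "host": "echo.example", "user-agent": "ExampleBrowser/1.0", "accept": "*/*",
    "Via": "1.1 carrier-proxy.example",
    "X-UIDH": "CONSTRUCTED-OPAQUE-TOKEN",
    "X-Subscriber": "+61 491 570 156",
}

if __name__ == "__main__":
    for header, reason in find_injected(SENT, RECEIVED).items():
        print(f"{header}: {reason}")
```

An on-path proxy cannot add headers inside a TLS session, so the same comparison run over HTTPS should come back empty.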

Microsoft won’t fix Internet Explorer zero-day

HP researchers release exploit code after Microsoft declines to issue patch.

HP researchers have published details and proof-of-concept exploit code for a number of zero-day vulnerabilities in Microsoft’s Internet Explorer web browser which allow attackers to bypass a key exploit mitigation.

The researchers – part of HP’s zero-day initiative team – have a policy to only disclose details of bugs reported to vendors after patches are issued.

But the team decided to go public after being informed by Microsoft that it did not intend to fix the bugs as the company feels the vulnerabilities don’t affect enough users.

The flaws were serious enough, however, for Microsoft to earlier award the HP team a US$125,000 bug bounty.

The researchers had discovered that an attacker could fully bypass address space layout randomisation (ASLR) and data execution protection (DEP) in Windows, beating the Isolated Heap and MemoryProtection mitigation measures Microsoft introduced last year for IE.

ASLR makes it difficult for attackers to work out where data is located in a computer’s memory; DEP uses the system processor to mark areas of memory as non-executable, preventing malicious code from running in that space.

The HP team said it reported the vulnerabilities to Microsoft last year and had opted to wait to release full details of the flaws until they were fixed.

However, the security researchers were told by Microsoft that as the flaws didn’t affect 64-bit systems, they would not be patched.

HP researcher Dustin Childs said while Microsoft was technically correct – “a 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective” – millions of 32-bit systems were still at risk from the flaw.

Microsoft’s forthcoming Windows 10 operating system will also have a 32-bit edition.

“To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,” Childs, formerly the group manager of response communications at Microsoft’s security department, wrote.

The exploit abuses the Internet Explorer MemoryProtection protective measure to work out where in memory a certain dynamic link library (DLL) is stored, bypassing ASLR.

By leveraging a use-after-free (UAF) vulnerability, the researchers were able to use the address of the DLL to update a return-oriented programming chain, and transfer execution to it.

This process bypasses the hardware DEP security measure, and the PoC executes a benign shell-code to launch the Windows calculator application.

He said his team had decided to release the proof-of-concept exploit code and full details to arm users with as much information as possible to defend against potential attack.

“Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk,” Childs wrote.

“We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.”

By Allie Coyne, Juha Saarinen
Published in: http://www.itnews.com.au/News/405645,microsoft-wont-fix-internet-explorer-zero-day.aspx#ixzz3eUzBwOYD