UpdraftPlus version 1.9.4, release almost exactly a year ago (23rd April 2014), introduced an all-new back-end for Google Drive.

One of the reasons we did this, was because Google had previously announced that in April 2015, they would be shutting down one of their interfaces for programs to use Google Drive.

Google have now done what they said they would. Their old way of accessing Google Drive has now been permanently removed. If you are still using a version of UpdraftPlus from before 1.9.4 to use Google Drive, then you must update to be able to carry on doing so.

David Anderson (founder, lead developer, UpdraftPlus)

 

You may already have spotted that WordPress 4.2 is out. Follow that link to get the low-down. Safe to say, as we reported earlier, that this release is mostly about incremental improvements, rather than any dramatic leaps – except for users in certain foreign languages, for whom improvements in handling their character sets will be very welcome.

It’s been quite a week for WordPress updates, with the mass plugin release followed by the WordPress 4.1.2 security release, and now this. Just to confirm: if you’re on the current release of UpdraftPlus (1.9.64 / 2.9.64)  then you’re already compatible with WordPress 4.2. (The previous 1.9.63 / 2.9.63 release made a week before for WP 4.2 compatibility won’t do it – as some more changes went into the final release of WP 4.2).

As ever, if you’ve got UpdraftPlus Premium installed, then it can take a helpful automatic backup of everything before you update to WordPress 4.2. So, if WP 4.2 causes a problem, you’re covered with a backup. If you’ve not yet got UpdraftPlus Premium, please do take a look!

David Anderson (founder, lead developer, UpdraftPlus)

Trying to predict the future timings of a backup on shared web hosting with certain web hosting companies I could mention reminded me of this cartoon from XKCD

XKCD cartoon

Which is why UpdraftPlus does not estimate how long your backup will take to complete! Instead, it has algorithms found in no other backup plugin to attempt to make sure, as much as possible, that no matter how cheap and nasty your web hosting, it will complete. Why not give UpdraftPlus Premium a look today?

David Anderson (lead developer, founder, UpdraftPlus)

In case you’ve not seen, there was a new critical security release made for WordPress itself a few hours ago.

Most sites should update automatically within 12 hours – but since the release notes say that the security hole allows complete site take-over by an unauthenticated user (i.e. the worst possible kind of security vulnerability), I’d recommend updating right away. I’ve just updated around 100 sites!

David Anderson (founder, lead developer, UpdraftPlus)

Last week, security researchers at Sucuri (their advisory is here) discovered a security defect affecting a large number of WordPress plugins – including UpdraftPlus in versions before our current release (1.9.64 for the free version, 2.9.64 for the paid version).

Because many plugins were affected, news of this defect has been under wraps until now, whilst Sucuri searched for more affected plugins. Announcing at the same time means that hackers who spot the announcement in one plugin can’t go and search for it in other plugins that haven’t yet made updates available.

The defect is an “XSS” vulnerability (Wikipedia link). This means that it is possible for a hacker to inject unwanted content in your website. What kind of content, and who it can affect, depends on the details of the plugin itself and how it works.

In UpdraftPlus, the danger is as follows: an attacker would need to a) send you a specially crafted link, and b) persuade you to click on it, on a computer on which you are also logged in to the WordPress dashboard on your site, with admin privileges. If you clicked on that link, then the attacker could run code in your dashboard page one time (i.e. not persistent – it won’t remain in your dashboard), performing UpdraftPlus administrative actions (e.g. download a backup, run a backup, delete a backup). We do not believe that there is a way for an attacker to upload and restore their own backup. (i.e. They cannot modify your site through injecting and restoring their own backups).

For clarity: since UpdraftPlus never has any cause, and hence has no code, to display anything on the front-end of your website, it is not possible for this defect to result in code being shown to visitors to your website. Logged-in users who do not have administrative access to the UpdraftPlus dashboard also have no way of being affected.

Other plugins will be affected in other ways. The above description does not describe what the risks may be through other affected plugins. To check all 40,000-ish WordPress plugins would be impossible (plugin authors will have to check themselves), but Sucuri have been auditing many popular plugins, and at least these plugins are known to be vulnerable:

  • WordPress SEO
  • JetPack
  • All In One SEO
  • Gravity Forms
  • Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • P3 Profiler
  • Give
  • Ithemes Exchange
  • Two Factor Authentication
  • Broken Link Checker

You should immediately check that all of these plugins have been updated to the latest version.How has this vulnerability affected so many plugins? Basically, it was easy to do. The WordPress coding manual, for a particular function, included an example of its use that was vulnerable. If you used the function in a way like the example suggested, then you’d introduce a security vulnerability into your plugin. The page has now been corrected to give specific guidance on the potential pitfall, and showing secure examples instead. Sucuri, who realised the mistake, set about looking for plugins that were using the function in the way previously suggested.This defect is fixed in UpdraftPlus 1.9.64 (free users) and 2.9.64 (paying users). So, if your version number is below that, then please update. Many free users will find that they are already updated – wordpress.org has been pushing out instructions to sites to automatically update. So don’t be surprised if you’re already on a safe version!

David Anderson (founder, lead developer, UpdraftPlus)

UpdraftPlus 1.9.64 (free version) / 2.9.64 (paid version) is in process of being released. You should see it available in your WP dashboard in the next day or so.

This release includes:

The full changelog is available here (though usually takes a few hours to catch up).

All users not already running 1.9.64 / 2.9.64 are advised to update as soon as they see that an update is available.

David Anderson (founder, lead developer, UpdraftPlus)

All users can now decide to activate two-factor security for logging in to updraftplus.com.

What does this mean? It means that you can install a simple app installed on your phone (or tablet, or in your browser), that generates time-limited login codes. If you enable two-factor on your updraftplus.com account, then these codes will be needed to log in to the website at updraftplus.com. So, somebody who knows your password still can’t log in – without also stealing your device.

There are also “emergency codes” available for you to keep safe, in case you lose your phone/tablet/whatever.

If you want to activate two-factor security on your account, then you can do so by logging in to your account, and following the link from that page to enable it.

The two-factor code comes entirely from our sister company’s premium two-factor authentication plugin for WordPress – no special tricks or hacks, just the plugin; so if you’re interested in adding this to your WordPress website, then here’s the link. There’s also a free version that has the main features, here.

David Anderson (founder, lead developer, UpdraftPlus)

The next release of UpdraftPlus is due out on Monday. This includes some tweaks necessary for our “automatic backups” feature (whereby a backup is taken just before a WordPress update, so that you’re covered if the update is bad) to work well with WP 4.2. (WP 4.2 made some more changes to its updating functionality since our previous release).

One other thing that it will contain (for UpdraftPlus Premium users) is a new wizard to make it easier to use a more secure Amazon S3 setup.

Amazon Web Services (AWS) is very good in that it allows you to create lots of different users (each of which has its own access credentials – which in AWS are an access key and a secret key), each of which has its own permissions. So, with one AWS account, you can set up lots of separate S3 buckets, each with its own user. This means that if someone gets the access details for one bucket, then that’s all they have – they can’t reach any of your other buckets. They’re segregated.

We’ve had an FAQ on how to set this up for a long time, here. However, the process is still quite fiddly and intimidating to many users. The next release of UpdraftPlus Premium now adds a wizard. If you have an all-powerful administrative account in your Amazon S3 setup (which is the default – or at least, was when I set up my AWS account), then instead of entering those details into your UpdraftPlus settings (which would put your whole S3 account at risk if those keys were stolen), and instead of having to go through the fiddly steps, you can now use our wizard.

You’ll enter those all-powerful keys once… and then UpdraftPlus will deploy them to create a less powerful user that can only access the backup bucket – and nothing else in your Amazon AWS account. It then never saves the admin credentials – only the less powerful ones. So, you can get the better security, without needing to face the rather intimidating bucket policy generator in Amazon’s console, etcetera.

Create Amazon S3 user wizard

You can also use this wizard with existing buckets. So, if you’d previously been storing your root AWS keys in UpdraftPlus, then after the next UpdraftPlus release hits, you can just make a few clicks in the wizard for an instantly more secure setup. (Don’t forget to save settings after changing them!).

David Anderson (founder, lead developer, UpdraftPlus)

Do you speak Slovenian? I don’t! But according to Wikipedia, 2.5 million people do (as native speakers). And thus, we’re really happy that Clav Icula has created a Slovenian translation for UpdraftPlus. It’ll be part of the next release.

This will take UpdraftPlus to 16 languages with 90%+ complete translations. If your language isn’t yet one of those, then please do take a look at this page – and the offer for free licences that we offer to new translators.

David Anderson (founder, lead developer, UpdraftPlus)

If you’ve not yet tried out our sister company’s free “two factor” authentication plugin, available in the wordpress.org directory for everyone, then please do take a look. Since its recent release, it’s already gathered over 100 active users who are now protected against hackers guessing their passwords, using industry standard protocols (don’t use home-cooked ideas to set up your site’s security!).

If you have tried it out, then you may be interested to know that a cheaply-priced premium version with more features is now available, at this link. It’s on a sale price at approximately 33% off for the next fortnight.

David Anderson (founder, lead developer, UpdraftPlus)

TwitterFacebookGooglePlusLinkedIn

UpdraftPlus is a trade mark of Simba Hosting Limited, UK registered company number: 8570611, VAT number: 202 1260 80

$0.000 items

Cart