IMPROVING APPLICATION SECURITY IN AN ASP.NET CORE API USING HTTP HEADERS – KLCWEB

This article shows a way to improve the security of an ASP.NET Core Web API application by adding security headers to all HTTP API responses. The security headers are added using the NetEscapades.AspNetCore.SecurityHeaders NuGet package from Andrew Lock.

The headers are used to protect the session, not for authorization. The application uses Microsoft.Identity.Web to authorize the API requests. Swagger is used in development, and the CSP needs to be weakened to allow Swagger to work during development. A strict CSP definition is used for the deployed environment.

Code: GitHub – damienbod/AzureAD-Auth-MyUI-with-MyAPI: Azure AD Auth with ASP.NET Core UI and ASP.NET Core API

The NetEscapades.AspNetCore.SecurityHeaders NuGet package is added to the csproj file of the web application. The Swagger Open API packages are added, as well as Microsoft.Identity.Web to protect the API using OAuth.

<ItemGroup>
    <PackageReference
        Include="Microsoft.Identity.Web" Version="1.15.2" />
    <PackageReference
        Include="IdentityModel.AspNetCore" Version="3.0.0" />
    <PackageReference
        Include="NetEscapades.AspNetCore.SecurityHeaders" Version="0.16.0" />
    <PackageReference
        Include="Swashbuckle.AspNetCore" Version="6.1.4" />
    <PackageReference
        Include="Swashbuckle.AspNetCore.Annotations" Version="6.1.4" />
</ItemGroup>

The security header definitions are added using the HeaderPolicyCollection class. I added this to a separate class to keep the Startup class small where the middleware is added. I passed a boolean parameter into the method which is used to add or remove the HSTS header and create a CSP policy depending on the environment.

public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev)
{
    var policy = new HeaderPolicyCollection()
        .AddFrameOptionsDeny()
        .AddXssProtectionBlock()
        .AddContentTypeOptionsNoSniff()
        .AddReferrerPolicyStrictOriginWhenCrossOrigin()
        .RemoveServerHeader()
        .AddCrossOriginOpenerPolicy(builder =>
        {
            builder.SameOrigin();
        })
        .AddCrossOriginEmbedderPolicy(builder =>
        {
            builder.RequireCorp();
        })
        .AddCrossOriginResourcePolicy(builder =>
        {
            builder.SameOrigin();
        })
        .AddPermissionsPolicy(builder =>
        {
            builder.AddAccelerometer().None();
            builder.AddAutoplay().None();
            builder.AddCamera().None();
            builder.AddEncryptedMedia().None();
            builder.AddFullscreen().All();
            builder.AddGeolocation().None();
            builder.AddGyroscope().None();
            builder.AddMagnetometer().None();
            builder.AddMicrophone().None();
            builder.AddMidi().None();
            builder.AddPayment().None();
            builder.AddPictureInPicture().None();
            builder.AddSyncXHR().None();
            builder.AddUsb().None();
        });
 
    AddCspHstsDefinitions(isDev, policy);
 
    return policy;
}

The AddCspHstsDefinitions method defines different policies depending on the parameter. In development, the HSTS header is not added and a weak CSP is used so that the Swagger UI will work. This UI uses unsafe-inline JavaScript, which needs to be allowed in development. Because of this, I remove Swagger from all non-dev deployments and force a strong CSP definition there.

private static void AddCspHstsDefinitions(bool isDev, HeaderPolicyCollection policy)
{
    if (!isDev)
    {
        policy.AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().None();
            builder.AddFormAction().None();
            builder.AddFontSrc().None();
            builder.AddStyleSrc().None();
            builder.AddScriptSrc().None();
            builder.AddBaseUri().Self();
            builder.AddFrameAncestors().None();
            builder.AddCustomDirective("require-trusted-types-for", "'script'");
        });
        // maxage = one year in seconds
        policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains
          (maxAgeInSeconds: 60 * 60 * 24 * 365);
    }
    else
    {
        // allow swagger UI for dev
        policy.AddContentSecurityPolicy(builder =>
        {
            builder.AddObjectSrc().None();
            builder.AddBlockAllMixedContent();
            builder.AddImgSrc().Self().From("data:");
            builder.AddFormAction().Self();
            builder.AddFontSrc().Self();
            builder.AddStyleSrc().Self().UnsafeInline();
            builder.AddScriptSrc().Self().UnsafeInline(); //.WithNonce();
            builder.AddBaseUri().Self();
            builder.AddFrameAncestors().None();
        });
    }
}

In the Startup class, the UseSecurityHeaders method is used to apply the HTTP headers policy and add the middleware to the application. The env.IsDevelopment() result decides whether the HSTS header is added. The default HSTS middleware from the ASP.NET Core templates was removed from the Configure method, as it is not required. UseSecurityHeaders is added before the Swagger middleware so that the security headers are applied in all environments.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseSecurityHeaders(
        SecurityHeadersDefinitions.GetHeaderPolicyCollection(env.IsDevelopment()));
 
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
 
        app.UseSwagger();
        app.UseSwaggerUI(c =>
        {
            c.SwaggerEndpoint("/swagger/v1/swagger.json", "API v1");
        });
    }

    // ... remaining middleware registrations are not shown in this listing
}

The server header can be removed in the program class if using Kestrel. If using IIS, you probably need to use the web.config to remove this.

public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder
                        .ConfigureKestrel(options => options.AddServerHeader = false)
                        .UseStartup<Startup>();
                });

Running the application in a non-development environment, the securityheaders.com check returns good results. Everything is closed, as this is an API with no UI.

If a Swagger UI is required, the API application can be run in the development environment. This could also be deployed if required, but in a production deployment, you probably don’t need this.

To support the swagger UI, a weakened CSP is used and the https://csp-evaluator.withgoogle.com/ check returns a more negative result.
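
The same comparison can be automated so that a weakened development policy never reaches a deployment unnoticed. The following is an added example, not code from the article or from the NetEscapades package: a hypothetical SecurityHeaderAudit class that checks a set of response headers against the production policy defined above. The two header sets are constructed samples of what the production and development policies would be expected to emit.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not part of the article's repository).
public static class SecurityHeaderAudit
{
    // One year in seconds, the value the article passes to the HSTS policy.
    private const long OneYear = 60 * 60 * 24 * 365;

    // Split a CSP value into directive -> sources; the first occurrence of a directive wins.
    private static Dictionary<string, string[]> ParseCsp(string csp) =>
        csp.Split(';')
           .Select(d => d.Split(' ', StringSplitOptions.RemoveEmptyEntries))
           .Where(p => p.Length > 0)
           .GroupBy(p => p[0].ToLowerInvariant())
           .ToDictionary(g => g.Key, g => g.First().Skip(1).ToArray());

    // Returns one finding per deviation from the article's production policy.
    public static List<string> Audit(IDictionary<string, string> responseHeaders)
    {
        var h = new Dictionary<string, string>(responseHeaders, StringComparer.OrdinalIgnoreCase);
        var findings = new List<string>();

        void Expect(string name, string expected)
        {
            if (!h.TryGetValue(name, out var value))
                findings.Add($"{name}: missing");
            else if (!string.Equals(value.Trim(), expected, StringComparison.OrdinalIgnoreCase))
                findings.Add($"{name}: expected '{expected}', got '{value}'");
        }

        Expect("X-Frame-Options", "DENY");
        Expect("X-Content-Type-Options", "nosniff");
        Expect("Referrer-Policy", "strict-origin-when-cross-origin");
        Expect("Cross-Origin-Opener-Policy", "same-origin");
        Expect("Cross-Origin-Embedder-Policy", "require-corp");
        Expect("Cross-Origin-Resource-Policy", "same-origin");
        if (!h.ContainsKey("Permissions-Policy")) findings.Add("Permissions-Policy: missing");
        if (h.ContainsKey("Server")) findings.Add("Server: header should not be sent");

        // HSTS must be present with max-age of at least one year and includeSubDomains.
        if (!h.TryGetValue("Strict-Transport-Security", out var hsts))
            findings.Add("Strict-Transport-Security: missing");
        else
        {
            var parts = hsts.Split(';').Select(p => p.Trim()).ToArray();
            var maxAge = parts.FirstOrDefault(
                p => p.StartsWith("max-age=", StringComparison.OrdinalIgnoreCase));
            if (maxAge == null
                || !long.TryParse(maxAge.Substring("max-age=".Length), out var seconds)
                || seconds < OneYear)
                findings.Add("Strict-Transport-Security: max-age below one year");
            if (!parts.Contains("includeSubDomains", StringComparer.OrdinalIgnoreCase))
                findings.Add("Strict-Transport-Security: includeSubDomains not set");
        }

        // An API without a UI should close these directives completely.
        if (!h.TryGetValue("Content-Security-Policy", out var cspValue))
        {
            findings.Add("Content-Security-Policy: missing");
            return findings;
        }
        var csp = ParseCsp(cspValue);
        foreach (var directive in new[] { "script-src", "style-src", "object-src", "frame-ancestors" })
        {
            if (!csp.TryGetValue(directive, out var sources))
                findings.Add($"CSP {directive}: not set");
            else if (sources.Contains("'unsafe-inline'", StringComparer.OrdinalIgnoreCase))
                findings.Add($"CSP {directive}: allows 'unsafe-inline'");
            else if (sources.Length != 1
                     || !sources[0].Equals("'none'", StringComparison.OrdinalIgnoreCase))
                findings.Add($"CSP {directive}: expected 'none' for an API without a UI");
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: headers expected from the non-development policy.
        var production = new Dictionary<string, string>
        {
            ["X-Frame-Options"] = "DENY",
            ["X-Content-Type-Options"] = "nosniff",
            ["Referrer-Policy"] = "strict-origin-when-cross-origin",
            ["Cross-Origin-Opener-Policy"] = "same-origin",
            ["Cross-Origin-Embedder-Policy"] = "require-corp",
            ["Cross-Origin-Resource-Policy"] = "same-origin",
            ["Permissions-Policy"] = "accelerometer=(), camera=(), fullscreen=*",
            ["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains",
            ["Content-Security-Policy"] =
                "object-src 'none'; block-all-mixed-content; img-src 'none'; form-action 'none'; " +
                "font-src 'none'; style-src 'none'; script-src 'none'; base-uri 'self'; " +
                "frame-ancestors 'none'; require-trusted-types-for 'script'",
        };

        // Constructed sample: the weakened Swagger policy, without HSTS.
        var development = new Dictionary<string, string>(production)
        {
            ["Content-Security-Policy"] =
                "object-src 'none'; block-all-mixed-content; img-src 'self' data:; form-action 'self'; " +
                "font-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; " +
                "base-uri 'self'; frame-ancestors 'none'",
        };
        development.Remove("Strict-Transport-Security");

        foreach (var (name, headers) in new[] { ("production", production), ("development", development) })
        {
            var findings = Audit(headers);
            Console.WriteLine($"{name}: {findings.Count} finding(s)");
            findings.ForEach(f => Console.WriteLine($"  - {f}"));
        }
    }
}
```

In a deployment pipeline, the dictionary passed to Audit would be filled from a real response of the deployed API, and any finding would fail the build.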

Benefits of Adopting an Automated Website Backup Solution

Here’s a brief horror story for website owners. Your web hosting server has crashed, and you have no way of restoring your lost data!

This is a truly horrifying but real possibility that can spell doom for your website. At a time when websites handle the sensitive financial records of their customers, security is a prime concern.

Proactive protection is only one part of the security equation, in which you install firewalls and anti-malware software to keep threats out. However, there’s one more component to security: backup.

Backups are as critical as protection, but seldom get the attention they deserve. The simple act of making copies of your website data at regular intervals can potentially save your website if the worst occurs.

Taking a backup is as simple as making a copy of your website data and storing it safely in a separate location. It can be done manually, but as your website grows and the number of files increases, it becomes a tedious task, and errors can creep in. But there’s a way to back up your website without hassles: automate it!

Automated backups to the rescue

Believe it or not, automation is a great way to take backups. Once set up, automated backup solutions take regular backups with clockwork precision. You can set the frequency of those backups and also choose what gets backed up: code files, CSS files, scripts, and so on.

With an automated backup solution in place, you can rest assured that your website is in safe hands and is being backed up regularly. And if you’re looking for a robust backup tool, look no further than CodeGuard Website Backup, which is one of the most trusted apps in the realm of backups.

Let’s take a closer look at CodeGuard to understand what it offers and how it can protect your website data from being lost.

What is CodeGuard?

CodeGuard is an automated backup tool that stores all your backup data on third-party cloud storage and offers a one-click restore feature. Not only does it save your data at a secure remote location, it also encrypts it using 256-bit encryption.

It is something of an industry standard and packs in a whole lot of features that make it an indispensable tool for website owners. But it does more than just take backups. It monitors your website continuously and notifies you of any changes it comes across. This feature not only keeps you in the loop but also lets you catch any suspicious additions, deletions or modifications made to your website.

The way CodeGuard works is quite straightforward. It gives you a dashboard that shows all the important stats and provides access to its tools. You can configure CodeGuard for your website from here. Add your server’s SFTP details and MySQL database credentials, and let CodeGuard take your website’s first backup.

Once it successfully connects to your website, it takes regular backups of your database and files. You can also take a backup whenever you want. CodeGuard gives you access to all your backups through the dashboard. This is also where you find the one-click restore option. Now that we understand how CodeGuard works, let us look at a few advantages of automated backup solutions in general.

Advantages of an automated backup 

As a website owner, nothing can be handier for you than a tool that takes regular backups of your website without fail. It saves you the hassle of manual backups, which can eat up your valuable time. It frees you from this administrative task so you can concentrate on other important business needs. Here are a few significant advantages of automated backups that will convince you of their usefulness.

It is infallible

A small human error can cost you dearly if you forget to take a backup or inadvertently leave out some files. Not only will you not have the latest data, you may also break your site’s functionality.

In contrast, once you configure an automated backup tool, it will back up your website with unerring consistency and precision. There’s no question of missing files because it makes sure that it gets them all.

It enables instant recovery

Instant recovery is important in making sure that your website doesn’t stay unavailable for long. The longer your website stays down, the more users you may lose.

But that’s not all you may lose. Once a site gains a reputation for unreliability, it loses its credibility as well.

Most modern automated backup tools provide a one-click restore capability, in which the service restores the latest backup almost instantly.

It is cost-effective

A good automated recovery option costs money. But it is more of an investment in peace of mind, one that justifies its cost many times over.

It saves you valuable time by taking backups automatically and can potentially save your website when the time comes.

Also, automated backup tools are available as very cheap subscription plans, which do not burden you with large upfront costs.

It secures your backups

If a backup tool stores your backup data on the same server, you will lose all of your backups along with your data if the server crashes.

An automated backup tool will safely store your backup on third-party cloud storage, where it remains until it is used to restore your website.

Major automated backup tools also secure your data with 256-bit encryption to prevent it from reaching the wrong hands.

It creates versions of your backups

If your website crashes because of a bug in your code, the most recent backup could be useless, because it will contain the same bug.

With versioning, you can track down the bug’s origin and restore your website from the backup version before the bug.

You can even override the tool’s preset storage period if you choose to keep all of your backups forever.

Summing Up

An automated backup tool is a highly recommended investment to ensure your website’s continuity. However, this doesn’t mean that you give up manual backups altogether. A complete backup strategy should include both manual backup efforts and automated backup solutions.

So design a good manual backup strategy and complement it with an automated backup tool like CodeGuard. You can buy CodeGuard on very low-cost subscription plans. Also, most are available as add-ons with your web hosting plans, which makes them easier to integrate.

KLCWEB offers CodeGuard’s automated backup service in the form of highly affordable plans and backs it up with 24X7 award-winning support. Design a hassle-free backup strategy with CodeGuard!

To know more about the other web hosting categories and to choose the right option for your business, visit our Hosting Blogs Category.

How to Secure a Website from Hackers

As a website owner, is there anything more terrifying than the thought of seeing all your work altered or completely wiped out by a nefarious hacker?

We see data breaches and hacks in the news all the time. And you may think, why would someone come after my small business website? But hacks don’t just happen to the big guys. One report found that small businesses were the victims of 43% of all data breaches.

You’ve worked hard on your website (and your brand), so it’s important to take the time to protect it with these basic hacker protection tips.

5 Easy Steps to Secure Your Website from Hackers

You may have worried when starting this post that it would be full of technical jargon that the average website owner would find baffling. Some of our tips further down do get technical, and you may want to bring in your developer for those.

But there are a few things you can do on your own first that don’t involve that much technical knowledge.

1: Install security plugins.

If you built your website with a content management system (CMS), you can enhance your website with security plugins that actively prevent website hacking attempts. Each of the main CMS options has security plugins available, many of them for free.

Security plugins for WordPress:

  • iThemes Security
  • Bulletproof Security 
  • Sucuri
  • Wordfence
  • fail2Ban

Security options for Magento:

  • Amasty
  • Watchlog Pro

Security extensions for Joomla:

  • JHacker Watch
  • jomDefender
  • RSFirewall
  • Antivirus Website Protection

These options address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

In addition, all websites, whether you’re running a CMS-managed site or HTML pages, can benefit from considering SiteLock. SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more. If your business relies on its website, SiteLock is definitely an investment worth considering.

Note: Our Managed WordPress hosting plan has SiteLock built in, along with other features to help secure your website.

2: Use HTTPS

As a consumer, you may already know to always look for the green lock image and HTTPS in your browser bar any time you provide sensitive information to a website. Those 5 little letters are an important shorthand for hacker protection: they signal that it’s safe to provide financial information on that particular webpage.

An SSL certificate is important because it secures the transfer of information, such as credit cards, personal data, and contact information, between your website and the server.

While an SSL certificate has always been essential for eCommerce websites, having one has recently become important for all websites. Google released a Chrome update in 2018. The security update happened in July and alerts website visitors if your website doesn’t have an SSL certificate installed. That makes visitors more likely to bounce, even if your website doesn’t collect sensitive information.

Search engines are taking website security more seriously than ever because they want users to have a positive and safe experience browsing the web. Taking the commitment to security further, a search engine may also rank your website lower in search results if you don’t have an SSL certificate.

3: Keep your website platform and software up-to-date.

Using a CMS with various useful plugins and extensions offers a lot of benefits, but it also brings risk. The leading cause of website infections is vulnerabilities in a content management system’s extensible components.

Because many of these tools are created as open-source software, their code is easily accessible to well-intentioned developers as well as malicious hackers. Hackers can pore over this code, looking for security vulnerabilities that allow them to take control of your website by exploiting any platform or script weaknesses.

To protect your website from being hacked, always make sure your content management system, plugins, apps, and any scripts you’ve installed are up to date.

4: Make sure your passwords are secure.

It’s tempting to go with a password you know will always be easy to remember. That’s why the number 1 most common password is still 123456. You need to do better than that, a lot better than that, to prevent login attempts from hackers and other outsiders.

Make the effort to figure out a truly secure password. Make it long. Use a mix of special characters, numbers, and letters. And steer clear of potentially easy-to-guess keywords like your birthday or kid’s name. If a hacker somehow gains access to other information about you, they’ll know to guess those first.

Holding yourself to a high standard for password security is the first step. You also need to make sure everyone who has access to your website has similarly strong passwords. One weak password within your team can make your website susceptible to a data breach, so set expectations with everyone who has access.

5: Invest in automatic backups.

Even if you do everything else on this list, you still face some risk. The worst-case scenario of a website hack is to lose everything because you forgot to back your website up. A great way to protect yourself is to make sure you always have a recent backup.

While a data breach will be stressful no matter what, when you have a current backup, recovering is much easier. You can make a habit of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind.

All our plans offer automated backup of your website, databases and email (once per month) free of charge.

Protect Your Website from Hackers

Securing your site and learning how to protect against hackers is a big part of keeping your site healthy and safe in the long run! Don’t procrastinate on taking these important steps.

At klcweb, we’ve created a set of custom mod security rules to aid in the protection of your website. If you’re looking for a new web hosting provider, you can click here to sign up for a great deal. For new accounts, we’ll even transfer you for free! After you’ve created an account, you just need to fill out the form here.

Don’t worry about getting tripped up in the process. Try our klcweb support articles or contact one of our customer support experts, who are available 24/7/365 via chat and ticket support. We can help you get secure!

How To Prevent Ransomware?

I’ve been involved with InfoSec long enough to have seen various waves of attack types be developed, have their day in the sun, and fade as the landscape evolved. It’s almost hard to believe now, but once upon a time, denial of service attacks did not have to be massively distributed to be effective; port scans would reveal a wealth of open well-known ports to have fun with (yes, Shodan shows this is still true, but it’s nothing like it once was); simple viruses and worms made their rounds and were defeated by relatively simple signature-based detections, and their next-generation successors were likewise often dispatched with behavioral analysis or sandboxing.

For a number of attack types that burned bright, the story had a pretty clear beginning, middle, and end. We all knew, of course, that as defenses became more successful, adversaries would simply move on to something more effective; but there was satisfaction in seeing different malicious schemes fall by the wayside as defenders got the upper hand against them.

It dawned on me recently that I’d been subconsciously expecting that same crest-and-trough dynamic to play out with ransomware; some low-level process in my head was muttering “surely we’re going to get our arms around this one, too.” Well, it’s pretty clear that it’s not playing out that way.

If anything, we’re probably still on the wrong side of the crest. But, for all the frustration and suffering we’re enduring at the hands of ransomware gangs, the fundamentals of why we’re here aren’t complicated. We know how to prevent ransomware, we’re just not doing it.

That may sound unfairly glib, so let me clarify. First, the statement is not meant in judgment. Security teams are doing extraordinary work, especially in light of what the pandemic threw at them.

Yes, things are bad, but they could be so much worse, and hearty credit goes to our security colleagues, from practitioners to educators to vendors. What I’m driving at is that, by and large, the reason ransomware is such a persistent problem is not that it is technically remarkable or that vulnerabilities are excessive.

Acknowledging that there are some clever tools, and some thorny vulns, the reason ransomware is such a stubborn problem is that it represents the distillation of sets of tactics, techniques, and procedures that have been honed, streamlined, and commoditized. Its evolution mirrors biological evolution: what fails goes extinct, what works survives, and what adapts, thrives.

But haven’t defenses evolved, too? They have, and in some innovative and exciting ways. But the problem is similar to the concept of entropy: there are many, many different states of disorder in which an adversary can survive and achieve goals, while the successfully defended environment is an ordered state, and thus demands more energy to maintain.

Malware and malicious actors, then, can evolve in an essentially infinite number of ways and achieve their goals. Defenses, on the other hand, also have to evolve, but with a relatively small number of ordered conditions being the only safe states.

Ransomware is a Shape-Shifter

With a few exceptions, the building blocks of a ransomware campaign, and the conditions of the victim environment necessary for the campaign to succeed, are very familiar. Initial access is almost always through phishing or some other means of credential theft. Lateral movement is aided by unsegmented networks and uneven controls over identity and authorization.

Various stages are enabled by the exploitation of known, but unpatched, vulnerabilities. Recovery is hampered by inadequate backups or backups that become infected with the same malware that brought the network down in the first place. (Recovery also now involves dealing with the potential fallout from data leaked or sold by the ransomware actors, it should be noted.)

Almost every item in the preceding paragraph is a problem that, in and of itself, is well understood and for which good solutions exist. What ransomware is showing us is that it is a rare environment in which every box is checked. It looks like a game of Whack-A-Mole because it is very much like that. Got good phishing protection in place? Great! But valid credentials can leak in other ways. Got everything patched? Rock on!

But privileges can be escalated without exploiting a vulnerability. Got the network segmented robustly? Excellent! But what happens when the stolen credentials get directly into a “crown jewels” subnet, or when stolen creds allow traversal of the segmented boundaries? You see the point. Ransomware is not a monolithic thing. It is a shape-shifter. It’s the big-fish-shaped school of small fish, each individually easy to dispatch, but collectively packing a big bite.

Helpful Ransomware Resources

So where does this leave us? Well, if there’s any silver lining to the ransomware crisis, and calling it such seems reasonable, it is that it has mobilized a lot of great work across both the public and the private sector to help everyone deal with it. Following are some of the resources I have found particularly enlightening and encouraging:

President Biden’s Cybersecurity Executive Order: while this EO does not actually mention the word “ransomware,” it does target a number of the individual factors that have allowed ransomware to proliferate.

It touches on thwarting cybercrime at its source, through things like improvements in information sharing, and at its destination (the victim environment) through improvements to cloud security policies and supply chain hardening. While this applies to the federal government and not the private sector, the private sector will see some tailwinds as a result.

NIST’s (National Institute of Standards and Technology) draft Cybersecurity Framework Profile for Ransomware Risk Management: this document takes specific components of the NIST Framework and applies them to ransomware. This document was part of the inspiration for this blog because the individual controls and practices all relate to addressing the individual TTPs that make up typical ransomware campaigns.

CISA’s (Cybersecurity and Infrastructure Security Agency) new Ransomware Risk Assessment module within the CSET (Cyber Security Evaluation Tool) is a great tool for helping organizations evaluate their security posture with respect to the ransomware threat. Some organizations will especially appreciate the analysis dashboard feature.

IST’s Ransomware Task Force’s report: this is the most comprehensive framework yet devised specifically to combat ransomware. It has broad recommendations for both the public and private sector, organized around 4 key goals: deterring attacks, disrupting the ransomware business model, helping organizations prepare, and developing more effective responses to ransomware attacks. It is a substantial (70+ page) read, but worth the time.

The free Playbook Viewer from Palo Alto Networks’ Unit 42 team: this interactive tool (which is not only focused on ransomware) gives defenders a great way to become more familiar with the TTPs used by different groups, and it’s organized around the MITRE ATT&CK framework, which helps draw a through-line from the myriad threat groups that make the news to the specific controls the blue team needs to be on top of.

KLCWEB research’s latest Defender’s Guide to the most prolific ransomware groups, which includes a complete visual map of groups and tooling, is another great way to help maintain situational awareness in the absolute blizzard of ransomware news and articles on the Internet.

The Takeaway

None of the above resources is a silver bullet, but I hope one of the takeaways here is that we don’t need silver bullets. We already have technologies and techniques that are known to be effective against most of the TTPs that compose a ransomware attack. The heightened attention on the ransomware problem, and the great work being done to help defenders, may help organizations in the important work they do on their threat modeling and their security posture, and, ultimately, we just might turn the tide. The ransomware story has had a beginning and middle; with some of the work described here, there’s hope that it will also have an end.

WordPress 5.8 Release Candidate

The first release candidate for WordPress 5.8 is now available! 🎉

Please join us in celebrating this very important milestone in the community’s progress towards the final release of WordPress 5.8!

“Release Candidate” means the new version is ready for release, but with thousands of plugins and themes and differences in how the millions of people use WordPress, it is possible something was missed. WordPress 5.8 is slated for release on July 20, 2021, but your help is needed to get there—if you have not tried 5.8 yet, now is the time!

You can test the WordPress 5.8 release candidate in three ways:

  • Install and activate the WordPress Beta Tester plugin (select the Bleeding edge channel and then Beta/RC Only stream)
  • Directly download the release candidate version (zip)
  • Using WP-CLI to test: wp core update --version=5.8-RC1

Thank you to all of the contributors who tested the Beta releases and gave feedback. Testing for bugs is a critical part of polishing every release and a great way to contribute to WordPress.

What is in WordPress 5.8?

The second release of 2021 continues to progress on the block editor towards the promised future of full site editing with these updates:

  • Manage Widgets with Blocks
  • Display Posts with New Blocks and Patterns
  • Edit Post Templates
  • Overview of the Page Structure
  • Suggested Patterns for Blocks
  • Style and Colorize Images
  • theme.json
  • Dropping support for IE11
  • Adding support for WebP
  • Adding Additional Block Supports
  • Version 10.7 of the Gutenberg plugin

WordPress 5.8 also has lots of refinements to enhance the developer experience. To learn more, subscribe to the Make WordPress Core blog and pay special attention to the developer notes tag for updates on those and other changes that could affect your products.

Plugin and Theme Developers

Please test your plugins and themes against WordPress 5.8 and update the Tested up to version in the readme file to 5.8. If you find compatibility problems, please be sure to post to the support forums, so those can be figured out before the final release.

The WordPress 5.8 Field Guide, due to be published very shortly, will give you a deeper dive into the major changes.

How to Help

Do you speak a language other than English?  Help us translate WordPress into more than 100 languages!  This release also marks the hard string freeze point of the 5.8 release schedule.

If you think you have found a bug, you can post to the Alpha/Beta area in the support forums. We would love to hear from you! If you are comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.


WordPress 5.8 Beta 2 and Gutenberg Highlights

WordPress 5.8 Beta 2 is now available for testing!

This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with it.

You can test the WordPress 5.8 Beta 2 in three ways:

  • Install/activate the WordPress Beta Tester plugin (select the Bleeding edge channel and the Beta/RC Only stream)
  • Direct download the beta version here (zip).
  • You can sign up for a WordPress hosting package and test WordPress 5.8 Beta 2

The current target for the final release is July 20, 2021. That’s just five weeks away, so your help is vital to ensure that the final release is as good as it can be.

Some Highlights

Since Beta 1, 26 bugs have been fixed. Here is a summary of some of the included changes:

  • Block Editor: Remove bundled block patterns and support the patterns directory. (#53246)
  • Block Editor: Add a type property to allow Core to identify the source of the editor styles. (#53175)
  • Build/Test Tools: Adds some tests for the Quick Draft section in Dashboard. (#52905)
  • Build/Test Tools: Replaced @babel/polyfill with core-js/stable. (#52941)
  • Coding Standards: Further update the code for bulk menu items deletion to better follow WordPress coding standards. (#21603)
  • External Libraries: Update Underscore to version 1.13.1. (#45785)
  • General: A number of block editor, template mode, and widget screen-related fixes. (#51149)
  • Login and Registration: Improve the unknown username error message. (#52915)
  • Media: Restore AJAX response data shape in the media library. (#50105)
  • Site Health: Display a list of file formats supported by the GD library. (#53022)
  • Twemoji: It’s the new one! (#52852)

Gutenberg Highlights

During WordCamp Europe, this past Wednesday Matt and I gathered to discuss the latest developments of Gutenberg and to share a video with some of the current and upcoming highlights. The video is wonderfully narrated by @beafialho and it was a great opportunity to celebrate all the incredible work that contributors are doing around the globe to improve the editing and customization experience of WordPress. For those that weren’t able to attend live it’s now available for watching online.


Managed and Unmanaged Dedicated Hosting

Managed and Unmanaged Dedicated Server Hosting is a type of web hosting in which users have a whole server to themselves. This includes all of the server resources, including storage, RAM, and all of the CPU cores. In most other types of hosting, the resources of a server are, in one way or another, shared among multiple websites. In Dedicated Hosting, however, one server, with all its resources, is allotted to one user only.

It’s important to note that small, new websites with little traffic don’t have any need for Dedicated Hosting. However, a website that has grown and deals with lots of traffic will benefit immensely from Dedicated Hosting.

For starters, you don’t share the resources of the server, meaning you get more storage and performance. Also, a large website holds a lot of customer data, which means that security is a real concern.

Dedicated Hosting is very secure, since there aren’t any other vulnerable websites on the server. Also, because you’re the only one using the server, you can configure the server however you want. This means that there are several steps that you can take to improve security. For instance, you can prevent your applications from accessing the internet unless they really have to, reducing your exposure and hence increasing the security of your website.

What is Unmanaged Dedicated Hosting?

Unmanaged hosting is the ‘default’ type of hosting plan, so to speak. When you buy a Dedicated Hosting plan, unless they mention otherwise, what you’re getting is Unmanaged Dedicated Hosting.

As the name suggests, the hosting provider doesn’t get involved here in terms of ‘management’. You get server resources and an operating system, and that’s about it. It is your responsibility to keep your website up to date and secure. It’s important to note that you are also responsible for installing and maintaining base software like PHP and Apache.

What is Managed Dedicated Hosting?

Managed hosting is a feature that hosting companies offer in which they actively ‘manage’ your hosting plan. There are several things that the company will handle for you.

1. Backups

Backups are important for your website. In case of data loss, they may be your only way out. So, you need a strong backup and recovery strategy. If you opt for managed hosting, your hosting company will manage these backups for you. They will create backups, keep them securely, and, in case of data loss, use your backups to restore your website.

2. Security

Security, obviously, is essential for websites, particularly large websites that hold a lot of customer data. When you choose a managed hosting plan, security experts from your web hosting provider are in charge of the security of your website.

Regular malware scans are carried out, and all identified problems are dealt with by these experts. Additionally, the company’s experts may also optimize configurations to ensure maximum security.

3. Support

Now, even with unmanaged hosting, you get customer support, and some companies do it brilliantly. However, not everyone offers great customer support. When you have a managed hosting plan, you get better customer support, given that you’re paying extra fees to the company.

Here, it’s important to note that this may not be the case with all hosting companies. Some companies provide excellent support no matter what plan you’re using. However, having a managed hosting plan puts you ahead in the line.

Managed vs Unmanaged Dedicated Server Hosting: Which one is best for you?

Reasons to opt for Unmanaged Dedicated Hosting: 

Unmanaged hosting, if you haven’t guessed it already, is the cheaper option here. But that’s not the only reason some people choose it. Unmanaged Dedicated Hosting gives you complete freedom to set up your website exactly the way you want it. In managed hosting solutions, there’s always someone from your hosting company involved. With unmanaged hosting, you get full freedom.

Also, some companies have an in-house tech team. If you have access to a tech team or if you’re an expert yourself, managed hosting makes little sense.

Reasons to opt for Managed Dedicated Hosting:

Managed hosting has always had many takers. This is because managed hosting is all about making your life easier. You entrust the responsibilities of maintaining your server to experts and leave it at that. The company, for a fee, looks after everything.

You don’t have to worry about whether your website is secure, whether malware scans are happening regularly, whether your website is truly as secure as it can be, whether all of the necessary packages are updated, or anything else, really.

For those who aren’t experts on hosting, managed hosting plans definitely make much more sense. It would cost them more to hire expertise on their own. So, they pay a small fee to the hosting company and spend their time concentrating on their business.

Comparison Between managed and unmanaged

Parameters | Managed | Unmanaged
Freedom | Lower. The company has a say in things, to an extent. | High. You control everything.
Price | High. The company is providing added services for general management and maintenance. | Lower. The provider only offers servers and basic management.
Your involvement | Low. You don’t really have to be involved at all. The company takes care of pretty much everything. | High. There are a lot of things that need to be done on a regular basis, and you or your team must do all of it.
Your responsibility | Low. You’re not really held responsible for anything in terms of backups, security, and so on. You pay the company to do all that for you. | High. The onus of keeping your website secure and updated is on you.

Conclusion

So, there you have it. If you want a hassle-free, but slightly more expensive, hosting solution in which all issues are handled by experts within the hosting company, Managed Dedicated Hosting is for you. However, if you have an in-house tech team or if you’re an expert yourself, Unmanaged Dedicated Hosting is probably a better solution for you.

KLCWEB offers robust and feature-rich Dedicated Hosting plans. We offer SSD-based storage, full root access, a server administration panel, the WHM control panel, DDoS protection, and instant server provisioning. Enjoy 24×7 dedicated support from our in-house server experts. You can contact us for more information regarding our Dedicated Server plans.


WordPress 5.8 Beta 1

WordPress 5.8 Beta 1 is now available for testing!

This software is still in development, so it is not recommended to run this version on a production site. Instead, we recommend that you run this on a test site to play with the new version, or you can test this version with a KLCWEB WordPress hosting plan.

You can test the WordPress 5.8 Beta 1 in two ways:

The current target for the final release is July 20, 2021. This is just six weeks away, so your help is vital to ensure this release is tested properly and as good as it can be.

Keep your eyes on the Make WordPress Core blog for 5.8-related developer notes in the coming weeks, breaking down these and other changes in greater detail.

So what’s new in this 5.8? Let’s start with some highlights.

Highlights

Powerful Blocks

  • Discover several new blocks and expressive tools, including blocks for Page Lists, Site Title, Logo, and Tagline. A powerful Query Loop block offers multiple ways for displaying lists of posts and comes with new block patterns that take advantage of its flexibility and creative possibilities.
  • Interacting with nested blocks has been made easier with a permanent toolbar button for selecting a parent. Block outlines are shown when hovering or focusing on the different block type buttons. Block handles are now also present for drag and drop when in “select” mode.
  • Introduces the List View, a panel that can be toggled and helps navigate complex blocks and patterns.
  • Reusable blocks have an improved creation flow and support for history revisions.
  • A cool new duotone block adds image effects which can be used in media blocks or supported in third-party blocks. Color presets can also be customized by the theme.

Handpicked Patterns

Patterns can now also be recommended and selected during block setup, offering powerful new flows. Pattern transformations are also possible and allow converting a block or a collection of blocks into different patterns.

New collection of Patterns and an initial integration with the upcoming Pattern Directory on WordPress.org.

Better Tools

  • New template editor that allows creating new custom templates for a page using blocks.
  • Themes can now control and configure styling with a theme.json file, including layout configuration, block supports, color palettes, and more.
  • New design tools and enhancements to existing blocks, including more color, typography, and spacing options, drag and drop for Cover backgrounds, additions to block transformation options, ability to embed PDFs within the File block, and more.
  • Includes improvements to how the editor is rendered to more accurately resemble the frontend.

Internet Explorer 11

Support for Internet Explorer 11 is ending in WordPress this year. In this release, most of those changes are being merged so use the Beta and RC periods to test!

Blocks in Widgets Area

  • You can now use any block in your theme’s widget areas using the all-new Widgets screen and updated Customizer.
  • Existing third-party widgets continue to work via the Legacy Widget block.
  • Not quite ready for a full switch? To ease the transition, users can use the Classic Widgets plugin and themes can call remove_theme_support( 'widgets-block-editor' ).

How You Can Help

Do some testing!

Testing for bugs is an important part of polishing the release during the beta stage and a great way to contribute.

If you think you’ve found a bug, please post to the Alpha/Beta area in the support forums. We would love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac. That’s also where you can find a list of known bugs.

Improvements in this Release

  • Improvements to Reusable blocks, Cover block, Table block, ListView, Rich text placeholder, Template Editing Mode, Block Inserter, and Top Toolbar
  • Query loop block that uses a query/filter to create a flexible post list based on templates. Best used with patterns.
  • Parity refinement between editor and frontend, Standardization to block toolbars organization
  • Block widgets in the Customizer
  • Introducing the Global Styles and Global Settings APIs: control the editor settings and available customization tools and style blocks using a theme.json file. The template editor opens inside an iframe to more accurately resemble the front end.
  • Ability to transform Media and Text into Columns
  • Embedded PDFs within File block
  • Spacing options for Social Links and Buttons, Spacer block width adjustments
  • Twemoji has been updated to version 13.1, bringing you many new Emoji.
  • Editor performance improvements
  • Hide writing prompt from subsequent empty paragraphs
  • More descriptive publishing UI
  • Added capability to set the default format for image sub-sizes as well as WebP support
  • Added widgets block editor to widgets.php and customize.php
  • Added block patterns to default themes
  • Added ability to mark a plugin as unmanaged
  • Enable revisions for the reusable block custom post type
  • Enqueue script and style assets only for blocks present on the page
  • Abstracted block editor configuration by deprecating existing filters and introducing replacements that are context-aware
  • New sidebars, widget, and widget-types REST API endpoints
  • Added support for modifying the term relation when querying posts in the REST API
  • Site Health now supports custom sub-menus and pages
  • Themes now display the number of available theme updates in the admin menu
  • Speed cached get_pages() calls
  • Underscore updates from 1.8.3 to 1.9.1

How to check the performance of your rich results in Google Search Console

Adding structured data to your web page is a great way of describing your content to Google so that it is easier for it to understand your pages. Once you’ve added it, you can monitor the performance of your rich results in Google Search Console. This tool gives you everything you need to get the most from your rich results.

Google Search Console helps improve your structured data implementation

Google Search Console is a crucial tool for every type of website owner. In it, you’ll find a range of tools that help you improve your website in a technical sense as well as provide better content for your visitors. One way it does this is by giving you insights into the technical implementation of your structured data enhancements and the performance of those rich results in the search results.

In this post, we’re not going to focus on the technical part. We’re not going to explain how to fix issues that can arise with your structured data enhancements. This time, we’re examining how your rich results are doing in Google’s search results pages.

What is the Search Appearance report?

The Search Appearance report in Search Console shows all of the types of rich results your content has earned. What’s more, it gives you information on how people interacted with those rich results, which allows you to improve the content for those rich results.

  • Clicks: the number of clicks from a search query on a search result page that ended up on your site.
  • Impressions: how many times a user saw a mention of your search result. Every visit to the search results page counts as an impression, and your result doesn’t have to be in view to be counted. Of course, if your listing appears on the next page and the visitor doesn’t get there, it won’t count as an impression.

If you click on a type of rich result in the Search Appearance section, you get extra stats like the CTR and the average position of your search results. You can do everything you usually do in Search Console and add even more filters to fine-tune your data from this page. You could, for instance, look only at mobile usage or at how visitors from particular countries have interacted with your content.

How to use the Performance report for your rich results

As with all things Search Console, there is a lot you can do. But there’s no one-size-fits-all solution that’ll work for everyone in every situation. If you want a few essential insights into your search performance, you can get them here. If you’re going to run complex queries and find data to power your dashboards, you can find it here as well.

Want to get a feel for how your rich results are doing? Of course, you do! The least you can do is regularly check Search Console. Go to Performance > search results to open the report. Then, you can find the Search Appearance reports in two ways: by adding a new filter from the top bar called Search appearance or by clicking the Search Appearance tab underneath the graph.

Performance report

Picking your rich result

Picking this option gives you a great overview of all your rich results that Google found. Keep in mind that the report only shows the types of rich content that Google encountered on your site.

However, if you are sure you’ve added a particular type, but it doesn’t appear here, it might be broken. Check the Enhancements section on the left-hand side of the screen, choose your enhancement, and see if there are errors to be found.

It also might be that you’ve added stuff that Google doesn’t award with a rich result. You won’t find those here. Of course, it might be that Google will add specific rich results for those in the future, so sometimes it makes sense to add that structured data anyway. Just make sure that your structured data is valid, so don’t forget to test it in the Rich Results Test or the Schema Validator.

Google still throws some stuff together in a non-descript bucket named Rich results. Shortly, that bucket might be gone, as Google will increasingly add separate sections for each type of rich result. Note that Google said that every rich result type has slightly different behavior attached to it, so it makes sense to split everything.

Looking at a performance chart for FAQ rich results

Picking a specific rich result (the FAQ in this case), you can start to look at the data a little more closely. In the screenshot below, you’ll see the overview data for this content type over a three-month period. This concerns all the content to which you’ve added valid FAQ structured data.

You’ll notice the total clicks, impressions, CTR, and average position of your FAQs. This way, you’ll get a sense of how this type of content is performing on your site, and you also get a rough idea of the way people are interacting with it.

FAQ rich result.

Drilling down

Of course, it gets more interesting when you start drilling down. In the screenshot below, we are looking at a specific page that shows odd behavior, something we can all see, right?

Drilling Down

This page had an FAQ rich result that went from nothing to something to nothing. If you find something like this, it might be that Google’s behavior for this type of result has changed. It may be that it no longer shows an FAQ rich result for that term or page.

We know Google is stricter in showing FAQ rich results these days, which might have something to do with it. Or maybe your FAQ is incomplete or resulted in a faulty document?

Also, it might be that your competitor produced a better FAQ page, stealing your rich result. Search for the FAQ content in Google to see if that is the case. You’ll also notice if Google doesn’t show an FAQ for that term anymore. But if your competitor has stolen it, that means you need to improve yours, especially if that is a page that means a lot to you and your business. Don’t assume that you’ll get it back if you sit there resting on your laurels.

This is just a simple example of what you can find if you monitor your rich results in Google Search Console. Using this data, you can start improving your content to make your rich results perform even better. Of course, you can also use the data to target new ones!

Do more with your reports

Google Search Console is a cool tool that’ll help you get quick insights, but it also caters to the power user. For example, you can export your data to analyze in Sheets or Excel or build a Data Studio dashboard. Comfortable with regex? Then you can run complex queries that’ll help you get even more data based on your specific filters. Google has more information on how to do that.

As stated before, there’s no one way of using Search Console; just remember that you should use it!

Checking your rich results in Search Console

This post gave a quick overview of how you can use Google Search Console to keep an eye on the performance of your rich results. Even if you use it to monitor just a couple of key posts, it’s going to be worth its weight in gold. If you’re more experienced, you might use the data to power the dashboards you built in Google Data Studio. Whatever you do, don’t sleep on this feature!

Read SEO basics to improve your site ranking on Google.

A New Design is Coming to WordPress News

After many years of a tidy, white-space filled design on WordPress.org/news it’s time to bring new life to the way we present our content. So much has changed since this site was first created: the people who read it, the type and variety of what is published, even the way WordPress works has changed.

Which means it makes sense to change our theme.

Earlier this year, Matt requested a new design from Beatriz Fialho (who also created the State of the Word slides for 2020). The design keeps a clean, white-space-friendly format while incorporating a more jazzy, playful feeling with a refreshed color palette. More detail on this modern exploration has been posted on make.wordpress.org/design. I encourage you to stop by and read more about the thoughts behind the coming updates, and keep an eye out for the new look here and across WordPress.org!


Internet Explorer will reach end of life in 2022 (IE Death)

Shocking news about IE’s death: a 25-year-old veteran of the Internet, Internet Explorer will finally be put out to pasture in 2022.

Microsoft has been trying to move away from IE (and all the jokes about the buggy browser) since 2015 when it released the new Edge browser. But almost all of us know someone, maybe that family member who always calls for tech support, who refuses to let go of the magic button on their desktop that connects them to the Internet.

In the announcement on Microsoft’s blog, Microsoft said they will be transitioning away from Internet Explorer on June 15, 2022.

In response, WordPress will be dropping support for Internet Explorer with the next version, WordPress 5.8, due out in July 2021.

The death of IE will make a huge difference for companies that provide support for their services. Users who rely on (often older versions) of Internet Explorer discover that websites don’t always function as intended, but often these users are less tech-savvy and are hesitant to install a newer or different browser. The shift to Edge will also help website designers who have to ensure their designs or functionality works in all current browsers. Once IE is deprecated, customer support staff and engineers will no longer have to worry about the IE holdouts.

For IE holdouts, you have a year to switch either to Microsoft Edge (which comes with Windows 10 and will have an Internet Explorer mode), or to another current browser such as Chrome, Safari, or Mozilla Firefox.

Easy peasy, right? For individuals, it’s as simple as downloading a new browser.  As Microsoft acknowledges, some companies or nonprofit organizations may still be running Internet Explorer, or have legacy IE-based websites and apps.

Microsoft reassures such organizations that Internet Explorer mode in Microsoft Edge will be supported through at least 2029. If you need more information about how to migrate systems and apps, there are additional links within the announcement from Microsoft. 
