Posts Tagged ‘Security’

WordPress under gpc_10805 attack

Tuesday, September 8th, 2009

WordPress


A lot of information about the latest attack on WordPress-managed sites can be found at:
http://mashable.com/2009/09/05/wordpress-attack/
http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/
http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection.html
http://www.andysowards.com/blog/wordpress/breaking-wordpress-mysql-injection-how-to-fix-latest-attack-evalbase64_decode_serverhttp_referer/
http://www.seanrees.com/2009/09/02/well-an-update-worth-its-salt/
But note that WordPress sites are not the only ones attacked in this manner; look at
http://www.webdeveloper.com/forum/showthread.php?p=1032611
Plain HTML-only sites are attacked by this robot too.

Read the rest of this entry

WordPress Security: Silence is golden. Part 2.

Sunday, September 6th, 2009

display_errors OFF


Some shared hosting providers don't turn off PHP error display by default. If you don't change this default PHP configuration setting either, your blog has a vulnerability, or even a real security problem. Why do I call it a security problem? Because it can lead to exposure of the absolute path to your WordPress installation: any PHP warning or notice printed into a page contains the full server path of the file that raised it. Let's check together. Put this little script into your blog root folder, named for example phpinfo.php:

<?php
phpinfo();
?>

Call it from the browser as http://yourBlogURL/phpinfo.php
You will see the standard 'PHP Info' page with the values of the various PHP configuration parameters. Now check the display_errors value in the 'PHP Core' section. Delete phpinfo.php as soon as you have read it: that page discloses far more about your server than display_errors alone, and it should never stay reachable from the web.

Read the rest of this entry
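Here is an added check script of my own (not code from the original post) that does the same job as the phpinfo.php step without leaving a full phpinfo() page on the server, and that also shows the ini_set() lines which send errors to a log file instead of the visitor's browser. It needs PHP 7.1 or later; the log path /home/example/php-errors.log is an assumed placeholder.

```php
<?php
// Added example, not code from the original post. Upload as check-errors.php,
// open it once in the browser, read the report, then delete it again.

/** The ini settings that decide whether PHP errors (and with them the absolute
 *  path of the failing file) end up in the HTML sent to visitors. */
function error_display_settings(): array
{
    $keys = ['display_errors', 'display_startup_errors', 'log_errors', 'error_log', 'html_errors'];
    $settings = [];
    foreach ($keys as $key) {
        $settings[$key] = (string) ini_get($key);
    }
    return $settings;
}

/** True when the running configuration shows errors to visitors. ini_get()
 *  returns the raw php.ini text, so "1", "On" and "true" all mean enabled. */
function leaks_errors_to_browser(): bool
{
    $value = strtolower(trim((string) ini_get('display_errors')));
    return !in_array($value, ['', '0', 'off', 'false', 'no', 'none', 'stderr'], true);
}

/** The hardening. The body of this function is what belongs near the top of
 *  wp-config.php (or in php.ini / .user.ini when the host lets you edit one):
 *  keep reporting everything, but only into a log file the web server does
 *  not serve. $logfile is an assumed path; it must be writable by PHP. */
function silence_errors_for_visitors(string $logfile): void
{
    error_reporting(E_ALL);
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', $logfile);
}

function print_report(string $title): void
{
    echo "$title\n";
    foreach (error_display_settings() as $key => $value) {
        printf("  %-24s %s\n", $key, $value === '' ? '(empty)' : $value);
    }
    echo leaks_errors_to_browser()
        ? "  => PHP errors, including absolute server paths, ARE shown to visitors\n"
        : "  => PHP errors are not shown to visitors\n";
}

header('Content-Type: text/plain');
print_report('Current settings:');

// Change the settings for this request only, which also proves they can be
// overridden from PHP code even where the host's php.ini is not editable.
// If "After" still reports leaking, the host has locked the value
// (php_admin_flag in the Apache config) and only they can change it.
silence_errors_for_visitors('/home/example/php-errors.log');   // assumed path
print_report('After ini_set():');
```

Run it through the web server, not from the command line: the CLI reads a different php.ini and often has display_errors set to stderr, so a CLI result says nothing about what your visitors see.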

Is new installed WordPress plugin package clean?

Saturday, August 29th, 2009

Security


In this post I want to talk about the cleanness of WordPress plugin packages. I call a package clean if it doesn't contain any unnecessary files. Unnecessary files, together with the leftover garbage that comes with them, can lead to a real security problem. Let's take my latest download as an example: the well-known WordPress plugin WP-Forum by Fredrik Fahlstad. For anyone new to this plugin, it is a simple discussion forum plugin for WordPress. You can download it from Fredrik's site http://fahlstad.se/wordpress/plugins/wp-forum/.
I went to the plugin's home page http://www.fahlstad.se/wp-plugins/wp-forum/ and downloaded the version 2.4 installation package.
Inside this package .zip file, in addition to the core plugin code files, we can see:

Read the rest of this entry

Silence is golden

Friday, August 28th, 2009

Silence is golden


Is your new WordPress plugin secure? Have you noticed the small, only 30-byte index.php file in WordPress folders such as wp-content and wp-content/themes? The WordPress developers put it there for a security reason. The explanation is simple: if somebody types a URL like
http://www.yourblog.com/wp-content/plugins/
into his browser, he cannot see the full folder contents, its subfolders and files. Of course there are other ways to hide the directory listing from visitors, for example with an .htaccess directive (Options -Indexes), but this empty index.php file is the simplest and most straightforward one, and it works even where .htaccess overrides are disabled. Note that it only hides the listing: a file whose name is known can still be requested directly.
Some WordPress plugin developers ignore this issue and don't put such an empty index.php file into their plugin folders and subfolders.
It is highly recommended that you check for this file in the newly installed plugin folder and its subfolders after every new WordPress plugin installation. Put this index.php file

<?php
// Silence is golden.
?>

there yourself if the plugin's author missed it.
I made a plugin to do this job automatically. You can read about it at Silence is Golden Guard WordPress Plugin; the download link is available there as well.
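For readers who would rather run a one-off script than install a plugin, here is an added example of my own (not the author's Silence is Golden Guard plugin) that walks a plugin folder, reports every sub-folder without an index.php, and writes the 30-byte guard file into them. The folder tree created in the demo section is constructed; point folders_missing_guard() at a real wp-content/plugins/your-plugin path to use it.

```php
<?php
// Added example, not the author's Silence is Golden Guard plugin.
// Finds folders under a root that lack index.php and creates the guard there.

// Exactly the 30 bytes WordPress itself ships in wp-content/index.php.
const GUARD_FILE = "<?php\n// Silence is golden.\n?>";

/** All directories under $root (including $root itself) with no index.php. */
function folders_missing_guard(string $root): array
{
    $dirs   = [rtrim($root, DIRECTORY_SEPARATOR)];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $entry) {
        if ($entry->isDir()) {
            $dirs[] = $entry->getPathname();
        }
    }
    $missing = [];
    foreach ($dirs as $dir) {
        if (!is_file($dir . DIRECTORY_SEPARATOR . 'index.php')) {
            $missing[] = $dir;
        }
    }
    sort($missing);
    return $missing;
}

/** Write the guard into each listed folder; returns the paths created. */
function add_guards(array $dirs): array
{
    $created = [];
    foreach ($dirs as $dir) {
        $target = $dir . DIRECTORY_SEPARATOR . 'index.php';
        if (is_file($target)) {
            continue;                     // never overwrite a real index.php
        }
        if (file_put_contents($target, GUARD_FILE, LOCK_EX) === strlen(GUARD_FILE)) {
            $created[] = $target;
        }
    }
    return $created;
}

// Demo on a constructed plugin tree: the author guarded the top folder only.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-plugin-' . getmypid();
foreach (['', '/css', '/js', '/js/vendor'] as $sub) {
    mkdir($root . $sub, 0755, true);
}
file_put_contents($root . '/example-plugin.php', "<?php\n/* Plugin Name: Example */\n");
file_put_contents($root . '/index.php', GUARD_FILE);
file_put_contents($root . '/css/style.css', "body { margin: 0 }\n");
file_put_contents($root . '/js/app.js', "console.log('hi');\n");

echo "Folders without index.php:\n";
foreach (folders_missing_guard($root) as $dir) {
    echo "  $dir\n";                      // css, js and js/vendor
}
$created = add_guards(folders_missing_guard($root));
printf("Created %d guard file(s); still missing: %d\n",
    count($created), count(folders_missing_guard($root)));
```

The guard is written with an exact length check and never over an existing index.php, so running the script twice, or over a folder whose index.php is a real page, is harmless. Remember what it does not do: a directory with a guard still serves every file in it to anyone who knows the name, so the guard is a complement to, not a replacement for, keeping unnecessary files out of the package in the first place.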