WP 2.6: Security Check Before The Upgrade.

  1. WordPress 2.6 is out. It's time to upgrade.

    Just don't forget to run a security check before the upgrade.

    When you are upgrading a compromised blog, the new version will remain
    compromised. Hackers can leave a backdoor script, create a new user or
    steal your admin's password. This way even the very new and secure
    WordPress 2.6 can be exploited.

    Here are two relatively new tools to help you:

    • WordPress Exploit Scanner - This plugin searches the files and database of your website for signs of suspicious activity. It will not stop someone hacking into your site, but it may help you find any uploaded or compromised files left by the hacker.

      Current version 0.1 (released on June 26, 2008) was designed for WordPress 2.5.1. So use it before the upgrade and then deactivate. You can use it with WordPress 2.6 but it may report more false positives. I guess we can expect a new version of the plugin pretty soon.

      By the way, this plugin displays warnings for its own file. Just skip
      warnings for exploit-scanner.php - the plugin finds its own list of suspicious strings.

      Another false positive is PSpellShell.php file from the original TinyMCE package.

      If the plugin reports other files - take a closer look at them.

    • If you don't feel like installing anything or your current WP version is not 2.5.1, you can try the Unmask Parasites online service to check individual web pages for hidden illicit content (i.e. invisible spam links, malicious scripts and redirects).
      This simple service is in its beta stage (released on July 1, 2007). Since it doesn't have access to your server, it can only reveal exploits visible in the HTML source code of your web pages.

    Both tools can reveal most common types of WordPress exploits but don't guarantee 100% accuracy of their tests. And they won't remove anything. However, in a world where thousands of WordPress blogs have been compromised and exploited by hackers, the security check step is a must and these tools do their best to help you.

    Happy upgrade!

    P.S. If you know other similar tools, leave their links in this thread.

  2. Correction: The Unmask Parasites service was released on July 1, 2008 (not 2007).

  3. For some reason the WordPress Exploit Scanner has still not been updated to work with WP 2.6(.1).
    However it still works. It just reports one more false positive: "Text/Diff/Engine/shell.php" as this file uses the Unix diff program via shell_exec.
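    As an added example (not code from this thread, from the WordPress Exploit Scanner plugin, or from Unmask Parasites), the Python script below shows the kind of check the scanner is described as doing: it walks a site tree, flags PHP files containing strings commonly seen in injected scripts, and marks the three known false positives named in this thread (exploit-scanner.php, PSpellShell.php and Text/Diff/Engine/shell.php) instead of silently dropping them, so a file that merely reuses a benign name still shows up in the report. The pattern list, the sample files and their paths are constructed assumptions, and the "injected" sample carries an inert placeholder, not a working payload.

```python
import os
import re
import tempfile

# Constructed heuristic list; these are not the plugin's own signatures.
# The calls below appear in injected backdoors but also in legitimate code,
# so every hit needs a human look, as the thread advises.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "shell_exec": re.compile(r"\bshell_exec\s*\("),
    "system": re.compile(r"\bsystem\s*\("),
    "passthru": re.compile(r"\bpassthru\s*\("),
}

# Files this thread reports as known false positives, matched by path suffix.
KNOWN_FALSE_POSITIVES = (
    "exploit-scanner.php",          # the scanner plugin's own string list
    "PSpellShell.php",              # shipped with TinyMCE
    "Text/Diff/Engine/shell.php",   # runs the Unix diff program via shell_exec
)


def scan_file(path, root):
    """Return a finding dict for one file, or None if nothing matched."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return None
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
    if not hits:
        return None
    # Known false positives are tagged, not hidden: a backdoor could reuse the name.
    known = any(rel.endswith(suffix) for suffix in KNOWN_FALSE_POSITIVES)
    return {"path": rel, "hits": hits, "known_false_positive": known}


def scan_tree(root, extensions=(".php",)):
    """Walk a site tree and collect findings, sorted by path for stable output."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                finding = scan_file(os.path.join(dirpath, name), root)
                if finding:
                    findings.append(finding)
    return sorted(findings, key=lambda f: f["path"])


def needs_review(findings):
    """Findings not on the known-false-positive list: look at these first."""
    return [f for f in findings if not f["known_false_positive"]]


def build_sample_site():
    """Constructed sample tree (hypothetical paths): one clean file, two known
    false positives, and one injected file with an inert placeholder payload."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-config.php":
            "<?php define('DB_NAME', 'wordpress'); ?>",
        "wp-content/plugins/exploit-scanner/exploit-scanner.php":
            "<?php $strings = array('eval(', 'base64_decode('); ?>",
        "wp-includes/Text/Diff/Engine/shell.php":
            "<?php $out = shell_exec('diff a b'); ?>",
        "wp-content/uploads/cache.php":
            "<?php eval(base64_decode('PLACEHOLDER')); ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for f in scan_tree(site):
        tag = "known false positive" if f["known_false_positive"] else "REVIEW"
        print(f"{tag:22} {f['path']}: {', '.join(f['hits'])}")
```

    Run against a real install by passing the document root to scan_tree() instead of the constructed sample. Like the tools in this thread, the script only reports; it removes nothing, and a clean report does not prove a site is clean, since a backdoor written without these call names will not match.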

