Just moments ago, WordPress 3.0.2 was released to the public. This version is a mandatory security upgrade. According to the release notes: This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements. It’s been a while since we’ve seen one of these types of releases. However, thanks to the built-in automatic upgrader, upgrading is a pretty easy thing to do.
The three components of information security are confidentiality, integrity and availability (CIA). If you’ve followed the steps in my previous tutorial, you’ll have come a long way towards ensuring all three. But you’ll always need to keep an eye on things; remember, no site is hack proof. Here are some tools to verify the integrity of your data. These plugins will not protect your site from attacks; they will only help you monitor your site and diagnose problems. I have not tested any of these with the latest WordPress 3.0 beta.
Monitoring
In my first article on WordPress security I mentioned Open Source Tripwire as an option for monitoring your WordPress install for unexpected changes. A reader pointed out that it wasn’t the best solution since it’s no longer maintained and suggested a couple of other alternatives. Since then, I’ve discovered a much easier way of monitoring your WP install: WordPress […]
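An added example, not code from the post above or from any plugin it mentions: a small file-integrity baseline of the kind Tripwire provides, hashing the PHP files in a WordPress tree with SHA-256 and diffing a later scan against the stored baseline. The directory layout, file contents and simulated tampering are constructed in a temporary directory so it runs stand-alone; which file types to track is an assumption.

```python
# Added example (not from the original post, not WordPress code): build a
# SHA-256 baseline of the PHP files in a WordPress tree, then diff a later
# scan against it. The directory layout, file contents and "tampering"
# below are constructed in a temporary directory so this runs stand-alone.
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Which files to track is an assumption: PHP, .htaccess and JavaScript are
# the files an injected backdoor normally touches.
WATCHED_SUFFIXES = {".php", ".js"}
WATCHED_NAMES = {".htaccess", "wp-config.php"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file's path (relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix in WATCHED_SUFFIXES or p.name in WATCHED_NAMES:
                baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep this file outside the web root: an attacker who can edit index.php
    # can also rewrite a baseline stored next to it.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed and modified since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake install, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "wp-admin").mkdir(parents=True)
        (root / "index.php").write_text("<?php require './wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // admin\n")
        (root / "readme.html").write_text("<html></html>\n")  # not watched

        baseline_file = Path(tmp) / "baseline.json"  # outside public_html
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering (constructed, no real payload): append to
        # index.php and drop a new PHP file, the pattern the post warns about.
        with (root / "index.php").open("a") as f:
            f.write("<?php /* injected */ ?>\n")
        (root / "wp-content.php").write_text("<?php // dropped file\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline right after a clean install or upgrade, keep the JSON outside the document root, and rerun compare from cron; every WordPress or plugin upgrade will legitimately show modified files, so re-baseline immediately after each one.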
I wrote previously on securing a fresh WordPress install. Today, I’ll cover several WordPress plugins that can be used with fresh or existing WordPress installations to enhance security. I’m not going to cover recovering a hacked site, or exploit scanning tools like Exploit Scanner or WordPress Antivirus in this tutorial.
I was notified on Twitter the other day that there was a new 0-day denial of service exploit for WordPress. When I asked on Twitter whether it worked, numerous people replied that the published code did work and was taking down their sites. This raised some red flags for me, so I jumped into the WordPress-Dev IRC channel to figure out what was going on. The attack works by sending a random search string to the search form of a WordPress-based website; caching plugins do not help because every search string is different, so no request ever hits the cache. It’s quite simple, but what I’ve been told is that this is not an issue for WordPress to handle. Instead, this attack should be dealt with by the web host at the firewall level. At one point, a ticket was created by Scribu but has since been closed […]
Bojan Zdrnja has published a post on the SANS Internet Storm Center blog today highlighting a distributed WordPress admin account cracking script. The script was discovered by one of the site’s readers on a virtual private server (VPS). It is written in PHP and performs brute-force attempts against WordPress admin accounts. While this particular version is relatively simple, the MySQL database behind the script lets the attacker distribute the work not only across target sites but also across the passwords tried. The article explains in detail how the script works and suggests the usual precautions: use strong passwords, change the admin username, and restrict the admin login page to your own IP address. Brute-force attacks on WordPress are nothing new, but it’s interesting to see this distributed approach. Hat tip to WPVibe.
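An added example serving both this post and the denial-of-service post above, not code from either: detection logic run over constructed access-log lines, flagging an IP that sends many distinct search strings in a short window (the pattern a cache cannot absorb) and a window of wp-login.php POSTs spread across many IPs (the pattern a per-IP lockout misses). The combined log format, the field layout and every threshold are assumptions; the output is what you would feed to a firewall rule or fail2ban-style blocker at the host.

```python
# Added example (not from either post): detection logic over constructed
# access-log lines for the two patterns described above, the randomized
# search-string flood and a distributed wp-login.php brute force. The log
# format (Apache/nginx "combined") and all thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def search_flood(entries, window=timedelta(seconds=60), threshold=20) -> dict:
    """IPs that send more than `threshold` distinct ?s= terms in any window.
    Distinct terms matter: a cache would absorb repeats of the same search."""
    per_ip = defaultdict(list)
    for e in entries:
        qs = parse_qs(urlsplit(e["path"]).query)
        if "s" in qs:
            per_ip[e["ip"]].append((e["ts"], qs["s"][0]))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            terms = {term for _, term in hits[start:end + 1]}
            if len(terms) > threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(terms))
    return flagged


def distributed_login_attack(entries, window=timedelta(minutes=5),
                             min_attempts=30, min_ips=10):
    """Busiest window of wp-login.php POSTs coming from many distinct IPs.
    Per-IP lockouts miss this: each source stays under its own limit."""
    posts = sorted((e["ts"], e["ip"]) for e in entries
                   if e["method"] == "POST"
                   and urlsplit(e["path"]).path.endswith("/wp-login.php"))
    worst, start = None, 0
    for end in range(len(posts)):
        while posts[end][0] - posts[start][0] > window:
            start += 1
        seen = posts[start:end + 1]
        ips = {ip for _, ip in seen}
        if len(seen) >= min_attempts and len(ips) >= min_ips:
            if worst is None or len(seen) > worst["attempts"]:
                worst = {"attempts": len(seen), "distinct_ips": len(ips),
                         "window_start": posts[start][0].isoformat()}
    return worst


def analyze(lines) -> dict:
    entries = [e for e in map(parse_line, lines) if e]
    return {"search_flood": search_flood(entries),
            "login_attack": distributed_login_attack(entries)}


def constructed_log() -> list:
    """Synthetic log: one normal visitor, one search flooder, 20 login bots."""
    base = datetime(2013, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, method, path, status=200):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'

    lines = [line("203.0.113.5", base, "GET", "/2013/03/hello-world/")]
    # 25 distinct random search terms from one IP inside 30 seconds
    lines += [line("198.51.100.7", base + timedelta(seconds=i), "GET", f"/?s=zq{i:04x}kx")
              for i in range(25)]
    # 40 login POSTs spread over 20 IPs in two minutes: each IP only twice
    lines += [line(f"192.0.2.{i % 20 + 1}", base + timedelta(seconds=3 * i), "POST", "/wp-login.php")
              for i in range(40)]
    return lines


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

The search check counts distinct terms rather than raw hits so that a visitor refreshing the same results page is not blocked, and the login check reports the whole window rather than an IP, because the right response to a distributed run is a temporary rule on wp-login.php itself (or the IP allow-list the post recommends), not 20 separate bans.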
According to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP-based websites. Back in May of this year, this malicious botnet was responsible for infecting a large number of websites in a short period of time. This time around, however, the Gumblar code is buggy, which is breaking a number of infected WordPress sites. Unmask Parasites explains: WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php which, in turn, loads many other .php files using the require() function. The WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads the wp-config.php file, which contains database credentials and other important information required for normal operation. So what happens if both index.php and wp-config.php are infected with the Gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into […]
I’m pretty sure by now that you’ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I’ve been reading quite a few blog posts regarding the attacks, along with the comments attached to those posts, and quite honestly, I can’t believe some of the comments I’ve read. One of the most absurd comments I came across stated that upgrading was not an option for them. How on earth do you put yourself in a position where upgrading is not an option? You might as well leave the door open so the bad guys can come in freely. Unfortunately, the blame game has come back in full force, with those affected generally blaming WordPress and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is that the issues that let this worm attack older versions of WordPress were fixed […]
Old WordPress Versions Under Attack: Older versions of WordPress are being attacked and characters are being added to the permalinks. Sure signs of the attack include strange characters in your permalinks (single posts do not work) and an extra administrator account in the users control panel which you cannot see. Look for the administrator count in brackets at the top. Is the number there what you would expect on your blog? Please upgrade your WordPress blog to the latest version ASAP. Our own PluginBlog was vulnerable and was compromised (shame on me for not having upgraded from a really old version). Our blog had registration turned off. After upgrading your blog and changing your password to a strong one, you can visit Lorelle’s post to find more ways to secure your install and remove the extra admin account that might have been created as part of the attack. I removed […]
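An added example, not from the quoted post: the check it recommends, done against the database rather than the users screen, since an account that is hidden in the control panel is still a row in wp_users with an administrator capability in wp_usermeta. The tables and rows are a constructed subset of the WordPress schema loaded into SQLite; the wp_ table prefix, the set of logins you expect, and what characters a sane permalink structure may contain are assumptions, and the tampered permalink value is invented for the demo.

```python
# Added example (not from the original post): audit a WordPress database for
# administrator accounts you did not create and for a permalink structure
# containing characters it should not. The tables are a constructed subset
# of WordPress's wp_users / wp_usermeta / wp_options loaded into SQLite;
# against a live site, point the same queries at MySQL with your own prefix.
import re
import sqlite3

# What a sane permalink_structure may contain is an assumption: tag names
# like %year% and %postname%, slashes, letters, digits, '-', '_' and '.'.
SANE_PERMALINK_RE = re.compile(r"^[A-Za-z0-9_%./-]*$")


def load_constructed_db() -> sqlite3.Connection:
    """Synthetic data: a real admin, an editor and an extra admin nobody added."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
            user_email TEXT, user_registered TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
            option_value TEXT);
        INSERT INTO wp_users VALUES (1, 'admin',    'owner@example.com', '2008-05-01 10:00:00', 'admin');
        INSERT INTO wp_users VALUES (2, 'editor',   'ed@example.com',    '2009-01-10 09:30:00', 'editor');
        INSERT INTO wp_users VALUES (3, 'wpadmin2', 'x@example.net',     '2009-09-05 03:12:44', '');
        -- capabilities are PHP-serialized arrays, as WordPress stores them
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        -- constructed tampered value: markup appended to a normal structure
        INSERT INTO wp_options VALUES (1, 'permalink_structure',
            '/%year%/%postname%/<script>x</script>/');
    """)
    return con


def list_admins(con, prefix="wp_") -> list:
    """Every user whose capabilities include 'administrator', hidden or not."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
        ORDER BY u.ID
    """
    return con.execute(sql, (prefix + "capabilities",)).fetchall()


def unexpected_admins(con, expected_logins, prefix="wp_") -> list:
    """Admin rows whose login is not in the set you know you created."""
    return [row for row in list_admins(con, prefix) if row[1] not in expected_logins]


def permalink_tampered(con, prefix="wp_") -> bool:
    row = con.execute(
        f"SELECT option_value FROM {prefix}options WHERE option_name = 'permalink_structure'"
    ).fetchone()
    return bool(row) and SANE_PERMALINK_RE.match(row[0]) is None


def audit(con, expected_logins, prefix="wp_") -> dict:
    return {
        "admin_count": len(list_admins(con, prefix)),
        "unexpected_admins": [row[1] for row in unexpected_admins(con, expected_logins, prefix)],
        "permalink_tampered": permalink_tampered(con, prefix),
    }


if __name__ == "__main__":
    print(audit(load_constructed_db(), expected_logins={"admin"}))
```

Compare admin_count with the number in brackets on the Users screen as the post suggests; if the database reports more admins than the screen shows, the extra rows are the ones to remove after upgrading.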
[Continue Reading...]Obviously Powered by WordPress. © 2003-2013
Comment Rating Plugin Fixes Security Vulnerability
If you use the Comment Rating plugin for your WordPress-powered site, you are strongly encouraged to upgrade to the latest version, as it fixes a security vulnerability, specifically a cross-site request forgery (CSRF). According to the report at OSVDB.org, the Open Source Vulnerability Database: The flaw exists because the application does not require multiple steps or explicit confirmation for unspecified sensitive transactions for the admin function. By using a crafted URL (e.g., a crafted GET request inside an “img” tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. There is no known workaround for versions lower than 2.9.21. Kudos to KrebsOnSecurity for reporting […]
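An added example, not the Comment Rating plugin’s code or WordPress’s: the CSRF shape OSVDB describes, a state-changing admin action that fires on a forged GET carried by the victim’s own login cookie, beside a hardened handler that requires POST plus a nonce bound to the user and the action. The nonce scheme is modelled on WordPress’s wp_create_nonce()/wp_verify_nonce() (a keyed hash over a time tick, the action and the user id, accepted for the current and previous tick) but is not that code; the secret, request dictionaries and ratings store are constructed for the demo.

```python
# Added example (not the Comment Rating plugin's code, not WordPress code):
# the CSRF pattern OSVDB describes, a state-changing admin action reachable
# by a forged GET, next to a hardened handler that requires POST plus a
# per-user, per-action nonce. The nonce scheme is modelled on WordPress's
# wp_create_nonce()/wp_verify_nonce() (HMAC over a time tick, the action
# and the user id, valid for the current and previous tick) but is not it.
# The secret, request shape and ratings store are constructed for the demo.
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # WordPress derives this from wp-config.php salts
NONCE_LIFE = 24 * 3600                # seconds; ticks are half that, as in WordPress


def _tick(now):
    return int(now // (NONCE_LIFE / 2))


def _nonce_for(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[-10:]


def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), action, user_id)


def verify_nonce(nonce, action, user_id, now=None):
    now = time.time() if now is None else now
    t = _tick(now)
    return any(hmac.compare_digest(_nonce_for(k, action, user_id), nonce) for k in (t, t - 1))


# A request as the server sees it: the browser attached the victim's login
# cookie automatically, which is exactly what CSRF relies on.
def vulnerable_reset_rating(req, ratings):
    """Before: any logged-in admin request, GET included, resets the rating."""
    if req["user"]["role"] != "administrator":
        return "forbidden"
    ratings.pop(int(req["params"]["comment_id"]), None)
    return "reset"


def hardened_reset_rating(req, ratings, now=None):
    """After: POST only, and the form must carry a nonce bound to this user
    and this comment id. A cross-site <img> or auto-submitting form cannot
    obtain the nonce, so the request is refused before any state changes."""
    if req["user"]["role"] != "administrator":
        return "forbidden"
    if req["method"] != "POST":
        return "method not allowed"
    cid = req["params"].get("comment_id", "")
    nonce = req["params"].get("_wpnonce", "")
    if not verify_nonce(nonce, f"reset_rating_{cid}", req["user"]["id"], now):
        return "bad nonce"
    ratings.pop(int(cid), None)
    return "reset"


def simulate() -> dict:
    victim = {"id": 1, "role": "administrator"}
    now = 1_300_000_000.0
    # What the victim's browser sends when it renders the attacker's <img src=...>:
    forged_get = {"method": "GET", "params": {"comment_id": "5"}, "user": victim}
    # A forged auto-submitting form: POST, but the attacker cannot know the nonce.
    forged_post = {"method": "POST", "params": {"comment_id": "5"}, "user": victim}
    # The real admin form, rendered with a nonce for this user and comment.
    legit = {"method": "POST", "user": victim,
             "params": {"comment_id": "5",
                        "_wpnonce": create_nonce("reset_rating_5", victim["id"], now)}}
    # A nonce minted for a different comment must not be reusable.
    wrong_action = {"method": "POST", "user": victim,
                    "params": {"comment_id": "5",
                               "_wpnonce": create_nonce("reset_rating_6", victim["id"], now)}}

    store = {5: 3, 6: 4}                          # constructed comment_id -> rating
    out = {"vulnerable_get": vulnerable_reset_rating(forged_get, dict(store))}
    hardened = dict(store)
    out["hardened_get"] = hardened_reset_rating(forged_get, hardened, now)
    out["hardened_forged_post"] = hardened_reset_rating(forged_post, hardened, now)
    out["hardened_wrong_action"] = hardened_reset_rating(wrong_action, hardened, now)
    out["hardened_legit"] = hardened_reset_rating(legit, hardened, now)
    out["remaining"] = sorted(hardened)
    return out


if __name__ == "__main__":
    print(simulate())
```

Requiring POST alone is not the fix (an attacker can auto-submit a hidden form); the nonce is the value the cross-site page cannot obtain, and binding it to the action stops a nonce from one form being replayed against another. In a real plugin this is wp_nonce_field() in the form and check_admin_referer() in the handler.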