Posts Tagged ‘WordPress Security’

Top 10 Characteristics of a Great WordPress Plugin

41 responses, posted March 28th, 2009 in WordPress Tips

Like most of you, I have experimented with many WordPress plugins. I have seen a lot of great plugins and also a lot of bad plugins. I am a bit of a WordPress plugin developer myself, and I admit that I borrow many ideas from other good WordPress plugins. From that experience I have consolidated these good ideas into a checklist that you can follow when reviewing or coding a new WordPress plugin. Here are my picks of the top characteristics that make a great WordPress plugin.

10. Easy Installation

I have seen plugins that require you to modify code after plugin activation to be able to get it to work properly. The instructions were documented clearly in the readme.txt file, but most of the users seem to have missed it (I could tell from the frustration in the plugin support thread). Not everybody reads the installation instructions inside the […]

Fake WordPress Site

48 responses

Many sites across the blogosphere are reporting a fake website that is distributing a backdoored version of WordPress. Though these are few and far between, it behooves all users to be careful when downloading any kind of code to run on their blog. The Register report contains an update from Peter Westwood (a WordPress lead dev) about the code being distributed and his suggestions on how to avoid being duped. The fake site is down now, but if you believe that you might have been a victim of it, please download a fresh copy of WordPress from WordPress.org and upgrade your blog to be safe. I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs. Always download core WordPress code from http://WordPress.org. Type the link into your browser address bar rather than following […]

WordPress 2.6.2 Released

16 responses, posted September 9th, 2008 in WordPress, WordPress Security

WordPress 2.6.2: This release is in response to a recent warning to developers from Stefan Esser about the dangers of SQL column truncation and weaknesses of mt_rand(). The issue that forced the release is discussed in detail on the WordPress.org blog post linked above. Basically, the attack is complex and depends on open registration being turned on in your blog, but it can be executed in theory and turns out to be more of an annoyance than an actual exploit. If you have open registration on your blog, the WordPress.org team recommends that you upgrade your install to WordPress 2.6.2. A handful of other fixes are also included in this upgrade. Here is a list of changed files.

Photo Album Plugin Vulnerabilities

9 responses, posted February 21st, 2008 in WordPress Plugins, WordPress Security

S@BUN is at it again, this time reporting multiple SQL injection vulnerabilities within the Photo Album plugin for WordPress. According to the security bulletin: Multiple vulnerabilities have been identified in Photo Album (plugin for WordPress), which could be exploited by remote attackers to execute arbitrary SQL queries. These issues are caused by input validation errors in the “wppa.php” script when passing user-supplied parameters (e.g. “photo” or “album”) to certain functions (e.g. “wppa_album_name()” or “wppa_photo_name()”), which could be exploited by malicious people to conduct SQL injection attacks. Multiple security advisory services place this round of vulnerabilities at Moderate Risk. For example, FrSIRT describes Moderate risk as: Remotely and locally exploitable flaws, which could lead to denial of service or privilege escalation. Versions 1.1 and prior of this plugin are vulnerable. As always, it is recommended that you disable this plugin until a patch for it is released. [EDIT] […]

ModSecurity, WordPress Admin and “Method Not Implemented”

8 responses

I battled this one for a little bit and I hope the information here helps someone. First and foremost, there are various versions of this problem and they might have different causes stemming from the same source. I list them here in no particular order. I found all the topics starting with a search for the dreaded “Method Not Implemented” 501 error code from the admin panel of WordPress. POST to /test/wp-admin/index-extra.php not supported: This error is also noticed on post.php and theme-editor.php. Now there are various WordPress Forum posts providing somewhat workable solutions to the problem. I tried some of the solutions but either they did not work for me (I had not looked that closely at the error before trying them) or they were too broad and I did not care for the results. There is some finger pointing in both the forums and the various other pages […]

2 Plugin Security Bulletins

10 responses, posted February 7th, 2008 in WordPress Plugins, WordPress Security

NBBN has discovered some cross-site scripting vulnerabilities in the WP-Footnotes plugin version 2.2 for WordPress. Input passed to the “pre_footnotes”, “priority”, “post_footnotes”, and “style_rules” array elements in the “wp_footnotes_current_settings[]” array in the admin_panel.php script is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of an affected site. The good news this time around is that register_globals must be turned on for exploitation to occur. If you are using this plugin on your site, it is advised that you disable the plugin until a security patch has been released. According to the security bulletin, the solution is to edit the plugin source code to ensure that input is properly sanitised. Again, if you know that your webserver has register_globals turned off, you are in the clear. S@BUN has reported an “id” […]

2in1 Security Bulletin

12 responses, posted January 31st, 2008 in WordPress Security

Today, we have a moderately critical SQL injection vulnerability that was discovered by HouSSaMix in the “WP-Cal” plugin version 0.x for WordPress. According to the Secunia Advisory: Input passed to the “id” parameter in functions/editevent.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Users with malicious intent can conduct SQL injection attacks which may result in the retrieval of usernames, password hashes, and email addresses for users and administrators. However, the malicious user must have knowledge of the database table prefix. So far, version 0.3 has been confirmed as having this vulnerability, with other versions possibly being affected. Secunia states that the solution involves editing the source code to ensure that input is properly sanitised. Click here to read the original advisory, which provides an example of the exploit as well as the vulnerable […]

Permalinks Migration Vulnerability

13 responses, posted January 25th, 2008 in WordPress Plugins, WordPress Security

According to an advisory released by Packetstorm, a fellow by the name of g30rg3_x has discovered two bugs within Dean’s Permalinks Migration Plugin version 1.0. The first bug relates to XSRF and can allow an attacker to force a user to perform an unsolicited action that, when combined with an XSS bug that has also been discovered, allows the attacker to gain valid credentials. g30rg3_x actually provides a detailed explanation of the problem: Since the variable $dean_pm_config[‘oldstructure’] is not correctly sanitized (when retrieving), this allows any user to store/save “malicious code” inside the database and later have this “malicious code” injected when the data is retrieved. Using the XSRF as a “combo” we can create crafted pages that will force users to conduct this injection and steal some valid credentials to the WordPress based CMS. g30rg3_x has tried to contact the author of the plugin but has not had any […]

Matt Cutts On Securing WP

19 responses, posted January 22nd, 2008 in LinkyLoo, WordPress Security

Matt Cutts has published an article which highlights three different ways to secure your WordPress installation. The first tip involves locking down your admin directory. Matt configures his .htaccess file so that only his IP address is allowed to access the wp-admin directory. For the second tip, you should create a blank index.html file to place into your wp-content/plugins directory. Not doing so leaves your plugin folder wide open, giving nosy people an idea as to what plugins you have installed. Matt’s third and final tip involves subscribing to the official WordPress development blog, http://wordpress.org/development/feed/. As we should all know by now, this is the best way to stay up to date. Matt also offers a bonus tip where he suggests removing the line of code within your header.php file that publishes your WordPress version. All of these are excellent tips. But what do you do to […]
