wordpressguru.eu » security

WP Hide Dashboard

Owen — Thu, 18 Feb 2010 23:02:54 +0000

: Image via Wikipedia

Do you ever open up your WordPress blog to let your subscribers set up and modify their profile? Well, if you do, you might want to lock down your blog a bit to stop them from wandering around. This is where WP Hide Dashboard comes in. Just like it’s a good idea to get rid of blackheads before going out on a date, it’s always a good idea to hide extra functionality before letting visitors mess around with your blog.

One for the toolbox methinks.

WordPress v2.8.4

Owen — Sat, 15 Aug 2009 23:13:29 +0000

Hot on the heels of the latest version of WordPress comes a new version with another security hole fixed. This wasn’t a major one, just an annoyance that lets a malicious user keep reseting a particular user’s password. It wouldn’t let them get into the blog, but it could be used to keep harassing a user (Now if someone chases you to sell low cost term life insurance and they have a WordPress blog, you know how to annoy them).

Anyway, the new release blocks the whole and helps WordPress be a little bit more secure than before, so go ahead and download it.

Help, my WordPress blog is giving a virus warning!

Owen — Wed, 17 Dec 2008 14:58:39 +0000

I got called in to resolve an issue on a WordPress blog today. On the surface it looked as if the administration side of the site had broken, but the real cause turned out to be much darker than that.

Looking at the source of the page, I could see that lines were being inserted on all pages that tried to open an iFrame onto a website that used a browser exploit to try and install a virus on your computer. If my browser wasn’t patched and I wasn’t using a virus scanner, it could have been a ton of work for me to clean up. The question was, where was that iFrame coming from?

Turns out that a couple (4 actually) of WordPress files had got compromised and had extra lines added to them to open this iFrame. The files were:

wp-feed.php
wp-blog-header.php
wp-config.php
wp-load.php

This was the extra line:

These files are used in every WordPress page load and were the cause of the extra iFrame. The big question was how the files got compromised in the first place. They were set to the correct permissions, so could only have been changed by someone (or a script) with root access to the server. Unforuntately this is not something you can protect against. Almost make sure your blog is living on a reliable host and remember, “It’s wilder than Las Vegas out there”

WordPress 2.6.2 released

Owen — Sat, 13 Sep 2008 17:11:53 +0000

There’s been a new drop of WordPress which addresses some security issues and a couple of bugs. Here the write up from the development blog:

Stefan Esser recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand(). With his help we worked around these problems and are now releasing WordPress 2.6.2. If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser will release details of the complete attack shortly. The attack is difficult to accomplish, but its mere possibility means we recommend upgrading to 2.6.2.

Other PHP apps are susceptible to this class of attack. To protect all of your apps, grab the latest version of Suhosin. If you’ve already updated Suhosin, your existing WordPress install is already protected from the full exploit. You should still upgrade to 2.6.2 if you allow open user registration so as to prevent the possibility of passwords being randomized.

2.6.2 also contains a handful of bug fixes. Check out the full changeset and list of changed files.

It’s not a big upgrade, so pretty easy to deploy to your blog. WordPress 2.7 shouldn’t be too far away though, so you might want to hold out for that one.