| 3:18 pm on Jul 29, 2008 (gmt 0)|
Thanks for some great tips Greg. Incredibill has made it his mission to let everyone know how secure Wordpress is [google.com] especially as compared to a hosted service [webmasterworld.com]. So there's fair warning.
Then there are a few more tips from Matt Mullenweg [webmasterworld.com] and others, as well as our own Incredibill's suggestion to block some query strings and UAs [webmasterworld.com].
Personally, on a setup as open and vulnerable as Wordpress (or most CMS), I think the best defense is a backup plan. Literally. Depending on how busy your site is, daily or hourly DB dumps archived on a rotating basis is a necessity, because it's probably more of a "when" question than an "if" question.
The same things that make the most common platforms popular are the same things that make them vulnerable:
- huge user base means a huge target worth shooting at
- open architecture means large holes that are difficult to plug without losing functionality that many users desire
- an all things to all people approach means many holes
- again, the open architecture means many contributors often without serious code review, so even if the core is solid, the plugins and modules create points of vulnerability.
Does that mean don't use them? Depends on your risk tolerance of course. For a content-based site, a CMS saves you so much development time... but if you're on a popular platform, you'll get probed daily and can count on at the very least, spam inundation, at worst, being completely owned.
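A concrete version of the rotating DB-dump plan from the post above, added here as an example (it is not code from the thread or from WordPress). It assumes a MySQL option file holding the credentials, so the password stays off the command line and out of `ps` output, a dump directory outside the web root, and `mysqldump` and `gzip` on the PATH; the paths and the retention count are placeholders to adjust.

```shell
#!/bin/sh
# Added example: nightly MySQL dump of a WordPress database with rotation.
# Assumptions (not from the thread): credentials live in a MySQL option file
# passed via --defaults-extra-file, and the dump directory is outside the
# HTTP tree. Dumps are written 0600 so other users on a shared box cannot read them.
set -eu
umask 077

# Write one gzipped dump. Arguments: option file, database name, output dir.
# The option file is assumed to look like:
#   [client]
#   user=wp_user
#   password=secret
dump_wp_db() {
    optfile=$1; db=$2; outdir=$3
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$outdir/$db-$stamp.sql.gz"
    tmp="$outdir/.$db-$stamp.sql"
    # --single-transaction gives a consistent InnoDB snapshot without locking.
    # Dump to a temp file first: POSIX sh has no pipefail, so a failed dump
    # piped straight into gzip would leave a silently empty archive.
    if ! mysqldump --defaults-extra-file="$optfile" --single-transaction "$db" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    gzip -9 "$tmp" && mv "$tmp.gz" "$out"
    printf '%s\n' "$out"
}

# Delete all but the newest $2 dumps in $1 and print how many were removed.
# The YYYYmmdd-HHMMSS stamp in the name makes a lexical sort chronological.
prune_dumps() {
    dir=$1; keep=$2
    removed=0
    for f in $(ls -1 "$dir"/*.sql.gz 2>/dev/null | sort -r | tail -n +$((keep + 1))); do
        rm -f "$f"
        removed=$((removed + 1))
    done
    printf '%s\n' "$removed"
}

# Number of dumps currently kept in $1.
count_dumps() {
    ls -1 "$1"/*.sql.gz 2>/dev/null | wc -l | tr -d ' '
}

# Typical use from cron (placeholder paths):
#   dump_wp_db /home/me/.my-wp.cnf wordpress /home/me/db-backups
#   prune_dumps /home/me/db-backups 14
```

Run it from cron with the retention count matching how often you dump (hourly dumps want a larger `keep` than daily ones), and copy the newest archive off the host as well, since a rotation directory on the compromised machine is the first thing an attacker who has the box can delete.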
| 7:32 pm on Jul 29, 2008 (gmt 0)|
Here's a much simpler method to secure a WordPress site:
Host With WordPress
When you host it on WordPress's service then they deal with all the security concerns and backups since they're specialists in the software and it's completely FREE unless you want upgrades.
For a low fee, much less than the hassle of trying to keep WordPress updated and secured, you can domain map the WordPress blog to your own domain.
Hassle free, worry free, and only a nominal fee to use your own domain.
All the benefits of WordPress with none of the risk.
What could be better?
| 9:21 am on Jul 30, 2008 (gmt 0)|
|That free open wifi is very tempting. It is also an unnecessary risk. |
Free open wifi is not risky if you make sure that the URLs start with https (not with http) when you browse. Then all data sent and received will be securely encrypted. The only problem is when you want to access servers that do not support SSL.
| 10:28 am on Jul 30, 2008 (gmt 0)|
|Free open wifi is not risky if you make sure that the URLs start with https (not with http) when you browse. Then all data sent and received will be securely encrypted. The only problem is when you want to access servers that do not support SSL. |
Not true. If the wifi router is cracked, the attacker installs an SSL proxy (also known as man in the middle) to get all the stuff in clear text format.
| 11:42 am on Jul 30, 2008 (gmt 0)|
Thanks for the education, Greg.
|search and rename anything (folders, databases, urls, etc) that starts with "wp-" |
I was looking at a download of version 2.3 of WP. A quick scan showed about 50+ files starting with WP_.
How many folks have actually employed the renaming tip? Was it simply a matter of running a search and replace program or did you experience any "procedural headaches"?
Do you then have to undertake the renaming process for all plugins or at least search them all?
[edited by: Webwork at 11:45 am (utc) on July 30, 2008]
| 12:06 pm on Jul 30, 2008 (gmt 0)|
|Not true. If the wifi router is cracked, the attacker installs an SSL proxy (also known as man in the middle) to get all the stuff in clear text format. |
Uh, that is not true (it's FUD at best). One of the main purposes of SSL encryption (https) is to prevent man-in-the-middle attacks of that and other kinds.
Any information that leaves your computer and the remote server is encrypted. A man in the middle cannot decrypt it even if he "cracks a wifi router". If what you wrote was true, then e-commerce (internet banking, etc.) would cease to exist.
| 12:13 pm on Jul 30, 2008 (gmt 0)|
WordPress 2.6 adds some nice security.
1. They finally turn xmlrpc off by default (I always had to delete the xmlrpc.php file manually)
2. They use separate cookies, where the admin cookie is only transmitted if you are actually admin and using admin features (by locking down cookie paths).
3. SSL is supported out of the box with additional SSL cookie security as well
If you look at the developments in store for 2.7 via their TRAC you can see they are also looking at some tricks to lock down plugin code to prevent plugins from affecting other files.
| 12:23 pm on Jul 30, 2008 (gmt 0)|
WP CLUB RULE #1: DON'T MESS WITH ANYTHING OUTSIDE OF WP-CONTENT!
You want to upgrade? You'll have to live with what WP has given you.
I normally upgrade in 5 minutes, and I have several VERY heavily modified WP sites. One of them is barely recognizable as a WP site. I do everything by the book. I have several -very complex- custom plugins that totally subvert the standard WP user experience, and several standard ones that I keep up to date. If you do it right, you can customize almost anything in WP from the wp-content directory.
By the way, this means NOT renaming all your directories. Any hacker worth their salt would figure out it's WP in about 30 seconds. The only people you'll fool by renaming directories will be the silliest of script k1661e5, and, if they can hack you, well, maybe you need to learn the hard way (like I did).
If you mess with the standard WP install, you make upgrading more difficult. What happens when upgrades become difficult? That's right, upgrades become less frequent. Sometimes those X.X.1 upgrades are emergency fixes to gaping flaws. You need to be able to upgrade quickly and easily.
I have had CMS sites pwn3d because I hacked the core, and was reluctant to upgrade. That was a very hard lesson, and one I took to heart.
I have not always gotten along with the folks at WP, but I have to hand it to them, they have created a system that works, and works well. That's why I continue to use it. They have API hooks to just about every element of the system. I haven't found a place yet that can't be reached by a hook. However, the docs are a typical wiki mess, and I often have to trace through the code to find it.
I also drop a .htaccess file in the root of the wp-content directory that has a few lines that look like this:
AddType text/plain .smarty .txt .php .php3 .php4 .htm \
    .html .shtm .shtml .cgi .pl .pm .py .php5 .jar .asp \
    .jsp .js .rb .rhtml .ruby .cf .cfm .cfml
Allow from all
I sometimes need to let certain PHP files be executable in the plugins, but I do this on a one-at-a-time basis.
I throw in a blank index.html file (I think one comes in the standard install anyway), and I have any password/login information stored outside the HTTP tree. The wp-config imports this file, as opposed to having the info hardcoded into it.
Not perfect, but it keeps someone from executing code in the wp-content directory (like the uploads folder). 90% of WP is includes that run as elements of the index.php file, so you could get REAL tinfoil, and declare a .htaccess file that only allows that file (and the admin one) to run.
Also, don't go plugin-happy. Just use ones that you REALLY NEED for the operation of the site, and carefully vet every one.
There are some REALLY DANGEROUS plugins that do things like let site authors write executable PHP in any post. If you add these plugins, prepare to be pwn3d.
[edited by: ergophobe at 4:06 pm (utc) on July 30, 2008]
[edit reason] fixed sidescroll [/edit]
| 12:46 pm on Jul 30, 2008 (gmt 0)|
Is there a good Wordpress to Blogger migration tool ?
| 1:39 pm on Jul 30, 2008 (gmt 0)|
Tip #1. Use Drupal if you can.
Tip #2. If you must use Wordpress, edit php.ini and add...
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
This way when your WordPress install gets exploited [and it will -- just give it some time], there is less chance for the average bot and script kiddy to compromise the system.
[edited by: TowerOfPower at 1:39 pm (utc) on July 30, 2008]
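An added check for the php.ini line above (example code, not from the thread): it reads a php.ini and reports which of those functions are still callable, taking the last uncommented `disable_functions` assignment as PHP does. It assumes the path you pass is the ini file the web server's PHP actually loads (`php --ini` reports the CLI one, which can be a different file), and it does not look at per-vhost `php_admin_value` overrides.

```shell
#!/bin/sh
# Added example: verify that a php.ini disables the functions listed in the
# post above. Assumption (not from the thread): $1 is the php.ini loaded by
# the web server's PHP, not just the CLI one.
set -eu

# The list recommended in the post.
WANTED="exec passthru shell_exec system proc_open popen curl_exec curl_multi_exec parse_ini_file show_source"

# Print the effective disable_functions value. Like PHP, the last uncommented
# assignment wins; comments start with ';'. Empty output means nothing is disabled.
effective_disable_functions() {
    sed -e 's/;.*$//' "$1" \
      | grep -i '^[[:space:]]*disable_functions[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g' -e 's/"//g'
}

# Print, one per line, the wanted functions that are NOT disabled.
missing_disabled_functions() {
    current=",$(effective_disable_functions "$1"),"
    for fn in $WANTED; do
        case "$current" in
            *",$fn,"*) ;;                # disabled: good
            *) printf '%s\n' "$fn" ;;    # still callable from PHP
        esac
    done
}

# Count of missing entries; 0 means the recommended list is fully applied.
missing_count() {
    missing_disabled_functions "$1" | grep -c . || true
}

# Typical use (placeholder path):
#   missing_disabled_functions /etc/php5/apache2/php.ini
```

A non-empty result means a webshell dropped through a vulnerable plugin still has a way to run OS commands; an empty one only closes those specific functions, so file reads and database access from PHP are unaffected and still need the other measures in this thread.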
| 1:52 pm on Jul 30, 2008 (gmt 0)|
|Tip #1. Use Drupal if you can. |
Um, Drupal has had its share of security issues and is way overpowered for 99% of website needs.
There's over 100 issues over three years listed here: [drupal.org...]
[edited by: amznVibe at 2:00 pm (utc) on July 30, 2008]
| 2:52 pm on Jul 30, 2008 (gmt 0)|
|Uh, that is not true (it's FUD at best). One of the main purposes of SSL encryption (https) is to prevent man-in-the middle attacks of that and other kinds. |
Generally hard to do but the owner of a public wireless access point can in principle conduct MITM attacks on the users. Please *educate yourself* if you are going to use free / cafes access point. Here is a quick demo:
| 2:58 pm on Jul 30, 2008 (gmt 0)|
|Generally hard to do but the owner of a public wireless access point can in principle conduct MITM attacks on the users. Please *educate yourself* |
What attacks? What will he do with securely encrypted data? Educate me, please. :-)
| 3:14 pm on Jul 30, 2008 (gmt 0)|
Your data is no longer encrypted with a MITM attack. If I were the attacker I could see all your passwords, login info and so on. Did you visit the URL I gave you? I'm talking about an insecure network here, such as cafe wifi...
| 3:43 pm on Jul 30, 2008 (gmt 0)|
That works, but it also depends on the victim approving untrusted certificates.
| 4:12 pm on Jul 30, 2008 (gmt 0)|
Can we keep this on Wordpress security (and leave the specific pros and cons of using open wifi to another discussion)?
I have to go with cmarshall on renaming willy-nilly. Once you've hacked core, you've gone down a bumpy road.
That said, it would be simple enough to write a script to do that. But anything that makes upgrades harder is likely to make them less frequent.
| 4:42 pm on Jul 30, 2008 (gmt 0)|
I thought it was part of the discussion. Anyway, I'm a long time wordpress user and don't follow any of these security tips. Never got hacked; this problem is usually related to a shared server environment. I run and manage my own server. Not a single hack since 1999. :) I manage security at OS level and all other tips are nothing but security through obscurity.
Please note that I'm not saying above tips are bad, but I just prefer to manage them at OS level.
| 6:11 pm on Jul 30, 2008 (gmt 0)|
|Your data is no longer encrypted with MITM attack. |
The data is encrypted by the browser on your computer and by the server software on the remote server.
Therefore, what you claim is impossible, unless your computer or the server is compromised (which they are not -- if we talk about man-in-the-middle attacks).
"Cracked routers" or compromised DNS servers ("men in the middle") cannot be used for attacks if you use proper SSL certificates (any webmaster can get one from a public certificate authority for a few dollars per year).
Again, if what you say was true, e-commerce would not exist now.
| 6:24 pm on Jul 30, 2008 (gmt 0)|
>> I thought it was part of discussion.
It is sort of, but it's more of a general security question. It's a good point to raise, but there's enough there for its own thread (probably several) if we get off into staying secure while surfing.
| 7:18 pm on Jul 30, 2008 (gmt 0)|
Hmmm . . I get the impression that the suggestion to secure WP by renaming files may spawn its own problems.
Someone please beat me about the head (verbally, only, please) to convince me that renaming files is definitely the way to go.
Might it be a case where renaming only "a few specific highly targeted files" would have a deterrent effect? (Do the "known programs and/or practices" look for "all files" or do they default to looking for certain primary "WP files"?)
Lastly, limiting access to a designated IP address wouldn't work for most of us since most of us don't have dedicated IP addresses, right?
| 7:47 pm on Jul 30, 2008 (gmt 0)|
If you really want to go tinfoil, then set up a .htaccess that restricts access and execution privileges to all files except for index.php and admin/admin.php. Since WP is all includes, then these are the only files that are ever actually executing at any given time (However, you need to allow HTTP access to various .js and .css files).
Set up your wp-config.php to import a file from outside the HTTP tree as credentials. Heck, if you want, run everything as SSL, but that will be a dog.
What everyone is going for anyway is SQL injection, and most of these types of issues are introduced by peripherals, such as plugins or custom themes. Try not to interact directly with the database in your own work, and test out your plugins for SQL injection vulnerabilities.
Basically, what hackers go for is a "foot in the door." Once they have access to the DB, then they can do pretty much whatever they want, regardless of how hardened your system is.
When I scan my ssh logs every morning, I still see thousands of attempts, nearly every night, to access backdoors left by Fluffi Bunni. Those guys have been out of business for quite some time.
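The wp-content lock-down described by cmarshall in his two posts above (the `.htaccess` dropped into wp-content, and the later "tinfoil" note about restricting execution), as an added example that is not code from the thread or from WordPress. It uses a deny rule rather than `AddType text/plain`, because re-typing `.php` as text can serve the file's source instead of blocking it, and it adds an audit of the uploads tree for script files. Assumed: the wp-content path is passed as an argument, Apache reads `.htaccess` there (AllowOverride), and any plugin file that must be reachable over HTTP gets its own `<Files>` exception added by hand. This is the narrower wp-content variant, not the whole-site "only index.php" rule.

```shell
#!/bin/sh
# Added example: block script execution under wp-content and audit uploads.
# Assumptions (not from the thread): $1 is the wp-content directory and Apache
# honours .htaccess in it. Plugin endpoints that need HTTP access must be
# whitelisted afterwards with a <Files name.php> block.
set -eu

# Extensions the server must never serve or execute from wp-content
# (list taken from the post, minus pure markup/static types).
SCRIPT_EXT='php|php3|php4|php5|phtml|pl|pm|py|cgi|rb|jsp|asp|cfm|smarty'

# Write a .htaccess denying HTTP access to script files in this tree.
# (?i) makes the match case-insensitive so shell.PHP is caught too.
# The IfModule pair covers both Apache 2.2 and 2.4 authorization syntax.
write_wpcontent_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<EOF
# Generated: block execution of scripts under wp-content (uploads, themes, plugins)
<FilesMatch "(?i)\.($SCRIPT_EXT)\$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
    printf '%s\n' "$dir/.htaccess"
}

# List script files under uploads/, one path per line. The uploads tree should
# hold only media, so any hit is either a misconfiguration or a dropped backdoor.
find_uploaded_scripts() {
    find "$1/uploads" -type f 2>/dev/null | grep -Ei "\.($SCRIPT_EXT)\$" || true
}

# Number of such files; 0 means the uploads tree is clean.
count_uploaded_scripts() {
    find_uploaded_scripts "$1" | grep -c . || true
}

# Typical use (placeholder path):
#   write_wpcontent_htaccess /var/www/example.com/wp-content
#   find_uploaded_scripts   /var/www/example.com/wp-content
```

Run the audit from the same cron job as your backups: the `.htaccess` stops a dropped file from being executed over HTTP, but its presence is still the indicator that a plugin or upload form let it in, and that is what needs fixing.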
| 9:08 pm on Jul 30, 2008 (gmt 0)|
For the WIFI paranoids, I started a new thread:
How Safe is SSL from MITM (Man In The Middle) Attacks? [webmasterworld.com]
| 10:00 am on Jul 31, 2008 (gmt 0)|
I use an External Vulnerability Scanner on my site and on my customers sites.
Every day they scan all my sites, There is no need to install anything on the site and all the reports are kept on my account in their system.
I think that this is exactly like anti virus software. Everybody has one on their laptop, right? So why aren't you protecting your website?
Google up "external vulnerability scanner" there are many companies that do this kind of service.
| 6:05 pm on Jul 31, 2008 (gmt 0)|
One thing that Drupal is working on for Drupal 7 is a security suite, which basically does unit testing with an eye to security. Obviously, it won't catch everything, but I think it will help you intelligently evaluate modules without having to understand all the code.
Hopefully Wordpress 3 will have a unit testing suite for stability and security for plugin and theme developers. That would get rid of a lot of vulnerabilities, or at least you would be warned.
| 6:19 pm on Jul 31, 2008 (gmt 0)|
|I think that this is exactly like anti virus software. |
Anti-virus checks your server for malicious files from the INSIDE so just because the vulnerability scanner doesn't find anything doesn't mean you're safe.
The external vulnerability scanner can only report known vulnerabilities from the outside and it's entirely possible that the first person to find a vulnerability in your server closed the hole to keep out other invaders and to stop your tool from reporting the flaw.
| 1:45 pm on Aug 4, 2008 (gmt 0)|
|it's entirely possible that the first person to find a vulnerability in your server closed the hole to keep out other invaders |
You are right, if your server is already infected, probably nothing can help.
However, the advantage in external scanning is that this service should find the vulnerability before the first attacker finds it.
And even if there was an attacker around, in many cases, after a break-in the attackers leave a listening service that can be detected by an external scanner. The good scanners are also designed to find backdoors, not only sql injection or cross site scripting holes.
I'm sure you have seen houses secured with a big fence + 2 locks on the door + alarm system + a scary dog running in the back yard...
An external vulnerability scanner is definitely not the only thing you should do to make your system secure, but it is an important part of your security protection suite.
| 4:25 pm on Aug 4, 2008 (gmt 0)|
|the advantage in external scanning is that this service should find the vulnerability |
Isn't there a huge assumption built into "the advantage"? Isn't hacking about being at the bleeding edge? Entering where no one sees you coming?
I'm sorry but I don't get that anyone's "scanning service" is synonymous with "cutting edge hacking" and in that respect the endorsement of the service reads more like marketing talk than an objective appreciation of what IncrediBILL is talking about.
Chances are pretty good that a scanning service is spending its time checking for known exploits, not the next one to be released, and in that regard any ISP worth their fees ought to be taking care of the issues the scanning service provides: updating and patching the server, proactively seeking info about new exploits, etc. If your ISP / server host isn't doing that then it's time to move your website, not time to pay for another service - one that ought to be provided as a matter of course by a server provider or server admin.
| 9:37 pm on Aug 4, 2008 (gmt 0)|
|any ISP worth their fees ought to be taking care of the issues the scanning service provides: updating and patching the server, proactively seeking info about new exploits, etc |
No matter how hardened the ISP makes his server, the biggest vulnerability is actually the CUSTOMERS that install all of the vulnerable open source software (WordPress) that allows hackers to infiltrate the server.
That's another reason why I use my own dedicated servers so my site isn't at risk because of all the other people that don't know what they're doing sharing the server.
This is also why I recommend using WordPress hosting options instead of hosting it yourself because the WordPress hosts specialize in it and I would assume they know how to properly secure those sites, otherwise they wouldn't be in business long.
| 10:28 pm on Aug 4, 2008 (gmt 0)|
That's right. The best an ISP can do for you is run everything in a virtual-style account so that I can only mess up my own account, not yours too. I think the decent hosts partition off their servers that way and prevent the worst exploits.
I can't expect them to save me from myself. If they got into that business, they would lose customers. I want a host that gives me plenty of rope to hang myself, but doesn't let their other customers hold the other end for me. Beyond that, their hands are tied... er so to speak