Tag Archives: Security

Checking Your WordPress Security

By Dougal | Published: September 5, 2009

You may have already heard that sites running out-of-date versions of WordPress have been under attack (Lorelle, Weblog Tools Collection, WordPress Dev Blog). Of course, sites running the latest version of the software seem to be safe, which once again takes us back to what I said over a year ago: Upgrade or else! I haven’t seen complete details yet about how this new worm works, but reports say that part of the hack is to create a new Administrator level account, and then try to hide the existence of that account (via javascript) when you view your list of users.

If you want a sure-fire way to make sure there are no “extra” administrator accounts registered in your blog, I suggest going straight to the source: your MySQL database. [...]

Posted in WordPress | Also tagged administrator, base64, database, eval, hacks, hidden account, permalinks, url, users, WordPress | 36 Comments

WordPress 2.6.5 Released

By Dougal | Published: November 25, 2008

The WordPress team released WordPress 2.6.5 earlier today. This release addresses a potential XSS (cross-site scripting) attack under some server configurations, plus adds some bugfixes for some other minor issues. As noted in the official announcement, there was no official 2.6.4 release. There was an attempt to fool people into downloading a fake release under that number, so it has been skipped in the official release numbering, to avoid confusion.

I would like to take this opportunity to point out the WordPress project entry on Freshmeat. [...]

Posted in WordPress | Also tagged Blogging, Bugs, fixes, freshmeat, Releases, Software, WordPress, xss | 3 Comments

WordPress 2.6.2 Release

By Dougal | Published: September 9, 2008

As most of you have probably already seen in your Dashboard, yesterday afternoon saw the official WordPress 2.6.2 Release. And as mentioned in the comments on my intitial news break on the 2.6.2 Beta, the focus is on two security patches to cover weaknesses in PHP’s random number generation (which affects password encryption strength), and in MySQL’s field length checking. [...]

Posted in Announcements, Community, WordPress | Also tagged Bugs, encryption, mt_rand, mt_srand, MySQL, PHP, random, Release, truncation, WordPress | 8 Comments

Upgrade or else!

By Dougal | Published: April 8, 2008

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core developement team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than ~~2.3.3~~ 2.5*, you need to upgrade now. [...]

Posted in Blogs, Search, Security, WordPress | Also tagged payattention, Plugins, Search, Spam, Technorati, Themes, upgrade, Upgrades, WordPress | 91 Comments

Creating a secure WordPress install

By Dougal | Published: October 30, 2007

Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of directories, and some useful plugins. I’ve glanced over it, and I have mixed feelings. Here’s a quick list of notes, off the top of my head:

Pros:

There is detailed information about granting the minimum privileges necessary for the MySQL login. This is a good idea that many people probably don’t think about.
Creating a less privileged WordPress account for posting, separate from your blog admin login, is also a good suggestion.
The notes on password enumeration are important. [...]