Category: WordPress Security
Quick, you need to update your WordPress 3.8.x to 3.8.2 if you have not already!
Version 3.8.2 addressed some security issues and fixed 9 bugs, and version 3.8.1 addressed 31 bugs.
You may have serious security issues if you simply ignore it.
- Potential authentication cookie forgery. CVE-2014-0166.
- Privilege escalation: prevent contributors from publishing posts. CVE-2014-0165.
- (Hardening) Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
- (Hardening) Fix a low-impact SQL injection by trusted users.
- (Hardening) Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files.
Do it quickly, before a hacker does. Upgrade your WordPress as soon as you can, but first make sure the upgrade won't break your existing plugins or themes.
Better to try the upgrade on your sandbox first if your production site can't afford to be down. Contact us if you need our professional help.
Maintenance and Security Releases
Version 3.3.2 addressed some security issues and fixed 12 bugs. For more information, see the release notes.
Version 3.3.1 addressed a security issue and fixed 15 bugs. For more information, see the release notes.
It is surprising how many WordPress website or blog owners know little about how weak their security is. In case of a crash or a hack, they may lose everything they have because they have no timely periodic backup or disaster recovery plan.
For beginners and old timers alike, the WordPress plugin "Better WP Security" is a must for most websites.
Installation is easy: from your Dashboard, go to Plugins, click Add New, type in "Better WP Security" to search, and install it. Then under Settings on the left you will find a "Security" menu; click Dashboard to set up and enable the basic security features. Be careful with what you change; if you are not sure, you may want to call a WordPress professional to test it on a sandbox first and then apply it to your production website, which you do not want to go down for even a minute at an important moment. This plugin has a great feature to set up a database backup and email it to your mailbox (if your database is not too big for your inbox; a zipped database file over 100 MB may blow up your mailbox).
Speaking of WordPress backups, you may want to install another great plugin called "Online Backup for WordPress", which lets you back up all your WordPress files along with the database. You can directly download the whole backup file after the backup completes. In case of a crash, or even if your website is gone entirely, you can pick another web server, upload the files, recreate the database from the dump file, and your website will be back up within 30 minutes.
Here is some detailed description of Better WP Security:
#1 WORDPRESS SECURITY PLUGIN
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
With one-click activation for most features, as well as advanced features for experienced users, Better WP Security can help protect any site.
Someone has been trying to hack WP89.com! How did I know?
I installed a WP plugin called "Limit Login Attempts" and got warning email messages 3 times within 10 days saying that someone from some IP address had tried to log in as "admin", failed many times, and was blocked for 24 hours.
If you search for "Last user attempted: admin IP was blocked for 24 hours", you'll see how often hackers try to break in with the user name "admin". Unfortunately, WordPress's default admin user name is "admin", and it doesn't make it easy for you to rename it.
A quick and easy way I can think of is: 1) create a new user and set it as administrator, and 2) then (carefully) remove the user "admin". This works fine if you didn't create any posts or pages with the user "admin".
One other thing that makes hacking harder is to change the "Nickname" in your admin user profile page (yourdomain.com/../wp-admin/profile.php) to something popular while keeping a hard-to-guess user name, and then change "Display name publicly as" to that Nickname.
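The failed-login pattern described above can also be spotted without a plugin by reading the web server's access log. This is an added shell/awk example, not from the original post; it assumes the common "combined" log format and treats a POST to wp-login.php answered with 200 (the login form re-rendered) rather than a 302 redirect as a failed attempt. The log lines are constructed.

```shell
#!/bin/sh
# Added example: flag client IPs hammering wp-login.php in a "combined"
# access log. A POST answered with 200 (the login form re-rendered) is
# assumed to be a failed attempt; a successful login yields a 302 redirect.
# The access log does not show the user name posted, only the attempt.

# Constructed sample log lines (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Apr/2014:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2014:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2014:03:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2014:03:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2014:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3650 "-" "curl/7.30"
EOF

# Usage: flag_login_bruteforce LOGFILE LIMIT
# Prints "IP count" for each IP with more than LIMIT failed-looking POSTs.
# Fields in the combined format: $1 = client IP, $6 = "METHOD (with the
# opening quote), $7 = request path, $9 = HTTP status code.
flag_login_bruteforce() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }
    ' "$1" | sort
}

# With the sample above this reports only 203.0.113.5 (4 failed attempts).
flag_login_bruteforce "$SAMPLE_LOG" 3
```

The same one-liner can be pointed at a real log to see how often the "admin" guessing described in the post actually hits your site.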
One simple and important thing you can do to improve security is to upgrade your WordPress as soon as a new version comes out (new versions usually include security patches). Hackers broke into one of my popular sites and one of my friend's and embedded "Viagra" sales content that showed up in Google search results. It only showed the hacked content to search engine robots (especially Google's) and hid it from regular visitors, site owners included, viewing through a web browser, so it was very hard to notice. More often than not, you will only notice after Google sends you a notice saying your site has been removed from their index and won't show up in their search results. If you have this problem, we can help you solve it. Please contact us.
Good catch: "WordPress 3.1.2 is now available and is a security release for all previous WordPress versions. This release addresses a vulnerability that allowed Contributor-level users to improperly publish posts." Does this sound familiar if you have been following WordPress updates for a while?
Well, I found that most security patches are related to users with a certain access level. We do not give Contributor-level or higher access to any users unless it is really necessary, or to someone we can trust to a certain extent.
Of course, whenever possible, we should upgrade our WordPress as soon as the new security release is available. For this reason, we found that Lunarpages hosting is great, as their setup allows you to do a "one click upgrade" from the WordPress Dashboard | Updates. For VPS hosting such as Linode or Slicehost, you need to change the owner of the WordPress installation folder to www-data to enable the "one-click" upgrade, but if you are not familiar with Linux the process can be a bit tricky. What I mean is, in order to do the automatic WordPress upgrade without FTP, we need to make the files and folders writable by the web server. The same is required for installing plugins without FTP and for writing config files.
For example, if your WordPress is installed in /var/www/wordpress, the basic Linux command is
chown -R www-data /var/www/wordpress   # recursively make www-data the owner; run as root or with sudo
However, some people are also concerned about another security issue caused by this setup when other sites (owned by different people) share the same web server.
Well, if you want convenience, you sacrifice some security. If you want more security, don't share your web server with others, which means you need to pay more. It is like sharing a house or room with your schoolmates.
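As an added example (not part of the original post), here is a small shell audit of the kind of exposure the paragraph above worries about on a shared server: once the tree is made writable for the web server, check that nothing is world-writable and that wp-config.php is not world-readable. The demo tree and its permissions are constructed; ownership is not checked.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for permissions that another account
# on a shared web server could abuse once the files are writable by the web
# server. Reports world-writable entries and a world-readable wp-config.php
# (which holds the database credentials). Ownership is not checked here,
# since changing it needs root.

# Usage: audit_wp_perms DIR   -> one line per finding
audit_wp_perms() {
    # Anything "other" can write to can be modified by any local account.
    find "$1" ! -type l -perm -002 -print | sed 's/^/world-writable: /'
    # wp-config.php readable by "other" exposes DB_USER/DB_PASSWORD.
    find "$1" -name wp-config.php -perm -004 -print | sed 's/^/world-readable config: /'
}

# Usage: audit_wp_perms_count DIR   -> number of findings (0 means clean)
audit_wp_perms_count() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Constructed demo tree with two deliberate mistakes.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/uploads" "$DEMO/wp-content/themes"
: > "$DEMO/wp-config.php"
: > "$DEMO/wp-content/themes/functions.php"
chmod 755 "$DEMO" "$DEMO/wp-content" "$DEMO/wp-content/themes"
chmod 644 "$DEMO/wp-content/themes/functions.php"
chmod 777 "$DEMO/wp-content/uploads"   # mistake 1: world-writable upload dir
chmod 644 "$DEMO/wp-config.php"        # mistake 2: credentials readable by all

audit_wp_perms "$DEMO"
echo "findings: $(audit_wp_perms_count "$DEMO")"   # 2

# Fix: 640 keeps wp-config.php to its owner and group; 775 lets a web server
# that owns the directory or is in its group write uploads without opening
# them to every other account on the machine.
chmod 640 "$DEMO/wp-config.php"
chmod 775 "$DEMO/wp-content/uploads"
echo "findings after fix: $(audit_wp_perms_count "$DEMO")"   # 0
```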
Amazingly, lots of WordPress websites still use the default "admin" user name for the admin login. Since WordPress 3.0, you may choose a hard-to-guess admin user name. If your WordPress site was created before that, you can go to phpMyAdmin and edit the 'wp_users' table to change 'admin' to a new user name of your choice.
The bottom line is:
Do Not Use The Default "admin" User Name
Also try to use a longer (more than 10 characters) user name for your WordPress admin account.
Another tip related to this is:
Prevent Login Errors From Being Displayed
Even with WordPress 3.1, the default setting still shows a login error when you type in a wrong user name. This is convenient for users who have really forgotten their user name or password, but it also gives too much information to hackers.
A trick to prevent the login error from being displayed is to insert this simple line of code in the functions.php of your current theme folder (e.g. wp-content/themes/twentyten):
// Return no message at all on a failed login (create_function() is gone in PHP 8; a closure does the same job)
add_filter( 'login_errors', function ( $error ) { return null; } );
Remember to back up your functions.php file so you can roll back the change in case you get it wrong.