How to keep you WordPress blog secure

With WordCamp 2009,  it’s interesting that there’s been a slew of attacks and exploits being arrayed against WordPress. The first one is the Remote Admin Reset Vulnerability documented by Laurent Gaffié here and here. I’ve asked the question in StackOverflow and of course the intuitive answer would be:

As I understand it, the patch closes that particular hole. However, another basic security measure I take on every WP site I administrate is to delete the “admin” user, and ideally never have any users’ usernames be the same as their display names. That doubles the security in that bad guys have to guess the usernames, as well as figure out a way to hack the passwords.

There are a lot of additional security measures you can find by doing a search on WordPress + security, but I have stuck with changing usernames, altering the db table names on install, and basic permissions stuff. That’s worked well so far, without the ton of additional upkeep necessary during WP upgrades that some of the more intense security measures require.”

TechCrunch just recently mentions the proliferation of a WordPress worm and as Daniel Brusilovsky puts it:

“We’re hearing of numerous reports that older versions of WordPress are exposed to security threats. WordPress is one of the largest blogging engines with over 5,317,360 – and counting – downloads for their latest version, 2.8. Many large blogs, including TechCrunch, rely on WordPress to get the news out and post content online.”

The TechCrunch article quotes Lorelle VanFossen on how to know if your WordPress blog has already been hacked:

There are two clues that your WordPress site has been attacked.

There are strange additions to the pretty permalinks, such as example.com/category/post-title/%&(%7B$%7Beval(base64_decode($_SERVER%5BHTTP_REFERER%5D))%7D%7D|.+)&%/. The keywords are “eval” and “base64_decode.”

The second clue is that a “back door” was created by a “hidden” Administrator. Check your site users for “Administrator (2)” or a name you do not recognize. You will probably be unable to access that account, but Journey Etc. has a possible solution.”

Matt Mullenweg, BDFL of WordPress weighs in on what you can do:

“I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.”

So there, that’s straight from Matt himself and if you have any doubts, you can always ask him personally at WordCamp Philippines 2009 (incidentally, registration just closed)!

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s