Over the weekend, news quickly spread throughout the WordPress community of a worm that was taking advantage of older versions of WordPress. I found out about the problem through Lorelle’s twitter account where she linked to an article on her blog covering the details of the attack. Mark Ghosh of WeblogToolsCollection.com quickly followed up with a post of his own acknowledging that the plugin competition blog had been compromised. News of the attack quickly spread with over 150 posts in this WordPress support forum thread alone, but unlike so many people, I had no need to panic since this site is upgraded within a day or two of a release whether it’s security related or not.
I spent most of the weekend reading all of the coverage this series of attacks was gaining. Most notable was a post by Robert Scoble, a tech evangelist who forgot to apply the basics of security to his self-hosted WordPress site and ended up burned. Even more interesting was the series of exchanges between Robert Scoble, his followers on FriendFeed and Matt Mullenweg which you can read here.
While reading all sorts of comments published on blogs discussing the attacks, I couldn’t help but notice how many short-sighted WordPress users there are in existence. I must have read over a dozen different excuses for why a particular site was not upgraded in a timely fashion. It seems functionality trumps security. However, Dave Coveney made a great point in the forums yesterday: although everyone was being told to upgrade to solve their problems, being secure goes far beyond keeping WordPress up to date. Just because WPTavern is running WordPress 2.8.4 doesn’t mean that I’m safe. I’m just ‘safer’.
WordPress is web based software. The speed at which things move is incredibly fast. I expect new versions of WordPress on a regular basis. If there is a new version that fixes one line of code to combat a security vulnerability, I want that code released ASAP so I can have it running on WPTavern. WordPress has added the ability to do a one click upgrade which to this day has worked flawlessly for me. I know it doesn’t work for 100% of the people out there, but even when it does work, it’s as if people can’t be bothered to press a button to initiate the process. It’s getting to the point where the only way to make it easier to upgrade WordPress is for someone to do it for them, probably for free.
Broken plugins are no excuse to stay on a particular version of WordPress, especially when it comes to security. If your website truly depends on a particular plugin to function, send a note to the plugin author to let them know it’s broken or better yet, hire a developer to build and maintain the plugin for you. Plugins and, to a lesser extent, themes have to continually evolve with their parent software. That’s just the way it is. Unfortunately, there is a perception amongst the general WordPress userbase that upgrading is most certainly going to break plugins. While that is a risk, I don’t think it’s as bad these days as it once was. Besides, there are hundreds of guides that have been written which explain how to create a test environment to mimic a public site so you can test new releases and see whether plugins break or not. Although if it’s a security release, I would upgrade now, test later.
What I think this all boils down to is a lack of responsibility from a lot of WordPress users. Everything cannot be handed over on a silver platter. Running a WordPress powered site requires effort as well as the responsibility to make sure everything is on the up and up. Quite frankly, if you’re running a WordPress powered site or multiple sites, you should be tuned into the WordPress development blog as that is where all the information is published regarding new releases. Speaking of the development blog, please read Matt’s latest post which is a breath of fresh air regarding the latest round of attacks and why upgrading is an important step in the grand scheme of things.
Before I let you go, it’s important to note that had the majority of people actually upgraded their sites to 2.8.4 prior to the worm being released on the web, we wouldn’t be talking about the attacks that took place during this past weekend. Oh and if you have yet to upgrade, get 2.8.4 now.
In this episode, David and I get you caught up on the news of the week which includes a few stories from the WordPress.com side of the world. We give you the 411 on the latest version of WordPress to be released, WordPress getting its own URL shortener, and much more. We were also joined by special guest Jane Wells who provided us some great information regarding the happenings with WordPress.
Ad Copy:
This episode of WordPress Weekly is sponsored by WebDevStudios.com. WebDevStudios.com is a New Jersey based software development company specializing in website development, social network applications, search engine optimization, e-commerce solutions and more. Check out webdevstudios.com for more information.
What is the name of the company that does the server hosting for WordPress.com?
WordPress Trivia Answer:
LayeredTech
This Week’s Trivia Question
What is the name of the new part fulltime employee Automattic recently hired?
Announcements:
On Thursday August 27th at 2PM Eastern Daylight Time, we’ll be interviewing Adii of WooThemes. The special date and time is due to Adii’s geographic location.
This is a guest blog post written by Brad Williams, author of the blog, Strangework.com. He’s also a developer for WebDevStudios.com
I recently gave a presentation at WordCamp Montreal on WordPress Security. While doing research for my presentation I came across a bunch of great WordPress Security tips that all WordPress users should use. Surprisingly, a good majority of these tips are not usually followed. Below is a list of the top 5 tips that most WordPress administrators do not do, but should:
1. Don’t use the admin account – The default user account that is created with every installation of WordPress is the admin account. Unfortunately the entire world knows this, including hackers, who can easily launch a dictionary attack against your login form to guess your password. If a hacker already knows your username, that’s half the battle. It’s highly recommended to get rid of the admin username. WordPress does not let you rename an existing user from the dashboard, so create a new administrator account with a different username, log in as that user, and delete the old admin account (assigning its posts to the new user when prompted).
2. Move your wp-config.php file – Did you know that since WordPress 2.6 you can move your wp-config.php file outside of your root WordPress directory? Most users don’t know this, and the ones that do don’t do it. To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory. The point of the move is to keep the file (and the database credentials in it) out of the web server’s document root, so this only helps when the parent directory is itself not served by the web server; if WordPress lives in a subdirectory of a served site, the file is still reachable by the server and you gain little.
3. Change the WordPress table prefix – The WordPress table prefix is wp_ by default. You can change this prior to installing WordPress by changing the $table_prefix value in your wp-config.php file. If a hacker is able to exploit your website using SQL Injection, a non-default prefix makes it harder for them to guess your table names. Be clear about what this buys you: it is obscurity, not a fix. It does not stop the injection itself, and an attacker who can read information_schema or error messages will learn the prefix anyway, so patch the vulnerable code regardless. If you want to change the table prefix after you have installed WordPress, you can use the WP Security Scan plugin to do so. Make sure you take a good backup before doing this though.
4. Use Secret Keys – This is probably the most followed security tip on the list, but still I’m amazed at how many people don’t do this. The secret keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) are secret values that WordPress mixes into the hashes it uses to sign your authentication cookies and nonces, so that someone who learns your password hash or steals a database dump still cannot forge a valid login cookie. They are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you. Copy the 4 secret keys to your wp-config.php file and save. You can add/change these keys at any time; the only thing that will happen is that all current WordPress cookies will be invalidated and your users will have to log in again. If you leave the “put your unique phrase here” placeholders in place, you are running with a key an attacker already knows.
5. htaccess lockdown – This is actually my favorite tip from my presentation. Using a .htaccess file you can lock down your wp-admin directory by IP address. This means only IP addresses you specify can access your admin dashboard URLs, so anyone else gets a 403 before WordPress ever runs. Two caveats: wp-login.php sits outside wp-admin and is not covered by this file, so keep a strong password there, and wp-admin/admin-ajax.php is used by some plugins for visitor-facing AJAX, which will stop working for non-whitelisted visitors unless you add an exception for that file. To do this simply create a file called .htaccess inside wp-admin and add the following code to your file, replacing xxx.xxx.xxx.xxx with your IP address:
# The Auth* lines point at an empty user/group file; they are not what does the
# blocking and can be left out. The order/deny/allow lines are Apache 2.2
# (mod_authz_host) syntax. On Apache 2.4 the same rule is written as
# "Require ip xxx.xxx.xxx.xxx" instead of order/deny/allow.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
You can add multiple “allow from” lines, so make sure to add any IP addresses you plan on accessing your site from (i.e. home, office, etc.). Remember most ISPs use dynamic IPs, so your IP address might change on occasion. If you get locked out, just update your .htaccess file over FTP/SSH or delete it altogether. This obviously is not a good tip if you allow open registrations, as you need to allow your users access to wp-admin.
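Tips 3 and 4 both live in wp-config.php, and both are easy to check mechanically. The script below is an added example, not Brad’s code or anything shipped with WordPress: it parses a wp-config.php, reports whether the table prefix is still wp_ and whether any of the four secret keys is missing, still the “put your unique phrase here” placeholder, or suspiciously short, and can write out a hardened copy with fresh 64-character keys and a randomised prefix (the same length and character set the api.wordpress.org generator uses is assumed, not looked up). The sample config embedded in it is constructed for the demonstration. Only the wp-config.php tips are covered; the admin-account and .htaccess tips cannot be audited from this file.

```python
"""Audit (and optionally harden) the secret-key and table-prefix settings in wp-config.php."""
import re
import secrets
import string

# Constructed sample: a stock config with the defaults the tips above warn about.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'secret');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix  = 'wp_';
"""

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LEN = 32  # assumption: anything shorter than this is treated as too weak

# define('NAME', 'value') with either quote style; the value must end with the
# same quote it opened with so symbols inside the key are not mis-parsed.
DEFINE_RE = re.compile(r"""define\(\s*(['"])(\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

# No quotes or backslashes, so the key can be dropped into a PHP single-quoted string.
KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"


def parse_config(text):
    """Return ({define name: value}, table prefix or None) from wp-config.php text."""
    defines = {m.group(2): m.group(4) for m in DEFINE_RE.finditer(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_config(text):
    """Return a list of findings; an empty list means the two checked tips are followed."""
    defines, prefix = parse_config(text)
    findings = []
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default 'wp_'")
    for name in KEY_NAMES:
        value = defines.get(name, "")
        if value == "" or value == PLACEHOLDER:
            findings.append(f"{name} is missing or still the placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name} is short ({len(value)} chars)")
    return findings


def generate_key(length=64):
    """Random secret drawn with the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def harden_config(text, prefix=None):
    """Return a copy of the config with fresh secret keys and a non-default prefix."""
    prefix = prefix or "wp" + secrets.token_hex(3) + "_"  # e.g. wp1a2b3c_

    def replace_define(m):
        name = m.group(2)
        if name in KEY_NAMES:
            return f"define('{name}', '{generate_key()}')"
        return m.group(0)  # leave DB_* and other defines untouched

    text = DEFINE_RE.sub(replace_define, text)
    if PREFIX_RE.search(text):
        text = PREFIX_RE.sub(f"$table_prefix = '{prefix}'", text)
    else:
        text += f"\n$table_prefix = '{prefix}';\n"
    return text


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print(harden_config(SAMPLE_CONFIG))
```

Run it against a real file with `audit_config(open("wp-config.php").read())`; if you use `harden_config` to rewrite the file, remember from tip 3 that changing the prefix on an installed site also requires renaming the tables, which this script does not do, and from tip 4 that every logged-in user will be signed out.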
So, how many of these tips do you follow regularly?
You can view my full WordPress Security Presentation from WordCamp Montreal below and view my slides (Canadian flags and all!) here:
Were you surprised to see WordPress 2.8.3 released? I was, but I didn’t think it would be because of the same security related issue that 2.8.1 was supposed to address. I thought 2.8.3 was released as a bug fix version, as a few annoying bugs have popped up that were giving people issues. It was inevitable that a 2.8.3 would be released before 2.9. I’m glad however to report that 2.8.3 does contain some bug fixes as well as completely fixing the security vulnerability. The bug I had in mind deals with editing comments and the URL field being blank even though there was a value represented in it, which has been fixed. The upgrade was easy peasy for me and I suggest you upgrade as well. But please, back up your data first before you even think about touching that upgrade button.
John Kolbert, who authors a few different WordPress plugins, has released an update to Absolute Privacy. The new update now allows XML-RPC clients such as the iPhone app and also prevents subscribers from reaching any of the administration pages. Absolute Privacy provides a wealth of options for those wanting to really turn their blog into a private domain. Here is a listing of the features currently supported.
Force registrants to enter first and last name
Allow registrants to choose their own passwords
Moderate users: new registrants cannot login until approved
Get emailed every time an approval is waiting (with a link for quick approval)
Lock out all non-logged in views from your website (configurable)
Prevent subscribers from viewing admin pages (like their profile page and the dashboard)
Perfect for family blogs, personal sites, and private communities!
In essence, it takes WordPress privacy settings to the next level without compromising ease of use for those that need it. While not directly related, I’ve used a simple yet effective plugin in the past from John Kolbert called WP Admin Favicon which enables people to provide a favicon strictly for the WordPress administration area. It can get hectic inside a browser with 10 tabs or more open, and with only the favicon to go by, choosing the right tab that has your WordPress write panel in it is a nightmare without a custom favicon. John tells me that his next project related to these two plugins is language localization support.
QuickOnlineTips.com has a list of what they believe to be the best nine security plugins to use with WordPress. Some of the usual suspects have made the list such as WP Security Scan. I’m not sure if it’s good to mention this or not, but I don’t use any of those plugins on the list. What I do use is a strong password, .htaccess blocking of folder indexes, a renamed admin account and a few other little quirks.
In the process of making your WordPress uber secure, I’m wondering if anyone out there has hosed their blog by making it too secure? Maybe you installed the wrong security plugin or perhaps the combination of security plugins created a recipe for disaster? If this has happened to you, please share your stories in the comments, I’d love to read them.
Unfortunately, I bet this is a common question. I should browse the WordPress.com forums to see how many people are inquiring about the recent security upgrade.
I have read that there is an important security update for the WordPress blogging software. Do I need to upgrade my blog www.anopensource.wordpress.com, if so how can I do this?
After the security vulnerability kerfuffle that I reported on the other day regarding my beloved Contact Form 7 plugin, the plugin author has released an update which contains the necessary security fixes. Based on the changes, we can see that the security problem lay in the fact that the previous version did not apply default restrictions for file types and file sizes on uploaded files when the site owner had not set them explicitly.
This version applies default restrictions for file type and file size when you do not set the filetypes and limit (file size) options explicitly. Default acceptable file types (extensions) are: jpg, jpeg, png, gif, pdf, doc, docx, ppt, pptx, odt, avi, ogg, m4a, mov, mp3, mp4, mpg, wav, and wmv. Default acceptable file size is 1 MB (1048576 bytes).
You can grab the new version from the plugin homepage or from the WordPress plugin repository.
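To make the changelog concrete, here is an added example in Python (not the plugin’s PHP, and not the author’s code) that models the behaviour described above: a checker that only enforces limits when the site owner set them, next to the fixed behaviour that falls back to the changelog’s default extension list and 1 MB limit when the options are absent. The default list and size are taken from the changelog; the case-insensitive extension comparison and the extra rejection of script extensions hidden in the middle of a filename (such as shell.php.jpg) are my own hardening assumptions, not something the changelog states.

```python
"""File-upload checks modelled on the Contact Form 7 changelog: before and after the fix."""
import os

# Defaults quoted from the changelog above.
DEFAULT_TYPES = {
    "jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "ppt", "pptx", "odt",
    "avi", "ogg", "m4a", "mov", "mp3", "mp4", "mpg", "wav", "wmv",
}
DEFAULT_LIMIT = 1048576  # 1 MB in bytes

# Assumption (not from the changelog): extensions that must never appear anywhere
# in the name, so that "shell.php.jpg" is rejected even though it ends in .jpg.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "py", "sh", "asp", "aspx", "jsp"}


def extension(filename):
    """Final extension, lower-cased, without the dot ('' when there is none)."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def check_upload_before_fix(filename, size, filetypes=None, limit=None):
    """Pre-fix behaviour as the changelog describes it: unset options mean no check at all."""
    if filetypes is not None and extension(filename) not in {t.lower() for t in filetypes}:
        return False
    if limit is not None and size > limit:
        return False
    return True  # with both options unset, anything of any size gets through


def check_upload_after_fix(filename, size, filetypes=None, limit=None):
    """Fixed behaviour: fall back to the defaults when the site owner set nothing."""
    allowed = DEFAULT_TYPES if filetypes is None else {t.lower() for t in filetypes}
    max_size = DEFAULT_LIMIT if limit is None else limit

    ext = extension(filename)
    if not ext or ext not in allowed:
        return False
    if size <= 0 or size > max_size:
        return False
    # Hardening assumption beyond the changelog: reject script extensions in any position.
    parts = os.path.basename(filename).lower().split(".")
    if any(part in SCRIPT_EXTENSIONS for part in parts[1:]):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample uploads: (name, size in bytes)
    samples = [("photo.JPG", 500_000), ("shell.php", 2_048), ("shell.php.jpg", 2_048), ("movie.mp4", 2_000_000)]
    for name, size in samples:
        print(f"{name:16} before={check_upload_before_fix(name, size)!s:5} after={check_upload_after_fix(name, size)}")
```

The failure mode worth noticing is the first function with both options left at `None`: a site that never filled in the filetypes and limit fields silently accepted every upload, which is exactly the gap the new version closes. If your server executes PHP in the uploads directory, an extension allowlist is not a complete defence on its own; disabling script execution there is a separate step.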
Donations:
Last night, I donated $20.00 to the author of Contact Form 7 to bring his total up to $100.00. Not only is it a great plugin, but I wanted to send a token of appreciation for fixing the plugin so quickly. I noticed that many other people use this plugin as well and if you can spare a dollar or two as a donation, I highly encourage it. This marks the third donation I’ve given to a plugin author. If WPTavern can ever pay the bills while having cash left over, I’d use that to donate to the authors of the plugins I use on this site.
Yesterday afternoon, I was pretty shocked to see a message over twitter from Mark Jaquith announcing that the WP Contact Form 7 plugin had a security vulnerability in it which was being exploited and that anyone using the plugin should uninstall it immediately.
Contact Form 7 is a popular plugin. In fact, just the other day for the Ask Jeff segment, I explained how to configure it. I use this plugin on both WPTavern and Jeffro2pt0.com and I have since uninstalled it.
A number of people sent replies to Mark trying to figure out more information. According to Mark’s answers, he didn’t want to give out the specifics regarding the vulnerability as this would provide hackers with a roadmap. In terms of what was happening upon exploitation, Mark responded with:
It’s being exploited in… a really bad way. Complete access, insertion of spam links, Google penalties. Bad stuff.
Sounds pretty bad if you ask me. Mark has contacted the plugin author so we can only hope that he responds quickly with a fix. Until then, WPTavern and Jeffro2pt0 will go without a contact form as I simply don’t want to use another plugin if i don’t have to. I’ll give the author a few days to respond.
Mark stated that disabling the plugin should be enough to protect you, but for me, completely uninstalling it gives me peace of mind.
Now you might be wondering why I didn’t post about this as soon as I saw the news. Well, even though I trust Mark Jaquith, I was waiting to see if anyone else had picked up on a security bulletin or if anyone had been attacked and since made it public. I asked around all day long, including in the WordPress IRC channel and details were very sparse. I like to know what I’m dealing with before I spread the word, that just makes for common sense and since there was very little to go by, I had a hard time spreading the news. However, spread the news as much as you can before anyone else who uses this plugin turns into a victim.
*Update*
During the night, I discovered a forum thread on WordPress.org started by Len which was then followed up by a reply from Takayukister who is the author of the plugin. Last time I checked, nothing was found within the plugin code that could be causing the vulnerability.