AWSOM.org = Artist Website Setup Options Markup » Security

Wordpress 2.5.1 released, major security fix required

harknell — Sat, 26 Apr 2008 12:44:34 +0000

WordPress 2.5.1 has been released, and all 2.5 users should immediately upgrade to the new version. There is apparently some kind of security vulnerability fix in the new version, so this is a critical upgrade for all users. I suspect it’s probably related to the ongoing series of issues that are causing spam attacks on older versions of WordPress, so this is a pretty big reason to be constantly on the lookout for irregular things occurring on your sites and make sure you always have the most updated versions of plugins and such installed.

So far it looks like all of the AWSOM plugins are unaffected by the upgrade and still work properly. If you encounter any issues though please let me know.

Advertisement: Check Out My Online Store

ShareThis

Spam Hack in Progress across Wordpress sites

harknell — Tue, 15 Apr 2008 15:54:23 +0000

There is currently a large scale spam attack on Wordpress sites that is ongoing and affects primarily Wordpress versions 2.1.x and 2.2.x (it’s not clear if 2.3.x or 2.0.x are affected, but it seems likely they aren’t). The attack results in a large number of spam listings injected into either posts or theme files which are then set to be hidden through css. Your will typically find that you’ve been affected when Google contacts you to say you are being de-listed due to a high number of spam links on your site. It is also typical for the attackers to delete all of your pages from your site for some reason, so if you load your site and all of your pages are gone you may have been hacked.

It’s not entirely clear what method the hackers are using to get admin access to the affected sites, but from my observation it may be a privilege escalation attack using the comment system. In some cases a random user account was created right before the attack. It was also noted that the comments.php theme file was altered to add in a console access applet which allowed for low level server access. If you get hacked make sure you check every theme file to make sure no malicious code was added–or better yet, reload your theme files from a backed up or fresh copy, and delete out any suspect user registrations.

Wordpress 2.5 is apparently not affected by this problem, so an upgrade should help. I have upgraded my sites to 2.5 and have managed to mostly get things working (though my archive page on this site is currently non-functional). It looks like this is the unfortunate little push that will force most people to upgrade, though I strongly suggest making sure first that there are updated plugins that work with 2.5.

Advertisement: Check Out My Online Store

ShareThis

On the Same Track as Last Post

harknell — Tue, 05 Feb 2008 17:12:08 +0000

While it is always more convenient to place as many functions into one centralized site as possible, it is also generally more insecure and prone to problems. Case in point: Forum plugins for Wordpress. While I know the desire to have one centralized administration area for a forum and your blog site might seem like a good idea, it is not always in your best interest to have this as your set up. Apparently there is a bug in the current version of the WP-Forum plugin that allows malicious users to access your database information. Whenever you have a situation where you allow users to add content to your site, you create a potentially vulnerable area for someone to exploit. In the case of a forum, this can be especially difficult to program in a manner that eliminates this risk. (note how often most forums have security updates, it’s a lot). So you end up with a case where you now have 2 different site concepts taken out by the most vulnerable element. I almost exclusively suggest that people simply run 2 different sites with 2 different databases and simply match them using a common looking theme. It’s simply more secure to do things that way.

Advertisement: Check Out My Online Store

ShareThis

Urgent Security Issue, Upgrade Wordpress to 2.3.3 Now!

harknell — Tue, 05 Feb 2008 17:03:48 +0000

There has been an unscheduled Wordpress Security release that upgrades Wordpress to version 2.3.3. This is a critical update that closes a vulnerability that would allow registered users to edit the posts of other users if they sent a specially formatted request. It is strongly suggested that all users on the 2.3.x branch upgrade their version as soon as possible.

Advertisement: Check Out My Online Store

ShareThis

Security a focus as Wordpress Matures

harknell — Thu, 24 Jan 2008 14:26:19 +0000

The typical scenario of any software project is “get it working first, we’ll secure it later”. This is particularly true of Web packages, since it’s not easy in advance to know all of the possible issues you may run into across all of the possible server instances that exist. Wordpress has now become enough established that the idea of “hardening” it against attack is starting to become a major focus. One of the easiest ways to start doing this is to eliminate the known database table structure, so it’s harder for hackers to try to inject password searches or other methods of gaining higher privileges on your server or Wordpress. In my tutorial on setting up Wordpress I try to stress that you should always change the generic database prefix “wp_” to something completely random to help accomplish this. Unfortunately many people missed this step, or set up their Wordpress using an installer program that does not allow this change.

All is not lost though. I have recently discovered a plugin that might help. The folks over at BlogSecurity.net have developed a plugin for Wordpress that is designed to alter this prefix. WP Prefix Table Changer gets activated like a regular plugin but will alter things so that you have this vulnerability fixed.

This is a very minor thing to do, but every little security step you can take enhances your overall stability and makes you less of a target.

Advertisement: Check Out My Online Store

ShareThis

Wordpress 2.3.2 released, Critical Update!

harknell — Sun, 30 Dec 2007 15:22:21 +0000

Wordpress 2.3.2 has just been released, and it contains critical updates that fix some vulnerabilities in how Wordpress creates Draft entries. Anyone using the Wordpress 2.3.x line should immediately go to Wordpress.org and download the new version. Unless you’ve done something strange to your core files all you need to do is overwrite your current install with the new version to successfully upgrade–then go to wp-admin/upgrade.php in your web browser to finalize the database update.

Advertisement: Check Out My Online Store

ShareThis

Wordpress 2.3.1 now available

harknell — Mon, 29 Oct 2007 16:26:43 +0000

Wordpress 2.3.1 is now available for download from the Wordpress.org website. This release fixes a number of bugs and security issues. I would strongly suggest all current 2.3 version users download and update their version of Wordpress.

Advertisement: Check Out My Online Store

ShareThis

First Wordpress 2.3 vulnerability found, same for earlier versions

harknell — Wed, 24 Oct 2007 12:45:22 +0000

The first Wordpress 2.3 security issue has been found. It is in regard to the blogroll function in Wordpress and results in unlimited spam entries being injected into your blogroll. This vulnerability is already being exploited by spammers. An explanation and a fixed file can be found here until a new point release of Wordpress is available. This issue apparently also affects older versions of Wordpress as well as the newest version, so pretty much anyone using the blogroll on their site should immediately address this issue.

Advertisement: Check Out My Online Store

ShareThis

Wordpress 2.2.3 released, Security update

harknell — Mon, 10 Sep 2007 12:58:49 +0000

Wordpress 2.2.3 has been released and contains some small bug fixes and security updates. Anyone using the 2.2.x branch should update to this new version. (Please note: 2.2.3 is NOT 2.3 and is not the version of Wordpress that will break many older plugins–this is just an update to the existing 2.2 branch–so don’t be afraid to update to this version).

Advertisement: Check Out My Online Store

ShareThis