Category Archives: Security
The typical scenario of any software project is “get it working first, we’ll secure it later”. This is particularly true of Web packages, since it’s not easy to know in advance all of the issues you may run into across all of the server configurations that exist. WordPress has now become established enough that the idea of “hardening” it against attack is starting to become a major focus. One of the easiest ways to start is to get rid of the well-known database table names, so that injection attempts which rely on guessing those names (to query for password data, or to otherwise gain higher privileges on your server or in WordPress) are harder to pull off. In my tutorial on setting up WordPress I try to stress that you should always change the generic database prefix “wp_” to something completely random to help accomplish this. Unfortunately many people missed this step, or set up their WordPress using an installer program that does not allow this change.
All is not lost though. I have recently discovered a plugin that might help. The folks over at BlogSecurity.net have developed a plugin for WordPress that is designed to alter this prefix. WP Prefix Table Changer gets activated like a regular plugin but will alter things so that you have this vulnerability fixed.
This is a very minor thing to do, but every little security step you can take enhances your overall stability and makes you less of a target.
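For readers who want to see what the prefix change actually involves, here is an added SQL illustration (my own example, not the WP Prefix Table Changer plugin’s code) for a WordPress 2.3 database. The new prefix `k7q_` is a made-up value and the table list is the assumed default 2.3 set; the two UPDATE statements matter because WordPress stores role and capability data under keys that embed the prefix, not just in the table names.

```sql
-- Added example: manual equivalent of a table-prefix change on a
-- WordPress 2.3 database. 'k7q_' is a constructed prefix; the table
-- list is the assumed default set for 2.3 (compare with SHOW TABLES).
-- RENAME TABLE is DDL and cannot be rolled back, so work from a backup.

RENAME TABLE
  wp_comments            TO k7q_comments,
  wp_links               TO k7q_links,
  wp_options             TO k7q_options,
  wp_postmeta            TO k7q_postmeta,
  wp_posts               TO k7q_posts,
  wp_terms               TO k7q_terms,
  wp_term_relationships  TO k7q_term_relationships,
  wp_term_taxonomy       TO k7q_term_taxonomy,
  wp_usermeta            TO k7q_usermeta,
  wp_users               TO k7q_users;

-- WordPress also embeds the prefix in row values, not only table names.
-- Skipping these two updates is the classic way to lock every account
-- out after a rename: roles and capabilities become unreadable.
UPDATE k7q_options
   SET option_name = 'k7q_user_roles'
 WHERE option_name = 'wp_user_roles';

UPDATE k7q_usermeta
   SET meta_key = CONCAT('k7q_', SUBSTRING(meta_key, 4))   -- strip 'wp_'
 WHERE meta_key IN ('wp_capabilities', 'wp_user_level');

-- wp-config.php must then agree with the database:
--   $table_prefix = 'k7q_';

-- Checks: nothing should still carry the old prefix.
SHOW TABLES LIKE 'wp\_%';                                  -- expect no rows
SELECT COUNT(*) FROM k7q_usermeta WHERE meta_key LIKE 'wp\_%';  -- expect 0
SELECT option_name FROM k7q_options WHERE option_name LIKE '%user_roles';
```

If the last query does not return exactly `k7q_user_roles`, the rename is incomplete and administrators will lose their roles on the next login.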
WordPress 2.3.2 has just been released, and it contains critical updates that fix some vulnerabilities in how WordPress creates Draft entries. Anyone using the WordPress 2.3.x line should immediately go to WordPress.org and download the new version. Unless you’ve done something strange to your core files, all you need to do is overwrite your current install with the new version to upgrade; then go to wp-admin/upgrade.php in your web browser to finalize the database update.
WordPress 2.3.1 is now available for download from the WordPress.org website. This release fixes a number of bugs and security issues. I would strongly suggest all current 2.3 version users download and update their version of WordPress.
The first WordPress 2.3 security issue has been found. It is in regard to the blogroll function in WordPress and results in unlimited spam entries being injected into your blogroll. This vulnerability is already being exploited by spammers. An explanation and a fixed file can be found here until a new point release of WordPress is available. This issue apparently also affects older versions of WordPress as well as the newest version, so pretty much anyone using the blogroll on their site should immediately address this issue.
WordPress 2.2.3 has been released and contains some small bug fixes and security updates. Anyone using the 2.2.x branch should update to this new version. (Please note: 2.2.3 is NOT 2.3, and it is not the version of WordPress that will break many older plugins; this is just an update to the existing 2.2 branch, so don’t be afraid to update to this version.)