Posts Tagged “Security”

Problems

I just checked my blog today, and what did I notice? At first my template was set back to the default one; I don't know what caused that, but most likely it has the same cause as this MySQL error:
WordPress Database Error: WordPress isn’t able to create the following temporary SQL file #sql.2076.txt
or something like that was the message. I was surprised, and I had no clue what the cause was. So I started searching my server for tmp folders, and luckily I found some. I changed to the /tmp directory, and there was already a #sql file in it. After I deleted the file, everything was working fine again. The issue was most likely caused by the latest server restart; maybe the server was restarted after the file was created but before the file was removed again. At least that would explain it for me, as the file wasn't there any more, even after several visits to my website.

New WP version

Since yesterday a new WordPress release is available: version 2.3.2 fixes a possible XSS attack and closes several information leaks. One of the biggest (positive) surprises is that WordPress database error messages are now only displayed if your blog runs in WP_DEBUG mode, so by default it is no longer so easy to gain information about your database structure in order to perform successful SQL injection attacks on your website.

So anyone who already runs WP 2.3 should upgrade to the latest release for the best possible protection. Everyone who uses an earlier version should run BlogSecurity's bs-wp-noerrors plugin to get this feature as well.

Download WordPress 2.3.2

Tags: BlogSec, release, Security, Wordpress

There is currently some discussion going on about whether WP 2.3 should send your plain blog URL to WP.org while checking for newer versions of the plugins you use.
I would like to mention one alternative, and at the same time I'll cover some of its shortcomings as well.

WP-Plugins DB

The WordPress Plugins DB is quite new, but already a big resource for plugin versions. It's created and managed by Sugan Shan. You need to install an additional plugin from that website in order to use it; you can grab your copy here. After you have activated the plugin, you can have your plugin versions checked for the latest release by visiting the plugin admin page.

Here we already reach a currently big problem of that project: it's managed entirely by Sugan, so if he hasn't enough time to update the plugin versions, you may think you run the latest version while you don't. It doesn't even need to be a lack of time he suffers from; he may simply not know about a newer version of a given plugin. You can also create your own developer account on that website, but it doesn't offer the features WP.org or WP-Plugins.org do.
But this fact doesn't need to mean anything, as the project is quite new and many exciting features may come with time.

WP 2.3 Built-in

As mentioned above, the WP Plugins DB lacks some of the features WP.org offers to plugin developers. Maybe it's not intended to be anything like WP.org or WP-Plugins. So you can't keep track of your plugin downloads and you're not able to compare them with your competitors. But the plugin doesn't send anything home except your plugin names and versions, and mostly that data isn't even stored, whereas WP.org does store your URL as well, in plain text. So that may be the biggest pro for that plugin. Matt doesn't even know what these URL data could be useful for, so why not add that step later, if it ever turns out to be needed (or at least useful)?

How to get rid of it

So if you don't want your blog URL stored on WP.org and don't want to use that function at all, you can disable it by changing one WP core file. The file you need to edit is wp-admin/includes/update.php.
After you have opened the file, go to line 43, where the function starts:

function wp_update_plugins()

Now add this line directly after it (inside the function body, i.e. after the opening brace, otherwise the file is no longer valid PHP):

return false;

Save the file. Your blog no longer uses the WP update checker (as long as you re-apply the change to every newer version of that file, since each core upgrade overwrites it).

If you only want to prevent it from submitting your real blog URL, change this line (line 85 of the same file):
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";
to something like:
$http_request .= 'User-Agent: WordPress/' . $wp_version . '; http://example.com' . "\r\n";
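Both edits have to be redone after every core upgrade, which is error-prone by hand. The following script is an added example (not WordPress code and not part of the original post) that applies either edit to the text of update.php and reports whether it is still in place. It assumes the function is still called wp_update_plugins(), that its opening brace sits on the same or the following line, and that the User-Agent line still contains the fragment '; ' . get_bloginfo('url') quoted above; the PHP excerpt embedded in it is a constructed sample so the script can run stand-alone, not the real file.

```python
"""Apply or verify the update.php edits so that they survive core upgrades."""
import re
import sys

# Start of the function; the brace may sit on the same or the next line (assumption).
FUNC_RE = re.compile(r"function\s+wp_update_plugins\s*\(\s*\)\s*\{")
# The fragment of the User-Agent line that puts the blog URL on the wire (WP 2.3 wording).
UA_RE = re.compile(r"'; '\s*\.\s*get_bloginfo\(\s*'url'\s*\)")
PLACEHOLDER = "http://example.com"

# Constructed excerpt standing in for wp-admin/includes/update.php; not the real file.
SAMPLE = """<?php
function wp_update_plugins() {
\tglobal $wp_version;
\t$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\\r\\n";
}
"""


def disable_update_check(src):
    """Make wp_update_plugins() return before it does anything.
    The 'return false;' goes after the opening brace, not after the function
    name, so the result is valid PHP even if the brace is on its own line."""
    m = FUNC_RE.search(src)
    if not m:
        raise ValueError("wp_update_plugins() not found; file layout has changed")
    rest = src[m.end():]
    if re.match(r"\s*return false;", rest):
        return src                      # already applied: idempotent
    return src[:m.end()] + "\n\treturn false;" + rest


def mask_blog_url(src, placeholder=PLACEHOLDER):
    """Replace get_bloginfo('url') in the User-Agent header with a fixed string."""
    if "'" in placeholder or "\\" in placeholder:
        raise ValueError("placeholder would break the PHP string literal")
    new, count = UA_RE.subn("'; %s'" % placeholder, src)
    if count == 0 and placeholder not in src:
        raise ValueError("User-Agent line not found; file layout has changed")
    return new


def is_patched(src):
    """(update check disabled?, blog URL no longer sent?) for a file's contents."""
    disabled = re.search(FUNC_RE.pattern + r"\s*return false;", src) is not None
    masked = UA_RE.search(src) is None
    return disabled, masked


def main(argv):
    if len(argv) != 3 or argv[1] not in ("--disable", "--mask", "--check"):
        print("usage: patch_update.py --disable|--mask|--check wp-admin/includes/update.php")
        return 2
    mode, path = argv[1], argv[2]
    with open(path, encoding="utf-8") as fh:
        src = fh.read()
    if mode == "--check":
        disabled, masked = is_patched(src)
        print("update check disabled: %s; blog URL masked: %s" % (disabled, masked))
        return 0 if (disabled or masked) else 1   # non-zero: an upgrade undid the edit
    new = disable_update_check(src) if mode == "--disable" else mask_blog_url(src)
    if new == src:
        print("already patched")
        return 0
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new)
    print("patched %s" % path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python patch_update.py --disable wp-admin/includes/update.php (or --mask) right after each upgrade, and put --check into whatever you use to monitor the install; a non-zero exit means the new core files have silently reverted to sending your URL again. Both operations are idempotent, so running them twice does no harm.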

Why WP suffers too

Anyway, the WP.org plugin repository isn't anywhere near a complete snapshot of all WP plugins out there, as only plugins released under a GPL-compatible license get added.

And even that isn't a guarantee of being added.
So you may be better off using the WP-Plugins tracker than the built-in WP function.

Conclusion

So as you see, there's currently no perfect solution available which covers every area fully. But from my point of view the WP-Plugins DB is the better way, as everything can be added, regardless of the license it's published under or whether there's a commercial Pro version of it. And why should security checking stop at borders like license or money?
As the Plugins DB isn't perfect in its current state, we may need to use both in order to keep track of our plugins and their security.

Update: I just found these plugins which disable the core update and plugin update functions.

Tags: Auto Update, Phone Home, Plugins, Security, Wordpress

I just read the latest issue of PC Praxis, a German computer magazine. They started a series about WordPress; the current issue covers how to install WordPress. The next issue of the series will cover the best tips and plugins for WordPress, and the last issue will then cover how to earn money with blogging.
For sure it's nice to see that WordPress gets so much attention within the German-speaking area, as WordPress is really nice and its popularity and the mass of available plugins can't simply be kept secret. But it seems this magazine is making the same mistake the developers of WordPress make or made.
They're not covering how to secure your blog. The only tip you get about improving your security is to drop the default admin account and add another administrator account with the same rights, which is harder to enumerate, but not impossible.
Together with BlogSecurity.net I'm trying to get an additional issue which covers security more deeply than is currently done and planned.

This post is also published on BlogSecurity.net

Tags: Magazine, PC Praxis, Security, Wordpress

We all know that it's really difficult to stay up to date with your applications, and to be honest, if an application doesn't check for new updates itself and notify you about newer versions, not many people take the time to check whether their applications are up to date.
And for sure it's no easy job to take care of all the applications you're using; the more popular and more often used ones are checked from time to time, or when some error occurs. But what about the rarely used apps you grabbed ages ago and can't remember where you got them from? For each app you have to search whether there's a newer version, and if so, update it to the latest version... that's no pleasure.

But there's now a light at the end of the tunnel: Personal Software Inspector (PSI) by Secunia (Secunia is currently the leading security firm) will cover this gap. Its aim is to provide you with all the information needed to check whether your applications are up to date and, if needed, to update them fast and easily.

How it works

After you have installed the application, it does a system scan to find all known applications (currently it detects 4.2k different apps, more to come). After the scan is done you see a list of all out-of-date applications that were detected, as well as all applications which are no longer supported. You can also view all secure applications, if you like.
For all out-of-date apps you get a direct link to an update package, and for some you also get a link to the Secunia advisory page, where you can read about the vulnerability which is closed in the newer version.
All you need to do is click the link next to your outdated software and an update will be installed, and whoosh, you run the latest version without much work of your own! Isn't that great?

Tags: Personal Software Inspector, Secunia, Security

Some of you may have noticed that I joined the team of BlogSecurity (BS). I found that site just after its release, and I was lucky to discover David Kierznowski's website before that (which led me to BlogSecurity). My first contributions were giving my opinion about the topics covered at BS, as well as submitting new flaws found within WordPress. David asked me if I would like to join his team and I agreed, as I have always been interested in the security area. After some discussion about what we could do, I started working on the first plugin for BS.
The aim of the WP Prefix Table Changer is to change your WordPress table prefix from wp_ to something different, which should be as random as possible, to hinder possible attackers' SQL injections, as they then don't know your table names. Or at least you can improve your security, as no 100% guarantee can be given. The tool automatically changes your table prefixes to the new value you give, as well as some hardcoded values within the tables. If possible, the wp-config.php file is updated as well; if that's not possible, you get all the information needed to change it manually.
With that tool it's quite easy to improve your security and keep it, at least in this area, quite secure: if something should ever cause a WP database error and you saw it or were notified about it, you can change the prefix in the same step as you fix the cause of the problem.
If you like the plugin, let us know. Also comment if you dislike something or want something added.
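To make concrete what a prefix changer has to touch, here is an added example (written for this page, not the BlogSecurity plugin's code) that picks a random prefix and generates the MySQL statements for the move: one RENAME TABLE covering every table, plus the two UPDATEs that rewrite the prefixed keys WordPress keeps inside its own rows (wp_user_roles in the options table, wp_capabilities and wp_user_level in usermeta), and the wp-config.php line that has to match. It assumes a single-blog WordPress 2.x install on MySQL and that the table list was taken from SHOW TABLES LIKE 'wp\_%' beforehand; the table names used in the stand-alone run are a constructed sample.

```python
"""Generate the MySQL needed to move a WordPress install to a new table prefix."""
import re
import secrets
import string

# Characters WordPress accepts in $table_prefix, plus our requirement of a trailing '_'.
PREFIX_RE = re.compile(r"^[a-z][a-z0-9_]*_$")


def random_prefix(length=6):
    """Return e.g. 'k3q9tz_': a letter, then letters/digits, then the underscore.
    Uses secrets (not random) so the value is unpredictable to an attacker."""
    alphabet = string.ascii_lowercase + string.digits
    body = secrets.choice(string.ascii_lowercase)
    body += "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return body + "_"


def prefix_change_sql(tables, old, new):
    """Statements, in order, that rename every table from `old` to `new` and
    rewrite the prefixed keys WordPress stores in its own rows:
    <prefix>user_roles in options, <prefix>capabilities and <prefix>user_level
    in usermeta. The rewrite is done generically via LIKE, so any other
    <prefix>* key in those columns is carried over as well."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError("bad prefix %r (expected [a-z][a-z0-9_]*_)" % p)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stray = [t for t in tables if not t.startswith(old)]
    if stray:
        raise ValueError("tables not carrying prefix %r: %s" % (old, stray))

    # One RENAME TABLE with all pairs: MySQL performs it atomically.
    pairs = ", ".join("`%s` TO `%s%s`" % (t, new, t[len(old):]) for t in tables)
    stmts = ["RENAME TABLE %s;" % pairs]

    # In LIKE, '_' is a one-character wildcard, so escape it ('\' is the default
    # escape character); SUBSTRING is 1-based, hence len(old) + 1.
    like = old.replace("_", "\\_") + "%"
    cut = len(old) + 1
    if old + "options" in tables:
        stmts.append(
            "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) "
            "WHERE option_name LIKE '%s';" % (new, new, cut, like))
    if old + "usermeta" in tables:
        stmts.append(
            "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
            "WHERE meta_key LIKE '%s';" % (new, new, cut, like))
    return stmts


def wp_config_line(new):
    """The wp-config.php assignment that must match the renamed tables."""
    if not PREFIX_RE.match(new):
        raise ValueError("bad prefix %r" % new)
    return "$table_prefix = '%s';" % new


if __name__ == "__main__":
    # Constructed table list; on a real install take it from SHOW TABLES LIKE 'wp\_%'.
    current = ["wp_comments", "wp_links", "wp_options", "wp_postmeta", "wp_posts",
               "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
               "wp_usermeta", "wp_users"]
    target = random_prefix()
    print("-- wp-config.php: " + wp_config_line(target))
    for statement in prefix_change_sql(current, "wp_", target):
        print(statement)
```

Take a database backup and put the blog into maintenance before running the output, because between the RENAME and the wp-config.php change every request fails with exactly the kind of database error the post talks about. Keep in mind that the new prefix only hides the names: an injection that can read information_schema.tables, or that provokes a verbose error message, still learns them, so treat the prefix as one layer of defence rather than a fix.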

PS: Add BlogSecurity to your favourite websites, as we have just started to improve the WP community's security! The next plugin is coming soon!

Tags: BlogSecurity, Security, SQL Injection, Table Prefix, Wordpress

The team around BlogSecurity plans to launch something like an award or recognition system for blogs, themes and/or plugins which are secure. In my eyes this seems to be a really good idea: if it were widely spread, you could go out and look for plugins or themes which are secure and prefer them over unproven and even insecure ones. Who of us wants his blog broken into? It would take so much work to regain access and redo everything (depending on what the attacker did).

In the current step they're first collecting opinions, as well as any ideas you have about it. I would have my components approved, to guarantee you that they are secure and you can use them without any strange feeling in your stomach. As these plugins don't only interact with WordPress but also with phpBB and Joomla, it seems even more important to show security.

At the current level of this thought, nothing big is done yet. So there's currently nothing available about whether it will cost something and how it will be done, but if the WordPress community shows real desire for such a service it will come, and we will soon see deeper information on this topic. So watch this blog!

Tags: Award, Plugin, Security, Theme, Wordpress
