Posts Tagged “Wordpress”

Problems

I just checked my blog today, and what did I notice? At first my template had been reset to the default one; I don't know what caused that, but most likely it has the same cause as this MySQL error:
WordPress Database Error: WordPress isn’t able to create the following temporary SQL file #sql.2076.txt
or something like that was the message. I was surprised, and I had no clue what the cause was. So I started a search on my server for some tmp folders, and luckily I found some. I changed to the /tmp dir, and there was already a #sql file in it. After I deleted the file everything was working fine again. The reason for this issue was most likely the latest server restart; maybe it was restarted after the file was created but before the file was deleted again. At least that would explain it for me, as the file wasn't there any more, even after several visits to my website.

New WP version

Since yesterday a new WordPress version of the latest trunk is available: version 2.3.2 fixes a possible XSS attack and closes several information leaks. One of the biggest (positive) surprises is that WordPress error messages are now only displayed if your blog runs in WP_DEBUG mode, so by default it is no longer so easy to gain information about your database structure in order to perform successful SQL injection attacks on your website.

So anyone who already runs WP 2.3 should upgrade to the latest release in order to have the best possible protection. Everyone who uses an earlier version should run BlogSecurity's bs-wp-noerrors to get this feature as well.

Download WordPress 2.3.2

Tags: BlogSec, release, Security, Wordpress

I never thought about such a step myself, maybe because I have never encountered such a thing to date.
But if you run your own webspace you should never steal anyone's content or bandwidth. As soon as the owner notices, you can get into real problems; maybe he starts a lawsuit against you (you may have ignored some copyright laws, or caused additional bandwidth costs for him). And what happens if he simply replaces the content or redirects your website to something that harms your visitors or blames you?

In the following WordPress topic you can read that someone linked to some JS of Website_A. This JS is the output of a publicly available free WP plugin; the JS code even mentions that it was generated by that plugin. But somehow the owner of Website_B was too lazy, or wanted to save some bandwidth, so he simply linked to this JS file on Website_A.
After the owner of Website_A noticed that someone was stealing his bandwidth, he created a mod_rewrite rule which redirected the request for this JS to another JS file containing an alert box that appeared in front of the visitor and told him that this website steals traffic from another one. After one month the owner of Website_B discovered the JS change and removed the JS.

But it's important to say that, theoretically, the owner of Website_A could have written any JS code into that file. He could have stolen cookies of the users of Website_B or done anything else he liked; he could even have started a phishing attack.
The owner of Website_B made his website vulnerable because he was too lazy to host the script himself.

Every good webmaster/site owner does not steal content, as this is unethical and, maybe more importantly, dangerous!

Tags: mod_Rewrite, Steal, Webmaster, Wordpress

As there's currently some discussion going on about whether WP 2.3 should send your plain URL to WP.org (while checking for newer versions of the plugins you use) or not, I would like to mention one alternative, and at the same time I'll cover some of its shortcomings as well.

WP-Plugins DB

The WordPress Plugins DB is quite new, but already a big resource for plugin versions. It's created and managed by Sugan Shan. You need to install an additional plugin from the website in order to use it; you can grab your copy here. After you activate that plugin you can have your plugin versions checked for the latest release by visiting the plugin admin page.

Now we already reach a big problem of that project at the moment. It's managed entirely by Sugan, so if he hasn't enough time to update the plugin versions, you may think you run the latest version while you don't. It doesn't even need to be a lack of time; he may simply not know about a newer version of a given plugin. You can also create your own developer account on that website, but it doesn't offer the features WP.org or WP-Plugins.org do.
But this doesn't need to mean anything, as the project is quite new and many exciting features may come with time.

WP 2.3 Built-in

As mentioned above, WP Plugins DB lacks some of the features offered on WP.org for plugin developers. Maybe it isn't intended to be anything like WP.org or WP-Plugins. So you can't keep track of your plugin downloads and you're not able to compare them with your competitors. But the plugin doesn't send anything home except your plugins' names and versions, and mostly that data isn't even stored, whereas WP.org stores your URL as well, in plain text. That may be the biggest pro for that plugin. Matt doesn't even know what this URL data could be useful for, so why not add that step only once it is needed (or at least useful)?

How to get rid of it

So if you don't want your blog URL stored on WP.org and don't want to use that function at all, you can disable it by making a small change to one WP core file. The file you need to edit is wp-admin/includes/update.php.
After you have opened the file, move to this line of code (line 43):

function wp_update_plugins()

Now add this line right after it, as the first statement of the function body:

return false;

Save the file. Now your blog doesn't use the update checker from WP any more (as long as you apply the change to every newer version of that file).

If you only want to prevent it from submitting your real blog URL, change this line (line 85) of the same file:

$http_request .= 'User-Agent: WordPress/' . $wp_version . '; ' . get_bloginfo('url') . "\r\n";

To something like:

$http_request .= 'User-Agent: WordPress/' . $wp_version . '; http://example.com' . "\r\n";

Why WP suffers too

Anyway, the WP.org plugin repository isn't anywhere near a complete snapshot of all WP plugins out there, as only plugins released under a GPL-compatible license get added.

And even that isn't a guarantee of being added.
So you may be better off using WP-Plugins Tracker than the built-in WP function.

Conclusion

So as you see, there's currently no perfect solution available that covers every area fully. But from my point of view the WP-Plugins DB is the better way, as everything can get added regardless of the license it's published under or whether there's a commercial Pro version of it. And why should security checking stop at borders like license or money?
As the Plugins DB isn't perfect in its current state, we may need to use both in order to keep track of our plugins and their security.

Update: I just found these plugins which disable the core update and plugin update functions.

Tags: Auto Update, Phone Home, Plugins, Security, Wordpress

Today I read the latest issue of PC Praxis, a German computer magazine. They started a series about WordPress; the current issue covers how to install WordPress. The next issue of the series will cover the best tips and plugins for WordPress, and the last issue will then cover how to earn money with blogging.
For sure it's nice to see that WordPress gets so much attention in the German-speaking area, as WordPress is really nice and its popularity and the mass of available plugins can't simply be kept secret. But it seems that this magazine is making the same mistake the developers of WordPress make or made.
They're not covering how to secure your blog. The only tip you get about how to improve your security is to drop the default admin account and add another administrator account with the same rights, which is harder to enumerate, but not impossible.
Together with BlogSecurity.net I'm trying to get an additional issue which covers security more deeply than is currently done and planned.

This post is also published on BlogSecurity.net

Tags: Magazine, PC Praxis, Security, Wordpress

Some of you may have noticed that I joined the team of BlogSecurity (BS). I found that site just after its release, and I was lucky to discover David Kierznowski's website before (which led me to BlogSecurity). My first contribution was just giving my opinion about the topics covered at BS, as well as submitting new flaws found in WordPress. David asked me if I would like to join his team and I agreed, as I have always been interested in the security area. After some discussion about what we can do, I started working on the first plugin for BS.
The aim of the WP Prefix Table Changer is to change your WordPress table prefix from wp_ to something different, which should be as random as possible, to hinder SQL injection by attackers who then don't know your table names. Or at least you can improve your security, as no 100% guarantee can be given. The tool automatically changes your table prefixes to the new value you give, as well as some hardcoded values within the tables. If possible the wp-config.php file is updated as well; if that's not possible you get all the information needed to change it manually.
With that tool it's quite easy to improve your security and keep this area reasonably secure: if something ever causes a wp-database error and you see it or get notified, you can change the prefix in the same step as you fix the cause of the problem.
If you like the plugin, let us know. Also comment if you dislike something or want something added.
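An added example, not the BlogSecurity plugin's own code, of the steps such a prefix change involves: it generates a random prefix and emits the RENAME TABLE statements plus the updates for the option and usermeta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level). The WP 2.2 default table list and the helper names are assumptions for this snippet.

```php
<?php
// Added example (not the plugin's code): produce the SQL and the wp-config.php
// line needed to move a WordPress install from the wp_ prefix to a random one.

function random_prefix(int $len = 8): string {
    // Letters only, so the prefix is always a valid start of an identifier.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz';
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out . '_';
}

function prefix_change_sql(string $old, string $new): array {
    // Prefixes are interpolated into SQL identifiers, so restrict them strictly.
    if (!preg_match('/^[a-z0-9_]+$/i', $old) || !preg_match('/^[a-z0-9_]+$/i', $new)) {
        throw new InvalidArgumentException('prefix must match [a-z0-9_]+');
    }
    // Assumed WP 2.2 default table set.
    $tables = ['posts', 'postmeta', 'comments', 'links', 'options', 'users',
               'usermeta', 'categories', 'post2cat', 'link2cat'];
    $sql = [];
    foreach ($tables as $t) {
        $sql[] = "RENAME TABLE `{$old}{$t}` TO `{$new}{$t}`;";
    }
    // These rows carry the prefix inside their key names and must follow the rename,
    // otherwise every user loses roles and capabilities after the switch.
    $sql[] = "UPDATE `{$new}options` SET option_name = '{$new}user_roles' WHERE option_name = '{$old}user_roles';";
    $sql[] = "UPDATE `{$new}usermeta` SET meta_key = '{$new}capabilities' WHERE meta_key = '{$old}capabilities';";
    $sql[] = "UPDATE `{$new}usermeta` SET meta_key = '{$new}user_level' WHERE meta_key = '{$old}user_level';";
    return $sql;
}

$new = random_prefix();
echo implode("\n", prefix_change_sql('wp_', $new)), "\n";
echo "-- wp-config.php: \$table_prefix = '{$new}';\n";
```

Run the generated statements against a backup first; the wp-config.php line printed last has to be applied before the site is used with the renamed tables.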

PS: Add BlogSecurity to your favourite websites, as we have just started to improve the WP community's security! The next plugin is coming soon!

Tags: BlogSecurity, Security, SQL Injection, Table Prefix, Wordpress

As I just read over at BlogSecurity.com, it seems that many users who host their blog independently of wordpress.com don't really care about keeping it up to date, and therefore secure. Of the 50 scanned blogs around 46 were vulnerable; some run versions which are a year old and older. Some may now claim that just 50 blogs can't represent around 2-3 million WP blogs, and they may even be right. But if there are just 300 of them running really old, vulnerable versions, that is 300 too many. And I can tell you from my experience with updating other blogs that there are quite a lot of them out there.

The Advantage

I will name just one advantage of updating your old 1.5 blog to the current version 2.2: you can use Akismet! I once had an old 1.5 blog whose owner had even stopped using it, as there were around 60k spam comments and just 4 legitimate ones. With Akismet you need just one click to flush all spam away. I had to work with phpMyAdmin to get rid of all the spam without deleting a legitimate new comment that might be hidden among the spam. With Akismet this doesn't happen again!

And there are so many other advantages to profit from; who still develops plugins for WP 1.5?

It’s Easy!

Most of the time updating your blog is as easy as 1, 2, 3. You make a backup of all your WP files and tables, delete all WP files, upload the new files, and the last step is to run the update script; then your blog is running the latest version. It costs you just 5 minutes. And how often does it happen that something breaks with a newer WP version? I would say it's worth spending some time to keep your blog updated.

You’re no NERD?

For sure it may be that you're not too much into PHP, Apache and so forth. For all of you I'll offer my help! You want to upgrade your blog but don't know how to do it? No problem, contact me and I'll take a look at where I can help you.
The service will be free (adapting templates to newer versions is not supported), but if you like you can make a small donation; details are handled as soon as the work is done or about to start.

Tags: Update, Vulnerable, Wordpress

The team around BlogSecurity plans to launch something like an award or recognition system for blogs, themes and/or plugins which are secure. In my eyes this seems to be a really good idea. If this became widespread, you could go out and look for plugins or themes which are secure and prefer them over unproven and even insecure ones. Who of us wants his blog cracked into? It would take so much work to gain access again and redo everything (depending on what the attacker did).

In the current step they're collecting opinions as well as ideas you have about it. I would let my components be approved, to assure you that these are secure and you can use them without any strange feeling in your stomach. As these plugins don't only interact with WordPress but also with phpBB and Joomla, it seems even more important to show security.

At the current stage of this idea, nothing big has been done yet. So there's currently nothing available about whether it will cost something and how it will be done, but if the WordPress community shows real desire for such a service it will come, and we'll soon see deeper information on this theme. So watch this blog!

Tags: Award, Plugin, Security, Theme, Wordpress

As you surely noticed a few weeks ago, Project Honey Pot announced that they're now also tracking comment spammers. And they're doing it quite successfully; the current rate of newly caught spammers is around 100 per day. Part of the success is for sure the http:BL plugin for WordPress, which can be grabbed here and which made http:BL better known. In order to use this plugin you need a Project Honey Pot account, and if you have an account it's not much work to get your own honey pot.

http:BL, the success

Many users of the http:BL WP plugin reported that their daily spam count dropped dramatically from 100 and above to just a handful of spam comments per day; some also report that they don't receive any spam at all after setting up this plugin and service.
For myself I got a similar figure, but not too successful at all: my spam count is still around 15-20 per day, but the amount dropped by around 66%.

Tags: http:BL, SPAM, Wordpress

As I just read over at heise.de Security (German), a good collection of security news, a cross-site scripting (XSS) hole exists in many templates for WordPress. Affected templates include popular ones such as K2 as well as the classic one.

The problem occurs for many templates which use custom 404 error pages. Most of these templates don't escape HTML special characters in the variable $_SERVER['PHP_SELF'] before echoing it, so XSS attacks are possible.
To see if your template is also affected, visit this URL:

http://www.example.com/index.php/"><script>alert(document.cookie)</script>

If you see a JavaScript popup (assuming JavaScript is enabled), your template is affected.
Check searchform.php and sidebar.php for:

action="<?php echo $_SERVER['PHP_SELF']; ?>"

Replace it with:

action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"

The original bug report was posted at Bugtraq.
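As an added example (not code from the original post or the Bugtraq report), the following PHP script audits a constructed theme fragment for the unescaped PHP_SELF echo described above and shows what the htmlspecialchars() fix produces for the post's test payload; the fragment and the function name are assumptions.

```php
<?php
// Added example (not from the original post): find unescaped PHP_SELF echoes in a
// theme and show the difference the htmlspecialchars() fix makes for the payload.

// Constructed theme fragment standing in for searchform.php / a custom 404 page.
$theme_source = <<<'PHP'
<form method="get" id="searchform" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">Home</a>
PHP;

// Return the 1-based line numbers where $_SERVER['PHP_SELF'] is echoed without
// passing through htmlspecialchars(). Regex-based, so it is a review aid, not proof.
function find_unescaped_php_self(string $source): array {
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match('/echo\s+(.*?)\$_SERVER\[[\'"]PHP_SELF[\'"]\]/', $line, $m)
            && stripos($m[1], 'htmlspecialchars') === false) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed value: PHP_SELF as PHP populates it for the post's test URL.
$php_self = '/index.php/"><script>alert(document.cookie)</script>';

// Before the fix the quote closes the attribute and the script tag reaches the page.
$vulnerable = 'action="' . $php_self . '"';
// After the fix quotes and angle brackets become entities. ENT_QUOTES also covers
// single quotes, which plain htmlspecialchars() leaves alone on PHP < 8.1; that
// matters if a theme wraps the attribute in single quotes instead of double ones.
$hardened = 'action="' . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '"';

printf("Unescaped PHP_SELF on line(s): %s\n",
       implode(', ', find_unescaped_php_self($theme_source)));
echo "Vulnerable: $vulnerable\n";
echo "Hardened:   $hardened\n";
```

Point the scanner at your theme files (for example by reading them with file_get_contents()) to cover more than the two files the post names; the same pattern turns up in header.php and custom 404.php templates.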

Tags: Template, Theme, Wordpress, XSS
