A Word About WordPress Security...
By Andy Havens
Security is not really my "thing," but as someone who has been hacked more than once, I've learned the hard way. Whenever someone asks about WordPress in particular, I find myself saying the same thing, so it seemed easier to write this article so I can just post a link.
If you blog or want to blog, chances are someone recommended WordPress, and no wonder: with all the themes and plugins available, it's a great choice for beginning and veteran bloggers alike. But there is a problem with WordPress that could shut you down before you can blink an eye...
Friday, June 11, 2010 9:47:53 AM
It has to do with security. The popularity of WordPress and its open-source code combine to offer enticing opportunities for mischief makers who like nothing better than to break in to web sites and wreak havoc.
Part of the problem is with PHP, the underlying programming language of the WordPress script. Bear in mind, I am far from a programming expert; as a matter of fact, I'm not a programmer at all. All I know is what I've learned from working with scripts for the past several years. What I've learned is this:
PHP scripts are among the most popular around, and I've had more PHP scripts hacked than any other type. That tells me PHP has some inherent problems. Here's one I know about...
Many PHP scripts are capable of creating or modifying files and folders. To do this, they require permission from the webmaster (often this is you). These permissions are what control who has access to which files on your site. PHP generally requires global (777) permissions to do what it needs to do. The problem is, global permissions give anybody permission to create, modify, or even delete that file... even hackers.
While some web hosts have taken measures to prevent this - one of which is installing another script called "suEXEC" -
With both of the above problems, there is some controversy. I've seen some folks post that the problem runs deeper than this and is due to shared servers (cheap web hosting relies on sharing your server with lots of other sites) and inefficient server management. In other words, your host may not be dealing well with these issues on their end.
Okay, that may be true, but I've been hacked several times on different hosts and I can tell you it's ALWAYS the files with 777 permissions that are hacked.
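The 777 problem described above can be checked for rather than taken on faith. The following is an added example, not code from the article or from WordPress: it lists everything under a web root that is writable by "other" (anyone on the server), and tightens those paths to the usual 755 for folders and 644 for files. The web-root path, the function names and the sample site tree that demo_site builds are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit a web root for world-writable
# paths, i.e. the 777 folders and 666 files the article blames for break-ins.
# Assumes POSIX find/chmod; the web root is passed as the first argument.

# Print every file or directory under $1 whose permission bits include
# "other write" (numeric mask 002), one path per line.
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Tighten everything list_world_writable reports: directories become 755,
# files become 644. Prints the number of paths that were world-writable.
fix_world_writable() {
    before=$(list_world_writable "$1" | wc -l | tr -d ' ')
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
    echo "$before"
}

# Build a small constructed site tree in a temp directory so the functions
# can be exercised offline. The uploads folder is deliberately 777, the way
# the article describes, and one image is 666. Prints the root path.
demo_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php echo "front page";\n' > "$root/index.php"
    printf 'not really a jpeg' > "$root/wp-content/uploads/pic.jpg"
    chmod 644 "$root/index.php"
    chmod 777 "$root/wp-content/uploads"        # constructed: the classic 777 folder
    chmod 666 "$root/wp-content/uploads/pic.jpg"
    echo "$root"
}

# Stand-alone run: show what is exposed, fix it, show that nothing remains.
if [ "${0##*/}" != "sh" ] && [ -z "$NO_DEMO" ]; then
    site=$(demo_site)
    echo "world-writable before fix:"; list_world_writable "$site"
    echo "paths fixed: $(fix_world_writable "$site")"
    echo "world-writable after fix: $(list_world_writable "$site" | wc -l | tr -d ' ')"
    rm -rf "$site"
fi
```

Run it on a live site as `list_world_writable /path/to/public_html` first and read the list before fixing anything. On hosts that run PHP as your own account user (the suEXEC arrangement the article mentions), 755/644 is enough for WordPress to write its uploads, so tightening should not break the site; if it does, that is worth a question to the host rather than a return to 777.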
So what to do about all this?
First, be careful about what scripts you install. Whenever possible, I opt for cgi scripts (another language - you'll notice every domain and subdomain has a cgi folder); these have presented less of a problem over the years.
I still install plenty of PHP scripts, especially WordPress blogs. These days, I monitor those installs much more closely. One of the easiest ways is to log on to your account with an FTP (File Transfer Protocol) program and look at the "modified" dates of folders and suspect files. Investigate any that look out of place.
How to spot a hacked file:
What I do is simply open the suspect file in a text editor. Most of the time I'll transfer a copy from my site to a folder I create on my computer (I'll call it "hacked files-August-2010" or something) and then open it with WordPad or some other simple text editor.
After you've seen a few PHP files, you'll soon be able to tell right away, but if in doubt, open the original file and compare the two. If it's hacked, they will look different. Usually the inserted code is right at the top.
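The two checks just described, watching "modified" dates and comparing a suspect file against the original, can be automated with a baseline. Here is an added example, not code from the article or from WordPress: make_manifest records a SHA-256 hash of every file under a web root while the site is known to be clean; check_manifest later reports files that are new, changed or removed; recently_modified lists files touched in the last N days, which is the FTP date check done in bulk. The function names, the web-root path and the small site tree that demo_integrity builds (including the harmless line it inserts at the top of a file to stand in for the kind of change the article describes) are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): a file-integrity baseline for a
# WordPress tree. Assumes POSIX sh, find, awk and either sha256sum (Linux)
# or shasum (macOS). Paths are assumed not to contain whitespace.

# Print "hash  ./relative/path" for every file under $1, sorted by path.
make_manifest() {
    if command -v sha256sum >/dev/null 2>&1; then h=sha256sum; else h="shasum -a 256"; fi
    ( cd "$1" && find . -type f -exec $h {} + | LC_ALL=C sort -k 2 )
}

# Compare the tree under $1 with a manifest file $2 saved by make_manifest.
# Prints one line per difference: "changed PATH", "new PATH" or "removed PATH".
check_manifest() {
    current=$(mktemp)
    make_manifest "$1" > "$current"
    # First file (the saved manifest) fills base[]; second file is compared.
    # The NR==FNR idiom assumes the saved manifest is not empty.
    awk 'NR==FNR { base[$2] = $1; next }
         {
           if (!($2 in base))        print "new " $2
           else if (base[$2] != $1)  print "changed " $2
           seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "removed " p }' \
        "$2" "$current" | sort
    rm -f "$current"
}

# Files under $1 modified within the last $2 days: the "look at the modified
# date" check from the article, applied to the whole tree at once.
recently_modified() {
    find "$1" -type f -mtime -"$2" -print | sort
}

# Constructed walk-through: baseline a tiny site, then alter it the way a
# defacement typically shows up (a line added at the top of a PHP file and a
# new file dropped into a plugin folder), and report the differences.
demo_integrity() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/hello"
    printf '<?php\n// original plugin file\n' > "$root/wp-content/plugins/hello/hello.php"
    printf '<?php\n// site configuration\n'   > "$root/wp-config.php"
    manifest=$(mktemp)
    make_manifest "$root" > "$manifest"

    tmp="$root/.rewrite"
    { printf '<?php /* constructed: line inserted at the top */ ?>\n'
      cat "$root/wp-config.php"; } > "$tmp"
    mv "$tmp" "$root/wp-config.php"
    printf 'constructed extra file\n' > "$root/wp-content/plugins/hello/extra.php"

    check_manifest "$root" "$manifest"
    rm -rf "$root" "$manifest"
}

# Stand-alone run: prints "changed ./wp-config.php" and
# "new ./wp-content/plugins/hello/extra.php".
[ -n "$NO_DEMO" ] || demo_integrity
```

In practice, save the manifest somewhere the web server cannot write (your own computer is fine, since that is where the article already keeps its copies), and re-run check_manifest after each plugin or core update so the baseline stays current. For a file reported as changed, a plain `diff` against the same file from a fresh download of the same WordPress version shows exactly what was inserted, which is the side-by-side comparison the article does by eye.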
Can hackers be stopped?
In the real world? No. Not really. Like someone said to me once, locks just keep honest people out. But, just as you can do things to make your house or car less attractive to burglars, you can make changes to your website to encourage hackers to move on to easier pickings.
As I said before, watch those file permissions. Make sure every folder has a file named "index.htm", "Index.html", or "index.php" (these are the most common). If your folder has no such file, create one. It need not have anything in it. All you want is something for browsers to see, even if it is blank space, if someone stumbles upon your folder. For example:
Let's say you have an "images" folder on your website. Pretty common. On some hosts, if you navigate to http://mysite.com/images/ and it has no index file in place, your browser will list every file in that folder. It may be possible to see more of your file structure too. If the folder contains sensitive files, anyone can look at or download them. My host tells me this is no longer necessary, but I do it anyway.
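Checking every folder by hand gets tedious on a site with many plugins, so here is an added example, not code from the article or from WordPress, that does the index-file check described above over a whole tree: dirs_without_index lists folders that have none of index.htm, index.html or index.php (compared lowercase, since most servers are case-sensitive), and add_missing_index drops an empty index.html into each. The function names and the constructed tree built by demo_tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): give every folder under a web root
# an index file so a browser request for the folder shows a blank page
# instead of a file listing. Assumes POSIX sh and find; paths without
# whitespace.

# Print each directory under $1 that has no index.htm, index.html or
# index.php (lowercase names; most web servers match case exactly).
dirs_without_index() {
    find "$1" -type d -print | while IFS= read -r d; do
        [ -e "$d/index.htm" ] || [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || echo "$d"
    done | sort
}

# Create an empty index.html in every directory reported by
# dirs_without_index. Prints the number of files created (0 on a re-run).
add_missing_index() {
    missing=$(dirs_without_index "$1")
    [ -n "$missing" ] || { echo 0; return 0; }
    printf '%s\n' "$missing" | while IFS= read -r d; do
        : > "$d/index.html"          # empty file, exactly as the article suggests
    done
    printf '%s\n' "$missing" | wc -l | tr -d ' '
}

# Constructed tree: the root already has index.php; images, wp-content and
# wp-content/uploads do not. Prints the root path.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images" "$root/wp-content/uploads"
    printf '<?php // front page\n' > "$root/index.php"
    printf 'not really a png' > "$root/images/logo.png"
    echo "$root"
}

# Stand-alone run: expect 3 folders fixed, then 0 on the second pass.
if [ -z "$NO_DEMO" ]; then
    site=$(demo_tree)
    echo "folders missing an index file:"; dirs_without_index "$site"
    echo "created: $(add_missing_index "$site")"
    echo "created on re-run: $(add_missing_index "$site")"
    rm -rf "$site"
fi
```

The reason the author's host says this is "no longer necessary" is that directory listings can be switched off server-side; on Apache that is the `Options -Indexes` directive in an .htaccess file. The empty index files are still harmless defense in depth if the host's setting ever changes.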
Now about WordPress Security...
I'm not going to go into this because it's already been done by people much more knowledgeable than I. But I will provide links so you can get this information yourself.
You can find an excellent white paper on WordPress Security here. You'll also find loads of other security information on that site. It's well worth a look and a bookmark.
Here is another good post on WordPress Security.
There are others, but between these two you should be a lot better off than if you just installed your blog and hoped for the best.
By the way, I don't always utilize every technique these publications recommend. But there are several I always do, like installing the role manager and using it, and changing my prefixes (don't worry, you'll soon know what I mean :-)
This article is far from a definitive work on security. But it will get you started in the right direction, and the information can help protect you from a lot of heartache and headaches.

Andy Havens
Havens Communications
P.S. Most of the time, I help business folks develop better relationships with their prospects and customers. How? By offering "relationship advice and coaching" and writing "love notes and letters".
If you have a business relationship issue you'd like to run by me, use the contact form below or call my toll-free number 443-254-3703 and leave a voice message (as I'm probably elbow deep in a writing project).
About Havens Communications
"I help businesses find more ways to serve their customers. And I help customers better understand how a particular business can better meet their needs. Like a trusted friend, I look at each relationship objectively and see things both parties miss."
Andy Havens
Havens Communications believes in helping businesses build ongoing relationships with their prospects and customers. Our goal is to help businesses find more customers and understand them better so they can satisfy them more effectively, by combining hard-hitting copywriting with cutting-edge testing and tracking technology to produce Marketing for Measurable Results.
We concentrate on marketing methods that can be tracked, measured and improved. Our goal is to take the guesswork out of marketing so business owners can make sound judgments based on return on investment rather than gut feelings.
Copyright 2010 Havens Communications