Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you rely on to help protect yourself from WordPress security issues.
1. Upgrade WordPress - In general, keeping your WordPress installation up to date is a great way to avoid known problems. Do note that the latest version, especially in the case of major upgrades, may cause more problems than it resolves.
2. WordPress Version - Your header.php contains a tag that displays your current version of WordPress. Since everyone can read your WordPress version this way, your blog is an easy target for hackers if you have not upgraded to the newest version; remove that tag.
3. WordPress Username - Every hacker knows WordPress has a user “admin” with god-like administration privileges. Slow the hackers down by removing the “admin” user. Create a WordPress user with admin privileges using the administration interface. Log out of WordPress and log back in with the new user. Delete the admin user. The new admin user should be different from your normal post author.
4. WordPress Password - Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters and just numbers and letters. Make it complex and more than 10 characters if you can. Also, try not to use words, make it a nice jumble of letters, numbers, and symbols.
5. Prevent Directory Listing - In many WordPress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea, as known plugin vulnerabilities can then be easily exploited. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file, assuming you're using Apache.
6. Protect Your WP-Admin Folder - You can protect your WordPress admin folder by allowing access to it only from a defined set of IP addresses. Everything else will bring up a Forbidden error message. So if you only access your blog from one or two places routinely, it’s worth implementing. Also, you’re supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog.
7. Protect From Search Engines - There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list:
Disallow: /wp-*
8. Install Login Lockdown WordPress Plugin - This plugin records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range.
9. Install WordPress Database Backup Plugin - You always have to take regular backups of your file directories as well as the database. WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database.
10. Install WordPress Security Scan Plugin - The WP Security Scan plugin attempts both to audit your blog security and to implement many of the suggestions mentioned above.
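The lockdown logic that tip 8 describes, as an added example (not the Login Lockdown plugin's own code): failed attempts are grouped by /24 range, and once more than MAX_FAILURES land within WINDOW the whole range is refused for LOCKOUT. The threshold, window, lockout length, log format and sample log lines are assumptions, since the plugin's own values are not stated above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3               # assumed: more than this many failures in WINDOW locks the range
WINDOW = timedelta(minutes=5)  # assumed "short period of time"
LOCKOUT = timedelta(hours=1)   # assumed lockout length
# Constructed log format (hypothetical, not the plugin's real log format).
LOG_RE = re.compile(r"^(\S+ \S+) FAILED_LOGIN ip=(\d+\.\d+\.\d+\.\d+) user=\S+$")

def ip_range(ip):
    """Lockdown applies to the whole /24 range, as the tip describes."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)  # range -> timestamps of recent failures
        self.locked_until = {}             # range -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Count one failed attempt; return True if the range is now locked."""
        rng = ip_range(ip)
        recent = [t for t in self.failures[rng] if now - t <= WINDOW] + [now]
        self.failures[rng] = recent
        if len(recent) > MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
        return self.is_locked(ip, now)

def replay(log_lines):
    """Feed failed-login lines through the tracker; return (ip, decision) per line."""
    tracker, decisions = LoginLockdown(), []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        ts, ip = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
        if tracker.is_locked(ip, ts):
            decisions.append((ip, "rejected"))   # range already disabled
        elif tracker.record_failure(ip, ts):
            decisions.append((ip, "locked"))     # this attempt tripped the threshold
        else:
            decisions.append((ip, "allowed"))    # counted, login still open
    return decisions

SAMPLE_LOG = [  # constructed sample using RFC 5737 documentation addresses
    "2008-11-29 10:00:01 FAILED_LOGIN ip=203.0.113.10 user=admin",
    "2008-11-29 10:00:05 FAILED_LOGIN ip=203.0.113.10 user=admin",
    "2008-11-29 10:00:09 FAILED_LOGIN ip=203.0.113.11 user=admin",
    "2008-11-29 10:00:12 FAILED_LOGIN ip=203.0.113.12 user=administrator",
    "2008-11-29 10:00:20 FAILED_LOGIN ip=203.0.113.13 user=admin",
    "2008-11-29 10:30:00 FAILED_LOGIN ip=198.51.100.7 user=editor",
]
```

Note that the fifth line is refused even though 203.0.113.13 itself never failed before: that is the per-range behaviour the tip describes, and the reason a shared-proxy range can lock out legitimate users.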
Saturday, November 29, 2008
Tuesday, November 25, 2008
Disable WordPress Autosave Plugin
WordPress autosave is the best feature which I hate in WordPress. AutoSave will automatically save a copy of the edited post or page every 60 seconds, provided the content in the editor has changed. However, there is only ever a maximum of one AutoSave version for any given post; new AutoSaves overwrite old AutoSaves. Besides, AutoSaves are stored as a special type of revision, so that an auto-save with more recent data does not overwrite the actually published content and is used only to restore unsaved work when necessary.
While each post revision is stored in its own database table, the auto-save is only stored once, with previous versions being overwritten by the new auto-saved content. So, if you’re worried about your database growing to massive proportions because of auto-save, you can stop worrying.
These are methods that disable or delay the WordPress autosave function. The easiest way is using a plugin. The disabling plugin works with versions 2.3 through 2.7, while the delay configuration works with 2.5 and later.
Copy this text to a text file, name it whatever you want (with the .php extension, of course) and upload it to your WordPress plugin directory. Activate it and it works immediately, but you need to clear your browser cache:
<?php
/*
Plugin Name: Disable autosave
*/
// Remove the autosave JavaScript from the admin pages, so the editor never
// sends its periodic auto-save request.
add_action('admin_print_scripts', 'plugin_deregister_autosave');
function plugin_deregister_autosave() {
    wp_deregister_script('autosave');
}
// Autosaves are stored as a kind of revision; turn revisions off as well.
// Guarded so a definition already made in wp-config.php is not redefined.
if (!defined('WP_POST_REVISIONS')) {
    define('WP_POST_REVISIONS', false);
}
?>
Sunday, November 23, 2008
Z-Blog URL Redirect Security Affected Spam Attacks
The Z-Blog system contains a security issue that allows spam attacks on Wikipedia by using URL redirects.
The design of Z-Blog's anti-spam feature encrypts the URL before redirecting to it. The name of the redirect file is c_urlredirect.asp. With the parameter of this page, Z-Blog can redirect to various pages. Unfortunately, the encryption used is very simple: one just needs to put the odd characters together. With this method, blackhat SEO manipulates redirects from other Z-Blog websites to call its own website. Thus, even if the original address is listed on Wikipedia's blacklist, the manipulated redirect would still work and be used as spam.
The solution for this problem is not easy. The simplest way is to delete c_urlredirect.asp. But this method would also prevent the blogger himself from making redirects.
Source. Thanks to Wing for the translation.
Saturday, November 22, 2008
Google Earth Layer Blocked in China
China appears to have blocked access to the popular internet maps service - Google Earth. Google Earth is a virtual globe program that displays satellite images of varying resolution of the Earth's surface, allowing users to visually see things like cities and houses from a bird's eye view.
Google's map and satellite-photo service offered Chinese Internet users something they rarely could see: a bird's-eye view of the secret compound of Zhongnanhai (located west of the Forbidden City), where the country's top leaders live and work.
But in recent weeks, some layers of Google Earth (such as Google Earth Community) could not load or work in China. The Google Earth Community is an online forum which is dedicated to producing placemarks of interesting or educational perspectives. It may be found on the Google Earth webpage or under the Help section of the program itself. After downloading a placemark, it will automatically run Google Earth (if not already open) and fly to the area specified by the person who placed it. Once there, you can add it to your "My Places" by right-clicking on the icon and selecting "Save to My Places". Additionally, anyone can post a placemark for others to download, as long as they have an account.
When I run a proxy program and open Google Earth again, the Google Earth Community layer is right there; everything is OK.
Then I close the proxy program and click the layer again, and it tells me "Fetch of NetworkLink failed(http://mw1.google.com/): Connect Failed."
That means the Weather, Gallery and Global Awareness layers are blocked in China. Google Earth Community is in the Gallery layer, so it cannot be opened again.
If the Chinese government is blocking its own citizens from seeing where their leaders live, whereas the rest of the world can see just fine, we're talking some major institutional paranoia.
Thursday, October 30, 2008
Is Blog Dead in China ?
In the past year, there has been a continuing discussion in the Chinese blogosphere on whether blog culture is dying down. Moreover, bokee.com and blogchina.com, the two earliest BSPs in China, founded by Fang dong-xing, are recently in business crisis. Fang is looking for investment to transform the websites into a multimedia community platform.
What we see is: BSPs and services related to blogs are slowly disappearing; blogging has passed its golden days and walked into a dark future. The main reason is that the services around blogs cannot make a profit.
Why can't they make a profit? The content quality of blogs is better than SNS, Twitter and Digg, and their traffic is high. They should be able to get income from ads. However, at present, bloggers' income is too narrow. Basically, they depend on Google AdSense, which means their profit is affected by Google.
When Google entered the scene, it developed a huge number of blogging tools, such as Google Reader, FeedBurner, Blog Search, etc., which destroyed other BSPs' dream of profit while Google holds a monopoly position in the market.
Blogs are more open and individualized, and their content quality is relatively higher. SNS are more closed, especially towards search engines. This contrasts with blogs' openness and affects information dissemination. A good article is very difficult to disseminate via SNS. Now most of the SNS in China are copying Facebook, which is a dead end. The best SNS is Tencent's QQ, but you can't find any similarity between QQ and Facebook. The funny thing is that Tencent never claimed to be an SNS.
Thanks to globalvoicesonline for the translation.
GoDaddy and SourceForge Blocked in China Again
GoDaddy, the world's largest ICANN-accredited domain registrar, and SourceForge, the world's largest development and download repository of open source code and applications, appear to be blocked in Mainland China again after the Beijing 2008 Olympic Games closed.
A screenshot of the tracert command shows that the problem is a router inside China Telecom.
Update: SourceForge unblocked on Nov 2 2008, GoDaddy unblocked on Nov 10 2008.
Friday, October 24, 2008
China Internet Censorship After Olympic Games
As the Beijing 2008 Olympic Games closed, Internet censorship in China tightened further. Undeniably, this deterioration has affected and frustrated an increasing number of netizens in China.
Lots of foreign websites have been blocked again after the Beijing Olympics drew to an end. Meanwhile, although other foreign websites remain reachable in China, some of their sensitive content is actually not accessible.