Security issues are my biggest concern, and I always look for stable releases from WordPress, but somehow I still don't feel safe about WordPress. It happens frequently: if you miss an update and a hacker strikes, you simply get hacked too. Let's see how, without a botnet or an expert hacker, anyone can hack your WordPress site.
Someone asked me after the session if they needed to be aware of anything to help protect their blog from damage. Bear in mind that what I am about to explain is probably illegal, and this isn't a guide; it's a warning on how to avoid the problem.
So, is it possible to take down a WordPress site without knowing how to hack, renting a botnet, paying a hacker, etc.?
Say you have a WordPress site and haven't prevented directory browsing in your plugins directory (add a line to your .htaccess that says 'Options All -Indexes' to prevent that; the server then answers such requests with 403 instead of a file list).
The competition could look for plugin names in your page source (asset URLs under /wp-content/plugins/ give them away), then confirm each one exists by browsing the plugins directory. If they found a plugin that wasn't too popular, they could set up a way of duping you.
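The reconnaissance just described, as an added example that is not part of the original post: a small Python script that pulls plugin slugs out of a page's source and recognises an Apache directory index on /wp-content/plugins/, so you can check what an outsider sees of your own site. The HTML samples inside it are constructed, and the plugin names popular-forms and obscure-gallery are made up.

```python
"""Audit a WordPress site for the two exposures the post describes:
plugin names leaking through asset URLs, and an open plugins directory.

Added example, not part of the original post. FRONT_PAGE and LISTING are
constructed HTML samples standing in for a real front page and an Apache
auto-index; point check_site() at your own site to run it live.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import List, Tuple

# Asset URLs such as /wp-content/plugins/<slug>/js/foo.js leak the slug.
PLUGIN_ASSET = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")
# Entries in an Apache auto-index look like <a href="slug/">slug/</a>.
LISTING_ENTRY = re.compile(r'href="([A-Za-z0-9_.-]+)/"')


def plugin_slugs_from_html(html: str) -> List[str]:
    """Plugin directory names visible in the page source, in first-seen order."""
    seen: List[str] = []
    for slug in PLUGIN_ASSET.findall(html):
        if slug not in seen:
            seen.append(slug)
    return seen


def listing_enabled(status: int, body: str) -> bool:
    """True when /wp-content/plugins/ returns an Apache directory index.

    A hardened site answers 403 (Options -Indexes) or serves WordPress's
    blank index.php, so anything other than a 200 with index markup is fine.
    """
    return status == 200 and ("<title>Index of" in body or "Parent Directory" in body)


def slugs_from_listing(body: str) -> List[str]:
    """Plugin slugs confirmed by the directory index itself."""
    return LISTING_ENTRY.findall(body)


def fetch(url: str) -> Tuple[int, str]:
    """GET a URL, returning (status, body); HTTP errors yield their status and an empty body."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(base_url: str) -> dict:
    """Live check: what an outsider learns about your plugins in two requests."""
    base = base_url.rstrip("/")
    _, front = fetch(base + "/")
    status, listing = fetch(base + "/wp-content/plugins/")
    exposed = listing_enabled(status, listing)
    return {
        "slugs_in_source": plugin_slugs_from_html(front),
        "listing_enabled": exposed,
        "slugs_in_listing": slugs_from_listing(listing) if exposed else [],
    }


# Constructed samples, not captured from any real site.
FRONT_PAGE = (
    '<link rel="stylesheet" href="https://example.com/wp-content/plugins/popular-forms/css/styles.css?ver=3.1" />\n'
    '<script src="https://example.com/wp-content/plugins/popular-forms/js/forms.js"></script>\n'
    '<script src="https://example.com/wp-content/plugins/obscure-gallery/js/gallery.js"></script>\n'
)
LISTING = (
    "<html><head><title>Index of /wp-content/plugins</title></head><body>\n"
    "<h1>Index of /wp-content/plugins</h1><ul>\n"
    '<li><a href="/wp-content/">Parent Directory</a></li>\n'
    '<li><a href="popular-forms/">popular-forms/</a></li>\n'
    '<li><a href="obscure-gallery/">obscure-gallery/</a></li>\n'
    "</ul></body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_site(sys.argv[1]))
    else:
        print("slugs in source:", plugin_slugs_from_html(FRONT_PAGE))
        print("listing enabled:", listing_enabled(200, LISTING))
        print("slugs in listing:", slugs_from_listing(LISTING))
```

Running it with no arguments exercises the constructed samples; passing your site's URL runs the two live requests. If listing_enabled comes back True, add 'Options All -Indexes' to .htaccess and re-run: the status should change to 403 and the slug list from the listing should be empty.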
They could set up a one page site about that plugin with an announcement saying that they had taken ownership of the plugin and now supported it.
They could email you saying that they had taken over the plugin from its author and that you needed to upgrade your version due to a potential security issue, and helpfully attach a zip file of the new, upgraded plugin.
You might trust them and install that new version. The new version, however, isn't new at all: it is the same as the old version, but with a few lines inserted to add a hook in the header.
Those lines output the site-verification meta tag that Google Webmaster Tools uses to confirm ownership of a domain.
Now you have a competitor who has verified ownership of your domain from a Google account they control.
They can submit URL removal requests, possibly for your whole site with a removal request on the root.
They could change the preferred-domain setting (www versus non-www).
In short, they could make your site disappear from Google's index.
So, to avoid this:
- Never accept a plugin from anywhere other than the official WordPress plugin directory, and vet the code before installing it.
- Watch the notifications in Google Webmaster Tools to spot anyone else getting verified for your domains.
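The tampered update described above, together with the "vet the code" advice, as an added example that is not from the original post: a Python script that diffs the plugin you were sent against the copy you already run (or the one downloaded from the official plugin directory) and flags added lines that hook wp_head, emit a google-site-verification tag, or use common backdoor idioms. The two plugin trees, the plugin name example-plugin and the ATTACKER_TOKEN_PLACEHOLDER value are constructed; nothing here is a real plugin.

```python
"""Vet a plugin update against the copy you already run before installing it.

Added example, not from the original post. KNOWN_GOOD and TAMPERED are
constructed in memory: the first stands for the plugin as installed (or as
downloaded from the official plugin directory), the second for the zip
attached to the "we have taken over this plugin" e-mail. The tampered copy
carries exactly the change the post describes: a wp_head hook that echoes a
Google site-verification meta tag. load_tree() reads real unpacked zips.
"""
import difflib
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Patterns that warrant reading the surrounding code. The first two are the
# post's attack; the rest are common in backdoored plugins generally.
SUSPICIOUS = {
    "wp_head hook added": re.compile(r"add_action\(\s*['\"]wp_head['\"]"),
    "site-verification tag": re.compile(r"google-site-verification"),
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\("),
    "remote fetch": re.compile(r"\b(curl_exec|file_get_contents|wp_remote_get)\s*\("),
}

Finding = Tuple[str, str, str]  # (file, label, offending line)


def load_tree(root: Path) -> Dict[str, str]:
    """Map relative path -> source for every PHP file under an unpacked plugin."""
    return {str(p.relative_to(root)): p.read_text(errors="replace") for p in root.rglob("*.php")}


def added_lines(known_good: Dict[str, str], candidate: Dict[str, str]) -> Dict[str, List[str]]:
    """Lines present in the candidate but not in the known-good copy, per file.

    A file missing from known_good counts entirely as added. Deleted lines
    are not reported; they cannot introduce a hook.
    """
    added: Dict[str, List[str]] = {}
    for path, new_src in candidate.items():
        old_src = known_good.get(path, "")
        lines = [
            l[2:]
            for l in difflib.ndiff(old_src.splitlines(), new_src.splitlines())
            if l.startswith("+ ")
        ]
        if lines:
            added[path] = lines
    return added


def vet(known_good: Dict[str, str], candidate: Dict[str, str]) -> List[Finding]:
    """Flag suspicious additions. An empty list means nothing matched, not that the code is safe."""
    findings: List[Finding] = []
    for path, lines in added_lines(known_good, candidate).items():
        for line in lines:
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(line):
                    findings.append((path, label, line.strip()))
    return findings


# Constructed plugin trees; "example-plugin" is not a real plugin.
KNOWN_GOOD = {
    "example-plugin/example-plugin.php": """<?php
/*
Plugin Name: Example Plugin
Version: 1.2
*/
function example_plugin_shortcode( $atts ) {
    return '<div class="example">' . esc_html( $atts['text'] ) . '</div>';
}
add_shortcode( 'example', 'example_plugin_shortcode' );
""",
}

# Same plugin with the post's two-function insertion; the token is a placeholder.
TAMPERED = {
    "example-plugin/example-plugin.php": KNOWN_GOOD["example-plugin/example-plugin.php"]
    .replace("Version: 1.2", "Version: 1.2.1")
    + """
function example_plugin_header() {
    echo '<meta name="google-site-verification" content="ATTACKER_TOKEN_PLACEHOLDER" />';
}
add_action( 'wp_head', 'example_plugin_header' );
""",
}

if __name__ == "__main__":
    for path, label, line in vet(KNOWN_GOOD, TAMPERED):
        print(f"{path}: {label}: {line}")
```

To use it on a real update, unpack the e-mailed zip and the official zip into two directories and pass load_tree(Path(...)) for each to vet(). A clean report is not a clean bill of health; read every line the diff adds, since the patterns only catch the obvious cases, and compare the official zip's checksum against the plugin directory as well.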
Content credit goes to Paul Madden.