<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Sakin Shrestha &#62; Management and IT Consultant (Wordpress Expert) &#187; Security</title>
	<atom:link href="http://sakinshrestha.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://sakinshrestha.com</link>
	<description>Articles related to Management, Technology, WordPress,  News, Travel to Nepal</description>
	<lastBuildDate>Sun, 29 Aug 2010 02:56:08 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>WordPress 2.8.6 Security Release</title>
		<link>http://sakinshrestha.com/wordpress/wordpress-2-8-6-security-release/</link>
		<comments>http://sakinshrestha.com/wordpress/wordpress-2-8-6-security-release/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 06:28:07 +0000</pubDate>
		<dc:creator>sakin</dc:creator>
				<category><![CDATA[wordpress]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.sakinshrestha.com/?p=326</guid>
		<description><![CDATA[Another security update from WordPress. I think most of us have now felt how hard it is to keep up with the releases: WordPress 2.8.5, the hardening release, came out on October 20, 2009, less than a month ago. This version fixes two security problems that can be exploited by registered, logged in users who [...]]]></description>
			<content:encoded><![CDATA[<p><div id="attachment_404" class="wp-caption aligncenter" style="width: 588px"><a href="http://www.sakinshrestha.com/wp-content/uploads/2009/11/WordpressSecurityRelease2.8.6.jpg"><img src="http://www.sakinshrestha.com/wp-content/uploads/2009/11/WordpressSecurityRelease2.8.6.jpg" alt="Wordpress Security Release 2.8.6" title="Wordpress Security Release 2.8.6" width="578" height="200" class="size-full wp-image-404" /></a><p class="wp-caption-text">Wordpress Security Release 2.8.6</p></div><br />
Another security update from WordPress. I think most of us have now felt how hard it is to keep up with the releases: WordPress 2.8.5, the hardening release, came out on October 20, 2009, less than a month ago.</p>
<p>This version fixes two security problems that can be exploited by registered, logged-in users who have posting privileges. So if your site has registration open, or has many authorized users with posting privileges, you are highly recommended to update it. For a WordPress site that has not opened registration, or that has no untrusted logged-in users with posting privileges, just check for unnecessary users and delete them. <span id="more-326"></span></p>
<p>The first problem is an XSS vulnerability in Press This discovered by Benjamin Flesch.  The second problem, discovered by Dawid Golunski, is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.</p>
]]></content:encoded>
			<wfw:commentRss>http://sakinshrestha.com/wordpress/wordpress-2-8-6-security-release/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fix if Your WordPress Site is Hacked</title>
		<link>http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/</link>
		<comments>http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/#comments</comments>
		<pubDate>Sat, 12 Sep 2009 03:53:29 +0000</pubDate>
		<dc:creator>sakin</dc:creator>
				<category><![CDATA[wordpress]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.sakinshrestha.com/?p=282</guid>
		<description><![CDATA[In recent months there has been an increasing number of websites being hacked, and WordPress sites are among them. Getting your website hacked is very painful: it takes a lot of time to fix, it affects your site ranking, and it can expose your visitors to virus and Trojan attacks. So, it [...]]]></description>
			<content:encoded><![CDATA[<p>In recent months there has been an increasing number of websites being hacked, and WordPress sites are among them. Getting your website hacked is very painful: it takes a lot of time to fix, it affects your site ranking, and it can expose your visitors to virus and Trojan attacks. So it is better to make your site more secure and prevent it from being hacked. Please read the article <a href="http://www.sakinshrestha.com/wordpress-security-tips" title="Wordpress Security Tips">WordPress Security Tips </a> to make your WordPress site secure.</p>
<p>But what should you do if your WordPress site has already been hacked? Most sources on the internet tell us to upgrade WordPress to the latest version. That fixes the issue in many cases, but it will not work under the following conditions:</p>
<ul>
<li>If the hacker has left back door files hidden in a directory that would not get overwritten by an upgrade.</li>
<li>If the hacker has inserted code into your theme.</li>
<li>If the hacker has created a user account with admin privileges.</li>
<li>If the hacker has added a script to your database.</li>
</ul>
<p>Under any of the conditions listed above, updating WordPress to the latest version will not solve the issue: the hacker will simply get back in through the back door. So I would like to list the steps you should take to clean out the hack and restore your WordPress site.<span id="more-282"></span></p>
<ol>
<li><strong>Backup the Files and Database: </strong>The first thing is to back up the files. For a WordPress site you need to back up your current theme, the uploads folder, the database, and any custom plugins you have developed or modified. Make a list of the plugins you use. For more information on backups please visit <a href="http://codex.wordpress.org/WordPress_Backups" title="Wordpress Backup" target="_blank">WordPress Backup by WordPress.org</a>
</li>
<li><strong>Scan the Files and Your Computer: </strong>You need to completely scan your computer and the files you have backed up for any virus or malware. I use Kaspersky Internet Security 2010 to scan for viruses and malware; you can use any of the top antivirus programs. Also don&#8217;t forget to scan your WordPress theme. I have recently found scripts added to themes such as iframes, noscript tags and display:none style attributes. Check for such code and delete it. For this you need to know the theme in detail, or you can hire a WordPress expert.
</li>
<li><strong>Delete all of the files and folders: </strong>Once you have made sure that all your files, folders and database are backed up from the live server, delete all the files and folders in the WordPress directory on the live server.
</li>
<li><strong>Change the FTP and Control Panel Password: </strong>You need to change all the FTP and control panel passwords, since they might have been obtained by the hacker. Changing them makes sure the hacker no longer has any access.
</li>
<li><strong>Upload the Fresh WordPress Installation: </strong>Now upload a fresh copy of the latest version of WordPress to your live server. Don&#8217;t forget to edit the wp-config.php file. Refer to my article <a href="http://www.sakinshrestha.com/wordpress-security-tips" title="Wordpress Security Tips">WordPress Security Tips </a>, point no. 2, for more details about editing the wp-config.php file.
</li>
<li><strong>Run the database upgrade: </strong>Now you need to run the database upgrade. You can do this by just pointing your browser at /wp-admin/upgrade.php (for example: http://www.yoursitename.com/wp-admin/upgrade.php).
</li>
<li><strong>Change the default admin user and password: </strong>Once you have installed a fresh copy and your site is running, change the default admin user to some other name you can remember and also change the password. Refer to my article <a href="http://www.sakinshrestha.com/wordpress-security-tips" title="Wordpress Security Tips">WordPress Security Tips </a>, points no. 4 and 5, for more details.
</li>
<li><strong>Check the Users and change the password: </strong>Now check whether the hacker has created any users: go through the list of users and delete any you don&#8217;t recognize. Once you have a list of safe users, change the password of every safe user, email them about the change, and ask them to change it again.
</li>
<li><strong>Now you need to check your Database for any back door: </strong>In recently hacked WordPress sites I have seen scripts such as iframes, noscript tags and display:none style attributes injected into the post content. The following queries, run against the database, can help you find infected rows (replace wp_ with your own table prefix if you changed it):<br />
SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'<br />
UNION<br />
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'<br />
UNION<br />
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%';<br />
For more please refer to the article <a href="http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/" title="How To Completely Clean Your Hacked WordPress Installation" target="_blank">How To Completely Clean Your Hacked WordPress Installation by Smackdown</a>, point no. 8.
</li>
<li><strong>Check the file permissions: </strong>There might be files with permission 777, which a hacker can use to get in again. So check the file permissions and set the correct ones as follows:
<ul>
<li>All folder permissions should be set to 755</li>
<li>All file permissions should be set to 644</li>
<li>Files that you want to edit in the WordPress theme editor should be set to 666</li>
<li>Never ever use 777 for WordPress permissions</li>
</ul>
</li>
<li><strong>The following plugins will be very helpful:</strong>
<ul>
<li><a title="AntiVirus Plugin" href="http://wordpress.org/extend/plugins/antivirus/" target="_blank">AntiVirus Plugin</a></li>
<li><a title="WP Security Scan Plugin" href="http://wordpress.org/extend/plugins/wp-security-scan/" target="_blank">WP Security Scan Plugin</a></li>
<li><a title="Login Lockdown plugin" href="http://www.bad-neighborhood.com/login-lockdown.html" target="_blank">Login Lockdown plugin</a></li>
<li><a title="WordPress Database Backup plugin" href="http://www.ilfilosofo.com/blog/wp-db-backup/" target="_blank">WordPress Database Backup plugin</a></li>
<li><a title="WordPress Backup" href="http://wordpress.org/extend/plugins/wordpress-backup/" target="_blank">WordPress Backup</a></li>
<li><a title="Admin SSL Plugin" href="http://wordpress.org/extend/plugins/admin-ssl-secure-admin/" target="_blank">Admin SSL Plugin</a></li>
</ul>
</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Keeping That New PC Clean and Pure</title>
		<link>http://sakinshrestha.com/technology/it-tips-tricks/keeping-that-new-pc-clean-and-pure/</link>
		<comments>http://sakinshrestha.com/technology/it-tips-tricks/keeping-that-new-pc-clean-and-pure/#comments</comments>
		<pubDate>Fri, 04 Sep 2009 10:15:07 +0000</pubDate>
		<dc:creator>sakin</dc:creator>
				<category><![CDATA[IT Tips & Tricks]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.sakinshrestha.com/?p=250</guid>
		<description><![CDATA[A new PC, whether you know it or not, may well have freed you from many malicious programs that steal credit card numbers and other valuable information or otherwise obstruct your safe and private use of the Internet. Now is the time — while you’re getting everything set up just the way you like it [...]]]></description>
			<content:encoded><![CDATA[<p>A new PC, whether you know it or not, may well have freed you from many malicious programs that steal credit card numbers and other valuable information or otherwise obstruct your safe and private use of the Internet. Now is the time — while you’re getting everything set up just the way you like it — to take some steps to keep your new machine clean and free of malware. Here is what you need to do before you do anything else.<span id="more-250"></span></p>
<p><span>CHECK YOUR FIREWALL SETTINGS </span> Do this before you even connect your computer to the Internet. Firewalls prevent certain unwanted traffic from reaching your computer, including worms that spread through network connections. New laptops and desktops with Windows Vista (and, come Oct. 22, the next version of the operating system, Windows 7) and netbooks using Windows XP SP2 or higher have a <a title="Microsoft’s firewall FAQ." href="http://www.microsoft.com/security/firewalls/faq.aspx" target="_blank">firewall</a> that is built in and turned on by default. You can make sure all is well by going to the Windows Security Center, clicking Start, then Control Panel, then Security Center and Windows Firewall.</p>
<p>Mac users can check and adjust their firewall settings by clicking on the <a title="More information about Apple Inc." href="http://topics.nytimes.com/top/news/business/companies/apple_computer_inc/index.html?inline=nyt-org" target="_blank">Apple</a> icon and going to System Preferences and clicking on Security and then Firewall. At a minimum, choose “allow only essential services.” A better option is to select “set access for specific services and applications” and play gatekeeper, allowing programs to connect as you need them, said Rich Mogull, founder of the security consultant firm Securosis.</p>
<p><span>UPDATE YOUR SOFTWARE </span> Even though you have a new machine, chances are that security fixes have been issued since the manufacturer loaded the software, so you will want to download those as soon as you get online.</p>
<p>Your new PC may prompt you to check for updates from <a title="More information about Microsoft Corp" href="http://topics.nytimes.com/top/news/business/companies/microsoft_corporation/index.html?inline=nyt-org" target="_blank">Microsoft</a>, but, if not, open Windows Update by clicking the Start button, then All Programs and then Windows Update. On the left pane, click “check for updates.” (For more information about Windows Security, see <a href="http://microsoft.com/protect" target="_blank">microsoft.com/protect</a>.)</p>
<p>To help you keep Microsoft products up to date, Windows will prompt owners of new machines to sign up for automatic updates. You will see a screen asking if you want to “Help protect Windows automatically.” Choose the first option, “Use recommended settings,” so you get everything and don’t have to worry about it again.</p>
<p>Barring an urgent problem, updates come out on the second Tuesday of the month. To schedule exactly what time your updates are installed — say at 3 a.m., when you are asleep — open Windows Update and select Change Settings and make your choices. This is also a good time to turn on the Internet Explorer Phishing Filter, which can help keep you from turning over personal information to the wrong people.</p>
<p>For Mac users, your computer will automatically check for updates once a week. If you are a paranoid person, have it check more frequently by clicking Software Update in the System Preferences panel and then choose Daily.</p>
<p><span>ADD SECURITY SOFTWARE </span> Firewalls won’t help fend off viruses or Trojan horses that can come through e-mail messages, Web sites and pop-up ads. Given the frightening number of malicious programs that aim for Windows PCs, owners of these machines really need to use some security software. There are several free antivirus programs, like <a title="Home page for AVG antivirus software." href="http://free.avg.com/" target="_blank">AVG 8.5 Free</a>, <a title="Home page for Avast." href="http://www.avast.com/" target="_blank">Avast Antivirus</a> and the forthcoming <a title="Home page for Microsoft Security Essentials." href="http://www.microsoft.com/SECURITY_ESSENTIALS/" target="_blank">Microsoft Security Essentials</a>, so even penniless students have no excuse to go without. Note that Vista comes with Windows Defender, which blocks spyware and pop-up ads, and that program can be downloaded free by Windows XP SP2 machines.</p>
<p>Since a lot of malicious programs now come through Web sites, you will also want to use one of the many free tools available to help you avoid malicious sites. Microsoft’s newest browser, Internet Explorer 8, will warn you if you try to visit sites it deems unsafe, deceptive or carriers of a common Web attack type called “cross-site scripting” attacks. Other browsers, including Chrome, Firefox and Safari, also warn users about potentially unsafe sites, using a blacklist kept by <a title="More information about Google Inc" href="http://topics.nytimes.com/top/news/business/companies/google_inc/index.html?inline=nyt-org" target="_blank">Google</a>. There is also <a title="Home page for McAfee Site Advisor." href="http://www.siteadvisor.com/" target="_blank">McAfee’s SiteAdvisor</a>, a free add-on for the Internet Explorer and Firefox browsers (the latter works on both Windows and Mac), that shows site reputation information within search results pages, including warnings about potentially dangerous sites.</p>
<p>There are few malicious programs that aim for Macs, so an antivirus program isn’t essential at this point. That said, some Mac experts think that the days of peace and security for Macs may be waning. There have been a few Trojan horses recently, and some Web attacks don’t care which operating system you use. If you frequent file-sharing sites, or your employer requires it, buy a Mac antivirus program.</p>
<p><span>SORT OUT THE APPLICATIONS</span> New Windows PCs typically come loaded with all kinds of third-party programs, many of which you will never use.</p>
<p>“In a lot of cases, that’s extra software that might have vulnerabilities” that hackers could exploit, says Chad Dougherty, a vulnerability analyst at the CERT Program at the Carnegie Mellon Software Engineering Institute.</p>
<p>To avoid problems, eliminate the programs you don’t need by clicking the Start button and choosing Control Panel and then Programs to see a list of what is on your machine. Select unwanted programs and then hit the Uninstall button at the top of the program list.</p>
<p>Then sign up for automatic updates from the makers of any software you intend to keep — or that you later install yourself, for that matter. To help you make sure you have checked out everything, download <a title="Web site for Secunia PSI." href="http://secunia.com/vulnerability_scanning/personal/" target="_blank">Secunia PSI</a>, a free tool that will help you make sure that all the programs on your PC get security patches.</p>
<p>Speaking of that, always be careful about which software you install from the Internet, whether you have a PC or a Mac. These programs can contain vulnerabilities, and pirated programs and random add-ons may be outright malicious.</p>
<p>Source: <a title="NYTimes" href="http://www.nytimes.com/2009/09/03/technology/personaltech/03basics.html?_r=1" target="_blank">NYTimes</a></p>
]]></content:encoded>
			<wfw:commentRss>http://sakinshrestha.com/technology/it-tips-tricks/keeping-that-new-pc-clean-and-pure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WordPress Security Tips</title>
		<link>http://sakinshrestha.com/wordpress/wordpress-security-tips/</link>
		<comments>http://sakinshrestha.com/wordpress/wordpress-security-tips/#comments</comments>
		<pubDate>Sat, 29 Aug 2009 02:45:30 +0000</pubDate>
		<dc:creator>sakin</dc:creator>
				<category><![CDATA[IT Tips & Tricks]]></category>
		<category><![CDATA[wordpress]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Wordpress Plugins]]></category>

		<guid isPermaLink="false">http://www.sakinshrestha.com/?p=255</guid>
		<description><![CDATA[Posted on: September 5, 2009 Updates on: August 29, 2009 As the WordPress is getting popular and used by many people, now the hackers are also being active and involved in hacking wordpress site. I have recently received lot of request to fix the WordPress hacks. I would like to list some WordPress Security Tips [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_381" class="wp-caption aligncenter" style="width: 588px"><img class="size-full wp-image-381" title="Wordpress Security Tips" src="http://www.sakinshrestha.com/wp-content/uploads/2009/11/WordpressSecurityTips.jpg" alt="Wordpress Security Tips" width="578" height="200" /><p class="wp-caption-text">Wordpress Security Tips</p></div>
<p><strong>Posted on:</strong> September 5, 2009<br />
<strong>Updated on:</strong> August 29, 2009</p>
<p>As WordPress is getting popular and used by many people, hackers are also becoming active in hacking WordPress sites. I have recently received a lot of requests to fix hacked WordPress sites. I would like to list some WordPress security tips to help you protect yours from hacks.<span id="more-255"></span></p>
<ol>
<li><strong>Keep up to date with the latest WordPress Version: </strong>Always keep your WordPress site updated with the latest version of WordPress. The WordPress developers do not maintain security patches for older WordPress versions. On August 12, 2009, WordPress released version 2.8.4 as a security release. Older versions of WordPress are more open to hacks. <strong>My Tips: </strong>Regularly update your WordPress site. You can use the plugin &#8220;<a title="Wordpress Automatic upgrade" href="http://wordpress.org/extend/plugins/wordpress-automatic-upgrade/" target="_blank">WordPress Automatic upgrade</a>&#8221; or the <a title="Instant Upgrade Plugin" href="http://www.zirona.com/software/wordpress-instant-upgrade" target="_blank">Instant Upgrade Plugin</a>. Further, you need to keep your plugins and theme up to date as well.</li>
<li><strong>Populate wp-config.php Properly: </strong>Go through each line in wp-config.php, not only the first block for database configuration. <strong>My Tips: </strong>Use the <a title="WordPress secret key generation tool" href="https://api.wordpress.org/secret-key/1.1/salt/" target="_blank">WordPress secret key generation tool</a> to generate random salts for WordPress cookies. These keys are used to ensure better encryption of the information stored in WordPress users&#8217; cookies. To make it more secure, change the WordPress table prefix to something other than <em>wp_</em>. Adding random characters and numbers to the end of wp, such as <em>wp52sk1_</em>, obfuscates it enough but still lets you recognize the tables as belonging to WordPress.</li>
<li><strong>Correct File Permissions: </strong>You should set the correct file permissions; if you give full permissions to files and folders then hackers can get in easily. <strong>My Tips: </strong>Set the permissions as follows:
<ul>
<li>All folder permissions should be set to 755</li>
<li>All file permissions should be set to 644</li>
<li>Files that you want to edit in the WordPress theme editor should be set to 666</li>
<li>Never ever use 777 for WordPress permissions</li>
</ul>
</li>
<li><strong>Don&#8217;t Use the Default admin Username: </strong>WordPress is an open source application and most people now know that its administrator username is admin. This makes it easy for hackers to attack the password when they already know the administrator username. <strong>My Tips: </strong>Change the default administrator username admin to something else. Now I am going to show how to change the default admin username. You may use phpMyAdmin and paste the following SQL command (the update line) to execute it:<br />
UPDATE wp52sk1_users SET user_login='myadmin' WHERE user_login='admin';<br />
Here wp52sk1_ is the database prefix that I changed; the default prefix is wp_. Alternatively, you may edit the value manually through the phpMyAdmin web interface.
<p>Now your admin user is myadmin instead of admin.</p></li>
<li><strong>Pick a Secure Password for Admin: </strong>Changing your admin username to something else is no guarantee that people will not be able to guess it. For instance, if you show your username as the displayed meta data in every post, or you enable author-specific pages in a multi-author blog, you will reveal your username to the world. <strong>My Tips: </strong>With this in mind, you should pick a secure password for your WordPress login. Combine upper and lowercase characters and numbers.</li>
<li><strong>Hide WordPress Version in the Header Tag: </strong>Even if you have deleted the WordPress version meta tag from your theme, you may still get a WordPress version line in the page returned by the blog software, because since version 2.5 WordPress itself generates this tag. This lets a hacker know which WordPress version you are using, which will help them hack it. <strong>My Tips: </strong>Add the following line to the functions.php file in your theme directory (create a blank PHP file with this name if your theme doesn&#8217;t already have one):<br />
&lt;?php remove_action('wp_head', 'wp_generator'); ?&gt;</li>
<li><strong>Nobody should be allowed to search your entire server: </strong>If you allow it, hackers will find a way in easily. <strong>My Tips: </strong>Do not use the following search code in the search.php in your theme folder:<br />
&lt;?php echo $_SERVER['PHP_SELF']; ?&gt;<br />
Use the following instead:<br />
&lt;?php bloginfo('home'); ?&gt;
<p>Also block the WP folders from being indexed by search engines; the best way to block them is in your robots.txt file. Add the following line to your list:</p>
<p>Disallow: /wp-*</p></li>
<li><strong>Prevent directory listing: </strong>The problem is that in many cases the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server. Normally this is harmless, but some web hosts don&#8217;t even bother to turn off directory listing by default, and this gives hackers several options. There might be a loophole in a theme or plugin you use for your site: the author of the plugin or theme might have made mistakes in their code that allow unexpected access, and hackers can use your directory listing to find out whether you have those vulnerable files and then attack your site. People can also browse the non-WordPress contents of your web server to discover folders and files that you are not ready to announce or thought were not accessible to the general public. Many directory listings feature a line in the footer telling visitors your server version; hackers can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain illegal access. <strong>My Tips: </strong>Edit the .htaccess file and add the following line at the bottom (use the relative form with a leading minus only: Apache rejects an Options directive that mixes All with +/- options):<br />
Options -Indexes</li>
<li><strong>Protect WordPress Administration Files: </strong>The WordPress administration files are in the wp-admin directory of your WordPress installation, except for wp-config.php. <strong>My Tips: </strong>Use .htaccess to restrict access and allow only specific IP addresses to reach this directory. If you have a static IP address and you always blog from your own computer, this can be an option. If you don&#8217;t know your IP address, you can find it by visiting <a title="Whatismyip.com" href="http://whatismyip.com/" target="_blank">http://whatismyip.com/</a>. You need to put a .htaccess file in wp-admin and add the following code (202.79.40.130 is the example address; use your own):<br />
Order Deny,Allow<br />
Deny from all<br />
Allow from 202.79.40.130
<p>For more refer to Apache&#8217;s documentation on <a title="Apache's documentation on mode_access" href="http://httpd.apache.org/docs/1.3/mod/mod_access.html" target="_blank">mod_access</a> to see the example: <a title="Protecting The WordPress wp-admin Folder" href="http://www.reubenyau.com/protecting-the-wordpress-wp-admin-folder/" target="_blank">Protecting The WordPress wp-admin Folder</a></p>
<p><strong>Alternate Solution through user and password combination: </strong> There is another way to protect wp-admin directory with user and password combination. It also adds another level of security. Apache has complete information on <a title=" " href="http://httpd.apache.org/docs/2.0/howto/auth.html" target="_blank">authentication, authorization and access control</a>. Example:</p>
<p>AuthType Basic</p>
<p>AuthName "WordPress Dashboard"</p>
<p>AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd</p>
<p>Require user adminuser</p>
<p>and then generate the encrypted password using the htpasswd command (-c creates the file, -m uses MD5 hashing; the file must be the one named in AuthUserFile above):</p>
<p>$ htpasswd -cm .htpasswd adminuser</p>
<p>If you have cPanel then it is very easy as it has a feature called Web Protect which allows you to accomplish the same thing.</p>
<p><strong>Note: </strong>if you find it hard to use it in code then just use this plugin <a title="AskApache Password Protect" href="http://www.askapache.com/wordpress/htaccess-password-protect.html" target="_blank">AskApache Password Protect</a></p>
<p>Further, I recommend the <a title="Login Lockdown plugin" href="http://www.bad-neighborhood.com/login-lockdown.html" target="_blank">Login Lockdown plugin</a>, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.</p>
<p><strong>Note:</strong> <a title="the Htaccess and Htpasswd generator" href="http://www.htaccesstools.com/htpasswd-generator/" target="_blank">the Htaccess and Htpasswd generator</a> helps to create the necessary files with desired values.</li>
<li><strong>Restrict File Access to wp-content Directory: </strong>The wp-content directory contains your theme, plugin files and uploaded files. WordPress doesn&#8217;t access the PHP files in the plugins and themes directories via HTTP; the only requests from a web browser are for image files, JavaScript and CSS. For this reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extension. This prevents people from accessing any other files directly. <strong>My Tips: </strong>Include the following lines in a .htaccess within wp-content (check that your plugins still work afterwards):<br />
Order Allow,Deny<br />
Deny from all<br />
&lt;Files ~ "\.(jpg|gif|png|js|css)$"&gt;<br />
Allow from all<br />
&lt;/Files&gt;</li>
<li><strong>Take regular backups of your site and Database: </strong>No matter how hard you protect your site, there might still be some loophole for hackers. There is never 100% security when it&#8217;s online.<strong><br />
My Tips: </strong>Take regular backups of your file directories as well as the database, so that if there is any problem you can just upload the backup copy. Use the <a title="WordPress Database Backup plugin" href="http://www.ilfilosofo.com/blog/wp-db-backup/" target="_blank">WordPress Database Backup plugin</a> or <a title="WP-DB Manager" href="http://lesterchan.net/portfolio/programming/php/" target="_blank">WP-DB Manager</a> to back up your database, and use the <a title="WordPress Backup" href="http://wordpress.org/extend/plugins/wordpress-backup/" target="_blank">WordPress Backup</a> plugin to back up your uploads directory (images), current theme directory, and plugins directory.</li>
<li><strong>Stop worrying about your wp-config.php file: </strong>During a server problem, I have seen on a friend&#8217;s blog that his wp-config.php file could be viewed in the browser, with his database username and password in it, so it could be hacked at any time. <strong>My Tips: </strong>You can secure your wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install:<br />
&lt;FilesMatch "^wp-config\.php$"&gt;<br />
Deny from all<br />
&lt;/FilesMatch&gt;<br />
This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.</li>
<li><strong>Protect Your Blog With a Solid Password: </strong>An easy password made only of letters and numbers can be cracked easily using software. <strong>My Tips: </strong>Creating a strong password that is also memorable is one of the easiest defenses against being hacked. Use a strong password by combining letters, numbers and symbols. There are a lot of online password strength checkers you could use. Also you might check Lorelle&#8217;s article on the Blog Herald called <a title="Protect Your Blog With a Solid Password" target="_blank">Protect Your Blog With a Solid Password </a>, offering tips and tricks to help create a strong password that is also memorable, and how to deal with all the myriad passwords we seem to accumulate online.</li>
<li><strong>The following plugins will be very helpful:</strong>
<ul>
<li><a title="WordPress Exploit Scanner" href="http://wordpress.org/extend/plugins/exploit-scanner/" target="_blank">WordPress Exploit Scanner:</a> It searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.</li>
<li><a title="AntiVirus Plugin" href="http://wordpress.org/extend/plugins/antivirus/" target="_blank">AntiVirus Plugin:</a> It is a smart and effective solution to protect your blog against exploits and spam injections.</li>
<li><a title="WP Security Scan Plugin" href="http://wordpress.org/extend/plugins/wp-security-scan/" target="_blank">WP Security Scan Plugin:</a> It scans your WordPress installation for security vulnerabilities and suggests corrective actions.</li>
<li><a title="Admin SSL Plugin" href="http://wordpress.org/extend/plugins/admin-ssl-secure-admin/" target="_blank">Admin SSL Plugin:</a> Recommended only for advanced users. It secures the login page, admin area, posts, pages &#8211; whatever you want &#8211; using private or shared SSL. Once you have activated the plugin, go to the Admin SSL config page to enable SSL, and read the installation instructions.</li>
</ul>
</li>
</ol>
<p><strong>Further reading:</strong></p>
<p><a title="Hardening WordPress" href="http://codex.wordpress.org/Hardening_WordPress" target="_blank">Hardening WordPress</a></p>
<p><a title="FAQ My site was hacked" href="http://codex.wordpress.org/FAQ_My_site_was_hacked" target="_blank">FAQ My site was hacked</a></p>
<p><a title="10 Steps To Protect The Admin Area In WordPress" href="http://www.smashingmagazine.com/2009/01/26/10-steps-to-protect-the-admin-area-in-wordpress/" target="_blank">10 Steps To Protect The Admin Area In WordPress</a></p>
]]></content:encoded>
			<wfw:commentRss>http://sakinshrestha.com/wordpress/wordpress-security-tips/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>
