bloggingrocket.com » Hosting your Blog

SECURITY REVIEW Pt1 :: wp-security-scan plugin

Ian Blackford — Thu, 09 Oct 2008 22:55:05 +0000

Security in anything we do these days is of vital importance. We are only human and we make mistakes so any kind of security back up we can put into place has got to be a good thing. In this series of five security posts I am going to review a different security related plugin and report back what are the pros and cons of each one, and of course if they are indeed making wordpress a little bit safer.

PART ONE: wp-security-scan plugin

Download: WP Security Scan

Author: Semper Fi Web design

Cost: Free

Once you have downloaded and unzipped the plugin upload it to you plugins fold and activate it in your plugins menu in the admin area of your blog.

When the plugin is active you will get a new tab in the top menu like this:

Here is what each tab will tell you

Security Tab

This tab is a ‘dashboard’ for the plugin, it reports to you all of its findings. One of the plugins features is to help you rename the ‘admin’ user and it will report to you here in red if the admin user exists. The way to rename this user is listed on a page called Change WordPress Admin Username. The other items it reports on are:

WordPress version: 2.6.2 You have the latest stable version of WordPress.
Your table prefix is not wp_. Your WordPress version is successfully hidden.
WordPress DB Errors turned off.
WP ID META tag removed form WordPress core
“admin” user exists.
The file .htaccess does not exist in wp-admin/.

Further down the page is a table reporting more system level information which includes:

Operating System
Server
Memory usage
MYSQL Version
SQL Mode
PHP Version
PHP Safe Mode
PHP Allow URL fopen
PHP Memory Limit
PHP Max Upload Size
PHP Max Post Size
PHP Max Script Execute Time
PHP Exif support
PHP IPTC support
PHP XML support

Scanner Tab

Clicking on this tab brings up a list of files and directories which it checks that they all have the correct permissions state. If it’s correct the line is highlighted in green – if it’s incorrect then it is highlighted in red. The correct permission status is displayed so you can change the permissions accordingly.

Password Tool Tab

This is a neat facility which it gives you the ability to check the strength of your passwords. A field is displayed on screen and you are invited to type in a password, a graphical bar indicator progresses as you type, alongside words telling you the strength of the password.

Another nice touch is it automatically generates a random strong password which you can just copy and use.

Database Tab

It seems there are two major vulnerabilities in WordPress the first is the auto-generated ‘admin’ user – this is a security issue because every WordPress blog will probably have this user, therefore a potential hacker already knows half of a Username and Password pair. The second issue is the name of your tables in your database. By default when you install WordPress it auto prompts you with a table prefix of ‘WP_’ if you leave it as this then a hacker also now knows all your table names. This is a simple one to combat because all you need to do when you install is change the prefix to something else then install. This won’t prevent a hacker from getting in but it will make it more difficult.

If you have already installed your blog the Database Tab has the answer. Clicking on the tab presents you with a field populated with your current table prefix. Here you can now change it to something else, but as the big, bold, italic letters say:

Make a backup of your database before using this tool

Support Tab

The support tab is under construction but is a place where you can link back to the publishers changelog and documentation.

Conclusion

My conclusion of this plugin is it highlights the two most over looked vulnerabilities in WordPress – the admin username and the table prefix. Both vulnerabilities are fixable and this plugin shows you how to do it. What’s more having these highlighted to you will teach you to install more securely in the future. Some of the info that the plugin reports will go right over most bloggers heads but so long as you don’t get bogged down with the unimportant stuff you should be OK.

[rating:3.5]

Overall I would give this plugin 3.5/5

Killer feature: the ability to change the table prefix in one go.

Hosting Security Issue :: WordPress Flash Uploader Errors

Ian Blackford — Fri, 19 Sep 2008 09:26:34 +0000

If you have a problem uploading images into your blog using the ‘Add media -> Add an image’ pop up window, it might be because you are using the default flash based uploader.

The problem doesn’t actually lie in the WordPress coding, it seems to lie within the settings of the webserver that is dishing out your files. Fortunately there is simple answer to this and it lies in doing a quick edit in your .htaccess file.

It seems that some hosting accounts have SecFilterScanPOST enabled and this is causing the problem.

Alter your .htaccess file by adding these two lines of code:

SecFilterEngine Off

SecFilterScanPOST Off

Now try to upload your picture again and you should find it working.

Please note: I’m not a webserver techie and I have to hold my hand up and honestly say that I’m not sure why turning off these two options makes the difference. I do know that they were on for a reason – that reason may be because it’s a default install and they can be either on or off without making any difference, or it could be that it’s a critical bit of set up that really shouldn’t be turned off.

So here is a shout out to anybody with webserver knowledge to join in the comments on this post and tell me what’s what with these settings. So please follow this post’s comments in either the comments RSS feed or subscribe to the comments below.

As with any of our advice the usual disclaimer applies: back up before you do any alterations and be aware that you do the mod at your own risk.

Hosting Security Issue :: File Structure Exposed

Ian Blackford — Mon, 08 Sep 2008 23:46:59 +0000

There seems to be an issue with some hosting providers where your file structure is left exposed by default. This mean that hackers / others can see the files that are in the folders on your webserver and obviously this is potentially a dangerous situation.

Here is how you test to see if you are affected:

Call up this URL, remember to change YOUR-DOMAIN to your domain name plus the .com or .co.uk etc:

http://www.YOUR-DOMAIN/wp-content/plugins/

By doing this you are directly asking the webserver to show you the plugins folder. If you are affected by the security issue you will see this:

The above screen shot is a file listing of your plugins folder.

This example is for a WordPress install but If you don’t have a WordPress blog – you may still be affected try and locate a folder on your server and all it directly like this:

http://www.YOUR-DOMAIN/your-folder-name/

You might think: “Well so what?” but the security implications are that any folder that is on your server can potentially be viewed like this because it means that your hosting account has not been fully configured. Imagine if you have an SQL back up of your blog sitting in an uprotected folder, anyone with a bit of trial and error can find it and download it.

I had this problem on this hosting account, it seems that some providers leave it up to you to figure out what the problem is and for you to sort it out. Fortunately for me I knew what the issue was and how to fix it, so now I’m going to tell you. It’s so simple I really don’t know why the ISP’s don’t just configure it like this to begin with.

Fixing the exposed file structure issue

All you need to do is add a simple line of code to your .htaccess file. This file (.htaccess – yes it does have a dot in front of its name) sits in the root of your hosting account and tells the webserver all the extra stuff you have configured. And in this case it tells it:

Options All -Indexes

That’s all you have to add to the .htaccess file to protect all you folders from being viewed in this hosting account.

Two ways to do it

The first way

Boot your FTP program and connect to your hosting account, then look in the root (the first level) of your hosting for the .htaccess file. Once you have located it, download it – a word of caution here on some computers (Apple Mac namely) when you put a ‘dot’ infront of a file name it makes it invisible, the file is still there – but you can’t see it. So it might be wise to change the name of it before you DL. *** Remember to change the name back in the account as soon as you download – just in case you don’t do the amend straight away. Your .htaccess file is important to your blog and you shouldn’t leave it in a renamed state. ***

Once downloaded you should open it in a text editing program (not Word, never open a server document in Word… ever) use something like notepad. Add the above bit of code on its own line at the end of all the code that’s already there.

Save and re-upload. TIP: Here is what I do, to make sure I don’t mess up my install, I rename the existing .htaccess to something like .htaccess_OLD, I then upload my new one called just .htaccess – then I test my site still serves. If it doesn’t I can always roll back to my original file while I sort out what I have done wrong. If it’s all OK I just delete the _OLD file.

The second way

If you are hosting with an ISP that provides you with a cPanel, then it’s even easier. Login to your cPanel and find the icon option called: IndexManager. Click it and choose the root options (if you get a pop up window). When you see the next screen that lists the files in the root of your account, click on the / public_html / (Current Folder) words. This takes you through to another screen that asks you to choose your indexing type, choose “No Indexing” and hit save. Go to your site and check that it’s still serving OK.

Now you need to call the previously exposed folder again and if all has gone to plan you should now see your blogs error page and not your file listing.

Please take care when you are editing any server files and don’t ever open them in Word!

This post is for information only and if you edit your files please note that you do so at your own risk, no responsibility is accepted by bloggingrocket.com or it’s author should anything go wrong with your hosting account / blog website. Also note that this code adjustment alone isn’t a guarantee against being hacked.

Installing WordPress in a 1&1 Hosting Account

Ian Blackford — Wed, 03 Sep 2008 18:51:02 +0000

It’s always better to get information straight from the horses mouth, so it’s my belief that it’s far better for the integrity of Blogging Rocket’s advice to link out to fellow bloggers who have actually done the thing they are describing.

1&1 are amongst the top European hosting providers, so it’s very likely that many people will be hosting their blog with 1&1. I used to have a 1&1 account and I have set up WordPress blogs there in the past, but I don’t have a tutorial ready to describe the process.

This is why I am going to recommend that anybody with a 1&1 hosting account should go and read the tutorial written by Anthony Baggett entitled: How to Install WordPress with 1 and 1 Hosting The post is a good solid read and will help anyone wanting to install WordPress on their system.

Installing WordPress in a GoDaddy Account

Ian Blackford — Thu, 28 Aug 2008 15:33:49 +0000

I don’t host with GoDaddy (but I know lots of people do) so unfortunately I can’t advise on how to set up WordPress on those hosting accounts.

However…

Da BlogMother does!

For all interested parties please take a moment to zoom on over to the post Installing WordPress.org on GoDaddy and take a look at what to do.

Hosting your blog

Ian Blackford — Fri, 08 Aug 2008 21:13:00 +0000

Please make sure you have read Registering your domain name before you continue with this page.

This is the partner post to registering your domain name and it explains all that you need to know about hosting so that you don’t fall into any traps by buying the wrong hosting package or by using an ISP that isn’t quite up to scratch.

Click the tabs to continue reading

Intro

Introduction

Once you have settled on your domain name you need to turn your attention to purchasing a hosting package. Like domain names, you can pay all sorts of prices for hosting, and again cheap is bad. To install WordPress you need a MySQL database, normally databases aren’t a feature of the cheaper hosting packages so by default you won’t be looking at the bargain basement options.

When you are shopping around for hosting take a look further than just the feature list, look at the backup mechanisms they are offering (more frequent is better) look at the support facilities they offer (do they offer telephone lines, online chat etc) and check out their server up time if you can find it. Go for quality here because this is what is going to power your site, if you go for an ISP that hasn’t got good facilities your site will suffer and of course so will you. Try and go with a provider that hosts as close to the main internet backbone for your country, the least amount of hops through nameservers they have to do before they connect to the main trunk the better.

continued…

Typical Hosting Spec

Typical Hosting Spec

There is no real minimum spec for hosting but as a rough guide, here is a list of basic requirements:

FTP access <– only really need one FTP account
100mb server space <– this is more than enough to be starting with
10gb server bandwidth <– this is enough to start with but a busy site will need more in future
POP3 email mailboxes <– enough to cover your needs most packages come with unlimited
1 x MySQL database <– WordPress only needs one – but buy an account that has more in case you want to expand your blog with forums etc
PHP <– PHP is the web language that WordPress is written with, ensure the build of WordPress you are using will run on the version of PHP your ISP is offering
Stats package <– very useful for tracking your traffic
Cpanel <– very useful for admin

Your hosting package will come with a lot more stuff than I have listed above, most of it you won’t need but sometimes it’s nice to know the options are there.

Tip: Don’t buy a hosting package that serves form a Windows webserver. Windows servers are the first point of call for hackers. While any webserver can potentially be hacked, it seems that Windows is the most probed and got-at platform out there. It’s my advice to take a Linux server where possible.

continued…

Host Local?

Host Local in Your Own Country?

There are rumblings around the net at the moment that Google, and others, but Google especially are looking to localise their search results, which means if you are in the UK and you search for something then UK websites served from UK servers will rank higher in the results pages than UK websites served on servers based in other countries. I have mixed feelings about this because my findings at the moment (as of August 2008) is that it’s a load of hyped up nonsense. I own a website business (www.designconscious.com) and right from the word go I hosted in America, my site is a blog and is optimised for the key words “website design telford” here is what google thinks of my site using that key phrase

The internet is such a big place and website design is such a big market place I reckon it’s better to compete locally so my site is optimised for where I live and even though I’m hosting in America Google seems to like me anyway. But that said – this might not always be the case, so to save yourself hassle in the future it might be better to err on the side of caution and host your site in your country of origin. Best advice and future proofing – that’s what you should do.

But….

If you are like me and think it’s all a load of bullshit, then why not think about hosting at Hostagor? Hostagor are an enormous American ISP with a 24/7 online chat support team and a wealth of features that go way beyond what you really need. Take a look – and of course if you are reading this in America, you won’t go far wrong if you take one of their packages.

END.