PART ONE: wp-security-scan plugin

Download: WP Security Scan

Author: Semper Fi Web design

Cost: Free

Once you have downloaded and unzipped the plugin upload it to you plugins fold and activate it in your plugins menu in the admin area of your blog.

When the plugin is active you will get a new tab in the top menu like this:

Here is what each tab will tell you

Security Tab

This tab is a ‘dashboard’ for the plugin, it reports to you all of its findings. One of the plugins features is to help you rename the ‘admin’ user and it will report to you here in red if the admin user exists. The way to rename this user is listed on a page called Change WordPress Admin Username. The other items it reports on are:

• WordPress version: 2.6.2 You have the latest stable version of WordPress.
• Your table prefix is not wp_. Your WordPress version is successfully hidden.
• WordPress DB Errors turned off.
• WP ID META tag removed form WordPress core
• “admin” user exists.
• The file .htaccess does not exist in wp-admin/.

Further down the page is a table reporting more system level information which includes:

• Operating System
• Server
• Memory usage
• MYSQL Version
• SQL Mode
• PHP Version
• PHP Safe Mode
• PHP Allow URL fopen
• PHP Memory Limit
• PHP Max Upload Size
• PHP Max Post Size
• PHP Max Script Execute Time
• PHP Exif support
• PHP IPTC support
• PHP XML support

Scanner Tab

Clicking on this tab brings up a list of files and directories which it checks that they all have the correct permissions state. If it’s correct the line is highlighted in green – if it’s incorrect then it is highlighted in red. The correct permission status is displayed so you can change the permissions accordingly.

Password Tool Tab

This is a neat facility which it gives you the ability to check the strength of your passwords. A field is displayed on screen and you are invited to type in a password, a graphical bar indicator progresses as you type, alongside words telling you the strength of the password.

Another nice touch is it automatically generates a random strong password which you can just copy and use.

Database Tab

It seems there are two major vulnerabilities in WordPress the first is the auto-generated ‘admin’ user – this is a security issue because every WordPress blog will probably have this user, therefore a potential hacker already knows half of a Username and Password pair. The second issue is the name of your tables in your database. By default when you install WordPress it auto prompts you with a table prefix of ‘WP_’ if you leave it as this then a hacker also now knows all your table names. This is a simple one to combat because all you need to do when you install is change the prefix to something else then install. This won’t prevent a hacker from getting in but it will make it more difficult.

If you have already installed your blog the Database Tab has the answer. Clicking on the tab presents you with a field populated with your current table prefix. Here you can now change it to something else, but as the big, bold, italic letters say:

Make a backup of your database before using this tool

Support Tab

The support tab is under construction but is a place where you can link back to the publishers changelog and documentation.

Conclusion

My conclusion of this plugin is it highlights the two most over looked vulnerabilities in WordPress – the admin username and the table prefix. Both vulnerabilities are fixable and this plugin shows you how to do it. What’s more having these highlighted to you will teach you to install more securely in the future. Some of the info that the plugin reports will go right over most bloggers heads but so long as you don’t get bogged down with the unimportant stuff you should be OK.

[rating:3.5]

Overall I would give this plugin 3.5/5

Killer feature: the ability to change the table prefix in one go.

The problem doesn’t actually lie in the WordPress coding, it seems to lie within the settings of the webserver that is dishing out your files. Fortunately there is simple answer to this and it lies in doing a quick edit in your .htaccess file.

It seems that some hosting accounts have SecFilterScanPOST enabled and this is causing the problem.

Alter your .htaccess file by adding these two lines of code:

SecFilterEngine Off

SecFilterScanPOST Off

Now try to upload your picture again and you should find it working.

Please note: I’m not a webserver techie and I have to hold my hand up and honestly say that I’m not sure why turning off these two options makes the difference. I do know that they were on for a reason – that reason may be because it’s a default install and they can be either on or off without making any difference, or it could be that it’s a critical bit of set up that really shouldn’t be turned off.

So here is a shout out to anybody with webserver knowledge to join in the comments on this post and tell me what’s what with these settings. So please follow this post’s comments in either the comments RSS feed or subscribe to the comments below.

As with any of our advice the usual disclaimer applies: back up before you do any alterations and be aware that you do the mod at your own risk.

Here is how you test to see if you are affected:

Call up this URL, remember to change YOUR-DOMAIN to your domain name plus the .com or .co.uk etc:

http://www.YOUR-DOMAIN/wp-content/plugins/

By doing this you are directly asking the webserver to show you the plugins folder. If you are affected by the security issue you will see this:

The above screen shot is a file listing of your plugins folder.

This example is for a WordPress install but If you don’t have a WordPress blog – you may still be affected try and locate a folder on your server and all it directly like this:

http://www.YOUR-DOMAIN/your-folder-name/

You might think: “Well so what?” but the security implications are that any folder that is on your server can potentially be viewed like this because it means that your hosting account has not been fully configured. Imagine if you have an SQL back up of your blog sitting in an uprotected folder, anyone with a bit of trial and error can find it and download it.

I had this problem on this hosting account, it seems that some providers leave it up to you to figure out what the problem is and for you to sort it out. Fortunately for me I knew what the issue was and how to fix it, so now I’m going to tell you. It’s so simple I really don’t know why the ISP’s don’t just configure it like this to begin with.

Fixing the exposed file structure issue

All you need to do is add a simple line of code to your .htaccess file. This file (.htaccess – yes it does have a dot in front of its name) sits in the root of your hosting account and tells the webserver all the extra stuff you have configured. And in this case it tells it:

Options All -Indexes

That’s all you have to add to the .htaccess file to protect all you folders from being viewed in this hosting account.

Two ways to do it

The first way

Boot your FTP program and connect to your hosting account, then look in the root (the first level) of your hosting for the .htaccess file. Once you have located it, download it – a word of caution here on some computers (Apple Mac namely) when you put a ‘dot’ infront of a file name it makes it invisible, the file is still there – but you can’t see it. So it might be wise to change the name of it before you DL. *** Remember to change the name back in the account as soon as you download – just in case you don’t do the amend straight away. Your .htaccess file is important to your blog and you shouldn’t leave it in a renamed state. ***

Once downloaded you should open it in a text editing program (not Word, never open a server document in Word… ever) use something like notepad. Add the above bit of code on its own line at the end of all the code that’s already there.

Save and re-upload. TIP: Here is what I do, to make sure I don’t mess up my install, I rename the existing .htaccess to something like .htaccess_OLD, I then upload my new one called just .htaccess – then I test my site still serves. If it doesn’t I can always roll back to my original file while I sort out what I have done wrong. If it’s all OK I just delete the _OLD file.

The second way

If you are hosting with an ISP that provides you with a cPanel, then it’s even easier. Login to your cPanel and find the icon option called: IndexManager. Click it and choose the root options (if you get a pop up window). When you see the next screen that lists the files in the root of your account, click on the / public_html / (Current Folder) words. This takes you through to another screen that asks you to choose your indexing type, choose “No Indexing” and hit save. Go to your site and check that it’s still serving OK.

Now you need to call the previously exposed folder again and if all has gone to plan you should now see your blogs error page and not your file listing.

Please take care when you are editing any server files and don’t ever open them in Word!

This post is for information only and if you edit your files please note that you do so at your own risk, no responsibility is accepted by bloggingrocket.com or it’s author should anything go wrong with your hosting account / blog website. Also note that this code adjustment alone isn’t a guarantee against being hacked.