SECURITY REVIEW Pt1 :: wp-security-scan plugin

Ian Blackford — Thu, 09 Oct 2008 22:55:05 +0000

Security in anything we do these days is of vital importance. We are only human and we make mistakes so any kind of security back up we can put into place has got to be a good thing. In this series of five security posts I am going to review a different security related plugin and report back what are the pros and cons of each one, and of course if they are indeed making wordpress a little bit safer.

PART ONE: wp-security-scan plugin

Download: WP Security Scan

Author: Semper Fi Web design

Cost: Free

Once you have downloaded and unzipped the plugin upload it to you plugins fold and activate it in your plugins menu in the admin area of your blog.

When the plugin is active you will get a new tab in the top menu like this:

Here is what each tab will tell you

Security Tab

This tab is a ‘dashboard’ for the plugin, it reports to you all of its findings. One of the plugins features is to help you rename the ‘admin’ user and it will report to you here in red if the admin user exists. The way to rename this user is listed on a page called Change WordPress Admin Username. The other items it reports on are:

WordPress version: 2.6.2 You have the latest stable version of WordPress.
Your table prefix is not wp_. Your WordPress version is successfully hidden.
WordPress DB Errors turned off.
WP ID META tag removed form WordPress core
“admin” user exists.
The file .htaccess does not exist in wp-admin/.

Further down the page is a table reporting more system level information which includes:

Operating System
Server
Memory usage
MYSQL Version
SQL Mode
PHP Version
PHP Safe Mode
PHP Allow URL fopen
PHP Memory Limit
PHP Max Upload Size
PHP Max Post Size
PHP Max Script Execute Time
PHP Exif support
PHP IPTC support
PHP XML support

Scanner Tab

Clicking on this tab brings up a list of files and directories which it checks that they all have the correct permissions state. If it’s correct the line is highlighted in green – if it’s incorrect then it is highlighted in red. The correct permission status is displayed so you can change the permissions accordingly.

Password Tool Tab

This is a neat facility which it gives you the ability to check the strength of your passwords. A field is displayed on screen and you are invited to type in a password, a graphical bar indicator progresses as you type, alongside words telling you the strength of the password.

Another nice touch is it automatically generates a random strong password which you can just copy and use.

Database Tab

It seems there are two major vulnerabilities in WordPress the first is the auto-generated ‘admin’ user – this is a security issue because every WordPress blog will probably have this user, therefore a potential hacker already knows half of a Username and Password pair. The second issue is the name of your tables in your database. By default when you install WordPress it auto prompts you with a table prefix of ‘WP_’ if you leave it as this then a hacker also now knows all your table names. This is a simple one to combat because all you need to do when you install is change the prefix to something else then install. This won’t prevent a hacker from getting in but it will make it more difficult.

If you have already installed your blog the Database Tab has the answer. Clicking on the tab presents you with a field populated with your current table prefix. Here you can now change it to something else, but as the big, bold, italic letters say:

Make a backup of your database before using this tool

Support Tab

The support tab is under construction but is a place where you can link back to the publishers changelog and documentation.

Conclusion

My conclusion of this plugin is it highlights the two most over looked vulnerabilities in WordPress – the admin username and the table prefix. Both vulnerabilities are fixable and this plugin shows you how to do it. What’s more having these highlighted to you will teach you to install more securely in the future. Some of the info that the plugin reports will go right over most bloggers heads but so long as you don’t get bogged down with the unimportant stuff you should be OK.

[rating:3.5]

Overall I would give this plugin 3.5/5

Killer feature: the ability to change the table prefix in one go.

Backing up your blog :: WP Codex report on Back up methods

Ian Blackford — Fri, 29 Aug 2008 22:07:40 +0000

Backing up your data is boring, none of us like doing it, we all know we should but most of us never do. I’m going to look like a real swot now – I back up, every day. Actually I back up using two different programs… every day and I do a full back up every fortnight.

Well… when I say ‘I’ back up, I really mean I have bought some software, a second drive and I have configured it on a schedule to back up every day, so in reality I don’t actually do anything but my data is backed up nonetheless.

Well that’s fine for my local data, but what about my beloved blog and those MySQL tables with their ‘Bits’ all exposed? Well that’s a little more tricky because you don’t have full control of a remote computer.

Help is at hand I have found with a great plugin called wp-db-backup it’s really easy to use and offers multiple back up options like:

additional tables (core tables included by default)
back up and saved to a folder on your server
back up and download the SQL file
back up and email the SQL file to yourself
schedule a backup with four time options (hourly, daily etc)

I would recommend everybody get this plugin, your blog should become one of your treasured possessions and you need to look after it.

Another excellent source of back up advice is of course WordPress.org themselves here is a backup article from their codex

bloggingrocket.com » backup