Category Archives: Wordpress Security

WordPress website error: site reverting to an old version

I have been noticing an intermittent problem with this website over the last 6 months or so where the site was reverting to a very old version that showed my old logo and only old posts. At first I thought I had a cache problem on my PC and attempted to flush my local DNS cache hoping that would resolve the issue. The problem manifested itself across multiple machines, so I quickly realized that was not the solution, but I did not seek a more permanent fix since the problem was very intermittent in nature and I have been extremely busy (not a good excuse). When the problem reoccurred today I had finally had enough and logged a ticket with my web hosting support company to work on a permanent resolution.

Problem: The site was intermittently reverting to an old version (with an old logo design) and showing only posts from 1/2012 and older.

Impact: The site design looked dated, and visitors were not seeing the improved design/layout or the new material posted on the site. I also suspect this hurt the site from a search engine perspective and lost traffic, since the site appeared old due to the apparent lack of new content.

Actions taken to attempt resolution: Thought the problem was DNS related, so I flushed my local DNS cache, but realized something broader was going on when the problem was found across multiple machines. Attempted to research the problem using Google, but most guidance was about webmaster tools related options and did not seem applicable. After failing to find a satisfactory fix I logged a support ticket with my web hosting provider.

Root Cause: I had to give my web host's technical assistance people admin access to the site and specify which database the site used. I created a unique temporary account/password for them and they completed the analysis and resolution very quickly. The root cause of my problem was found to be a corrupted WordPress table; once this table was repaired using the phpMyAdmin tool the site displayed as it should.

Lessons learned: Do not wait extended periods of time to deal with a problem. I could have had this issue resolved much sooner if I had taken immediate action and logged a support ticket. The Lunarpages support team was very helpful and quickly solved this issue once I provided them the needed access and confirmed the database ID.

Information Security Implications: As mentioned above, I had to provide site admin credentials to the technical support team to troubleshoot the problem. I followed these security practices during the interaction:

  • Had a full backup of my site before the work began
  • Created a unique temporary admin account just for this purpose
  • Deleted the account as soon as my support ticket was closed out successfully

This turned out to be a pretty good operational/security case study, so I thought it would be useful to document and share.

How to update PHP to support WordPress version 3.2.1

When a new WordPress version comes out I always like to wait 3-4 weeks to allow for sufficient burn-in, on the assumption that any major bugs will have been corrected by the time I upgrade. One of my cardinal rules of upgrades is to have a working backup and to make sure I have sufficient time to troubleshoot and quickly correct if something goes wrong. I delayed upgrading to the latest version of WordPress longer than my typical 3-4 week burn-in time because it required a newer PHP version than I was currently running and I thought it would be a bigger deal to change.

Since this site is dedicated to security I did not want to get more than one version behind the current WordPress version (I've got to keep practicing what I preach here). I logged into my hosting account and was pleasantly surprised to learn that upgrading my PHP version was a painless point-and-click upgrade.

To upgrade my PHP I performed the following:

  1. Logged into my hosting account
  2. Went to cPanel
  3. Software/Services
  4. PHP Configuration
  5. Changed from PHP 4 to PHP 5 and clicked Update

I then checked back in my WordPress site and was now able to upgrade to WordPress version 3.2.1, where previously a "not compatible with your version of PHP" message had been displayed. I was then easily able to auto-update to the latest version like all previous updates.


WordPress Plugin Security – Your Site's Worst Security Nightmare?

The WordPress security team recently announced that releases of three popular plugins, WPtouch, AddThis, and W3 Total Cache, had been published containing malicious code. If you are a WordPress site owner using any of these plugins and you update plugins as soon as updates are available, you need to take prompt action to avoid information security problems with your site. If you have updated within the last few days you need to quickly update again to get a clean release of each plugin.

Bad versions of each plugin:

  • WPtouch: 1.9.27 or 1.9.28
  • AddThis: 2.1.3
  • W3 Total Cache: unclear; updating to the latest version is recommended

Good versions of each plugin:

  • WPtouch: 1.9.26 or older, or the latest version 1.9.29
  • AddThis: 2.1.2 or older, or the latest version 2.2.0
  • W3 Total Cache: 0.9.2.3
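A small script to check an installed-plugin inventory against the version lists above, added here as an example (it is not code from the original post or from WordPress). The advisory table is transcribed from the lists in this post; the installed-plugin inventory is constructed sample input, and the slugs are assumed directory names. Versions are compared numerically so that, for example, 1.9.9 sorts before 1.9.29.

```python
"""Check installed plugin versions against the advisory above.

Added example, not code from the original post or from WordPress. The
advisory table is transcribed from the version lists in the post; the
installed-plugin inventory is constructed sample input.
"""


def parse_version(text):
    """Turn '0.9.2.3' into (0, 9, 2, 3) so versions compare numerically,
    not as strings (where '1.9.9' would sort after '1.9.29')."""
    return tuple(int(part) for part in text.strip().split("."))


# Transcribed from the post: known-bad builds and the first clean release.
# W3 Total Cache has no bad list in the post, only the recommended version.
ADVISORY = {
    "wptouch":        {"bad": {"1.9.27", "1.9.28"}, "fixed": "1.9.29"},
    "addthis":        {"bad": {"2.1.3"},            "fixed": "2.2.0"},
    "w3-total-cache": {"bad": set(),                "fixed": "0.9.2.3"},
}


def assess_plugin(slug, version):
    """Classify one installed plugin; returns (status, action)."""
    entry = ADVISORY.get(slug)
    if entry is None:
        return ("not-in-advisory", "no action")
    installed = parse_version(version)
    fixed = parse_version(entry["fixed"])
    if version in entry["bad"]:
        return ("backdoored", "update to %s immediately" % entry["fixed"])
    if installed >= fixed:
        return ("clean", "no action")
    if entry["bad"]:
        oldest_bad = min(parse_version(v) for v in entry["bad"])
        if installed < oldest_bad:
            # Released before the malicious commits, so untouched by them.
            return ("predates-incident", "no action")
    # Below the fixed release and not provably clean: treat as suspect.
    return ("suspect", "update to %s" % entry["fixed"])


def assess_inventory(inventory):
    """inventory: list of (slug, version, active). Returns one
    (slug, status, action) per plugin. Inactive plugins are flagged for
    deletion regardless of status: dormant plugin code is still on the server."""
    report = []
    for slug, version, active in inventory:
        status, action = assess_plugin(slug, version)
        if not active:
            action = "delete (inactive plugin)"
        report.append((slug, status, action))
    return report


# Constructed inventory, as a plugin listing from wp-admin might read.
SAMPLE_INVENTORY = [
    ("wptouch", "1.9.28", True),
    ("addthis", "2.1.2", True),
    ("w3-total-cache", "0.9.2.2", False),
    ("akismet", "2.4.0", True),
]

if __name__ == "__main__":
    for slug, status, action in assess_inventory(SAMPLE_INVENTORY):
        print("%-15s %-18s %s" % (slug, status, action))
```

Run as a script it prints one line per plugin; a real inventory would come from the Plugins page or from listing wp-content/plugins/ and reading each plugin's header.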

WordPress security lessons learned/validated

  • WordPress plugins are of unknown security quality and must be treated as such by sites requiring a high level of security.
  • WordPress updates and plugin updates should be given a 2-3 week burn-in period before applying, to avoid defects and issues such as this. That would have prevented exposure to the situation described by WordPress; the only caveat is when failing to update exposes your site to known exploits circulating in the wild.
  • Disable, or preferably delete, any WordPress plugins that you are no longer using on your site. An inactive plugin's code is still on the server.
  • Make sure your WordPress site administrator stays in the loop on WordPress security updates; awareness is half the battle.
  • Keep multiple copies of your site's backups so you have your choice of restore points if the worst
  • Security issues can happen even with trusted plugins. WPtouch is probably the most widely used plugin for mobile device compatibility, and if it can happen to them it can happen to anyone.

Be sure to understand the risk of installing WordPress plugins before doing so, and stay on top of WordPress plugin security news to help keep your site secure.


WordPress 3.1.2 Upgrade: What are the information security implications?

I logged into the WordPress admin panel today and noticed it is once again time to consider when to apply the latest WordPress version update. A quick scan of the update shows it is a very minor one with nothing standing out from either a functionality or security perspective that makes a quick upgrade a necessity.

My typical recommendation is to wait about 2 weeks before applying a WordPress version update unless there are some high risk security vulnerabilities mentioned in the release. You can feel safe allowing at least a two week burn-in for WordPress 3.1.2 at this point to allow any bugs to be detected and resolved without you playing the role of guinea pig.

Security Details of WordPress v3.1.2

The only element mentioned in the WordPress v3.1.2 upgrade summary is a vulnerability in the Contributor role's permissions around publishing posts. The Contributor role already has a good bit of posting privilege, so this seems very minor from a security standpoint.

Fixes a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

WordPress version upgrade best practices

  • Apply all plugin updates prior to updating the WordPress version.
  • Take a full backup of your entire site (database and site files) prior to the update; this is a good precaution even though 99 times out of 100 the update is painless.
  • Apply the update at an off peak time when your usage base is smaller and you or your technical resource would be available for troubleshooting if a restore were required.

If you require WordPress backup guidance consult this additional material.

WordPress 3.1 – When should you upgrade?

Everyone who runs a site on the WordPress CMS platform has hopefully noticed that WordPress 3.1 (also known as Reinhardt) is now available. Now you're probably asking yourself: how soon do I need to upgrade to keep my WordPress site secure?

My typical practice is to wait about 2 weeks after an update to apply it to my important sites. I make exceptions if I notice some high priority security vulnerabilities mentioned in the WordPress version upgrade description detail. Looking at the v3.1 upgrade information gave me the impression that this upgrade is primarily an appearance and functionality enhancement versus an upgrade that must be applied rapidly to ensure security.

Some small security-related changes I see referenced in WordPress v3.1 include streamlining the email reset process to make it more efficient, although this affects user experience (which is important) and is not a direct security improvement per se. Another change I noticed is that more granular controls have been added to the administrative sections to help sites with multiple administrators restrict and refine who accesses which part of WordPress administration. Specifically, the Super Admin menus and related pages have been moved out of the regular wp-admin/ path and now reside under wp-admin/network/.

When should you upgrade to WordPress 3.1?

Recent WordPress upgrades have been so smooth that many administrators upgrade right away and forget that things can go wrong, causing site downtime during the process. This is a reasonable approach if you ensure you have a working backup before proceeding (which you should always do) and have sufficient time to troubleshoot if something goes wrong. I plan on waiting 2-3 weeks before upgrading to WordPress version 3.1 and predict that a new update will be available before I upgrade, because so many functionality enhancements have been implemented.

Happy upgrading!

WordPress 3.0.5 Update – Install for security improvements

For a recent WordPress version upgrade I recommended waiting two weeks before applying the patch to let potential bugs be worked out. That recommendation was based on a review of the fixes included in that WordPress update and my overall assessment that they represented a lower risk than the potential issues that might go wrong with an upgrade.

For the WordPress 3.0.5 update I am taking a different approach and have already applied the patch successfully. I changed my approach on this update vs. 3.0.2 for the following reasons:

  • My confidence level in the stability of WordPress updates has improved over time, based on positive experiences that have been point-and-click with little trouble. In the IT operations world this would have someone banging on the nearest wooden object at this point, so rest assured I did make sure I had a backup before pushing the update button.
  • A quick review of the WordPress 3.0.5 fix list convinced me this was primarily a security-related upgrade vs. a functional upgrade. I view some of the vulnerabilities, such as cross-site scripting bugs (denoted as XSS), as higher risk and wanted to be protected against those threats.
  • I received two WordPress Firewall scanning alerts on a test site I have set up, and this is quite a rare occurrence. One of the attacks appeared to be injection related, but the other one was a possible cross-site scripting attempt. The timing of these events and the recent release of the WordPress 3.0.5 update was the tipping point for having me apply this update quicker than the last.

I will keep everyone updated if I detect any additional WordPress security anomalies on any of the sites I monitor.

WordPress Backups – How should you be backing up your site?

Your WordPress site may be a critical part of your business, a source of some extra income, or just a favorite hobby. In any of these scenarios you have put a lot of time into your design and posts and you don’t want to lose it right? If you have not implemented a WordPress backup plan that is exactly what you risk doing.

Critical WordPress Components to Backup

The official WordPress backup guide is specific in mentioning that there are two major components to back up for a WordPress site: the database and the site files. Few people read the manual, so it is a common mistake to back up only one of the WordPress components (usually the site files are overlooked).

WordPress Database – The site database contains all of the content on your site, including the posts, comments, links, user accounts and settings. Since content is the heart of every site, you risk starting from scratch if you neglect to back up your site database. The two major ways to back up a WordPress site database are via your web hosting control panel or by using a WordPress plugin.

WordPress Site Files – The site files consist of the core installation, installed plugins, themes, uploaded images and files, scripts, and wp-config.php (which holds your database credentials). The site files give your site its unique look, and if you do not back up this component you could be in for a lengthy redesign.

What is my WordPress backup plan?

I utilize the WordPress Database Backup plugin to automate a daily backup of my MySQL database. I have the backup emailed to my email account, and the eventual plan is to save it to a secure server directory when the file becomes too large for email.

For my WordPress site files I back up via my web hosting cPanel twice a month. I have strategically opted to back up the site files less frequently than the database since my content is updated a lot more frequently than my site design.

I always have both the site files and database backed up prior to attempting a WordPress version upgrade. In the future I am going to look into automating my site file backup and will review some plugins that claim to back up both the site files and database to see how effective they are.

To conclude, I'd like to review my list of the Top 5 WordPress Backup Mistakes.

Mistake #1 – Assuming that because you have installed a backup plugin you are covered. The backup plugin may only be backing up the database or the site files, so you might be missing a critical component of your needed WordPress backup.

Mistake #2 – Neglecting to test your backups. You can't be sure your backups work unless you have tested them, validated the results and successfully recovered your site from them, ideally into a separate test location rather than over the live site.

Mistake #3 – Failing to adequately secure your backups. Backups contain sensitive site information: the database holds every user's password hash, and the site files include wp-config.php with your database credentials and security keys. If a backup falls into the wrong hands it could mean bad news for your site, so encrypt any copy that leaves the server (for example one sent by email) and restrict who can read the stored copies.

Mistake #4 – Maintaining a manual backup process. If you do not automate the backup process there is an increased likelihood that you will forget to back up your site on a regular basis.

Mistake #5 – Upgrading WordPress versions without taking a fresh backup. WordPress version upgrades are one of the riskier activities from a site availability standpoint, so it is important to take a current backup prior to performing an upgrade. If unforeseen errors occur you can restore your site to the old version with minimal impact.

Make sure you avoid these top 5 mistakes and implement an effective WordPress backup strategy.
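The following script is an added example of the two-component backup and the test-restore discussed above; it is not code from the original post or from any backup plugin. It assumes the database has already been dumped to a .sql file (by mysqldump or the hosting control panel) and that the site files are on local disk; the tiny site tree and dump it builds are constructed for the demonstration, and the archive layout (site/ plus database.sql) is an assumption of this example. make_backup() packs both components and returns a SHA-256 digest to be stored separately; verify_backup() actually restores the archive into scratch space and reports what is missing, which is how Mistake #1 and Mistake #2 get caught before you need the backup for real.

```python
"""Build a WordPress backup holding both components and test-restore it.

Added example, not code from the original post or from any backup plugin.
It assumes the database has already been dumped to a .sql file (by
mysqldump or the hosting control panel) and packs that dump with the site
files. The site tree and dump created by build_sample_site() are
constructed for the demonstration.
"""
import hashlib
import os
import tarfile
import tempfile

# Markers that each component is really present in a restore.
REQUIRED_FILES = ("wp-config.php", "wp-content/")
REQUIRED_TABLES = ("wp_posts", "wp_options", "wp_users")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_root, db_dump, out_path):
    """Pack site files and the SQL dump into one tar.gz and return its SHA-256.
    Record the hash somewhere other than the archive itself so a restore can
    detect a truncated or tampered copy."""
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(site_root, arcname="site")
        tar.add(db_dump, arcname="database.sql")
    return sha256_file(out_path)


def verify_backup(archive, expected_sha256):
    """Restore the archive into scratch space and confirm both components are
    present. Returns a list of problems; empty means the backup passed."""
    problems = []
    if sha256_file(archive) != expected_sha256:
        return ["checksum mismatch: archive truncated or altered"]
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # refuse paths escaping restore_dir
            except TypeError:  # Python builds without the filter argument
                tar.extractall(restore_dir)
        for rel in REQUIRED_FILES:
            if not os.path.exists(os.path.join(restore_dir, "site", rel)):
                problems.append("site files missing: " + rel)
        dump = os.path.join(restore_dir, "database.sql")
        if not os.path.exists(dump):
            problems.append("database dump missing")
        else:
            with open(dump, encoding="utf-8") as f:
                sql = f.read()
            for table in REQUIRED_TABLES:
                if "CREATE TABLE `%s`" % table not in sql:
                    problems.append("database dump lacks table " + table)
    return problems


def build_sample_site(base):
    """Constructed stand-in for a hosting account: a tiny site tree plus dump."""
    site = os.path.join(base, "public_html")
    os.makedirs(os.path.join(site, "wp-content", "plugins"))
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'example_wp');\n")
    with open(os.path.join(site, "wp-content", "plugins", "index.php"), "w") as f:
        f.write("<?php // silence is golden\n")
    dump = os.path.join(base, "example_wp.sql")
    with open(dump, "w") as f:
        for table in REQUIRED_TABLES:
            f.write("CREATE TABLE `%s` (ID bigint);\n" % table)
    return site, dump


def demo():
    """Returns the problem lists for a full backup, a database-only backup
    (Mistake #1 in practice) and a backup whose recorded hash does not match."""
    with tempfile.TemporaryDirectory() as work:
        site, dump = build_sample_site(work)
        archive = os.path.join(work, "backup.tar.gz")
        full = verify_backup(archive, make_backup(site, dump, archive))
        partial = os.path.join(work, "db-only.tar.gz")
        with tarfile.open(partial, "w:gz") as tar:
            tar.add(dump, arcname="database.sql")
        db_only = verify_backup(partial, sha256_file(partial))
        tampered = verify_backup(archive, "0" * 64)
        return full, db_only, tampered


if __name__ == "__main__":
    print(demo())
```

The archive itself is not encrypted; if a copy is going to leave the server (emailed, or synced to another host), wrap it with a tool such as gpg first, which is the practical answer to Mistake #3.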

WordPress 3.0.2 – When should you upgrade?

Caption provided by http://www.flickr.com/photos/ell-r-brown/

Newton’s Law or some distant relative of his smacked me in the face today when I logged into my site administration panel and saw that WordPress version 3.0.2 was now available for install. After all, I just finished my post about WordPress security plugins and 3.0.1 compatibility, and now we have a new version to deal with. Such is life, but now we have a working example to apply some information security principles regarding upgrades.

You are probably asking yourself: when should I upgrade to WordPress version 3.0.2?

I have looked at the WordPress security vulnerabilities addressed in the upgrade from 3.0.1 to 3.0.2 and none appear urgent enough to require an immediate upgrade. I recommend waiting two weeks to perform the upgrade unless news of 3.0.1 exploits in the wild calls for a quicker upgrade timeframe. That means I will be looking to update my site around 12/15, which should leave plenty of time for any high impact bugs to be discovered and resolved.

Things to do before you upgrade to WordPress version 3.0.2

  1. Perform a full backup of your WordPress database and site files. If you are using an automated backup plugin and have tested it you are good to go; otherwise you may want to read more about WordPress official backup guidance.
  2. The WordPress documentation recommends disabling plugins prior to upgrading to a new version to prevent an incompatible plugin from making your site inaccessible. This is prudent advice but adds to your administrative burden, so my advice is to be aware that it is a risk and be ready to manually disable the offending plugin via your hosting account (renaming its directory under wp-content/plugins/ is enough) should the need arise. This is a practical risk mitigation step that avoids the extra work of disabling a lot of plugins.
  3. You are now ready to update your site, and for most of you that will mean using the automatic update feature. If by chance you are doing a manual update be sure to clean up the .maintenance file as WordPress recommends; the site shows a maintenance notice while that file is present.

You are now ready to test your site and validate that it is operating as expected. If you have a caching plugin enabled be sure to clear the cache so you are working with the current version of WordPress and do not become confused. High value sites with large audiences might also want to consider testing the upgrade on a test site that mirrors their production site and installing the upgrade during off hours (defined by their particular audience geography) to minimize potential disruption.
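The three housekeeping tasks from the checklist above, as an added example that is not part of the original post: confirming the backup is fresh before you click Update, disabling a plugin by renaming its directory when the dashboard is unusable, and removing a leftover .maintenance file. It assumes you can reach the site root and your backup directory on disk (over SSH, or on a mirror of the site); the directory layout that demo() builds, including the plugin slug broken-plugin, is constructed.

```python
"""Pre-upgrade housekeeping for a WordPress install, as an added example.

Not part of the original post. It assumes you can reach the site root and
the backup directory on disk (over SSH, or on a mirror of the site); the
layout that demo() creates is constructed for the demonstration.
"""
import os
import tempfile
import time


def backup_is_fresh(backup_dir, max_age_hours=24):
    """True if the newest file in backup_dir is younger than max_age_hours.
    Step 1 of the checklist: do not upgrade on last week's backup."""
    newest = 0.0
    for name in os.listdir(backup_dir):
        path = os.path.join(backup_dir, name)
        if os.path.isfile(path):
            newest = max(newest, os.path.getmtime(path))
    return newest > 0 and (time.time() - newest) < max_age_hours * 3600


def disable_plugin(site_root, slug):
    """Disable a plugin without the admin panel by renaming its directory.
    WordPress loads plugins from wp-content/plugins/<slug>, so renaming the
    directory is the manual fallback (by FTP or the hosting file manager)
    when a plugin has broken the dashboard after an upgrade. Returns the
    new path."""
    src = os.path.join(site_root, "wp-content", "plugins", slug)
    if not os.path.isdir(src):
        raise FileNotFoundError("no such plugin directory: " + src)
    dst = src + ".disabled"
    os.rename(src, dst)
    return dst


def clear_stale_maintenance(site_root, max_age_minutes=10):
    """Remove a leftover .maintenance file from the site root.
    WordPress writes it while an upgrade runs and serves "Briefly unavailable
    for scheduled maintenance" while it is present; it stops honouring the
    file ten minutes after the timestamp recorded inside it, and this helper
    uses the file's mtime as a proxy for that timestamp. Returns True if a
    stale file was removed."""
    path = os.path.join(site_root, ".maintenance")
    if not os.path.exists(path):
        return False
    if time.time() - os.path.getmtime(path) < max_age_minutes * 60:
        return False  # an upgrade may genuinely be in progress; leave it
    os.remove(path)
    return True


def demo():
    """Run the helpers against a constructed site tree and report results."""
    with tempfile.TemporaryDirectory() as work:
        site = os.path.join(work, "public_html")
        os.makedirs(os.path.join(site, "wp-content", "plugins", "broken-plugin"))
        backups = os.path.join(work, "backups")
        os.makedirs(backups)
        three_days_ago = time.time() - 3 * 86400
        old = os.path.join(backups, "site-old.tar.gz")
        open(old, "w").close()
        os.utime(old, (three_days_ago, three_days_ago))
        fresh_before = backup_is_fresh(backups)
        open(os.path.join(backups, "site-today.tar.gz"), "w").close()
        fresh_after = backup_is_fresh(backups)

        disabled = os.path.basename(disable_plugin(site, "broken-plugin"))

        maint = os.path.join(site, ".maintenance")
        with open(maint, "w") as f:
            f.write("<?php $upgrading = 0; ?>")
        an_hour_ago = time.time() - 3600
        os.utime(maint, (an_hour_ago, an_hour_ago))
        removed = clear_stale_maintenance(site)
        return {
            "fresh_before": fresh_before,
            "fresh_after": fresh_after,
            "disabled_as": disabled,
            "maintenance_removed": removed,
            "maintenance_gone": not os.path.exists(maint),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %s" % (key, value))
```

Renaming the directory back (dropping the .disabled suffix) re-enables the plugin once a compatible version is installed; WordPress will have marked it inactive in the meantime, so reactivate it from the Plugins page afterwards.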

WordPress 3.0.1 & Security Plugins: Which Are Recommended?

WordPress security plugins can be effective tools to help keep your site secure. Here are the specific security plugins I am currently using with my WordPress 3.0.1 (current version) installation and some things I have learned along the way about using them.

#1 – Akismet – The current version of the plugin is 2.4.0 and it is fully compatible with WordPress, as you would expect since the plugin ships with WordPress and is the most widely used security plugin.

Is Akismet difficult to install? – The plugin is very easy to install; all you need to do is register for a unique API key via email to activate the plugin.

Why do you need Akismet? – Akismet is extremely effective. I have not had a single spam message since activating it and do not believe other spam related plugins are necessary at this time.

#2 – Login Lockdown – The current version of the plugin is v1.5. It is compatible with the latest version of WordPress.

Why do you need Login Lockdown? – It provides an additional level of security by locking out an IP address that has had a certain number of failed login attempts within a specified time frame (both settings are user customizable).

What settings do I use for Login Lockdown? – I altered the defaults to lock my account out after 3 failed attempts from a given IP address in a 30 minute time period, and it remains locked out for 1440 minutes (24 hours).

What is the risk of using Login Lockdown? – The biggest risk you face using Login Lockdown is not being able to access and administer your own site from a certain IP address. To mitigate this risk make sure you set the settings explained above at the right level for you; it also helps to have a secure alternative IP address that you can use to access the site (perhaps a relative's house). It is also possible to edit your database directly to free a locked IP address if your own address becomes locked out.
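The lockout rule described above (a number of failures from one IP address within a window locks that address for a fixed period, and the lock is enforced even for a correct password), implemented as an added example. This is not the plugin's code; the defaults are the settings given in this post, and the attempt sequence in simulate() is constructed. It shows both the self-lockout risk and why a sliding window matters: the site owner's two slow mistakes do not lock them out, while three quick guesses do.

```python
"""Failed-login lockout of the kind Login Lockdown implements, as an added example.

Not the plugin's code. It implements the rule the post describes: N failed
attempts from one IP address within a window lock that address out for a
fixed period, and the lock applies even to a correct password. The attempt
sequence in simulate() is constructed.
"""
from collections import defaultdict, deque


class LoginLockout:
    def __init__(self, max_failures=3, window_minutes=30, lockout_minutes=1440):
        # Defaults are the settings the post uses: 3 failures in 30 minutes,
        # locked for 1440 minutes (24 hours).
        self.max_failures = max_failures
        self.window = window_minutes * 60
        self.lockout = lockout_minutes * 60
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]  # lock has expired
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failure; returns True if it tips the address into lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # sliding window: older failures no longer count
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False

    def attempt(self, ip, password_ok, now):
        """Returns 'locked', 'ok' or 'failed'. The lock is checked before the
        password so a locked attacker learns nothing about the credential."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)  # a success clears the failure history
            return "ok"
        self.record_failure(ip, now)
        return "failed"

    def unlock(self, ip):
        """Administrative unlock, the equivalent of deleting the lock row in
        the database when you have locked yourself out."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


def simulate():
    """Constructed sequence: an attacker guessing, and the site owner mistyping."""
    lock = LoginLockout()
    t0 = 1_300_000_000  # arbitrary epoch seconds
    attacker, owner = "203.0.113.9", "198.51.100.7"  # documentation-range addresses
    events = [
        (attacker, False, t0),
        (attacker, False, t0 + 60),
        (attacker, False, t0 + 120),              # third failure in 30 min: lock set
        (attacker, True, t0 + 180),               # right password, still locked
        (owner, False, t0),
        (owner, False, t0 + 31 * 60),             # first failure has aged out
        (owner, False, t0 + 32 * 60),             # only two inside the window
        (owner, True, t0 + 33 * 60),              # so the owner still gets in
        (attacker, True, t0 + 180 + 1440 * 60),   # 24 hours later the lock has lapsed
    ]
    return [lock.attempt(ip, ok, t) for ip, ok, t in events]


if __name__ == "__main__":
    print(simulate())
```

Two caveats follow from keying on the client address: if the site sits behind a proxy or CDN every visitor shares the proxy's address and can lock each other out, and an attacker spreading guesses across many addresses is never slowed, so this control complements a strong password rather than replacing it.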

#3 – WordPress Firewall 2 – The current version of the plugin is v1.3 and it works fine with WordPress 3.0.1.

Why do you need WordPress Firewall 2? – It provides an additional layer of security by protecting against directory traversal, database injection and other WordPress specific web attacks. The jury is still out on this one for me, as I have not seen any alerts after a few weeks of use, so I am either low on the radar or it has not done much thus far.

How to configure WordPress Firewall 2? – I installed the plugin with the default settings, and the only change I made was to configure the alerts to go to my email address.

#4 – Secure WordPress – The current version of the plugin is 1.0.6.

Why do you need Secure WordPress? – It tweaks a variety of security settings, primarily those related to excessive information disclosure (such as the WordPress version string). Click here for a list of security functions performed by the plugin.

#5 – WP Security Scan – The current version of the plugin is 2.7.1.2.

Why do you need WP Security Scan? – It provides a variety of useful security functions, including looking for password, database, and directory permission weaknesses. It helps provide an automated way to regularly check these items.

#6 – WordPress Database Backup – The current version of the plugin is v2.2.2 and it is compatible with the latest version of WordPress. Although it is technically backup software vs. true security software, backup is such an essential component of information security that I have included it on this list.

Why do you need WordPress Database Backup? – There are a few other WordPress database backup plugins available, but this is the one I use to perform my daily backups, which are automatically emailed to my account. One recommendation I have is to make sure to save your backups somewhere else if your email account is hosted by the same company as your site, as this gives you additional protection if they have a catastrophic failure.

How often should I test my WordPress backups? – Testing your backup and validating that it is recoverable the first time is the biggest hurdle. After that I recommend retesting every 6 months; more or less frequent testing makes sense depending on the value of your site.

Two other WordPress Security Plugins I am interested in but do not yet have installed:

1. Better WP Security – The disclaimer says it is only in the testing stage and is not recommended for production sites. I will be testing this on a development site soon so I can take a look and check out the tool. I agree with the creator that you should never use a non-production plugin on a production site.

2. Ultimate Security Check – Claims to be the #1 security plugin for WordPress, so I am always intrigued by those types of grandiose claims and would like to check out what's under the hood.

Lastly, I will mention that I have played around with Admin-SSL a good bit, as I really want to encrypt administrative traffic, but have not had much luck getting it to work with the latest version. Anyone who has a good workaround or a better plugin to perform this function, please drop me a line.

WordPress Security – Defense in depth

WordPress security posts often focus on mentioning a few magic plugins that you can install to get and stay secure. I use many of these plugins myself, but they are not a silver bullet for keeping your site secure. WordPress, like most other technologies considered from an information security perspective, requires defense in depth to do the job right. For those of you not familiar with the defense in depth strategy, it means that there is no one magic bullet to get and stay secure. An effective information security program requires a layered approach of multiple techniques, so that the failure of any one control does not by itself lead to compromise.

What are the different layers of WordPress Security?

Client Security – If the PC you administer your WordPress site from becomes infected with a keylogger, your site is likely to be compromised. An attacker can use a keylogger to capture your WordPress, web hosting account, FTP, or database credentials, any of which will cause major security headaches.

Network Security – If you administer your WordPress site or access your web hosting administrative login page on an insecure network, your login credentials can be intercepted with a network sniffer. Unless you have taken additional security measures such as encrypting your login sessions with SSL/TLS (HTTPS), your passwords cross the network in clear text, making it easy for an attacker to log in with your credentials. That is reason enough never to log in to your administrative accounts on a network that may not be secure. The same applies to plain FTP, which also sends the password unencrypted; prefer SFTP or FTPS where your host offers it.

Webserver Security – Most of you host your WordPress site on a shared service and are therefore very reliant on your service provider to take the needed steps to secure their DNS and web servers. The main way you can influence security in this space is with your dollars and via the hosting company's help desk. If you experience or read about serious security incidents affecting your site you have the option to leave when your hosting contract ends and get your web hosting from a more secure provider.

Database Security – When you first install your WordPress site a MySQL database is created. This database is the backbone of your site, containing the structure and table entries that make your site work, so it is essential that the integrity of this database be protected. The primary areas of concern here are the database password (the account named in wp-config.php should have privileges on the WordPress database only, not on the whole server), keeping the database software up to date, and SQL injection attacks that could lead to unintended data disclosure.
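The SQL injection concern above, shown concretely as an added example that is not code from this post or from WordPress (which, in PHP, uses $wpdb->prepare() for the same purpose): a search query built by string concatenation beside the same query with a bound parameter. SQLite stands in for MySQL so it runs offline; the wp_posts-style table, its rows and the attacker's input are all constructed. A single quote in the search term rewrites the concatenated query so that the post_status = 'publish' filter no longer applies and draft and private titles are returned.

```python
"""String-built SQL beside its parameterised form, as an added example.

Not code from the post or from WordPress (which, in PHP, uses $wpdb->prepare()
for the same purpose). SQLite stands in for MySQL so the demonstration runs
offline; the wp_posts rows and the attacker input are constructed.
"""
import sqlite3


def setup_db():
    """In-memory stand-in for the site database with a wp_posts-like table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    db.executemany(
        "INSERT INTO wp_posts (post_title, post_status) VALUES (?, ?)",
        [("Public post", "publish"),
         ("Unpublished draft with the launch date", "draft"),
         ("Private note to self", "private")],
    )
    return db


def search_titles_unsafe(db, term):
    """Concatenation: whatever the visitor typed becomes part of the SQL text,
    so a quote in the search term rewrites the query."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE '%" + term + "%' ORDER BY ID")
    return [row[0] for row in db.execute(sql)]


def search_titles_safe(db, term):
    """Placeholder binding: the term is handed to the driver as data and can
    never change the shape of the statement."""
    sql = ("SELECT post_title FROM wp_posts WHERE post_status = 'publish' "
           "AND post_title LIKE ? ORDER BY ID")
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


# Constructed attacker input. Inside the unsafe query it closes the LIKE
# string early and appends a condition that is always true:
#   ... AND post_title LIKE '%x%' OR '1%'='1%' ORDER BY ID
INJECTION = "x%' OR '1%'='1"


def demo():
    db = setup_db()
    return {
        "normal_unsafe": search_titles_unsafe(db, "Public"),
        "normal_safe": search_titles_safe(db, "Public"),
        "injected_unsafe": search_titles_unsafe(db, INJECTION),  # leaks draft and private rows
        "injected_safe": search_titles_safe(db, INJECTION),      # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-16s %s" % (name, rows))
```

The least-privilege point from the paragraph above applies on top of this: even a parameterised application benefits from a database account that cannot read or alter anything outside the site's own tables.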

WordPress Application Security – When you first configure your WordPress site you must select an administrative password to protect your account. It is essential that you follow good password practices when setting this password, and be sure to change it promptly if you ever suspect it has been compromised or if your client PC becomes infected with malware. In addition, WordPress updates should be applied promptly to ensure your site is protected against known vulnerabilities. If you run a WordPress site with multiple contributors it is important that you delegate access using role-based security to limit their privileges to only what is necessary to perform their function.

WordPress Plugin Security – WordPress plugins should be considered applications in their own right, and standard application security practices should be followed. Reference these WordPress plugin security tips when you are installing a new plugin.

Now that you are more aware of the various components that must be taken into account to have a secure WordPress site, in the next article I will provide detailed recommendations on how to secure each of these layers to help keep your site secure.