Tag Archives: Wordpress Security

Is WordPress 3.3.2 tied to the MAC OS X security issues?

Blogging platform king WordPress has gone quite a long time without an update, until today that is. When I logged into my blogs I noticed that WordPress update 3.3.2 was awaiting my installation. I have read via SANS that compromised WordPress sites were the major attack vector for this high profile MAC attacks. Putting two and two together it makes quite a lot of sense that there is a new WordPress update to install to mitigate discovered issues with the platform.

Upon review of the update it contains fixes for several cross site scripting vulnerabilities as wells as a limited privilege escalation vulnerability. I decided to break with my normal policy of installing WordPress updates after 2-3 weeks stability and experimented with applying the patch right away. My test site worked with no problem so I applied it to my other two sites and no issues were experienced across the board.

It feels like it is only a matter of time until iOS gets hit big time and iPhone and iPad users learn that they are not isolated from the security issues that have faces Windows users for over a decade. With popularity comes scrutiny.

 

How to update PHP to support WordPress version 3.2.1

When a new WordPress version comes out I always like to wait 3-4 weeks to allow for sufficient burn in with the assumption that any major bugs will be corrected by the time I upgrade. One of my cardinal rules of upgrades is to have a working backup and to make sure I have sufficient time to troubleshoot and quickly correct if something goes wrong. I delayed upgrading to the latest version of WordPress longer than my typical 3-4 week burn in time because it required me to be operating at a higher level of PHP configuration vs. what I was currently operating at and I thought it would be a bigger deal to change.

Since this site is dedicated to security I did not want to get more than one version behind the WordPress current version level (got to keep practicing what I preach here). I logged into my hosting account and was pleasantly surprised to learn that upgrading my PHP version was a point and click painless upgrade.

To upgrade my PHP I performed the following:

Logged into my hosting account

Go to cpanel

Software/Services

PHP Configuration

Changed from PHP 4 to PHP 5 and clicked Update

I then checked back in my WordPress site and was now able to upgrade to WordPress version 3.2.1 when previously a not compatible with your version of PHP was previously displayed. I was then easily able to auto update to the latest version like all previous updates.

 

WordPress 3.1 – When should you upgrade?

Everyone who runs a site on the WordPress CMS platform hopefully noticed that WordPress 3.1 (also known as Reinhardt) is now available. Now your probably asking yourself how soon do I need to upgrade to keep my WordPress site secure?

My typical practice is to wait about 2 weeks after an update to apply it to my important sites. I make exceptions if I notice some high priority security vulnerabilities mentioned in the WordPress version upgrade description detail. Looking at the v3.1 upgrade information gave me the impression that this upgrade is primarily an appearance and functionality enhancement versus an upgrade that must be applied rapidly to ensure security.

Some small security changes I see referenced in WordPress v3.1 include streamlining the email reset process to make it more efficient although this affects user experience (which is important) and is not a direct security improvement per se. Another change I noticed was there have been more granular controls added to the administrative sections to help sites with multiple administrators restrict and refine who accesses what part of WordPress administration. Specifically the Super Admin menus and related pages have been moved out of the regular wp-admin/ path and now reside in the wp-admin/network/ path.

When should you upgrade to WordPress 3.1?

Recent WordPress upgrades have been so smooth many administrators forget that things can go wrong causing site downtime during this process and upgrade right away. This is a reasonable approach if you ensure you have a working backup before proceeding (which you should always do) and have sufficient time to troubleshoot if something goes wrong. I plan on waiting 2-3 weeks before upgrading to WordPress version 3.1 and predict that a new update will be available before I upgrade because so many functionality enhancements have been implemented.

Happy upgrading!

WordPress 3.0.5 Update – Install for security improvements

For a recent WordPress version upgrade I recommended to wait two weeks before applying the patch to let potential bugs be worked out. That recommendation was based on a review of the fixes included in that WordPress  update and my overall assessment that they represented a lower risk then potential issues that might go wrong with an upgrade.

For the WordPress 3.0.5 update I am taking a different approach and have already applied the patch successfully. I changed my approach on this update vs. 3.0.2 for the following reasons:

  • My confidence level in the stability of WordPress updates has improved over time based on positive experiences that have been point and click with little trouble. In the IT operations world this would have someone banging on the nearest wooden object at this point, so rest assured I did make sure I had a backup before pushing the update button.
  • A quick review of the WordPress 3.0.5 fix list convinced me this was primarily a security related upgrade vs. a functional upgrade. I view some of the vulnerabilities such as cross site scripting bugs (denoted as XSS) higher risk and wanted to be protected against those threats.
  • I received two WordPress firewall scanning alerts on a test site I have set up and this is quite a rare occurrence. One of the attacks appeared to be injection related but the other one was a possible cross site scripting attempt. The timing of these events and the recent release of WordPress 3.0.5 Update was the tipping point for having me apply this update quicker then the last.

I will keep everyone updated if I detect any additional WordPress security anomalies on any of the sites I monitor.

WordPress Backups – How should you be backing up your site?

Your WordPress site may be a critical part of your business, a source of some extra income, or just a favorite hobby. In any of these scenarios you have put a lot of time into your design and posts and you don’t want to lose it right? If you have not implemented a WordPress backup plan that is exactly what you risk doing.

Critical WordPress Components to Backup

The official WordPress backup guide is specific in mentioning that there are two major components to backup related to a WordPress site, the database and the site files. Few people read the manual so it is a common mistake to back up only one of the WordPress components (usually the site files are overlooked)

WordPress Database -The site database contains all of content on your site including the posts, comments, and links. Since content is the heart of every site you risk starting from ground zero if you neglect to backup your site database. The two major ways to backup a WordPress site database are via your webhosting control panel or utilizing a WordPress plugin.

WordPress Site Files – The site files consist of the core installation, installed plugins, themes, images, files and scripts. The site files give your site its unique look and if you do not backup this component you could be in for a lengthy redesign.

What is my WordPress backup plan?

I utilize the WordPress Database Backup plugin to automate a daily backup of my mysql database. I have the backup emailed to my email account and the eventual plan will be to save it to a secure server directory when the file becomes to large for email.

For my WordPress site files I backup via my web hosting cpanel two times a month. I have strategically opted to backup the site files less frequently then the database since my content is updated a lot more frequently then my site design.

I always have both the site files and database backed up prior to attempting a WordPress version upgrade.  In the future I am going to look into automating my site file backup and will review some plugins that claim to backup both the site files and database to see how effective they are.

To conclude I’d like to review my list of the Top 5 WordPress Backup Mistakes

Mistake #1 – Assuming that because you have installed a backup plugin that you are covered. The backup plugin may only be backing up the database or the site files so you might be missing a critical component of your needed WordPress backup.

Mistake #2 -Neglecting to test your backups. You can’t be sure your backups work unless you have tested and validated the results and successfully recovered your site.

Mistake #3 – Failing to adequately secure your backups. Backups contain sensitive site information such as user login/password information and database credentials. If your backup falls into the wrong hands it could mean bad news for your site.

Mistake #4 – Maintaining a manual backup process. If you do not automate the backup process there is an increased likelihood that you will forget to backup your site on a regular basis.

Mistake #5 – Upgrading WordPress versions without taking a fresh backup. WordPress version upgrades are one of the more risky activities from a site availability standpoint so it is important to take a current backup prior to performing an upgrade. If unforeseen errors occur you can restore your site to the old version with minimal impact.

Make sure you avoid these top 5 mistakes and implement an effective WordPress backup strategy.

WordPress 3.0.2 – When should you upgrade?

Caption provided by http://www.flickr.com/photos/ell-r-brown/

Newton’s Law or some distant relative of his smacked me in the face today when I logged into my site administration panel and saw that WordPress version 3.0.2 was now available for install. After all I just finished my post about WordPress Security Plugins and 3.0.1 compatibility and now we have a new version to deal with. Such is life, but now we have a working example to apply some information security principles regarding upgrades.

You are probably asking yourself when should I upgrade to WordPress version 3.0.2?

I have looked at the WordPress security vulnerabilities addressed in the upgrade from 3.0.1 to 3.0.2 and none appear urgent enough to require an immediate upgrade. I recommend waiting two weeks to perform the upgrade unless news of 3.0.1 exploits in the wild causes the need for a quicker upgrade timeframe. That means I will be looking to update my site around 12/15 which should leave plenty of time for any high impact bugs to be discovered and resolved.

Things to do before you upgrade to WordPress version 3.0.2

  1. Perform a full backup of your WordPress Database. If you are using an automated backup plugin and have tested it you are good to go otherwise you may want to read more about WordPress official backup guidance.
  2. The WordPress documentation recommends disabling plugins prior to upgrading to a new version to prevent an incompatible plugin from making your site inaccessible. This is prudent advice but adds to your administrative burden so my advice is to be aware that it is a risk and be ready to manually disable the plugin via your web account should the need arise. This is a practical risk mitigation step that avoids the extra working of disabling a lot of plugins.
  3. You are now ready to update your site and for most of you that will mean using the automatic update feature. If by chance you are doing a manual update be sure to cleanup the maintenance file as WordPress recommends.

You are now ready to test your site and validate that it is operating as expected. If you have a caching plugin enabled be sure to clear the cache so you are working with the current version WordPress and do not become confused. High value sites with large audiences might also want to consider testing the upgrade on a test site that mirrors their production site and installing the upgrade during off hrs (defined by their particular audience geography) to minimize potential disruption.

WordPress 3.0.1 & Security Plugins Which Are Recommended?

WordPress security plugins can be effective tools to help keep your site secure. Here are the specific security plugins I am currently using with my WordPress 3.0.1 (current version) installation and some  things I have learned along the way about using them.

#1 – Akismet – Current version of the plugin is 2.4.0 and it is fully compatible with WordPress as you would expect since the plugin comes native with WordPress and is the most widely used security plugin.

Is Akismet difficult to install?- The plugin is very easy to install all you need to do is register for a unique API key via email to activate the plugin.

Why do you need Akismet? – Akismet is extremely effective, I have not had a single SPAM message since activating it and do not believe other spam related plugins are necessary at this time.

#2 – Login Lockdown – Current version of the plugin is v1.5. It is compatible with the latest version of WordPress.

Why do you need Login Lockdown? – Provides an additional level of security by locking out an account that has had a certain # of failed login attempts within a specified time frame (both settings are user customizable).

What settings do I use for Login Lockdown? – I altered the defaults to lock my account out after 3 failed attempts from a given IP address in a 30 minute time period and it remains locked out for 1440 minutes

What is the risk of using Login Lockdown? – The biggest risk you face using Login Lockdown is not being able to access and administer your own site from a certain IP address. To mitigate this risk make sure you set the settings explained above at the right level for you and it also helps to have a secure alternative IP address that you can use to access the site (perhaps a relative’s house). It is also possible to edit your database directly to free a locked IP address if your IP address becomes locked out.

#3 – WordPress Firewall 2 – Current version of the plugin is v1.3  and works fine with WordPress 3.0.1

Why do you need WordPress Firewall 2? – Provides an additional layer of security to your site by protecting against web related directory traversal, database injection and other WordPress specific attacks. The verdict is still out there on this one for me as I have not seen any alerts after a few weeks of install so I am either low on the radar or it has not done much thus far.

How to configure Wordpress Firewall 2? – I installed the plugin with the default settings and the only change I made was to configure the alerts to go to my email address.

#4 – Secure WordPress – Current version of the plugin is 1.0.6

Why do you need Secure WordPress? – Tweaks a variety of security settings primarily those related to excessive information disclosure. Click here for a list of security functions performed by the plugin.

#5 – WP Security Scan – Current version of the plugin is 2.7.1.2

Why do you need WP Security Scan? – Provides a variety of useful security functions including looking for password, database, and directory permission vulnerabilities. Helps provide an automated way to regularly check these items.

#6 – WordPress Database Backup – Current version of the plugin is v2.2.2 and it is compatible with the latest version of WordPress. Although it is technically backup software vs. true security software, backup is such an essential component of information security I have included it on this list.

Why do you need WordPress Database Backup? – There are a few other WordPress Database backup plugins available but this is the one I use to perform my daily backups which are automatically emailed to my account. One recommendation I have is to make sure to save your backups somewhere else if your email account is hosted by the same company as your site as this gives you additional protection if they have a catastrophic failure.

How often should I test my WordPress Backups? – Testing your backup and validating it is recoverable the first time is the biggest hurdle. After that I recommend retesting every 6 months and either more or less frequent makes sense depending on the value of your site.

Two other WordPress Security Plugins I am interested in but do not yet have installed:

1. Better WP Security – Disclaimer says it is only in testing stage and it is not recommended for production sites. I will be testing this on a development site soon so I can take a look and check out the tool. I agree with the creator that you should never use a non production plugin on a production site.

2. Ultimate Security Check – Claims to be the #1 Security Plugin for WordPress so I am always intrigued by those type of grandiose claims and would like to check out whats under the hood.

Lastly, I will mention that I have played around with Admin-SSL a good bit as I really want to encrypt administrative traffic but have not had much luck getting it to work with the latest version. Anyway who has a good workaround or a better plugin to perform this function please drop me a line.

WordPress Security – Defense in depth

WordPress Security posts often focus on mentioning a few magic plugins that you can install to get and stay secure. I use many of these plugins myself but they are not silver bullet to keeping your site secure. WordPress like most other technologies being considered from an information security perspective requires defense in depth to do the job right. For those of you not familiar with the defense in depth strategy it means that there is no one magic bullet to get and stay secure. An effective information security program requires a layered approach of multiple techniques to help mitigate the risk of any one control suffering a failure.

What are the different layers of WordPress Security?

Client Security –If the PC you administer your WordPress site on becomes infected with a keylogger your site is likely to be compromised. An attacker can use a keylogger to capture your WordPress, webhosting account, ftp, or database credentials any of which will cause major security headaches.

Network Security – If you administer your WordPress site or access your webhosting administrative log on page on an insecure network your logon credentials can be intercepted via a network sniffer program. Unless you have taken additional security measures such as encrypting your log in sessions with SSL that means your passwords will be captured in clear text making it easy for an attacker to login with your credentials. That is reason enough never to login to your administrative accounts on a network that may not be secure.

Webserver Security – Most of you are hosting your WordPress site on a shared service and are therefore very reliant on your service provider to take the needed steps to secure their DNS and Web servers. The major way you can influence security in this space is with your dollars and via the hosting companies help desk. If you experience or read about serious security incidents affecting your site you have the option to leave when your hosting contract ends and get your web hosting from a more secure provider.

Database Security – When you first install your WordPress site a MySQL Database is created. This database is the backbone of your site containing the structure and table entries that make your site work so it is essential that the integrity of this database be protected. The primary areas of concern here the database administrator password, managing database versions, and SQL manipulation attacks that could lead to unintended data disclosure.

WordPress Application Security – When you first configure your WordPress site you must select an administrative password to protect your account. It is essential that you follow good password practices when setting this password and be sure to change it promptly if you ever suspect it has been compromised or if your client PC becomes infected with malware. In addition, WordPress updates should also be applied promptly to ensure your site is protected against known vulnerabilities. If you run a WordPress site with multiple contributors it is important that you delegate access using role base security to limit their privileges to only what is necessary to perform their function.

WordPress Plugin Security – WordPress plugins should be considered an application and standard application best practices should be followed. Reference these WordPress plugin security tips when you are installing a new plugin.

Now that you are more aware of the various components that must be taken into account to have a secure WordPress site in the next article I will provide detailed recommendations on how to secure each one of these layers to help keep your site secure.

WordPress Plugin Security – Is it risky to install plugins?

WordPress is loved by the masses because it is free, easy to use, and has 1000s of plugins that add tremendous functionality to the usability of a site. While all this is true and I myself use and love WordPress,  a site owner should also remember that installing WordPress plugins is the equivalent of installing a new application and brings with it increased risk and additional support requirements that must be met to keep a site secure and functioning properly.

Risk #1 – Availability of your site

How extensive has the testing been for the plugin or plugin update you are installing? I have already discussed a recent plugin upgrade incident I experienced while installing a WordPress plugin update that rendered my admin panel inaccessible. Fortunately for me I had backups and was able to restore the admin panel quickly but it is an eye opening experience for any site owner the first time this type of event occurs. A WordPress plugin is only as good as the support and testing that goes into it otherwise it poses a big security risk to the availability of your site.

Risk #2 – Plugin compatibility issues

WordPress plugin developers are a creative bunch but are often limited financially in their ability to test plugin compatibility with different versions of WordPress and different combinations of  plugins. This leaves you as the equivalent of a beta tester if you are an early adopter of a new plugin or a plugin update. This can lead to site performance issues and cause other more important parts of your site to stop functioning correctly.

Risk #3 – Security vulnerabilities that can lead to the compromise of your site

Every plugin installed is additional code installed on your site that increases the complexity of your site and opens additional potential vulnerability sources. This is not meant to scare you as it is important to balance the risk vs. reward of any type of business activity but is only meant to give you additional awareness into the risks.

Risk #4 – Increased administrative burden

Installing a new wordpress plugin should be looked at as both an opportunity and a commitment to stay current with that plugins security vulnerabilities and plugin patches. This leads to an increased administrative overhead and while it is relatively easy to apply a patch most of the overhead comes due to support complexities caused during the 1 time out of 50 when something goes very wrong.

Tips to manage the risks of using  WordPress Plugins:

#1 – Check the plugin support box to make sure your intended WordPress plugin is compatible with the version of WordPress you are running. Avoid installing any plugins that are not supported with your WordPress version unless you are very technically savvy and have a backup/recovery plan.

#2 – Run the latest version of WordPress to minimize your chances of compatibility issues when new plugin updates are released.

#3 – Wait about two weeks to install a new WordPress plugin update unless there has been a critical security exploit that is actively compromising sites. Being on the bleeding edge put you at an increased risk of suffering an outage or causing additional technical troubleshooting that take away from your other site activities.

#4 – Implement a strategy of regular backups and test your backups to ensure your site can be recovered as expected. Failing to test your backups could lead to undesired surprises and unneeded stress during an already stressful time.

#5 – Only install WordPress plugins that you intend to use and remove plugins that you tested but no longer want. It is better to limit your installed plugins to those you need for the operation of your site to minimize additional potential vulnerabilities and plugin updates.

Some security professionals would say you should review all of the lines of plugin code prior to installing a plugin but I believe that is impractical for the average site owner and overkill. This step may be necessary if your site is bringing in the bulk of your business revenue but otherwise follow the security tips outlined above to minimize your chances of having WordPress plugin related problems.

WordPress Security – Plugin update causes wp-admin access problem

WordPress security tips have been on my short list of topics to write about for quite awhile now and I planned to cover them right after focusing on security for popular Smartphone devices. Fate had other ideas. Many people theorize that experience is the best teacher and it is impossible to teach without learning yourself and to a large extent I agree with that. So now that I have experienced my first WordPress plugin update problem I am better prepared to share my learnings and reflections with you.

WordPress plugins are popular and add a lot of functionality to a WordPress site but are potential sources of security vulnerabilities that could lead to your site getting hacked. For this reason I regularly check my admin panel and quickly update my plugins when a new version is released. Today, I caught myself on the bleeding edge of the upgrade curve as I experienced my first ever issue while applying a WordPress plugin update. The end result was that my wp-admin panel was inaccessible and I was no longer able to administer my own site. One of the central principles of of information security is to ensure availability and I no longer had it due to a security upgrade, how Shakespearean!

Lesson # 1 – Don’t panic, you have a current WordPress backup right?

Fortunately for me I have a daily automated backup created so I was confident that I could restore my site with minimal inconvenience (ironically a handy plug in helps me with that). This gave me the peace of mind to be calm and know that I would recover so if you do not perform regular backups I recommend that you do.

Lesson # 2 – You can solve nearly anything with Google, including when a plug in update corrupts your wp-admin section.

Since I had never experienced an issue with a WordPress plug in update before I was not quite sure how to handle the situation. Luckily for me we have Google. On the first page of my search query titled “WordPress plugin made wp-admin inaccessible” I was able to find a quick and easy solution which involved accessing my web hosting file manager, navigating to my site’s plugin directory and renaming the plugin that caused the denial of service on my admin page. After performing these actions my admin panel was again operational.

Lesson #3 – Security patches need time to test most of the time you don’t want to be on the bleeding edge

In the name of all things security I was on the bleeding edge of applying new patches to avoid potential hacker issues. In general that is not a bad approach but security patches themselves may have bugs that can lead to the lack of availability of your systems. It is often a balance to apply an update right away (prevent a hacker) vs. creating a corresponding risk to the availability of your system. For a WordPress site that can be quickly restored this may not be as big an issue but if you were dealing with a mission critical ERP system it would be an altogether different equation requiring detailed development environment testing of the patch.

Information security is always a bit of a balancing act and this is a great example of assessing the risks between being bleeding edge vs. allowing for patch burn in testing time. No matter which approach you choose make sure you have balanced the risks of both scenarios.