Independent Digital

Creating and managing dynamic websites using Php, MySql, HTML and Wordpress with a bit of PEAR on the side


Upgrading WordPress automatically…what a pleasure!

9 January, 2010 (22:08) | Blogging, Wordpress | By: clive

In the past, I always did a manual upgrade, and it took time, a long time. I would first delete all the files and directories (keeping some), then upload all the new files and directories, and then, if I was lucky, it all worked as before. Mostly not: in the upload phase, due to some unknown issue, something went wrong and one or more files were corrupted. More time to sort it out until eventually I managed to get everything working as before, and then another upgrade came along and I had to go through the whole painful process again. Not anymore, I won't! I'll just do it automatically!

I was hesitant to upgrade automatically at first, but I took a chance and hit the button. Surprise, surprise: literally two or three minutes later my site had been upgraded to 2.9.1. Painlessly, no problems. What a pleasure. Thank you WordPress!


WordPress or Joomla?

26 April, 2009 (14:08) | Blogging, Joomla, Website design, Website layout, Wordpress, cms | By: clive

Setting up a new website but not sure which open source software to use? It very much depends on what you want to do with the website. At the top of the pile of free, open source options are Joomla and WordPress. Both are tried and tested with millions of users worldwide, and both have excellent support forums. So which one is right for you?

If you want a blogging site then I would suggest WordPress: it is first and foremost a blogging package. If you want a CMS (content management system) then go for Joomla, the major open source CMS package. What if your site is a blog with an online store? Then you need software that can manage your content as well as your blog, and both Joomla and WordPress can do that. Both have extensive add-ons (plugins) that extend what your website can do, so the choice can become quite difficult. A good starting point is to look at the available extensions. If you find one that suits your needs, check it out thoroughly: is it popular, what is the support like, and so on. If it passes your scrutiny then go for the software it was created for, WordPress or Joomla.


MySQL general security guidelines. Part 3.

5 March, 2008 (14:01) | MySQL, Security | By: clive

Security-Related mysqld Options

The following mysqld options affect security:

--allow-suspicious-udfs

Controls whether user-defined functions that have only an xxx symbol for the main function can be loaded. By default the option is off, and only UDFs that have at least one auxiliary symbol (xxx_init, xxx_deinit and the like) can be loaded; this prevents attempts to load functions from shared object files other than those containing legitimate UDFs.

--local-infile[={0|1}]

If you start the server with --local-infile=0, clients cannot use LOCAL in LOAD DATA statements. LOCAL reads the file from the client host, so in a web environment an attacker who can issue SQL statements through the application could read any file the web server process can read.

--old-passwords

Forces the server to generate short (pre-4.1) password hashes for new passwords. This is useful only for compatibility when the server must support older client programs; leave it off otherwise, because the old hashes are weak.

--safe-show-database

Deprecated and has no effect: access to database names is now controlled per account with the SHOW DATABASES privilege (see --skip-show-database below).

--safe-user-create

If this option is enabled, a user cannot create new MySQL users with the GRANT statement unless the user has the INSERT privilege for the mysql.user table or for some column in that table.

--secure-auth

Disallows authentication for accounts that have old (pre-4.1) password hashes.

--secure-file-priv=path

Limits LOAD_FILE(), LOAD DATA and SELECT ... INTO OUTFILE to files under the specified directory. Without it, an account holding the FILE privilege can read any file the mysqld process can read and write files anywhere it can write.

--skip-grant-tables

Causes the server not to use the privilege system at all. This gives anyone who can connect unrestricted access to all databases. Use it only for password recovery, together with --skip-networking, and restart without it as soon as the account is repaired.

--skip-name-resolve

Hostnames are not resolved. All Host column values in the grant tables must be IP addresses or localhost.

--skip-networking

Do not allow TCP/IP connections over the network. All connections to mysqld must be made via Unix socket files (or named pipes or shared memory on Windows). This is the right setting when every client runs on the same host as the server.

--skip-show-database

With this option, SHOW DATABASES is allowed only to users who have the SHOW DATABASES privilege, and for them it lists every database. Without it, SHOW DATABASES is allowed to all users, but lists only the databases for which the user has some privilege (or all of them if the user holds the SHOW DATABASES privilege).
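As an added example that is not part of the original post, here is a [mysqld] section of my.cnf that applies the options above to a server whose clients all run on the same host. The data and secure-file directories and the bind address are assumed paths, and the options that should never be set in production are shown commented out so the file records why they are absent.

```ini
# Added example, not from the original post. Paths are assumptions.
[mysqld]
user             = mysql                  # never run mysqld as root
datadir          = /var/lib/mysql         # assumed path; only 'mysql' may read/write it

# Weak state this replaces (defaults of the 5.0-era servers the post describes):
#   local-infile=1, no secure-file-priv, networking on, symlinks allowed
local-infile     = 0                      # no LOAD DATA LOCAL from clients
secure-file-priv = /var/lib/mysql-files   # assumed dir; confines LOAD_FILE(), LOAD DATA, INTO OUTFILE
skip-symbolic-links                       # no symlinked tables
skip-show-database                        # SHOW DATABASES needs the SHOW DATABASES privilege
skip-name-resolve                         # grant tables keyed by IP address / localhost only
secure-auth                               # refuse accounts with pre-4.1 hashes
safe-user-create                          # GRANT cannot create users without INSERT on mysql.user

# All clients are local, so drop TCP/IP entirely. If a remote client is needed,
# remove skip-networking and bind to one interface instead:
skip-networking
# bind-address = 127.0.0.1

# Never set these on a production server:
# skip-grant-tables        (no privilege checks at all)
# old-passwords            (generates weak 16-character hashes)
# allow-suspicious-udfs    (loads any shared object as a UDF)
```

After restarting, confirm what the running server actually applied with SHOW VARIABLES LIKE 'local_infile', 'secure_file_priv', 'skip_networking' and so on, rather than trusting the file; an option misspelled in my.cnf is silently ignored by some versions and rejected at startup by others.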


MySQL general security guidelines. Part 2.

4 March, 2008 (11:21) | MySQL, Security | By: clive

Securing MySQL Against Attackers

The password itself is not sent in clear text when you connect to the MySQL server: as of MySQL 4.1.1 the client proves knowledge of the password with a challenge-response handshake based on SHA-1 hashes, which is far stronger than the pre-4.1 scheme. Upgrade if you are still using an earlier version of MySQL, because the old hashes and handshake can be cracked fairly easily. For those using MySQL Enterprise, the Enterprise Monitor checks the server against best practices for security.

Everything apart from the password handshake, including queries and result sets, is transferred as plain text and can be read by anyone able to sniff the network. The compressed protocol does not help here: compression is not encryption, and an attacker simply decompresses the stream. Use MySQL's internal SSL support to encrypt the connection, or use SSH to get an encrypted TCP/IP tunnel between a MySQL client and the server (see http://www.openssh.org/ for an open source SSH client).

Consider the following in order to improve your MySQL security:

  • Require all MySQL accounts to have a password, and remove the anonymous accounts the installer creates.

  • Never run the MySQL server as the Unix root user: mysqld should run as an ordinary, unprivileged user (the user option in my.cnf).

  • Do not allow the use of symlinks to tables (start the server with --skip-symbolic-links).

  • Make sure that the only Unix user with read or write access to the database directories is the user that mysqld runs as.

  • Do not grant the PROCESS or SUPER privilege to non-administrative users.

  • Do not grant the FILE privilege to non-administrative users; it lets the account read and write any file the mysqld process can.

  • Use IP addresses rather than hostnames in the grant tables, and run with --skip-name-resolve so the server never trusts DNS.

  • Restrict the number of connections allowed to a single account, either globally with the max_user_connections system variable or per account with GRANT ... WITH MAX_USER_CONNECTIONS.
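As an added example that is not part of the original post, the following statements check the items on the list above, and the SSL point from the paragraph before it, from inside the server. They are written for the mysql.user table of the MySQL 5.0/5.1 era the post describes (from MySQL 5.7 the Password column is called authentication_string). The application account 'wpapp'@'10.0.0.5' and the administrative account 'root'@'localhost' are assumed names.

```sql
-- Added example, not from the original post. Run as an administrative
-- account with SELECT on the mysql database; only the GRANTs change state.

-- 1. Accounts with no password, and anonymous accounts (User = '').
SELECT User, Host FROM mysql.user
WHERE Password = '' OR User = '';

-- 2. Accounts still using pre-4.1 hashes (16 hex characters; 4.1+ hashes
--    are '*' followed by 40). These are what --secure-auth refuses.
SELECT User, Host FROM mysql.user
WHERE LENGTH(Password) = 16;

-- 3. Global FILE, PROCESS or SUPER on anything but the admin account.
SELECT User, Host, File_priv, Process_priv, Super_priv
FROM mysql.user
WHERE (File_priv = 'Y' OR Process_priv = 'Y' OR Super_priv = 'Y')
  AND NOT (User = 'root' AND Host = 'localhost');

-- 4. Grant-table entries keyed by hostname rather than an IP address,
--    netmask or wildcard pattern; these stop working under --skip-name-resolve.
SELECT User, Host FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1')
  AND Host NOT REGEXP '^[0-9./%]+$';

-- 5. Per-account connection limit and an encrypted-connection requirement for
--    the application user (assumed name). A limit of 0 means "use the
--    max_user_connections system variable".
GRANT USAGE ON *.* TO 'wpapp'@'10.0.0.5' WITH MAX_USER_CONNECTIONS 20;
GRANT USAGE ON *.* TO 'wpapp'@'10.0.0.5' REQUIRE SSL;
SELECT User, Host, max_user_connections, ssl_type
FROM mysql.user WHERE User = 'wpapp';

-- 6. Whether FILE-privilege operations are confined to a directory at all
--    (an empty value means --secure-file-priv is not set).
SHOW VARIABLES LIKE 'secure_file_priv';
```

Queries 1 to 4 should return no rows on a hardened server; anything they do return is an account to fix. The REQUIRE SSL grant only takes effect once the server has been started with SSL support (the have_openssl or have_ssl variable reads YES), so check that before relying on it.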


Scan your WordPress site with Goolag to detect and fix security holes.

26 February, 2008 (11:41) | Blogging, Google, Security, Wordpress | By: clive

"The Cult of the Dead Cow" announced last week the release of Goolag Scanner, a free open source web-auditing tool. Goolag Scanner enables anyone to examine a website via Google for known security holes. The scanner technology is based on the "Google hacking" techniques developed by Johnny Long of I Hack Stuff. Website owners can use it to detect and correct security flaws in their own sites.

Johnny previously published a collection of these "Google hacks" or "Google dorks" on his website, where they are used by "professional" hackers. Goolag Scanner has now packaged them into an automated GUI tool that lets an unskilled attacker use the very same techniques.

Goolag Scanner is a standalone Windows GUI application with about 1,500 pre-configured Google search queries, or dorks. It searches for links to vulnerable web applications, back doors, or documents containing sensitive information. You can select individual searches or sets of them, and you can restrict the search to your own server or extend it right up to an entire top-level domain. The results are displayed as a list of URLs that can be opened in the browser. Two cautions: if you run too many queries Google may block your IP address, and pointing the scanner at sites you do not own can have legal implications, so restrict it to your own domain.


WordPress themes are a security risk!

25 February, 2008 (20:09) | Blogging, Themes, Wordpress | By: clive

WordPress themes can be dangerous as far as security is concerned, so be very careful when you install any theme. Before downloading a theme consider:

  1. Is the download site official? Avoid third-party download sites; if the source is neither the official theme directory nor the author's own site, check the code carefully before installing.
  2. Is it the latest version?
  3. Are you running the latest version of WordPress?
  4. Do research. Check the net to see whether there are any known security issues with the theme you want to download.

So what are the security issues when using WordPress themes? There are two ways that a theme can become a risk:

1. The first is when someone intentionally ADDS code to the theme. Typically this is code that inserts a link to the distributor's own site: when you display a page using that theme the links are rendered but are usually not visible (see article on spamdexing). The person who included the code is hoping to increase the number of links pointing at his website so that his Google ranking improves. Unfortunately Google will then pick this up and may remove your site from its index. A double whammy! Quite innovative, considering the number of sites using the popular themes. The same distributors also embed code that sends spam (see article on spam and how to deal with it), hosts phishing pages or serves random ads.

2. The second is usually unintentional. The theme author has code in the theme which is not secure and allows an attacker to compromise any website using the theme. A common example is cross-site scripting (XSS) through $_SERVER['PHP_SELF'] echoed without htmlspecialchars(). PHP_SELF includes any extra path the visitor appends to the script name, so a request for /index.php/"><script>alert(1)</script> ends up inside the form tag:

<form id="searchform" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">

The double quote in the injected path closes the action attribute and the rest is rendered as markup, so the script runs in the visitor's browser. A secure version wraps the value in htmlspecialchars(), which turns the quote and angle brackets into entities that stay inside the attribute:

<form id="searchform" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

This problem is usually seen in the:

  • 404 page
  • search page
  • header page

Here are 2 good articles on cross site scripting:

Only download your themes from the official WordPress Theme Viewer or directly from the author's site. Better still, a WordPress search form does not need PHP_SELF at all: point its action at the blog's home URL (bloginfo('url')) and the visitor-controlled path never reaches the page.


WordPress plugins are a security risk!

21 February, 2008 (14:33) | Blogging, Security, Wordpress | By: clive

Be careful when installing plugins. It is a dangerous world out there, with many strange people doing strange things. Not all plugins are dangerous, and neither are their authors. Some plugins, however, have simply not been tested enough, with the result that malicious hackers find flaws they can exploit. They then search the net for WordPress sites running that plugin. When they find one, they're in, and before you know it your WordPress blog is behaving erratically or your database has been deleted.

One example of this plugin security issue is the wp-forum 1.74 plugin. According to the SecurityFocus website, "it is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. [This would allow an] attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database."

Another example is the wp-db-backup plugin, which had a serious vulnerability. Now I am not saying that it is the intention of the plugin author to create plugins containing devious code which allows a security breach. It is more likely that the authors themselves are unaware of the flaw. As far as I know, there is no standardized validation of plugins to ensure that they are not a security problem. So we need to be very careful before we install any plugin. Do research: check the web and the forums to see whether others have experienced security issues with that plugin. If there are no known issues, make sure that you have backed up your website and database before installing it. The WordPress team are continually upgrading WordPress to keep it as secure as possible, so remember that the single most important step you can take to secure your site is to run the latest version of WordPress.

Have a look at this excellent article on plugins and security issues.

Some plugins with known issues

Here's a list of plugins that you can install to make your WordPress blog more secure.


WordPress help – A comprehensive resource list for beginners and seasoned users. Part 6. Customizing your WordPress blog.

21 February, 2008 (09:48) | Blogging, Wordpress | By: clive

Wanting to customize the look of your WordPress blog? Then look at the following articles:

  • Using WordPress Themes – Themes are what gives your WordPress blog its unique (or not so unique) look. This article explains what themes are, where to get them and how to use them.
  • Blog Design and Layout – More on themes plus CSS, plugins and design specifics.
  • Using Pages – All you ever wanted to know about WordPress pages.

The following simple guides will help you customize your WordPress Theme:


WordPress help – A comprehensive resource list for beginners and seasoned users. Part 5. Dealing with WordPress spam, links, comments and other languages.

20 February, 2008 (10:17) | Blogging, Wordpress | By: clive

You’ve installed WordPress, set it up and now it’s running like a finely tuned Ferrari. Here are a couple of helpful articles to help you keep it that way:

  • Introduction to Dealing with Comment Spam – A great intro to spam and what WordPress is doing about it.

  • Moderating Comments – Covers the basics of how you can deal with comments.

  • Using the Links Manager – Explains how you can deal with links on your WordPress blog.

  • WordPress in Languages Other than English – Check this out if you want to use WordPress in another language.


WordPress help – A comprehensive resource list for beginners and seasoned users. Part 4. Setting up WordPress.

20 February, 2008 (09:41) | Blogging, Wordpress | By: clive

Okay, so you have successfully installed WordPress, now it's time to set it up. Have a look at the following for help:

Happy blogging!
