Security

billbenson
08-20-2009, 11:39 PM
There were a number of back to back security updates in wp recently. I know one webmaster who was hit two days after the security update became available. He hadn't updated yet.

Some people use htaccess for:

A second layer of password protection
filtering by IP (if you only work from home this is best)



Other things can include renaming config files. Not sure how well that works but some people do it


Anybody do anything along these lines and does it give you some additional protection?

vangogh
08-21-2009, 12:43 AM
The second of those security updates wasn't really a security thing. It was more of an annoyance thing. By going to a certain URL someone could click the link to reset the admin password. The password would still be sent to your email. It wasn't a way for them to gain access to your backend. Still it would be very annoying to have your password reset all the time.

If you're interested here are some of the posts I've bookmarked about WordPress security (http://delicious.com/vangogh99/wordpress+security).

The WordPress developers are actually very good about making updates when a security hole is found. For the most recent one they had a patch available the same day and they've made upgrading so easy now that anyone can do it. It's down to clicking two links so you have no excuses not to upgrade.

I can see adding the second layer of password protection, but I think it would annoy me too much. The IP filtering works if you have a static IP. Most of us have IPs that change so you'd have to allow a range of IPs that would include most anyone in your area with the same ISP. If you don't mind changing the IP when you're assigned a new one it'll work. It also means you won't be able to login from any place other than your home.

Renaming config files could be more trouble than it's worth. Other files in WP need to know the name of those config files. You'd have to change those other files and then you wouldn't be able to upgrade since it would overwrite your changes. I'd rather be able to upgrade easily to get the patch.

The best thing you can do is have a strong password that you don't use elsewhere and keep WordPress up to date. There are also plugins available to limit how many times someone can try a password. Another idea is to limit permissions on files to what's absolutely necessary.

Bill here's one you'll like. You can use .htaccess to make sure any attempt to retrieve your config file comes from within your domain.



<files wp-config.php>
Order deny,allow
deny from all
</files>


You can also move wp-config.php one level up from where you installed WordPress and it will still work.

I'm grabbing most of these from the posts I bookmarked, which have plenty more ideas in them.

billbenson
08-21-2009, 01:22 AM
I can see adding the second layer of password protection, but I think it would annoy me too much. The IP filtering works if you have a static IP. Most of us have IPs that change so you'd have to allow a range of IPs that would include most anyone in your area with the same ISP. If you don't mind changing the IP when you're assigned a new one it'll work. It also means you won't be able to login from any place other than your home.

Actually it's not that bad in regards to the password. FF remembers both the wp admin password and the htaccess password. That is a breach, as well, because your passwords are in FF. I don't know how significant that is, but it's better than typing it in. I also work from home, so theft of my pc would be a problem, but not being in an office environment I don't have to worry about that.

As far as IP blocking goes, dynamic IPs usually only change the D block. Hackers are more likely to try to get in from China than someone that is in your neighborhood with the same A, B, and C blocks. I don't see that as an issue.

You are correct, it's a pain if you frequently work from outside your home or office. If it's to work on that monthly business trip, it's easy to change the htaccess for the trip.

At one point I wrote a short script that allowed me to update the htaccess on a bunch of sites. You could do it with a local db, text file, or a remote db. If I had a bunch of sites I was managing I'd do that again now.

Oh, on edit. that code you posted is great. Never thought of that.

For anybody interested, here is the code for restricting your IP to you. It doesn't look at the last part of the IP "D Block", so it could allow a neighbor in, but not somebody out of your area. I use it in conjunction with htaccess password protection and the default admin password in wp or whatever cms. Been doing it that way in oscommerce forever.

<Limit GET POST>
# 198.51.100 is a placeholder prefix (RFC 5737 documentation range).
# Each octet must be 0-255; an out-of-range value such as 266 is a
# syntax error and Apache will refuse the .htaccess.
# Note: <Limit GET POST> restricts only those two methods; other methods
# are left unrestricted unless you drop the <Limit> wrapper.
order deny,allow
deny from all
allow from 198.51.100
</Limit>

Substitute the first three segments of your IP in place of the IP above
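To make the effect of that rule concrete, here is an added example (not code from either poster) that models how Apache's "Order deny,allow / Deny from all / Allow from <partial IP>" decides a request. A partial dotted address in Allow from matches every client whose address starts with those octets, so three octets admit a whole /24 (256 addresses), which is exactly the "neighbor could get in" trade-off described above. The helper also validates each octet, which is why a value like 88.234.266 is rejected rather than silently matched. Sample addresses use the RFC 5737 documentation range.

```python
"""Model of Apache's ``Order deny,allow`` + ``Allow from <partial IP>`` rule.

Added example for this thread, not code from either poster. A partial
address such as ``88.234.26`` matches the whole 88.234.26.0/24 block.
Octets outside 0-255 are invalid, so ``88.234.266`` raises an error.
Sample values use the RFC 5737 documentation range (198.51.100.0/24).
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


def partial_ip_to_network(partial: str) -> ipaddress.IPv4Network:
    """Turn an Apache-style partial address ("A", "A.B", "A.B.C" or "A.B.C.D")
    into the network it implicitly covers (/8, /16, /24 or /32)."""
    octets = partial.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"{partial!r}: expected 1 to 4 octets")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"{partial!r}: octet {octet!r} is not in 0-255")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")


def is_allowed(client_ip: str, allow_from: Iterable[str]) -> bool:
    """With ``Order deny,allow`` and ``Deny from all``, a request passes only
    when at least one ``Allow from`` entry matches the client address."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in partial_ip_to_network(p) for p in allow_from)


def addresses_admitted(allow_from: Iterable[str]) -> int:
    """How many distinct client addresses the allow list lets through, i.e.
    how much wider than 'just me' the rule really is. Overlapping entries
    are collapsed so they are not counted twice."""
    nets = [partial_ip_to_network(p) for p in allow_from]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    allow = ["198.51.100"]  # constructed: first three octets of "my" address
    for client in ("198.51.100.77", "198.51.101.77"):
        print(client, "allowed" if is_allowed(client, allow) else "denied")
    print("addresses admitted:", addresses_admitted(allow))
```

Run it as-is to see one address in the same /24 pass and one outside it fail; swap in a four-octet entry to see the count drop to 1, which is what a static IP buys you.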

vangogh
08-21-2009, 02:06 AM
I guess my thinking on the IP blocking is that anyone in the same C-block would still have access. Of course that still does eliminate most people. I have noticed with my IP the C-block also changes at times. At least I think it does.

Maybe it's not such a bad solution. I still think I would get annoyed with the extra password. Even the extra click in FF would get on my nerves. It's a good security solution though.

billbenson
08-21-2009, 01:10 PM
I guess my situation is a little different as I only sign in for a couple of sites and I don't shut my computer off very frequently so it's a once a week sign in. I do have to sign in multiple times for admin in oscommerce as it times out. You probably are in and out of different sites which is more of a pain. It's also probably a bad idea for clients of yours. I also do a lot of local development which requires no security. I do find working locally a nice option when practical.

vangogh
08-21-2009, 01:56 PM
Unfortunately my DSL connection is not all it should be. I get disconnected and reconnected with a different IP much more than I should. If the IP was static or didn't change too often it wouldn't be a big deal. My computer is on most of the time, but I am logging in and out of different sites all day.

With clients it would be hard. I could always set things to allow two different C-blocks, but I bet I'd end up dealing with support calls for why a client can't login to their site from the coffee shop down the road.

There are plenty of other ways to harden the admin side of WordPress though.

billbenson
08-21-2009, 02:13 PM
I don't think the C block changes much, but it's probably ISP dependent. I know a guy in LA who uses it and if an ISP was changing them frequently, you would think a large ISP in an area like LA would. I know when I've purchased dedicated IP's from my host, they bought them in blocks and had no choice but to get the same C block.

For a client, it wouldn't make sense unless they ask for it.


There are plenty of other ways to harden the admin side of WordPress though.
What other things do you do?

vangogh
08-21-2009, 03:00 PM
I could be mistaken about the C-block changing. I'm going on memory of my DSL connection at my last place, which for a time did go down frequently when the modem was old. I think the C-block would change at times, but I may simply be remembering wrong.

I don't do all that much to harden WP on my site. Just some basic things like the aforementioned keeping WP up to date and using very strong passwords. If I do see an IP hitting my site a lot in the logs I'll search on the IP and may end up blocking it. I have the usual spam protection to prevent spam comments (not really a security thing though). I do check permissions on files to not allow more access than needed and I like the idea of moving wp-config.php up a level, though I haven't done that yet.

I also backup my files and database just in case something does happen and I have to rebuild the site.

I've been collecting the info I linked to above for awhile, but really haven't implemented as much of the advice as I should. This thread is serving as a reminder that I should give all those posts I bookmarked a read and start implementing more of the suggestions.

vangogh
08-21-2009, 04:00 PM
Bill you may want to watch this video on WordPress security (http://wordpress.tv/2009/07/11/brad-williams-security-montreal09/). It's from a half hour presentation and mentions some of the things we've been talking about here along with some other ideas. There's a link to the right of the video to see all the slides, since you won't be able to read them while watching the video.

Thought you might be interested.

billbenson
08-21-2009, 06:49 PM
I'll take a look at the video VG.

I think where some of this becomes crucial is if you have a lot of websites. Not client websites. I'm not saying client sites, as at some point that becomes the clients responsibility.

For me, one important site. IP blocking isn't a big deal and daily backups work as well.

If you are an affiliate webmaster with 30 wp sites. That's a problem. While the updates are easy, being proactive rather than reactive when a problem occurs allows you to do the update in your own time. Also, some updates have bugs. It's nice to wait some period of time before doing the update.

So, you have to take a balance of risk vs practicality.

I used to use IP blocking without a problem. I put it up again yesterday. I still have htaccess password protection on that site and always have. I'll post here if C groups change. I think it's pretty rare, but I'm sure it does happen.

vangogh
08-21-2009, 07:34 PM
IP blocking through .htaccess is actually one of the things mentioned in the video. I think he even called it his favorite tip. Maybe I'll have to rethink things.

Let me know what you think of the video. The wordpress.tv site has a lot of other good videos too.

billbenson
08-22-2009, 01:45 AM
Nothing terribly surprising, but good info. The plugin that looks for changes in your website (if that's what it does) is interesting. It would be particularly helpful if it looks at all the file names, size, and dates on your site and keeps that as a benchmark. Then uses that benchmark to look for file additions or changes. I wonder if there is a generic script for that out there that works for any site?

Changing the table name seems to make sense, although I was told by someone pretty knowledgeable that the name change isn't terribly effective.

Moving or renaming the config files makes a lot of sense to me. It would be nice to put them above root, which is where you should also put a htaccess password if you have one (I do).

I always use a password generator and generate complicated passwords including punctuation 12 characters long. I keep them in an Excel file.

I did a quick search for security saving passwords in FF. The biggest problem there appears to be people prying into your pc locally. You can apply a password to keep out people trying to look at your password list. I also saw something that said potentially someone could remotely get into your firefox list. Unless I see something that really says "don't save passwords in FF" I'm going to continue to do that. Just too much of a pain otherwise. There is a FF plugin for saving them more easily as well.

And to me, I like the htaccess IP blocking.

While it depends on your application, how you work etc., I think it makes sense to implement some or all of these. With the ease of use and popularity of WP comes a lot more hacking attempts. The day you forget to do a backup is the day you will get hacked. Probably should do that in a cron job, but I never have. There are some scripts that will email you the backups as well.

I've been hacked twice. Once they got credit card info. I quit storing that on the site. Early versions of oscommerce allowed that and I didn't know any better at the time.

The other time I was hacked, they hacked the entire server. Every index page on the server was changed to a Saddam Hussein Arabic thing. I couldn't have prevented that one, but I had to reload a bunch of sites. The host said they got in through a site on the server that had weak passwords. They started mandating the use of a password generator after that. I'm sure they made other changes as well.

Oh, as a footnote, you really should use security on a wireless router if you have one. If you don't have visitors connecting from their laptops, MAC address filtering is the best.
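The "generic script" asked about above is straightforward to write. Here is an added example (not the plugin from the video, whose internals the thread does not describe, and not either poster's code): it records a baseline of every file under a web root (relative path, size, modification time and SHA-256 digest), then compares a later scan against the baseline and reports added, removed and modified files. The sample site layout inside demo() is constructed for the demonstration. Keep the baseline file outside the web root so anyone able to write to the site cannot also rewrite the record of what the site should look like.

```python
"""Baseline-and-compare file integrity check for a web root.

Added example for this thread; not the plugin shown in the video and not
code from either poster. The directory layout in ``demo()`` is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> dict:
    """Walk ``root`` and return {relative_path: {size, mtime, sha256}}."""
    root = Path(root)
    record = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        record[path.relative_to(root).as_posix()] = {
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "sha256": file_digest(path),
        }
    return record


def save_baseline(record: dict, dest) -> None:
    Path(dest).write_text(json.dumps(record, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def compare(old: dict, new: dict) -> dict:
    """Paths only in ``new`` are added, only in ``old`` are removed, and in
    both with a different digest are modified. Size and mtime are kept for
    reporting, but the digest decides 'modified': a tampered file can keep
    its original size and timestamp."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(
        p for p in set(old) & set(new) if old[p]["sha256"] != new[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a tiny constructed site, baseline it, change it, and diff."""
    with tempfile.TemporaryDirectory() as site_dir, tempfile.TemporaryDirectory() as safe_dir:
        site = Path(site_dir)
        (site / "wp-content" / "themes").mkdir(parents=True)
        (site / "index.php").write_text("<?php // constructed sample front controller\n")
        (site / "wp-content" / "themes" / "style.css").write_text("body { margin: 0 }\n")
        baseline_file = Path(safe_dir) / "baseline.json"  # kept outside the web root
        save_baseline(scan(site), baseline_file)

        # Simulate what a later scan might find: one file edited in place,
        # one unexpected file appearing, one file gone.
        (site / "index.php").write_text("<?php // constructed sample, contents changed\n")
        (site / "wp-content" / "extra.php").write_text("<?php // constructed unexpected file\n")
        (site / "wp-content" / "themes" / "style.css").unlink()

        return compare(load_baseline(baseline_file), scan(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

For real use, call scan() on the site directory from a cron job, save the first result as the baseline, and on each later run compare() the fresh scan against it and mail yourself anything non-empty; after a legitimate upgrade, re-save the baseline.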

vangogh
08-22-2009, 12:50 PM
We had pretty much the same impression of the video. Nothing too surprising, but some good info and new tips nonetheless. I liked the mention of that same plugin and need to install it and see what it does. It doesn't exactly prevent anything, but it does make for a good early detection system.

billbenson
08-23-2009, 01:25 AM
I tried moving wp-config up a level and:
include("../wp-config.inc"); for the config file.

It found the config and connected, but gave me a "headers already sent" error. If I looked at the source it had a <br /> at the top of the page before the error. Any idea why moving it and putting it in an include would do that? The config file isn't echoing anything.

vangogh
08-24-2009, 01:20 AM
I don't think you needed the include. Why did you add or change that? From what I understood WP will look for wp-config where expected and if it doesn't find it then it will look one directory up on its own. I think everything else would work as usual.

With the headers it's not necessarily that the file needs to echo something. The headers in the error message aren't something that needs to be printed to the screen. However the header info usually needs to be the very first thing in the file. In order for the file to send the html for the <br /> I believe it needs to send header information.

billbenson
08-24-2009, 01:48 AM
I wanted to do it via the include to put it up two levels - above the root directory. That is only accessible via ftp. I don't think it is necessary, I was just trying it.

You're correct, the headers are the first thing to be sent to a page. If you try to send after that you will get that error. What I don't understand is why moving the file and accessing via an include would cause the error. The file would be accessed and acted on at the same time whether it is in an include or in the config file in its default location.

Again, I'm just curious as to why, I'm really not going to try to do this, it's overkill.

If you are putting it above root and your blog is in a subdirectory, you are going up two levels, not one. The idea of putting passwords etc above root is because it's not accessible from the site.

vangogh
08-24-2009, 01:56 AM
I'm guessing that wp-config sends out headers and by having the <br /> before the include you were then sending out html headers. When wp-config tried to send out headers they had already been sent.

I understand now what you were doing with the include. Moving wp-config up a level makes sense if you installed WP in root, but if you installed it in a subdirectory I guess you lose much of the benefit of moving wp-config.