
Thread: Important Reminder for those who use WordPress

  1. #1
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Exclamation Important Reminder for those who use WordPress

    Just a reminder, if you are using WordPress, make sure you at least once a month, if not once a week apply any updates to the core, plugins and/or themes.

    Also, if you are not using a plugin or theme, not only deactivate it from the site, but also remove the files and folders from the server. In the root of your WordPress install, after every update look for "readme.html" and DELETE IT; it tells hackers what version you are running. (Try it: go to http://mydomain.com/readme.html if you have WP.)

    I just came across a WP site that is version 3.2.1 (current is 3.5) that doesn't have any extra plugins or themes installed, yet it was hacked. How do I know what was installed? Part of the hack was a pretty powerful hack script that let me view all files on the account, which means if I wanted to, I could have also looked at the database login and fully accessed the site's database, all from within the SINGLE hack file on the server.

    This tool not only lets you read, but also lets you write anywhere that a regular script file can write to (if you are on a cPanel environment, the default is any file on your user account, INCLUDING email still sitting on the server). And it does have a nice built-in tool to find ALL writeable files and directories that it can.

    So yes, it is easy to set up, just keep it cleaned and updated. If you have SSH access and know how to use it, right before you do any updates, run a command that will list any .php file modified since the last time you ran it. Look for anything you don't recognize and check it out!!!

    Remember, there are sites out there that list what vulnerabilities are on each version of WP and the popular plugins and they know what to look for (ie, the readme.html I mentioned earlier).

    And if you are hacked, remember, you have to check most everything on your account, not just where you found the hacked files.

    -Greg
    This space intentionally left blank.
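    The two housekeeping steps from the post above (delete readme.html after every update, and list .php files changed since the last check) as an added POSIX shell example; this is not code from the thread. It assumes the WordPress document root is passed as the first argument and uses a marker file whose mtime records the last run.

```shell
#!/bin/sh
# Added example, not from the thread. Usage:
#   list_changed_php /path/to/wordpress /path/to/.last_php_check
#   remove_readme   /path/to/wordpress
# The marker file is an assumption of this script: its mtime is the
# "last time you ran it" baseline that find -newer compares against.

# Print every .php file under $1 modified since the marker $2 was last
# touched, then touch the marker so the next run only shows newer changes.
list_changed_php() {
    wp_root="$1"
    marker="$2"
    if [ ! -f "$marker" ]; then
        # First run: there is no baseline yet, so report everything
        # once and start the clock from now.
        find "$wp_root" -type f -name '*.php' | sort
    else
        find "$wp_root" -type f -name '*.php' -newer "$marker" | sort
    fi
    touch "$marker"
}

# Remove the version-disclosing readme.html that a core update re-creates.
# Returns 0 if a file was removed, 1 if there was nothing to remove.
remove_readme() {
    wp_root="$1"
    if [ -f "$wp_root/readme.html" ]; then
        rm -f "$wp_root/readme.html"
        return 0
    fi
    return 1
}
```

Run list_changed_php right before applying updates, as the post suggests, and inspect every path it prints that you do not recognise.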

  2. #2
    Junior Member
    Join Date
    Aug 2012
    Location
    Houston, TX
    Posts
    1

    Default

    Thanks for the information!

  3. #3
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    I will try to remember to update this thread any time a new update comes out..

    Current version is now 3.5.1 which does include some fixes for security vulnerabilities.

  4. #4
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    A good blog post by a friend of mine:

    Should you upgrade WordPress?
    February 19, 2013 by Tim Priebe

    http://www.tandswebdesign.com/2013/0...ade-wordpress/

    My personal comment on Tim's article:
    It is better to have a WP install that breaks from an update and have to fix it than to sit with an exploitable copy and then have your ISP shut you down for sending hundreds of spam messages or having a phishing page placed on your site you don't know about.
    Last edited by Greg K; February 19th, 2013 at 06:41 AM.

  5. #5
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Still at version 3.5.1, but wanted to let those who use WordPress know about the following...

    Huge attack on WordPress sites could spawn never-before-seen super botnet
    The [hackers] are using more than 90,000 IP addresses to brute-force crack administrative credentials of vulnerable WordPress systems
    http://arstechnica.com/security/2013...-super-botnet/

    So if you haven't lately, make sure you are up to date on everything, and anything you don't need is removed. Make sure you have strong passwords on all WP user accounts (as well as your hosting account logins).

    PS, if you have trouble making up strong passwords, when I have to change a bunch, here is what I use... http://www.pctools.com/guides/passwo...word_generator

  6. #6

    Default

    Thanks for sharing Greg K

  7. #7
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Oh yeah, forgot to update this thread, 3.5.2 is now available.

  8. #8
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Latest version just released, 3.6

  9. #9
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Just released: WordPress 3.6.1
    WordPress 3.6.1 is also a security release for all previous WordPress versions and we strongly encourage you to update your sites immediately.

  10. #10
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Wordpress 3.7 was rolled out yesterday.

  11. #11
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    Wordpress is now up to version 3.8


  12. #12
    Senior Member Greg K's Avatar
    Join Date
    Apr 2002
    Location
    Upper Arlington, Ohio
    Posts
    578

    Default

    I haven't updated this so much anymore, as if you were current on WordPress, it now does the minor updates automatically by default.

    However, if by chance you are still running an older copy and/or disabled the auto updates, it is very important to get updated ASAP, there was a major vulnerability fix that was just released yesterday, and of course, along with that, publication of how to do it.

    This is a particular reason why the auto updates are nice. The current version is 3.9.2; the patched version for the previous major version is 3.8.4 (the auto update will not take you from 3.8 to 3.9; that is still something you have to do).

    For those who want to read the technical side of the issue, see here: http://mashable.com/2014/08/06/wordp...ml-blowup-dos/

    -Greg

  13. #13
    Senior Member
    Join Date
    Apr 2008
    Location
    N.C. - Raleigh/Sanford/Pinehurst
    Posts
    514

    Default

    As always, good info Greg. Thanks for keeping us updated
    Jerry Thomas
