Archive for the ‘Security’ Category

Protecting your WordPress admin areas

January 28, 2009

Just in case you are not aware of the things you can do to protect your WordPress admin areas, I highly recommend you take a look over at Smashing Magazine’s article “10 Steps To Protect The Admin Area in WordPress”. While I’ve not done some of the more aggressive suggestions, I’m very pleased that the WordPress developers have made 2.7 so much easier to keep up to date. That can go a long way, plus I no longer have to wait for Fantastico to update their installations on my host.

From this article I was also pleased to run into some lockout plugins. I had thought about the lack of brute force blocking being a problem, but I had not gone so far as to look for a solution. Now, the solution has found me. One of these plugins coupled with a strong password will stop many attacks. If you’re not familiar with what strong passwords are, take a look at RIT’s “How to Choose a Secure Password” (PDF link).

Make sure you read the comments on the post. There’s some good information about both the post itself and other aspects of WordPress security that might be relevant to your situation.


A bit of security by obscurity

January 13, 2009

I’m writing this post in case you are not aware of a couple of “features” of WordPress that concern me. WordPress has decided to include in the HTML head tag:

  1. What version of WordPress is running, and
  2. Hooks for Windows Live Writer

The headers look something like this:

<link rel="EditURI" type="application/rsd+xml" title="RSD"
     href="http://www.yourblog.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml"
     href="http://www.yourblog.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 2.7" />

Sometimes I’m a bit paranoid, but I don’t see any reason to advertise what version of WordPress I’m using. Why put information directly into people’s hands that can tell them what vulnerabilities are in your installation? It’s a simple task to go look up what’s vulnerable in a specific version. Along with that, if you’re not using Windows Live Writer, why expose the manifest and EditURI? Someone has even reported problems with anti-virus software interfering with access to their WordPress blog and potentially tied it back to the Windows Live Writer headers.

These three headers are injected as part of the wp_head() function call that’s typically in the header.php of a theme. We have the choice of removing that function call, which potentially interferes with other header hooks, or we can find some plugins to help us.
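For anyone who would rather not depend on a plugin, here is an added example (not from the original post, and not one of the plugins mentioned below) showing how the same three tags can be removed without touching header.php. WordPress does not write them in wp_head() itself; each one is a callback (wp_generator, rsd_link, wlwmanifest_link) attached to the wp_head action in WordPress core, so detaching those callbacks with remove_action() leaves every other head hook intact. The plugin name and the shf_ function names are my own choices.

```php
<?php
/*
Plugin Name: Strip Head Fingerprints (example)
Description: Removes the generator meta tag and the RSD / Windows Live Writer
             links that WordPress core attaches to the wp_head action.
*/

// Each of the three tags shown above is emitted by a core callback hooked to
// 'wp_head' at the default priority (10). Detaching the callbacks removes the
// tags while leaving the theme's wp_head() call, and every other hook on it,
// in place.
function shf_strip_head_tags() {
    remove_action( 'wp_head', 'wp_generator' );      // <meta name="generator" ...>
    remove_action( 'wp_head', 'rsd_link' );          // <link rel="EditURI" ...>
    remove_action( 'wp_head', 'wlwmanifest_link' );  // <link rel="wlwmanifest" ...>
}
// Themes call wp_head() while rendering the page, long after 'init' fires,
// so 'init' is early enough to detach the callbacks before they run.
add_action( 'init', 'shf_strip_head_tags' );

// The version string is also written into the RSS and Atom feeds through the
// 'the_generator' filter. Returning an empty string there closes that second
// leak; a plain named function is used so this works on WordPress 2.7, which
// predates the __return_empty_string() helper.
function shf_blank_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'shf_blank_generator' );
```

Drop the file into wp-content/plugins and activate it, then confirm the result from outside, e.g. `curl -s http://www.yourblog.com/ | grep -iE 'generator|EditURI|wlwmanifest'` should print nothing. Keep in mind this is still obscurity: the version also sits in the readme.html that ships in the WordPress root, so keeping the install patched matters far more than hiding the number.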

I was able to find two nice plugins over at http://blog.taragana.com:

Two uploads and two activations later and my concerns are soothed.

Filtering Post Content

January 10, 2009

Every now and again I run across information that really shouldn’t be put on the web. Typically, there are references to missionaries in sensitive areas – people and places that shouldn’t end up co-located in a search engine. When the reference is in text it becomes my job to remove the reference (often having to rewrite the content to make it work with the reference removed). When the reference is part of an audio recording I’ll typically not put the audio online (it’s a fair amount of work to parse through an audio clip and either chop out or blank over the sensitive information). We don’t have a specific policy on this, yet. I’m wondering if anyone else is thinking about this and what you might be doing about it.