Protecting Your WordPress Site from Exploits

If you have not upgraded your WordPress installation lately, there is no better time than now.  The latest hacking attempt targets older versions of WordPress and overwrites the siteurl field in the database so that visitors are sent to the hacker's site instead of yours.

Upgrading is as simple as clicking a link in the dashboard.  When a new version of WordPress is available you will see a notice near the top of your dashboard.  To manually check for an update click Tools, Upgrade.  Plugins will show in the Upgrade list and will also have a bubble over the Plugins menu option indicating the number of plugins that have updates available.

It is important to install these updates as soon as they are available to reduce the risk of a hacker exploiting your website.  These updates generally include bug fixes and security patches.

In addition to keeping your site up to date with the most current version of WordPress and all plugins, it is a good idea to maintain individual user accounts for everyone who needs access to your website rather than sharing one general login.  Do not give users any more access than necessary.  WordPress comes with four default Roles in addition to the Administrator role.  A complete list of Roles, with a chart showing the privileges associated with each, can be found in the WordPress Codex.

For added protection of your database credentials, it is recommended that you change the permissions on your wp-config.php file to 600, which makes the file unreadable and unwritable by anyone except the owner.  If your server settings do not permit 600, the next best option is 644 (the default setting applied during installation).

You can further deter hacking attempts by adding the following to your .htaccess file, which tells the web server to refuse any direct request for wp-config.php:

<files wp-config.php>
order allow,deny
deny from all
</files>
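The following is an added shell example, not code from the original post, that automates the two hardening steps just described: it audits the mode of wp-config.php (accepting only 600 or 644), tightens it, and appends the .htaccess deny rule only when it is not already present so the script can be re-run after every upgrade. It assumes a Linux host with GNU coreutils (stat -c) and an Apache configuration that honours order/deny directives in .htaccess; the function names are my own. Note that 600 only works when PHP runs as the file's owner (suPHP, FastCGI per-user setups and the like); if the web server runs as a separate account it must still be able to read the file, which is the case where 644 is needed.

```shell
#!/bin/sh
# Added example (not from the original post): audit wp-config.php permissions
# and add the .htaccess deny rule idempotently. Assumes GNU coreutils (stat -c)
# and an Apache 2.2-style configuration that honours "order allow,deny".

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when wp-config.php has one of the two acceptable modes (600 or 644),
# 1 otherwise. Group- or world-writable modes expose the database credentials
# to every other account on the host.
check_wp_config_mode() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        600|644) return 0 ;;
        *) echo "$1 has mode $mode; expected 600 or 644" >&2; return 1 ;;
    esac
}

# Tighten to 600 unless the caller asks for 644 (needed when the web server
# runs as a different user than the file owner), then re-check.
set_wp_config_mode() {
    chmod "${2:-600}" "$1" && check_wp_config_mode "$1"
}

# Append the deny rule to the site's .htaccess unless it is already there,
# so repeated runs never duplicate the block. Prints how many copies exist.
add_htaccess_deny_rule() {
    htaccess="$1"
    if ! grep -qi '<files wp-config.php>' "$htaccess" 2>/dev/null; then
        cat >> "$htaccess" <<'EOF'
<files wp-config.php>
order allow,deny
deny from all
</files>
EOF
    fi
    grep -ci '<files wp-config.php>' "$htaccess"
}
```

Source the file and call the functions against your site root, for example `set_wp_config_mode /var/www/html/wp-config.php` followed by `add_htaccess_deny_rule /var/www/html/.htaccess`; after tightening to 600, load a page to confirm the site still renders, and fall back to `set_wp_config_mode /var/www/html/wp-config.php 644` if it does not.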

If your site is attacked…

Hopefully you have been keeping regular backups of your website.  Some web hosts include backup services with your hosting plan.  If you do not have recent copies of your website and database, email your host and ask whether they have a backup of your site from the last few days.

If you have backup files, you have the option of deleting all of your site files and re-uploading the uncorrupted files from the backup, as well as dropping the tables in your database and re-importing the backup MySQL file.  This is an extreme solution, but depending on the severity of the compromise it may be necessary.

At a minimum you need to do the following after restoring your site:

  • change your database password immediately
  • change the password for all users in your WordPress system
  • change the Unique Keys in your wp-config.php file (this will invalidate all existing cookies and force all users to log in again)
  • correct the permissions on your wp-config.php if they are anything other than 600 or 644
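Editing the Unique Keys by hand is easy to get wrong, so here is an added shell example, my own and not from the post, that rotates every `define('..._KEY', ...)` and `define('..._SALT', ...)` line in wp-config.php with a fresh 256-bit value after taking a backup of the file. It assumes the stock single-quoted define() layout (shown in the test data), and that /dev/urandom and od are available. The set of key names varies by WordPress version, so the script rotates whichever it finds rather than a fixed list; hex output is used so that no character special to sed or to PHP string literals can end up in the file.

```shell
#!/bin/sh
# Added example (not from the original post): rotate every unique key/salt
# define() in wp-config.php so that all existing login cookies become invalid.
# Assumes the stock single-quoted form
#   define('AUTH_KEY', 'put your unique phrase here');
# and that /dev/urandom and od exist (GNU/Linux or BSD coreutils).

# 64 hex characters (256 bits) from the kernel CSPRNG.
new_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# List the key names defined in the file, one per line, e.g. AUTH_KEY.
list_wp_keys() {
    grep -oE "^define\('[A-Z_]+_(KEY|SALT)'" "$1" | cut -d"'" -f2
}

# Print the current value of one define() (used to verify the rotation).
wp_key_value() {
    sed -n "s|^define('$2', *'\([^']*\)');.*|\1|p" "$1"
}

# Replace the value of one define() by writing a temp file and moving it
# over the original (portable across GNU and BSD sed).
rotate_wp_key() {
    file="$1"; key="$2"; secret=$(new_secret)
    sed "s|^define('$key', *'[^']*');|define('$key', '$secret');|" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Back the config up once, rotate every key found, and print how many
# were rotated so the caller can sanity-check the result.
rotate_all_wp_keys() {
    file="$1"
    cp "$file" "$file.bak"
    for key in $(list_wp_keys "$file"); do
        rotate_wp_key "$file" "$key"
    done
    list_wp_keys "$file" | wc -l | tr -d ' '
}
```

Run `rotate_all_wp_keys /var/www/html/wp-config.php` once the restored files are in place; everyone, including you, will be logged out, which is the intended effect. Delete the .bak copy once you have confirmed the site loads, since it holds the old keys.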

Testimonials Plugin Updated – v3.1

There have been several suggestions for added features for the WP-Testimonials plugin.  Version 3.1 is now available that addresses many of the most common requests.

This update includes these changes:

  • Modified HTML to use blockquote and cite for formatting
  • Added option to set number of random testimonials in sidebar
  • Added ability to give access to non-administrators
  • Added option to sort page by user defined sort order

Download the latest version

Long awaited WordPress 2.5 is here

It’s here. It’s here. WordPress 2.5 is here. For those who haven’t been keeping up with the development, this newest version features a cleaner interface, widgets for the dashboard, tag management, search pages in addition to posts, easier plugin upgrades and tons more.

I upgraded my site tonight and so far nothing has broken. The development folks say there were very few changes to the database, so most plugins that were compatible with 2.3 should remain compatible with 2.5.

My first impressions are:

  • I love the new, cleaner dashboard
  • The one-click plugin upgrades ROCK
  • Built-in galleries look like a great addition, but I haven’t played with it yet

I can’t see anything that jumps out and screams “woah – why did they do that?”. Everything I’ve poked at so far makes perfect sense and it’s obvious the amount of time and thought that went into this release.

Thanks to the WP team and everyone involved with contributing, testing, documentation and development.

Testimonials plugin listed in WP directories

The WP-Testimonials plugin is now listed in the Plugins directory of WordPress Extend. The feedback has been positive so far and I am pleased so many users are giving it a download.

A few people have said the table wasn’t created automatically when the plugin was activated. This is something I did not have happen during development testing, so I am not sure what is causing the problem. The people who encountered this were knowledgeable enough to create the MySQL table manually, but it’s certainly something I want to resolve. I will be looking into it and if I find the issue, I will release an update.

Testimonials plugin released for WordPress

Several people have contacted me looking for a testimonials plugin for WordPress. Most times, they found my site because of a similar testimonials plugin I developed for Geeklog a while back. I searched around for a bit and could not locate a plugin like this for WordPress. So, I decided to create one.

The plugin is online and available for download from the WP-Testimonials page. I have also submitted it to the WordPress plugins directory and am waiting to hear back.