Security in WordPress: Are you still showing YOUR plugins?
February 7, 2008 | Posted by InvestorBlogger | Comments Off
Michael Kwan’s blog was recently hacked by a clever hacker who managed to hide his visit neatly. Michael will tell you all about the story at his blog. This event, plus a couple of other events, has got me thinking about blog security. I’ll be doing a fuller post on my own experiences, ideas and suggestions.
It’s going to be a long post, so it will take some time to put all the pieces together. In the meantime, why don’t you sign up for my feed… so you don’t miss it!
For more interesting articles on running a business, making money, operating your blog, and so on…, subscribe to the RSS feed or email newsletter. There’s a lot more in the Random Walk to Wealth on InvestorBlogger dot com.
Apart from the obvious tactics of keeping your blog software, themes, and plugins up to date, several bloggers have suggested ways to make it more difficult to find out which version of the blog platform, and which plugins, you are actually running.
The typical solution is to add a blank HTML file to the /wp-content/plugins/ directory, which then shows a blank page, or in John Cow’s case a Moo! But I was surprised to learn that this technique does not stop an easy way around it: any plugin you can guess is installed can be discovered quite easily, and its directory listing retrieved, even though the higher-level directory is masked. Take a gander:

(This image was taken from one of my other blogs with the WP-Cache plugin installed and active.)
I found the directory for the wp-cache folder for another blogger who had otherwise masked his plugins directory with the standard blank HTML file. Unfortunately, a determined hacker will be able to figure out which plugins you likely have, rifle through the subdirectory of each plugin to see which files exist, and perhaps hack your blog… I could see the contents of this wp-cache directory, plus all the other ones I knew this blogger to have been using. Mmm! I didn’t think that was particularly secure.
What alternatives are there?
Standard .htaccess
Yes, you could simply use an ‘htaccess’ file to secure the plugins from display but you would have to manually write and upload the file to each and every plugin directory that you already have. This could be done more than ten times on my blog, I think. It would look something like this:
Redirect 301 /index.html http://www.your-domain.com/
Redirect 301 /index.htm http://www.your-domain.com/
Redirect 301 /index.php http://www.your-domain.com/
But I realized that with the most commonly suggested solution to prevent viewing plugins, namely a 301 redirect, it is still possible to view the contents of any directory of any plugin below the directory in which the htaccess file is placed. So even if you place the htaccess in the directory of any particular plugin, some plugins also contain subdirectories (for images, etc.) that will still be visible. Tiring work…, so…
IndexIgnore
If you have a lot of directories in the plugins folder, the simple and easy solution is to create an htaccess file with the following command: “IndexIgnore *” and place it in the /wp-content/plugins folder. This should prevent anyone seeing the listing in that folder or any folders below that level. It generates an error like this:

It’s not very pretty but it’s effective so browsers won’t display the contents. It could also be an opportunity wasted. Why?
HTML file
The standard blank HTML file mentioned above looks something like this:
<HTML>
<HEAD>
<TITLE>Blank Page</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
</HEAD>
<BODY>
</BODY>
</HTML>
Then Michael Kwan suggested adapting it to a page redirect in a chat we were having. He wrote: “…i’m thinking that it’s also possible to do a index.php and then put in a redirect… if you keep this file handy then you can upload it each time you install a new plug-in…” I began to think: What a good way to turn a problem into an advantage! I’m using an HTML file, though, not a PHP file.
The blank HTML file doesn’t show anything, and inadvertent visitors will not know what’s wrong. And the 404s only show that a page was not found. So why waste the opportunity? I’ve adapted some simple code that I use, and it should work a treat. I would like to attribute this code, but I can’t remember where it came from!
Page Redirect
With this page redirect, it’s easy to redirect visitors quickly and conveniently to the most recent posting or indeed any specific page you want:
<html>
<head>
<title>Your Domain</title>
<meta name="robots" content="noindex,nofollow">
<script>window.location="http://www.yourdomain.com";</script>
<meta http-equiv="refresh" content="1; url=http://www.yourdomain.com">
</head>
<body>
<p align="center">You are going to Your Domain Name now…
<br>If the page does not load after 5 seconds or if you are (like me) impatient,
<a href="http://www.yourdomain.com">just click here</a>.</p>
</body>
</html>
The only downside is that you’d have to add this to every plugin directory the first time. But you could easily keep a copy somewhere and copy it to any subsequent plugin directory before you upload the plugin.
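Keeping that copy handy and dropping it into every plugin directory by hand is exactly the step that gets skipped, and it also misses the nested subdirectories (images, css) that the per-plugin .htaccess left exposed. The script below is an added example, not code from the original post: it walks the whole plugins tree on a POSIX shell and copies a template redirect page into every directory that has neither index.html nor index.php, and it can also count how many directories are still uncovered. The paths are passed as arguments; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: copy a placeholder
# index.html into every directory under wp-content/plugins that has neither
# index.html nor index.php, so nested subdirectories (images/, css/, ...)
# are covered as well as each plugin's top-level directory.
# Assumptions: the plugins tree and the template path are passed in as arguments.
set -eu

# True when the directory already carries an index page of either kind.
has_index() {
    [ -f "$1/index.html" ] || [ -f "$1/index.php" ]
}

# Deploy the template into every uncovered directory; print how many were done.
deploy_placeholders() {
    plugins_dir=$1
    template=$2
    count=0
    list=$(mktemp)
    # Walk every nesting level. The loop reads from a file rather than a pipe
    # so the counter survives outside the loop in POSIX sh.
    find "$plugins_dir" -type d > "$list"
    while IFS= read -r dir; do
        if ! has_index "$dir"; then
            cp "$template" "$dir/index.html"
            count=$((count + 1))
        fi
    done < "$list"
    rm -f "$list"
    echo "$count"
}

# Count directories that would still show a listing; run it before and after
# deployment as a quick audit.
count_uncovered() {
    n=0
    list=$(mktemp)
    find "$1" -type d > "$list"
    while IFS= read -r dir; do
        has_index "$dir" || n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Usage: deploy_placeholders /path/to/wp-content/plugins /path/to/redirect.html
```

The placeholder only hides the listing from browsers; it sits beside, not instead of, a server-level `Options -Indexes` in .htaccess and keeping the plugins themselves updated.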
Thanks to Michael Kwan, and others for providing information that helped to write this blog. I’d appreciate any updates on security, so just drop me a line, especially if I got something wrong.
(Post edited for language, clarifications, and so on.)
DashBoard Editor: Changing your Dashboard in Wordpress
November 21, 2007 | Posted by InvestorBlogger | Read these 2 comments
Sometimes as a blogger, I get tired of the traditional feel and look of the Administration Panel, and the slow loading of the Wordpress feeds drives me nuts. I’ve already tinkered with the Administration page before on more than one occasion, but recently, I’ve been trying two plugins that are pretty neat: DashBoard Editor (this post) and MyDashBoard (Thursday).
DashBoard Editor
The first is Dashboard Editor, which is a simple panel that adds a dashboard configuration switch under the Dashboard editor. Currently, I can’t get the website to load but you can try again later.

It’s very simple to operate. And, most importantly, it works in a non-destructive way, so you can simply disable the plugin, and everything’s back to normal.
At the top you will see a text area that you can type in. This text will appear in the dashboard. Formatting is very similar to the bb-code style of posts and pages. If you used to blog in WP1.0+, you will already be familiar with the switches.
Below that area are a number of check boxes, all of which are self explanatory. They will allow you to remove the feeds, incoming links, news and so on. Of course, you can simply clean everything and start from nothing. One of the neatest features is that you can use Plugins, too. If you look at the last switch entitled “Use Sidebar Widgets”, this will create a separate column under your Presentation >>> Widgets menu. Simply create, add or move any widgets you want to show up on the Admin panel.
There are some limitations that you may wish to consider:
1. There’s no obvious way to have a widget in two places, though, i.e. in your Admin sidebar as well as the general sidebar(s). Also, the Admin sidebar is only available to those who log in.
2. If your blog has many users who can register and log in, you may wish to think carefully about the information you enter. For example, putting passwords for your email account in there may not be the wisest thing to do! Currently, there is no way to change the Admin area for different levels of users.
Overall, it’s easy to implement, easy to use, and easy to remove. We are looking forward to the developer adding features in the future!
Techniques: 5 ways to speed up Wordpress
October 6, 2007 | Posted by InvestorBlogger | Read these 7 comments
The last few weeks haven’t been the happiest time for my blog because of hosting issues, network problems, and server problems. But with them out of the way, I came across an interesting article on Lorelle on speeding up your WP installation. So I’m putting this in my ‘Sunday Projects’ category:
The 3 Easiest Ways to Speed Up WordPress
So, in the past 2 weeks I’ve had 3 articles hit the front page of Digg. Let me just tell you, the onslaught of traffic can bring a server to its knees. Over the last many months I’ve learned a thing or two about tweaking WordPress, and while this is not meant to be an exhaustive tutorial on how to survive a Digg, it will give you some tips that can definitely improve your blog’s performance for all of your visitors.
OK, what have I done? Let’s see, I’ve done five things to speed things along.
1. Unused Plugins: Or what do you do when you have more than 30 plugins?
On Lorelle’s advice, I moved ALL my unused plugins to a separate folder in my root folder, out of the way of the Wordpress software. If I need them, I can move them back. If not, why are they there? She noted that they will slow down a WP installation.
2. Unused themes: 49ers?
I also moved my 49 unused themes (some of them quite hideous) to the same location. I don’t know if it made any difference or not, but finding the theme should be much quicker when there is one in the theme presentation folder!
3. My Sidebar
I cut down, removed, and converted elements in my sidebar. I cut down on useless stuff such as Javascripts to online services (I only kept Payperpost, Google Adsense and Analytics, and Alexa). I trimmed my comments and recent posts to only five items each to see how that would fare. Also, I decided only to have twelve categories after all. I simply copied the text from the front page, pasted it into a new post, switched to code view, retrieved that new HTML code, and pasted it into an already used widget. You can’t tell, can you? I also did the same thing to the blogroll. Still can’t tell, can you?
4. Maximum number of posts per page
I trimmed the number of posts on each page to three. Most people have five or even ten, but I can’t at the moment. It slows the server down too much. So I opted for three. It’s not ideal, but…
5. Standard PHP Code
I am slowly thinking of following another of her suggestions: switching 'static' PHP code to its HTML equivalent to speed things up. For example, in this theme, a PHP call for the blog URL and title and so on would require three separate routines for the same information (i.e. the same every time it’s called). I’ve kind of already done it with the sidebar itself. I’m thinking of switching from PHP to HTML for some of the plugins that I use or used to have: such as using a real robots.txt file instead of a plugin, re-adding my signature as HTML with locally hosted images, and so on. I already removed the footer PHP for that reason, and the Archives page has become static HTML, too.
Anyway, we’ll see how it goes. In the meantime, I’d like to thank Jorge at Investing Adventures dot com for keeping an eye on things and giving me feedback when my blog is slow. It was taking 20 seconds or more for a page to load, right now as I type this pages are loading in under 10 seconds. But I’ll keep an eye on the load, speed and traffic over the next few days to make sure things are ‘normal’.
Quotation: Tim Ferriss
September 26, 2007 | Posted by InvestorBlogger | Read this comment
The specialist who imprisons himself in self-inflicted one-dimensionality, pursuing an impossible perfection, spends decades stagnant or making imperceptible incremental improvements, while the curious generalist consistently measures improvement in quantum leaps. It is only the latter who enjoys the process of pursuing excellence.
Tim Ferriss on Being a Jack of All Trades.
Wordpress version 2.3: out and about
September 25, 2007 | Posted by InvestorBlogger | Comments Off
I saw the news, and I wanted to be the first to post about it (I was actually) but I was too tired to do it before I went to bed… That John guy has beaten me to the punch. So here’s my take on what is in the release:
1. Native tagging support allows you to use tags in addition to categories on your post, if you so choose. We’ve included importers for the Ultimate Tag Warrior, Jerome’s Keywords, Simple Tags, and Bunny’s Technorati Tag plugins so if you’ve already been using a tagging plugin you can bring your data into the new system. The tagging system is also wicked-fast, so your host won’t mind.
Ahem… Do I need another system for Google to find even more ‘duplicate’ posts…? I don’t think so.
2. Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you what the latest and greatest is you can use.
This could be seriously useful, as I do get behind with my plugins on the different blogs I manage.
3. We’ve cleaned up URLs a bunch in a feature we call canonical URLs which does things like enforce your no-www preference, redirect posts with changed slugs so a link never goes bad, redirect URLs that get cut off in emails or similar to the correct post, and much more. This helps your users, and it also helps your search engine optimization, as search engines like for each page to be available in one canonical location.
Ah… A link that never goes bad. Should be helpful when I change my options in permalinks (again!).
4. Our new pending review feature will be great for multi-author blogs. It allows authors to submit a post for review by an editor or administrator, where before they would just have to save a draft and hope someone noticed it.
While this is not relevant for my primary blog, I’m looking forward to that feature as an alternative to Role Manager. I’ll be using it on my business website, though, (probably along with Role Manager).
5. There is new advanced WYSIWYG functionality (we call it the kitchen sink button) that allows you to access some features of TinyMCE that were previously hidden.
Some of the features were already available via a keyboard shortcut; I wonder if this is better than the shortcut trick.
Interesting, but I think I will stave off the upgrade till version 2.3.1 comes out squashing the bugs. I may try the release on a minor site of mine, just to play with it.