The Core

Why We Are Here => Web Development => Topic started by: Torben on April 26, 2012, 09:56:08 AM

Title: WordPress security tip
Post by: Torben on April 26, 2012, 09:56:08 AM
Quick security tip for WordPress

add a .htaccess file to the uploads folder (/wp-content/uploads) with the following content:

<Files *.php>
deny from all
</Files>

This will prevent hackers from executing uploaded php files.
Title: Re: WordPress security tip
Post by: thesaintv12 on April 26, 2012, 01:10:40 PM
Nice one.  Thank you.
Title: Re: WordPress security tip
Post by: JasonD on April 26, 2012, 04:45:32 PM
I am curious if a file called

test.php.gif

with the following contents

<?php
phpinfo();
?>

will still be able to be executed if uploaded into the uploads directory?

My experience says it will run just fine....
Title: Re: WordPress security tip
Post by: ukgimp on April 26, 2012, 07:36:58 PM
Thanks Torben.

I will add that to my increasing list of Wordpress securing tips

http://www.ukgimp.co.uk/2011/09/05/securing-wordpress-installation/

Jason, won't you need to add a file type to allow execution of php within it for it to run?
Title: Re: WordPress security tip
Post by: JasonD on April 26, 2012, 07:40:22 PM
try it and see Rich
Title: Re: WordPress security tip
Post by: Torben on April 27, 2012, 07:18:56 AM
I just tested it and test.php.gif will not run on my server
Title: Re: WordPress security tip
Post by: Torben on April 27, 2012, 07:31:58 AM
I just tested this again on a cheap host and it did run the test.php.gif as PHP, so I guess it depends on the server configuration
Title: Re: WordPress security tip
Post by: JasonD on April 27, 2012, 08:12:53 AM
It's an old bug that may well have been patched on your up to date server but not on the lower cost host.

IIRC, Apache looks at the extension to see what to do with the file (AddType directive etc) and if Apache doesn't recognise the filename extension it will render according to the previous extension and so on, until there are no extensions left.

While that in itself isn't an issue it does break most regexp based filename upload scripts as they normally only check for the very final extension, not checking to see if there are any earlier ones.

In essence I believe in only allowing certain file types (images), and even then always mangling them somehow to avoid things like Gifar exploits - http://riosec.com/how-to-create-a-gifar
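Putting Torben's tip and the multi-extension behaviour together, here is an added .htaccess example (not from any of the posts above) showing the original glob rule beside a version that matches .php at any position in the filename. The directives are standard Apache and mod_php ones; the regular expression and comments are my own.

```apache
# Added example, not Torben's original snippet.

# Weak form (the original tip): a glob on the FINAL extension only.
# It does not match test.php.gif, which mod_php on some hosts still
# executes because Apache evaluates every dotted segment of the name.
<Files *.php>
    Deny from all
</Files>

# Hardened form: match a PHP extension ANYWHERE in the name, so
# test.php, test.php5 and test.php.gif are all refused.
<FilesMatch "\.(php|phtml|php[0-9])(\.|$)">
    # Apache 2.2 syntax:
    Order Deny,Allow
    Deny from all
    # Apache 2.4 syntax (use instead of the two lines above):
    # Require all denied
</FilesMatch>

# Belt and braces where mod_php is loaded: turn the PHP engine off for
# this directory so nothing here is interpreted as PHP whatever it is
# called. Needs AllowOverride Options (or All); ignored under FastCGI.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

After deploying, request an uploaded test.php.gif from a browser: a 403 (or the raw bytes served as an image) confirms the rule, a phpinfo() page means the host still runs it.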
Title: Re: WordPress security tip
Post by: I, Brian on April 27, 2012, 11:05:40 AM
Jason, do you have any specific tips or references to help better secure Wordpress sites especially?
Title: Re: WordPress security tip
Post by: JasonD on April 27, 2012, 11:20:43 AM
> specific tips

Don't use Wordpress.

That isn't an anti Wordpress issue. I truly believe that WP is as secure (or insecure) as any other mainstream application.
It is simply that because WP is so widespread it is a target worthy of attention and once a flaw has been found it is very easy to scale and you're likely to get hit.

It's the same argument regarding Windows & Mac IMO and Macs are now moving to that same tipping point.

Other than the sarcy comment of use another platform, good old fashioned practices are important. Keep everything up to date and make sure you know what you are working with. This especially applies to plugins.
Title: Re: WordPress security tip
Post by: Torben on April 27, 2012, 12:49:44 PM
> specific tips

Stay away from advanced free/premium themes. WooThemes and other theme vendors offer nice themes but they are often built on their own frameworks, which provide easy customization. However, the complexity of the code makes it more likely that security vulnerabilities will slip in the code.
Title: Re: WordPress security tip
Post by: h00t on April 28, 2012, 02:28:42 AM
especially useful since the recent timthumb attack.

Also worth looking at password protecting the wp-admin area via .htaccess to stop brute force scripts trying for your logins, and also taking up bandwidth.
Title: Re: WordPress security tip
Post by: JasonD on April 28, 2012, 11:56:04 AM
> Basic Auth

Be careful, it is very easy to bypass if done in PHP and potentially other languages too

http://armoredcode.com/blog/bypassing-basic-authentication-in-php-applications/

Title: Re: WordPress security tip
Post by: Fearless_Shultz on May 12, 2012, 10:54:41 AM
I am a total Wordpress whore and use it to build pretty much all of my sites both for myself and clients.

That said, I do agree with Jason's point and if he hadn't already, I would have cited the Mac / Windows argument also. Below is some context in terms of the popularity of WordPress. These stats are from Matt Mullenweg's 2011 State of the Word which is well worth watching. http://ma.tt/2011/08/state-of-the-word-2011/

In terms of security tips, check out these articles and the linked resources http://www.codeforest.net/10-wordpress-security-tips-that-could-save-your-site and http://www.askapache.com/wordpress/htaccess-password-protect.html

Also, Paul Madden wrote a very interesting article a while ago about the potential to mess with a Wordpress site via Webmaster Tools without having to resort to traditional hacking methods. http://www.paulmadden.co.uk/how-to-take-down-a-wordpress-site/