Got WordPress? Time to get it hardened – and scan for exploits

Oh, that in the picture above? It’s a control panel that I discovered inside the Free Our Data blog. Click on the buttons and it would let you do pretty much anything you liked in the directory. Though as you may have surmised from the dire layout and colour choices, it’s not WordPress-approved.

Not at all: this is a control panel installed by a hacker, who I suspect used one of the holes in user registration on WordPress to install this. (I surmise that because the blog is on shared hosting, and other WordPress installs on the same host that I know of which didn’t allow user registration haven’t been affected in the same way. If it were an exploit across the whole web server, you’d expect that all the blogs there might be affected.)
You’ll recall that there was a recent scare over WordPress vulnerabilities: pretty much every installation not hosted at WordPress.com was suspected of being at risk.

WordPress is important because it’s so widely used by people who have been looking for a quick, free blog install for their own hosting: getting it running is a cinch if you’ve got MySQL and PHP on your system. It’s widely used, for example, in the civil service, where getting blogs up quickly has become an important consideration.

However, keeping ahead of the hackers is rather different, and over the years there have been multiple occasions where quick updates have been urgently required. There was even one occasion where an update turned out to have been poisoned by a hacker who’d inserted their own stuff into the base code.

It turns out that turning off user registration is probably one of the simplest and most effective ways of hardening WordPress. (Allowing other users to, in effect, have access to your database leaves the way open for privilege escalation that you won’t like.)

And now, some more.

First, there’s been another upgrade to WordPress (it’s now at 2.8.5). The WordPress blog describes it as a hardening release.

Much more important, in my view, is the release of the WordPress Exploit Scanner plugin. Plugins are little extensions to WordPress; and Exploit Scanner is probably the next one you should install. (The first you should install, in my opinion, is Dr Dave’s Spam Karma 2 – which weeds out spam comments more effectively than anything I’ve ever seen, and is specific to your blog.)

The Exploit Scanner does a number of things: it compares your files against the MD5 hashes of the genuine WordPress files for whatever version you’re running; it looks for examples of suspicious code in your files, the three principal ones being the use of invisible text through CSS, the use of iframes to embed code from other sites, and base64 encoding, which can be used to obfuscate entire programs. It will also look through your posts and users to see if there’s anything suspicious or spammy about them.

It was the third of those suspicious behaviours – using base64 encoding – that Exploit Scanner pointed out on the Free Our Data blog, leading me to the control panel pictured above. You could call it an accomplished bit of programming, using just 21Kb to put in a program that will analyse your system for any vulnerabilities, will try to hack your password directory (there’s even a button called BRUTE FORCE – for slogging through trying to get at those passwords), and notes everything potentially weak about your system. Remember, though, that this is the hackers’ tool. Once Exploit Scanner had pointed me there, that part of the hacker’s toolbox was quickly wiped.

I should mention though that Exploit Scanner didn’t notice the files that the hacker had added pointing to a Canadian pharmacy – it is limited to comparing the files it knows WordPress should have against what is actually on disk; files which are there but shouldn’t be, it ignores.
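As an added example (not the plugin’s code, nor anything from the post), here is a small Python version of the two checks described above: a per-file MD5 comparison against a manifest of known-good hashes, extended to report files the manifest never lists (the gap just noted), plus the three code heuristics. The manifest, file contents and paths below are constructed for the example; a real run would use the published hashes for the installed WordPress version.

```python
import hashlib
import re

# Heuristics the post names as red flags (hidden CSS text, iframes, base64);
# they flag code for a human to review, they do not prove compromise.
SUSPICIOUS = {
    "hidden-css": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "base64": re.compile(r"base64_decode\s*\(|[A-Za-z0-9+/]{120,}={0,2}"),
}

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def check_integrity(files, manifest):
    """files: path -> bytes; manifest: path -> known-good MD5. 'extra' lists
    files the manifest never mentions, the case a compare-only check misses."""
    report = {"modified": [], "missing": [], "extra": []}
    for path, digest in manifest.items():
        if path not in files:
            report["missing"].append(path)
        elif md5_hex(files[path]) != digest:
            report["modified"].append(path)
    report["extra"] = sorted(p for p in files if p not in manifest)
    return report

def scan_suspicious(files):
    """Return path -> labels of the heuristics matching that file's contents."""
    hits = {}
    for path, data in files.items():
        text = data.decode("utf-8", errors="replace")
        labels = [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if labels:
            hits[path] = labels
    return hits

# Constructed sample install: one clean core file, one tampered core file, one
# core file missing, one planted in the default theme (paths and hashes made up).
CLEAN_INDEX = b"<?php require './wp-blog-header.php';\n"
SAMPLE_MANIFEST = {
    "index.php": md5_hex(CLEAN_INDEX),
    "wp-settings.php": md5_hex(b"<?php // genuine settings file\n"),
    "wp-login.php": md5_hex(b"<?php // genuine login file\n"),
}
SAMPLE_FILES = {
    "index.php": CLEAN_INDEX,
    "wp-settings.php": b"<?php eval(base64_decode('" + b"QUFB" * 40 + b"'));\n",
    "wp-content/themes/default/planted.php": b'<iframe src="http://example.invalid/"></iframe>\n',
}
```

On a real install, build `files` by walking the WordPress directory with `os.walk` and reading each file as bytes; the `extra` list is where planted pages like the pharmacy files would show up.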

One point about the default WordPress installation – from this experience – is that the hackers hid a stack of pages in the default WordPress theme. Among the security steps worth taking is to install a different theme and delete the default: that might make the hackers’ task more difficult.

A final note: Exploit Scanner, like Spam Karma 2, is donationware. I’m making mine. How much is it worth to you to have a secure installation?
