Security Quest #16: WordPress Edition

WordPress has released version 2.3.2, which it calls an “urgent security release”. WordPress 2.3.2 contains a total of 7 bug fixes. The security vulnerability would allow someone to see future posts by giving access to draft posts. Sixteen WordPress files were changed in this update.

This version will also suppress some DB error messages to avoid giving out too much information. The error messages will still be displayed if debug mode is enabled. Details on all the changes can be found at Westi on WordPress.

The update was released on the 29th and I got around to installing it this past weekend, along with updating numerous plug-ins. The update wasn’t too tough but mainly because I assumed things would work OK and didn’t do too much testing. I had seven plug-ins to update, although only five were actually in use. Against common sense I updated all the plug-ins and WordPress itself on my test site without doing a backup first. I replaced all the WordPress files rather than picking out the 16 that changed. There weren’t any DB changes but I ran upgrade.php on my test site just to be sure and was told there weren’t any DB changes.

Updating the regular site was just a matter of copying the new WordPress and plug-in files up to the new site. But in this case I did do backups first.

WordPress Update Notifications

With WordPress 2.3, notification about updates began to be included in the admin panel. If WordPress itself needs to be upgraded, there’s a message along the top of the admin panel and down in the footer too. This makes it nice to not have to go looking for updates on a regular basis, even if it doesn’t alleviate the annoyance of the moment when an unexpected update notification pops up. The plug-in page also displays info on plug-ins that are out of date, although this requires the plug-in to be hosted in WordPress.org’s plug-in library.

Some plug-ins don’t provide very much information about the update, so it’s hard to know if it’s worth the update. I’ve avoided updating just because it says there’s a plug-in update. Instead I tend to group them together for when I have time or when I need to install a security related update (like this time). Some plug-ins can update frequently, like the one that was updated twice (at least) this month. I found that out when the update I had downloaded two days previously was out of date when I applied it.

There have also been other little things that make doing updates easier, like a link to deactivate all plug-ins at once.

WordPress Anti-Spam

The Akismet anti-spam plug-in is included with WordPress and it’s probably what most people use. It’s free (for non-commercial use on blogs that make less than $500/mth), so that’s a plus. The actual spam detection process occurs on Akismet’s servers. This means your server doesn’t have to handle the processing, which could be a benefit. But it does mean that if the Akismet servers are busy your comments may not be processed and spam may get through. Paid Akismet users do get priority. Another benefit, at least in theory, is that Akismet can take the knowledge learned as it processes comments for spam and help everyone. I used it at first and have to say it worked well, but it did let some stuff through, especially trackback spam.

I started using Spam Karma 2 back in October and it’s worked almost flawlessly. I seem to recall a comment/trackback or two getting through but can’t remember anything specific. I also can’t recall it eating any legit comments. While the ability to tweak the settings is nearly endless I pretty much stuck to the defaults. The plug-in was just updated in May and the author recently announced another update is pending. But then he says:

This will also likely be the last update to Spam Karma (which should still give us all quite a few months respite from spam). Barring any unforeseeable circumstances, there will be no more compatibility update to try and keep up with WordPress’ habit of breaking compatibility with each of their [numerous] releases. Furthermore, there is increasingly little point in “competing” against Akismet, when it is bundled and marketed as the principal WordPress antispam tool (even if I personally do not like its approach).

It’s probably an unfair comment, but the bundling of Akismet reminds me of the bundling of IE with Windows. (But Akismet is a plug-in, so easily avoided, unlike IE.) Still, Spam Karma 2 will work for the foreseeable future, hopefully through the next couple of WordPress upgrade cycles.

Dozens of other spam tools are available through the WordPress codex.

EMail Address Harvesting

There are several plug-ins available to protect email addresses from being harvested from WordPress. For a while I used the email immunizer plug-in and this seemed to work well. It allows email addresses to be written normally in the post; on output they are converted to their HTML character-entity equivalents, which humans read normally but spam bots scanning the raw HTML do not recognise. But if the plug-in breaks or stops working, the addresses will appear in plain text for the bots as well. I stopped using this simply to reduce the number of plug-ins I used. There are several similar plug-ins at the previous spam tools link.
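As an added illustration (not the plug-in’s own code), here is the entity-encoding technique described above in Python, together with the check a practitioner would want: the encoded page yields nothing to a literal-text scan, but decoding the entities restores the address, so this is obfuscation rather than protection. The regex and the sample address are constructed for this example.

```python
import html
import re

# Matches a plain e-mail address embedded in post text. Constructed for this
# example; the real plug-in's pattern is not known from the post.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def entity_encode(text: str) -> str:
    """Rewrite every character as a decimal HTML character reference.

    A browser renders '&#101;' as 'e', so the address reads normally for a
    human while the raw HTML contains no literal '@' to pattern-match on.
    """
    return "".join(f"&#{ord(ch)};" for ch in text)


def immunize(content: str) -> str:
    """Replace each e-mail address in post content with its encoded form.

    Mirrors the behaviour described in the post: addresses are typed normally
    in the editor and transformed when the page is rendered.
    """
    return EMAIL_RE.sub(lambda m: entity_encode(m.group(0)), content)


def addresses_in_raw_html(content: str) -> list:
    """Addresses visible to a scan of the raw HTML (no entity decoding)."""
    return EMAIL_RE.findall(content)


def addresses_after_decoding(content: str) -> list:
    """The caveat: entity references are fully reversible, so decoding the
    HTML first recovers every address. The encoding raises the bar only for
    scanners that never decode entities."""
    return EMAIL_RE.findall(html.unescape(content))


# Constructed sample post body; the address is a placeholder, not a real one.
SAMPLE_POST = "<p>Questions? Write to webmaster@example.com before Friday.</p>"

if __name__ == "__main__":
    protected = immunize(SAMPLE_POST)
    print(protected)
    print("raw-HTML scan  :", addresses_in_raw_html(protected))     # []
    print("decoded scan   :", addresses_after_decoding(protected))  # ['webmaster@example.com']
```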

Backups

As with any security measures, backups of data have to be included.

The WordPress Database Backup plug-in can be used to back up the WP database. I only use this occasionally as I’ve had some problems with it. If I try to back up all the tables I inevitably exceed the CPU quota with my web host and get locked out for a minute or two. I still use it to back up the basic tables before an upgrade. I also had problems when trying to schedule backups through the plug-in; again, my web host didn’t seem to like it. The plug-in has been updated since I tried scheduling backups, but I’m not entirely comfortable sending a copy of my SQL database through email.

These days I’m more likely to use the built-in WordPress export feature to save all my posts, comments and categories to a local file than use the WPBackup plug-in, although the next two items are my primary backup methods.

I also use my web host’s own backup facility to back up my SQL databases and download the backup to my local computer.

To back up all the files on the site I schedule a nightly backup with Transmit.

WordPress Security Resources & Links

Some additional WordPress security resources:

BlogSecurity.Net – A site with information and tools related to blog security. Most of their content is related to WordPress.

The WordPress Development Blog will bring news of the latest releases.

Help Net Security is a general network security site that contains a lot of WordPress information. Their latest WordPress article is a list of WordPress security plug-ins.

Bad Neighborhood and the Bad Neighborhood blog are primarily SEO related sites, but they include the WordPress Login Lockdown plug-in, which can be used to prevent brute force attacks that guess your WordPress admin password.

This article at Quick Online Tips has 3 suggestions for securing a WordPress blog such as removing the version info from the header and preventing the display of what’s in your plug-ins directory.


Spam Counts

This week’s spam counts:

Primary Mailbox 30-day spam count: 3

This is down one from last week and none of the spam is new, the last one arriving on the 13th.

Public Mailbox 30-day spam count: 176

The total is unchanged from last week but there was plenty of new spam.

Website comment and trackback spam: 7,500

This means there were 96 new ones from last week.


Other News & Links

Some non-WordPress news & links that caught my attention this week.

ArsTechnica.com: Adobe, Omniture in hot water for snooping on CS3 users – A little more info about the snooping being done in Adobe CS3. But no info from Omniture about the curiously crafted URL that the info is sent to.

CNet.com: Problems updating the Flash player in Firefox? Here’s help – The article provides the reasons I hate Flash player. What the rather long article explains is the steps necessary to remove the old, vulnerable versions of Flash Player.

Davidairey.co.uk: WARNING: Google’s GMail security failure leaves my business sabotaged – David had his GMail account hacked due to a vulnerability (since fixed), which led to his domain name being stolen from him.

Dynamoo.com: Js/snz.a – likely false positive in eTrust / Vet Anti-Virus – Another probable false positive which will hopefully be fixed by the time you read this.

Lifehacker.com: How to Selectively Share Google Reader Feeds – There’s been a bit of a dust up over Google automatically sharing the Google Reader shared items with all contacts. Here’s a way to selectively share feeds.

Security Fix – Brian Krebs on Computer and Internet Security (washingtonpost.com) – The Storm worm is now spreading via Google’s Blogspot blogs.

Techdirt.com: Will Patent Battles Make Your Computer Less Secure? – TechDirt is concerned that patents could be used to hold back progress and make PCs less secure.

UneasySilence.com: Lies, Lies and Adobe Spies – No specifics as to what’s going on here, but Adobe CS3 seems to be calling home and trying to obscure exactly what it’s doing by using a website name designed to look like a local IP address.
