Saturday, November 29, 2008

Top Ten Wordpress Security Tips

Below are 10 security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you rely on to protect your own blog from WordPress security issues.

1. Upgrade WordPress - In general, keeping your WordPress installation up to date is the easiest way to avoid known problems. Do note that the latest version, especially in the case of major upgrades, may cause more problems than it resolves.

2. WordPress Version - The generator tag in your header.php displays the version of WordPress you are running. Since anyone can learn your version this way, your blog is an easy target for attackers if you have not upgraded to the newest version, so remove the tag rather than advertise the version.

3. WordPress Username - Every hacker knows WordPress has a user "admin" with god-like administration privileges. Slow the hackers down by removing the "admin" user: create a new WordPress user with administrator privileges through the administration interface, log out of WordPress, log back in as the new user, and delete the admin user. The new admin user should be different from your normal post author.

4. WordPress Password - Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters long and contains just numbers and letters. Make it complex and longer than 10 characters if you can. Also, avoid dictionary words; make it a nice jumble of letters, numbers, and symbols.

5. Prevent Directory Listing - In many WordPress installations it is possible to view a list of installed plugins by navigating to the /wp-content/plugins/ directory. This is not a good idea, as known plugin vulnerabilities can then be exploited easily. Add an empty default index file, such as index.html, to the directory. You can also protect it using an .htaccess file, assuming you're using Apache.

6. Protect Your WP-Admin Folder - You can protect your WordPress admin folder by allowing access to it only from a defined set of IP addresses. Everything else will bring up a Forbidden error message. So if you routinely access your blog from only one or two places, it's worth implementing. Note that you're supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog.

7. Protect From Search Engines - There is no need to have all of your WordPress files indexed by Google, so it's best to block them in your robots.txt file. Add the following line to your list:

Disallow: /wp-*
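The two .htaccess fragments that tips 5 and 6 describe, written out as an added example (not part of the original post) in Apache 2.2 syntax with the 2.4 equivalent in comments; the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders for the locations you actually administer from.

```apache
# /wp-content/plugins/.htaccess  (tip 5)
# Turn off automatic directory listings so the plugin list is not
# exposed even when no index.html is present.
Options -Indexes

# /wp-admin/.htaccess  (tip 6)
# This is a NEW file inside wp-admin; do not replace the root .htaccess.
# Placeholder addresses: replace them with the IPs you really use.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.0/24

# Caveat: plugins that call wp-admin/admin-ajax.php from the public
# site would break for visitors outside the list, so exempt that file.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>

# Apache 2.4 equivalent of the three access lines above:
# <RequireAny>
#     Require ip 203.0.113.10
#     Require ip 198.51.100.0/24
# </RequireAny>
```

Both fragments need the host's AllowOverride setting to permit Options and Limit directives; where it does not, Apache answers every request with a 500 error until the file is removed.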

8. Install Login Lockdown WordPress Plugin - This plugin records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range.

9. Install WordPress Database Backup Plugin - You should always take regular backups of your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as any other tables of your choice in the same database.

10. Install WordPress Security Scan Plugin - The WP Security Scan plugin attempts both to audit your blog's security and to implement many of the suggestions mentioned above.

Tuesday, November 25, 2008

Disable WordPress Autosave Plugin

Autosave is the best WordPress feature that I hate. Autosave stores a copy of the post or page being edited every 60 seconds, provided the content in the editor has changed. However, there is only ever a maximum of one autosave version for any given post: each new autosave overwrites the old one. Autosaves are stored as a special type of revision, so a more recent autosave never overwrites the actual published content; it is used only to restore unsaved work when necessary.

While each post revision is stored in its own database table, the autosave is stored only once, with the previous version overwritten by the newly autosaved content. So if you're worried about your database growing to massive proportions because of autosave, you can stop worrying.

These are methods that disable or delay the WordPress autosave function. The easiest way is to use a plugin. The disabling plugin works with versions 2.3 through 2.7, while the delay configuration works with 2.5 and later.

Copy the text below into a text file, name it whatever you want (with a .php extension, of course) and upload it to your WordPress plugins directory. Activate it and it works immediately, but you need to clear your browser cache:

<?php
/*
Plugin Name: Disable autosave
*/
// Remove the autosave script from every admin page, so the post editor
// never sends the periodic (60-second) autosave request in the first place.
add_action('admin_print_scripts', 'plugin_deregister_autosave');
function plugin_deregister_autosave() {
    wp_deregister_script('autosave');
}
// Also switch off post revisions. The guard avoids a PHP notice if the
// constant has already been set in wp-config.php.
if (!defined('WP_POST_REVISIONS')) {
    define('WP_POST_REVISIONS', false);
}
?>

Sunday, November 23, 2008

Z-Blog URL Redirect Security Affected Spam Attacks

The Z-Blog system contains a security issue that allows spam attacks on Wikipedia by means of URL redirects.

Z-Blog's anti-spam design encrypts the URL before redirecting to it. The redirect file is named c_urlredirect.asp, and depending on the parameter it is given, this page can redirect to various pages. Unfortunately the encryption used is very simple: one just needs to put the odd characters together. With this method, blackhat SEO operators manipulate redirects on other Z-Blog websites so that they point at their own sites. Thus even if the original address is on Wikipedia's blacklist, the manipulated redirect still works and is used for spam.

The solution to this problem is not easy. The simplest way is to delete c_urlredirect.asp, but that would also prevent the blogger himself from making redirects.

Source. Thanks to Wing for the translation.

Saturday, November 22, 2008

Google Earth Layer Blocked in China

China appears to have blocked access to the popular internet mapping service Google Earth. Google Earth is a virtual globe program that displays satellite images of varying resolution of the Earth's surface, allowing users to see things like cities and houses from a bird's-eye view.

Google's map and satellite-photo service offered Chinese Internet users something they rarely could see: a bird's-eye view of the secret compound of Zhongnanhai (located west of the Forbidden City), where the country's top leaders live and work.

But in recent weeks, some layers of Google Earth (such as Google Earth Community) have not loaded or worked in China. The Google Earth Community is an online forum dedicated to producing placemarks of interesting or educational perspectives. It can be found on the Google Earth web page or under the Help section of the program itself. After you download a placemark, it automatically launches Google Earth (if it is not already open) and flies to the area specified by the person who placed it. Once there, you can add it to your "My Places" by right-clicking on the icon and selecting "Save to My Places". Additionally, anyone can post a placemark for others to download, as long as they have an account.

[Screenshot: Google Earth]

When I run a proxy program and open Google Earth again, the Google Earth Community layer is right there; everything is OK.

[Screenshot: Google Earth]

Then I close the proxy program and click the layer again, and it tells me "Fetch of NetworkLink failed(http://mw1.google.com/): Connect Failed."

[Screenshot: Google Earth]

That means the Weather, Gallery and Global Awareness layers are blocked in China. Google Earth Community is part of the Gallery layer, so it cannot be opened any more.

If the Chinese government is blocking its own citizens from seeing where their leaders live, while the rest of the world can see just fine, we're talking about some major institutional paranoia.