Archive for the ‘Security’ Category

IP Logger WordPress plugin review

Sunday, January 24th, 2010

IP Logger Review

Plugin Name: IP Logger v.2.8
Date of review: 24th January 2010
Rating: 3.0
Author profile: M. Retzlaff
WordPress plugin directory link: IP Logger

The “IP Logger” WordPress plugin records every visitor to your site in a separate MySQL table in your WordPress blog database. The stored visitor information includes the IP address, user agent, country code, country name, city, etc. A convenient graphical presentation of that data is available via an admin dashboard widget. The data can be exported in CSV or XML format. The plugin also offers a feature for blocking undesirable visitors.


How to change WordPress User Role capabilities

Sunday, November 22nd, 2009

User Roles

Every WordPress blog owner knows that the standard user roles in WordPress 2.8 and higher are: Administrator, Editor, Author, Contributor, Subscriber.
What is the difference? What can an “Author” do that a “Contributor” cannot? Comprehensive information about it can be found here, at WordPress.org.
But where is all that data stored? How do you change a role if you really need to? Interested? Read this article and you will get some answers to those questions. Recently I ran into the following problem on a multi-author blog. A user with the “Author” role can upload images to the blog server, but cannot use them in his/her posts. Any HTML tags are immediately removed from the post text after the “Author” saves the draft or post.

WordPress 2.8.6 Security Release Details

Saturday, November 14th, 2009

WordPress 2.8.6 Security Release

The WordPress 2.8.6 Security Release has been published. The official page at wordpress.org doesn’t say much about it, just that:
2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended. The first problem is an XSS vulnerability in Press This. The second problem is an issue with sanitizing uploaded file names that can be exploited in certain Apache configurations.
Are you curious which changes were made to the PHP source code? Let’s discover the WordPress 2.8.6 Security Release details together.

Limit Login Attempts 1.4.1 WordPress Plugin Review

Tuesday, November 10th, 2009

WordPress Plugin Review

Plugin Name: Limit Login Attempts v.1.4.1
Date of review: 10th November 2009
Rating: 4.8
Author profile: Johan Eenfeldt
WordPress plugin directory link: Limit Login Attempts

The “Limit Login Attempts” WordPress plugin limits the number of wrong login attempts possible through the normal login dialog as well as (for WordPress 2.7+) through the cookie authentication mechanism.

Login LockDown WordPress plugin Review

Saturday, September 19th, 2009

WordPress Plugin Review

This review covers the Login LockDown v.1.5 WordPress plugin.
Date of review: 19th September 2009
Rating: 4.0
Author profile: Michael VanDeMar
WordPress plugin directory link: Login LockDown

According to the author’s description, the Login LockDown WordPress plugin adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. The plugin records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that IP range. This helps to prevent brute-force password discovery.
After testing and using it on a live site, I confirm that the Login LockDown WordPress plugin really has the functionality declared by its author. But the plugin has some security and usability issues.
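To make the lockout rule described above concrete, here is an added model of it in PHP. It is not the Login LockDown plugin’s own code; the window length, the attempt threshold, the /24 range width and the in-memory store are all assumptions (PHP 8+ syntax):

```php
<?php
// Added example, not the Login LockDown plugin's own code: a model of the rule
// the review describes (failed attempts counted per IP range inside a time
// window; past the limit, logins from that range are refused). Window,
// threshold, /24 range width and the in-memory store are assumptions (PHP 8+).
class FailedLoginLimiter
{
    private array $failures = []; // failure timestamps keyed by IP range
    public function __construct(
        private int $maxAttempts = 5,     // failures tolerated inside the window
        private int $windowSeconds = 300, // look-back window in seconds
        private int $prefixBits = 24      // "IP range" = /24 network
    ) {}
    // Map an IPv4 address to its range key, e.g. 203.0.113.77 -> 203.0.113.0/24
    public function rangeKey(string $ip): string
    {
        $addr = ip2long($ip);
        if ($addr === false) {
            throw new InvalidArgumentException("not an IPv4 address: $ip");
        }
        $mask = (0xFFFFFFFF << (32 - $this->prefixBits)) & 0xFFFFFFFF;
        return long2ip($addr & $mask) . '/' . $this->prefixBits;
    }

    // Record a failed attempt (call after WordPress has rejected the credentials).
    public function recordFailure(string $ip, int $now): void
    {
        $this->failures[$this->rangeKey($ip)][] = $now;
    }

    // True once the range has reached the limit inside the current window.
    public function isLockedOut(string $ip, int $now): bool
    {
        $key = $this->rangeKey($ip);
        $cutoff = $now - $this->windowSeconds;
        // Forget attempts that aged out of the window before counting.
        $recent = array_filter($this->failures[$key] ?? [], fn (int $t) => $t > $cutoff);
        $this->failures[$key] = array_values($recent);
        return count($recent) >= $this->maxAttempts;
    }
}

// Constructed sample: five failures from one /24 within a minute, then checks for
// a neighbour in that range, an unrelated range, and the range after the window.
$limiter = new FailedLoginLimiter();
foreach ([0, 10, 20, 30, 40] as $offset) {
    $limiter->recordFailure('203.0.113.77', 1000 + $offset);
}
var_dump($limiter->isLockedOut('203.0.113.5', 1050), $limiter->isLockedOut('198.51.100.9', 1050), $limiter->isLockedOut('203.0.113.5', 1400));
```

Keying on a whole /24 means one noisy address locks out every neighbour behind the same range (shared NAT, office networks), so the range width is a trade-off between that collateral lockout and attackers rotating addresses.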

WordPress under gpc_10805 attack

Tuesday, September 8th, 2009

WordPress

A lot of information about the latest attack on WordPress-managed sites can be found at:
http://mashable.com/2009/09/05/wordpress-attack/
http://www.netpassiveincome.com/wordpress-mysql-injection-permalink/
http://www.warriorforum.com/main-internet-marketing-discussion-forum/121131-wordpress-mysql-injection.html
http://www.andysowards.com/blog/wordpress/breaking-wordpress-mysql-injection-how-to-fix-latest-attack-evalbase64_decode_serverhttp_referer/
http://www.seanrees.com/2009/09/02/well-an-update-worth-its-salt/
But note that not only WordPress sites are attacked in this manner; look at
http://www.webdeveloper.com/forum/showthread.php?p=1032611
HTML-only sites are attacked by this robot too.

WordPress Security: Silence is golden. Part 2.

Sunday, September 6th, 2009

display_errors OFF

Some shared hosting providers don’t turn off PHP error display by default. If you don’t change this default PHP configuration setting either, your blog has a vulnerability issue or even a security problem. Why do I call it a security problem? Because it can lead to exposure of the absolute path to your WordPress blog installation. Let’s check together. Put this little script into your blog root folder, for example named phpinfo.php:

<?php
// Prints the full PHP configuration page; remove this file once you have checked it.
phpinfo();
?>

Call it from the browser as http://yourBlogURL/phpinfo.php
You will see the standard ‘PHP Info’ page with the values of the various PHP configuration parameters. Now check the display_errors parameter value under the ‘PHP Core’ section.

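As an added example (not part of the original post), the same check can be scripted so it reports display_errors together with the related directives and a verdict for each. The directive names are real PHP ini settings; the “expected” values are the usual production recommendation, and the script is assumed to be dropped next to phpinfo.php and removed afterwards:

```php
<?php
// Added example, not from the original post: report the PHP settings behind
// error exposure with a verdict per setting, then show the hardened values.
// Directive names are real ini settings; the expected values are assumptions
// reflecting the usual production recommendation.

// Return the current error-display configuration with a verdict per setting.
function audit_error_exposure(): array
{
    $checks = [
        // directive             => [expected, why it matters]
        'display_errors'         => ['0', 'errors printed into the page reveal absolute paths'],
        'display_startup_errors' => ['0', 'same exposure for errors raised during PHP startup'],
        'log_errors'             => ['1', 'keep the errors, but in the log instead of the page'],
    ];
    $report = [];
    foreach ($checks as $directive => [$expected, $reason]) {
        $actual = ini_get($directive);
        // ini_get returns "", "0", "off" or "1", "On", "stderr" depending on how it was set;
        // anything that is not an explicit "off" value counts as enabled.
        $lower = strtolower((string) $actual);
        $normalized = in_array($lower, ['', '0', 'off', 'false'], true) ? '0' : '1';
        $report[$directive] = [
            'actual' => $actual === false ? '(unset)' : (string) $actual,
            'ok'     => $normalized === $expected,
            'reason' => $reason,
        ];
    }
    return $report;
}

// Apply the hardened values for this request only; the permanent fix is
// display_errors = Off and log_errors = On in php.ini (or the host's equivalent).
function harden_error_exposure(): void
{
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    error_reporting(E_ALL); // still record everything, just not on the page
}

header('Content-Type: text/plain');
foreach (audit_error_exposure() as $directive => $r) {
    printf("%-24s %-8s %s (%s)\n", $directive, $r['actual'], $r['ok'] ? 'OK' : 'FIX', $r['reason']);
}
harden_error_exposure();
```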