Mark on WordPress

WordPress puts food on my table.

Interview with Deutsche Welle on WordPress Security


I recently did a short interview with Deutsche Welle about WordPress security. Listen to it here.

To expand on the topic, here are some of the details that didn’t make it into the final cut of the interview:

If your blog is compromised, you should install the latest version of WordPress, but first you should remove your old files. This is to prevent a hacker from leaving a back door (something like wp-give-hacker-access-forever.php in your WordPress directory). Just dropping the new version over the old version wouldn’t remove a file that a hacker may have added, which is the reason for getting rid of the old files. Once you’ve done that (being careful to back up your wp-config.php and all your wp-content files first), upload a clean install of WordPress. Restore your custom files. Next, look for any user accounts that weren’t there before, or that have higher access than they should. Sort that out. And lastly, scan through your theme/plugin files looking for backdoors or hidden links. This is mostly a manual process, but there are some common things to look for. Most backdoors use the eval() function, so be on the lookout for that!
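The last step above (scanning theme and plugin files for eval() calls and hidden links) is the one that benefits most from a little tooling. The following is an added example, not code from this post or from WordPress: a small Python scanner that walks a directory tree, checks every .php file line by line against a handful of signatures, and reports the file, line number and signature that matched. Only eval() comes from the post; base64_decode(), the shell-execution functions and the display:none link pattern are assumptions about common companions, and the sample tree it scans is constructed inline so it runs offline.

```python
import tempfile
from pathlib import Path
import re

# Line-level signatures for the manual review described above. eval() is the
# one the post names; the others are assumptions about common companions.
# Legitimate code can match too, so every finding still needs a human look.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "shell_exec": re.compile(r"\b(?:system|exec|passthru|shell_exec)\s*\("),
    # a hidden container immediately wrapping a link is the classic hidden-link shape
    "hidden_link": re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.IGNORECASE),
}


def scan_file(path, root):
    """Return (relative POSIX path, line number, signature name) per matching line."""
    findings = []
    text = path.read_text(errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((path.relative_to(root).as_posix(), lineno, name))
    return findings


def scan_tree(root):
    """Scan every .php file below root; returns a sorted list of findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_file(path, root))
    return findings


def _write(root, rel, text):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def run_demo():
    """Build a constructed wp-content tree and scan it (sample data, not a real site)."""
    with tempfile.TemporaryDirectory() as root:
        # a clean plugin file that must not be reported
        _write(root, "wp-content/plugins/hello/hello.php",
               "<?php\n/* Plugin Name: Hello (constructed clean sample) */\n"
               "function hello_greet() { return 'hi'; }\n")
        # a constructed dropped-in file: obfuscated code executed at runtime
        _write(root, "wp-content/plugins/hello/cache.php",
               "<?php\n// constructed sample: obfuscated code executed at runtime\n"
               "eval(base64_decode('cGhwaW5mbygpOw=='));\n")
        # a theme footer carrying a constructed hidden link
        _write(root, "wp-content/themes/demo/footer.php",
               "<?php wp_footer(); ?>\n"
               '<div style="display:none"><a href="http://example.invalid/">sponsored</a></div>\n'
               "</body></html>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, lineno, name in run_demo():
        print(f"{rel_path}:{lineno}: {name}")
```

Run it as-is to see the three findings from the constructed tree, or call scan_tree() on a real wp-content directory; the clean plugin file produces no output, which is the point of keeping the signature list narrow.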

The best way to keep your blog safe is to stay updated with the latest WordPress version! We’ve tried to make it as easy as possible to update (one-click!), and we have big plans for making it even easier in the future.

I’ve never had one of my WordPress blogs compromised, and I don’t do anything “fancy.” I just stay updated.

Reminder: if you’re using WordPress.com or another “hosted” blog solution, they take care of security updates for you. The only thing you need to worry about is choosing an unguessable, complex password.

Written by Mark Jaquith

September 27, 2009 at 5:24 pm

Posted in wordpress


12 Responses


  1. Actually, database integrity should also be verified because it can be used as a way to perform attacks.

    alex

    September 27, 2009 at 5:42 pm

  2. When you say;

    “We’ve tried to make it as easy as possible to update (one-click!), and we have big plans for making it even easier in the future.”

    Are you guys planning on making WordPress update itself? I can’t think of anything that should make updating even easier!

    Coen Jacobs

    September 27, 2009 at 6:54 pm

    • WordPress has been able to update itself since version 2.7! One of the improvements we’d like to make is unified core/plugin updating, including advisement about incompatible plugins.

      Mark Jaquith

      September 28, 2009 at 2:23 am

    • Okay Mark, that’s not really what I meant to say. I was suggesting an automatic (no clicks required) updating function. Of course, I use (and love!) the automatic update functionality that is provided now.

      On the updating plans and advisement about incompatible plugins; can’t wait, it sounds good!

      Coen Jacobs

      September 28, 2009 at 9:09 am

    • I think we’re going to leave automatic updating to plugins for now, at least until we have a system set up to gather user data on plugin compatibility. Upgrading someone automatically and breaking their blog is going to make them really angry at us.

      Mark Jaquith

      September 28, 2009 at 11:57 am

  3. [...] as it shows some interesting aspects of Mark’s work with WordPress. Mark’s article is also recommended, as it gives a few more tips on security that had no room in the interview [...]

  4. I can only add one great plugin, “WordPress File Monitor”, that has already saved my bacon once! It simply scans your WP files’ time stamps and notifies via email and in the dashboard when any changes are made to files.

    You learn very quickly about a hack and exactly which files were compromised – beats manually checking your plugin files in my book :-)

    It is very configurable and allows exclusions for commonly modified files such as error_log, etc. I recently wrote about it among a few others that work great for an overall WordPress security approach.

    Cheers!

    Alex Sysoef

    September 28, 2009 at 7:25 am
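The comment above describes a file monitor that records what a WordPress tree looks like and alerts on changes, with exclusions for files that legitimately change (error_log and the like). The following is an added example, not the plugin’s code and not Mark’s: a Python baseline-and-diff routine that records a SHA-256 digest per file instead of a time stamp (an attacker who drops a file can set its mtime to anything, but cannot make its hash match), then reports added, removed and modified paths while skipping an exclusion list. The exclusion patterns and the sample tree are assumptions, constructed inline so the script runs offline.

```python
import fnmatch
import hashlib
import tempfile
from pathlib import Path

# Files that change during normal operation; assumption: illustrative list only.
DEFAULT_IGNORE = ("error_log", "*.log", "wp-content/cache/*")


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def is_ignored(rel, ignore):
    """True if the relative path, or its bare file name, matches an exclusion glob."""
    name = Path(rel).name
    return any(fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(name, pat) for pat in ignore)


def diff_manifests(baseline, current, ignore=DEFAULT_IGNORE):
    """Report paths added, removed or modified since the baseline, minus exclusions."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if is_ignored(rel, ignore):
            continue
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif baseline[rel] != current[rel]:
            report["modified"].append(rel)
    return report


def _write(root, rel, text):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def run_demo():
    """Take a baseline of a constructed tree, change it, and diff (sample data only)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'demo');\n")
        _write(root, "wp-content/themes/demo/footer.php", "<?php wp_footer(); ?>\n")
        _write(root, "wp-content/plugins/hello/hello.php", "<?php // constructed clean plugin\n")
        _write(root, "error_log", "[notice] first line\n")
        baseline = build_manifest(root)

        # Simulated later state: a file appears under uploads, the footer changes,
        # a plugin file disappears, and the log grows (which must be ignored).
        _write(root, "wp-content/uploads/2009/09/image.php", "<?php // constructed unexpected file\n")
        _write(root, "wp-content/themes/demo/footer.php", "<?php wp_footer(); ?>\n<!-- changed -->\n")
        (Path(root) / "wp-content/plugins/hello/hello.php").unlink()
        _write(root, "error_log", "[notice] first line\n[notice] second line\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

In practice the baseline manifest is saved (as JSON, say) right after a clean install or a verified update and kept somewhere the web server cannot write to, and the diff runs on a schedule; the exclusion list is the knob that keeps the report quiet for logs and caches without hiding a new .php file under wp-content/uploads.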

  5. Hey Mark!

    Great interview! Just for your information, it’s called Deutsche Welle.

    Nick

    September 28, 2009 at 12:59 pm

  6. My issue with this being the standard response is the amount of knock-on effects that updating WordPress has on systems working side by side.

    Generally speaking, themes/plugins/bbPress/forums etc. all get updated after WordPress; and generally there is some time delay between a WordPress update and updates of those systems that connect to it.

    If you take bbPress for example, one of Automattic’s products no less, we went through 4 versions of WordPress before a bbPress release came out that worked with WordPress (and that release went through 8 days of alpha testing and no beta testing of the bug fixes). This left us with the dilemma of upgrading versus taking down the website.

    For me, and I might be alone on this, the biggest issue I have with “you should install the latest version of WordPress” is that it doesn’t take into account older versions of WordPress that are working fine.

    I have 3 websites that run on WP2.5. The sheer amount of work required to upgrade these to WP2.8 and all the coding changes makes it not worth it, but the flip side of it is, I’ve no idea how ’safe’ WP2.5 is because only the latest point release gets patched.

    WordPress is wonderful, but look how many major updates we’ve had in the last 2 years, or more importantly the number of HUGE changes we’ve had to layout / functionality / coding. It becomes more and more of a chore to keep every site updated to the very latest version.

    Steve Bank

    December 14, 2009 at 6:43 am
