WordPress Security Tips - Unsecured Forms and Plug-ins
(Page 5 of 5)
Beware of installing plug-ins and using forms on out-of-date WordPress versions; doing so increases your site's risk of attack by MySQL injection.
The test for a plug-in is simple. Great plug-ins are rated highly on Wordpress.org. Also, read the comments of the plug-in users. If the rating is great and comments are good, then most likely the plug-in does not have security issues.
A while ago I was talking about forms; these are the most common malware injection entry points. The best way to sort out this issue is to sanitize user input. Discussing the PHP scripts you can use to filter bad user inputs is beyond the scope of this tutorial. The essence is: filter user input before it goes to the database.
When a user submits malicious code, a blog with this security measure in place returns an error, so the data entered is not passed to the database but sent back to the user.
Most older contact form plug-ins are not protected from this problem, so it is worth the time spent double-checking this issue. Also, once the database has been hacked, the attacker gains access to the passwords of all users, including the admin, and this information can (and probably will) be used to hack user accounts and gain administrative access throughout the blog.
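As an added illustration (not code from the article or from any particular plug-in), here is a minimal contact-form handler written the way the article recommends, with the unfiltered pattern beside the filtered one. It assumes it runs inside WordPress (so $wpdb, the sanitize_* helpers and nonce functions exist); the table name, nonce name and function names are hypothetical.

```php
<?php
// Added example, not from the original article. Assumes it runs inside
// WordPress and that a table {$wpdb->prefix}contact_messages with columns
// name, email and message exists (hypothetical names).

// UNSAFE: raw $_POST values are interpolated straight into the SQL string.
// A single quote in any field ends the string literal, so the rest of the
// value is parsed as SQL instead of being stored as data.
function demo_save_message_unsafe() {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_messages';
    $wpdb->query( "INSERT INTO $table (name, email, message)
        VALUES ('{$_POST['name']}', '{$_POST['email']}', '{$_POST['message']}')" );
}

// SAFE: check the form really came from our page, filter every field, and let
// $wpdb->prepare() bind the values so they can never be read as SQL.
function demo_save_message_safe() {
    global $wpdb;

    // The form must have been printed with wp_nonce_field( 'demo_contact_form', 'demo_nonce' ).
    if ( ! isset( $_POST['demo_nonce'] )
         || ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_contact_form' ) ) {
        wp_die( 'Invalid form submission.' );
    }

    // Filter user input before it goes anywhere near the database.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    // Return an error to the user instead of storing bad data, as the
    // article describes.
    if ( '' === $name || ! is_email( $email ) || '' === $message ) {
        wp_die( 'Please enter a valid name, e-mail address and message.' );
    }

    // Only the table prefix (configured by the site owner, not the visitor)
    // is interpolated; every user-supplied value goes through a %s placeholder.
    $table = $wpdb->prefix . 'contact_messages';
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (name, email, message) VALUES (%s, %s, %s)",
        $name, $email, $message
    ) );
}
```

Hooking demo_save_message_safe() to the plug-in's form action (for example via admin_post_* or a shortcode handler) is left to the plug-in; the point is that every field is filtered and bound before the query runs.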
Exposed WordPress Plug-in Directory
Again by default, the WordPress plug-in directory located in /wp-content/plug-ins/ is visible to the public. This will again raise some security issues, as these plug-ins could be poorly written and have security risks. Hackers can then exploit their weaknesses to gain access to your blog.
The best way to correct this problem is to create a blank HTML file, name it index.html, and then upload it to the plug-ins directory.
The result is that when someone tries to view the list of plug-ins you are using by browsing to /wp-content/plug-ins/, the browser shows a blank page.
Detailed steps:
Open Notepad or any plain-text editor.
Do not put anything in it; just leave it blank.
Save it as index.html
Upload it to /wp-content/plug-ins/
Open the directory using a browser; it should give a blank page.
I hope you've found this information for securing your WordPress blog or website against hackers helpful. Be careful out there!