» wordpress security</h1> <article> <h1>WordPress admin cracking script shows importance of security</h1> <p>j-atchison — Mon, 30 Nov 2009 20:44:41 +0000</p> <p>I stumbled on a very interesting article floating around Twitter this morning, one worth pointing out I believe.</p> <p>The short write up, titled <em><a href="http://isc.sans.org/diary.html?storyid=7663">Distributed WordPress admin account cracking</a></em>, exposes a malicious script which was written specifically to crack WordPress admin passwords.</p> <blockquote><p>The acquired script is written in PHP and performs brute force cracking attempts to WordPress admin accounts</p> <p>[...]</p> <p>Now, the interesting thing about the script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer’s ID ($colo).</p></blockquote> <p>There is nothing new or revolutionary about this script. If you have a beefy password and are up-to-date (2.8.6 as of today!) there’s no reason to worry. But I believe this illustrates the importance of doing everything possible to secure your website.</p> <p><a href="http://www.jaredatchison.com/files/2009/11/wp-bruteforce2.png" rel="shadowbox[post-122];player=img;"></a>In my last post, I embedded <a href="http://jaredatchison.com/2009/11/wordpress-security-tips/">Brad’s WordPress security presentation</a> he gave at WordCamp NYC. It contains simple yet effective ways to secure your WordPress installations – definitely worth a quick look.</p> <p>I’ve had a few people ask me what are the quickest/easiest ways to get started securing their WP site. Almost every single thing in Brad’s presentation is important, but in my mind 2 things are the most important and can be executed in a matter of minutes.</p> <p><strong>Delete your ‘admin’ account</strong>. Yes, that’s right. Nuke it. Scripts such as the one mentioned above try to gain access to your website by logging into the admin account – the account with the user name <em>‘admin</em>‘. Create a new account, something like RobSmith (or anything other than admin!), give it admin privileges, and then delete the default admin user. You will thank me later.</p> <p><strong>Don’t use wp_ as your default prefix</strong>. You probably don’t remember, but when you were flying through WordPress’s famous 5 click install one of the options it asked you for was the default WordPress prefix to use with the database. That’s right, I figured you didn’t remember. By default it’s set to <em>wp_</em> – this should be changed. If you have already setup your blog, you can change it using some phpmyadmin trickery, but make sure you know what you are doing first.</p> <p>As WordPress becomes even more mainstream (gasp!) it will continue to be attacked by script kiddies and other nefarious characters. However by staying up to date and taking the appropriate steps to secure your site, you really don’t have anything to worry about.</p> </article> <article> <h1>WordPress Security Tips</h1> <p>j-atchison — Thu, 19 Nov 2009 23:21:44 +0000</p> <p><a href="http://twitter.com/williamsba">WDS-Brad</a> from <a href="http://webdevstudios.com/">WebDevStudios</a> had a good presentation on WordPress Security at Wordcamp NYC. Here’s the slideshow:</p> <div style="width: 425px;text-align: left"><a title="WordPress Security - WordCamp NYC 2009" href="http://www.slideshare.net/williamsba/wordpress-security-updated">WordPress Security – WordCamp NYC 2009</a> <p> </p> <div style="font-size: 11px;font-family: tahoma,arial;height: 26px;padding-top: 2px">View more <a href="http://www.slideshare.net/">presentations</a> from <a href="http://www.slideshare.net/williamsba">Brad Williams</a>.</div> </div> </article> </main></body></html>