How to Keep WordPress Secure

October 10, 2009

A stitch in time saves nine. I couldn’t sew my way out of a bag, but it’s true advice for bloggers as well — a little bit of work on an upgrade now saves a lot of work fixing something later.

Right now there is a worm making its way around old, unpatched versions of WordPress. This particular worm, like many before it, is clever: it registers a user, uses a security bug (fixed earlier in the year) to allow evaluated code to be executed through the permalink structure, makes itself an admin, then uses JavaScript to hide itself when you look at users page, attempts to clean up after itself, then goes quiet so you never notice while it inserts hidden spam and malware into your old posts.

The tactics are new, but the strategy is not. Where this particular worm messes up is in the “clean up” phase: it doesn’t hide itself well and the blogger notices that all his links are broken, which causes him to dig deeper and notice the extent of the damage. Where worms of old would do childish things like defacing your site, the new ones are silent and invisible, so you only notice them when they screw up (as this one did) or your site gets removed from Google for having spam and malware on it.

I’m talking about this not to scare you, but to highlight that this is something that has happened before, and that will more than likely happen again.

A stitch in time saves nine. Upgrading is a known quantity of work, and one that the WordPress community has tried its darndest to make as easy as possible with one-click upgrades. Fixing a hacked blog, on the other hand, is quite hard. Upgrading is taking your vitamins; fixing a hack is open heart surgery. (This is true of cost, as well.)

2.8.4, the current version of WordPress, is immune to this worm. (So was the release before this one.) If you’ve been thinking about upgrading but haven’t gotten around to it yet, now would be a really good time. If you’ve already upgraded your blogs, maybe check out the blogs of your friends or that you read and see if they need any help. A stitch in time saves nine.

Whenever a worm makes the rounds, everyone becomes a security expert and peddles one of three types of advice: snake oil, Club solutions, or real solutions. Snake oil you’ll be able to spot right away because it’s easy. Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.


Highlight author comments in WordPress

October 10, 2009

commentsA while ago I was looking around for how to make my own comments a different color on my blog. Most of the advice was along the lines of “Add code to check if the commenter’s email is the same as the email address of the blog’s author.” Can you spot the flaw in that logic? If a commenter knows the email address of the blog author, she could use the blog owner’s email address in her comment and get her own comment highlighted. Worse yet, someone could try to discover the blog owner’s email address by trying lots of email addresses until they saw their comments change to a different color.

So I dug a little deeper and found a good answer on this support thread. The trick is simple: instead of checking the author’s email address, check their user id to see if it’s the user id of the blog owner. Pretty smart. After that, it was a simple matter of

1. Changing my theme to add an “authcomment” style

I edited style.css and near the bottom added these lines:

.authcomment {
background-color: #B3FFCC !important;
}

2. Editing my comments.php file to add a little code

My comments.php file had a line that looked like this:

<li class=”<?php echo $oddcomment; ?>” id=”comment…

and I changed it to more or less look like this:

<li class=”<?php
/* Only use the authcomment class from style.css if the user_id is 1 (admin) */
if (1 == $comment->user_id)
$oddcomment = “authcomment”;
echo $oddcomment;
?>” id=”comment…

That’s about it. Now I have a distinctive color for my own comments, so you can quickly scan a thread to see when I circle back around to leave a comment.