I'd Rather Be Writing » security

WordPress Tip: Making Your WP-CONFIG File Secure

Tom Johnson — Wed, 15 Sep 2010 05:18:33 +0000

A lot of people don’t realize that they’re missing unique authentication keys in their WordPress’s wp-config.php file. These unique authentication keys will help keep your WordPress site more secure. In this screencast, I show you how to add the necessary authentication keys.

http://www.youtube.com/watch?v=eKqXDV5gJEo

Blog Sponsors

WordPress Tip: Avoid Getting Hacked through Bluehost’s cPanel

Tom Johnson — Sat, 27 Feb 2010 16:19:16 +0000

It’s always hard to tell exactly why or how a site gets hacked. One of the WordPress sites I created for a client kept getting hacked. I took more extreme security measures, changing the database table prefix, adding an htaccess file to wp-admin that filtered IP addresses, adding a plugin to encrypt logins, adding a firewall, moving wp-config to another directory, and other measures. I thought the problem was with WordPress.

Then last weekend, I checked the site, and it was totally gone. Completely? Yeah, completely. I logged into cPanel and the entire database had been deleted. Previous hacks had just deleted all posts, pages, and users tables in the database. Now the hacker turned it up a level and deleted the entire database.

I looked at the log files and noticed that an IP address from Calgary rifled through the client’s cPanel and finally deleted the database. After about 30 minutes with Bluehost tech support, the support person mentioned that someone had requested the password to be sent to the email address on file. It’s common to have a retrieval method in case you forget your password. Almost every website with a login offers this. Somehow the hacker retrieved the password this way — either by retrieving it from the client’s email or through another method (intercepting it?).

I pressed the support rep about the security and encryption for the password retrieval tool, and he did say that you can request the password for any domain by plugging in https://www.bluehost.com/cgi/forgot?domain= or http://www.bluehost.com/cgi/forgot?domain= and adding your domain after the = sign.

He then said, ”I think our issue might be from our password request tool. I am reporting it now.” But he also suspected that the client’s email account had been compromised. He said changing the password may solve the problem entirely.

I don’t know if the password retrieval method is a common way to hack a site. But it’s a sneaky way to gain access. You may have a 25 digit hexadecimal alphanumeric password for your web host account, but probably not for your email. And do you really use different passwords for email, Facebook, Twitter, and the 75 other websites you log into? Guess one password and you probably have access to nearly all of them. With access to email, all you have to do is retrieve the password from the web host, and within minutes you have access to the MySQL database, where all posts and pages are stored.

What I’ve learned from the experience is to immediately look at the log files. As hard as log files are to read, log files allow you to trace the path of the last visitor to the site. You can look at the origin of the IP address through who.is. The log files tell you what part of your site the hacker visited. If the entry point is cPanel rather than your site, you might ask support if someone retrieved the password on your account. (The information about the password retrieval is something only tech support knows — it’s not in the log files.)

So after hours of looking at WordPress for the security vulnerability, going through theme code, plugins, and everything else, it turns out the vulnerability was with Bluehost”s password retrieval and the client’s email account. The hacker was getting in through cPanel, not WordPress.

It’s not such an alarming problem, though. Because even if your entire site gets hacked and deleted, the web host usually backs up the site once a week or so. The worst scenario is that you’ll lose the last couple of posts (which you can retrieve via email if you’re subscribed to email delivery of your posts).

The real issue is getting hacked repeatedly and not knowing where the security vulnerability is. My advice is to look at the log files, who the last visitor was, and where they entered the site. Did they hack into WordPress or cPanel? Find out if someone retrieved the password. Is your email password easy to guess? Is it the same password that you use everywhere?

3/2/2010 update: A user in the comments informs me that the password retrieval tool is not part of cPanel but rather Bluehost. I had assumed otherwise. Sorry cPanel.

Blog Sponsors

Your WordPress Site Can Get Hacked If You Don’t Have This

Tom Johnson — Wed, 27 May 2009 01:00:54 +0000

I helped another person whose WordPress site was hacked this weekend. I’ve noticed a trend about sites that get hacked. Most of the people installed their WordPress blog either long ago, before the right security phrases were included in the wp-config.php file, or they installed WordPress through an auto-installer that didn’t insert the right security phrases.

The wp-config.php file is the key file that contains your database name and password. It’s the file that makes the WordPress files talk with your MySQL database, where all your posts and pages are stored. wp-config.php has also been upgraded with stronger security phrases over the past couple of years.

If you have a self-hosted WordPress site, FTP into your root directory and download the wp-config.php file. Then download the latest copy of WordPress from WordPress.org and compare the wp-config-sample.php file in the WordPress download with your version of wp-config.php. After the database, username, and password details, there should be a section of security phrases that looks as follows:

* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
*
* @since 2.6.0
*/
define (‘AUTH_KEY’, ‘put your unique phrase here’);
define (‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define (‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define (‘NONCE_KEY’, ‘put your unique phrase here’);

If you don’t have these security phrases, just go to the URL provided and the site will automatically generate random, difficult strings for each of the security phrases. Paste the phrases into your file.

Note: Even if you have the latest version of WordPress (2.7.1), if you’ve been upgrading for the last couple of years, you might have omitted upgrading the wp-config.php file, since the upgrade instructions say to leave it alone. If so, check to see if you have all the security phrases in there.

I’m sure there are dozens of ways to hack a WordPress site, but certainly not having these security phrases puts your site at risk.

Caution: While you’re editing the wp-config.php file, make sure you don’t have any extra spaces at the bottom of the file. For some reason, if you have even one extra space at the bottom, you’re site will show an error about retrieving “headers already sent.” Also, if you add the character code enforcement at the top, you may suddenly see funny characters in your site where apostrophes and other character marks appear. Enforcing a character set is optional.