topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Saturday December 14, 2024, 7:47 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Wordpress and Hackers  (Read 16580 times)

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Wordpress and Hackers
« Reply #25 on: August 24, 2014, 01:09 PM »
Wordpress.com didn't let you install custom plug-ins last time I checked.

Just because they aren't "custom" doesn't mean they've been thoroughly vetted for security. It just means that they're popular enough to be on everyone's radar..

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,885
    • View Profile
    • Donate to Member
Re: Wordpress and Hackers
« Reply #26 on: August 24, 2014, 02:59 PM »
While this is 110% solid advice, it's really hard for most people to do this. Very few people, and even few programmers, are qualified to actually determine security vulnerabilities. It's not easy.

You would not believe how many plugins have known security vulnerabilities, unpatched by their developer, and reported on the plugin's pages on wordpress.org. A little time researching the plugins you are using and any you are thinking of adding, can go far, even if you don't know any PHP.

I have uncovered a ton of them while auditing the security of other people's websites and looking for replacements for those vulnerable plugins.

For example, stay away from SMTP plugins, unless you want your email address and its password displayed in the generated HTML code of your site, in plain text, or stored in plain text in your database. They are all vulnerable. I have not found a single SMTP plugin yet, that isn't.

Do yourself a favor and either handle the sending of mail through your web host, or if that is disabled by your host, change hosting companies. If you are running your own server, don't be lazy. Set it up right, instead of funneling the mail sent from your site through your personal email account with a vulnerable plugin. And if you don't know how to set it up right, pay for hosting and save yourself the headaches.

And yes, I have reported them all to wordpress.org, and nothing has been done about them. They are all still available and still vulnerable.
« Last Edit: August 24, 2014, 03:31 PM by app103 »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Wordpress and Hackers
« Reply #27 on: August 24, 2014, 04:27 PM »
It's not just renamed, it's deleted.  I always make my account first as an admin, then delete the admin account.

But that last part is inspired... :)

Oh, and one more thing I'd forgotten in relation to the admin login- I also automatically lock out anyone that tries to login as admin.  Just because I'm that way.