
Wordpress and Hackers


Stoic Joker:
Wordpress.com didn't let you install custom plug-ins last time I checked.
-Tuxman (August 24, 2014, 12:02 PM)
--- End quote ---

Just because they aren't "custom" doesn't mean they've been thoroughly vetted for security. It just means that they're popular enough to be on everyone's radar.

app103:
While this is 110% solid advice, it's really hard for most people to do this. Very few people, and even fewer programmers, are qualified to actually determine security vulnerabilities. It's not easy.
-Renegade (August 24, 2014, 11:21 AM)
--- End quote ---

You would not believe how many plugins have known security vulnerabilities, unpatched by their developer and reported on the plugin's pages on wordpress.org. A little time spent researching the plugins you are using, and any you are thinking of adding, can go far, even if you don't know any PHP.

I have uncovered a ton of them while auditing the security of other people's websites and looking for replacements for those vulnerable plugins.

For example, stay away from SMTP plugins, unless you want your email address and its password displayed in the generated HTML code of your site, in plain text, or stored in plain text in your database. They are all vulnerable. I have not found a single SMTP plugin yet, that isn't.

Do yourself a favor and either handle the sending of mail through your web host, or if that is disabled by your host, change hosting companies. If you are running your own server, don't be lazy. Set it up right, instead of funneling the mail sent from your site through your personal email account with a vulnerable plugin. And if you don't know how to set it up right, pay for hosting and save yourself the headaches.

And yes, I have reported them all to wordpress.org, and nothing has been done about them. They are all still available and still vulnerable.
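A way to check app103's claim on your own install, as an added example that is not code from the thread or from any plugin it mentions: a must-use plugin (drop the file into wp-content/mu-plugins/) that pulls every option whose name mentions smtp or mail, collects any password-like field stored in plain text, warns administrators about it, and watches the rendered front-end HTML for those values. The option-name patterns, the key-name pattern, the function prefix and the minimum secret length are assumptions; it presumes PHP 7.4+ and that the site does not serve cached pages around WordPress.

```php
<?php
/**
 * Plugin Name: SMTP secret leak check (added example, not from the thread)
 * Description: Finds SMTP/mail passwords stored in plain text in wp_options
 *              and warns if any of them shows up in the rendered HTML.
 */
defined('ABSPATH') || exit;

/** Recursively collect string values whose key looks like a password or secret. */
function ssl_collect_secrets($value, string $path, array &$found): void
{
    if (is_array($value) || is_object($value)) {
        foreach ((array) $value as $k => $v) {
            ssl_collect_secrets($v, $path . '/' . $k, $found);
        }
        return;
    }
    if (!is_string($value) || $value === '') {
        return;
    }
    $parts = explode('/', $path);
    $leaf  = end($parts);
    // Assumed key naming; mail plugins commonly use pass/password/pwd/secret/api_key.
    if (preg_match('/pass|pwd|secret|api_?key/i', $leaf)) {
        $found[$path] = $value;
    }
}

/** "option_name/key/..." => plain-text secret, for every smtp/mail-related option. */
function ssl_plaintext_secrets(): array
{
    global $wpdb;
    // Assumed name patterns; widen them if your mail plugin uses another prefix.
    $rows = $wpdb->get_results(
        "SELECT option_name, option_value FROM {$wpdb->options}
          WHERE option_name LIKE '%smtp%' OR option_name LIKE '%mail%'",
        ARRAY_A
    );
    $found = [];
    foreach ($rows as $row) {
        // WordPress core ships mailserver_pass (post-by-email) with the literal
        // default "password"; that is not a configured secret, so skip it.
        if ($row['option_name'] === 'mailserver_pass' && $row['option_value'] === 'password') {
            continue;
        }
        ssl_collect_secrets(maybe_unserialize($row['option_value']), $row['option_name'], $found);
    }
    return $found;
}

// Front end: buffer the page and log if any stored secret is emitted verbatim.
add_action('template_redirect', function () {
    $secrets = ssl_plaintext_secrets();
    if ($secrets === []) {
        return;
    }
    ob_start(function (string $html) use ($secrets): string {
        foreach ($secrets as $where => $secret) {
            // Assumed threshold: very short values produce too many false hits.
            if (strlen($secret) >= 6 && strpos($html, $secret) !== false) {
                error_log(sprintf(
                    '[ssl] value of option %s appears in the HTML of %s',
                    $where,
                    $_SERVER['REQUEST_URI'] ?? '?'
                ));
            }
        }
        return $html; // output is passed through unchanged
    });
});

// Admin side: surface the plain-text storage itself, regardless of leakage.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $secrets = ssl_plaintext_secrets();
    if ($secrets === []) {
        return;
    }
    echo '<div class="notice notice-error"><p>Mail credentials stored in plain text in wp_options: '
        . esc_html(implode(', ', array_keys($secrets))) . '</p></div>';
});
```

Two caveats on what this does and does not prove. The output check only catches the value emitted verbatim; a password that a plugin HTML-escapes, base64-encodes or splits across JavaScript strings will not match, so a clean log is not a clean bill of health, while a hit is conclusive. And the storage check is the more important half: a plain-text password in wp_options is readable by every plugin, every database backup and any SQL injection anywhere on the site, whether or not it ever reaches a browser, which is the reason app103 recommends sending mail through the host rather than through a relay plugin at all.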

wraith808:
It's not just renamed, it's deleted. I always make my account first as an admin, then delete the admin account.

But that last part is inspired... :)
-wraith808 (August 21, 2014, 07:38 PM)
--- End quote ---

Oh, and one more thing I'd forgotten in relation to the admin login: I also automatically lock out anyone who tries to log in as admin. Just because I'm that way.
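One way to do what wraith808 describes, as an added example that is not wraith808's own code or anything from the thread: a must-use plugin for wp-content/mu-plugins/ that refuses every login attempt naming the user "admin", records the source IP in an option, and answers that IP with 403 for a while. The option name, the function prefix, the lockout length and the use of REMOTE_ADDR are assumptions; it presumes PHP 7.4+ and that, as in wraith808's setup, no real account is called "admin".

```php
<?php
/**
 * Plugin Name: Lock out "admin" login attempts (added example, not from the thread)
 * Description: Any login attempt with the username "admin" fails and the source
 *              IP is refused for a while. Only sensible once no real account
 *              is named "admin".
 */
defined('ABSPATH') || exit;

const LOA_OPTION  = 'loa_blocked_ips'; // assumed option name: ip => expiry timestamp
const LOA_LOCKOUT = 21600;             // assumed lockout length: six hours

function loa_client_ip(): string
{
    // Assumes WordPress sees the client directly. Behind a reverse proxy or CDN,
    // REMOTE_ADDR is the proxy's address; use the forwarded header you trust instead.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Current lockout table with expired entries dropped. */
function loa_blocked(): array
{
    $now = time();
    return array_filter(
        (array) get_option(LOA_OPTION, []),
        static fn($until) => (int) $until > $now
    );
}

function loa_block(string $ip): void
{
    $blocked      = loa_blocked();
    $blocked[$ip] = time() + LOA_LOCKOUT;
    update_option(LOA_OPTION, $blocked, false); // not autoloaded
}

// Refuse a blocked IP on every request: wp-login.php, XML-RPC, REST, the lot.
add_action('init', function () {
    $blocked = loa_blocked();
    if (isset($blocked[loa_client_ip()])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so this filter has the last word: "admin" never logs in, whatever the password.
add_filter('authenticate', function ($user, $username, $password) {
    if (is_string($username) && strtolower(trim($username)) === 'admin') {
        $ip = loa_client_ip();
        loa_block($ip);
        error_log('[loa] locked out ' . $ip . ' after a login attempt as admin');
        return new WP_Error('loa_blocked', __('Login disabled.'));
    }
    return $user;
}, 30, 3);
```

wp_authenticate() applies the same authenticate filter for XML-RPC logins, so the brute-force path through xmlrpc.php is covered as well as wp-login.php. Two practical warnings: one mistyped username from your own address locks you out for the full period, so test from a connection you can afford to lose, and behind a proxy or CDN every visitor shares one REMOTE_ADDR, so without a trusted forwarded header a single attacker would lock out the whole site.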
