Ghost Security Tips for WordPress

ManageWP Adds security analysis to its service

admin — Tue, 17 Apr 2012 13:50:27 +0000

The WordPress management platform ManageWP.com has continued to add new features to allow people managing many WordPress installs simultaneously to have a dashboard that monitors traffic, updates plugins, and performs many of the routine maintenance tasks that web folks hate to do with a click of the button.

When you right click on a site in ManageWp, here is what you see:

When you click the Security Scan option, ManageWP does a securi.net scan on your site and displays the results. So you can see the following:

Security report (No threats found):

Blacklisted: No
Malware: No
Malicious javascript: No
Malicious iFrames: No
Drive-by Downloads: No
Anomaly detection: No
IE-only attacks: No
Suspicious redirections: No
Spam: No

For those managing multiple sites, this is a handy service.

Using Exploit Scanner (the Plugin) to scan for malware

admin — Mon, 16 Apr 2012 11:47:25 +0000

One of the plugins that I like best for security on WordPress sites is Exploit Scanner. (It is in the repository). The first thing is that it is easy to use. All you need to do is install it and then go to Tools>>Exploit Scanner and then run the scan.

You will see a list of the files in your sites that may be affected by malware and exploits. This is where the cleanup gets to be the most interesting. You need to resolve each of these files if the threats are severe.

So if the files that are corrupted are in your WordPress install (the wp-admin folder or the root or the wp-includes) then by overwriting them with new files will be your first step.

Step 2 is to delete extraneous files that malware has potentially left on your system. By going through and looking at the DATE of the latest change after overwriting with a backup copy, you can quickly see what has not been changed and thus is a deletable file.

Finally, you may need to delete and reload ALL of your plugins one at a time and get them to perform correctly again.

Then re-run the scanner until all severe issues have been dealt with.

Tim Thumb Exploit continues to plague WordPress sites

admin — Fri, 16 Mar 2012 11:39:06 +0000

One of the things that continues to plaque WordPress sites is the Tim Thumb exploit. For many, their theme providers or theme framework builders solved this problem for them. Here is where it gets more difficult. For those on an older theme that it NOT maintained, you need to check and see if your site is vulnerable.

A quick and easy way to do this is to install the Tim Thumb Scanner plugin from the repository and run it.

It will not only show you if there is a vulnerability, it will then correct it, leaving your with a protected site.That said it is important to remember to make SURE to get in and fix any malware caused by this exploit.

Getting beyond “Keep your WordPress Up to Date”.

admin — Sat, 07 Jan 2012 20:18:58 +0000

OK, so if you have gone beyond the very basics of WordPress and installed more than a site or two, you kinda know the importance of keeping things up to date. That is what updates are for is to fix things like security flaws and holes in the system. Pretty simple right?

Well, yes and no.

There are a couple of problems with that scenario. For starters, WordPress started as a blogging platform. And there are literally MILLIONS of inactive blogs out there that are lying around un updated. This is the joy and curse of open source. The software is FREE so many folks will start to use it. The problem is that they leave their sites around like so much space junk when they are done. Or when they give up. Or when they switch jobs. Or whatever.

So while we want to get beyond the basics of “Keep your WP up to date…” we can only do that if you in fact DO keep ALL of your WP installs up to date.

Nuff said.