2008-04-28, 01:43 PM | #1
Oh no, I'm sweating like Roger Ebert
WordPress Exploits
They must be on the rise, as I just received this e-mail from my new host:
Quote:
Sometimes the gods just like to fuck with you!
2008-04-28, 09:25 PM | #2
old enough to be Grandma Scrotum
I shall name today "Upgrade day."
__________________
Promote Bright Desire
2008-04-29, 02:03 AM | #3
Former pr0n slinger.
Hmmm... I might do some upgrades today if I find a few spare minutes...
2008-04-29, 08:00 AM | #4
That which does not kill us, will try, try again.
Remember that one thing added in 2.5.x is a new constant called SECRET_KEY in your wp-config.php file. So if you're used to not creating a new wp-config.php file during an upgrade, be sure that you do it this time. Just enter the config info from your old file into your new one, and set your 'secret phrase' as instructed. This will help secure your blog too.
__________________
"If you're happy and you know it, think again." -- Guru Pitka
2008-04-29, 12:34 PM | #5
Whether you think you can or you think you can't, you're right.
Looks like we have the same host..
2008-04-29, 07:19 PM | #6
Whether you think you can or you think you can't, you're right.
Gee, I went to post on my newly upgraded blog and for some reason the add image function was not working. I went to check the permission settings on my uploads folder, thinking maybe my host changed it because of all the problems. Come to find out, I found all the stuff everyone was talking about! AARGGHH. lol
Sneaky, the blog looked all right and seemed all right. Here is a very prime example of why you shouldn't have anything permissioned to 777. Remember someone not long ago saying to set themes to 777. If mine was, I would have stuff in there as well. I was dumb enough to have/leave my uploads at 777, and that's the only place I found the garbage. People, don't have anything set to 777! Doesn't take any longer to edit themes in a web editor either.
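The check the post above describes by hand (go look at which folders are 777), as an added example rather than anything from the thread or from WordPress itself: walk an install, list every file or directory whose mode grants write to "other", and clear that bit. The fake wp-content tree it builds is constructed for the demo.

```python
"""Added example: find and fix world-writable (777-style) paths under a
WordPress install. Not code from the forum thread or from WordPress; the
demo tree below is constructed for illustration."""
import os
import stat
import tempfile


def world_writable(root):
    """Return sorted paths (relative to root) whose mode grants write to 'other'.

    A world-writable directory lets any local account, including the shared
    web-server user on a shared host, drop files in. That is how an uploads/
    folder at 777 ends up holding someone else's PHP.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a link's own mode is meaningless; skip it
            if os.lstat(path).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def fix_permissions(root):
    """Drop group and other write bits on every world-writable path
    (777 -> 755 for directories, 666 -> 644 for files). Returns paths changed.
    Ownership is left alone; fix that separately if the files are not yours."""
    changed = []
    for rel in world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~(stat.S_IWOTH | stat.S_IWGRP))
        changed.append(rel)
    return changed


def build_demo_tree():
    """Constructed sample: a tiny fake WordPress layout with uploads/ at 777
    and a stray PHP file inside it at 666. Modes are set explicitly so the
    result does not depend on the caller's umask."""
    root = tempfile.mkdtemp(prefix="wpdemo_")
    for rel in ("wp-content", "wp-content/themes",
                "wp-content/themes/default", "wp-content/uploads"):
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), 0o755)
    style = os.path.join(root, "wp-content", "themes", "default", "style.css")
    with open(style, "w") as fh:
        fh.write("/* theme */\n")
    os.chmod(style, 0o644)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.chmod(uploads, 0o777)  # the mistake the post describes
    dropped = os.path.join(uploads, "x.php")
    with open(dropped, "w") as fh:
        fh.write("<?php /* constructed stand-in for dropped junk */ ?>\n")
    os.chmod(dropped, 0o666)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("world-writable before:", world_writable(demo))
    print("fixed:", fix_permissions(demo))
    print("world-writable after:", world_writable(demo))
```

Run it against a real install by passing the document root to world_writable() first and reviewing the list before calling fix_permissions(); anything it reports inside wp-content/uploads that you did not upload yourself is worth looking at before you chmod it.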
2008-04-29, 07:23 PM | #7
Whether you think you can or you think you can't, you're right.
Quote:
2008-04-29, 07:55 PM | #8
That which does not kill us, will try, try again.
Ronnie, that's correct, you'll never need to enter the SECRET_KEY anywhere else. WordPress uses what's entered in your wp-config.php file to help make more-secure cookies.
One very important note for anyone who installed a fresh copy of 2.5.x and just left the default value in the SECRET_KEY. If you leave it that way you're making it very easy for hackers, since they can use that default value ("put your unique phrase here") to find their way into some places you'd rather they stay out of. Generate a unique SECRET_KEY for each blog by using this link: http://api.wordpress.org/secret-key/1.0/
__________________
"If you're happy and you know it, think again." -- Guru Pitka
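Posts #4 and #8 say the SECRET_KEY feeds the cookie protection and that the shipped placeholder is dangerous. As an added illustration (not WordPress's own code, and a simplified scheme rather than its exact one): a cookie of the shape username|expiry|keyed-hash is only as secret as the key, so anyone who can guess the key can mint a cookie for any user without logging in. The usernames, timestamps and key strings are constructed; the default phrase is the one quoted in the post.

```python
"""Added example: why a default SECRET_KEY defeats keyed-hash cookies.
Simplified scheme written for this thread, not WordPress's implementation
(it uses SHA-256 HMAC here; the exact primitive is beside the point)."""
import hashlib
import hmac
import secrets

# The placeholder shipped in wp-config.php, quoted in the post above.
DEFAULT_KEY = "put your unique phrase here"


def _mac(username, expires, key):
    data = f"{username}|{expires}".encode()
    return hmac.new(key.encode(), data, hashlib.sha256).hexdigest()


def make_cookie(username, expires, key):
    """What the server hands out after a real login: 'user|expiry|mac'."""
    return f"{username}|{expires}|{_mac(username, expires, key)}"


def check_cookie(cookie, key, now):
    """Return the username if the MAC verifies under `key` and the cookie is
    unexpired at time `now`; None for anything malformed, tampered or stale."""
    try:
        username, expires, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:
        return None
    # constant-time compare so the MAC cannot be guessed byte by byte
    if not hmac.compare_digest(mac, _mac(username, expires, key)):
        return None
    if expires < now:
        return None
    return username


def forge_admin_cookie(now, key_guess=DEFAULT_KEY):
    """What an attacker who never logged in does: mint an 'admin' cookie with a
    guessed key. It verifies exactly when the site still runs the default."""
    return make_cookie("admin", now + 3600, key_guess)


def generate_secret_key(nbytes=32):
    """A per-site random key, the local equivalent of what the
    api.wordpress.org secret-key page hands you."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    now = 1_209_500_000  # constructed "current time"
    forged = forge_admin_cookie(now)
    print("default key, forged cookie accepted as:", check_cookie(forged, DEFAULT_KEY, now))
    site_key = generate_secret_key()
    print("unique key, same forged cookie accepted as:", check_cookie(forged, site_key, now))
```

The server side never changes between the two runs; the only difference is whether the key in wp-config.php is something the attacker can look up. That is the whole point of Simon's advice to generate one per blog.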
2008-04-29, 08:15 PM | #9
old enough to be Grandma Scrotum
Thanks for the info on the secret key stuff Simon. I should read the documentation a bit more!
__________________
Promote Bright Desire
2008-04-29, 08:17 PM | #10
Whether you think you can or you think you can't, you're right.
Thanks Simon, makes sense... And yeah, I can see how leaving the default will make it easier for hackers to find.
Somewhat similar to leaving the WP default passwords; for reasons I am not going to say (at least with 2.3.x), it's pretty easy to at least narrow it down by quite a bit. One thing also for anyone getting rid of this exploit, or reading this, that kinda got me stuck for a second: Step 5 is kind of vague. You need to remove that entry completely from the DB, which will deactivate all your plugins. Then go back in and activate your plugins, and WP will add the right entry for that field. At first, I wasn't totally sure if I needed to completely remove it and, if I did, whether it would mess up my plugins. As I mentioned, the image add on one of my blogs was not working; I did the steps above and now it works like a charm.
Last edited by ronnie; 2008-04-29 at 08:33 PM.
2008-04-29, 09:26 PM | #11
Whether you think you can or you think you can't, you're right.
One other thing, the above steps are kind of off. You should do step 5 first, then back up your database, otherwise you're just backing up the exploit.
You could make a mental note, but I know I'd forget in a couple of weeks..
2008-04-29, 10:44 PM | #12
Is it over already?
Join Date: Sep 2003
Location: the beautiful shores of Lake Erie
Posts: 890
Thanks Walrus. I was going back and forth on whether or not I should upgrade our blogs, and this made it clear that it was time. Six upgrades later (4 of which have never been used, 2 really old), here I sit hoping all is well.
Thanks also, Simon.
__________________
Hey buddy... can you spare a sig?
2008-04-30, 02:44 AM | #13
WHO IS FONZY!?! Don't they teach you anything at school?
Join Date: Dec 2005
Posts: 48
Great post, thanks man.
__________________
There is no money in porn adult messages aggregator.
2008-04-30, 11:11 AM | #14
Whether you think you can or you think you can't, you're right.
Finally done, 15 blogs upgraded and hopefully more secure.
I found this crap on every one of my blogs, including my mainstream one. Actually I think it was a good thing this happened, oddly enough. I was forced to back up, the blogs are more secure, I upgraded to the latest and greatest WP, and I got to clean up a bunch of junk like unused themes and plug-ins. So not all bad..