Is Your WordPress Theme 'Leaking' Security Info?

24 replies
Yes it is - and anyone visiting your site can tell what version of WordPress you're using, and whether you have one that can be hacked.

(Look at your blog page, use your browser's 'view source' command, and search for the word 'generator' to see it).

You can read more about it here:

Wordpress Security: Version Numbers and Themes - Make Money With WordPress Blogs AND ActiveBlogging!

Revision Control In WordPress - Or, How To Keep Your Database Small - Make Money With WordPress Blogs AND ActiveBlogging!

Included is a quick solution I came up with - one line of code you add to your theme, or a simple plugin you can get free from my site.

Enjoy!
#info #leaking #security #theme #wordpress
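The 'view source and search for generator' check above can be scripted so you can run it across every blog you own after applying a fix (the usual theme-side line is `remove_action('wp_head', 'wp_generator');` in functions.php; the thread itself does not print the code). The following is an added example for this thread, not the original poster's plugin. It goes slightly beyond the post: besides the `<meta name="generator">` tag it also reports the `?ver=` query string on enqueued `/wp-includes/` assets and the `<generator>` element of the RSS feed, two other places the version commonly shows up. The sample pages are constructed for the example and are not from any real site.

```python
"""Version-leak check for a WordPress page's HTML (or feed XML).

Added example for this thread; not the plugin from the original post.
It automates the 'view source and search for generator' check and also
looks at two other common leak points: ?ver= on /wp-includes/ assets
and the <generator> element of the RSS feed.
"""
import re
from html.parser import HTMLParser

# Matches "WordPress 2.6.3", "WordPress/2.6.3" and "wordpress.org/?v=2.6.3"
WP_VERSION_RE = re.compile(r"WordPress(?:/|\s+|\.org/\?v=)([0-9][0-9.]*)", re.I)


class VersionLeakParser(HTMLParser):
    """Collects (where, value) pairs for every version hint in the markup."""

    def __init__(self):
        super().__init__()
        self.leaks = []
        self._in_generator = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.leaks.append(("meta generator", a.get("content", "")))
        elif tag in ("script", "link"):
            url = a.get("src") or a.get("href") or ""
            # Core assets carry the WordPress version in ?ver= unless stripped
            if "/wp-includes/" in url and re.search(r"[?&]ver=", url):
                self.leaks.append(("asset ?ver=", url))
        elif tag == "generator":  # RSS/Atom <generator> element
            self._in_generator = True

    def handle_data(self, data):
        if self._in_generator and data.strip():
            self.leaks.append(("feed generator", data.strip()))

    def handle_endtag(self, tag):
        if tag == "generator":
            self._in_generator = False


def find_version_leaks(markup):
    """Return every version hint found in the page or feed source."""
    parser = VersionLeakParser()
    parser.feed(markup)
    parser.close()
    return parser.leaks


def disclosed_wp_version(markup):
    """Return the WordPress version a visitor could read off the page, or None.

    Only the generator tag/element is treated as definitive: ?ver= on a
    jQuery file, for example, is jQuery's version rather than WordPress's.
    """
    for where, value in find_version_leaks(markup):
        if where.endswith("generator"):
            m = WP_VERSION_RE.search(value)
            if m:
                return m.group(1)
    return None


# Constructed sample pages (not from any real site).
LEAKY_PAGE = """<html><head>
<meta name="generator" content="WordPress 2.6.3" />
<link rel="stylesheet" href="/wp-includes/css/buttons.css?ver=2.6.3" type="text/css" />
<script type="text/javascript" src="/wp-content/themes/mytheme/js/menu.js"></script>
</head><body><p>hello</p></body></html>"""

FIXED_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-includes/css/buttons.css" type="text/css" />
<script type="text/javascript" src="/wp-content/themes/mytheme/js/menu.js"></script>
</head><body><p>hello</p></body></html>"""

LEAKY_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>https://wordpress.org/?v=2.6.3</generator>
</channel></rss>"""

if __name__ == "__main__":
    for name, source in (("leaky page", LEAKY_PAGE),
                         ("fixed page", FIXED_PAGE),
                         ("feed", LEAKY_FEED)):
        print(name, find_version_leaks(source), disclosed_wp_version(source))
```

To check a live site you own, fetch the front page and `/feed/` with any HTTP client and pass the body to `find_version_leaks`; an empty list for both, after the theme fix or plugin is in place, is what the poster in this thread who still saw the version in view source was looking for.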
  • MatthewBass
    Thanks for the tip!
  • Bishop81
    Man, I just wrote the same plugin last night for this. Guess I don't need to post about it any more.
  • TheRichJerksNet
    The version of wordpress you run does not matter... even 2.6.5 has been hacked. The version is not the problem, the problem is the script itself that you need to do security on...

    James
    • Bishop81
      Originally Posted by TheRichJerksNet
      The version of wordpress you run does not matter... even 2.6.5 has been hacked. The version is not the problem, the problem is the script itself that you need to do security on...

      James

      That's true, but if somebody can see the version that you're running, then they would know which exploits to use to try and hack it. Now, this is important if you don't go through all the steps that you propose in your system. With that, the generic hacks that they have just won't work anyway.
      • TheRichJerksNet
        Originally Posted by Bishop81
        That's true, but if somebody can see the version that you're running, then they would know which exploits to use to try and hack it. Now, this is important if you don't go through all the steps that you propose in your system. With that, the generic hacks that they have just won't work anyway.

        Yes this is true if someone does not have WordPress Secured methods installed.. But -- even removing the version all the hackers need to do is send a bot to try out the different version exploits.. A Bot can run the processes at 1,000 per minute or higher so it would not take long to figure it out for a hacker...

        This is why it is important for everyone to Secure their blogs properly now...

        James
  • jacstone193
    Thanks for this advice. Much appreciated.
  • Chris Lockwood
    Or you could just have a blog that is so unpopular nobody would bother trying to hack it.
    • TheRichJerksNet
      Originally Posted by Chris Lockwood
      Or you could just have a blog that is so unpopular nobody would bother trying to hack it.

      Most of the time Chris, that is the blogs that are targeted ...

      Al Gore's Blog is a classic example ..

      James
  • AlexKaplo
    Oh wow, thanks for the great tip man!

    Best regards,

    Alex Kaplo
  • VeraRaposo
    Great advice. Hacking is something we all have to watch out for and you just proved it is so easy for them to sneak right in.
    • csm
      This is a very timely thread as I just discovered two newly-built Wordpress sites hacked. I'm waiting to hear from my web host about how to resolve those two sites, but as I have 30 more sites running Wordpress, I need to know how to secure them.

      I downloaded the utopia51 plug-in and activated it on one domain, but it does not hide the version when I view source. I'm not sure why.

      What other security measures should I put in place to protect my Wordpress sites from being hacked? They were just built in the past two weeks, via Fantastico. However, some were version 2.6.2 and some were version 2.6.3, the latest available in my host's Cpanel. I prefer to install via Fantastico since it's so easy, and upgrading is a snap when available within Fantastico.

      It also appears as though they may have been hacked via the Caffeinated Content plug-in, as those were the files that appear to be affected.

      Any advice for how to tighten up the security on my current sites?

      Susan
      • TheRichJerksNet
        Originally Posted by csm
        This is a very timely thread as I just discovered two newly-built Wordpress sites hacked. I'm waiting to hear from my web host about how to resolve those two sites, but as I have 30 more sites running Wordpress, I need to know how to secure them.

        I downloaded the utopia51 plug-in and activated it on one domain, but it does not hide the version when I view source. I'm not sure why.

        What other security measures should I put in place to protect my Wordpress sites from being hacked? They were just built in the past two weeks, via Fantastico. However, some were version 2.6.2 and some were version 2.6.3, the latest available in my host's Cpanel. I prefer to install via Fantastico since it's so easy, and upgrading is a snap when available within Fantastico.

        It also appears as though they may have been hacked via the Caffeinated Content plug-in, as those were the files that appear to be affected.

        Any advice for how to tighten up the security on my current sites?

        Susan

        Hi Susan,
        Yes see my signature for the best security you can have for your blog.. WordPress Secured has made more than 200+ customers very happy..

        Also includes a pre-config install for 2.6.5 with security measures already done for you, you just install as normal...

        James
        • Eric Lorence
          Most of the WP exploits have to do with the Database and SQL injection attacks.

          SQL security should be primary, but for the regular marketer, DB user permissions and renaming the tables on installation can get complicated.

          Better to consult an experienced webmaster to secure a WP site than to rely on a plugin.

          Though every little bit helps!
  • TheRichJerksNet
    Fully agree with Eric there on plugins... This is why I created a pre-config installation of a secured wordpress. This is a full wordpress install, only the coding has been modified for you, and during configuration you have options to change certain things on the fly, no editing of database needed.

    Plugins used for security purposes I don't really agree with. Full security of your blog should be your concern ...

    James
    • csm
      Thanks, James, I'll take a look.

      My host has restored my two blogs, and he first suspected that the hack came via either a plug-in, a theme, or my WHM. Upon further investigation, it appears that it was a hack via my WHM account.

      I'm quite certain now that there was no vulnerability in Caffeinated Content, so I don't want anyone to have the impression there might be a weakness there. I think when the hacker got in through my WHM, he altered some of the files in the CC folder which is why I was initially concerned about that.

      It is possible I had used a theme that was vulnerable as my host has cautioned me that I should not use themes from free distribution sites, but only from the authors themselves. I was not aware that these could be suspicious and I have, in fact, grabbed some free themes from distribution sites. I've deleted these and will be more cautious in future.

      Susan
      • Eric Lorence
        Any file you install, either a theme, plugin, or script can contain a back door to allow access to your site.
      • TheRichJerksNet
        Originally Posted by csm
        Thanks, James, I'll take a look.

        My host has restored my two blogs, and he first suspected that the hack came via either a plug-in, a theme, or my WHM. Upon further investigation, it appears that it was a hack via my WHM account.

        I'm quite certain now that there was no vulnerability in Caffeinated Content, so I don't want anyone to have the impression there might be a weakness there. I think when the hacker got in through my WHM, he altered some of the files in the CC folder which is why I was initially concerned about that.

        It is possible I had used a theme that was vulnerable as my host has cautioned me that I should not use themes from free distribution sites, but only from the authors themselves. I was not aware that these could be suspicious and I have, in fact, grabbed some free themes from distribution sites. I've deleted these and will be more cautious in future.

        Susan

        Hi Susan,
        I can almost bet they went through your wordpress install.. Hacking cpanel/whm is not that easy and only true hackers really go there and even then when on a proper host most of the time the amount of firewalls you need to go through is not worth hacking an actual cpanel unless the site itself is very popular.

        Script kiddies will go through your wordpress and once they have access through your wordpress then they can get access to other parts of your server. Most of the hacks are done by script kiddies (wannabe hackers) as a true hacker will not waste his/her time on a website that has no value to them, they actually go after sites of value to them which would be popular sites that get huge amounts of traffic in the millions.

        What WordPress Secured does is use the actual wordpress software but it has been modified for security methods. The install is just as easy as wordpress itself but I have removed the actual install files for further security measures.

        James
        • csm
          James,

          Would I have to re-install my existing 31 Wordpress sites using WP Secured? I've got those sites built now with the plug-ins and settings as I want them, as well as quite a bit of content.

          Or would WP Secured best be used when starting a new site from scratch?

          Susan
          • TheRichJerksNet
            Originally Posted by csm
            James,

            Would I have to re-install my existing 31 Wordpress sites using WP Secured? I've got those sites built now with the plug-ins and settings as I want them, as well as quite a bit of content.

            Or would WP Secured best be used when starting a new site from scratch?

            Susan

            Susan,
            It can be used for new or currently running sites... The pre-config system is simple..

            1. Make a backup
            2. Delete your wordpress (not the database, just the files)
            3. Upload wordpress secured
            4. Fill in the config form
            5. Upload your themes and plugins from the backup
            6. You have an installed secured wordpress blog

            It's pretty much that simple ... I have full documentation on everything with included screenshots...

            James
  • Bishop81
    Yes, make sure that any theme or plugin that you are not using is not only deactivated, but also deleted from your site. Just deactivating it is not enough. I have purchased James's security product (the older one) and recommend it for anyone who is concerned with the security of their blog.
  • David Pankhurst
    I didn't mean to open a can of worms on security with this post - just offer a little extra plugin to help casual viewers from knowing too much.

    In line with that, I decided to do a post on security on my blog - I hope it helps with balance:

    Wordpress Security - Or Should You REALLY Be Scared?
  • jmorris18
    Susan, I also understand James will be releasing a step by step video showing you how to do this as well. I am a customer of his and plan to be long term. I would take him up on any offer that he has available. He has over 15 years in code development and he has some great ideas on how to protect yourself when it comes to WP.

    Thanks,
    Jason
    • TheRichJerksNet
      Originally Posted by jmorris18
      Susan, I also understand James will be releasing a step by step video showing you how to do this as well. I am a customer of his and plan to be long term. I would take him up on any offer that he has available. He has over 15 years in code development and he has some great ideas on how to protect yourself when it comes to WP.

      Thanks,
      Jason

      Thanks for the support Jason.. By the way your blog is looking great ...

      James