WordPress Blogger: Your Blog In Danger!

21 replies
Hi there;
I just read something very important to all of us bloggers!

For those who have a WordPress blog, your blog is in danger!

Why?

Try this.
Go to your blog and check its source code.
(for Chrome and Firefox, hit Ctrl+U)

Then search for 'style.css' (without the quotes).

You will then see something like

domainname.com/wp-content/themes/themename/style.css

What you need to do now is go to

domainname.com/wp-content/themes/themename

and an error message will come out like the one below:

Fatal error: Call to undefined function get_header() in /home/username/public_html/wp-content/themes/themename/index.php on line 1


So what's dangerous?
The username. When a hacker knows that, they are one step closer to hacking your blog.


OK, I'll leave it here for you to think about while I'm recording a video on how to solve this.


Till then... see ya.
#blog #blogger #danger #wordpress
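As an added example (not the poster's video code and not anything shipped with WordPress), the following Python walks through the three steps of the post offline against constructed input: pull the theme directory out of a page's HTML, parse the PHP fatal error that the theme's index.php throws when it is requested directly, and decide whether the leaked path actually contains a hosting account name. The host name, the account name and both error bodies are made up here; the /home/content/.../html layout is assumed from the GoDaddy path quoted later in the thread, and the list of "layout" directory names is an assumption, not a survey of hosting providers.

```python
"""Added example (not the thread poster's video code and not part of WordPress):
an offline walk-through of the recon the post describes. Every input below is
constructed here, so nothing is fetched from the network."""
import re
from typing import Optional, Tuple
from urllib.parse import urljoin

# Step 1: any WordPress page links its theme stylesheet, which exposes the
# theme directory: /wp-content/themes/<theme>/style.css
THEME_CSS_RE = re.compile(r'/wp-content/themes/(?P<theme>[^/"\'\s?]+)/style\.css')

def find_theme_dir(page_html: str, base_url: str) -> Optional[Tuple[str, str]]:
    """Return (theme name, theme directory URL) or None if no theme link is found.
    Assumes the default layout where wp-content sits at the site root."""
    m = THEME_CSS_RE.search(page_html)
    if not m:
        return None
    theme = m.group('theme')
    return theme, urljoin(base_url, f'/wp-content/themes/{theme}')

# Step 2: requesting the theme directory runs the theme's index.php outside
# WordPress, so get_header() is undefined and PHP prints a fatal error that
# contains the absolute path of the script. Parse that message.
TAG_RE = re.compile(r'<[^>]+>')
FATAL_RE = re.compile(
    r'Fatal error:\s*(?P<msg>.+?) in (?P<path>/\S+?) on line (?P<line>\d+)')

def parse_php_fatal(body: str) -> Optional[dict]:
    """Extract message, absolute path and line from a PHP fatal error page.
    PHP's html_errors setting wraps parts of the message in <b> tags, so the
    tags are stripped before matching."""
    text = TAG_RE.sub('', body)
    m = FATAL_RE.search(text)
    if not m:
        return None
    return {'message': m.group('msg').strip(),
            'path': m.group('path'),
            'line': int(m.group('line'))}

# Step 3: decide whether the leaked path contains a hosting account name.
# cPanel-style hosts put the account under /home/<account>/public_html; the
# GoDaddy-style path quoted later in the thread looks like
# /home/content/s/k/i/<account>/html/... . The component right before the
# document root is the candidate, and a few directory names that are hosting
# layout rather than an account are rejected (assumption: this list is
# illustrative, not a complete inventory of hosting layouts).
DOCROOT_NAMES = {'public_html', 'html', 'httpdocs', 'www'}
LAYOUT_DIRS = {'home', 'content', 'var', 'srv', 'www'}

def extract_account(path: str) -> Optional[str]:
    parts = path.strip('/').split('/')
    for i, part in enumerate(parts):
        if part in DOCROOT_NAMES and i >= 1:
            candidate = parts[i - 1]
            return None if candidate in LAYOUT_DIRS else candidate
    return None

def assess(page_html: str, base_url: str, error_body: str) -> dict:
    """Tie the three steps together for one site. Returns what an attacker
    would learn: theme, leaked path, and the account name if there is one."""
    theme = find_theme_dir(page_html, base_url)
    fatal = parse_php_fatal(error_body)
    result = {'theme': theme[0] if theme else None,
              'theme_dir': theme[1] if theme else None,
              'leaked_path': fatal['path'] if fatal else None,
              'account': extract_account(fatal['path']) if fatal else None}
    result['exposed'] = result['account'] is not None
    return result

# Constructed sample input: a minimal WordPress page and two fatal-error bodies.
SAMPLE_HTML = ('<html><head><link rel="stylesheet" type="text/css" '
               'href="http://blog.example/wp-content/themes/twentyten/style.css" />'
               '</head><body></body></html>')
SAMPLE_ERROR_CPANEL = ('<br />\n<b>Fatal error</b>:  Call to undefined function '
                       'get_header() in <b>/home/exampleacct/public_html/wp-content/'
                       'themes/twentyten/index.php</b> on line <b>1</b><br />\n')
SAMPLE_ERROR_NO_ACCOUNT = ('Fatal error: Call to undefined function get_header() in '
                           '/home/content/public_html/wp-content/themes/twentyten/'
                           'index.php on line 1')

if __name__ == '__main__':
    for body in (SAMPLE_ERROR_CPANEL, SAMPLE_ERROR_NO_ACCOUNT):
        print(assess(SAMPLE_HTML, 'http://blog.example/', body))
```

Run with python3 and it prints one assessment per sample error. The second sample, whose path only has the generic "content" directory in front of public_html, comes back with account None: that is the case raised further down the thread where the error still leaks the absolute path but not an account name, which is why the path itself, not just the username, is what a site owner should stop disclosing.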
  • Raja Kamil:
    For those who don't understand what I'm talking about, see part one here:
  • Raja Kamil:
    Meanwhile, any volunteers to give me your blog URL? I'll point out your cPanel username.
  • ~kev~:
    Originally Posted by Raja Kamil:

    So what's dangerous?
    The username. When a hacker knows that, they are one step closer to hacking your blog.
    I don't guess you have ever sent an email to anyone?

    And let me guess, your username on Warrior Forum is Raja Kamil; how dangerous is that?

    So what if someone knows your username? It's only dangerous if you're using a weak password.
  • Spyder77:
    His subject line is accurate enough, although the danger lies in the fact that you're handing all the keys to your business to Blogger: platform software, host, and domain.

    Not a good model for a commercial enterprise to run on. Better to diversify all 3 so that you retain control instead of giving it away. Beyond that, it's fine if you just want an easy & free setup to post something like your daily musings (or rants) and aren't looking to make money on it.

    -Spyder
  • Raja Kamil:
    Part 2 - defend your blog


    Here is the code used in the video:

    <?php ini_set('display_errors', 0); ?>
    Hope this is helpful.
  • Cool Hand Luke:
    My passwords are all between 16 and 30 characters, completely random, and they are changed every month. So thanks, but I'm not worried.
  • Claire Sharp:
    Oh my! This could happen to anyone. I guess I'll have to try this before it's too late. There's no harm in trying, right? Thanks for the thread!
  • christopher jon:
    Ignore this false information.

    Sorry buddy, but this post is so ignorant it's funny.

    First of all, your method only works if you are logged into your account. If you are not logged into your account, you will see something like

    Fatal error: Call to undefined function get_header() in /home/content/public_html/wp-content/themes/themename/index.php on line 1

    Not your username.

    You can stop recording that video now.

    Give the WordPress security people some credit for not being complete morons.
    Signature: It buys my product or it gets the hose
    • Cool Hand Luke:
      Originally Posted by christopher jon:

      Ignore this false information. [...] First of all, your method only works if you are logged into your account. [...]
      Wow. Thanks for the info there, and no thanks for the bad info from the OP.
    • SteveJohnson:
      Originally Posted by christopher jon:

      Ignore this false information. [...] First of all, your method only works if you are logged into your account. [...]
      The post isn't ignorant at all.

      The OP is actually spot on, except for the reference to WordPress.

      His 'method' works for any hosting account that will throw a PHP error. Being logged in has absolutely nothing to do with it, just as WordPress has nothing to do with it. He's just using a WP address to cause a PHP error, which in turn reveals the file path.
      Signature: The 2nd Amendment, 1789 - The Original Homeland Security. Gun control means never having to say, "I missed you."
  • Raja Kamil:
    Want a real example?

    I just picked a website randomly from a Google search for "make money online".

    Here is the URL: 101 Ways To Make Money - Learn How To Make Money Online

    Here is the fatal error message:

    Fatal error: Call to undefined function get_header() in /home/makXXXX/public_html/wp-content/themes/livewire2/index.php on line 1


    PS: I purposely left the URL live, so that the web owner will have a chance to fix this.
    PPS: this method works on most Linux hosting.
    • ~kev~:
      Originally Posted by Raja Kamil:

      Want a real example?

      Fatal error: Call to undefined function get_header() in /home/makXXXX/public_html/wp-content/themes/livewire2/index.php on line 1
      That is the way web hosting works.

      How else is the server supposed to tell the difference between accounts?

      So what if someone knows your account name? Well, unless you have a blank or weak password...

      I think you're making a big deal out of nothing.
    • AnniePot:
      OK - I think we definitely need the intervention of Istvan Horvath on this one. Step forward, Istvan.
  • christopher jon:
    That would be the name the owner has given to their hosting account. The path is also different depending on who you are hosting with.

    With GoDaddy you'll get something like this:

    Fatal error: Call to undefined function get_header() in /home/content/s/k/i/myhostingaccount/html/1221/wp-content/themes/framework3/index.php on line 1

    But that is just the name I've given to my hosting account and not my username. Like Kev said, this is the way web hosting works, and it's been this way forever.

    However, with the blog you used as an example, I can tell you that you can log in using admin, and Mika is the admin nickname.

    Oooh... scary hackers.
    Signature: It buys my product or it gets the hose
  • retsek:
    No need to scare anyone.

    This is avoided if you follow WordPress's basic security recommendations.

    In PHP, set display_errors = Off;
    there's no need to display error messages in the browser.

    That setting instead gives you a nice white screen of death, and you go to your error_log to investigate whenever it happens.
  • SteveJohnson:
    This has NOTHING WHATSOEVER TO DO WITH WORDPRESS.

    There is some validity to what the OP is saying - because of the way that most hosting accounts are created on shared hosting (WHM/cPanel setups), this can reveal the username of the account that the hosting is on.

    What to do about it? Practice good security:
    • turn off PHP error reporting on production sites
    • do virus scans on your computer to defeat keyloggers
    • use secure passwords - 12 characters, upper/lowercase letters, numbers, punctuation
    • change your passwords at least monthly, if not weekly
    • don't FTP into the root account of your hosting; use separate accounts for each domain (which is why I recommend using a 'throwaway' domain as the main domain on an 'unlimited domain' hosting account)
    • use SFTP rather than plain FTP to transfer files

    If you do the above, you should never have to worry about your hosting account getting hacked, even if the hacker DOES know your account name.
    Signature: The 2nd Amendment, 1789 - The Original Homeland Security. Gun control means never having to say, "I missed you."
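Putting the three fixes proposed in this thread (the one-line ini_set() from the video, retsek's display_errors = Off, and "turn off PHP error reporting on production sites" in the list above) into one configuration, as an added example that is not from any of the posters: the settings that produced the leak are shown commented out beside the hardened ones. The error_log path is an assumption; pick one outside public_html that the PHP process can write to.

```ini
; php.ini, or .user.ini in the document root on CGI/FastCGI shared hosting.
; Added example, not from the thread. The error_log path is an assumption;
; it must live outside public_html and be writable by the PHP process.

; --- weak: the settings behind the leak in this thread (remove these) ---
; display_errors = On
; html_errors    = On
; log_errors     = Off

; --- hardened for production ---
display_errors         = Off   ; never render the message (and the path) to the browser
display_startup_errors = Off
log_errors             = On    ; keep the detail for the site owner instead
error_log              = /home/account/logs/php_errors.log   ; assumption: adjust to your account
expose_php             = Off   ; also drop the X-Powered-By: PHP header (php.ini only; ignored in .user.ini)
```

php.ini, .user.ini, or `php_flag display_errors Off` in .htaccess under mod_php is the right place for this because the leak comes from requesting the theme's index.php directly, outside WordPress. On that request wp-config.php is never loaded, so WP_DEBUG_DISPLAY or an ini_set() placed in wp-config.php does nothing, and an ini_set() inside one theme file only covers that file; every other PHP file reachable under wp-content still throws the same error with the same path. After changing the setting, request the theme directory again as in the first post and confirm you get a blank page while the message lands in the log.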
  • sscot:
    My WordPress username is ogilmiln. You don't need to read the source code now.
  • simonbuzz:
    My user name is: allen01675244197 and my password is 34 characters long... best of luck to all the hackers trying to hack my site...
  • Klemen Znidar:
    Use strong passwords and you should not worry about this problem.
  • mrbawb:
    Originally Posted by Raja Kamil:

    and an error message will come out like the one below:

    Fatal error: Call to undefined function get_header() in /home/username/public_html/wp-content/themes/themename/index.php on line 1


    So what's dangerous?
    The username. When a hacker knows that, they are one step closer to hacking your blog.
    Holy crap, Raj! Thanks for the heads up on this!