It doesn’t matter how secure your WordPress installation is if you have insecure hosting

I recently struggled with a nasty case of Pharma spam on my blog. I’ll post soon with a more detailed run-down of what happened and how I dealt with it. In a nutshell, however, it appears that the hackers got in through poor security on my hosting, rather than any vulnerability in WordPress.

At the time, I was using Dreamhost’s shared hosting plan, which I previously never had anything negative to say about. When the hacks started, I spent months focused on possible problems due to WordPress. I upgraded everything, changed my passwords repeatedly, disabled all plugins, did complete fresh installations and scoured my database for any references to the hacks, all to no avail.

Eventually, I was forced to concede that the problem probably originated from the hosting plan I was on. I switched hosts, and was able to clean everything up. Since then, I’ve discovered two settings in Dreamhost’s control panel that probably contributed, so I’d like to share them with you.

Dreamhost Domain Security

Check the Extra Web Security option on the edit domain page.

When editing a domain, make sure the “Extra Web Security” option is checked. Here’s what the Dreamhost wiki has to say about the option:

The Extra Web Security option (you see it when adding a new domain or editing the web settings for an existing domain) enables the use of a very special security module for your website. Many common attacks that can compromise your website will be blocked by this option. We cannot guarantee that all attacks will be blocked but we will do our best to ensure the most common known attacks will be prevented.

Dreamhost User Account Security

Check the Enhanced Security option on the edit user account page.

When editing a user account, make sure the “Extra Security” option is checked. I would also check the “Disable FTP” option, since FTP is notoriously insecure. Again, here’s what the Dreamhost wiki has to say:

The Enhanced User Security setting prevents other users from accessing your home directory. It can be enabled separately for each user in the panel under Manage Users. It is disabled by default.

Leaving this option unchecked is particularly dangerous if you’re a WordPress user, since the WordPress database password is stored in a plain text configuration file in your website’s root directory. So if this option is unchecked, ANY USER on your Dreamhost server can read your database credentials. I cannot understand why Dreamhost leaves this option unchecked by default.

Who needs a backdoor if you leave the keys in the door?

How to Convert Your Old WordPress Database to UTF8

When I upgraded my WordPress installation recently, I ran into a character encoding problem. Long story short, it turns out that older WordPress installations like mine tend to have been created in latin1, but the data is actually being saved in UTF8. If you update your wp-config file to a newer version, it adds a DB_CHARSET option, which will cause your site to puke, because the database character set it declares doesn’t match the data that’s actually stored in it.

Thankfully, the fix is relatively simple, if a bit of a hassle:

  1. From your command line, use the mysqldump command to export your database in latin1 format. Since MySQL sees your database is already in latin1 format, it won’t re-encode it (which would break the UTF8 data in the database). The command should look something like this:
    mysqldump -u username -p --add-drop-table --default-character-set=latin1 databasename > databasename.sql

    Note: You must do this from the command line, because PHPMyAdmin doesn’t allow you to specify the character set of the export file, so you will end up with re-encoded data that will be scrambled and kill your database.

  2. Copy that dump file somewhere safe for a backup, in case something goes wrong.
  3. Using a text editor, open the MySQL dump file and replace all instances of latin1 with utf8. There should be one reference in each CREATE TABLE line.
  4. Import the database over the top of your existing one. Since you did a complete dump, with the add-drop-table option, this will drop all your existing tables, and recreate them. And since you changed the character sets, this will effectively update your database to UTF8. The command will look something like this:
    mysql -u username -p databasename < databasename.sql

Now, if you’re anything like me, those instructions are terrifying. But trust me that there is relatively little risk. The very first thing you’re going to do is make a backup. If anything goes wrong, the worst case scenario is that you restore your backup, and you’re back to square one. I can’t tell you that it’s totally safe, but I can assure you that I did this to two of my databases, and it went off without a hitch.
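Here are the four steps above as a shell script. This is an added example, not code from the original post: it assumes mysqldump and mysql are on the PATH for the dump and import steps, and it narrows step 3 so that only the charset declarations are rewritten (the SET NAMES line mysqldump puts in the header and the DEFAULT CHARSET on each CREATE TABLE), leaving a post that merely contains the word "latin1" untouched. The function names and the sample dump are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Converts a WordPress dump's
# charset declarations from latin1 to utf8 without re-encoding row data.
set -eu

# Step 1: dump with the connection charset set to latin1, so the UTF-8 bytes
# already stored in the latin1 tables are copied out unchanged.
# $1 = MySQL user, $2 = database name, $3 = output file (prompts for password).
dump_latin1() {
    mysqldump -u "$1" -p --add-drop-table --default-character-set=latin1 "$2" > "$3"
}

# Step 3: rewrite only the schema-level charset declarations.
# $1 = input dump, $2 = converted output. Row data is left as-is, so a post
# that talks about "latin1" is not corrupted by a blanket search/replace.
convert_dump_charset() {
    sed -e 's/SET NAMES latin1/SET NAMES utf8/' \
        -e 's/DEFAULT CHARSET=latin1/DEFAULT CHARSET=utf8/' \
        -e 's/CHARACTER SET latin1/CHARACTER SET utf8/g' \
        "$1" > "$2"
}

# Sanity check before importing: count declarations that still name latin1.
# Prints 0 when the schema is fully converted.
remaining_latin1_declarations() {
    grep -c -E 'SET NAMES latin1|CHARSET=latin1|CHARACTER SET latin1' "$1" || true
}

# Step 4: import over the existing tables (the dump carries DROP TABLE).
# $1 = MySQL user, $2 = database name, $3 = converted dump.
import_dump() {
    mysql -u "$1" -p "$2" < "$3"
}

# The whole procedure: dump, keep an untouched backup (step 2), convert,
# verify, import. $1 = MySQL user, $2 = database name.
convert_wordpress_db() {
    user="$1"; db="$2"
    dump_latin1 "$user" "$db" "$db.sql"
    cp "$db.sql" "$db.backup.sql"              # step 2: untouched copy for rollback
    convert_dump_charset "$db.sql" "$db.utf8.sql"
    if [ "$(remaining_latin1_declarations "$db.utf8.sql")" != "0" ]; then
        echo "unconverted latin1 declarations remain; not importing" >&2
        return 1
    fi
    import_dump "$user" "$db" "$db.utf8.sql"
}

# A constructed mysqldump excerpt for trying the rewrite offline; note the
# header SET NAMES line, the CREATE TABLE charset, and a row mentioning latin1.
write_sample_dump() {
    cat > "$1" <<'EOF'
/*!40101 SET NAMES latin1 */;
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT,
  `post_content` longtext NOT NULL,
  PRIMARY KEY (`ID`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
INSERT INTO `wp_posts` VALUES (1,'Our old tables were latin1, see café');
EOF
}
```

To run it against a real database, call `convert_wordpress_db username databasename` from a directory where you want the dump files kept; the untouched `databasename.backup.sql` is the rollback the post describes, and the import is skipped if any latin1 declaration survives the rewrite.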

How to Convert from Community Server 2007 to WordPress

It’s safe to say that no one at Pop Art was ever really happy with Community Server. We selected it as a platform for a variety of reasons, some of which turned out to be based on faulty assumptions. Once we finally made the decision to switch to WordPress, the conversion was a huge pain, but ultimately worth the effort.

WordPress Automatic Theme Upgrade Deletes Custom Files

When I made Dojo, one of the main features of the theme is the ability to add a custom.css file in the same directory, and the theme will load it – that way you can use the theme as a starting point, and just change the colors and stuff to match what you want. That’s how Sean’s blog works. It’s a stock installation of Dojo with a single custom.css file.

A few days ago, I released an upgrade to the theme to add support for some new features in WordPress 2.7, so I logged into Sean’s blog to upgrade the theme. Newer versions of WordPress added the ability to automatically notify users when a new version of a theme is available, and let them click on a link to automatically upgrade. Since I wasn’t sure how it would work, I backed up Sean’s files first, and then used the Upgrade Automatically feature.

It worked perfectly, except it deleted all his custom files! His custom.css file and some other images in the theme directory were just gone. No notification, nothing. Thankfully, I had the backup, so I could restore those files quickly, but I hate to think that someone out there is going to upgrade their installation of my theme this way, and lose all their work.

So please, if you use the Upgrade Automatically feature, make sure you have a backup of your files first, otherwise your custom files will be deleted!
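The backup the post recommends, plus the check that would have flagged the missing custom.css right away, as an added shell example (not the post's or the Dojo theme's own code): archive the theme directory before clicking Upgrade Automatically, list every file the upgrade removed, and put back only those files. The theme path and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Snapshot a theme directory
# before an automatic upgrade and find out afterwards what the upgrade removed.
set -eu

# Archive the theme directory. $1 = theme dir, $2 = archive path.
# The archive stores paths relative to the themes directory (e.g. dojo/custom.css).
backup_theme() {
    tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Print, one per line, the files present in the archive but missing from the
# theme directory now. Empty output means the upgrade deleted nothing.
# $1 = theme dir, $2 = archive path.
files_lost_since_backup() {
    parent=$(dirname "$1")
    tar -tf "$2" | grep -v '/$' | while IFS= read -r entry; do
        [ -e "$parent/$entry" ] || printf '%s\n' "$entry"
    done
}

# Restore only the lost files, leaving the freshly upgraded theme files alone.
# $1 = theme dir, $2 = archive path.
restore_lost_files() {
    parent=$(dirname "$1")
    files_lost_since_backup "$1" "$2" | while IFS= read -r entry; do
        tar -xf "$2" -C "$parent" "$entry"
    done
}
```

Typical use is `backup_theme wp-content/themes/dojo dojo-before-upgrade.tar` before the upgrade, then `files_lost_since_backup wp-content/themes/dojo dojo-before-upgrade.tar` afterwards; if that prints custom.css or any images, `restore_lost_files` with the same arguments brings them back without overwriting the upgraded theme.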