I think Wordpress is much better now than it was in the past, and is certainly better than
other CMSes I've used in the past, which got hacked every two weeks despite my best
efforts.
I've got a plugin on Wordpress called WSD security which advises on security measures
you can take, such as changing table prefixes from wp_, putting a .htaccess file in the
wp-admin folder, removing/renaming the admin user, and others.
There are a lot of updates on a regular basis (although this obviously depends on how many
plugins and/or themes you have installed), but it's so painless to update that
it's hardly onerous staying up to date! :-)
Paul
Sent from my iPhone
On 22 Feb 2012, at 14:10, "Ian" <ian(a)lovingboth.com> wrote:
Dom Latter said:
- don't install Wordpress unless you can stay
on top of updates 24/7.
A bit cruel given how many websites use WordPress: it's not surprising
that some get hacked. It's been a while since there's been a remote
exploit - the vast majority of problems have been with user rights
escalation, where mere users can behave like admins, so the real
advice is
Don't install WordPress and let anyone you don't trust completely have
an account on it.
Don't have a WP user called 'admin' either - the vast majority of
attempts at WP password hacking try for that one - and add a plugin to
catch and block these anyway.
Quick check at Secunia for WP3: one unpatched vulnerability (attackers
can determine valid user names, but clearly don't), then looking up
the list of patched ones, it's user rights, user rights, attackers
could insert stuff into links with comments (2010), user rights, a
denial of service related to comments (2011), user rights, user
rights, and finally user rights :)
There are quite a few plugins with published issues though, so we
could add 'be careful about which plugins you install'.
Ian
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users