WordPress Security - More On Themes And Plugins
by David Pankhurst - March 26, 2008
Although readers of my report on WordPress security already know about the problems with themes and plugins, it’s still interesting to read about some real world examples of how these can be abused.
- Blogsecurity.net (an excellent security blog and well worth bookmarking) reported on the security flaws of some packages and poorly formed mySQL input. Note this isn’t malicious coding of plugins - it’s just code that hasn’t been checked thoroughly in its inputs. Still, the end result is someone gets access to something they shouldn’t.
- 5thirtyone.com talks about care in downloading themes, explaining how one was hacked. Digging into the malicious code chunk myself, I found that the code goes out and loads a file from one of three sites (logging the visit as well, by the way). Once loaded, the code can be either displayed on the blog, or actually executed.
To get an idea of how bad this last item is, we spend a lot of time keeping people from poking around our sites - here, every page view of WordPress invites someone to drop in ANYTHING and your blog will happily accept it.
So, since plugins and themes are a problem, what do you do?
- Use trusted plugins and themes only. Find the author of the theme and get it directly from his or her site. Or use a trusted site, like themes.wordpress.net
- Scan through the code. If you know PHP, go through the code - if you don’t, get someone else. For plugins, look for unescaped input: code that is taken from the user and displayed on the page without filtering (ideally with a call like htmlentities($x, ENT_QUOTES, 'UTF-8') for echoed output, or mysql_escape_string() for MySQL queries).
- Look for oddities. Even if you don’t know PHP, you can look for code that seems deliberately obtuse, such as eval(base64_decode('5F9C80F12FFAE8B2400528E81B34...')), which is a common way to run code without openly identifying it. If there is hiding going on, the next question is, what for?
- Check everything. Check all the files in a theme or plugin - after all, just because a file doesn’t end in .php doesn’t mean it can’t be loaded and run by another file. So look over everything. And of course if you do find code in a misnamed file, get very suspicious.
- Do your research. A simple Google search on a theme or plugin might yield something - add the word ’security’ to the search and you’ll find out if anyone has talked about it in that context.
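The checklist above can be turned into a first-pass scanner. This is an added example, not code from the original post or from WordPress: it walks a theme or plugin directory and flags the patterns discussed here (eval wrapped around base64_decode, request data echoed or dropped into a SQL string without escaping, and PHP tags in files that don’t end in .php). The sample theme it scans is constructed inline for the demonstration; the regexes are simple heuristics and a hit is a reason to read the file, not proof of anything.

```python
import os
import re
import tempfile

# Heuristics drawn from the checklist: each is (label, compiled regex).
SUSPICIOUS = [
    ("obfuscated eval",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("unescaped echo of request data",
     re.compile(r"\b(echo|print)\s+\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("request data inside a SQL string",
     re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
]
PHP_TAG = re.compile(r"<\?php|<\?=", re.I)

def scan_file(path):
    """Return (path, line number, label) for every suspicious line in one file."""
    findings = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, pattern in SUSPICIOUS:
                if pattern.search(line):
                    findings.append((path, lineno, label))
            # "Check everything": PHP code hiding in a .css, .txt, .inc, etc.
            if not path.endswith(".php") and PHP_TAG.search(line):
                findings.append((path, lineno, "PHP code in a non-.php file"))
    return findings

def scan_tree(root):
    """Scan every file under root; file order is sorted so results are stable."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings

# Constructed sample theme for the demo; the "payload" is a placeholder, not real code.
SAMPLE_FILES = {
    "index.php": "<?php get_header(); ?>\n<h1><?php echo $_GET['title']; ?></h1>\n",
    "functions.php": "<?php\n$q = \"SELECT * FROM wp_posts WHERE ID = \" . $_REQUEST['id'];\n",
    "footer.php": "<?php eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')); ?>\n",
    "style.css": "/* theme styles */\n<?php include('footer.php'); ?>\n",
    "header.php": "<?php echo htmlentities($title, ENT_QUOTES, 'UTF-8'); ?>\n",  # clean
}

def demo():
    """Write the sample theme to a temp dir, scan it, return (file, line, label) tuples."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), n, label) for p, n, label in scan_tree(root)]

if __name__ == "__main__":
    for name, lineno, label in demo():
        print(f"{name}:{lineno}: {label}")
```

Point scan_tree() at an unpacked theme or plugin directory to run it against real files; header.php in the sample shows that properly escaped output produces no hit.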
It’s a shame everyone has to be this paranoid, but as others have reported, someone IS doing it, and there are people who will use any opportunity to get control - so that means YOU have to be vigilant.