Security – The Root of The Issue
Sunday, October 26th
Now I have seen a lot of posts recently about blog security – about users who have been hacked and lost their blog contents because they didn’t back up. On reading these posts I thought two things: one, I need to get some backup software! Two, no-one is discussing the root cause of the issue!
Through my varied searching a few weeks ago, I actually stumbled across a way that some people have been ‘breaking into’ blogs, which would enable them to essentially delete your database. I’m not going to give out the precise details, but let it be known that the information needed to ‘delete’ your database is actually available on Google through a search!
You see, there is one file which is quite crucial to the working of your blog, and that is the wp-config.php file. It contains all the information regarding your database: your username, your password, and where to find it! If an attacker gets hold of this, they can easily take your site down. Even worse, if they are very ‘talented’, they could manipulate your posts to their own ends, possibly placing harmful code on your site.
So what can you do? Well, most of you shouldn’t have to do anything; once uploaded it should be fine. However, there isn’t any harm in taking up a bit of extra security, is there, especially if the unfortunate did happen and someone was somehow given access to your wp-config file. First, make sure that the CHMOD setting (the file permissions) on that file is 640. You can do that via any FTP program by right-clicking on the file and choosing ‘CHMOD’ from the options; a free FTP program is WinSCP. Depending on your hosting provider, you may also be able to do this via some form of cPanel.
A further way to protect your config file is via your .htaccess file. Adding the following to it will stop people from fetching the file through the web server:
# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 the equivalent of the two lines inside the block is "Require all denied")
<files wp-config.php>
order allow,deny
deny from all
</files>
This will protect your config file. To protect your .htaccess file itself, simply replace ‘wp-config.php’ in the ‘<files wp-config.php>’ line with ‘.htaccess’. This will help prevent people getting at your ever-so-important database information! However, I am as yet unable to protect you against lions who have learnt to use the internet…they seem to have skills that are incomparable to humans…we should be scared…so very, very scared.
Dan



That’s pretty interesting stuff, Dan. What does 640 mean, if I may ask? And, isn’t another way to try to stay ahead of the game to make sure we’re always up to date with our software?
Of course you may.
640 is a numeric policy setting. Each digit represents a type of user: owner, group and ‘other’. The number represents their privileges, so in simple terms the higher the number, the more privileges, and vice versa. You can read more about it here. We should try to keep our software up-to-date indeed, but sometimes the ‘hackers’ get in there too soon, sadly!