2009-08-11 Wordpress Security Problem


This was not as serious a security problem as the original announcements made it out to be. However, the procedures below will be useful should any future security problems appear that make it necessary for you to lock down admin access to Wordpress.

The problem was discovered in Wordpress 2.8.3 and earlier releases, and was fixed in Wordpress 2.8.4.

Original Announcement

There is a security problem in Wordpress for which no fix is yet available. Details are here:

If you are using Wordpress in your DirectAdmin account, please seal off admin access as follows. Use either one of the methods below (not both).

After applying either of these procedures, verify that admin access is actually blocked. Also check that visitors to your blog can still view your postings.

To block all admin access

This is quick and easy and requires an ssh login.

Log into your account via ssh, then cd into the 'domains' subdirectory, then cd into the directory whose name is the same as your domain, then cd into public_html. If your domain is example.com, then you should end up in the subdirectory domains/example.com/public_html at this point, relative to your home directory.

Now use the following shell command:

  chmod 000 wp-admin

This denies all access (even to you) to your wp-admin directory. This will prevent all admin logins.

Later, to restore access, the complementary command is:

  chmod 755 wp-admin
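As an added example (not part of the original page), the following POSIX shell functions carry out the two chmod commands above and also do the verification the page asks for, by checking the directory mode rather than assuming the command worked. The function names and the DirectAdmin-style path layout (home/domains/DOMAIN/public_html) are assumptions made for the example; the stand-alone run at the end works on a throw-away copy of that layout so nothing real is touched.

```shell
#!/bin/sh
# Added example, not code from the original page: lock and unlock wp-admin with
# chmod and verify the result. Assumes the DirectAdmin layout
# $HOME/domains/DOMAIN/public_html; home directory and domain are supplied by the caller.

# Path to wp-admin for a given home directory and domain (hypothetical helper).
wp_admin_dir() {
    printf '%s/domains/%s/public_html/wp-admin\n' "$1" "$2"
}

# Return 0 if the directory has mode 000 (no read, write or search for anyone).
# find -prune keeps the test on the directory itself; -perm 000 is an exact match,
# so this is reliable even when run as root, where [ -r dir ] would succeed anyway.
wp_admin_is_locked() {
    [ -n "$(find "$1" -prune -perm 000 -print 2>/dev/null)" ]
}

# Deny all access (the page's "chmod 000 wp-admin"), then confirm it took effect.
wp_admin_lock() {
    chmod 000 "$1" && wp_admin_is_locked "$1"
}

# Restore the usual mode (the page's "chmod 755 wp-admin") and confirm it is open again.
wp_admin_unlock() {
    chmod 755 "$1" && ! wp_admin_is_locked "$1"
}

# Stand-alone demonstration against a temporary copy of the layout (constructed data).
demo_home=$(mktemp -d)
mkdir -p "$demo_home/domains/example.com/public_html/wp-admin"
demo_dir=$(wp_admin_dir "$demo_home" example.com)
wp_admin_lock "$demo_dir"   && echo "locked:   $demo_dir"
wp_admin_unlock "$demo_dir" && echo "unlocked: $demo_dir"
rm -rf "$demo_home"
```

The verification step is the point: a chmod that silently fails (wrong directory, wrong account) leaves the admin pages exposed while you believe they are closed. The page's advice to check the public side of the blog still applies, because some themes and plugins call scripts under wp-admin from public pages and those calls also stop working while the directory is mode 000.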

To allow admin access but add another layer of security

  1. Log into your DirectAdmin control panel.
  2. Go to the menu item: Password Protected Directories.
  3. Go to the menu item: Find a Directory to Password Protect.
  4. Find a directory called “wp-admin”.
  5. Click on “Protect”.
  6. Enter any word, e.g., “Admin”, in the Protected Directory Prompt box.
  7. Enter any username, e.g., “wordpress”, in the Set/Update user box.
  8. Enter any password (twice) in the password boxes.
  9. Check the box labeled “Protection Enabled”.
  10. Click on the Save button.

This should seal off admin access. If all goes well, you will need to enter the directory protection password you selected above to get admin access, before Wordpress will even prompt you for your admin password.

Please check this very carefully, and make sure normal access to your Wordpress blog is not affected.

Once a fix is released, you should upgrade your Wordpress installation. And then, if you wish, you can undo the directory protection by following essentially the same instructions to select the directory, but then leaving the “Protection Enabled” checkbox blank before doing the Save.
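The control-panel steps above configure HTTP Basic authentication on the wp-admin directory. As an added example, not DirectAdmin's or Wordpress's own code, the shell functions below write the equivalent Apache .htaccess and password file by hand, check that the protection is in place, and undo it again, mirroring the "Protection Enabled" checkbox. Assumptions for the example: Apache honours .htaccess files under public_html, the caller supplies a user:hash line produced with htpasswd (the hash in the demonstration is a constructed placeholder), and the password file path is the caller's choice.

```shell
#!/bin/sh
# Added example, not code from the original page or from DirectAdmin: hand-written
# Apache Basic-auth protection for wp-admin. Assumes AllowOverride permits
# AuthConfig in .htaccess and that the web server user can read the password file.

MARKER='# wp-admin protection (added example)'

# Create .htaccess in wp-admin plus the password file it points at.
#   $1 = wp-admin directory   $2 = prompt text (the "Protected Directory Prompt")
#   $3 = user:hash line from htpasswd   $4 = password file path (keep it outside the web root)
wp_admin_protect() {
    dir=$1; prompt=$2; userline=$3; passfile=$4
    printf '%s\n' "$userline" > "$passfile"
    {
        printf '%s\n' "$MARKER"
        printf 'AuthType Basic\n'
        printf 'AuthName "%s"\n' "$prompt"
        printf 'AuthUserFile %s\n' "$passfile"
        printf 'Require valid-user\n'
    } > "$dir/.htaccess"
}

# Return 0 if wp-admin carries a Basic-auth .htaccess that requires a valid user.
wp_admin_is_protected() {
    f=$1/.htaccess
    [ -f "$f" ] && grep -q '^AuthType Basic$' "$f" && grep -q '^Require valid-user$' "$f"
}

# Remove only a .htaccess this example wrote; the marker protects any hand-made one.
wp_admin_unprotect() {
    f=$1/.htaccess
    if [ -f "$f" ] && grep -qF "$MARKER" "$f"; then
        rm -f "$f"
    else
        return 1
    fi
}

# Stand-alone demonstration on a temporary directory (constructed data; hash is a placeholder).
demo=$(mktemp -d)
mkdir -p "$demo/public_html/wp-admin"
wp_admin_protect "$demo/public_html/wp-admin" "Admin" 'wordpress:$apr1$EXAMPLE$notarealhash' "$demo/.htpasswd"
wp_admin_is_protected "$demo/public_html/wp-admin" && echo "protected: $demo/public_html/wp-admin"
cat "$demo/public_html/wp-admin/.htaccess"
wp_admin_unprotect "$demo/public_html/wp-admin" && echo "protection removed"
rm -rf "$demo"
```

Two points a practitioner would check after running this: the password file must be readable by the web server user yet must not be served as content, which is why it belongs outside public_html rather than beside the .htaccess; and a request for /wp-admin/ should now answer 401 before Wordpress shows its own login form, which is exactly the two-layer behaviour the page describes.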

issues/2009-08-11_wordpress_security_problem.txt · Last modified: 2009-08-15 22:21 by admin