2 Simple Tips To Secure Your WordPress Installation And Uploads Directory

Lately, I’ve seen a flurry of WordPress attacks that upload files or alter the WordPress core files to make your sites do things that they really shouldn’t do.

These nefarious tasks can range from using your site to email spam to making your site a billboard for online drug sales and injecting visitors’ browsers with malware. You can imagine that it can be quite tricky to hunt these things down – or even be aware that they are happening if you’re not careful.

So here are a few steps that you can take to ensure that your WordPress site is secure from these attacks. If you manage the server, then you might want to update your httpd.conf and add the following configuration.

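<LocationMatch "wp-content/uploads/.*\.(php\d?|phtml)$">
 # Order/Deny is Apache 2.2 syntax; on 2.4 the equivalent is "Require all denied".
 # Apache documents AllowOverride as effective only in <Directory> sections,
 # so also set it on the <Directory> that covers your uploads path.
 AllowOverride None
 Order Deny,Allow
 Deny from All
</LocationMatch>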

What this does is prevent PHP files in the uploads directory from being accessed from a browser. Our server is configured to allow PHP extensions .php2 through to .php5 as well as .phtml. To prevent any of these from being accessed, I’m using a regular expression to match all of these file types. The AllowOverride directive will prevent any .htaccess files being used as well. If a script has managed to upload files to your server, there’s nothing to stop it from also uploading an .htaccess file that allows access back to the PHP files, so this is necessary.

Because LocationMatch matches against the requested URL, this configuration applies to any location that is matched on any of your websites, unlike the Directory method, which is based on the local file system.
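
A companion check for the rule above, as an added example that is not from the original post: a shell function that lists files under any wp-content/uploads directory with the blocked extensions, plus any .htaccess files there. The function names, the document root argument and the sample tree are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and the
# sample tree are assumptions made for illustration.

# List files under any wp-content/uploads directory that carry the
# extensions the LocationMatch rule blocks (.php, .php0-9, .phtml),
# plus any .htaccess dropped there. One path per line.
audit_uploads() {
    find "$1" -type f -path '*/wp-content/uploads/*' \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \
           -o -name '.htaccess' \) -print | sort
}

# Number of findings, e.g. for a cron job that alerts when it is not 0.
audit_uploads_count() {
    audit_uploads "$1" | wc -l | tr -d ' '
}

# Constructed sample tree so the example runs offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/wp-content/uploads/2024/01" \
             "$d/site1/wp-content/themes/x"
    : > "$d/site1/wp-content/uploads/2024/01/photo.jpg"
    : > "$d/site1/wp-content/uploads/2024/01/cache.php5"
    : > "$d/site1/wp-content/uploads/.htaccess"
    : > "$d/site1/wp-content/themes/x/index.php"
    echo "$d"
}

tree=$(make_sample_tree)
audit_uploads "$tree"      # lists cache.php5 and .htaccess only
rm -rf "$tree"
```

Point audit_uploads at the directory that holds your sites; anything it prints is a file the uploads directory has no reason to contain.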

Another security measure to consider is making the WordPress site read-only. I know that it’s a chore to manually update your site and plugins – but I have seen WordPress core files modified to inject headers and redirect certain requests. This is a complete pain to find, so save yourself the bother.

If you do find that your site is hacked – the first thing that you should try is to reinstall the WordPress core files. If you haven’t made the files read-only, then you can do this by clicking on the Dashboard > Updates link in WordPress and then clicking ‘Re-install Now’. This downloads and installs a fresh version of WordPress over your current core files with no configuration changes.

If you’re still noticing unusual behaviour, then you should try removing unnecessary plugins and themes and checking the wp-config.php file in your site.

If you at least use the above two tips, then the chances of your site being exploited are greatly reduced.

ASpell, PHP and IIS

I’ve been trying to introduce spell checking into my PHP application and have been hitting a small snag. It’s called ASPELL.

For the uninitiated, aspell is a command-line spelling utility to, well, do clever spelling stuff.

In Apache, aspell works wonderfully. In fact, I wouldn’t have even thought that there was a problem. IIS on the other hand has different issues.

It’s easy to ask why I’m running my application on both servers, so I’ll quickly explain that one.

When I’m developing, I use Apache. For me this is an internal facing server which facilitates my needs of having simple-to-use easily editable configurations.

IIS faces the rest of the world because it hosts my email server (Exchange), so I don’t really have a choice about what I have on port 80.

Because of this, I always run demos on port 80 as a lot of sites I work in only have port 80 available, so IIS is the chap.

Anyway, the bottom line is that when aspell wants to run in IIS, you’ll end up with something like the following error on the client browser:

System error: Aspell progrem execution failed ('aspell -a --lang=en_US < C:WINDOWSTEMPasp1FB.tmp 2>&1')
Catchy, eh?

The problem is that the Windows security model is not allowing PHP to use the shell_exec() interface. And quite rightly, too.

To work around this, you must set permissions for cmd.exe in %windir%\system32 to allow your website visitors to run these external applications.

NOTE: Allowing this means that website visitors can theoretically upload scripts that can execute commands on your system. Be very, very careful that you are the only person able to upload scripts. Take all other web-security precautions.

A good idea would be to create a dummy user account solely for the website you have created, and give that user minimal permissions on the server.

Finally, don’t blame me if your system gets hacked!