WordPress security checkup

If you aren’t using the latest version of WordPress, your blog might have been hacked. There’s an attack going on right now that creates and then hides administrator accounts.

You can see if this has happened on your blog by going to the Dashboard and then the Users panel. The number listed in parentheses after Administrators should match the number of actual admins that you have for the blog!

[Image: WP users panel]

If that number is higher than the number of admins for the blog, you probably have hidden users. You could try turning JavaScript off in your browser to see those hidden users.

Then, delete them (if you can) from the panel. I didn’t try this myself, but I think it will work.

Or, you can use MySQL or phpMyAdmin to delete those users from your database. If you don’t remember how to connect to your database, look at the files in your WordPress folder and read the contents of wp-config.php. That file has the database username, password, and host name. You might also need to look at the help or FAQ files for your web host.

In phpMyAdmin, you can find and delete the hidden users by connecting to your database, then browsing the wp_users table. Check the boxes by the wp_users and the email fields (or just check all of them) and then click Browse again. This should show you a list of all the users on your blog.

This is what a row of user data should look like in phpMyAdmin:

[Image: wp_users-sql-good]

This is what a “hidden user” account will look like. It’ll be a name that doesn’t show up in your WordPress Dashboard, and it won’t have an email address in that 5th field. It might be a good idea to delete these users right away.

[Image: wp_users-sql-bad]
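The same check from the command line, as an added example rather than code from this post: a small PHP script (the language WordPress itself is written in) that reads the database credentials out of wp-config.php, lists every account holding the administrator capability, and flags rows with no email address, so you can compare the count with the number on the Users panel without trusting the Dashboard. The script name, the `wp_config_values` and `suspicion_reasons` helpers, and the markup heuristic are my own assumptions; it also assumes the stock `define('DB_NAME', '...')` lines and a `DB_HOST` that is a host name or host:port (not a socket path).

```php
<?php
// find_hidden_admins.php: list every account that holds the administrator
// capability, read straight from the database, so the count can be compared
// with the number shown on the Users panel. Added example, not the post's code.
// Usage, from the WordPress install folder:  php find_hidden_admins.php [wp-config.php]

function wp_config_values($path) {
    // Pull DB_NAME etc. out of wp-config.php with a regex instead of including
    // the file, because including it would load all of WordPress.
    $src = file_get_contents($path);
    if ($src === false) {
        throw new RuntimeException("cannot read $path");
    }
    $out = array('prefix' => 'wp_');
    foreach (array('DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST') as $key) {
        // Assumes the stock  define('DB_NAME', 'value');  form with no quotes in the value.
        $re = '/define\(\s*[\'"]' . $key . '[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]\s*\)/';
        if (!preg_match($re, $src, $m)) {
            throw new RuntimeException("$key not found in $path");
        }
        $out[$key] = $m[1];
    }
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]+)[\'"]/', $src, $m)) {
        $out['prefix'] = $m[1];
    }
    return $out;
}

function connect_db(array $c) {
    // wp-config allows "host:port"; PDO wants the port as a separate DSN field.
    $host = $c['DB_HOST'];
    $port = '';
    if (strpos($host, ':') !== false) {
        list($host, $port) = explode(':', $host, 2);
        $port = ';port=' . $port;
    }
    $dsn = "mysql:host=$host$port;dbname=" . $c['DB_NAME'] . ';charset=utf8';
    return new PDO($dsn, $c['DB_USER'], $c['DB_PASSWORD'],
        array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
}

function administrator_rows(PDO $db, $prefix) {
    // WordPress keeps each user's roles in {prefix}usermeta under the key
    // {prefix}capabilities, as a serialized array like a:1:{s:13:"administrator";b:1;}
    // The prefix comes from your own wp-config.php, which is why it is interpolated here.
    $sql = "SELECT u.ID, u.user_login, u.user_email, u.display_name, u.user_registered
            FROM {$prefix}users u
            JOIN {$prefix}usermeta m ON m.user_id = u.ID
            WHERE m.meta_key = :cap AND m.meta_value LIKE '%\"administrator\"%'
            ORDER BY u.ID";
    $st = $db->prepare($sql);
    $st->execute(array(':cap' => $prefix . 'capabilities'));
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function suspicion_reasons(array $row) {
    $reasons = array();
    if (trim($row['user_email']) === '') {
        $reasons[] = 'no email address (the hidden-user pattern shown above)';
    }
    // Assumed heuristic: a login or display name containing markup is worth a look,
    // since the Users panel only hid these rows while the browser was running script.
    if (preg_match('/[<>]/', $row['user_login'] . $row['display_name'])) {
        $reasons[] = 'login or display name contains < or >';
    }
    return $reasons;
}

$configPath = isset($argv[1]) ? $argv[1] : __DIR__ . '/wp-config.php';
$cfg  = wp_config_values($configPath);
$rows = administrator_rows(connect_db($cfg), $cfg['prefix']);

printf("%d account(s) hold the administrator capability in %susers.\n", count($rows), $cfg['prefix']);
echo "Compare that with the number in parentheses after Administrators on the Users panel.\n\n";
foreach ($rows as $r) {
    $flags = suspicion_reasons($r);
    printf("ID %-4s login=%-20s email=%-30s registered=%s%s\n",
        $r['ID'], $r['user_login'], $r['user_email'], $r['user_registered'],
        $flags ? '  SUSPECT: ' . implode('; ', $flags) : '');
}
```

The script only reads. Once you know which IDs are bogus, the advice in the rest of this post still applies: take the SQL dump first, then remove the account’s row from wp_users and its rows in wp_usermeta (the ones whose user_id matches) by ID rather than by name, since a hidden account’s name may be empty or contain markup.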

I followed Lorelle’s instructions for how to recover from my WordPress blog being hacked. That worked fine:

* I did an XML export from the Dashboard and made sure I knew what that file was named and where I saved it.
* I did an SQL dump of the whole blog (from the mysql command line, but you could do one from phpMyAdmin too), just to make sure I would have everything, and so that I could do some forensics later on the contaminated DB.
* Then I deleted that DB, made a new DB, and saved the information on how to log into it. You could also drop all the tables in the old one, I guess, and keep using it. While you could leave the old DB there, it seems unwise.
* I deleted all the stuff in my WordPress folder on my server. If I’d thought, I would have saved a few custom banners and images first.
* I downloaded the latest WordPress version, 2.8.4, and unzipped it, along with some themes and plugins.
* I then went to the URL for my blog and told the install screen a blog name and my email address, and got a new admin password. Voila, new empty blog.
* Then, from the WordPress Dashboard, I went to Manage and then Import. I imported the XML file as a WordPress import, with its attachments. This brought me all my pages, posts, comments, and so on.

A little tweaking and my blog was as good as new.

[Image: Total Crisis Panic Street Sign] (While Danger is Eminent sometimes, I don’t think that’s what the signmaker meant!)

I think for your average user, who finds upgrading and installing a bit scary, this will seem even more scary. But it’s not bad at all. It just requires you to follow the steps, write down or cut and paste all the information you will need to keep track of:

– one set of info for your web host account
– one set for your SQL database account and phpMyAdmin
– the information for your blog itself, for the WordPress install
– where you’re saving the export file with your blog posts and comments!

In a pinch, if you really mess up in this process, you can get a backup and restore from your web host.

Now, even though I went through this process, I think that someone might potentially write a plugin or script to reveal and delete those hidden users. It might not catch all the modified data touched by those users, though. Spam may already have been inserted into your old posts, or some other havoc wreaked, which you could catch with Exploit Scanner or some other useful tool. The problem with this approach might be that there are multiple versions or exploits based on this security flaw and no one is sure yet if it’s modified core WordPress code or created some other exploitable security hole. So at this point, I think it’s best to do a clean install if you think you can manage it.

If you’re not sure, turn off JavaScript in the browser, go to the Users panel, and delete the people who shouldn’t be admins — at least. And maybe there will be an easier fix in a few days — keep checking the WordPress development blog to see if it says something more useful than “OMG, you dumbass, why didn’t you upgrade right away, never, never, never do that again!” (Thanks… I know… thanks for the lecture, grumpy sysadmin…)

When I did this — and I had to, because “upgrade WordPress to latest version” was not #1 on my to-do list, and a blog of mine got messed with — I had to re-install my plugins and go through the steps to re-create my blog. This goes to show that it’s a good idea to keep a worklog of all the things you’ve done to a blog, or a wiki or any sort of installation, so that you can recreate it from scratch! You can do this on your blog itself, by creating a section in your About page or somewhere else, listing the plugins you use, and when you’ve upgraded, and so on. It is especially useful to share this information on a group blog where you might have more than one administrator. If you haven’t done this you could just be sure to do it next time and then write a really cranky blog post about how you don’t understand how anyone in the world could be so clueless. HA.

Good luck, and here are some more links on the subject!

WordPress Codex FAQ: My site was hacked
Old WordPress Version attack warning: please upgrade
Checking your WordPress security

She's Geeky – Tour of WordPress template code

There were 20 or so people at this talk, including non-programmers and programmers wondering if they should install WordPress, and bloggers and admins already familiar with WordPress. We did a round of introductions:

* Graphic designer interested in what degree of control she could have over a WordPress blog.
* Benay, running a blog connecting seniors with caregivers.
* Collie, looking for help with a WordPress upgrade on a complicated blog. Where is community to find help or pay someone to help? (Collie and others: you might try Heather L. Sanders. Anyone else have recommendations?)
* Person who installed WP to force herself to learn more code. Curious about plugins. Which are most useful?
* Terri – uses WP at her job for blogging, thinking about running her own for personal use.
* Nadine – Installed WP for other people many times. Does a lot of troubleshooting.
* Laura – Has installed and messed with WP many times. Wants to create a template from scratch.
* Stephanie – has an HTML site. Might want a blog.
* Olya – is a blogger. Sometimes has a language barrier while troubleshooting.
* Estella – artist, craisin.com.
* Crystal Marie – adding a blog to her existing web site. Looking at WP and Drupal.
* Beth C – Loves WP. Would like to do more customization.
* Michelle – Is a coder.
* Vee – Blogs for her company. Knows HTML.
* Min – Uses Movable Type, is curious.
* Karen M. – Thinks there might be entrepreneurial opportunities with WP.
* StephanieBamBam – Personal blog

I’ve been using WordPress for several years and administer a group blog. As part of my job, I do tech support for bloggers who run into template problems and quite a few of them use WordPress, so I look at a lot of different templates and help people troubleshoot. (The other part of my job, I munge data, write back end tools and infrastructure-y scripts in Perl, Python, and PHP in an aspiring codemonkey way.)

I started out by saying that WordPress was blogging software that you can either use on wordpress.com, or can download for free and install on your own server or web host. You will need an account somewhere and need to have it clear in your mind that you’ve got a username and password for that server account. In that account you’ll be making a folder where you install WP, and then you’ll have an administrative username and password for the WP admin and blogging interface. You may need to pay attention to this in order to change file permissions and make your theme files writable if you want to edit them from the Theme Editor web interface. This tends to confuse people who aren’t used to web hosting. Also, some people use web hosts which have one-click installs or who install WP for you and then charge to upgrade or maintain it.

We looked at the files and folders in a WP installation. There was some discussion of how you move files around and edit them. (Either from the command line on your server, from the admin interface for theme files, or with FTP; you can download the WP files, and extra themes and modules, to your computer, then upload them to your web host.) It’s a good idea to just look through all the folders, so you know what’s there. You may want to read through the wp-config file. But most of what people deal with is in wp-content, in the themes and plugins folders.

We then looked at the WP administrative dashboard, a bit at Widgets, and then at the Appearance menu and the Theme Editor. I said that editing code in the Theme Editor window sucks. While it’s great for making quick changes, I recommend you edit the files in a text editor that will color code the code and indent it nicely, like vim or TextMate. You can pass code back and forth with other people by putting it into pastebin.com, which will also color code and indent it nicely. Also, it’s amazingly helpful to print out all the template code, and mark it up with pen, and see which bits you can understand; or at least understand more or less what it does.

I explained briefly that anything that looks like a command with parentheses after it, like get_header, is a function and you may need to look for it in functions.php to figure out what’s happening. We looked at index.php for a little bit. It is helpful to read through it. You should be able to mark what is header, what is the content (including “The Loop” which will cycle through your posts), and what’s the footer.

The WordPress Codex is your friend. Here are some great starting points:

* http://codex.wordpress.org/Using_Themes
* http://codex.wordpress.org/Stepping_Into_Templates
* http://codex.wordpress.org/The_Loop

Take a look at your sidebar.php file, header.php, footer.php, and page.php for individual post pages.
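To make the header / content / footer split concrete, here is a minimal index.php, written for this page as an added example rather than taken from the talk or from any particular theme. Every call in it is a standard WordPress template tag (the things that look like commands with parentheses), and the middle section is The Loop; it assumes the theme folder also contains header.php, sidebar.php and footer.php for the matching get_ calls to pull in.

```php
<?php
/*
 * index.php for a minimal theme. Added example, not the talk's own code: it marks
 * the three regions discussed above (header, content with The Loop, footer) so you
 * can find the same pieces when you print out and mark up a real theme.
 * Assumes header.php, sidebar.php and footer.php sit in the same theme folder.
 */
get_header();   // a function: pulls in header.php (look in functions.php or the Codex for unfamiliar ones)
?>

<div id="content">
<?php if ( have_posts() ) : ?>

    <?php while ( have_posts() ) : the_post(); // The Loop: one pass per post on this page ?>
        <div <?php post_class(); ?> id="post-<?php the_ID(); ?>">
            <h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>
            <small><?php the_time( 'F jS, Y' ); ?> by <?php the_author(); ?></small>
            <div class="entry">
                <?php the_content( 'Read more' ); ?>
            </div>
            <p class="postmetadata">
                <?php the_category( ', ' ); ?> |
                <?php comments_popup_link( 'No comments', '1 comment', '% comments' ); ?>
            </p>
        </div>
    <?php endwhile; ?>

    <div class="navigation">
        <div class="alignleft"><?php next_posts_link( 'Older entries' ); ?></div>
        <div class="alignright"><?php previous_posts_link( 'Newer entries' ); ?></div>
    </div>

<?php else : ?>
    <h2>Not found</h2>
    <p>Sorry, nothing matched. Try a search.</p>
    <?php get_search_form(); ?>
<?php endif; ?>
</div>

<?php get_sidebar(); ?>
<?php get_footer(); ?>
```

Two things worth noticing when you read a real theme against this: the tags that start with `the_` print their value directly, while `get_header()`, `get_sidebar()` and `get_footer()` include another file, and sticking to these tags rather than echoing fields out of `$post` yourself keeps WordPress’s own output filtering in the path. page.php and single.php usually look like this file with the else branch trimmed down.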

At some point, I mentioned the site to look for and download WordPress Themes. You can specify whether you want fixed width or floating; one, two, or three columns; and other parameters such as the main color. It is often best to start with a fairly popular theme.

Keep track of customizations you make to the theme you pick, because at some point you will want to upgrade or change it. Make backups.

There was some discussion of plugins as well. All in One SEO Pack (which sounds a bit evil, but which is great since it makes your URLs a bit more human readable as well as search-engine-friendly) had good recommendations. Stats, Sitemaps, and various Flickr or photo plugins were mentioned by bloggers at the session. On the group blog I co-administer, we had written some code to pull in a list of all our plugins onto a static page called “What we use”, which has come in handy many times when we want to recommend useful plugins to other people. (Whoops; when I tried to show this off, I found that our recent upgrade to 2.7 had broken this code.)
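The “What we use” page the group blog keeps, and the worklog idea from the security checkup above, can both be generated from the install itself instead of maintained by hand, so the list cannot drift out of date and is there to rebuild from after a clean reinstall. The following tiny plugin is an added example written for this page, not the group blog’s original (broken) code; `get_plugins()`, `get_option('active_plugins')`, `add_shortcode()` and the `esc_` functions are real WordPress APIs, while the plugin name, file name and shortcode tag are my assumptions.

```php
<?php
/*
 * Plugin Name: What We Use
 * Description: [what_we_use] shortcode that lists the active plugins with their versions.
 *
 * Added example for this page, not the group blog's original code. Save it as
 * wp-content/plugins/what-we-use.php, activate it, then put [what_we_use] on a static page.
 */

function what_we_use_shortcode() {
    // get_plugins() lives in an admin-only include, so load it when rendering the front end.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $all    = get_plugins();                                   // every installed plugin, keyed by its file
    $active = (array) get_option( 'active_plugins', array() ); // files of the ones switched on

    $out = '<ul class="what-we-use">';
    foreach ( $active as $file ) {
        if ( ! isset( $all[ $file ] ) ) {
            continue; // listed as active but its files are gone
        }
        $p    = $all[ $file ];
        // Everything below came from plugin file headers, so escape it before it reaches the page.
        $name = esc_html( $p['Name'] );
        if ( ! empty( $p['PluginURI'] ) ) {
            $name = '<a href="' . esc_url( $p['PluginURI'] ) . '">' . $name . '</a>';
        }
        $out .= '<li>' . $name . ' ' . esc_html( $p['Version'] );
        if ( ! empty( $p['Description'] ) ) {
            $out .= ' <em>' . esc_html( wp_strip_all_tags( $p['Description'] ) ) . '</em>';
        }
        $out .= '</li>';
    }
    $out .= '</ul>';
    // A shortcode returns its markup; echoing it would print in the wrong place on the page.
    return $out . '<p><small>Generated on '
        . esc_html( date_i18n( get_option( 'date_format' ) ) ) . '</small></p>';
}
add_shortcode( 'what_we_use', 'what_we_use_shortcode' );
```

Because the list is built from the live install on every page view, an upgrade that changes a plugin’s version or removes one shows up without anyone editing the page, and the rendered page doubles as the checklist for putting the plugins back after the kind of reinstall described in the security checkup.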

The post template plugin was mentioned for its usefulness and for being able to pick a post or a page and “template-icize” it. This sounded intriguing!

Someone else mentioned that people should be aware that new plugins might break other ones and if you run into trouble, uninstall some plugins and see if that fixes the problem.

Someone else asked if there are good books for learning WordPress theme development or php. I don’t know about books, but php.net is fantastic, and the WP Codex is quite good. The Codex is also editable by its users, so if you use it a lot, make an account, log in, and fix any documentation that’s wrong when you figure out a solution. I also recommended blogging your template or code problems or posting on forums, and then posting the solutions to those problems when you figure them out. This is hard to do sometimes, but the more of us who do it, the better.

When I mention IRC at this conference, my general impression is that people aren’t using it that actively and many people don’t know what it is. People who were techy or coding at all or playing on MUDs or something before the web, or before about 1995 or 96, know what IRC is. For people who learned their stuff or got involved with online worlds after that, it’s much more hit & miss. In any case, I continue recommending people try IRC and hang out in channels on freenode that have to do with the tools or languages they’re using. Here’s some explanation & guidance on IRC and WordPress. Lurk for a while, pick up the culture of the channel, and you might be surprised you can actually answer other people’s questions: when I do this I tend to feel better about asking questions myself.

At some other point I mentioned MAMP again. It’s very handy and easy to install, if you want to run a local web server off your Mac in order to develop and test. While I was doing this hour-long talk, at least two people downloaded and installed MAMP and WordPress and got it running on their laptops.

I enjoyed this session! We didn’t go all that deep, but we covered a lot of ground and people seemed energized by the ideas and possibilities. If you were there, thanks for coming, and let me know how your project turns out!
