Let's say I want to give someone access to the WordPress admin panel so he can edit posts, settings etc.
My question is: is the admin panel in a plain WordPress installation safe, so that the new user won't be able to run any PHP server-side code? He won't be able to install plugins, obviously (no FTP access, chmod +r-w and on all wp folders).
He can put as many JavaScripts into posts as he wants; I know he will be able to hijack my cookies etc., I don't mind. I am asking only about server-side code.
If your WordPress installation is up to date, you are only using plugins from trusted developers, and you have your user roles properly configured for your specific security needs, then yes you can expect WordPress admin to be safe from server side scripting.
Out of the box WordPress ships with user roles that can be modified to your liking. For instance, I'm a super admin of a multisite and can access all sites and network admin, but I don't want my admins to have either. I can set the access level for network admin area, and what sites each admin can access.
This can be further customized to disable things like the theme / plugin editors so you would only be able to manipulate core files from FTP etc. Also, disable the ability to install plugins.
I use a plugin called User Role Editor and Adminimize to control various parts of any role i.e. editor, admin etc. I've also written my own plugin to further customize the user experience.
By default I believe you will find any js or other scripting gets stripped out of the wp editor in pages / posts. You can circumvent this by using a text widget or a plugin I use called HTML Javascript Adder.
Adminimize
User Role Editor
HTML Javascript Adder
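As an added example (not code from the answer above, and not WordPress's own), here is how the constraints just described, no file editing, no plugin or theme installation, and optionally no raw HTML or JavaScript in posts, can be pinned in code rather than clicked through a role editor plugin. The constants and capability names are real WordPress ones; the user login `delegated-admin` and the mu-plugin file name are placeholders chosen for the example.

```php
<?php
// --- wp-config.php ---------------------------------------------------------
// Refuse file-based code changes site-wide, regardless of role.
define('DISALLOW_FILE_EDIT', true);   // hides Appearance > Theme Editor and Plugins > Plugin Editor
define('DISALLOW_FILE_MODS', true);   // also blocks plugin/theme install, upload and update from the admin
// Optional: strip <script> and similar from every user's posts, even administrators.
// Leave this out if, as in the question, client-side JavaScript in posts is acceptable.
define('DISALLOW_UNFILTERED_HTML', true);

// --- wp-content/mu-plugins/limit-delegated-admin.php (hypothetical name) ---
// Belt-and-braces: deny code-related capabilities for one delegated user at
// check time, so nothing has to be edited in the database and the denial
// survives that user being given a different role later.
add_filter('user_has_cap', function (array $allcaps, array $caps, array $args, WP_User $user): array {
    // Login of the person you are delegating to (assumption for this example).
    if ($user->user_login !== 'delegated-admin') {
        return $allcaps;
    }
    $denied = [
        // anything that writes PHP to disk
        'edit_files', 'edit_plugins', 'edit_themes',
        'install_plugins', 'install_themes', 'upload_plugins', 'upload_themes',
        'update_plugins', 'update_themes', 'delete_plugins', 'delete_themes',
        // stop them re-granting capabilities to themselves or a second account
        'edit_users', 'promote_users', 'create_users',
    ];
    foreach ($denied as $cap) {
        $allcaps[$cap] = false;
    }
    return $allcaps;
}, 10, 4);
```

`DISALLOW_FILE_MODS` alone already covers the install/update/upload capabilities; the filter matters when you want one account restricted while you keep updating plugins from the admin yourself. Whatever is done in PHP, the file permissions the question mentions remain the real boundary: a plugin with a bug in its own upload handling does not consult WordPress capabilities at all.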
To be honest this is not something that can be answered here with a cut and dry answer.
As far as I can remember there is not a location where an admin can edit a file, upload a file or enter PHP to be executed.
This does not mean that there are no ways to execute PHP however. As far as we know at present there are no known security vulnerabilities with the current version of Wordpress however only time will tell if this will remain the same. It might be possible for example to exploit a form and enter PHP that can be executed unintentionally. It may also be possible to edit the URI with PHP code that is not sanitized correctly on the server.
Take a look at this site which will show the numerous vulnerabilities that Wordpress has had in the past.
https://wpvulndb.com/wordpresses
I am sure the Wordpress developers did not knowingly release the software with these bugs but yet it happened.
AFAIK by default you can only do that via the template editor.
Now... if you don't allow any file to be modified, in theory there is no other OOTB functionality that allows arbitrary code execution, so it should be safe, BUT...! It's Wordpress, come on... it has always had security issues, and it will continue to do so because it is full of legacy code and it is poorly designed.
Plus, to be honest, you shouldn't make such safety assumptions even for well engineered software.
I had a PHP website which had an "admin.php" page, where I could set some special settings, like activating an infobox, e.g.
Now I am rebuilding my website with TYPO3 and I am asking myself how I can make something like an "admin.php" where I can do settings.
Can someone help me with that? I hope I could explain my issue so you understand it; otherwise please tell me if you didn't get the point of it!
TYPO3 is a Content Management System; the M stands for what you are searching for! As a user with the administrator role, there are multiple modules where you can configure extensions, change the output of things, ....
So it could be the Constant Editor that you are looking for; otherwise ask a more concrete question.
The BackEnd, which you access via domain.tld/typo3/, is the place where all modifications to the FrontEnd output are done. That includes the normal content of text and images or other Content-Elements like plugins, records like news or tt_address, and of course pages to get the structure.
Here an editor also decides the visibility of content.
The BackEnd is also the area where the behaviour of the site is configured, mostly with TypoScript. With TypoScript you can configure the behaviour of Plugins or the general rendering of pages.
Maybe you had all configuration in one admin.php file; in TYPO3 the configuration might be distributed over different places, but as there are very many possibilities to configure, there are also many places to configure.
I just uploaded a WordPress theme onto my website.
I get URL redirects to a website when I am browsing through my website.
The malicious site it links to is clickbank.com.
I have scanned all my files with TAC and Exploit Scanner, but they did not pick up anything.
This picture may help you find the problem (from Entries RSS).
Check functions.php or search for window.location code in the whole project repo.
You can search all code with Notepad++.
While this may not be a direct and final answer, because there are many possibilities:
You may also tell us what your theme or installed plugins are; if they are free for download, we may try.
You seem to be testing on localhost; IMO you may try to eliminate all possible factors first.
Did you install any plugins? If so, did you also test the plugins?
Did you scan your database for this link?
Sometimes this kind of problem also appears from the database side, since some problematic plugin may put those links in the DB; apart from using Exploit Scanner, you might have to check manually once.
After all, did you also try a clean install to test the theme?
In addition, if it is a very WordPress-specific question, you may consider posting on WordPress Stack Exchange.
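Both answers above boil down to "grep the theme and plugin tree for the redirect, then check the database". As an added example, not taken from either answer, here is that grep as a small PHP command-line script, so it runs anywhere WordPress does. It assumes a path to a wp-content directory as its first argument; with no argument it builds a constructed sample tree (one clean template, one footer with an injected redirect, one file using the eval(base64_decode()) shape) in a temp directory and scans that. The indicator list is mine and is deliberately broad: a hit is a place to read, not proof of compromise.

```php
<?php
// Added example, not part of the original answers.
// Usage: php find-redirect-indicators.php /path/to/wp-content
declare(strict_types=1);

// Patterns that merit a manual look in theme/plugin code. Legitimate code uses
// window.location too, so this is a triage list, not a verdict.
const INDICATORS = [
    'js_redirect'  => '/window\.location|document\.location|location\.href\s*=/i',
    'php_redirect' => '/header\s*\(\s*[\'"]Location:/i',
    'obfuscation'  => '/eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)/i',
    'hex_escapes'  => '/(\\\\x[0-9a-f]{2}){8,}/i',   // long runs of \xNN, typical of packed payloads
];

/**
 * Walk $root and return ['relative/file.php' => [[line, indicator, excerpt], ...]]
 * for every .php/.js/.html file that matches at least one indicator.
 */
function scan_tree(string $root): array
{
    $hits = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!preg_match('/\.(php|js|html?)$/i', $file->getFilename())) {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue;
        }
        $relative = substr($file->getPathname(), strlen($root) + 1);
        foreach ($lines as $index => $line) {
            foreach (INDICATORS as $name => $regex) {
                if (preg_match($regex, $line)) {
                    $hits[$relative][] = [$index + 1, $name, trim(substr($line, 0, 80))];
                }
            }
        }
    }
    ksort($hits);   // stable output regardless of directory iteration order
    return $hits;
}

/** Constructed sample tree: one clean file, one injected footer, one packed-looking plugin. */
function make_sample_tree(): string
{
    $root = sys_get_temp_dir() . '/wp-scan-sample-' . getmypid();
    mkdir("$root/themes/demo", 0700, true);
    mkdir("$root/plugins/odd", 0700, true);
    file_put_contents("$root/themes/demo/index.php", "<?php get_header(); the_content(); get_footer();\n");
    // Constructed: a script appended after wp_footer() that bounces visitors elsewhere.
    file_put_contents("$root/themes/demo/footer.php",
        "<?php wp_footer(); ?>\n<script>window.location='http://redirect.example/';</script>\n");
    // Constructed: the eval(base64_decode(...)) shape; the encoded payload is just 'echo 1;'.
    file_put_contents("$root/plugins/odd/odd.php",
        "<?php eval(base64_decode('" . base64_encode('echo 1;') . "'));\n");
    return $root;
}

$root = $argv[1] ?? make_sample_tree();
foreach (scan_tree($root) as $file => $matches) {
    foreach ($matches as [$line, $name, $excerpt]) {
        printf("%-28s line %-4d %-12s %s\n", $file, $line, $name, $excerpt);
    }
}
```

For the database half of the check, the same indicator strings can be searched in wp_options and wp_posts (with WP-CLI, `wp db search 'window.location'`), since a redirect injected by a plugin into a stored option or widget will never show up in a file scan. Comparing core files against the official checksums (`wp core verify-checksums`) removes core itself from the list of suspects before you start reading theme code.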
There are thousands of plugins and themes available at wordpress.org and many other third parties. There is every possibility of bad plugins and themes being uploaded, which once installed could send info about the site to their owner. They could also send the information in wp-config.php (a high security risk).
Please tell me how to protect WordPress sites from this other than by reading the code line by line. Also tell me if plugins and themes at wordpress.org are analyzed by the WordPress developers for threats like this before being made available to the public.
Thank you.
Peace to All....
As with any code you run on your own server(s), WordPress plugins are caveat emptor.
That said, popular plugins have probably had a fair number of eyes on their code, making it unlikely that they're doing something shady. You probably don't need to go over them with a fine-tooth comb before installing them.
Lesser-known/used plugins, however, should probably be looked over before you install them on a site/server that you care about.
WordPress.org does not review every bit of code that goes into plugins - the only time they even do any review at all is when the plugin is initially submitted to the plugin directory, and that's cursory at best (mostly just to avoid spam). A plugin's code can change drastically after it's initially submitted.
Typically I will look at the feedback the plugin received on wordpress.org: What kind of rating does it have? What comments/questions are asked in the 'what others are saying' section?
After making the decision to install the plugin, BACKUP YOUR DATA PRIOR TO THE ACTUAL INSTALLATION.
This is just good practice in any case, whether it's a wordpress core installation, plugin installation, or theme. If something breaks, you will have something to go back to.
Also making sure to keep frequent backups is a must. If you do get infected, you will want a snapshot.
There is a good article about the safety and security of themes that Best Plugins for WordPress put together. Also, you can go some off of the rating given by the community straight from the WordPress plugin site. If you keep with plugins that have a 4-5 star rating and lots of downloads/ratings, you will most likely be OK. However, because this is an open source project, there is really not a 100% way to keep hackers and "bad people" from putting code in what appears to be a good theme/plugin, as you are describing.
In this case, if you have concerns about a theme or plugin, I would always look over the code very carefully and make sure that it all looks good to you. Of course this is always time consuming, and if you are not comfortable with code, this may not be an option. If you have questions about a certain set of plugins/themes, I'm sure if you post them here there are many people that have used the plugin, and maybe the theme, before that can help you out.
From "Best Plugins for Wordpress":
1. TAC (Theme Authenticity Checker) Plugin
A very simple and straightforward plugin that will scan all files within your theme to check for any malicious or unwanted code.
2. Theme-Check Plugin
You may notice that a lot of free themes aren't available directly from WordPress.org; the main reason for this is that most free themes don't pass the tests that WordPress.org subjects them to. This nifty plugin will provide you with all the testing tools you will need to conduct the same tests that WordPress.org does. It's also useful for theme developers who want to make sure their theme supports the latest standards.
3. Exploit Scanner Plugin
This plugin isn't just for themes, it's for your entire site, so it's worth keeping once you've checked out the theme you've decided to use on your site. It scans all files, posts and comments on your site for any possible exploits or anything that looks suspicious. Please note, however, that this plugin will not remove any files.
I'm helping a client with their website (it's manually written using a Dreamweaver template and a ton of quadruple-nested table elements for design. Ouch), and I want to offer them a break from using Dreamweaver to write things.
I was thinking of using Wordpress or a similar CMS to do the job, as Wordpress is clean, fast, and really easy to design for. I've done it a few times, and it's almost as easy as just coding pure HTML.
My main concern is that the site has been hacked a few times before, even though it was pure HTML with no server-side code whatsoever. I can setup a manual Linux server for them, because the hosting company they use is one that I've never heard of.
The site owners are completely technologically impaired, so I don't want to scare them off by showing them a dynamic CMS with tons of features, as they think pure HTML is so much safer, they have to go out of their way to work with it.
I know this is a ton of writing, but what would be the most appropriate CMS for such a setup (hard-coding or dynamically generating content)? I don't want to keep having the person manually write non-standards-compliant quadruple-nested table layouts anymore, but I don't want to be responsible for having their site hacked...
Thanks!
A solution that allows for local editing, and the uploading of only static HTML files, would be the safest way to go. If it's a high-risk site, I would consider staying on that track.
If a site containing only static HTML was hacked, then it was most likely through some problem at the web server or even operating system level; I am not aware of any exploits concerning static HTML resources. Problems usually come up when dynamic languages are involved.
Whatever you do, don't use Wordpress. It is bound to be subject of exploits and attacks simply due to its popularity.
If the site is pure HTML, then the insecurity is in the server, or the connection made between the server and the client.
I'd look into how to make the server more secure before making changes to the site, although doing both is a good idea. CMSs like WordPress use MySQL databases to store posts etc., so that means client -> server connections. A way to make transfers of data more secure is to use https:// instead of vanilla http://. You can redirect using a .htaccess file if need be.
To summarise, I'd look at the server side of things for any vulnerabilities.
James
Wordpress has become a pretty wonderful CMS. If the site is high-risk, you might want to shy away from it, but I haven't had a site that I thought was too high-risk for WP myself. The site should keep up with regular updates and regular backups and there are some security tips that you can follow to help keep it more secure and less of a target.
First, hide WP on the front end.
Add this to your functions.php:
// functions.php: stop WordPress from announcing itself in <head>
remove_action('wp_head', 'wp_generator');      // <meta name="generator" content="WordPress x.y">
remove_action('wp_head', 'rsd_link');          // Really Simple Discovery link (points at xmlrpc.php)
remove_action('wp_head', 'wlwmanifest_link');  // Windows Live Writer manifest link
That will remove default header info that can be searched for by scripts.
Install wp in a directory that will help obscure its location and obscure the admin URL.
Change the name of the wp-content folder to something else and move it outside of the main wp directory. For instance, you could name it "includes" and put it into the root folder, and then links to template files will not have wp-content in them.
On top of that, use a secure host, lock down your files (especially on shared hosting), and you can look at something like vaultpress, but it seems like if you use a solid backup plugin and a good host, that is unnecessary. You can also look at some of the security audit plugins, but don't keep them running after you get feedback.
This code in your wp-config.php file will help to install in a directory and move wp-content outside of it into an "includes" folder:
// wp-config.php: public site at the document root, core files in /admin,
// and the renamed content directory in /includes
define('WP_HOME', 'http://domain.com');                             // public site URL
define('WP_SITEURL', WP_HOME . '/admin');                           // where the core files are installed
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/includes');  // filesystem path of the moved wp-content
define('WP_CONTENT_URL', WP_HOME . '/includes');                    // its public URL
WordPress is good for blogs.
TYPO3 is a good CMS but hard to learn at the start.
Joomla and Drupal can be used as a CMS.
My company is building a platform on top of a heavily extended Drupal core. I have multiple customers who will be using separate instances of this system and will want to customize both the theme and the functionality.
I'm trying to design a system to allow them to add themes and modules, some of which might interact with some of my modules, without giving them access to the actual code. (This isn't open source)
The way that Facebook and Ning do this is to have the developer host their own custom code, and have a callback to it. This won't really work for me, as these sites need the ability to be fully customized, so callbacks for specific integration points don't really work.
One option is to set up a sandbox environment where the custom developers only have access to a couple specific directories to build their themes and custom modules. We could then integrate with git to commit these when they're ready and deploy them with the rest of our code into production. The problem with this setup is that developers have to develop remotely and have to use our source control system.
A more typical setup is to allow the developers to download something to build their custom code against. They can develop locally and use whatever source control practices they already have. As we don't want specific point integrations, I don't think this can be a library that runs against a separate server. The alternative is to download our full core Drupal system and develop locally against that, uploading the custom code when it's ready, but then they would have access to all our code and IP.
Thus the predicament, as I don't think there is any way to effectively obfuscate PHP.
Anyone have any brilliant ideas here?
It sounds like your system is a derivative work of Drupal and thus covered by the GPL. If you distribute the code to your clients, they have all of the rights provided by the GPL, including modifying and redistributing it.
Be aware that distributing obfuscated GPLed code is not allowed. To quote the GPLv2 "The source code for a work means the preferred form of the work for making modifications to it."
Obfuscated code does not comply with this clause of the GPL.
That said, if you really want to provide your clients a way to customize your system you could provide your clients access to the existing Drupal module and theme system but only on your sandbox.
Of course since the modules and themes are PHP and you "don't want specific point integrations" it seems they would have the sort of freedom that would allow them to write a module that reads all of the source code for the rest of your system and then tar it up and send it to themselves.
I think you've painted yourself into a corner by depending on GPL. Keeping your IP private while allowing your clients to extend/customize the system in general ways doesn't really work.
I hope you're aware that Drupal is GPL licensed, be sure to read their licensing FAQ before you start obfuscating.
Why not just create an FTP user for them which can only access /sites/theirsite? What am I missing?