There are thousands of plugins and themes available at wordpress.org and many other third parties. There is every possibility of bad plugins and themes being uploaded, which once uploaded could send info about the site to their owner. They could also send the information in wp-config.php (a high security risk).
Please tell me how to protect WordPress sites from this other than by reading the code line by line. Also tell me if plugins and themes at wordpress.org are analyzed by the WordPress developers for threats like this before they are made available to the public.
Thank you.
Peace to All....
As with any code you run on your own server(s), WordPress plugins are caveat emptor.
That said, popular plugins have probably had a fair number of eyes on their code, making it unlikely that they're doing something shady. You probably don't need to go over them with a fine-tooth comb before installing them.
Lesser-known/used plugins, however, should probably be looked over before you install them on a site/server that you care about.
WordPress.org does not review every bit of code that goes into plugins - the only time they even do any review at all is when the plugin is initially submitted to the plugin directory, and that's cursory at best (mostly just to avoid spam). A plugin's code can change drastically after it's initially submitted.
Typically I will look at the feedback the plugin received on wordpress.org. What kind of rating does it have? What comments/questions are asked in the 'what others are saying' section?
After making the decision to install the plugin, BACKUP YOUR DATA PRIOR TO THE ACTUAL INSTALLATION.
This is just good practice in any case, whether it's a wordpress core installation, plugin installation, or theme. If something breaks, you will have something to go back to.
Also making sure to keep frequent backups is a must. If you do get infected, you will want a snapshot.
There is a good article about the safety and security of themes that Best Plugins for WordPress put together. Also you can go off of the rating given by the community straight from the WordPress plugin site. If you keep with plugins that have a 4-5 star rating and lots of downloads/ratings, you will most likely be ok. However, because this is an open source project, there is really not a 100% way to keep hackers and "bad people" from putting code in what appears to be a good theme/plugin, as you are describing.
In this case, if you have concerns about a theme or plugin, I would always look over the code very carefully and make sure that it all looks good to you. Of course this is always time consuming, and if you are not comfortable with code, this may not be an option. If you have questions about a certain set of plugins/themes, I'm sure if you post them here, there are many people that have used the plugin and maybe the theme before that can help you out.
From "Best Plugins for Wordpress"
1 TAC (Theme Authenticity Checker) Plugin
A very simple and straightforward plugin that will scan all files within your theme to check for any malicious or unwanted code.
2 Theme-Check Plugin
You may notice that a lot of free themes aren't available directly from WordPress.org; the main reason for this is that most free themes don't pass the tests that WordPress.org subjects them to. This nifty plugin will provide you with all the testing tools you will need to conduct the same tests that WordPress.org does. It's also useful for theme developers who want to make sure their theme supports the latest standards.
3 Exploit Scanner Plugin
This plugin isn’t just for themes, it’s for your entire site, so it’s worth keeping once you’ve checked out the theme you’ve decided to use on your site. It scans all files, posts and comments on your site for any possible exploits or anything that looks suspicious, please note however that this plugin will not remove any files.
Related
Some days ago my client's website was hacked by someone.
I have sorted many things, but still the WordPress back-end is not working. I am getting an error:
The exaple.com page isn’t working
example.com is currently unable to handle this request.
500,
The landing page is working but other pages are not.
Please help me if someone has a solution for this.
Some days ago my client's website was hacked by someone.
I have sorted many things, but still the WordPress back-end is not working.
I don't know what you've done to "sort" the problem so far, but if you're going through the system fixing it bit by bit, then you're almost certainly not properly removing the hack. You really need to start from fresh to deal with this, otherwise the hacker will probably still have access.
Firstly, take a snapshot of the site. Now. Get a copy of what you have at the moment and save it somewhere. This will help you if you want to investigate the hack further, and could also be useful for recovery in case you have any data loss from the next steps.
What you need to do next depends on whether you have a backup or not. If you do...
If you had a backup from before the hack, restore the site from that backup.
Once the site is up and running from the backup, install the latest patch release of WordPress.
Check every plugin you've used for security issues. If there are security patches for them, then install them. If a plugin has any known security issues that are not yet patched, then disable the plugin.
Now check your site to see if you've lost any data, e.g. if any CMS pages were modified since the backup date. If there is any data loss, you may need to manually restore it. Hopefully there won't be too much, so this shouldn't take too much work. (It helps if you caught the hack early.)
If you don't have a backup... well, you should have had one! Learn from this and start doing backups for all your sites. But it's too late to fix that now.
Best advice in this case is to re-install WordPress from scratch. Make sure you get the latest version with all current security patches.
Then re-install all your plugins and themes. Make sure none of them have any known security issues.
Then you'll have to manually recover the content from the database. Depending on how big the site is, this could be messy. Use the backup you took of the current site.
Lessons to learn:
Always keep backups.
Install security plugins that can monitor the site for suspicious activity and harden it against hacks.
WordPress has a terrible reputation for security. I suggest teaching yourself how to use an alternative CMS platform (I suggest Joomla), and use that instead for future projects.
I just uploaded a WordPress theme onto my website.
I get URL redirects to a website when I am browsing through my website.
The malicious site it links to is clickbank.com.
I have scanned all my files with TAC and Exploit Scanner, but they did not pick up anything.
This picture may help you to find the problem from Entries RSS.
Check functions.php, or search for window.location code in the whole project repo.
You can search all code with Notepad++.
This may not be a direct and final answer, because there are many possibilities.
You may also tell us what your theme or installed plugins are; if they are free to download, we may try.
You seem to be testing on localhost. IMO you may try to eliminate all possible factors first.
Did you install any plugins? (If so) Did you test the plugins as well?
Did you scan your database for this link?
Sometimes this kind of problem also appears from the database side, since some problematic plugin may put those links in the DB; apart from using Exploit Scanner, you might have to check manually once.
After all, did you also try a clean install to test the theme?
In addition, if it is a very WordPress-specific question, you may consider posting on WordPress Stack Exchange.
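The two answers above boil down to one procedure: search every theme and plugin file for the redirect (window.location) and similar injected code, and then search the database as well, because a plugin can plant the link in post content or option data where a file scanner never looks. The script below is an added example written for this page; it is not code from either answer nor from the TAC or Exploit Scanner plugins. The indicator patterns, the sample files, the placeholder domain evil.example and the in-memory SQLite stand-in for the wp_posts and wp_options tables are all constructed assumptions; on a real site you would point scan_files at the WordPress root and run the same LIKE query against MySQL.

```python
import os
import re
import sqlite3
import tempfile

# Indicators to search for in theme/plugin files. window.location is the redirect
# the answer above suggests searching for; eval() wrapped around a decoder is a
# common way injected PHP hides itself. Both patterns are heuristics chosen for
# this example (assumption), not a complete malware signature set.
FILE_PATTERNS = {
    "js_redirect": re.compile(r"window\.location(?:\.href)?\s*=", re.IGNORECASE),
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
    ),
}


def scan_files(root, patterns=FILE_PATTERNS, extensions=(".php", ".js", ".html")):
    """Walk `root`; return (path relative to root, line number, indicator) for every hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in patterns.items():
                        if pattern.search(line):
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, lineno, label))
    return hits


# (table, id column, text column) for the two places injected links and scripts
# usually end up: post bodies and serialized option/widget data.
DB_TARGETS = (("wp_posts", "ID", "post_content"), ("wp_options", "option_id", "option_value"))


def scan_database(conn, needle):
    """Return (table, row id) for every row whose text column contains `needle`.
    Table and column names come from the constant above, never from user input, so
    interpolating them into the SQL is safe; the needle itself is bound as a parameter."""
    found = []
    for table, id_col, text_col in DB_TARGETS:
        rows = conn.execute(
            f"SELECT {id_col} FROM {table} WHERE {text_col} LIKE ? ORDER BY {id_col}",
            (f"%{needle}%",),
        )
        found.extend((table, row[0]) for row in rows)
    return found


def build_sample_site():
    """Constructed sample tree: a clean theme file, a redirect in footer.php,
    an obfuscated plugin file, and a .txt file that must be skipped."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/demo/functions.php": "<?php\nadd_theme_support('title-tag');\n",
        "wp-content/themes/demo/footer.php":
            '<?php wp_footer(); ?>\n<script>window.location.href = "http://evil.example/go";</script>\n',
        "wp-content/plugins/demo/demo.php": "<?php\n/* Plugin Name: Demo */\neval(base64_decode('aGVsbG8='));\n",
        "wp-content/uploads/notes.txt": "window.location = is mentioned here but .txt is not scanned\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def build_sample_database():
    """Constructed in-memory SQLite stand-in for the MySQL tables; only the columns
    the scan reads are modelled. evil.example is a placeholder domain."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        INSERT INTO wp_posts VALUES (1, '<p>Welcome to our site.</p>');
        INSERT INTO wp_posts VALUES (2, '<p>Read more</p><a href="http://evil.example/go">offer</a>');
        INSERT INTO wp_options VALUES (1, 'siteurl', 'http://localhost');
        INSERT INTO wp_options VALUES (2, 'widget_text', '<script src="http://evil.example/w.js"></script>');
    """)
    return conn


if __name__ == "__main__":
    site = build_sample_site()
    for rel, lineno, label in sorted(scan_files(site)):
        print(f"{label:16} {rel}:{lineno}")
    for table, row_id in scan_database(build_sample_database(), "evil.example"):
        print(f"database         {table} id={row_id}")
```

The file scan reports functions.php as clean, flags footer.php line 2 and demo.php line 3, and ignores the .txt file; the database scan finds the injected anchor in post 2 and the script tag in option 2. Treat every hit as something to read by hand: minified JavaScript and legitimate redirects also match the first pattern, so the scan narrows the search rather than deciding it.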
I almost feel dumb/ignorant for asking but I have never used Wordpress in my life. My primary skill of recent has been developing secure internet/intranet applications in PHP for healthcare companies. Every now and then I get asked to do some personal work for friends or coworkers but don't have the time or willingness to learn something new with my busy schedule.
Recently, I was approached to develop a site for a non-profit education group in which the group would need to update content on a regular basis. A simple CMS should do the trick, and while I've never used it, what if I built the site for them on WordPress? It would give a few of the employees the ability to add and update blog posts and keep new content fresh on the site. The site would also need to maintain a member 'log in' area with security being a top concern, which I have no idea if WordPress is capable of on its own. I have no problem building the latter in straight PHP, but I am curious: is it possible to truly integrate the two?
I would like to build something like this site:
http://tf.dtbaker.com.au/template/child_care/index.html
but add in the security/member only area features they mentioned while keeping the ability for 'blogging'. I recently came across a few hosted CMS providers (such as Surreal CMS http://surrealcms.com/) as a method to manage the CMS aspects but if there are better solutions, I am all ears.
Note: Using WP solely as a subdomain for any blogging aspects is not an option.
Thank you ahead of time.
WordPress is extendable using PHP and their Plugin system. WP has a basic level of user authentication and permission level to handle site management and maintenance. There are plugins available which allow you to implement member only features. Google search for WordPress membership plugin shows up quite a few hits.
Regarding security of WordPress, we have 3 websites running on WordPress for the last 5 years. Security has improved since version 3.x of WP compared to the earlier versions. There are plugins that help from doing things like scan the system for security holes (wrong permissions on files etc.) as well as plugins that claim to make your site more secure. But the best security is really understanding the WordPress system, how it works, and ensuring that the plugins you install are properly tested and vetted before being installed in production.
HTH
It's hard to make a recommendation without knowing the specifics, but if the majority of the functionality of the site has nothing to do with blogging, you'll probably end up spending a lot of time writing plugins to modify the way Wordpress works, and then you'll have to potentially maintain those plugins as the API changes as new versions of Wordpress are released. Since you're dealing with health care companies and a need for security, not upgrading when a new version of Wordpress comes out could potentially be a security risk. You'll probably also find that Wordpress's "blog-centricness" will start to get in your way.
From what you've said in your question, my inclination would be to use a CMS to build the site if I were in your shoes.
That's not to say that you can't use custom themes and plugins to add CMS-like functionality to Wordpress and end up with some nice looking sites. The folks at WooThemes (http://www.woothemes.com/) are doing a darn good job at that from what I've seen, and there are other folks doing the same thing. I just wouldn't go that route if I were you.
How can you start making changes inside a WP theme and then keep track of them for future theme updates?
You can use some sort of version control software like subversion to track updates. Also in terms of just "hacking", it is all based in PHP so you can just drop into your theme and make changes as needed to any of the files as they pertain to what you want to do. For example in order to make any sort of changes to the header, typically you would edit the header.php file.
One way would be a version control system like Subversion.
My experience has shown that it is best to go with a very well developed and customizable theme (occasionally paid) that allows you to make the majority of changes within the theme's settings rather than hard coding them. When the theme is updated by the author, while not impossible, I find it is rare they've butchered something from a previous version. If they did, they'll often offer not only a reason but a possible work-around.
Another thing would be to have a testing environment where you can try out new releases of a theme without risking harm to your live site. Just Google 'wordpress testing environment' and that should point you in the right direction. For the record, I run XAMPP on a spare Windows PC for this process.
Last bit of advice: if you do make any changes to your theme, back the theme files up regularly. In the event something does go haywire, you won't have to design the site from scratch.
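For the case the question raises, edits made directly inside a theme that later receives a vendor update, a lightweight alternative to the Subversion route suggested above is a checksum manifest: record a SHA-256 per file for the theme as shipped, then diff the live copy against it to list exactly which files you touched, and diff the new release against the same baseline to see which of those files the vendor also changed. This is an added example written for this page, not code from any of the answers; the sample theme files, version numbers and manifest path are constructed.

```python
import hashlib
import json
import os
import tempfile


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(theme_dir):
    """Map every file under theme_dir (path relative to it, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(theme_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, theme_dir).replace(os.sep, "/")
            manifest[rel] = file_sha256(path)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Which files changed, appeared or disappeared relative to the baseline manifest."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def update_conflicts(baseline, customized, updated):
    """Files you edited that the vendor's new release also changed: after installing
    the update these are the ones whose edits you must re-apply by hand."""
    mine = set(diff_manifests(baseline, customized)["modified"])
    theirs = set(diff_manifests(baseline, updated)["modified"])
    return sorted(mine & theirs)


def write_tree(files):
    """Create a temporary directory holding the given {relative path: content} files."""
    root = tempfile.mkdtemp(prefix="theme-")
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def build_sample_trees():
    """Constructed sample: the theme as shipped (1.0), your customized copy, and the
    vendor's next release (1.1). Returns the three directory paths in that order."""
    vendor_1_0 = {
        "style.css": "body{margin:0}\n",
        "header.php": "<header>v1</header>\n",
        "inc/widgets.php": "<?php // widgets v1\n",
    }
    customized = {**vendor_1_0, "header.php": "<header>v1 + my logo</header>\n",
                  "custom.css": ".logo{width:120px}\n"}
    vendor_1_1 = {**vendor_1_0, "header.php": "<header>v1.1</header>\n",
                  "style.css": "body{margin:0;padding:0}\n"}
    return write_tree(vendor_1_0), write_tree(customized), write_tree(vendor_1_1)


if __name__ == "__main__":
    base_dir, mine_dir, new_dir = build_sample_trees()
    manifest_path = os.path.join(tempfile.gettempdir(), "theme-1.0.manifest.json")
    save_manifest(build_manifest(base_dir), manifest_path)   # keep this with your backups
    baseline = load_manifest(manifest_path)
    print("my changes:", diff_manifests(baseline, build_manifest(mine_dir)))
    print("re-apply after update:",
          update_conflicts(baseline, build_manifest(mine_dir), build_manifest(new_dir)))
```

Take the baseline manifest the moment you unpack a theme, before editing anything, and store it with the backups the answers above recommend. The same diff against a known-good baseline also tells you, after an incident, which theme files were altered without your knowledge.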
I've used WordPress and Joomla to build a couple of small websites, and done some hacking about to get them running exactly as I want. But both of these, and probably many other PHP CMSs, are subject to a constant barrage of security fixes. I don't have time to test the fixes, make sure my customizations are still working, and roll them out before anyone attacks the site, then do the same thing again a month later; I'll never get anything else done with that kind of overhead.
So my question is: Is there a (preferably PHP) content management system that somehow successfully avoids the constant barrage of security updates and resulting testing/sysadmin work? So I can just work on it when I have time, not keep racing to patch the latest attacks?
Bonus points for having a sane plugin model to make it easier to code against. More bonus points if it provides an easy method to import data from Joomla and/or wordpress.
Thanks
EDIT: As rightly pointed out, avoiding updates entirely is not a sensible goal. Rather, I want to minimize the pain of updates. So what I'm really looking for is:
Easy to adapt and theme in a way that is guaranteed not to break during updates
Simple update process
There is no CMS (no software, for that matter) so secure you never have to update. Developers make mistakes, and new exploits appear. So every CMS should be "subject to a constant barrage of security fixes". If it is not, you should ask yourself about the security policy of the project and the security of your site. See The Open Security Model, Drupal and ExpressionEngine on Security for a related read.
So unless you don't care about the security of your site, you are asking the wrong question. I think it should actually be: is there a CMS that is customizable without modifying core files, so that security updates don't break my customizations? Or: how can I customize a CMS so that security updates don't break my customizations? Security updates usually don't break a (even customized) site, unless the customizations are done the wrong way.
My answer to that new question would be Drupal (including bonus points).
The last versions of WordPress (2.7 branch) have auto update for core and plugins making it really easy to upgrade when a fix is available. The api is also awesome - I've done quite a few WordPress based sites and rarely (if at all) needed to hack the core.
As long as you customize through plugins or themes, and use auto update when a new version is available, you shouldn't have any problem at all.
I like CMS Made Simple, which is written in PHP.
In terms of security, stability and flexible maintenance I suggest the Symfony framework
(see: http://www.symfony-project.org/). It has a lot of plugins, support towards WordPress, Joomla and whatever you need.
See also CakePHP at http://cakephp.org
I really like ExpressionEngine, made by EllisLab; it's based on their open source framework CodeIgniter (which I think is one of the best PHP MVC frameworks).
There is a free version of ExpressionEngine for non-commercial use, which is all I've used, but the paid add-ons and modules look pretty slick.
As for actually, really free, ModX is alright, but has a frankly weird plugin system; that said, I've built a couple of sites on it and been happy with the results.