Security issues in WordPress
1. Author pages
WordPress as a much used content management system always suffers from hacks. These hacks mostly try to login to the admin desktop and inject malware code into wordpress.
To login to WordPress the hackers use a known issue from WordPress, the author request.
Syntax is:
http://www.somedomain.com/?author=x
where x is a number, starting from 1.
If a user with the id exists, WordPress open the author page with all the posts written by this author.
Using this “feature” from WordPress, the hacker is able to get existing user names.
To deny the access to this feature, you can extend your .htaccess file with the following lines:
# No author requests RewriteCond %{QUERY_STRING} ^/?author=([0-9]*) RewriteRule ^(.*)$ http://%{HTTP_HOST}/? [L,R=301]
Every call to http://www.somedomain.com/?author=x is now translated to http://www.somedomain.com/
If you don’t want to show the author pages, add the following lines:
# No author pages RewriteCond %{REQUEST_URI} ^/author/ [NC] RewriteRule ^(.*)$ http://%{HTTP_HOST} [L,R=301]
Every call to http://www.somedomain.com/author/someauthorname is now translated to http://www.somedomain.com/
2. Login error messages
When you login to the WordPress admin page and you have a typing error in the username, the error message from WordPress directly hints you at this problem.
Error Message is something like
If you provide a wrong password, the error message is
So everybody knows when you have entered a valid username but the wrong password.
This means, every hacker gets a feedback if the username he tried is a valid one.
Best and simplest way to disable this is to provide one error message for both login error.
To do this, you only have to insert the following code in your function.php or your own plugin.
add_filter('login_errors', 'your_login_errors'); function your_login_errors($error) { global $errors; $err_codes = $errors->get_error_codes(); if (in_array('invalid_username', $err_codes) || in_array('incorrect_password', $err_codes)) { $error = __('ERROR: Invalid username or incorrect password.'); } return $error; }
So you always get the error message
whether you entered a invalid username or a wrong password.
Keine Kommentare bisher