Repair Damaged WordPress Installation

Posted by on Jul 27, 2012 in php, web development, wordpress, Wordpress Security | 0 comments

Recently one of my close friend’s WordPress sites got attacked and he approached me for a possible solution. After some basic assessment I found that the attacker had accessed the database and deleted the entries from the wp_users table. After restoring the values, the site started working smoothly. This experience was the inspiration for writing this article. Before we start, let’s find the reasons for a possible attack:

  1. Site Hosted on a Vulnerable Server: Most of the time a WordPress site gets attacked just because of a vulnerable server, since WordPress itself is highly secure against various attacks. So running after cheap web hosts isn’t a good decision.
  2. Badly Configured WordPress Installation: Most of the time the site isn’t properly configured in terms of security, which leads to many exploits.

Now let’s consider an attack scenario to understand the topic better:

An attacker first attacks the most vulnerable site hosted on a server. After that he uploads a script known as a shell and tries to traverse the whole server, which results in access to many websites. Most of the time a SymLink attack is used to get access to all the domains hosted on that particular server. This exposes the wp-config.php file of any site using WordPress. The attacker now has access to the database and simply adds a new user or modifies the password of an existing user. Finally he logs into the admin panel, modifies a theme or plugin to include the shell, and thus gains full access.


Securing WordPress Installation

Posted by on Jul 26, 2012 in Online Security Tips, wordpress | 0 comments

Nowadays we can easily set up a blog and start our journey as a blogger, all thanks to WordPress for providing such a wonderful platform for blogging. More than 54% of websites are using WordPress, and the majority of installations are quite vulnerable due to improper configuration. Do we need to become security experts to secure our WordPress installation? The answer is “NO”: we simply need to follow some steps that provide sufficient security. That doesn’t mean the security can’t be breached, because a vulnerability may be present in any component of the website or web server, which in turn can lead to an attack.

The steps to follow are:

Protecting wp-config.php

The most important file of the WordPress installation is wp-config.php, which needs to be protected at any cost.

  1. File Permission: Permission may be changed to 400 or 440.
  2. .htaccess Protection: This provides protection from SymLink attacks.

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
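The file-permission step above as a small audit-and-fix script. This is an added example, not code from the original post: the function names are hypothetical, it assumes GNU `stat` (Linux), and it runs against a constructed temporary file rather than a real install.

```shell
#!/bin/sh
# Added example: audit wp-config.php against the 400/440 modes named above.
# Assumes GNU coreutils stat; all function names are hypothetical.

# Print the octal permission bits of a file, e.g. 644.
wp_config_mode() {
    stat -c '%a' "$1"
}

# 0 = regular file with mode 400 or 440, 1 = mode too open,
# 2 = missing or a symlink (a symlinked config should never be trusted).
wp_config_is_hardened() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 2
    case "$(wp_config_mode "$f")" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# Tighten the mode. 440 suits setups where PHP reads the file through its
# group; 400 suits setups where PHP runs as the file owner.
wp_config_harden() {
    f=$1
    mode=${2:-400}
    case "$mode" in
        400|440) ;;
        *) echo "refusing mode $mode: use 400 or 440" >&2; return 2 ;;
    esac
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    chmod "$mode" "$f"
}

# Constructed demo: a throwaway file standing in for a real wp-config.php.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_cfg="$demo_dir/wp-config.php"
printf '<?php // constructed sample\n' > "$demo_cfg"
chmod 644 "$demo_cfg"

wp_config_is_hardened "$demo_cfg" || echo "before: mode $(wp_config_mode "$demo_cfg") is too open"
wp_config_harden "$demo_cfg" 440
wp_config_is_hardened "$demo_cfg" && echo "after: mode $(wp_config_mode "$demo_cfg") ok"
```

On a real site, point the functions at the installation's own wp-config.php and pick 400 or 440 according to which account PHP runs as.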

Quality and Security: Paradise of Success

Posted by on Jul 24, 2012 in Online Security Tips, programming fundamentals, web development | 0 comments

Recently I attended a two-day workshop on Information Security at my college. The workshop exposed me to various topics of the security domain, out of which my personal favorite was web-based security. Truly speaking, a person needn’t become a hacker to break down a website’s security, since a simple search yields sufficient information to launch an attack.

It would be foolish to say that a website is fully secured and can’t be attacked, because a vulnerability may be present in any component of the website, or the server may be using some outdated components, which can be sufficient to launch an attack. So it becomes very tough for a normal user to determine whether their content is secure or not.

In my last semester, we were taught software engineering, which was quite an interesting subject since it gave great exposure to various topics of software engineering. The most appealing was software quality: if we follow some rules, regulations, standards, etc., then we can drive off many issues on both the functional and non-functional ends.


Review of LABNOL Attack

Posted by on Jul 1, 2012 in Black Day Indian Blogging, Latest News | 4 comments

Hey Folks,

After a long time, I had to spare some time for writing this article, since today became the black day in the history of Indian blogging. The most influential blogging site of India, Digital Inspiration, run by Amit Agarwal, got attacked and all the data was deleted (link). Amit Agarwal is India’s First Professional Blogger and has always been a source of inspiration for all Indian bloggers. His worthy efforts have allowed India to get a place in the worldwide competition of top blogs. I’m really very dejected by this sort of attack 🙁

About the Attack

A few days back, the hacker (Ocim32) injected an adf.ly script into www.labnol.org and generated revenue of $28. The script was removed several times, though the attacker managed to reinsert it. On 27th June, the site was hacked but somehow recovered (link). Finally, on 1st July, the attacker took the extreme step and deleted almost all the websites of the Digital Inspiration Network.

What do we learn?

The main website www.labnol.org was running on WordPress, and DreamHost was the hosting firm. Nothing seems to be wrong in the choice of software and web host. If we look at the insights, WordPress has penetrated the blogging network and the majority of bloggers are using it. Now if a blog of such high repute got compromised, then the warning bells are ringing.

We can’t say that a blog of such value wasn’t using correct security measures. Can we trust WordPress anymore? This is the only question to be asked, since what should we do if something like this happens to us? Every day many websites running on WordPress get targeted by various types of attack. Who is to be held responsible: the hackers or poor security?

We need to form an association for protecting India in the cyber world, or else every day one site or another will be targeted. Apart from that, proper awareness regarding security should be the first priority!

Finally, I would like to say that this event is a sure-shot eye-opener for all the bloggers of India. Now make it a point to secure your sites, since it’s better to secure than to call up a war!


Want to become a Certified PHP Professional?

Posted by on Apr 22, 2012 in php, Software, Tech News, web development | 0 comments

Hello Folks,

Most of you might be aware of PHP and the way PHP has penetrated into the nerves of the internet, so much so that we don’t need words to appreciate it. I personally feel that my own freelancing career has given me huge opportunities offshore, but whenever I approached anyone in my country I always came across the question of where I had learnt PHP. And there wasn’t much appreciation on saying that I learnt on my own, since in India everyone wants a certificate for assurance.

Recently I saw an advertisement for Innobuzz’s Distance Learning Program, which certifies us as a PHP Professional. The course has been designed by experts, and secondly it is highly effective for newbies as well as professionals who are just looking for a certificate.

This program contains videos, presentations, demos and case studies in a GUI-based environment. The course can be simply ordered online and will be delivered to our doorstep. After completion of this course, we need to appear for an online exam, and on clearing it a digital certificate is generated. A hard copy is also delivered to us. Innobuzz is a globally recognized name in IT circles for various training and IT projects, so this certificate will be of great value to anyone who enrolls. The best part about this course is that it comes at a nominal cost of INR 4500 only.

So what are you waiting for? Simply apply for this course and become a Certified PHP Programmer 🙂

Useful Links

1. Innobuzz Website

2. Brochure for Certified PHP Professional Course on Distance Learning

 

 
