[Image: “hardening plugins against acronym attacks” by misterbisson via Flickr]

Before I begin this post I have to make a statement to avoid any misunderstandings – I love WordPress! I strongly believe it to be one of the most versatile platforms for publishing on the web and also one of the most supported. My hat goes off to its developers and community who constantly work on enhancing, improving and what is more important – Securing WordPress!

And while each major release makes it simpler and easier to upgrade, I know from my experience and from talking to many business customers that it sometimes feels as if the decision to use WordPress puts you into a constant upgrade cycle….

An upgrade cycle forced by the need to stay secure and one step ahead of “crackers”. An upgrade cycle whose urgency can be greatly reduced by using some common “Best Practices”, and that is exactly what I want to share today…

WordPress 2.8.6 is a security release that addresses 2 vulnerabilities that can only be exploited by active “registered, logged in users who have posting privileges”.

I highlighted that quote for a reason.

My personal quick investigation showed a few more security releases of WordPress that share a common problem – vulnerabilities that can be exploited by registered users on your blog, or on blogs that have open registration:

  • WordPress 2.8.3 – fixes a privilege escalation issue
  • WordPress 2.8.1 – a small security issue that allows a regular user to see admin pages for plugins they shouldn’t have access to
  • WordPress 2.6.2 – this one is actually an issue with PHP functionality, not with WP itself, but it addresses a problem where “With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.” Not so much a security issue as a major annoyance, but still…
  • WordPress 2.5.1 – this one fixes a more severe issue, identified by CVE-2008-1930, that actually allows remote users to create an account on your blog with administrative privileges.

I’m not going to go any further into release history, as I think I have sufficiently proven my point, which leads to the Best Practice I want to share:

Users And Roles Best Practice for WordPress Security

1. Roles for users on your blog are a great mechanism to help you control who can do what on your blog. If you need users other than your own account on your blog – always follow the principle of least required access privileges.

With the development of community-style blogs, guest bloggers and the popularity of outsourcing, it is important not to give a person more access than they need to complete their task. Refer to the document I linked to above!

2. Disable Open Registration on your blog unless you absolutely must have it, and allow unregistered users to comment on your blog. This practice will apply to 99% of the blogs I know and will help you avoid the rush to upgrade to the latest version of WordPress that addresses an elevation of privileges security problem.

3. If you simply must have open registration, for whatever reason you might have, be sure to pay attention to security releases and upgrade as soon as possible! It is YOUR responsibility to stay secure!
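The three points above can be enforced in code rather than relied on as a setting someone might flip back. The following must-use plugin is an added example written for this post, not code from the original post or from the WordPress project. It uses only standard WordPress APIs (the `pre_option_{$option}` filter, the `users_can_register` and `default_role` options, `get_users()`, `current_user_can()` and the `admin_notices` action); the `notice notice-warning` CSS classes assume WordPress 4.1 or later, and the `lockdown_` function name is my own. Dropping the file into `wp-content/mu-plugins/` pins “Anyone can register” off, pins the default role to Subscriber, and shows administrators a dashboard reminder listing every account that holds more than Subscriber access, so least privilege can be re-checked regularly.

```php
<?php
/**
 * Plugin Name: Lock Down Registration (added example)
 * Description: Enforces "open registration off" and surfaces accounts that hold
 *              more than the Subscriber role. Install under wp-content/mu-plugins/.
 */

// Added example, not part of the original post. Only standard WordPress hooks
// and option names are used; the lockdown_ prefix is a made-up plugin namespace.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run outside WordPress.
}

// 1. Force "Anyone can register" off. The pre_option_* filter short-circuits
//    get_option(), so whatever is stored in the database (or toggled later in
//    Settings > General by an account that should not have been able to) is ignored.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Pin the role given to any account that is still created (e.g. by an admin
//    adding a guest blogger) to the least-privileged built-in role.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Audit helper: map login => roles for every account holding anything beyond
//    Subscriber. This is the list the blog owner should review periodically and
//    trim to the minimum each person needs for their task.
function lockdown_list_elevated_users() {
    $elevated = array();
    foreach ( get_users() as $user ) {
        $roles = array_diff( (array) $user->roles, array( 'subscriber' ) );
        if ( ! empty( $roles ) ) {
            $elevated[ $user->user_login ] = array_values( $roles );
        }
    }
    return $elevated;
}

// 4. Show the audit result only to administrators, and only when someone other
//    than the single owner account holds elevated access.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $elevated = lockdown_list_elevated_users();
    if ( count( $elevated ) <= 1 ) {
        return; // Only the owner account is elevated: nothing to review.
    }
    $lines = array();
    foreach ( $elevated as $login => $roles ) {
        $lines[] = esc_html( $login . ': ' . implode( ', ', $roles ) );
    }
    echo '<div class="notice notice-warning"><p>Accounts with more than Subscriber access: '
        . implode( '; ', $lines ) . '</p></div>';
} );
```

Because the filters run on every `get_option()` call, the Settings > General checkbox may still appear checked while registration is in fact closed; that is the intended behaviour, since the stored value no longer matters. If you genuinely need open registration (point 3 above), remove the first `add_filter` line and keep the default-role pin and the audit notice.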

There are a few more ways to make sure your blog stays secure, by implementing a strategy concept I have called “Triple P Of WordPress Security”, and if you carry out even part of what I share – you can sleep a lot better at night, I promise!

Stay Safe! Be Responsible! Enjoy the great blogging platform we have!

Oh, and don’t forget to comment and tell me what you think!

{SIDE-NOTE} – WordPress 2.8.6 is a simple and safe upgrade in my experience and I implemented it on all my blogs with no issues.