WordPress security under pressure
So there it is: a popular WordPress installation got hacked. Obviously it was an old version which has some security flaws. And yes, there was an update available for WordPress which unfortunately was omitted.
Running WordPress? You’re toast!
Now there is a question in my mind: is WordPress kind of notoriously unsecure as some may think? And what is the solution for these security flaws coming now and then? It seems everybody agrees that there is no 100% secure software. So we must live with the risk of getting hacked? I definitively don’t feel good with this.
Besides, there is alt least one WordPress plugin out there to identify infected blogs (Did I said a plugin to hinder infection? Certainly not.) Plugin solutions may come in handy but they also must be updated and installed on every new WordPress and – as we’ve learned – this may be the common point of failure. So what to do now? Never ever again feel safe with WordPress?
WordPress out-of-the-box security!
What if WordPress would come with security out of the box?
There is a method of filtering incoming data by checking type and length against expected definitions. Only what passes the filter will be let through to the internal code (which may have security flaws). This very blog of mine is running such a filter. Want to see what kind of attacks it catches? Some log file lines:
SSEQ-LIB log file
06.09.2009, 15:46:24, 204.xx.xxx.xxx, [_GET], Global VAR overwrite detected, _SERVERDOCUMENT_ROOT, GET, /index.php, libwww-perl/5.79,
06.09.2009, 18:04:58, 91.xxx.xx.xx, [_GET], p: INT param not INT, 446//index.php?str=http://www.trxxxxxxx.eu/roxx.jpg???, GET, /index.php, libwww-perl/5.803,
All these attacks do not pass the filter, get deleted and cannot harm the WordPress installation. Having a set of those filters being delivered with every WordPress installation, will make sure that even if there is a bug inside the code, attacks will not go that deep but be stopped at the gates.
What is filtering with SSEQ-LIB all about?
Catching the attack before it reaches the application is already implemented in SSEQ-LIB security library. Including the filter into your WordPress installation is as easy as inserting 2 lines of code into „wp-load.php“ (see below)
The filter file contains line by line a filter definition which is to be read this way:
Check a variable name („cat„), coming from „p„ost and „g„et, which has to be an „INT„eger between the interval of „1“ and „9999999„, encode against XSS („true„), escape against SQL-Injection („true„).
// VARIABLE NAME # SOURCE # TYPE # MIN # MAX # XSS # SQL &<br />
cat # pg # INT # 1 # 9999999 # true # true &<br />
p # pg # INT # 1 # 9999999 # true # true &<br />
page_id # pg # INT # 1 # 9999999 # true # true &<br />
m # pg # INT # 1 # 9999999 # true # true &<br />
attachment_id # pg # INT # 1 # 9999999 # true # true &<br />
feed # pg # STR # 1 # 50 # true # true &<br />
I don’t know if you will sleep better after having SSEQ-LIB running on your blog. I do. You may download SSEQ-LIB from here and secure your WordPress blog too. There is also a configured filter file which you should use by default. You may add more filter to improve security. If you do so, send me a copy of it to share it with others.
Download SSEQ-LIB security library+ WordPress filter definition
Create two additional folders on your web server: sseq-lib and sseq-filter.
Put the content of the filter ZIP („wordpress_2.6.x_filter_v.0.3.zip“ or similar) into the folder: sseq-filter
UnZIP the SSEQ-LIB ZIP („sseq-lib_0.7.1.zip“ or similar) and read the „readme.txt“. After that copy the folder sseq-lib out of the ZIP to your web server.
Open the WordPress file „wp-load.php“ and include 2 lines of code. After that the file should look like this:
/** Define ABSPATH as this files directory */
define( 'ABSPATH', dirname(__FILE__) . '/' );
error_reporting(E_ALL ^ E_NOTICE ^ E_USER_NOTICE);
// including SSEQ-LIB
include_once(ABSPATH . 'sseq-lib/seq_lib.php');
// loading and using filter data
On your web server the SSEQ-LIB structure should look like this:
|- sseq-lib<br />
| |<br />
| |- seq_lib<br />
| |- seq_log<br />
| |- seq_dump<br />
|- sseq-filter<br />
|- wp-includes<br />
Testing SSEQ-LIB installation
Now go to your blog and try something like: „http://www.erich-kachel.de/?p=2ATTACK“ and you’ll be redirected to your start page. Now go check the log file on your web server: „sseq-lib/seq_log/log.txt„. You have to do this with your FTP connection because this file should not be reachable through HTTP.
Too much work?
Give WordPress a hint about this security solution. They may think about including SSEQ-LIB by default to guarantee security for longer time than just until the next security release.