Security

You may have seen some recent reports about successful hacker attacks against WordPress sites.

PodHawk users may find the following helpful in making their sites as secure as possible:

  • There is no substitute for a strong password. There are several online facilities which will test your password for you and tell you how strong it is.
  • PodHawk allows you to have a login name (to access your admin pages) which is different from your ‘nickname’ or screen name. Your screen name can be read by anyone who visits your webpage. Make sure that you set a completely different login name.
  • Turn off error messaging (admin settings page). Error messages contain information about the structure of your site. You can always turn error messaging on again temporarily if you encounter a problem.
  • Protect your configuration file by adding the following little .htaccess file in your podhawk/custom directory.
    <Files config.php>
    Order deny,allow
    deny from all
    </Files>
    Test it by using your browser to navigate to [yoursite]/podhawk/custom/config.php. You should get an “access denied” error.
  • The commenting system is an obvious possible route for an attempted SQL injection attack. If you use the Disqus commenting system, the problem belongs to Disqus, not you, as comments are not entered in your database. If you use Akismet, turn off the facility to store spam messages for 14 days. Most comment spam is simply an attempt to insert a link to a porno site in your post, but some may also contain an attempt at malicious code. Don’t take the risk of entering it on your database.
  • Don’t enter any data about your ftp username, password etc in the ftp section of the settings page unless you want to use the Java Applet to upload your audio files. This information has to be stored in unencrypted form in the database, so someone who successfully hacked your site would have access to your ftp settings as well.
  • SQL injection attacks may rely on the attacker knowing the names of the tables in your database. If you are making a new install of PodHawk, the installation programme allows you to insert a ‘database prefix’ (i.e. a string of letters or numbers which will precede the ‘proper’ name of the table). Originally, the idea was to allow you to run more than one PodHawk installation off the same database. But the database prefix can also be a valuable security tool. Without a database prefix, a hacker will know that all your database tables have names which look like “lb_tablename”. If you set a database prefix of, say, “jvx37pv_”, the table names will look like this: “jvx37pv_lb_tablename”, which a hacker is unlikely to be able to guess. So, set a secure database prefix if you are installing PodHawk for the first time.
  • Can you retrofit a database prefix to an existing PodHawk database? Yes, with all the usual warnings about backing up everything first. The SQL command you want has the form
    RENAME TABLE tablename TO newtablename
    Use SQLMyAdmin to run the command; then add the new prefix in the following line in your config.php file:
    "pref" => "[insert your new prefix here]"
    Don’t forget that the ‘lb_’ bit is part of the table name and must be preserved in the new name (so “lb_tablename” becomes “jvx37pv_lb_tablename”, not “jvx37pv_tablename”). If you have a second database user, you will need to change that user’s permissions to refer to the new table names.
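The retrofit procedure above is easy to get wrong by hand when a database has many tables (dropping the ‘lb_’ part, or renaming a table that does not belong to PodHawk). The following is an added example, not PodHawk’s own code: it takes a list of table names (a constructed sample here; on a real database you would get them from SHOW TABLES), plans the renames so that only ‘lb_’ tables are touched and the ‘lb_’ part is kept, emits a single MySQL RENAME TABLE statement that renames them all in one go, and produces the matching "pref" line for config.php. The prefix is restricted to letters, digits and underscore so it cannot break the identifier.

```python
# Added example (not PodHawk's own code): plan the RENAME TABLE statements
# needed to retrofit a database prefix, keeping the original "lb_" part intact.
import re

# Constructed sample: table names as they might appear in an unprefixed
# PodHawk database plus one unrelated table (assumption; use SHOW TABLES on
# your own database to get the real list).
SAMPLE_TABLES = ["lb_entries", "lb_comments", "lb_users", "other_app_data"]

# Only allow characters that are safe inside a MySQL identifier.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_prefix(prefix: str) -> str:
    """Reject anything but [A-Za-z0-9_] and make sure the prefix ends with
    an underscore, so the new names read like jvx37pv_lb_tablename."""
    if not prefix or not PREFIX_RE.match(prefix):
        raise ValueError("prefix must be non-empty and contain only [A-Za-z0-9_]")
    if not prefix.endswith("_"):
        prefix += "_"
    return prefix


def plan_renames(tables, prefix, base="lb_"):
    """Return (old_name, new_name) pairs for every table whose name starts
    with `base`. The base stays part of the new name; other tables are left
    alone so an unrelated application sharing the database is not broken."""
    prefix = validate_prefix(prefix)
    pairs = []
    for name in tables:
        if not name.startswith(base):
            continue  # not a PodHawk table
        pairs.append((name, prefix + name))
    return pairs


def rename_statement(pairs):
    """Build one RENAME TABLE statement (MySQL syntax) renaming every pair.
    A single statement renames all the tables atomically, so the site is
    never left with a half-renamed schema."""
    if not pairs:
        return ""
    clauses = ", ".join(f"`{old}` TO `{new}`" for old, new in pairs)
    return f"RENAME TABLE {clauses};"


def config_line(prefix):
    """The line to put in config.php once the tables have been renamed."""
    return f'"pref" => "{validate_prefix(prefix)}"'


if __name__ == "__main__":
    plan = plan_renames(SAMPLE_TABLES, "jvx37pv_")
    print(rename_statement(plan))
    print(config_line("jvx37pv_"))
```

Run it, paste the printed RENAME TABLE statement into your SQL client after taking a backup, then copy the printed "pref" line into config.php; the second database user’s grants still have to be updated to the new names by hand, as the posting says.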

UPDATE Podhawk 1.5 contains security enhancements which overtake many of the points in this posting. Details here.

PodHawk SVN Repository

I have now activated the PodHawk Subversion repository in SourceForge.net and uploaded the provisional code for PodHawk 1.5. You can check out a copy from the terminal:

svn co https://podhawk.svn.sourceforge.net/svnroot/podhawk podhawk

or browse the code here.

I hope to release PodHawk 1.5 in a few weeks’ time.