WordPress Install File Poses Security Risk

djbaxter

Guest
Important Security Fix for WordPress
By Jeff Starr
Tuesday, May 5, 2009

The other day, my server crashed and Perishable Press was unable to connect to the MySQL database...

The problem that I painfully discovered when my server crashed is that WordPress does not always display the default page for all database-related issues. Apparently, if the database is missing entirely, WordPress assumes that it has not yet been installed and loads the Installation Page.

Yikes! This is exactly what happened when my server crashed, MySQL was unavailable, and the WordPress Installation Page was displayed to over 100 visitors while I scrambled to resolve the issue.

During the event, there were several attempts to assume control of my site through the Installation Page. Fortunately, I was working on the site (via FTP, cPanel, phpMyAdmin, and so on) during the attacks, and was able to terminate an inevitable hostile takeover...

It happened to me, and it could happen to you
To me, this scenario represents an enormous security risk for all currently available versions of WordPress (up to 2.8 at the time of this writing). If WordPress serves up the Installation Page the next time your database goes down, anyone could easily gain full control of your entire server...

A temporary solution, until WordPress does it better
After restoring full functionality to my site, deleting multiple "Hello world!" posts and "About" pages, and removing the newly added Administrator, it was time to prevent this situation from happening again. The easiest way to do this involves deleting, blocking, or modifying the wp-admin/install.php file, which contains the script that generates the Installation Page.

See full post for additional measures
 
My blog developer is working on my blog this weekend and I told him about this.
Luckily he had just read this and already deleted my install file!
He rocks!
 
imwebdev is my WordPress guru and helps me with pretty much anything I need as far as CSS or development of any kind. He's very fast and dependable!!! :)
 
That's good to know, Linda. Hi, imwebdev! :)

One additional caution: Now that WordPress has its own built-in auto-upgrade feature, since they don't warn you to remove the install file after upgrading as for example vBulletin does, we're going to have to remember to delete install.php via FTP after every upgrade.
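An added example, not code from this thread or from Jeff Starr's post: a small POSIX shell script that does the two things discussed above in one step, checking whether wp-admin/install.php is live after an auto-upgrade and, if it is, renaming it out of the way and adding an Apache deny rule so the file stays blocked even if a later upgrade restores it. The WordPress root path passed as the first argument, the `.disabled` suffix and the Apache-only `.htaccess` rule are assumptions of this example (a site on nginx would need an equivalent `location` rule instead).

```shell
#!/bin/sh
# Added example (not from the thread): after a WordPress auto-upgrade, check for
# wp-admin/install.php and neutralize it. Assumes POSIX sh and that $1 is the
# WordPress root directory (e.g. /var/www/html); the .disabled suffix and the
# Apache .htaccess rule below are this example's own choices.

# Returns 0 if the installer script is present and reachable, 1 otherwise.
install_php_is_live() {
  [ -f "$1/wp-admin/install.php" ]
}

# Renames install.php so it is no longer served, then appends an Apache rule
# denying access to install.php (covers Apache 2.2 and 2.4 syntax) so the page
# stays blocked if an upgrade puts the file back. Safe to run repeatedly.
disable_install_php() {
  wproot=$1
  installer="$wproot/wp-admin/install.php"
  htaccess="$wproot/wp-admin/.htaccess"

  if [ -f "$installer" ]; then
    mv "$installer" "$installer.disabled" || return 1
  fi

  # Only add the rule once; -s keeps grep quiet when .htaccess does not exist yet.
  if ! grep -qs 'Files "install.php"' "$htaccess"; then
    cat >> "$htaccess" <<'EOF'
# Block the WordPress installation page (added by disable_install_php)
<Files "install.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
  fi
  return 0
}

# Usage: sh check_install_php.sh /path/to/wordpress
if [ $# -ge 1 ]; then
  if install_php_is_live "$1"; then
    echo "install.php is live under $1/wp-admin; disabling it"
    disable_install_php "$1" && echo "done"
  else
    echo "install.php is not live under $1/wp-admin; adding deny rule anyway"
    disable_install_php "$1" && echo "done"
  fi
fi
```

Run it from cron or right after each auto-upgrade; because the rename and the `.htaccess` rule are both idempotent, running it more often than needed does no harm, and a non-zero exit from `disable_install_php` means the rename failed and the file is still live.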
 
Hi Minstrel!

Yes we will have to ensure it is secured after the auto updates!

If I find any more helpful WordPress security tips, I will let you know.
 