Security issues in WordPress

1. Author pages

WordPress, being a widely used content management system, is a constant target of attacks. These attacks mostly try to log in to the admin dashboard and inject malware into the WordPress installation.

To log in to WordPress, attackers exploit a well-known WordPress behaviour: the author request.

Syntax is:

http://www.somedomain.com/?author=x

where x is a number, starting from 1.

If a user with that ID exists, WordPress redirects to that user's author page (/author/username/), which lists all posts written by this author.

Using this “feature” of WordPress, an attacker can enumerate existing user names.

To deny access to this feature, add the following lines to your .htaccess file (above the # BEGIN WordPress block, so they are evaluated first; mod_rewrite must be enabled, and the standard WordPress block already contains RewriteEngine On):

# No author requests: redirect any request carrying an author=x query parameter to the front page.
# (^|&) also catches author= when it is not the first parameter in the query string.
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
# The trailing ? in the target discards the original query string.
RewriteRule ^(.*)$ http://%{HTTP_HOST}/? [L,R=301]

Every call to http://www.somedomain.com/?author=x is now redirected to http://www.somedomain.com/

If you don’t want to show the author pages at all, add the following lines as well:

# No author pages: redirect /author/... permalinks to the front page.
RewriteCond %{REQUEST_URI} ^/author/ [NC]
RewriteRule ^(.*)$ http://%{HTTP_HOST}/? [L,R=301]

Every call to http://www.somedomain.com/author/someauthorname is now redirected to http://www.somedomain.com/
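As an added example (not part of the original post), the following Python script walks constructed Apache access-log lines and flags client IPs that probe several ?author=x IDs, listing which author archives were actually served to them with HTTP 200; the IP addresses, timestamps and paths are made up for the sample.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the client IP, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTHOR_ID_RE = re.compile(r'[?&]author=(\d+)(?:&|$)')  # the ?author=x probe
AUTHOR_PAGE_RE = re.compile(r'^/author/([^/?#]+)')     # the archive WordPress redirects to

def parse_line(line):
    """Return (ip, path, status) or None when the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('ip'), m.group('path'), int(m.group('status'))

def find_author_enumeration(lines, min_ids=3):
    """Per client IP, collect the distinct author ids probed and the author archives
    actually served with HTTP 200. Only IPs probing at least min_ids ids are reported;
    a non-empty 'disclosed' list means usernames were revealed to that client."""
    ids = defaultdict(set)
    disclosed = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if (m := AUTHOR_ID_RE.search(path)):
            ids[ip].add(int(m.group(1)))
        elif (m := AUTHOR_PAGE_RE.match(path)) and status == 200:
            disclosed[ip].add(m.group(1))
    return {ip: {'ids': sorted(probed), 'disclosed': sorted(disclosed[ip])}
            for ip, probed in ids.items() if len(probed) >= min_ids}

# Constructed sample log: 203.0.113.7 walks ?author=1..4 and is served two author
# archives; 198.51.100.4 follows a single author link and then fetches a stylesheet.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /author/admin/ HTTP/1.1" 200 5120 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /author/editor/ HTTP/1.1" 200 4870 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.88"',
    '203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "curl/7.88"',
    '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:12 +0000] "GET /wp-content/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, info in find_author_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: probed ids {info['ids']}, archives served: {info['disclosed'] or 'none'}")
```

Once both redirect rules above are in place, the /author/ requests in such a trace show 301 instead of 200 and the 'disclosed' list stays empty.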

2. Login error messages

When you log in to the WordPress admin page and mistype the username, the WordPress error message points directly at this problem.

The error message is something like

ERROR: Invalid username.

If you provide a wrong password, the error message is

ERROR: Invalid password for user someusername.

So everyone can tell when a valid username has been entered with a wrong password.

This means every attacker gets feedback on whether the username he tried is a valid one.

The best and simplest way to prevent this is to return one error message for both login errors.

To do this, you only have to insert the following code into your theme's functions.php or into a plugin of your own.

// Replace WordPress's specific login error texts with one generic message.
add_filter('login_errors', 'your_login_errors');
function your_login_errors($error) {
    global $errors; // WP_Error object populated by wp-login.php
    if (!($errors instanceof WP_Error)) {
        return $error;
    }
    $err_codes = $errors->get_error_codes();
    // Unknown username and wrong password get the same text, so neither case can be told apart.
    if (in_array('invalid_username', $err_codes) || in_array('incorrect_password', $err_codes)) {
        $error = __('ERROR: Invalid username or incorrect password.');
    }
    return $error;
}

So you always get the error message

ERROR: Invalid username or incorrect password.

whether you entered an invalid username or a wrong password.