Important Security Fix for WordPress
A couple of weeks ago Jeff Starr of Perishable Press published the post "Important Security Fix for WordPress".
Jeff's server had crashed and all of a sudden his entire website was wide open to a hostile takeover, because people visiting his site were seeing the install.php screen of WordPress!
This is a much-overlooked issue, and there are 3 fixes available to make your WordPress installation a lot safer:
1. delete the wp-admin/install.php file entirely
2. prevent access to your install.php file by adding this code to your .htaccess file:
# PROTECT install.php
<Files install.php>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
3. rename the install.php file to something like install-disabled.php; then create a new install.php file to which you add the following code:
<?php // install.php replacement page: http://perishablepress.com/press/2009/05/05/important-security-fix-for-wordpress/ ?>
<?php header("HTTP/1.1 503 Service Temporarily Unavailable"); ?>
<?php header("Status: 503 Service Temporarily Unavailable"); ?>
<?php header("Retry-After: 3600"); // 60 minutes ?>
<?php mail("your@email.com", "Database Error", "There is a problem with the database!"); // sent on every request to this page ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Error Establishing Database Connection</title>
</head>
<body>
<img src="images/wordpress-logo.png" />
<h1>Error Establishing Database Connection</h1>
<p>We are currently experiencing database issues. Please check back shortly. Thank you.</p>
</body>
</html>
Once this new file is uploaded into the wp-admin folder and your database becomes unavailable, visitors will see a static page instead of the WordPress 5-minute install screen.
Apart from showing the static page, you will also receive an email to inform you that your database is experiencing problems.
Whichever of the 3 solutions you choose, the sooner you fix this, the better!
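To confirm which of the three fixes is actually in place on a server, the following added example (not from Jeff Starr's post or from WordPress) inspects a WordPress directory on disk. It assumes the stock installer can be recognised by its WP_INSTALLING constant, and it also accepts the Apache 2.4 directive Require all denied, which the post does not mention.

```python
import re
import sys
from pathlib import Path

# <Files install.php> ... </Files> block, as in fix 2 of the post.
FILES_BLOCK = re.compile(r'<Files\s+"?install\.php"?\s*>(.*?)</Files>', re.I | re.S)
# "Deny from all" is the post's Apache 2.2 syntax; "Require all denied" is the 2.4 form.
DENY = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
# Assumption: the stock installer defines WP_INSTALLING; a replacement stub does not.
INSTALLER_MARKER = "WP_INSTALLING"


def htaccess_blocks_install(htaccess: Path) -> bool:
    """True if the file has an uncommented <Files install.php> block that denies all."""
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="replace")
    text = re.sub(r"^\s*#.*$", "", text, flags=re.M)  # ignore commented-out lines
    return any(DENY.search(m.group(1)) for m in FILES_BLOCK.finditer(text))


def audit_install_php(wp_root) -> str:
    """Classify wp-admin/install.php: deleted, blocked, replaced or exposed."""
    root = Path(wp_root)
    install = root / "wp-admin" / "install.php"
    if not install.exists():
        return "deleted"       # fix 1
    # A <Files> block in a parent directory's .htaccess also covers wp-admin.
    for htaccess in (root / "wp-admin" / ".htaccess", root / ".htaccess"):
        if htaccess_blocks_install(htaccess):
            return "blocked"   # fix 2
    if INSTALLER_MARKER not in install.read_text(errors="replace"):
        return "replaced"      # fix 3
    return "exposed"           # stock installer, reachable


if __name__ == "__main__":
    # Usage: python audit_install.py /var/www/site1 /var/www/site2 ...
    exposed = False
    for site in sys.argv[1:]:
        status = audit_install_php(site)
        exposed |= status == "exposed"
        print(f"{status:9} {site}")
    sys.exit(1 if exposed else 0)
```

The check reads files only; a .htaccess rule has no effect if the server's AllowOverride setting ignores it, so confirm with a request to /wp-admin/install.php as well.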