After the recent discussion about the hacks used to break into blogs running WordPress, I came up with a few ideas on how to make WordPress more secure.
More security for adding administrators
First of all, I really would like WordPress to have a method that sends an existing administrator an email once a new admin is created. This email has to be verified (by clicking a link inside the email, for example), and only after that has been done is the new admin user allowed to log in and change settings and permissions.
This of course only works if the new user is created via the web interface. If an attacker has rights to the underlying layer, the database, this method is useless.
WordPress Table Names
Which brings me to my second suggestion. Each and every WordPress installation uses tables whose names start with “wp_”. This makes SQL injection easier, because the table names are known in advance. A simple solution is to put a random string in front of wp_ at installation time. Currently the default is just wp_. But what if the default were randomly generated? Each installation would use different table names. So instead of wp_users my users would be in as3202_wp_users.
What about a system that checks once a day what content has been changed on my blog? If, for example, a hacker creates 100 new pages, the system sends me an email in the morning listing all the changes. This gives me a quick overview of what happened and what has been changed. Or I could even tell the system I am on vacation and it should send me an email as soon as any content is altered. This sounds a little like a watchdog :-).
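A minimal version of that watchdog, as an added example that is not from this post or from WordPress itself: it fingerprints rows of the wp_posts table (the two sets of sample rows below are constructed stand-ins for yesterday's and today's query results) and reports which posts were added, removed or changed, mailing only when something actually differs.

```python
import hashlib
from typing import Dict, List

# Constructed sample rows standing in for `SELECT ID, post_title, post_content FROM wp_posts`
# on two consecutive days; the second day contains one edited and one injected post.
POSTS_YESTERDAY = [
    {"ID": 1, "post_title": "Hello world!", "post_content": "Welcome to WordPress."},
    {"ID": 2, "post_title": "About", "post_content": "This is my blog."},
]
POSTS_TODAY = [
    {"ID": 1, "post_title": "Hello world!", "post_content": "Welcome to WordPress."},
    {"ID": 2, "post_title": "About",
     "post_content": "This is my blog. <a href='http://spam.example/'>cheap pills</a>"},
    {"ID": 3, "post_title": "cheap pills", "post_content": "buy now"},
]

def fingerprint(rows: List[dict]) -> Dict[int, str]:
    """Map each post ID to a SHA-256 of its title and body, so the stored
    snapshot reveals *that* a post changed without keeping a copy of it."""
    snap = {}
    for row in rows:
        h = hashlib.sha256()
        h.update(row["post_title"].encode("utf-8"))
        h.update(b"\x00")  # separator so title/body boundaries cannot be shifted
        h.update(row["post_content"].encode("utf-8"))
        snap[row["ID"]] = h.hexdigest()
    return snap

def diff_snapshots(old: Dict[int, str], new: Dict[int, str]) -> Dict[str, List[int]]:
    """Compare yesterday's and today's fingerprints and list post IDs by kind of change."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(i for i in set(old) & set(new) if old[i] != new[i]),
    }

def should_notify(diff: Dict[str, List[int]]) -> bool:
    """Vacation mode: mail only when something actually changed."""
    return any(diff.values())

def build_report(diff: Dict[str, List[int]]) -> str:
    """Plain-text body for the morning email."""
    if not should_notify(diff):
        return "No content changes since the last check."
    lines = [f"{kind}: {', '.join(map(str, ids))}" for kind, ids in diff.items() if ids]
    return "Content changes since the last check:\n" + "\n".join(lines)
```

In a real deployment the previous snapshot would be written to disk after each run and the report handed to the mailer; storing only hashes keeps the snapshot small and harmless if it leaks.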
Of course, it is not all WordPress’ fault. What about faulty plugins? Anybody can create a malicious plugin or even a theme and distribute it. But there I see the webmaster or blog owner as the one responsible.
These are just three ideas that quickly came to mind. I am sure there are many more ideas and things one could use to make WordPress more secure.
What do you think? Do you have your own ideas? Or think mine are crap? Please, share your ideas and thoughts in the comments!
Update: Matt just posted an entry on WordPress.org that explains a little bit what the worm does and that you should always update as soon as possible.
Your suggestion about creating a new admin user email is a good one, but ultimately wouldn’t help. All methods for hacking WordPress inevitably are trying for the goal of executing their own PHP code. Once they can do that, they can bypass any security measure you put in place, including creating admin users without email and such.
Their only goal in creating hidden admin users is to leave themselves a backdoor to be exploited later. If you find the hack, clean up the files, and upgrade the software, you might not notice those hidden admin users in the database. The current exploit even went to the trouble of trying to conceal its new admins on the user interface, using javascript trickery.
Creating a randomized table name prefix might help, but unfortunately straight SQL injection isn’t a common problem anymore with WordPress. The exploits that have been found most often are privilege escalation ones, where a user can gain abilities they should not have, and this then usually results in execution of arbitrary code. A random table prefix won’t help there. Also, it’s a “club” solution, it only protects by the lowest hanging fruit principle. If every blog implemented it, then it’s no longer any good, since the hacker could code around it if necessary.
A notification system would indeed do what you want, but it seems like you’d just get notified after the fact. Also, it really falls into plugin territory. There are security plugins that monitor the filesystem and can notify you of new files and/or file changes on a regular basis. These *would* have caught this hack and notified the user rather quickly. Not sure that should be in core though.
Thanks for your message, Otto.
Yeah, I see your points. I just think there should somehow be a way to block hackers/script kiddies more efficiently.