Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

By Joel Lee, MakeUseOf, February 26, 2013 at 04:31PM

I have a lot of great things to say about WordPress. It’s an internationally popular piece of open source software that allows anyone to start their own blog or website. It’s powerful enough to be extensible by seasoned coders, yet simple enough that tech-illiterate people can still benefit from it. We even have a mini-guide for starting your own WordPress site.

However, as with all Internet-related software, there will always be security holes that need patching. Even when past holes are fixed, new features will inevitably introduce new holes, and then those holes need to be fixed. It’s a process that never ends, which is why it’s so important for you to update your WordPress regularly.

Updating WordPress is the best way to patch the latest WordPress security vulnerabilities. What sorts of security vulnerabilities? Here’s an overview of the most common ones you’ll encounter.

1. Default Admin Account


When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password. Keeping security credentials at their default settings can be a big vulnerability because hackers and crackers will know what those default settings are and, thus, will exploit them with ease.

Actually, this isn’t a problem unique to WordPress. Anything that comes with product-wide default access credentials (such as router logins or phone unlock codes) inherently has this same vulnerability. But while routers and phones usually require your physical presence for mischief, anyone can potentially hack your WordPress site as long as they have the URL.

So what can you do? The easiest solution is to create a new administrator account on your WordPress site and delete the default “admin” account. This leaves no predictability in terms of administrator access.

2. Default Database Prefixes


When WordPress is first installed, the database tables are named with a default prefix of wp_. This is done so that all of the tables remain organized in your database in case you’re working with other software packages in the same database. The wp_ signifies that those specific tables are related to WordPress.

But here’s the catch – if a hacker is attempting to mess with your WordPress site, then this bit of predictability automatically makes him one step closer to tampering with your database tables. By knowing the names of your database tables, a hacker can manually poke at it until he gains access.

Think of it this way. Suppose a thief wants to steal something from your home, but your home is equipped with special doors whose keyholes stay hidden until you call out the right “name” for that door. If the thief knows that your door’s name is “Sandy”, then all he needs to do is pick the lock; but if the thief doesn’t know your door’s name, he first needs to figure that out somehow before he can even start to pick it.

So what can you do? Simple. WordPress allows you to install using a table prefix that is different from the default prefix.

3. Accessible Files & Directories


With any website, the number of files that you actually want users to access is far smaller than the number of files that are necessary to power that website. You may have a lot of function files, class files, template files, configuration files, and more – none of which should be publicly available. The same is true for directories.

Using CHMOD, you can set permissions on various files and directories to prevent unwanted users from accessing sensitive materials. If a user had access to your configuration file, for example, he could tamper with your WordPress settings and break your website. WordPress is vulnerable when your website’s files and directories aren’t secured behind proper permission settings.

So what can you do? I actually had to deal with this problem recently, and the fix isn’t too difficult. Make sure that your WordPress installation is in accordance with the WordPress permission scheme.
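The following audit script is an added example, not code from the article or from WordPress itself. It walks an install and compares each entry against the permission scheme the WordPress Codex recommends (directories 755, ordinary files 644, wp-config.php 440 or 400); the install path at the bottom is an assumption for the demo.

```php
<?php
// Added example (not from the article): audit a WordPress tree against the
// Codex permission scheme. Modes are only changed when $fix is true.

function expected_modes( SplFileInfo $info ) {
    if ( $info->isDir() ) {
        return array( 0755 );
    }
    if ( $info->getFilename() === 'wp-config.php' ) {
        // Holds the database credentials, so it gets the tightest mode.
        return array( 0440, 0400 );
    }
    return array( 0644 );
}

// Returns one report line per mismatch found under $root.
function audit_permissions( $root, $fix = false ) {
    $issues = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        $actual  = $info->getPerms() & 0777;
        $allowed = expected_modes( $info );
        if ( in_array( $actual, $allowed, true ) ) {
            continue;
        }
        // World-writable entries are what let someone plant or edit files,
        // so the report calls those out explicitly.
        $note = ( $actual & 0002 ) ? ' (world-writable!)' : '';
        $issues[] = sprintf( '%s is %04o, expected %04o%s',
            $path, $actual, $allowed[0], $note );
        if ( $fix ) {
            chmod( $path, $allowed[0] );
        }
    }
    return $issues;
}

// Dry run first (assumed install path); pass true as the second argument
// to apply the recommended modes.
foreach ( audit_permissions( '/var/www/html/wordpress' ) as $line ) {
    echo $line, PHP_EOL;
}
```

Ownership matters as much as the mode bits: the web server account should need write access only to wp-content/uploads (and whatever your update method requires), not to the PHP files themselves.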

4. SQL Injections & Hijacking


SQL injections are not unique to WordPress; in fact, they are one of the most common (and destructive) forms of web server attacks in the world. Not familiar with the term? Give my introduction to SQL injections article a quick peek to give yourself a basic understanding of the problem.

In essence, WordPress has had a few SQL injection security holes in its code over the years. Some have been patched while others remain uncovered or undetected. If a hacker gains access to one of these holes, he can inject malicious SQL code into your database, which can be used to steal data or just delete it altogether.

So what can you do? Well, here’s the catch – if you aren’t well-equipped enough to know how to defeat SQL injections, then you probably don’t have the technical know-how for building up a protection in the first place. You can probably look around for WordPress plugins that might address potential injection holes, but most users will simply need to wait for the next WordPress security patch.
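To make the problem concrete for anyone writing or reviewing plugin code, here is an added example (not from the article or from WordPress core) of the same database lookup written the injectable way and the way WordPress’s own `$wpdb` API supports. The function names are assumptions; `$wpdb->prepare()`, `$wpdb->get_results()`, `sanitize_title()` and `wp_unslash()` are real WordPress functions.

```php
<?php
// Added example (not from the article). Assumes it runs inside WordPress,
// where the global $wpdb database object is available.

// Injectable form: the request value is pasted straight into the SQL text.
// A single quote in $slug ends the string literal early, and whatever follows
// is parsed as SQL, so the WHERE clause no longer means what the author wrote.
function lookup_post_vulnerable( $slug ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'";
    return $wpdb->get_results( $sql );
}

// Hardened form: $wpdb->prepare() binds the value as a literal, so quote
// characters in the input can never change the structure of the statement.
// Using {$wpdb->posts} instead of a hard-coded "wp_posts" also respects a
// custom table prefix (section 2 above).
function lookup_post_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s",
        $slug
    );
    return $wpdb->get_results( $sql );
}

// Defence in depth at the input boundary: sanitize_title() reduces the value
// to the characters a slug may contain before it reaches the query at all.
function lookup_post_from_request() {
    $raw  = isset( $_GET['slug'] ) ? wp_unslash( $_GET['slug'] ) : '';
    $slug = sanitize_title( $raw );
    if ( '' === $slug ) {
        return array();
    }
    return lookup_post_safe( $slug );
}
```

The same pattern applies to every plugin you install: a security review of plugin code is largely a search for raw variables inside SQL strings that should have gone through `$wpdb->prepare()`.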

Recommended Plugins

  • WP Security Scan – this plugin will scan your website setup and look for potential security vulnerabilities. It covers all sorts of areas from file permissions to database holes to password management and more.
  • WordPress File Monitor Plus – in case someone has gained access to your site’s file structure, this plugin will let you know. It regularly monitors your system’s files and directories and makes note of any discrepancies.
  • WordPress Firewall 2 – this plugin sets up a metaphorical wall around your site, scanning all inputted data and traffic for malicious intent. It’s pretty good at preventing attacks like SQL injections and other database attacks.
  • Wordfence – Wordfence is something of an all-in-one security suite plugin that includes malicious attack protection, anti-virus scanning, a firewall, and more. Definitely worth a try.

Conclusion

While WordPress may be both open source and widely popular, that doesn’t mean it is without its flaws. WordPress vulnerabilities pop up from time to time, and when one is fixed, another one is usually right around the corner. With careful monitoring and preventative steps, you can minimize the risk that your WordPress site faces.

The post Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of appeared first on MakeUseOf.

Not from The Onion

By Jason Kottke, kottke.org, February 25, 2013 at 10:12PM

The On1on gathers news that seems like it should be from The Onion but isn’t. Like “Russian man busted for cheating on girlfriend when she spots him on the Russian version of google maps with the other woman”, “Accused of being gay, Spanish priest challenges Church to measure his anus”, and “China Bans Reincarnation Without Government Permission”. (via waxy)

Tags: journalism, The Onion

The AR-15 Is A Gadget

By Steve (Editor-In-Chief), The Firearm Blog, February 25, 2013 at 08:59PM


Wired Magazine has published an excellent long form article explaining what the AR-15 is and what it is not to Wired’s geek/tech audience. Jon Stokes, the author, is a gun enthusiast and friend who has published articles on TFB.

From the morning that ArmaLite opened its doors in 1954 to the present, most of the innovation that has gone into the AR-15 has been aimed at making the gun as accurate and pleasurable to shoot as possible. The result is a gun that really is an order of magnitude easier to use effectively than many of the traditional wood-stocked rifles that black-rifle-hating hunters grew up with. For someone who enjoys shooting, a $2,500 AR-15 from a company like Lewis Machine and Tool, Black Rain Ordnance, Daniel Defense, or KAC is like a driving enthusiast sitting behind the wheel of an Italian or German supercar. It’s a revelation, and the experience doesn’t wear off quickly.

Once you have SHOT a very high-end AR-15, it is hard to go back.

The AR-15 Is A Gadget originally appeared on The Firearm Blog on February 25, 2013.

10 Secrets to Locating Non-Patent Prior Art

By Dennis Crouch, Patent Law Blog (Patently-O), February 25, 2013 at 07:07PM

Guest Post by Stuart Soffer, IPriori, Inc.

1. Finding prior art is a ‘degrees of separation problem’:
you are separated from your art by some number of people and connections.

2. Build a timeline

Timelines aid visualizing the evolution of technology and locating the sweet spot of your prior art. Build multiple timelines in parallel (looking like a sheet of music) each line tracking a separate aspect. Possible lines to include are: the prosecution history of each patent; an industry timeline, i.e., the sequence of releases of Microsoft Windows operating systems; corporate history and accused product development; and prior art as you assemble it.

3. Get on the phone

Don’t fear cold-calling. If the patent identifies people, or papers cited look promising, locate and contact the authors to see what materials they maintain, or if they can refer you to others. One search led me to the cell phone number of a CEO, who was on a golf course when I called – he was very helpful in pointing me to the right person.

4. Find the packrats and hoarders – those who build their own collections, either from their career or from interest. These folks exist, but they don’t publicize their collections, the material isn’t indexed, and they may not appreciate visibility. Other sources are estate sales and antique stores, but these are better for proactively building a collection for future use.

5. A by-product of the non-patent prior art search is identification of potential testifying experts. Sign ’em up.

6. Accused ‘infringers’ could have their own prior art

Long established companies, especially those with formal research groups and product evolution, will possibly have their own prior art to current products.

7. Days and weeks matter

Relevant prior art dated mere days or weeks after the effective filing date for a patent is frustrating. This is instructive for parties contemplating filing patent applications: the time you delay filing can come back to haunt you later on with prior art dated a few days earlier. There are instances where the prior art is just a short time after the effective filing date. In one instance the relevant non-patent art was an article in a conference proceeding. Presumably the publication date is the conference date. That date didn’t predate the priority date; however, I researched the date submittals were due for peer review. That date was before the priority date and, under the right circumstances, that can count as prior art.

8. Establish a company historian

One search some years ago led me to the AT&T Corporate Historian. This was an actual position.

9. Multiple search paths and searchers; don’t rely on only one modality. Different searchers don’t get identical results. They come to the problem with different personalities, backgrounds, and preferences in search sources and search techniques. An important search will use more than one searcher or company to get better coverage.

10. Always be on the lookout for prior art

Some searchers continue a search on the understanding that similar requests are likely in the future. Be opportunistic: visit museums or antique stores as you travel. Have a camera to take pictures of artifacts you encounter to aid in recall (easy to do with smartphones).

11. (Bonus) Be aware of domain taxonomies, such as Library of Congress Subject Headings, Medical Subject Headings (MeSH), and ACM Computing Reviews Categories. Build a vocabulary of synonyms with which to vary search queries. Here are some samples:

  • Memory, storage, disk, array, RAM, DRAM, flash
  • Signal, indicator, message, bit, semaphore, indicia, flag
  • Display, window, CRT, VT100, terminal emulator
  • Connected, attached, communicates with
  • Module, program, server, layer, client, abstraction, applet, application

8 TED Talks Videos Under 5 Minutes Long You Want to Watch

By Nancy Messieh, MakeUseOf, February 25, 2013 at 07:01PM

Have five minutes to kill? What better way to spend that time than to watch a fascinating or informative TED Talks video. There’s a lot of great content available to watch on TED, but sometimes you have just a few minutes – and rather than waste that time playing a game or checking your email for the 20th time in two minutes, watch a TED video instead.

We’ve put together a list of eight videos. Just bookmark this post on your phone and you’ll have a short playlist ready to come back to every time that you need a quick distraction, a moment of inspiration or simply want to take a short break from your work.

If you have more than 5 minutes on your hands, be sure to check out our other recommended TED videos – we’ve got something in there for everyone: 4 must-see talks on creativity, inspiration and passion, 5 fascinating TED talks that explore the edge of technology and 6 mind-blowing TED talks about psychology and human behaviour.

Thank You

Counselor and life coach Laura Trice talks about the importance of two very simple little words – “Thank you.” Too often, people don’t feel that they can ask for praise, and won’t ask for a ‘thank you.’ In under 5 minutes, she manages to explain why we resist asking the people around us to thank us and to praise us, why it’s so important that we are honest about the praise we need to hear, and why it’s important to ask the people around us what they want to hear.

The Best Gift I Ever Survived

In under 4 minutes Stacey Kramer will give you goosebumps, inspire you, and make you want to live your life to the fullest. Rather than give away what Stacey has to say, why not just watch the video for yourselves? She describes a ‘gift’ in exquisite detail – and after what seems like 3 very long minutes – she reveals what that gift is. Watch the video to find out what it was.

How To Tie Your Shoes

Did you know that the chances are you’re tying your shoelaces incorrectly? That’s what Terry Moore discovered a few years ago. As he says in the video, “I would have thought that by age 50, one of the life skills I had really nailed was tying my shoes.” It turns out that there are two ways to tie your shoes (and no, it doesn’t involve bunny ears).

Watch the TED talk video, which happens to be TED’s first ever 3-minute talk, to discover the weak and strong forms of tying your shoelaces and how to find out if you did it right.

Why Is ‘x’ The Unknown?

We couldn’t resist adding another Terry Moore video. In this one, he explains how ‘x’ came to be the symbol for the ‘unknown’. As it turns out, it’s all thanks to a bunch of Spaniards who decided to transliterate a word from Arabic into Latin, by way of Greek.

Confused? Watch the video and Moore does a great job of explaining the idea.

A Story Of Mixed Emoticons

You probably wouldn’t imagine that poetry and emoticons can really mix. After all, poetry is a beautiful form of expression, while emoticons are pretty much the complete opposite. Ask any writer and they’ll probably tell you that texting has ruined the art of communication.

And yet Rives, the 2.0 poet, manages to create a touching and sweet story, illustrated with none other than typographical emoticons.

How To Start a Movement

In just over 3 minutes, entrepreneur Derek Sivers is able to break down how to start a movement. His short talk is accompanied by an amusing, illustrative video that proves that all it really takes is two people to get the ball rolling. As Sivers puts it – while it takes a lot of courage to be a leader, it takes even more courage to be the first person who stands up and takes a risk by choosing to follow.

Print Your Own Medicine

Lee Cronin is doing what sounds like the impossible. The chemistry professor is working on a 3D printer that could potentially be used to print your medicine. Using a unique combination of printing objects and molecules (yes, you read that right), you could print chemical components.

While you won’t be able to stop going to the pharmacy just yet, the very fact that your kids could download medicine and print it out, without ever leaving their homes.

Bobby McFerrin Plays The... Audience

As a bonus, here’s a video we discovered through the TED talks website, but that is actually part of the World Science Festival. Bobby McFerrin is best known for his upbeat, optimistic song, Don’t Worry Be Happy. While we’re sure that song can bring a smile to just about anyone’s face, this video can too.

With a deceptively simple method, McFerrin reveals how the human brain is wired to do certain things at the drop of a hat – and that includes turning an auditorium full of people into a single instrument.

Looking for more tips and tricks on how to find and watch the best that TED has to offer? Check out our guide here, and don’t forget to share your favourite short TED talks videos with us in the comments.

The post 8 TED Talks Videos Under 5 Minutes Long You Want to Watch appeared first on MakeUseOf.