Enabling WordPress Automatic Background Updates after using Version Control (svn)

Today I decided to enable automatic background updates on my WordPress blog. Previously I had been using SVN to keep WordPress up to date, but this was a manual process and meant that I could sometimes be a few weeks behind when a security update was released.

Since version 3.7, WordPress has been able to keep itself up to date whenever a new version is released. By default, it only applies minor security releases which theoretically shouldn’t break your blog.

So if, like me, you have previously checked out your WordPress via version control, and you wish to enable auto updates, you will need to follow these steps.

WARNING – THIS WILL REMOVE ALL TRACE OF SVN FROM YOUR WORDPRESS INSTALL, AND WILL MAKE YOUR SCRIPTS WRITEABLE BY THE WEB USER. DO THIS AT YOUR OWN RISK.

First make a backup of your WordPress, in case this goes wrong!

cp -Rp /path/to/wordpress /path/to/wordpressBACKUP

Next remove .svn folders

find /path/to/wordpress -type d -name .svn | xargs rm -rf

To set the permissions to make the files and folders writeable by apache. BE VERY CAREFUL

chown -R apache /path/to/wordpress

Now go to your WordPress admin and install the WordPress Background Update Tester plugin. If all has gone well, all it’s test should pass, and give you an output like the following:

  • PASS: Your WordPress install can communicate with WordPress.org securely.
  • PASS: No version control systems were detected.
  • PASS: Your installation of WordPress doesn’t require FTP credentials to perform updates.
  • PASS: All of your WordPress files are writable.

Has your WordPress been hacked?

There have been a number of vulnerabilities discovered in WordPress since it started, including one earlier this month. They all have pretty much the same objective: to try to get access to your blog in order to post links to their own sites.

In this post I am going to look at ways you can tell if your blog has been hacked, suggest some ways to fix it, and then discuss techniques to prevent being hacked again.

Before we start, the most important thing you can do to prevent being hacked in the future is to regularly update your blog software. The easiest way is to use subversion. I’ve written how to upgrade your blog with subversion in an earlier post.

Symptoms

So firstly, you’ll probably want to find out if your blog has been compromised. There are a few things to look out for:

Unauthorised Admin Users

Disable JavaScript in your web browser, then navigate to the Users page in the WordPress admin panel. If you see some additional administrator users there that you didn’t expect, you have probably been hacked. They sometimes use an e-mail address like [email protected]

Strange Files in the Uploads Folder

Strange files may also appear in your WordPress uploads folder, including ones that have hidden PHP code inside them (try grepping for “events or a cale” or php).

grep -R -l "php" wp-content/uploads/

The files might have random names like:

faceboutique-spot-less-150×150.bak.php
mandseyeshadowpalette.bak
cliniqueblusher_old.jpeg
.wp-cache.cache.php

The uploads folder is writeable by apache, so hackers use this area to save malicious code to your server. They may then include such code as a plugin.

Strange Records in the Database

Check for suspicious data in wp_options by running the following queries:

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE 'active_plugins';

Hackers use the plugin system to include their rogue scripts. You may see some strange files being listed as a plugin. You can delete this row and manually re-activate any plugins via the admin.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  'permalink_structure';

This will show you the permalink structure – the most recent vulnerability modified this so look out for anything abnormal.

SELECT *
FROM  `wp_options`
WHERE  `option_name` LIKE  '_transient_rewrite_rules';

You can delete this row if it exists (it should be rebuilt dynamically)…. it may contain cached

SELECT *
FROM wp_posts
WHERE post_content LIKE  '%iframe%' OR post_content LIKE  '%noscript%' OR post_content LIKE  '%display:%';

This will look for posts that contain iframes, or hidden links.

Fixing a hacked WordPress Installation

The cleanest way is to re-install WordPress, re-import your posts and comments via the import tool and then to copy in any files that you know are safe…

  • Back up your database and site code.
  • Export your posts, comments, tags and categories in a WordPress WXR File (Tools – Export).
  • Set up a new mysql database, username and password. Ensure the user only has access to the WordPress db.
  • Install a fresh copy of the latest version of WordPress (with the correct permissions), and configure it to point at the new db.
  • Delete any files that include PHP from the uploads folder.
  • Import your posts, comments etc from the WordPress WXR XML file. There is an option to get WordPress to fetch image uploads, but I haven’t had that much luck with this. To get it to work, you will need to install your new blog in a parallel location so that it can access the old blog. When I tried, it seemed to grab the files, but not update the location urls in posts, thus requiring a script to update the urls in the db. Instead, you might find it easier to just copy your uploads folder across – but they won’t then show in the media gallery. Neither route seems ideal!
  • Re-install your themes and plugins.
  • Move the old blog to a location outside your web root as a backup, or delete it all together.
  • Set up new WordPress users with secure passwords.

It’s not a fun job!

Securing WordPress

  • Ensure you have the right permissions set on your WordPress scripts. Only the uploads folder should be writeable by the web server.
  • Use a separate database, db username and db password for WordPress.
  • Add an additional layer of authentication above the WordPress admin area, e.g. http authentication in Apache. NB: When I did this, it seemed to stop uploads from working with the flash uploader (gave a HTTP ERROR), so I had resort to using the basic browser uploader.
  • Some people also recommend removing the default “admin” user, and setting up an administrator with a new name – to make it harder to brute force crack your passwords.

Further Information

Here’s some of the pages I read while researching this article….

Mollom beats Akismet at blocking spam

I’ve been using the WordPress Mollom plugin for about 6 months now, and I have say that I’m very impressed. In that time, I can count on one hand the number of spams that have slipped through the net. When I was using Akismet, spam comments were getting through daily.

Here are the stats that Mollom produced for my blog:

mollom-statistics

Which anti-spam plug-ins do you use on your blog? and how successful are they? Let us know by posting a comment!

Install WordPress and WP plugins with Subversion

In my opinion, the best way to install WordPress (WP) is by using subversion (svn). This can also be used to install WP plug-ins. Subversion makes it incredibly easy to upgrade / update when future versions of the software is released. You simply run either svn update or svn switch.

The following instructions assume you have shell access and subversion installed on your system.

WordPress

Installing WordPress with Subversion

Run the following command to check out the WordPress code to your blog directory:

svn co http://svn.automattic.com/wordpress/branches/2.7/ /path/to/blog/

Follow the 5 minute installation instructions, ignoring steps 1 & 5.

Updating WordPress to the latest minor release with Subversion

Navigate to your wordpress installation directory and run:

svn update

Upgrading WordPress to a new major release with Subversion

Navigate to your word press installation directory and run:

svn sw http://svn.automattic.com/wordpress/branches/2.8/

Replacing the repository url with the version you wish to upgrade to.

Plugins

Installing a plugin with svn:externals

If you install WordPress using subversion, it should already be set up with akismet as an svn:external plugin. If you want to install any other plugin this way, just follow these steps:

cd wp-content/plugins
svn propedit svn:externals .

If this command complains about not having an editor set you may need to run something like

export SVN_EDITOR=vim

before trying again. Otherwise, you should now be in your favourite text editor with the svn:externals file open for editing. Add an additional line for the plugin you wish to install. In this example, I’m going to use the Mollom comment spam protection system. The line should look like:

wp-mollom http://svn.wp-plugins.org/wp-mollom/trunk/

Save and exit the text editor, then run:

svn update

This should check out all the plugin files. You can then configure the plugin in the WordPress admin panel.

Updating a plugin with svn

The beauty of using subversion to install your plugins is that it’s a breeze to update them. From your the top level WordPress directory, just run:

svn update

This will update all of your plugins along with your main WordPress installation. If you want to update the plugins on their own, then just run that command from inside the plugins folder.