Tagged - wordpress

New WordPress Permalink Exploit or Hack

Friday, September 4th, 2009

Today I found my permalinks were all screwed up, and guess what, I found another admin had popped up from who knows where. :) It was easy enough to fix once I found this article: http://www.journeyetc.com/2009/09/04/wordpress-permalink-rss-problems/.

I’ve been looking around the net to try and find the actual exploit (milw0rm, packetstorm etc.) but haven’t been able to find it. I’m guessing it’s still private. Hopefully WordPress fixes this issue soon, because from what I’ve read all versions of WordPress are vulnerable right now.

That of course can’t be good, can it? Regardless, I’ve gone through and upgraded everything possible, including plugins and WordPress itself, and I upgraded some things on my server. In the meantime I’m going to look around for anything else that was messed with and change some things :)

Anyone else hit with this?

UPDATE: It seems there was some confusion about which versions of WordPress are affected; you’re safe so long as you’re running 2.8.4. When my blog was attacked, I was running WP 2.8.3. Usually I update right away, but this time I didn’t. That’s what I get for slacking off :)

Switching to permalinks

Saturday, February 28th, 2009

If you haven’t already, you should really switch to permalinks. /?p= URLs are unfriendly and bad for SEO. Go to Settings –> Permalinks, choose the custom structure and set it like this: /%category%/%postname%/

Okay, so at first glance that seems easy enough, right? Well yeah.. Not so much. First of all, I had to enable mod_rewrite in Apache. (Remember, I’m on a VPS.) That wasn’t difficult; you just use the a2enmod command on Ubuntu/Debian systems. With that done, I could use the .htaccess file generated by WordPress to serve up the new fancy URLs. Wait.. My old /?p= links are not being forwarded to the new fancy URLs. Well, a simple plugin called Permalink Redirect solves that issue.

Now comes the real fun. Every time I go to try and access my stats, I get a 404. The stats folder is clearly there, but I cannot access it. So I remove the .htaccess in that folder. I can now access it, but it’s no longer password protected :D I really wasn’t sure if this was caused by ISPConfig or the .htaccess.

So I searched around for quite some time. The solution is simple: when you go to a password-protected area, Apache looks for the 401 and 403 error documents first, before giving you the login prompt. With the new rewrite rules in place, those error requests all land on the WordPress theme. It doesn’t have these error pages, so the resulting error is a 404 Not Found.

Anyway, how do you fix this issue? Simple: add the following lines to the .htaccess file in your root directory.

ErrorDocument 401 /[path_to_file]/myerror.html
ErrorDocument 403 /[path_to_file]/myerror.html

That’s it! Problem solved. I can now access my stats directory with the password, and permalinks are working.
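Putting the pieces together, as an added example rather than the files from the original post: the root .htaccess with WordPress’s standard rewrite block plus the two ErrorDocument lines, followed by the .htaccess inside the protected stats directory. The /stats path, the /errors/myerror.html page and the /etc/apache2/.htpasswd-stats file are assumed placeholders; myerror.html must be a real static file, since an error document that does not exist on disk would itself be rewritten to index.php.

```apache
# ---- Root .htaccess (added example; paths are assumed) ----

# Static error pages for 401/403. Because these files exist on disk,
# the rewrite rules below leave them alone, so the auth challenge is
# not turned into the theme's 404.
ErrorDocument 401 /errors/myerror.html
ErrorDocument 403 /errors/myerror.html

# Standard WordPress rewrite block for /%category%/%postname%/ permalinks.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# Existing files and directories (such as /stats/) are served directly.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# ---- /stats/.htaccess (added example; paths are assumed) ----

# HTTP Basic auth for the stats directory. Keep the password file
# outside the web root so it can never be fetched over HTTP.
AuthType Basic
AuthName "Stats (restricted)"
AuthUserFile /etc/apache2/.htpasswd-stats
Require valid-user
```

Keep the ErrorDocument lines above the WordPress block so they are easy to find after WordPress regenerates its section, and create the password file with htpasswd rather than hand-editing it.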
