| Thread ID: 122699 | 2012-01-08 00:07:00 | Hijacked wordpress site | Chilling_Silence (9) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 1252836 | 2012-01-10 02:10:00 | I'm not sure I follow that logic. / The logic - Windows is always having updates released to fix vulnerabilities right? PHP is too. It doesn't stop the hacking attempts and the updates go on and on....that's what I mean....an endless process. Fix one and there's another along next day... |
pctek (84) | ||
| 1252837 | 2012-01-10 02:15:00 | No, PHP isn't, software that's written using PHP is. Just like "C" isn't having security updates all the time. | Chilling_Silence (9) | ||
| 1252838 | 2012-01-10 05:19:00 | No, PHP isn't, software that's written using PHP is. Just like "C" isn't having security updates all the time. / So, the logic is, PHP is there to develop software. Then it's the responsibility of developers to look carefully at the security of what they're developing - the finished product? |
jcr1 (893) | ||
| 1252839 | 2012-01-10 19:29:00 | Bingo! :) | Chilling_Silence (9) | ||
| 1252840 | 2012-01-10 21:14:00 | Another question if I may? I have it in my mind, that with the likes of programming languages such as c++, where ever the application or website goes then that code is dragged along with it. But with PHP it triggers off a connection to a data base, that holds all sorts of amazing stuff, on a remote server. Is that a fair assessment, or a bit simplistic? |
jcr1 (893) | ||
| 1252841 | 2012-01-10 21:41:00 | Well C is compiled code, PHP isn't. No database required, it's usually used as a server-side scripting language to tell the web server "This is how you display X". So in this instance, PHP is used in WordPress to say "Is the referrer a Google search page?", if yes, then it sends your browser the code for "301 permanently moved". If not, then it displays your website as per normal. It's not quite an apples and oranges comparison between C and PHP, but it's close enough ;) |
Chilling_Silence (9) | ||
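A way to test a site for the referrer-dependent 301 described in the post above, added here as an example and not part of the original thread. It requests the same URL with and without a search-engine `Referer` and compares the answers; `DemoSite`, `start_demo_server` and the `redirect.invalid` target are constructed stand-ins so the check runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx is then raised as HTTPError

def fetch(url, referer=None):
    """One GET, direct (no proxy), returning (status, Location header)."""
    req = urllib.request.Request(url, headers={"Referer": referer} if referer else {})
    opener = urllib.request.build_opener(NoRedirect, urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def referrer_redirect_check(url, referer="https://www.google.com/search?q=test"):
    """Compare a direct visit with one that claims to come from a search page."""
    direct = fetch(url)
    via_search = fetch(url, referer)
    return {"direct": direct, "via_search": via_search,
            "suspicious": direct != via_search and via_search[0] in (301, 302)}

class DemoSite(BaseHTTPRequestHandler):
    """Constructed stand-in that behaves the way the post describes."""
    def do_GET(self):
        if "google." in self.headers.get("Referer", ""):
            self.send_response(301)
            self.send_header("Location", "http://redirect.invalid/")
            self.end_headers()
        else:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"normal page")
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_server():
    server = HTTPServer(("127.0.0.1", 0), DemoSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_port

if __name__ == "__main__":
    server, url = start_demo_server()
    print(referrer_redirect_check(url))
    server.shutdown()
```

Pointed at your own site's URL instead of the demo server, a `suspicious` result of `True` means search visitors are being sent somewhere direct visitors are not.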
| 1252842 | 2012-01-11 00:20:00 | Thanks Chill. I'd like to learn a bit more about programming, instead of just copying and pasting simple HTML etc. Especially since I now am not involved so much with community stuff; gives me more thinking time. I mentioned WordPress vulnerabilities to my son in the UK - without being too specific about the contents of this thread, so his reply is I guess, generalisations. "The issue of WordPress security is generally down to poor setup, it's easy to just set dirs to 777 rather than apply the right groups etc. I use WP and have no real issues with it.........." He has offered to help me with a bespoke site, if I want to ditch WordPress and I guess he might feel that's the way I possibly should go, as he has said that WP is not ideal for displaying photo albums. Although, in saying that, I got around that one by simply just linking to my jalbum albums from links in the WP sidebar (widgets). Phew, this thread has got me thinking. |
jcr1 (893) | ||
| 1252843 | 2012-01-11 01:14:00 | Yeah luckily I've set up a number of them. You've *got* to have write access to certain files to be able to modify them when you install things like plugins etc, or in the case of one of the sites we had to modify the headers and things in order to install flowplayer for video hosting / streaming. PHP's actually a *real* cool and flexible language, combined with some basic HTML knowledge and I find it makes web dev a whole lot easier and more powerful! |
Chilling_Silence (9) | ||
| 1252844 | 2012-01-11 04:20:00 | My son is actually a bit of a fan of PHP, has been since his AUT days. He was actually quite surprised at "Kev the computer guy"'s attitude to the thought that I might want a LAMP server (I guess he's got enough to think about with guiding people like me through building a secure server). That database setup stuff though, it's a study all in itself, let alone PHP and Apache. For a few years I've been using software, on various servers, and more recently on my Synology NAS, called "Simple Invoices", which needs a LAMP setup. So I've installed it, and used it, but feel I lack understanding - but it works :eek: As regards permissions, WP, on my server is 755 and that applies to the major folders such as admin, content and includes but drops to 644 on index.php and 666 on config.php. So, it appears it's more secure than the example of 777 that Steve was using. I just wonder if I should tighten it up a bit more with making its group root, instead of www-data. Mind you I wouldn't want to muck up anything I can do with Filezilla (sftp); I can always change it back I guess - Webmin is pretty cool :thumbs: Another question, yet again (I hope I'm not too tedious here), Chill, have you done anything with Apache rewrite rules? I want to simplify the web address for the WordPress site and Steve reckons I can do it using the above i.e. simpler web address for the whole world (well family members I chose anyway) and I know what the real address is. |
jcr1 (893) | ||
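A permission audit for the modes mentioned in the post above (755 folders, 644 on index.php, 666 on the config file, and the 777 example), added here as an example and not part of the original thread. It walks a WordPress tree and reports anything writable by every user on the server; the sample tree, the `wp-config.php` file name and the stricter "readable by all users" check on config files are assumptions of this example.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (relative path, octal mode, finding) for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                # 666 / 777: any local account or compromised script can modify it
                findings.append((rel, format(mode, "03o"), "world-writable"))
            elif name.endswith("config.php") and mode & stat.S_IROTH:
                # config files hold the database password
                findings.append((rel, format(mode, "03o"), "config readable by all users"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: a temp directory using the modes quoted in the thread."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for d, mode in [("wp-admin", 0o755), ("wp-content", 0o755),
                    ("wp-includes", 0o755), ("wp-content/uploads", 0o777)]:
        os.makedirs(os.path.join(root, d), exist_ok=True)
        os.chmod(os.path.join(root, d), mode)  # chmod explicitly to bypass the umask
    for f, mode in [("index.php", 0o644), ("wp-config.php", 0o666)]:
        path = os.path.join(root, f)
        open(path, "w").close()
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for rel, mode, finding in audit_tree(build_sample_tree()):
        print(mode, rel, finding)
```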
| 1252845 | 2012-01-12 17:57:00 | Yeah but the thing is visitors don't magically have write access to the server, the only time you *would* is if the software you're running is flawed enough (as this bug apparently in WP is) to allow the user to do so. You don't need to mess with mod_rewrite for what you want, if you've only got one website then it'll be the 'default' that Apache serves up if you have vhosts turned on no doubt (vhosts allows you to host different sites from the one PC, for example it knows if your guest wants to go to pressf1.co.nz vs pcworld.co.nz (They're not on the same server but I forget the other site that's on this PF1 server)). This means that all you need is some description of dynamic DNS to point it to your home IP address. Usually your router will support the likes of dyndns.org or no-ip.com so check in your router coz it'll be easiest to get your router to update a dynamic DNS service if it supports it :) Just a bit of an update, I had a few of my *own* on a share-hosting server. Forgot that I had a WordPress install in one of the subfolders somewhere on a testing domain. Long story short reinfected the whole bloody lot of about 7 sites I host from that one share hosting. Was not a happy chappy, but I seem to have cleaned it all up now. Only have about two left of other people's to clean up now :D |
Chilling_Silence (9) | ||