BernadSatriani.NET | Catatan Perjalanan » Wordpress

WordPress 2.8.3 Vulnerability

bernadsatriani — Sun, 06 Sep 2009 23:23:47 +0000

Beberapa minggu lalu mendapat informasi melalui twitter milik @milw0rm, bahwa telah ditemukan bug baru pada WordPress 2.8.3 yaitu Remote Admin Reset Password. Bagi yang masih menggunakan WordPress versi 2.8.3 hendaknya mengupdate ke versi terbaru yaitu versi 2.8.4

Bug ini menyerang pada file wp-login.php dengan mengubah nilai aray $key pada file wp-login.php tersebut. Maka otomatis password akan tereset sendiri. Konsepnya serangannya adalah menginput url setelah wp.login.php

http://DOMAIN_NAME.TLD/wp-login.php?action=rp&key[]=

Untuk mengatasinya, selain mengupdate versi wordpress adalah memodifikasi isi dari file wp-login.php

Edit file wp-login.php, lalu cari script if ( empty( $key ) )

Lalu ubah script tersebut menjadi if ( empty( $key ) || is_array( $key ) )

Cara tersebut dilakukan untuk mencegah attacker mengubah nilai aray $key untuk mereset password.

What's Wrong With Bad Behavior ?

bernadsatriani — Thu, 16 Jul 2009 00:10:03 +0000

Yesterday morning, when I checked my blog for umpteenth time. I try to view the log of my blog from Bad Behavior plugin. Wow, I surprised when I saw my password is show there

What’s wrong with this plugin ? I dont know exactly..

I see ip address and its time, yeah maybe they are my ip address that I used when I logged into my dashboard.

Hm.. Anyone can give me the reason ?

5 Steps To Protection WordPress

bernadsatriani — Mon, 13 Apr 2009 19:24:36 +0000

1. Create .htaccess

Create .htaccess file like this :

RewriteEngine On
php_flag register_globals off
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Order Deny,Allow
Deny from All

2. Create Robots.txt

User-agent: *
Allow: /
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/

3. Create file index.html

Create index file with blank content or whatever do you want in plugin directory wp-content/plugins/index.php

4. Remove Meta Name Generator WordPress

5. Upgrade your WordPress with newest version

Source :

- Google

- wp-magz.com

I'm Using WordPress 2.8-bleeding-edge

bernadsatriani — Sat, 11 Apr 2009 23:14:54 +0000

Yesterday, my web server at this blog getting down because someone has attacking / DDOS this server. Until 1 days, my server is down. So my friend, Hamid asking me whether to move to his server. I answer if i do. So, at tonight I backing up all of my database and files from old server.

So, now I was moving host server that’s same like Hamid. And also using WordPress 2.8-bleeding-edge. Thanks for the support from bro Hamid for hosting and upgrading my WordPress to WordPress 2.8-bleeding-edge.

This version of WordPress same like Matt’s WordPress.

Note : Thanks a lot to Hamid at Bocahmiring.Com