Mar 14 2011

Tweet

Is Your Blog Contributor Killing Your Site?

So you had your site running for some time now and ready for the next leap? That’s right you know what I mean – Opening a guest blogging opportunity for other bloggers to write guest posts on your site and take your blog to a whole new level with a third-person’s perspective and giving it a fresh feel to your regular readers I don’t further need to tell you the effectiveness of guest blogging let us get down to the most important thing that comes bundled with a guest blogging opportunity – your sites security!

Yes! If you thought that a harmless looking ‘I want to submit a guest post in your site’ is the beginning of it, then I hate to tell you that it might even be the ending of it all unfortunately!

>>>So Let Us Get Down To Evaluating What We Are Battling<<<

Cookie Sniffing Via Javascript Injection

Instead of me scaring you let us go the fun way – Let us try it on our own as an experiment.

You can modify the page source of any webpage using javascript injections:

1. First register at your own site as a guest
2. After logging in paste following script in the URL bar: “javascript:alert(document.cookie)”. This will show the data which the site has stored within a cookie on that site about you, look for a format “user_id=something” or “PHPSESSID=something”. Typically in a default WordPress Installation the string’s value is 1,which corresponds to the admin
3. “javascript:void(document.cookie user_id=1);alert(document.cookie);”. Now the user_id’s value is reset to 1 so refresh the page and you should be logged in as the administrator.

Check for yourself by doing the above and if you are able to successfully login as an admin with the new user name then your site is vulnerable to PHP and javascript injections. If you can’t authenticate as the admin when refreshed then you have a relatively secure installation Imagine a guest blogger or competitor doing that to you Scary isn’t is?

Don’t Panic yet – there is a way to make sure your site is, and stays YOURS!

1. Assign Write permissions to only admin user account
2. Set the default setting for directories as 755 and files as 644
3. Use 750 for wp-config so your login data remains accessible only to you not even your host.
4. Pick up the wp-config.php from its default location (root directory) and place it one location above Your wp-config.php contains all your login details, passwords and access rights. You would not want that file in the root directory which is accessible to everyone since your sites public files lie there. The wp-config.php works fine from a level above and this measure alone will protect you from a host of sniffing attacks
5. Place a blank html file named index.htm in your /plugins folder so that the plugin folder files itself are not accessible and whenever a person tries to access the directory they will be presented with what is there in the index.htm file. This saves you from any vulnerability the plugin creator may have overlooked in his plugins and you never know how a plugin is coded

Conclusion

Any website is like a bank. There are many bad people around and you can never be absolutely sure that the vault is secure even if you have the best security in place. The reason I used the bank analogy is because websites and banks operate in a similar fashion – they need to open the doors a lot of time for people to come in and go out and you cant keep the doors shut all the time in the name of security.

So the only measure we have as online business owners is to prevent an attack right at the source But that would not guarantee a fool proof safe site because new loop holes keep cropping up in the frameworks every day and hence it is always safe to keep a backup of all important files and databases.

Unfortunately Spiderman’s uncle passed away before the boom of the internet marketing era otherwise he would have given a different set of advice to our favorite super hero – With great power comes greater risk of getting hacked!

Let me know if you have worked out these security measures already and also share with us if there are any extra measures you have taken to make sure your site stays secure.

Written By:

Rohan Pawale | SEO tips for business blogs | @Techlunatic

Rohan Pawale is a computer engineer in love with all aspects of organic SEO and blogging and regularly shares advanced SEO tips for business blogs and viral marketing methods on his blog . You can also connect with him on twitter @Techlunatic

More Posts By Rohan Pawale

blog comments powered by Disqus