No, we’re not talking about keeping your site up to date with new content. In this post I’m talking about keeping the software your site runs on up to date, and it’s not a new topic on this blog for us.
I’ll mainly be talking about WordPress (which is at 3.4.1), but it’s the same across the board no matter what software you’re running, whether it’s Joomla (currently at 2.5), CMS Made Simple (at version 1.10.3) or one of the multitude of other CMSs and software packages out there. You upgrade the operating system your computer runs on, and there’s generally a reason for all of these upgrades, whether they are bug fixes or fixes for security exploits.
WordPress, being probably the most popular blogging platform available, sees quite a large number of exploits aimed at it and at the themes and plugins available for it.
So rule number one is to keep your software up to date.
Recently I’ve found myself losing track of the sites, plugins and themes that I manage, so it makes sense to create a document to keep track of everything. In general I find that, left to myself, I use a relatively small selection of plugins. If you’re working with others on a site, you may find lots of plugins you don’t recognise or know about. A shared spreadsheet can make a lot of sense. It’ll be annoying the first time you go to create it, but knowing what’s on each of your sites at a glance can be rather handy.
At a glance you can see which versions of WordPress are running and, at the very least, know that you need to update things when you have some free time.
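One way to fill that spreadsheet without clicking through every admin screen is to read the version headers straight from the files. The script below is an added example, not part of the original post: it reads the same headers WordPress itself reads ($wp_version in wp-includes/version.php, the "Plugin Name:" and "Version:" lines in a plugin's main PHP file, and "Theme Name:" and "Version:" in a theme's style.css) and prints one CSV row per component. It assumes the sites are local copies (for example, what you FTP'd down for a backup); the sample site it builds when run with no arguments is constructed, and every name and version in it is made up apart from the WordPress 3.4.1 mentioned above.

```python
"""Inventory the core version, plugins and themes of local WordPress copies as CSV.
Added example; the header formats are WordPress's own, the sample tree is constructed."""
import csv
import re
import sys
import tempfile
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def header_field(text, field):
    """Read `Field: value` from a WordPress file header (first 8 KB, as WordPress does)."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text[:8192], re.M | re.I)
    return m.group(1).strip() if m else None


def core_version(site):
    """The $wp_version string from wp-includes/version.php, or None if not found."""
    f = Path(site) / "wp-includes" / "version.php"
    if not f.is_file():
        return None
    m = WP_VERSION_RE.search(f.read_text(errors="replace"))
    return m.group(1) if m else None


def plugins(site):
    """{slug: version} for each plugin directory or single-file plugin."""
    found = {}
    root = Path(site) / "wp-content" / "plugins"
    if not root.is_dir():
        return found
    for entry in sorted(root.iterdir()):
        if entry.is_dir():
            candidates = sorted(entry.glob("*.php"))  # main file may have any name
        elif entry.suffix == ".php":
            candidates = [entry]                      # single-file plugin
        else:
            continue
        for php in candidates:
            text = php.read_text(errors="replace")
            if header_field(text, "Plugin Name"):
                slug = entry.name if entry.is_dir() else entry.stem
                found[slug] = header_field(text, "Version") or "unknown"
                break
    return found


def themes(site):
    """{slug: version} for each theme directory whose style.css carries a header."""
    found = {}
    for css in sorted((Path(site) / "wp-content" / "themes").glob("*/style.css")):
        text = css.read_text(errors="replace")
        if header_field(text, "Theme Name"):
            found[css.parent.name] = header_field(text, "Version") or "unknown"
    return found


def inventory(site):
    return {"site": str(site), "wordpress": core_version(site),
            "plugins": plugins(site), "themes": themes(site)}


def write_csv(inventories, out):
    w = csv.writer(out)
    w.writerow(["site", "component", "slug", "version"])
    for inv in inventories:
        w.writerow([inv["site"], "core", "wordpress", inv["wordpress"] or "unknown"])
        for kind in ("plugins", "themes"):
            for slug, version in inv[kind].items():
                w.writerow([inv["site"], kind[:-1], slug, version])


def build_sample_site():
    """Constructed minimal site tree so the script runs offline; names and versions are made up."""
    root = Path(tempfile.mkdtemp(prefix="wp-inventory-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '3.4.1';\n")
    plug = root / "wp-content" / "plugins"
    (plug / "example-gallery").mkdir(parents=True)
    (plug / "example-gallery" / "gallery.php").write_text(
        "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.2.0\n*/\n")
    (plug / "example-single.php").write_text(
        "<?php\n/**\n * Plugin Name: Example Single-File Plugin\n * Version: 0.3\n */\n")
    theme = root / "wp-content" / "themes" / "example-theme"
    theme.mkdir(parents=True)
    (theme / "style.css").write_text("/*\nTheme Name: Example Theme\nVersion: 0.9\n*/\n")
    return root


if __name__ == "__main__":
    sites = sys.argv[1:] or [build_sample_site()]
    write_csv([inventory(s) for s in sites], sys.stdout)
```

Run it as `python inventory.py /path/to/site-a /path/to/site-b > inventory.csv` and import the CSV into the shared sheet; comparing the version column against the current release of each component is then a one-glance job. Note that this only tells you what is on disk, not whether a plugin is active, which is the point of the next rule: files that are present are files that can be attacked.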
I also have a simple rule: if you install a plugin and don’t use it, remove it from the system (the same goes for themes you don’t use).
Just because a plugin or theme isn’t in use doesn’t mean there aren’t exploitable bugs in its code base; a deactivated plugin’s files are still sitting on the server (and themes these days are becoming more and more advanced in functionality, so there’s a lot of extra code in there too).
Remember that a lot of plugins and themes are labours of love and may not be updated that often.
As always, before doing any software upgrades it’s good to take a backup. Personally I like to grab all the files and a dump of the database the site is running on. (If I’m on shared hosting I’ll generally just FTP all the files down to my local computer for a backup, as well as using the backup tool in the hosting control panel in case I need to revert for some reason.) There are multiple ways of backing up your database depending on where you’re running your site. The Codex over on WordPress.org has further details on backing up your database, and there’s even a WordPress plugin to back up your database that you can use.
Once you’ve got everything updated, it can be worth installing the Exploit Scanner plugin from Donncha O Caoimh. While it can give a lot of false positives, it’s a good starting point for finding files that shouldn’t be in certain locations (for example, if you’re not touching any of the core files, there generally shouldn’t be anything extra in those folders). It compares the hashes it has on file with the files currently on your system and warns if there are differences. It also searches the code for a number of common exploit signatures.
It can also be worthwhile checking your .htaccess file for any strangeness you don’t recognise. Of course, if you’re not used to looking at .htaccess files, it can all look a bit strange.
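The two checks just described, hashing core files against a known-good list and grepping for common exploit signatures, plus a quick look for .htaccess files where they don’t belong, are simple enough to script yourself. The following is an added example and not the Exploit Scanner’s own code. The manifest it compares against is built from a constructed sample tree rather than from real WordPress release hashes (in practice you would take it from a clean copy of the same release), the single obfuscation pattern it greps for is this example’s own triage heuristic and will produce false positives on some legitimate code, and the tampered sample tree is constructed to show each category of finding.

```python
"""Audit a WordPress tree: hash core files against a known-good manifest
(modified / missing / extra), grep PHP for an eval()-around-a-decoder pattern,
and list .htaccess files outside the site root for manual review.
Added example; manifest and sample tree are constructed, not real hashes."""
import hashlib
import re
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
# Triage heuristic only: eval() wrapped round a decoder is common in injected
# PHP but also shows up in some legitimate code, so expect false positives.
OBFUSCATION = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """{relative POSIX path: sha256} for every file under the core directories."""
    root = Path(root)
    hashes = {}
    for sub in CORE_DIRS:
        if (root / sub).is_dir():
            for f in (root / sub).rglob("*"):
                if f.is_file():
                    hashes[f.relative_to(root).as_posix()] = sha256_of(f)
    return hashes


def compare(manifest, actual):
    """Split two hash maps into modified, missing and unexpected (extra) paths."""
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    extra = sorted(p for p in actual if p not in manifest)
    return modified, missing, extra


def grep_obfuscation(root):
    """Relative paths of PHP files anywhere in the tree matching OBFUSCATION."""
    root = Path(root)
    return sorted(f.relative_to(root).as_posix()
                  for f in root.rglob("*.php") if OBFUSCATION.search(f.read_bytes()))


def stray_htaccess(root):
    """.htaccess files anywhere except the site root, which is the one WordPress needs."""
    root = Path(root)
    return sorted(f.relative_to(root).as_posix()
                  for f in root.rglob(".htaccess") if f.parent != root)


def audit(root, manifest):
    modified, missing, extra = compare(manifest, hash_tree(root))
    return {"modified": modified, "missing": missing, "extra": extra,
            "obfuscated": grep_obfuscation(root), "stray_htaccess": stray_htaccess(root)}


def build_sample():
    """Constructed site: a clean manifest is taken first, then the tree is altered
    the way a tampered install would look. All file contents are made up."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    clean = {
        "wp-includes/version.php": "<?php\n$wp_version = '3.4.1';\n",
        "wp-includes/functions.php": "<?php\nfunction wp_example() { return 1; }\n",
        "wp-admin/index.php": "<?php\necho 'admin';\n",
        ".htaccess": "# constructed: the normal WordPress rewrite block lives here\n",
    }
    for rel, body in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    manifest = hash_tree(root)  # stands in for the hashes a scanner ships with
    (root / "wp-includes/functions.php").write_text(
        clean["wp-includes/functions.php"] + "eval(base64_decode('constructed'));\n")
    (root / "wp-admin/index.php").unlink()
    (root / "wp-includes/extra-constructed.php").write_text("<?php\n// not part of core\n")
    uploads = root / "wp-content/uploads"
    uploads.mkdir(parents=True)
    (uploads / "image.php").write_text("<?php\neval ( gzinflate ( base64_decode ( 'constructed' ) ) );\n")
    (uploads / ".htaccess").write_text("# constructed: unexpected here\n")
    return root, manifest


if __name__ == "__main__":
    site, known_good = build_sample()
    for key, paths in audit(site, known_good).items():
        print(f"{key}: {paths or '-'}")
```

Each list is a lead, not a verdict: a modified core file after an upgrade you made yourself is expected, and the grep will flag some legitimate plugins. What the hash comparison gives you that eyeballing folders does not is the "extra" list, which is exactly the "nothing extra in those folders" rule from above made mechanical.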
Anyway, back to the reason behind this post. We were notified by Jim Daly of an exploit affecting a number of plugins and themes that make use of the Uploadify script, which is a jQuery plugin and so is used by a lot of people. You can see some details of the exploit over on ITpixie.com. Similar to a previous post we’d made about a TimThumb exploit, this one affects a good few plugins and themes, so take note and upgrade things if necessary.
It never hurts to mention backing up your system, either. Remember to keep your software up to date, whether it’s WordPress or not.