I’m a novice to WordPress, and don’t know much about security in servers, so I’m hoping you gurus can help me out.
The situation: say there are 2 domains in a dedicated server, each with totally separate logins and set up as separate users. If someone hacks WordPress, do they get access to WordPress or MySQL in both domains or just the one the WordPress is installed in?
Depends on how you set it up. If you used a different MySQL then only the one, which is why I always suggest when setting up the db, you do NOT use the WP_ default designation but something like X7_ or 7T_ so they can’t go hunting for your wp tables.
Also why WP suggests you hide the version number of WP on your blog, so that hackers can’t figure out which version.
He’s saying don’t use wordpress or WP something when naming your databases, user name, etc … it’s not about what/where to physically install wordpress … although it’s not a good idea to do a domain.com/wordpress/ arrangement if it isn’t going in the root directory.
This happened to me a few days ago with one of my blogs on a dedicated server that contains several different blogs, each on its own domain.
My blog was using WP 2.6.1 and the hacker used an exploit in the upload script to gain access. With this exploit, they are only able to gain access to that one single MySQL database and WordPress install. Since the other blogs were under different database names and users, they were unaffected.
Luckily in my case Fred from NatNet detected the hacking before I did and was able to intervene. The fix was to upgrade to the latest WP release 2.6.2 which prevents that particular exploit.
These will not only be different MySQL users, but entirely different users in the server - as if we were resellers and the users were totally different people who didn’t even know each other.
[quote=Nicedreams;25959]Make different MySQL users for each WordPress install. They won’t be able to get to both databases if you have separate users.
Jimmy[/quote]
Thanks for the info. Sorry that happened, and I’m glad to hear your host caught it.
I wonder if there’s a way to completely disable the upload feature.
[quote=Hammerhead;25963]This happened to me a few days ago with one of my blogs on a dedicated server that contains several different blogs, each on its own domain.
My blog was using WP 2.6.1 and the hacker used an exploit in the upload script to gain access. With this exploit, they are only able to gain access to that one single MySQL database and WordPress install. Since the other blogs were under different database names and users, they were unaffected.
Luckily in my case Fred from NatNet detected the hacking before I did and was able to intervene. The fix was to upgrade to the latest WP release 2.6.2 which prevents that particular exploit.[/quote]
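An added example, not part of the thread: a small audit that reads the `wp-config.php` of each install on a server and flags the two conditions discussed above, installs that share a MySQL account and installs still using the stock `wp_` table prefix. The file paths, database names and user names are constructed sample data, and the regex parsing assumes the usual `define('DB_USER', '...')` layout.

```python
import re
from collections import defaultdict

# Constructed sample wp-config.php contents; paths, names and users are invented.
SAMPLE_CONFIGS = {
    "/home/alice/public_html/wp-config.php": """<?php
define('DB_NAME', 'alice_blog');
define('DB_USER', 'alice_wp');
define('DB_HOST', 'localhost');
$table_prefix = 'x7_';
""",
    "/home/bob/public_html/wp-config.php": """<?php
define( 'DB_NAME', 'bob_blog' );
define( 'DB_USER', 'alice_wp' );
define( 'DB_HOST', 'localhost' );
$table_prefix  = 'wp_';
""",
}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(text):
    """Extract the database settings and table prefix from one wp-config.php."""
    settings = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    settings["table_prefix"] = match.group(1) if match else None
    return settings

def audit(configs):
    """Return (finding, [paths]) tuples for shared DB accounts and default prefixes."""
    findings = []
    by_account = defaultdict(list)
    for path, text in sorted(configs.items()):
        s = parse_wp_config(text)
        # Same host + same user means one stolen credential reaches every listed install.
        by_account[(s.get("DB_HOST", ""), s.get("DB_USER", ""))].append(path)
        if s["table_prefix"] == "wp_":
            findings.append(("default-prefix", [path]))
    for _account, paths in sorted(by_account.items()):
        if len(paths) > 1:
            findings.append(("shared-db-user", paths))
    return findings

if __name__ == "__main__":
    for finding, paths in audit(SAMPLE_CONFIGS):
        print(finding, ", ".join(paths))
```

On a real server the dictionary would be built by reading each install's `wp-config.php` from disk; a shared account is the finding that matters for isolation between sites.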