[wp-hackers] SQL Injection again

Frederic de Villamil fdevillamil at gmail.com
Wed Jun 22 13:57:31 GMT 2005


> Semi-related to this, I know the dashboard by default already 
> includes the last handful of posts from the WP Development blog that 
> lists any updates but a lot of the time I just breeze past that page 
> so I don't realize there are any updates. Now of course you could 
> say the due diligence should be on me to read it, but wouldn't it be 
> a good idea to make security alerts stand out so people see it and 
> understand that it is important they upgrade straight away?

I think there is already a mailing list for release announcement. If people 
are concerned with security, they will subscribe at download I think. And 
telling them there is a security flaw won't make 90% of them upgrade. They'll 
just think "this won't happen to me, my blog is not known enough".

> Also it might be a good idea if we recommended people used a table
> prefix other than the default and if possible use a MySQL database
> user that only has access to the WP database and that doesn't have
> DROP privileges, this would help restrict what someone could do with
> an SQL injection attack. I had a quick look in the Codex but couldn't
> see anything along the lines of how to harden your WP install at all
> so is this something worthwhile looking into?

Basically, the user running wordpress should only have insert, delete, update 
and select rights, and only on the wordpress database. Those privileges 
should only be changed at upgrade time.
I can write a little something about it and post it on the codex (also with 
perms issues and some server configuration ideas) and add it to the codex 
when I get home tonight.

Regards
Frederic / neuro

--
Frédéric de Villamil
What is mine is mine, what is yours is open to negotiation. (biker proverb)
http://www.eretzvaju.org
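The grant set described in the reply above (SELECT, INSERT, UPDATE, DELETE only, scoped to the WordPress database), written out as an added example; it is not from the post or from WordPress itself. The database name `wordpress`, the account `wp_app`@`localhost` and the password placeholder are assumptions.

```sql
-- Weak setup often seen in install guides: one account with every
-- privilege on every database. Any SQL injection in the application
-- then inherits DROP, FILE, GRANT and access to other schemas.
-- (Shown for contrast only; do not run this part.)
-- GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'localhost' WITH GRANT OPTION;

-- Least-privilege setup: a dedicated account that can only read and
-- write rows in the WordPress schema. No DROP, ALTER, CREATE, FILE,
-- GRANT, and nothing outside the `wordpress` database.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY '<REPLACE_WITH_STRONG_PASSWORD>';

-- Start from nothing in case the account existed with wider rights.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wp_app'@'localhost';

-- Exactly the four row-level rights, scoped to one schema.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON wordpress.*
    TO 'wp_app'@'localhost';

-- Check: the output should list only USAGE on *.* plus the
-- SELECT/INSERT/UPDATE/DELETE line on `wordpress`.*, nothing more.
SHOW GRANTS FOR 'wp_app'@'localhost';

-- Upgrade time (schema changes need table DDL): widen temporarily from
-- an administrative session, run the upgrade, then revoke again.
-- GRANT CREATE, ALTER, INDEX, DROP ON wordpress.* TO 'wp_app'@'localhost';
-- ... run the WordPress upgrade ...
-- REVOKE CREATE, ALTER, INDEX, DROP ON wordpress.* FROM 'wp_app'@'localhost';
```

The `SHOW GRANTS` check is the part worth scripting into a post-deploy audit, since a later "quick fix" that re-runs `GRANT ALL` is the usual way this hardening silently disappears.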
