Support » Fixing WordPress » Hacker Hits Blog

  • someone posted some code in a post and caused defacing of blog. I have open posting where guest can post a topic also. here’s what the post..
    I wanted to see how EASY it would be to post a comment <ins datetime="2004-10-21T11:1:19-6:00">a + b = c
    <p onclick="javascript:alert('test')>Click it></ins>
    for now i took out the java stuff and it cleared up the defacing which was merely underlining of static text thru out the blog.
    My Questions: what were they trying to do with their java test? how can i prevent something like this besides not allowing open posting? that is can i ban java and other malicious code from being included in the post?
    the blog is the Blogosphere Zoo
    thank you

Viewing 14 replies - 1 through 14 (of 14 total)
  • Hackers have gotten so sophisticated. You’re lucky that’s all that happened to your site. Shelley at has some interesting observations about WP security. Check those out. I don’t know enough about PHP to be able to really discuss security issues. I’m more a danger with my lack of knowledge, I suppose. I rely on others to write safe and secure code, and for the most part, I believe WP is. At least I certainly hope so! I’ll be interested to see who else weighs in here with help on this topic.
    Take care!

    thx joni ..yea i am lucky that is all most do is deface.. ya would think with some of the talent hackers have they would put it to constructive use..

    That’s quite an old post. Many things have changed since then, and as well, some potential issues have been sewn up that were common to applications like WP. I have no more or no less concern using WP online than anything else. As long as you are online, you are at risk of something happening, whether it is spamming or google-bombing or what have you.
    Want to be secure? Stay local, and disconnect your internet feed.

    thx moose ..the post was posted yesterday ..the date within what the dude posted has nothing to do when it was posted.
    as for security, yes the internet if filled with risk ..but i was asking if there was a way to disallow java in post, as it was the java part that defaced. at the sametime i was bringing to the makers of WP a security issue. feedback. i would think you want feedback from ur loyal users, yes?
    perhaps having an option on the next version where html can be disallowed in the same manner as messages boards do, and only allowing BB code, which is a bit safer. or like only certain tags are allowed in comments, perhaps the same option for post?
    thx again..

    I would be surprised if nobody has written a plugin that filters out html tags. I tried looking, but didn’t turn one up.

    thx robot hero ..spose there isnt one yet

    Ryan Boren


    WordPress Dev

    Look in kses.php. wp_filter_kses is run against the comment author and comment text. You can alter the allowedtags array in kses or create your own allowedtags array in a plugin or in my-hacks.php.

    thank you rboren.. i get this back when i try to access the kses…
    Editing wp_filter_kses.php � this is a WordPress file, be careful when editing it!
    Oops, no such file exists! Double check the name and try again, merci.

    The javascript (not Java, that’s different) didn’t do anything…. the tags did. Based on what I can see… the ins tag underlines text until it finds the /ins tag…. BUT, right after the closing /p tag, there’s a >… and I think that’s causing it to miss the closing ins tag that immediatly follows. And/Or, if they left a blank line between the opening ins and the opening p tag, then WP is going to break off the first part and put it into it’s own p tag set. The ins tags then becomes unbalanced and technically never closes. It’s a strange set of circumstances, but the javascript code they insertes is harmless. All that happened was that there was an ins tag that got lose and never closed.

    CafeRg, the file name is just kses.php.
    I made a simple plugin that can be used to remove html tags from posts. (Tested only in 1.2)
    If you use this in conjunction with the BBcode plugin, it will limit the number of things that can go wrong.
    It will still be possible to post though, so you might want to do something further to prevent that.

    and thx to TechGnome too

    It opens a message window that says “test”, which is pretty harmless in itself.
    Those plugins will prevent problems caused by people who forget to close their tags.
    It would still be possible to include JavaScript, though its placement is a little more restricted.

    I have open posting where guest can post a topic also.

    How do you have open posting set up? A specific user with the login displayed? Is there a setting for this that I’ve missed?


    Mark (podz)


    Support Maven

    I have some blogs set up for testing things – go look:

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Hacker Hits Blog’ is closed to new replies.