From 28a7df2beae47fba761f449f11c015107a50a56f Mon Sep 17 00:00:00 2001 From: Peter Date: Wed, 4 Jun 2014 00:26:10 -0700 Subject: [PATCH] Updated WordPress Security Tips (markdown) --- WordPress-Security-Tips.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/WordPress-Security-Tips.md b/WordPress-Security-Tips.md index ddd7028..5a146b3 100644 --- a/WordPress-Security-Tips.md +++ b/WordPress-Security-Tips.md @@ -24,6 +24,12 @@ WordPress will look inside the web root directory for the wp-config.php file as WordPress suffers from many [Full Path Disclosure](https://www.owasp.org/index.php/Full_Path_Disclosure) (FPD) vulnerabilities which can be used to facilitate in further attacks such as [Path Traversal](https://www.owasp.org/index.php/Path_Traversal). A bandaid for these bugs is to turn off directory listing in your web server's configuration file. +Solution: disable PHP reporting. +Add this line in the 'php.ini' file. +``` +error_reporting = off +``` + **7. Ensure any TimThumb files are up to date.** TimThumb is a small php script for cropping, zooming and resizing web images which many WordPress themes use. In 2011 a Remote Code Execution vulnerability was found to affect it and was actively exploited. This vulnerability has been fixed in recent versions of TimThumb. If your WordPress theme uses the TimThumb script ensure that it is the latest version.
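Review bot: The directive added in this hunk, `error_reporting = off`, is the wrong knob for Full Path Disclosure. `error_reporting` controls which error levels PHP raises at all, so setting it to off also suppresses error logging, which removes the very evidence a site owner would want when investigating an attack. The setting that actually stops PHP from writing file paths into the page served to a visitor is `display_errors = Off` (with `log_errors = On` so errors still reach the server log). Suggest changing the inserted block to:
```
display_errors = Off
log_errors = On
```
and rewording "disable PHP reporting" to "stop PHP from displaying errors to visitors". Two smaller points: `off` is not one of the documented values for `error_reporting` (it expects an integer constant expression such as `E_ALL & ~E_NOTICE` or `0`), so even if it is kept it should be written as `error_reporting = 0`; and the new fence has no language tag, while a short note that this is a mitigation for the symptom rather than a fix for the FPD bugs themselves would keep the wording consistent with the "bandaid" sentence immediately above it.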