• Resolved morshus

    (@morshus)


    A few minutes ago I discovered that an extra post had been added to my WordPress blog by ‘admin’ yesterday evening, titled “1” with viagra spam as content. But even worse was that the content of my most recent post, which I had posted as ‘admin’, had also been replaced by this spam.

    Has anyone any idea of what is happening here? Have I been hacked, or is someone maybe exploiting the “Post via e-mail” function? (which I have disabled now, just in case)

Viewing 7 replies - 16 through 22 (of 22 total)
  • What do we need to do to secure our sites, since it’s not an issue of password strength?

    I'm secure :) Always have been (she says, tempting fate)

    Yeah, I’ve always looked up to you in this area. Your ideas are different, and they seem to be working. Mind shooting me an email with some pointers? Pretty please?

    I misread your post, I saw this,

    What we need to do to secure our sites, …

    So I was agreeing :)

    As far as tips, I'm just anal as hell, and I watch everything. My mod_security logs are tailed, and read daily.

    I try to lock down stuff I don't need.

    I've removed the possibility of anyone getting path info, something WP handles horribly.

    I've blogged about that.

    I don't EVER display MySQL errors.

    I've renamed my users table to something completely unique. And I don't use wp_ as a prefix, ever :)

    There's a host of things you can do that can sit in the way of a successful attack.

    I log and see 100s of attempts a day; I can't stop the attempts, but I can improve my odds.
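    The daily log review described in the reply above, written out as an added example; this is not the poster's code and not anything shipped with WordPress. It assumes Apache "combined" access-log lines (the mod_security audit log the poster tails has a different format and is not parsed here), the sample lines are constructed for the example, and the indicator patterns, tags and the brute-force threshold are my own choices rather than anything the thread states.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" format is assumed: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude indicators (my own choice) of the probes a WordPress install attracts.
SQLI_RE = re.compile(r"(union\s+select|sleep\(|benchmark\(|'\s*or\s+1=1)", re.I)
TRAVERSAL_RE = re.compile(r"\.\./")
FILE_PROBES = ("wp-config.php", ".svn/")

# Constructed sample lines, not real traffic.
SAMPLE_LINES = [
    '203.0.113.5 - - [10/Feb/2008:21:03:11 +0100] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2008:21:04:02 +0100] "GET /index.php?p=12%20union%20select%201,2,3 HTTP/1.1" 500 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Feb/2008:21:04:05 +0100] "GET /wp-content/plugins/foo/../../../wp-config.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Feb/2008:21:05:00 +0100] "POST /wp-login.php HTTP/1.1" 200 1300 "-" "curl/7.18"',
    '192.0.2.9 - - [10/Feb/2008:21:05:01 +0100] "POST /wp-login.php HTTP/1.1" 200 1300 "-" "curl/7.18"',
    '192.0.2.9 - - [10/Feb/2008:21:05:02 +0100] "POST /wp-login.php HTTP/1.1" 200 1300 "-" "curl/7.18"',
]


def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def classify(entry):
    """Return the list of indicator tags for one parsed entry (empty if benign)."""
    path = unquote(entry["path"])  # decode %20 etc. before pattern matching
    tags = []
    if SQLI_RE.search(path):
        tags.append("sqli")
    if TRAVERSAL_RE.search(path):
        tags.append("traversal")
    if any(p in path for p in FILE_PROBES):
        tags.append("config-probe")
    if entry["method"] == "POST" and path.startswith("/wp-login.php"):
        tags.append("login-post")
    # A 500 on a PHP file is where a verbose MySQL/PHP error, complete with
    # the on-disk path, would have been handed to the client: worth a look.
    if entry["status"] == "500" and path.split("?")[0].endswith(".php"):
        tags.append("server-error")
    return tags


def summarize(lines, login_threshold=3):
    """Count tagged requests per source IP; flag repeated wp-login.php POSTs."""
    by_ip = defaultdict(Counter)
    for entry in parse(lines):
        for tag in classify(entry):
            by_ip[entry["ip"]][tag] += 1
    for counts in by_ip.values():
        if counts["login-post"] >= login_threshold:  # Counter lookup does not insert
            counts["login-bruteforce"] = 1
    return {ip: dict(counts) for ip, counts in by_ip.items()}


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LINES).items():
        print(ip, counts)
```

    Feed it `tail -f`-style input or a whole day's file; anything benign never appears in the summary, so the output is just the hosts worth acting on.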

    Thread Starter morshus

    (@morshus)

    Right, almost a week has passed and my site still looks OK. My host (Dreamhost) suggested that this could have been an SQL injection error, and WordPress has since then released version 2.3.3, patching “that a specially crafted request would allow a user to edit posts of other users on that blog”. I of course upgraded as soon as possible, from 2.3.2 to 2.3.3.

    So for now, I think I’ll tag this topic as resolved. Thanks everybody for your help, it is good to see that the community and WordPress responds so fast and thoroughly.

    @whooami Gracias.

    Thread Starter morshus

    (@morshus)

    By the way, the WordPress Podcast Episode 34 mentions this about the security bug that WordPress 2.3.3 should fix: “The security bug affects only blogs that allow users to register”.

    My blog did allow anyone to register, so I immediately changed this. Just in case.

  • The topic ‘Blog post replaced by spam’ is closed to new replies.