 Security of Installs using Softaculous and WordPress specifically (6 Replies, Read 11371 times)
karthost
Group: Member
Post Group: Newbie
Posts: 18
The Good news about WordPress is it is extremely popular, and of course the BAD news about WordPress is that it is extremely popular.

There is an article and conversation taking place over at WP Security Lock (the site is devoted to WordPress Security)
http://www.wpsecuritylock.com/wordpress-security-risks-using-auto-installers-like-fantastico/
discussing how installing WordPress using an "installer" is not a safe way to install WordPress, or any other software package. While the discussion primarily is centered on Fantastico and Fantastico not really giving you control over the database name, username, database prefix like Softaculous does (a MAJOR plus for Softaculous over Fantastico and SimpleScripts, other than the ability to name your own username for the database, which should be addressed; they have a good point). 

The other two items that were pointed out is the file that is created by Fantastico, fantversion.php, could be a security risk over installing WordPress manually. Is this addressed in Softaculous? And if so what security measures are in place in case the install script is hacked?

And with the ability in the new WordPress for one button upgrade, this seems to cause an issue with Fantastico.

What issues in Softaculous are there if an install of WordPress is done by Softaculous and the new built in upgrade feature is used in WordPress?


Edited by karthost : January 8, 2011, 8:26 pm

alons
Group: Administrator
Post Group: Super Member
Posts: 2280
Hi,

Softaculous doesn't create a fantversion.php file so there is no chance for users to guess the version.

Softaculous uses the WordPress upgrade tool to upgrade unlike others which create their upgrader.
During an upgrade Softaculous will replace new files and redirect you to the WordPress upgrade utility. We will not in anyway touch the Database of the installation.
We try to automate things that you would rather do manually and not modify things to resemble the upgradation process.

We offer the latest version as soon as its out.

Regards,
Alons

-----------------------
For immediate support please email us at our Support email address. PMs sent to any Softaculous Team member or posting in the forums is not the official way to get support.

Virtualizor - The Next Generation VPS Panel
Webuzo - It is Softaculous Standalone for Enterprises, SMB, Developers. Deploy it on Dedicated Servers, VPS, Virtual Appliances or the Cloud
Pinguzo - Server and Domain Monitoring tool
PopularFX - Marketplace of WordPress, Drupal, Joomla, Bootstrap themes
Remote Installer - Use Softaculous over FTP/FTPS/SFTP

karthost
Group: Member
Post Group: Newbie
Posts: 18
Hello alons

Thanks for the reply with that information.

I have a suggestion that would increase security for the host as well as the site owner. That would be to be able to give the MySQL database user a different name than the database (for brute force attacks). This would be one more way to increase security of WordPress (and other sites as well).

Also would like to suggest to allow the host to change the "Note:" text to custom text, at least semi controlled by the host. For example the current text when installing says:

"NOTE: Softaculous is just an automatic software installer and
does not provide any support for the individual software packages.
Please visit the software vendor's web site for support!"

to something like this:

"NOTE: Softaculous is just an automatic software installer offered by <HOST NAME> and
Softaculous does not provide any support for the individual software packages.
Please visit the software vendor's web site for support or contact <HOST NAME> Technical Support if you have any issues!"

Being able to let the host change that message a little will cut down on possible confusion that a client would have regarding an install and what to do if there is a problem.


Edited by karthost : January 11, 2011, 3:22 pm

alons
Group: Administrator
Post Group: Super Member
Posts: 2280
Hi,

Thanks for the suggestion.
The DB Username is secured. If you want you can rename the DB Name making it hard for hackers to crack it. Also the Password is a random one.

Regards,
Alons


karthost
Group: Member
Post Group: Newbie
Posts: 18
Quote From : alons January 12, 2011, 6:43 am
Hi,

Thanks for the suggestion.
The DB Username is secured. If you want you can rename the DB Name making it hard for hackers to crack it. Also the Password is a random one.

Regards,
Alons


What I mean by the DB Username being more secure, I mean a totally different name. Under the current scheme that most everyone does when they create a new database for a script install, they name both the username AND database the SAME NAME. If a hacker is able to guess (via a brute force attack) the database name then they will know the username and now the ONLY line of defense is the password.

So let's add another line of defense, simple enough to do.

By giving the username a different name from the database name, that gives one more level of security that currently does NOT exist. That is what I am saying and would provide MORE security to a WordPress (or any script) install than is currently being offered.


Edited by karthost : January 12, 2011, 2:34 pm

alons
Group: Administrator
Post Group: Super Member
Posts: 2280
Hi,

We have made the password a really random one which is 90-100% in strength as per cPanel's password strength indicator.

Regards,
Alons


asshu
Group: Member
Post Group: Working Newbie
Posts: 73
Quote From : alons January 14, 2011, 10:16 am
Hi,

We have made the password a really random one which is 90-100% in strength as per cPanel's password strength indicator.


Yes I agree! I don't see anything odd with it. When installing a script using Softaculous... I will follow these:

1) I will enter a new DB name

and

2) I will enter a new table prefix

The password is also more critical. What else do we need? :xd:

Regards ,

Asshu


Edited by asshu : January 14, 2011, 10:34 am
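An added example, not code from this thread or from Softaculous, showing the provisioning scheme karthost argues for above and the steps asshu lists (a database name, a database user that cannot be derived from it, a non-default table prefix and a random password) together with MySQL grants scoped to that one database only. The account/site naming scheme and the character sets are constructed assumptions.

```python
import secrets
import string

# Constructed example (not Softaculous code): choose a database name,
# a database user that is NOT derivable from it, a non-default table
# prefix and a random password, then emit least-privilege MySQL grants.

NAME_CHARS = string.ascii_lowercase + string.digits
PW_CHARS = string.ascii_letters + string.digits + "!@#%^*-_=+"  # no quotes/backslash

def random_suffix(n=8):
    return "".join(secrets.choice(NAME_CHARS) for _ in range(n))

def random_password(length=24):
    # Retry until every character class is present (cPanel-style "strong")
    while True:
        pw = "".join(secrets.choice(PW_CHARS) for _ in range(length))
        classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
        if all(classes):
            return pw

def plan_install(account, site):
    """Distinct db name, db user and table prefix, plus a random password."""
    plan = {
        "db_name": f"{account}_{site}_{random_suffix()}",
        "db_user": f"{account}_u{random_suffix()}",   # hypothetical naming scheme
        "password": random_password(),
        "table_prefix": f"wp_{random_suffix(5)}_",    # not the default wp_
    }
    assert len(plan["db_user"]) <= 32 and len(plan["db_name"]) <= 64  # MySQL limits
    return plan

def is_hardened(plan):
    """Guessing the db name must not reveal the user or the table layout."""
    return (plan["db_name"] != plan["db_user"]
            and plan["db_user"] not in plan["db_name"]
            and plan["table_prefix"] != "wp_"
            and len(plan["password"]) >= 16)

def grant_sql(plan, host="localhost"):
    """CREATE USER / GRANT limited to the one database the site needs."""
    return [
        f"CREATE DATABASE `{plan['db_name']}`;",
        f"CREATE USER '{plan['db_user']}'@'{host}' IDENTIFIED BY '{plan['password']}';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX "
        f"ON `{plan['db_name']}`.* TO '{plan['db_user']}'@'{host}';",
    ]

if __name__ == "__main__":
    p = plan_install("karth", "blog")
    print("\n".join(grant_sql(p)))
    print(f"$table_prefix = '{p['table_prefix']}';")  # line for wp-config.php
```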