@Mark – you need to run “htpasswd /path/to/htpasswd myusername” where the htpassd is the file created earlier with “htpasswd -c /path/to/htpasswd”. However… I have not yet managed to get htpasswd for the wp-admin directory working with WP 2.7, though I had it working fine for WP 2.6.5 (different blog and not so many plugins).

#this file should be outside your webroot. AuthUserFile /srv/www/user1/.htpasswd AuthType Basic AuthName “Blog” require user youruser #making this username difficult to guess can help mitigate password brute force attacks.

Thanks I have it all working but dont know what the username is or how to set my own.

http://perishablepress.com/press/2009/05/05/important-security-fix-for-wordpress/

Cheers and keep up the good work,
Tom

I’m not aware of Spambam having problems with sessions in this way. Maybe your php installation isn’t configured with sessions?

If you’re sure it is let me know the spambam version and I’ll take a look. Spambam is quite old now and I do plan to update when I get chance.

I’ve sent Gareth (the author) an email about this but I’d suggest you contact him directly, details here if you continue having problems:

http://wordpress.org/extend/plugins/spambam/

Warning: session_start() [function.session-start]: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed: Permission denied (13) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188

Warning: session_start() [function.session-start]: Cannot send session cookie – headers already sent by (output started at /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php:188) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188

Warning: session_start() [function.session-start]: Cannot send session cache limiter – headers already sent (output started at /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php:188) in /home/aanraken/public_html/wp-content/plugins/spambam/spambam.php on line 188
Warning: Unknown: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed: Permission denied (13) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0

I’ve been mailing back and forth with my host to solve this issue, but all they could come up with in the end, was to delete the spambam plugin.

I’m particularly concerned about the first line in de error messages: Warning: session_start() [function.session-start]: open(/home/aborigin/tmp/sess_bc297b661baddbdbc9bafec084c40ae2, O_RDWR) failed

/home/aborigin/tmp is not any site of mine…

The versions of WordPress are 2.6.5 and 2.7; the only thing these sites had in common was that they all had spambam activated.

Does anybody here have a clue what happened?

Thanks in advance,
Patricia

Look out for the new version its coming soon!

1) re 2.3.3 – Is version 2.3.3 secure? Are there any security issues with this version?

There have been some whispers in the dark so to speak, but no hard evidence that this version is vulnerable, see: http://blogsecurity.net/wordpress/wordpress-231-sql-injection-vulnerability/

2) re 2.5 – Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?

No, I believe 2.3.3 is unaffected by some of the recent vulnerabilities in 2.5x.

3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress

or BlogSecurity.net’s “How to create a secure WordPress install v1.1″
blogsecurity.net/projects/secure-wp-whitepaper.pdf

are applied that ANY version of WordPress would then be secure?

Applying these guidelines would certainly provide additional layers of security buying you time to apply the needed fixes as they are released, however, it cannot guarantee your security.

4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?

At the moment a number of people are still using the latest 2.3x branch, however, WordPress does suggest you upgrade to 2.5.1.

Hope this helps.

I have several questions regarding security and version 2.3.3.

1) re 2.3.3 – Is version 2.3.3 secure? Are there any security issues with this version?

2) re 2.5 – Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?

3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress

or BlogSecurity.net’s “How to create a secure WordPress install v1.1″
blogsecurity.net/projects/secure-wp-whitepaper.pdf

are applied that ANY version of WordPress would then be secure?

4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?

Will have to take a look at this in more detail.