What about the "bad" users? (7 posts)

  1. dagboek
    Member
    Posted 18 years ago #

    Hello,
    I was able to set this up very quickly. But I have a few questions.
    How can I control the user security settings?
    I have installed wpmu on a live domain, therefore I need a quick "update" on the things that need to be taken care of.
    My blog systems always seem to be found first by spammers and hackers or script kiddies; they tend to fool around with everything they can find, just to make use of it for the purpose of: sending spam; installing spyware or viruses on their blogs.
    I've already written a blog system which allows very little to be done by users (actually only the basics are allowed: text, links, images).
    Not allowed are: iframes; javascript; script; meta-tags; and a lot more...
    Since I am new to wpmu I would like to know if there are things that I need to know, to prevent these kinds of "attacks".

    I plan to use wpmu on about 20 other domains, therefore I care more about wpmu webmaster issues and problems than user specific problems or desires.
    Can anyone enlighten me about the possible (bad) things that can happen to me, by registered users?
    Are there possible XSS attack (cross site scripting) issues, or can anyone exploit javascript in any way?
    Furthermore, can anyone tell me what the user e-mail server setting does? Is this dangerous or can this be exploited in any way, looking from a webmaster's point of view?
    My wpmu is installed at dagboek; if anyone familiar with wpmu on a live site can check if everything is set up right, that would be greatly appreciated.

    P.S. If you know anything that I need to know of, but you don't want to post it here (it's a sensitive subject), please e-mail it to me. (There is definitely a lot depending on this server so really nothing can go wrong with one of the scripts installed on my account, please fill me in with the security stuff!)

  2. donncha
    Key Master
    Posted 18 years ago #

    Users aren't allowed to edit templates so you don't need to worry about XSS attacks from that direction. Otherwise, your site is protected by the same code that runs on everyone else's WordPress site so it's quite secure.

    Email server setting?

  3. dagboek
    Member
    Posted 18 years ago #

    I used to have a standalone WP blog, which unfortunately I had to disable due to the xmlrpc file; this was a highly targeted file by "script kiddies". At that time I found out a month later that there was a vulnerability with this file.
    Even up to today my server still gets scans for this file, which doesn't exist anymore.
    Anyway, the standalone version was meant for people to install themselves, therefore you could be sure that the one that installed WP also would take responsibility.
    Since wpmu is installed on my hosting account I cannot know for sure that my registered members even care if they "accidentally" mess up the server or my hosting account.

    I would like to know if anybody with a live wpmu has had problems with registered users, so I can learn from that.
    Furthermore, it would be highly appreciated if an experienced wpmu user/webmaster could try my install at http://www.dagboek.eu
    When you edit a user's blog (wpmu/wp-admin/wpmu-blogs.php?action=editblog&id=20) you'll see a mailserver to fill in; default is mail.example.com.

  4. donncha
    Key Master
    Posted 18 years ago #

    http://wordpress.com/ uses it and has almost 250,000 blogs with the same or more number of users. We have had very few problems with registered users and we had a couple of troublesome people on there!

    You can delete the mail settings stuff if you want. It's in there because it's part of WP but unless it's configured it's useless.

  5. dagboek
    Member
    Posted 18 years ago #

    Hello Donncha, Thanks for your replies and heads up!

    I am still curious about the size of the havoc caused by these troublesome users. I bet my money that one of those users will come by my site one of these days and I would like to be prepared so I can give them a nice welcome :0)
    Is there anything I need to take care of (regarding those troublesome people)?
    Furthermore, at my work office we've a proxy server which uses port 8080 for connecting to the internet.
    Users are able to register but login seems to be impossible through this port; is there anything I can do about this? (Should I make a new post for this Q?)

  6. donncha
    Key Master
    Posted 18 years ago #

    I don't know what is wrong there except the proxy is probably stripping cookies or something from requests.

  7. dagboek
    Member
    Posted 18 years ago #

    I shall make a new post for this Q