wordpress security question

i’m a novice to wordpress, and don’t know much about security in servers, so i’m hoping you gurus can help me out.

the situation: say there are 2 domains in a dedicated server, each with totally separate logins and set up as separate users. if someone hacks wordpress, do they get access to wordpress or mysql in both domains or just the one the wordpress is installed in?

Re: wordpress security question

Depends on how you set it up, if you used a different mysql then only the one, which is why I always suggest when setting up the db, you do NOT use the WP_ default designation but something like X7_ or 7T_ so they can’t go hunting for your wp tables.

Also why WP suggests you hide the version number of WP on your blog, so that hackers can’t figure out which version.

Re: wordpress security question

the WP_default designation? do you mean that the site should be http://www.yourdomain.com/X7_admin rather than http://www.yourdomain.com/WP_admin?

Re: wordpress security question

He’s saying don’t use wordpress or WP something when naming your databases, user name, etc … it’s not about what/where to physically install wordpress … although it’s not a good idea to do a domain.com/wordpress/ arrangement if it isn’t going in the root directory.

Re: wordpress security question

by default wordpress sets up your dbase tables as wp_ , use a different prefix in your database tables.

Re: wordpress security question

Make different mysql users for each wordpress install. They won’t be able to get to both databases if you have separate users.

Jimmy

Re: wordpress security question

This happened to me a few days ago with one of my blogs on a dedicated server that contains several different blogs, each on its own domain.

My blog was using WP 2.6.1 and the hacker used an exploit in the upload script to gain access. With this exploit, they are only able to gain access to that one single MySQL database and wordpress install. Since the other blogs were under different database names and users, they were unaffected.

Luckily in my case Fred from NatNet detected the hacking before I did and was able to intervene. The fix was to upgrade to the latest WP release 2.6.2 which prevents that particular exploit.

Re: wordpress security question

alas, i don’t even know what that means :(

these will not only be different mysql users, but entirely different users in the server - as if we were resellers and the users were totally different people who didn’t even know each other.

[quote=Nicedreams;25959]Make different mysql users for each wordpress install. They won’t be able to get to both databases if you have separate users.

Jimmy[/quote]

thanks for the info. sorry that happened, and i’m glad to hear your host caught it :)

i wonder if there’s a way to completely disable the upload feature.

[quote=Hammerhead;25963]This happened to me a few days ago with one of my blogs on a dedicated server that contains several different blogs, each on its own domain.

My blog was using WP 2.6.1 and the hacker used an exploit in the upload script to gain access. With this exploit, they are only able to gain access to that one single MySQL database and wordpress install. Since the other blogs were under different database names and users, they were unaffected.

Luckily in my case Fred from NatNet detected the hacking before I did and was able to intervene. The fix was to upgrade to the latest WP release 2.6.2 which prevents that particular exploit.[/quote]

Re: wordpress security question

[QUOTE=Hammerhead;25963]
My blog was using WP 2.6.1 and the hacker used an exploit in the upload script to gain access. [/QUOTE]

Were you using a plugin for uploads?

Jimmy

Re: wordpress security question

[QUOTE=Nicedreams;25985]Were you using a plugin for uploads?

Jimmy[/QUOTE]

No, on that blog I was only using the Flash uploader that comes with WP 2.6.1 by default.
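
The two pieces of advice in this thread (a non-default table prefix, and a separate MySQL user and database per WordPress install) can be checked across several installs on one server. The script below is an added example, not code posted by anyone in the thread; the site names, database names and config text are constructed samples, and it assumes the standard `define('DB_USER', ...)` and `$table_prefix` lines of wp-config.php.

```python
import re
from collections import defaultdict

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_NAME|DB_USER|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(text):
    """Pull DB_NAME, DB_USER, DB_HOST and $table_prefix out of wp-config.php text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    live = [l for l in text.splitlines() if not l.lstrip().startswith(("//", "#"))]
    body = "\n".join(live)
    cfg = dict(DEFINE_RE.findall(body))
    m = PREFIX_RE.search(body)
    cfg["table_prefix"] = m.group(1) if m else None
    return cfg

def audit(configs):
    """configs maps site name -> wp-config.php text; returns sorted findings."""
    findings, by_user, by_db = [], defaultdict(list), defaultdict(list)
    for site, text in configs.items():
        cfg = parse_wp_config(text)
        host = cfg.get("DB_HOST", "localhost")
        by_user[(cfg.get("DB_USER"), host)].append(site)
        by_db[(cfg.get("DB_NAME"), host)].append(site)
        if cfg["table_prefix"] == "wp_":
            findings.append(f"{site}: default table prefix wp_")
    # A MySQL account or database used by two installs means one compromised
    # wp-config.php exposes both sites' data.
    for label, groups in (("MySQL user", by_user), ("database", by_db)):
        for (name, host), sites in groups.items():
            if len(sites) > 1:
                findings.append(f"shared {label} {name}@{host}: {', '.join(sorted(sites))}")
    return sorted(findings)

def _cfg(db, user, prefix, extra=""):
    # Constructed sample wp-config.php text, not taken from any real site.
    return (f"<?php\n{extra}define('DB_NAME', '{db}');\ndefine('DB_USER', '{user}');\n"
            f"define('DB_PASSWORD', 'placeholder');\ndefine('DB_HOST', 'localhost');\n"
            f"$table_prefix = '{prefix}';\n")

SAMPLE = {
    "site-a.example": _cfg("blog_a", "shared_wp", "wp_"),
    "site-b.example": _cfg("blog_b", "shared_wp", "x7_"),
    "site-c.example": _cfg("blog_c", "blog_c_user", "7t_", "// define('DB_USER', 'shared_wp');\n"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only reads configuration files; whether each MySQL user is actually limited to its own database is confirmed on the server with `SHOW GRANTS` for that user.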