Micheal Savoie

Editor’s Note:
Since this post was published, I turned it into a PDF file so you can print it out to keep in your binder so you can reach for it whenever you have a Fantastico Blog to fix.
http://myblogginschool.com/fantastico-fix/

We also have a service where for $47 we will fix the security flaw in your blog for you, upgrade it to the newest version (currently 2.7), update your plugins (install necessary ones for SEO, security and Spam control) and back up your database.
http://mybloggingschool.com/hired-fix/

Fantastico is the coolest thing to come to the webmaster world since cpanel!  It makes it a snap to install blogs, content management systems and many other scripts that a webmaster needs to make an interactive blog.

Problem is, the Fantastico script has a fatal flaw…

When Fantastico creates your Wordpress installation (and any installation it ever performs), it uses the same database name and database username… Hackers only need to figure out your database password to hack into your site if they figure out you are using fantastico.

So what do you do?

I recommend always installing your blog from scratch… install using the wordpress download and upload it to your website, then perform the installation manually.  I teach this in my blog installer certification course at MyBloggingSchool.com using video tutorials, to make sure you are following along step by step.

But if you have already used Fantastico and you have a blog you don’t want to delete…

Here Is How To Secure It!

1. Log into your cpanel. Then select the MySQL Databases icon.

   

2. Scroll down until you get to the add a database user section.

   

3. Use the Generate Password button to create a very hacker safe password and once you have chosen to use that password, copy and paste the password it gives you into a notepad document.

   

   

4. Then Click on Create User Button to finish creating the user.

   

5. Make a note of the username and password, to make sure you have it saved in your notepad.  You will see a message like this:

   

6. Now we need to create a BRAND NEW database… (You can actually skip this section and go to step #8 if you feel squeamish about exporting and importing your database.  You are making your installation more secure by changing 2 of the 3 items hackers need to compromise your Wordpress installation, but I highly recommend going all the way through and really securing your installation…)
7. Click Go Back to get back to the database management area. Give your new database a hard to figure out name (don’t use this one…):

   

   Click on Create Database after you have entered a name.

   

   Click Go Back.

8. As you can see, you now have a database with no user attached.

   

9. Let’s add a user to our Wordpress Database by scrolling down to the Add User To Database section:

   

   Select the database name and username that you created. (If you skipped steps 7 & 8, you will use wrdp1 as the database name). Then you click Add.

10. Select the checkbox next to ALL PRIVILEGES before clicking on the Make Changes button.

    

11. Once you have added the user to the database copy the success message to your notepad:

    

    This will make it much easier to edit your configuration file when we get to that step.

12. Here is what you should see in your notepad:

    

13. And when you look at the database table, you will see your database now has a user attached:

    

14. If you are not changing the database ignore steps 15 through 21…
15. Next click on the home button on the top of the page and then select  phpMyAdmin from the Databases Section of cpanel.

    

16. First you will make a SQL backup of your old database.  Select wrdp1 from the drop down menu on the left:

    

    We are going to Export the database in SQL format and save it to your hard drive so that we can then create an exact copy of your database from the  exported file.

17. On the right section of the screen, select Export.

    

18. The next screen will have many checkboxes already checked, but you want to ensure that you check Add CREATE PROCEDURE / FUNCTION because we want to create these tables in the new database.

    

    In the picture, the checkbox directly above the RED LINE is the one you should check.  It is not usually checked by default.

    

    You can leave the file name template as is, and click Go.  You will be prompted to Open or Save the file… choose save.  Make a note as to where you are saving it.

    

19. Now use the drop down menu on the left and choose your new database name.

    

    You should have no tables in this database… but we are going to change that…

20. On the right choose Import:

    

21. Click on Browse to locate the SQL file you just saved to your hard drive.

    

    Click Go once you have found and selected your database SQL file.  It may take a few minutes for it to upload and process, but you will know you have succeeded when you see your database on the left side of the screen with the same tables as the old database.

    

22. Now we are ready to change our configuration file… go back to the cpanel screen (it is probably in another tab on your browser).  Choose File Manager:

    

23. Once File Manager has opened, select the root directory of your blog (you will be able to tell because it will have three folders in it (wp-admin, wp-content and wp-includes in it).  You want to select the file wp-config.php and use the Code Editor (or file editor on older versions of cpanel).

    

    

24. This is what your code editor screen will look like (file editor will not have the line numbers, but will work the same way):

    

    Replace the items between the quotes so that you replace the old wrdp1 database and username are the new ones and replace the old password with your new one.  Like this:

    

    Then click Save Changes:

    

25. Go to your blog and make sure that everything is working the way it was before…
26. At this point you only have to go back to cpanel, and go to the database page and delete the old user and old database from your system.  I would wait a couple of days to make sure that you have no problems with the blog installation before deleting them in case you want to revert back to the old one…

Here is the blog that I did the change on for this exercise: http://yourdirectorywebsite.info/blog
As you can see that it is still going the way it was before…

I hope this was helpful for you. If it was, please leave a comment or link to this article from your blog.

Limited Engagement…

This may be gone before you finish reading this post…

Alex Jeffreys has opened up a coaching program for a very limited time, in fact, it is very possible that he has already closed it because each time someone talks about, another 10 to 15 people sign up!

I spent some time watching the 37 minute video at this link:

http://nexurl.com/WTF

Here is a guy who makes over $20k per month promising to coach you to $6k per month!  How can he promise that?  He has learned from the best, he was a student of Mike Filsaime and Rich Schefren (Mike Filsaime’s mentor) so you know that the basics are covered…

Alex has had a wild couple years and he is headed to 7 figures in 2009, and he want to bring people along as his mentees!  I couldn’t think of someone more exciting to learn the basics to the advanced from.  If you want to do this, you have to watch the video, so make sure you have 37 minutes… he doesn’t give you an early way to the signup page, because he wants to make sure you are committed to it. (If you can’t sit through 37 minutes, how are you going to do what it takes to make $6k per month?)

http://nexurl.com/WTF

Have an amazing day!

Micheal Savoie
http://twitter.com/michealsavoie

PS – If you like the information I am giving about blogs, I suggest you check out MyBloggingSchool.com where I teach setting up blogs from the ground up!  The goal for MyBloggingSchool.com is to train and certify 50 blog installers for a project I am launching in June.  I will be bringing new businesses into the online world, and I will need certified blog installers to do the work (you will get paid).  Easy as that!  If you are interested, go to the link below and sign up for my report on blogging and you will also find out when I am opening up MyBloggingSchool.com for new students!

http://MyBloggingSchool.com

PPS – For a limited time I am allowing up to 50 new students to join My Blogging School for a $30 price reduction.  I will be doing a webinar with all new users once I have 10 signed up.  You can get certified to install a Wordpress Blog in two weeks.  You must sign up at the My Blogging School Blog Installation Certification Course Link.

Technorati Tags: fix fantastico security flaw, database replacement, new user, create new MySQL database, create a new MySQL database user, assigning a user to a MySQL database in cpanel, exporting a MySQL database, Importing A MySQL Databse

1. 
   Micheal Savoie said...
   2:52 pm - November 21st, 2008

   Let me apologize now for the size of the images… This post took me most of the morning to put together but it turned out well. If you have any questions about this, just leave a comment.

   Have an amazing day!

   Micheal

2. 
   Katie said...
   4:13 am - November 23rd, 2008

   Michael, you did a great job here in making this easily understandable.

   Katie’s last blog post..KatieDarden: @kevinriley Cute-we do something similar but don’t have the blankie & don’t sit on the floor-our floor is too cold here! Need to insulate…

3. tutorials on how to hack | CNN.com said...
   9:47 pm - November 28th, 2008

   [...] Fixing The Fantastico Security Flaw … Wordpress installation (and any installation it ever performs), it uses the same database name and database username… Hackers only need to figure out your database password to hack into your site if they figure out you are using fantastico. So what do you do? I recommend always installing your blog … [...]

4. icon editor | IBM.COM IBM - United States said...
   5:33 pm - November 29th, 2008

   [...] Fixing The Fantastico Security Flaw … used Fantastico and you have a blog you don’t want to delete… Here Is How To Secure It! Log into your cpanel. Then select the MySQL Databases icon. Scroll down until you get to the add a database user section. Use the Generate Password button to create a very hacker safe password and once you have … [...]

5. Is your Blog Secure? Better Check… | said...
   1:07 am - December 7th, 2008

   [...] You see, when you create and install a blog using FANTASTICO, it creates the database FOR you that is required to work with that blog. (If you are new…blogs work with a MYSQL database) The username for your mysql database is the SAME as your CPANEL login. How secure is that? Well, these days, I guess hackers have nothing better to do than sit there and figure out passwords…but hey…if they figure out what one is, they have the rest in hardly no time flat. My suggestion for the bloggers out there with your own domain name hosting your blog is to FIX this so that your blog is secure. Now, if you’re not comfortable doing this, there are some instructions you can find HERE. [...]