Fantastico Security Vulnerabilities
When installing WordPress on your own domain, avoid using auto installers that come with your hosting account, such as Fantastico. Auto installation scripts come with security risks.
Avoid unnecessary security vulnerabilities and malicious hackers by doing a manual installation of WordPress.
Why install WordPress manually?
Because you control what and how things are installed.
Installing WordPress manually is a breeze. It only takes a few minutes longer than auto-installers and it's well worth your time to do it right.
Recently, a reader of our blog asked…
What security issues have you seen with installing WP with software installers like Fantastico, SimpleScripts, Softaculous, etc?
~ Roy Randolph
karthost.com
Roy, thanks for your question. Although auto installer scripts are quick and easy, they do put your website in harm's way by not implementing security measures from the start.
For example, I just installed WordPress using Fantastico Deluxe on HostGator shared hosting. I found several key security elements that I was unable to add/change during the installation.
Fantastico security vulnerabilities found installing WordPress…
- An outdated version of WordPress. It installed WP version 3.0.3, while the current version today is 3.0.4. Not good to start out with outdated WordPress, since 3.0.4 was an important security update.
- Created a database name of wrdp1. This is standard; if I created another one it would be wrdp2. Malicious hackers know this is how they're created, and it gives them more ammo.
- Created a database username the same as my database name. Why make it so easy for evildoers? They just need to guess my password now.
- The database password is 12 characters long and contains upper and lowercase letters and numbers. Not too bad, but I prefer 14 characters minimum and some symbols too.
- The table prefix created was wp_. I was given no option to choose the table prefix. Crackers know this is standard. You should use something other than wp_.
- Created a file named fantversion.php, which is common to all auto installers. This is a security risk if crackers know how to break into it.
- After I installed, I got this note: “We only offer auto-installation and auto-configuration of WordPress but do not offer any kind of support.” For the WordPress beginner, this would leave them confused as to where to find help if it didn't install properly.
- I've read online that auto-installer upgrades sometimes stall, cause conflicts, and at times break websites.
It's always best to customize what you can during installation to make it as secure as possible.
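The checks in the list above, as an added example that is not code from the original post: a small shell script that audits an existing WordPress directory for each of these defaults (and for the fantversion.php and fantastico_fileslist.txt files that the comments below say Fantastico leaves behind). The two sample directories it builds are constructed, the version it treats as current is passed in by the caller, and it assumes a wp-config.php with single-quoted define() lines.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post): audit a WordPress
# directory for the auto-installer defaults listed above. Assumptions:
# wp-config.php uses single-quoted define() lines whose values contain no
# single quotes, and the caller passes in the version considered current.

# Print the value of define('NAME', 'value') from a wp-config.php.
wp_define() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Print the $table_prefix value from a wp-config.php.
wp_prefix() {  # $1 = path to wp-config.php
    sed -n 's/^[$]table_prefix *= *.\([^;]*\).;.*/\1/p' "$1" | head -n 1
}

# Print the installed core version from wp-includes/version.php.
wp_version() {  # $1 = WordPress root directory
    sed -n 's/^[$]wp_version *= *.\([^;]*\).;.*/\1/p' "$1/wp-includes/version.php" | head -n 1
}

# Print one line per finding; prints nothing when the install looks clean.
audit_wp() {  # $1 = WordPress root directory, $2 = current WordPress version
    local root="$1" current="$2" cfg="$1/wp-config.php"
    local name user pass prefix installed f
    name=$(wp_define "$cfg" DB_NAME)
    user=$(wp_define "$cfg" DB_USER)
    pass=$(wp_define "$cfg" DB_PASSWORD)
    prefix=$(wp_prefix "$cfg")
    installed=$(wp_version "$root")

    # Outdated core, judged against the version the caller says is current.
    [ "$installed" = "$current" ] || echo "outdated core: $installed installed, $current is current"
    # Sequential auto-installer database names (wrdp1, wrdp2, ...).
    case "$name" in wrdp[0-9]*) echo "predictable database name: $name" ;; esac
    # Database user identical to database name.
    [ "$user" != "$name" ] || echo "database user equals database name: $user"
    # Password shorter than 14 characters, or made only of letters and digits.
    if [ "${#pass}" -lt 14 ] || ! printf '%s' "$pass" | grep -q '[^A-Za-z0-9]'; then
        echo "weak database password: ${#pass} characters, want 14+ with symbols"
    fi
    # Default table prefix.
    [ "$prefix" != "wp_" ] || echo "default table prefix wp_"
    # Files the auto-installer leaves behind.
    for f in fantversion.php fantastico_fileslist.txt; do
        [ ! -e "$root/$f" ] || echo "auto-installer leftover file: $f"
    done
    return 0
}

# Constructed sample mirroring the Fantastico install described above
# (throwaway files in a temp directory, not real credentials).
make_fantastico_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '3.0.3';" > "$d/wp-includes/version.php"
    printf '%s\n' '<?php' \
        "define('DB_NAME', 'wrdp1');" \
        "define('DB_USER', 'wrdp1');" \
        "define('DB_PASSWORD', 'Ab3dEf6hIj9k');" \
        "\$table_prefix = 'wp_';" > "$d/wp-config.php"
    : > "$d/fantversion.php"
    : > "$d/fantastico_fileslist.txt"
    printf '%s\n' "$d"
}

# Constructed sample of a manual install hardened as the post recommends.
make_hardened_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '3.0.4';" > "$d/wp-includes/version.php"
    printf '%s\n' '<?php' \
        "define('DB_NAME', 'acme_blog_db');" \
        "define('DB_USER', 'acme_blog_rw');" \
        "define('DB_PASSWORD', 'q7#Rt!9vLp@2Xz^4');" \
        "\$table_prefix = 'k7x_';" > "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Demo: audit the Fantastico-style sample with 3.0.4 treated as current.
sample=$(make_fantastico_sample)
audit_wp "$sample" 3.0.4
rm -rf "$sample"
```

Run it against a real install as `audit_wp /path/to/wordpress <current version>`; the Fantastico-style sample produces seven findings and the hardened sample none. The version check is only as good as the value you pass in, so take it from wordpress.org rather than from the installer's own fantversion.php, which the comments below report is never updated by in-dashboard upgrades.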
How to install WP manually?
An easy to follow, step-by-step guide can be found on WordPress.org Codex called “Installing WordPress.” If you get confused or need help, just let us know.
We can install WordPress securely with our Done For You services. It's inexpensive, quick and secure! And if you used Fantastico or another auto-installer, we can delete the associated files that may leave your site at risk!
Leave your feedback
Do you install your WordPress manually or do you find it too difficult? What do you think of auto installers? Have you had any problems with Fantastico, SimpleScripts, Softaculous? What about other security vulnerabilities with auto installation scripts? Share your thoughts by leaving your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Follow on Twitter @WPSecurityLock
MaryJo Wagner says
Thanks for this informative post. Good to know why not to use Fantastico.
Regina Smola says
You’re welcome MaryJo.
Graham says
Regina,
Your information is always bang on the button, since you helped me sort my site out after being hacked I have listened to your advice and yes it is logical. Whenever I have downloaded WP from Fantastico I have always had to update it, so why not install the right version from day one.
Your information and advice is first rate – THANK YOU.
Graham
Regina Smola says
Thank you Graham. I’m glad I can help.
Shirley says
Hey Regina!
Something else I’ve noticed …with every hosting company..When I hosted with GoDaddy (I’m no longer hosting with them)… there was a virus where several sites including my own were infected…I had already manually updated to the current version of WordPress…but about a week later ..I get a phone call from GoDaddy telling me that I needed to upgrade to the latest version WordPress..webhosts only look at the Fantastico initial install..when you update to newer versions nothing changes on the installer.
So when I told him I was already running the latest version he proceeded to tell me that according to the Fantastico info…I was still running an older version. I told him to login to my WP and take a look. He did…and apologized.
I was very surprised that they didn’t seem to know that a site can be running an updated version of WordPress but Fantastico will only show the initial install.
Regina Smola says
Hi Shirley,
I looked at the fantversion.php file yesterday during my test and it showed 3.0.3. After I did an auto upgrade to 3.0.4, it did not update that file. It’s funny how hosting companies say that WE, the website owners, are using outdated software and place blame on us many times, but WE used their service to install it.
I looked at Fantastico’s support forum and found this…
Q. WordPress is now allowing you to automatically upgrade to the next version from the admin panel. I was wondering if doing this would cause any problems with Fantastico-installed versions of WordPress?
A. Yes (because the WordPress upgrade utility does not recognize and update the file fantversion.php).
It’s a bit dated (6/24/2009), but still remains the same. You’d think they’d do something about it. You can view it here.
Another interesting point is that Fantastico De Luxe 2.10.4 r45 (LATEST and STABLE release) updated WordPress 3.0.1 to 3.0.3 on December 16, 2010. WordPress 3.0.3 came out on December 8. WordPress 3.0.2 came out November 30. Their update prior to that was on October 6.
I took a look at SimpleScripts and their script list says WordPress 3.1-RC1. I don’t have SimpleScripts in my hosting so I am unable to verify if that’s the “available” version that installs. But if so, I certainly don’t want to have a release candidate on a production site.
This just enforces my decision not to use the dreaded one-click installers. Thanks so much for your comment.
chris says
Great post, Regina. Thanks for doing the footwork in researching how WP auto-installers set up WordPress. I’ve only used one once and the installation failed. Much better to just do it the old fashioned way.
Regina Smola says
You’re welcome Chris. I second that… do it the old fashioned way.
Mr Idea says
I’ve been using WP since before my hosting co. offered an automatic install, so I have devised a few shortcuts to help me on my way. I keep the most current version of WP expanded on my hard drive – yeah I know it’s quicker to transfer the zipped file and unzip it on the server. I prefer to drive a car with a standard transmission also ;>) I keep an updated directory of the plugins that I use and copy them into my WP package before I upload it. I also include the theme I want to use on the site. That way I just use my ftp client and upload the whole thing in one sitting. I can go have a cup of coffee, do my daily flopping around on the floor or whatever while it uploads. No muss, no fuss, no stress.
One other thing I do is change the default admin to something else. Gives the hackers one less easy point of entry.
Regina Smola says
Excellent way of doing it, Mr. Idea. Others should follow this same format. And you’ve also got a backup if the worst happens. Only thing missing are your uploads. Do you also add those to your working copy as well?
Mr Idea says
Since my uploads are more specific to each site, I keep them in a directory of the site and upload them later.
Since I’m a suspenders and a belt kinda guy, once the site is up and running to my satisfaction, I make a backup (export) from the tools directory and then ftp the whole site back to my hard drive. I never worry about how long it might take to ftp the site as I have lots of other work to do while this is going on – I used to watch the progress at first – but like watching grass grow, it becomes boring after a time ;>)
I have a plugin that emails me a backup of the site each week, but I repeat the export and ftp process every month or two – sooner if I have made some significant changes.
Regina Smola says
I’m glad to see you are on top of things. You’re a good example of taking your backups seriously. You are armed in case you ever have to restore your website. Thanks for sharing.
Matt says
Hello Regina,
Thanks so much for sharing this information. I have to confess that I have made some of these mistakes; however, note to hackers, I will be changing all of this information on all my sites so that you cannot hack my site 😛 (at least without great difficulty, and no it’s not a challenge; why would you want to hack my site anyway, it’s not like I have the secret code hidden inside my WP install to crack Fort Knox)
That being said Regina, thanks again. I’m going to stop being and start installing wordpress the old fashioned way from now on.
Regina Smola says
Get ’em Matt!
Love your stop being and start installing comment.
Thanks for sharing!
Robert Nelson says
Valuable information about Fantastico. Sounds like it needs some hardening and until then it would be better to install via the Automatic WordPress Plugin.
Regina Smola says
Fantastico seems to be behind the times for updates with WordPress and other applications. If they could keep up with updates, allow for more secure installations and fewer conflicts then it would be so much better.
Robert Nelson says
Is Fantastico open source or not?
Regina Smola says
Thanks for your question Robert.
Fantastico is a commercial script library that hosting providers add on for their customers.
The Gratitude Guru says
I have used the nice and simple Fantastico install method on a couple sites. Looks like that was not the best idea!
With that said, is there an easy way to correct the imperfections of the install? For example, is there an easy (or not easy) way to change the database name from wrdp1 to something else? Or change the prefix of wp_?
Thanks for this information!
Be Well.
Paul.
Regina Smola says
Thanks for your question.
You could create a new database and import your existing database into it. Then you can manually change the table prefixes on the new database via phpMyAdmin.
Then update your wp-config.php file with the new info. Test your site. It should work. If not, you can revert back to the old database easily.
Note: Be very careful when changing your database, one error could break your site. Take your time.
Hope that helps.
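The database move described in the reply above, as an added example that is not part of the original comment: a shell script that generates the SQL to rename every table to a new prefix and then rewrites the $table_prefix line in wp-config.php. The table list, the new prefix k7x_ and the file paths are constructed assumptions. The two UPDATE statements at the end cover the option name and usermeta keys whose values embed the old prefix; renaming tables in phpMyAdmin does not touch those rows, and leaving them behind locks every user out of the dashboard after the change.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post or comment): emit the SQL
# that moves a WordPress database off the wp_ table prefix, and rewrite the
# $table_prefix line in wp-config.php. The table list is a constructed sample
# of a default single-site install; the new prefix k7x_ is an assumption.
# Nothing here connects to a database: review the output, then run it in
# phpMyAdmin or the mysql client against the copied database.

# Tables of a default WordPress install (constructed sample input).
WP_TABLES="wp_commentmeta wp_comments wp_links wp_options wp_postmeta wp_posts
wp_term_relationships wp_term_taxonomy wp_termmeta wp_terms wp_usermeta wp_users"

# WordPress accepts only letters, digits and underscores in a table prefix.
valid_prefix() {  # $1 = candidate prefix
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Escape underscores so LIKE matches them literally (_ is a wildcard).
like_escape() {  # $1 = string
    printf '%s' "$1" | sed 's/_/\\_/g'
}

# Print the statements for the move: one RENAME TABLE per table, then the
# two UPDATEs for rows whose values embed the prefix (the wp_user_roles
# option and the wp_capabilities / wp_user_level usermeta keys). Without
# those, every account loses its role and is locked out of wp-admin.
prefix_change_sql() {  # $1 = old prefix, $2 = new prefix, $3 = table names
    local old="$1" new="$2" t rest
    valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
    for t in $3; do
        case "$t" in
            "$old"*) rest=${t#"$old"}
                     echo "RENAME TABLE \`$t\` TO \`$new$rest\`;" ;;
        esac
    done
    echo "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
    echo "UPDATE \`${new}usermeta\` SET meta_key = REPLACE(meta_key, '$old', '$new') WHERE meta_key LIKE '$(like_escape "$old")%';"
}

# Point wp-config.php at the new prefix, keeping a .bak copy, and print the
# rewritten line.
set_config_prefix() {  # $1 = path to wp-config.php, $2 = new prefix
    valid_prefix "$2" || return 1
    cp "$1" "$1.bak"
    sed "s/^[$]table_prefix *=.*/\$table_prefix = '$2';/" "$1.bak" > "$1"
    grep '^[$]table_prefix' "$1"
}

# Demo on the constructed sample and a throwaway wp-config.php.
cfg=$(mktemp)
printf '%s\n' '<?php' "\$table_prefix = 'wp_';" > "$cfg"
prefix_change_sql wp_ k7x_ "$WP_TABLES"
set_config_prefix "$cfg" k7x_
rm -f "$cfg" "$cfg.bak"
```

Feed a real table list in with something like `SHOW TABLES LIKE 'wp\_%'` from the copied database, and only switch wp-config.php after the SQL has run cleanly; because the original database is untouched, reverting is a matter of restoring the .bak file.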
Justin Zimmerman says
Thank you for the great post. I always wondered if autoinstallers posed a threat and have been doing manual installs and updates. You are right, it’s a bit more work (not much), but if you’re serious about your site, then it’s worth the extra work. My question is… are there any CHMOD settings you’d change after a “stock” manual install?
Any other related security “setup” settings you recommend for a fresh install?
Kathy Pop says
Thanks for clarifying this issue. I have gone round and round with some folks who insist that Fantastico is the best way to go. Maybe if they see it point for point in print……….???
I usually replace the themes and plugin folders w/ one that includes the ones I use, remove any unnecessary files like the readme, etc, before uploading it- just to save a couple steps.
Allen Dresser says
Regina – as always you have provided great information on securing our sites. Starting with the installation makes sense. Building a secure foundation beats going back to fix and patch.
I have suggested to friends not to use the auto-pilot installation wizards, but you have given us solid reasons WHY!
Roy Randolph says
Regina – Nice article; if you do not mind, I would like to add more about Fantastico and Softaculous, a more recent installer.
As the owner of a web host company, I for one have never been a fan of Fantastico (nor cPanel); in fact we only have one server left with Fantastico installed on it. One of the major reasons I never liked cPanel (until recent times) is the security issues I had with it. While Fantastico is not a cPanel product, it is only for cPanel. I personally didn’t like the way Fantastico loaded scripts to the server for many of the reasons you mention.
Here are some of the differences of Fantastico & Softaculous
Today when I attempt to load a new WordPress install with Fantastico the New Installation version is showing 3.0.3 while the latest version offered by Softaculous is 3.0.4.
1) During the Install process Fantastico only gives you the option of installing on any given domain that is attached to your cPanel account.
Softaculous does the same
2) Softaculous allows you to choose your Protocol: http://, http://www, https:// or https://www
Fantastico Does Not
3) Both Fantastico & Softaculous allow you to choose the location, either root or sub directory.
4) Softaculous allows you to name the database on setup; if you do not, Softaculous will predetermine a database name at random. At the time of this post, in my example, the database name was “wp545”.
Fantastico does NOT give you this opportunity
5) Softaculous allows you to control the Database Name Prefix; the default is “wp_” but you can change it to anything you would like.
Fantastico Does NOT
6) Softaculous allows you to set up your Site Name and Site Description
Fantastico does as well.
7) Both Fantastico and Softaculous allow you to use any Admin Name and Password and associated email address.
8) Softaculous allows you to send an email to a 3rd party with login details, if you so wish
Fantastico does Not.
In regards to upgrades Softaculous uses the WordPress upgrade tool to upgrade WordPress unlike Fantastico.
Plus Softaculous does not create a file like Fantastico’s fantversion.php or anything like it which will improve on security.
I have requested to Alons (of Softaculous) that he allow the database username to be separate from the actual database name.
I personally find Softaculous light years ahead of Fantastico in both the number of scripts offered and the way the scripts are loaded, which results in a much more secure script when loaded with Softaculous. Because of these reasons we only offer Softaculous as auto loaders on our servers, with the one exception.
Thanks again Regina for picking up on my question, as I always felt script loaders were an area of concern. But with Softaculous coming on the scene and working with other web hosting control panels besides cPanel like Fantastico is limited to, I am sure Softaculous will be the leader in auto loaders soon, if not already.
Regina Smola says
Hi Roy,
Thanks for pointing out the differences between the two auto installers. I’m glad to see that Softaculous has taken care of many of my concerns when doing a review of Fantastico. I’m also thrilled that you, as a web host company owner, take these things into consideration for your clients.
Thanks again.
Sandeep says
Hi Regina
I think both Fantastico & Softaculous have major issues with security. Earlier I had used Softaculous, and even though I had changed all the directory and database names, the website was hacked every time.
Now I am not using any auto installer and still my site is safe and secure.
Also, thanks for sharing your knowledge.
Sandeep
Nick says
Thanks for the great post.
Having installed hundreds of WordPress installations, the only time I have ever been hacked is when using Fantastico.
I would also suggest a few additional plugins to beef up your security. Try Login Lock Down, AntiVirus and WP Security Scan. Thanks for the post.
Morris says
Thanks for the info.
So is there anything one can do if Fantastico Deluxe is the only installer available on your host?
And also, can they access the cPanel login password after they hack the WordPress website?
Kim says
Hi, Regina
Good information! Can you advise me on where I can find out how to secure my domains (the steps to do it) that I previously installed Fantastico on?
Rick says
Hi,
Regina your post is actually very informative about Fantastico and sheds light on why you must not use Fantastico. But the question that was asked was not just for Fantastico :
“What security issues have you seen with installing WP with software installers like Fantastico, SimpleScripts, Softaculous, etc?”
Softaculous (I don’t know about SimpleScripts) is better and addresses these concerns.
You have branded all auto installers BAD by considering Fantastico.
Many hosts have moved away from Fantastico to Softaculous, SimpleScripts.
Even I as a webhost have moved away from Fantastico to Softaculous and our customers love it.
Hence I feel you should UPDATE your original POST and not brand other auto installers you haven’t tried as bad. We use Softaculous as it also provides a way for us webhosts to install for our users when they sign up.
People still use Fantastico because many STUPID datacentres like mine (Softlayer) FORCE us to use Fantastico when we buy cPanel. But I hope they soon realise they should update the software list they offer.
Christine says
I have since learned to install manually, although I still have a site or two out there that were originally installed using Fantastico… and I would like to learn how to manually change some things to better secure them… perhaps a post on that would be great. (if there is already one, let me know where it is). 🙂
Regarding Softaculous, Simple Scripts… I have never seen or used… so really can’t comment. But, I did pop it into a Google search, and didn’t see much recent posted… more like 2009 – 2010… which personally, gives me pause.
I’ll stick with manual installs; back up buddy, etc. and am still learning so much here that I’ll be staying in touch here often! 🙂
William C Allen says
I’ve always done manual installs so that I can change the database prefix and all that just due to habit. But now that it’s late 2012, is Fantastico any better, or more secure? Or do you still recommend using manual installs?
Regina Smola says
Hi William,
Great question. I still say avoid auto-installers and always do manual WordPress installations. It only takes 5 minutes — I’ve got it down to 3 1/2 🙂
One of the benefits of installing WordPress manually is you actually get to see what you’re uploading, create a database and connect to it. It’s a great education tool to understand “where” the site comes from.
As far as I can tell, auto-installers are no better and still pose security risks. Be sure to read this post about auto-installers too: DreamHost One-Click WordPress Installed Timthumb Vulnerability and Security Risks. It’s amazing what some hosting companies offer to give their customers “choices.” Yikes!
Debbie says
Hi Regina,
I’m late getting into this post and Thank You for the great information.
I have been using Fantastico for my installations so far but will now take the time to learn how to do it manually (I know you say it’s easy but creating databases and renaming files sounds kinda scary to me 🙂 ).
Since I already have sites that I created using Fantastico – can they be fixed after the fact?
Regina Smola says
Hi Debbie,
For the sites you have created using Fantastico, you can remove the fantastico_fileslist.txt and fantversion.php files from your server. As far as doing manual installs, see http://codex.wordpress.org/Installing_WordPress. We also have a step-by-step training video on installing WordPress securely inside our membership site, http://safewp.com 🙂
Debbie says
Thanks Regina – and I signed up on your Membership site too 🙂
Jigar says
We have used Softaculous many times. All our websites are safe. Softaculous also auto updates our website whenever a WordPress update is out. I agree Fantastico is bad. But Regina, have you used SimpleScripts and Softaculous, that you simply have passed your judgement on them? If you have not used them, I think you are doing your readers an injustice, as you are simply breaking their trust. I agree installing manually is good. But there are 1000s of non-technical people who don’t even know what MySQL is, let alone installing WordPress. Auto Installers are good if they are secure, and I know Softaculous is for sure. My two cents.
Regina Smola says
Thanks for sharing your opinion Jigar. I appreciate that.
I understand what you’re saying about people with no technical skills. However, people can get step-by-step instructions by clicking the link at http://wordpress.org/download/, including making a database. And there are plenty of people out there who can help them along the way.
There is absolutely no reason for someone to update WordPress thru an auto-installer when they can do it right in their Dashboard. Auto-installers put files on the server that can be a security risk.
Jigar says
>> Auto-installers put files on the server that can be a security risk.
Some do, but the newer ones like Softaculous and SimpleScripts don’t. Also, not everyone has the time to do stuff manually. If my sister were to install WordPress she would have to waste more than 2 days figuring out what MySQL is, let alone completing the install.
Also, I think if you haven’t tried Softaculous or SimpleScripts, you actually shouldn’t comment on them. It’s like saying that if one webhost is bad, everyone is bad.
Regards,
Jigar