Why Websites get Hacked is a good high-level article to send to clients or friends who don’t understand why someone would want to attack their site — and therefore don’t see the need to protect it — or are curious about how it happens.
Category Archives: Security
Preventing Clickjacking on WordPress Sites
WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site. That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton […]
PayPal Security Sucks; or, Why Two Factor Authentication is Worthless Without Strong Account Recovery Policies
Even though two-factor authentication isn’t the silver bullet many make it out to be, I’m still a big fan of it and think that it should be offered by any web service that wants to be taken seriously. It’s completely pointless, though, if the service doesn’t also have strong account recovery policies, or if their customer support […]
Security Reward for new Google Authenticator Plugin
I just released a new plugin into the WordPress.org repository, and am fairly confident that it’s secure, but since it modifies some of the default login behavior, I’d love to get some extra eyeballs on the code. To that end, I’m offering a $150 Amazon.com gift certificate* to anyone who can find a significant vulnerability. By “significant”, […]
How to Create Strong Passwords
We just updated the password advice we give to WordPress.com users so that it focuses on modern techniques like password managers and passphrases. It’s aimed at non-technical users, and very little of it is specific to WordPress.com, so it’s a good resource to share with clients or friends who could use a little nudge towards […]
Web Application Attack and Audit Framework
Tony Perez recently wrote about the Web Application Attack and Audit Framework (W3AF), which is a tool you can use to scan a website for various vulnerabilities, like XSS and SQL injection. You can watch a demo to get a feel for what it does. I think it’s a good thing to run during the testing […]
WordPress Security Plugin Recommendations
I recently spent some time reviewing the WordPress security plugin landscape, since there’ve been some big changes in the past year, and I’ve decided to update some of my standard choices. No single plugin covers all the different requirements, so it’s necessary to use a combination. That can be a problem, though, because the feature-sets […]
GoDaddy.com Doesn’t Protect Customers’ Passwords
Unfortunately from time to time I have the unpleasant task of dealing with GoDaddy in one form or another, and today I noticed another failure with their services that caught me by surprise. If you knew how low my opinion of GoDaddy was to begin with, then you’d realize how bad the problem must have […]
XML-RPC Enabled by Default in WordPress 3.5
XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket. Luckily, it’s easy to disable it. Just add this to a plugin: I’ve added that to my security checklist for new […]
Sharing Passwords Securely
It’s common for developers to share login credentials with clients and team members through e-mail or other insecure mediums, but there aren’t a lot of firmly established best practices on how to do it properly. I came across a SuperUser thread yesterday that contains several good ideas, and decided to add one of my own as well.
Don’t Move wp-config.php Outside the Document Root
Most WordPress security guides recommend moving wp-config.php outside of the Apache document root in order to prevent the database password being exposed if the PHP engine fails to parse the file, or from being readable to infected scripts running in the domain. Despite the conventional wisdom, though, this technique doesn’t solve those problems, and can actually […]
Cross Site Scripting Vulnerability in Subscribe2 Plugin
News of the XSS bug in Subscribe2 didn’t show up in any of my RSS feeds or mailing lists, even though it’s a fairly popular plugin, so I wanted to make a note of it in case anyone else missed it. Version 8.2 has a fix for it. Update: It also sounds like an official […]
Why Short URLs are Evil and You Should Never Use Them
Ok, so maybe that title was a bit of hyperbole, but this is one of my biggest pet peeves on the Web right now. Joshua Schachter has a comprehensive analysis of the concept of Short URLs and the myriad problems associated with it, but the biggest one for me is the fact that the […]
Principles to Apply When Preventing Brute Force Attacks
I just read a good article by Bryan Rite about the security principles involved in preventing dictionary attacks. He makes a good point about offloading the work to a service like OpenID if possible, and has some other tips to use if you have to implement it yourself. Some of it challenges the conventional wisdom, but I think […]
New WordPress Security Plugin
In the past I’ve used Login Lockdown and Login Lock to block brute force attempts against WordPress installations, but Login Lockdown isn’t actively maintained and Login Lock has some serious bugs/security vulnerabilities. Recently Daniel Convissor released a new plugin called Login Security Solution that has the same basic features of Login Lockdown and Login Lock, […]
What Really Makes a Password Strong?
Bob Yexley turned me on to passphrases a few years ago when he linked to what became a seminal article on the topic by Robert Hensing. The argument is that passphrases — random words strung together to form a phrase, e.g., monkey stars hatchback questioning — are both more secure and easier to remember than what are […]
How to Erase Sensitive Data from a Hard Drive
Aaron Toponce has documented a way to overwrite sensitive data on a hard drive that is fast and gives you a running progress meter.
WordPress Plugin and Theme Security
Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at WordCamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against […]