Preventing Clickjacking on WordPress Sites

WordPress already sends the X-FRAME-OPTIONS header for wp-login.php and the Admin Panels in order to prevent clickjacking, but it doesn’t send it on the front end because that could interfere with remote services that legitimately frame parts of a site. That’s only relevant for a small number of pages, though, so I’ve added a snippet to my functionality plugin skeleton […]

Continue reading...

PayPal Security Sucks; or, Why Two Factor Authentication is Worthless Without Strong Account Recovery Policies

Even though two-factor authentication isn’t the silver bullet many make it out to be, I’m still a big fan of it and think that it should be offered by any web service that wants to be taken seriously. It’s completely pointless, though, if the service doesn’t also have strong account recovery policies, or if their customer support […]

Continue reading...

Security Reward for new Google Authenticator Plugin

I just released a new plugin into the WordPress.org repository, and am fairly confident that it’s secure, but since it modifies some of the default login behavior, I’d love to get some extra eyeballs on the code. To that end, I’m offering a $150 Amazon.com gift certificate* to anyone who can find a significant vulnerability. By “significant”, […]

Continue reading...

How to Create Strong Passwords

We just updated the password advice we give to WordPress.com users so that it focuses on modern techniques like password managers and passphrases. It’s aimed at non-technical users, and very little of it is specific to WordPress.com, so it’s a good resource to share with clients or friends who could use a little nudge towards […]

Continue reading...

Web Application Attack and Audit Framework

Tony Perez recently wrote about the Web Application Attack and Audit Framework (W3AF), which is a tool you can use to scan a website for various vulnerabilities, like XSS and SQL injection. You can watch a demo to get a feel for what it does. I think it’s a good thing to run during the testing […]

Continue reading...

GoDaddy.com Doesn’t Protect Customer’s Passwords

Unfortunately from time to time I have the unpleasant task of dealing with GoDaddy in one form or another, and today I noticed another failure with their services that caught me by surprise. If you knew how low my opinion of GoDaddy was to begin with, then you’d realize how bad the problem must have […]

Continue reading...

XML-RPC Enabled by Default in WordPress 3.5

XML-RPC will be enabled by default in WordPress 3.5, but I personally think that’s a bad idea from a security perspective. A fellow Seattle WP developer, Ben Lobaugh, explains why on the Trac ticket.. Luckily, it’s easy to disable it. Just add this to a plugin: I’ve added that to my security checklist for new […]

Continue reading...

Don’t Move wp-config.php Outside the Document Root

Most WordPress security guides recommend moving wp-config.php outside of the Apache document root in order to prevent the database password being exposed if the PHP engine fails to parse the file, or from being readable to infected scripts running in the domain. Despite the conventional wisdom, though, this technique doesn’t solve those problems, and can actually […]

Continue reading...

Why Short URLs are Evil and You Should Never Use Them

Ok, so maybe that title was a bit of a hyperbole, but this is one of my biggest pet peeves on the Web right now. Joshua Schachter has a comprehensive analysis of the concept of Short URLs and the myriad problems associated with it, but the biggest one for me is the fact that the […]

Continue reading...

Principles to Apply When Preventing Brute Force Attacks

I just read a good article by Bryan Rite about the security principles involved in preventing dictionary attacks. He makes a good point about offloading the work to a service like OpenID if possible, and has some other tips to use if you have to implement it yourself. Some of it challenges the conventional wisdom, but I think […]

Continue reading...

What Really Makes a Password Strong?

Bob Yexley turned me on to passphrases a few years ago when he linked to what became a seminal article on the topic by Robert Hensing. The argument is that passphrases — random words strung together to form a phrase, e.g., monkey stars hatchback questioning — are both more secure and easier to remember than what are […]

Continue reading...

WordPress Plugin and Theme Security

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against […]

Continue reading...