corenominal

Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Tagged: security

WordPress Security: This wp-config.php Protects Your Website

There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won’t turn into the Bank of England, but you’ve made it a little harder for the hackers.

Some good tips for hardening your WordPress installation.

Distrusting New WoSign and StartCom Certificates

Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016. Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy. The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct. The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

Oh, that’s not good. I use StartCom services for a number of domains and so this is a worry. I should probably look at completely switching to Let’s Encrypt.

New iPhone, Transformation to Apple Fanboy Accomplished

Last week, I purchased a new iPhone. It’s my first iPhone, ever. And, I love it.

Prior to the iPhone, I’d been using Android devices, with my last phone being an HTC One M8. Now, I thought my M8 was a good phone, but, just one week on from purchasing my iPhone, I now realise how disjointed and kludgy my M8 was.

In the past, many people have lauded Apple’s accomplishments with the iPhone, attributing much of the iPhone’s success to the fact that Apple tightly control both the hardware and software. As an Android user, it was easy for me to read these statements and not give them too much attention, but now as an iPhone user, it’s clear to see what these people were talking about.

On my iPhone, everything just works.

Here’s an example of something just working, seamlessly: yesterday, I was working on my Macbook when my daughter called. When the call came through, a notification popped up on my desktop asking if I wanted to accept the call. I clicked accept and the call was routed to my Macbook, where I proceeded to have a conversation about a joint of gammon.

Mind blown.

For any long-time Apple users, you might be thinking, duh! But, for someone like me who has been using Linux on the desktop and Android phones, this kind of seamless integration is like voodoo magic. In my experience, it just didn’t happen with my previous hardware and software choices.

There are plenty of other features and services (reliable Bluetooth, Siri, iTunes – yes iTunes, Force Touch, Touch ID) that I’m enjoying on my iPhone, too many to mention here, but to summarise, in comparison to my previous Android devices, my iPhone feels and works how I would expect a premium-luxury device to work.

And all this, before touching on the topic of security, which is one of the main reasons I opted for an iPhone. For the past few years, I’ve not felt at all confident about my Android device. Even though I was running the latest CyanogenMod builds, it still felt like I was walking around with a pocketful of known exploits. I simply couldn’t shake the feeling that my device was dirty.

Meanwhile, my iPhone carrying friends and colleagues were receiving OTA security patches and updates.

Then this happened, and it was the final nail in the coffin. As soon as I’d read that, I’d made my mind up, I was moving away from Android.

For a while, I did consider purchasing an Ubuntu phone, but then I came to my senses. There was really only one option. Buy an iPhone, and in the process, complete my transformation into a fully-fledged Apple fanboy.

For anyone who might be interested, I opted for a Space Grey iPhone 6S with 128GB storage. This might seem a little strange considering the iPhone 7 has just been released, but I figured the 6S was a solid device, plus the price had just been reduced by £100.

A week later, satisfied that I’d done the right thing, I purchased another iPhone (same model, but in Silver) as a gift for Becky. And now, Becky loves her new iPhone too.

DEF CON 24 – Chris Rock – How to Overthrow a Government

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Thoroughly entertaining, if not a little scary.

If You Don’t Know what WP Release Day is, You’re Already Doomed

Yesterday was WP Release Day. If you manage WordPress websites and have no idea what I’m referring to, you’re already doomed.

I spent Release Day updating and testing development servers, before updating and testing production servers, so I’m definitely not doomed. Phew.

If you are responsible for managing websites, either prepare for Release Days, or stop managing websites.

I hate to be so blunt, but it’s really the bottom line. Managing a website means exactly that: Manage it! If you aren’t prepared, then you can only blame yourself.

Sometimes it’s good to be blunt.

How To Prevent Direct Access To Your Plugin

As developers, one of the most important things we can do is prevent direct access to our plugin. By this, I mean if someone gets clever and tries to access one of the files located in any given plugin’s directory, they should not be able to execute any of the code in the script.

Some sensible security advice for WordPress plugin developers.

About pwgenGUI

At work, I often have to create new passwords for users. It’s not terribly difficult to do and I usually open my browser, navigate to one of the many password generating sites and grab a new password. Easy, but then I thought to myself, could it be even easier? I mean, I really should be able to do this with just 1 click of the mouse.

So, the other night, I created a little Python+GTK GUI application to do just that. pwgenGUI is basically a front-end for pwgen, a command line tool for generating passwords. I’m not sure if anyone else will find it useful, but I’ve packaged the application for Ubuntu and installation instructions can be found here.

SVG uploads in WordPress (the Inconvenient Truth)

WordPress is an excellent CMS “out of the box”, very easy to use and “just works” for the large majority of users. So why aren’t SVGs allowed in the first place? Why do we have to jump through hoops to make SVGs work?

Short answer: SVG files are extremely insecure.

A good explanation of why WordPress doesn’t support SVGs. I’m a big fan of SVGs, but I can’t think that I’ve ever needed to upload any via the WordPress media uploader. I tend to use them for styling purposes, or as icons, but rarely (never say never) for content, so I’ve never considered this a problem.

That said, this post did make me wonder about how the Openclipart developers handle SVG security. I would imagine that they have to be even more cautious with their users, as anyone can sign up for an account and upload clipart in the form of SVGs. I’m not sure if the Openclipart site is open-source, I couldn’t find any details on the site, but it would be good to take a look.

Via CSS-Tricks
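As an added example (not part of the original post or of WordPress), here is a small Python check in the spirit of that warning: an SVG is XML, so it can carry `<script>` elements, `on*` event-handler attributes, `javascript:` links and entity declarations, which is why serving arbitrary uploads from a media library is risky. The function lists those constructs in an upload so a reviewer can reject or sanitise it; the two sample SVGs are constructed for this example.

```python
"""Flag script-bearing constructs in an SVG file before it is accepted as an upload."""
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
DANGEROUS_TAGS = {"script", "foreignObject"}
# href/xlink:href values whose scheme executes code or smuggles a document.
URL_SCHEME = re.compile(r"\s*(javascript|data)\s*:", re.IGNORECASE)

# Constructed samples: a harmless icon and one carrying three risky constructs.
SAFE_ICON = ('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             '<circle cx="5" cy="5" r="4" fill="#09c"/></svg>')
SCRIPTED_ICON = ('<svg xmlns="http://www.w3.org/2000/svg" '
                 'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                 '<script>alert(1)</script>'
                 '<a xlink:href="javascript:alert(1)"><text y="10">hi</text></a></svg>')


def svg_findings(svg_text: str) -> list:
    """Return a list of human-readable reasons the SVG is unsafe (empty == clean)."""
    # Refuse to parse anything with a DOCTYPE: internal entity declarations
    # can blow up on expansion (billion laughs), so do not even feed it to expat.
    if re.search(r"<!DOCTYPE", svg_text, re.IGNORECASE):
        return ["DOCTYPE declaration (entity expansion risk)"]
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        local = elem.tag.split("}", 1)[-1]          # strip the namespace prefix
        if local in DANGEROUS_TAGS:
            findings.append(f"<{local}> element")
        for name, value in elem.attrib.items():
            attr = name.split("}", 1)[-1]           # handles xlink:href as well
            if attr.lower().startswith("on"):
                findings.append(f"event handler attribute {attr} on <{local}>")
            elif attr == "href" and URL_SCHEME.match(value):
                scheme = URL_SCHEME.match(value).group(1).lower()
                findings.append(f"href={scheme}: URL on <{local}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    """Upload gate: True only when no risky construct was found."""
    return not svg_findings(svg_text)


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_ICON), ("scripted", SCRIPTED_ICON)):
        print(label, "->", svg_findings(doc) or "clean")
```

Rejecting is the simple policy; rewriting the SVG to strip these nodes is possible too, but the check above is deliberately a detector rather than a sanitiser, since a partial rewrite can leave a file that still renders as script in some viewers.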