Web site (and server) security

These are the top ten potential security holes in your site.

Your site is probably WordPress, which is a major source of hacks.

OWASP recommendations

  1. SQL injection – could someone get at your database remotely? Escape your SQL, or better, use parameterised queries.
  2. Broken auth – is your login system safe?
  3. Data exposure – is your web server locked down? Use Options -Indexes in the Apache world.
  4. XML external entities – an XML parser that resolves external entities can be made to read files off the server. Disable external entity resolution.
  5. Broken access control – are important files inaccessible?
  6. Security misconfiguration – is your security software properly configured?
  7. XSS – has someone got a malicious JS script into your pages? Escape your output.
  8. Using components with known vulnerabilities – keep up to date!
  9. Insufficient logging and monitoring – know what’s going in and out of your system
  10. Insecure deserialisation – be careful of the serialised data you accept
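Item 1 in practice, as an added example that is not code from the original post: the same lookup written the vulnerable way (string concatenation) and the hardened way (a bound parameter), run against a constructed in-memory SQLite table. Escaping is one defence; binding parameters is the standard fix because the database never sees user input as part of the SQL text. The table, the names and the use of the sqlite3 module are my assumptions for the demo; on a WordPress site $wpdb->prepare() gives the same effect.

```python
import sqlite3

# Added example (not code from the original post): a constructed in-memory
# table standing in for a site database, so the script runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the caller's text is pasted straight into the statement,
    so quote characters in it change the meaning of the query."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Hardened: the value is bound as a parameter. The driver passes it
    separately from the SQL text, so it can never be parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run the same lookup both ways with a classic quote-breaking input and
    return how many rows each version hands back."""
    conn = make_db()
    hostile = "nobody' OR '1'='1"
    unsafe_rows = find_user_unsafe(conn, hostile)  # WHERE clause is now always true
    safe_rows = find_user_safe(conn, hostile)      # looks for a user literally called nobody' OR '1'='1
    return len(unsafe_rows), len(safe_rows)


if __name__ == "__main__":
    print("rows returned (unsafe, safe):", demo())
```

The unsafe version hands back every user; the parameterised version finds nobody, because the input was compared as a plain string.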

Make sure you have DDoS protection. I use Cloudflare. It has the added bonus of running my DNS. I trust them.
Run Snort or equivalent as part of your monitoring. Snort is an IDS, or Intrusion Detection System.
On WordPress use a security plugin. I use Wordfence.

Site attackers can:

  • Inject SEO spam on the page
  • Drop a backdoor to maintain access
  • Collect visitor information or credit card data
  • Run exploits on the server to escalate access level
  • Use visitors’ computers to mine cryptocurrencies
  • Store botnet command & control scripts
  • Show unwanted ads, redirect visitors to scam sites
  • Host malicious downloads
  • Launch attacks against other sites

Asset inventory and management can be taken one step further into the following subcategories:

  • Web properties
  • Web servers and infrastructure
  • Plugins, extensions, themes, and modules
  • Third-party integrations and services
  • Access points/nodes

Monitoring should be in place to verify the security state of:

  • DNS records
  • SSL certificates
  • Webserver configuration
  • Application updates
  • User access
  • File integrity – monitor file modification times of plugins and themes
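File integrity monitoring (the last item above) is easy to do yourself. This is an added example, not code from the original post or from any plugin: it hashes every file under a directory, stores the baseline, and on the next run reports files that were added, removed or changed. Comparing hashes rather than modification times matters because anyone who can write a file can also reset its timestamp. The wp-content paths in the demo are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not code from the original post. The wp-content layout below
# is constructed for the demo; point build_baseline at your real site root.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> hash for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict, path: Path) -> None:
    # Keep the baseline somewhere the web server cannot write to, or it can be
    # rewritten along with the files it is meant to protect.
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed plugin tree: baseline it, then simulate a plugin edit, a PHP
    file appearing in uploads and a file going missing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "example-plugin"
        uploads = root / "wp-content" / "uploads"
        plugin.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (plugin / "example.php").write_text("<?php // plugin entry point\n")
        (plugin / "readme.txt").write_text("Example plugin\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)

        baseline = build_baseline(root)
        baseline_file = root / "baseline.json"  # outside the web root in real use
        save_baseline(baseline, baseline_file)

        # What a later run might find: an edited plugin, PHP where only images
        # belong, and a file that has vanished.
        (plugin / "example.php").write_text("<?php // plugin entry point (changed)\n")
        (uploads / "unexpected.php").write_text("<?php // PHP in the uploads folder\n")
        (plugin / "readme.txt").unlink()

        current = build_baseline(root)
        current.pop("baseline.json", None)  # don't report the baseline file itself
        return compare(load_baseline(baseline_file), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_baseline right after a clean update, then schedule the compare from cron; a new .php file under uploads, as in the demo, is exactly the sort of thing you want an email about.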

A proper incident response plan includes:

  • Selecting an incident response team or person
  • Reporting of incident to review findings
  • Mitigating the event

The incident response process, as defined by NIST, is broken down into four broad phases:

  • Preparation & planning
  • Detection & analysis
  • Containment, eradication & recovery
  • Post incident activities

You can base all further actions on the following tips:

  • Restrict global access to your site (or certain areas) via GET or POST methods to minimize exposure.
  • Update directory and file permissions to ensure the read/write access is properly set.
  • Update or remove outdated software/themes/plugins.
  • Reset your passwords immediately with a strong password policy.
  • Activate 2FA/MFA wherever possible to add an extra layer of authentication.

TODO list:

  1. Update everything
  2. Have strong passwords – I use LastPass.
  3. Audit your own password hashes with a password cracker (e.g. John the Ripper)
  4. Limit user access
  5. File permissions
  6. Have backups
  7. Audit server configuration files
  8. Use SSL everywhere
  9. Install scanning and monitoring tools
  10. Ensure PCs are secure
  11. Have a WAF
  12. Monitor search engine blacklists (esp. Google)

The best practices for you to have a strong password are:

  • Use a password manager.
  • Do not reuse your passwords: Every single password you have should be unique.
  • Have long passwords: Try longer than 12 characters. The longer the password is, the longer it will take a computer program to crack it.
  • Use random passwords: Password-cracking programs can guess millions of passwords in minutes if they contain words found online or in dictionaries. If you have real words in your password, it isn’t random. If you can easily speak your password, it means that it is not strong enough. Even using character replacement (e.g. replacing the letter O with the number 0) is not enough. There are several helpful password managers out there, such as LastPass (online) and KeePass 2 (offline). These tools store all your passwords in an encrypted format and can easily generate random passwords at the click of a button. Password managers make it possible to use strong passwords by taking away the work of memorizing weaker ones or jotting them down.
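The points above in code, as an added example that is not from the original post: undo the common character substitutions before looking for dictionary words (so “P@ssw0rd” is still caught), estimate the search space from length and character classes, and generate a random password the way a manager does. The word list is a tiny constructed stub and the thresholds are my choices; a real checker uses a full dictionary and a breached-password list.

```python
import math
import re
import secrets
import string

# Added example, not code from the original post. The word list is a
# constructed stub; a real check would use a large dictionary plus a corpus
# of breached passwords.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin",
                "dragon", "summer", "monkey", "football"}

# Common substitutions, undone before the dictionary check so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def contains_dictionary_word(pw: str) -> bool:
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    return any(word in letters for word in COMMON_WORDS)


def pool_size(pw: str) -> int:
    """Size of the alphabet a cracker has to search per position."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)          # 32 symbols
    if any(c not in string.printable for c in pw):
        pool += 100                              # rough allowance for non-ASCII
    return pool


def entropy_bits(pw: str) -> float:
    """Upper-bound strength estimate: only meaningful if the password is random."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str) -> dict:
    """Apply the three rules from the text: length, no words, enough randomness."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if contains_dictionary_word(pw):
        reasons.append("built on a dictionary word, even after undoing substitutions")
    if entropy_bits(pw) < 60:
        reasons.append("estimated entropy below 60 bits")
    return {"ok": not reasons, "bits": round(entropy_bits(pw), 1), "reasons": reasons}


def generate(length: int = 20) -> str:
    """What a password manager does: pick every character at random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2024!!", generate()):
        print(candidate, assess(candidate))
```

Note that “Summer2024!!” passes the length and entropy rules and still fails, which is the point the text makes: length only helps when the characters are random.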

The principle of least privilege aims to accomplish two things:

  • Using the minimal set of privileges on a system in order to perform an action
  • Granting those privileges only for the time the action is necessary

Here are the things to look for when deciding which extensions to use:

  • When the extension was last updated: If the last update was more than a year ago, it’s possible the author has stopped working on it. Use extensions that are actively being developed because it indicates that the author would at least be willing to implement a fix if security issues are discovered. Furthermore, if an extension is not supported by the author, then it may stop working if core updates cause conflicts.
  • The age of the extension and the number of installs: An extension developed by an established author that has numerous installs is more trustworthy than one with a small number of installs released by a first-time developer. Not only do experienced developers have a better idea about best security practices, but they are also far less likely to damage their reputation by inserting malicious code into their extension.
  • Legitimate and trusted sources: Download your plugins, extensions, and themes from legitimate sources. Watch out for free versions that might be pirated and infected with malware. There are some extensions whose only objective is to infect as many websites as possible with malware.

A good backup solution should fulfil the following requirements:

  • First, they have to be off-site. If your backups are stored on your website’s server, they are as vulnerable to attacks as anything else in there. You should keep your backups off-site because you want your stored data to be protected from hackers and hardware failure. Storing backups on your web server is also a major security risk: these backups invariably contain unpatched versions of your CMS and extensions, giving hackers easy access to your server.
  • Second, your backups should be automatic. You do so many things every day that having to remember to back up your website might be unthinkable. Use a backup solution that can be scheduled to meet your website’s needs.
  • Finally, have reliable recovery. This means having backups of your backups and testing them to make sure they actually work. You will want multiple backups for redundancy. By doing this, you can recover files from a point before the hack occurred.

Here are a few best practices to add for a particular web server:

  • Prevent directory browsing: This prevents malicious users from viewing the contents of every directory on the website. Limiting the information available to attackers is always a useful security precaution. Use Options -Indexes in Apache.
  • Prevent image hotlinking: While this isn’t strictly a security improvement, it does prevent other websites from displaying the images hosted on your web server. If people start hotlinking images from your server, the bandwidth allowance of your hosting plan might quickly get eaten up displaying images for someone else’s site.
  • Protect sensitive files: You can set rules to protect certain files and folders. CMS configuration files are one of the most sensitive files stored on the web server as they contain the database login details in plain text. Other locations, like admin areas, can be locked down. You can also restrict PHP execution in directories that hold images or allow uploads.

Here are some free website security tools:

  • SiteCheck – Free website security check and malware scanner
  • Sucuri Load Time Tester – Check and compare website speed
  • Sucuri WordPress Security Plugin – Auditing, malware scanner, and security hardening for WordPress websites
  • Google Search Console – Security notifications and tools to measure websites search traffic and performance
  • Bing Webmaster Tools – Search engine diagnostics and security reports
  • Yandex Webmaster – Web search and security violation notifications
  • Unmaskparasites – Check pages for hidden illicit content
  • Best website security software – Comparison of paid website security services
  • Best WAF – Comparison of the best cloud-based web application firewalls
  • Netsparker – (Free community edition and trial version available). Good for testing SQL injection and XSS
  • OpenVAS – Claims to be the most advanced open source security scanner. Good for testing known vulnerabilities; it currently scans for over 25,000. But it can be difficult to set up and requires an OpenVAS server to be installed, which only runs on *nix. OpenVAS is a fork of Nessus from before Nessus became a closed-source commercial product.
  • SecurityHeaders.io – (free online check). A tool to quickly report which security headers (such as CSP and HSTS) a domain has enabled and correctly configured.
  • Xenotix XSS Exploit Framework – A tool from OWASP (Open Web Application Security Project) that includes a huge selection of XSS attack examples, which you can run to quickly confirm whether your site’s inputs are vulnerable in Chrome, Firefox and IE.
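What a tool like SecurityHeaders.io checks can be reproduced locally. The following is an added example, not code from the original post or from that service: it audits a set of response headers for HSTS, CSP and the other common hardening headers, flags weak values, and compares a constructed default-install response with a hardened one. The fetch_headers helper lets you run it against your own site; the header list and thresholds are my choices.

```python
import re
import urllib.request

# Added example, not code from the original post. The header sets below are
# constructed to show a weak and a reasonable configuration.
EXPECTED = {
    "strict-transport-security": "HSTS: tell browsers to use HTTPS only",
    "content-security-policy": "CSP: restrict where scripts and other content may load from",
    "x-content-type-options": "stop browsers guessing content types",
    "x-frame-options": "stop other sites framing yours (clickjacking)",
    "referrer-policy": "limit what URLs leak to third parties",
}


def audit_headers(headers: dict) -> dict:
    """Return which expected headers are missing and which present ones look weak."""
    present = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in EXPECTED if name not in present]
    warnings = []

    hsts = present.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < 15552000:  # 180 days
        warnings.append("HSTS max-age is shorter than 180 days")

    csp = present.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        warnings.append("CSP allows inline scripts ('unsafe-inline'), which defeats most of its XSS protection")

    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append("X-Content-Type-Options should be 'nosniff'")

    return {"missing": missing, "warnings": warnings}


def fetch_headers(url: str) -> dict:
    """Live check of your own site (needs network access; not used by the demo)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


WEAK = {  # constructed: roughly what an untouched install sends
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED = {  # constructed
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs))
```

On Apache these headers are set with mod_headers; Cloudflare can also inject most of them at the edge, which is handy if you cannot touch the server config.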

WordPress plugins cost?

Introduction

You’ve installed WordPress. It’s free. That’s amazing, and you get to stand on the shoulders of giants with all those great plugins. BUT! Developers need to get paid and a lot of the plugins have paid versions with the full range of features. So what can a fully fledged WordPress installation cost? This is the unspoken secret of WordPress.

The Plugins

These are the plugins I’m using:

  1. Hosting. Not really a plugin. It’s easy to get free/cheap hosting, but then a WordPress site can take multiple seconds to load, especially if you have plugins enabled. As a benchmark, the personal plan on wordpress.com is $39 (£30) per year, but doesn’t really give you that much.
  2. Akismet anti-spam adds better statistics and support for £44 per year.
  3. Cloudflare. You are running this, right? For free it gives you SSL, redirection of http to https, DDoS protection and CDN caching (for the speed!); for $20 (£15) you get more, as well as firewalling.
  4. With Jetpack you get a load more content stuff and lazy image loading for $9 (£7) per month.
  5. WP-Smush, one of my favourites, which crushes images, for really useful enhancements will set you back $49 (£38) per month.
  6. UpdraftPlus, the dedicated backup solution, for many, many more features and support will cost you £54 in total.
  7. W3 Total Cache with more, possibly useless, caching features will be $99 (£77) per year.
  8. Wordfence security, which bugs me nearly daily to upgrade plugins and also does much more, is $99 (£77) per license.
  9. Yoast SEO, which has certainly enhanced my writing for the web, is £79 per license.
  10. And finally something not WP related but which I think is REALLY useful is Grammarly, which has also knocked some corners off my writing style. This is £108 per year, and if I were a professional writer, it would be totally worth it.
  11. The AliExpress plugin is worth it if you want a drop shipping store, and who doesn’t? This is $14 (£11) per month.

Therefore in total, we’re looking at £1156 for the first year! Not insignificant, but developers have to eat!

Run WordPress? Stay secure!

Quite a large proportion of us run blogs, typically WordPress if we want a degree of control or growth, whether for techie stuff or political agitation.

Whenever I work anywhere, I try to make sure the top priority is security. There’s no point doing anything unless you’re secure. The recent Typeform breach shows anyone is liable and their breach exposed data from Monzo bank. In the grand scheme of things, it wasn’t the end of the world: no passwords were leaked.

If you’re running WordPress and therefore relying on somebody else’s software, these are the things you need to do to stay secure:

  1. Install a security plugin. Yes, it’s a pain in the neck getting daily emails to update your site as themes and plugins update but given (1) above, it’s useful. I use Wordfence.
  2. Make sure you use SSL. As well as Google encouraging us to use SSL and gain SEO advantage, being secure is just generally a Good Thing. Worried about SSL certificates? Don’t be. Just hand your DNS management over to Cloudflare and gain SSL, DDoS protection and much more for FREE. My favourite price.
  3. Use strong passwords. Better still use something like Lastpass to generate secure passwords and store them for you safely.
  4. Use two-factor authentication. Make it one step harder to get into your site. Now they won’t get in unless they have your phone. There’s a plugin for that. We use the Google Authenticator.
  5. Keep up to date. 54% of WordPress vulnerabilities belonged to out-of-date WordPress installs. Keep themes and plugins up to date too; cross-site scripting bugs turn up in both.
  6. When installing plugins go for the widely used ones, ones with 4*-5* ratings and thousands of satisfied users. Make sure if you go down, LOADS of people go down with you too!
  7. Remove unused plugins and themes. I did that with my personal site and sped it up hugely. Same goes for browser plugins but for different reasons.
  8. Do backups. Second to security. It won’t prevent hacks but it’ll let you get back in the saddle quickly if something awful happens. I use Jetpack which does loads of other stuff too. Make sure you test restoring a backup! Write-only backups are so 90s.
  9. Change the “admin” username. Trivial, but will prevent 99% of brute force attacks.
  10. Limit the number of login attempts. Again, trying to foil brute force.
  11. Don’t let people get at your wp-config file. Put this in your .htaccess file (Apache 2.2 syntax; on Apache 2.4 use “Require all denied” inside the block instead):
    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>
  12. And don’t forget, if you find a security hole, report it! That’s how stuff gets better. Finally, make sure you’ll keep the government happy and please don’t provoke GDPR emails.
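Items 9 and 10 together: keying the lockout on the source address and the username means a brute-force run against a renamed “admin” account locks out nothing real, while a genuine editor at a different address is untouched. This is an added example of how a login-attempt limiter works, not code from Wordfence or any other plugin; the user store, clock and addresses are constructed so it runs stand-alone.

```python
import time
from collections import defaultdict, deque

# Added example, not code from the original post or from any WordPress plugin.
# The user store, clock and IP addresses are constructed for the demo.


class LoginLimiter:
    """Sliding window: after max_attempts failures for one (ip, username)
    within `window` seconds, refuse further attempts for `lockout` seconds."""

    def __init__(self, max_attempts=5, window=600, lockout=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username):
        key = self._key(ip, username)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:  # lockout expired: start clean
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, ip, username):
        """Returns True when this failure triggers a lockout."""
        key = self._key(ip, username)
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        self.failures.pop(self._key(ip, username), None)


def attempt_login(limiter, ip, username, password, verify):
    """Returns 'locked', 'denied' or 'ok'. `verify` is the site's real credential check."""
    if limiter.is_locked(ip, username):
        return "locked"  # don't even consult the password store
    if verify(username, password):
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username)
    return "denied"


class _FakeClock:
    """Constructed clock so the demo can jump forward without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    clock = _FakeClock()
    limiter = LoginLimiter(max_attempts=5, window=600, lockout=900, clock=clock)
    users = {"editor": "correct horse battery staple"}  # constructed; real code checks a hash
    verify = lambda u, p: users.get(u) == p
    ip = "203.0.113.9"  # documentation address
    outcomes = []
    for _ in range(5):  # five wrong guesses...
        outcomes.append(attempt_login(limiter, ip, "editor", "guess", verify))
        clock.t += 1
    # ...and now even the right password is refused until the lockout expires
    outcomes.append(attempt_login(limiter, ip, "editor", users["editor"], verify))
    clock.t += 901
    outcomes.append(attempt_login(limiter, ip, "editor", users["editor"], verify))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Behind Cloudflare, take the client address from the CF-Connecting-IP header rather than the socket, or every visitor shares the proxy's address and one attacker locks everyone out.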

WordPress spice with plugins

So, PHP and MySQL, two slightly suboptimal technologies, run a fairly large chunk of the internet in the form of WordPress. You have the idea for a blog or maybe want to knock up a quick corporate web site. What’s your first step?

Themes

  • Choose a WordPress theme. There are loads out there, some free some paid for. My site of choice for finding themes free or otherwise is Themeforest. A fair number of the themes are free, and you can choose 2 or 3 column, responsive and so on.

Having chosen your host (we use bluehost.com for www.pandaandpolarbear.com and this site), then it’s time to flesh out the functionality of your site with plugins.

Plugins

  • Akismet – a pretty good comment spam filter plugin. It will mark spam for you so you can go through and trash it. Not sure I’ve ever had a spam comment go through.
  • Cloudflare – These guys are making the internet better. A DDoS, CDN and free SSL solution. 128 data centres. Who is to argue with that?
  • Cookie Consent – Everyone needs this, right?
  • XML sitemaps. Does what is says on the can!
  • Jetpack – Even more themes, stats, SEO tools, Security stuff.
  • Loading Page – while the page is loading, shows a pretty graphic. Given the stats on site abandonment, any distraction is worth it.
  • NextScripts: Social Networks Auto-Poster – lets you spam nearly 30 social media channels.
  • P3 (Plugin Performance Profiler) – Really useful to see where the CPU time is going and if a plugin is taking the time. In my experience, plugins take about 50% of the page render time.
  • W3 Total Cache – caching is good. Most sites are not that dynamic, so caching is really good to have.
  • Wordfence Security – useful to have. We’ve had someone uploading rogue JavaScript to WordPress and this spotted it.
  • WP Smush – optimise graphics for the size you’re rendering them at. This is a cool speedup. When you’ve got four years of art, it’s a big win.
  • Yoast SEO – If you’re wordy like me, it’s good to have something reminding you of the good stuff to put in your posts to get the attention of the search engines.
  • Amazon Associates Link Builder – nice integration with Amazon Associates.
  • Finally, Link checker – useful to check for broken links, or destination pages that have gone away.

Other stuff

Don’t forget to sign up to the Google suite, Google analytics, Google webmaster tools, and Google Lighthouse.

Conclusion

That’s a small selection of the plugins we use. There are a whole bunch of Woocommerce related WordPress ones and others related to selling stuff.

I did a site for Dusty Knuckle Pizza, which was working great until they foolishly decided to spend money and get something worse. IMHO.

So that’s that. Your site is now standing on the shoulders of giants.

Remind me, why do people still build web sites manually?