WP is not ready for CSP

A Content Security Policy (CSP) relies on HTTP response headers to help prevent cross-site scripting and other malware, providing a great addition to a layered security approach. I think of it as a reverse firewall. It tells browsers exactly what content should be accepted from my site. All other content – malware for example – should be rejected. So, it doesn’t exactly protect my site. But if my site gets infected, it can prevent the infection from spreading – possibly saving my reputation.

A correct CSP is a really good thing, adding to interweb safety. So, why do almost no websites – something incredibly small like 1% of 1% – have a CSP? Partly because it is not very well known yet, but also because it is really complicated to create a correct one. It is much more likely that I will screw up my WP site and deliver false errors to my visitors than it is that my CSP will work properly.


Allowing only Cloudflare traffic

In other posts I give my point of view on the security advantages of using Cloudflare. But what’s to stop a bad guy, gal, or bot from accessing my site directly by IP address? I can try to keep my IP address secret, but a determined hacker will find it without too much trouble. He or she or his/her robot minions could then avoid Cloudflare security by attacking my site directly – unless I take explicit measures by allowing only Cloudflare traffic.


Bad bot login attempts

One thing that consistently amuses me on the usually excellent WP support forum is the experts’ responses to questions about bad bot login attempts …

  • “Don’t worry about it”
  • “It’s normal”
  • “I get way more malicious login attempts than that” – as if it were a badge of honor.

Bots constantly pound away at WP login pages – usually using ‘admin’ as username and a list of common passwords. These hacks are easy to thwart. Just use a non-obvious username and strong password. Problem solved, right? Well, kinda – with a strong password and a username other than ‘admin’, I won’t be hacked by this vector. But I refuse to accept my site being constantly under attack as somehow ‘normal’.


Web Cache Deception Hacks


Web cache deception hacks are a fairly recent threat, first described by Omer Gil in February 2017. In certain situations a hacker could leverage a misconfiguration between a web server and a proxy cache like Cloudflare to reveal sensitive information that could help the hacker take over my account. To be honest, this seems like a very unlikely threat. The situations that could cause it seem complex and obscure, and large-scale attacks of this sort have not been observed in the wild.


WordPress and the Terrible, Horrible, No Good, Very Bad Day

Still reeling from the REST API debacle, and with the Gutenberg Kerfuffle roiling as WP 5.0 approaches, the good people who develop WordPress – and I mean that sincerely, I believe them to be genuinely good people to whom I owe a great deal of gratitude – endured a terrible, horrible, no good, very bad day (*).

First, the Maintenance Release of WordPress 4.9.3 on February 5, 2018. WP 4.9.3 fixed 34 minor bugs, and introduced a great, big, major new one.


Bug icon by Dmitry Baranovskiy, from The Noun Project, CC BY 3.0


How are WP sites hacked?

I tend to obsess over WP security. But what should I really worry about? There are two main ways WP sites get hacked:

  • By far the most common attempted WP hack is malicious login, in which one or more bots attempt to log in using lists of common admin usernames and passwords.
  • By far the most common successful WP hacks use vulnerabilities in outdated plugins, themes, or WP core.


Protect the WP Admin Directory

To access the wp-admin directory (e.g. my Admin Dashboard) I have to log in using my administrator username and my strong password. So, my admin directory is already protected. But I might want additional layers of security to better protect the WP admin directory from hackers. There are several ways to do this, and I can implement as many as I want. I should aim for a reasonable balance between convenience and security – each additional security layer will make it less convenient for me to log in. In rough order of inconvenience, least to most:


Automatic updating WP, themes, and plugins

The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely, but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.


Custom 404 Error Page

In another post I present a case for using a short, simple text string to report 403-Forbidden errors. For Not Found errors, I want to serve a friendly helpful 404 error page that fits reasonably well with the look and feel of my site. But I still want to limit resource use to the extent practical, otherwise serving a lot of 404 pages could slow my site or even bring it down.


WP REST API Exploit – why was the filter disabled?

At the time of this post, the WP REST API exploit is pandemic, with over 1.5 million WP posts defaced. A high-profile California government website – that I am somewhat responsible for – was hit yesterday, causing a great deal of consternation in my office. When news of the exploit first appeared, my personal sites like this one had already updated to WP 4.7.2, and I had long ago disabled the REST API, so I had no worries on that front.

