WP is not ready for CSP

Posted on September 27, 2018 by Kenny

A Content Security Policy (CSP) relies on code headers to help prevent cross site scripting and other malware, providing a great addition to a layered security approach. I think of it as a reverse firewall. It tells browsers exactly what content should be accepted from my site. All other content – malware for example – should be rejected. So, it doesn’t exactly protect my site. But if my site gets infected, it can prevent the infection from spreading – possibly saving my reputation

A correct CSP is a really good thing, adding to interweb safety. So, why do almost no websites – something incredibly small like 1% of 1% – have a CSP? Partly because it is not very well known yet, but also because it is really complicated to create a correct one. It is much more likely that I will screw up my WP site and deliver false errors to my visitors than it is that my CSP will work properly.

My full list of WP security settings, plugins, etc..

Posted on September 6, 2018 by Kenny

I am convinced that for most WordPress users one of the popular all-in-one security plugins like WordFence or All In One WP Security & Firewall is a good solution. I like to tinker though, and to choose the best tool for me for each aspect of security. I also like light solutions, and a layered approach to security.

Allowing only Cloudflare traffic

Posted on July 23, 2018 by Kenny

In other posts I give my point of view on the security advantages of using Cloudflare. But what’s to stop a bad guy, gal, or bot from accessing my site directly by IP address? I can try to keep my IP address secret, but a determined hacker will find it without too much trouble. He or she or his/her robot minions could then avoid Cloudflare security by attacking my site directly – unless I take explicit measures by allowing only Cloudflare traffic.

Bad bot login attempts

Posted on June 22, 2018 by Kenny

One thing that consistently amuses me on the usually excellent WP support forum is the experts’ responses to questions about bad bot login attempts …

“Don’t worry about it”
“It’s normal”
“I get way more malicious login attempts than that” – as if it were a badge of honor.

Bots constantly pound away at WP login pages – usually using ‘admin’ as username and a list of common passwords. These hacks are easy to thwart. Just use a non-obvious username and strong password. Problem solved, right? Well, kinda – with a strong password and a username other than ‘admin’, I won’t be hacked by this vector. But I refuse to accept my site being constantly under attack as somehow ‘normal’.

http or https

Posted on June 3, 2018 by Kenny

Should my websites use standard plain text http, or https (i.e. SSL)? I need to consider ease of implementation, search engine optimization (SEO), security, and speed.

Web Cache Deception Hacks

Posted on June 1, 2018 by Kenny

Web cache deception hacks are a fairly recent threat, first described by Omer Gil in February 2017. In certain situations a hacker could leverage a misconfiguration between a web server and a proxy cache like Cloudflare to reveal sensitive information that could help the hacker takeover my account. To be honest, this seems like a very unlikely threat. The situations that could cause it seem complex and obscure, and large scale attacks of this sort have not been observed in the wild.

Cloudflare Hotlink Protection

Posted on May 12, 2018 by Kenny

Hotlinking is the practice of directly linking to images on a website and embedding them in another website. It has legitimate uses but is frequently used as a dastardly means of stealing both images and bandwidth.

WordPress and the Terrible, Horrible, No Good, Very Bad Day

Posted on February 11, 2018 by Kenny

Still reeling from the REST API debacle, and with the Gutenberg Kerfuffle roiling as WP 5.0 approaches, the good people who develop WordPress – and I mean that sincerely, I believe them to be genuinely good people to whom I owe a great deal of gratitude – endured a terrible, horrible, no good, very bad day (*).

First, the Maintenance Release of WordPress 4.9.3 on February 5, 2018. WP 4.9.3 fixed 34 minor bugs, and introduced a great, big, major new one.

Bug icon by Dmitry Baranovskiy, from The Noun Project, CC BY 3.0

How are WP sites hacked?

Posted on January 28, 2018 by Kenny

I tend to obsess over WP security. But what should I really worry about? There are two main ways WP sites get hacked:

By far the most common attempted WP hack is malicious login, in which a bot or bots attempt(s) to login using lists of common admin usernames and passwords.
By far the most common successful WP hacks use vulnerabilities in outdated plugins, themes, or WP core.

Update 2019-11-15: There is now a third main way that WP sites get hacked. Site admins are installing the malware on their own sites! See Free Professional Themes and Plugins.

htaccess tricks

Posted on January 3, 2018 by Kenny

Along with the excellent 6G firewall (update: 7G firewall) from Jeff Starr at Perishable Press, certain htaccess tricks improve WP security. Examples …

Protect the WP Admin Directory

Posted on June 16, 2017 by Kenny

To access the wp-admin directory (e.g. my Admin Dashboard) I have to login using my administrator username and my strong password. So, my admin directory is already protected. But I might want additional layers of security to better protect the WP admin directory from hackers. There are several ways to do this, and I can implement as many as I want. I should aim for a reasonable balance between convenience and security – each additional security layer will make it less convenient for me to login. In rough order of inconvenience, least to most:

Automatic updating WP, themes, and plugins

Posted on March 19, 2017 by Kenny

Update 2020-08-28: Auto-updates for plugins and themes is now built into WP 5.5 and later.

The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.

Custom 404 Error Page

Posted on March 9, 2017 by Kenny

In another post I present a case for using a short, simple text string to report 403-Forbidden errors. For Not Found errors, I want to serve a friendly helpful 404 error page that fits reasonably well with the look and feel of my site. But I still want to limit resource use to the extent practical, otherwise serving a lot of 404 pages could slow my site or even bring it down.

WP REST API Exploit – why was the filter disabled?

Posted on February 11, 2017 by Kenny

At the time of this post, the WP REST API exploit is pandemic, with over 1.5 million WP posts defaced. A high-profile California government website – that I am somewhat responsible for – was hit yesterday, causing a great deal of consternation in my office. When news of the exploit first appeared, my personal sites like this one had already updated to WP 4.7.2, and I had long ago disabled the REST API, so I had no worries on that front.

Overrated WP Security Tips

Posted on January 18, 2017 by Kenny

WordPress security tips abound. As of the date of this post a Google search on the phrase “wordpress security tips” returns over 36,000 results. I give my list of essential security practices in another post. Certain other tips are overrated, providing little in the way of practical security benefits. Full disclosure, I practice some of these anyway.

Read more Overrated WP Security Tips ›

Security