This can be useful for a hacker to get the username right. A good idea is to display a generic message as given below.

You can easily achieve that by adding the following line to your themes ‘functions.php’ file.

add_filter('login_errors',
            create_function('$no_login_error', 
                            "return 'Oops! Wrong Credentials.';"));

The second argument to the ‘add_filter’ creates a anonymous callback function. This is equivalent to the following.

function no_login_error() {
    return 'Oops! Wrong Credentials.';
}
 
add_filter('login_errors','no_login_error');

WordPress File Monitor
WFM monitors your WordPress installation for any added, deleted or changed files. When a change is detected an email is sent to a specified address. Currently does not support multi-site installations.

Ultimate Security Checker
Ultimate Security Checker helps you identify security problems with your WordPress installation. It scans your WordPress blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself.

<form action="process.cgi" method="post" enctype="multipart/form-data">
 <p><keygen name="key"></p>
 <p><input type=submit value="Submit key..."></p>
</form>

SSL is about “server identification” , “server AND client authentication” and “security”. During the normal SSL handshake the server presents its server-certificate so the browser can be sure that this is the correct server it is connecting to. But what should the server use to identify that it is the same user (browser) it is connecting to once the initial handshake has been done. For this purpose you need a client-certificate. The keygen element is used for creating a key for authentication of the user while SSL is concerned about privacy of communication and the authentication of the server.

It has now been removed and to prevent any such changes to the .htaccess file in the future, I’ve written a small php script that compares the hash (SHA1) of the two major files that usually get compromised and compare them to the one originally stored. The script will run as a cron job and notify me by email if any changes are seen. This is a quick workaround which needs some more work done.

<?php
 
$hash1 = sha1_file('.htaccess');
$hash2 = sha1_file('index.php');
 
if(($hash1 == 'fa7cdb22b81b0b713bfed609acc984591f9bed2f') && 
   ($hash2 == 'b4bb6070800a340566d7d6872516d248d4a7aff3')) {
    mail("EMAIL", "Status Ok!", "Status Ok!");
} else {
    mail("EMAIL", "Alert!", "Files have changed!");
}    
?>

Of-course there are other ways the site can get hacked, but the last couple of times my site got compromised was for these reasons. So at-least I’ve one area covered.

The basic principle behind the library

Every data filtering/validation library hinges on three basic principles.

The first principle is of preventing users from accessing user input via the PHP superglobals, because the “default” action is to retrieve the raw, potentially dangerous data.

The second principle is preventing ad-hoc filtering/validation code at various places in the application which can be error-prone and difficult to modify.

The final principle is that of simplicity. A validation library should make a programmer’s job easier. Complex solutions should be avoided unless they are the only solution, as programmers tend to bypass intricate solutions citing various reasons for the same.

Installing Inspekt

Inspekt is easy to install. Just download the library and include the ‘Inspekt.php’ in your application with the correct path.

require_once('Inspekt.php');

Caging data

Take the following simple code using Inspekt. Here all the POST data is only made available through the ‘post_cage’ object, once it is initialized. The original POST data is immediately deleted preventing you from accidentally using data from the $_POST array. In short all the POST data is now safety ‘caged’ in the ‘post_cage’ object, which can only be accessed by using the various objects functions.

<?php
 
require_once('Inspekt.php');
 
if(isset($_POST['submit'])) 
{
    /* This will print the $_POST data */
    print_r($_POST);
 
    /* Store all the POST data in a 'cage', 
     * this will also automatically delete 
     * all the original POST data.
    */
    $post_cage = Inspekt::makePostCage();
 
    /* This will now return an empty array */
    print_r($_POST);
}
 
?>
 
<html>
<body>
<form id="myform" name="myform" method="POST">
<input type="hidden" name="fname" value="testString" />
<input type="hidden" name="id" value="500" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

Example 1.

Accessing ‘caged’ data

Now that we have seen how the POST data is safely stored in a ‘cage’, we will look at how to access and validate the data.

In the above example we have a ‘fname’ html field which we can access from the cage as following, which will print the string “testString”.

.
echo $post_cage->getRaw('fname');
.
.

But wait, what does this buy us, we are just using another object to access the same POST data in a different way. Well this is just one method, which just returns the raw data, the real value comes when we use validation and filtering methods.

Suppose we wanted to make sure that only alpha-numeric characters are allowed in the “fname” variable, we can use the following code which will return the value of the variable if the value is alpha-numeric or ‘false’ otherwise.

.
if($fname = $post_cage->testAlnum('fname')) {
   // Do something here if 'fname' is alphanumeric
}
.
.

Again let us say we have to check if the value of the ‘id’ field lies between 100 – 600, we can use the following:

.
if($post_cage->testBetween('id',100, 600))
{
     // value lies between 100 - 600, do something
}
.
.

Beside the above two, the following are some other useful methods:

* testAlnum (mixed $key)
* testAlpha (mixed $key)
* testBetween (mixed $key, mixed $min, mixed $max, [boolean $inc = TRUE])
* testCcnum (mixed $key, [mixed $type = NULL])
* testDate (mixed $key)
* testDigits (mixed $key)
* testEmail (mixed $key)
* testFloat (mixed $key)
* testGreaterThan (mixed $key, [mixed $min = NULL])
* testHex (mixed $key)
* testHostname (mixed $key, [integer $allow = ISPK_HOST_ALLOW_ALL])
* testInt (mixed $key)
* testIp (mixed $key)
* testLessThan (mixed $key, [mixed $max = NULL])
* testOneOf (mixed $key, [ $allowed = NULL])
* testPhone (mixed $key, [ $country = 'US'])
* testRegex (mixed $key, [mixed $pattern = NULL])
* testUri (unknown_type $key)
* testZip (mixed $key)

Caging other input data

In the above examples we have seen how to add the POST data to a ‘cage’ using the ‘Inspekt::makePostCage’ method. Likewise, we can also use other methods for other input types:

• Inspekt::makeGetCage()
Returns an Inspekt_Cage for the $_GET array

• Inspekt::makePostCage()
Returns an Inspekt_Cage for the $_POST array

• Inspekt::makeCookieCage()
Returns an Inspekt_Cage for the $_COOKIE array

• Inspekt::makeServerCage()
Returns an Inspekt_Cage for the $_SERVER array

• Inspekt::makeFilesCage()
Returns an Inspekt_Cage for the $_FILES array

• Inspekt::makeEnvCage()
Returns an Inspekt_Cage for the $_ENV array

So to ‘cage’ the $_GET data we can use the following:

$get_cage = Inspekt::makeGetCage();

Using the Super Cage

Using a different cage for each different input type can be cumbersome, for this we can use the ‘SuperCage’ method, which encapsulates all the above input data in a single object.

$super_cage = Inspekt::makeSuperCage();

Example 1. can be now be coded as below:

<?php
 
require_once('Inspekt.php');
 
if(isset($_POST['submit'])) 
{
    $super_cage = Inspekt::makeSuperCage();
 
    echo $super_cage->post->testAlnum ('fname') . " ";
    echo $super_cage->post->testBetween('id',220, 600);
}
 
?>
 
<html>
<body>
<form id="myform" name="myform" method="POST">
<input type="hidden" name="fname" value="testString" />
<input type="hidden" name="id" value="500" />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

In conclusion

I find Inspekt a quite interesting validation/filtering library. Although the development seems to have stalled at Version 0.4.1, the code is complete and simple to use. This post has only covered a small portion of the library, for more information you can visit the original source.

Figure 1.

One other method I recently found is that of ‘naked passwords‘. While creating passwords, the beautiful model in the input box tastefully removes items of clothing as the password grows stronger (Fig 2). Of-course you can alter the images if they are too sensitive for your users tastes, but then you lose the motivational factor.

Figure 2.

With all the different methods I have seen around the web, this particular one takes the cake, at-least for its motivational (and fun) factor. But all said and done, I’d prefer to use the password strength meter (Fig 1.) than the above method. Using this (Fig 2) on a public site will be a sure recipe for disaster as it borders on the obscene and gender discrimination; but now we are entering into philosophical territory, which however interesting to peruse, is not the point of this post. If I plan to use this I’ll surely change the images to something interesting which can be used publicly.

One of my concerns is related to the ‘Challenge Questions’ provided by major websites such as Gmail, Hotmail for authentication, mostly during account recovery. Take for example the Challenge Question offered by Gmail:

What is the name of your manager at your first job?
What is the name of your best friend from childhood?
What was the name of your first teacher?

Answers to most of the above questions can be garnered by a little digging around your social stream, making it easier for the malicious person to hack your account. Aggregators such as IdentEngine, a Javascript library, can make it even easier to locate your profiles around the social web. In short, the social web “leaks” security information.

When Scott McNealy remarked in 1999, “You have zero privacy anyway,Get over it.”, he was right on the technical front but wrong otherwise. You still have control over of how much personal information about you floats around the web; it may be a little harder but not impossible. The important point is to be alert and proactive when divulging important information around the web.

Encoding HTML characters

The function is quite simple. It encodes email, links or other string characters to their ‘Numeric character references’. For example ‘code‘ will be encoded to code – a decimal encoding or code – a hexadecimal encoding.
The function randomly encodes a character to a hex or decimal representation, so each page refresh will encode the same string to a different format.

<?php
 
function encodeString($email)
{
    $enc_email = '';
    srand();
 
    # Convert each character to decimal or hex representation
    for ($i=0; $i < strlen($email); $i++) {
 
        if(rand(0,1) == 0) {
            $enc_email .= "&#" . (ord($email[$i])) . ";";
        } else {
            $enc_email .= "&#X" . dechex(ord($email[$i])) . ";";
        }
    }
 
    return $enc_email;
}
 
echo encodeString("designhouse@host.com");
 
?>

This will convert the email ‘designhouse@host.com’ to

designh
ouse@ho
st.com

As it uses a random base (decimal or hex), the actual results may differ from yours.

Downloading the Zend framework

As the following code requires the Zend framework make sure you download it first. For this code I used Zend 1.11.0 Full version. You can also download the required files at the end of this post.

Which Zend framework files do I need

You only need some selected files to make the below code work. The following is a list of files and directories that I used from the ‘ZendFramework-1.11.0\library\Zend’ directory. The top three in the list are directories. There are also many files in the ‘Filter’ directory that are not required, but for keeping it simple we will use the whole thing.

File (dir)
Filter (dir)
Loader (dir)
Loader.php
Filter.php
Exception.php

Encrypting uploaded files

For the following example I’ve not included the file uploading code. I assume you already have the upload code ready. You can also use the following code by itself to encrypt/decrypt files. The program for file encryption is shown below.

<?php
 
/* Load the Zend file encrypting filter */
require_once('./Zend/Filter/File/Encrypt.php');
 
/*  Set various encryption options. */
$options = array(
                // Encryption type - Openssl or Mcrypt
                'adapter' => 'mcrypt', 
                // Initialization vector
                'vector' => '236587hgtyujkirtfgty5678', 
                // Encryption algorithm
                'algorithm' => 'rijndael-192', 
                // Encryption key
                'key' => 'KFJGKDK$$##^FFS345678FG2' 
                );
 
/* Initialize the library and pass the options */
$encrypt = new Zend_Filter_File_Encrypt($options);
 
/* 
   Set output filename, where the encrypted file will be stored.
   If we omit this, the encrypted file will overwrite the original file.
*/
$filter->setFilename('test.enc.pdf');
 
/* Now encrypt a file */
$encrypt->filter('test.pdf');
 
?>

Decrypting the encrypted files is as simple as above. Note that you need to keep the ‘vector’ and ‘key’ values the same as you used for encryption, or you will not be able to correctly decrypt the file.

<?php
 
/* Load the Zend file decrypting filter */
require_once('./Zend/Filter/File/Decrypt.php');
 
/*  Set various decryption options. */
$options = array(
                // Encryption type - Openssl or Mcrypt
                'adapter' => 'mcrypt', 
                // Initialization vector
                'vector' => '236587hgtyujkirtfgty5678', 
                // Decryption algorithm
                'algorithm' => 'rijndael-192', 
                // Decryption key
                'key' => 'KFJGKDK$$##^FFS345678FG2' 
                );
 
/* Initialize the library and pass the options */
$decrypt = new Zend_Filter_File_Decrypt($options);
 
/* 
   Set output filename, where the decrypted file will be stored.
*/
$filter->setFilename('test.pdf');
 
/* Now decrypt the previously encrypted file */
$decrypt->filter('test.enc.pdf');
 
?>

Selecting a encryption algorithm

In the example given I’ve used the rijndael-192 (AES) algorithm but you can choose some other according to the availability. ‘rijndael’ is fine for most requirements. First you will need to know what algorithms are supported by your installation. A quick way to find out is to use the following code.

<?php
 
    $algorithms = mcrypt_list_algorithms();
 
    foreach ($algorithms as $cipher) {
        echo "$cipher<br />\n";
    }
 
?>

On my system it lists the following algorithms.

cast-128 , gost , rijndael-128 , twofish , arcfour , cast-256 , loki97 , rijndael-192 , saferplus , wake , blowfish-compat , des , rijndael-256 , serpent , xtea , blowfish , enigma , rc2 , tripledes.

Selecting a random Initialization vector

Before we continue our discussion, a brief overview of Initialization vector (IV). An IV is a random string that can be used along with a key for data encryption. IV is used to prevent a sequence of text that is identical to a previous sequence from producing the same exact cipher-text when encrypted.

As you can see from the example code we have used a fixed IV. The disadvantage of this is that there is a possibility that a committed hacker would be able to guess the IV by studying the pattern in the encrypted files and thus break the encryption. The best way then is to let the class generate a random IV for each new encryption. This requires a little change of code, as shown below. The only extra step we now require is to store the generated random IV in a database which will then be used for decryption.

Encryption:

<?php
 
/* Load the Zend file encrypting filter */
require_once('./Zend/Filter/File/Encrypt.php');
 
/*  Set various encryption options. */
$options = array(
                // Encryption type - Openssl or Mcrypt
                'adapter' => 'mcrypt', 
                // Encryption algorithm
                'algorithm' => 'rijndael-192', 
                // Encryption key
                'key' => 'KFJGKDK$$##^FFS345678F54' 
                );
 
/* Initialize the library and pass the options */
$filter = new Zend_Filter_File_Encrypt($options);
 
/* Generate a random vector */
$filter->setVector();
 
/* Set output filename, where the encrypted file will be stored. */
$filter->setFilename('test.enc.pdf');
 
/* Now encrypt a file */
$filter->filter('test.pdf');
 
/* 
    Save the vector in a DB or somewhere else,
    we will need this during decryption
*/
$vector = $filter->getVector();
 
?>

Decryption:

<?php
 
/* Load the Zend file decrypting filter */
require_once('./Zend/Filter/File/Decrypt.php');
 
/*  Set various encryption options. */
$options = array(
                // Encryption type - Openssl or Mcrypt
                'adapter' => 'mcrypt', 
                // Encryption algorithm
                'algorithm' => 'rijndael-192', 
                // Encryption key
                'key' => 'KFJGKDK$$##^FFS345678F54' 
                );
 
/* Initialize the library and pass the options */
$filter = new Zend_Filter_File_Decrypt($options);
 
/* 
   Use the saved vector for decryption.
   Note that using a wrong vector will result in a incorrect decryption.
*/
$filter->setVector('your-saved-vector');
 
/* Set output filename, where the decrypted file will be stored. */
$filter->setFilename('test.dec.pdf');
 
/* Now decrypt the previously encrypted file */
$filter->filter('test.enc.pdf');
 
?>

Selecting the correct ‘vector’ and ‘key’ size

Before you run the code make sure that you set your PHP error reporting to ‘E_ALL’. Mcrypt requires that you use a correct IV and key length, which depends on which algorithm is used. Selecting a wrong IV (if you are using a fixed IV) or key length can generate the following error, which if the errors are disabled will be hidden and you will keep wondering as to why the files are not getting encrypted.:

- in case of a wrong vector length:

Fatal error: Uncaught exception ‘Zend_Filter_Exception’ with message ‘The given vector has a wrong size for the set algorithm’

- in case of a wrong key length:

Fatal error: Uncaught exception ‘Zend_Filter_Exception’ with message ‘The given key has a wrong size for the set algorithm’

To get the correct sizes use the following code. I’ve used ‘rijndael-192′ algorithm here, but you need to substitute whatever algorithm you have selected instead.

<?php
 
$cipher = mcrypt_module_open('rijndael-192', '', 'ofb', '');
$vector_size = mcrypt_enc_get_iv_size($cipher);
$key_size = mcrypt_enc_get_supported_key_sizes($cipher);
print_r($vector_size);
echo "\n";
print_r($key_size);
 
?>

Which on my machine returns the following.

24
 
Array
(
    [0] => 16
    [1] => 24
    [2] => 32
)

So if the IV size returns ’24′ then you need to use a random string of 24 character for the Initialization Vector (IV). The key length can be any from the returned values, 16, 24 or 32.

Downloading encrypted file

To round-off the post, I’ve included code to download a encrypted file via a link, which will be decrypted and passed to the user. For example you can call the download link as below:

http://www.site.com/download-file.php?docname=test.enc.pdf

The code for ‘download-file.php’ is shown below. The code is a bit simplified, for e.g no security validation is done on the $_GET variable.

<?php
 
/* download-file.php */
 
/* 
   The constants UPLOAD_PATH, TEMP_PATH, INIT_VECTOR, ENCRYPTION_KEY
   have to be changed to your particular setup.
*/
 
require_once('Zend/Filter/File/Decrypt.php');
 
$docname = $_GET['docname'];
 
$filename = UPLOAD_PATH . $docname;
$destination = TEMP_PATH . $docname;
 
if(!file_exists($filename)) {
    echo "Error accessing the file.";
    exit();
}
 
/* Copy encrypted file to a temporary folder */
if (!copy($filename, $destination)) {
    die("Error accessing file");
}
 
 /* Zend file decryption */
$filter = new Zend_Filter_File_Decrypt(
                array('adapter'     => 'mcrypt',
                      'vector'      => INIT_VECTOR,
                      'algorithm'   => 'rijndael-192',
                      'key'         => ENCRYPTION_KEY
                      ));
 
$filter->filter($destination);
 
 
$fp = @fopen($destination, 'rb');
 
if (strstr($_SERVER['HTTP_USER_AGENT'], "MSIE"))
{
    header('Content-Type: "application/octet-stream"');
    header('Content-Disposition: attachment; filename="'.$docname.'"');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header("Content-Transfer-Encoding: binary");
    header('Pragma: public');
    header("Content-Length: ".filesize($destination));
}
else
{
    header('Content-Type: "application/octet-stream"');
    header('Content-Disposition: attachment; filename="'.$docname.'"');
    header("Content-Transfer-Encoding: binary");
    header('Expires: 0');
    header('Pragma: no-cache');
    header("Content-Length: ".filesize($destination));
}
 
fpassthru($fp);
fclose($fp);
 
/* Delete the copied decrypted from the temp folder */
unlink($destination);
 
?>

The Rewrite rule

Below is shown the complete htaccess rule to prevent image hotlinking. The details of each line are given next.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?codediesel\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(gif|bmp|png|jpe?g)$ /var/www/images/hotlink.gif [L]

RewriteRule breakup

The first line kicks the htaccess Rewrite engine into action. The second condition checks to see if the image is requested from our own site. If you have another site that you want to be able to link to your images, then add it to your .htaccess. The [NC] at the end is a no-case flag, a rule with this flag will not care whether the text that we are considering is uppercase or lowercase. The default behavior of the RewriteRule directive is to be case sensitive.

# Only allow image linking for 'codediesel.com' and 'friendly-site.com'

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?codediesel\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?friendly-site\.com/ [NC]

The third condition ensures that we accept requests made directly for the image without a referer. This makes sure that we display the images even if for some reason a user-agent sends a empty referrer.This can happen for a variety of reasons. Some browsers, for reasons of privacy can be configured never to return referer information.

RewriteCond %{HTTP_REFERER} !^$

The last line specifies that the file names end in .jp(e)g, .gif, .bmp, or .png. This ensures that the Rewrite rule is only triggered for images and not for other files. When an attempt is made to hotlink a image from a domain other than the ones specified, the image given below will be returned, ‘myhotlink.gif’ here.

RewriteRule .*\.(gif|bmp|png|jpe?g)$ /var/www/images/myhotlink.gif [L]

A variation of this is to use the forbidden flag.

RewriteRule .*\.(gif|bmp|png|jpe?g)$ - [F]

Testing if your htaccess rule is working

A quick way to test if your hotlinking blocking rules are working is use a free online hotlink checker. Or create a simple HTML on your localhost and add a link to your image. Before checking make sure that your browser cache has been cleared.

<html>
<body>
<img src="http://www.your-site.com/images/sample-image.png" />
</body>
</html>

Although there are some other ways to prevent image hotlinking, this is the quickest that I know of. As with any htaccess rewrites, you may block some users behind proxies or firewalls using these techniques.