A Complete Guide on WordPress FileSystem Permissions and Ownerships

WordPress is a CMS platform that continues to set the trend, for obvious reasons. The ease with which it lets users accomplish ambitious goals for their site and add new capabilities to make it stand out is difficult to find in any other CMS. But, irrespective of its blockbuster features, WordPress is an easy target for security attacks. Criminals keep finding ways to exploit weak spots and undermine the integrity of your site. As the tools used to hack websites have evolved, security has become a primary concern for most website owners.

Building a simple Node.js crypto hash server

The crypto module is one of the important modules available in Node.js; it lets you encrypt content, create message digests and create public-key signatures. In this post we will create a simple message digest from some given content. We will build a Node.js server that responds with a cryptographic hash of the content provided: e.g. if we query with the following URL, passing the text helloworld and the hash function name md5, the server will return the MD5 digest of that text. Note that the crypto module requires OpenSSL to be available on the underlying platform. Although a toy program, this is an exercise in using the ‘crypto’ and ‘querystring’ modules.

Changing WordPress admin login error message

It can be surprising how easy it is to overlook security issues in software design. WordPress, for example, after all its versions, still displays login error information that is useful to a potential attacker. Rather than displaying a generic login error message, the WordPress admin login specifically reveals whether the ‘username’ or the ‘password’ was entered incorrectly, as the following screenshot shows. Distinguishing the two cases lets an attacker confirm which usernames exist before attempting to guess passwords.

WordPress plugins to check for security threats

With WordPress installations on the rise, security threats are a common concern for users. Below is a small collection of WordPress plugins that I found adequate for keeping security in check on most WordPress installations. As always, security is never 100% achievable, but the following plugins will help you find loopholes in your site and monitor for security breaches.

Security ‘Challenge Questions’ and the social web

Lately I’ve been a little paranoid about posting details about myself on the social web, especially Facebook. In fact I’ve completely gone off it (I was never a fan of it from the start). I’m surprised by the amount of personal information people post on the social web.

One of my concerns is related to the ‘Challenge Questions’ used by major websites such as Gmail and Hotmail for authentication, mostly during account recovery. Take for example the Challenge Questions offered by Gmail:

What is the name of your manager at your first job?
What is the name of your best friend from childhood?
What was the name of your first teacher?

Answers to most of the above questions can be gathered with a little digging around your social stream, making it easier for an attacker to take over your account. Aggregators such as IdentEngine, a JavaScript library, can make it even easier to locate your profiles around the social web. In short, the social web “leaks” security information.

How to Fix PHP Vulnerabilities (So Your Site Won’t Get Hacked)

As a programming language, PHP has many advantages, but security has always been a major issue. These security problems are partly inherent to the language itself, because PHP was designed to be an easy and powerful programming language while security came second. However, when you add bad coding and non-adherence to even the most basic security rules, the situation gets out of control.

Fortunately, it is possible to fix PHP vulnerabilities and make PHP applications more secure. Some of the defenses are common for all programming languages, while others are found only in PHP. Here are some of the best defenses you have when you want to fix PHP vulnerabilities and make your site more secure.

Scanning web pages for malicious scripts

With the recent surge of malicious JavaScript injections on the web, it has become necessary to regularly check your websites for injected malicious code. I created a small PHP script that checks a list of URLs for malicious JavaScript code. This can come in handy if you have many client websites under your control.

The PHP script reads two text files, ‘urls.txt’ and ‘malicious.txt’: the first containing the list of web pages to be scanned and the second containing the malicious script signatures. The script scans each URL for the signatures and, if any infections are found, saves the results in the ‘infected.txt’ file. The script should be run from the command line, so that you can easily follow the progress of the scan when checking a large number of URLs.

Top 25 Most Dangerous Programming Errors

Security has always been an issue in software development, mainly due to the ignorance, laziness and nonchalant attitude of programmers (I’m one of the guilty ones). ‘Security’ is the one section of a project scope that gets consistently ignored, not only by developers but also by management. In defense of myself and other programmers, I would say that writing secure software is hard work, and with all the pressure from management and clients to get the software delivered, it’s no wonder that programmers turn a blind eye to security. But that is surely not an excuse to deliver a product full of security vulnerabilities.