little Bobby

[image: exploits_of_a_mom1]

7 easy steps to a more secure WordPress blog

There are many things you can do to secure your WordPress blog. A lot of them are fairly technical and require programming and/or sysadmin knowledge. Here is a list of easy things that YOU can do to secure your WordPress blog:

  1. Remove unused themes (delete the whole theme directory under wp-content/themes).
  2. Disable and remove unused plugins (delete the plugin directory under wp-content/plugins).
  3. Keep your WordPress version up to date.
  4. Keep the plugins you do use up to date.
  5. Add an empty index.html file to the themes and plugins directories. This stops people from browsing a directory listing to see which themes and plugins you have installed. Note that it only hides the listing: an attacker who guesses a plugin's directory name can still request it directly, so if you control the web server also switch directory indexes off (Options -Indexes in Apache).
  6. Install the XSS-Me and SQLInject-Me Firefox plugins and run them against your site.
  7. Remove the xmlrpc.php file from the root directory of your blog if you are not using XML-RPC (remember that a WordPress upgrade may put it back, so check again after each update).
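The mechanical parts of the list above (steps 1, 2, 5 and 7) can be scripted. The following POSIX shell script is an added example, not code from the original post or from the WordPress project: it assumes the blog's document root is passed as the first argument and that it has the standard wp-content/themes and wp-content/plugins layout. It drops an empty index.html into the themes and plugins directories and into each theme or plugin subdirectory, prints what is installed so you can decide what to delete, and reports whether xmlrpc.php is still present. It deliberately does not delete anything itself.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the original post).
# Usage: harden_wp.sh /var/www/blog
set -eu

# Create an empty index.html in DIR and in each of its immediate
# subdirectories, unless one already exists. Returns 1 if DIR is missing.
add_index_html() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -e "$dir/index.html" ] || : > "$dir/index.html"
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue            # no subdirectories: glob unexpanded
        [ -e "${sub}index.html" ] || : > "${sub}index.html"
    done
}

# Print the name of every theme or plugin directory under DIR, one per line,
# so unused ones can be removed by hand (steps 1 and 2).
list_installed() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for sub in "$dir"/*/; do
        [ -d "$sub" ] || continue
        basename "$sub"
    done
}

# Print "present" if xmlrpc.php exists in the blog root, "absent" otherwise
# (step 7). Re-run this after every WordPress upgrade.
xmlrpc_status() {
    if [ -f "$1/xmlrpc.php" ]; then
        echo present
    else
        echo absent
    fi
}

# Apply step 5 to both directories and report on steps 1, 2 and 7.
harden_wp() {
    root="$1"
    add_index_html "$root/wp-content/themes"
    add_index_html "$root/wp-content/plugins"
    echo "Installed themes:"
    list_installed "$root/wp-content/themes"
    echo "Installed plugins:"
    list_installed "$root/wp-content/plugins"
    echo "xmlrpc.php: $(xmlrpc_status "$root")"
}

if [ "$#" -gt 0 ]; then
    harden_wp "$1"
fi
```

Run it as the user that owns the WordPress files so the index.html files are created with the right ownership, then delete the themes and plugins it lists that you no longer need.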

Securing WordPress

Daniel Cuthbert has written an excellent paper about securing WordPress using mod_security for Apache.

Read it on BlogSecurity.

The best software security ever seen

This is impressive. It's a reader's story submitted to the Worse Than Failure blog by Noah: one of his relatives had a problem with an expired application that they still wanted to use, and they wondered if he could help:

http://worsethanfailure.com/Articles/Classic-WTF-Lock-In-Key-Security.aspx

He quickly gained some l33t hax0r skills and managed to get the app to run.

Stronger passwords?

There's a great article at Coding Horror that makes an interesting proposal for strengthening passwords: using pass-phrases rather than pass-words.

The idea is to use a phrase rather than a single word. For example, even a worst-case choice would look like this:

old password: password

new password: this is my password

Whilst I agree that a passphrase may be marginally stronger than a password, I still think they will suffer the same weakness: the user. Users pick passwords that they can remember and these are nearly always weak: their dog's name, their favourite book, etc. A phrase would be no different; people would use a quote from a film, a common saying or something else easily recognisable.

As stated in the comments of the Coding Horror post, the problem with passwords will always exist: a user needs to remember a password and because of that they will nearly always choose weak ones.
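As an added worked example (not from the original post or the Coding Horror article), the size of the search space an attacker faces depends entirely on how the password was chosen, which is what makes the "easily recognisable phrase" objection bite. Assume an attacker who knows the selection method, an alphabet of 26 lowercase letters, 95 printable ASCII characters, or 27 symbols (lowercase plus space) for the phrase, and, as hypothetical figures, a list of $2000$ common English words and a list of $10^6$ well-known quotes and sayings:

$$
\begin{aligned}
\text{old password, 8 lowercase letters:}\quad & 26^{8} \approx 2^{37.6} \\
\text{old password, 8 arbitrary printable characters:}\quad & 95^{8} \approx 2^{52.6} \\
\text{new passphrase, 19 characters brute-forced naively:}\quad & 27^{19} \approx 2^{90.3} \\
\text{new passphrase, modelled as 4 words from a 2000-word list:}\quad & 2000^{4} \approx 2^{43.9} \\
\text{new passphrase, modelled as 1 of } 10^{6} \text{ famous phrases:}\quad & 10^{6} \approx 2^{19.9}
\end{aligned}
$$

The naive brute-force figure for the phrase looks very strong, but an attacker who guesses dictionary words rather than characters cuts it to roughly the strength of an 8-character random password, and a phrase lifted from a film or a common saying is weaker than either. The user's choice, not the length, sets the real search space.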