Monthly Archives: March 2011

WordPress Security Plug-ins

Ok, so I was hacked. I am paying more attention now!

My WordPress is the latest update, I’ve done some permissions changes, some new passwords, and it is working. Next up is to check the available security options that should save me time.

This Hardening WordPress codex page at WordPress is a good start.

The first is Secure WordPress. Install this to address some of the simple things. I suggest ticking all the options and checking that it does not interfere with anything. Uncheck the options only if something breaks.

The second one is WordPress Security Scan.  This one checks a lot of settings and options that are addressed by the above and will give a confirmation that it’s working.

With the scanner I found that my hosted server did not have permissions to alter the table prefixes which is recommended. For an existing site this can be daunting but its not really. You will find good support at the authors site Semper Fi Web Design. There is a WordPress forum post on this topic that covers the main process for doing this manually.

There is another issue that one of the recommendations is that you should change the admin user account name to something a bit more random. This will break WP 3.1 Network Admin (the new version of MU). This may have changed check the forums post on this topic.

I also configured .htaccess for my admin directory but that created 404 errors on my MU / Network site. Since first writing this I have spent some time on why .htaccess did not work. It works now and the details can be read in a post on WordPress Admin pages and htaccess password protection.

As a result of this I found that I could use the AskApache plug-in (v4.6). The install was easy enough and I recommend it for single site WP installs. It breaks in MU or Network configuration due to the rewrite rules. Now I have to admit I have also reviewed the AskApache admin area since my ordeal of sorting this out and the author does make mention of the 404 error issue, unfortunately it is inside the admin panels which are inaccessible when the error occurs. The author also suggests checking his blog but there is no link, so I am a little vague as to where to contact or report issues. One other issue with the plug-in is that it breaks the css in FF. IE seems ok? But it is a minor issue.

There are other plug-ins but the 3 mentioned here should be sufficient to bolt it down pretty well.

Password management for iPhone, iPad, PC & Mac

I have been pretty good at recalling a range of passwords across a large number of systems but as I age my memory ain’t what it used to be.

So this morning I thought I should look for an iPhone and iPad password manager that would also have a local PC application. Sounds like something a lot of folks would be wanting.

Google “iphone pc password manager” and the list was lengthy. So some quick culling was in order.

What did I really want?  An application that would securely store passwords with the details of where the password is used. Compatible and transferable / sync’d with iPhone, iPad, Mac, and PC.

First up was http://www.logonce.com/toolbar/iphone.htm but I have concerns that it is a browser plugin on the PC or a hosted system. The opportunity for IE to be hacked is pretty high as is the thought of having my passswords stored in the cloud. Hmm…  might come back if there’s nothing else.

Second up was eWallet which reads really well but put me off with the $20 price tag plus another $10 to get the iPhone version. Bundle it or something guys! Having looked further it appears that this is around the market price so I’ll keep it in the list for the moment.

Ok, I browsed a bit more and located KeePass and it is opensource, but the iPhone extensions are not made in house and are out of date. Probably good for PC but does not fit the other criteria.

Hmmm..  I think Ascendo DataVault is looking good with both desktop and iPhone iPad but I cannot find the prices. Weird site setup. If you click on Products you get the Blackberry option with a Buy Now and all the variants but no Buy option. You have to go to the home page and select from the right menu to get the correct links. In any case $10 for desktop and $10 for iOS devices.

In a similar style is 1Password which apparently has all the platforms covered. $30 for the Windows version and $15 on iOS which is deader than DataVault.

Another one that will make my short list is Strip. Not yet on all platforms but close and should be classed with the above.

SplashID is another that covers all the platforms that I need. Alongside this is mSeven Password Manager.

Ultimate Password Manager for iPhone and iPad looks like a nice app for those platforms but the only sync process is via DropBox. Not one for me.

Wallet Pro for iPhone (and Windows phones) is one that I would say is still early days but it is another cloud style offering which I do not want.

I did find links via Google and from this review listing at BrightHub but given that the review appeared to have been written by someone not paying any attention to detail I would not rely on it.  One of the reviews rates as “Overall, this is a well done password manager app for your iPhone.”  Someone is confused as the link and the maker of Skeleton Key have it listed as a GAME for the iPhone!

RoboForm is another one that stores in an online account so that sync’ing takes place across the platforms. Password Touch is another one alongside My Eyes Only which gave me a chuckle with their “Click below to download your 15 day trail.” misspelling (do I want to walk for 15 days on a trail?). Aside from this MEO relies on wifi and Apple Bonjour and another of their own products. This must increase the risk of compatibility issues over time as well as still being cloud oriented.

Another one that will make the list is SafeWallet although I am not impressed with their website, there is an active support forum.

I really want something that does not use the cloud.

 

Ok, so I have a shortlist in no particular order:

  1. mSeven Password Manager
  2. SplashID
  3. 1Password
  4. Strip
  5. Ascendo DataVault
  6. eWallet
  7. SafeWallet

I’ll take this off-line and do a review of features to try and get to a 2 or 3 way trial comparison.

WordPress Hacked and issues that raised

Wow!  It’s been a week of WordPress hacking MySQL backups and google trawling.

Late last week I was working on oscMax and getting along quite well when I went to write a blog entry and discovered that my blog pages had been converted to some islamic protest site.

Now just to make one point clear I am indifferent to religion, whatever works for you is fine, just dont try to force me to follow you because you must be right!

That said, this entry is about the crippling effect of a hack and links to what I read and used to rectify it.

Things I did wrong:

  1. WordPress was out of date an older 2.8.6 mu install (multi user because at one time I was going to host other blogs, but that has not happened)
  2. MySQL backup had been failing for some weeks after I did a password change (I knew what it was but let it go as a minor concern that I would get to, eventually)

Things I had done right:

  1. The area of the site that could be accessed was a sub-directory and the uploaded rubbish was contained within one directory
  2. I have rsync backups of the application directory running on a schedule

So I firstly closed up the site, renamed the compromised directory and contacted my ISP support to check logs. Their logs rotate to quickly and one of the security team was over-zealous and ‘helpfully’ removed all the files that were compromised….  without noting the date/time stamps on the files for me to be sure of when the hack occurred. I had noted that the files I saw were consistent with only being in place within the previous 24 hours but as he did not keep a list I dont know what else(if any) he found and deleted.

I’ll write up some separate blogs on the various topics I encountered on this week long journey elsewhere, for the moment these are the references that I have used this week that I found helpful. Most from WordPress codex:

Have a read of this first (dont do anything, read & think first): WordPress FAQ My Site Was Hacked

Download the latest version of WP from WordPress Download

For multi-user equivalent do this after installing WP: Create A Network

When it does not work: Debugging a WordPress Network

Noting that I updated this section with one of my issues: Debugging a WordPress Network « Other Lesser Known Issues

Have a read through this for ideas: Hardening WordPress « WordPress Codex

There are others that I am still reviewing, in particular the security oriented plug-ins, filter for the WordPress category for my latest posts on this topic.

My site is still not working the way I want and I found that the latest version for MU (or Network as it is now called) is apparently very dependent on Apache or other server settings. On SME Server it will not work (yet) while on my hosted site it works first time. Lost around 3 days on that issue alone.

Trying to reinstate the WordPress 2.8.6 mu from the WordPress Archives fails because the mu archive is the same as the WP archive. I’ve manually extracted the database tables/entries that I needed.

And of course I have changed lots of passwords and done lots of chmod’ing to tighten up the access.

osCmax Security contrib 2.5beta3

Update: Changes in osCmax between this version (beta3) and the RC1 release in early April 2011 has required an update to the osCmax-Security-2.5 bundle. The new information can be found in a post on osCmax Security 2.5RC1.

As I was working with the Check Permissions and the Site Monitor contribs I decided to save myself some longer term pain and bring the two together as the basis for my own Security setup for the sites that I manage.

In the process I have made changes that enable:

Single install process
Check Permissions saves the file and directory permissions to the database for consistent use
Check Permissions now recognises the Site Monitor files that need to be writable
Site Monitor & Check Permissions work with osCmax 2.5 (minor changes)
Both contribs appear within a dedicated Security menu option

You can grab a copy of osCmax-Security-2.5 from here and shortly from the osCmax projects area.

I’ve tested the quick install with a fresh copy of osCmax 2.5 and against an already installed ‘slow install’ with edits and it all seems ok.

Once installed just follow the instructions for each of the two contribs.