Okay, looks like WordPress released a ‘hardened’ release for 2.8 which will jack your release version to 2.8.5. It’s very important to stay upgraded to ensure that your sites will run properly, but more importantly to maintain security. You don’t want your money-making sites to go down, or to have your account suspended due to your site being compromised. As they say, “A ounce of prevention is worth a pound of cure”.

Details of the release can be found here: http://wordpress.org/development/2009/10/wordpress-2-8-5-hardening-release/

The headline changes in this release are:

• A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins.

Related posts:

1. Thinking about security for Affiliate Marketing
2. Twitter troubles
3. CJ web service issues – unable to access WSDL (UPDATE)

It’s like the saying..

A ounce of prevention is worth a pound of cure

This was the saying generally for people to stay healthy by avoiding things that make you sick, be it lifestyle and behaviour or what you put into your body. This saying really applies to security as well.

I’m currently a web developer and server administrator, so I have a background of security. I’ve seen things when they’ve gone ‘bad’. I’ve also seen the damage that can be done to your business and way of life when a security breach directly affects you. To say a ounce of prevention is worth a pound of cure really applies to internet security. This topic can fill a book, but I’ll try to keep it short and cover some basic points, from a affiliate marketer point of view.

Platforms
It seems like most affiliate marketers are using various application platforms like WordPress, Drupal or BANS, etc, etc. These tools are great. They’re free (open source) and are easy to install and configure. The problem is that since it is open source any one can download a version and reverse engineer or scour the code for potential security holes and vulnerabilities. From there, a attacker would only need to Google a specific ‘footprint’ to find the same application and version to attack.

The damage this can cause is catastrophic. A attacker could gain priviledge of the entire server and have access to all of your sites. If you’re running dedicated servers, this is even more of a threat, since you would be managing the server and the attacker would recruit this server as a potential tool in his bot army. If you’re on a shared environment, the hosting facility will most likely shut down your site and stop services for you until you correct the problem.

Normally when exploits are discovered the author of the application (WordPress, etc) would be notified, and their developers would create a fix and release a update to correct this issue, usually in a extremely timely manner. Plugins are outside of the WordPress relm, so I would recommend plugins that show ‘activity’ and a community or development team that actively works on it. Stale plugins could be a security vulnerability.

The ounce of cure in this case… UPDATE YOUR WORDPRESS PLATFORM AND PLUGINS! It is so simple and easy.

I know I’m focusing on WordPress in this example, but this would be applied to any 3rd party software application or platform.

Services
If you’re running a dedicated server you must stay on top of your service updates, specifically PHP, Apache, MySQL and SSH. Just like in Platforms, these are all open source products and have potential bugs or exploits that are discovered at times. Either work with your hosting provider or perform the updates themselves. Depending on your flavor of Linux there are various ways to perform these updates.

I’m only mentioning Linux, Apache, MySQL, PHP (LAMP) since you don’t see a lot of Windows based hosting at affordable costs. Plus.. I hate talking about Windows.

ACL (Access Control Lists)
This is something that is not mentioned often out there, but I really feel strong about. Using firewalls (iptables, etc) to manage access to your dedicated server is important. Limit SSH access to certain IPs (assuming you have a static IP at your home or office.. which you should). Along with SSH access to the servers, I also like to limit access to administrative areas and control panels. No reason these should be open to the world. This includes my wp-admin access as well.

Hardening Services
There are certain items you can do to ‘harden’ services. Basically making PHP harder to hack or limiting access to the system with a chroot, etc. Along with that you can control error messages (don’t display error messages) to prevent information disclosure. Usually attacks start with information gathering (finding versions, file path info, etc).

Passwords
Work on your passwords. Make them difficult. Think in pass phrases and include alpha numeric characters. DO NOT USE THE SAME PASSWORD FOR EVERYTHING! The more important the information, make the passwords more difficult. For instance, I don’t want people guessing my domain registrar passwords, etc. Think defensively with passwords, watch out for potential insecure Twitter applications, etc. 75% of people use the same password in other areas, so your Twitter password, could be quite valuable if you’re one of the 75%.

Okay, so those are a few items (many more actually while I’m thinking about it), but I wanted to talk about some worst case scenarios.

I had a client that was working on affiliate marketing. He was primarily working with AdSense and creating review and community sites (forums, etc) and was doing quite well. Some how a hacker was able to get is FTP password for the site and infiltrate his host. He had a dedicated server and was then locked out of all of his sites. My client also used the same password for his registrar and the hacker was able to take control of his domains.  This was when I was called in. The hacker tried to ransom the sites asking for $100K to return control of all his domains (over 100).

My client was able to start piecing over some of the domains, and even had the FBI involved. Unfortunately, the hacker was in Asia and little could be done. About 3 months later the client was able to get his domains back, but had to create a new hosting solution. After the client recovered the domains, the hacker began a very brutal DOS (Denial of Service) attack on his domains in a last stand type move, but the damage was severely done.

While the hacker had control of the domains, he was PMing invidivduals in the forums and causing mass havoc and confusion. Lots of members left, not to mention that the hacker probably stole all of there user credentials and emails. My client was also ranking very high in Google, and with content changes (pornographic and exploit software) he lost rank and had to start it up again. He also lost his AdSense account and had to re-apply and explain the situation. It was a major blow to his finances but he was able to recover  after about 6 months.

So the lesson? If he worked on his password management, this would have been avoided. A ounce of prevention, is worth a pound of cure.. or at least 6 months of cure.

Related posts:

1. Twitter Security
2. Update WordPress!
3. Build A Niche Store (bans) – Security issues are being addressed (continued)

Today I wanted to chat about Twitter security. With all of the great Twitter apps out there, I was curious about security relating to Twitter account. I notice that alot of these apps require you to supply your Twitter username and password. Personally, I think this is a bit crazy. The thought of submitting my user credentials to a third party app. What I’m mostly surprised is the amount of people that do this. I am blown away that Twitter hijacking isn’t widespread and out of control. Seems like a malicious person could write a simple twitter application and start gathering credentials for spamming purposes or selling the information to others?

To me, it’s the same as supplying your mail user/pass to access this site. I don’t think many would. With that said, I do use twitter apps that require me to login via Twitter’s authentication interface and get redirected back to a application. To me there is a level of security there, since the authentication piece happens at Twitter.

I’m curious, do other have similar feelings in regards to security?

On this topic, I re-tweeted a nice little article titled “Twitter Security Do’s and Don’ts” that discusses some great practices to improve security.

Here is a quick breakdown:

1. Never use your password on suspicious third party sites (this is what I’m talking about)
2. Don’t be too specific
3. Don’t spit excessive personal information
4. Call the police, don’t tweet about it
5. Don’t tweet about moving servers, etc
6. Try to use oath whenever possible (this is something I recommend highly)
7. Choose a strong password ( I also recommend changing it on occasion)
8. Do use direct messages when appropriate
9. Having a private separate account for work.

Also, I came across another article titled “11 Useful Twitter Tools That Don’t Require Your Password“, which has some good tools listed there.

It’s seems like it’s a matter of time before Twitter hijackingor malicious abuse will run rampant. I’m hoping for the best, but trying to prepare for the worst.

Related posts:

1. Thinking about security for Affiliate Marketing
2. Cloudberry’s Tweet Fox – Great Firefox Add On
3. Including Twitter updates in your site

As I stated earlier today, I migrated Money-Code.com from a Drupal platform to the WordPress platform. The first steps were to move the data from their old tables to their new tables. Next was to configure tags, categories and add functional plugins. The other areas I wanted to make sure was working was getting my popular posts to be redirected to their new locations here. I went with SEO friendly URLs so had to do some redirects using my .htaccess file.

Along with rewrites, I made some security adjustment to them and thought it would be good talk about those as well.

First to do redirects you can use mod_rewrite or something simple like Redirect. Here is what I did for my redirects of my popular posts:

Here we’re using Redirect 301 which is “Moved Permanently”. It’s looking for the node variable with was Drupal’s page handling and redirecting to the new SEO friendly WordPress URLs.

The next item I always like to include is adding proper 403 and 404 handlers in .htaccess. Basically when a 403 (Client Denied) or 404 (File not found), I like to redirect the user back to the home page instead of giving them a crappy Apache message. You can get fancier by creating custom error pages, but redirect works find for me. Here is what you would add for this:

The other piece that is really important, and often not used is turning OFF indexes. Basically if you go to a directory without a index page (ie: index.php), it will list out the contents of that directory. This is a potential security risk, it can show what items you have installed, or provide files for download that you did not want downloaded. By simply adding this, it will throw a 403 to the user that hits a page without a index file.

I primarily did this since I don’t want people seeing my wp-content/plugins directory, but I see as of 2.8, they’ve added a index.php with nothing in it, causing a white page. This is good, but I think it’s still good practice to prevent directory browsing like this.

The other piece I like to do is restrict administrative access to my IPs. I’m a freak this way. I have static IPs at my office, and I also have VPN access, so I like to restrict access to certain IPs on my network. Basically, I have to be at my office OR VPN’d to my office to edit my pages. This is a pain to many people, and I can understand people not into this, and that’s fine, but it really reduces the risk of brute force attacks to your admin area. If you’re interested in this measure here is the code you would include in the .htaccess file residing wp-admin/:

Obvisouly, xxx.xxx.xxx.xxx would be your static IP or subnet xxx.xxx.xxx.xxx./16 for example.

I’ve always been uneasy with WordPress due to it’s history and potential damage it can cause on the server it lives on. The bottom line is to keep your install up to date, and that includes your plugins. I’ll also be setting a subdomain for testing purposes (only available to my IP) to handle large WP updates.

Related posts:

1. URL Masking (cloaking)
2. Migrating Money-Code from Drupal to WordPress
3. Update WordPress!

So the drama continues. Apparently all the issues that I have brought up are ‘cosmetic and not security related’ coding issues. I raised 5 different points, 2 of which they said they would implement (funny … since they are cosmetic) in the future. The other 3 (1 they just don’t get at all and the other two are up for debate in my opinion).

Cosmetic would mean, I didn’t like the ‘grey’ that they used in the header.. not the issues I brought up. Security related, even though some are mild, and I’ve stated that, are still security related.

So where does that leave me. I was presented with the ‘get the refund but can’t use the product or use the product but lose the full $97′ option again. I’ve stated in previous correspondence with them… keep your $97. I’ve modified my version of the code to address the issues I brought up and will use it. As presented in my earlier post, I said I was a unsatisifed programmer.. which led to me being a unsatisfied customer. No turning that around.. and sorry BANS if you think that was unfair. It’s my opinion and I have every right to state that. I’m sorry that you think I was pressuring you for a refund, but I felt the product didn’t meet my (the customer’s) satisfaction. I’ve never asked for a refund from a software vender EVER. I’ve never blogged about a software vender (in this way) EVER.

What I want to do is bring awareness with this blog, definitely off tangent from my initial launch mission. Now people can see that there could be issues, and take a close look before intalling it. The fixes are easy (from my perspective, and if applied from BANS side). If this is a kick in the pants to make things a touch tighter.. then cool.

Maybe, now I can get back to writing about code.

UPDATE:
One of my issues that I addressed (and said it was up for debate) was the ability of BANS to edit physical files directly on the file system with fwrite(). They pointed out to me that many other software application/venders use this (ie: WordPress). I was able to verify that WordPress does in fact do this and one of my favorite pieces of software, vBulletin, does this as well. I feel uncomfortable with this functionality because, if admin access would ever get compromised, a malicious user could overwrite files or add their ‘evil’ PHP to existing templates and execute those instructions. I think that is a bad thing, but obviously other venders don’t think it’s a big deal.. should I?.. hence the debate. I think it comes down to how secure the administrative access is. So for the record, I would like to concede my point about File System writing as one of the 5 items.

And I would like to offer ways to harden this section. If you have .htaccess ability you might want to consider limiting access to your IP or IPs (I understand if you have a dynamic IP or want the ability to administer from different locations, this might not be ideal). Another preventative measure would be to then add BasicAuthentication so you must log into get to the administrative directory (this would be a dual login then). This would also be done using .htaccess on that particular directory. The point is to prevent random anonymous attempts to circumvent access or brute force (make sure your BasicAuth pass is strong) their way into the administrative area. Why two logins? Because I trust BasicAuth.

I, myself, will add IP restriction for that area… as I do for other applications.

Related posts:

1. Build A Niche Store – Security Issues
2. Build A Niche Store (BANS) – Unsatisfied Programmer
3. BANS – security issues are being addressed