Tag Archives: security

WordPress Escape Functions

Escaping output data is an important step, since the lack of it can lead to XSS and other nasty and unexpected things, and even legitimate data can break specific data formats when it is not escaped.

Consider HTML attributes. Imagine you have the following simple code:

$image_src = get_uploaded_image_src(); // not any specific function
echo '<img src="' . $image_src . '" />';

What if the uploaded image is called “Horizons” by LTJ Bukem.jpg? You end up with broken HTML: <img src=""Horizons" by LTJ Bukem.jpg" />… not to worry though, WordPress comes with a dozen escape functions for taking care of all these sorts of things. However, with the myriad of escaping functions provided in WordPress, it is often difficult to remember which is which and whether there is an escape function for a specific case.
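The broken attribute described above, side by side with its escaped form, as an added example that is not part of the original post. The file name is the constructed sample from the text; esc_attr() is WordPress's own attribute-escaping function, and the fallback defined here for running the script outside WordPress is an assumption built on PHP's htmlspecialchars(), not a copy of the real implementation:

```php
<?php
// Added example: unescaped vs. escaped data inside an HTML attribute.
// Outside WordPress, esc_attr() does not exist, so we provide a stand-in.
// This stand-in is an assumption for demonstration only; the real WordPress
// esc_attr() does additional normalisation (encoding checks, entity handling).
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        // ENT_QUOTES encodes both " and ', which is what an attribute needs.
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// The pattern from the post: data concatenated straight into an attribute.
// A double quote in $src closes the attribute early, so the rest of the value
// is parsed as further attributes (or, for attacker-controlled input, markup).
function build_img_tag_unescaped(string $src): string
{
    return '<img src="' . $src . '" />';
}

// The fixed pattern: every value that lands inside a quoted attribute goes
// through esc_attr(), so quotes, <, >, and & become entities and the attribute
// boundary can no longer be broken by the data.
function build_img_tag_escaped(string $src): string
{
    return '<img src="' . esc_attr($src) . '" />';
}

// Constructed sample: the file name used in the post.
$filename = '"Horizons" by LTJ Bukem.jpg';

echo "Unescaped (attribute closed early by the first quote):\n";
echo build_img_tag_unescaped($filename), "\n\n";

echo "Escaped (quotes become entities, attribute stays intact):\n";
echo build_img_tag_escaped($filename), "\n";
```

The choice of function follows the context the data is printed into: esc_attr() for quoted attribute values, esc_html() for text between tags, and esc_url() for href or src values that must also be valid URLs; the attribute case is the one the post's example breaks on.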

Continue reading



Random New User Password Generator for WordPress

Inspired by https://wordpress.org/extend/ideas/topic/random-password-for-new-users WordPress plugin idea, and a bit of time on my hands, I decided to code up a simple little plugin that is easy to understand and use.

Random User Passwords In WordPress

Meet the Random New User Passwords for WordPress plugin. It’s a minimum viable solution, with zero-configuration, so don’t expect much.

Continue reading



The WordPress Meta “generator” Tag Paranoia

WordPress Version

…or “WordPress Version Fingerprinting”

I have read dozens of “How to secure your WordPress” articles, and one common “tip” among others is getting rid of the “generator” tag in the HTML head, for additional security through obscurity.

WordPress uses the meta “generator” tag to “disclose” its version. The paranoia surrounding this fact is unbelievable: people think that by removing the tag they harden WordPress, and that is absolutely not true.

Continue reading



The WordPress Plugin and Theme Editor Must Go

WordPress Vulnerability

…or “How WordPress Gets Hacked”

The prelude

With so many reports of WordPress sites being hacked in one way or another, I decided to see how exactly WordPress sites are being invaded. The WordPress Codex has an excellent FAQ section titled “My site was hacked”, and it’s great. Hardening WordPress is another fantastic entry that deserves even more attention.

Not so long ago, I set up a honeypot on one of my private servers. I grabbed the latest stable version of WordPress and installed it. Waiting for any new WordPress vulnerability to be exploited would not be viable (although the TimThumb vulnerability is occasionally being attempted). I considered the latest stable version of WordPress secure when correctly set up, so I chose the single weakest link in the chain, located between the chair and the screen – the Admin.

Continue reading



Surviving An Internet Blackout

When The Internet Goes Down

On the 12th of February, Anonymous posted the following pastebin: Operation Global Blackout. In case the pastebin disappears, here’s the plaintext: Operation Global Blackout Anonymous.

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, the Internet will go Black.

Continue reading



WordPress Newsletter Plugin Multisite Vulnerability

WordPress Newsletter Plugin Vulnerability

I have had the opportunity to work with the WordPress Newsletter Plugin from Tribulant, a plugin that rivals the free MailPress plugin, but with its own twist (and its own price tag of $54.99 for a single license, $274.95 unlimited).

The WordPress Newsletter Plugin copy starts out by shouting:

A WordPress newsletter plugin which will, without a doubt, blow your mind away with its feature set…

And it does, after you take a look at one of its core features that they’re proud of:

Both PHP, HTML, CSS and WordPress shortcodes can be put into themes.

Newsletters: Themes Documentation

See anything wrong with that?

Continue reading