Tag: security

Fail2ban + WordPress + Nginx

I’ve been using the Limit Login Attempts plugin for WordPress for quite a while. It basically logs failed login attempts and automatically blocks multiple attempts from a single IP address. A few days ago I switched to fail2ban instead, which is pretty new to me. Fail2ban is a fairly simple yet very flexible framework that monitors log files for certain patterns, and runs...

Don’t Hide the Fact That You’re Using WordPress

There are quite a few blog posts, plugins and hacks suggesting to hide the WordPress version number, or hide the overall fact that you’re using WordPress. Don’t do it — it’s pretty useless. There are hundreds if not thousands of ways to not only find out the fact that you’re using WordPress, but also find out the exact version number, regardless of any plugins or...

Github’s Asking for my Password

“Why is Github asking me to input my username and password when I try to push changes to a repository I own?” I asked this myself a couple of times before I figured out I had cloned it the wrong way: git clone . As opposed to: git clone git@github.com:kovshenin/publish.git . Where the former will use the HTTP protocol, and thus require basic authentication (username and password), and...

Thoughts on “Too Much Escaping” in WordPress

While sanitizing and escaping everything is very important when dealing with websites, I think there are times when we need to back off a little bit, and trust the functions that have been given to us by WordPress. <a href="<?php echo esc_url( get_permalink( get_the_ID() ) ); ?>" title="<?php echo esc_attr( sprintf( __( 'Permanent Link to %s', 'domain' ), the_title_attribute( array(...

Dear WordPress Theme Developers, Stop Using TimThumb

Just a reminder, since this weekend I had to help out with yet another TimThumb-powered WordPress theme, broken by a “security patch” at the web hosting provider. This time it was Acquisto by Press75. The problems of Acquisto are not limited to thumbnails.

Protected Meta in WordPress

I was doing a few tweaks to the Twitter Embed plugin earlier today and found out that authors with access to the custom fields interface could exploit them to print unfiltered HTML. This happened because I cached the HTML retrieved from the Twitter API in an unprotected meta field on the post. The easiest workaround was to add an underscore prefix to the meta key, so my_meta_key for example...

Wired News & Twitter

I’ve read an entry in the livejournal webdev community today – a link to a great blog post on Wired News about “the battle of the browsers”. Following the link I got onto the Wired News Blogs website, and after a timeout of about 5 seconds I received a javascript popup message asking for my Twitter username and password. This looks like a scam. Why the heck would a PR9 news...