I’ve written a fair bit on the topic of securing WordPress based sites and blogs; however, it seems that no matter how much I write, it is still not enough. Hardly a week goes by where I don’t hear horror stories from our clients and various other friends in the trade whose sites get infected with malware. After handling a lot of such cases and doing some research about it, I found that one of the major reasons sites get infected is that the webmaster’s own computer was infected with malware.

I’ll also be listing various resources that can be used to further strengthen the security; however, first I would like to put forth my views on why web-masters should use Mac or Linux. I will only list those points that are logical, and none of them is influenced by bias of any sort. So here’s why I suggest so and how easy it is to switch too -

1. To keep yourself safe from viruses : I’ve used all three OSes and I’ve personally experienced that Mac & Linux aren’t as prone to viruses as Windows is, and the simple fact is that the market share of Windows is more than 90%, which is why almost every virus is targeted towards Windows users. So, if you are using either of those two OSes you’d be safe from viruses and thus reduce the chances of getting your website hacked.

2. For keeping others safe : As I’ve said, the majority of cases that I’ve dealt with are those where the webmaster’s computer was compromised. Moreover, once the sites are infected, they infect the computers of those who visit that site, and that’s how they spread so quickly! Now, if in the first place the webmaster had been using Linux or Mac, it would have ensured that at least they are not making the situation worse.

3. Switching is pretty easy – Most users give the reason that they won’t be able to switch because of incompatibility issues, and they think it would be a pain to switch platforms because of the unavailability of software. I agree that at one time it would have been difficult for most people; however, web-masters specifically won’t find any issues in choosing these two platforms, as most of their tasks are done online, and most of the software required has either a worthy alternative or, if you are an open-source fan, you’d surely find most of it available for all three platforms. Here are some of the resources -

Try a gradual switch and start using these OSes, and if you really want to run Windows software then you can try WineHQ or CrossOver (commercial); most likely the software will work fine for you. If the software still doesn’t work and you don’t find any alternative, then you can simply use VirtualBox or Parallels to run Windows inside Linux or Mac.

So when we know that for web-masters it can be easy to switch to Mac or Linux, then why not use either of those two operating systems and keep yourself and the world safe from that malware? Anyway, enough of ranting – as I said, during my research I did read quite a bit about securing websites, so I would like to share that with you :

How to strengthen the security of your WordPress site?

  1. Don’t forget to read the articles that I wrote a while back on the topic of securing WordPress.
  2. If possible, switch your OS as soon as possible – Don’t think of it as a stupid suggestion. Consider this one for sure!
  3. Restrict admin use by IP address.
  4. Learn to restrict FTP server access to specific IPs using VSFTPD – I know that not everyone gets a static IP address from their internet service provider; however, use of a VPN [I use StrongVPN] can certainly help you get over that problem.
  5. More steps can be done through the .htaccess file; here are 11 more steps that you can use.
  6. Jeff Starr has created wonderful instructions for securing servers via .htaccess and blocking the known malware techniques.
  7. Blocking spam is equally important – Chances are that some spam comment will have the URL of a site that is infected, so it’s important to ensure that no spam comment passes through.

What else can be done other than IP address and .htaccess tricks?

Some of WordPress’ cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public environment. It is best, from a security perspective, to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create special folders with more lax restrictions for the purpose of doing things like uploading images. In short, we are talking about the CHMOD settings on the server.

All files should be owned by your user account and should be writable by you, and any file that needs write access from WordPress should be group-owned by the user account used by the web server. Of course, learning this can take some time, but if you really want to secure your server, then this is one thing you should focus on!

  • / — the root directory: all files should be writable only by your user account.
    • EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you.
  • /wp-admin/ — the administration area: all files should be writable only by your user account.
  • /wp-includes/ — the bulk of application logic: all files should be writable only by your user account.
  • /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
  • /wp-content/ — variable user-supplied content: intended by WordPress developers to be completely writable by all (owner/user, group, and public).
    • /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
    • /wp-content// — plugin files: all files should be writable only by your user account.
    • Other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.
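As an added example (not code from the original post), here is a POSIX shell function that applies the ownership scheme above to a WordPress tree. It assumes the site account and the web server’s group are passed in, maps “writable only by your user account” to 755/644 and makes wp-content group-writable (775/664) for the web server instead of world-writable, and as an extra not in the list tightens wp-config.php to 640.

```shell
#!/bin/sh
# Apply the ownership/permission scheme from the list above to a WordPress tree.
# Assumed mapping (not from the post): "writable only by your user account" = 755 dirs /
# 644 files; wp-content is made group-writable (775/664) for the web server's group rather
# than world-writable; wp-config.php is tightened to 640 as an extra (not in the list).
harden_wp_perms() {
  root="$1"; owner="$2"; wsgroup="$3"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

  # Baseline: everything owned by the site account, writable only by it.
  chown -R "$owner" "$root"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # wp-content is where WordPress needs to write (uploads, caches): group-own it
  # by the web server account and allow group writes only.
  if [ -d "$root/wp-content" ]; then
    chgrp -R "$wsgroup" "$root/wp-content"
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
    # Plugin files stay writable only by the site account (per the list above).
    if [ -d "$root/wp-content/plugins" ]; then
      find "$root/wp-content/plugins" -type d -exec chmod 755 {} +
      find "$root/wp-content/plugins" -type f -exec chmod 644 {} +
    fi
  fi

  # wp-config.php holds the database credentials: owner read/write, web server
  # group read-only, nothing for everyone else.
  if [ -f "$root/wp-config.php" ]; then
    chgrp "$wsgroup" "$root/wp-config.php"
    chmod 640 "$root/wp-config.php"
  fi
  return 0
}

# Octal mode of a path, for checking the result (GNU/BusyBox stat).
mode_of() { stat -c '%a' "$1"; }

# Example invocation (constructed paths/accounts):
#   harden_wp_perms /var/www/example siteowner www-data
```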

Plugins that I prefer for securing WordPress

1. WordPress File Monitor – Think of it as a watchdog! It monitors your installation for added/deleted/changed files. When a change is detected, an email alert can be sent to a specified address. So even if you add files using FTP, it will let you know. This is a fantastic way to ensure that no compromised file goes onto the server without passing under its nose.

2. WordPress Firewall – I personally love this plugin. Of course, using this plugin means that you’d lose out on theme/plugin editing capabilities and a few things here and there; however, this plugin will ensure that everything is super secure.

3. Block Bad Queries – Another gem from Jeff Starr. This plugin will ensure that your site is safe from known vulnerabilities.

Well, there have been countless posts on the topic of WordPress security, and the worst part is that things aren’t improving a bit. It’s important to choose the right web host as well. If this post of mine was a request to web-masters, Mark Jaquith has asked web hosts to become more secure and to help web-masters understand the security of blogs/websites. It is an interesting read, so even if you are not a web host, I would suggest you read it.

What are your thoughts about changing the OS to ensure a safe and secure website? Do you think that one should go ahead and change their OS to ensure that their site remains secure from malware to a large extent? Please share your thoughts in the comments.

For the last couple of weeks, I’ve been trying to work out how WordPress can be secured enough to avoid any kind of malware attack. In the course of this, I found a lot of new information about securing web applications and realized how small settings can make and break things. While my struggle to learn more about WordPress security was going on, I came across the launch post of VaultPress, a backup and protection service from Automattic.

Please note that the service has been announced in beta and is available to only a few users. One can apply for an invite over here. It’ll be a premium service, and while signing up you can also mention how much you are comfortable paying for this kind of service. If I were to decide the price, I would keep it around $10/month. I’ve not tested the service myself; however, we could gather all the information about VaultPress from the coverage it has received from the biggies like TechCrunch, ReadWriteWeb, Silicon Alley Insider, the VaultPress blog and finally my favorite, WordPress Tavern.

Features of VaultPress

1. Focused on WordPress.org users – WordPress.com is one of the most powerful and secure services around. However, the same can’t be said for users who run the self-hosted version on their own servers. There have been many horror stories in the past where self-hosted installs got infected with malware and much hoopla was created. VaultPress has been designed to work with self-hosted WordPress to ensure that they can also get quality backup and service to avoid any mishap.

2. Real Time & Complete Backups – VaultPress is an all-in-one backup package. It will back up posts, categories, tags and the rest of the data along with themes, files etc. Jeff @ Tavern reckons that VaultPress will face stiff competition from Backupify, BackupBuddy and other backup plugins. According to Matt, founder of WordPress, VaultPress will be able to make the backup instantly as soon as one publishes changes on the blog or website.

3. Safeguards against Zero-Day Attacks – This is the one feature that I would be most interested in, as it is one that no one else is offering. VaultPress will be able to safeguard your WordPress against zero-day attacks focused towards WordPress. It will also monitor your site to alert you of any suspicious or hacking activity.

Well, keeping these features in mind, we can install a few plugins that can help us achieve a similar level of protection, and that too free of cost. We just need to ensure that we configure the plugins in the right manner. Here’s the guide …

Get VaultPress Features Before Hand!

1. Automatic Backup – This little plugin saves all the important files, including themes, and the database on Amazon S3. The plugin allows you to schedule a backup of the database or just the files, or if you want you can ask for a complete backup as well. The plugin will send you confirmation messages over email, so you will constantly be aware of what is happening. Amazon S3 can be used as a backup service for your blog’s important files and, believe me, in most cases this will not cost you more than $5/month. Only in the case of large publishers can this cost be more than $15/month, i.e. the indicative price of VaultPress. By the way, Amazon S3 can help you improve site load time as well; don’t forget to check our guide on how to optimize WordPress blogs.

2. Firewall – This nifty plugin monitors changes in the files and attacks based on various zero-day patterns. Of course, this is not the ultimate solution; however, our experience with this plugin has been pretty neat. It did alert me whenever I tried to make any change in the theme files or plugin files. It didn’t allow the change until I approved it. Be aware that if you are planning to install this, you may get a lot of notifications. So keep the settings appropriate or use Gmail filters for ease!

3. OSSEC – OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. Of course, this is something that will not be as easy as installing plugins; however, investing a little time in this can ensure that you’ll have real peace of mind in future!! There is enough documentation available to avoid the initial hiccups!
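To show what the file-integrity checking done by WordPress File Monitor (listed in the earlier post) and by OSSEC boils down to, here is an added example, not code from either project or from the original post: a SHA-256 baseline of a WordPress tree and a check that reports added, deleted and changed files. It assumes GNU or BusyBox sha256sum and a POSIX awk are available on the server.

```shell
#!/bin/sh
# Minimal file-integrity check of the kind WordPress File Monitor and OSSEC perform:
# record a SHA-256 baseline of a WordPress tree, then report files that were added,
# deleted or changed since. Added example; assumes sha256sum and POSIX awk.

# wp_baseline ROOT OUTFILE: write one "hash  ./relative/path" line per file.
wp_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# wp_check ROOT BASELINE: print one "added|changed|deleted <path>" line per
# difference. Output is empty when the tree still matches the baseline.
wp_check() {
  cur=$(mktemp)
  wp_baseline "$1" "$cur"
  # sha256sum lines are "<64 hex chars>  <path>", so the path starts at column 67.
  # First pass loads the baseline; second pass walks the current snapshot.
  awk 'FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
       {
         p = substr($0, 67)
         if (!(p in old))        print "added " p
         else if (old[p] != $1)  print "changed " p
         delete old[p]
       }
       END { for (p in old) print "deleted " p }' "$2" "$cur"
  rm -f "$cur"
}

# Typical use (constructed paths): take the baseline once after a clean install
# or update, then run wp_check from cron and mail any non-empty output.
#   wp_baseline /var/www/example /var/lib/wp-baseline.sha256
#   wp_check    /var/www/example /var/lib/wp-baseline.sha256
```

A non-empty report is the moment to compare against what you actually uploaded or updated; anything else is a file you did not put there.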

Of course, the first two won’t ensure that you are getting instant and real-time backups. However, a regular weekly backup will ensure that you’ll be able to bring your blog back from a situation where nothing looks nice in the world. I hope you understand the point that I’m trying to make here! If you install OSSEC then I’m sure one could easily compare this setup with what VaultPress will offer in future!

Isn’t it neat that you can enjoy VaultPress-like features even before you can get your hands on it, or if VaultPress looks out of budget?

The success of VaultPress will depend on the following factors: 1) what the cost involved for end users will be and 2) how effective its monitoring system will be. I’m sure the takers of this service will be many more than for any other similar service, as it comes directly from the makers of WordPress. However, personally I’ll be willing to test other services if they offer similar features at a competitive price. What are your initial thoughts on VaultPress?

(Image Credit – ClickonF5)

For a few months, I’ve been hearing a lot of horror stories regarding the compromises that bloggers have to deal with. WordPress’s open-source nature, which has been a boon for it, is now standing against it (for hardcore open-source lovers – I am in favor of open source all the way, and that statement of mine should not be taken as a personal attack). There have been many blogs that weren’t using the latest version of WordPress that are now infected with some sort of worm, or some hacker gets access to the web server and misuses your precious resources. There are cases where they even harm the website by affecting its search engine rankings.

WordPress, Firefox and many open-source projects are great; however, because of their open nature, they generally get targeted by hackers & notorious fellows. It’s pretty important to keep your blog software up to date if it’s based on any open-source code, as the breachers tend to attack old code.

What better time could there have been to discover this wonderful product than now, when I’ve recently published various posts on the security of WordPress blogs? I was amazed to learn about the YubiKey USB token that secures your WordPress login with a two-factor authentication mechanism.

Sherif Elsisi has a wonderful blog on WordPress security and related stuff, and I was amazed to see the amount of effort he has put in to ensure that bloggers take care of their security. He has posted a lot of posts and has written about lots of security plugins, which should help most of you!

We’ve already stressed the importance of a strong password in the security check series. And I’m sure that some of you’ll be surprised to find out that the “Username” of the WordPress account plays an important role in the security of the blog. If you don’t tend to agree, then here’s some food for thought – would it be more difficult if you were to guess only the password, or would it be more difficult to guess both username & password?

While you ponder the question (are you still thinking about it? If the answer is yes, go ahead and take these mind exercises or play these games), I would remind you to ensure that you subscribe to our blog for regular tips like these.
