Archive for March, 2009
Posted on March 29, 2009 - by CDS
Tips to Secure Your WordPress Blog
I’ve just been through the wringer curing a client’s hacked WordPress blog. There are dozens of ways people can maliciously attack your blog, including DB injections, adding scripts to writable files, writing to your .htaccess files, and more. Below are a few things you can do to prevent people or bots from commandeering your WordPress blog:
Use a Strong Password
You should use a strong, randomized password with uppercase, lowercase, numbers and special characters. It may be inconvenient to memorize, but it’s an important aspect of securing your blog. If you must have the password on file somewhere, it should be a hardcopy (i.e. on paper), and not stored on your computer somewhere. You should never use any part of your domain name in your password, or the word “blog”, or common names like your pets, kids, or birthdate. All of these things are quite easy to figure out.
Set Security Keys in wp-config.php
In wp-config.php (or wp-config-sample.php if this is a new install), find the following lines:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
These should all be replaced with secure values, preferably long strings of random uppercase, lowercase, numbers, and special characters. You can go to https://api.wordpress.org/secret-key/1.1/ to generate random strings.
You can also add SECRET_KEY. Right under the code snippet above, add the following:
define('SECRET_KEY', '0000000000000000000000000');
Replace the zeros with a long string of uppercase, lowercase, numbers, and special characters. You can go to http://api.wordpress.org/secret-key/1.0/ to have random strings generated.
For more information about what Security Keys do, see http://codex.wordpress.org/Editing_wp-config.php
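As an added example that is not part of the original post, the following Python script does locally what the two sections above ask for: it generates random secrets containing all four character classes, emits the define() lines for wp-config.php with straight ASCII quotes (the curly quotes that blog software often substitutes are a PHP syntax error), and checks a password against the rules given above (no part of the domain name, not the word “blog”). The 12-character password minimum, the 32-character minimum for keys, and the choice to ignore domain labels shorter than four characters are my assumptions, not rules from the post.

```python
import re
import secrets
import string

# Character classes the post asks for in passwords and security keys.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"   # no quote or backslash: safe inside a single-quoted PHP string

# The four keys from the post plus the optional SECRET_KEY it adds underneath them.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY", "SECRET_KEY")
PLACEHOLDER = "put your unique phrase here"


def random_secret(length=64):
    """Random string drawn from all four classes, resampled until every class is present."""
    alphabet = UPPER + LOWER + DIGITS + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in (UPPER, LOWER, DIGITS, SPECIAL)):
            return candidate


def wp_config_keys(length=64):
    """The define() lines for wp-config.php, one fresh secret each, with straight ASCII quotes."""
    return "\n".join(f"define('{name}', '{random_secret(length)}');" for name in KEY_NAMES)


def password_problems(password, domain):
    """Return the rules from the post that a candidate password breaks (empty list = passes)."""
    problems = []
    if len(password) < 12:                       # minimum length is an assumption; the post only says "strong"
        problems.append("short")
    for label, cls in (("no-upper", UPPER), ("no-lower", LOWER), ("no-digit", DIGITS), ("no-special", SPECIAL)):
        if not any(c in cls for c in password):
            problems.append(label)
    low = password.lower()
    if "blog" in low:
        problems.append("contains-blog")
    # Any label of the domain (e.g. "example" from example.com) counts as part of the domain name.
    # Labels shorter than four characters (like "com") are skipped; that cut-off is an assumption.
    if any(len(part) >= 4 and part in low for part in domain.lower().split(".")):
        problems.append("contains-domain")
    return problems


DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


def weak_keys(wp_config_text, min_length=32):
    """Names of security keys still on the placeholder or shorter than min_length (an assumed floor)."""
    return [name for name, value in DEFINE_RE.findall(wp_config_text)
            if name in KEY_NAMES and (value == PLACEHOLDER or len(value) < min_length)]


if __name__ == "__main__":
    print(wp_config_keys())                             # paste these into wp-config.php
    print(password_problems("myblog2009", "example.com"))
```

Run it once and paste the printed define() lines over the placeholders; run weak_keys() over an existing wp-config.php to confirm nothing was left on the default phrase.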
Change MySQL table prefixes
By default, WordPress uses the table prefix wp_. Since it’s the default, it’s pretty easy for malicious persons to figure out. When setting up wp-config.php, you can change the table prefix to pretty much anything you want (letters, numbers, and underscores only). In wp-config.php, around line 57 you’ll find the code:
$table_prefix = 'wp_';
Simply change wp to something more complex. Be sure to keep the underscore at the end.
Plugins
askApache Password Protect - This plugin doesn’t control WordPress or mess with your database; instead it uses the fast, tried-and-true security features built into the web server to add multiple layers of security to your blog. It is specifically designed and regularly updated to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog. This is probably the most effective security plugin available; however, I’ve found that it does not work properly on a lot of servers. Hostmonster and GoDaddy, for instance, do not support Basic or Digest Authentication and therefore do not support this plugin. If your server allows all of the functionality required, this is your best bet to protect your blog.
BTEV - Bluetrait Event Viewer (BTEV) monitors events that occur in your WordPress install. BTEV tracks the following events: password_reset, delete_user, wp_login, lostpassword_post, profile_update, add_attachment, wp_logout, user_register, switch_theme.
Login Lockdown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Replace WP-Version - Secures your WordPress installation and eliminates or replaces your WP version and database version the easy way with a small plugin. If you’re running an older version of WordPress, anyone can view the page source to see what attacks might work against your blog. This plugin replaces the WP version with a random string on WordPress < 2.4 and eliminates it on WordPress > 2.4.
WP Security Scan - Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
Stealth Login (or any similar plugin) – Allows you to define a different path to your login pages so that they are hidden from viewers. I discovered the importance of this function the hard way when someone successfully and continually was able to change the admin email address by running SQL commands through the login form. They would run some command that changed the email address in MySQL, and once that was done they reset the password, which was then emailed to their address.
The good thing was that the BTEV event viewer plugin logged their IP address and their failed login attempts. It basically provided me with a timeline of the hacker’s events, so I could pinpoint exactly when and from what page they were able to change the email address. Since they were apparently running SQL commands through the login form, I installed Stealth Login (and banned their IP range). If they manage to gain access to the site again somehow, they won’t be able to find the login form to run the commands again.
*Note* I’m not sure if the comment forms are vulnerable as well, but I don’t think so because of where they write to the SQL database. Again, I’m not 100% sure of that.
*Note* You should also note that Stealth Login (and probably other similar plugins) writes commands to your .htaccess file, so you need to make sure that the .htaccess file is chmod 644. Otherwise, a more clever hacker could write to your .htaccess file and undo the redirects that Stealth Login creates.
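The Login LockDown rule described above (3 failed attempts within 5 minutes from the same IP range locks that range out for 1 hour) is simple enough to reproduce against a log, which is useful when you want to replay a timeline the way BTEV gave the author one. The Python below is an added example and is not code from either plugin; the log lines are constructed, their “date time event ip user” layout is my own, and treating “the same IP range” as the /24 containing the address is an assumption (the plugin’s own notion of a range is not stated in the post).

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Login LockDown's stated defaults: 3 failures within 5 minutes locks the range for 1 hour.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)

# Constructed sample lines (not real BTEV or Login LockDown output): "<date> <time> <event> <ip> <user>".
SAMPLE_LOG = """\
2009-03-29 02:10:05 wp_login_failed 203.0.113.5 admin
2009-03-29 02:11:40 wp_login_failed 203.0.113.5 admin
2009-03-29 02:12:02 wp_login_failed 198.51.100.7 editor
2009-03-29 02:13:30 wp_login_failed 203.0.113.9 administrator
2009-03-29 02:40:00 wp_login_failed 203.0.113.5 admin
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def ip_range(ip):
    """What counts as 'the same IP range' is an assumption here: the /24 containing the address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)   # range -> timestamps of failures inside the window
        self.locked_until = {}              # range -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        return until is not None and now < until

    def record_failure(self, ip, when):
        """Register one failed login; return True if this failure triggers a new lockout."""
        rng = ip_range(ip)
        recent = [t for t in self.failures[rng] if when - t <= WINDOW]   # drop failures older than the window
        recent.append(when)
        self.failures[rng] = recent
        if len(recent) >= MAX_FAILURES and not self.is_locked(ip, when):
            self.locked_until[rng] = when + LOCKOUT
            return True
        return False


def replay(log_text):
    """Feed the failed-login lines to the monitor; return it plus [(range, lock expiry)] in order."""
    monitor, lockouts = LoginLockdown(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "wp_login_failed":
            continue
        when, ip = parse_ts(m.group(1)), m.group(3)
        if monitor.record_failure(ip, when):
            lockouts.append((str(ip_range(ip)), when + LOCKOUT))
    return monitor, lockouts


if __name__ == "__main__":
    _, locks = replay(SAMPLE_LOG)
    for rng, until in locks:
        print(f"locked {rng} until {until}")
```

In the sample, the third failure from the 203.0.113.0/24 range lands at 02:13:30, inside five minutes of the first, so the whole /24 is locked until 03:13:30; the single failure from 198.51.100.7 never reaches the threshold. The 02:40 attempt is rejected by is_locked() even though the sliding window has emptied by then, which is exactly the behaviour an administrator releases manually from the plugin’s panel.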
.htaccess – restrict access to admin files
It’s a good idea to protect certain directories with .htaccess, particularly the wp-admin folder. If you already have a .htaccess file in your wp-admin folder, download it first and append the information below to it. If you do not have a .htaccess file in wp-admin, create a new one in Notepad and add the following:
# allow everyone to fetch images, CSS and JavaScript
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
# restrict everything else to your IP address only
# (replace 00.000.00.000 with your static IP address; Apache only accepts
# comments on their own line, never after a directive)
Order deny,allow
Deny from all
Allow from 00.000.00.000
This will restrict access to the admin folder to only the IP addresses specified. If you have multiple admins, add each of their IP addresses on a new “Allow from” line. Save the file, and upload it to your wp-admin folder. Be sure to chmod your .htaccess files to 644 so they are not writeable by the public.
.htaccess – ban ip address or ip range
There are many ways to find the IP address of those who try or succeed in breaking into your WordPress blog. You can view the server logs, but I like to use the BTEV Event Viewer plugin. It lists all activity by IP address in a user-friendly manner. You can sort the events by “warnings”, “errors”, “notices”, “debug”, or “display all”. This makes it really easy to monitor exactly who is doing what on your blog, and when. Regardless of how you determine whether an IP address should be blocked, it is an easy task with .htaccess. The following code will block a single address. If you already have a .htaccess file in your root directory, download it first and append the information below to it.
# block a specific ip address
# (replace 00.00.00.00 with the IP address; repeat the deny line for each
# address you block; Apache comments must be on their own line)
order allow,deny
deny from 00.00.00.00
allow from all
If you find that you’re always blocking IP addresses from the same range (they will have similar beginning digits), you can block an entire range using the CIDR number or the IP range if you know it. Use the code below to block by CIDR number or IP range.
<Files *>
order allow,deny
allow from all
# CIDR number or ip range
deny from 00.0.0.0/0
</Files>
You can find the CIDR number of a given IP address at: www.subnet-calculator.com/cidr.php
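Before uploading a deny list it is worth checking which addresses it actually covers, and Python’s standard ipaddress module can also replace the subnet calculator linked above by turning an inclusive IP range into the smallest set of CIDR blocks. The script below is an added example, not part of the post: it parses the three argument forms Apache’s “deny from” accepts (a full address, a partial leading-octet address such as 198.51.100, and a CIDR block) from a constructed .htaccess fragment and tests addresses against them. The sample addresses are documentation ranges, not anyone’s real IPs.

```python
import ipaddress
import re

# Constructed .htaccess fragment (not from the post) using the argument forms Apache accepts:
# a full address, a partial address (leading octets only) and a CIDR block.
SAMPLE_HTACCESS = """\
# block a specific ip address
order allow,deny
deny from 203.0.113.45
deny from 198.51.100
deny from 192.0.2.0/25
allow from all
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+?)\s*$", re.IGNORECASE)


def to_network(value):
    """Translate one 'deny from' argument into an IPv4Network."""
    if "/" in value:                                   # CIDR (10.1.0.0/16) or dotted netmask (10.1.0.0/255.255.0.0)
        return ipaddress.ip_network(value, strict=False)
    octets = value.split(".")
    if len(octets) == 4:                               # a single host
        return ipaddress.ip_network(value + "/32")
    # partial address: Apache matches leading octets, so 198.51.100 means 198.51.100.0/24
    prefix = 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)


def parse_deny_rules(text):
    """Collect every 'deny from' argument (except the keyword 'all') as a network."""
    rules = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        for arg in m.group(1).split():                 # one directive may list several arguments
            if arg.lower() != "all":
                rules.append(to_network(arg))
    return rules


def is_denied(ip, rules):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in rules)


def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering an inclusive address range."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


if __name__ == "__main__":
    rules = parse_deny_rules(SAMPLE_HTACCESS)
    for probe in ("203.0.113.45", "203.0.113.46", "198.51.100.200", "192.0.2.130"):
        print(probe, "denied" if is_denied(probe, rules) else "allowed")
    print(range_to_cidrs("192.0.2.10", "192.0.2.20"))
```

Note that a range that does not fall on a block boundary (192.0.2.10 to 192.0.2.20 in the usage above) needs several CIDR blocks, one deny line each; the calculator the post links gives you the same answer one block at a time.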
Disable Anonymous FTP
Unless you need this function for some reason, you should have anonymous FTP disabled for your website. This is usually done in your hosting account admin panel. The procedure and allowances differ greatly across the many hosting platforms, and if you need assistance doing so you can always contact the support team of your hosting company. Some hosting companies do not allow you to delete the anonymous user, but you can restrict or deny its privileges. Other companies may not have an anonymous user set up as a default… it all depends on the hosting company.
A really bad scenario would be having anonymous FTP enabled, coupled with a writeable .htaccess… you could very easily have your entire website deleted.
That’s it for now… I will be updating this post when additional information is available. Happy blogging!
Posted on March 25, 2009 - by CDS
Corvus Awards & Recognition
We wanted to thank everyone for the great feedback to our new website. We submitted it to all the award and recognition sites and got great feedback. Instead of doing a single post for all of the additional recognition we’ve received, we’ve put together a list below with links to the award and compilation sites. The admins of these great sites were kind enough to add us, so we’d like to return the favor by linking to them and maybe bringing a little traffic.
Award & Mixed Sites:
Web Design Awards, Design of the Day, view our award
My Design Award, view our award
RGB Garden Garden of the Day, view our recognition post
HTTP Artist, view our recognition post
The Design Gene, view our recognition post
CSS Sites:
CSS Star, view our recognition post
Creamy CSS, view our recognition post
CSS Mania, view our recognition post
CSS Design Yorkshire, march 2009 entry
CSS Style.me, view our recognition post
One CSS, view our recognition post
CSS Based, view our recognition post
CSS Burst, view our recognition post
CSS Scoop, view our recognition post
eCSSited, view our recognition post
Swell CSS, view our recognition post
CSS Illustrated, view our recognition post
CSS Impress, view our recognition post
Your Site is Valid, view our recognition post
CSS Elite, view our recognition post
CSS Heaven, view our recognition post
I hope I didn’t leave anyone out, but if I did, this list will be amended accordingly. Thanks everyone for the positive feedback!
Posted on March 21, 2009 - by CDS
Latest Project: SC41 Furniture
We’re happy to announce the launch of SC41’s revamped website, www.sc41.com. SC41 is located in Santa Cruz, CA, and specializes in environmentally-friendly furnishings and bedding. SC41 really epitomizes what it means to be truly eco-friendly, from organic linens and low-impact manufacturing, to reclaimed wood and bamboo furnishings… even the floors and paint inside the showroom are eco-friendly. In addition, most of the furniture at SC41 is simply beautiful… just see for yourself at www.sc41.com.
The design was inspired by the texture of organic fabrics, with the contrast of rich colored woods. We wanted to do something elegant, but trendy, and that incorporated the modern feel of SC41’s branding. This site includes valid CSS and XHTML, WordPress Blog, email signup, Flash goodies here and there, and tons of useful eco information.
Posted on March 12, 2009 - by CDS
CDS on The Best Designs
We’ve had some of our work featured on The Best Designs in the past, but our own website was always passed up. We’re happy to say that our new design made the cut today! Please have a look at all of the amazing sites on The Best Designs… there are some simply phenomenal websites out there. All designers have that one coveted award or recognition they always strive for, and this site is mine. It’s been in existence for quite some time, and I’ve been following it for years.
Posted on March 11, 2009 - by CDS
Magnetic Movie by Semiconductor Films
This is one of my favorite films. Created In NASA’s Space Sciences Lab, it shows the chaotic life of magnetic fields. Very cool!
“The secret lives of invisible magnetic fields are revealed as chaotic ever-changing geometries. All action takes place around NASA’s Space Sciences Laboratories, UC Berkeley, to recordings of space scientists describing their discoveries. Actual VLF audio recordings control the evolution of the fields as they delve into our inaudible surroundings, revealing recurrent ‘whistlers’ produced by fleeting electrons. Are we observing a series of scientific experiments, the universe in flux, or a documentary of a fictional world?”
Source: Semiconductor Films
Posted on March 11, 2009 - by CDS
First Photos of the Barreleye
I remember reading about the Barreleye back in college when I was majoring in BioChem. It’s a deep sea fish with a transparent head and barrel eyes. Very interesting looking… and strange. NatGeo has the first photos ever taken of a live Barreleye.
Source: National Geographic
Posted on March 11, 2009 - by CDS
Dell Latitude E6400 XFR
All I can say is WOW!
Built tough for tough environments, Latitude E6400 XFR was designed and engineered to be the highest performing fully rugged laptop in its class. Equipped with reliable data protection, simplified IT management and investment protection that you’ve come to appreciate from Dell.
Link: Dell
Posted on March 11, 2009 - by CDS
New Site Design
Hello fellow bloggers and design freaks, you’ve probably noticed the new site design this week. We received quite a bit of kudos for the last design, mainly for its use of bold colors and giant header. We wanted to keep that appeal with this new design, but add a bit more “organic” feel to it. I’m a big fan of the watercolor look and wanted to do something like that for a long time. It’s always risky to change something that has been received so well, but after a year or so we get the itch for something new. Hope you like it!
Posted on March 11, 2009 - by CDS
CDS Noted for Creative Header
We’re happy to see that we’ve been added to Vandelay Design’s list of 30 Creative Website Headers, although it is for our last design. Hope you guys like the new design just as much!