Attack on WordPress – is WordPress secure?

wordpressSecurity firms are reporting a very large attack on what seems to be all sites using WordPress. One WordPress host reported an increase of an average of 40k failed logins per month to 77k failed logins per day! The failed logins are coming from a large amount of different IP-numbers and is therefore hard to block. The advice from Matt Mulleweg, creator of WordPress, is: remove the old standard admin-account (if it still exists), use a strong password and as always, keep your WordPress installation up to date!

This brings up the question “is WordPress a secure platform?”. In my opinion the answer is a resounding YES! If the hackers have a bot network at their disposal and the means of attack is a brute force password attack then there really isn’t much you can do about it. Had WordPress had any known single fatle flaw the hackers would have used that instead. Apparently it doesn’t!

Any platform large enough will be the target of hackers, much like Windows is under heavy attack as a operating system. There have been known bugs in WordPress, allthough the latest such vulnerability was acctually a bug in a popular templates subclass and not in WordPress in itself. The WordPress community quickly responded and fixed the bug.

I feel secure to continue to use WordPress as my main platform for my blogs, so should you!

Surf safely and openly through any firewall

How to surf safe

On a unsecure network where you are afraid that traffic might be sniffed?
Inside a corporate network where the firewall is in your way?
On a network where you do not want to leave a trace of where you’re surfing?

Then this guide is for you! It will enable you to surf any network you’re on as if you where at home.

Requirements

A trusted OpenSSH server that you can administrate (you’re home computer for example?).
Windows: Download and install PuTTY
Linux: Access to the SSH command
Firefox webbrowser

The “secure” site

First of all you have to setup a computer in a network that you trust, you can use your home computer or if there is any other. This computer must run an OpenSSH server.

First off all, we want to change the OpenSSH servers port from 22 (default) to 443 (standard for HTTP SSL traffic). The reason for this is that port 443 is almost always open and usually not monitored by firewalls. To do this log on your home server and type:

sudo nano /etc/ssh/sshd_config

Now find the line that says “Port 22” and change it to “Port 443”. Save the file and exit. Now restart the OpenSSH server.

sudo /etc/init.d/ssh restart

Make sure you’re home network allows access to port 443 to this machine. Now you’re set to use this as you’re home for all surfing.

The “unsecure” network

In order to use our home machine for surfing we need the “unsecure” site to allow us either to use the SSH command or to download and run PuTTY (in Windows). I’ll explain mainly from a Windows client but will also link the Linux-commands that are necessary.

The first thing you need to do is download and install PuTTY in order to use SSH. Once it downloaded start it and try and establish a connection to your OpenSSH server. It might look something like this:

On Linux to connect using SSH on a different port simply write:

ssh user@theremoteserver.no-ip.com -p 443

Try and connect to your home server (tip: the no-ip.com service is great to keep track of dynamic IP home computers). If you type your IP/domain and change to port 443 and choose “open” you should first answer if you trust the computer in question and then be prompted for a username and password. If you log in and it works then we’re set for tunneling traffic through that connection. First disconnect because we need to setup some more parameters for the SSH connection.

We want to tunnel normal HTTP-traffic.¬† To do this we need to create a tunnel in SSH, in PuTTY go into “Connection” then “SSH” then “Tunnels” and choose to add a source port, 1080 for example, with dynamic setting. It would look something like this:

In Linux type:

ssh user@theremoteserver.no-ip.com -p 443 -d 1080

When you choose “add” for the port “D1080” should be shown in the “Forwarded ports” area. Now connect using “open” (make sure all the previous settings are still the same with server and port) and you will once again be prompted for username and password which you supply. When this is done the tunnel is open and ready to use.

Now start Firefox and choose “Tools” from the menu then “Options” then the “Advanced” tab. Choose “Connections” and modify it to use manual configuration with a Socks host to port 1080 on the localhost. It will look something like this (unfortunately the screenshot is in Swedish):

Once that is done just choose ok and start surfing through the tunnel! A good way to test if it worked is for example http://www.hostip.info/. If the tunnel is working the IP shown there should be that of the OpenSSH server and not the client you are surfing from.

A word of caution: this only tunnels HTTP traffic, the DNS requests are still processed the same way as is e-mail and every other service.

Firefox 3 evaluation

Firefox logoWith the release of Firefox 3 I finally made the switch on all my computers to have this as the main web browser instead of Internet Explorer that used to be standard on some of my windows machines (I have too many computers I use daily). There where several reasons I switched and I thought I’d publish them so perhaps other people could find the same benefits I saw.

First of all I have no love for Microsoft in general, while they have some good products I do not find Internet Explorer to be one of them. They seem to invest as little as possible in it and only making changes when “forced” by an outside source (take tabed browsing for example, it wasn’t included into Internet Explorer until Firefox started using it). I’d also like to point out that other web browsers like Safari and Opera might also be great but I haven’t had the time to get acquainted with them. This also only concerns desktop/laptop browsers, on my Wii and phone I use Opera!

Why did I choose Firefox as my main browser? Here is the simple list:

  • Security – this is probably the main reason. Firefox out of the box is a slightly lesser target for hackers at the moment but while that might change there are several other factors making Firefox the number one security choice and one of them is the addon NoScript. A really nifty little program that simply stops all scripts on all pages you visit. With a simple click you can activate a single domain to use scripts either always or just temporarily for your current visit. This really improves security while browsing the Internet. While some pages look terrible these days without scripting ability you can always choose to trust those that you want to visit (and remember you used to trust ALL of them). This still doesnt save you if your favourite site is targeted by a cross-site scripting attack but at least being conservative with who may run scripts on your computer makes the odds work against you being a target.
  • Speed – the rendering engine of Firefox 3 seems faster, I do not know if this is true of just a perception of mine. It may also help that I’ve installed AdBlock Plus. This is another great addon that makes you able to block all incoming adds before they are downloaded, you can either manually block different ad-vendors by domain or different filters or you can also choose to subscribe to a kind of blacklist filter. With the blacklist filter “EasyList” most of the ads are gone! Visiting ad heavy site used to be very slow but with all the flash graphics and different connections to ad servers but with the filter in place you get to download what you really came from and not all the crap the site tries to throw at you. I’ve also found this very helpfull while being out with my laptop and wanting to conserve the amount of traffic I use while browsing the web.
  • AddOns – I’ve allready mentioned two addons but still the ability to customize your browser deserves special mention as well. While the average guy might not be able to develop addons for Firefox the open interface makes it perfect for everybody wanting to add their own idea to the web browser. This is clearly a popular feature and when visiting the official addon site you can download almost anything you could think of to pimp your browser.
  • Privacy – while maybe not a reason to install the web browser at my own computers the privacy settings and features of firefox are very well to my liking, when I use a public computer I use Firefox if they have it since the ability to remove personal data is made so easy.
  • Bookmarks / History – a fresh take on bookmarks and history is made in Firefox 3. I don’t know if I’m alone in having stoped to add bookmarks for everything but the improvements really support my way of browsing. The history list is made part of the bookmarks with features to visit the latest sites (also available in most browsers with history of course) but also the most visited sites. If you choose to skip bookmarks all togheter (like I usually do) and just type the URL the dropdown that used to be only the domains is expanded with domain, icon, title and a small description of the site. This really helps casual browsing and is a nice looking feature.
  • Open Source – while not a major benefit in itself I am a strong supporter of open source and if there are two products, one open source and one proprietary software I would go for the open source alternative any day (on a private level, this might be different in a business point of view depending on the situation).

While there are major improvements in choosing Firefox there are of course also drawbacks. Most of these are minor and will probably change with time. There are a few sites that just doesnt work well in Firefox and one of them is my on-line bank which at the moment only accepts Internet Explorer. These sites are very rare though and I think most site administrators are adapting to the fact that Firefox is becoming one of the major browsers.

Firefox is no longer a browser trying to catch up with Internet Explorer, Firefox just took the lead. Now let’s see some healthy competition and more innovate features ahead in all browsers.