Tag archive: security

Letting go of Force Strong Passwords

For a while now, I’ve been using the Wordfence plugin to add extra security to my WordPress sites. Since this plugin includes (among other things) the ability to force users to choose strong passwords, I’ve stopped using my own plugin, Force Strong Passwords.

Because of this, I’ve decided to transfer it to someone else. Jason Cosper has kindly stepped up. Jason’s a senior engineer at WP Engine, who I gather use the plugin on their network. With this vested interest in the plugin, I trust it’s in good hands.

Force Strong Passwords multisite support

I no longer use my WordPress plugin Force Strong Passwords, since that functionality’s included in Wordfence. However, the plugin is quite popular, and one aspect of it that has suffered due to my lack of experience is multisite support.

On GitHub, Damien Piquet has submitted a simple fix in a pull request, which I’ve accepted. I’m not in a position to properly test this, so if anyone uses Force Strong Passwords on multisite installations, please grab the code with this commit and test away. Providing no issues arise, this will soon be released on wordpress.org.

Comments will be closed here – please give any feedback via GitHub.

Wordfence’s false positive issue with Developer’s Custom Fields

I use the Wordfence plugin on my WordPress sites for extra security. Generally it’s great, but it can be a bit over-sensitive (granted, it’s best to err in this direction with security!).

Just now I did a scan on a site and it came up with a “critical” “suspected malware URL” issue with a file from my Developer’s Custom Fields plugin. Now, whenever I use a bit of code from somewhere on the web, I always include a link in a comment, both in order to credit the person it’s from, and for future reference. I grabbed a bit of code for this plugin, to read URL parameters in JavaScript, from papermashup.com. It seems that Google has recently flagged this domain as being suspicious, citing unprompted malware downloads while also saying “this site has not hosted malicious software over the past 90 days”.

Anyway, however dangerous (or not) this site is, the URL in the JS file is utterly harmless – it’s in a comment. Furthermore, the URL is only in the dev version of the script. Only the minified version – stripped of comments – actually gets used on live sites.

I’ve removed this URL from the latest version of the plugin on GitHub, but it might be a little while before it gets rolled out on wordpress.org. Until then, please ignore this issue if Wordfence flags it up for you.

Force Strong Passwords for WordPress 3.7

The upcoming 3.7 release of WordPress is getting a new password strength meter, using the zxcvbn library from Dropbox.

It’s a great improvement. However, my Force Strong Passwords plugin is based on replicating the JavaScript password strength check in PHP. And zxcvbn.js is 683 KB (minified). I’m simply not going to be able to convert this to PHP, and I can’t see anyone else taking the challenge on.

So what I’m doing is adding some JavaScript for 3.7+ which simply passes the results of the client-side strength meter through to the server for the enforcement check. This should be fine. Of course, a tech-savvy user could manually bypass the check. But without a PHP port of zxcvbn, I think this’ll have to do.

The new version isn’t up on the wordpress.org repository yet, but you can download it from GitHub. If anyone’s using the beta of 3.7, do please give it a whirl and let me know if there are any issues. Any other feedback regarding this development is also most welcome.

Force Strong Passwords plugin

I’ve just released a new little plugin: Force Strong Passwords.

The code has been part of my custom themes for a while, and I realized it should be a plugin as I’ve been preparing my talk for this weekend’s WordCamp (eek!). Anyway, the basic idea is that it enforces the password strength indicated by the little meter on the WordPress user edit screen. It only forces strong passwords for users who can do stuff, i.e. change the live site in some way.

There’s all sorts of scope for options, etc., but this has been serving me well for a while. All in good time. For now, it’s an easy way to combat one of the largest vulnerabilities in client sites: people who use weak passwords.

Enforce strong WordPress passwords

UPDATE: You can now get this code as a plugin.

Here we go with some more nifty code for you WordPress developers… As ever, this code is roughly tested but probably not for novices. It’s designed to drop into a custom theme’s functions.php file. It probably should be a plugin, and it might make it one day when it’s thoroughly tested and I get time…

Anyway, it’s a solution to a problem that I’m very surprised isn’t built into the WP core (as an option at least), and isn’t addressed by any easily found plugin or code already out there. As we know, WP provides a good “password strength meter” on the user profile page, which is great as strong passwords are (or should be) one of the first lines of defence against attacks on your site. But it’s just an indicator—there’s nothing stopping someone using “password” as their password, or something dumb like that. All you need is one Administrator or Editor with a dumb password, and the whole site is highly vulnerable.

How about a little enforcement?
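As an added example (not the Force Strong Passwords plugin’s own code, and not the check WordPress or zxcvbn performs), here is the shape such enforcement can take when done entirely on the server. It also addresses the caveat in the 3.7 post above: a score passed through from the client-side meter can be tampered with, so the check that actually refuses a weak password has to run in PHP. The strength rules (12+ characters, three character classes, no username in the password) and the list of capabilities that count as “can change the live site” are this example’s assumptions. It uses two real WordPress hooks, user_profile_update_errors (profile edit and Add New User screens) and validate_password_reset (the password reset form), and the pass1 field both forms post.

```php
<?php
/*
 * Example server-side password strength enforcement for WordPress.
 * Added illustration only; thresholds and capability list are assumptions.
 * Drop into a theme's functions.php or a small plugin.
 */

// Capabilities taken to mean "this account can change the live site". Assumption.
function fsp_example_caps_needing_strong_password() {
    return array( 'publish_posts', 'edit_others_posts', 'upload_files', 'manage_options' );
}

// Decide from an existing user ID and/or the role being submitted by the form.
// (edit_user() hands the hook a stdClass, not a WP_User, so user_can() can't be used directly.)
function fsp_example_needs_strong_password( $user_id, $role ) {
    foreach ( fsp_example_caps_needing_strong_password() as $cap ) {
        if ( $user_id && user_can( $user_id, $cap ) ) {
            return true;
        }
        if ( $role && ( $role_obj = get_role( $role ) ) && $role_obj->has_cap( $cap ) ) {
            return true;
        }
    }
    return false;
}

// Returns a list of rule names the password fails; an empty array means it passes.
function fsp_example_password_problems( $password, $username = '' ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) {
        $problems[] = 'at least 12 characters';
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        $problems[] = 'three of lower case, upper case, digits and symbols';
    }
    if ( $username !== '' && false !== stripos( $password, $username ) ) {
        $problems[] = 'not containing the username';
    }
    return $problems;
}

function fsp_example_add_error( $errors, $problems ) {
    $errors->add( 'pass', '<strong>ERROR</strong>: Please use a stronger password: '
        . esc_html( implode( ', ', $problems ) ) . '.' );
}

// Profile edit / Add New User. $errors is a WP_Error; adding to it aborts the save.
function fsp_example_validate_profile( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change requested
    }
    $password = stripslashes( $_POST['pass1'] );
    $user_id  = ( $update && ! empty( $user->ID ) ) ? (int) $user->ID : 0;
    $role     = ! empty( $user->role ) ? $user->role : null;
    if ( ! fsp_example_needs_strong_password( $user_id, $role ) ) {
        return;
    }
    $login    = ! empty( $user->user_login ) ? $user->user_login : '';
    $problems = fsp_example_password_problems( $password, $login );
    if ( $problems ) {
        fsp_example_add_error( $errors, $problems );
    }
}
add_action( 'user_profile_update_errors', 'fsp_example_validate_profile', 10, 3 );

// Password reset form (wp-login.php?action=rp). Here $user is a WP_User.
function fsp_example_validate_reset( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! fsp_example_needs_strong_password( $user->ID, null ) ) {
        return;
    }
    $problems = fsp_example_password_problems( stripslashes( $_POST['pass1'] ), $user->user_login );
    if ( $problems ) {
        fsp_example_add_error( $errors, $problems );
    }
}
add_action( 'validate_password_reset', 'fsp_example_validate_reset', 10, 2 );
```

Because the decision is made from the posted password itself rather than from a strength score the browser reports, disabling JavaScript or editing the form in the browser does not get a weak password past it; the client-side meter remains purely advisory.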


WordPress hacks and tips: Security

WordPress security image, based on image by Net Efekt.

I well and truly cut my WordPress security teeth last year when my server got hacked. I summarized my lessons learned in that post, but the post also included a lot of things specific to the attack I was subject to. I thought I’d round up my WP security measures here for easy reference.

There’s many, many things you can do to secure WP. I’ll give links for further reading at the end. Documented here are my “baseline” measures that I make sure are in every WP deployment I create.


WordPress security

My server was recently subject to a hack attack. In some senses it was pretty serious—many new files containing malicious code, many altered files, new bogus admin accounts in WordPress. But in the end it seems I lost no data, and none of my sites got injected with spam links (which I gather was the intent of the hack).

Needless to say, I’ve been forced to quickly learn a lot about web security, and I’ve been grateful to be forced to do so without major losses. I’ll try and document some useful things I’ve learned here.

NOTE: This post contains some good WordPress security tips, but in response to a specific hack. For a more general, comprehensive run-down of solid WordPress security measures, see this post.
