
All About WordPress’ Protection: How Secure is WordPress?


As one of the most widely used website platforms in the world, WordPress is trusted by people for many purposes; still, many web developers wonder whether WordPress is secure, since it certainly has its flaws too. Protecting the underlying core is not only the WordPress team’s responsibility: that responsibility ultimately falls on your shoulders as well.

Because WordPress is so widely discussed online, the platform’s weaknesses are widely known, which is why hackers can easily target WordPress websites. It is therefore important to understand how secure WordPress really is. Let’s go through the explanation below.

What You Need to Know About the WordPress Project and Security

Below are the things you may need to know about the WordPress Project and what it does to keep the core secure.

The WordPress Security Team

The WordPress security team is responsible for identifying security risks in the core. It also reviews potential issues with third-party themes and plugins and makes recommendations on how their developers can harden their tools or patch known vulnerabilities. The team works on its own to identify and resolve issues, though it sometimes brings in other experts in the field.

How WordPress Identifies Security Risks

The process of identifying and resolving security risks works as follows.

  • An issue can be identified by anyone, from inside or outside the security team. Non-project members can report a detected issue by emailing security@wordpress.org.
  • A report is logged and the security team acknowledges receipt of it.
  • Team members work together on a walled-off, private server to verify that the threat is valid.
  • They then track, test and repair any security flaw found.
  • The security patch is then added to the next minor WordPress release.
  • For less severe problems, the fix ships with the next automatic release and WordPress notifies you within the WordPress dashboard.
  • For more urgent issues, the release goes out immediately and WordPress.org announces it on the News page of the website.

Even though WordPress doesn’t always announce these security patches immediately, it always takes immediate action to resolve the problem.

A Note about Automatic Updates

Since version 3.7, WordPress has been able to push minor updates automatically to all websites. This lets the WordPress security team get urgent patches out as quickly as possible without waiting for users to accept and apply the update on each of their websites.

As a WordPress user, you can opt out of these automatic core updates. If you do, keep in mind that this puts your site at additional risk, especially if you don’t have time to monitor all your sites all the time for the latest update.
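The opt-out described above is a single wp-config.php setting. The fragment below is an added example, not code from the post or from the WordPress Project; it shows the opt-out beside the setting that keeps security releases flowing. The constant names are the real ones WordPress reads.

```php
<?php
// Added example: wp-config.php settings controlling core auto-updates.
// Only ONE of these define() lines belongs in a real wp-config.php; the
// alternatives are left commented out for comparison.

// Opting out entirely. Minor (security) releases are no longer applied for
// you, so the site stays vulnerable until someone updates it by hand.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Equivalent to the default behaviour since WordPress 3.7, and the setting
// to keep: minor and security releases are applied automatically, while
// major releases wait for a manual decision.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Also accept major releases automatically (useful for sites nobody
// monitors, but a major version can break themes or plugins that lag).
// define( 'WP_AUTO_UPDATE_CORE', true );

// Stronger than 'false': switches off the whole automatic updater,
// including plugin, theme and translation updates. Only defensible when a
// deployment pipeline applies updates from elsewhere.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
```

If a site has `WP_AUTO_UPDATE_CORE` set to `false`, the dashboard notices about automatic releases mentioned above never arrive for it, so the check for pending core updates has to become part of somebody’s routine.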

WordPress Plugins and Themes Security

Even though managing the tens of thousands of plugins and themes out there may sound impossible, WordPress can at least keep a close eye on them to ensure nothing seriously insecure slips through the cracks.

Before a theme or plugin even reaches the directory, a team of volunteers reviews each and every one submitted to WordPress; this team is formed specifically to work with developers and ensure that best practices are followed. When a security issue is detected later, the WordPress Project is the team responsible for working with the developers.

Nevertheless, security vulnerabilities will always be found, which is why the security team steps in to:

  • Provide documentation for WordPress developers on plugin and theme development and security best practices.
  • Monitor plugins and themes for potential security flaws. Any issues detected will then be brought to the attention of the developer.
  • Remove harmful plugins or themes from the directory if their developers are unresponsive or uncooperative.

When those security patches become available, WordPress notifies its users via the WordPress admin.

OWASP’s Top 10

The Open Web Application Security Project (OWASP) Foundation was created in 2001 to protect organizations from software and programs that could potentially do harm. What you may be surprised to learn is that the WordPress Project aims to abide by OWASP’s Top 10 at all times.

OWASP compiles a top 10 list of known and very serious security risks. The WordPress security team uses those trends to define its own top 10 list of ways to defend the core. Basically, its goal is to protect the core from the following risks:

  1. User account management abuse
  2. Unauthenticated access requests to the WordPress admin
  3. Unwanted or unauthorized redirects
  4. Exposing users’ private data
  5. Requests for access to direct object reference
  6. Server misconfiguration
  7. Unauthorized code injection
  8. Cross-site scripting from unauthorized users
  9. Cross-site request forgeries whereby hackers misuse WordPress nonces
  10. Corrupted third-party plugins, themes, frameworks, libraries, etc.
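Several of the items above (account abuse, unauthenticated admin requests, unwanted redirects, cross-site scripting and CSRF) come down to a handful of checks in a plugin’s request handler. The plugin below is an added example written for this page, not code from the WordPress Project; it shows a settings handler first as it is often written and then hardened with the core APIs that address those items. Everything prefixed `pn_` is invented for the example.

```php
<?php
/*
Plugin Name: Note Option (added example)
Description: Added example, not WordPress Project code. A settings form
handler shown as often written, then hardened for list items 1, 2, 3, 8, 9.
*/

// ---- How the flaws look (deliberately NOT hooked; kept only for contrast) ----
function pn_save_note_unsafe() {
    // No nonce: a form on any other site can make a logged-in admin's browser
    // submit this request (item 9, CSRF).
    // No capability check: any logged-in user may change the option (items 1-2).
    update_option( 'pn_note', $_POST['note'] );
    // Target taken from the request: an unwanted redirect (item 3).
    wp_redirect( $_POST['redirect_to'] );
    exit;
    // Printing the stored value later with a plain echo would be stored XSS (item 8).
}

// ---- Hardened version ----
function pn_register_page() {
    // Only users holding manage_options see the page at all.
    add_options_page( 'Note', 'Note', 'manage_options', 'pn-note', 'pn_render_page' );
}
add_action( 'admin_menu', 'pn_register_page' );

function pn_render_page() {
    $note = get_option( 'pn_note', '' );
    ?>
    <div class="wrap">
        <h1>Note</h1>
        <?php if ( isset( $_GET['pn_saved'] ) ) : ?>
            <div class="notice notice-success"><p>Saved.</p></div>
        <?php endif; ?>
        <!-- Output escaping: the stored value cannot break out of the element (item 8). -->
        <p>Current note: <?php echo esc_html( $note ); ?></p>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="pn_save_note">
            <?php wp_nonce_field( 'pn_save_note', 'pn_nonce' ); // per-user, time-limited token (item 9) ?>
            <input type="text" name="note" value="<?php echo esc_attr( $note ); ?>">
            <?php submit_button( 'Save note' ); ?>
        </form>
    </div>
    <?php
}

function pn_save_note() {
    // Item 9: calls wp_die() unless the request carries a valid nonce for this action.
    check_admin_referer( 'pn_save_note', 'pn_nonce' );

    // Items 1-2: a nonce proves intent, not authority; check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }

    // Item 8 (input side): normalise and strip tags before storing.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'pn_note', $note );

    // Item 3: the target is built server-side, and wp_safe_redirect() refuses
    // hosts outside the allowed list (this site by default).
    wp_safe_redirect( add_query_arg( 'pn_saved', '1', admin_url( 'options-general.php?page=pn-note' ) ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; the admin_post_nopriv_
// variant is deliberately not registered, so anonymous requests get nothing (item 2).
add_action( 'admin_post_pn_save_note', 'pn_save_note' );
```

The two checks at the top of `pn_save_note()` are independent: the nonce defends against a victim being tricked into sending the request, the capability check defends against a low-privilege account sending it on purpose. Dropping either one leaves one of the list items open.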

Summary

Knowing that a dedicated team works to keep the WordPress core secure at all times should let WordPress users feel at ease. Still, we have to do what we can to secure our sites from every angle, because no matter how good the WordPress Project is at monitoring and securing the platform, hackers will find a way in.

Predictions of IPv6 in 2017


If you are a web developer, you may have some experience with IPv6, and you may find it enticing and loathsome at the same time. IPv6 advocates have often been frustrated by the pace of adoption, but the good news is that 2016 was a really great year for IPv6, and it is no longer in the ramp-up phase. To see how much has changed, take a look at the information below.

In a similar format to our IPv6 predictions for 2016, we are simply stating what we think will happen.

  1. The majority of container solutions (Docker, Kubernetes, Mesos) will have IPv6 support by the end of 2017
  2. IPv6 growth worldwide will, again, outpace the US
  3. Major private cloud solutions (OpenStack, AzureStack, VMware) will have production-ready IPv6 support
  4. Security will finally start figuring out IPv6
  5. Early IPv6-only data center solutions will start happening

We predict that in 2017 more developers will adopt IPv6 at a faster rate, as containers and the solutions built around them continue to see massive growth. Containers will become the next generation of operator platform, replacing VMware vCenter or OpenStack Horizon, and many developers see them as the way to run and operate with IPv4 and/or IPv6. Native IPv6 already accounts for more than 33% of services (mainly due to mobile operators), and that rate will grow steadily over 2017. Many countries outside the US have not yet reached high adoption rates, so they have a much steeper initial deployment growth curve to leverage: a massive IPv6 deployment can appear almost overnight when a single service provider enables IPv6 for a whole country, and countries such as China and Russia are poised to do just that in 2017.

As more and more customers determine that an all-in public cloud strategy does not address all their business requirements or concerns, you will see an uptick in hybrid-cloud solutions that require the deployment of private clouds. To allow low-friction use of both public and private clouds, these private clouds will have to be tightly integrated with their public cloud counterparts. Both AWS and Azure already have native IPv6 capabilities, and hopefully Google will follow.

Furthermore, you will see not only IPv6-specific capabilities in security product portfolios, but also event correlation and matching for dual-stack hosts. It is therefore important to understand the relationship between a host’s IPv4 and IPv6 addresses and which features or events are occurring over each. In the end, developers will no longer turn IPv6 off as a standard request from IT security; instead, security teams will gain the skills and insight to see what IPv6 is doing, and stakeholders will become more familiar with it. The boldest prediction is that many big companies will take a serious look at an IPv6-only solution to meet their primary customer needs. To keep serving IPv4-only hosts, they may adopt protocol conversion or proxy functions between IPv4 and IPv6. Compared with dual-stack, deploying and operating a new data center with IPv6 only will be far more cost-effective.
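The “event correlation and matching for dual-stack hosts” point above hides a practical problem: the same host shows up in logs under two address families and under several spellings of each. The script below is an added example, not part of the original post; it normalises addresses as logging software writes them (upper case, uncompressed zeros, zone ids, brackets, and the IPv4-mapped `::ffff:a.b.c.d` form a dual-stack socket reports for IPv4 peers) and groups login events per inventory host. The inventory and the log lines are constructed for this example.

```php
<?php
// Added example: correlate dual-stack login events per host. Inventory and
// log lines are constructed; nothing here comes from a real system.

function normalize_ip(string $raw): ?string {
    $raw = trim(explode('%', trim($raw), 2)[0], '[]');   // drop %zone and [ ]
    if (filter_var($raw, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $bin = inet_pton($raw);
    // IPv4-mapped IPv6: the peer is really an IPv4 host, so keep its IPv4 form.
    if (strlen($bin) === 16 && substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        return inet_ntop(substr($bin, 12));
    }
    return inet_ntop($bin);   // canonical lower-case, zero-compressed text
}

/** Map every inventory address to its host name, normalised the same way. */
function address_index(array $inventory): array {
    $index = [];
    foreach ($inventory as $host => $addresses) {
        foreach ($addresses as $address) {
            $index[normalize_ip($address)] = $host;
        }
    }
    return $index;
}

/** Count failed and accepted logins per inventory host across both stacks. */
function correlate_logins(array $inventory, array $lines): array {
    $index = address_index($inventory);
    $stats = [];
    foreach ($lines as $line) {
        if (!preg_match('/(Failed|Accepted) \S+ for \S+ from (\S+) port/', $line, $m)) {
            continue;
        }
        $ip   = normalize_ip($m[2]);
        $host = $index[$ip] ?? 'unknown:' . ($ip ?? $m[2]);
        $key  = $m[1] === 'Failed' ? 'failed' : 'accepted';
        $stats[$host][$key] = ($stats[$host][$key] ?? 0) + 1;
        $stats[$host]['raw_forms'][$m[2]] = true;   // spellings seen, for the report
    }
    return $stats;
}

// Constructed inventory: each host has one address per family.
$inventory = [
    'web01' => ['192.0.2.10', '2001:db8:0:1::10'],
    'web02' => ['192.0.2.11', '2001:db8:0:1::11'],
];

// Constructed sshd lines. The first four are web01 under four spellings of
// its two addresses; compared as raw strings they look like four sources.
$lines = [
    'sshd[101]: Failed password for root from 192.0.2.10 port 51234 ssh2',
    'sshd[102]: Failed password for root from 2001:DB8:0:1:0:0:0:10 port 51240 ssh2',
    'sshd[103]: Failed password for root from ::ffff:192.0.2.10 port 51250 ssh2',
    'sshd[104]: Failed password for root from [2001:db8::1:0:0:0:10] port 51260 ssh2',
    'sshd[105]: Accepted publickey for deploy from 2001:db8:0:1::11 port 40000 ssh2',
    'sshd[106]: Failed password for admin from fe80::1%eth0 port 40010 ssh2',
];

foreach (correlate_logins($inventory, $lines) as $host => $s) {
    printf("%-20s failed=%d accepted=%d seen as: %s\n", $host,
        $s['failed'] ?? 0, $s['accepted'] ?? 0, implode(', ', array_keys($s['raw_forms'])));
}
```

Run with `php correlate.php`: web01 is reported once with four failed attempts rather than as four unrelated sources, web02 with one accepted login, and the link-local address, which is in no inventory, stays visible as `unknown:fe80::1`. A threshold rule (“more than N failures per host”) applied to the raw strings would have missed web01 entirely.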

In conclusion, IPv6 will surely become an important part of the data center story in 2017, and cloud, containers and global adoption will end up as the other big IPv6 stories.


Find Out the Right Types of SSL Certificate for Your Website


As cybercrime gets bigger and bigger, the way Google assesses a website has changed. Google is among the most proactive: it rewards sites that add an SSL certificate (HTTPS). This has made many SEO engineers pay close attention to SSL certificates for better SEO results. But you need to be careful in choosing the right SSL certificate, because there are many types. All SSL certificate types use the same standard encryption methods, but each option has its own requirements and distinct characteristics.

Option #1. Single Domain

Single-domain (or single-name) SSL certificates protect a single domain. This type works well for simple, straightforward content-based sites, including B2B sites and e-commerce sites where all transactions occur on a single domain. To obtain a domain-validated certificate, the applicant has to prove ownership of the domain.

Option #2. Multi-Domain (SAN)

Multi-domain SSL certificates are what they sound like. They are also referred to as “SAN” certificates (for Subject Alternative Names). One multi-domain SSL certificate covers a suite of sites, so it provides flexibility for covering sites that might go away or do not yet exist.

Option #3. Wildcard

If you want to cover all subdomains of a single root domain or host name, a wildcard SSL certificate is the right fit. A typical setup has an unsecured, content-driven ‘marketing’ site on the primary domain and runs everything purchase-related through a secure subdomain. A single wildcard SSL certificate simplifies that mess, and it also protects the main site.
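Which host names options 1 to 3 actually cover is decided by the certificate’s Subject Alternative Name list and the matching rules browsers apply. The script below is an added example, not part of the original post; it implements those rules (RFC 6125: names compare case-insensitively, a wildcard must be the whole left-most label, it matches exactly one label, and it never matches the bare domain) and runs them over constructed SAN lists for the three certificate shapes. For a real certificate the SAN string would come from `openssl_x509_parse($pem)['extensions']['subjectAltName']`.

```php
<?php
// Added example: host-name coverage of single-domain, SAN and wildcard
// certificates. The SAN strings are constructed, not from real certificates.

function san_dns_names(string $sanExtension): array {
    $names = [];
    foreach (explode(',', $sanExtension) as $entry) {
        $entry = trim($entry);
        // Only DNS entries matter for host matching; IP:/email: entries are skipped.
        if (stripos($entry, 'DNS:') === 0) {
            $names[] = strtolower(substr($entry, 4));
        }
    }
    return $names;
}

function san_name_matches(string $pattern, string $host): bool {
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if (strpos($pattern, '*') === false) {
        return $pattern === $host;   // single-domain or plain SAN entry: exact match only
    }
    $p = explode('.', $pattern);
    $h = explode('.', $host);
    // "*" must be the entire first label and needs two more labels behind it,
    // so "*.com" and "www*.example.com" are rejected.
    if ($p[0] !== '*' || count($p) < 3) {
        return false;
    }
    // Same label count: "*.example.com" covers "shop.example.com" but neither
    // "example.com" nor "a.b.example.com".
    if (count($p) !== count($h) || $h[0] === '') {
        return false;
    }
    return array_slice($p, 1) === array_slice($h, 1);
}

function host_covered(string $sanExtension, string $host): bool {
    foreach (san_dns_names($sanExtension) as $name) {
        if (san_name_matches($name, $host)) {
            return true;
        }
    }
    return false;
}

// Constructed SAN extensions for the three certificate shapes. The wildcard
// certificate also lists the bare domain on purpose: "*.example.com" alone
// would leave https://example.com uncovered.
$certificates = [
    'single-domain' => 'DNS:shop.example.com',
    'multi-domain'  => 'DNS:example.com, DNS:www.example.com, DNS:example.net',
    'wildcard'      => 'DNS:*.example.com, DNS:example.com',
];
$hosts = ['example.com', 'www.example.com', 'shop.example.com', 'a.b.example.com', 'example.net'];

foreach ($certificates as $type => $san) {
    foreach ($hosts as $host) {
        printf("%-14s %-18s %s\n", $type, $host, host_covered($san, $host) ? 'covered' : 'NOT covered');
    }
}
```

Running it shows the single-domain certificate covering only `shop.example.com`, the multi-domain one covering exactly its three listed names, and the wildcard one covering `www` and `shop` but not `a.b.example.com` or the unrelated `example.net`. The bare-domain caveat is the one to remember when buying a wildcard certificate for the “marketing site plus secure subdomain” layout described above: check that the root name is on the certificate as well.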

Option #4. Organization

Organization SSL certificates authenticate a company’s identity and information, such as the company’s primary address. You may think this is similar to a single-domain certificate, but organization SSL certificates are more for content-based sites where you don’t need to secure an e-commerce or payments component.

You will also be asked to confirm and authenticate other organization-related details.

Option #5. Extended

The last option, extended validation, is known as the most secure option. It performs the extra organization validation in addition to verifying the domain, and it also double-checks the legal corporation. For your trouble, it shows a green address bar in most modern browsers; in Chrome, you also get the company name, as in this Twitter example below:

[Image: Chrome address bar for twitter.com showing the company name next to the green padlock]

Credibility is what you’re paying for here; the secure connection your site uses is no different from any other reputable SSL connection.

Hence, by selecting the right SSL certificate type, you get a single certificate to purchase and set up that protects multiple different sites.