Blog posts under the Security category
https://webdevstudios.com/category/security/
WebDevStudios, WordPress Design and Development Agency

The Scariest WordPress Website Security Horror Stories We Know
https://webdevstudios.com/2023/10/17/wordpress-website-security-horror-stories/
Tue, 17 Oct 2023
Your WordPress website is often the first encounter a visitor has with your business in today’s ever-evolving digital landscape. It serves as the virtual storefront and online face of your brand, making it crucial to keep it secure. Unfortunately, the digital realm is not immune to threats, and cybercriminals lurk around, waiting for vulnerabilities to exploit. Light the campfire and take a seat. We’re about to share some of the creepiest WordPress website security horror stories we know.

But first… Why is WordPress website security important?

Ensuring the security of your WordPress website is crucial as it is a constantly evolving entity that faces numerous challenges and changes. With the increasing threats that pose a risk to the digital landscape, it is no longer acceptable to be complacent and assume that the security measures that worked a year ago are still effective.

Any WordPress plugin, theme, and custom code can be vulnerable. You must remain aware and vigilant about your WordPress website security. All businesses, regardless of their size or industry, have a personal responsibility to maintain a secure website. A security breach can compromise sensitive data and damage the trust that has been built over the years, potentially ruining the reputation of the company.

Continue reading as we explore real-life WordPress website security horror stories demonstrating the harsh realities of inadequate security measures. We aim to provide you with the knowledge and insights required to strengthen your online security and ensure a safer and more secure digital experience for everyone involved.

Spooky SEO Spam Malware

SEO spam malware is horrifying because these spam links and junk pages are injected into a website without the owner’s knowledge or consent. Imagine someone living within the crawl spaces of your home. That’s what SEO spam malware and spam links are like!

SEO spam malware redirects visitors to malicious websites that contain malware, phishing scams, or other harmful content and hinder WordPress website security in several ways.

  • It ruins your website’s reputation. When visitors click on a spam link and are redirected to a malicious website, they may associate the original website with the scam. This can lead to lost traffic and revenue.
  • Your SEO will take a hit. Once your website is injected with SEO malware, Google will penalize you as though you’re the culprit instead of the victim.
  • These spam links can infect visitors’ devices with malware. Malware can steal personal information, damage devices, or render them unusable.
  • SEO spam links can be used to launch phishing attacks. Phishing attacks trick users into revealing sensitive information, such as passwords or credit card numbers.

Malicious Website Redirects

Malicious website redirects are pieces of code injected into a website without the owner’s permission or knowledge. They are designed to redirect visitors to other websites, often harmful ones. Malicious website redirects can be very dangerous as they can contain malware, phishing scams, or other harmful content.

These malicious redirects can be used for various purposes, including stealing personal information. Phishing websites often use them to trick users into entering their sensitive information, such as passwords, credit card numbers, or Social Security numbers. Malware can also be installed on users’ devices without their knowledge or consent through these redirects. This malware can damage devices, steal personal information, or render them unusable.

Some attackers use malicious redirects to generate advertising revenue by redirecting users to websites that contain advertisements. They can charge the advertisers for each click, leading to a significant amount of revenue. It is crucial to protect your WordPress website from these malicious redirects to ensure the safety and security of your visitors.

Multisite Network Hack

Worse than any zombie invasion, a multisite network hack is a cyberattack that compromises your entire WordPress multisite network. This type of hack can be particularly detrimental to companies, as it can affect multiple websites simultaneously.

One example of a multisite network hack is a SQL injection attack. SQL injection is a type of attack in which attackers inject malicious SQL code into the queries a website sends to its database. This code can then be used to steal data, modify data, or even delete it like a ghost in the night.

Another example of a multisite network hack is a cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious script into a website’s pages. That script is then executed in the browsers of other users who visit the website, where it can steal cookies, session tokens, or other sensitive information.

What Can Happen

Multisite network hacks can be very detrimental to your brand. They can cause a variety of problems, including:

  • Data breaches: Multisite network hacks can lead to data breaches, where sensitive customer or employee information is stolen.
  • Website downtime: Multisite network hacks can also cause website downtime, leading to lost revenue and productivity.
  • Damage to reputation: Multisite network hacks can also damage a company’s reputation, as customers and clients may lose trust in its ability to protect their data.

What to Do

To protect against multisite network hacks, companies should:

  1. Keep their WordPress installation and plugins up to date. WordPress releases security updates regularly, so it is important to keep your installation and plugins up to date to protect against known vulnerabilities. A healthy website is always kept updated.
  2. Use a web application firewall (WAF). A WAF can help to protect your multisite network from a variety of attacks, including SQL injection and XSS attacks.
  3. Implement strong security policies and procedures. Companies should have strong security policies and procedures in place to help protect their multisite networks. These policies and procedures should include password management, data encryption, and incident response.
  4. Act quickly. If you think your multisite network may have been hacked, it is important to take immediate action. You should contact a WordPress security expert like WebDevStudios to help clean up the hack and restore your network to its previous state.

It’s not all doom and gloom.

Never fear. There are many ways you can beef up your WordPress website security and save it from dangerous digital trolls.

2FA

Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to verify their identity. This makes it much harder for attackers to gain unauthorized access to user accounts, even if they have stolen a user’s password.

Two-factor authentication is also known as multi-factor authentication (MFA), two-step verification, and dual-factor authentication. Regardless of the name, 2FA works by requiring users to provide a combination of two different factors of authentication.

2FA is more secure than single-factor authentication because it makes it significantly more difficult for attackers to access user accounts, even if they have stolen a user’s password. It is also easy to use, various methods are available, and a wide range of online services support it.

SSO

Single sign-on (SSO) is a security system that enables users to access multiple applications using a single set of login credentials. This eliminates the need for users to remember multiple passwords, reducing the risk of password fatigue.

SSO works by using a central authentication server to authenticate users. Whenever a user tries to log in to an SSO-integrated application, the application redirects them to the SSO server. The SSO server authenticates the user and grants them a token that they can use to access the application without having to log in again.

You can use various protocols, such as SAML, OAuth 2.0, and OpenID Connect, to implement SSO. The specific protocol you choose depends on the SSO solution and the applications you are integrating.

Hardened Password Policies

A hardened password policy is a set of rules that govern the creation and use of passwords for a company’s website. These rules make it more difficult for attackers to crack passwords and gain access to accounts.

Having a hardened password policy is important for your WordPress website security because it protects sensitive data, prevents data breaches, and ensures your company is compliant with regulations. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires companies to implement a password policy that requires passwords to be at least eight characters long and to include a mix of upper and lowercase letters, numbers, and symbols.

Here are some ideas for keeping a hardened password policy:

  • Minimum password length: 12 characters
  • Password complexity requirements: Passwords must contain a mix of upper and lowercase letters, numbers, and symbols.
  • Password history: Users must not reuse their previous 10 passwords.
  • Password expiration: Users must change their passwords every 90 days.
  • Account lockout: Users are locked out of their accounts after five failed login attempts.

In addition to these rules, companies should also educate their employees about the importance of creating strong passwords and keeping them safe.
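Here is what those five rules look like enforced in code, as an added example (not code from the original post or from WebDevStudios). It uses only the Python standard library; the user record layout, the PBKDF2 work factor and the sample passwords are assumptions constructed for the example.

```python
"""Added example: enforcing the five password policy rules listed above.

Standard library only. The user record layout and PBKDF2 parameters are
assumptions for illustration; a production system uses a tuned slow hash.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 12           # minimum password length
HISTORY_DEPTH = 10        # previous passwords that may not be reused
MAX_AGE_DAYS = 90         # password expiration
MAX_FAILED_ATTEMPTS = 5   # account lockout threshold
PBKDF2_ROUNDS = 50_000    # assumed work factor for this example


@dataclass
class UserRecord:
    salt: bytes
    password_history: list = field(default_factory=list)   # hashes, newest last
    password_set_on: date = field(default_factory=date.today)
    failed_attempts: int = 0
    locked: bool = False


def parse_day(text: str) -> date:
    """Helper so callers can pass dates as 'YYYY-MM-DD' strings."""
    return date.fromisoformat(text)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def complexity_problems(password: str) -> list:
    """Rules 1 and 2: length and character-class mix. Empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems


def validate_new_password(password: str, user: UserRecord) -> list:
    """Rules 1-3: complexity plus the reuse check against the last HISTORY_DEPTH hashes."""
    problems = complexity_problems(password)
    candidate = hash_password(password, user.salt)
    recent = user.password_history[-HISTORY_DEPTH:]
    if any(hmac.compare_digest(candidate, old) for old in recent):
        problems.append(f"reused one of the previous {HISTORY_DEPTH} passwords")
    return problems


def set_password(user: UserRecord, password: str, today: date) -> list:
    """Store the new password only if it passes every rule; returns the violations found."""
    problems = validate_new_password(password, user)
    if not problems:
        user.password_history.append(hash_password(password, user.salt))
        user.password_set_on = today
    return problems


def password_expired(user: UserRecord, today: date) -> bool:
    """Rule 4: force a change once the password is MAX_AGE_DAYS old."""
    return today - user.password_set_on >= timedelta(days=MAX_AGE_DAYS)


def record_login_attempt(user: UserRecord, succeeded: bool) -> bool:
    """Rule 5: lock after MAX_FAILED_ATTEMPTS consecutive failures. Returns the lock state."""
    if succeeded:
        user.failed_attempts = 0
    else:
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True
    return user.locked


def new_user(initial_password: str, today: date, salt: bytes = None) -> UserRecord:
    """Create a record with a per-user salt and an initial, policy-checked password."""
    user = UserRecord(salt=salt or os.urandom(16))
    problems = set_password(user, initial_password, today)
    if problems:
        raise ValueError("; ".join(problems))
    return user
```

The reuse check compares hashes rather than plaintext, so the history never stores old passwords in the clear, and the lockout counter resets on a successful login so a single mistyped password does not accumulate toward the limit.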

Automatic Expiration of Passwords

Automatic password expiration is a security measure that forces users to change their passwords regularly. You configure a password expiration policy in the website’s security settings; once a user’s password expires, the website prompts them to create a new password before they can continue using the site.

This WordPress website security measure is important because it helps to prevent attackers from gaining access to user accounts, even if they have stolen a user’s password. If a password expires before an attacker has a chance to use it, the attacker will be unable to gain access to the user’s account.

Set Up Monitored Events

Setting up monitored events on a company’s WordPress website is a good security measure because it allows the company to detect and respond to security incidents more quickly and effectively. When a monitored event occurs, the company’s security team gets an immediate alert, so it can investigate the event and take steps to mitigate any potential damage.

Examples:

  • Suspicious login activity: This could include login attempts from unusual locations or times or login attempts with known compromised credentials.
  • Changes to critical files or settings: This could include changes to the website’s configuration files, database, or other critical files.
  • Unauthorized access to sensitive data: This could include attempts to access customer information, financial information, or intellectual property.
  • Malicious code execution: This could include the execution of malware, such as viruses, Trojans, or worms.
  • Alerts when the site goes down: Set email and text alerts to the website support team and engineers when the website is down. It helps to restore the backup and bring the site back up and running quickly.
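As an added example (not code from the original post or from WebDevStudios), here is a small detector that turns three of the events above into alerts when run over log lines: a burst of failed logins from one address, a successful login from a country the user has never logged in from, and a change to a critical file. The log format, file paths, addresses and countries are constructed for the example; a real site would feed it from its audit log or security plugin.

```python
"""Added example: turning monitored events into alerts over sample log lines.

Log format, paths, addresses and countries are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRITICAL_PATHS = {"/var/www/html/wp-config.php", "/var/www/html/.htaccess"}   # assumed paths
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed format: "<ISO timestamp> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$")

# Constructed sample log (TEST-NET addresses); the fifth failure, the login from a
# new country and the wp-config.php change are the three events worth alerting on.
SAMPLE_LOG = """\
2024-04-15T10:00:01Z login_ok user=alice ip=198.51.100.4 country=US
2024-04-15T10:01:10Z login_failed user=admin ip=203.0.113.7 country=RO
2024-04-15T10:01:12Z login_failed user=admin ip=203.0.113.7 country=RO
2024-04-15T10:01:15Z login_failed user=admin ip=203.0.113.7 country=RO
2024-04-15T10:01:19Z login_failed user=admin ip=203.0.113.7 country=RO
2024-04-15T10:01:22Z login_failed user=admin ip=203.0.113.7 country=RO
2024-04-15T10:05:00Z login_ok user=alice ip=203.0.113.9 country=RO
2024-04-15T10:06:30Z file_changed path=/var/www/html/wp-config.php user=www-data
2024-04-15T10:07:00Z file_changed path=/var/www/html/wp-content/uploads/x.png user=www-data
""".splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {"ts": ts, "event": m.group("event"), **fields}


def detect(lines, known_locations=None) -> list:
    """Return alerts for the monitored events found in the lines.

    known_locations maps user -> set of countries seen before (the baseline);
    it is updated as successful logins are observed.
    """
    if known_locations is None:
        known_locations = {}
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "login_failed":
            recent = failures[ev["ip"]]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            # Alert once, when the burst first reaches the threshold inside the window.
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append({"kind": "login_bruteforce", "ip": ev["ip"], "ts": ev["ts"]})
        elif ev["event"] == "login_ok":
            seen = known_locations.setdefault(ev["user"], set())
            if seen and ev["country"] not in seen:
                alerts.append({"kind": "unusual_location", "user": ev["user"],
                               "country": ev["country"], "ip": ev["ip"]})
            seen.add(ev["country"])
        elif ev["event"] == "file_changed" and ev.get("path") in CRITICAL_PATHS:
            alerts.append({"kind": "critical_file_changed", "path": ev["path"],
                           "by": ev.get("user"), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each alert is a plain dict so it can be handed to whatever sends the email or text message; the location baseline is deliberately an input, because the first time a user is seen there is nothing to compare against and alerting on every new user would train the team to ignore the alerts.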

No, Regan, you don’t need an exorcist, just a website audit.

If you’re concerned that your website is possessed with SEO spam malware, malicious redirects, and other entities, put away the holy water and perform a website audit. A full website audit will uncover any and all suspicious activity, plus give you some insight into the next steps.

While our team isn’t composed of demonologists and psychics, it is made up of WordPress security experts and technologists who have the problem-solving skills of Sherlock Holmes himself. When you need help uncovering your website poltergeists and strengthening the security of your WordPress website, contact us.

The post The Scariest WordPress Website Security Horror Stories We Know appeared first on WebDevStudios.

Why You Should Use Cloudflare for All Your Websites
https://webdevstudios.com/2021/03/23/cloudflare/
Tue, 23 Mar 2021
What even is Cloudflare?

According to Wikipedia:

“Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services.[2] Cloudflare’s services sit between a website’s visitor and the Cloudflare user’s hosting provider, acting as a reverse proxy for websites.[3][4] Cloudflare’s headquarters are in San Francisco.”

For those who aren’t giant nerds like we are, Cloudflare is an easy-to-set-up tool that turbocharges your website, protects it from the bad guys, and tells you where your audience is coming from. So, let’s talk about what all this really means.

Speed


Faster DNS

Everyone likes a fast website, right? But did you know that there is a lot more to loading times than just a fast web host?

One common issue that causes sites to load slowly is having poor DNS lookup times. Cloudflare helps trim this time down by stepping in as your DNS manager. If you are migrating from a poor DNS manager, you could see your site load speeds reduced by as much as 2,000 milliseconds! For more information see Cloudflare DNS.

Distributed CDN

Ever heard of cache? A cache isn’t money misspelled, but when it’s properly configured, it can make you some.

I’ve covered caching in greater detail in Diagnosing a Slow WordPress Site, but the short answer is it helps your website load faster for all your users. A major factor of website load speeds is distance. In other words, how far away is your server from your audience?

The farther the user is from your host server, the longer it takes for your site to load for your users. Unlike caching solutions that are hosted on just your host server, Cloudflare provides you multiple cache servers distributed across the globe free!* In practice, if you have a global audience, they are served a copy of your website from a server that is closer to them. That means faster load times.

Bonus fact: Since Cloudflare can save a cached copy of your website, in the event your web server goes down, Cloudflare is able to continue to serve your users from its saved copy until your web services are restored. For more information see Cloudflare CDN.

Analytics

Note: This is not a real dataset for WebDevStudios. This is a sample provided for informational purposes.

Another major benefit that Cloudflare provides is in-depth analytics of all your site’s traffic out of the box. Knowing where your audience is coming from is helpful for your marketing strategy. Perhaps you didn’t know you were popular in Germany. These types of insights aid you in making more informed business decisions, such as opening up a version of your site in German or load balancing your website to be closer to your real customers.

If you are a fan of Google Analytics, you can still use it in conjunction with Cloudflare. For more information see Cloudflare Analytics.

Security

While speed and analytics certainly are important, as a backend engineer, the biggest reason I love Cloudflare is for the security resources it provides. Better than a mall cop, Cloudflare provides free distributed denial-of-service (DDoS) protection to all of its users.

A DDoS attack is when a bad actor wants to make a website (or any network resource) unavailable to other users. One way this can be accomplished is by instructing a pool of thousands of infected computers to load a particular website in the hope of overwhelming that server’s capacity, and thus bringing down the website.

The reasons why someone nefarious would do this are plenty; suffice it to say, it’s not a good thing when your site is the next target. As a leading provider of DDoS protection, Cloudflare has a database of most bad actors and can block their requests from ever reaching your website, thus keeping it online. For more information see Cloudflare DDoS.

Conclusion


If you’d like your website to be faster and more secure, and to know where your customers are coming from, I hope you give Cloudflare some consideration.

To address the asterisk after “free” earlier, all the services I mentioned in this article are provided free for all the sites you own and should be all that small to mid-sized websites need. Who doesn’t like free stuff? If, however, you are a larger enterprise client, Cloudflare provides an extended range of paid services to help you even more.

So, whether you’re leveling up your current website or launching a new web project, consider my advice. If you’re seeking a team of pros to help you with that, contact us!

The post Why You Should Use Cloudflare for All Your Websites appeared first on WebDevStudios.

Cybersecurity Tips for Remote Workers
https://webdevstudios.com/2020/05/14/cybersecurity-tips-for-remote-workers/
Thu, 14 May 2020
There’s no question we live in interesting times. The recent global pandemic has had everyone scrambling to try and meet customer demand and keep employees working. For the lucky ones who get to continue working during this crisis that means making changes to how we work, largely doing everything remotely. With millions of people working from home, who may have never had to manage their cybersecurity, this new way of working brings with it some potentially serious security concerns. That’s why we’re taking this time to offer you some cybersecurity tips for remote workers.

I’m lucky enough to work for WebDevStudios as a Support Engineer. We are a fully distributed company. That means we all work from home. WebDevStudios has been 100% remote for over a decade, and we’ve all learned some important lessons and acquired expert knowledge.

Before we jump in, though, what exactly is cybersecurity? To oversimplify it a bit for the purposes of this article, it’s basically best practices for defending your computers, servers, corporate assets, and electronic systems or data from malicious actors who try to take advantage of vulnerable systems. With even more people working online, there are even more scammers and hackers trying to take advantage of this terrible situation. Apply these cybersecurity tips for remote workers and keep your computer safe during all this.

Use Antivirus Software

You should already be running antivirus software, but if not, that needs to be your number-one priority. Everyone is human and we are going to make mistakes and click on things without thinking or download a file from someone else who isn’t running antivirus software.

There are a lot of great antivirus software brands, and your company may even provide licenses for one of the popular antivirus packages. If not, however, know that there are free options for every operating system (Mac, PC, Linux). For the purposes of this article, we’ll mostly be focused on Mac and PC.

Free options are great, but having solid antivirus protection is what is super important. There’s a reason I started this list of tips with this one. If you aren’t running antivirus, even viewing an image can be a potential point of attack. Someone could infect your system with a virus or malware and cause all kinds of damage. Viruses can do things, such as copy sensitive data (like usernames and passwords, especially financial ones) and send it to the hacker’s server where they collect and then sell your information on the black market, usually via the dark web.

Malware can be almost as bad and is often used to insert intrusive ads on your system. Both types can also use your computer as a zombie to try and infect other systems. So, do yourself a favor and make sure you are running antivirus software. The free ones are indeed pretty good, but like with anything, you get what you pay for. Check with your employer’s IT department to see if they provide licenses to a specific antivirus software. If not, the premium options are often affordable at around $30-$50 per year and are worth every penny.

Trust No One

Next, before we get into another favorite bit of software, do not trust anyone online. It should be your default position. The number-one source of system intrusion is typically employees not being vigilant with sensitive information. Something innocuous, like clicking on a random link, can lead to your computer getting infected.

If you get a link from someone you don’t know, DO NOT OPEN IT! This is often a “phishing” scheme where the attacker learns about you or tricks you into installing something you shouldn’t by getting you to visit a special URL (link) designed to compromise your system.

You should also guard your own and your company’s private information. Use common sense and be suspect of anyone you don’t know online. To complicate things even further, you have to watch out for people pretending to be people you know. Just the other day, I got a Facebook friend request from my aunt and it turned out to be someone pretending to be her. She was asking me for money, and red flags went up immediately. I checked and sure enough, my aunt and I were already friends on Facebook. This new account was trying to pretend to be her to scam our family out of money. Stay aware!

Use Strong Passwords and a Password Manager

Speaking of sensitive information this next tip is all about passwords. First and foremost, you should be using unique passwords for everything. I know this is a major hassle, and remembering a password for every site seems impossible. You’re right; it is. That’s why we recommend using a password manager like 1Password or LastPass.

Once you install these apps, they’ll remember all your passwords for you and store them in a secure vault. Then, you just need to remember ONE password to get access to all your passwords. This protects you in a number of ways.

For example, if you do somehow get a virus that searches your computer for passwords, it won’t be able to find them, as your passwords will be inside a secure, encrypted vault. It would take a hacker many decades to break into that vault with today’s computers.

Also, using a different password for every service means that if one service gets hacked, and your password is leaked, then it won’t affect any other accounts you have. This is super important, as it seems like there isn’t a month that goes by where some service or another isn’t hacked and customer data stolen or exposed. Bottom line: use strong, unique passwords and store them in a secure password manager like 1Password or LastPass.

Use a VPN

This cybersecurity tip is a little more technical. A VPN is a virtual private network that you can connect to and then browse the internet and complete your work safely. You’ll need a VPN service to do this, and they usually have their own software, as well.

A VPN provides protection against a number of exploits like people “sniffing packets” from your computer to steal passwords or other sensitive information like bank accounts. This is more critical when you are working on a public network, like at a coffee shop or airport, where other people you don’t know are on the same shared network as you.

With a VPN, you connect to a virtual private network and then your connection is encrypted and made anonymous. It is much more difficult for hackers to gain access or see your passwords with an active VPN. Remember, when you are connected to any network, including your own cable/fiber internet, your service provider can see all your activity, as well. A VPN will keep your internet usage private and protect your connection from malicious hackers.

Don’t Share Your Zoom Links Publicly

I shouldn’t have to even be saying this, but some unscrupulous folks have decided to invade unprotected Zoom chats (and other open chat systems) and play pranks on the calls, or worse, listen in and gain inside secrets. So far, it’s mostly been stupid pranks, but one of our executives was on a public meetup where someone broke into the chat and played pornography. There really is serious potential for someone to wreak havoc and expose (pun intended) you and your company to liability or harassment all the way to corporate espionage.

Zoom has taken steps to lock things down by default, so make sure you have the latest version of Zoom (or any app you are running, for that matter; staying up to date is part of the security process). If you do have to share your Zoom link, make sure you require passwords to join or that you manually approve people who join your chat (that’s now the default behavior in Zoom). You can read more about “zoombombing” on Wikipedia. It sounds cute, like photobombing, but it’s so much worse!

Hide Your WiFi

Wait, what? Hide my WiFi? Yeah, hide it so that not just anyone can probe your network.

You should already be using a WiFi password (and hopefully a strong one; I know typing them sucks!), but if your network SSID (network ID or network name) is set to “broadcast,” attackers know it exists and can start probing for ways to get in. If you change your network settings so the SSID does not broadcast, anyone who wants to join your network will need you to personally tell them the network name and the password.

That also means that strangers sitting outside your house can’t see your network just by parking outside at the curb. This is a bit of “security by obscurity,” and I don’t usually recommend that, but with WiFi, it’s an extra step that can really help keep your network more secure. Changing this setting requires you to have admin access to your router. If you have one from your internet service provider, the password is likely on the side or back of the modem/router provided.

Have a Strong Security Policy and Follow It

Even if your company doesn’t have an official security policy, you should set out guidelines for yourself. Everything is online these days, and most of these tips will apply to anything you do online. Make sure you have at least a basic understanding of how to work securely online.

Back Up Your Computer

I know this doesn’t sound like much of a security tip. I even debated making it the first item in the list; that’s how important it is. No matter how careful you are, things happen. The last thing you want to do is lose important work or data that can’t easily be recovered.

A bad virus can infect and delete or encrypt data in such a way that you can no longer access it. They may even try to ransom the data back to you in extreme cases! So, make sure you are backing up your computer. You should be doing this already.

I personally have a cheap USB drive that I back up my computer to weekly, and I use an online service called Backblaze to automatically back up my computer to the cloud. It works pretty well. There are other services out there, but please, back up your computer locally and remotely for the best coverage.

Keep Software and Apps Up To Date

Make sure you keep your software and apps up to date! I can’t believe I left this out originally, as it’s super important. Out-of-date software is one of the most common ways a computer system gets compromised. My advice is to turn on auto updates if you can (I do this for all my mobile apps and any software that supports it), and if not, you can set a reminder to check for updates at least once per week.

I usually do my updates and backups on the same day. I set a reminder for Sunday evening and then do any software updates that need to be done and then hook up my USB drive to get a local backup. Thanks to Nick Franklin via Twitter for reminding me of this one!

Some Quick Bonus Cybersecurity Tips for Remote Workers

  • If you are out in public, make sure people can’t easily see sensitive data on your screen.
  • Use encryption where possible (example: you can use PGP encryption to encrypt your emails).
  • Don’t leave your device open/logged in when you walk away from it, especially in public.
  • Don’t use/trust a USB device you found or were given by someone you don’t know.

Lastly, remember that human behavior is the weakest link in almost every security policy. Stay alert, aware and suspicious of everything to improve your chances of not getting hacked, infected or otherwise compromised. This is true whether you are working from home or once you go back to the office.

Did you enjoy these cybersecurity tips for remote workers? Read more of our remote work articles and stay safe!

The post Cybersecurity Tips for Remote Workers appeared first on WebDevStudios.

WDS Single Sign-On
https://webdevstudios.com/2018/12/13/wds-single-sign-on/
Thu, 13 Dec 2018
Single Sign-On (SSO) is one of those features every pointy-haired boss in the world wants on their websites. Managing user accounts and passwords across dozens of work-related sites gets very old, very quickly. The longer time went on, the greater the need for an SSO solution at WebDevStudios (WDS) became. I’ll tell you a little about our implementation of Single Sign-On using WordPress and Google accounts, and how it helps both WDS and our clients simultaneously.

What is it?

In the simplest terms, Single Sign-On is a way for someone to access multiple websites using one set of username and password credentials.

The WDS-specific implementation uses Google authentication, primarily because we use the Google apps suite for our work tools. But WDS-SSO can easily support any standard OAuth service. Here’s a list of features we built into our SSO solution:

  • Google Auth support (including Two-Factor Authentication)
  • Client/Proxy configuration makes setup a one-time task
  • Enforces all sites involved to use HTTPS
  • Uses industry standard JSON Web Tokens (JWT)
  • Multisite support
  • Selective role maps (including Super Admin) for individuals and/or sites
  • Support for selective (multiple) domain authentication
  • Optional SSO user removal feature on deactivation
  • Extensible to work with any standard OAuth implementation

Why is it important?

At WDS we build a lot of websites. Currently there are almost 30 projects being worked on concurrently. When you consider that each site will have at least one staging site for quality assurance and client approval, it’s more than double that number.

What happens if a team member leaves WDS? Do we have to go through dozens of sites to track down their accounts and deactivate them? We used to do that. Now, most access is handled through their Google account. Deactivate that and they can no longer log into any site that uses Google authentication—including all of our SSO-enabled sites.

Not only do managers love this feature, it’s ultimately easier for everyone who uses it. Instead of entering a username and password for every site and clicking the blue Log In button, you just click the big orange WebDevStudios Login button.

How it works

Here is a flow diagram of how our SSO plugin suite works. Each circle represents a different site involved in the process. By splitting the responsibility up between a client and proxy site, only the proxy site needs to talk to Google—and it’s the only site that needs any API configuration. Client plugin installation is very simple.

As a user, it’s all very seamless. If you’re already authenticated with Google, it’s simple. Just click the big orange button:

If you’re not authenticated with Google, the process looks like this:

Part of the process you didn’t see (off-screen) was the Two-Factor Authentication piece, which is required per our security policy. I used my fingerprint and the Gmail app to double-check that it is indeed me.

Another security concern we address is inter-site communication. If one of the sites (client, proxy, or Google) isn’t using HTTPS, there’s a chance for a man-in-the-middle attack where the token could be intercepted and altered, allowing the attacker to pose as an authenticated user. WDS-SSO requires that all sites involved use HTTPS for this reason.
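To make the token handling concrete, here is an added example of the checks a client site performs before it trusts the identity carried in a JWT handed back from the proxy. It is an illustration written for this post, not WDS-SSO’s own code: the shared secret, issuer and audience URLs, the `sub` and `role` claim names, and the helper names are all assumptions, and a real deployment would use a maintained JWT library and the key material configured in the plugin. The block runs as plain PHP with no WordPress dependency.

```php
<?php
// Added example (not WDS-SSO's code): verifying an HS256 JSON Web Token the way a
// client site would before acting on the identity it carries. All values below are
// constructed placeholders for illustration.

function b64url_decode( $data ) {
    $pad = strlen( $data ) % 4;
    if ( $pad ) {
        $data .= str_repeat( '=', 4 - $pad );
    }
    // Strict mode returns false on any byte that is not valid base64.
    return base64_decode( strtr( $data, '-_', '+/' ), true );
}

function b64url_encode( $data ) {
    return rtrim( strtr( base64_encode( $data ), '+/', '-_' ), '=' );
}

/**
 * Returns the verified claims array, or a string describing why the token was rejected.
 * $now is passed in so the check is deterministic (use time() in real code).
 */
function verify_sso_token( $jwt, $secret, $issuer, $audience, $now ) {
    // The proxy must only ever be reached over HTTPS, matching the plugin's requirement.
    if ( parse_url( $issuer, PHP_URL_SCHEME ) !== 'https' ) {
        return 'issuer is not https';
    }
    $parts = explode( '.', $jwt );
    if ( count( $parts ) !== 3 ) {
        return 'malformed token';
    }
    list( $h, $p, $s ) = $parts;

    $header = json_decode( (string) b64url_decode( $h ), true );
    // Pin the algorithm: the token must not get to choose "none" or another scheme.
    if ( ! is_array( $header ) || ( isset( $header['alg'] ) ? $header['alg'] : '' ) !== 'HS256' ) {
        return 'unexpected algorithm';
    }

    $expected  = hash_hmac( 'sha256', "$h.$p", $secret, true );
    $signature = b64url_decode( $s );
    // Constant-time comparison so the check itself leaks no timing information.
    if ( $signature === false || ! hash_equals( $expected, $signature ) ) {
        return 'bad signature';
    }

    $claims = json_decode( (string) b64url_decode( $p ), true );
    if ( ! is_array( $claims ) ) {
        return 'malformed claims';
    }
    if ( ( isset( $claims['iss'] ) ? $claims['iss'] : '' ) !== $issuer ) {
        return 'wrong issuer';
    }
    if ( ( isset( $claims['aud'] ) ? $claims['aud'] : '' ) !== $audience ) {
        return 'wrong audience';
    }
    if ( ! isset( $claims['exp'] ) || $now >= (int) $claims['exp'] ) {
        return 'expired';
    }
    return $claims;
}

// Constructed demo: mint a token the way the proxy would, then verify it.
$secret   = 'constructed-demo-secret'; // placeholder, not a real key
$issuer   = 'https://sso-proxy.example';
$audience = 'https://client.example';
$now      = 1700000000;

$header  = b64url_encode( json_encode( array( 'alg' => 'HS256', 'typ' => 'JWT' ) ) );
$payload = b64url_encode( json_encode( array(
    'iss'  => $issuer,
    'aud'  => $audience,
    'sub'  => 'jane@example',
    'role' => 'editor',
    'exp'  => $now + 300,
) ) );
$sig   = b64url_encode( hash_hmac( 'sha256', "$header.$payload", $secret, true ) );
$token = "$header.$payload.$sig";

print_r( verify_sso_token( $token, $secret, $issuer, $audience, $now ) );

// The interception-and-alteration case the text describes: a changed payload with the
// original signature no longer verifies, so the altered role is never honoured.
$altered = b64url_encode( json_encode( array(
    'iss' => $issuer, 'aud' => $audience, 'sub' => 'jane@example',
    'role' => 'administrator', 'exp' => $now + 300,
) ) );
print_r( verify_sso_token( "$header.$altered.$sig", $secret, $issuer, $audience, $now ) );
```

The order of the checks matters: the signature is verified before any claim is read, so nothing inside an unverified payload influences a decision, and the algorithm is pinned from the client’s side rather than read from the token.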

How our clients benefit

There are several benefits for our clients. It makes it easy for the right people—active WDS employees—to have the appropriate access to their development sites without having to bother the client.

As a policy, when it’s time to go live, we remove the WDS-SSO plugin. Upon deactivation, there’s an option to remove WDS-SSO users and reassign any content produced by them. What this does is remove WDS developer accounts and re-attribute their created content to the client. That way, a year down the road, a client isn’t wondering who this “Justin Foell” guy is and, “Why does he have access to my website?”

It’s a win-win for both WDS and our clients.

Ongoing Website Maintenance: Why the Transition from WDS to Maintainn Makes Sense
https://webdevstudios.com/2018/06/21/ongoing-website-maintenance/ (Thu, 21 Jun 2018 16:00:59 +0000)
Growing up, I can vividly remember my father threatening to take away my car if I didn’t get the oil changed every three months. The younger me liked to “ride the line” and stretch that three months out as long as possible, but that did not come without ramifications to my vehicle. As I got older, I realized the significance of regular oil changes and check-ups on my car. In fact, there are not many things these days that don’t require some version of extended service and support. That’s why I’m taking the time now to address the importance of ongoing website maintenance and why the client transition from WebDevStudios (WDS) to Maintainn makes sense.

My iPhone, laptop, even a new air purifier I recently purchased all had the option to buy some form of a maintenance plan. I’ve never regretted purchasing one because while I’d like to think of myself as responsible, I’m far from graceful. Working in the tech industry now as the Director of Client Strategy at WDS, I’m often asked whether or not an ongoing website maintenance and support plan for a website is necessary. My answer is always the same, “Absolutely.”

I understand being hesitant to engage in this extra expense. I’ll be the first to admit that YouTube tutorials, online classes, and documentation have me believing that I’m an expert developer at times; and while these tools are helpful, they don’t always account for the unexpected. There are many reasons why ongoing support is critical but let me just share a few.

Plugin, Theme, and WordPress Updates

All of the code that goes into making WordPress work is often referred to as the “core.” WordPress sends out updates a few times a year to ensure that the core is always in tip-top shape. Some releases are small, but some are important, containing things like critical security updates. Every update is worth taking seriously.

Plugins are created by this amazing open source community to extend the functionality of your website. Plugins can update more or less frequently depending on how engaged the developer is in improving the tool.

There’s also your website theme to think about. Whether you’re using a free or premium one, chances are that as WordPress releases new updates, so will your theme.

I hesitate to hit that “update” button sometimes. You don’t always know how your website will be affected. While most agencies develop websites to be as update-proof as possible, there are no guarantees. Having a professional on deck to handle these updates for you is critical to the performance and health of your website.

Security

Hacking: it’s a term we are all familiar with. A quick look at the news and there is a story of some website being hacked somewhere. There are numerous measures you can take to protect your website. Some are easy and may merely require a plugin, but others tend to be a bit more complex. With ongoing support, trusted professionals will ensure the health of your website. One thing you may want to consider is whether your website is being monitored on a regular basis. Regular security scans alert the website owner if a file has been tampered with, if there are irregular logins, or even if there have been DNS changes. Ongoing monitoring can detect whether these changes are out of the ordinary and quickly put things back to normal.

Backups

Here is a typical scenario—you hire someone new to work on your website. It could be a new developer or maybe someone just adding content. They are given more access than they need, and accidentally something happens, and your site is not looking like it should. If you have regular backups being performed on your website, restoring to the last one should be a painless process. Without backups, you are in for a ton of investigation and work. Having regularly scheduled backups is the insurance policy you need most.

Big and Small Changes

The real hero of a maintenance and support plan is simply having access to a team of experts available to help. That form you want to add to the website, those images that you just haven’t had a chance to upload, the new ads you want to put on the homepage; with a support team, it’s as simple as letting them know your plans and then allowing them to take it from there. Think of your support team as an extension of your business. They are here to support you. No task is too small or large.

This may seem like a lot, and it is. There is no need to tackle all of this yourself. That’s why WDS has Maintainn. At Maintainn, a brilliant team of support specialists is there to answer your questions, help plan for changes, secure your website, back it up regularly, and update it consistently. All of this is to ensure you have a high-performance and rock-solid website. Not only does this bring you peace of mind, but it also assures your visitors are enjoying their experience. Yeah, there may be some additional investment, but it can’t compare to the investment needed if these safeguards are not in place.

The Part You Play in Your Website’s Security
https://webdevstudios.com/2017/06/29/the-part-you-play-website-security/ (Thu, 29 Jun 2017 16:00:25 +0000)
When it comes to the security of a company’s website, most people think that the responsibility relies solely on the IT department. This couldn’t be further from the truth. In reality, every single person who has a login for your site, from admins to authors, all have a part to play in website security.

You don’t have to be a technology expert or a seasoned software coder to keep your website safe. Just by using the following tips, every team member who contributes to your website can assist with strengthening its security, no matter what their job role is in the organization.

Password Managers and Passphrases

I know, I know. You’ve already been preached to on the importance of a strong password. That hasn’t stopped people from using passwords like “123456,” “qwerty,” or any variant of “Pa$$w0rd!” So I’ll say it again, a strong password is vital.

Writing your password down on a piece of paper stuck to the back of the monitor is a no-no, too. But you knew that already, right?

“I’ll never remember a really long, complicated password,” is an argument I’ve heard several times. I have two recommendations to get around this.

  • Invest in a password manager. Consider setting up an account with LastPass, or my personal favorite, 1Password. With a password manager, having a 30+ character random password for a website is no problem. When it comes time to log in, you simply copy/paste it from your password manager rather than having to recall it from memory.
  • Use a passphrase. Maybe you prefer to keep your password memorized. That’s fine. But I urge you to consider using a passphrase. I tend to use full sentences comprised of song lyrics or a quote from a movie. For example, “Carry on my wayward son. For there’ll be peace when you are done.” or “You want the truth? You can’t handle the truth!”

Staying Protected While Using Public Wi-Fi

When we travel, or even if we’re just working from the local coffee shop, we typically don’t think twice about connecting to the free Wi-Fi and diving into work. While you may think it’s far-fetched, having your login credentials stolen while on public Wi-Fi is a very real possibility. And while there’s no way to 100% guarantee it’s not going to happen, one thing you can do to limit the risk is to make sure you are connected to your site using a secure connection.

In the screenshot above, the Chrome browser has displayed the word “Secure,” and the URL starts with https://. This lets us know that the website we’re browsing has a security certificate, and the data passed between the browser and the website’s server is encrypted before it is sent. If you do not see the word “Secure” and the URL starts with http://, data passed between the two is sent in plain text. If that’s the case, I would think twice about logging in over public Wi-Fi, and encourage your IT team to set up an SSL certificate right away.

Another option for those who frequently use public Wi-Fi is to consider investing in a VPN (Virtual Private Network).

Question Everything

Criminals, hackers, and ne’er-do-wells are always looking for new ways to steal sensitive data.

I’m sure you’ve heard the term phishing, and if you’re like me, you probably think that you’re too smart to fall for a phishing attack. But under the right set of circumstances, I don’t care how careful you are, it can happen to any one of us. Don’t think so? Check out this post and let me know if this makes you think otherwise.

Not all security attacks happen online. In one of my favorite books, The Art of Deception, the author explains the art of Social Engineering and how it can be used to trick somebody into simply handing over their login credentials. Again I say, if you don’t think it can happen to you, I strongly suggest you read the book.

Keeping your website safe and secure is a team effort. Staying on your toes and always being alert is the key!

The Six Questions Developers Need to Ask Before Turning in Tasks
https://webdevstudios.com/2016/09/01/six-questions-developers-need-to-ask/ (Thu, 01 Sep 2016 17:05:30 +0000)
Every day I spend time working on products for our great clients, and I spend a great deal of it writing code and building features. But I’m not just creating new features, I’m also creating new opportunities…opportunities to break that product. Here are the questions developers need to ask before turning in their tasks, and how they’re going to help you code smarter.

  1. How can I break this?
  2. Where’s Murphy hiding?
  3. Who do I trust?
  4. What’s dangerous?
  5. What are the real limits?
  6. Who is this for?

For example, what could go wrong with this example?

<?php _e( 'What could go wrong here?' ); ?>

Well, it turns out, a lot.

Developers, ask yourself these six questions before turning in any task

Have you ever tried breaking this by adding malicious scripts to a language file? Turns out an innocent function like this opens a huge opportunity for people to break things. This was my own revelation a few weeks ago, and it dawned on me that I do not spend enough time trying to break things and learning the skills I need to detect these hidden opportunities in my code. The first step was simply realizing that with every new feature comes new opportunities, but the following are a few steps I’ve been taking before I complete and turn in any new feature.

How can I break this? (Go break it)

During the drudge of daily tasks and code commits, we often can overlook the need to go in and actually break things we build. The definition of hacking isn’t necessarily malicious; it’s simply taking something and repurposing it for a different reward. MacGyver was famous for this kind of hacking! That said, hacking is commonly used to break things, and that’s what we’re looking to fix, which is why we should try to break our own stuff.

It takes more than just trusting functions and methods to get the job done. You have to actually get in there and try and break what it is you just made. I feel we aren’t encouraged enough to go in there (and especially spend the time) and be a hacker. But I call all developers out! Become a hacker daily! Break your stuff! In doing so, you are going to build better products, serve your clients better, increase the reliability of your company, and, ultimately, become a better developer.

I also encourage CEOs, business owners, leads, and project managers to change the rhetoric behind security to go beyond just coding and make the actual act of hacking your own solutions a part of the development process. Tell your developers to ask themselves, before turning in a task or pull request, “How can I break this?” And give developers permission to take the time to become a hacker.

Where’s Murphy hiding?

Anything that can go wrong, will go wrong. – Murphy’s Law

So we’re trying to hack our new feature, and we find a way that a user can pass a combination of query arguments, and somehow, logged in as a subscriber, could possibly run a server-intensive script we just built over and over. I feel (admittedly, through my own experience) we tell ourselves too much that they would never figure out how to do that, and we move on. But someone will!

I’ve just created a problem that will happen in the future. Thinking of these findings as problems that will undoubtedly happen, no matter how unlikely we think it is, will help us keep the internet and clients safe. It allows us to strategize.

Who do I trust?

Developers can be too trusting, and we shouldn’t be. Never trust anyone.

<?php _e( 'What could go wrong here?' ); ?>

In our example here, we might admit that the only people who could really cause a problem are the ones who translate. Maybe they’re our own people, maybe they’re strangers, or maybe they’re future translators that a client hired six months down the road who know nothing about WordPress. Whoever it is, I say, they automatically get the “I don’t trust you” stamp of non-approval. It’s strange, but developers have to live in a very untrustworthy world, and we’re better developers for it! Having a skeptical approach will lead you to create more secure code and features. Take your paranoia and make something rock solid.

What’s dangerous?


In the spirit of Murphy’s Law and trusting no one, you have to see information itself as a potential transmitter of viruses, illnesses, and things that cause bad things to happen and blow up the Internet. Data and information are dangerous! By shifting our view of information to something dangerous that may be hiding some disease inside, we can be better devs.

An example.

$image = get_the_post_thumbnail();
echo $image;

In this example, we might view $image as completely innocent and trustworthy.

But it’s not.

Did you know that get_the_post_thumbnail() has a filter? Yeah, it’s post_thumbnail_html and anyone can filter the output and push out a harmful script! $image is dangerous; variables are dangerous! How do you know someone with server access didn’t inject a Must-Use plugin that filters that output?

If we put on our Hat Of Mistrust, we’ll be aware that leaving that variable alone is risky, and take action:

$image = get_the_post_thumbnail();
echo wp_kses_post( $image );

This allows the img tags that are allowed in the WordPress post editor, and if anyone tries to inject a harmful script, it won’t let them. We need to start seeing information as potentially dangerous, and ask ourselves whether it is, because we don’t know all the filters or ways people can turn information against us. Using critical thinking and strategy in the ways we work helps us stay one step ahead of people who either don’t know better or have malicious intent.

If we were really paranoid, we might write something like:

$image = get_the_post_thumbnail();
echo ( is_string( $image ) && stristr( $image, '<img' ) ) ? wp_kses_post( $image ) : '';
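Bringing the translation point and the filtered-output point together, here is an added example of the same three output spots handled defensively; it is written for this post and is not the author’s code. It is meant to run inside WordPress (a theme template or mu-plugin), not as stand-alone PHP, and the function names, the `wds-example` text domain and the sample markup in the last function are placeholders constructed for illustration.

```php
<?php
// Added example (not from the post): escaping or sanitizing each untrusted value at
// the moment it is printed. Runs inside WordPress; names and text domain are placeholders.

/**
 * Translated strings: a .po/.mo file is input too, so it is escaped like any other input.
 * esc_html_e() translates and then HTML-escapes; _e() would echo the translation raw,
 * so a script tag placed in the language file would reach the browser untouched.
 */
function wds_example_heading() {
    esc_html_e( 'What could go wrong here?', 'wds-example' );
}

/**
 * Translated attributes: inside an attribute the escaping context is different,
 * so esc_attr__() is used there and esc_html__() for the element text.
 */
function wds_example_button() {
    printf(
        '<button type="button" aria-label="%s">%s</button>',
        esc_attr__( 'Open the menu', 'wds-example' ),
        esc_html__( 'Menu', 'wds-example' )
    );
}

/**
 * Filtered HTML: get_the_post_thumbnail() runs through the post_thumbnail_html filter,
 * so any active plugin (including a must-use plugin) can rewrite it. wp_kses_post()
 * keeps the tags and attributes the post editor allows and drops script tags,
 * on* event-handler attributes and javascript: URLs before the markup is echoed.
 */
function wds_example_thumbnail( $post_id = null ) {
    $html = get_the_post_thumbnail( $post_id, 'medium' );
    if ( ! is_string( $html ) || '' === $html ) {
        return ''; // no thumbnail set, or a filter returned something unexpected
    }
    return wp_kses_post( $html );
}

/**
 * A one-off check to see what kses removes. The markup is a constructed sample,
 * not real filtered output: an otherwise valid img with an event handler attached,
 * followed by a script tag. Neither the handler nor the script tag survives.
 */
function wds_example_kses_check() {
    $sample = '<img src="/wp-content/uploads/sample.jpg" alt="sample" onerror="alert(1)">'
            . '<script>alert(1)</script>';
    return wp_kses_post( $sample );
}
```

The rule of thumb the block follows is “escape late”: the raw value is kept as long as it is being passed around, and the escaping or sanitizing call sits at the `echo`, `printf` or `return` that hands it to the browser, chosen by context (HTML text, attribute, or a block of post markup).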

What are the real limits?

Another question I think developers rarely ask themselves is, “What are the real limits?”

Really thinking about this question can produce interesting answers.

For instance, what is the limit of get_posts? At first, you might think, well -1 (I did). Set that posts_per_page to -1 and we’ll get all the things, yeah baby! But, a smarter developer might find that…

  • The server’s execution time is a limit
  • The server’s memory is a limit
  • 15, the limit is 15; there will always be 15

We should be thinking about real limits, not just limits in code, and what happens when these limits are reached, like the server’s execution time or memory limit resulting in a 503. Or, getting fifteen posts; no harm there, right? Have you ever asked yourself how many posts_per_page actually result in a timeout or a 503 on your server? It’s a good question.

Our job as developers is to eliminate the harmful effects of reaching real limits and we need to be aware of what these limits are and make sure we’re not breaking them.
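As an added example for this section (not the author’s code), here is one way to keep a request from ever asking for “all the things”: the page size is clamped to a ceiling the developer chose, and the query is told up front which work it can skip. It runs inside WordPress; the constant, the function names and the ceiling of 50 are placeholders, and the right ceiling for a given site is the number you find by actually measuring where timeouts start.

```php
<?php
// Added example (not from the post): a bounded query helper. Runs inside WordPress;
// the constant and function names are placeholders.

// Hard ceiling chosen by the developer, never by whoever sends the request.
const WDS_EXAMPLE_MAX_PER_PAGE = 50;

/**
 * Turns an untrusted "per_page" request value into a safe posts_per_page.
 * Non-numeric input, zero, negatives (including -1, which means "all" to WP_Query)
 * and oversized values are all clamped.
 */
function wds_example_per_page( $requested, $default = 10 ) {
    $n = is_numeric( $requested ) ? (int) $requested : 0;
    if ( $n < 1 ) {
        $n = $default;
    }
    return min( $n, WDS_EXAMPLE_MAX_PER_PAGE );
}

/**
 * Runs the query with the real limits in mind: a capped page size; no_found_rows so
 * MySQL skips the total-count pass when pagination totals aren't needed; only IDs
 * returned, and the meta/term caches left unprimed, when full objects would be wasted
 * memory.
 */
function wds_example_recent_post_ids( $requested_per_page, $page = 1 ) {
    $query = new WP_Query( array(
        'post_type'              => 'post',
        'post_status'            => 'publish',
        'posts_per_page'         => wds_example_per_page( $requested_per_page ),
        'paged'                  => max( 1, absint( $page ) ),
        'fields'                 => 'ids',
        'no_found_rows'          => true,
        'update_post_meta_cache' => false,
        'update_post_term_cache' => false,
    ) );
    return $query->posts; // array of post IDs, at most WDS_EXAMPLE_MAX_PER_PAGE long
}

/**
 * Example caller, e.g. from a shortcode or REST callback: the visitor may ask for
 * per_page=-1, but the helper answers with the ceiling instead of the whole table.
 */
function wds_example_handle_request() {
    $requested = isset( $_GET['per_page'] ) ? sanitize_text_field( wp_unslash( $_GET['per_page'] ) ) : '';
    $page      = isset( $_GET['paged'] ) ? absint( wp_unslash( $_GET['paged'] ) ) : 1;
    return wds_example_recent_post_ids( $requested, $page );
}
```

The same clamp belongs anywhere a count reaches the database from outside: `numberposts` in `get_posts()`, the `per_page` argument of a custom REST route, or a `LIMIT` built by hand with `$wpdb->prepare()`.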

Who is this for?

The last question I ask developers to pose is,

“Who is this for?”

I think every feature should have a name associated with it. Is it all administrators, or all authors? Is it just Jane or Joe? Is it the United States? Are they English speakers or Spanish speakers? Who are these people!?

Knowing (or even guessing at) who will be using our features, by giving our features ownership, helps make sure we’re prepared to create features with privilege in mind.

Even if your answer is “everyone,” we probably should be looking hard at the detailed, real answers. For instance, “everyone” includes many languages; how many Spanish speakers need to use your product? Do you have a plan to have your content translated? What about A11y? That includes everyone too! Thinking of your features as privileged and belonging to someone helps us take more responsibility for our features, who has access, and who shouldn’t. This also allows you to expand your reach and make sure that people who might otherwise be excluded from a generic “everyone” can access what you made.

What about you?

Do you have any tactics that help you build more secure features? What are some ways you work secure features into your build?
