protection

How to mitigate CVE-2018-6389 – the load-scripts.php DoS “attack” in WordPress

A little sensationalist written blog post by Barak Tawily claims that WordPress is vulnerable to a DoS attack because of the load-scripts.php file which concatenates JavaScript files on the fly.

February 12, 2018 · 5 min · Bjørn Johansen
collapse

Another day, another “WordPress security vulnerability”

OMFG, BREAKING NEWS: Thousands of WordPress sites affected by some vulnerability.{{ double-space-with-newline }}

January 27, 2018 · 5 min · Bjørn Johansen
wordpress-security-budget

WordPress security for the casual blogger or small business with limited resources

The resources you have available to spend on WordPress security for your website usually vary vastly whether you’re an international corporation or just a hobbyist blogger. But since most attacks are automated by bots looking for vulnerabilities, a lot of the threats are the same. Here are some WordPress security measures that bloggers and small business with limited resources easily can take.

August 10, 2017 · 8 min · Bjørn Johansen
secure-email

Secure email: Encrypt and sign your emails with PGP/GnuPG

Email is fundamentally insecure. There are such a plethora of issues with it, it is crazy to think about the kind of information sent with it. It is probably even crazier when you realize we’ve had a solution for sending secure email since 1991.

May 25, 2017 · 5 min · Bjørn Johansen
forgery

How to perform and mitigate a WordPress session donation attack

WordPress doesn’t use a nonce for the login form, which opens up for you to perform a WordPress session donation attack.

March 22, 2017 · 7 min · Bjørn Johansen
stopping-emergency

How CloudFlare handled CloudBleed

Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with their service. It turned out that in some unusual circumstances, they would bleed memory that contained private information.

February 24, 2017 · 1 min · Bjørn Johansen
assistance

Giving users a helping hand when authorizing them in WordPress

Inspired by how Facebook assists their users when they log in, I decided to implement something like the same for WordPress.

January 24, 2017 · 4 min · Bjørn Johansen
To www or not to www

To www or not to www – Should you use www or not in your domain?

For 20 years or so, there has been the debate over whether you should use www or not in your web site’s canonical hostname. So should you use www or not?

January 20, 2017 · 7 min · Bjørn Johansen
encrypt

Encrypt and decrypt a file using SSH keys

If you have someone’s public SSH key, you can use OpenSSL to safely encrypt a file and send it to them over an insecure connection (i.e. the internet). They can then use their private key to decrypt the file you sent.

January 5, 2017 · 3 min · Bjørn Johansen
SVG

SVG uploads in WordPress (the Inconvenient Truth)

Enabling uploads of SVG files in WordPress is quite easy, and there is a tonne of posts on the Interwebs explaining how you do it. Usually along the lines of: function add_svg_to_upload_mimes( $upload_mimes ) { $upload_mimes['svg'] = 'image/svg+xml'; $upload_mimes['svgz'] = 'image/svg+xml'; return $upload_mimes; } add_filter( 'upload_mimes', 'add_svg_to_upload_mimes', 10, 1 ); And that’s pretty much it. Except it is not.

May 26, 2016 · 4 min · Bjørn Johansen