Saturday, March 3rd, 2007

Keep your website secure without breaking a sweat


If your website architecture is built using 3rd party software, such as WordPress, ExpressionEngine, or phpBB, it’s important to keep an eye on security issues pertaining to the software you use, or you could find your website replaced with p0rn or casino ads. (WordPress 2.11 users — leave now and read this. Hurry!)

Now even if gambling and p0rn is your thing, you probably don’t want to see it in big all over your home page with a sign in the center that says “h4CkEd 8Y 8R17nEY sPe4r2”.


I got to thinking more about website security today as WordPress just discovered that the download for WordPress 2.11 was compromised and included malicious code that hackers could use to deface and destroy a website. Not good. They are recommended everyone running 2.11 upgrade to 2.12 immediately. To help get the word out they are asking everybody to help and “check out your friends blogs and if any of them are running 2.1.1 drop them a note.”

But what happens if you have no friends? There has to be a better way to stay self-sufficient and secure.

Let’s look at how we get into these messes in the first place

The root of the problem is that once you get your website setup just the way you like it, it is pretty hard to keep up on changes to the software that occur after the point that you’ve installed it. It’s a busy world and who has time to check for security updates regularly at the several different websites. Frankly, it’s sometimes difficult to even remember what software you’ve installed – let alone what version number they are.

The key to good security practices in the real world is to make it all as simple as possible. Here are my 3 steps to sweat-free website security:

Step One: Audit your website

The first step is to make a list of all software and plugins that you use on your website. What I like to do is make a little file called changelog.txt that I keep in my project folder my website. (not the website root folder, as this is not something you usually want to be public). In this file list all the current software and plugins that you have installed, including their version numbers. Each time you make an update to your website software, add a new line note the date, the software component and the new version number.

Step Two: Gather RSS feeds for all the software you use.

Most websites that provide web application related software have an RSS feed where they broadcast updates to the software. Note these feeds, for the next step. The feeds for the software I mentioned above are:

Step Three: Build a custom RSS feed

The Yahoo Pipes service has drag-and-drop tools that you can use to combine feeds and “filter” them by keywords. In this case, you’ll want to add all the feeds that you gathered in the previous step and then filter them for the word “security”. If you also want to be notified of upgrades, you might want to add the word “upgrade” as well.

The software I use doesn’t offer an RSS feed for updates… (sniffle, sniffle)… What should I do?

Write them and politely ask them to get out of the stone age?

Just kidding. I’ve got a solution. An email-to-RSS gateway service can translate emails to an RSS feed that you can remix into your Yahoo Pipes feed. A good way to do this is to setup a forwarding address – something like [email protected] and configure it to point at an email address you can retrieve. Signup to all of the mailing lists that are relevant to your software and then reconfigure it to point at the gateway service.

Final Thoughts

Make sure that you subscribe to your shiny new security feed in something that you read frequently. Also, be aware that keeping up with software security updates are only one aspect of keeping your website safe secure. You’ll also want to make sure that you have a good backup strategy and strong passwords at a minimum.

UPDATE: I’ve prepared a sample website security feed that you can clone and modify in Yahoo Pipes. This sample security feed rolls in the three feeds noted above. Yahoo Pipes is pretty easy to work with — poke around for a bit and I think you’ll find it isn’t too hard to convert this pipe into a custom feed for your own uses. To see the RSS feed itself, go here.

Trackbacks & Pings

  1. Quick security checklist for webmasters | BLACK HAT SEO on 30 Sep 2007 at 4:35 pm

    […] whatever code aggregation you hit installed. Need whatever tips? Blogger Mark solon has a whatever good ones, including making a itemize of every the code and plug-ins utilised for your website and ownership […]

  2. Quick security checklist for webmasters on 07 Oct 2007 at 8:27 pm

    […] updates for any software program you have installed. Need some tips? Blogger Mark Blair has a few good ones, including making a list of all the software and plug-ins used for your website and keeping track […]

  3. 网站安全快速检查清单 | JOE on 02 Nov 2007 at 6:25 pm

    […]       人们经常犯的的错误是在自己的网站上安装一个论坛或博客软件,然后就再也不管了。就像你的车总是要保养一样,保持对你安装的任何软件的最新更新也是很重要的。需要一些小贴士?Mark Blair 的博客上有一些很好的,包括为你网站上所有的软件和插件列个清单,并跟踪版本号和更新历史。他还建议利用任何软件开发者网站提供的 feed。 […]

  4. Website safety checks detailed list quickly on 22 Nov 2007 at 9:05 pm

    […] software that you install is newest updating also is very important. Need a few small stick person? The rich guest of Mark BlairThere is a few on very good, include to be all software on your website and plug-in unit to list a […]

  5. Feliz año Webmasters | mOpLin.com on 28 Dec 2007 at 3:47 pm

    […] Mark Blair en su Blog nos da una serie de recomendaciones. […]

  6. Sicherheits-Checkliste fr Webmaster (von Google) - Security Forum on 07 Jan 2008 at 4:49 pm

    […] Prft die Server-Konfiguration☻ Haltet Software-Updates und Patches auf dem neuesten Stand – http://www.mblair.net/no-sweat-website-security/☻ Schaut regelmig in die Log Files☻ Testet eure Website auf verbreitete Schwachstellen […]

  7. webmaster blog » Blog Archive » Sicherheits-Checkliste für Webmaster on 21 Jan 2008 at 12:52 pm

    […] Programme besorgt. Braucht ihr dazu weitere Tipps? Der Blogger Mark Blair hat ein paar hilfreiche Ideen, so könnt ihr z. B. eine Liste der auf eurer Website verwendeten Software und Plug-Ins erstellen, […]

Comments

  1. Barry Hurd wrote:

    Hey Mark- just checked out your Blairworks site and thought I’d give some kudos to some nice looking work. Keep up the work and writing. 🙂

    Posted 03 Apr 2007 at 8:38 am

  2. AltaGid wrote:

    Hello! Help solve the problem.
    Very often try to enter the forum, but says that the password is not correct.
    Regrettably use of remembering. Give like to be?
    Thank you!

    Posted 08 Aug 2007 at 8:30 am

  3. Vitaliy wrote:

    It was very interesting to read.. But what with xss problem? 🙂

    Posted 21 Sep 2007 at 7:04 am

  4. mblair wrote:

    @Vitaliy — not sure if I follow 🙂 Do you have an xss problem? You want to make sure that you are “cleaning” all input fields for potentially harmful code prior to being saved to your site’s database or displayed on the screen.

    @AltaGid – I’m afraid you lost me.. what forum?

    Posted 21 Sep 2007 at 1:38 pm

  5. kreoton wrote:

    > Vitality

    I’m not quite sure but XSS is a some kind of website hack.

    Posted 22 Nov 2007 at 12:55 am

«
»