Keep your website secure without breaking a sweat

If your website is built on third-party software such as WordPress, ExpressionEngine, or phpBB, it’s important to keep an eye on security issues in the software you use, or you could find your website replaced with p0rn or casino ads. (WordPress 2.1.1 users — leave now and read this. Hurry!)

Now even if gambling and p0rn are your thing, you probably don’t want to see them plastered all over your home page with a sign in the center that says “h4CkEd 8Y 8R17nEY sPe4r2”.

I got to thinking more about website security today because WordPress just discovered that the download for WordPress 2.1.1 had been compromised: someone had inserted malicious code that an attacker could use to deface or destroy a website. Not good. They are recommending that everyone running 2.1.1 upgrade to 2.1.2 immediately. To help get the word out they are asking everybody to “check out your friends’ blogs and if any of them are running 2.1.1 drop them a note.”

But what happens if you have no friends? There has to be a better way to stay self-sufficient and secure.

Let’s look at how we get into these messes in the first place

The root of the problem is that once you get your website set up just the way you like it, it is pretty hard to keep up with changes to the software that come out after you installed it. It’s a busy world, and who has time to check several different websites for security updates on a regular basis? Frankly, it’s sometimes difficult even to remember what software you’ve installed, let alone which versions you’re running.

The key to good security practices in the real world is to make it all as simple as possible. Here are my 3 steps to sweat-free website security:

Step One: Audit your website

The first step is to make a list of all the software and plugins that you use on your website. What I like to do is keep a little file called changelog.txt in the project folder for my website (not the website root folder, since this is not something you usually want to be public). In this file, list all the software and plugins you currently have installed, including their version numbers. Each time you update a piece of your website software, add a new line noting the date, the software component and the new version number. That way the file always tells you exactly what is running, and when an advisory comes out you can tell in seconds whether it applies to you.

Step Two: Gather RSS feeds for all the software you use.

Most projects that publish web application software have an RSS feed where they announce new releases and security fixes. Note these feeds for the next step. The feeds for the software I mentioned above are:

Step Three: Build a custom RSS feed

The Yahoo Pipes service has drag-and-drop tools that you can use to combine feeds and “filter” them by keywords. In this case, add all the feeds that you gathered in the previous step and then filter them for the word “security”. If you also want to be notified of upgrades, add the word “upgrade” as well. Keep in mind that a keyword filter only catches items that actually use those words; a release that is announced as plain “bug fixes” will slip past it, so it pays to glance at the unfiltered feed now and then too.
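If you would rather not depend on a hosted service for the merge-and-filter step, the same thing is a short script. The following is an added example, not code from the original post or from any of the projects mentioned: it does what the Step Three pipe does (merge the Step Two feeds and keep only items mentioning “security” or “upgrade”) and goes one step further by cross-checking each matching item against the Step One changelog.txt, flagging items that mention a version number newer than the one you have installed. The changelog format (one line of date, component, version), the feed contents and the example.invalid URLs are all constructed sample data and assumptions made for the example; in real use you would fetch each project’s feed URL into the FEEDS dictionary.

```python
"""Merge software-update feeds, keep the items that matter, and compare
the versions they mention against the versions recorded in changelog.txt.

Added example for the post's three steps; the feeds and changelog below
are constructed sample data, not real project feeds.
"""
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Step One inventory in the changelog.txt style the post describes:
# "YYYY-MM-DD component version", one line per install or upgrade.
CHANGELOG = """\
2007-01-15 wordpress 2.1
2007-02-01 akismet 2.0.1
2007-02-20 phpbb 3.0.0
"""

# Step Two feeds, keyed by the component name used in the changelog.
# Constructed RSS 2.0 samples standing in for the projects' real feeds.
FEEDS = {
    "wordpress": """<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>WordPress 2.1.2 security release</title>
<link>http://example.invalid/wp/2.1.2</link>
<pubDate>Sat, 03 Mar 2007 00:00:00 +0000</pubDate>
<description>Upgrade immediately if you downloaded 2.1.1.</description></item>
<item><title>New theme showcase</title>
<link>http://example.invalid/wp/themes</link>
<pubDate>Thu, 01 Mar 2007 00:00:00 +0000</pubDate>
<description>Pretty pictures.</description></item>
</channel></rss>""",
    "akismet": """<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>Akismet 2.0.2 released</title>
<link>http://example.invalid/akismet/2.0.2</link>
<pubDate>Sun, 25 Feb 2007 00:00:00 +0000</pubDate>
<description>Minor upgrade recommended; see the changelog.</description></item>
</channel></rss>""",
    "phpbb": """<?xml version="1.0"?><rss version="2.0"><channel>
<item><title>phpBB 3.0.0 security FAQ</title>
<link>http://example.invalid/phpbb/faq</link>
<pubDate>Fri, 23 Feb 2007 00:00:00 +0000</pubDate>
<description>How to secure your board.</description></item>
<item><title>phpBB 3.0.0 documentation update</title>
<link>http://example.invalid/phpbb/docs</link>
<pubDate>Thu, 22 Feb 2007 00:00:00 +0000</pubDate>
<description>New install guide.</description></item>
</channel></rss>""",
}

VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")  # dotted numbers such as 2.1.2


def parse_version(text):
    """'2.1.2' -> (2, 1, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_changelog(text):
    """Return {component: installed_version}; the last line per component
    wins, because a line is appended every time something is upgraded."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _date, component, version = line.split()
        installed[component.lower()] = parse_version(version)
    return installed


def parse_feed(component, xml_text):
    """Extract title, link, date and description from each RSS <item>."""
    items = []
    for node in ET.fromstring(xml_text).iter("item"):
        items.append({
            "component": component,
            "title": (node.findtext("title") or "").strip(),
            "link": (node.findtext("link") or "").strip(),
            "date": parsedate_to_datetime(node.findtext("pubDate")),
            "text": (node.findtext("description") or "").strip(),
        })
    return items


def newest_version_mentioned(item):
    """Highest dotted version number in the item, or None if there is none."""
    found = VERSION_RE.findall(item["title"] + " " + item["text"])
    return max((parse_version(v) for v in found), default=None)


def build_alerts(changelog_text, feeds, keywords=("security", "upgrade")):
    """Merge all feeds, keep keyword matches, newest first, and flag items
    whose highest mentioned version is newer than the installed one."""
    installed = parse_changelog(changelog_text)
    words = [k.lower() for k in keywords]
    alerts = []
    for component, xml_text in feeds.items():
        for item in parse_feed(component, xml_text):
            haystack = (item["title"] + " " + item["text"]).lower()
            if not any(word in haystack for word in words):
                continue  # same as the Yahoo Pipes keyword filter
            have = installed.get(component)
            mentioned = newest_version_mentioned(item)
            item["installed"] = have
            item["mentioned"] = mentioned
            item["upgrade_available"] = bool(have and mentioned and mentioned > have)
            alerts.append(item)
    alerts.sort(key=lambda a: a["date"], reverse=True)
    return alerts


def format_version(version):
    return ".".join(str(p) for p in version) if version else "?"


if __name__ == "__main__":
    for alert in build_alerts(CHANGELOG, FEEDS):
        flag = "UPGRADE" if alert["upgrade_available"] else "notice"
        print(f"[{flag}] {alert['component']}: {alert['title']} "
              f"(installed {format_version(alert['installed'])}, "
              f"mentions {format_version(alert['mentioned'])}) {alert['link']}")
```

Run it from a cron job and mail yourself the output, or write the alerts back out as an RSS file and subscribe to that. The version comparison is only as good as the changelog you keep in Step One, which is the point: the file is what lets a machine tell “2.1.2 is out” apart from “you are running 2.1 and need to move”.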

The software I use doesn’t offer an RSS feed for updates… (sniffle, sniffle)… What should I do?

Write them and politely ask them to get out of the stone age?

Just kidding. I’ve got a solution. An email-to-RSS gateway service can translate emails into an RSS feed that you can remix into your Yahoo Pipes feed. A good way to do this is to set up a forwarding address, something like [email protected], and point it at an email address you can read. Sign up to all of the mailing lists that are relevant to your software using that address, then reconfigure the forwarder to point at the gateway service. That way, if you ever switch gateways, you only change the forwarder instead of re-subscribing to every list.

Final Thoughts

Make sure that you subscribe to your shiny new security feed in something that you read frequently. Also, be aware that keeping up with software security updates is only one aspect of keeping your website safe and secure. You’ll also want to make sure that you have a good backup strategy (one you have actually tested restoring from) and strong passwords at a minimum.

UPDATE: I’ve prepared a sample website security feed that you can clone and modify in Yahoo Pipes. This sample security feed rolls in the three feeds noted above. Yahoo Pipes is pretty easy to work with — poke around for a bit and I think you’ll find it isn’t too hard to convert this pipe into a custom feed for your own uses. To see the RSS feed itself, go here.