Can anyone speak to this series of courses?
Some books and sites I’ve found read like unhelpful cookbooks to me.
An example of a helpful cookbook would include Cal Peternell’s Twelve Recipes.
I’d like to continue improving my WordPress practice which has been stop and start, off and on (1/16 time?) for years on orphaned bootstrapped projects for nonprofits with limited IT budgets.
No but we can speak to the maybe not so trustworthiness of the Stacksocial BoingBoing store.
Thank you. Anything you feel comfortable sharing?
(Out of likes so )
Mostly just anytime anyone has dug into it, 50% off our 100% inflated price type of stuff or the fine print says that the courses may or may not be available, and of course the good ones are not, etc.
I’ve reached the maximum number of likes today. Okay, I will wait 11 minutes before trying again.
Just please, please, please make sure to keep that stuff updated, and read up on the proper permissions to put on the various directories involved!
- someone who has had to fight with far too much spam and other crap due to WordPress installations
Can you recommend readable sources on concepts, methods of approaching problems, rules of thumb for assessing issues?
Most of what I find reads like Ikea instructions. I’d rather sit on the floor than read Ikea instructions.
oof… that’s a big topic.
Hardening WordPress is a good starting point for looking at a lot of the security issues for WordPress. I’d recommend the “File Permissions” section as a need-to-read for anyone setting it up.
Unfortunately, securing a webapp isn’t a one-size-fits-all kind of thing. Even some of the advice in that page can fall down depending on how the server you’re running on is set up - if the webserver’s running your php scripts under your user’s permissions rather than something separate, for example, then restricting a directory to 755 permissions doesn’t do much. The simplest rule-of-thumb I use for my personal work boils down to “whenever possible, prevent writes to places that have execute access”… but depending on your skill level that may or may not be any use.
I’m afraid I don’t have a lot of useful information myself - most of my experience is in shutting down exploit vectors on other people’s servers and installations, which is attacking things from the opposite direction. Sort of like the difference between keeping a room clean through consistent good habits, and coming in to a room that looks like an episode of “Hoarders” and taking a flamethrower to it.
[edit] Trying to be a little more useful… Excluding situations where someone’s password has been brute-forced, almost every exploit I’ve seen boils down to using a bug in either a WordPress built-in file or some plugin/theme to upload a new PHP file into the directories that the webserver can access, so the attacker can then browse to that new file and make the webserver execute it. So, in general, the goal is to either prevent the upload in the first place or prevent it from being executed by the webserver once it’s there. Simplest ways to do that are:
- Keep the install and any plugins/themes updated regularly.
- Vet any plugins/themes before you install by seeking out any reports of them being exploited in the past.
- Set the most restrictive directory permissions you can without breaking things.
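The permission baseline from the Hardening WordPress page and the “no writes where the webserver can execute” rule of thumb in the post above, as an added example (this is my script, not the poster’s and not WordPress’s own tooling). It builds a constructed sample tree in a temp directory so it runs offline, audits it, applies the 755/644 baseline with a tighter wp-config.php, and flags PHP files sitting in a writable directory. It assumes PHP runs as a separate user from the one that owns the files (as the post notes, the mode bits mean little otherwise) and that the uploads deny rule is an Apache-style .htaccess; on nginx the equivalent is a location block in the server config.

```shell
#!/bin/sh
# Added example, not from the thread: audit and baseline a WordPress tree.
# Assumptions (constructed): the layout below, umask 022, Apache .htaccess.
set -eu
umask 022

# Build a constructed sample tree with two deliberate weaknesses to catch:
# a world-writable uploads directory and a world-writable wp-config.php.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/uploads/2024/05" \
             "$root/wp-content/plugins/demo-plugin"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    : > "$root/wp-content/plugins/demo-plugin/demo.php"
    : > "$root/wp-content/uploads/2024/05/photo.jpg"
    : > "$root/wp-content/uploads/2024/05/unexpected.php"  # constructed: code where only media belongs
    chmod 777 "$root/wp-content/uploads"                   # constructed: the loose mode we want to catch
    chmod 666 "$root/wp-config.php"                        # constructed: secrets file writable by anyone
    printf '%s\n' "$root"
}

# Directories writable by group or others: looser than the 755 baseline.
count_loose_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# Regular files writable by group or others: looser than the 644 baseline.
count_loose_files() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# The rule of thumb from the post: directories that accept writes AND hold
# PHP the webserver would execute. Each such directory is counted once.
count_writable_php_dirs() {
    find "$1" -type d \( -perm -g+w -o -perm -o+w \) | while IFS= read -r w; do
        if [ -n "$(find "$w" -type f -name '*.php' | head -n 1)" ]; then
            printf '%s\n' "$w"
        fi
    done | wc -l | tr -d ' '
}

# PHP files under wp-content/uploads: that directory must accept writes, so
# any script there is exactly the upload-then-browse pattern described above.
count_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' | wc -l | tr -d ' '
}

# Apply the baseline: 755 on directories, 644 on files, wp-config.php tighter.
apply_baseline() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
}

# Stop Apache from executing anything PHP-like placed in uploads.
# (Apache-specific assumption; nginx needs a location block instead.)
block_php_in_uploads() {
    cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Deny direct execution of any PHP script placed in uploads.
<FilesMatch "\.ph(p[0-9]?|tml)$">
    Require all denied
</FilesMatch>
EOF
}

# Run the audit before and after hardening when invoked directly.
if [ "${1:-}" = "--demo" ]; then
    t=$(make_sample_tree)
    echo "before: loose dirs=$(count_loose_dirs "$t") loose files=$(count_loose_files "$t")" \
         "writable dirs with php=$(count_writable_php_dirs "$t")"
    apply_baseline "$t"
    block_php_in_uploads "$t"
    echo "after:  loose dirs=$(count_loose_dirs "$t") loose files=$(count_loose_files "$t")" \
         "php in uploads still present=$(count_php_in_uploads "$t")"
    rm -rf "$t"
fi
```

Run it with `sh audit.sh --demo`. Note that the mode fixes do not remove the stray PHP file in uploads; the script only reports it, because deciding what that file is belongs to a person, and the .htaccess rule is what keeps it inert until then.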
Thank you! I really appreciate this patient and thoughtful help which I’m sure is normally compensated at a professional rate.
I shared the Hardening WordPress link with my study buddy and will read it. The other tips are helpful too for spotting gaps in my grasp of fundamentals.
For example, I understand the concept of file permissions and why limiting permissions is desirable. I understand that generally the scripts on a site deliver content for the browser from a database which is somehow stacked on the server software which is in turn stacked on the operating system of the ISP’s computer.
I don’t have a basic template or simple map in my head of how the directories and specific files in the directories interlock at each level in the stack. I don’t have a checklist in mind for a basic set of pop-the-hood indicators to assess and diagnose basic problems (like with a car).
I think I need the template and the checklist because there is so much unique combination and iterative variation on any given WP site to follow a one size fits all recipe of steps.
I get that it’s mostly practice, practice, practice, but big picture views like yours help highlight important landmarks (vital signs) and minimize wheel spinning.
You need a course on how to use periods and line breaks.
Do you think that will help you?
This topic was automatically closed after 5 days. New replies are no longer allowed.