Tag Archives: security

Get security notifications about your WordPress site in Slack

This post describes how you can receive Slack notifications if any vulnerable themes or plugins are found within your WordPress installation.

Pre-requisite: You’ll need the WordPress Plugin Security Scanner installed and activated.

Here is what we’re aiming to achieve — an automatic Slack notification about a WordPress vulnerability:

To start with, you need to add a new incoming webhook integration to your Slack workspace. You can do this by visiting the Slack Incoming Webhooks page.

Choose whether you want notifications to go to a channel or to arrive as a direct message.

Grab the Webhook URL; you'll need it later.

Under “Integration Settings”, enter “wordpress-plugin-security-scanner” in the “Customize Name” field.

You'll get a confirmation in your Slack to confirm the integration has been added.

Log into your WordPress admin and go to Settings -> General. Tick the Webhook notification option, and paste in the Webhook URL that you copied earlier:

In your WordPress theme’s functions.php file add the following:

function pluginsecurityscanner_webhook_message( $vulnerabilities )
{
    // The scanner hands us a JSON string: plugin name => list of findings for that plugin
    $vulnerabilities = json_decode( $vulnerabilities );

    // start with an empty message so the .= below never appends to an undefined variable
    $text = '';

    if ( ! empty( $vulnerabilities ) ) {
        foreach ( $vulnerabilities as $plugin_name => $plugin_vulnerabilities ) {
            foreach ( $plugin_vulnerabilities as $vuln ) {
                $text .= __( 'Vulnerability found', 'plugin-security-scanner' ) . ': ' . $vuln->title . "\n";
            }
        }
    }
    else {
        // if you want to receive a notification when NO vulnerabilities are found, uncomment this line
        // $text = 'No vulnerabilities found!';
    }

    // Slack incoming webhooks expect a JSON object with a "text" field
    $msg = array( 'text' => $text );

    return json_encode( $msg );
}
add_filter( 'pluginsecurityscanner_webhook_message', 'pluginsecurityscanner_webhook_message' );

Save your functions.php file and your notification system will be up and running!

Please note: If you are installing the plugin security scanner on a commercial website, there is a support licence available.

Glen Scott

I’m a freelance software developer with 18 years’ professional experience in web development. I specialise in creating tailor-made, web-based systems that can help your business run like clockwork. I am the Managing Director of Yellow Square Development.


Securing your website

We’ve now reached a tipping point as the web moves from HTTP (non-secure transmission) to HTTPS (secure transmission). Over half of the web is now encrypted, meaning that if your site is not protected by an SSL/TLS certificate, you’re the exception rather than the norm.

There are big advantages for your business when you move to HTTPS:

  • Increased user trust (addresses visitors' privacy concerns)
  • Faster loading times (if coupled with HTTP/2)
  • Possible increases in SEO ranking

Is your site already secure? It’s simple to check your site:

  1. Enter https://yourwebsiteaddress into Google Chrome
  2. Look at the icon to the left of the website address

If your site is not secure, you can follow these high-level steps to move it from HTTP to HTTPS:

  1. Get a certificate from Let's Encrypt
  2. Install and enable the certificate for your website
  3. Install and enable automatic certificate renewal with certbot
  4. Add a server-side 301 redirect so all HTTP traffic goes to HTTPS
  5. Verify website pages work as expected
  6. Fix mixed-content errors
  7. Add an HSTS header so browsers go straight to HTTPS without needing the redirect
  8. Add the new HTTPS URL in Google Search Console
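As an added illustration of steps 2, 4 and 7 (this is not configuration from the post), here is an nginx server configuration that serves the Let's Encrypt certificate, redirects all plain HTTP requests with a 301, and sends an HSTS header. It assumes the domain example.com, certbot's default certificate paths, and a WordPress document root of /var/www/example.com.

```nginx
# Step 4: every plain-http request gets a permanent (301) redirect to https.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # assumed domain
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;        # nginx only negotiates HTTP/2 over TLS
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    # Step 2: certificate and key issued by Let's Encrypt (certbot's default paths)
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Step 7: HSTS. Keep max-age short while you are still fixing mixed content
    # (step 6); once every page works over https, raise it (for example to a
    # year) and only then consider adding includeSubDomains, because browsers
    # will refuse plain http to every listed host for that long.
    add_header Strict-Transport-Security "max-age=300" always;

    root  /var/www/example.com;   # assumed WordPress document root
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading nginx, `certbot renew --dry-run` confirms that step 3's automatic renewal will work before the certificate actually expires.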

If you need any help moving your site to HTTPS, please email me.


Securing your CodeIgniter passwords with bcrypt


I’ve applied a small modification to the Portable PHP password hashing framework (phpass), so it can be easily used in CodeIgniter projects. An example of using it to authenticate users, inside a controller or model method that receives $username and $password:

    $this->load->library( 'PasswordHash' );

    $query = $this->db->query("
        SELECT
            `user_id`,`password` AS `hash`
        FROM
            `user`
        WHERE
            `username` = ". $this->db->escape($username) ."
        LIMIT
            1
    ");

    // check to see whether username exists
    if ( $query->num_rows() == 1 ) {
        $row = $query->row();

        // CheckPassword re-hashes $password using the salt and cost stored in $row->hash
        if ( $this->passwordhash->CheckPassword( $password, $row->hash ) ) {
            return $row->user_id;
        }
    }

    // unknown username or wrong password
    return false;

To generate a hashed password:

    $this->load->library( 'PasswordHash' );

    $password = ( isset( $_POST['password'] ) ? $_POST['password'] : '' );

    if ( $password ) {
        // HashPassword generates a random salt and returns the complete hash string
        $hash = $this->passwordhash->HashPassword( $password );

        // a valid hash is always longer than this; anything shorter means hashing failed
        if ( strlen( $hash ) < 20 ) {
            exit( "Failed to hash new password" );
        }

        // store $hash (never the plain-text password) in the user table's `password` column
    }

For more details, please check out the repository on GitHub: github.com/glenscott/passwordhash-ci
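As an added example (not code from the post or from the passwordhash-ci repository), here is a CodeIgniter model that authenticates with PasswordHash but always runs CheckPassword, so a request for a username that does not exist takes as long as one with a wrong password and response timing does not reveal which usernames are registered. It assumes the `user` table from the post (user_id, username, password) and PHP 7 or later for random_bytes().

```php
<?php
// Hypothetical model name; the table layout matches the post's example.
class User_model extends CI_Model
{
    private $dummy_hash;

    public function __construct()
    {
        parent::__construct();
        $this->load->library( 'PasswordHash' );

        // Hash of a random secret nobody knows. It has the same format and cost
        // as the real hashes, so the "unknown user" path does the same work
        // as a genuine comparison instead of returning early.
        $this->dummy_hash = $this->passwordhash->HashPassword( bin2hex( random_bytes( 32 ) ) );
    }

    // Returns the user_id on success, or false on any failure.
    public function authenticate( $username, $password )
    {
        // Query binding: CodeIgniter escapes the value bound to the `?` placeholder.
        $query = $this->db->query(
            'SELECT `user_id`, `password` AS `hash` FROM `user` WHERE `username` = ? LIMIT 1',
            array( $username )
        );

        $row  = ( $query->num_rows() === 1 ) ? $query->row() : null;
        $hash = $row ? $row->hash : $this->dummy_hash;

        // CheckPassword runs unconditionally, whether or not the username exists.
        $ok = $this->passwordhash->CheckPassword( $password, $hash );

        return ( $ok && $row ) ? $row->user_id : false;
    }
}
```

Confirm that the hashes stored in the `password` column begin with `$2a$`: phpass only produces bcrypt when it is constructed with portable hashes disabled and bcrypt is available, and otherwise falls back to its MD5-based `$P$` portable scheme.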
