By Jeffro on May 17, 2013
In late 2012, VaultPress announced that they had acquired security company Code Garage. At the time, the acquisition seemed like a talent grab more than anything else. Even though VaultPress stated that they would continue to work on the Code Garage product, it didn’t make much sense to have both services. When I initially reported on the acquisition, I told Code Garage customers to watch the situation closely because at some point, Code Garage was going to close up shop in favor of VaultPress.
VaultPress has now confirmed that they will be shutting down Code Garage after July 1st.
Today we’re happy to announce a migration plan that provides Code Garage users with the protection they’re used to — while letting us improve security and backup services for everyone by focusing our resources on VaultPress. Through July 1, all Code Garage customers are invited to migrate to VaultPress. To sweeten the deal, your first two months are on us — you won’t see a charge from Code Garage or VaultPress for two months after the migration. After those 2 months, your Code Garage bill will remain unchanged – you’ll keep paying what you’ve been paying as a Code Garage customer.
If you’re not interested in migrating, we’ll maintain your service at Code Garage through July 1, and give you your last month free.
Any Code Garage customer that migrates to VaultPress will automatically be placed on the VaultPress Lite plan with the addition of daily security scans. For a detailed look at how Code Garage was founded and how Timthumb played a role in the company’s success, read this blog post by founder Peter Butler.
Posted in News | Tagged codegarage, migration, security, vaultpress
By Jeffro on May 16, 2013
BuddyPress 1.7.2 was released a little while ago. It contains some bug fixes, but the most notable items are several SQL injection vulnerabilities that have been patched. 1.7.2 is classified as a recommended upgrade for anyone using BuddyPress 1.5 or above.
I’m keeping tabs on BuddyPress because at some point in the future, this site will be using it in combination with bbPress.
Posted in BuddyPress | Tagged buddypress, patches, release, security
By Jeffro on May 14, 2013
It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.
That pretty much sums everything up, but I highly encourage you to read the entire post, as Jason Cosper brings up a number of good points that illustrate just how secure the core of WordPress is. Outside of the big brute force attacks on WordPress sites, which really had nothing to do with the security of WordPress itself, I can’t remember the last time I updated because of a critical security vulnerability in the core. There are so many variables that are sometimes out of the control of the end user. Unfortunately, all too often, webhosts put the blame on software such as WordPress when the real issue is their server setup.
Check out this comment from Mark Jaquith in 2011, in response to someone claiming that running WordPress was akin to running Windows 95 without patches, as comical as that sounds.
Posted in WordPress | Tagged Plugins, security, wordpress
By Jeffro on May 10, 2013
The wait is over for those that have wanted an affordable offering from VaultPress. The service announced on May 8th that a new service level called VaultPress Lite would be available for an astoundingly cheap $5.00 per month, per site. The plan covers the basics:
- Daily backups that happen automatically, so you can focus on creating, not logistics.
- Automated site restores, so you can restore your entire site with a single click.
- Thirty days of saved backups, so you can go back in time to restore the last clean version of your site.
Customers also have access to VaultPress support staff. Since VaultPress launched, a number of people have expressed their relief at being able to easily restore their sites after a catastrophe. I bet it only takes one experience like that for VaultPress to seem like a bargain, regardless of the price.
Posted in News | Tagged backup, security, services, vaultpress
By Jeffro on May 8, 2013
Earlier today on Twitter, WordPress community member Travis Ballard (@Ansimation) published a link to a plugin that will have people thinking twice before they sign up to a WordPress based website. Ironically, it’s called WPEvil, and it saves passwords in plain text instead of as hashes. One thing I’ve learned over the years is that passwords are never to be stored in plain text, for any reason. I reached out to the creators of this plugin to see if they could give me a couple of legitimate use cases. Here is what they had to say.
Legitimate use would be I guess to tell one of your users their password if they can’t reset it for some reason. There are no appropriate uses for this plugin, I guess you could do your own research to see what people actually use as passwords.
Motivation? Bored.
Travis also got in touch with the plugin author on Reddit to discuss legitimate uses for this plugin and was greeted with an insult that it was above his pay grade.
So if you come across a WordPress powered website that you can tell is using this plugin, would you register your account there? How does it make you feel to see a company release such a plugin to the wild? Should anyone be worried that this plugin exists?
Posted in Plugins | Tagged passwords, security, text
By Jeffro on December 28, 2012
Automattic, or more aptly VaultPress, has acquired security company CodeGarage. This is the first time I’ve ever heard of CodeGarage, but they appear to be a VaultPress alternative. Looking over the pricing and plans for each service, I see that CodeGarage was definitely cheaper, as you can monitor 5 websites for $25 a month, while VaultPress charges a flat fee PER website. The acquisition appears to be a talent grab as well as a learning exercise. As an example, CodeGarage has a great pricing structure that allows businesses to have multiple websites monitored for a nominal fee, something which VaultPress doesn’t have.
I have to say though, I’m a bit perplexed as to why Automattic/VaultPress would continue to build and expand upon CodeGarage considering the existence of VaultPress. Even though it was not announced, if I were a customer of CodeGarage, I’d be watching the news very carefully for any hints of the service shutting down and everyone having to migrate over to the VaultPress platform.
Posted in News | Tagged acquired, codegarage, security, vaultpress
By Jeffro on December 28, 2012
Over the past few days, I’ve read various posts regarding a security hole discovered in the popular W3 Total Cache plugin. According to a security bulletin published by Jason Donenfeld on Seclist.org, after installing the plugin from the WordPress plugin repository through the backend of WordPress, there are two avenues of attack left open.
1) Directory listings were enabled on the cache directory, which means anyone could easily recursively download all the database cache keys, and extract ones containing sensitive information, such as password hashes. A simple google search of “inurl:wp-content/plugins/w3tc/dbcache” and maybe some other magic reveals this wasn’t just an issue for me. As W3 Total Cache already futzes with the .htaccess file, I see no reason for it not to add “Options -Indexes” to it upon installation. I haven’t read any W3 documentation, so it’s possible this is a known and documented misconfiguration, but maybe not.
2) Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that “deny from all” isn’t added to the .htaccess file. Maybe it’s documented somewhere that you should secure your directories, or maybe it isn’t; I’m not sure.
However, within the plugin’s support forums on WordPress.org, Otto suggested that, until a fix is released, you check whether you’re using “Disk: Basic” or “Disk: Enhanced” for database caching. If so, disable database caching and clear out those caches.
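The two .htaccess directives the bulletin asks for, applied to the cache directory by a small script. This is an added example, not code from the post or from W3 Total Cache; it assumes the database cache lives under wp-content/w3tc/dbcache beneath the WordPress root you pass in, and uses the Apache 2.2-style syntax quoted above.

```shell
#!/bin/sh
# Added example (not from the post or the plugin): check for, and if needed
# add, the two directives that close the avenues described in the bulletin.
# Assumed layout: $1 is the WordPress root, cache is wp-content/w3tc/dbcache.

# Return 0 when the cache .htaccess blocks both listing and direct download.
w3tc_cache_is_hardened() {
    htaccess="$1/wp-content/w3tc/dbcache/.htaccess"
    [ -f "$htaccess" ] || return 1
    # Avenue 1: directory listings must be disabled.
    grep -qiE '^[[:space:]]*Options[[:space:]]+-Indexes' "$htaccess" || return 1
    # Avenue 2: cache files must not be served to browsers at all.
    grep -qiE '^[[:space:]]*Deny[[:space:]]+from[[:space:]]+all' "$htaccess" || return 1
    return 0
}

# Append the directives when they are missing; existing rules are kept.
w3tc_harden_cache_dir() {
    dir="$1/wp-content/w3tc/dbcache"
    mkdir -p "$dir"
    if w3tc_cache_is_hardened "$1"; then
        echo "already hardened: $dir"
        return 0
    fi
    cat >> "$dir/.htaccess" <<'EOF'
# Block directory listings of cache keys (avenue 1 in the bulletin)
Options -Indexes
# Block direct download of cache files (avenue 2); PHP reads them from disk
Order deny,allow
Deny from all
EOF
    echo "hardened: $dir"
}

# Constructed demo: a throwaway WordPress root with one dummy cache file.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/w3tc/dbcache"
printf 'constructed-cache-entry\n' > "$demo_root/wp-content/w3tc/dbcache/sample.key"
w3tc_harden_cache_dir "$demo_root"
w3tc_cache_is_hardened "$demo_root" && echo "verified: listing and download blocked"
```

On Apache 2.4 the equivalent of `Deny from all` is `Require all denied`, so adjust the appended block for your server version.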
Posted in Plugins | Tagged Plugins, security, w3 total cache
By Jeffro on April 30, 2012
As if WooThemes.com being attacked was not bad enough, there is also a critical security issue that’s been fixed in the latest release of the WooFramework. The issue dealt with the shortcode generator.
The latest version (and most likely many previous versions) of the WooThemes WooFramework has a bug that allows any website visitor to run and see the output of any shortcode. This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php] which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.
While the Gist author took some heat for releasing the information the way that he did, others chimed in and stated that the vulnerability should never have existed in the first place. Jason Gill, a paying WooThemes customer and the one who announced the vulnerability on Gist, explained that he made every effort to contact WooThemes, or at least to see whether a patch already existed, but was unsuccessful.
While WooThemes.com is offline at the time of writing this article, I advise you to check back often and update your themes as soon as possible.
Posted in Themes | Tagged security, update, woothemes
By Jeffro on April 18, 2012
As part of their Make Waves series, iThemes will be conducting a free webinar with Dre Armeda of Sucuri.net to discuss how to lock down a WordPress installation. In this webinar, viewers will learn how to reduce their risk of being attacked by hackers and malware threats. The webinar takes place on Wednesday, April 25th at 1 P.M. CDT. I’ve linked to Sucuri a number of times during the year because these guys know what they’re talking about when it comes to website security.
Posted in News | Tagged sucuri, security, webinar
By Jeffro on April 13, 2012
VaultPress is a cool security service by Automattic, but if you take a look at the pricing and plans, some may think that this is the luxury line of data safekeeping. However, tons of people who have had to use the restoration feature of VaultPress say it’s worth every penny. Boles University.com has a non-profit WordPress multi-site installation with about 14 sub-domains under its belt. VaultPress supports multi-site, but if the subscription is for the main site, only the main site’s files and data will be backed up; sub-sites will be ignored. In order to back up everything, each site within the multi-site installation needs its own individual subscription. As you can imagine, it wouldn’t take long for that to get expensive. As David W Boles points out in his article, it would be nice to see VaultPress come up with some sort of plan that allows non-profits to back up their main site along with their satellite sites for a much more affordable price. I’m not sure how VaultPress would be able to verify whether a multi-site installation is non-profit without paperwork validation, but it certainly seems like a missed market segment opportunity for VaultPress.
This is the world of WordPress, which means there are alternatives when it comes to safekeeping your data. A relatively new service called BackupPress performs many of the same functions as VaultPress but at a much more affordable price. In fact, taking a look at their comparison page, they support WordPress multi-site at just $25 per year. At the time of publishing this article, I couldn’t locate any specific text that states restrictions similar to VaultPress, where each sub-domain within a multi-site network would need its own subscription. Hopefully, a representative from the service will stop by the comments section and fill us in on the details.
Posted in WordPress | Tagged backuppress, security, vaultpress