How to block your WordPress site from being scanned by WPScan with Nginx

Hello! First and foremost, why would you want to block WPScan from probing your site? Well we all know that security through obscurity is a bad practice. That said the risks of malicious activity on your site is undoubtedly heightened through many points of information disclosure that is freely available to parse and organize to make an accurate security risk assessment of your WordPress site. This type of information is easily attainable through automated scanners like WPScan. Tools like this scan for version tags in readme files, file size fingerprints and meta tags to determine not only the version of WordPress you are running but the version of each of the plugins you have installed. Why is information disclosure bad? Some would argue its not bad. Others would also point out that a 0-day WordPress core or plugin vulnerability could mean that minutes and hours of circumvention or lowered risk […]

How to protect WordPress media files and only allow the users who uploaded them to view

Hello! In the past we have written about how to protect your WordPress media files. In the past exercises we utilized a strategy to set a session cookie with encrypted details that can be read and validated at the http service (i.e. nginx) as well as application (php/wordpress) level. Since then we have refined this process to be much more secure, flexible and efficient. We have abandoned the cookie validation process for verifying the request before serving it and replaced it with a slightly more complicated but much more secure method. First before getting into the details, why would we want to protect WordPress media files? Well the answer depends on what sort of site you have and what you are trying to do, obviously. In our scenario, which isn’t necessarily unique, we have end-users that register for an account in order to check out of a Woocommerce store. We […]

How to implement a government ID verification system with Woocommerce and WordPress

  Need this implemented on your site? Click here and fill out our quote form!   Hello! There are many reasons why your Woocommerce store may need a system to accommodate verifying the identity of your customers. Depending on what your selling and the local or federal laws that are in place, having the identity of your consumer verified may be needed for liability or compliance reasons. Additionally under certain conditions within your Woocommerce store (such as orders over a certain amount of money), validating the identity can dramatically reduce the risk of fraud and fraudulent transactions on your site. I’m going to go into details with how to implement a system into your Woocommerce store that will accommodate the following : Provide a section within the Woocommerce “my account” area for end-users to upload a digital image of their ID Add a new field for the user details to […]

WordPress plugin to remotely manage and automate multiple WordPress sites

Hello! Being a Toronto based web design and development agency means that we interact with a significant number of WordPress sites. This tends to happen when a project starts (obviously), but often continues after a site is launched. This is something that we offer along the lines of “post launch maintenance”. By no means once a site is launched is our job done, and I’m sure a lot of other people in the industry can relate. If you follow the WP Vulnerability database notifications (if you don’t, you should), then you will see many notifications per day with various plugin or core vulnerability announcements. For this reason, among many others, we found ourselves struggling to automate and streamline the management of many client websites. We’re a fan of automation and have published articles on our efforts to integrate WordPress with Jenkins. With that particular plugin, we were able to automate […]

How to craft an XSS payload to create an admin user in WordPress

Hello! XSS (or cross site scripting) attacks are a common method to maliciously execute actions against a website installation. In particular this type of attack vector is useful when dealing with a CMS like WordPress where you have administrative user accounts to target. This means that if you are able to craft an XSS payload that will ultimately be executed by the administrator of that site, you can essentially do whatever you want. In javascript of course. What I’ll go through in this post is exactly how to capitalize on a particular (old) WordPress plugin vulnerability to deliver a persistent XSS injection (not logged into WordPress) that will later be executed by someone logged into WordPress with higher privileges, such as an administrator. Persistent versus Reflected XSS This is debatable, but to simplify things it would be easiest to describe XSS attacks as being two high level methods : persistent […]

WordPress plugin to get geolocation coordinates from a visitors IP address

Hello! We recently had a requirement from a client to generate content on a page specifically based on the geolocation coordinates of the visitor’s IP address. Now this sort of mechanism isn’t totally new, however we decided to develop a WordPress plugin called Shift8 GeoIP that would obtain this information and set it into an encrypted cookie. The reason why we wanted a plugin to set your coordinates in a cookie was because the mechanism to obtain the geolocation coordinates would never need to change. We could then develop the custom content generation (i.e. finding a “store” nearest to your location) could be done directly in the WordPress theme for the particular page in question. Furthermore, we decided to ensure that the cookie data was encrypted using OpenSSL in PHP to ensure that this geolocation data could not be obtained by third parties by simply reading the cookie data. Below […]

WordPress Woocommerce plugin to disable payment methods based on zip or postal codes

Hello! Woocommerce is a great easy-to-implement and versatile e-commerce platform. With the robust development community, expanding the core functionality can be relatively straight forward with the availability of a wide assortment of 3rd party plugins for Woocommerce. One of the things that we felt was missing, but a simple requirement, was the ability to manipulate the payment methods available based on the zip or postal code of the customer. This means that under certain conditions, the end-user will have a catered list of payment methods available to them. The system would need to have the ability to “Remember” the user, and subsequently the available payment methods, even if they came back later to purchase with a different postal or zip code. Why is this necessary? There could be many different justifications for this type of behavior with Woocommerce. If you are offering products and services to customers on a national […]

IP Address Reputation and intelligence plugin for WordPress

Hello! With WordPress security, there are many methods for hardening and tightening controls, methods for preventing common attack vectors including best practices from a development, systems administration and even 3rd party plugin perspective. Since the rising popularity of “IP Reputation Intelligence” with Corporate networks and streaming services like Netflix, I thought it would be a great opportunity to integrate one of the more powerful machine learning IP Intelligence services into WordPress : Shift8 IP Intel. IP Intelligence is a free service among many paid / commercial alternatives. Though the free tier is limited by a request threshold, the opportunity to significantly reduce malicious traffic from visiting your site is obvious. How this service works is it uses machine learning techniques developed by the service developer to identify your reputation and identify a scoring system associated with your IP. The higher the score, the more likely your IP address is part […]

How to encrypt and execute your PHP code with MCRYPT or OPENSSL

Hello! While the scenario may not necessarily be common in which you would want to encrypt your PHP code and execute it, it is something that I would consider an interesting discussion nonetheless. I fully support free and open source software, however if you are developing an application that manages or monitors systems or services or an application that needs to reside in a “hostile” environment, it might be pertinent to consider encrypting the code before executing it. This protects your code from even being read (and ultimately executed) unless the proper key is passed in order to decrypt it. In the following example & breakdown, we will be (separately) using both the Mcrypt and OpenSSL to encrypt a block of code with a specified key. We will then use that same key to decrypt the encrypted code in order to run it. The reason why I am giving both […]