How to sanitize and reset all WordPress user accounts with linux shell scripting and wp-cli

Hello! There are several key best practices for dealing with security intrusions, including but not limited to restoring from backups on a clean server. In this article, I will be going over how to create an automated shell script that completes the following actions across multiple WordPress sites on your Linux server: 1. Sanitize user and group permissions 2. Sanitize WordPress core admin and include files 3. Update WordPress core 4. Update all installed plugins 5. Iterate through all WordPress user accounts and reset the passwords. The above actions can be implemented as part of a broader security policy when dealing with shared hosting environments where you are hosting multiple WordPress sites. I will touch on each of the above items, including the shell script snippets that are required to implement each. At the bottom of this article I will share the entirety of the shell […]

How to build a port scanner with JavaScript using React Native

Hello! Why bother writing a port scanner in JavaScript, you might ask? Well, JavaScript is many things; however, the majority of its use is based on its original design: synchronous, single-threaded execution in the browser. Because of this, it becomes a challenge to write code outside of this original use case, though not impossible. The challenge of interacting with a local network using a language like JavaScript then becomes an interesting endeavour (at least to me). If you take this type of challenge and integrate it into a JavaScript-based framework like React Native, the potential increases exponentially. If one can successfully implement this type of network analysis on React Native, then the use case expands to platforms like iOS and Android. The same goes for AngularJS or Apache Cordova. There are many functions, libraries and modules that will help write asynchronous code, one of which is async. […]

How to cache queries to admin-ajax.php in WordPress to improve performance

Hello! Having worked with WordPress for a while now, we have noticed that many actions, whether administrative in nature or building a WordPress query on the front end, depend on the built-in admin-ajax.php, the WordPress AJAX API. Since many third-party plugins depend on this AJAX API to dynamically push and pull data, it is unfortunately common for a site's performance to suffer when many AJAX API calls are happening. One of the telltale signs of admin-ajax.php performance issues can be seen when inspecting the network connections made while rendering a particular page on your WordPress site. If you filter for “admin-ajax.php” in the network tab of your browser's developer console, you should clearly see the admin-ajax.php POST that may be taking too long. In our experience, some post grid plugins that make it easy to render a grid of posts on your page heavily rely […]

How to protect WordPress media files and only allow the users who uploaded them to view them

Hello! In the past we have written about how to protect your WordPress media files. In those exercises we used a strategy of setting a session cookie with encrypted details that can be read and validated at the HTTP service (i.e. nginx) as well as the application (PHP/WordPress) level. Since then we have refined this process to be much more secure, flexible and efficient. We have abandoned the cookie validation process for verifying the request before serving it and replaced it with a slightly more complicated but much more secure method. First, before getting into the details, why would we want to protect WordPress media files? Well, the answer obviously depends on what sort of site you have and what you are trying to do. In our scenario, which isn’t necessarily unique, we have end users who register for an account in order to check out of a WooCommerce store. We […]

How to implement a government ID verification system with WooCommerce and WordPress

Hello! There are many reasons why your WooCommerce store may need a system to verify the identity of your customers. Depending on what you're selling and the local or federal laws that are in place, having the identity of your customer verified may be needed for liability or compliance reasons. Additionally, under certain conditions within your WooCommerce store (such as orders over a certain amount of money), validating the identity can dramatically reduce the risk of fraud and fraudulent transactions on your site. I’m going to go into the details of how to implement a system in your WooCommerce store that will accommodate the following: provide a section within the WooCommerce “my account” area for end users to upload a digital image of their ID; add a new field for the user details to […]

#DeleteFacebook: How to poison, obfuscate and purge your Facebook data before deleting your account

* Update: Thank you Vice for writing an article about my script! Unfortunately it seems as though Facebook is actually blocking the ability for anyone to share the article. I wonder why? * Update 2: Facebook is now allowing the Vice article to be shared, only after about 24 hours of blocking the ability. Hello! Through the course of web design and development, whether it be interacting with frameworks such as Laravel or WordPress, it is sometimes necessary to develop unit, load or stress tests against certain aspects of the user interface. A great set of tools to simulate real-world interactions with websites in an automated way is the PhantomJS WebKit. PhantomJS is a “headless” kit (meaning no actual browser is required) that allows you to interact with elements of a rendered webpage. This will allow you to simulate AJAX calls, form submissions and essentially everything that […]

How to use Jenkins and Git to automate code pushes for your Laravel project

Hello! Recently we published guides on how to push WordPress sites with Jenkins and how to push WordPress sites with a simple shell script. We thought it might be useful to give an overview of how to streamline your code integration process with Jenkins, GitHub and Bash shell scripting. The script I will outline below is definitely a starting point. There are of course efficiencies that could be made within this script, or perhaps that could be found by porting the logic within the script to Python. The idea behind this process is to automate and streamline code integration across your local development environment and potentially to a “staging” server where unit and other tests can be performed. Lastly, a “production” push is included in this script. The strategy is to create a separate git branch for staging and production and to either push code directly or create a pull […]

How to craft an XSS payload to create an admin user in WordPress

Hello! XSS (or cross-site scripting) attacks are a common method of maliciously executing actions against a website installation. In particular, this type of attack vector is useful when dealing with a CMS like WordPress where you have administrative user accounts to target. This means that if you are able to craft an XSS payload that will ultimately be executed by the administrator of that site, you can essentially do whatever you want, in JavaScript of course. What I’ll go through in this post is exactly how to capitalize on a particular (old) WordPress plugin vulnerability to deliver a persistent XSS injection (while not logged into WordPress) that will later be executed by someone logged into WordPress with higher privileges, such as an administrator. Persistent versus reflected XSS: this is debatable, but to simplify things it would be easiest to describe XSS attacks as falling into two high-level categories: persistent […]

WordPress plugin to integrate Jenkins to streamline your build process

Hello! We love integrating Jenkins into our development workflow. Typically Jenkins would be used for custom development projects to streamline the development “push” process in order to seamlessly integrate code changes from a testing/staging environment over to the live environment. For frameworks like Laravel or Django, this works very nicely. Until recently, we hadn’t considered integrating Jenkins into our development workflow for WordPress projects simply because it seemed like overkill. It wasn’t until a few larger WordPress projects came along that required a standalone staging site to push changes from that we considered actually integrating the Jenkins push process into the WordPress administrative interface. What this means is that our clients wanted a staging environment to make content and other front-facing changes, approve them internally and then initiate a content push from the staging site to the production/live site. From a development perspective we would be […]

IP Address Reputation and intelligence plugin for WordPress

Hello! With WordPress security, there are many methods for hardening and tightening controls and for preventing common attack vectors, including best practices from a development, systems administration and even third-party plugin perspective. Given the rising popularity of “IP reputation intelligence” with corporate networks and streaming services like Netflix, I thought it would be a great opportunity to integrate one of the more powerful machine learning IP intelligence services into WordPress: Shift8 IP Intel. IP Intelligence is a free service among many paid/commercial alternatives. Though the free tier is limited by a request threshold, the opportunity to significantly reduce malicious traffic visiting your site is obvious. The service uses machine learning techniques developed by the service developer to determine the reputation of an IP address and assign it a score. The higher the score, the more likely your IP address is part […]