A song softly echoes away...
They ran down every lead
They repeated every test
They checked out all the data on their lists
And then the alien anthropologists
Admitted they were still perplexed
But on eliminating every other reason
For our sad demise
They logged the only explanation left
This species has exploited itself to death
Update, Sept 21: See this: Renaming the WordPress Login Page via a Setup Setting.
Update, June 27: See this for why exploit attempts have increased here, and this: Hoisted with my own Petard.
Our logs have seen an explosion in code exploit attempts these last few months. Here are a few tips to drastically reduce the chance of code being exploited.
No, the answer is not to install a WAF. As I've written elsewhere, "Mod Security is the new Magic Quotes".
The fix is simply to program into any new Advanced and Powerful software the ability to use custom Admin, Config, Plugin and Content directories and file names.
Wordpress seems so proud of their "5 minute install" -- it's made them lazy. Spend some time during install to explain the vulnerabilities of default file names and locations. Explain why not to install in the known default locations.
Like with default passwords, force your installation code to not use the defaults.
So you will have to eliminate hundreds of in-line strings like wp-admin/ and replace them with a variable like $wp_admin throughout your code; it will take a while; there are others; and there will be much testing to do -- but do it!
Have you seen the statistics that nearly half of Internet traffic is exploit attempts? Well, guess why? They all target known, exploitable names and locations!
Please, let us finally see some truly advanced software for a change.
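As an added example that is not part of the original post, here is a small Python script that measures how much of an Apache access log is blind probing of the default WordPress locations the post is talking about (wp-admin/, wp-login.php, xmlrpc.php). The log lines are constructed for the example, not taken from this blog's server.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2015:03:14:07 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2015:03:14:08 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2015:03:15:11 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "python-requests/2.7"
198.51.100.9 - - [10/Jun/2015:03:15:12 +0000] "POST /xmlrpc.php HTTP/1.1" 404 512 "-" "python-requests/2.7"
192.0.2.44 - - [10/Jun/2015:03:16:01 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2015:03:16:02 +0000] "GET /posts/2015/benchmark?x=1 HTTP/1.1" 200 6012 "http://example.net/" "Mozilla/5.0"
"""

# ip, ident, user, [timestamp], "METHOD path protocol", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Well-known default WordPress locations that automated scanners request blindly.
DEFAULT_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def is_default_probe(path):
    """True if the request path is (or is under) a default WordPress location."""
    return any(path == p or path.startswith(p) for p in DEFAULT_PATHS)


def summarize(log_text):
    """Return (total requests, default-path probes, Counter of probing IPs)."""
    total, probes, by_ip = 0, 0, Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_default_probe(rec["path"]):
            probes += 1
            by_ip[rec["ip"]] += 1
    return total, probes, by_ip


if __name__ == "__main__":
    total, probes, by_ip = summarize(SAMPLE_LOG)
    print(f"{probes}/{total} requests hit default WordPress paths; top sources: {by_ip.most_common(3)}")
```

On a site whose admin and login locations were renamed at install time, every one of those probes is a 404 against a path that no longer exists, which is exactly the point of the post.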
Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses.
-- Default SSH Key Found in Many Cisco Security Appliances, June 25, 2015
Here is a good starting point for developers new and old (unless you know everything already): Tips for Internet Security. Like tip 5: "Change the Default CMS Settings!"
I think they should add to tip 4: "Sensible User Access", to separate User Login pages from Admin Login pages. (Hint, hint, Wordpress!)
- With all due respect to Amused To Death by Roger Waters.
- They even have a function named:
- If routers and other internet hardware devices forced users to use a unique password, millions of worms, bots and cracks would have been prevented over the last 20 years.
The real Node vs Apache benchmark.
I came across the zgadzaj Node vs. Apache benchmark the other day and was immediately skeptical. Node is not as fast as that benchmark claims; it was an apples-to-oranges comparison.
Here is The Real Node vs Apache Benchmark.
And as a GIST The Real Node vs Apache Benchmark.
P.S. Even what I have done is not "real" enough as the code should calculate the size of the file, create the date and form the referer and UA strings, etc. The "real" real Node.js code would be much larger...
THIS is an experimental attempt at a blogging API in PHP. No classes. No globals.
Last Update: May 5, 2015
Version: 1.5.7 - Admin much improved.
Version: 1.5.6 - Code reduced in size; better visitor/cookie code; start of Admin CLI.
Version: 1.5.5 - Even more Admin re-design; SQLite3 working.
Version: 1.5.3 - Further Admin re-design; more about SQLite3 problems.
Version: 1.5.2 - Bug Fix and tweak release.
Version: 1.5.1 - Reduced overall memory requirements.
Here is the Download page.
Not Easily Internet Ready
This is not "Internet ready" code like the Content Management Systems whose names you all know.
Yeah, this code works, but it is not user friendly at all. As said elsewhere, this code is not advanced and is not powerful.
It is part good, part sloppy, part odd, part really cool, part stupid. But it is getting better with each release.
- detailed, technical looks at the architecture (still kind of lame).
- invented and real conversations related to coding (that I find amusing).
- various musings about our Apache log file (that range from stupid to bizarre)
The GMLP Language Processor: GMLP Here, and GMLP on GitHub, and as Markuppro on Google Code.
Batch Language Rules Processor: BLRP Here, and BLRP on GitHub.
Debug: Debug Here, and Debug on GitHub.
And the WordPress clone written in GNU Bash -- in under 2000 lines of pure BASH code. Also WordBash on GitHub.