Week 2: Work Notes

Welcome to the Random Mutterings Archive. Here you can find past copies of Tim Nash’s Random Mutterings newsletters. For more information and to subscribe, see Random Mutterings.


This is part of Random Experiments, a departure from my Random Mutterings newsletter style with the intention to come up with a new format we all enjoy. Also, just to avoid confusion, there is a bit of delay between writing and publishing.

Week 2

Thank you to everyone who thumbed up (and maybe thumbed down) last week’s newsletter; based on the anecdotal feedback, I think people like this style of newsletter! To all the folks who took the time to email me with thoughts about the style, thank you; hopefully I have taken the feedback on board.

Of course, I have evidence of your thoughts in the form of the survey. When I was putting last week’s newsletter together, I was right on the verge of sending when I realised the thumbs up and down buttons didn’t go anywhere. So I started to write a quick polling solution, and then stopped myself. I am a “Business Person” now; is this a good use of my time? The techie in me of course went “YES”, but I looked at Mailchimp and realised it had a “survey” option which, on paper, looked perfect. I set it up, but it wouldn’t let me test the poll until the campaign (what they call sending an email) was sent. So I had no idea how the results would show in the analytics.

I’m pretty sure, 10 people said they liked the new style newsletter… Maybe.

Clearly the lesson to learn here is build everything yourself and never rely on third parties!
Wait, that wasn’t the lesson?
Oh, don’t use things you can’t test, maybe; that’s the lesson.

The real lesson is, while I will be using the same poll again, this time I’m going to vote thumbs down and I might get an actual useful gauge.
 

So what have I been up to?

After the buzz of last week, this week has been a bit quieter all round, mainly because I have been doing some client work. However, this has meant I have been spending a reasonable amount of time building test bench VMs. A Virtual Machine (VM) is a bit of a catch-all term for a self-contained instance of an operating system that is managed through the host (your computer or server).

For these VMs, with most of my consulting work focused on security and performance, I wanted to create a pair of templates from which I could spin up fully isolated VMs on a dedicated dev server sitting under my desk for testing.

The dev box uses KVM as the virtualisation solution and is provisioned with Ansible, allowing me to provision (create and start) new guests (individual VMs) on the machine easily. This means each client’s project spins up in its own VM, but the VMs’ tooling is identical; it also means any tweaks I make can be applied to all the VMs.

This week I have primarily been working on the security auditing template, which allows me to take WordPress code (be it a plugin, theme or an entire site) and poke and probe it. One of the nice features is the ability to effectively block all network traffic to and from the virtual machine, allowing me to see each HTTP request being made by the application and to inspect the data being sent and received. It’s nowhere near where I want it, but it’s getting there.

On other security-related things, I have been setting up IP blocking at the edge of the network on Google Cloud Platform. Like everything in our “Cloud world”, GCP lets you make API requests to modify its firewall rules, so I spent some time figuring out the best approach to adding a deny list, and allowing the VPS to automatically add rules without having access to any other options. The result will be a blog post in a few weeks, as it wasn’t that easy.

The end product, though, was a new custom action set for Fail2ban that reported jailed IPs to a central processing server, which in turn updated the firewall. Fail2ban is a brilliant tool for managing access to servers, allowing you to build rules that jail users; a jail is effectively a group against which an action is taken. One of the additional things I wanted to do was, when a comment was marked as spam, add the IP to the deny list, so I started to look at the comment approval filters before again realising I was reinventing the wheel. Instead, as I have the Stream plugin enabled on all sites I manage, I reached for my Stream to File plugin and then wrote a Fail2ban filter for automatically detecting comments flagged as spam and blocking their IP.

That, I realise, may have got a little technically heavy, but it is a good example of where using the server’s tools alongside WordPress gives not only greater flexibility but also significantly lower resource use. A far less complicated solution would be to use something like Wordfence, which has a lot of similar ideas baked in but comes with performance penalties.
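To make the Fail2ban side of the comment-spam setup concrete, here is an added example (written for this archive page, not Tim’s Stream to File plugin or his actual filter) of the matching and thresholding a Fail2ban filter performs. The log line layout, the `comments spam` marker, the jail name and the collector URL are all assumptions; the newsletter only says that spam-flagged comments are logged to a file, matched by a filter, and that jailed IPs are reported to a central server.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a hypothetical Stream-to-File layout (assumption:
# the real plugin's line format is not shown in the newsletter). Addresses are
# documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2021-04-20T10:01:02+00:00 comments approved "Comment #510 approved" ip=198.51.100.4
2021-04-20T10:01:40+00:00 comments spam "Comment #511 marked as spam" ip=203.0.113.7
2021-04-20T10:02:15+00:00 comments spam "Comment #512 marked as spam" ip=203.0.113.7
2021-04-20T10:03:05+00:00 comments spam "Comment #513 marked as spam" ip=203.0.113.7
2021-04-20T10:04:00+00:00 comments spam "Comment #514 marked as spam" ip=192.0.2.9
2021-04-20T11:30:00+00:00 comments spam "Comment #520 marked as spam" ip=192.0.2.9
2021-04-20T12:40:00+00:00 comments spam "Comment #530 marked as spam" ip=192.0.2.9
"""

# The equivalent Fail2ban filter.d entry for that layout (Fail2ban's own syntax;
# <HOST> is its placeholder for the address to ban):
#   [Definition]
#   failregex = ^\S+ comments spam .* ip=<HOST>$
# Here the same pattern is expressed as a plain Python regex with named groups.
FAILREGEX = re.compile(
    r'^(?P<ts>\S+) comments spam .* ip=(?P<host>\d{1,3}(?:\.\d{1,3}){3})$'
)


def find_offenders(log_text, maxretry=3, findtime_seconds=600):
    """Return the set of IPs with at least `maxretry` matching lines inside any
    `findtime_seconds` window, mirroring Fail2ban's maxretry/findtime logic.
    Non-matching lines (e.g. approved comments) are ignored."""
    recent = defaultdict(deque)   # ip -> timestamps of matches still in the window
    banned = set()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        ip = m.group("host")
        ts = datetime.fromisoformat(m.group("ts"))
        window = recent[ip]
        window.append(ts)
        # Drop matches that fell out of the sliding window.
        while window and (ts - window[0]).total_seconds() > findtime_seconds:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def build_ban_report(ip, jail="wordpress-comment-spam"):
    """Payload a custom Fail2ban action could send to the central collector
    (assumed JSON shape and jail name; the newsletter only says jailed IPs are
    reported). In action.d this would be an `actionban` line such as:
      actionban = curl -s -X POST -d '{"ip":"<ip>","jail":"<name>"}' https://collector.example/report
    where <ip> and <name> are Fail2ban's own action tags and the URL is a placeholder."""
    return json.dumps({"jail": jail, "ip": ip, "action": "deny"}, sort_keys=True)


if __name__ == "__main__":
    for offender in sorted(find_offenders(SAMPLE_LOG)):
        print(build_ban_report(offender))
```

Run against the sample lines, only `203.0.113.7` is jailed: its three spam comments land inside ten minutes, whereas `192.0.2.9` also has three but spread over hours, so each one ages out of the window before the count reaches `maxretry`. That is the knob worth tuning for comment spam, where a patient spammer posts far more slowly than a brute-forcer.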

I have been continuing to research analytics options; my own site uses Koko Analytics, which I love, but it is very simplistic and also WordPress-only. I have been looking at the 20 or so sites I have some involvement with and thinking it would be nice if we could centralise that. I took a look at and trialled Plausible Analytics; it didn’t quite hit the spot, and I was going to have another look at Fathom next. However, a chance discussion with my friend Chris Butterworth pointed me to Cabin Analytics. So far I have signed up for an account, so expect a bit of feedback over the next few weeks, but I’m liking what I see.

It has also been a bit of an expensive week, and we can add £125 for a new Apple keyboard to the list. Ouch! However, I am justifying my purchase on the basis that my previous Apple keyboard lasted 10 years, so if this achieves similar performance, £12.50 a year is a more than reasonable investment. I was made to feel a little better when one of my friends confessed he has a £300 keyboard that he doesn’t use because he doesn’t want to damage it. I was struggling to come up with words not containing the letters Q, W or Z, so the new keyboard came just in time, as I feared my most visited Google search would be a thesaurus.

Side note: it’s been a while since I have unboxed an Apple product; they are just so good at packaging.

On the Apple front, there has been fairly big news for them, both “good” and bad. The launch of the new range of Macs using their new Arm chips came with a lot of confusion. I use a Mac, but I’m no Apple fanboi; I would say I am an Arm* one, though, and for me the future looks interesting and, dare I say, good.

While I don’t expect to be on a new Apple Arm Mac by Christmas, I can see myself swapping to a Mac Mini for day-to-day things by the middle of next year. However, one thing that caught my attention (and nostalgia) was this Tweet thread comparing the original Arm1 to the Apple M1. It’s well worth a read.

On the bad Apple front, a bug in their OCSP server meant that third-party applications were failing to open for many Mac users for part of Thursday. A very simplified version of what’s going on: Apple verifies third-party apps, and each time an app is opened your computer asks Apple “do you still trust this signature?”. Unfortunately that verification system was so slow to respond that it caused machines to hang and apps not to open. This rightly upset users; the solution for many was to edit their /etc/hosts file so that the OCSP servers couldn’t be reached, thereby bypassing the verification process.

Sounds fine?

I wonder how many removed it once the problem went away, and how they will respond when a bad actor strikes and, while Apple dutifully revokes the certificate, the malicious application opens anyway?

Like most things, there are lots of sides to this story, and one of the biggest seems to be that many people were simply unaware that this is how the system works, and are quite rightly questioning the privacy implications of Apple knowing about every application you open.
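The risk raised above is the override that outlives the outage: while the /etc/hosts entry is in place, a revoked signature is never checked. As an added example (not from the newsletter or from Apple), here is a small check that scans an /etc/hosts file for any entry overriding the OCSP responder, whatever address it points at. The hostname `ocsp.apple.com` and the hosts-file content are assumptions; the newsletter only says users pointed the OCSP servers somewhere unreachable.

```python
# Constructed /etc/hosts content resembling the outage-era workaround (an assumption;
# the newsletter only says users edited /etc/hosts so the OCSP servers could not be reached).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# added during the OCSP outage, remember to remove!
0.0.0.0         ocsp.apple.com
"""

# Hostname assumed to be the OCSP responder the workaround targeted.
OCSP_HOSTS = {"ocsp.apple.com"}


def lingering_ocsp_overrides(hosts_text, watched=OCSP_HOSTS):
    """Return (line number, address, hostname) for every hosts-file entry that
    overrides a watched OCSP hostname. Any override counts, not only 0.0.0.0 or
    loopback, because any static mapping stops the real responder being reached.
    Comments (after '#') and blank lines are ignored, as the resolver ignores them."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                      # address with no names; nothing to override
        address, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in watched:
                findings.append((lineno, address, name.lower()))
    return findings


def read_and_check(path="/etc/hosts"):
    """Convenience wrapper for a real machine: read the file and run the check."""
    with open(path, encoding="utf-8") as fh:
        return lingering_ocsp_overrides(fh.read())


if __name__ == "__main__":
    for lineno, address, name in lingering_ocsp_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} is pinned to {address}; revocation checks are bypassed")
```

Calling `read_and_check()` on a Mac that still carries the workaround reports the offending line number, which is the one to delete once the responder is healthy again; an empty list means the OCSP lookup goes to DNS as normal.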

Finally, I just wanted to give a big shout out to Ross Wintle (who gets a disproportionate amount of shout outs due to the number of great things he is always up to): the lovely folks at Yoast gave him $500 and an interview as part of their community care fund! You can read the whole interview here, but I basically wanted to embarrass Ross that little bit more and also to pass on my thanks for all he does, especially on the UK WordPress Community Slack.

That’s it; as always, thank you for reading, engaging and giving feedback. I think, at least for a little bit, I might stick with this weekly style of post, but we will make a few adjustments along the way. As always, if I can be of any help to you please do get in touch with me; contact details can be found on my site, along with details of my consulting offerings.

If you know anyone who might like this newsletter, please do forward it on to them, and let them know they can subscribe too.

Tim
 

*Disclaimer: I hold investments in and around Arm that are lengthy and complicated to explain, but which make me not an unbiased third party.