Tag Archives: Security

The Secure Programmer’s Pledge (by Anthony Ferrara; 16 Jul 2012)

Posted by hakre

WordPress: Vulnerability Statistics (CVE)

WordPress: Vulnerability Statistics (via CVE Details)


Many stops equal a U+002E full stop


HTTP Strict Transport Security (HSTS)


Too Yellow to Name a Ticket – WordPress Security Bites Itself Again in 3.0.4 (Updated 2x)

WordPress 3.0.4 is out. What?! [UPDATE: The advisory is now online: Persistent XSS vulnerability – WordPress 3.0.3 (kses.php)] Keep cool. There is a release (all 3.0.2 to 3.0.4 changes), but actually Matt Mullenweg is asking for a security review …


Websocket Protocol Vulnerability

Linked: Disabling the WebSocket protocol (by Anne van Kesteren; 08 Dec 2010). This HTML 5 looks to be a scary mess security-wise. I hope the browser vendors do their jobs.


Slow Crawling Fixes

WordPress 3.0.2 went out some days ago. It was announced as a security release (full 3.0.2 changelog) for the stable WordPress version. While taking a look into the changelog, I got a little flashback. The most prominent security issue was in fact an …


WordPress.com on SSL

If you want to know about protecting your wordpress.com login with SSL, you can read the support page about it. It shows you the checkbox you need to tick. You need to enable it first (Users -> Personal Settings: Browser …


Fun to Play: WordPress 3.0 Multisite SQL Injection Vulnerability Regression?

One reason why the MU fork was re-introduced into the WordPress main trunk was that security updates crept in very slowly or not at all. Development slowed down considerably towards the end of the fork. That left it open …


HTTP/HTML: Missing HTTP-Body/HTML on Redirect

This bothers me often: unfriendly redirects.


Prevent XSS on your wordpress Blog with CSP

CSP – short for Content Security Policy – is a Mozilla-driven specification to reduce or eliminate a site’s XSS attack surface. In Ticket #10237 Denis De Bernardy suggested implementing the new Mozilla feature to prevent XSS. That was …


Enhancing Feeds: Comment RSS Security

There is a known bug in WordPress about publicly displaying feeds for private posts. If you’re using the private post feature, you should consider taking a look at this plugin, which is not officially available in the plugin …


Stripslashed to death? – End the Madness!

Another highly biased post with much #WTF potential, as it’s typed on Twitter: in WordPress there is some pretty stinky code. I always make a joke about the plain wrong slogan “Code is poetry” [sic!], where if that were true, …


Cheap Hack/Worm Protection for your WordPress Blog

On its own this might only be security done by halves, but I thought the idea is not that bad and worth spreading the word. It can normally be set up in seconds on the various Linux-based hostings out there: disable eval. …


Bubbles

Was there a security issue or wasn’t there, behind what many WordPress users experienced at the beginning of April? Google is still full of WordPress sites hacked that way.


Prevent Code Injection in PHP include files

Not long ago, while discussing coding standards, I argued against adding ?> at the end of PHP files. But miqrogroove pointed out to me an interesting aspect of why it can actually make sense to have it, and an additional …


Free PHP Security Poster

The Germany-based security company SektionEins, which specializes in web application and PHP security, has a freebie to offer: you can download or order a PHP security poster. They even send it to you in A0 format for free within …


PHP Open Basedir degrades Security (Bonus)

Some hosters are using the open_basedir restriction because they think it makes hosting somewhat more secure. Well, normally it does not, because a hoster that needs to enable it often shows that the system is not properly configured in respect …


The short memory of WordPress.org security

For the WordPress project it’s said: if you find a bug, report it. The same applies if it is security related. Those who feel – for whatever reason – uncomfortable publicizing it in Trac directly can shoot an …


mysql_real_escape_string and SET NAMES

In #11819 I was looking so hard for clear documentation on mysql_real_escape_string() combined with the use of SET NAMES. I finally found it where I should have looked first: in the MySQL manual. PHP uses the MySQL client library …
