Interesting post on Cloudflare about how the common banking login system of asking for part of a password is actually not very good security at all.
Source: Banking-Grade Credential Stuffing: The Futility of Partial Password Validation
2020Media is delighted to announce new features to their Managed WordPress hosting plans.
“The 2020Media Managed WordPress service keeps on getting better and better” … Richard Clarke
If you’re looking for a faster, safer website, you’ve got a good start with 2020Media. Contact us on 0370 321 2020 or email sales@2020media.com
Source: Security hotfixes for Joomla EOL versions – Joomla! Documentation
The Joomla project has just released Joomla 3.4.6 to address a Critical Vulnerability.
The vulnerability is also present in discontinued Joomla 2.5 and 1.5 series (Joomla 1.0 is ok). If you still have sites running off these old Joomla versions you must patch them appropriately.
For these old versions, a simply file replacement is all that is needed.
https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions
2020Media will happily undertake this replacement for any Joomla user, whether they are a customer or not. Please let us know if we can help by contacting us.
Drupalgeddon!The recent #drupalgeddon incident and comments from a customer made us rethink how we apply Drupal updates for customers (2020Media is a leading UK Drupal hosting provider. We offer a tuned hosting environment for Drupal that is fast and responsive).
For those who missed it on the BBC news and elsewhere, ‘drupalgeddon’ was a security weakness in the Drupal content management system which allowed attackers to take over websites.
The WordPress brute-force login attacks show little sign of abating and we recommend all users ensure their sites are secured against this attack.
Since spring 2013, hackers have been calling the WordPress login url with “standard” usernames (like ‘admin’) and thousands of passwords. In our experience nearly all users have ‘admin’ as a user account so this makes them especially vulnerable.
Well – not a solution exactly but it should protect your site being hacked.
The solution we propose is to change your username to something only you know about. If you are creating a new WordPress site, don’t use the default ‘admin’. Choose a new username.
If you have an existing site, you can’t simply delete the user ‘admin’ – therefore there are lot’s of free plugins around to change it instead. The one we’ve been using is called ‘Username Changer’. Install it, activate it, change your username and then remove it. It’s a one off job.
Additionally 2020Media would like to see these WordPress attacks stop – realistically this is not going to happen – it’s a distributed attack from botnets, and things will change only when it’s not worth the hackers while any more.
2020Media are happy to change your login username for you plus we can add additional server-side security which will mitigate the denial-of-service aspects of the attack.
The Managed WordPress service from 2020Media is something anyone not logging in to their WordPress site on a weekly basis should seriously consider. Even if you do, get peace of mind as updates to WordPress, Themes and plugins are done for you. Read more
http://www.bbc.com/news/technology-29846539
Mark Stockley, an analyst at security firm Sophos, said the warning was “shocking”. “Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.” There is strong feeling on both sides with many arguing against “dumbing down” Drupal.
Whilst we wait for an auto-update mechanism in Drupal (perhaps in Drupal 8?), we’ve always been able to update Drupal for our customers. It’s a free service but one done “on request”.
We do not apply updates automatically to any and all Drupal sites we host for a very good reason. The risk of breaking a customer’s site is too great. It’s worth noting the Drupalgeddon security problem was the first such in 9 years. So it’s arguable the risk of such a security problem happening again on such a scale is manageably small. Drupal updates typically replace the entire Drupal codebase, leaving just the /sites/ folder untouched. If a customer or their developer has made any changes to a core file, these changes will be wiped out.
Sometimes a bug will be fixed or a feature changed as a result of an update. The site may well have a work around in place already for the bug and the update will then cause the site to break. These are just a few of the reasons.
The problem for us is, we did not build the site in the first place, nor are we familiar with it’s inner workings. So for us to be sure the site is in a working state after an update is very hard to do. A working homepage does not signify the site is 100% working. If the customer is going to be involved, which in our view they have to be, to check the site after the update, they should be involved all the way through – from the point of getting a Drupal notification email of an update, or getting a notification from the Drupal security list through to the timing of the update, to checking the site afterwards in case a roll back is required.
What changes have we made? Actually very little. We have simply streamlined our internal processes to make the technical side of doing the update a lot quicker. A lot of our customers have several sites with us. So we are now using some simply scripting so we can update all a customers sites, once they give us the go ahead.
Inspiration for the scripting came from Dane Powell ‘s blog: http://danepowell.com/node/69
Our version of the script is:
Update Multiple Drupal Sites Script
#!/usr/bin/env bash
installpath[1]=/our/pathtosite1
installpath[2]=/our/pathtosite2
installpath[3]=/our/pathtosite3
for index in 1 2 3
do
filepath=${installpath[index]}
printf "Updating %s\n" "$filepath"
cd $filepath
drush pm-refresh
drush archive-dump --overwrite --destination=/pathforbackups/backup.tar
yes | cp .htaccess ../
drush vset --always-set maintenance_mode 1
drush cache-clear all
drush up drupal --yes
drush vset --always-set maintenance_mode 0
drush cache-clear all
yes | cp ../.htaccess ./
chown -R apache:apache ./
done
Notes on the script.
This script is for discrete Drupal sites, not Drupal multisite.
We copy .htaccess out of the way and put it back afterwards and we noticed Drupal updates sometimes overwrote the original.
The final steps resets the file ownership permissions on the site to whatever your webserver runs as. If using suphp this would need to be changed.
Output is written to the command line so you can see what is going on.
Use at your own risk. Comments and improvements are welcome.