LockDown WordPress Plugin

I’ve been a small-time user of WordPress for… probably 12 years or so.  I’ve had friends and colleagues go “full-on” in to the WordPress world, but it’s never quite felt like my cup of tea.   A bit too much magic, or hard-to-determine steps, etc.  Not horrible, but not my favorite tool.  That said, for blogging directly, it’s great.  

However, I’ve had friends and clients that use it as the basis for everything.  And… they get hacked.  Often.  I see a dozen or more ‘hacked’ WordPress installs a year, and by ‘see’ I mean someone’s asked me to help take a look and fix it.  *ALMOST* always, the final culprit was a malicious file written to the server’s drive, or an existing file overwritten with malicious code, and the WordPress install was spewing out bad stuff (SEO spam, redirects to porn/gambling, web shells to trigger spam emails, etc).

There have been numerous attempts to prevent these attacks, or, in some cases, to make “cleanup” easier.  But in no case I can think of does any service focus on locking down the actual files first, making them unwritable.  This is, in my view, the biggest bang for the buck – prevent writing in the first place, and the majority of exploits will be averted.  You may still have other exploits (XSS, SQL injection, etc) – of course.  But stopping people writing to your drive *before* it happens should be a bigger priority, and it seems to be overlooked.

Welcome LockDownWP

This is a plugin I’ve put together to help make this easier for people who aren’t server admins.  The focus is pretty simple – make all files unwriteable, until you need to write to them.  Press a button, make your files writeable for, say, 10 minutes, get your file changes done, then lock things down again.
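For anyone who wants to see what the lock/unlock cycle above amounts to at the filesystem level, here is an added example in plain POSIX shell. It is not LockDownWP’s own code and it is not from the original post; it assumes the WordPress tree is owned by a deploy account while PHP and the web server run as a different, non-root user (the path and script name in the usage line are made up). Mode bits do not constrain root or a process running as the file owner, so that ownership split is what makes the lock meaningful.

```shell
#!/bin/sh
# Added example (not the LockDownWP plugin's code): the lock/unlock cycle
# described above, done with plain POSIX mode bits. Assumes the WordPress
# tree is owned by a deploy account and the PHP/web server process runs as
# a different, non-root user; mode bits do not constrain root or the owner.

# Make every file read-only and every directory non-writable (no new
# files, no renames, no deletions), while keeping them readable and
# traversable so the web server can still serve the site.
lockdown_wp() {
  root="$1"
  find "$root" -type d -exec chmod 555 {} +
  find "$root" -type f -exec chmod 444 {} +
}

# Restore the usual owner-writable modes so updates can be applied.
unlock_wp() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Unlock now and schedule a re-lock after N minutes (default 10), so a
# forgotten "unlock" does not leave the tree writable indefinitely.
unlock_for() {
  root="$1"; minutes="${2:-10}"
  unlock_wp "$root"
  ( sleep "$((minutes * 60))"; lockdown_wp "$root" ) &
}

# Returns 0 when nothing under root still has the owner-write bit set.
is_locked() {
  [ -z "$(find "$1" \( -type f -o -type d \) -perm -200 -print | head -n 1)" ]
}

# Usage (hypothetical path): sh lockdown.sh lock|unlock|status /var/www/example
case "${1:-}" in
  lock)   lockdown_wp "${2:?wordpress root}" ;;
  unlock) unlock_for "${2:?wordpress root}" "${3:-10}" ;;
  status) is_locked "${2:?wordpress root}" && echo locked || echo writable ;;
esac
```

The `status` check is the part worth wiring into monitoring: a tree that reports `writable` outside an update window is the signal that a lock was forgotten or undone.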

Is this foolproof? Of course not – you’ll still need to keep the system up to date to prevent other exploits, but I can say that since I’ve been using this technique, I’ve not had any malicious code injected on any servers I manage (and, before I took this approach, it was a … not-uncommon thing I was dealing with).

There’s more on the way for this – it’s still a beta version at this point, but I’d love any feedback you have on the plugin, or ideas you’d like to see.

Take a look at LockDownWP

Small new project – mutual NDAs


Haven’t blogged in a long time…. 🙂

Have had multiple ideas for projects in the back of my mind for years, and rarely get the chance to work on them (or force myself to when I have the time).

As with many ideas, you struggle to even explain them to someone, or you find there’s dozens of options already out there.  Yet we push on…

I meet a fair number of people in the tech world, and many people want to discuss ideas, but often want NDAs.  I don’t often sign them, often because they’re one-sided, or very more one-sided, or even extremely one-sided.  And long.  5 years after we stop talking, or ‘in perpetuity’.  I’ve wanted something a bit more lightweight, and fast, to act as a sign of good faith while not tying either party to something which will present problems later.  Lastly, I wanted a place to keep track of these sorts of docs (and eventually others) – an NDA has date/time limits on it, and I often forget where mine are.

So… mutualndas.com was put together.  This gives you the ability to send over a mutual NDA with a definable length of enforcement, definable jurisdiction, and allows for basic electronic signature.  I can send out an NDA, and the other person can sign it (on desktop or mobile device) and send it back, and we each get a PDF emailed to us, all in about 2 minutes (longer if the other party wants to read the whole thing, of course!)

There’s precisely one NDA – a boilerplate – which I’m going to change a bit (and have an attorney give me some input based on those changes), and eventually offer a few options on this.  Again, this is mostly for myself, and lots of small things that could be added, but I’m putting it out there now just to see what sort of feedback I get.  Would like to charge for this service at some point (unlimited docs, alerts before “end of first year”, etc), and potentially some area to document specific “confidential” items.  Often these sorts of NDAs indicate that you have to keep “confidential” info confidential, but the  term can be nebulous.  In a mutual NDA, if you were to document certain items you consider confidential (up front or during the course of the engagement) it would serve as a third party record.

In any event, give it a shot and tell me what you think 🙂

Importance of backups…

Well… here we are.  10 years later, and … no backups.  Or… none of the data that’s important.

Recently had a drive crash in my main server where this blog is hosted.  Had it happen 2 years ago, but the data was recovered, and I put everything on automatic backups.  Using Virtualmin, a great control panel, I had it automatically back things up to S3 and to a second local drive.

HOWEVER… I got lazy.  I made some databases by hand, instead of using the Virtualmin tools (either CLI tools or web screen), and the blog database had been disassociated from the main domain account, and it wasn’t backed up.
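The gap described here (a database that exists on the server but that no backup job knows about) is easy to catch with a coverage check. The following is an added example in POSIX shell, not part of Virtualmin or of the original post: it compares the list of databases the server actually has against the list the backup configuration covers and reports anything uncovered. The two lists below are constructed sample data; on a real host the first would come from `mysql -N -e 'SHOW DATABASES'` and the second from whatever your backup tool is configured to dump.

```shell
#!/bin/sh
# Added example, not part of Virtualmin or the original post: a coverage
# check for the failure mode described above, a database created by hand
# that no backup job knows about. Inputs are two newline-separated lists:
# every database the server actually has, and every database the backup
# configuration covers. The lists below are constructed sample data; in
# practice the first comes from `mysql -N -e 'SHOW DATABASES'` and the
# second from your backup tool's configuration.

# Print databases present on the server but absent from the backup set,
# skipping MySQL's own system schemas, which are not user data.
unbacked_up_dbs() {
  existing="$1"; covered="$2"
  printf '%s\n' "$existing" | sort -u | while IFS= read -r db; do
    case "$db" in
      ''|information_schema|performance_schema|mysql|sys) continue ;;
    esac
    printf '%s\n' "$covered" | grep -qxF -- "$db" || printf '%s\n' "$db"
  done
}

# Constructed sample: the blog database was created by hand and never
# associated with the domain account, so the backup config does not list it.
SAMPLE_EXISTING='information_schema
mysql
performance_schema
sys
example_com
example_com_shop
blog_db_by_hand'
SAMPLE_COVERED='example_com
example_com_shop'

# Exit non-zero when there is a gap, so this can run from cron and alert.
check_backup_coverage() {
  missing="$(unbacked_up_dbs "$1" "$2")"
  [ -z "$missing" ] && return 0
  printf 'NOT BACKED UP:\n%s\n' "$missing" >&2
  return 1
}
```

Run from cron with real inputs, the non-zero exit is what turns a quiet omission into an alert before the next drive failure rather than after it.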

I’ve just lost 10 years of blog posts, comments, etc.  I’ve asked for the drive, if it’s still around, to be shipped to me, and I may try to recover data (a few other bits would be really useful to have as well), but I’ve had to come to terms with the notion that it just may be gone.  🙁

This may energize me to post here more, however.  I’ve gotten a bit lazy and engaged people more on facebook the last year or so, vs here, and I’ve missed posting here, so… I may be back in more volume soon!