Tim Nash – WordPress Cambridge

I recently went to my local WordPress group WordPress Cambridge), where Tim Nash gave a talk about WordPress security.
He works for a hosting company 34sp.com on the security side, so has a slightly different perspective to a normal user or developer.

He outlined some of the tools you could use to inspect a customers site for vulnerabilities. (wpscan.rb, sqlmap.py, xssstrike)

I gave wpscan.rb a go, its quite surprising when you have not used this before how much it can find out. Just pointing it at a few websites, revealed more information than I might want disclosed. I didn’t for example realise how simple it was to list all the sites user names by default.
wpscan –url http://example.com –enumerate u

Its probably good as a quick way of identifying versions of plugins themes and WordPress itself. Its also interesting what it thinks it found that isn’t actually there. So its interesting to run over one of your websites and see what it can discover.

Tim also talked about the merits and otherwise of security plugins and how it’s in their interests to stress the large number of attempts they have blocked in order to sell them selves and other paid for extensions. How its worthwhile asking your hosting company what they have set up on their systems in terms of firewalls and mod security etc to see what they are already doing. Something they can be very vague about in their documentation.

I added something to change version numbers in urls and other generated bits of a WordPress site I was working on the next day. The site is up to date, the main thing, but I thought it would make the automatic probing scripts work a bit harder. Even if I’m just annoying them :)

Its always a bit worrying when you think about this all to much, it can feel especially when you start looking at logs. Tim did point out that at the end of the day its not going to be the end of the world even if despite your best efforts, someone gets at the website. Especially if you have proper backups.

Why you should always add a subject to your emails.

It will make it easier for the receiver to find and understand and then respond to your message.

It will make it easier in the future for you to find your past emails.

It will help you track if you have received a response to your messages.

It makes your message less likely to be classified as spam.

It is considerate of the other people in the conversations time.

It is polite.

It is professional.

Small Worlds Hypothesis

In the 1960’s Stanley Milgram and Jeffrey Travers tried an experiment sending letters.

  1. They sent letters to randomly selected individuals. In each letter was letter explaining the experiment and details of the target person.
  2. If the person receiving the letter knew the target they could forward the letter directly. If they didn’t know the target they were to forward the letter on to to someone they knew who would be more likely to know this person.
  3. Each time to letter was forwarded the forwarder added their name and sent an attached postcard to the researchers. In this way the progress of the letters could be tracked.

The result as its widely spread is the 6 degrees of separation in that on average it took 6 steps between the person who began the process and the person receiving it. So what gets spread about is you are on average 6 people away from anyone else in the world.

Actually it isn’t quite that simple

In fact if you read the experimental paper its not that simple. The target is a stockbroker in Boston of the starting points

  • 196 were solicited by mail in Nebraska of these:
  • 100 were owners of blue chip stocks.
  • 100 volunteers were solicited through a Boston Newspaper

so 296 altogether.

Because the each person forwarding the letter could see who had previously handled it loops were avoided.

217 of 296 letters were sent on of which 64 actually reached the target. Of the completed chains the average distribution of links was 5.2 which is the number that gets rounded up to 6 degrees. So your discounting all the broken or abandoned chains.

To be fair the experimenters spot many of the issues and knowledge them these include

  • The starting points had a strong bias towards being middle class and the target was also middle class.
  • It depends very much on how well the participants were motivated.
  • Your avoiding the odd cases recluses and people who travel constantly for example.

Partly they were interested in how the letters were traveling was it based on geography, or through professional networks.

Failing or incomplete chains

The mean distribution of failed chains in 2.6 there was also a difference between the letters that originated in Boston where the chain was 4.4 and from Nebraska random where the chain length is 5.7 and Nebraska stockholders were 5.5.

Interestingly there was a lot of convergence with people towards the end of the chain occurring repeatedly. Think this is probably one of the more interesting things and linked to ‘super influencers’ and the hubs between networks.

So its interesting but its not so simple as everyone is separated by 6 degrees of separation.