Archives for 2017

Using SSL on WordPress? Not All Hosting is the Same

Introduction

I'm a huge fan of WordPress, and I've had this blog hosted on WordPress for many years. Given my security background, I always try to make my site as secure as possible without breaking functionality. One important feature, both for SEO and security, is SSL. All you need is an SSL certificate, right? Nope! And that's the basis of this post.

Not all SSL Configurations are the Same

Under the hood of SSL are a number of configuration options that you are probably not even aware of. Most of these relate to the supported protocols and cipher suites that can be negotiated with your site. These are generally web server back-end settings. A lot of SSL protocols and cipher suites have not stood the test of time and are deemed flat-out insecure or weak. For example, RC4 is pathetically insecure and should never be used.

Most quality WordPress hosting companies provide free SSL certificates, so many people think it's just a single click (or even automated) to get your site secure with SSL. Not so! Your hosting company configured which protocols and cipher suites are available, and if your hoster isn't security conscious they can leave your website vulnerable and degrade your site's security. Never for a second think that just because you have an SSL certificate you are secure!

How to test your SSL

Fortunately, it's dead easy even for a non-techie to test the SSL security of your site. All you need to do is go over to SSL labs and run a test against your domain. After a couple of minutes it will give your site a letter grade, and a lot of tech details about what it found. For example, on my WP Engine hosted WordPress sites I have an A+ rating. With a shared hosting plan with another company I got a poor B score with numerous security warnings. Take a minute and check your site now so you can see a full report.

The "A+" SSL Lab Report

First let me start with a site that passes with flying colors: this blog. As you can see in the graphic below, it scores an A+ and also uses HSTS. HSTS is a policy that forces browsers to use only TLS/SSL when talking to your site; you can read about how to configure it in a blog post I wrote here. This test result is from my current provider, WP Engine, using their managed WordPress offering. It's not cheap by any means, but frankly, in most cases you get what you pay for with hosting.

As you scroll down the report you also get a list of the protocols and cipher suites that your site supports. Looking at the report below, you see that none of the cipher suites are tagged as insecure or weak. That is good! It looks exactly like what we want. Thank you WP Engine!

The "B" SSL Lab Report

Recently I got an economical (entry level, shared plan) WordPress hosting account with InMotion hosting, just for experimentation purposes. I could try out new tools, check out another hoster's performance, and see if there was any compelling reason to consider a future move away from WP Engine to something less expensive. 

I stood up a new domain, got their free SSL certificate, and then ran an SSL Labs scan. I was horrified to see the results. Overall it got a "B", which may not sound bad, but digging into the details really made me uneasy. I had to contact their tech support, but more about that later in this post.

Looking into the details of the "B" grade you can see that RC4 is supported (very, very insecure) and that forward secrecy is not supported. But let's dig deeper into the cipher suites to see what's going on.

Right off the bat you can see three cipher suites are enabled that use RC4. Really bad! And another three cipher suites are labelled 'weak'. Also not good, but not as bad as 'insecure'. Clearly, this is significantly worse than the WP Engine scan.
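As an added illustration (not from the post, SSL Labs or either hoster), here is a small Python classifier that applies the three findings above to a cipher-suite list: RC4 is insecure, 3DES is weak, and static RSA/DH key exchange gives no forward secrecy. The sample suite lists are constructed, and the rules are a simplification of how a scanner labels suites, not SSL Labs' actual scoring.

```python
"""Classify the cipher suites a TLS scan reports, flagging the three problems
the post describes: RC4 (insecure), 3DES (weak) and no forward secrecy.
The rules are a simplification of scanner labels, not SSL Labs' exact
scoring (assumption)."""
import re
from collections import Counter

# Constructed sample inputs, not copied from any real scan.
B_GRADE_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",             # RC4: insecure
    "TLS_RSA_WITH_RC4_128_MD5",             # RC4 + MD5: insecure
    "TLS_ECDH_RSA_WITH_RC4_128_SHA",        # RC4 (static ECDH): insecure
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",        # 3DES: weak
    "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",   # 3DES: weak
    "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA",     # 3DES: weak
    "TLS_RSA_WITH_AES_128_CBC_SHA",         # ok, but static RSA: no forward secrecy
    "TLS_RSA_WITH_AES_256_GCM_SHA384",      # ok, but static RSA: no forward secrecy
]
A_GRADE_SUITES = [
    "TLS_AES_256_GCM_SHA384",                        # TLS 1.3: always ephemeral
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
]


def _tokens(name):
    """Split an IANA ("TLS_RSA_WITH_RC4_128_SHA") or OpenSSL ("RC4-SHA") suite
    name into a set of upper-case tokens."""
    return set(re.split(r"[_-]", name.upper()))


def is_tls13(name):
    # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) name no key exchange, so the
    # IANA "WITH" separator is absent.
    return name.upper().startswith("TLS_") and "WITH" not in _tokens(name)


def has_forward_secrecy(name):
    """True when the key exchange is ephemeral (EC)DH, so a recorded session
    cannot be decrypted later with the server's long-term private key."""
    return is_tls13(name) or bool({"ECDHE", "DHE", "EDH"} & _tokens(name))


def classify(name):
    """Return 'insecure', 'weak' or 'ok' for one suite."""
    t = _tokens(name)
    single_des = "DES" in t and not ({"3DES", "CBC3"} & t)
    broken = {"RC4", "NULL", "EXPORT", "EXP", "ANON", "ADH", "AECDH", "MD5"}
    if broken & t or single_des:
        return "insecure"
    if {"3DES", "CBC3"} & t:
        return "weak"
    return "ok"


def summarize(suites):
    """Counts per label plus a report-style forward-secrecy verdict."""
    counts = Counter(classify(s) for s in suites)
    fs = sum(1 for s in suites if has_forward_secrecy(s))
    fs_label = "no" if fs == 0 else ("yes" if fs == len(suites) else "partial")
    return {"insecure": counts["insecure"], "weak": counts["weak"],
            "ok": counts["ok"], "forward_secrecy": fs_label}


def findings(suites):
    """The suites a hoster should be asked to disable, with their label."""
    return [(s, classify(s)) for s in suites if classify(s) != "ok"]


if __name__ == "__main__":
    for label, suites in (("B-grade sample", B_GRADE_SUITES),
                          ("A-grade sample", A_GRADE_SUITES)):
        print(label, summarize(suites))
        for suite, verdict in findings(suites):
            print("  ", verdict.upper(), suite)
```

The `findings` list is the kind of thing to paste into a support ticket: the exact suite names that need to be disabled.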

Fixing the Issues

Because the protocols and cipher suites are back-end configuration settings, I contacted InMotion tech support to see what they could do. There was bad news and good news. First, for the shared plan I was using, NOTHING could be done, as the TLS/SSL configuration is shared across numerous customers. However, on their VPS plans, individual sites can be configured to each customer's requirements. If I were on a VPS plan, the hoster would take care of all the configuration. You should then re-test and see if the security holes were plugged. An A+ rating is not too hard to get and doesn't require techie-level skills.

Summary

Even if you have an SSL certificate on your site, that does NOT mean you are optimally configured. Your hoster could be using very insecure settings, but you'd never know without testing. So if you have never tested your website's SSL, do it immediately. You may be shocked by what is lurking in the results. On the flip side, most of the work is done by your hosting service, so you don't need to know which files to configure. I'd just send them a screenshot of the 'bad' results and tell them to fix it.

You also need to be conscious of which plan you are using with a provider, and how that impacts security. For example, my shared plan with InMotion doesn't allow them to tweak the SSL security whereas their VPS plan would. Whether you want to spend the additional money for VPS (or find another provider that's more secure by default), that's your call. 

Knowledge is power, and knowing where your site's SSL stands is important. It's up to you whether you want to fix it and get an A+ rating or not. If you are running any type of security sensitive transactions like payments or storing personal information, I'd urge you to configure your site for an A+ SSL labs rating. 

Top WordPress Plugins You Should Use Pt. 1

I've been running a WordPress blog for over 4 years, and recently started a 'back end' plugin refresh cycle. I'm also working on a new WordPress site for my photography outlet, and did a lot of research into the best-of WordPress plugins. Most of the plugins I'll cover are fairly generic and could work on a variety of sites (blog, ecommerce, etc.). Some plugins are free, some freemium (free basic version plus a Pro version), and some outright premium. I encourage you to look at and review each plugin to see if it fills a hole in your WordPress site.

1. Ajax Search Pro - This is an amazing WordPress search plugin that literally has hundreds of logically organized customization options. You can configure multiple search 'engines' all with totally unique settings. This lets you have different search experiences on different areas of your site. It's hard to do this plugin justice with the almost infinite configuration controls you have. Try out the search feature on this blog to get a tiny glimpse of what it can do.


2. All in One Favicon - This adds favicons to your site (the little icons in the address bar of your browser). It's a simple plugin that lets you upload ICO, GIF, PNG and Apple touch icons in a couple of clicks. Great for branding!

3. Anti-Spam by CleanTalk - This is an amazing plugin that stops 99% of the spam hitting your site via contact forms, comments, contact emails, orders, WooCommerce, etc. I've found it much better than Akismet. You can read my full review here.


4. Astra (Pro) Theme - I'm using this for my new photography site, and hopefully this spring I'll convert this blog over as well. It's an amazingly customizable and responsive WordPress theme. It also works seamlessly with page builders such as Elementor and Beaver Builder. There's also a free add-on called Astra Hooks, which lets you "hook" into various elements of the Astra theme via the customizer.


5. Child Theme Configurator - This lets you easily create a child theme from your parent theme. Using a child theme is always advisable, so that customizations you make to the theme stay around even if the software vendor updates the parent theme. Great for use with Astra! 


6. Customizer Export/Import - This plugin allows you to export and import your theme customizer settings, right within the customizer. Great for building a new site, so you can try out various options and roll-back/forward as needed until you get things just right. 

7. Imagify - WordPress page load times are critical, and Imagify will strategically and automatically compress images that you upload to your WordPress site. It's a paid service, and for bloggers, I recommend the "semi hidden" single purchase quota plan vs. their monthly or yearly plans. It's fully automated, and even compresses all thumbnails that your theme creates on the back-end. It can also do bulk compression, great for using it the first time. A 500MB one time plan runs $5.99.


8. iThemes Security (Pro) - A spectacularly well designed security plugin that has a number of modules, including two-factor authentication, malware scanning, and a lot more. I just upgraded to the Pro version, and really enjoy the added modules such as 2FA. Highly recommended, and WP Engine friendly (they disallow many 'security' plugins due to poor performance).


9. iThemes Sync - As a companion to iThemes Security, this is a SaaS offering which lets you manage one or more WordPress sites and their iThemes Security settings. It supports SSO, meaning once you authenticate to the iThemes Sync portal, you can immediately pop into your WordPress management console. It supports 2FA, and is free for up to 10 managed sites. What I really like about this, even for a single site, is its ability to notify you when ANY updates are available (plugins, theme, WordPress core, etc.). I have it configured for a nightly email if updates are available. You can have it auto-update your site if you wish.


10. Microthemer - Ever wanted to tweak your WordPress theme? Change a color here, spacing there, widget header colors, etc.? Well, normally you'd need to be a CSS expert (which I am not). This tool provides a visual way to select objects/areas on your live site, modify dozens of properties, and then either 1) automatically apply them to your site in the background or 2) export the CSS so you can put it in the theme customizer or another file. I found it very helpful in changing the look of Astra Pro to better suit my tastes.


Summary

As you can see, there are a number of WordPress plugins that are applicable to a wide variety of sites. This list doesn't cover all the plugins I use, just the ones I feel are some of the most useful. Some are free, others are freemium and others are paid. I didn't want this post to get too long, so coming up will be a Part 2, covering another batch of plugins that I really like.

VMware Tools 10.2.0 Released

Hot off the press is a new version of VMware Tools, 10.2.0. This has a number of bug fixes and an updated OS support list. For security geeks, VMware Tools finally supports ASLR (Address Space Layout Randomization). There's also a Windows 10 Fall Creators Update (1709) fix tucked in there as well. You can find the full release notes here.

One cool feature of this release is a VIB for vSphere 5.5, 6.0 and 6.5. This lets you update the 'baked in' tools of the ESXi hypervisor. This VIB can be pushed via VMware Update Manager (VUM).

Direct downloads are available here.

Windows 10 Credential Guard and VMware Workstation 14

Microsoft has been very busy adding new security features to Windows 10. It seems that each release gets something new, or existing features are enhanced. For enterprises, one of the great new-ish features is Windows Defender Credential Guard. What is Credential Guard? It uses VBS (virtualization-based security) to help mitigate pass-the-hash and pass-the-ticket attacks. I wrote a how-to blog article many years ago on how one can 'root' a Windows 7 PC and ultimately compromise the whole network, including domain controllers. It was scary easy. Windows 8 was supposed to make it harder, but Windows 10 with the Fall Creators Update (1709) has really raised the bar.

But until the release of VMware Workstation 14, you couldn't easily test these new features in a virtual environment. However, Workstation 14 has explicitly added support for VBS in hardware version 14, and the UEFI firmware supports secure boot. This now allows one to test Windows Defender Credential Guard. The whole process is fairly easy, but a few requirements must be met:

  1. VMware Workstation 14 (or later)
  2. Windows 10 Enterprise edition (no Home/Pro), version 1709 (Fall Creators Update)
  3. A physical host that is modern enough to support virtualization extensions

Workstation 14 Credential Guard Configuration

Let’s get started with configuring the VM hardware on Workstation 14 to appropriately support VBS and secure boot.  I’ll assume you are familiar with Workstation basics. VM size just for basic testing can be 1 vCPU and 2GB of RAM.

  1. Create a new virtual machine using the custom (advanced) wizard.
  2. Select hardware compatibility: Workstation 14.x
  3. Select ‘I will install the operating system later’
  4. Select ‘Microsoft Windows 10 x64’ guest operating system
  5. Select a VM name and location that you desire
  6. Select UEFI and secure boot firmware type
  7. Choose the processors/cores that you desire
  8. Choose the memory configuration you desire
  9. Choose the network connection type you desire
  10. Leave the SCSI controller type and virtual disk type
  11. Create a new virtual disk
  12. Allocate sufficient storage and split as needed
  13. Choose a disk file name that you desire
  14. Click Finish
  15. Edit the VM settings and click on the Options tab
  16. Click on Advanced and check the box next to Enable VBS

Now that your VM hardware is properly configured, next, install Windows 10 Enterprise Edition 1709. I won’t go through that process, as there’s nothing special to do until it’s fully installed and you have a desktop. Once you have a desktop, come back to this post and resume the configuration. Be sure to grab the latest VMware tools, which has updates for Windows 10 Fall creator’s update, here.

Windows 10 Credential Guard Configuration

1. Press the Windows key and type system information.
2. Scroll down on the summary page and look at Virtualization-based security. It should show not enabled.
3. Press the Windows key and type features.
4. Scroll down to Hyper-V, Hyper-V Platform, and check Hyper-V Hypervisor.
5. Wait for the feature to be added, but do NOT reboot.
6. Open gpedit.msc. Navigate to Computer Configuration, Administrative Templates, System, Device Guard.
7. Enable the Turn on Virtualization Based Security policy.
8. Select the options below, or enable UEFI lock for a production environment to prevent remote manipulation of these settings. You can also turn on the UEFI memory attributes table if you wish.
9. Close gpedit and do a gpupdate /force from the command line.
10. Restart the VM. Open System Information and on the summary page scroll down to the very bottom. Verify virtualization-based security is running.

Summary

As you can see from this post, enabling Windows Defender Credential Guard is pretty easy. Workstation 14 supports it out of the box. VBS is a new feature of Hardware Version 14, which vSphere 6.5 does not support. So any support for VBS would come in a future vSphere update. Workstation often foreshadows upcoming vSphere features, so I wouldn’t be surprised to see it in the next version.

CleanTalk anti-spam WordPress Plug-in Review

I’ve been running this blog for a number of years (since 2009), and one thing that really irks me is the amount of spam comments my blog gets. I use comment moderation (sorry for sometimes being way behind in moderation, BTW), so my blog isn’t full of spammy comments. Spammy contact emails can happen as well. But it can obscure real comments that I need to moderate. For example, over the last few years my blog has over 9,500 spammy comments:

Needless to say, I'm not manually reviewing/deleting 9638 comments! I'm starting up a parallel photography site on WordPress, and thought it was about time to find a new anti-spam solution. I had previously been using Akismet, which clearly was not doing a good job. In fact, I would call it a poor to very sucky job. After some research, I found CleanTalk. Reviewers said it was much better than Akismet, which was music to my ears.

I disabled Akismet and installed CleanTalk. I gave it approximately a week, to see how well it did. It’s vastly better, and blocked more than 4,600 spam attempts. Only 4 got through and that was before I enabled the SpamFirewall option.

Since enabling the SpamFirewall option, I haven't had any slip through! Yippee! While I don't expect any solution to work 100%, CleanTalk is a very significant upgrade and well worth the small fee. Speaking of fees, yes, it's not a free service. Depending on the number of sites, number of years, and their add-on packages, it still is quite the value. For example, I did 3 web sites for 3 years and it was a whopping total of $38.

They do have a mobile phone app as well, but frankly, don’t bother. While I appreciate their attempt at adding a mobile dashboard, it’s pretty pathetic. And, it’s not like you need to routinely access the service. So for me, it’s just a set it and forget it service and ditch the mobile app.

If you run a WordPress site and are tired of spam, give CleanTalk a try. It has a free trial period, which proved to me that it works as advertised and lives up to the positive reviews.

Enabling HTTP Strict Transport Security (HSTS) For WordPress

If you are a WordPress site administrator, one of the things you can do to improve SEO results and security is to secure your site with SSL. Yes, even if you aren't doing transactions like ecommerce, PayPal, etc., using SSL is still recommended. Depending on your WordPress hosting company, they may even have free SSL certificates for you to use. But there are different flavors and configurations of SSL that can improve or detract from your security posture. One feature that was recently brought to my attention is HTTP Strict Transport Security, or HSTS.

HSTS, in short, tells your browser that you only want it to use (and enforce) SSL connections. Attempts to downgrade to non-encrypted communications are prohibited. HSTS is a flag that you configure on your WordPress site, and is not enabled by default (that I’m aware of). Since SSL configuration can be tricky, and you can end up with mixed mode content, I recommend a WordPress plug-in called Really Simple SSL.

As the plugin name implies, this makes configuring SSL (with HSTS) super easy and all from the GUI. It also scans your WordPress site for potential mixed content issues and brings them to your attention. My site had a couple of flagged issues that I fixed. The free version of the plug-in doesn’t configure/test HSTS for you, but their premium version does (and makes it 1-click easy).

However, it may still take a bit of configuration tweaking to fully enable HSTS. First, after you enable HSTS in the plugin, go to hstspreload.org and check your results. In my case, I had two errors. My site is currently error free, so I’m using aol.com as an example for what you may see.

First, ignore the "no HSTS header" error. That is likely caused by the second error and does not mean Really Simple SSL didn't do its HSTS configuration. I use WP Engine as my provider, so I contacted their help desk and gave them a copy of the error. They did some back-end redirection magic and fixed up the redirection issue in about 15 minutes. My redirection issue was slightly different from AOL's problem, but caused the same red failure message. After your redirection issue is fixed, re-try the scan. In my case, it came back with a green screen showing everything is good. Next, you can submit your site to be included on the global HSTS preload list, which I also did. Many browsers, like Chrome and Firefox, use the HSTS preload list for additional security measures.
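As an added example (not part of the post, of hstspreload.org, or of the Really Simple SSL plugin), the Python below checks a constructed redirect chain and its Strict-Transport-Security header the way the two scan errors above surface: the plain-http request must redirect to https on the same host before anything else, and every https response must carry a header with a long enough max-age plus the includeSubDomains and preload directives. The one-year max-age minimum is hstspreload.org's requirement as I understand it at time of writing; the sample responses are made up.

```python
"""Check an http->https redirect chain and its Strict-Transport-Security
header against the hstspreload.org submission rules, using constructed
sample responses (no network access needed)."""
from urllib.parse import urlparse

# Minimum max-age hstspreload.org asks for at time of writing (assumption).
MIN_MAX_AGE = 31536000  # one year, in seconds


def _header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def parse_hsts(value):
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    policy = {"max_age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                policy["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age is treated as absent
        elif key == "includesubdomains":
            policy["includeSubDomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy


def check_header(value):
    """Errors for one HTTPS response's HSTS header (empty list = compliant)."""
    if value is None:
        return ["no HSTS header"]
    p = parse_hsts(value)
    errors = []
    if p["max_age"] is None:
        errors.append("max-age missing")
    elif p["max_age"] < MIN_MAX_AGE:
        errors.append(f"max-age {p['max_age']} is below {MIN_MAX_AGE}")
    if not p["includeSubDomains"]:
        errors.append("includeSubDomains directive missing")
    if not p["preload"]:
        errors.append("preload directive missing")
    return errors


def check_chain(hops):
    """hops: [(url, status, headers), ...] starting with the plain-http request.
    The first hop must redirect to https on the *same* host, and every https
    hop (intermediate redirects included) must carry a compliant header."""
    errors = []
    url, status, headers = hops[0]
    src = urlparse(url)
    if src.scheme == "http":
        dst = urlparse(_header(headers, "Location") or "")
        if (status not in (301, 302, 307, 308) or dst.scheme != "https"
                or dst.hostname != src.hostname):
            errors.append(f"{url} must redirect to https://{src.hostname}/ first")
    for url, status, headers in hops:
        if urlparse(url).scheme == "https":
            for e in check_header(_header(headers, "Strict-Transport-Security")):
                errors.append(f"{url}: {e}")
    return errors


# Constructed chains: one that passes, one that reproduces both scan errors
# (redirect straight to www, and no HSTS header on the https page).
GOOD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://example.com/"}),
    ("https://example.com/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
]
BAD_CHAIN = [
    ("http://example.com/", 301, {"Location": "https://www.example.com/"}),
    ("https://www.example.com/", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_chain(chain) or ["OK"])
```

To run it against a real site you would record each hop's URL, status and headers (for example with curl -sI, following no redirects) and feed them in as the hops list.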

And just to make sure my SSL is in top-notch shape, I went over to SSL Labs and ran a test. And yes, my site is now rated A+, which is exceptionally good. It even picks up the fact that I'm successfully using HSTS.

And there you go! A simple, but not totally free, way to deploy and check HSTS on your WordPress site. Given the plug-in is just a few dollars, and helps fix up a variety of SSL issues besides HSTS, I think it’s money well spent.

Perl.exe 0xc0000142 Failure Solution

The other day I was trying to use Jeffrey's "Metadata Wrangler" plugin for Lightroom. However, it was failing with a perl.exe 0xc0000142 error. I had just updated my computer to the Windows 10 Fall Creators Update (1709), so it crossed my mind that maybe that was the cause. I had also increased the security settings, but hadn't experienced any issues thus far. After some digging, I found the issue with Perl and the solution.

In the Windows 10 Fall Creators Update, Microsoft has added new security options that were previously in Microsoft EMET. They call this Windows Defender Exploit Guard. You can find these new settings at: Windows Defender Security Center > App & Browser Control > Exploit protection. Typically everything is on by default except Mandatory ASLR. I had turned it on a few days ago, as I'm kind of a security nut.

Mandatory ASLR

I tried the failing perl.exe on another Windows 10 Fall Creators Update machine without mandatory ASLR enforced and it ran. Bingo! So I turned off mandatory ASLR, rebooted, and now perl.exe works fine. This solved the problem with Metadata Wrangler, and it now works as advertised. The Exploit Protection center does allow you to add specific program exceptions as well, so you could add perl.exe and turn off mandatory ASLR for it alone while leaving it on for the rest of the system. I suspected I might run into other compatibility issues, so I just turned it off system-wide.

VMworld 2017: What's new in storage

Session: SER1317BU

Faster storage needs faster networks
-10/25/40 NICs are now the norm
-Protocol stack needs to be upgraded with new storage protocols
-Performance of AFA depends on network connection with low latency
-32Gbps FC is shipping, 64Gbps is coming

NVMe – A logical device interface to NVM devices
-PCIe is the physical interface and NVMe is the protocol
-up to 64K queues and 64K queue depth
-All major OSes support NVMe

NVMeoFabric
-Allows a large number of NVMe drives to be placed in external storage
-Aims for no more than 10 microseconds latency overhead compared to local NVMe

vSphere 6.5 Features
-VMFS 6.0
*metadata is 4K aligned
*supports 64-bit addressing
*NO in-place upgrade from VMFS 5.0. See KB 2147824

Automatic Unmap in 6.5
-Automatic unmap support when VM is deleted/migrated
-Space reclamation requests from guest OSes which support UNMAP
-Only automatic unmap on arrays with UNMAP granularity LESS than 1MB
-Background impact is minimal: set to 25MB/sec max
-Future: Possibly throttle/accelerate UNMAP rate based on array load

High Capacity Drives in 6.5
-Support 512e drives
-Requires VMFS 6
-vSphere 6.0 supports physical mode RDMs mapped to 512e drives
-FAQ: KB2091600

New Scale Limits
-512 LUNs & 2048 paths
-If using 8 paths per LUN, you can now have 256 LUNs

NFS 4.1 Plug-in and strong crypto & HW acceleration support
-NFS 4.1 supported since 6.0
-HW acceleration (VAAI) now supported
-Stronger crypto with AES
-Supports IPv6
-Better security with NFS 4.1

Virtual NVMe in 6.5
-NVMe 1.0 device emulation
-Hot add/remove
-Multi-Q support – 16 queues with 4K depth

VMworld 2017: Advanced ESXi troubleshooting

Session: SER2965BU

Note: This session had a number of log examples and what to look for. Review the session slides for all the details. EXCELLENT session!

Goal: 7 log files, 7 ESXi commands, 7 config files for enhanced troubleshooting

7 Important Log Files

-Host abruptly rebooted – vmksummary.log
-Slow boot issues – /var/log/boot.gz. You can also enable serial logging (Shift + o)
-ESXi not responding – hostd.log & hostd-probe.log
-VM issues – vmware.log
-Storage issues – vmkernel.log
-Network and storage issues – vobd.log
-HA issues – fdm.log (/opt/vmware/fdm/prettyprint.sh hostlist | less)

7 ESXi Commands
-Monitor & configure ESXi – esxcli
-VMkernel sysinfo shell command – vsish get /bios; /hardwareinfo;
-Manage ESXi & VM config – vim-cmd
-VMFS volumes & virtual disks – vmkfstools
-Detailed memory stats – memstats
-Network packet capture – pktcap-uw
-Monitoring – esxtop

7 Configuration Files
-/etc/vmware/esx.conf – storage, networking, HW info
-/etc/vmware/hostd/vminventory.xml – VM inventory
-/etc/vmware/hostd/authorization.xml – vCenter to ESXi host connection
-/etc/vmware/vpxa/vpxa.cfg – vCenter and ESXi connectivity
-/etc/vmware/vmkiscsid/iscsi.conf – iSCSI configuration
-/etc/vmware/fdm – HA config
-/etc/vmware/license.cfg – license configuration

VMworld 2017: DR with VMware on AWS

Session: MMC2455BU, GS Khalsa

Legacy (physical) DR solutions are not adequate – Long RTOs, lots of surprises, unreliable
vSphere is an enabler for DR – consolidation, hardware independence, encapsulation (VM is a file)

Long distance DR solutions with async replication
-Active/passive
-Active/Active
-bi-directional failover
-Shared site recovery

Metro DR Solutions with sync replication
-Availability – Zero RPO/RTO
-Mobility – active/active datacenters
-Disaster avoidance

DR to the cloud with AWS
-Co-located DR costs are high
-DR to the cloud is less expensive

VMware Cloud on AWS
-Managed SDDC stack running on AWS
-Consistent operational model enables hybrid cloud
-Leverage cloud economics
-Goals of DR: Deliver as a service, build on VMware (SRM, vSphere replication, etc.)
-Working on flexible SRM pairing – Decouple on-site upgrade from VMC/AWS
-Loosening version dependencies across vCenter, SRM & vSphere Replication releases
-Working on major UI improvements – HTML5 and “clarity” UI standard
-NEW: SRM appliance based on Photon OS

GS then shows a number of video demos showing the full SRM configuration, setup, and failover process. Anyone familiar with SRM will be accustomed to the same workflow, but with a nice new coat of paint on the GUI.