Top WordPress Plugins You Should Use Pt. 1

I've been running a WordPress blog for over 4 years, and recently started a 'back end' plugin refresh cycle. I'm also working on a new WordPress site for my photography outlet, and did a lot of research into the best-of WordPress plugins. Most of the plugins I'll cover are fairly generic and could work on a variety of sites (blog, ecommerce, etc.). Some plugins are free, some are freemium (free basic version plus a Pro version), and some are outright premium. I encourage you to look at and review each plugin to see if it fills a hole in your WordPress site.

1. Ajax Search Pro - This is an amazing WordPress search plugin that literally has hundreds of logically organized customization options. You can configure multiple search 'engines' all with totally unique settings. This lets you have different search experiences on different areas of your site. It's hard to do this plugin justice with the almost infinite configuration controls you have. Try out the search feature on this blog to get a tiny glimpse of what it can do.


2. All in one favicon - This adds favicons to your site (the little icons in the address bar of your browser). It's a simple plugin that lets you upload ICO, GIF, PNG and Apple touch icons in a couple of clicks. Great for branding!

3. Anti-Spam by CleanTalk - This is an amazing plugin that stops 99% of the spam hitting your site via contact forms, comments, contact emails, orders, WooCommerce, etc. I've found it much better than Akismet. You can read my full review here.


4. Astra (Pro) Theme - I'm using this for my new photography site, and hopefully this spring I'll convert this blog over as well. It's an amazingly customizable and responsive WordPress theme. It also works seamlessly with page builders such as Elementor and Beaver Builder. There's also a free add-on called Astra Hooks, which lets you "hook" into various elements of the Astra theme via the customizer.


5. Child Theme Configurator - This lets you easily create a child theme from your parent theme. Using a child theme is always advisable, so that customizations you make to the theme stay around even if the software vendor updates the parent theme. Great for use with Astra! 


6. Customizer Export/Import - This plugin allows you to export and import your theme customizer settings, right within the customizer. Great for building a new site, so you can try out various options and roll-back/forward as needed until you get things just right. 

7. Imagify - WordPress page load times are critical, and Imagify will strategically and automatically compress images that you upload to your WordPress site. It's a paid service, and for bloggers, I recommend the "semi hidden" single purchase quota plan vs. their monthly or yearly plans. It's fully automated, and even compresses all thumbnails that your theme creates on the back-end. It can also do bulk compression, great for using it the first time. A 500MB one time plan runs $5.99.


8. iThemes Security (Pro) - A spectacularly well designed security plugin that has a number of modules, including two factor authentication, malware scanning, and a lot more. I just upgraded to the Pro version, and really enjoy the added modules such as 2FA. Highly recommended, and WP Engine friendly (they disallow many 'security' plugins due to poor performance).


9. iThemes Sync - As a companion to iThemes Security, this is a SaaS offering which lets you manage one or more WordPress sites and their iThemes Security settings. It supports SSO, meaning once you authenticate to the iThemes Sync portal, you can immediately pop into your WordPress management console. Supports 2FA, and free up to 10 managed sites. What I really like about this, even for a single site, is the ability for it to notify you when ANY updates are available (plugins, theme, WordPress core, etc.). I have it configured for a nightly email if updates are available. You can have it auto-update your site if you wish.


10. Microthemer - Ever wanted to tweak your WordPress theme? Change a color here, spacing there, widget header colors, etc.? Well normally you'd need to be a CSS expert (which I am not). This tool provides a visual way to select objects/areas on your live site, modify dozens of properties, and then either 1) automatically apply them to your site in the background or 2) export the CSS so you can put it in the theme customizer or another file. I found it very helpful in changing the look of Astra Pro to better suit my tastes.


Summary

As you can see, there are a number of WordPress plugins that are applicable to a wide variety of sites. This list doesn't cover all the plugins I use, just the ones I feel are some of the most useful. Some are free, others are freemium and others are paid. I didn't want this post to get too long, so coming up will be a Part 2, covering another batch of plugins that I really like.

Windows 10 Credential Guard and VMware Workstation 14

Microsoft has been very busy adding new security features to Windows 10. It seems that each release gets something new, or existing features are enhanced. For enterprises, one of the great new-ish features is Windows Defender Credential Guard. What is Credential Guard? It uses VBS (virtualization based security) to move the LSA secrets that pass-the-hash and pass-the-ticket attacks steal (NTLM hashes and Kerberos tickets) into a hypervisor-isolated process that the normal OS cannot read from, even with SYSTEM privileges. I wrote a how-to blog article many years ago on how one can ‘root’ your Windows 7 PC and ultimately compromise your whole network including domain controllers. It was scary easy. Windows 8 was supposed to make it harder, but Windows 10 with the Fall Creators Update (1709) has really raised the bar.

But until the release of VMware Workstation 14, you couldn’t easily test these new features in a virtual environment. However, Workstation 14 has explicitly added support for VBS in hardware v14, and the UEFI firmware supports secure boot. This now allows one to test Windows Defender Credential Guard. The whole process is fairly easy. But a few requirements must be met: 1) VMware Workstation 14 (or later) 2) Windows 10 Enterprise edition (no home/pro) 1709 (Fall Creator’s update) 3) Physical host that is modern enough to support virtualization extensions.

Workstation 14 Credential Guard Configuration

Let’s get started with configuring the VM hardware on Workstation 14 to appropriately support VBS and secure boot.  I’ll assume you are familiar with Workstation basics. VM size just for basic testing can be 1 vCPU and 2GB of RAM.

  1. Create a new virtual machine using the custom (advanced) wizard.
  2. Select hardware compatibility: Workstation 14.x
  3. Select ‘I will install the operating system later’
  4. Select ‘Microsoft Windows 10 x64’ guest operating system
  5. Select a VM name and location that you desire
  6. Select UEFI and secure boot firmware type
  7. Choose your processors/core that you desire
  8. Choose the memory configuration you desire
  9. Choose the network connection type you desire
  10. Leave the SCSI controller type and virtual disk type
  11. Create a new virtual disk
  12. Allocate sufficient storage and split as needed
  13. Chose a disk file name that you desire
  14. Click Finish
  15. Edit the VM settings and click on the Options tab
  16. Click on Advanced and check the box next to Enable VBS

Now that your VM hardware is properly configured, next, install Windows 10 Enterprise Edition 1709. I won’t go through that process, as there’s nothing special to do until it’s fully installed and you have a desktop. Once you have a desktop, come back to this post and resume the configuration. Be sure to grab the latest VMware tools, which has updates for Windows 10 Fall creator’s update, here.

Windows 10 Credential Guard Configuration

1. Press the Windows key and type system information.
2. Scroll down on the summary page and look at Virtualization-based security. It should show not enabled.
3. Press the Windows key and type features.
4. Scroll down to Hyper-V, Hyper-V Platform, and check Hyper-V Hypervisor.

5. Wait for the feature to be added, but do NOT reboot.
6. Open gpedit.msc. Navigate to Computer Configuration, Administrative Templates, System, Device Guard.
7. Enable the Turn on Virtualization Based Security policy.
8. Configure the policy's sub-options. For a lab, leave Credential Guard "Enabled without lock" so you can turn it off again; for a production environment, choose "Enabled with UEFI lock", which stores the setting in UEFI so it cannot be disabled remotely through the registry or Group Policy (clearing it requires physical presence at the machine). You can also turn on the UEFI memory attributes table if you wish.

9. Close gpedit and do a gpupdate /force from the command line.
10. Restart the VM. Open System Information and on the summary page scroll down to the very bottom. Verify virtualization-based security is running.
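The Windows-side steps above as a script (an added example, editor's code, not from the original post): it enables the Hyper-V hypervisor component, writes the registry values Microsoft documents for enabling Credential Guard without Group Policy, and reads the Win32_DeviceGuard WMI class that System Information uses for its Virtualization-based security lines. Run it in an elevated PowerShell session inside the VM.

```powershell
# Added example (editor's code, not from the original post): scripted equivalent of the
# System Information / Windows Features / gpedit steps, for an elevated session in the
# Windows 10 Enterprise 1709 VM.

function Get-VbsStatus {
    # Same data msinfo32 shows under "Virtualization-based security"
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $state = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled but not running' } 2 { 'Running' } default { 'Unknown' }
    }
    [pscustomobject]@{
        VbsStatus                 = $state
        # service IDs: 1 = Credential Guard, 2 = HVCI (memory integrity)
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        # platform property IDs: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection
        RequiredProperties        = $dg.RequiredSecurityProperties
        AvailableProperties       = $dg.AvailableSecurityProperties
    }
}

function Enable-CredentialGuard {
    param(
        [switch]$UefiLock,    # production: once locked it cannot be turned off remotely; lab: leave off
        [switch]$RequireDma   # also require IOMMU/DMA protection (platform security level 3)
    )
    # Step 4: Hyper-V hypervisor component, without the reboot (step 5)
    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor -NoRestart | Out-Null

    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dg)) { New-Item -Path $dg -Force | Out-Null }

    # Steps 6-8: registry equivalents of "Turn On Virtualization Based Security" and its options
    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    # 1 = Secure Boot only, 3 = Secure Boot + DMA protection
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Type DWord -Value $(if ($RequireDma) { 3 } else { 1 })
    # LsaCfgFlags: 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord -Value $(if ($UefiLock) { 1 } else { 2 })
}

# Usage (step 10 is the reboot):
#   Enable-CredentialGuard          # add -UefiLock on a production image
#   Restart-Computer
#   Get-VbsStatus                   # after the reboot
```

After the reboot, Get-VbsStatus should show VbsStatus Running and CredentialGuardRunning True, and an LsaIso process should exist (Get-Process LsaIso); that isolated process is where the hashes and tickets now live. If it still reports Not enabled, recheck the VM side: UEFI firmware with Secure Boot, hardware version 14 and Enable VBS under Options > Advanced.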

Summary

As you can see from this post, enabling Windows Defender Credential Guard is pretty easy. Workstation 14 supports it out of the box. VBS is a new feature of Hardware Version 14, which vSphere 6.5 does not support. So any support for VBS would come in a future vSphere update. Workstation often foreshadows upcoming vSphere features, so I wouldn’t be surprised to see it in the next version.

Enabling HTTP Strict Transport Security (HSTS) For WordPress

If you are a WordPress site administrator, one of the things you can do to improve SEO results and security is serve your site over HTTPS (TLS, still commonly called SSL). Yes, even if you aren’t doing transactions like ecommerce, PayPal, etc., using HTTPS is still recommended. Depending on your WordPress hosting company, they may even have free SSL certificates for you to use. But there are different flavors and configurations of TLS that can improve or detract from your security posture. One feature that was recently brought to my attention is HTTP Strict Transport Security, or HSTS.

HSTS, in short, is a response header (Strict-Transport-Security) that your site sends over HTTPS. It tells the browser to use only HTTPS for that host for the period given by max-age: plain http:// links are rewritten to https:// before any request leaves the browser, and certificate errors can no longer be clicked through. Attempts to downgrade to unencrypted communication are therefore refused by the browser itself, which is what makes HSTS effective against SSL-stripping proxies. It is a setting you configure on your WordPress site, and is not enabled by default (that I’m aware of). Since HTTPS configuration can be tricky, and you can end up with mixed content, I recommend a WordPress plug-in called Really Simple SSL.

As the plugin name implies, this makes configuring SSL (with HSTS) super easy and all from the GUI. It also scans your WordPress site for potential mixed content issues and brings them to your attention. My site had a couple of flagged issues that I fixed. The free version of the plug-in doesn’t configure/test HSTS for you, but their premium version does (and makes it 1-click easy).

However, it may still take a bit of configuration tweaking to fully enable HSTS. First, after you enable HSTS in the plugin, go to hstspreload.org and check your results. In my case, I had two errors. My site is currently error free, so I’m using aol.com as an example for what you may see.

First, ignore the no HSTS header error. That is likely caused by the second error and does not mean Really Simple SSL didn’t do its HSTS configuration. I use WP Engine as my provider, so I contacted their help desk and gave them a copy of the error. They did some back-end redirection magic and fixed up the redirection issue in about 15 minutes. My redirection issue was slightly different from AOL’s problem, but caused the same red failure message. After your redirection issue is fixed, re-try the scan. In my case, it came back with a green screen showing everything is good. Next, you can submit your site to be included on the global HSTS list, which I also did. Many browsers like Chrome and Firefox use the HSTS list for additional security measures.
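As an added check (editor's example, not code from the original post or from the Really Simple SSL plugin), here is a PowerShell script that runs the two hstspreload.org checks discussed above locally: that http://<domain> redirects straight to https://<domain> on the same host, and that https://<domain> itself serves a Strict-Transport-Security header with a max-age of at least one year plus includeSubDomains and preload. The domain in the usage line is a placeholder.

```powershell
# Added example (editor's code): local version of the hstspreload.org redirect and header checks.

Add-Type -AssemblyName System.Net.Http   # Windows PowerShell 5.1 needs this; harmless on PowerShell 7
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Test-HstsHeaderValue {
    # Parses a Strict-Transport-Security value and applies the preload-list rules
    param([Parameter(Mandatory)][string]$Value)
    $maxAge = $null; $includeSub = $false; $preload = $false
    foreach ($directive in ($Value -split ';')) {
        $d = $directive.Trim()
        if     ($d -match '^max-age\s*=\s*"?(\d+)"?$') { $maxAge = [int64]$Matches[1] }
        elseif ($d -ieq 'includeSubDomains')          { $includeSub = $true }
        elseif ($d -ieq 'preload')                    { $preload = $true }
    }
    $problems = @()
    if ($null -eq $maxAge)        { $problems += 'no max-age directive; browsers ignore the header' }
    elseif ($maxAge -lt 31536000) { $problems += "max-age=$maxAge is below the one-year minimum (31536000) for preload" }
    if (-not $includeSub)         { $problems += 'includeSubDomains missing; preload requires it (every subdomain must then serve HTTPS)' }
    if (-not $preload)            { $problems += 'preload token missing' }
    [pscustomobject]@{
        MaxAge = $maxAge; IncludeSubDomains = $includeSub; Preload = $preload
        PreloadReady = ($problems.Count -eq 0); Problems = $problems
    }
}

function Get-RedirectChain {
    # Follows redirects one hop at a time so each hop's status, target and HSTS header are visible
    param([Parameter(Mandatory)][string]$Url, [int]$MaxHops = 5)
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.AllowAutoRedirect = $false
    $client = [System.Net.Http.HttpClient]::new($handler)
    $client.Timeout = [timespan]::FromSeconds(15)
    try {
        $current = [uri]$Url
        for ($hop = 0; $hop -lt $MaxHops -and $current; $hop++) {
            $resp = $client.GetAsync($current, [System.Net.Http.HttpCompletionOption]::ResponseHeadersRead).GetAwaiter().GetResult()
            $hsts = $null
            if ($resp.Headers.Contains('Strict-Transport-Security')) { $hsts = @($resp.Headers.GetValues('Strict-Transport-Security'))[0] }
            $next = $null
            if ($resp.Headers.Location) { $next = [uri]::new($current, $resp.Headers.Location) }   # resolves relative Location
            [pscustomobject]@{
                Url = $current.AbsoluteUri; Status = [int]$resp.StatusCode
                Location = $(if ($next) { $next.AbsoluteUri } else { $null }); Hsts = $hsts
            }
            $resp.Dispose()
            $current = $next
        }
    } finally { $client.Dispose() }
}

function Test-HstsPreloadReadiness {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()
    # Rule 1: http://example.com must redirect directly to https://example.com (same host), not to https://www.
    $chain = @(Get-RedirectChain -Url "http://$Domain/")   # throws if nothing listens on port 80
    $first = $chain[0]
    if ($first.Status -notin @(301, 302, 307, 308) -or -not $first.Location) {
        $findings += "http://$Domain/ does not redirect (status $($first.Status))"
    } elseif (([uri]$first.Location).Scheme -ne 'https' -or ([uri]$first.Location).Host -ne $Domain) {
        $findings += "first redirect goes to $($first.Location) instead of https://$Domain/"
    }
    # Rule 2: the header must be on https://example.com itself, not only on a page it redirects to
    $https = @(Get-RedirectChain -Url "https://$Domain/" -MaxHops 1)
    if (-not $https[0].Hsts) { $findings += "no Strict-Transport-Security header on https://$Domain/" }
    else { $findings += (Test-HstsHeaderValue $https[0].Hsts).Problems }
    [pscustomobject]@{ Domain = $Domain; Chain = $chain; HttpsHsts = $https[0].Hsts; Findings = $findings; Ready = ($findings.Count -eq 0) }
}

# Usage: Test-HstsPreloadReadiness -Domain 'example.com' | Format-List
```

Preload is the part to think hardest about: includeSubDomains commits every subdomain (mail, dev and intranet hosts included) to HTTPS, and removal from the preload list takes browser release cycles to reach users, so start with a short max-age until the site and all subdomains are clean, then raise it to a year and submit.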

And just to make sure my SSL is in top notch, I went over to SSL Labs and ran a test. And yes, my site is now rated A+, which is exceptionally good. It even catches the fact I’m successfully using HSTS.

And there you go! A simple, but not totally free, way to deploy and check HSTS on your WordPress site. Given the plug-in is just a few dollars, and helps fix up a variety of SSL issues besides HSTS, I think it’s money well spent.

Ignite 2015: Platform security vision

Session: BRK2482

Technology landscape:

Virtualization: VMs decoupled from hardware. Can’t use TPM, UEFI, secure boot, etc. VM mobility, complex lifecycle, strong isolation.

Cloud Computing: Treat your systems like cattle, not pets. Management process at scale. Distributed cloud.

Service Providers: trust boundary between tenant and service provider. Governance, risk, compliance. Cloud adoption blocker? Distributed accountability.

Administrator privileges – a risk factor. Stolen admin credentials. Insiders. Malicious service provider staff. They WILL be compromised.

Principles: Assume breach, trust boundaries.

Microsoft is introducing the “Trust Plane” between the Fabric and the workloads.

Virtual Secure Mode: Separate address space isolated from host OS. Enforced by hypervisor using hardware. Small “trustlets”. NO Windows stack, no network, no drivers, etc.

VM protected at rest and in transit: VM encrypted on disk, encryption key is locked in virtual TPM. Secure key exchange within the trust plane. Fabric and control plane have no access to keys.

Showed a demo where a tenant admin could NOT open a bitlocker encrypted VHDX.

Attestation service – Uses physical TPM, vTPM and UEFI. If a host is rootkited, it will invalidate the trust chain and be evicted from the cloud. Provider admin can’t open a console to a shielded VM.

Protect Workloads from direct attack

Encryption does not protect against legitimate access. Identity management is fundamental.

Demo: Privileged access control. Just in time and just enough privs to do you job. Shows off a portal to request privs, then it contains your privs to a specific part of the system.

Reduce attack surface: Nano Server

Harden for common attacks: pass-the-hash mitigations (LSA in VSM). Applies only to Windows 10 and Server 2016.

Operations Insights Security Pack

Shows a demo of a pass-the-hash attack where the Microsoft product detected and alerted on it in real time.

Bottom line: Get servers with TPM 2.0 and UEFI.

Critical VMware Security Patches Released

In case you missed it, VMware has released a number of product updates to address critical vulnerabilities in the JRE. The JRE is used in many products, so a wide range of products are affected. You can read the full bulletin here. The bulletin details which product version you need to be running to be patched. In many cases patches are “pending”, such as for vCenter 6.0 and SRM. So keep your eyes out for another VMware announcement when the patches become available. The full patch matrix seems to include products that didn’t make the affected products list. So carefully review the full security bulletin, as a majority (if not nearly all) VMware products are affected.

(Some) Affected Products:

Horizon View 6.x or 5.x
Horizon Workspace Portal Server 2.1 or 2.0
vCenter Operations Manager 5.8.x or 5.7.x
vCloud Automation Center 6.0.1
vSphere Replication prior to 5.8.0.2 or 5.6.0.3
vRealize Automation 6.2.x or 6.1.x
vRealize Code Stream 1.1 or 1.0
vRealize Hyperic 5.8.x, 5.7.x or 5.0.x
vSphere AppHA Prior to 1.1.x
vRealize Business Standard prior to 1.1.x or 1.0.x
NSX for Multi-Hypervisor prior to 4.2.4
vRealize Configuration Manager 5.7.x or 5.6.x
vRealize Infrastructure 5.8, 5.7

vSphere 5.1 U3 Now Out

Right on the heels of VMware Workstation 11 being released, VMware has released vSphere 5.1 U3. No major new features, but according to the release notes there is support for new guest operating systems (without being specific) and it also resolves a number of issues. Also updated in this release are VMware tools and the SCSI MegaRAID SAS VIB. Some security patches are also included, so be sure to start testing this release and planning your change control windows.

One interesting change in 5.1 U3, which was already included in 5.5 U2, is a fix for Changed Block Tracking (CBT) being reset by Storage vMotion. Now if you svMotion a VM, its CBT state is maintained. New to vCenter 5.1 U3 is the support for Oracle 12c and Microsoft SQL 2014. It’s great to see VMware keeping up with database support. vCenter 5.1 U3 also includes an updated Java engine, which addresses a plethora of security issues. So once again, view 5.1 U3 as a security update which you need to plan on rolling out in your environment.

ESXi 5.1 U3 Release notes are here

vCenter 5.1 U3 Release notes are here

As always, you can download the newest updates from the My VMware portal. Be sure to conduct thorough testing in a lab environment before deploying this into production. Nutanix supports “U” releases on day zero. But remembering back to the NFS issues introduced in earlier “U” releases, a good amount of testing is advised before putting this into production.

 

 

SQL 2014 Always-on AG Pt. 3: Service Accounts

This is Part 3 of the SQL 2014 AlwaysOn Availability Group series, where we set up two service accounts and a security group. One account is for the database engine and the other is for the SQL Agent. In order for Kerberos to work properly (the MSSQLSvc SPNs have to be registered on it), the database engine account must be Active Directory based. We will also be observing the principle of least privilege: the fewer privileges the accounts have, the more secure you are. So these accounts won’t be given local administrator rights. You don’t want your SQL service running with admin rights!

New to my SQL install series is the use of a gMSA (group managed service account), which is new to Windows Server 2012. For AlwaysOn Availability Groups I use a ‘regular’ service account for the database engine and a gMSA for the SQL Agent. Using a regular service account would work for the SQL Agent, but I like using new OS features. Plus this means you have one less password to change, since the gMSA password is rotated automatically on a periodic basis (every 30 days by default). For those of you not familiar with gMSAs, they are a special type of account whose password Windows generates, manages and changes automatically; only the computers you authorize can retrieve it. You need at least one 2012 domain controller (with the 2012 schema and a KDS root key, created below), and 2012 or 2012 R2 member servers.

Blog Series

SQL 2014 Always-on AG Pt. 1: Introduction
SQL 2014 Always-on AG Pt. 2: VM Deployment
SQL 2014 Always-on AG Pt. 3: Service Accounts
SQL 2014 Always-on AG Pt. 4: Node A Install
SQL 2014 Always-on AG Pt. 5: Unattended Node B
SQL 2014 Always-on AG Pt. 6: Cluster Configuration
SQL 2014 Always-on AG Pt. 7: TempDB
SQL 2014 Always-on AG Pt. 8: Max Mem & Email
SQL 2014 Always-on AG Pt. 9: SQL Maintenance
SQL 2014 Always-on AG Pt. 10: AAG Setup
SQL 2014 Always-on AG Pt. 11: File Share Witness

Database Engine Account

1. Using ADUC create a service account using your naming convention. I’ll call mine SVC-D002SQL03-DBE. Set a complex password and make sure it does not expire.


2. Security is always at the top of the list, so let’s enable AES encryption for Kerberos (the “This account supports Kerberos AES 128/256 bit encryption” boxes on the Account tab), so the account’s tickets are not issued with RC4. I’d also set an account description, so that two years from now you know what the service account is for.


Agent gMSA Configuration

1. On your SQL server enter the following PowerShell command:

Add-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

2. Download the free Managed Service Account GUI from here. Install it using all defaults.

3. If you have never used a gMSA before, create the KDS root key by entering the following PowerShell command on your 2012 domain controller. The -10 hours offset backdates the key so it is usable immediately, which is fine for a lab with a single DC; in production use -EffectiveImmediately instead and wait the 10 hours it implies before creating any gMSA, so the key has replicated to every DC:

Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

4. Create a new service account. The account name MUST be equal to or less than 14 characters long. Select “Group MSA.”


5. When prompted to assign the new service account, say Yes. Enter the two new server names of what will be your SQL AlwaysOn Group.

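The same two accounts created with the ActiveDirectory module instead of ADUC and the MSA GUI (an added example, editor's code, not part of the series). Run it as a domain admin on a 2012 domain controller or on a machine with RSAT-AD-PowerShell. The domain name, OU path and node names are assumptions; the account naming follows the post.

```powershell
# Added example (editor's code, not from the series): the database engine account and the
# SQL Agent gMSA, created from PowerShell. Domain, OU and node names below are assumptions.

Import-Module ActiveDirectory

$domainDns = 'corp.example.com'                                  # assumption
$ou        = 'OU=Service Accounts,DC=corp,DC=example,DC=com'     # assumption
$sqlNodes  = 'D002SQL03', 'D002SQL04'                            # the two AlwaysOn nodes (assumed names)

# 1. Database engine account: ordinary user, AES-only Kerberos, password never expires
$dbeName = 'SVC-D002SQL03-DBE'
$dbePass = Read-Host -AsSecureString "Password for $dbeName"
New-ADUser -Name $dbeName -SamAccountName $dbeName -Path $ou `
    -UserPrincipalName "$dbeName@$domainDns" `
    -Description 'SQL 2014 AlwaysOn D002SQL03/04 database engine service account' `
    -AccountPassword $dbePass -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType 'AES128,AES256'

# Kerberos to SQL needs MSSQLSvc SPNs on the engine account (one pair per node, default instance on 1433)
$spns = foreach ($n in $sqlNodes) { "MSSQLSvc/$n.${domainDns}:1433"; "MSSQLSvc/$n.$domainDns" }
Set-ADUser -Identity $dbeName -ServicePrincipalNames @{ Add = $spns }

# 2. KDS root key, once per forest. The -10 hours backdate is for labs; in production use
#    -EffectiveImmediately and wait 10 hours for replication before creating gMSAs.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null }

# 3. gMSA for the SQL Agent. Only members of this group may retrieve its password.
$nodeGroup = 'SQL_AlwaysOn_Nodes'
New-ADGroup -Name $nodeGroup -GroupScope Global -Path $ou -Description 'Computers allowed to use the SQL Agent gMSA'
foreach ($n in $sqlNodes) { Add-ADGroupMember -Identity $nodeGroup -Members (Get-ADComputer $n) }

$agentName = 'SVC-SQL03-AGT'   # 13 characters, within the 14-character limit noted above
New-ADServiceAccount -Name $agentName -DNSHostName "$agentName.$domainDns" -Path $ou `
    -PrincipalsAllowedToRetrieveManagedPassword $nodeGroup `
    -KerberosEncryptionType 'AES128,AES256' -ManagedPasswordIntervalInDays 30 `
    -Description 'SQL 2014 AlwaysOn D002SQL03/04 SQL Agent gMSA'

# On each SQL node, after a reboot so its computer token includes the new group membership:
#   Install-ADServiceAccount -Identity SVC-SQL03-AGT
#   Test-ADServiceAccount    -Identity SVC-SQL03-AGT      # True means the node can fetch the password
# In SQL setup, enter the gMSA as CORP\SVC-SQL03-AGT$ and leave the password blank.
```

The reboot of the nodes before Install-ADServiceAccount matters: group membership is evaluated from the computer's Kerberos ticket, and a node that joined the group since its last boot will fail Test-ADServiceAccount until it gets a fresh ticket.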

User Rights

1. In order to support large pages and instant file initialization we need to configure a couple of user rights on each node in the Local Security Policy. Add the database engine service account to the Lock Pages in Memory and Perform Volume Maintenance Tasks user rights. If you want SQL to write to the Windows Security log, then also add the DBE account to Generate Security Audits and Manage Auditing and Security Log.

The Lock Pages in Memory option is somewhat controversial. Some people say only use it for VMs with 16GB+ RAM, others say don’t use it at all. Later on you will see that I configure the SQL max memory parameter, which greatly minimizes the potential problems from SQL page locking. The trend seems to be that you SHOULD configure it (along with SQL max memory), thus my recommendation to do so. The combination of large pages and locking pages in memory prevents the SQL Server buffer pool from being paged out by Windows. This also inhibits the balloon driver, which we don’t want activated since it can tank SQL performance.

2. You can configure this user right now, since large pages only take effect once they are enabled in SQL Server via trace flag 834; until then, Lock Pages in Memory just keeps the buffer pool from being paged out.

 


3. Reboot both nodes after you configure the user rights, or they will not take effect.

4. Do NOT, I repeat, do NOT add either service account to the local Administrators group on the SQL server. This is a security risk, and the SQL service should not be elevated. SQL Server setup grants the service accounts the file system and registry permissions they need.

5. Lastly, we will create an AD security group that will be assigned SQL administrator rights. This is far better than assigning a specific user account. I called my group SQL_Sysadmin. Add your administrator account to this group.
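Granting the step 1 user rights with secedit instead of clicking through the Local Security Policy console (an added example, editor's code, not from the series). Run it elevated on each node, then reboot as in step 3. The account name is the post's; the CORP domain prefix is an assumption.

```powershell
# Added example (editor's code, not from the series): assigns user rights on the local node
# by exporting the security template, editing [Privilege Rights], and importing it again.

function Grant-UserRight {
    param(
        [Parameter(Mandatory)][string]$Account,        # 'DOMAIN\account'
        [Parameter(Mandatory)][string[]]$Privilege     # constant names as used in the [Privilege Rights] INF section
    )
    $inf = Join-Path $env:TEMP 'rights.inf'
    $sdb = Join-Path $env:TEMP 'rights.sdb'
    secedit /export /cfg "$inf" /areas USER_RIGHTS | Out-Null
    $lines = [System.Collections.Generic.List[string]]@(Get-Content $inf)
    foreach ($p in $Privilege) {
        $idx = -1
        for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match "^$p\s*=") { $idx = $i; break } }
        if ($idx -ge 0) {
            # right already granted to someone: append the account, but only once
            if ($lines[$idx] -notmatch [regex]::Escape($Account)) { $lines[$idx] += ",$Account" }
        } else {
            # right granted to nobody yet: secedit omits the line, so add one under the section header
            $hdr = $lines.IndexOf('[Privilege Rights]')
            if ($hdr -lt 0) { $lines.Add('[Privilege Rights]'); $hdr = $lines.Count - 1 }
            $lines.Insert($hdr + 1, "$p = $Account")
        }
    }
    Set-Content -Path $inf -Value $lines -Encoding Unicode    # secedit expects a UTF-16 INF
    secedit /configure /db "$sdb" /cfg "$inf" /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $sdb -Force -ErrorAction SilentlyContinue
}

$dbe = 'CORP\SVC-D002SQL03-DBE'   # domain prefix is an assumption
# Lock pages in memory + Perform volume maintenance tasks (large pages / instant file initialization)
Grant-UserRight -Account $dbe -Privilege SeLockMemoryPrivilege, SeManageVolumePrivilege
# Only if SQL should write audits to the Windows Security log (the optional part of step 1)
Grant-UserRight -Account $dbe -Privilege SeAuditPrivilege, SeSecurityPrivilege

# Verify before rebooting: each right should now list the account
secedit /export /cfg "$env:TEMP\check.inf" /areas USER_RIGHTS | Out-Null
Select-String -Path "$env:TEMP\check.inf" -Pattern 'SeLockMemoryPrivilege|SeManageVolumePrivilege|SeAuditPrivilege|SeSecurityPrivilege'
```

The rights are read into a logon token when the service logs on, which is why step 3's reboot (or at least a SQL service restart after the change) is still required.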

Summary

This is a very short and simple installment in the SQL 2014 AlwaysOn Availability group series. We created two service accounts, gave them the proper user rights, and created a security group.  Next up in Part 4 we finally get to start installing the SQL server services on the first node.

VMworld 2014: DISA STIG vSphere 5 Deep Dive

Session INF1273

This was a very technical session on how to implement the DISA STIGs (Security Technical Implementation Guides, the DoD security lockdowns) for DoD/Government customers. Many of the slides contained script snippets that help automate the process. Thus my session notes are very light. If you are a U.S. Government Federal customer that must comply with the STIGs, then look at the reference slide I have below. The speaker’s automated scripts and VIBs are located on a CAC-only web site for you to download. If you attended VMworld, then listen to this session and gain some insights on issues the authors found and how to overcome them.

STIGs are broken up into three areas: hosts, VMs and vCenter

Checking VM settings with PowerCLI: Easiest report to create, since it relies mostly on VMX settings

Checking ESXi settings with PowerCLI: Most host STIG controls cannot be queried via the exposed APIs. Showed a script that uses Plink and PowerShell to query the settings over SSH.

Checking vCenter controls with PowerCLI: Very manual process.
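A PowerCLI report for the VM-level controls, which the session called the easiest of the three because they are plain VMX advanced settings (an added example, editor's code, not the speakers' scripts, which live on the CAC-only site). The table is a representative subset of the vSphere 5 VM STIG settings, not the whole STIG; extend it as needed.

```powershell
# Added example (editor's code, not the session's scripts): VM STIG compliance report and
# per-finding remediation with PowerCLI. Run after Connect-VIServer.

# Expected VMX values for a subset of the VM-level controls
$VmStigSettings = @{
    'isolation.tools.copy.disable'         = 'true'
    'isolation.tools.paste.disable'        = 'true'
    'isolation.tools.dnd.disable'          = 'true'
    'isolation.tools.setGUIOptions.enable' = 'false'
    'isolation.device.connectable.disable' = 'true'
    'isolation.device.edit.disable'        = 'true'
    'isolation.tools.diskShrink.disable'   = 'true'
    'isolation.tools.diskWiper.disable'    = 'true'
    'RemoteDisplay.maxConnections'         = '1'
    'log.rotateSize'                       = '100000'
    'log.keepOld'                          = '10'
    'tools.setInfo.sizeLimit'              = '1048576'
}

function Get-VmStigReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$VM,
        [hashtable]$Expected = $VmStigSettings
    )
    process {
        # One Get-AdvancedSetting call per VM, then compare in memory
        $actual = @{}
        foreach ($s in (Get-AdvancedSetting -Entity $VM)) { $actual[$s.Name] = [string]$s.Value }
        foreach ($name in ($Expected.Keys | Sort-Object)) {
            $value = $actual[$name]
            [pscustomobject]@{
                VM        = $VM.Name
                Setting   = $name
                Expected  = $Expected[$name]
                Actual    = $(if ($null -eq $value) { '<not set>' } else { $value })
                # Unset is reported as non-compliant: the checks expect the value to be explicit in the VMX
                Compliant = ($null -ne $value -and $value.ToLower() -eq $Expected[$name].ToLower())
            }
        }
    }
}

function Set-VmStigSetting {
    # Remediate one finding. The isolation.* settings are read at power-on, so plan a power cycle.
    param([Parameter(Mandatory)]$VM, [Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value)
    $existing = Get-AdvancedSetting -Entity $VM -Name $Name
    if ($existing) { $existing | Set-AdvancedSetting -Value $Value -Confirm:$false | Out-Null }
    else           { New-AdvancedSetting -Entity $VM -Name $Name -Value $Value -Confirm:$false | Out-Null }
}

# Usage:
#   Get-VM | Get-VmStigReport | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
#   Get-VM web01 | Get-VmStigReport | Where-Object { -not $_.Compliant } |
#       ForEach-Object { Set-VmStigSetting -VM (Get-VM $_.VM) -Name $_.Setting -Value $_.Expected }
```

Run the report across the whole inventory before remediating anything: RemoteDisplay.maxConnections and the device-connect settings in particular can break workflows (shared console sessions, hot-adding CD images) that someone depends on.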

ESXi host hardening requires changing files that are part of the base image or adding new files. Changes made by hand to those files are non-persistent and disappear upon reboot, which is why the fixes get packaged as VIBs.

ESXi5-CPT: Graphical tool to create VIBs that can replace files on ESXi hosts.

Use esxcli software vib install -d <path-to-offline-bundle.zip> --no-sig-check (or -v for a single .vib file) to install the custom VIB, or do the same via PowerCLI. Because the VIB is unsigned, the host’s acceptance level must first be lowered with esxcli software acceptance set --level=CommunitySupported, and that lowered level is itself something an auditor will ask about.

Additional tools: vCenter Configuration manager (vCM), Nessus scanner, VMware compliance checker, DoD Forge.mil project

 

(Photo of the session’s reference slide)

 

 

 

 

VMware ESXi 5.1 Patches Released

Hot off the presses are some ESXi 5.1 patches. This build of ESXi 5.1 (1157734) fixes several bugs and more importantly addresses some security issues. As always in any environment, please test out the patches thoroughly before putting them into production. Each environment is unique, and issues may surface that could cause you some headaches. These bug fixes aren’t earth shattering, so I would not suggest rushing them out to production systems.

ESXi 5.1 Build 1157734

Highlights of the patch bundle included in this release are:

  • Black frames might appear around text boxes in an application running on Virtual Machine Hardware Version 8 or later. This issue occurs on virtual machines with Windows 7 guest operating system and View 5.0 PCoIP.
  • For two ESXi hosts with different host names, identical machine names are generated in the domain controller under certain conditions. As a result, the Active Directory functionality is lost for one of the two ESXi hosts.
  • After you upgrade to ESXi 5.1 from an earlier version, attempts to power on a virtual machine with static MAC address outside the allowed range (00:50:56:[00-3f] or 00:50:56:[80-BF]) fail with the following error message: The MAC address entered is not in the valid range.
  • If a physical NIC is named using non-standard naming conventions (other than vmnic#) and is added to a vSwitch, host profile creation fails with the following error message: Invalid value chosen for active NICs.
  • ESXi 5.1 hosts might get disconnected randomly from the vCenter Server system. This issue might occur if the heartbeat thread in the vpxa agent does not receive a response from the futex_wait system call. As a result, the heartbeat thread stops responding, and the vCenter Server does not receive heartbeat messages from the ESXi hosts for several hours.
  • Upon reboot, ESXi 5.1 hosts configured to obtain DNS configuration and host name from a DHCP server displays its host name as localhost in syslog rather than displaying the host name obtained from the DHCP server. As a result, for a remote syslog collector, all ESXi hosts appear to be the same, with the same host name.
  • To prevent buffer overflow, the HPSA proc node truncates LUN details on an ESXi host.
  • This patch updates the esx-base VIB to resolve a stability issue.

As always, you can download the ESXi patches from here. The full KB article for the patch bundle is here.

Critical Adobe Flash and Air player vulnerabilities

*Shocked* to see that Adobe has major security problems with Flash Player and Air. Be sure to download the latest versions, released on December 8th, here. You can read the related security bulletin here.