Author Archives: Janez Troha

About Janez Troha

Janez is the lead developer on Easy Blog Networks.

Security while traveling and using WiFi

I recently attended a conference where I had to stay in a not exactly cheap hotel that had shared WiFi. Being a curious person (as any Mr. Robot fan would be), I wondered how secure accessing the Internet there really is. Well, as you might have guessed, it’s horrible.

I could see every guest’s device on the network, the lounge printer and even some hotel guests’ own printers. ::shocked::

In this configuration, anyone on the network can inject ads into any page, sniff traffic (credit card numbers included), or run the currently very popular in-browser crypto mining on any page you visit.

You might be asking yourself at this point: how does this affect you (the user), me (the developer) or Easy Blog Networks (the product)?

For starters, Easy Blog Networks staff cannot access the app without the “Secure Endpoint”. So, let’s say staff are traveling (either at a conference or sipping a Margarita while watching dolphins swim) and using insecure WiFi: someone on that network cannot just delete all servers or blogs, or get a list of emails from the app.

However, any user or potential user can still be affected. Previously, everything relied on the user being cautious. Browser vendors are slowly adding meaningful security policies directly to the browser, but they are not enabled by default; each app vendor has to review and enable them.

And this is where Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) come into play. As app developers, we can use a Content Security Policy to instruct the browser not to load any script on a page that we have not approved.

Comcast injecting ads on a page? Denied.

Starbucks mining crypto coins on our page? Denied.

SEO conference attendee getting a list of all your blogs via some clever advertising? You get the idea now. Denied.

And the second, even more important one is HTTP Strict Transport Security. This tells the browser to never load the site over an unencrypted connection (plain HTTP), only over HTTPS.

I might have gotten you worried now and thinking about how to actually verify that using Easy Blog Networks is really safe.

You can check any site using SecurityHeaders.io, where Easy Blog Networks has an “A” score. However, there is still room for improvement, and as always, we are working toward that goal: keeping users and staff safe.
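As an added example (not Easy Blog Networks code, and not the SecurityHeaders.io checker), here are the two headers described above in working form, together with a small audit in the spirit of that check: it builds a CSP and an HSTS header, decides whether a script from a given origin would be allowed under a policy, and flags weak or missing settings. The host names app.example.com, cdn.example.net and ads.example-isp.net are constructed placeholders, the sample headers are constructed, and the CSP source matching is deliberately simplified.

```python
"""Build and audit Content-Security-Policy / Strict-Transport-Security headers.

Added example, not Easy Blog Networks code. Host names and the sample
headers below are constructed placeholders.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; a common minimum for a useful HSTS max-age


def build_csp(script_hosts=(), connect_hosts=()):
    """Allow-list policy: scripts only from our own origin and the named hosts."""
    directives = [
        ("default-src", ["'self'"]),
        ("script-src", ["'self'", *script_hosts]),
        ("object-src", ["'none'"]),       # no plugin content at all
        ("base-uri", ["'self'"]),         # stop <base> retargeting of relative URLs
        ("frame-ancestors", ["'none'"]),  # no framing by other sites
        ("connect-src", ["'self'", *connect_hosts]),
    ]
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives)


def build_hsts(max_age=ONE_YEAR, include_subdomains=True, preload=False):
    """Tell the browser to reach this host over HTTPS only, for max_age seconds."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def security_headers(script_hosts=(), connect_hosts=()):
    """The header dict an app would attach to every HTTPS response."""
    return {
        "Content-Security-Policy": build_csp(script_hosts, connect_hosts),
        "Strict-Transport-Security": build_hsts(),
    }


def parse_csp(value):
    """'default-src a; script-src b c' -> {'default-src': ['a'], 'script-src': ['b', 'c']}"""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(csp_value, script_url, page_origin):
    """Simplified CSP source matching: 'self', 'none', '*' and exact origins only.

    Real browsers also handle scheme-only sources, wildcard subdomains, nonces
    and hashes; this is enough to show the injected-script case from the post.
    """
    policy = parse_csp(csp_value)
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'none'" in sources:
        return False
    u = urlsplit(script_url)
    origin = f"{u.scheme}://{u.netloc}"
    return any(
        src == "*" or src == origin or (src == "'self'" and origin == page_origin)
        for src in sources
    )


def audit_headers(headers):
    """Return a list of findings for weak or missing CSP and HSTS headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        policy = parse_csp(csp)
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "*" in scripts:
            findings.append("script-src allows any host (*)")
        if "'unsafe-inline'" in scripts:
            findings.append("script-src allows 'unsafe-inline'")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age = 0
        for part in hsts.split(";"):
            name, _, val = part.strip().partition("=")
            if name.strip().lower() == "max-age" and val.strip().isdigit():
                max_age = int(val)
        if max_age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age shorter than one year")
    return findings


# Constructed sample: what a permissive deployment might send.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = security_headers(script_hosts=["https://cdn.example.net"])

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
    # An ad script injected by an on-path proxy, under the hardened policy:
    print(script_allowed(HARDENED_HEADERS["Content-Security-Policy"],
                         "https://ads.example-isp.net/inject.js", "https://app.example.com"))
```

Two points the code makes explicit: `'unsafe-inline'` in `script-src` gives back most of what CSP takes away from an injecting proxy, so inline scripts should be allowed through nonces or hashes instead; and HSTS is only remembered by a browser that has already received the header over HTTPS once, which is what the `preload` flag and the browser preload lists are for.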

Happy and worrisome New Year. :)

Why you shouldn’t use Hide My WP or similar plugins for your PBN

LAST UPDATE: August 2017

Plugins that hide WordPress footprints are commonly suggested when people want an all-WordPress PBN without it being recognisable as such.

Unfortunately, there are major issues with using these plugins. Yes, you could hide WordPress completely. However, that is a very complex task that requires moving the wp-admin and wp-content folders and rewriting the paths for CSS and JavaScript. It also means most plugins and themes would stop working, because they use hard-coded paths to wp-content.

Plugins like Hide My WP or HideWP do not do that. They work at a more superficial level and as such still leave obvious footprints that the website is WordPress. Two examples of such footprints are the directly pingable files xmlrpc.php and wp-cron.php (in the site root).

Besides that, there is another issue, specifically with Hide My WP’s server footprint changer. In one case, one of our users chose Microsoft IIS as the server footprint. The plugin then created file-system layouts that resemble that server setup. However, the server is still easily identifiable as Linux through its response headers, which makes the whole setup look ridiculous (you can’t run Microsoft IIS on Linux).
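As an added example (not code from this post or from the Hide My WP / HideWP plugins), here is an offline check of the two points above, run against responses recorded from your own site: whether the root files named in the post still answer, and whether the web server’s own Server header contradicts the platform the plugin claims. The sample responses are constructed, not captured from a real host.

```python
"""Audit what a site's own responses disclose about the platform behind it.

Added example, not code from the post or from the Hide My WP / HideWP
plugins. It works offline on recorded responses; the sample responses
below are constructed.
"""

# The two root files the post names as directly pingable WordPress footprints.
WORDPRESS_FOOTPRINT_PATHS = ("/xmlrpc.php", "/wp-cron.php")


def audit_footprints(claimed_server, responses):
    """Return findings for a site that presents itself as running `claimed_server`.

    responses: {path: (status_code, headers_dict)} as recorded from your own site.
    """
    findings = []
    for path in WORDPRESS_FOOTPRINT_PATHS:
        status, _ = responses.get(path, (404, {}))
        if status != 404:
            findings.append(f"{path} answers with HTTP {status}, which reveals WordPress")

    # The Server header is emitted by the web server itself, not by the plugin,
    # so a claimed platform is only credible if every response agrees with it.
    seen = sorted({hdrs.get("Server", "") for _, hdrs in responses.values()} - {""})
    for server in seen:
        if not server.lower().startswith(claimed_server.lower()):
            findings.append(f"Server header '{server}' contradicts claimed '{claimed_server}'")
    return findings


# Constructed sample: a setup claiming IIS while actually served by Apache on Ubuntu.
SAMPLE_RESPONSES = {
    "/": (200, {"Server": "Apache/2.4.29 (Ubuntu)", "Content-Type": "text/html"}),
    "/xmlrpc.php": (405, {"Server": "Apache/2.4.29 (Ubuntu)", "Allow": "POST"}),
    "/wp-cron.php": (200, {"Server": "Apache/2.4.29 (Ubuntu)"}),
    "/wp-login.php": (404, {"Server": "Apache/2.4.29 (Ubuntu)"}),  # renamed by the plugin
}

if __name__ == "__main__":
    for finding in audit_footprints("Microsoft-IIS", SAMPLE_RESPONSES):
        print("-", finding)
```

The check is deliberately narrow: it reports only the footprints the post itself names and the header mismatch the post describes, so a clean result means those two things are consistent, not that the site is indistinguishable from a non-WordPress one.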

Our recommendation: if you want to randomize the backlinks to your sites, build a few Web 2.0 sites instead. Or use plain site builders and upload them to a few shared hosts. Here are a few of them (PHP, no MySQL): HTMLy, Pico, Stacey, FlatPress, Razor CMS, GetSimple CMS, PivotX.

As for WordPress, keep it simple and plain as much as possible.