Brad Williams was out this week since he’s getting married and enjoying a bit of a vacation (congrats, you two!). Tony Perez was kind enough to join Dre and me for this week’s episode of WP Late Night, and we had a great time.
The WP Late Night crew is also looking for folks interested in partnering with the show. If you’re interested in sponsoring WP Late Night, email firstname.lastname@example.org.
Dre Armeda is, without question, one of the top WordPress security professionals in the world. Dre runs Sucuri Security[ref]Or Sucuri Shecurity if you prefer.[/ref] and I’m lucky enough to co-host a podcast with him and Brad Williams called WP Late Night. But you probably already know all that, so why am I telling you all of this now?
It’s because there just isn’t enough Dre Armeda on the internet. Yet.
Very soon the show you see promoted above, #askDre, will debut. It will of course feature your favorite taco loving, Harley riding, malware smashing member of the WordPress community answering all of your security questions in handy little video form. Have a security question? A confusing security conundrum you can’t untangle? No problem. Dre smash.
Now we just need your questions to, you know, get started. Drop your security questions for Dre into the comments below or, even better, tweet them to us using the #askDre hashtag. Like I did here, for example:
Security is an important topic, and one that I want to see discussed a bit more at WPCandy. Partnering with Dre and doing this show makes perfect sense, and I’m excited to see him drop knowledge on everyone (especially me) each week.
Get those questions (either #askDre on Twitter or below in the comments) in soon so we can get to work making an awesome new show for you!
WP Engine has really been on top of the interviews lately. In this video Austin Gunter speaks with security guru (and WP Late Night co-host) Dre Armeda. Grab your drink of choice and sit back for about an hour to learn a thing or two about WordPress security at the community level.
Along with the spam, the same group’s “Advanced Search” plugin includes hidden links and another callback to the WPStats.org website. The plugin itself has been removed from the WordPress.org plugin directory. If you’re already using the plugin, you should remove it immediately and run your site through a scanner (like Sucuri’s SiteCheck tool) right away.
For a breakdown of the offending code snippets, and exactly what to look out for on your blog, see Sucuri Security’s blog post.
Sucuri Security has redesigned their website, from front page to their free SiteCheck scanner tool. Sucuri worked with WebDevStudios on the redesign, starting on the design and finishing with the development, well, yesterday.
Tony Perez, Sucuri CFO, explained their thought process when considering doing a full redesign:
The discussion, as you might imagine, revolved around when would be the right time to change our virtual storefront, our website. We had the normal back and forth, “It’s fine,” “We just did it two years ago,” “People know who we are,” etc., but in the end we decided that YES, it was time.
I think we’ve all gone through that thought process before, right? As you’d expect, comparison screenshots of the redesign are posted just after the jump.
Dre Armeda, on the StudioPress blog:
The key to being a safe rider is the acceptance of risk.
I have to consider a lot of variables, but ultimately I’ve decided that I want to ride, and I’ve accepted that there will always be a certain level of risk to that activity.
Running a website is not unlike motorcycle riding when it comes to risk acceptance and overall risk management.
Over the weekend a vulnerability was discovered in the TimThumb image resizing script. On Monday Mark Maunder, the CEO of Feedjit and the one who originally discovered the issue, blogged about his site becoming compromised and how he discovered TimThumb was the weakness that allowed it to happen. Since that blog post the issue has been confirmed by TimThumb’s creator and patches have been published in an attempt to fix the problem.
TimThumb is a script primarily used for on-the-fly resizing and cropping of images, though another feature allows images from remote websites to be fetched, cropped and stored on the server as well. The list of allowed remote hosts is hard-coded in the script, and every remote URL is checked against that list before the file is fetched. In the vulnerable versions that check only tested whether an allowed domain name (blogger.com, for example) appeared somewhere in the requested URL, so a URL on an attacker-controlled host whose name merely contained an allowed domain passed the check, and the “image” it pointed at could be a PHP file.
As John Ford explained on the VaultPress blog, TimThumb’s vulnerability “allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory.” Once such a file is in place, the attacker can request it directly and use it to compromise the rest of the site in any way they like. VaultPress recommended deleting the TimThumb file from any site that doesn’t explicitly require it, and updating it on sites that do. Ford also recommended using built-in WordPress functions such as add_image_size to resize images, avoiding TimThumb entirely.
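To make the allowlist problem concrete, here is an added example (written for this page, not TimThumb’s own code) that puts the weak check beside a hardened one. The domain list is a constructed approximation of the defaults TimThumb 1.x shipped with, the function names and the attacker.example URLs are ours, and the point generalizes beyond TimThumb: a substring match on a whole URL is not a host check, because the attacker controls the path, the query string, the userinfo part and the subdomain labels.

```python
"""Allowlist check for remote image fetches: the substring match described
in the TimThumb advisory, beside a check that compares the parsed host.
Example code for this page, not TimThumb's source."""
from urllib.parse import urlparse

# Constructed list, modelled on the remote hosts TimThumb 1.x allowed by default.
ALLOWED_SITES = [
    "flickr.com", "picasa.com", "blogger.com", "wordpress.com",
    "img.youtube.com", "upload.wikimedia.org", "photobucket.com",
]


def is_allowed_substring(url: str) -> bool:
    """The weak check: passes if an allowed domain appears *anywhere* in the
    URL, so the attacker only has to put 'blogger.com' somewhere in it."""
    lower = url.lower()
    return any(site in lower for site in ALLOWED_SITES)


def is_allowed_host(url: str) -> bool:
    """The hardened check: parse the URL, require http(s), and compare the
    host itself (not the whole URL) against the list, accepting an exact
    match or a subdomain of an allowed entry."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # lower-cased; port and userinfo are stripped
    if not host:
        return False
    host = host.rstrip(".")  # "blogger.com." names the same host as "blogger.com"
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


# Constructed URLs: the first two are legitimate image sources, the rest are
# the shapes an attacker uses to smuggle a PHP file past the substring check.
SAMPLE_URLS = [
    "http://img.youtube.com/vi/abc123/0.jpg",
    "https://www.blogger.com/img/photo.jpg",
    "http://blogger.com.attacker.example/shell.php",   # allowed name as a prefix label
    "http://attacker.example/blogger.com/shell.php",   # allowed name in the path
    "http://blogger.com@attacker.example/shell.php",   # allowed name as userinfo
    "http://attacker.example/?x=flickr.com",           # allowed name in the query
]


def compare(urls=SAMPLE_URLS) -> dict:
    """Return {url: (substring_result, host_result)} for each URL."""
    return {u: (is_allowed_substring(u), is_allowed_host(u)) for u in urls}


if __name__ == "__main__":
    print("weak  strict  url")
    for url, (weak, strict) in compare().items():
        print(f"{'PASS' if weak else 'deny':4}  {'PASS' if strict else 'deny':6}  {url}")
```

Running it shows every sample URL passing the substring check and only the two genuine image hosts passing the host check. Note that even the hardened check only decides where the file may come from; it says nothing about what the fetched bytes are, so a fetcher that stores remote content under a web-accessible cache directory still needs to validate that the content is an image and to write it with a non-executable name and location.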