H D FRASER

Digital Marketing & Technology Support.

H D Fraser & Associates Technical Consultants

Understanding and Preventing User Enumeration in Web Applications


User enumeration is a common security vulnerability in web applications that has serious consequences for the organisation and the users of the application. In this article we will look at (1) what user enumeration is, (2) why it is a problem, and (3) strategies that prevent it. By having a better understanding of the issue and implementing […]

Web Security Due Diligence

Whilst it is seemingly impossible to cover all the bases, we have a primary duty of care to: identify risks and treat or mitigate them; demonstrate that security is taken seriously; constantly improve. Unfortunately too many organisations take a knee-jerk approach to website security due diligence, reacting to legislative […]

Web Security Risks Impact

What are the risks to your business from your website, and what is their impact? Data theft; malicious code; unauthorised access; fraud through impersonation; punitive fines for GDPR breaches; loss of business and revenue; reputational damage. Unfortunately the internet and the software tools we use in that environment are not stable. Each […]

WordPress Malware Scan & Fix

A significant proportion of website owners are unaware of malware present in their hosting and infecting their websites, and even if they were, they would not know what to look for. An effective WordPress security maintenance check should include a scan for known malware and suspicious files, identify them and suggest a fix […]

Login Activity Audit

We have encountered additional administrator accounts on clients' websites that no one seems to have created or can account for. As part of a WordPress security maintenance check the following needs to be done, at minimum: remove all unaccounted-for admin accounts and restrict them to one or two; if feasible, whitelist yours and the […]

Form CAPTCHA

Contact forms are without fail prime candidates for spammers, be they human or automated 'bots'. They can also be used in brute-force attacks to gain access to your website administration. CAPTCHAs have come a long way since having to answer a simple challenge question or solve a mathematical formula. Where contact forms are in […]

SSL Encryption

Install an SSL certificate and verify it. SSL certificates were once the preserve of ecommerce sites and corporates handling sensitive client data; not so today. For any site to be taken seriously and to have a credible ranking in Google, the trusty padlock has to be there in the address bar, closely followed by the https:// prefix. […]

Disable File Editing

Turn off file editing. WordPress allows editing of themes and plugins via the administration panel. Hackers or unauthorised users can subvert the intended use of your website or change the displayed content unless this vulnerability is mitigated. As part of a WordPress site security review, file editing should be turned off and its status checked […]

Disable PHP Error Reporting

Disable PHP error reporting. PHP error reporting can be exploited by hackers to glean information about your hosting, website platform or CMS, and to decide where to focus their attention to take advantage of known weaknesses in software or applications. Interrogating error messages and the header information provided can yield the following information: host operating system […]

Sectigo SSL Certificates

Most have heard of Comodo or Comodo CA when the conversation turns to SSL certificates. No surprise, as Comodo issued 91 million certificates to more than 200,000 customers worldwide. Comodo is now owned by and branded as Sectigo, who describe themselves as follows: "Sectigo is the world's largest commercial Certificate Authority (CA) […]