What is WordPress?

Key Takeaways

WordPress makes it easy to create websites.

How easy? That depends on your skill level.

  • At its core, WordPress is really just an easy way for you to make updates to your website. You can update text and images, and create new pages without touching a line of code.
  • WordPress is actually two things: WordPress.com and WordPress.org.
  • WordPress.com is for non-developers. It’s where you go to launch a cat blog or a portfolio site. You can’t do much customization over there.
  • WordPress.org is for developers. With WordPress.org, you’ll get complete customization over your site. WordPress.com is currently being used by CNN, Time, TED, and millions of other people.

Your Assignment

Decide if you want to learn WordPress.com or WordPress.org. Spend 10 minutes browsing the two sites to learn more.

If you want to learn WordPress.com, start your first site for free today by registering at WordPress.com. If you’d like to learn WordPress.org, check out the resources below.

Additional Resources to Learn WordPress Today

Digging Into WordPress is a great book for getting started with WordPress.org

WordPress Step-by-Step is a free guide for building your first WordPress.com theme. Just click on the titles to get started with each lesson. Chris Castiglione made this (that’s me).

And now we have added a great WordPress course to our library of offerings. Learn how to build your own WordPress themes. Sign up today! 

Defensive Hacking: How to prevent a brute force attack

Your password’s never as safe as you think it is, and understanding how to protect your website will help you from becoming the next iCloud. Today I want to look at the security weaknesses that led to brute force attacks.

Most brute force attacks work by targeting a website, typically the login page, with millions of username and password combinations until a valid combination is found. The same concept can be applied to password resets, secret questions, promotional and discount codes, and/or other “secret” information used to identify a user.

To perform a brute force attack, we need to do a few things:

  • Confirm account lockout/request throttling is disabled or easy to bypass
  • Determine the format of the username
  • Create a list of potential usernames
  • Confirm which usernames are valid
  • Test passwords for each valid username

The first step is to determine if an account lockout exists. This can be done by failing the login for a user. Next we need to figure out the format of the username. These can be significantly from one site to another, but the current trend is to use an email address since it’s easy to remember and can be used for password resets.

Here is the login page on our example site that we are targeting:

The first thing to notice is that the username is an email address. If the login screen didn’t tell us that, we may have been able to figure it out by trying to register or signup for an account. It’s pretty obvious from the signup page that an email address is used for the username:

If it’s a large public site, generally people sign up with gmail, yahoo, or other well-known email domains. Unfortunately, with the rampant hacking on the internet these days, it’s fairly easy to find massive lists of email addresses from compromised databases (https://haveibeenpwned.com/), (users.tar.gz, Adobes hacked list of 135M users). For the iCloud hack, the attackers probably started with the email addresses of the celebrities they wanted to target.

Let’s say we were (HYPOTHETICALLY) targeting James Franco’s use of our site here. First, I enter jamesfranco@gmail.com and a password then click login.

No dice. However, there is an interesting error message — “jamesfranco@gmail.com doesn’t exist!”

Determining Usernames

Now that we have our first clue, the website telling us if the username is registered or not, we need to build a list of usernames. If this was a company site, determining the email format and then creating a custom list is pretty simple. Corporate email addresses generally consist of one of the following formats:

  • firstname.lastname@company.com
  • james.franco@company.com
  • firstinitiallastname@company.com
  • jfranco@company.com
  • lastnamefirstinitial@company.com
  • francoj@company.com
  • firstname@company.com
  • james@company.com

A quick google search (http://www.wordstream.com/blog/ws/2009/09/23/find-anyones-personal-email) for the email domain will generally give you one email address from which you can deduce the format from.

For our example application, we know that the domain is onemonthsimple.com (which we found in the domain and footer), so we can start there.

Guessing Accounts

Let’s guess a few accounts and see if we can find a valid username. Manually testing a few common usernames with the @onemonthsimple.com domain is our first step. Let’s try these users:

  • Joe
  • Kate
  • Brian
  • Eric
  • Kristen
  • Emily
  • Jon
  • Chris

Wow — a few of those worked. When we guess the correct username we get an error message about the password being incorrect. We have a valid username and are on our way to breaking in!

Lets review what we already know:

Usernames are email addresses. The application will tell us if the email address is valid or not. If we find a valid email address with the wrong password, an “Incorrect Password” error message is shown. Since it is a (demo) corporate HR application, we guess correctly that most users have the @onemonthsimple.com as the email. Using this, we can create or use a list of common names and try to find out more users!

Manually guessing these usernames takes awhile. In order to find as many usernames as possible, an attacker would automate the process of trying usernames and matching the error messages to determine which ones are valid.

Automating Attacks

First, we need a larger list of names. In hacker terms, these are called dictionaries or wordlists. Based on what we know about this app, we need a wordlist of first names. Let’s grab the most popular 10,000 baby names from the US census (http://www.ssa.gov/OACT/babynames/limits.html) as a starting place.

Next, we need a way to automate the login process. For this, you can either write a small custom program or use a variety of different brute force hacking tools such as brutus or hydra. For this example, let’s just write our own. All it needs to do is:

  1. Read a file of usernames line by line
  2. Send the username to the website login
  3. Review the error message to see if the user is valid or not

Here’s the code:

require "net/http"
require "uri"
uri = URI.parse("http://localhost/sessions")
http = Net::HTTP.new(uri.host, "3000")
File.open("onemonth2013-users.txt", "r").each_line do |username| # remove the newline
  username = username.chomp
  request = Net::HTTP::Post.new(uri.request_uri)  
  request.set_form_data({"email"=>username,"password"=> "n0taL1k3lyp@ssw0rd","commit"=>
"Login"})

  response = http.request(request) 
  # If response contains incorrect password then the username is valid  
  if response.body.include? "Incorrect"
    puts "Found: #{username}"
  end
end

After this tool is run, we have a list of users for the site. Next, we rerun the script, but slightly modified. For each valid user, we try thousands of different passwords until we stop seeing the “Incorrect Password” error message — then we know we have the right username and password! Game over.

Defending against brute force attacks

Brute force attacks work because developers tip their hand to attackers by revealing critical information in error messages, fail to properly enforce account lockout and password complexity, and do not implement any form of request throttling. Let’s take a look at each one of these areas and see how you can protect your site.

Leaking Information

In our example, the login page revealed if the username was invalid or not. This is how we were able to determine valid usernames. The same thing happens with the password. This problem exists all over the Internet, just try a few favorite sites (https://secure.meetup.com/login/) and use the wrong password, does the site give you any hints you can use to break in?

The best way to prevent these types of attacks is to return a consistent error message for failed logins. Don’t give hints to hackers with verbose error messages!

Also, don’t forget the password reset functionality!

Account Lockout

Now that we have fixed the error message, we still want to strengthen the login further to prevent brute force password guessing attacks. To do this, we will add an account lockout to users when they fail the login after a certain number of times. This will prevent our script from testing millions of passwords for each account. Here is how we add the account lockout in Rails when using devise (http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable):

First, make sure the devise initializer is properly setup for account lockout:

config/initializers/devise.rb
# Lock account based on failed login attempts
config.lock_strategy = :failed_attempts
# Lock and unlock based on email
config.unlock_keys = [ :email ]
# Email the user the unlock link
config.unlock_strategy = :email
# Lockout the account after 5 failed logins
config.maximum_attempts = 5
# Make sure devise has:lockable set in your model:
devise :database_authenticatable, :registerable, :recoverable, :rememberable, :trackable, :validatable, :lockable

Give it a quick test and make sure accounts are getting locked out and can be reset. If you are adding this to an existing site, you may need to run a migration to add the required devise database fields.

If you are not using devise, then you can manually add a counter in the user model and increment it for each failed login during the authentication process. However, you should use devise!

Password Complexity

Next, we want to make sure the passwords are a little more complex (http://www.sans.org/security-resources/policies/general/pdf/password-protection-policy) so that user’s cannot enter in a weak password, such as “password” or “wizard1”. There are a couple ways to do this, although I personally like the “Devise Security Extension”. This gem provides the ability to configure a number of security controls around passwords, including complexity. Check out the github project for all the details:

https://github.com/phatworx/devise_security_extension

Again, without devise, a decent option is to create a regular expression and make sure that all new passwords meet the requirements. In general, I think it’s best to require at least one number and one special character, with a minimum character length of 10. Passphrases, or passwords that are more than one word are the way to go!

Throttle Requests

Finally, we want to slow down the attackers. One common way developers do this is to implement a security control called a captcha. A captcha is a special image that is intended to be easy for humans to understand, but difficult for automated tools (like our Ruby script). In general, captchas can be annoying and lead to a poor user experience. Also, there are a few tricks hackers use to get past captchas including things like optical character recognition tools, (http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835), or tricking users into solving captchas.

A better solution is to add in some form of rate limiting based on IP address after a certain amount of failed login attempts. However, be careful as this could be abused by attackers to deny access to legitimate users coming from the same IP range (think your office, coffee shop, or school). Ideally, combining the rate limiting with displaying a captcha is a fairly secure way to go to stop these types of attacks.

The best Ruby gem I’ve seen for throttling requests is rack-attack (https://github.com/kickstarter/rack-attack). Rack-attack was built by Kickstarter to stop brute force attacks. Not only can rack-attack be used to protect login pages, it can be used to protect any page on your site from brute-force attacks.

With our security fixes in place, retest your site and make sure you’ve crushed these types of bugs! If only Apple had enabled these basic login controls, maybe iCloud would be a safe place to store pictures!

Learning Hack: The Pomodoro Technique

Pomodoros are a simple learning and productivity technique. We all get burnt out or spend time doing stuff that’s not really effective or valuable, right?

Take a kitchen timer (a Pomodoro timer) and set it to 25 minutes.

Work on one thing for those 25 minutes. If you’re able to do that, when the 25 minutes are up make a little X on a piece of paper, like a post-it, and take a 5 minute break where you’re NOT thinking about work. Go walk around, or drink a cup of water, or use the bathroom, or stretch a little bit.

Then decide what you’re going to work on next and do another Pomodoro.

After about four Pomodoros cycles (with 5 minute breaks in between each), you should take a longer break of 20 minutes or so.

The goal will be to hit a certain number of Pomodoros in a day, like 8 or so, and then hit that number again or more the next day.

If you get really distracted during a Pomodoro (like you end up spending a few minutes on Facebook) then the Pomodoro doesn’t count and you have to start over.

The Pomodoro Technique accomplishes a few things:

  1. It gives you an accepted relaxation / bucket time. Then you don’t feel bad taking a break. In fact, studies show that breaks are important for optimal learning and focus. If you don’t take breaks, you might not be as productive as you could be.
  2. It lets you recalibrate what you’re working on every 25 minutes. I know that for me I often get unproductive when I’m working on the same thing for a long-time because I start focusing on stuff that isn’t important but tricking myself into thinking its super important. (Have you ever found yourself spending more than 15 minutes agonizing over the formatting of a powerpoint slide?) The more often you step back and check in with the self, the more you’ll feel like you actually worked on the tasks that you were supposed to.
  3. It provides a small, but reasonable challenge for you to maintain focus. You can defer distractions to a time that is at most 25 minutes away.
  4. It sets a personal challenge for yourself. By quantifying how many Pomodoros you’ve accomplished during the day, you’ll naturally feel a desire to at least match that never the next day.
  5. You feel better at the end of the day. Most of us spend way too much time hunched at our desk and then we feel like shit at the end of the day. It’s usually because we haven’t been physically active, we didn’t drink enough water, or stretch enough throughout the day. These 5 minute breaks are perfect for that. I find that at the end of a day when I practice pomodoros, I usually feel awesome.

So how can you get started?

Well it’s as simple as getting a timer, a piece of paper, and a pen, really. But there are a few things I’d recommend:

  • There’s an app for that. Pomodoro Timer for the iPhone is a good one. There are a lot of fancy apps out there that track all your Pomodoros and are adjustable and whatnot, but this app does all I really want. It vibrates when your 25 minutes are up, and lets you pick whether you want to take a short or a long break when that’s done.
    (My friend Jon notes that there’s a cool desktop alternative called E.gg Timer, which has a pomodoro option at this url: http://e.ggtimer.com/pomodoro)
  • Get a notebook, a day calendar, or even just a post-it at your desk to track your Pomodoros. This will actually be a good reminder at the start of your day that you should be doing Pomodoros in the first place.
  • While you’re at it, buy a nice pen.

Hope you enjoyed this post. Do you have a learning technique you’d like to share? Or do you think Pomodoro is a stupid idea? Post about it in the comments below.

Use This Technique to Beautifully Manage Your Database

Use This Technique to Beautifully Manage Your Database

If you’ve ever said to yourself, “I’d love to learn how to use a database, but I don’t have time to learn SQL, PSQL or any of those funky coding languages!”

… then I have something you.

Active Admin!

It’s beautiful. It’s free. And best of all, you can get started by adding just 1 line of code to your Rails app.

Watch the video above to learn the “Who, What, Why & When” in less than two minutes. And then give Active Admin a try.

PS. Don’t have time for coding right now? Click here to view a running demo of Active Admin that you can peak at.

Video Highlights

  • Active Admin helps you manage data (and your database) using Rails.
  • With Active Admin you can quickly create, read, edit and delete data.
  • Active Admin is free (and open source). You can get started right now by visiting Active Admin on Github or by adding the following to your gemfile:
gem 'activeadmin', github: 'gregbell/active_admin'