WP Blogsecurify 1.0

TheWP Blogsecurify 1.0 plugin is out. It was announced on the Blogsecurify blog and I am going to announce it here once again just in case you somehow missed the news.

WP Blogsecurify is a security plugin for Wordpress designed to integrate several simple but important security patches for the popular blogging platform. This plugin was developed by the Blogsecurify team – a special division of GNUCITIZEN Information Security Think Tank.

WP Blogsecurify protects your blog by:

forcing users to login over a secure communication channel.
protecting session identifiers from incidental session leaks.
hiding database errors which could be caused by malfunctioning plugins.
protecting the entire user session from session hijacking and side-jacking attacks.

This plugin is designed to be simple and effective. Future versions will protect against SQLI and XSS attacks. We are also planning to integrate WP Blogsecurify with our free social media security testing engine.

In simple words, the current version will do a pretty good job to project your user session from session hijacking and session side-jacking attacks. It requires you to have SSL enabled. If you don’t have SSL on port 443 and you are locked out because the plugin is enable then you have to remove wp-blogsecurify from the wp-content/plugins directory in order to allow yourself back in.

Safe blogging all!

Comments

dian responds:

i’ve been reading your site along time, this one i’m goin to use it in my site after wordpress 2.7 comes out. Thx for the tips guys :)

ehmo responds:

hey, i’m sceptic. so far as i know, mostly blogs running on hostings, which don’t have ssl connection allowed. i don’t think that this is a good way. i’ve some others ideas, which will protect ppl, but will not bounds them.

but good job anyway.

MartinJ responds:

Out of curiosity: How does the promised protection against session hijacking work? http_only?

pdp responds:

Hi Martin,

The plugin does a few things. First of all, it detects whether you want to authenticate or you are already authenticated. If yes, then it forces you over SSL. Underneath it is a bit more tricky. The plugin tries to guarantee that no matter what you do, your session identifiers never get sent over an unencrypted channel. The plugin uses its own cookies to keep your session state when browsing your site while authenticated. This mechanism preserves your user experience while enforcing extra security. In case of XSS, httpOnly is enabled to prevent damages. This only prevents session hijacking attacks though.

The plugin is coded in very clear fashion. It is easy to understand once you have a look at what it is inside.

GNUCITIZEN Products

Blogsecurify is a division of GNUCITIZEN. The initiative was established to provide social media security services through our free automated testing engine. The Blogsecurify team is also engaged to deliver quality content on issues concerning social media technologies.

Netsecurify is a division of GNUCITIZEN. The initiative was established to provide network security services through our free automated testing engine. The service is still in private-beta.

Websecurify is a division of GNUCITIZEN. The initiative was established to provide a free web application security framework for automated and manual penetration testing. The service is still in private-beta.

Secapps serves as an application directory of all online tools which the GNUCITIZEN team has built over the years.

Securls serves as an information security intelligence tool, combining news and articles from the best information security resources online.

Visit the GNUCITIZEN Network for a complete listing of all GNUCITIZEN initiatives, products and partnering organizations.

GNUCITIZEN

Navigation

Comments

Respond

The Others

GNUCITIZEN Products

Recent Posts

Random Posts

From The Cutting-edge Network