WP Blogsecurify

Sun, 26 Oct 2008 08:09:04 GMT

The WP Blogsecurify 1.0 wordpress plugin is out.

What does it do?

WP Blogsecurify is a security plugin for Wordpress designed to integrate several simple but important security patches for the popular blogging platform. WP Blogsecurify protects your blog by:

  • forcing users to login over a secure communication channel
  • protecting session identifiers from incidental session leaks
  • hiding database errors which could be caused by malfunctioning plugins
  • protecting the entire user session from session hijacking and side-jacking attacks

This plugin is designed to be simple and effective. Future versions will protect against SQLI and XSS attacks. We are also planning to integrate WP Blogsecurify with our social media security testing engine.

Keep in mind that the plugin requires SSL. If you don't have SSL on port 443 and you are locked out because the plugin is enabled then you have to remove wp-blogsecurify from the wp-content/plugins directory in order to allow yourself back in.

diandian
i've been reading your site along time, this one i'm goin to use it in my site after wordpress 2.7 comes out. Thx for the tips guys :)
ehmoehmo
hey, i'm sceptic. so far as i know, mostly blogs running on hostings, which don't have ssl connection allowed. i don't think that this is a good way. i've some others ideas, which will protect ppl, but will not bounds them. but good job anyway.
MartinJMartinJ
Out of curiosity: How does the promised protection against session hijacking work? http_only?
pdppdp
Hi Martin, The plugin does a few things. First of all, it detects whether you want to authenticate or you are already authenticated. If yes, then it forces you over SSL. Underneath it is a bit more tricky. The plugin tries to guarantee that no matter what you do, your session identifiers never get sent over an unencrypted channel. The plugin uses its own cookies to keep your session state when browsing your site while authenticated. This mechanism preserves your user experience while enforcing extra security. In case of XSS, httpOnly is enabled to prevent damages. This only prevents session hijacking attacks though. The plugin is coded in very clear fashion. It is easy to understand once you have a look at what it is inside.