Thanks to all who responded, and especially Tim Boudreau, who took a lot of time to give me a thorough explanation of what to do and why.

________________________________________________
Watch (and please share) my TEDx Talk, "Impossible is a Dare: Business for a Better World"
http://www.ted.com/tedx/events/11809
Contact me to bake in profitability while addressing hunger, poverty, war, and catastrophic climate change
Twitter: @shelhorowitz
* First business ever to be Green America Gold Certified
* Inducted into the National Environmental Hall of Fame
http://goingbeyondsustainability.com for the corporate world
http://impactwithprofit.com for entrepreneurs
http://greenandprofitable.com for green businesses
mailto:shel at greenandprofitable.com * 413-586-2388
Award-winning, best-selling (8th) book: Guerrilla Marketing Goes Green (co-authored with Jay Conrad Levinson)
Coming in April: Guerrilla Marketing to Heal the World
_________________________________________________

On Fri, Jan 15, 2016 at 12:15 AM, Tim Boudreau <niftiness at gmail.com> wrote:

> On Thu, Jan 14, 2016 at 5:36 PM, Shel Horowitz <shel at principledprofit.com> wrote:
>
>> Wow, Tim, that's really good advice. I will implement it on my own sites too. Just a quick question--you're only talking about within the admin partition? Or are you saying all pages on the site should be https even if they have no forms?
>
> Google now treats https as a "ranking signal" - as in, you theoretically get ranked higher if you do https. Assuming you're running on reasonably recent hardware, there's no reason not to have https at least available if not the default.
>
> The conventional wisdom used to be http on pages that have no forms and https where there are. But that's changed (I recently went through Intel's internal security review process for a customer of mine's web application, and they definitely do not consider anything but https-everywhere secure).
>
> First, https does more than encrypt - it also lets the receiver verify that they're actually getting the web site they think they're getting - no man in the middle.
>
> Second, a lot of web frameworks use the same cookie to identify the user/session on both http and https - which means if you want to fake being that user, all you need is to observe one unencrypted request - so, since it's so common that this is done wrong, it's best to avoid plain http entirely.
>
> Third, on reasonably modern hardware, encryption does not use enough resources to justify not doing it.
>
> Fourth, ISPs are starting to do "ad injection" - modifying web pages on the fly to display ads that were never part of those pages - but that only works on plain http:
> http://www.pcworld.com/article/2604422/comcasts-open-wi-fi-hotspots-inject-ads-into-your-browser.html
>
> So all in all, there are a bunch of compelling reasons to do https, and none that hold much water for sticking with http.
>
> To contradict Rich a little bit: He's right that a local network is not a common attack vector. But you do not know what is between you and the server. My home wifi/wired router is a Linux box I built, and I can observe and play back anything unencrypted on my home network (I can observe the rest, just not decrypt it) - it's handy for diagnosing problems, in fact. If you're on a public network, you have no idea if that's happening. Wifi encryption is good for some things, but is like having a super-sound-insulated pipe you can talk into and nobody in the room can hear you...but the pipe is attached to a bullhorn on your front door. Security is either end-to-end - browser to server - or you don't have any.
>
> -Tim
>
> --
> http://timboudreau.com
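Tim's second point, that a session cookie a framework also sends over plain http is exposed by a single observed request, can be checked from a server's response headers. The following is an added example and not code from the thread: a small Python audit over constructed sample headers that flags cookies missing the Secure (and HttpOnly) attribute and a missing or zero-lifetime Strict-Transport-Security header; the cookie names, values and header dicts are made up for the demo.

```python
from typing import Dict, List

# Constructed sample responses (not from the thread); cookie names and values
# are made up. Header names map to lists, since Set-Cookie may repeat.
INSECURE_RESPONSE: Dict[str, List[str]] = {
    "Set-Cookie": ["JSESSIONID=abc123; Path=/"],
}
HARDENED_RESPONSE: Dict[str, List[str]] = {
    "Set-Cookie": ["JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
}


def parse_directives(directives: str) -> Dict[str, str]:
    """Parse "k=v; flag; ..." into {"k": "v", "flag": ""}.

    Keys are lowercased because cookie attributes and HSTS directives are
    case-insensitive; a bare flag such as Secure maps to an empty string.
    """
    out: Dict[str, str] = {}
    for item in directives.split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition("=")
            out[key.strip().lower()] = value.strip()
    return out


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one response; an empty list means nothing flagged."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    for raw in lower.get("set-cookie", []):
        pair, _, rest = raw.partition(";")
        name = pair.partition("=")[0].strip()
        attrs = parse_directives(rest)
        if "secure" not in attrs:
            # Without Secure the browser also attaches the cookie to plain http
            # requests, so one observed plaintext request exposes the session.
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    hsts = lower.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = parse_directives(hsts[0]).get("max-age", "")
        if not age.isdigit() or int(age) == 0:
            findings.append("Strict-Transport-Security max-age missing or zero")
    return findings
```

Run `audit_headers(INSECURE_RESPONSE)` and `audit_headers(HARDENED_RESPONSE)` to compare the two constructed responses; the first yields three findings, the second none.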