WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Is my blog secure? (17 posts)

  1. tomsol
    Member
    Posted 7 years ago #

    I'm using WordPress 2.03 and a web hotel with cpanel.

    I want to use wordpress as a private company intranet in order to improve communications between people and departments.

    I logged in to Cpanel and chose "Password protect directories" where I protected the subdomain "intranet".
    Only this subdomain points to the blog.

    So whenver someone enters the URL http://intranet.site.com - they are prompted with a username and password.

    My question then is: is this blog now secure?
    Well, except for the chance that someone gets their hands on the username and password of course. But except for that, is it secure?

    Can search engines still access the pages in the blog?
    What about the RSS-feeds? Are they secure?

    Security is important here so I'm very thankful for any information or help you can provide.

    Thanks in advance!

  2. kickass
    Member
    Posted 7 years ago #

    It's a low level of security.

  3. tomsol
    Member
    Posted 7 years ago #

    Ok but what does that mean? Could you be more specific?

    And I'd appreciate any suggestions on how to improve security.

  4. eston
    Member
    Posted 7 years ago #

    I think your best bet would be to filter the IPs on the server end so the DNS entry for the subdomain was only accessible from the internal network.

  5. whooami
    Member
    Posted 7 years ago #

    mod_auth is NOT a low level of security.

    to answer your first questions, tomsol,

    1. no, search engines cannot spider your site.

    2. your RSS feeds are secure in that someone cannot simply browse them, HOWEVER thats not to say that pinging out might not have unintended and unwanted results. You will definitely want to disable "notifying update services" or whatever that option is thats in the admin area.

    mod_auth is a very good and simple way to protectext a hierachy of directorys, tomsol. Make sure your chosen password(s) are secure and make sure that you actually protect your .ht files from being read.

    There is nothing totally secure, but youve got a good start.

    One other suggestion: I would stear clear of intranet as the subdomain name, unless its a very obscure domain name that soneone wouldnt associate with a business.

  6. tomsol
    Member
    Posted 7 years ago #

    Ok then! Thanks whoami.

    It sounds like the blog should be sufficiently secure.

  7. manstraw
    Member
    Posted 7 years ago #

    people wanting to read your rss will need to add a user/pass. if their rss program doesn't otherwise have an option for that, they can add the user pass in the uri. as in h ttp://user:pass@intranet.site.com

  8. Brian Layman
    Member
    Posted 7 years ago #

    I strongly urge you not to teach them to use the username and password combination that way.

    There are several reasons why this is a bad idea:
    1. It won't work on XP machines with security updates as of last June. There are several scams that use that method to make people think they are connecting to their banks and such. So, Micrsoft eliminated that URI syntax.

    You CAN re-enable it via a registry change, but I don't recommend it.

    2. You throw your whole network - not just the blog - wide open to attack from inside and outside the building. The get request is sent plain text and depending upon your network configuration it is possible that anyone with a packet sniffer could pick it up. Additionally, if even one employee has a wifi device configured that way - and with WEP encryption or less, you'll be making that information available to anyone monitoring your wifi traffic. WEP is easy to crack. You can just pull WEP passwords out of the air. WPA is also crackable but it takes longer. I'd post a link with backup info, but its OT. So, I just say you simply should not send unencrypted passwords across wifi.

    You should also tell your users to never save their passwords in IE on laptops and other non secure systems. Anyone can walk up to a computer with a thumbdrive, insert it, run a program that grabs the passwords from secured storage, save them on the thumbdrive and remove that entry from the start->run log.

    All that said, you've done a good job of securing your blog.

    If security is a real concern, get a certificate and require https access to your site instead of http. That will eliminate the packet sniffing issues.

  9. tomsol
    Member
    Posted 7 years ago #

    Ok, now I feel I have to ask a question to clearify.

    Can we use the RSS-feeds as they are or do I need to remove them completely? Alternatively make them safer somehow.

    I've just managed to educate people at work what RSS is and how to use it so I'd rather keep it.

    Security is not super important as this is no military institution and the work we do is not super secret. Basic company security will do, if there is such a thing.

  10. manstraw
    Member
    Posted 7 years ago #

    although I agree with everything brian just said, we're talking about read access to a web page, and not access to any other part of a server. unless the pages contain corporate secrets, or otherwise confidential information, I don't consider your situation as 'risky', and would be very comfortable with my suggestion regarding reading rss (assuming you even want that). and of course, you would be the best judge of that want and it the risk level. if you're in control of the passwords (which you are), people can't be tempted to use their regular password. that's about the only real risk otherwise, that someone would sniff a password that is also used to access a more sensitive area of the server.

    so what is your situation? how sensitive is this info? do you need to worry about people eavesdropping your people connected via wifi? do you need to encrypt the page? should you firewall the site so that only intranet people can access it?

    as much as security is 'the new black', I find a lot of people overreact to this concern. I guess I'm suggesting you rate your security concern level, and act accordingly. more gold means more locks sorta thing.

  11. manstraw
    Member
    Posted 7 years ago #

    you responded while I typed the above post, so I guess you answered a lot of what i was asking.

    If you've educated people on RSS, have you provided them with a proper RSS reader? One that handles http authenication would be good in this case. You can keep your rss in my opinion.

    Are you concerned about corporate spy types?

    Or are you just worried about stopping the casual viewer stumbling into the page?

    There are gizmo's that can be pointed in the direction of a crt computer monitor a hundred yards away, and it will display everything on that screen. If it really needs to be kept safe, use a pencil. You can spend a long time securing your data and never fully protect it.

  12. Brian Layman
    Member
    Posted 7 years ago #

    lol - you're right, there's "Secure" and there is "SECURE". For most people it is good enough to 90% there.

    Manstraw makes some good points, but I just don't think a coporate policy using something like h ttp://user:pass@intranet.site.com for storing network passwords in favorites or subscription fields is a good idea. Most people consider certain parts of their network "secret". Doing things like using the president's password to snoop around his word docs would be considered a no-no. That's mostly why I spoke up. Storing passwords in plain text just doesn't get you even to 70% secure. If rss feeds are important, investing in or finding a free feed reader that can handle logging in on its own, does get you there.

    Oh, and I just reread this sentence: "if you're in control of the passwords (which you are), people can't be tempted to use their regular password. that's about the only real risk otherwise, that someone would sniff a password that is also used to access a more sensitive area of the server."

    I was assuming that you were using domain security windows was automaticly providing access to its user names and passwords. If you are configuring seperate passwords for the blog, then you are in great shape. That isolates your blog security from the rest of the network. That would make it safe to store the feed addresses with the username and passwords embedded. Worst case then, people who already have already gotten access to the network could read the blog. No big deal.

    In any case, your rss feeds are secure and can be used.

  13. manstraw
    Member
    Posted 7 years ago #

    I should state that it's my impression that he's using a separate password system. But I don't *know* that. So, like, what Brian just said there is well put.

  14. AlfonsoEMunozLama
    Member
    Posted 7 years ago #

    I had many concerns about this issue and this post was very useful. Thanks to all.

    Alfonso E Munoz Lama

  15. tomsol
    Member
    Posted 7 years ago #

    You guys are amazing :)

    Here's some more info.

    The blog is on a web hotel specifically hired for this purpose.

    The blog is in a directory which is also a sub domain.

    The URL for this subdomain points to this directory.

    This directory is password protected. I did this in the web interface to the web hotel. The interface is called cpanel.

    I'm in control of this very long password and it's a bunch of letters and numbers.

    So whenever a user wants to access the intranet/blog they type in the URL. They get prompted with username and password.
    Then they can read anything in the blog.
    (to write they need to log in to the wp-admin but that's not relevant here)

    I've recommended the web based RSS-reader Netvibes.com here because it's very easy to use.

    We're not using username and passwords in the RSS-feeds. I have no idea how to do that. I'm using the default RSS-feeds that came with the theme. One for posts and one for comments.

  16. manstraw
    Member
    Posted 7 years ago #

    So everyone shares the same password? And I guess you can easily change it in the future, requiring people to find out the new password from you, right?

    How confidential is this information? What would happen is someone read it that you didn't authorize?

  17. tomsol
    Member
    Posted 7 years ago #

    I just want to say that I'm changing this topic to "resolved".
    Thanks everyone for all your input!

Topic Closed

This topic has been closed to new replies.

About this Topic