Securing passwords in your database

Add salt to your hashed passwords for extra tastiness

There’s a good post at the Errata Security blog (The Importance of Being Canonical) that discusses going beyond simply hashing the passwords in your database to appending or prepending random characters (a “salt”) to each password before it is hashed, with the salt stored alongside the hash. Two users with the same password then end up with different hashes, so an attacker who steals the table can no longer reverse it with a precomputed list of common-password hashes, which neutralizes one of the most common ways of cracking password hashes.
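The following is an added example, not code from the Errata Security post or from this blog, showing in plain PHP why a per-user salt defeats a precomputed table. The “attacker table”, the user list and the table/column-free storage layout are constructed for illustration; only built-in PHP functions (hash, random_bytes, hash_equals, password_hash) are used.

```php
<?php
// Added example: unsalted hashing beside per-user salted hashing.
// The lookup table below stands in for an attacker's precomputed
// list of hashes for common passwords (constructed, four entries).
$lookup = [];
foreach (['password', '123456', 'letmein', 'qwerty'] as $pw) {
    $lookup[hash('sha256', $pw)] = $pw;
}

// Weak scheme: hash(password) with no salt. Identical passwords give
// identical digests, and the precomputed table reverses them instantly.
function unsalted_hash(string $password): string
{
    return hash('sha256', $password);
}

// Salted scheme: a fresh random salt per user, stored beside the digest.
// The attacker's table was built without the salt, so it matches nothing,
// and two users with the same password get different digests.
function salted_hash(string $password, ?string $salt = null): array
{
    $salt   = $salt ?? random_bytes(16);            // 128-bit salt per user
    $digest = hash('sha256', $salt . $password);    // salt prepended, then hashed
    return ['salt' => bin2hex($salt), 'hash' => $digest];
}

function verify_salted(string $password, array $record): bool
{
    $digest = hash('sha256', hex2bin($record['salt']) . $password);
    return hash_equals($record['hash'], $digest);   // constant-time comparison
}

// Constructed user table: two users happened to choose the same password.
$users = ['alice' => 'letmein', 'bob' => 'letmein'];

echo "Unsalted:\n";
foreach ($users as $name => $pw) {
    $h = unsalted_hash($pw);
    // Both rows hit the table, and the two digests are identical.
    echo "  $name $h -> " . ($lookup[$h] ?? '(not in table)') . "\n";
}

echo "Salted:\n";
$records = [];
foreach ($users as $name => $pw) {
    $records[$name] = salted_hash($pw);
    // No hits, and alice's and bob's digests differ.
    echo "  $name {$records[$name]['hash']} -> "
        . ($lookup[$records[$name]['hash']] ?? '(not in table)') . "\n";
}

// Verification uses the stored salt, so the real password still checks out
// and a wrong one does not.
var_dump(verify_salted('letmein', $records['alice']));
var_dump(verify_salted('wrong', $records['alice']));

// What to actually ship: password_hash() generates the salt, stores it in
// the returned string, and uses a deliberately slow algorithm (bcrypt by
// default), so you never hand-roll the scheme above in production.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));
```

One caveat worth keeping in mind: a salt stops the attacker from cracking the whole table at once with precomputed hashes, but it does nothing to slow down a brute-force guess against a single row. That is why the last few lines use password_hash(), which adds a slow, tunable hashing algorithm on top of the salt.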

Using WordPress as a CMS – Part 3

In the first two “WordPress as CMS” posts, I discussed the benefits of WordPress compared with other free, open source CMSs and how to take advantage of recent WordPress improvements when using it as a CMS. In this installment, I’ll go into detail on a few plugins that are a “must” if you want to use WordPress as a CMS.

But first a word about plugin security. Unfortunately, WordPress plugins have a bit of a reputation for being insecure, due largely though not exclusively to the lack of proper validation and sanitization of user input. If a plugin never checks what a user typed into a form field, or what was tacked onto the end of a query string, and passes that value straight into a database query, your server is open to SQL injection and similar attacks. With that in mind, it’s prudent to check around for any known security issues with a plugin before you install it. If you have the PHP skills, you can also check the plugin yourself: look for places where values from $_GET, $_POST or $_REQUEST reach a query, a file path or the page output without being validated or escaped.
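To make the point concrete, here is an added example (not code from this blog or from any particular plugin) of the injection described above beside the fix WordPress itself provides. It assumes the standard WordPress $wpdb global with its prepare() method and the sanitize_title() helper; the table name myplugin_items, the slug column and the function names are invented for illustration.

```php
<?php
// Added example: a plugin lookup driven by ?slug=... from the query string.

// Vulnerable version: the raw query-string value is concatenated into SQL.
// A request with ?slug=x'+OR+'1'='1 makes the WHERE clause always true,
// and a crafted value can close the quote and run whatever the attacker
// appends.
function myplugin_get_item_vulnerable()
{
    global $wpdb;
    $slug = $_GET['slug'];                                   // untrusted input
    $sql  = "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE slug = '$slug'";
    return $wpdb->get_row($sql);
}

// Hardened version: first reduce the input to the shape a slug can have,
// then let $wpdb->prepare() quote and escape the value for the %s
// placeholder, so it can never be interpreted as SQL.
function myplugin_get_item_hardened()
{
    global $wpdb;
    $slug = isset($_GET['slug']) ? sanitize_title($_GET['slug']) : '';
    if ($slug === '') {
        return null;                                         // reject empty/garbage input
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE slug = %s",
        $slug
    );
    return $wpdb->get_row($sql);
}
```

When auditing a plugin, a quick first pass is to grep for $wpdb->query, get_row, get_results and get_var and confirm that every one of them is fed by $wpdb->prepare() (or a hard-coded statement) rather than a concatenated string. One further detail: a value going into a LIKE pattern needs $wpdb->esc_like() before prepare(), because % and _ are wildcards that prepare() does not neutralize.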

But that aside, there are many secure and well-tested WordPress plugins, as well as many (perhaps most?) that do not introduce any user-facing input beyond the WordPress core and are therefore far less likely to open up additional security holes. The following is a list of just a few.

Continue reading “Using WordPress as a CMS – Part 3”