Geekzone: technology news, blogs, forums


Getsited

32 posts

Geek


#208880 3-Mar-2017 16:14

Hi all,

We run a WordPress site and a custom PHP application on a Linux server. WordPress seems to be pretty flaky in the security department and I am worried our devs might introduce a vulnerability in our custom application.

Has anyone had any experience with security scanning for servers and web applications? I'm looking for something good and affordable.

Regards,

Gareth


marpada
475 posts

Ultimate Geek


  #1729516 3-Mar-2017 16:42

http://www.openvas.org/

https://www.metasploit.com/




timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #1729525 3-Mar-2017 17:14

Your best bet is probably to run a WAF, which will prevent common exploits reaching your server - SQL injection, XSS, the OWASP top ten and more. AWS WAF, CloudFlare Pro Business, RedShield (NZ, expensive but good), Incapsula. Static scans are probably not worth the effort.

WordPress security is quite good. It runs 10% of the internet, or more, and reports of widespread hacks are rare.


timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #1729526 3-Mar-2017 17:20

Also, it sounds like you need to look at a few more things:

  • Your process around code and security reviews (which might be what you were really asking about)
  • Automated penetration testing
  • Deployment architecture - DMZ with a reverse proxy might be prudent
  • IDS / IPS systems. Trend Micro has one. On AWS you can buy services like this by the hour. Some route your traffic through them, some use an agent on your server.

Look on YouTube for "re:invent security"; it will tell you some of the things AWS does for security. They're typically best practice.




mattwnz
20141 posts

Uber Geek


  #1729528 3-Mar-2017 17:32

Any CMS is potentially vulnerable to hacking, and I don't think WordPress is any worse. It is just that WordPress powers so much of the internet, so hackers can concentrate on trying to find holes in it. It is similar to Windows vs Mac OS: hackers tend to target Windows due to the numbers.


sclazarus
6 posts

Wannabe Geek


  #1735575 13-Mar-2017 10:26

I don't know if you're still looking, but the company that I work for hosts peer reviews of software and you can find a list of popular security software, along with reviews from people that have used them. I don't know much about it, but HP Fortify on Demand seems to be a popular choice (it's ranked at the top of the list) so you can take a look at that if you want (https://goo.gl/7f5K1L).

I hope this helps.


freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1735648 13-Mar-2017 11:41

I have been looking at TinfoilSecurity for scanning lately.







Getsited

32 posts

Geek


  #1736429 14-Mar-2017 17:39

Thanks for the suggestions!

I've turned on ModSecurity with a Comodo rule feed (it's free!) and also started using a WAF with sucuri.net. Sucuri also do the scanning thing.

Thing is, with the WAF you have to load your SSL cert in - private key and CRT. So if they get compromised you will be truly screwed. Apart from that it looks good.

The problem with WordPress is the plugins. There is no checking to make sure the code is up to scratch.


 
 
 

freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1736431 14-Mar-2017 17:45

So why not Cloudflare?






timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #1736435 14-Mar-2017 17:51

freitasm: I have been looking at TinfoilSecurity for scanning lately.

 

 

Tinfoil is pretty awesome. I found a bug and emailed them, they came back to me pretty quickly. I've emailed a couple more suggestions. I've found it super useful.


Getsited

32 posts

Geek


  #1749226 28-Mar-2017 10:23

freitasm: So why not Cloudflare?

I found this report which shows ModSecurity is the best - https://perezbox.com/2013/03/protect-your-website-vulnerabilities-with-a-waf-new-compairson-report-cloudflare-vs-incapsula-vs-modsecurity/. It's quite old, but there doesn't seem to be too much info out there to make decisions with.

I'm using Comodo's rule set and ModSecurity is free. Comodo got a mention here - http://www.newsweek.com/best-antivirus-protect-cia-spies-hackers-computer-security-565710 - anything that annoys the CIA must be good.

I've got a server admin guy running his own penetration testing to give it the once over.

Going forward, I will need to find a good automated scanner to make sure everything's working as it should.


timmmay
20574 posts

Uber Geek

Trusted
Lifetime subscriber

  #1749303 28-Mar-2017 11:31

Getsited:
freitasm: So why not Cloudflare?

Going forward, I will need to find a good automated scanner to make sure everything's working as it should.

 

 

Tinfoil security above would qualify. If you want free there are open source tools, but they take more effort.

