Articles

This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization.

Oh, and we also have a link to DZone community awards where you can vote for this newsletter!

Source de l’article sur DZONE

I was playing around with the CLI to see how I can incorporate it into demos and wanted to share a couple of things to remind people of its capabilities.

1. Log In as a Human

Note for interactive usage of the CLI, i.e., as a human, you can log in to the platform using your organization’s domain name and password if your organization is delegating authentication to your corporate IdP. Typing the command below will open a browser for you to log in:

Source de l’article sur DZONE

A hacked WordPress site is as damaging as having your home burgled. It can completely shatter your peace of mind and adversely impact your online business. 

Why do hackers target WordPress sites? The answer is relatively simple: WordPress is the single biggest platform for website creation these days, so there’s a larger base to attack; this attracts the attention of online criminals. 

So, how can a hack impact your website? 

Depending on the type of attack, your website could suffer any of the following:

  • It could be defaced completely;
  • It could load or operate very slowly on any device;
  • It could completely crash and malfunction;
  • It could display the dreadful “White Screen of Death”;
  • Its incoming visitors could be redirected to other suspicious websites;
  • It could lose all your valuable customer data.

This list is not exhaustive but you get the idea.

Now that we know how a successful hack can impact your website and online business, let us look at the top 10 reasons behind WP hacks and prevent them.

1. An Insecure Web Host 

Like any website, WordPress is hosted on a web host or server. Unfortunately, most site owners do not pay much attention to the web host they select and choose the cheapest they can find. For example, it is more affordable to host a website on a shared hosting plan — one that shares its server resources with many other websites like yours.

This can make your site vulnerable to hackers as a successful hack into any website on the shared server. A single hacked site can consume the overall server bandwidth and impact all the other sites’ performance.

The only way to fix this problem is to opt for a reliable host and a virtual or dedicated server.

Pro tip: If you’re already using a shared hosting plan, check with your hosts if they offer VPS hosting and make the switch.

2. Use of Weak Passwords

Weak passwords are the main reason behind successful brute force attacks that target your account. Even to this day, users continue to use weak and common passwords like “password” or “123456”; if you’re one of them, your website could land in trouble!

Guessing weak passwords allows hackers to enter the admin accounts where they can inflict the maximum damage.

How do you fix this problem? Simple, ensure all your account users (including admin users) configure strong passwords for their login credentials. With at least 8 characters, passwords must be a mix of upper- and lower-case alphabets, numbers, and symbols. 

For added safety, install a password management tool that can automatically generate and store strong passwords.

Pro tip: You can use a plugin to reset passwords for all your users.

3. An Outdated WP Version

Outdated software is among the most common reasons why websites get hacked. Despite being free to download, most site users defer updating their site to the latest version, for fears of updates causing their site to crash.

Hackers take advantage of any vulnerability or bug in an older version and cause issues like SQL Injections, WP-VCD Malware, SEO Spam & other major issues like website redirecting to another site.

How do you solve this problem? When you see a notification about an update on your dashboard, update your site as soon as possible.

Pro tip: If you are worried about updates crashing your live website, you can first test the updates on a staging site.

4. Outdated WP Plugins and Themes

Similar to the previous point, hackers also take advantage of outdated, unused, or abandoned plugins and themes installed on websites. With over 55,000 plugins and themes that are available, it is easy to install a plugin or theme, even from unsafe or untrusted websites. 

Plus, many users do not update their installed plugins/themes to the latest version or do not find the updated version. This makes it easier for hackers to do their job & infect sites.

How do you avoid this problem? As with the core WP version, update each of your installed plugins/themes on your site regularly. Take stock of all the unused ones and remove them or replace them with better alternatives.

You can update your plugins/themes from your hosting account.

Pro tip: We suggest setting aside time every week to run updates. Test them on a staging site and then update your site.

5. Common Admin Usernames 

In addition to weak passwords, users also create common usernames that are easy to guess. 

This includes common usernames for admin users like – “admin”, “admin1”, or “admin123”. Common admin usernames make it easier for hackers to get into admin accounts and control backend files in your WP installation.

How do you avoid this problem? If you are using any such usernames that are easy to guess, change them immediately to a unique username. The easiest way of doing it is through your hosting account’s user management tool, by deleting the previous admin user and creating a new admin user with a unique username.

As the first step, change the default username of your admin user and limit users who have administrator privileges.

Pro tip: WordPress has 6 different user roles with limited permissions. Only grant admin access to users who really need it.

6. Use of Nulled Plugins/Themes 

Coming back to the importance of plugins/themes, users have access to many websites that sell nulled or pirated copies of popular and paid plugins and themes. While these are free to use, they are often riddled with malware. They can compromise your website’s overall security and make it easier for hackers to exploit. 

Being a pirated copy, nulled plugins/themes do not have any available updates from its development team, hence will not have any security fixes.

How do you fix this problem? Simple, for a start, only download original plugins and themes from trusted websites and marketplaces.

Pro tip: If you don’t wish to pay for paid or premium plugins and themes, opt for a free version of the same tools that will have limited features but are still safer to use than the nulled version. 

7. Unprotected Access to wp-admin Folder

To take control of your site, hackers often try to break into and control your wp-admin folder in your installation. As the website owner, you must take measures to protect your wp-admin directory.

How can you protect your wp-admin folder? First, restrict the number of users having access to this critical folder. Additionally, apply for password protection as an added layer of security for access to the wp-admin folder. You can do this using the “Password Protection Directories” feature of the cPanel in your web host account.

Pro tip: Besides these fixes, you can also implement Two Factor Authentication (or 2FA) protection for all your admin accounts.

8. Non-SSL Website

You can easily migrate your HTTP website to HTTPS by installing an SSL certificate on your site. SSL (or Secure Socket Layer) is a secure mode of encrypting any data transmission between your web server and the client browser.

Without this encryption, hackers can intercept the data and steal it. Plus, a non-secure website can have many negative implications for your business – lower SEO ranking, loss of customer trust, or a drop in incoming traffic.

How do you fix this problem? You can quickly obtain an SSL certificate from your hosting company or SSL providers. It encrypts all data that is sent from and received by your website. 

Pro tip: You can get a free SSL certificate from places like Let’s Encrypt, but these provide limit protection that will only be sufficient for a starter site or small site.

9. No Firewall Protection

Lack of firewall protection is another common reason why hackers can bypass website security measures and infiltrate the backend resources. Firewalls are the last line of defence against hackers and work like the security alarm installed on your house. Firewalls monitor web requests coming from various IP addresses, including the suspicious (or bad) ones. 

They can identify and block requests that are known to be malicious in the past, thus preventing easy access for hackers to your website domain. Web application firewalls can thwart various attacks, including brute force attacks, XSS, and SQL injections.

Pro tip: A firewall provides much-needed security and is  your first line of defence. But it’s important to also have a malware scanner installed.

10. Lack of WordPress Hardening Measures

Typically, hackers target the most vulnerable areas or weaknesses within a WP installation, to illegally access or damage the website. The WordPress team has identified these vulnerable areas and has devised a list of 12 hardening measures recommended for every website.

A few of these include:

  • Disabling the File Editor;
  • Preventing PHP execution in untrusted folders;
  • Changing the security keys;
  • Disallowing plugin installations;
  • Automatic logout of inactive users;

How do you implement these hardening measures? While some steps are easy to understand, others require the technical expertise of how WordPress works. 

Pro tip: You can implement hardening measures on your own. However, some measures require technical expertise so in these cases, it’s much easier and safer to use a plugin.

 

Featured image via Pexels.

Source


Source de l’article sur Webdesignerdepot

BitCoin is basically a digital ledger system, allowing for keeping transactions based upon cryptographic signatures in a decentralised database, ensuring the transaction was initiated by the person owning the private key. From a philosophical point of view, it’s simply authentication and authorisation based upon a private asymmetric key, period! What if I told you the same idea could easily be transferred to code in general. As in, keeping a ledger of invocations towards some HTTP endpoint, where the client decides what code the server should execute? The obvious example can be found below.

Plain Text

 

x
1

transfer.money

2

   to-account:1234567890

You’d have to be pretty stupid to not see the use case for the above snippet, especially considering it’s arguably (probably) the foundation of Revolut, a FinTech company, threatening to driver every single European bank out of business these days.

Source de l’article sur DZONE

This week, we take a look at API vulnerabilities in HashiCorp Vault, Azure App Services, and more. There is also an introductory video on finding information disclosure in JSON and XML API responses, and another cheat sheet and a webinar on OWASP API Security Top 10.

Vulnerability: HashiCorp Vault

Felix Wilhelm from Google’s Project Zero has written a very detailed write-up on an authentication bypass he found in the Amazon Web Services (AWS) and Google Cloud Platform (GCP) integration of HashiCorp Vault. As a central storage of credentials, Vault makes an attractive target for attackers, and therefore a vulnerability in it is also very bad news. Looking for the silver linings, this attack was definitely quite advanced, and thus not easily exploitable.

Source de l’article sur DZONE

This month’s collection of new tools, resources, and freebies for designers is a smorgasbord of sorts. You’ll find everything from useful APIs to icons to tutorials to fonts.

Let’s get right into it, here’s what new for designers this month:

Tooltip Sequence

Now that your app or website is ready, you might need to help users engage with it. Tooltip Sequence is a simple JavaScript package that helps you create a series of small tooltips that will guide users through product features with a small description of what they need to know. It looks great and the best part is this tool saves you from having to create each tooltip description manually on each page and link them together.

Serenade

Serenade allows you to free up your hands with voice coding technology. Use natural speech and stay productive with this tool that allows you to code without typing. It works across multiple coding languages and platforms. It’s as easy as “add function hello” and the tool knows what syntax to use.

Gazepass

Gazepass, which is still in beta, is a nifty API that allows for passwordless multi-factor authentication for any website or mobile app. It uses biometrics on any device or platform to make getting into apps or websites easier for users.

Filters.css

Filters.css is a CSS-only library to apply color filters to website images. Installation only takes three steps and includes a variety of filers, such as blur, grayscale, brightness, contrast, invert, saturate, sepia, and opacity.

Sidebar Webring

Sidebar Webring is a collection of blogs and websites that are focused on web design. The curated list is handpicked for superb content for designers and developers. But, what’s a webring? It’s a collection of linked websites in a circular structure that are organized around a theme. The term is a throwback to the early days of the web in the 1990s and 2000s.

Wicked Templates

Wicked Templates is a set of responsive HTML templates made with Bulma and Tailwind CSS that you can style and use as you wish. Use these templates to jumpstart projects. Free and paid options available.

WP Umbrella

WP Umbrella will help you keep sites running in a healthy and safe manner on WordPress. Monitor uptime and performance, PHP errors, and keep up with hundreds of websites from one dashboard.

Servicebot

Servicebot helps you create customer-facing embeddable billing pages that work with Stripe payments. This premium tool is quite user-friendly and works with websites or SaaS.

Custom, Accessible Checkboxes with Perfect Alignment

Create custom, accessible checkboxes with perfect alignment every time. This walkthrough shows you how to use CSS to align elements and labels.

Sombras.app

Sombras.app is a nifty tool that creates 3D object shadows. Use the easy on-screen controls to get just the right orientation and shape.

urlcat

Urlcat is a tiny JavaScript library that helps you build URLs with dynamic parameters and without mistakes. The friendly API has no dependencies, includes TypeScript types, and is just 0.8KB minified and gzipped.

Reacher

Reacher is a real-time email verification API that lets you check the validity of an address before you send the email. Reduce bounce rates in an instant. (The personal version is free.)

Swell

Swell is a most powerful headless ecommerce platform for modern brands, startups, and agencies. Create fast and flexible shopping experiences with the API and headless storefront themes. This is a premium tool but does have a free trial.

No Code Founders 2.0

No Code Founders 2.0 is a platform for discovering the latest startups built with no-code and the tools used to build them. Browse startups, tools, perks, interviews, jobs, meetups, posts, and more as part of the no-code movement. The community engages on Slack and requires an email to sign up.

How to Pick More Beautiful Colors for Your Data Visualizations

Beautiful color choices will make your data visualizations that much more impactful. This tutorial by Lisa Charlotte Rost will help you make better color choices on the way to better infographics and charts. Plus, it’s well developed, designed, and packed with useful information.

IconPark

IconPark is a collection of more than 1,200 high-quality icons with an interface that allows you to customize them. It uses a single SVG source file that can be transformed into multiple themes. The library includes cross-platform components and is free to use.

Mono Icons

Mono Icons is a simple and consistent open-source icon set that uses mono spacing. The collection includes 136 icons.

BGJar

BGJar is a free SVG background generator for digital projects. Pick a category and customize the result to fit your project or needs.

HitCount

HitCount is almost too simple to be true. This tiny tool lets you add a hit counter to your website that’s as easy as adding an image. Copy the code and make any customizations you want. Then paste it to your design. That’s it!

Blacklight

Blacklight is a real-time website privacy inspector. The tool by Surya Mattu scans any website you enter in the scan bar and shows what user-tracking technologies are used on the website. This allows you to see who might be gathering data about your visit.

Alter

Alter is a customizable – and experimental – three-dimensional typeface that you can experiment with. It’s as fun to play with as use.

Autobus Omnibus

Autobus Omnibus is a simple all capitals font with new wave styling. The character set has 96 glyphs that are perfect for display use.

Deathmatch

Deathmatch is a seasonal blackletter font that’s ideal for the upcoming Halloween holiday. The character set includes plenty of options and there’s a full version (paid) for commercial use.

Futura Now

Futura Now is a premium typeface and update to a font you may already know and love. The new version has 107 styles in a massive family.

Pumpkin Soup

Pumpkin Soup is a fun almost handwriting style typeface with a cartoonish vibe. It includes a regular and italic style and is most appropriate in limited use.

Source


Source de l’article sur Webdesignerdepot

As B2C companies look to offer an elevated user experience across all touchpoints, app developers are increasingly turning to customer identity and access management (CIAM) solutions that can help protect customer data and enhance the customer experience.

Customers have become increasingly receptive to new technologies and are using a wide array of digital solutions such as smartphones, wearable devices, virtual reality (VR), and Internet of Things-enabled systems in their daily lives. These digital solutions have made the execution of tasks easier and faster, bringing about a major change in customers’ behavior – i.e. the need for instant gratification of their demands. 

Source de l’article sur DZONE

Imagine having an app where you can write and store your notes efficiently. Today, we are going to build an app that will keep track of your notes. We’ll use ASP.NET Core to build the app. We’ll also use .NET Core’s OAuth 2.0 authentication middleware to make sure the personal notes are kept secure.

My Private Notes App

As mentioned earlier, you’ll use an ASP.NET app to build your note-keeping app. Here’s how the app works: The home page will keep track of all your recent notes, and if you include more than three notes, the oldest will be shelved. Once we’ve built the app, you’ll learn how to secure it with OAuth. Read this starter project from GitHub to get started. 

Source de l’article sur DZONE

Recently I was looking for a way to implement access control for microservices. I needed a solution that would allow defining complex authorization rules that could be enforced across many services. After searching the web, I discovered a very promising Open Policy Agent project that seems to be the right tool for the job. In this series of three blog posts, I am going to introduce Open Policy Agent to you and highlight how it can help you.

What Is Open Policy Agent?

Open Policy Agent (OPA) is a policy engine that can be used to implement fine-grained access control for your application. For example, you can use OPA to implement authorization across microservices. However, there is much more that can be accomplished with OPA.

Source de l’article sur DZONE

If you’re building custom applications owned by the same organization, there are many benefits of implementing single sign-on (SSO). You get shorter development time, increased security, and improved user experience. One of my favorite aspects of SSO is that instead of upgrading a large codebase all at once, you can do it a piece at a time.

What do I mean by that? Well, let’s say you’re looking to shift an app written in ASP.NET MVC 5 to ASP.NET Core MVC. You can do so by migrating each service at a time instead of rewriting the entire thing. You can then connect the two apps like they were one by enabling SSO. 

Source de l’article sur DZONE