Category: Uncategorized

  • Should You Force Periodic User Password Resets?

    Recently this audit summary from US local governments and courts came up in the security channel for a client. Item 2.1 recommends that users be routinely asked to change their passwords. Specifically it says:

    Without requiring passwords to be periodically changed, the likelihood that accounts could be compromised and used by unauthorized individuals to gain access to sensitive information is increased.

    Ensure passwords are periodically changed to prevent unauthorized access to computers and data

    On the face of it, this sounds like a good idea. If there is a password breach, then making sure your users rotate their passwords regularly should ensure that any compromised passwords get changed sooner or later. No more worries about those compromised passwords…right?

    What Forcing Password Changes Really Does

    By nature, humans are lazy. That’s why we reuse passwords and why password is consistently one of the most common passwords found in breaches. When you force regular password changes on users, they just get lazier: password becomes password1, which becomes password123, both of which turn up just as regularly in the same breach lists.

    That brings us to this 2010 study, which examines the utility of getting people to change their passwords. It finds that users transform their passwords in exactly the predictable ways highlighted above. Around 41% of the passwords that had been changed could be cracked from the previous password with the techniques shown in the study, and 17% could be cracked within 5 guesses.

    So forcing password rotation sounds like a good idea, but it does little to improve security.

    What Should You Do Instead?

    Let’s talk about some of the things you should be doing with your passwords to keep them strong and secure according to the NIST guidelines (SP 800-63B).

    First, and this isn’t specifically in the guidelines, you should be using a password manager like 1Password or Bitwarden. One of the biggest reasons users choose insecure passwords is that they try to remember them. Human memory isn’t great at random strings of text, so people fall back on insecure habits like putting their username or the site name in the password. By having a password manager generate your passwords for you, you can be confident you’re getting truly random, unique passwords.

    Second, when you accept a new password from a user, check it against breach databases and reject any password that matches. Attackers feed those same breach lists straight into password-guessing attacks, so just don’t allow them.

    Third, use two-factor authentication (2FA), but don’t deliver the codes over SMS. SIM swapping and social engineering of the carrier are not hard, and anyone who pulls that off receives your SMS codes. Use an authenticator app like Authy to hold your 2FA secrets and generate the codes instead.

    Fourth, lock accounts after 10 failed password attempts. A timed lockout on the first 10 wrong guesses is reasonable, but if the same account gets another 10 wrong guesses once that 20-minute lockout expires, lock it entirely until an admin looks at what’s going on. The higher the risk of a breach, the stricter you should be.
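    The lockout policy just described, written out as an added example (not the article’s code) so the state transitions are explicit: ten failures trigger a 20-minute lock, ten more after it expires trigger a hard lock that only an admin can clear, and a successful login on an open account resets the counter. The clock is injected so the behaviour can be exercised without waiting; persisting the state and rate-limiting by source address as well as by account are left to the deployment.

```python
# Added example, not from the article: an in-memory model of the lockout policy.
# Thresholds and the 20-minute window are the article's numbers.
from dataclasses import dataclass

TEMP_LOCK_AFTER = 10          # failed attempts before a timed lockout
TEMP_LOCK_SECONDS = 20 * 60   # how long that lockout lasts
HARD_LOCK_AFTER = 20          # failed attempts in total before an admin must unlock


@dataclass
class AccountState:
    failures: int = 0          # failures since the last success or admin unlock
    locked_until: float = 0.0  # unix time at which a timed lockout expires
    hard_locked: bool = False  # set once HARD_LOCK_AFTER is reached


class LockoutPolicy:
    def __init__(self, clock):
        self._clock = clock    # callable returning the current unix time (injected for testing)
        self._accounts = {}    # username -> AccountState

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def can_attempt(self, user: str) -> bool:
        """Call before checking the password; False means do not even look at it."""
        s = self._state(user)
        if s.hard_locked:
            return False
        return self._clock() >= s.locked_until

    def record_failure(self, user: str) -> str:
        """Returns the account's new state: 'open', 'temp_locked' or 'hard_locked'."""
        s = self._state(user)
        s.failures += 1
        if s.failures >= HARD_LOCK_AFTER:
            s.hard_locked = True
            return "hard_locked"
        if s.failures == TEMP_LOCK_AFTER:
            s.locked_until = self._clock() + TEMP_LOCK_SECONDS
            return "temp_locked"
        return "open"

    def record_success(self, user: str) -> None:
        """A correct password on an open account clears the counter; a hard lock stays."""
        if not self._state(user).hard_locked:
            self._accounts[user] = AccountState()

    def admin_unlock(self, user: str) -> None:
        self._accounts[user] = AccountState()
```

Note the trade-off: anyone who knows a username can lock that account by sending ten wrong passwords at it, so a hard lock deliberately accepts some support burden in exchange for stopping online guessing outright.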

    Fifth, don’t allow password hints; they make passwords trivial to guess. So much data is out there that someone could find out that the name of my first dog was…nope, not going to tell you. Still, I’m sure I’ve said it on social media before. A good rule of thumb: if a hint would let someone guess your password, it’s a bad password.

    Finally, context-specific strings such as the username or the site name should not be allowed as part of the password.
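    An added example (not the article’s code) that puts the breach-list check from the second point and the context-string check from this last point into one acceptance function, together with the NIST SP 800-63B minimum length of 8 characters. The breach lookup is modelled on the k-anonymity “range” scheme used by Have I Been Pwned’s Pwned Passwords API: only the first five hex characters of the password’s SHA-1 are sent, and the response lists every matching hash suffix with a count, so the full hash never leaves the server. CONSTRUCTED_BREACH_LIST and its counts are made up here so the example runs offline; in production range_lookup() would be an HTTPS GET against the real service.

```python
# Added example, not the article's code: breach-list lookup (k-anonymity range
# query) plus a ban on context-specific strings, as a password acceptance check.
import hashlib

CONSTRUCTED_BREACH_LIST = {   # password -> fictional number of breach appearances
    "password": 3000000,
    "password1": 2000000,
    "password123": 100000,
    "123456": 30000000,
}


def sha1_hex(password: str) -> str:
    # SHA-1 is only the lookup key for the breach list; never store passwords with it.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breach_list):
    """Group hashes by their 5-char prefix; each entry is a line 'SUFFIX:COUNT'."""
    index = {}
    for pw, count in breach_list.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_LIST)


def range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/<prefix>; returns the response body text."""
    return "\r\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the breach list (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def context_terms(username: str, site: str, min_len: int = 4):
    """Strings the password must not contain: the username, its local part, the
    site, and each label of the site's domain (short labels like 'com' are skipped)."""
    raw = {username, username.split("@")[0], site, *site.split(".")}
    return {t.lower() for t in raw if len(t) >= min_len}


def contains_context(password: str, terms) -> bool:
    """Case-insensitive; also catches the term spelled backwards."""
    p = password.lower()
    return any(t in p or t[::-1] in p for t in terms)


def validate_password(password: str, username: str, site: str, lookup=range_lookup):
    """Returns the list of reasons to reject the password; an empty list means accept."""
    reasons = []
    if len(password) < 8:
        reasons.append("too_short")
    if breach_count(password, lookup) > 0:
        reasons.append("breached")
    if contains_context(password, context_terms(username, site)):
        reasons.append("contains_context")
    return reasons
```

Two practical notes: the real range endpoint is a network call, so decide up front whether an unreachable service fails open or closed for registrations; and this check is about accepting the password, not storing it, which still needs a slow, salted hash such as bcrypt or Argon2.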

    For IT managers: get people using a password manager and do whatever you can to ensure they actually use it. Forcing periodic password changes is far less secure than 2FA plus proper passwords. Just stop the practice.

  • Fixing No Sourcemaps Problem in Laravel Mix

    We recently started updating an old gulp-based build process at work by moving it to Laravel Mix. Mix is a wrapper around webpack that takes a lot of the setup headache away. If you have a very complex build, Mix may not be for you, but for 90% of developers’ needs it will serve you well.

    I got everything compiling easily, then realised I wasn’t getting sourcemaps for my CSS files. That means I can’t use a browser’s developer tools to see the source .scss file for a given CSS rule.

    According to the Mix documentation, I should be able to take the code below and chain a .sourceMaps() call onto it if I want sourcemaps generated.

    mix.scss( 'source-file', 'destination-path');

    This code should generate sourcemaps.

    mix.scss( 'source-file', 'destination-path').sourceMaps();

    Unfortunately, it doesn’t work. I was still left with my rendered CSS and no sourcemap files alongside it. There is even an issue from 2017 highlighting the problem.

    Like many things as a developer, the solution came from reading through a pile of comments on the issue and forum posts. In the end the code below produced my .css.map files as expected.

    mix.webpackConfig({ devtool: "source-map" });
    mix.scss( 'source-file', 'destination-path').sourceMaps();

    You need to both configure webpack to emit sourcemap files and tell Mix to generate them. One caveat: a source map hands your original .scss to anyone who opens the dev tools on the site, so you generally want this in development builds only.

    Yup, this is contrary to the documentation, which makes no mention of the webpack configuration needed. One of my biggest frustrations as a developer is the lack of care put into documentation. The upside is that I can write about it, which generates business for me: people find the solutions I write about and hire me because they figure I can solve other problems they have.

  • Choosing a WordPress Membership Plugin for your Membership Site

    One of the first choices you need to make when you’re starting a membership site is which membership plugin to use. There are lots of options out there, but after dealing with membership sites and clients for years I only ever recommend three, besides the one I wrote.

    Let’s talk about them in no particular order.

    Restrict Content Pro

    Restrict Content Pro is actually my favourite membership plugin to work with. I’ve known the plugin’s founder for years, so maybe that’s part of it, but the code is easy to read and use. There have been a number of times when I’ve needed to accomplish something for a client and, after a conversation with the developers, had an answer and a change to the core code for the next version within an hour so we could achieve the features we wanted.

    On top of that, the customer support is awesome. I can’t think of a better company than Pippin’s for providing amazing customer support. You’re in good hands long term here.

    Restrict Content Pro has just enough features built into the core plugin to deal with any standard membership site. For the extra features you may want, there is a great selection of official add-ons and a number of third-party add-ons as well.

    I’ve already mentioned this, but I’ll say it again: as a developer it is very easy to dig in and create any custom functionality my clients need.

    WooCommerce and WooCommerce Memberships

    WooCommerce with WooCommerce Memberships is probably the biggest player on the market. I get the most requests for this setup because it’s what clients already feel they need.

    If you want to sell recurring memberships you’ll need to also purchase WooCommerce Subscriptions.

    This plugin has more complexity than RCP does, but I don’t regularly get clients emailing me to ask how the plugin works, because the documentation is decent.

    The code under the hood is readable and has many options to customize it and WooCommerce.

    Easy Restricted Content for WooCommerce

    I wrote Easy Restricted Content for WooCommerce because at the time every single membership plugin for WooCommerce was terrible. They had 12 settings screens and 82 steps you needed to take to get anything set up.

    It was a nightmare: my clients always had questions, updates were always needed, and they never understood how to use the plugin I had provided them. This wasn’t good for my clients or for me.

    I wrote Easy Restricted Content for WooCommerce to be easy. Purchase the plugin, turn it on and then go to the content you want to restrict and tell the plugin which product or subscription is required to have access to that content.

    There are no other settings.

    There is no prorating of accounts. It doesn’t work out upgrades or anything like that. It simply shows content only to users who have purchased the specified product.

    Just like WooCommerce Memberships, if you want to sell recurring access you’ll need WooCommerce Subscriptions.

    Paid Memberships Pro

    Paid Memberships Pro is another good option for your membership needs. They have good support and a wealth of extensions available when you’re a paying member.

    From the developer perspective, I find the code in Paid Memberships Pro a bit more frustrating than the code in Restrict Content Pro or WooCommerce Memberships. It’s not that it’s wrong; it’s just a step or two below my ideal quality.

    Now, this doesn’t mean it’s going to break on you, nor that they wrote bad code. I just always end up spending more time working around what Paid Memberships Pro does when I’m trying to extend it than I do with the other options.

    All the others???

    So there are lots of membership plugins I haven’t even mentioned. I’ve worked with most of them and, in short, they’re usually a pain. Some try to “protect” their code by obfuscating it so it’s unreadable; obfuscation doesn’t make a plugin any more secure, it just makes my life harder as a developer since I have to email support to do anything that isn’t clicking settings in the admin area.

    Others have terrible support that might get back to you 2 weeks after

    So how do I decide on a membership plugin?

    So, how do you decide exactly which option you should be using? The first place to start is to write down a list of your “must have” features. Then you can probably trim a few of those must-haves, because most people make that list way too long to start with.

    Then it’s time to look at which of the options solve most of those problems.

    If you’re less technically savvy or want something without all the extra options, then look at my plugin Easy Restricted Content for WooCommerce.

    If you have a bunch of access options required, then maybe WooCommerce Memberships is right for you.

    If you feel like the options in WooCommerce are just too much, then look at a dedicated membership solution like RCP or PMPro. I lean towards RCP here, but if PMPro solves more problems out of the box for you then it’s the right choice.

    If you’ve got any specific questions about your membership needs, let me know in the comments and I’ll do my best to answer them.

  • Evidently Pippin Trusts Us

    Have you heard of Easy Digital Downloads? Well you have now.

    It’s the easiest platform to use for selling downloadable products. It integrates easily with Affiliate WP for affiliate programs and Restrict Content Pro for membership sites.

    SFNdesign is a trusted consultant for EDD, which means they think we know what we’re doing and can build you an awesome solution.

    But wait, who is Pippin? I mean he’s mentioned in the title right? Pippin is the lead developer/founder/guru behind EDD.

  • We love to use Vagrant

    Sure, it’s a bit technical, but we love to use Vagrant for our client sites. Using Vagrant means we can spin up new servers and onboard new team members fast.

    We particularly love VVV as a way to get our projects off the ground quickly.

    Curtis even wrote a few tutorials about using VVV.

    1. Working with WordPress and Vagrant – Basics
    2. Vagrant and Custom Domains with WordPress
    3. Adding a new domain to an existing VVV box
    4. Connecting to MySQL in Vagrant with Sequel Pro

  • Not every implementation of WooCommerce sells products

    Yeah you read that right, sometimes we use WooCommerce and don’t actually sell products with it.

    So why on earth do we use it?

    Well, if you need a product catalogue you usually need all the ‘product’ features of WooCommerce without the checkout process. So why build all the product features from scratch?

    We wouldn’t; that would be stupid and waste everyone’s time.

    Instead we remove the purchase buttons and add a pre-filled inquiry form. Hiding the button in the template isn’t the whole job, though: WooCommerce still accepts add-to-cart requests made directly by URL, so the products also have to be marked non-purchasable (the woocommerce_is_purchasable filter) so nobody can check out on a catalogue-only site.