I have been using various forms of WordPress as my main blogging and website platform for several years now and am generally quite fond of it. It has taken me a while to feel comfortable with tweaking it, mainly because the defaults just do so much of the job that I don’t really need to be a WP expert.

Earlier this month I moved my main strominator.com blog from being hosted on WordPress.com to my own domain. It went surprisingly well, with just a few hiccups: my database file was nearing the limit of 8 MB which meant I had to split it up to get the entries imported. And it took about a day to reconstruct my full database of categories and labels.

Why bother moving it over? There are several alternatives to the free hosting on WP.com. GoDaddy offers WP hosting packages where they will even automatically update the WP software for you at the same price that they host a minimal server. I don’t recommend this option: WP updates happen frequently and many plug-ins stop working with the newer versions.

Another reason not to use GoDaddy hosting: its uptime isn’t what it could be. I use the service from Anturis to keep track of downtime, and it is quick and free to set this up

Speaking of plug-ins, that is the main reason for moving your blog to your own domain. You have full control over what you can install and how to fine-tune the site’s features. And while it is great to be able to add plug-ins, you need to realize that this also increases your attack surface area pretty substantially. The WP plug-in directory site currently lists 29,000 different ones. Some of them have been downloaded by millions of users and are quite useful, such as Akismet for blocking spam or Jetpack, which adds a number of features.

So like many other things in tech, freedom comes at a price of being more proactive about securing your servers. So before you consider a move to your own domain and be more motivated about securing your WP site, read this article by David Brumbaugh about WP as a secure apps platform over on Dice.

He suggests a number of things to do, including using the “Better WP Security” plug-in to get started. I downloaded this plug-in and found it amazingly comprehensive, and interesting in how many places that I had to tweak and adjust to make sure that my directories weren’t browsable, my defaults weren’t obvious, and other nips and tucks here and there. The screen shot above shows just the main dashboard display of “to-do” items to fix.

In my role as curator of the Dice Security Talent community, here are some of my favorite stories of the past week, including some follow-ups from the Target credit card breech that are worth looking at. And this story in the NY Times about what happened behind the scenes is also worth a closer read.

• 10 Free Or Low-Cost Network Discovery And Mapping Tools
• Starbucks, SSL for Twitter and Why Sensitive Data Must Be Encrypted
• Digitally signed data-stealing malware targets Mac users in undelivered courier item attack
• Adware Vendors Buy and Abuse Chrome Extensions
• The Cybersecurity skills gap is worse than you think
• Mysterious networking error stifles Internet access in China
• Major retail breaches highlight point-of-sale security weaknesses
• Researchers warns about evolution of threats and interests to modern networks
• Target and Restoring Trust After a Data Breach
• When The Internet of Things Attacks! Parsing The IoT Botnet Story

My top security stories of the past week, as part of my efforts to curate the Dice Security Talent Community portal:

• The Changing Face Of The IT Security Team
• Cisco: POS Systems Key Vulnerability in Security Breaches
• SEA hijacks Microsoft Twitter accounts, Xbox support blog and Technet
• Massive denial-of-service attacks pick up steam, new nefarious techniques
• Juniper should reevaluate switching, security products investor says
• Malvertising attacks via Yahoo ads may precede broader iframe attacks
• Dealing With Unrealistic Security Expectations from the Executive Office
• Mobile Devices Taking Part In Enterprise DDoS Attacks?
• Could Your Kids Be Doing Things That Make Them Bully Bait?
• Debunking the “NSA Mass Surveillance Could Have Stopped 9/11” Myth

XP Install screen

The intertubes have been filled with the stories about the coming demise of Windows XP. And I have to admit a certain fondness for the OS, after all, we have been together for 12 years and countless machines. Yes, there was Vista (briefly), and I am still getting used to Windows 7’s quirks just in time to find my way around 8.1. And I am not alone: Kaspersky claims nearly 20% of their current anti-virus customers still run XP. Time is running out, as we all know.

But what hasn’t be covered is what I call the forgotten desktop which runs XP. There are plenty of devices that aren’t actually sitting on anyone’s desk but are connected to your corporate network, and will need upgrading. When you start to look around, you can find them in some surprising places, such as point of sale terminals, ticket kiosks for trains and subway stations, medical equipment, displays at airports, bus stations and train stations, digital payphones, digital LED signage, video conference rooms, red light speed cameras, movie ticket kiosks, and supermarket self-checkout lanes (these have enough problems as is). Take a look at the collection chronicled in the Public Computer Error Board. I am sure you can think of other places XP might be lurking.

“This interconnected world can be a dangerous place when it’s built on an unsupported operating system that’s vulnerable to exploits or simple compatibility limitations,” says Justin Strong, a product marketing manger at Novell. And after all, who would know better than the folks who originally hooked up all these XP machines back in the day?

“IT departments are relieved if they’ve simply migrated their workforce off XP,” says Strong. But that’s not enough.Microsoft’s Craig Mundie at the Techonomy conference last year said, “Even one XP machine represents a major threat.” This is because XP can’t be hardened to avoid today’s threats and has many weaknesses. According to Microsoft,XP machines are six times more likely to be infected with malware than newer versions of Windows. Yikes.

I know many of you still have even Windows NT and 2000 running somewhere on your networks, and maybe even some Novell Netware too. Let’s make a clean sweep. And yes, I will miss XP, we have been through a lot.But it is time to move on.

In my work for Dice’s Security Talent Community, I track down the most interesting stories of the past week. Lots of questions in this batch:

• Continuous Security Monitoring: An Introduction
• FireEye’s $1B Mandiant Buyout: Is the Price Too High or Too Low?
• Firm Bankrupted by Cyberheist Sues Bank
• Have we seen the end of the ZeroAccess botnet?
• Cybercrooks developing dangerous new file-encrypting ransomware, researchers warn
• Yahoo Ads Hack Spreads Malware
• Is rapid detection the new prevention?
• Windows 8.1 security overview: Enterprise features and tools
• US CERT Warns About Point-of-Sale Malware
• Variant of Pony Botnet Pickpockets Bitcoin Users
  

The latest and most interesting security stories of the past week, as culled for the portal of the Dice Security Talent Community page.

• Protecting Brand And Data While Staying Social
• CloudLock Tracks Google Apps Cloud Misuse
• The Case for a Compulsory Bug Bounty
• Are the websites you’re using tracking what you type?
• Advanced persistent threats now hitting mobile devices
• Phishing messages fall markedly in 2013 despite better targeting
• IE 11 security: Has Web browser security technology reached its peak?
• How Connected Consumer Devices Fail The Security Test
• MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages
• WhatsApp With That? Security Flaw in Mobile Messaging Apps

In my weekly efforts to keep up to date on the latest and greatest security stories for the Dice Security Talent Community, here they are:

• Hacking The Zero-Day Vulnerability Market
• Microsoft ‘Telepathwords’ Site Helps Users Craft Stronger Passwords
• Who is the Russian hacker kingpin Paunch?
• Are contractors the weak link in your security chain?
• Review: Best tools for mobile device management
• Using microVM isolation to improve malware detection and defense
• Same Zeus, Different Features
• Many organizations lack DDoS response plan, Corero finds