Tips to Prevent WordPress Website Hack

WordPress is a well-known open-source PHP-based CMS (Content Management System) platform used for writing blogs and developing websites. Easy accessibility of WordPress leads to a variety of threats and malware attacks. WordPress security is the highest priority for any organization that has a website. In addition, Google’s rule on blacklisting all websites with malware and threats is yet another reason to consider WordPress security cardinal.

Reasons that lead to WordPress Website Hacking

There are umpteen reasons how and why a WordPress website is hacked. Here is the top-of-the-charts list.

  1. WordPress Update: WordPress is highly maintained and updated regularly, and these updates need to be implemented on the WordPress website instantly. Ignoring WordPress updates allows threats to harm your website. WordPress ensures that every new version includes improvements and security updates, which address existing threats. When a website does not keep up with these updates, the organization is exposing the website to threats, malware, and hacking.
  2. Default Admin Login: Even kids these days understand that the default URL for an admin panel login page is probably the most used link, for instance, com/wp-admin. This predictability makes it easy for attackers to hack/phish the website. Hackers and attackers usually try various combinations of username and password when hacking a program; setting an obvious or easy-to-guess username and password helps bots crack the credentials and access the admin panel with ease, allowing the attackers to go ahead with their malicious activities.
  3. Common WordPress Folders: WordPress has common folders across all websites, such as Plugins folder, Themes Folder, Uploads folder, etc. The website owner can add a different folder, and so can hackers. They can enter malicious code in it.
  4. Insecure HTTP Server: A WordPress site can be hosted on an insecure HTTP server, which gives way to hackers to steal credit card information by intercepting the connection.
  5. Inactive Users: Users, especially Administrators, have access to modify content, and every User with a weak Username and Password is a threat to the website. When it is necessary to retain users, it is advised to change the role of the User from Administrator to Subscriber to avoid weak links.

Measures to ensure WordPress Website Security

  1. Keep it up to date: Keep your WordPress, plugins and themes up to date with their respective latest versions. Every new version of WordPress brings new features along with bug fixes and security fixes. Avoid unnecessary plugins and themes to reduce the vulnerability of the website. Always download plugins and themes only from trusted sources. Reading about the plugins, checking the reviews and number of downloads will help make the decision. Also, ensure that these plugins and themes sources provide regular updates, meaning even if there are bugs, the source should ensure an update or a fix.
  2. Security Firewall Plugin: Install a security firewall plugin to scan your website regularly. The firewall plugin allows periodic scanning of the website, malware removal, and tracking of any update on the website such as login details, document trails, suspicious login attempts, etc.
  3. Customize Admin URL: Change the default admin login URL /wp-admin to your custom URL using the updated plugin, and limit failed login attempts, to reduce the exposure to unauthorized users.
  4. Rename WordPress Database Prefix: While setting up a website, the default prefix used for the database is ‘wp_’, and most admins ignore changing the default settings, making it easier for hackers. Spammers and hackers run codes that mass attack ‘wp_’ files. Rename the default WordPress database prefix, rename WordPress tables, and User Meta tables. Always remember to back up WordPress files before making any changes.
  5. Avoid Common Usernames: Admin, wp-admin, etc., are truly common usernames that do not hold any strength against hackers. Using these usernames for the primary administrator user account makes the website vulnerable and easy to hack. Always have complex usernames and never have a username that appears anywhere on the website; for instance, you should not use an author name as-is as a username.
  6. Strong Password: Using a strong password is a given. However, users do not pay as much attention to work-related passwords as they need to. As a brand guideline, encourage all users to use unique usernames and passwords. Every password should be at least eight characters and should include all of the following.
    1. One uppercase
    2. One lowercase letter
    3. One number
    4. One special character
    5. No spaces
  7. Timely Backup: Be prepared for any adversity that the future holds, and make regular backups of all files and databases of the WordPress website. Even in drastic conditions where an administrator is locked out, the backups can come in handy.
  8. Disable PHP Execution: Block PHP execution in untrusted folders manually by using the .htaccess file or a plugin. Folders such as uploads, themes and plugins have read and write access by default; ensure these rights are allocated based on user roles.
  9. SSL Certificates: Secure the WordPress website through Secure Sockets Layer (SSL) to avoid any data leaks. Run your website on an HTTPS server to protect the data from getting stolen.
  10. User Rights: There are five different default users in WordPress. Each role has its own significance. Understand the user roles and assign access rights for each user role. Always remove access to any abandoned users. If an employee leaves an organization, the respective User should be either removed or transferred based on the requirement. Any unused or dormant user can be a weak link for hackers to enter.

Ensuring these measures are implemented effectively will close doors to any hackers or spammers or anyone phishing.

WordPress is an Open Source CMS which is free, but it does have some paid plugins. To secure the WordPress website, we need to take some actions on a regular basis. Always keep security and firewall plugins active to avoid all vulnerabilities. The best way is to keep a regular tab on your website and have a monthly or a fortnightly maintenance calendar to avoid missing out on any checks and maintain a secured website.
MetaSys has hands-on experience for more than two decades in providing custom software solutions. If you are looking for a WordPress expert to help you with WordPress website development or WordPress Security integration, you are at the right place. Get in touch with us and we will solve all your tech challenges.

Happy Coding!

Power BI – A Visualization Tool which is easy to understand and develop

Power BI is a tool used for generating business intelligence reports, charts and graphs that incorporate easy-to-understand visuals. It is a self-service BI tool that is particularly useful for data analysts who create and distribute BI reports throughout the organization. With moderate knowledge of SQL, one can develop simple Power BI visuals after only very basic training.

The first important point is that it is essential to determine the Storage mode before starting to develop any Power BI report. Storage modes that can be used for accessing the data include:

  1. Import mode
  2. DirectQuery mode
  3. LiveConnect mode
  4. Push mode

My experience in developing a Power BI report increased quickly, as I started by developing a very simple report and ended up learning a huge amount about more advanced elements of Power BI as the project requirements changed.

In the beginning, it was exciting to work on the first simple Power BI report, which I developed using a database like SQL Server and Storage mode as Import.

PowerBI 1

As shown above, the visualisation was for a count of orders for the time period indicated by the date slider. The stacked column chart on the right shows the orders based on service type on a yearly basis. The visualisation can be done for any date hierarchy including daily, weekly, monthly, quarterly and yearly. In the pie chart on the left, the total orders are shown as both a total count and a percentage breakdown. As specifically requested by the client, we also added a reset button to restore the initially selected filter values.

Later on, during the deployment phase, we had to search for an on-premises data gateway to maintain the continuous connection with the data relying on the SQL server. We installed the on-premises data gateway on our database server connecting to the datasets created on the Power BI portal as shown below:

Datasets 2

We maintained a daily refresh schedule as shown below:

Scheduled Cache refreshing 3

After deploying this report to production, the client requested a live report that showed current statistics without needing a page refresh. After some research I found that automatic page refresh can be achieved using the DirectQuery Storage mode. Unfortunately, my report was developed using the Import mode. This is when I learned the hard way that choosing the right storage mode from the beginning is very important, as I had to recreate the whole report using the DirectQuery storage mode. Meeting the client’s needs required converting the storage mode to DirectQuery, recreating the report and setting the automatic page refresh option to 5 seconds.

Orders 4

We can develop a variety of reports using the Visualization options as shown in the image below.

Visualization option 5

We can even use visuals other than those available in the Visualization pane, such as the Search tool shown below:

Search tool 6

At MetaSys, we are focused on investing time into new and innovative projects like Power BI, to meet our clients’ needs.

For more information refer to

Few tips to help you get better at building app features through Unit Testing

At MetaSys, we place great importance on writing unit tests, as it leads to faster development and reduces the time it takes for software to get to the production stage. Unit testing is the first step of software testing, where individual units/components of a piece of software are verified. A unit refers to the smallest module of any software, and usually has one or more inputs and often a single output. The purpose of unit testing is to check whether the units are working as expected.

Unit tests help in finding regressions and testing error cases, and they significantly reduce the need for manual testing. Unit tests also help in improving the code quality, e.g. if you are not able to write a unit test for a particular scenario, then it typically means that the code needs to be refactored. For a better understanding of the topic, I recommend reading Kent Beck’s book on unit testing ‘Test-Driven Development by Example’.
Having said that, here are my comments on Unit testing –

● Any newly developed app feature should not be considered complete until a unit test has been performed. This means the development estimates should always include the unit testing time. For example, a developer might build a feature without writing a unit test and perform manual testing instead, for which he might spend 24 hours plus an additional 24 hours to fix bugs and regressions. Instead, it would be better to spend 48 hours or less building a feature by writing the unit tests, as it will ensure that the code quality is better. The developer will have more confidence in the code after completing the unit test. Unit testing is particularly useful for identifying regression bugs, as the same tests can be reused to prevent future regressions.

● Some existing applications do not have any unit tests because they have been developed by developers who have not prioritized unit testing, or may not have been aware of its benefits. When new developers who are aware of unit test concepts start working on the application, they should not necessarily interrupt the work to start writing unit tests for all components immediately. Instead, the process can be undertaken gradually. For instance, if they are working on specific components that lack tests, they should take the opportunity to write unit tests, at least to verify the newly added functionality. It is important that the project manager takes care of estimates for development time for writing unit tests for old components. Over time the code coverage for these components will increase and at some point in time, it may become sensible to set a goal specifically to increase test coverage.

Advantages of unit testing –
1. It reduces the level of bugs in the production environment.
2. It builds confidence in the developer.
3. It allows the code to be easily refactored or changed.
4. Regression bugs can be caught easily.

Disadvantages of unit testing –
1. In our experience, writing unit tests requires about 20-30% more time at the beginning of the project. For a complicated project, it may require even more time.
2. If the architecture/design of the project is not correct from the beginning, then tests need to be rewritten when the project is re-architected. This can turn into a major time loss.
3. For big/complex projects, unit testing alone is not enough. Typically, integration tests and e2e tests will be required alongside the unit tests to have proper test coverage.

As developers, we always look to reduce costs whilst still fulfilling all the project requirements. Unit testing can play a big role in achieving this. Unit testing helps any developer to produce bug-free and quality software with confidence.
Over the years, MetaSys has successfully built a robust testing environment to build custom software solutions. Feel free to reach us and do share your feedback in the comments section below.

Barcode Scanning for a web based application

In this article I will share some information about a recent barcode scanning implementation we did for a web based application for one of our clients.

Barcodes are nothing more than a machine-readable form of data represented in the form of lines. Nowadays, barcodes are an essential part of inventory management for a number of reasons. Firstly, they save time both in terms of data entry and the automatic processing of the entries. Secondly, entry errors are reduced as the barcode scanning process has a very low error rate. Finally, barcodes help companies track the product across the entire production pipeline. Even after the product is shipped out, the company can track the product throughout its entire lifecycle.

Recently, we worked on a project for a client who wished to include barcode scanning capability in a personal health tracking software application. The required functionality was that the end-user could scan various food items and store the data in the application’s web portal. This would allow the user to record their daily food intake conveniently, without wasting much time entering the data.

The first step in the implementation was a data import of standard food item barcodes, which we imported from an available data library. This gave us over 200,000 records of day-to-day food items of popular brands.

Since the users don’t typically own barcode readers, we required a solution that allowed the users to scan the barcodes using their personal electronic devices. Since most people carry mobile phones with a camera, we started looking into the option of using phone cameras as barcode readers.

Since we had a web-based application, it was preferable for us to use a client-side code library or plug-in. After evaluating a few possible options, we decided to use ‘QuaggaJS’ which is a JavaScript-based advanced barcode reader. ‘QuaggaJS’ can read various types of barcodes such as EAN, CODE 128, CODE 39, EAN 8, UPC-A, UPC-C, I2of5, 2of5, CODE 93 and CODABAR.

‘QuaggaJS’ implements the following steps:

  1. Read the image and convert it into a binary representation
  2. Find the location and rotation of barcode
  3. Decode the barcode

We wanted to allow the users to scan barcodes using their laptop as well as mobile phones. We kept specific benchmarks about camera resolutions, and if a user’s laptop or mobile camera met those benchmarks, then they could scan the barcode. We also required an alternative solution for users with older mobile phones which did not have cameras that met the benchmark. We decided to let the user choose any of three options to enter a food on the portal:

  1. Live scan: using the mobile camera to scan the barcode
  2. File upload: upload an image of the barcode on the portal
  3. Manual entry: enter the barcode numerically

After entering the barcode, the user can look up various information about the item if it is in the library. The library includes valuable information such as calories, portion sizes, and nutritional content. Our goal was to make food tracking on the application very user friendly, and using barcode scanning we managed to provide the user a very quick and easy way to track packaged foods.

Feel free to contact us if you are interested in a similar implementation for your application.

Web API security using JSON web tokens


Today, data security during financial transactions is super important and critical. The protection of sensitive user data should be a major priority for developers working on applications that use financial or personal information of the clients.

These days, many apps are accessed through multiple devices including desktops, laptops, mobile phones and tablets. Both web apps and native apps can use web APIs for accessing data and providing services. This article addresses the topic of ensuring client security of a web API during the development phase. I will share my experience with using JSON web tokens (JWT) to ensure security of a representational state transfer (REST) web API.

There are two simpler alternatives to JWT that I will briefly mention first:

  1. Basic authentication:

    This method is very easy to implement. A username and password are passed and validated against a database to identify legitimate users. Since the username and password are sent as plain text, every request is very susceptible to cross-site request forgery (CSRF). The security can be improved somewhat by passing the details in the headers section of the web API instead of the URL; nevertheless, this method is not very secure as it does not involve any encryption.

  2. API keys:

    This technique is used to overcome the drawbacks of basic authentication. In this method, a unique key is assigned every time the user signs in indicating that the user is known. A user can use the same key to re-enter the system. The security issue with this method is that the key can easily be picked up during network transmission. Often, the key is passed as a query string in the URL, making it easier for someone to compromise the security of the web API.

JWT avoids the security flaws of the two simpler methods by providing bearer token authentication for the web API. With this method, the username and password are validated to check whether the user exists in the system. Information about the validated user, such as name, email address and UserID, can then be fetched. These items are included in the ‘claim’. Claims are pieces of information about a user that have been packaged and signed into security tokens.

A JWT token consists of three parts, the header, the payload and the signature.

Header – Contains the type of token and signing algorithm used

Payload – Contains the issuer of the claim, the subject of the claim and the audience, which refers to the intended recipient of the claim. Other information can also be included, such as an expiry time of the token, or additional user information.

Signature – Computed from the encoded header, the encoded payload and a secret key
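
How the three parts fit together, as an added example that is not code from the original article: it builds and verifies a signed token with Node's built-in crypto module, and shows that the payload can be read without the key while any change to it invalidates the signature. HS256 is assumed (the article does not name its signing algorithm), and the secret, issuer, audience and claim values are constructed.

```javascript
// Added example: an HS256-signed JWT built and verified with Node's crypto module.
const crypto = require('crypto');

const b64url = (input) => Buffer.from(input).toString('base64url');
const fromB64url = (text) => JSON.parse(Buffer.from(text, 'base64url').toString('utf8'));

// Signature = HMAC-SHA256 over "header.payload"; the secret itself is never in the token.
function hmac(signingInput, secret) {
  return crypto.createHmac('sha256', secret).update(signingInput).digest();
}

function signToken(claims, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${hmac(signingInput, secret).toString('base64url')}`;
}

// The payload is encoded, not encrypted: no key is needed to read it.
function readPayloadWithoutKey(token) {
  return fromB64url(token.split('.')[1]);
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyToken(token, secret, { issuer, audience, now }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = fromB64url(h);
    claims = fromB64url(p);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the server; do not let the token header choose it.
  if (header?.alg !== 'HS256') return { ok: false, reason: 'bad-alg' };
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (typeof claims?.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'bad-issuer' };
  if (claims.aud !== audience) return { ok: false, reason: 'bad-audience' };
  return { ok: true, claims };
}

// Re-encode the payload with a different subject but keep the old signature.
function tamperSubject(token, newSub) {
  const [h, , s] = token.split('.');
  return `${h}.${b64url(JSON.stringify({ ...readPayloadWithoutKey(token), sub: newSub }))}.${s}`;
}

// Constructed sample values (not from the article).
const SECRET = 'constructed-demo-secret-do-not-reuse';
const EXPECT = { issuer: 'https://api.example.test', audience: 'example-web-client' };
const ISSUED_AT = 1700000000; // fixed clock so the example is deterministic
const token = signToken({
  iss: EXPECT.issuer, aud: EXPECT.audience, sub: '42',
  email: 'alice@example.test', iat: ISSUED_AT, exp: ISSUED_AT + 900,
}, SECRET);
console.log(verifyToken(token, SECRET, { ...EXPECT, now: ISSUED_AT + 60 }));
console.log(verifyToken(tamperSubject(token, '1'), SECRET, { ...EXPECT, now: ISSUED_AT + 60 }));
```

Because the payload is readable by anyone holding the token, claims should carry identifiers rather than secrets.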


To give you more details about JWT implementation, I’ll be going through the steps I took to implement JWT in my web API. First, I created a web API project in .NET Core 2.2. Next, I installed two packages via npm of Visual Studio, using the following commands:

  • Install-Package System.IdentityModel.Tokens.Jwt -Version 5.6.0
  • Install-Package Microsoft.AspNetCore.Authentication.JwtBearer -Version 3.1.0

In the appsetting.json file, I added my JWT keys including the secret key, issuer, subject and audience as follows:

JWT keys

Next, I registered a JWT authentication schema by using the “AddAuthentication” method and specifying JwtBearerDefaults.AuthenticationScheme in the ConfigureServices section of the start-up class.

JWT Authentication Schema

I also added app.UseAuthentication() in the configure method of the startup class.


Next, I created a token controller in the web API. This token controller action GetApiToken took the two input parameters: Username and Password, and validated these details against the database. Once the user is validated, I generated a token using the secret key, claims information and signing credentials.


The generated token was then stored as an item in sessionStorage.

For all my web API requests, I used the following key in the header section of each Ajax web API call request.


Finally, I applied the [Authorize] attribute to my controller to which I was calling the web API.


These were all the steps I required to implement JWT authentication in my Web API. The tokens are encrypted, so they are difficult to tamper with. They expire at specific intervals and are cryptographically signed using a cryptographic algorithm.


The final implementation step is to remove the generated token item which was stored in sessionStorage when a user logs out of the system.


MetaSys has extensive expertise in building secure web APIs for web applications. Our team has experience in building custom software solutions for clients across different industry verticals. Please feel free to contact us if you are in need of a partner to build a secure web API. For more info, visit our website: