Single username/password for MediaWiki+phpBB+WordPress - wordpress

I am building a website consisting of MediaWiki and phpBB as its subcomponents. WordPress may also be added in the future. My current problem is to choose a single unified authentication method (so as not to force users to have a special MediaWiki account, a special phpBB account, etc.).
Which approach would you recommend? The basic limitation is that it is a simple LAMP server (no LDAP database). Possibilities I know about:
Use a decentralized protocol such as OpenID, OAuth 2.0, etc. I would prefer this approach. However, OpenID is not supported by Google any more, so OAuth 2.0 would probably be more appropriate.
Use DB of users from phpBB and install some plugin to other subcomponents (MediaWiki extension for phpBB auth.)
Use DB of users from MediaWiki and install some plugin to phpBB.
Use some specialized web application for user credentials management and install plugins both to MediaWiki and phpBB.

I think you already understand the main point: you need one of your new platforms to be the central user store. The problem you now have to find out:
Which platform has the plugins to interact with the others? It's possible that you will find plugins that only work "in one direction", and for MediaWiki itself you will find a lot of outdated extensions that maybe won't work anymore with the latest MediaWiki versions and updates.
The other point is that you should think about WordPress now, too. After you have selected one central user store, you mostly can't change it with a lot of work, so I would check for an integration of WordPress now, too.
Looking at that and a short search, I wouldn't prefer MediaWiki to be the central user storage, and I'm not sure if phpBB is the best solution, too :/
I think one of the best would be to use LDAP; extensions and plugins seem to be supported and working for the latest versions of each software. You would have a central user store, which could be easily integrated in other applications, too. What is the reason you can't use it? A LAMP stack could handle this, too.
The second solution I would consider is to use Google's user store and access it via OAuth 2.0. MediaWiki, phpBB and WordPress support this with plugins and/or extensions.

At the end of the day a login is a login is a login. All the custom fields specific to individual applications can be properly bridged with plug-ins. Make the app that will require the most babysitting your main database and thus login system. In many cases it's the forum, but that really varies by site.
I would caution that many new forum admins eventually want to upgrade from phpBB to something that's more powerful and modern. I was one of those admins. Yes, phpBB is as good as an open-source forum gets, but it just doesn't compete with the commercial forum apps. So keep that in mind if you make phpBB your main database.

Related

Requesting extra permissions through Google sign in on Concrete5

We are currently trying to use Concrete5 to create an internal Intranet for the company I work for (this is a web-based server). What we would like to do is allow our employees to sign in using their Gmail and be able to see their personal calendars amongst other things on sign in.
I would like the employees to just sign in once, get automatically asked for granting permissions during the login, and then be taken to the home page.
I'm having trouble figuring out how to modify Concrete5's built-in Google login to request these scopes. I am pretty bare-bones in my PHP knowledge and no amount of Google searching has really answered my question specifically for modifying the authentication for Concrete5.
So to sum up my question:
How would someone go about modifying Concrete5's Google authentication to request additional permissions? We are using 5.8.3 and are always updating as necessary, so modifying the core is not really an option to prevent overwrites in the future.
The best way to do that would be to copy the core Google login system to create a new one. You could call it Google Custom or anything you want. You could include it in the folder application/authentication or in a package, with the appropriate modifications.
But to be honest, if you're bare-bones in your PHP knowledge, it all might be a bit too difficult to achieve.

Preparing for a Penetration Test

I have made the case for using WordPress as a CMS for an important project.
IT has challenged me to build out this base WP installation alongside the local (WAMP) served intranet and lock it down the best I can. They will then attack the installation with enterprise level penetration testing software.
I am only privy to a minimum amount of details however some security tools I am up against have been mentioned and will be used in conjunction with enterprise level software:
Kali.org
Tools from darknet.org.uk
Watobo
What I've done:
Wiped all basic WP out-of-the-box data such as Administrator username, changed login page URL, removed ajax calls, leveraged all options within iThemes Security plugin (which is pretty impressive) and a few of my own.
My question is for advanced advice on securing WordPress running 2015 theme and its PHP framework and Database. Proper htaccess configuration and possible pitfalls. Advice on any advanced methods of securing a website where it's likely to fail a pen test.
It's not easy to make a website completely invulnerable, especially if you have chosen WordPress.
You should update your WordPress website constantly. It means that you have to follow all the updates and install them immediately. Sometimes it's not easy to do, if everything is working as it should, and the database is not small. WordPress is the most popular open source CMS in the world and many people want to crack it, write crawlers which search for vulnerabilities online, etc.
Simple steps to increase the security of any website:
Close a port if you don't use it or install firewall, tcpwrapped etc.
Don't use FTP, ever. Use SSH instead.
Don't make rights 777 on the whole folder. Make it 555 and when you need to upload some image or something else, change the rights to 777 or 755 (if you do it by SSH). After doing your job, change the rights back to 555. Nobody could upload a payload or other malicious code to your website through the front end if it's not allowed for writing.
Check your website for SQL injection vulnerabilities.
Don't use simple passwords. You could even change your passwords every month.
Don't duplicate passwords.
Regularly update your software.
For back end security you could use some IDS, for example Snort - https://www.snort.org/, but it's not easy to configure properly. Furthermore, you should understand how a network works, TCP/IP, attack types and so much more.
Use OpenBSD as your server operating system if you do not understand the information security well. It was created with an emphasis on increased security.
Take some network scanner (for example nmap) and test your server for vulnerabilities.
Finally: I wouldn't recommend using WordPress for reliable security :) and to say more I need to take a look at the website.
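
The permission advice in the answer above, as an added example that is not part of the original answer: it lists world-writable paths under a web root, locks the tree down, and opens a single upload directory only for the duration of an upload. The sample tree and the choice of 444 for regular files are assumptions of this example.

```bash
#!/bin/sh
# Added example: audit and lock down a web root as described in the answer above.
# The tree built by make_sample_tree is constructed sample data, not a real site.

# Print every file or directory that is world-writable (e.g. left at 777/666).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Lock the tree: directories 555 as in the answer; files 444 (this example's
# choice, since PHP scripts served by the web server do not need the x bit).
lock_tree() {
    find "$1" -type f -exec chmod 444 {} +
    find "$1" -type d -exec chmod 555 {} +
}

# Open one directory for an upload, using 755 rather than 777 so that only
# the owner gains write access, then close it again afterwards.
open_for_upload()    { chmod 755 "$1"; }
close_after_upload() { chmod 555 "$1"; }

# Succeeds if the owner-write bit is set on exactly this path.
owner_can_write() {
    [ -n "$(find "$1" -prune -perm -0200 -print)" ]
}

# Build a small constructed tree with two typical mistakes in it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php // constructed sample\n' > "$root/wp-config.php"
    printf 'constructed' > "$root/wp-content/uploads/a.png"
    chmod 777 "$root/wp-content/uploads"        # mistake 1
    chmod 666 "$root/wp-config.php"             # mistake 2
    chmod 644 "$root/wp-content/uploads/a.png"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "World-writable before:"; find_world_writable "$tree"
    lock_tree "$tree"
    echo "World-writable after: $(find_world_writable "$tree" | wc -l)"
    chmod -R u+w "$tree" && rm -rf "$tree"
fi
```

Run `find_world_writable` against the real document root before a test engagement; an empty result means no path is writable by every local account.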

Using wordpress as external content management system

We are planning to create an asp.net website (probably mvc), that needs a cms for news items.
Our content managers and others who require to publish news have asked if they can use wordpress for content management.
Our users have different roles, and news items should be visible to certain roles, or even specific users if possible.
The reason they want wordpress is the manager's user friendliness, so if some other alternative with the same kind of user experience would be ok.
Could anyone please point me in some direction?
NOTE: I'm still doing research at the moment, so I've got nothing holding me back at this point.
There is an API plugin that has been developed to spit out information in JSON, but I have not actually implemented a site with it:
http://wordpress.org/extend/plugins/json-api/
Perhaps you could have the authors work on a wordpress install and create your app to draw content via that plugin?
I too was facing the same issue, a little different. We want to have WP as CMS so that our site can take the benefit of SEO, which is very easy with WP. So we installed WP under a folder in the main ASP.NET based website. Initially there were issues; I was unable to run it. Finally I managed to run it. The solution is posted here - http://www.wwwlabz.com/how-to-run-a-php-based-website-from-a-subfolder-in-asp-net-website. Hope it will help someone. The actual site where we implemented this is http://www.periproperties.com/content/.
Now I want to have a specific section of WP accessible on my site. So I am exploring different options and will post if I find something.
Thanks.
DotNetNuke is the most popular ASP.NET based CMS (source). I am implementing my first project in it and so far I am very happy with it.
Note the free edition will not work for you since you need customizable security roles and free has a limited set of predetermined roles. You'll need the pro edition.
I don't know how similar it is to WordPress. Overall, WordPress is much more popular but of course there are platform issues with WordPress since it is Apache based and you want to create an ASP.NET website.

Social Commenting system on WordPress

Is there a service or plugin (preferably a service) that can be used in this way:
First, if I am a guest, then I can use Twitter, Facebook, etc. for commenting, but if I log in on the site with a local user, then I can only post comments as my user. (All comments need to be in one system, not split between local and service.)
Also, the plugin needs existing username protection.
I tried this: intensedebate.com, but the plugin doesn't have a local user implementation.
Also, the service or system needs to integrate comments into the existing WordPress system.
In a word: default WordPress commenting features with a social commenting system.
I would prefer to use one of the commenting services, because I also use the phpbbwp bridge plugin, which brings WordPress users into phpBB3 and the reverse.
Is there any good solution for my advanced system?
There are two options - use a plugin or implement Facebook/Twitter/etc auth manually. If you want the easy way - try one of these plugins:
http://wordpress.org/extend/plugins/rpx/
http://wordpress.org/extend/plugins/social/
They both allow users to register/login via social network accounts as well as some more handy features. Hope this helps.
These two are the best, and fulfill your requirements:
http://wordpress.org/extend/plugins/intensedebate/
http://wordpress.org/extend/plugins/disqus-comment-system/

Sandboxes and Wordpress, Joomla or Drupal Sites?

I'm looking into building database driven websites based on opensource platforms in a sandbox area rather than having them accessible via the final URL until clients have paid up.
Is anyone aware of any problems this may cause with paths or functionality, or, know of any good articles on the subject?
many thanks
Shaun
There is no bad effect on functionality just because it is in a sandbox. Generally, Joomla is almost location independent (unless you are driving multiple websites from the same Joomla installation).
For security purposes, secure the URL via an .htaccess file (if more security is required, then set up a cron job to update the password every X hours and email the new details to the user).
I would suggest having a cut-down, less privileged or demo account for signup users that can still enjoy the overall experience of your site without the full functionality of your killer-webapp services. "Restricting" them in a Sandbox area that is not even the actual site would not be as appealing and convincing as it could be for them to go from "freemium to premium" customers.
I develop all Joomla sites on a local server and then upload to the production server once approved. In Joomla, when I upload the files to the production server, I usually need to change the MySQL server as well, and it can all be changed from the configuration.php file.
