A few weeks back JBoss Enterprise App. Platform 4.3 achieved Common Criteria Certification at Evaluation Assurance Level (EAL) 2+ – here’s the press release and here’s the evaluators updated page.

Common Criteria Evaluation is an internationally recognized standard that defines a  framework for computer systems users to specify security requirements; for vendors to implement them and for third-party evaluators to test them. The Evaluation process ensures that this is all carried out in a consistent, formalized and standard way.

The Evaluation Assurance Level (EAL) describes the “depth and rigour” of the evaluation not necessarily the security hardness. Though products certified at Level 7 (the highest) are likely to be deployed more demanding and secure environments than a product certified at Level 1 (the lowest). EAL 2+ means the products have been evaluated in collaboration with the vendor (eg. to provide development, design and test documentation).

What this means is that customers who care about security (who doesn’t ?) can be assured that JBoss Enterprise App. Platform 4.3 will meet commonly accepted, best practice security requirements. Even outside military and government use, who use Common Criteria as a benchmark, this evaluation should demonstrate Red Hat’s commitment to security. It’s a long and fairly involved process and the costs aren’t insignificant.

This is the first successful evaluation for a JBoss product but the JBoss Data Services Platform is currently in process and we’re already planning for a more stringent evaluation (higher EAL) for JBoss EAP 5.x.

And after a bit of Googling I arrived at the conclusion that my blog had been purposely removed from the Google Index due to a violation of Google’s Quality Guidelines and Google’s WebMaster Tools confirmed this with the explanation that my site had some dubious hidden links. Viewing the source showed a block of hidden links pointing to some shity web-sites advertising all the usual shity stuff that no-one gives a shit about. I trawled through the Word Press templates and found some suspect base64 encoded script in the footer which I deleted and quickly confirmed was the culprit.

So that was a waste of 10 mins. or so and I’ve wasted at least another hour researching Word Press security and analysing my site to make sure nothing else was compromised; then patching things up. To save you some time I’ve included some quick things you can do to make your WordPress Installation less hackable :

1. Give your admin user a really tough password or better yet drop into MySQL and delete the admin user completely (assuming you have another admin user already)

2. Run your site through wp-scanner – it will highlight common potential exploits.

3. Make sure WordPress is up to date. Plugins too.

4. Change the default MySQL table pre-fix (remember to backup first).

I still don’t know how / when my site was hacked or by whom – I really can’t be bothered to trawl through the Apache logs to find out and really don’t want to give the cock-sucking spam hacking time-vampires any more of my time.

It’s interesting to note that this particular exploit is really pointless – if Google pulls the hacked site from their Index – it serves no purpose.

Hope this helps, leave a comment if there are any other good tips for securing WordPress.