Security Researcher 🔓
My name is Vladimir Smitka and I’m a security researcher/hobbyist from the Czech Republic. I specialize in WordPress security & performance and in secure infrastructure for running websites. I do massive scans of the internet for my research. I’m also the owner of Lynt, a PPC agency, and Spirit Radar, a global service for tracking prices of rums and whiskies. I’m also an active member of the Czech WordPress community and one of the WordCamp Prague organizers. For a quick understanding of my approach, check out my WordCamp EU security talk.
Latest articles on bugs found, scan results and tips.
I published an article about my latest security scan, aimed at exposed git repositories. The results: 230 000 000 domains checked (the list was built mainly from the Rapid 7 OpenData), 390 000 affected sites found, 100 000 alerts sent. Most of the affected sites use PHP. But after normalizing the numbers according to the…
A few months ago we decided to change our backup workflow. I found the ultimate tool for backing up our web servers to Digital Ocean Spaces (object storage, cheaper than Amazon S3). Restic – backups done right! Main features: easy, encrypted, fast, wide range of backends. You can back up your files locally, via SFTP, to Amazon…
There is a REST API integrated into WordPress from version 4.7. It is the way we will use WP in the future, but currently there are some downsides. The problem is that WP uses gravatars in the default settings – you can find them in the comments and in user profiles. Both of them have their own endpoint…
MACsec = Media Access Control Security (IEEE 802.1AE). It provides point-to-point encryption (AES-GCM-128 by default) of Ethernet traffic. MACsec support is included from kernel 4.6 or in CentOS/RHEL 7.
I scanned all Slovak *.sk domains and prepared statistics about WordPress sites for my WordCamp Bratislava talk (2018-04-28). Source: Lynt.cz
Akismet is fine, but I decided to write a simple WordPress comments antispam for research reasons. There are some proven methods to fight spammy comments: a honeypot field “nick”, hidden by CSS, which only bots will fill; blocking comments with BB code [url=…]; HTTPBL (DNSBL) from http://www.projecthoneypot.org, for which you need an API key; Block comment…
You can find a few useful tiny mu-plugins in my example Nginx configuration for WP. Must-use plugins (a.k.a. mu-plugins) are plugins installed in a special directory inside the content folder which are automatically enabled on all sites in the installation. Must-use plugins do not show in the default list of plugins on the Plugins page of wp-admin…
There is a DoS vulnerability in all WP installations. It is hidden in the load-scripts.php and load-styles.php files. Their purpose is to combine scripts and styles in the administration so the admin loads faster. You can ask them to combine a huge number of files; the result will be a huge load and it may…
A VPN is a very important part of security. I prepared a set of scripts, so it is easy to run your own VPN server on a VPS. The scripts are available in my Cloud Tunnels repository. There are 3 types of technologies: IKEv2 VPN with StrongSwan and a Let’s Encrypt certificate (the best option); L2TP VPN server with…