Integrating a Drupal 7 website with the University’s EASE authentication service

ease1In the web team we recently took over the technical maintenance and development of the Edinburgh College of Art (ECA) website. Part of this development work involved integrating the University’s standard authentication service (EASE) with the Content Management System (CMS) used by the ECA website, Drupal 7.

Although the Drupal CMS has been used for many years throughout the University, it has not been widely used with EASE. The only exceptions that I am aware of are work I did myself in collaboration with Colin Higgs on the School of Engineering website to implement EASE authentication on a Drupal 6 plaftform in 2010, and which has subsequently been updated to Drupal 7 by Billy Rosendale, and, built using Drupal 6. The University Website Programme (UWP) are currently developing Drupal 7 for use as the main University CMS and part of this development process is support for EASE authentication – and this EASE integration work was used by the web team as a model for the ECA website.

Continue reading

Why you shouldn’t reuse passwords

With so many website accounts to keep track of these days, many people are tempted to use one or two passwords that they can remember for lots of different sites. We have heard that it’s dangerous to write down passwords, and of course no-one can store dozens of random strings of characters in their head for websites that they may only visit occasionally. So, having a small number of passwords to reuse across multiple websites can seem like a sensible compromise.

However, this can be a very dangerous practice. It’s impossible to know how securely a website stores your data, and you should always ask what would be the worst case scenario if this information were to get into the wrong hands. There have been countless examples of password lists being leaked (examples include, eHarmony, LinkedIn, Yahoo!, Phandroid, Writerspace, and Adobe), but often passwords can be stolen without users being any the wiser.

Last week, a vulnerability was found in WHMCS, a billing and support application used by web hosting providers. Potentially, attacks such as this can give hackers control over things such as DNS settings and hosting control panels. In other words, your website itself can be as secure as possible, but hackers can still gain control by extracting your password from other applications.

A good solution is to use software such as KeePass. This allows you to store all your login details in a single encrypted database, so you only need to remember the password for the database, not individual passwords for every website. It also allows you to create much stronger passwords (since you don’t need to remember them), and will even generate them for you. Or if you need access to passwords when out and about, there are versions of KeePass for your phone/tablet.

Some nice WordPress plugins

A few nice WordPress plugins I’ve been using recently:

Better WP Security – A very popular and powerful plugin that takes a range of steps to harden your WordPress installation.

Mail on Update – Emails you to let you know of available plugin updates.

Polylang – Simple and easy to use, it allows you to create a multilingual site (no in-built translation workflows – if you need that try WPML).

Approval Workflow – An easy way to add an Administrator-approval process to your publications.

Blackbox Debug Bar – For plugin developers. It gives useful feedback on SQL queries, page load times, errors, and values of superglobals.

Web Application Security – the Role of Users

For IT professionals, security is an integral part of the job. We must keep up-to-date with the latest techniques being used to target sites, and try to stay a step ahead of the hackers. Most developers foster a healthy paranoia about the range of ways that systems could be exploited, and keep it constantly in mind when designing an application, writing the code, and then deploying and updating.

However, there are also steps that users can and should take to prevent their data being compromised. These three important practices will go a long way to ensuring that your data is secure.

1 – Use strong passwords

Brute force attacks are common, such as this recent attack on WordPress sites. This is where a malicious computer program makes multiple attempts to guess a user’s password. If your password is in the dictionary, related to the name of your website, or too short, there’s a good chance that a brute force attack will crack it. Actually, any password can be guessed given enough time, which is why you should also change your password every few months. Creating a strong random password of 10 or more characters and using a mixture of upper and lower case, numbers, and special characters will protect from most attacks.

You should also be aware of other ways in which your password can be vulnerable. For example, using the same password across multiple sites, leaving a written copy lying around, or connecting over unencrypted Wi-Fi (e.g. in an internet cafe).

2 – Keep your browser up-to-date

Part of the job of IT professionals is to ensure that third-party software and plug-ins are kept up-to-date. This is because, as new exploits are discovered, the software vendors will update their products to protect against them. Therefore using older versions leaves users at risk of being hacked through known vulnerabilities.

As a user, you should also ensure that you keep your browser at the latest version. Older browser versions are often insecure, and some have been abandoned by vendors. Keeping your browser current not only means added protection from hackers, but also that you have all the latest bug fixes and features, and that web pages will display as intended by the web designers.

It’s also good practice to keep your operating system updated with the latest fixes.

3 – Be aware of social engineering techniques

Social Engineering techniques involve attempting to trick people in order to gain access to buildings, systems, or data. The most well-known example is phishing which is an attempt to gain information such as usernames, passwords, or credit card details, normally through emails or impersonating a website. However, scammers use a wide range of con tricks, and it’s important to stay informed and alert.


Having something hacked can be a stressful experience. As well as potential economic costs, there are reputational costs. Whether it is sensitive data being leaked, your site being downgraded by search engines, or your Facebook account being used to send embarrassing messages, the consequences of lapses in security can suddenly become very real when the worst happens. In the case of a hacked website, it can be virtually impossible to fix, since hackers can install sophisticated software to retain control of the server behind the scenes.

There’s no such thing as 100% security, but by bearing in mind some of the most likely exploits, you can at least mitigate the risk.