Securing Apache for PCI Compliance

For anyone running an e-commerce web site, the term PCI compliance is unlikely to escape the owner's or developer's attention. In essence, if a web site handles credit card data, regardless of whether it stores that data, the web site must be PCI compliant.

For a web site to be compliant, it must pass a rolling three-month test by an authorised PCI scanning vendor. There are many out there, and from my experience they are not all equal. Some differ in the features they offer, but the interesting difference is that they do not all report the same vulnerabilities. As a developer, the vulnerability report is key to identifying and resolving any issues, so I find it surprising when a scanning vendor provides the solution but not the steps to reproduce the issue or a link explaining how to resolve it. Anyway, to help out here, I've found that Apache vulnerabilities pop up more than most, so I will address some of these reported issues and present the resolutions.

WordCamp UK 2011 Talk Notes

This post is simply a record of the notes I took when I was at WordCamp UK 2011. I know I’ll find it useful and thought that maybe others will as well. And if not, at least my work colleagues should :)

WordCamp Intro

  • VaultPress – Used for realtime backups. Takes snapshots of the site. Can roll back to earlier versions of plugins, themes, etc. Paid service, $15 per month for a basic account.
  • Research WPMU as a strategy for having separate smaller sites instead of one massive site. Definitely helps to improve performance.
  • Look into Gravity Forms. A paid-for plugin that is supposed to be awesome for form building. Can use conditionals and integrates with other services such as Campaign Monitor and MailChimp.
