Tag: security

Simple small business proxy server using squid

When I was figuring out how to enable our team at the newspaper to work in a more distributed fashion while maintaining network security, I looked at a variety of VPN and proxy options. In the end I settled on a simple proxy server setup using the squid open source proxy software.

I needed a solution that would work not only for our staff, where I could have some significant control over the setup of their work computing devices, but also for our contractors, where they would be using devices that were not under our control and presumably used for a mix of other things. I didn’t want anything locked in to a hardware vendor or dependent on a specific physical office location having connectivity. I wanted something fast to set up for each individual user, and that wouldn’t require installation of special software, activating/monitoring connections, or worrying about variations in network rules about what VPN connections were allowed.

I settled on squid:

  • We have a proxy auto-configuration file (PAC) that we serve publicly.
  • We set up a squid username/password for every user that needs one
  • Users tell their device the URL of the PAC file
  • Their device uses our squid proxy for the hosts/IPs we specify in the PAC file, and otherwise uses their default network configuration.
  • The first time their device attempts to connect via the proxy, they’re prompted to enter their username/password, and that typically is saved in their OS settings forever.

Using this approach we can ask network traffic bound for one of our internal services/servers to go through our proxy instead of over the public Internet. That in turn allows us to limit connection attempts to only trusted internal hosts (including the proxy), creating a kind of simple private network.

Continue reading Simple small business proxy server using squid

How long does it take between when a plugin update is released and when auto-updates install it on your WordPress site?

Auto-updates for WordPress themes and plugins were released this year in WordPress version 5.5. They allow WordPress site owners to opt-in to automatically have new versions of plugins and themes installed when they are released, without any intervention from the site owner.

If you use auto-updates, one question might be on your mind:

How long will it take between when the author of a plugin releases a new version and when that new version is installed on your WordPress site?

This question is vital for site owners and managers. Especially in scenarios when new plugin or theme versions contain critical security fixes, time is of the essence to avoid possible unauthorized access to your WordPress site.

To get to the answer, let’s first review how plugin and theme releases happen.

The Plugin and Theme Release Process

When a plugin or theme author is ready to make an update to their software, they upload those changes to the directory on WordPress.org. This is where the code for their theme or plugin is hosted publicly.

Most theme and plugin authors also indicate the release of non-trivial changes by increasing the version number associated with their plugin. Maybe it’s a small “point release” like going from version 1.1 to version 1.2, or maybe it’s a major release like going from version 3.0 to version 4.0. The change in version number lets everyone know that there’s new functionality and fixes available. It’s a convenient way to refer to how software has changed over time.

Once the updated software and version number change is live on WordPress.org, it’s immediately in effect for new installations of that plugin or theme. Anyone downloading and installing a plugin or theme from that directory will now be using the latest code made available by the author.

But what about existing sites that already have that theme or plugin installed? How do they learn about the new changes and new version?

How WordPress Sites Discover Updates

You might think it happens through a “push notification” sent to your site from WordPress.org. But the WordPress.org systems would have to contact thousands or maybe millions of sites to tell them about an update to a single plugin. That’s just not practical.

Continue reading How long does it take between when a plugin update is released and when auto-updates install it on your WordPress site?