Private and Secure Contact: tutorial

Amateur genealogists often come to GenWeb coordinators for help finding a family member, and to get that help they need to share a bit, or a lot, of quite private information, possibly about living persons (including themselves).

We need to offer them a secure, private channel of communication. One simple way is to set up your genweb.io website so that the e-mail it sends is encrypted end to end. This tutorial walks you through the process. It assumes you have an e-mail service provider (such as GMX Mail, Zoho, or Gmail) and that you already use some form of PGP/GPG e-mail encryption in your own mail client (there are many tutorials on this; search for e-mail encryption together with the name of your preferred e-mail client).

Overview

Using three different WordPress plugins you will lock down all e-mail communications from your GenWeb.io project, and give your site a beautiful form system which you can use for more than just a “contact form”.

GenWeb.io provides many plugins which can help with various aspects of managing a website. The three we will be working with in this tutorial are WP-Mail-SMTP, WP PGP Encrypted Emails, and Contact Form 7.

The first step is to send e-mail from your GenWeb.io project through your e-mail service provider rather than through our server. Without this step e-mail first passes through our server’s mail system before being forwarded to the internet, which is just one more place it could be logged and tracked (this is not something we do, but you should not have to take our word for it).

The second step is to install a tool which encrypts e-mails that originate from your site. This, again, ensures that GenWeb.io cannot log your or your users’ e-mails, and it also prevents anyone snooping on the traffic from learning anything more than the sender, the intended receiver, and the subject line (which the PGP plugin can blank for you). Incidentally, it also prevents your e-mail service provider and the receiving e-mail service provider from reading the contents. Gmail, for example, is known to use the contents of e-mails to build your advertising profile.

The third step is installing one of the most popular form-managing tools for WordPress, Contact Form 7. This tool can help you build almost any kind of form you might want, from a shopping cart to a research survey, but we will use only the tiniest fraction of its abilities: a shortcode which lets you add a feedback/contact form anywhere you would like in your project.

Setting up SMTP

The de facto standard for sending e-mail is the Simple Mail Transfer Protocol, SMTP. This is what your e-mail client uses to talk to your e-mail service provider, and the same information you used to set up your client is going to be necessary for setting up WP-Mail-SMTP: you will need the name of the server, the port number it communicates on, the type of security layer used (if any), and the type of authentication your service provider uses.

The first thing to do is activate the plugin: Dashboard -> Plugins and click the activate link for WP-Mail-SMTP. This will add a new menu item, Dashboard -> Settings -> Email, which is our next click.

The first setting is the e-mail address. If you plan to use the same e-mail address as you used when setting up your GenWeb.io project you can leave this blank and it will use that address.

The second setting is for the From text. You may want to put the name of the region you are coordinating – for example “Marshall County, Minnesota”. This will show up in messages sent from the site as “Marshall County, Minnesota <your.email@address.com>”

The third setting is a radio button. We are setting this up to use SMTP, so it does not need changing. The other options are a service which can deliver mail for a fee, or the normal WordPress delivery method. (With the normal WordPress method the mail leaves from the web server itself, which is not an authorized sender for your provider’s domain, so most e-mail services will currently flag it as spam.)

The fourth setting allows you to decide to use a Return path. If you are using a different address than the default for your site you may want to set this.

Below this are the SMTP settings, which are the items provided to you by your e-mail service provider. These need to be entered exactly the same as when you were setting up your e-mail client.

For example, if I were setting up to use a Gmail address I might use the following values:

  • SMTP Host: smtp.gmail.com
  • SMTP Port: 465
  • Encryption: SSL
  • Authentication: Yes, use SMTP authentication
  • Username: Example@gmail.com
  • Password: MySecretPassword

Note: the password is displayed in plain text on this settings page. That is not a problem in transit, because you are already working over SSL, but be aware that the plugin stores it in the WordPress database, where any other administrator of the site, or anyone who gets hold of a database backup, can read it. Use an app-specific password here (Gmail requires one once 2-step verification is on) rather than your main account password, so it can be revoked on its own if it ever leaks; the plugin can also take these settings from constants defined in wp-config.php, which keeps the password out of the database and off the settings page. It still makes me nervous, too.

Click to save your settings, then type your e-mail address into the Send a Test Email box and click send test. This displays the transcript of the conversation with the mail server, and hopefully it succeeds straight away. The test e-mail should arrive in your inbox almost immediately; make sure all of this works before moving to the next step.
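It helps to understand what the Encryption and Port fields mean on the wire before trusting the plugin’s test button. The following Python script is an added example; it is not part of this tutorial or of the WP-Mail-SMTP plugin. It maps the plugin’s settings onto how the SMTP session must be opened, refuses to send a password over a plaintext session, verifies the server’s certificate, and then sends a one-line test mail. The SETTINGS values, the function names and the recipient are illustrative assumptions.

```python
"""Map WP-Mail-SMTP-style settings onto a safe SMTP session and send a test mail.

Added example (not from the GenWeb.io tutorial or the WP-Mail-SMTP plugin).
The SETTINGS dict is constructed to mirror the plugin's form fields.
"""
import smtplib
import ssl
from email.message import EmailMessage

# Constructed example settings, matching the fields in the tutorial.
SETTINGS = {
    "host": "smtp.gmail.com",
    "port": 465,
    "encryption": "SSL",             # plugin choices: None, SSL, TLS (meaning STARTTLS)
    "auth": True,
    "username": "Example@gmail.com",
    "password": "MySecretPassword",  # use an app-specific password, not your main one
}

# The port each session type is normally served on.
EXPECTED_PORT = {"implicit-tls": 465, "starttls": 587, "plaintext": 25}


def plan_connection(encryption: str, auth: bool) -> str:
    """Translate the plugin's "Encryption" field into how the session opens.

    "SSL" means TLS from the first byte (implicit TLS, normally port 465).
    "TLS" in the plugin's vocabulary means a plain connection upgraded with
    STARTTLS (normally port 587).  Authenticating without either would send
    the password in clear text, so that combination is refused outright.
    """
    enc = (encryption or "").strip().upper()
    if enc == "SSL":
        return "implicit-tls"
    if enc == "TLS":
        return "starttls"
    if enc in ("", "NONE"):
        if auth:
            raise ValueError("refusing to send SMTP credentials without TLS")
        return "plaintext"
    raise ValueError(f"unknown encryption setting: {encryption!r}")


def port_matches(plan: str, port: int) -> bool:
    """True when the port is the usual one for the session type.

    A mismatch (465 with STARTTLS, or 587 with implicit TLS) is the most
    common reason the plugin's test hangs or fails with a TLS handshake error.
    """
    return EXPECTED_PORT[plan] == port


def send_test_mail(settings: dict, to_addr: str) -> str:
    """Open the session as planned, authenticate, send a one-line test mail.

    Returns the session type used.  ssl.create_default_context() verifies the
    server certificate against the system trust store and checks the hostname.
    """
    plan = plan_connection(settings["encryption"], settings["auth"])
    if not port_matches(plan, settings["port"]):
        raise ValueError(f"port {settings['port']} is unusual for {plan}; check your provider's docs")
    ctx = ssl.create_default_context()

    msg = EmailMessage()
    msg["From"] = settings["username"]
    msg["To"] = to_addr
    msg["Subject"] = "WP-Mail-SMTP test"
    msg.set_content("If you can read this, mail from the site is leaving via your provider.")

    if plan == "implicit-tls":
        server = smtplib.SMTP_SSL(settings["host"], settings["port"], context=ctx, timeout=20)
    else:
        server = smtplib.SMTP(settings["host"], settings["port"], timeout=20)
        if plan == "starttls":
            server.starttls(context=ctx)   # upgrade, then continue on the encrypted channel
    with server:
        if settings["auth"]:
            server.login(settings["username"], settings["password"])
        server.send_message(msg)
    return plan


if __name__ == "__main__":
    print("sent via", send_test_mail(SETTINGS, SETTINGS["username"]))
```

If the plugin’s test fails with a handshake error, compare its Encryption and Port fields against plan_connection and port_matches first; a 465/STARTTLS or 587/SSL mix-up is far more common than a wrong password.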

Setting up PGP Email

Pretty Good Privacy is a nifty, lightweight way to reliably encrypt and decrypt e-mail using public/private key pairs. Activate the WP PGP Encrypted Emails plugin: Dashboard -> Plugins, find WP PGP Encrypted Emails and click the activate link.

The plugins page reloads with a button in a notification box at the top, “Generate PGP signing key”. Clicking it generates a keypair the site will use to sign the mail it sends, so go ahead and do so. It also opens the General Settings screen (Dashboard -> Settings -> General), where this plugin’s settings can now be edited.

Scroll down to Admin Email PGP Public Key. This is where you paste your own public key. The site uses your public key (never your private key, which should not leave your computer) to encrypt e-mails it sends to you, so it stands to reason you need to enter it here.

Encrypting an e-mail is like putting it inside an envelope: the only things visible should be the addresses of the receiver and the sender. The next setting, Always empty subject lines for PGP-encrypted emails, moves the subject line inside the envelope, into the encrypted body. Otherwise your e-mail is more like a postcard: anyone can read what it is supposed to be about, even if they cannot read what is inside.

You will probably want to download the newly-generated public signing key to your computer and import it into your e-mail encryption system, so that it can verify the signature on the mail the site sends you. (Decrypting that mail needs only your own private key, which you already have.) The signing keypair can also be set manually, if you have generated keys yourself, and can be re-initialized.

What about other people who receive e-mail from the site? This plugin lets each user store their own public key in their profile on the server, and mail to an address with a stored key is encrypted just like yours. Mail to an address without a stored key has to go out in the clear, which is where the next setting comes in: Sign email sent to unrecognized addresses. Signing does not hide the contents, but it lets the recipient check that the message really came from the site and was not altered on the way. Note the word “unrecognized”: the setting applies only to addresses with no stored key.

Finally, ‘Delete the PGP signing keypair on uninstall’ removes the site’s signing keypair when you uninstall (delete) the plugin; merely deactivating it leaves the keys in place. It is good practice to delete unused keys, but once the keypair is gone, mail the site sends after a reinstall will be signed with a new key, and anyone who imported the old one will have to import the new one. It does not affect your ability to decrypt mail you have already received, since that was encrypted to your own key. If you never uninstall the plugin you will never need to worry about this.

Now go back to Dashboard -> Settings -> Email and send yourself another test e-mail. Nothing in the SMTP settings needs to change. This time you should get an encrypted message, and you should be able to decrypt and read it. Make sure this works before moving on!

Creating an e-mail form

This is by far the easiest step. Dashboard -> Plugins and click the activate link for Contact Form 7. When the plugins page reloads there is a new link to the Contact Form 7 settings. Clicking it shows a page listing all the contact form templates; at the moment there is only one, entitled Contact Form 1. The next column over is the shortcode column; it should look something like

[contact-form-7 id="401" title="Contact form 1"]

If you click the shortcode it highlights so you can copy it.

Now create a new page: Dashboard -> Pages -> Add New. Give it a name like “Contact us”, and then in the body paste the shortcode. Click the preview page to see what the form will look like. You will probably want to write a brief introductory sentence/paragraph.

Please use this form to send us a private e-mail.

[contact-form-7 id="401" title="Contact form 1"]

Save it, and you now have a working contact form which e-mails your readers’ inquiries directly, and privately, to you. And, of course, now you need to test the form! Fill it out with your own information, including a subject and at least a brief sentence for the message, and click the send button. Notice the JavaScript notification that the message has been sent, and that the form resets without a page reload. The encrypted message should arrive in your inbox right away, and you should be able to decrypt it without any problem. Check that the subject line of the e-mail is empty, and that the subject you typed appears inside the decrypted message body. Remember that the form is only as private as the connection the visitor used to submit it, so link to the contact page over https.
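Eyeballing the test mail is fine once, but the two checks above (blank Subject header, intact encrypted body) are easy to automate against the raw source of the message. The following Python script is an added example and is not part of this tutorial or of the WP PGP Encrypted Emails plugin. The sample messages are constructed, and the bytes inside the armor are filler rather than real OpenPGP packets; the names coordinator@example.org and “Marshall County, Minnesota” are taken from the tutorial’s own example and the function names are assumptions.

```python
"""Verify a contact-form test mail arrived encrypted, with no subject leak.

Added example, not from the GenWeb.io tutorial or the WP PGP Encrypted Emails
plugin.  The sample messages are constructed and the bytes inside the armor are
filler rather than real OpenPGP packets, so only the headers and the ASCII armor
(RFC 4880 section 6) are checked; decrypting is your mail client's job.
"""
import base64
import binascii
import re
from email import message_from_string
from email.message import Message

ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n"
    r"(?:[^\r\n]*:[^\r\n]*\r?\n)*\r?\n"        # optional armor headers, then a blank line
    r"(?P<body>(?:[A-Za-z0-9+/=]+\r?\n)+)"     # base64 lines
    r"=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"         # checksum line
    r"-----END PGP MESSAGE-----"
)


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded armor body (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw bytes in a PGP MESSAGE armor block (used to build the samples)."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_b64 = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP MESSAGE-----\n\n" + "\n".join(lines)
            + "\n=" + crc_b64 + "\n-----END PGP MESSAGE-----\n")


def message_text(msg: Message) -> str:
    """Decoded text of every leaf part, so inline PGP and PGP/MIME both work."""
    chunks = []
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_encrypted_mail(raw: str) -> dict:
    """Is the Subject blank, is there a PGP armor, and is its checksum intact?"""
    msg = message_from_string(raw)
    result = {"subject_empty": (msg.get("Subject") or "").strip() == "",
              "armor_found": False, "crc_ok": False}
    match = ARMOR_RE.search(message_text(msg))
    if not match:
        return result
    result["armor_found"] = True
    try:
        data = base64.b64decode(re.sub(r"\s", "", match["body"]), validate=True)
        crc = int.from_bytes(base64.b64decode(match["crc"]), "big")
    except (binascii.Error, ValueError):
        return result                      # armor present but the base64 is corrupt
    result["crc_ok"] = crc24(data) == crc
    return result


def tamper(raw: str) -> str:
    """Flip the first base64 character of the armor to simulate in-transit damage."""
    match = ARMOR_RE.search(raw)
    start = match.start("body")
    flipped = "B" if raw[start] == "A" else "A"
    return raw[:start] + flipped + raw[start + 1:]


# Constructed samples: what the test mail should look like, and a leaky variant.
FILLER = bytes(range(96))                  # stands in for the real encrypted packets
SAMPLE_GOOD = (
    "From: Marshall County, Minnesota <coordinator@example.org>\n"
    "To: coordinator@example.org\n"
    "Subject: \n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n" + armor(FILLER)
)
SAMPLE_LEAKY = SAMPLE_GOOD.replace("Subject: \n", "Subject: Looking for my grandmother\n", 1)

if __name__ == "__main__":
    for name, raw in (("good", SAMPLE_GOOD), ("leaky", SAMPLE_LEAKY), ("tampered", tamper(SAMPLE_GOOD))):
        print(name, check_encrypted_mail(raw))
```

To run it on a real message, save the test mail as raw source from your mail client and pass the file’s text to check_encrypted_mail. A result with subject_empty False means the “Always empty subject lines” setting is not taking effect; armor_found False means the mail went out in the clear, usually because the recipient address has no stored public key.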

When everything is working, add the contact page to a menu and/or link to it somehow. It may not be the main way people will get in touch with you, but it is an important tool to keep handy.

Preparing for 2017

As the end of the year draws close and we look ahead to the coming year, it is time to assess where we are and where we are going.

The past six months have been challenging: new server equipment, moving the server hardware to a new hosting location, a new ISP, and dealing with physical issues (one of which is ongoing). We have just upgraded to the latest stable release of WordPress, and a dozen or so of the open-source and commercial plugins, themes, etc. We have added a Piwik server for counties which wish to monitor their site traffic, and increased storage for all sites dramatically.

In the next six months we hope to add an installation of WebTrees, a collaborative genealogy presentation and management software, and an authentication platform which will work across our primary services (but has yet to be determined.)

Another security update…

There has been another security update, so here is a brief run-down (this one is simpler than the previous one:)

What we did about it

We have installed the upgrade, which updated the two third-party libraries which had newly-discovered vulnerabilities.

What the vulnerability was

There were two, separate, vulnerabilities; both were in third-party tools used in WordPress.

The first issue was in Plupload, a tool used for managing file uploads, which in certain circumstances could let a remote attacker make a logged-in user’s browser perform actions on the site which that user did not initiate. This is called a Same Origin Method Execution (SOME) vulnerability. In this case other security measures in WordPress limited the risk, and it affected WordPress 4.5.1 and earlier, so it was not a high-profile (but still high-priority) issue.

The second issue was in MediaElement.js, a tool WordPress uses to play audio and video embedded through its shortcodes. This was a reflected Cross-Site Scripting (XSS) vulnerability with little to mitigate the risk, and so both a high-profile and high-priority issue. Effectively a maliciously formed URL could be fed into the JavaScript, and a remote attacker could then run their own script in the browser of any visitor who followed that URL. (The script runs in the visitor’s browser, not on the server, but it runs under your site’s identity.)

What this means for you

Nothing, as far as we are aware. The issues are completely fixed.

However, it exposed that WordPress is not strictly using HTML5 audio and video. Everyone on the internet should be using a modern browser which supports HTML5; older browsers simply cannot prevent certain types of security and privacy attacks which have been resolved in newer browsers. By supporting old, vulnerable browsers (by using MediaElement.js) WordPress enables users to remain at risk rather than encouraging them to update.

Upgrades and vulnerabilities

WordPress released a recent upgrade to address a security issue[1], and also warned operators of servers using ImageMagick of security issues possible when processing insecure images[2].

What we did about it

GenWeb.io has upgraded to the current stable version (we always do, usually within minutes of the release). We have also addressed the so-called “ImageTragick”[3] vulnerability in the ways currently suggested by the ImageMagick developers. But, for your own peace of mind (and ours!), please ensure that your regional site does not allow users, forum posters, or commenters to upload photos. Also, please do not ‘upload’ images by URL, as this is another vector for this exploit. If you use the Press This tool to republish articles from the internet, that is another way to infect your site.

What the vulnerability was

The issue addressed by WordPress potentially allowed someone to run a script in a visitor’s browser when displaying/streaming certain kinds of media. Obviously this could not directly affect your website, but it could get your site blacklisted as a source of malicious scripts even though it wasn’t really your site doing the harm to the visitor. This is completely fixed by the security update.

The issue with ImageMagick potentially allowed remote code execution (RCE) on the server. When images are used in WordPress they are processed in various ways using ImageMagick, to create thumbnails, change a photo’s dimensions, and so on, and during that processing a crafted image file could convince ImageMagick to execute instructions on the server. This could in theory do almost anything the web server has the ability to do, including severely harming your site or the web server itself. This is not completely fixed by the security update from ImageMagick, and so the vulnerable portions of ImageMagick have been disabled through its policy.xml configuration, as the ImageMagick developers recommend. Most likely this will not affect your site, but be aware of possible issues if you use .svg or .mvg graphics, since those formats go through the coders that are now switched off. There are known attempts to use this exploit in the wild, but GenWeb.io sites should no longer be vulnerable.
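If you run your own server, the workaround is a set of coder restrictions in ImageMagick’s policy.xml, and it is worth checking that all of them are actually present rather than only the first few from the original advisory. The following Python script is an added example, not from GenWeb.io or the ImageMagick project; the three policy files in it are constructed samples (a stock policy with no coder rules, a partial workaround, and the full one), and the file path in the main block is an assumption about where Debian-derived systems keep the file.

```python
"""Check an ImageMagick policy.xml for the ImageTragick workaround.

Added example, not from GenWeb.io or the ImageMagick project.  The policy
files below are constructed samples: a stock policy with no coder rules,
a partial workaround, and one carrying the coder restrictions that the
ImageMagick developers and the imagetragick.com advisory recommended while
the full fix was pending.
"""
import xml.etree.ElementTree as ET

# Coders the advisory says to disable.  The first five were in the original
# workaround; TEXT, SHOW, WIN and PLT were added as more delegates reachable
# from crafted images turned up.  MVG and MSL are also what SVG rendering goes
# through internally, which is why .svg and .mvg files stop working afterwards.
IMAGETRAGICK_CODERS = frozenset(
    ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT"]
)

DEFAULT_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
"""

PARTIAL_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
</policymap>
"""

HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="coder" rights="none" pattern="TEXT"/>
  <policy domain="coder" rights="none" pattern="SHOW"/>
  <policy domain="coder" rights="none" pattern="WIN"/>
  <policy domain="coder" rights="none" pattern="PLT"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""


def disabled_coders(policy_xml: str) -> set:
    """Coders whose rights are set to none (ImageMagick matches these case-insensitively)."""
    root = ET.fromstring(policy_xml)
    found = set()
    for rule in root.iter("policy"):
        if rule.get("domain", "").lower() == "coder" and rule.get("rights", "").lower() == "none":
            found.add(rule.get("pattern", "").upper())
    return found


def missing_mitigations(policy_xml: str) -> set:
    """ImageTragick coders that the policy still leaves enabled."""
    return set(IMAGETRAGICK_CODERS) - disabled_coders(policy_xml)


def indirect_reads_blocked(policy_xml: str) -> bool:
    """True if '@file' indirect reads are denied (the path rule from the advisory)."""
    root = ET.fromstring(policy_xml)
    return any(
        rule.get("domain", "").lower() == "path"
        and rule.get("rights", "").lower() == "none"
        and rule.get("pattern") == "@*"
        for rule in root.iter("policy")
    )


def report(policy_xml: str) -> str:
    """One-line verdict suitable for a cron job or a deploy-time check."""
    missing = missing_mitigations(policy_xml)
    if not missing and indirect_reads_blocked(policy_xml):
        return "OK: ImageTragick workaround fully applied"
    parts = []
    if missing:
        parts.append("coders still enabled: " + ", ".join(sorted(missing)))
    if not indirect_reads_blocked(policy_xml):
        parts.append("indirect '@file' reads not blocked")
    return "VULNERABLE: " + "; ".join(parts)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. /etc/ImageMagick-6/policy.xml on Debian-derived systems (assumed path)
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(report(fh.read()))
    else:
        for name, text in (("default", DEFAULT_POLICY), ("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)):
            print(name, "->", report(text))
```

Run it against the policy.xml your ImageMagick build actually loads (convert -list policy prints the path); a server patched with only the first advisory’s five lines will show up as still exposing TEXT, SHOW, WIN and PLT.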

What this means for you

Nothing, as far as we are aware. When a more-complete fix for ImageMagick is available we will re-enable the possibly vulnerable portions again. In the meantime, if you have any issues with any media on your site (especially media which do not resize correctly) please use the secure contact form to get in touch with us immediately.

[1] WordPress 4.5.2 Security Release
[2] ImageMagick Vulnerability Information
[3] ImageTragick

Slider captcha

Captchas are attempts to identify automated processes to keep them from abusing resources. The most common abuse of CMSes is spam – in comments, in forums, in usernames… if you can think of it, it has probably been tried as a method of spamming people.

Many of the methods used to combat spam are also problematic. One of the most common tools on the web is reCAPTCHA, a “free service” provided by Google. Like everything “free” on the internet, you are the product being sold. Google uses the captcha (a) to track your users and (b) to get them to ‘solve’ a problem (like identifying street signs) which it then uses to improve its mapping software and data. In the past they ‘borrowed’ computer cycles to work on distributed computing problems, and they may do that again in the future. Other ‘free’ captcha services have had similar histories of privacy invasion and/or bandwidth/CPU theft.

GenWeb.io has limited bandwidth and storage, and encourages all County Coordinators (CCs) to use methods to avoid spam and related abuses. CCs are encouraged to register an Akismet account and enable Akismet anti-spam, even though this gives WordPress.com some ability to see your visitors’ comments. They are also encouraged to use a captcha for at least registration and login, but preferably not a known bad actor like Google’s reCAPTCHA. (The GenWeb.io site uses Slider Captcha, which as far as we know does not involve any spyware.)

Creating a regional coordination page on GenWeb.io/WordPress

GenWeb.io is set up primarily for the purpose of hosting regional coordination pages like the County Coordination sites of the state-level organizations of The USGenWeb Project. And it does so using the open-source WordPress software.

WordPress is popularly known as one of, if not the, pre-eminent blogging platforms. But a regional coordination site is not a blog; in fact it is almost nothing like a blog! Yes, and no.

Backgrounder

The software is actually a content management system (CMS), an application for publishing, modifying, organizing, deleting, and curating all kinds of content and media on the internet. It also offers tools to support collaboration in doing so. Although they are intended to avoid the need for hand-coding html, CMSes may also facilitate writing code by hand.

One of the ways a CMS reduces the amount of html-writing is with reusable templates, so you can focus on writing what goes into a page rather than putting most of your effort into creating what each page looks like. With WordPress specifically, every page loads with a similar look-and-feel with some variations for type of page content and depending on the specific ‘theme’ you select.

WordPress, while it is a great blog, also lets you display a ‘static’ page instead of a blog when visitors first arrive at the site. You can edit this page within the same editing environment used for writing blog entries. This editor lets you choose either a WYSIWYG view (Visual) or a source-code view of the almost-raw HTML (Text), and you can flip between the two views with a mouse click. Now the magic of this static page is that it, too, is displayed inside that look-and-feel template, allowing you to add the USGenWeb and state project logos and links to every page in your site.

The step-by-step process

Once you have your GenWeb.io account and domain, the steps are extremely simple.

  1. Create your landing page.
  2. Tell WordPress to use it as your static page.

Create the page

Go to your site’s Dashboard, which is the control panel for site administrators. Select Pages from the left sidebar, and then Add New to create a new page. (Normally we abbreviate this as Dashboard->Pages->Add New. Less typing for me, and I am lazy.) This brings up the page editor, with two primary editing fields – the title field and the larger body field which has several editing toolbars above it.

Enter the title you wish to use for your landing page; Welcome or the name of your region are pretty good choices to start.

In the body field you can do almost anything you like to create your new home page. The editing toolbars are self-explanatory, for the most part. Use the ‘Preview’ button in the right sidebar to load a new tab showing exactly how it will look to your guests (minus that top toolbar; guests don’t get that). You can change this at any time, so for now just throw some placeholder text up there (lorem ipsum…).

Now save it by using the ‘Publish’ button in the right side-bar. The page is now published on the internet. But it is not your landing page, yet.

Tell WordPress to use it

With the page published, the remaining step is to tell WordPress to show it as the front page.

Go to Dashboard->Settings->Reading. The top item is ‘Front page displays’. Click the radio button beside ‘A static page (select below)’. Select the page you just created from the ‘Front page’ drop-down menu. Then click the ‘save changes’ button.

Voilà! Your visitors will now land on the page you created. BUT – what about the posts? Most of us will still want to use WordPress’s blog abilities to make announcements, report news or events, or even to keep subscribers organized. Create another page (it can be just a title with no body), go back to Dashboard->Settings->Reading, pick this new page from the ‘Posts page’ drop-down menu, and save changes again.

You will probably want to add a link to your new Posts page from your new Front page, but that is another how-to article at a later date.

Conclusion

By creating a static page for WordPress you magically turn blogging software into website management software, and you can still blog on it. Using WordPress ‘themes’ you spend time tweaking your ‘look’ once, and it is applied everywhere all the time. With WordPress you can arbitrarily add pages filled with your own HTML code, or edit them in the WYSIWYG view.

But don’t start dreaming up menus and sidebars yet – because WordPress has that all covered for you, and makes it so easy you won’t believe it.

Registration is (slightly) broken

Always fun to find something not working in a new system!


Apparently newly registered users (the ones who do not have a website created for them) are linked to an administrator profile when logged in. This means the handy profile link in the upper-right corner of the logged-in views does not work for them, and they may get “you do not have permission”-type errors if they follow it.

The best link to a user’s profile page is http://[projectname.]genweb.io/forums/users/[yourusername], which unfortunately is not displayed anywhere except on a forum topic to which you have replied. This is not optimal, but it does work.