Security Plugins for Movable Type
Movable Type is a popular weblog publishing system that supports a variety of plugins. This article lists some very useful security-oriented plugins that can enhance your blogging experience.
Privacy allows you to define “read permissions” for assets in Movable Type (entries, categories and blogs). As a result, readers will first need to authenticate to be able to view the asset. Privacy gives you fine-grained control over who can read your content. The beauty and power of Privacy, however, lies in its extensible nature – plugins can easily be written that adds a new type of authentication to Privacy which can then be used to mark assets as private. This is most useful for organizations that already have a custom authentication in place.
AutoBan is an anti-junk plugin for use with the Apache webserver. It updates a .htaccess file to ban the IP addresses of junk sources. The list is generated from the junk objects stored in MT, providing for automatic aging. The updating is completely automatic. AutoBan is primarily useful for preventing flooding attacks. It also turns out that many junkers rent the same zombies, so even new types of attacks that get past the filters tend to be moderate because old attacks get the sources banned.
This plugin uses Movable Type’s OpenID Login framework to add a custom tab to the commenter login screen. AIM users and visitors from other AOL properties can log in with their screen name.
MT Protect finally gives you the ability to protect entries and blogs within Movable Type in three different ways:
- Password protection – protect your entries or blogs with a password which readers must correctly enter to gain access.
- Typekey protection – enter the Typekey usernames of readers you wish to grant access and they must login via Typekey to gain access. Typekey users not on the allowed list will not be able to gain access. This type of protection is much safer than password protection as it verifies the identity of your reader.
- OpenID protection – simply enter a reader’s OpenID URL to grant them access to the entry. Like Typekey protection, this method verifies the reader’s identity and hence is much harder to get around.
In the course of using the plugin, you may find that you are allowing access to the same people repeatedly. MT Protect’s Protection Groups feature allows you to define sets of any number of people who often garner the same permissions. The protection group – and hence all of the people in it – can be granted access to an entry as easily as one person. For all intents and purposes, protection groups are like email aliases in that you only send an email to only one address and yet many can receive it.