Skip to main content


Computer security issues relevant to Tuskfish CMS, its interaction with the outside world and website administration in general.

Copyright, all rights reserved.

In this collection

How to set up a WireGuard VPN server in a Docker container

Tired of paying for a commercial VPN? I set up a private WireGuard VPN server, running in a Docker container on a cheap virtual machine I already have with Linode. No need to pay for additional infrastructure! It works straight out of the box, and is fast and simple to set up. This article closes a few gaps in the documentation that might slow you down. Set up time was about 10 minutes, including configuring client devices. It's a nice facility to have, and is so lightweight you can run it on existing infrastructure without paying anything more.

Thoughts on the Gl.iNet Beryl (GL-MT1300) travel router

The marketing materials lean heavily on its ‘advanced security features’, but TLDR it doesn’t have any, unless you think VPN capability is something special. It’s just a small, portable wireless router that can accept a WIFI signal as its WAN input. So you can use it in a coffee shop and have a firewall between you and their network, but the firewall is just like any other home router firewall. You can forward ports and so on, but that’s about it, and it doesn’t provide any visibility into the traffic or what’s going on. Sadly, it does not support DFS channels (52-140) on fast 5GHz WIFI, so it is not compatible with any access point using them.

Firewalla Purple thoughts

The Firewalla Purple brings firewall management to the masses: It has a great GUI that makes it easy for less-technical users to see what is happening on your network and to manage devices. Firewall rules are easy to set up and content filtering policies can be toggled on and off by device or group. There are a few minor shortcomings but the feature set is still being extended. The Purple is an excellent device for managing small networks and the online activities of children. However, it is highly overpriced.

Tuskfish 2.0.4 released

Tuskfish 2.0.4 brings a user management module, which allows you to enrol trusted users in an Editorial role, so that they can create and edit content. The core structure has been refactored to improve modularity for development of new extensions. Internal login checks now test admin status against a surrogate password hash, rather than a simple session flag, which is a small security improvement: If an admin/editor changes their password at any time, any existing logged-in sessions are rendered invalid.

Tuskfish CMS V1.1.3 stable

A maintenance release. Further internal refactoring to improve the structure and extensibility, and updates to third party libraries. An XSS vulnerability present in Bootstrap 4.0 has been patched through an update to Bootstrap V4.1.3.


  • Add canonical URL link.
  • Clean up base URL / links on index page (remove unnecessary 'index.php').
  • Use title for image alt tag if no caption is set.
  • Refactor of methods towards smaller logical components and improved compliance with the single responsibility principle.
  • Removal of magic method accessors and mutators in favour of manual getters and setters.
  • Improved error messages to increase clarity.
  • Extended bad login count and retry delay to include 2-factor authentication.
  • Fixes to pagination control.
  • Implement admin side content object controller to clean up the admin script.
  • Fix conversions in content module.
  • Manually set cache limiter in some pages to avoid 'document expired' errors when using the browser back button.
  • Bugfix for taglinks being deleted when a tag is edited.
  • Update to FontAwesome 5.5.
  • Update Bootstrap to V4.1.3 and remove unnecessary files.
  • Remove popper.js library (now bundled in Bootstrap).
  • Update TinyMCE to V4.8.5.

Password hash cost calculator

I was playing around with different password hashing algorithms and came across this password hash cost calculator. It's a simple script you can use to measure how long it takes to calculate a given hash on a particular machine. Since web hosting accounts often come with limited resources compared to your local dev box, it's useful for tuning the cost of your hashing algorithm (how many times you iterate the calculation) to keep it at a sane level.

The problem with PHP

It feels strange to criticise PHP after developing a substantial (for me) project in it. Obviously I like the language and the recent performance improvements have given it a significant boost. But there are a few things that grate on the nerves and make me wonder about its long term future. Here are some of them, presented in no particular order.