Was it something I said? (or, supernaut blocked in China)

I noticed a few weeks ago that traffic from China was low, single digits low, instead of being in the top three countries for visitors. Even then I was fairly certain of the cause. Today I was again reminded of this anomaly, so sent a message to a Guangzhou native (广州人) who replied almost immediately, “yes, blocked on my end”.

A pity, really. I liked that supernaut was read in China, that all my writings on living there, on culture, politics, artists, dancers, places had some small (tiny) return.

Anyway, here’s a picture of a grass mud horse.

supernaut updates supernaut

Last night I noticed the dilapidated state of my sidebar links. “Who uses them anyway?”, I thought, before answering myself with, “Me!”

In order of finding new blogs, the first and most common is from someone I already read who mentions another writer who may take my attention long enough to click through to their site. Getting from there to the ‘New Additions’ folder in my RSS Reader (now using the quite beautiful yet assuredly beta Reeder) is a rarity, and from there to my sidebar is … well, there’s scant connection really; it’s a rare thing when I go through all the links and add/subtract, and even then, with 300 or so in my news feed, my sidebar is only a few I like a lot.

So I added and subtracted. As usual, some blogs I loved very much have withered and passed the deadline of no longer updated (around 3 months before promotion to my ‘Dinasaurs’ folder), others have moved. Many new ones have arrived.

Excitement! I’ll not list all the new ones here, but there are a few, notably in ‘Art and Theatre Blogs’, as well as in ‘Asia and Central Asia Blogs’ and in the sciences categories. As for the ones that vanished …

I removed two sections. One for design, as this stuff has moved mostly to my other blog (thingswithbits.info) and I don’t really get so enthusiastic about design as I do about, say, Central Asia or Kepler objects. The other to go, which is a little more difficult to explain, is the category for Trans* Queer Feminism stuff.

Without going into too much detail, there are still blogs I read in this field, but I find what turns up on these blogs is either irrelevant to me (e.g. cat blogging), the quality of writing does not have a level of rigorousness I find in other blogs I admire, or too often they are simply too American-centric. I’m also not so interested in spending a day in the echo-chamber finding the rare blog I would read.

So, for those who suffer distress when I blog infrequently, the sidebar should now assist you in feeling as I do most mornings: inspired by brilliant and passionate writers.

Flowplayer Playlists and WPAlchemy Meta Boxes

Last night I spent a bit of time working on francesdath.info, which I’ve been shifting into WordPress recently. I wanted to recreate the video playlist I had, but using some kind of dynamic method via the WordPress editing page. Flowplayer, WPAlchemy, PHP, JavaScript, CSS, Anonymous Pro … somehow it wasn’t so difficult. If you like coding stuff, you can read it here: Flowplayer Playlists and WPAlchemy Meta Boxes.

Two Ways to Put Flowplayer into WordPress — Custom Fields & Shortcodes

I spent this afternoon working on a site for Daniel Schlusser that is hidden from view but close to completion. My task for the day was getting video into blog posts using all my favourite things. I won’t scare the natives with hundreds of lines of code, but for you who are curious, you can read about it on my other blog: Two Ways to Put Flowplayer into WordPress — Custom Fields & Shortcodes.

blacker…

China Miéville’s rejectamentalist manifesto has been one of my favourite daily-ish reads since I stumbled into it after wondering where he’d got to, not having seen him on Lenin’s Tomb for quite some time. It was a few days ago now I read Well grubbed, and of course clicked the links. Something about Reza Negarestani and the line, ‘Everywhere a hole moves, a surface is invented’ ensnared me. And so…

There is a certain feeling I experience when I am being drawn into someone new. It reminds me of discovering Deleuze, as if both pulled bodily into and through a choking, dirt-rimed tunnel, and simultaneously unearthed onto the steppe; vastness wherever my gaze might fall. Reza has this for me now.

I read what I could find of Cyclonopedia: Complicity with Anonymous Materials, and of course messaged my favourite Berlin bookstore, Saint George’s (who seem to have a new website). Ah this spending on books (having bought two today from the estate of Manfred Durniok)… 

I look more for Reza and discover ‘Hideous Gnosis – Black Metal Theory Symposium 1’. Why would I not be feeling an immediate sense of coming home? Philosophy? Black Metal? Graaaaaghhhh!!! (double kick drum!). And I see a link… blackmetaltheory.blogspot.com. And so I shall spend my evening reading ‘Hideous Gnosis’ and passing the time waiting for Reza to arrive.

on science and ethics

Many of you who read my blog or know me personally know I am a bit of a lush for science. The astrophysics of monadologie came from my residency at Swinburne Centre for Astrophysics and Supercomputing, which in itself is part of a lifelong interest in astronomy in particular and other natural sciences.

My love of physics naturally leads into astrophysics at one end and particle physics, quantum physics and so on at the other, and to a slew of scientists and philosophers from Leibniz to Michel Serres, Isabelle Stengers, others… Geology and geophysics take me into my love of climbing, mountains and so into Central Asia and China, geography, culture, history, maps and topography… anthropology… names keep recurring in different disciplines, braids between the disciplines inside and out of science (the arts, philosophy) are twisted upon themselves over and over; ah, and the joy is the same.

Some people might find through religion some sense of marvel in the universe. I do not. To me, looking at the stars or the earth and forcing interpretation through faith is perhaps at best an elegant metaphor or story to be studied through anthropology (I do find of course the pantheon of demons in all religions quite fascinating), but mostly craven superstition that is no different to a perverse choice in favour of the detritus littering the floor, when a banquet lies upon the table above.

Over the years of blogging and reading blogs, many of the ones in the sciences had coalesced around Discover Magazine Blogs and the Scienceblogs communities, which of course has led me to new blogs, furthering my wanderings through the sciences. Volcanology and deep sea oceanography with excellent blogs written by passionate working scientists are two of the fields I currently have a fascination for.

Yes, there is a but.

Mostly I don’t reblog. As much as I’d like to (and I have tried in the past to make weekly reading lists of whatever has really grabbed my attention), the most obvious place where my love of science is displayed is in the sidebar (yes, needs updating…). But the last couple of days have brought some troubling developments.

Scienceblogs allows their writers complete freedom, in exchange for advertising in the right column and above the banner (most of which I don’t see because I use adblocking). This separation allowed the science bloggers a certain integrity, often coupled with disclosures: naming themselves, or, when anonymous, listing where their funding comes from.

As a non-scientist, and being aware of the deluge of pseudo-science (homeopathy, new age therapies and so on under the misleading guise and banner of ‘alternative medicine’), the constant misrepresentation of climate science by the media, corporate manipulation of public perception and outright lies, or just simple things like why a volcano would cause air traffic across Europe to shut down, I find myself talking about all these things in small ways.

But when a community such as Scienceblogs provides a platform to a corporate entity under the guise of a blog like others, when it is patently advertorial, massaging of public image, when it is Pepsi given space to write a blog (I use that in the very loosest of senses) on nutrition science and how they are making the world a better place through their foodstuffs research…

Yes, the science blog world is in an uproar. It is a crucial issue of ethics, impartiality and most importantly authenticity and integrity. When science is routinely denigrated, used against the wishes of scientists for political manipulation, misrepresented in the media, when vital issues for our immediate future are at stake, it is imperative scientists are able to be seen as trustworthy and respected.

Many of the science blogs I read are in the process of leaving Scienceblogs. Funnily enough it has also introduced me to new blogs–which are also leaving. The story in itself is worth an afternoon’s reading, but summarised at The Loom, along with a list of blogs on the move, and by GrrlScientist in Sucking Corporate Dick (read the comments to enjoy scientists enraged).

Maybe this is also to say for those of you who get as much pleasure as I do in reading and in reading science, there is a wealth of extraordinarily talented writers in many fields who I’m sure you’ll greatly enjoy. And perhaps too, this diaspora is a good thing. Blogs and blog communities have progressed to the point – thanks to the code they run on – where ad hoc communities are simple to set up and there is no real need to belong to somewhere like Scienceblogs if they fail to meet the requirements of their bloggers.

I shall update my links in due course.

return to blog

The last week has been chaotic. I came to Brussels slightly early – on Tuesday, to help with Dasniya’s Yoga and Shibari Workshop at Charleroi Danses, she arriving Thursday and some setting up in La Raffinerie, followed by three days of yokes and bindings with 20 others, and one long night of photography in an old stable somewhere south of Brussels. Yesterday some vagueness and attempts at ordering my life again, along with sorting—in a highly subjective manner, some 590 images I took over the three days. Hopefully I’ll be putting some of them up here later this week and writing about the workshop.

For now, continuing back into design work and trying to balance everything physical and computational. I’m not sure I manage this very well. Or perhaps I simply haven’t worked out how to a) sleep less, b) clone and reabsorb myself daily c) make myself attractive to wealthy philanthropists d) elongate seconds or minutes/convert former to latter/other temporal manipulations e) function in a highly regimented schedule… (and so on). I shall try though.

Mainly to say I’m feeling quite inspired at the moment, planning on a new performance, much enjoyment of reading, anxious to return to dance/climb/cycle/run/yoga and perhaps finding some progress in knee/hip/pelvis mess… Brussels for the remainder of the week, then Berlin again.

Some photos…

wordpress security (in many small steps)

(This is for people who like reading code, cross-posted at thingswithbits.info)

Earlier this year supernaut got hacked. Many of my other WordPress installs did also, perhaps because they occupy the same shared hosting space. I learnt a lot about website and WordPress security very quickly, even to the point of inadvertently vanishing all but my index page for quite some time. Nothing if not clever, I am.

Because I am doing all my projects in WordPress at the moment, and also seem to have turned quite a few people over to using it also, I thought to document my approach and methods. The first thing I do then, is read. A lot.

I have a subjective and not-too-carefully analysed approach to learning, especially when it comes to finding out information on a topic I know nothing about and need to know much about quickly. It applies to everything, not simply limited to web design or computer stuff. I search and read and search and read and keep repeating until the same stuff starts to come up over and over again. Then I start to think I might be on the right path. So I might try a few things then. The key here is easiness. Anything requiring more than a few clicks, a few lines of text or modifications is not a reasonable solution.

Things that break this early get thrown away. A plug-in that asks for stupid things, or doesn’t perform without me rewriting some line in php.ini is not going to stay installed long. I wondered often if this was the wrong approach, but really, basic, effective security should be as simple to understand as a household door key. You shouldn’t have to build a lathe in order to cut the key yourself.

So, having done some research and playing, I slowly put together something useful. This is a mix of things I’ve been using for a while, and new things I’m adding at the moment, in response to pissy annoying php exploits, sql injections and other clever irritations.

Installing WordPress.

The first thing to change during an install is the database table prefix wp_. If you’ve already installed WordPress, it’s possible to also change this either using a plugin, or by editing wp-config.php and changing the table prefixes in phpMyAdmin.

Once logged in, make a new user with administrator privileges and suitably complex password (OSX Keychain Access has a very good password generator), log in with the new user and delete the user, ‘Admin’.

Now is also a good time to delete the default theme (after uploading your new one of course). As with the user named ‘Admin’, the wp_ table prefix and other defaults, botnet code injection methods look for these defaults as an easy place to start.

To avoid messiness, I think it’s better to leave installing plugins till last, though because information is sent in the clear unless using SSL or SSH, it’s probably a good idea to change the password again when it’s all finished.

Get rid of install.php

After your installation is finished, you don’t need this file, located in wp-admin. Delete it, or change the name, or even better log attempts to access it with this (just change the email address to receive notifications):

<?php // install.php replacement page: http://perishablepress.com/press/2009/05/05/important-security-fix-for-wordpress/ ?>
<?php header("HTTP/1.1 503 Service Temporarily Unavailable"); ?>
<?php header("Status: 503 Service Temporarily Unavailable"); // CGI-style status line, colon required ?>
<?php header("Retry-After: 3600"); // 60 minutes ?>
<?php mail("email@domain.tld", "Database Error", "There is a problem with the database!"); // notifies you of every hit on install.php ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Error Establishing Database Connection</title>
    </head>
    <body>
        <h1>Error Establishing Database Connection</h1>
        <p>We are currently experiencing database issues. Please check back shortly. Thank you.</p>
    </body>
</html>

Dealing with wp-config

Every time I open this file and see the database name, user, password and host all in plain text, I get a little queasy. There are several ways to make this less painful, firstly using htaccess, which I’ll cover later. A quite elegant solution is to put all the sensitive information in a separate php file outside the root web directory, and make a call to that in the wp-config file.

First make a new file, config.php, stick it (on Dreamhost) in the /home directory, chmod to 644, and cut-paste the following from the original wp-config.php:

<?php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database-name');

/** MySQL database username */
define('DB_USER', 'username');

/** MySQL database password */
define('DB_PASSWORD', 'p@s5w0rD');

/** MySQL hostname */
define('DB_HOST', 'sqlhost.domainname.tld');

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */

$table_prefix  = 'prefix_';

/** force ssl login and admin - might slow things down */
/** on dreamhost must pay for ssl cert, hence not used */
/** define('FORCE_SSL_ADMIN', true); */

?>

Then in the original file, just put:

include('/home/path/to/config.php');

For those lucky enough to have SSL on their server, using FORCE_SSL_ADMIN is an excellent idea. Changing permissions to 640 also is a good idea.

Adding Unique Authentication Keys takes about 30 seconds, and gives four separate keys to be used with your password. Copy-paste from the Secret Key online generator; it will look like this:

define('AUTH_KEY',        ' ;+ Xk*Kf:y3e1L?.,r[Hx<m;rV57d>2WL#<#3[ d]!#+$79/pSAF(HrGEAfS`a4');
define('SECURE_AUTH_KEY', '.k0zMi[@f&)E>~y=ZqO6~IfHS$S SP8d>C]S@:zhxh?H]VtXEpqV?p-OJV*O~3?v');
define('LOGGED_IN_KEY',   '~:b*7/m+Lx|-irCxYAHQn1t2$sYA+2}+*2c@!_,9/D2-H5cJ_:wJ8X7|-p%W&xGh');
define('NONCE_KEY',       '%#T+Y*|N>cq/2m3CRqR}SCM  BodKio`<x+?nMAe6,qgU:YiyKgEu,%<er>>qS$V');

Functions.php

Most themes have a functions.php file which does all sorts of exciting things: writing bits to the theme templates, interacting with the WordPress admin interface… A couple of extra lines provide a little obscurity. WordPress puts its version number in the header via wp_generator, and also a link to xml-rpc.php, which for most people is unnecessary (unless they are using a blogging client like MarsEdit) and a risk. This quickly removes both, as well as hiding information about failed login attempts on the login page:

<?php
// security stuff

// blank the login error message, so the page doesn't reveal whether the
// username or the password was the wrong part (closure instead of the
// deprecated create_function)
add_filter('login_errors', function ($a) { return null; });

// drop the RSD (xml-rpc discovery) and Windows Live Writer manifest links from wp_head
function removeHeadLinks() {
    remove_action('wp_head', 'rsd_link');
    remove_action('wp_head', 'wlwmanifest_link');
}
add_action('init', 'removeHeadLinks');

// empty the generator tag so the WordPress version is not advertised
function no_generator() { return ''; }
add_filter('the_generator', 'no_generator');
?>

htaccess

.htaccess is a joyous little world unto itself, like finding a hole in your backyard that leads into a vast cave system. mmm spelunking.

Much of my learning about security has revolved around what can be done with htaccess, and in particular Perishable Press and their 4G Blacklist. And much of what I do for security takes place here.

Starting with denying everyone access to the .htaccess file itself. Then there is the WordPress hook that allows the install to exist in a different directory location to the site url. For those again who have SSL on their server, forcing SSL can be done here for admin and login. Then there are a bunch of protections to stop access to certain important files: install.php, wp-config.php, and the WordPress readme.html.

Using gzip compression to deliver files and adding content expires information doesn’t strictly have much to do with security, but really, the difference in load times the former can make to a site, and the general usefulness of expires tags make this one to automatically add.

For those on Dreamhost, the DH-PHP handlers are automatically added when using the site-specific php.ini installer, something I’ll cover a bit further down.

Hotlink prevention stops leechers sucking images and other content off your site; it was one of the first things I ever learnt how to do, when supernaut suddenly had massive bandwidth use as my images turned up in all manner of places.

The no-referrer section is specifically to thwart spammers circumventing your site altogether and trying to POST comment spam directly to wp-comments-post.php. It’s also possible to block access to xml-rpc here, and to use htpasswd login passwords for extra security on the login page; neither is included here.

Then comes the Perishable Press 4G Blacklist, a cornucopia of amazingness, which I left out for sake of brevity (haha). I have included two lines that need to be commented out in order for the browser-based file manager AjaXplorer to function ok.

# === DENY HTACCESS ===
<files .htaccess>
order allow,deny
deny from all
</files>
# === END DENY HTACCESS ===

# === BEGIN WORDPRESS ===
# keep this block first: the hotlinking rules below also need RewriteEngine On
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# === END WORDPRESS ===

# === FORCE SSL ===
#RewriteRule !^/wp-(admin|login|register)(.*) - [C]
# === END FORCE SSL ===

# === PROTECT install.php ===
<Files install.php>
    Order Allow,Deny
    Deny from all
    Satisfy all
</Files>
# === END PROTECT install.php ===

# === PROTECT readme.html ===
<files readme.html>
    Order deny,allow
    deny from all
</files>
# === END PROTECT readme.html ===

# === PROTECT wp-config.php ===
<files wp-config.php>
order allow,deny
deny from all
</files>
# === END PROTECT wp-config.php ===

# === DH-PHP handlers ===
AddHandler fastcgi-script fcg fcgi fpl
AddHandler php-fastcgi .php
Action php-fastcgi /cgi-bin/dispatch.fcgi
# === END DH-PHP handlers ===

# === BEGIN GZIP FILE TYPES BY EXTENSION ===
<Files *.html>
SetOutputFilter DEFLATE
</Files>
<Files *.css>
SetOutputFilter DEFLATE
</Files>
<Files *.js>
SetOutputFilter DEFLATE
</Files>
<Files *.ttf>
SetOutputFilter DEFLATE
</Files>
# === END GZIP FILE TYPES BY EXTENSION ===

# === BEGIN CONTENT EXPIRES ===
#set expire dates
<IfModule mod_expires.c>
ExpiresActive on
# 60 seconds * 60 minutes * 24 hours * 7 days
ExpiresDefault A604800
# 60 seconds * 60 minutes * 24 hours
ExpiresByType text/html A86400
</IfModule>
<FilesMatch "\.(ico|pdf|flv|f4v|m4v|jpg|jpeg|png|gif|swf|js|css|ttf)$">
# configure ETag
FileETag none
# Header needs mod_headers; without the guard a missing module gives a 500
<IfModule mod_headers.c>
# max-age set to one week as above
Header set Cache-Control "max-age=604800, public, must-revalidate"
# if you use ETags, you should unset Last-Modified
# Header unset Last-Modified
</IfModule>
</FilesMatch>
# === END CONTENT EXPIRES ===

# === DISABLE HOTLINKING ===
<IfModule mod_rewrite.c>
RewriteEngine on
# only requests that carry a referer, for an existing image file,
# where the referer is not this domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png|ico)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domainname\. [NC]
RewriteRule \.(gif|jpe?g|png|ico)$ - [F,NC,L]
</IfModule>
# === END DISABLE HOTLINKING ===

# === DENY ACCESS TO NO-REFERRER REQUESTS ===
<IfModule mod_rewrite.c>
# forbid a POST to wp-comments-post.php with a foreign/missing referer or an empty user agent
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\. [NC]
RewriteCond %{HTTP_REFERER} !.*domainname\. [OR,NC]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) - [F,L]
</IfModule>
# === END DENY ACCESS TO NO-REFERRER REQUESTS ===

# === PERISHABLE PRESS 4G BLACKLIST ===

(snip…)

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
# (the blacklist's RewriteCond lines matching bad query strings are snipped above)
# this line stops ajaxplorer working
RewriteRule ^(.*)$ - [F,L]
</IfModule>

# CHARACTER STRINGS
<IfModule mod_alias.c>
 # BASIC CHARACTERS
# RedirectMatch 403 \/\/ ajaxplorer again
</IfModule>

robots.txt

Equally effective, and probably overkill, using robots.txt can grant or forbid access to a slew of places, particularly directories that you don’t want spidered, as well as any and all WordPress directories, using Disallow: /wp-*.

User-agent: *
Disallow: /cgi-bin
Disallow: /lurking
Disallow: /phpsecinfo
Disallow: /wp-*
Disallow: /tag
Disallow: /author
Disallow: /wget/
Disallow: /httpd/
Disallow: /i/
Disallow: /f/
Disallow: /t/
Disallow: /c/
Disallow: /j/

User-agent: Mediapartners-Google
Allow: /

User-agent: Adsbot-Google
Allow: /

User-agent: Googlebot-Image
Allow: /

User-agent: Googlebot-Mobile
Allow: /

User-agent: ia_archiver-web.archive.org
Disallow: /

Sitemap: http://www.domainname.tld/sitemap.xml

php.ini and phpsecinfo

Getting deeper into the system still, and further yet from WordPress, modifying php.ini, the file that sets up what php can do, is another essential. Dreamhost doesn’t make it easy to edit php.ini, but fortunately there’s a script which installs it locally. More excitement ahead.

As with htaccess, much can be done in php.ini to prevent messiness. The following seem to work rather well. I’ll leave this uncommented upon except to say AjaXplorer needs fopen to be on, and shall devote a future post to elaborating on php.ini security.

; confine file access to the site's own directories
open_basedir = /home/site/folder:/home/site/tmp/folder
; a php.ini value cannot wrap onto a second line, so this stays on one line
disable_functions = exec,passthru,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source
expose_php = Off
error_reporting = E_ALL & ~E_NOTICE
register_globals = Off

; Whether to allow HTTP file uploads.
file_uploads = On
upload_tmp_dir = /home/site/folder/tmp/php
; Maximum allowed size for uploaded files.
upload_max_filesize = 200M

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
allow_url_include = Off

In addition to editing php.ini, and making sure there isn’t a file lying around called info.php with phpinfo() inside, phpSecInfo is an invaluable tool for assaying the security of your website, the results from which can be directly used to edit php.ini.

FTP, or rather SFTP.

As with passwords being sent in the clear, so too is FTP on its own not so great. Dreamhost allows for shell plus SFTP access with FTP disabled, which is both sensible for using desktop FTP clients (such as the amazing Transmit), and for searching out code injections. Time to open Terminal.

Commandline access is essential for a number of reasons, and instead of using the username/password combination, create passwordless login using an SSH key pair (the private key stays on your machine, the public key goes on the server).

# Generate an RSA key pair (private key in ~/.ssh/id_rsa, public key in ~/.ssh/id_rsa.pub)
ssh-keygen -t rsa

# copy the public key to your website
scp ~/.ssh/id_rsa.pub user@domainname.tld:~/

# ssh into your website
ssh user@domainname.tld

# Make a new folder, .ssh, append the key to the authorized_keys file, then delete the copied key
mkdir -p .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub

# Set all permissions (sshd ignores the key if these are group- or world-writable)
chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Why might this all be useful? Going back to when I was hacked earlier this year, I could have gone through all the files on all my sites looking for base64 code; instead I opened Terminal, SSH’ed in and sent this command:

find . -name "*.php" -exec grep "base64" '{}' \; -print

Which searches through all files with the extension .php for the string base64 and dumps the results on screen. I found every instance of the hack in a matter of seconds.
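The same search, as an added example that is not code from the original post, widened from the single string base64 to the handful of decode-and-run idioms injected PHP usually relies on, and reporting file, line and content so a hit can be inspected before anything is deleted. The directory tree and its contents are constructed inside the script so it runs offline; point scan_php_for_injections at a real install root instead.

```shell
#!/bin/sh
# Added example, not from the original post: a small scanner for the
# obfuscation idioms injected PHP tends to use, generalising the
# find/grep "base64" command. Sample files below are constructed.

# Strings that rarely appear in legitimate theme/plugin code but almost
# always in injected PHP (an assumption; extend the list for your installs).
INJECTION_PATTERNS='base64_decode|eval\(|gzinflate\(|str_rot13\('

# List every .php file under $1 containing at least one pattern, sorted.
# Non-PHP files are ignored, as in the original find command.
scan_php_for_injections() {
    find "$1" -type f -name '*.php' -exec grep -lE "$INJECTION_PATTERNS" {} + | sort
}

# Same, but print path:line:content for each hit.
report_php_injections() {
    scan_php_for_injections "$1" | while IFS= read -r php_file; do
        grep -nE "$INJECTION_PATTERNS" "$php_file" | sed "s|^|$php_file:|"
    done
}

# Constructed mini WordPress tree: one clean theme file, one file carrying a
# harmless stand-in payload (base64 of the word "constructed"), and a text
# file that mentions base64 but is not PHP and must be ignored.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/mytheme" "$site/wp-content/uploads"
    printf '<?php\nfunction no_generator() { return ""; }\n' \
        > "$site/wp-content/themes/mytheme/functions.php"
    printf '<?php\n/* cache */\neval(base64_decode("Y29uc3RydWN0ZWQ="));\n' \
        > "$site/wp-content/uploads/cache.php"
    printf 'base64 is mentioned in this readme\n' > "$site/wp-content/uploads/README.txt"
    printf '%s\n' "$site"
}

# Stand-alone demonstration: build the tree, report, clean up.
demo_site=$(make_sample_site)
report_php_injections "$demo_site"
rm -rf "$demo_site"
```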

Plugins for security.

Leaving aside all that code now…

WordPress is amazing because of its plugins and the community around its development. The problem though, for any plugin is twofold. Which one does the task you want the best (while integrating with the rest of your setup), and is updated frequently enough to not become a liability?

After the initial hack, I had many installed, which I then uninstalled because of small irritations and annoyances. After changing all my passwords to 16+ characters, including as many of type !@£$%^&_ as allowable, WordPress File Monitor has become an installation standard.

Rather than provide security, it lets you know when any files or folders have been modified, and which. Notification via email and/or Dashboard alert, alterable scan intervals and directory path exclusions make this indispensable for me. When a new exploit emerges, instead of panicking and manually scanning all my installs for changes (which I do anyway out of nervous boredom), I can be fairly confident they will show up here. Of course, the idea is not to get hacked in the first place.
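What the plugin does, a baseline of file hashes that each later run is compared against, as an added example in plain shell that is not the plugin's own code: run make_baseline once after a clean install, then check_baseline from cron, and any output at all is the alert. The install tree is constructed inside the script; it assumes sha256sum is available and that paths contain no spaces.

```shell
#!/bin/sh
# Added example, not the WordPress File Monitor plugin's code: file change
# detection with a sha256sum baseline and an awk comparison. The install
# tree below is constructed; assumes no spaces in paths.

HASH_CMD=${HASH_CMD:-sha256sum}

# Hash every file under install root $1 (paths relative to the root, so the
# baseline is portable) and save "hash  ./path" lines to baseline file $2.
make_baseline() {
    ( cd "$1" && find . -type f -exec "$HASH_CMD" {} + ) > "$2"
}

# Re-hash $1 and compare with baseline $2. Prints one line per difference,
# ADDED / MODIFIED / REMOVED followed by the path, sorted; prints nothing
# if the tree is unchanged.
check_baseline() {
    current=$(mktemp)
    ( cd "$1" && find . -type f -exec "$HASH_CMD" {} + ) > "$current"
    awk '
        FILENAME == ARGV[1] { baseline[$2] = $1; next }
        {
            if (!($2 in baseline))       print "ADDED", $2
            else if (baseline[$2] != $1) print "MODIFIED", $2
            seen[$2] = 1
        }
        END { for (p in baseline) if (!(p in seen)) print "REMOVED", p }
    ' "$2" "$current" | sort
    rm -f "$current"
}

# Constructed mini install: a config file, the readme that the htaccess
# above hides, and an uploads directory that will later gain a stray file.
make_sample_install() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads"
    printf '<?php include("/home/path/to/config.php");\n' > "$site/wp-config.php"
    printf 'WordPress readme\n' > "$site/readme.html"
    printf '%s\n' "$site"
}

# Stand-alone demonstration: baseline, tamper with the tree, compare.
demo=$(make_sample_install)
demo_baseline=$(mktemp)
make_baseline "$demo" "$demo_baseline"
printf '<?php // altered\n' > "$demo/wp-config.php"
printf '<?php // dropped into uploads\n' > "$demo/wp-content/uploads/x.php"
rm "$demo/readme.html"
check_baseline "$demo" "$demo_baseline"
rm -rf "$demo" "$demo_baseline"
```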

I’ve read a lot of good things about AskApache Password Protect, but I’ve never got it working, despite adding all the .htaccess files and even chmod up to 666. I would at least play with it otherwise, but for now don’t want to spend the time on it.

In general though (and said with a caveat that I don’t really know WordPress very well), much or all security that can be done with plugins can be done in other ways: .htaccess, robots.txt, php.ini, wp-config, sql changes and so on. Also, so many of the plugins haven’t been updated recently, which for me is worse than no protection due to the false sense of security.

During the course of the last two days, while I went through all the security stuff I could find, websites, pdfs, my own archives, I came across a couple of other plugins which I think are useful.

Semi Secure Login Reimagined provides about as good public/secret key encryption for passwords as is possible if you don’t have access to SSL.

WP Security Scan I found useful for a post-install check to make sure all the settings were as minimally tight as could be. In the interests of not having hundreds of plugins, I uninstalled it after.

404 Notifier does just that, though I suspect getting off my ass and reading the logs (or ssh and then grepping them for 404s) would be a better idea.

Sources

Much of my information for this comes from a few places.

The WordPress Codex itself is a good place to start, and the Plugin directory also worth spending time in.
Perishable Press is invaluable, and not just for security.
Digging into WordPress, both the website and the book are the fundamental step-by-step guide for all things security and WordPress.
The WordPress community, across many blogs, forums, books, comments and bits and pieces.

Oh, and while this applies also to WordPress 2.9.x, I’m currently running the 3.0 beta on thingswithbits.info where I tested all this. (hopefully this all doesn’t add to confusion.)

I am six years old (and of course I forgot)

Yes, of course, always a little more and always a bit late. I was chatting with Katrin today, and then it dawned on me… Yes, April 7th was my blog’s birthday. Six years old, almost 1500 posts, many, many photos, at least seven countries, here and there, there and here, great, cool, extra totally awesome…

Happy birthday supernaut, I would give you a big kiss but you are still only ones and zeros but I love you anyway.

Just to remember where supernaut came from…

vanished again

I was wondering vaguely why supernaut’s site stats were plummeting ever lower, though decided it was a post-hack/infrequent-blogging combination, even though new posts didn’t appear in my feed reader either.

Testing out some new caching plugins, I discovered… absence. Everywhere.

Besides the index page, supernaut seems to have evaporated. The database is still there, and all the content appearing in it, up to date, but somewhere WordPress is failing to pull the data into itself.

Poo.

Without knowing why or where things have gone wrong, and only having my stats to guess it’s something I did post-hack, the simplest thing to do is a clean install of WordPress, my templates and plugins, and the database. Taking about 5 hours just to confirm everything is working, and not really being in the mood for that right now, absence will continue for a couple of days.

Poo again.

Much thinking on the U-Bahn in the afternoon while going to Kreuzstanbul…

I tried a few things, thinking back also to when I dealt with supernaut being hacked, and thought the problem might lie in the .htaccess file I stitched together, using in part the Perishable Press 4G Blacklist, and other items I knew to cause issues with various bits of PHP.

After a few minutes, I narrowed it down to the excellent few lines that prevent hotlinking of images. The problem? The call to WordPress begins with ‘RewriteEngine On’, as it should. But the hotlinking code also requires it and I’d put it before. Shifting the WordPress code to the top of the document fixed the problem.

I feel a bit idiotic, as it’s been some months since I first added that code, and for the entire time, every page but the index has thrown up a 404 error… I suppose I should clean out the junk in my database now, just in case I can break something else and notice it in three months.