I’ve written a fair bit on the topic of securing WordPress based sites and blogs; however, it seems that no matter how much I write, it is still not enough. Hardly a week goes by without my hearing horror stories from our clients and various friends in the trade whose sites got infected with malware. After handling a lot of such cases and doing some research, I found that one of the major reasons sites get infected is that the webmaster’s own computer was infected with malware.

I’ll also list various resources that can be used to further strengthen the security of your site; however, first I would like to put forth my views on why webmasters should use Mac or Linux. I will only list points that are logical, and none of them are influenced by any bias. So here is why I suggest it, and how easy it is to switch too -

1. To keep yourself safe from viruses: I’ve used all three OSes and I’ve personally experienced that Mac & Linux aren’t as prone to viruses as Windows is. The simple fact is that the market share of Windows is more than 90%, and that is why almost every virus is targeted at Windows users. So, if you are using either of those two OSes you’d be far less exposed to viruses, and thus you reduce the chances of getting your website hacked.

2. For keeping others safe: As I’ve said, the majority of the cases I’ve dealt with are those where the webmaster’s computer was compromised. Moreover, once a site is infected, it infects the computers of the people who visit it, and that’s how the malware spreads so quickly! Now, if the webmaster had been using Linux or Mac in the first place, it would at least have ensured that they were not making the situation worse.

3. Switching is pretty easy – Most users give the reason that they won’t be able to switch because of compatibility issues, and that they think switching platforms would be a pain because of the unavailability of software. I agree that at one time it would have been difficult for most people; however, webmasters specifically won’t find any issues in choosing these two platforms, as most of their tasks are done online, and most of the software required either has a worthy alternative or, if you are an open-source fan, is available for all three platforms. Here are some of the resources -

Try a gradual switch and start using these OSes and if you really want to run a windows software then you can try WineHQ or CrossOver (commercial) and most likely the software will work fine for you. If the software still doesn’t work and you don’t find any alternative then you can simply use VirtualBox or Parallels to run Windows inside Linux or Mac.

So if we know that webmasters can easily switch to Mac or Linux, why not use either of those two operating systems and keep yourself and the world safe from that malware? Anyway, enough ranting – as I said, during my research I read quite a bit about website security, so I would like to share that with you:

How to strengthen the security of your WordPress site?

  1. Don’t forget to read the articles I wrote a while back on the topic of securing WordPress.
  2. If possible, switch your OS as soon as possible – Don’t think of it as a stupid suggestion. Consider this one for sure!
  3. Restrict admin use by IP address.
  4. Learn to restrict FTP server access to specific IPs using VSFTPD – I know that not everyone gets a static IP address from their internet service provider; however, the use of a VPN [I use StrongVPN] can certainly help you get over that problem. Plain FTP also sends your password in the clear, so prefer SFTP (over SSH) wherever the host offers it.
  5. More steps can be done through the .htaccess file; here are 11 more steps that you can use.
  6. Jeff Starr has created wonderful instructions for securing servers via .htaccess and blocking known malware techniques.
  7. Blocking spam is equally important – Chances are that some spam comment will carry the URL of an infected site, so it is important to ensure that no spam comment gets through.
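Item 3 above (restricting admin use by IP address) as a small script, added here as an example; it is not taken from the post or from any of the linked articles. It assumes Apache 2.2 with AllowOverride enabled for the document root and IPv4 addresses; the function names (valid_ipv4, wp_admin_htaccess, install_wp_admin_allowlist) are my own.

```bash
#!/bin/bash
# Generate and install an allow-list .htaccess for /wp-admin/ (added example).
# Assumption: Apache 2.2 syntax. On Apache 2.4 replace the Order/Deny/Allow
# lines with "Require all denied" / "Require ip <addr>".
set -u

# valid_ipv4 ADDR: four dotted octets 0-255, optional CIDR suffix /8..32.
# Rejects anything that could smuggle extra directives into the file.
valid_ipv4() {
    local ip=${1%/*} cidr=${1#*/}
    [ "$cidr" = "$1" ] && cidr=32              # no suffix given
    case "$cidr" in *[!0-9]*|'') return 1;; esac
    [ "$cidr" -ge 8 ] && [ "$cidr" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*|'') return 1;; esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    local n
    for n; do
        case "$n" in *[!0-9]*|'') return 1;; esac
        [ "$n" -le 255 ] || return 1
    done
    return 0
}

# wp_admin_htaccess IP...: print the .htaccess body. admin-ajax.php stays
# reachable because front-end plugins call it for anonymous visitors.
wp_admin_htaccess() {
    local ip
    [ $# -ge 1 ] || { echo "need at least one address" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    echo 'Order deny,allow'
    echo 'Deny from all'
    for ip in "$@"; do echo "Allow from $ip"; done
    echo '<Files admin-ajax.php>'
    echo '    Order allow,deny'
    echo '    Allow from all'
    echo '</Files>'
}

# install_wp_admin_allowlist DOCROOT IP...: write DOCROOT/wp-admin/.htaccess
# atomically so a half-written file never leaves the admin area open.
install_wp_admin_allowlist() {
    local root=$1; shift
    local tmp
    tmp=$(mktemp "$root/wp-admin/.htaccess.XXXXXX") || return 1
    if wp_admin_htaccess "$@" > "$tmp" && chmod 644 "$tmp"; then
        mv "$tmp" "$root/wp-admin/.htaccess"
    else
        rm -f "$tmp"; return 1
    fi
}

# Example: install_wp_admin_allowlist /var/www/html 203.0.113.7 198.51.100.0/24
```

Put your VPN’s exit address in the list if your home connection has no static IP, and keep a second way in (SFTP/SSH) so a typo here cannot lock you out of the dashboard for good.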

What else can be done other than IP address restrictions and .htaccess tricks?

Some of WordPress’ cool features come from allowing some files to be writable by the web server. However, letting an application have write access to your files is a dangerous thing, particularly in a public (shared hosting) environment. It is best, from a security perspective, to lock down your file permissions as much as possible and loosen those restrictions only on the occasions when you need to allow write access, or to create special folders with more lax restrictions for things like uploading images. In short, we are talking about the chmod settings on the server.

All files should be owned by your user account and be writable by you, and any file that needs write access from WordPress should be group-owned by the user account the web server runs under. Of course, learning this can take some time, but if you really want to secure your server, this is one thing you should focus on!

  • / — the root directory: all files should be writable only by your user account.
    • EXCEPT .htaccess, if you want WordPress to generate rewrite rules for you
  • /wp-admin/ — the administration area: all files should be writable only by your user account.
  • /wp-includes/ — the bulk of application logic: all files should be writable only by your user account.
  • /wp-images/ — image files used by WordPress: all files should be writable only by your user account.
  • /wp-content/ — variable user-supplied content: intended by the WordPress developers to be writable by the web server. Give it group write for the web server’s group rather than making it world-writable; a world-writable directory on a shared host lets any other account on the box drop files into your site.
    • /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
    • /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
    • other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.
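The ownership scheme above as a script, added here as an example; it is not from the original post or from WordPress itself. It assumes your login is the file owner, the web server runs as a separate group (apache on CentOS, www-data on Debian), and only wp-content/uploads needs to be written by WordPress; the function names wp_set_permissions and wp_audit_permissions are my own.

```bash
#!/bin/bash
# Apply and audit the WordPress ownership/permission layout (added example).
# Assumptions: $OWNER is your shell/FTP account, $WEBGROUP is the group the
# web server runs as, and the theme editor is not used (so themes stay
# owner-writable only).
set -u

# wp_set_permissions ROOT OWNER WEBGROUP
#   everything:            owner-writable only   (dirs 755, files 644)
#   wp-content/uploads:    group-writable too    (dirs 775, files 664)
#   wp-config.php:         640, readable by the web server group, not the world
wp_set_permissions() {
    local root=$1 owner=$2 webgroup=$3
    chown -R "$owner:$webgroup" "$root" || return 1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    [ -f "$root/.htaccess" ] && chmod 644 "$root/.htaccess"
    return 0
}

# wp_audit_permissions ROOT: list every world-writable path, every
# group-writable path outside wp-content/uploads, and every PHP file inside
# uploads (the usual webshell drop point). Exit 1 if anything was found, so
# it can run from cron and alert on a non-zero status.
wp_audit_permissions() {
    local root=$1 found
    found=$(
        find "$root" -perm -o+w
        find "$root" -perm -g+w ! -path "$root/wp-content/uploads*"
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null
    )
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Example (CentOS): wp_set_permissions /var/www/html webmaster apache
#                   wp_audit_permissions /var/www/html
```

If your host runs PHP as your own account (suPHP, php-fpm pools), WordPress already writes as the owner and uploads does not need the group bit at all; the audit will then flag it, which is the hint to drop back to 755/644 there too.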

Plugins that I prefer for securing WordPress

1. WordPress File Monitor – Think of it as a watchdog! It monitors your installation for added/deleted/changed files. When a change is detected, an email alert can be sent to a specified address. So even if you add files using FTP, it will let you know. This is a fantastic way to ensure that no compromised file lands on the server without being noticed. It reports a change after the fact, so keep a clean copy of your files to compare against and restore from.

2. WordPress Firewall – I personally love this plugin. Of course, using this plugin means that you’d lose the theme/plugin editing capabilities and a few other things here and there; however, it makes the site a good deal harder to attack.

3. Block Bad Queries – Another gem from Jeff Starr. This plugin blocks requests whose query strings contain known malicious patterns, which takes out a large share of automated attacks; it is not a substitute for keeping WordPress, themes and plugins up to date.

Well, there have been countless posts on the topic of WordPress security, and the worst part is that things aren’t improving one bit. It is important to choose the right web host as well. If this post of mine was a request to webmasters, Mark Jaquith has asked web hosts to become more secure and to help webmasters understand the security of their blogs/websites. It is an interesting read, so even if you are not a web host, I would suggest you read it.

What are your thoughts about changing the OS for ensuring safe and secure website? Do you think that one should go ahead and change their OS to ensure that their site will remain secure from malware to a large extent? Please share your thoughts in comments.


WordPress has been considered a memory hog, and I can agree with that, as I’ve faced the issue in the past as well. If you don’t use plugins like WP Super Cache or W3 Total Cache, you’ll soon get an email from your shared hosting provider asking you to upgrade the hosting plan. As traffic increases you’d have to change the hosting plan, and then the question arises: go for managed hosting or unmanaged hosting?

Personally I like things under my control, where I can change just about anything, as that way I don’t have to depend on anyone and things get done much faster compared to a situation where I’d have to call tech support hoping that the support guy will help me finish the task, and I’d get a less than satisfactory answer. Anyway, to cut the story short, I got an email from my fantastic web hosting company, i.e. WPWebHost; however, as I was looking for cloud based hosting [I definitely like buzzwords], I thought that I would rather go for Rackspace Cloud Servers, as I get more control over things. Here are a few things that you’d have to keep in mind if you are interested in going for Cloud Servers -

You do get complete control of the server, but that also means that you have to set up everything from scratch! You just get a server with a vanilla Linux installation that you’d have to install and configure – web server, database server, security, and just about everything else you can imagine! So if you are faint of heart then you should not read this guide and should instead carry on your research for other hosting plans that offer managed servers.

However, more control over the server means that you’d be able to have a much faster running site, and that also means better rankings in Google!

One of the main purposes of getting the cloud server was that I wanted to run WordPress on Nginx, a much lighter alternative to the Apache web server, and wanted to play around with HipHop for PHP, pure innovation from Facebook! Here’s what HipHop for PHP is all about [I'm still working on this part and will be sharing my experiences in upcoming posts] -

HipHop transforms your PHP source code into highly optimized C++ and then compiles it with g++ to build binary files. You keep coding in simpler PHP, then HipHop executes your source code in a semantically equivalent manner and sacrifices some rarely used features – such as eval() – in exchange for improved performance.

And now let’s find out how we can set up an optimized web server that would handle lots of traffic with a minimum amount of resources and make your site load faster as well.

Setting up Linux server from scratch!

Note 1 - In this case we are using CentOS 5.3 and all the commands will be listed step by step, so you can simply copy and paste them one by one and you should be good to go. I will give an explanation of all the steps as we go along -

Note 2 - If you are new to these things, make sure that you go through this guide properly and do not skip anything.

1. Setting up basic security

When you get a freshly installed Linux box that you want to use as a web server, it can be vulnerable to various attacks. To avoid them we will set up the basic settings that a Linux web server should have. For that, connect to your Linux server through SSH [ssh root@YOUR SERVER IP ADDRESS] and then run the following commands -

  • passwd [The first time you log in as root, you must change the root password. Here's a guide to keeping a secure password.]
  • adduser <username>
  • passwd <username>
  • usermod -a -G wheel <username>
  • visudo [for newbies - vi is a text editor and here are the commands that will help you operate it.]
  • Find # %wheel  ALL=(ALL)   ALL and remove the # from it.

These commands will set up a new user, <username>, in the wheel group and ensure that the user will be able to gain root privileges (via sudo) when required. Use whatever username you like; just use the same one consistently in the steps below.

Now we’ll configure SSH to disable root login and change the port, which stops attackers from logging in directly as root and cuts down the automated login attempts aimed at port 22. For that, run the following command -

  • nano /etc/ssh/sshd_config

And you need to ensure that the following settings are present in the file. Nano is also a text editor and it displays the most basic and useful commands at the bottom, so you won’t need a guide. I definitely like it more than vi. Anyhow, here are the settings that you need to keep in SSH’s configuration file -

  • Port 30000  <— change to a port of your choosing
  • Protocol 2
  • PermitRootLogin no
  • X11Forwarding no
  • UsePAM no
  • UseDNS no
  • AllowUsers <username>  <——- of course, this will be the username that you chose in the first steps.

Once we are done with the SSH configuration, we’ll make changes to iptables, which is the firewall, so that only certain ports are open. Run the following commands to ensure that the iptables settings are the way we want them -

  • iptables -L  <—- this shows the current iptables configuration. Copy and paste it into a text file.
  • iptables -F  <— this flushes the existing iptables rules (safe to do over SSH as long as the chain policies are ACCEPT; the last two rules below add the explicit REJECT). The following commands set the desired new rules.
  • iptables -A INPUT -i lo -j ACCEPT
  • iptables -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
  • iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • iptables -A OUTPUT -j ACCEPT
  • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • iptables -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT  <— this must be the same port that you selected in the SSH settings.
  • iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
  • iptables -A INPUT -j REJECT
  • iptables -A FORWARD -j REJECT
  • service iptables save
  • /etc/init.d/sshd reload    <— this reloads the new SSH settings.

Now open a new tab in Terminal (Mac users) / Putty (Windows users) and try to connect to the server using the new settings. Do not close the original session until this works: if the new connection fails, go back to the previous tab, flush the rules again and retry the commands above.

  • ssh -p 30000 <username>@Your Server’s IP Address
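The SSH and firewall steps above as one script, with a check for the classic lock-out mistake (firewall port not matching the sshd port). This is an added example, not the post’s own commands; it assumes the CentOS paths used above and GNU sed/awk, and the function names (set_sshd_option, harden_sshd, audit_sshd, apply_firewall) are mine.

```bash
#!/bin/bash
# Idempotent SSH hardening + firewall helper (added example).
# Assumptions: CentOS-style /etc/ssh/sshd_config, iptables with the state
# match, and a sudo-capable user you have already created and tested.
set -u

# set_sshd_option FILE KEY VALUE: rewrite every (possibly commented-out)
# "KEY ..." line as "KEY VALUE"; append it if the file never mentioned KEY.
# sshd honours the first occurrence of a directive, so a leftover "#Port 22"
# turned into "Port 22" above our line would silently win; rewriting all
# occurrences avoids that.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE PORT USER: the settings listed in the post. UsePAM is left
# at the distro default on purpose: turning it off also skips PAM's account
# checks (locked accounts, password ageing).
harden_sshd() {
    local file=$1 port=$2 user=$3
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" Protocol 2
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" X11Forwarding no
    set_sshd_option "$file" UseDNS no
    set_sshd_option "$file" AllowUsers "$user"
}

# sshd_option FILE KEY: print the effective value (first uncommented match)
sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# audit_sshd FILE USER: exit 0 only if root login is off, protocol 1 is off,
# USER is in AllowUsers and empty passwords are not permitted.
audit_sshd() {
    local file=$1 user=$2 ok=0
    [ "$(sshd_option "$file" PermitRootLogin)" = no ] || { echo "root login still allowed"; ok=1; }
    [ "$(sshd_option "$file" Protocol)" = 2 ] || { echo "protocol 1 still enabled"; ok=1; }
    grep -Eq "^AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+${user}([[:space:]]|$)" "$file" \
        || { echo "AllowUsers does not include $user"; ok=1; }
    [ "$(sshd_option "$file" PermitEmptyPasswords)" != yes ] || { echo "empty passwords permitted"; ok=1; }
    return $ok
}

# apply_firewall SSH_PORT: the post's rule set, in order. Uses $IPTABLES
# (default "iptables"; set IPTABLES=echo for a dry run). Order matters: the
# ESTABLISHED,RELATED rule keeps your current session alive, and the final
# REJECT must come last. The port MUST equal the Port in sshd_config.
apply_firewall() {
    local port=$1 ipt=${IPTABLES:-iptables}
    $ipt -F
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -j ACCEPT
    $ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    $ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    $ipt -A INPUT -p tcp -m state --state NEW --dport "$port" -j ACCEPT
    $ipt -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    $ipt -A INPUT -j REJECT
    $ipt -A FORWARD -j REJECT
}

# firewall_port_matches FILE PORT: refuse to proceed if sshd would listen on
# a port the firewall does not open.
firewall_port_matches() {
    [ "$(sshd_option "$1" Port)" = "$2" ]
}

# Usage, as root, from an already-open session that you keep open until a
# second login on the new port succeeds:
#   harden_sshd /etc/ssh/sshd_config 30000 webmaster \
#     && audit_sshd /etc/ssh/sshd_config webmaster \
#     && firewall_port_matches /etc/ssh/sshd_config 30000 \
#     && apply_firewall 30000 && service iptables save && /etc/init.d/sshd reload
```

Run `sshd -t` after editing the file and before the reload; a syntax error there leaves the old daemon running but makes the next restart fail, and by then your only session may be gone.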

2. More CentOS configuration and installing development tools

In this section we’ll configure CentOS to use external repositories, so that installing various tools becomes easier and, in case you want to install any software, it will be able to find the dependencies without much trouble. One of the best-known repositories other than the default one is RPMforge, and we need to configure our server for it. Please follow this article to install RPMforge. Once we are done with that, we will run the following commands -

  • sudo yum update
  • sudo yum groupinstall ‘Development Tools’ ‘Development Libraries’

This will update YUM and install most of the development tools and libraries that you’ll need in future. I hope that most of you will not have had problems up to this point, as these are simple steps; however, things will start getting a little complicated when we start installing Nginx, PHP, MySQL and caching systems and configuring them for optimum results. So gear up for the fun and awesome challenge that we’ll experience in forthcoming posts.



As we all know, WordPress is powered by PHP & MySQL, and by far phpMyAdmin is considered the most widely adopted way of managing MySQL databases. Most web hosting companies have it installed for their users, and most users find it pretty intuitive. The same goes for WordPress these days. At times, it looks like a perfect marriage between the two!

When it comes to WordPress, there are various obnoxious situations that we can avoid with the help of phpMyAdmin and its neat little tricks. Thankfully, many tech-savvy and generous bloggers have shared those neat tricks with the world, and in this post I would like to highlight them.

Tricks related to Users

1. Reset WordPress user password using phpMyAdmin – by WPBeginner.
2. Change WordPress admin username – by Mahesh Kukreja
3. Disable New User Registration – by Rajesh Patel [I don't see any reason for taking this step, as it can easily be done through the options under Settings, but you never know when these things come in handy].
4. Change post attribution from one author to another – WpRecepies.

Tricks related to Posts & Comments

1. Delete all spam comments using phpMyAdmin – by Technofriends
2. Batch delete posts revisions – by WPRecepies
3. Restore commenting using the repair feature of WordPress – by Speed of Creativity [of course, this is more of a troubleshooting trick, but a handy one that may help you at some point]

Troubleshooting using phpMyAdmin when nothing works

There are times when you might be playing with a broken plugin/theme, or an outdated one, that causes WordPress to break, and then it gets a little hard to troubleshoot if you don’t already have a database backup. However, you can save yourself by learning how to create a database backup and restore it with the help of phpMyAdmin -

1. Create WordPress database backup using phpMyAdmin.
2. Restore WordPress database backup using phpMyadmin.

Various other useful tricks

1. Move WordPress blog from one domain to another.
2. 12 quick and easy MySql tricks. [This is not through phpMyAdmin, however can come in handy through SSH]
3. Running multiple WordPress blogs on a single database. [not recommended; however, if you are running out of databases then this is the only solution - otherwise change your hosting provider - here's the guide to do so]
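The user and comment tricks above (password reset, spam purge, revision cleanup, author reassignment) as parameterised statements run from the shell, with a dump taken first. This is an added example, not code from the post or from the linked articles; it assumes a mysql client on the server with credentials in ~/.my.cnf and the default wp_ table prefix, and the function names are mine.

```bash
#!/bin/bash
# WordPress database fixes as repeatable SQL, generated from the shell
# (added example). Assumptions: mysql/mysqldump read ~/.my.cnf, and the
# first argument of each wp_sql_* function is the table prefix (wp_).
set -u

# sql_quote STRING: single-quote a value for MySQL, doubling embedded quotes
# and escaping backslashes, so an odd password or login cannot break out of
# the statement (the same mistake that makes SQL injection possible).
sql_quote() {
    local s=$1 bs='\' q="'"
    s=${s//"$bs"/"$bs$bs"}
    s=${s//"$q"/"$q$q"}
    printf "'%s'" "$s"
}

# wp_sql_reset_password PREFIX LOGIN NEWPASS: WordPress accepts an MD5 hash
# in user_pass and upgrades it to its own salted hash on the next successful
# login, so change the password again from the dashboard right afterwards.
wp_sql_reset_password() {
    printf 'UPDATE %susers SET user_pass = MD5(%s) WHERE user_login = %s;\n' \
        "$1" "$(sql_quote "$3")" "$(sql_quote "$2")"
}

# wp_sql_delete_spam PREFIX: drop comments already flagged as spam
wp_sql_delete_spam() {
    printf "DELETE FROM %scomments WHERE comment_approved = 'spam';\n" "$1"
}

# wp_sql_delete_revisions PREFIX: remove post revisions and their metadata
# (metadata first, while the revision IDs still exist to select on)
wp_sql_delete_revisions() {
    printf "DELETE FROM %spostmeta WHERE post_id IN (SELECT ID FROM %sposts WHERE post_type = 'revision');\n" "$1" "$1"
    printf "DELETE FROM %sposts WHERE post_type = 'revision';\n" "$1"
}

# wp_sql_reassign_posts PREFIX OLD_ID NEW_ID: move every post from one author
# to another; IDs must be numeric, nothing else is interpolated.
wp_sql_reassign_posts() {
    case "$2$3" in *[!0-9]*) echo "author ids must be numeric" >&2; return 1;; esac
    printf 'UPDATE %sposts SET post_author = %s WHERE post_author = %s;\n' "$1" "$3" "$2"
}

# run_with_backup DB SQL...: dump the database first, then apply the
# statements inside one transaction so a typo can be rolled back.
run_with_backup() {
    local db=$1; shift
    mysqldump --single-transaction "$db" > "$db-$(date +%Y%m%d%H%M%S).sql" || return 1
    { echo 'START TRANSACTION;'; printf '%s\n' "$@"; echo 'COMMIT;'; } | mysql "$db"
}

# Example:
#   run_with_backup wordpress \
#       "$(wp_sql_reset_password wp_ admin "new passw'rd")" \
#       "$(wp_sql_delete_spam wp_)"
```

The dump is the safety net phpMyAdmin’s Export tab gives you by hand; taking it in the same command means you cannot forget it when the site is down and you are in a hurry.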

If you know more tricks, feel free to share it with us as we’ll keep this page up to date with all those wonderful tricks!


The LocalHost

In a previous post I wrote about a simple and easy way to convert your HTML into a WordPress theme. Starting from today I will post a small series of articles that will explain the sweet little details of building a new WP theme. So, first things first, we will start by explaining how to install WordPress on a local computer (Learn how to install WordPress locally on Mac). Doing so saves you time in updating and previewing files; we will also mention some problems that you may encounter during and after the installation.


The Loop is used by WordPress to display each of your posts. It’s the most important piece of PHP code. Basically, it’s what displays the content you see on your homepage, your single posts, pages, archives, search results, etc. Any HTML or PHP code placed in the Loop will be repeated for each post. The Loop should be placed inside index.php and in any other templates used to display post information.


Some time ago I decided to give WordPress a try and convert some of my XHTML code into a WordPress theme. I looked for tutorials on this topic and found a lot of them, and the WordPress website has lessons too. But can those tutorials and lessons really be helpful to you if you don’t know PHP and don’t understand the terminology used in them? I was a little bit confused by the huge amount of information at the beginning. So let’s keep it simple, at least for now.


My apologies for not updating the blog for such a long time. Thanks to Vivekk for pointing it out to me and reminding me how he’s missing the content of this blog (definitely makes me feel good). Coming back to the actual post: the talk of WordPress not being a secure engine, and the questions being raised about the security of WordPress, tell me how we all tend to blame others for our own faults!
