Using WordPress nonces

Nonces are an important security feature of WordPress. Whilst they’re not infallible, they should be used on all forms you submit in WordPress (backend, frontend, plugins etc.).

The term ‘nonce’ stands for ‘number used once’. As it happens, they’re often used more than once in WordPress, but that doesn’t detract from their usefulness as a security feature.

They’re simple to use so there’s no excuse for not doing so.

Let’s say you have a form as follows:

<form action="" method="post" name="myform">
<input name="mytextfield" type="text" value="Hello" />
<input name="submit" type="submit" value="Submit" />
</form>
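As an added example (not code from the post above), here is the same form with a nonce field added and the handler that verifies it before trusting anything in the submission; the action name `myform_save`, the field name `_myform_nonce`, the capability checked and the option name are assumptions:

```php
<?php
// Added example: a WordPress form protected by a nonce, plus the handler
// that verifies it. Action name 'myform_save', the nonce field name and
// the option name are assumed, not taken from the post.

// 1. Render the form (e.g. from an admin page callback).
function myform_render() {
    ?>
    <form action="" method="post" name="myform">
        <?php
        // Emits a hidden field '_myform_nonce' tied to the action
        // 'myform_save' (and a _wp_http_referer field).
        wp_nonce_field( 'myform_save', '_myform_nonce' );
        ?>
        <input name="mytextfield" type="text" value="Hello" />
        <input name="submit" type="submit" value="Submit" />
    </form>
    <?php
}

// 2. Handle the submission: nothing is trusted until the nonce verifies.
function myform_handle_post() {
    if ( ! isset( $_POST['submit'] ) ) {
        return; // Not our form.
    }

    // wp_verify_nonce() returns false when the nonce is missing, forged,
    // issued for another user/action, or past its lifetime; 1 or 2 when valid.
    $nonce = isset( $_POST['_myform_nonce'] ) ? $_POST['_myform_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'myform_save' ) ) {
        wp_die( 'Security check failed: invalid or expired nonce.' );
    }

    // A nonce proves the request was intended, not that the user is
    // allowed to do this, so the capability is still checked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.' );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['mytextfield'] ) );
    update_option( 'myform_textfield', $value );
}
add_action( 'admin_init', 'myform_handle_post' );
```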

Continue reading …

EasyApache4 and CSF

If you upgrade from EasyApache 3 to EasyApache4 and you run CSF (ConfigServer Firewall), you’re going to need to make some changes to your CSF configuration because the Apache logs have been moved to a different directory. If you don’t make these changes, CSF will not be able to monitor your system effectively.

As far as I can see, these are the changes you need to make:

Continue reading …

CSS border-box everywhere

I can only presume the folk who originally came up with the way CSS sizes its internal boxes were as mad as a box of frogs.

Take, for example, this bit of code:

.myblock {
   width: 200px;
   padding: 5px;
   border: 1px solid green;
}

If you said something was 200px wide and then added 5px of padding and a 1px border, it would actually end up 212px wide (the 200px width plus 5px of padding on each side and a 1px border on each side). What most sane people would expect is that the 200px width on the element would include the padding and borders.

Thankfully, the latest iterations of CSS have provided a way to make this work sensibly via the box-sizing property.

Continue reading …

Chkrootkit output passwd infected

If you’re seeing output from your chkrootkit that says something like:

Checking `passwd'... INFECTED

And maybe (at the bottom):


There’s a good chance it’s a false positive, but you need to check.

The way to check is to see if the md5sum of your current passwd file matches the one distributed by cPanel.

Continue reading …

SSL for sites sharing an IP address: SNI+SSL

IPv4 addresses are in short supply, and one of the most common reasons people need additional IP addresses is to supply SSL to a site. However, it is now possible to add SSL certificates to individual domains that share an IP address via Server Name Indication (SNI).

Some things need to be in place to support SNI:

  • Apache 2.2.12+
  • an OS that supports SNI (CentOS 6, RHEL 6 or CloudLinux 6 at the time of writing); specifically, it needs an OS that supports OpenSSL 0.9.8+

With those things in place it should be automatically supported – you don’t usually need to take any additional action to enable it – and you can install SSL certificates on any and all sites even though they share the same IP address. There is no requirement to buy wildcard or any other particular type of SSL certificate. Normal certificates should suffice.

There is one ‘gotcha’ you should be aware of though.

Continue reading …

Speed up WordPress by fixing the cron job

WordPress needs to run certain things on a regular basis. It needs to check whether scheduled posts should be published, whether plugins and themes need to be updated, whether emails need to be sent, and so on.

To do this, WordPress has a wp-cron.php file. By default, this gets called every time someone accesses your site. I presume WordPress does it this way just in case the site administrator doesn’t have the facilities or wherewithal to create proper cron jobs.

As you might imagine, there’s an overhead in calling this every time someone accesses your site, and it’s totally unnecessary. Instead, you can call it from a proper cron job on a schedule.

Continue reading …

Clear the DNS cache in OS X 10.11 El Capitan

OS X 10.11 El Capitan uses the same command as the previous version of OS X to clear the DNS cache. You need to open a Terminal window and enter:

sudo killall -HUP mDNSResponder

It will ask you for your password if you do not already have elevated privileges.

If you’ve moved a site somewhere and still don’t seem to be seeing the correct output after doing the above, it might be worth clearing cached pages from your browser.

To do this in Safari, click on Safari on the top menu, select Preferences and go to the Privacy tab. From there you can either hit the Remove All Website Data button to clear all your cookies and caches or click on the Details button and search for the specific site whose data you want to remove.

Ad-blocking, ethics and the internet’s financial model

Back in September the BBC ran an article speculating that the rise in ad-blocking software may mean the death of the free internet. A few years ago they even asked if blocking adverts was ethical. These are interesting questions.

A lot of websites rely on advertising income to keep them going. There are costs involved in producing a web site. Hardware needs to be purchased (or rented) and managed, software needs to be maintained and, on bigger sites, writers need to be paid. It’s the same with television. Virtually all channels – the BBC being the obvious exception – need to advertise to pay for their output. The BBC doesn’t because they get their income from the licence fee. Sky even has the temerity to charge people a fee to view their channels and show adverts too.

Now, I would imagine a lot of people record programmes on the commercial channels and just fast-forward through the adverts. Likewise, I would imagine that just about everybody clicks the ‘Skip Ad’ button when viewing YouTube content. And a lot of people do indeed run ad blocking software.

Continue reading …

Pretty, SEO-friendly URLs with .htaccess

It is often said that dynamic URLs – that is, URLs with a format like blog.php?id=1&title=hello – are at a disadvantage compared to static-looking URLs of the format blog/1/hello. There is much debate about this issue, though, and back in 2008 Google even recommended against rewriting URLs.

Google said:

Does that mean I should avoid rewriting dynamic URLs at all?

That’s our recommendation, unless your rewrites are limited to removing unnecessary parameters, or you are very diligent in removing all parameters that could cause problems. If you transform your dynamic URL to make it look static you should be aware that we might not be able to interpret the information correctly in all cases. If you want to serve a static equivalent of your site, you might want to consider transforming the underlying content by serving a replacement which is truly static.

So, according to Google back in 2008, blog.php?id=1 is just as good as blog/1/.

Continue reading …

El Capitan and Exchange aliases solution

Further to my previous post, after a bit of playing around I’ve found a solution to the problem of using Exchange aliases in OS X Mail under OS X 10.11 El Capitan.

It seems the accounts.plist file is now superfluous and the way to add an alias is as follows:

1. In OS X Mail, select Mail -> Preferences.

2. Highlight your Exchange account from the list on the left.

3. Make sure the Account Information tab is selected in the right panel and look for the Alias dropdown.

4. The Alias dropdown may be greyed out (it was for me), so, if it is, go to the Outgoing Mail Server dropdown and change it to None.

5. Close down that panel (or select another mail account from the left menu if you have one) to force it to save. It should ask you if you want to save settings.

Continue reading …