Marc DiBlasi

So, I have a bunch of side projects. All of them are fairly small and it’s mostly me and a few friends using everything. I’ve constantly tried to cut my hosting costs as much as possible, not as a practical matter but I see it more like code golf, it’s just fun to see what’s possible. Let’s start off by listing what I’m hosting: 2 PHP-based web apps 3 environments each (dev, staging, live).

yum whatprovides is a great tool to figure out which package you need to get a certain file. yum whatprovides */dig will let you know that you need the install the bind-utils package to get dig. Ubuntu has the same functionality, but you’ll need to follow a few steps to get there. First, install apt-file apt-get install apt-file Then, update the file cache apt-file update After that, you can search the cache using regexp.

I recently needed to get the first character of a column in a space separated file, and while there are a ton of ways to do this, I figured that Awk’s substr function would make the most sense. substr(string, start, length): This will return length characters from string starting at position start. start is not zero-based, so 1 will be the first character, 2 will be the second, and so-on. On most systems, 0 still works for the first character, even though 1 will also return the first character.

While looking into a way to speed up my website, I also found a way to have it hosted for free. Best of both worlds? Pretty much, though there are a few caveats. WordPress Previously I had a WordPress site on a paid hosting platform. This worded out pretty well. I could add a bunch of different plugins and do all sort of neat stuff with my site. It was very easy to setup, update, and do… whatever I wanted.

Is every web property that you own 100% HTTPS? Yeah? Ok, stop reading right now, this post isn’t going to help you at all. Still here? Great. You need SSL everywhere. On your site that accepts credit card payments? Yeah, you should’ve been doing this for a long time. On your site that sends you to a third party to collect money for a good or service? Yeah, SSL would be great for that.

Occasionally, we run into a client that uses an insecure password. We typically tell them about the security implications, and suggest that they change it, and mention LastPass{.colorbox} as an alternative to having to remember a ton of complicated passwords. There are simple ways you can check if you’re password is worth using. The big one to check is the top 500 most common passwords of all time{.colorbox}. It’s very common for bots to attack WordPress sites using the default admin username “admin” and the top 500 most common passwords.

I was originally very concerned about the new automatic updates, because updates on a WordPress site occasionally break things. When I update, I want to get a quick backup right before, and have a restore plan in place, in case anything goes awry. It’s a risky procedure, and the thought of WordPress updating itself whenever it wants to is enough to send chills down my spine. The first thing I looked for was how to disable the updates, which can be done by adding this to your wp-config.

It’s something that is often overlooked, but for security and speed, you should IP restrict your /wp-login.php file. I’ve had many sites go down because there’s someone trying to brute force the admin login, and even if it doesn’t take them down entirely, it tends to slow them down. Why? With any finely tuned site, users are mostly hitting static files. CSS, JS, images, cached pages, and so on. When they hit /wp-login.

Too often I get clients that have no idea who hosts their DNS, or they will migrate from a company, leave their DNS, and have no idea what they’re getting charged for. You need to know who hosts your DNS. Registrars The whole DNS system starts with a registrar. This is the place you bought your domain, the place that still charges you roughly $10 year. This will likely be GoDaddy, Network Solutions, NameCheap, or any one of the tons of registrars that are out there.

I write this not with the intent of telling people how to hack, but with the hopes that people will realize how easy it is to protect against. How to Hack Poorly Coded Forms The basic idea in SQL injection is that the app puts together a database query based on the input you’ve entered. If you enter the right input, and the app doesn’t check for it, you can control the database.

If you use the built-in import/export to migrate a WordPress site, you’re doing it wrong. You don’t save any of the site’s settings or the plugin settings. Please figure out a better way to migrate a site. What You’re Messing Up First of all, the WordPress export doesn’t move everything. Here’s what makes up your site: the core code, uploads, your theme, plugins (and their settings), posts, pages, users, and settings.