Uncategorized

Add SSL to Your Site, NOW

Is every web property you own 100% HTTPS? Yeah? Ok, stop reading right now, this post isn’t going to help you at all. Still here? Great. You need SSL everywhere. On the site that accepts credit card payments? Yeah, you should have been doing this for a long time. On the site that hands visitors off to a third party to collect payment for a good or service? Yeah, SSL would be great for that too: without it, the login, the session cookie and everything the visitor types before the hand-off travel in the clear.

Don’t Use Common Passwords

Occasionally we run into a client that uses an insecure password. We tell them about the security implications, suggest that they change it, and mention LastPass as an alternative to having to remember a ton of complicated passwords. There are simple ways to check whether your password is worth using. The big one is to check it against the list of the top 500 most common passwords of all time. It’s very common for bots to attack WordPress sites using the default admin username “admin” and those same top 500 passwords, so if yours is on the list, a bot will guess it within its first few hundred attempts.

WordPress 3.7’s Automatic Updates

I was originally very concerned about the new automatic updates, because updates on a WordPress site occasionally break things. When I update, I want to take a quick backup right before, and have a restore plan in place in case anything goes awry. It’s a risky procedure, and the thought of WordPress updating itself whenever it wants to is enough to send chills down my spine. The first thing I looked for was how to disable the updates, which can be done by adding this to your wp-config.
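As an added example (this is not the snippet the excerpt cuts off above), these are the two constants WordPress reads from wp-config.php for this. One caveat worth having in front of you before you turn it all off: 3.7’s background updater only auto-applies minor and security releases by default, so the narrower constant keeps the security patches flowing while leaving major upgrades to your backup-first procedure.

```php
<?php
// Added example, not the page's own wp-config snippet. These lines go in
// wp-config.php above the "That's all, stop editing!" line (the real file
// already opens with <?php, so do not add a second one).

// Option A: disable every automatic update (core, plugins, themes, translations).
// Only do this if you have your own patch schedule; you now own the security fixes.
define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Option B (narrower): leave the background updater on and control core releases.
//   true    - auto-apply every core release, including major ones
//   'minor' - security and maintenance releases only (WordPress 3.7's default)
//   false   - never auto-update core
// Option B has no effect while Option A is set, so pick one of the two.
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

If you go with Option A, pair it with a reminder to run the updates by hand on a schedule; an unpatched site is a worse outcome than an occasionally broken one.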

IP Restrict wp-login.php to Keep Bots From Slowing You Down

It’s something that is often overlooked, but for both security and speed you should IP restrict your /wp-login.php file. I’ve had many sites go down because someone was trying to brute force the admin login, and even when it doesn’t take them down entirely, it tends to slow them down. Why? On any finely tuned site, users are mostly hitting static files: CSS, JS, images, cached pages, and so on. When they hit /wp-login.
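An added example of the restriction in Apache (not the page’s own config; the addresses are placeholders from the RFC 5737 documentation ranges, to be replaced with your office or VPN addresses). It goes in the site’s vhost or its .htaccess:

```apache
# Added example, not the post's configuration. Replace the placeholder
# addresses with the ones your admins actually log in from.
<Files "wp-login.php">
    # Apache 2.4 (mod_authz_core): everyone not listed gets a 403
    Require ip 203.0.113.0/24 198.51.100.7

    # Apache 2.2 equivalent (remove the three lines above if you use this):
    # Order Deny,Allow
    # Deny from all
    # Allow from 203.0.113.0/24 198.51.100.7
</Files>
```

Everyone else is refused by the web server before PHP or MySQL is touched, which is the speed win the post is after. Two caveats: if the site sits behind a CDN or reverse proxy, Apache sees the proxy’s address, so configure mod_remoteip before adding this or you will lock out the proxy and yourself; and xmlrpc.php is a second login endpoint that bots brute force through, so it deserves the same treatment.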

Who’s Hosting Your DNS?

Too often I get clients who have no idea who hosts their DNS, or who migrate away from a company, leave their DNS behind, and have no idea what they’re being charged for. You need to know who hosts your DNS.

Registrars

The whole DNS system starts with a registrar. This is the place you bought your domain, the place that still charges you roughly $10 a year. It is also where the nameserver records that delegate your domain to whoever hosts your DNS are set, which is why it is the first place to look. It will likely be GoDaddy, Network Solutions, NameCheap, or any one of the tons of registrars out there.

Sterilize Your Inputs, Protect Against SQL Injection

I write this not with the intent of telling people how to hack, but in the hope that people will realize how easy it is to protect against.

How to Hack Poorly Coded Forms

The basic idea behind SQL injection is that the app builds a database query by pasting in the input you’ve entered. If you enter the right input, and the app doesn’t keep that input separate from the query (with a prepared statement or, at minimum, proper escaping), your input becomes part of the SQL, and you control what the database runs.

Do Not Migrate a Site With WordPress Export/Import

If you use the built-in import/export to migrate a WordPress site, you’re doing it wrong. You don’t save any of the site’s settings or the plugin settings. Please figure out a better way to migrate a site.

What You’re Messing Up

First of all, the WordPress export doesn’t move everything. Here’s what makes up your site: the core code, uploads, your theme, plugins (and their settings), posts, pages, users, and settings.

Puppet Restarts Apache, Server Crashes

Earlier, one of my servers stopped responding on port 80. It appears Puppet had restarted Apache because it updated a config file for one of the virtual hosts; the new file had a configuration error, so Apache didn’t come back up. By default Puppet restarts a service by stopping it and starting it again, even when the daemon supports a reload, so when the config is broken the stop succeeds, the start fails, and Apache is left dead. I also realized it would be nice to run configtest before even trying to restart.
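An added Puppet manifest (not the author’s; the vhost path, template name and Debian-style service name are assumptions) that puts configtest in front of the restart and swaps the stop/start for a graceful reload:

```puppet
# Added example, not the author's manifest. Debian/Ubuntu paths and the
# 'apache2' service name are assumed; on RHEL the service is 'httpd'.

file { '/etc/apache2/sites-enabled/example.com.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => template('apache/vhost.erb'),   # assumed template
  notify  => Exec['apache-configtest'],
}

# Runs only when a config file changes. A non-zero exit marks this resource
# as failed, and Puppet then skips the service it notifies, so a broken vhost
# never reaches the running daemon.
exec { 'apache-configtest':
  command     => '/usr/sbin/apachectl configtest',
  refreshonly => true,
  logoutput   => true,
  notify      => Service['apache2'],
}

# `restart` replaces Puppet's default stop-then-start with a graceful reload:
# workers finish their current requests and the listening socket never closes.
service { 'apache2':
  ensure     => running,
  enable     => true,
  hasstatus  => true,
  hasrestart => true,
  restart    => '/usr/sbin/apachectl graceful',
}
```

The bad file is still written to disk when configtest fails, so fix the template promptly: the next reboot or manual restart will hit the same error, and the Puppet run will keep reporting the failed exec until it is fixed.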

Making Sure Puppet is Running

Have you ever realized that Puppet stopped running on a server a month ago? Or perhaps you stopped it and forgot to restart it? Your server has been ignoring vital security updates because you thought Puppet had it covered. That’s why I use this handy bit of code:
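One way to do it, as an added example rather than the author’s snippet (which the excerpt does not show): manage the agent service from Puppet itself and add a cron fallback that applies the catalog even when the daemon has died. The service name and agent path are Debian-style assumptions; fqdn_rand is a core Puppet function that spreads the run minute across hosts.

```puppet
# Added example, not the author's code. Assumes a Debian-style 'puppet'
# service and the agent binary at /usr/bin/puppet.

# Puppet keeps its own daemon alive, as long as a run happens at all...
service { 'puppet':
  ensure => running,
  enable => true,
}

# ...and cron provides that run when the daemon is gone. --onetime exits after
# a single catalog apply, and the agent's run lock makes it bail out if the
# daemon is already mid-run, so the two never collide. fqdn_rand picks a
# stable per-host minute so a fleet does not hit the master all at once.
cron { 'puppet-agent-fallback':
  ensure  => present,
  user    => 'root',
  minute  => fqdn_rand(60),
  command => '/usr/bin/puppet agent --onetime --no-daemonize --logdest syslog',
}
```

Because the cron run applies the whole catalog, it also re-applies the service resource above, so a stopped daemon is back within the hour without anyone noticing it was gone.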

puppet resource

The other day, while I was trying to get Puppet up and running on a server, I found that you can use “puppet resource” to generate Puppet manifest code for you. If you type: It’ll show you the Puppet configuration for all of the users on your system. You can also specify a single user, like this: You can do this for almost any type Puppet supports. or You can easily save your system’s package list and redeploy it quickly if the server fails, or if you just want to make a clone for staging.
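The invocations are puppet resource user (every user), puppet resource user deploy (one user) and puppet resource package > packages.pp (the installed package list), and puppet apply packages.pp replays a saved list on a fresh host. As an added illustration, constructed rather than captured from the author’s server (the user, ids and version are made up), here is the shape of what those commands print:

```puppet
# Constructed illustration of `puppet resource user deploy` output; not real
# output from the author's machine. Values are invented for the example.
user { 'deploy':
  ensure           => 'present',
  gid              => '1001',
  home             => '/home/deploy',
  password         => '!',
  password_max_age => '99999',
  password_min_age => '0',
  shell            => '/bin/bash',
  uid              => '1001',
}

# One entry of the kind `puppet resource package > packages.pp` saves; the
# version string is invented for the example.
package { 'apache2':
  ensure => '2.2.22-13',
}
```

Two things to check before committing the output: run as root, the user output can include the password hash from /etc/shadow, so it does not belong in a public repository; and the package output pins exact versions that may no longer exist in the repositories when you rebuild, so loosen them to ensure => installed unless you really need that version.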

Syncing your Thunderbird Install Using Dropbox

I have definitely found a lot of decent uses for Dropbox, but none better than syncing my Thunderbird settings.

The Problem

I use a laptop, a work desktop, a home desktop, and occasionally I’ll pull up my email on the HTPC. I found that I had to install Thunderbird on each, which in itself isn’t that bad, but when it comes to configuring everything for my three email accounts and the multiple settings I use, it becomes a nightmare.