1and1 wp-login.php Redirection Issues

For a time on December 30th, 2013, my hosting provider 1and1.com was redirecting all WordPress logins to 128.0.0.1 whenever one hit wp-login.php, effectively blocking all attempts to log in (and log out, for that matter) from any WordPress installation on their servers.

Their response was less than desired; they stated that the issue was affecting only .5% of their customers. Even if that were true, which I doubt given how widely WordPress is used, it discounts the severity of the issue for WordPress users, a program that they say they support completely.

Securing Older Versions of Joomla


One reason I’ve begun to prefer WordPress over Joomla is that WordPress has made the upgrade process so much easier than Joomla. To upgrade Joomla 1.x to 1.5, you have to use special tools, and again, if you go from 1.5 to version 2 or 3, be prepared for a different toolset and migration path. Ugh! Worse still, Joomla extensions have become very version specific due to a lack of backwards compatibility. WordPress, on the other hand, allows one to simply put the new code in place, and so long as there is not a conflict with a plugin, the code takes care of everything else for you, including updating the database.

Perhaps it is only because I haven’t tried to migrate a very customized WordPress site that I feel this way, or because my more complicated older sites are nearly all in Joomla. So long as I keep a copy of the changes I’ve made to styles or any core files, I’m able to keep things up to date quite easily with WordPress. As noted above, sometimes an entire system isn’t easy to replace, though. There are times a client has invested heavily in a very specific Joomla module or tool, only to find that it is not readily available for the newest versions of Joomla. (I am not finding this to be true of WordPress plugins, another reason to go with WordPress today.) So the problem to deal with is securing older versions of Joomla that have known security issues. What exactly can one do to make an older Joomla site more secure? Let’s take a look at securing Joomla.


Brute Force Attacks? Get “Better WP Security” for WordPress Security

Over the past several days, I’ve seen a great many news articles about a bot-based brute force attack on WordPress (and Joomla) based websites, where the bot tries common password choices with the username “admin.” Mind you, we are talking about hundreds, perhaps thousands, of these common passwords, coming from tens of thousands of compromised servers. The goal is to gain access to the server and then use the administrator site to add other files and code changes that compromise the website completely. You really need some WordPress security.

Having already written about other recent increases in hacking efforts, I am bothered that yet again these content management systems are being hit with what amounts to wasted talent; hackers show intelligence and problem-solving skills, so why not put them to use in a way that doesn’t harm others? Thankfully, the open source community is quick to respond and build the tools needed to protect websites from such harmful efforts.

Better WP Security from Bit51.com is an excellent add-on to your WordPress website. It was written long before this current wave of brute force attacks, and is something I would recommend all WordPress websites use from day one. It relies on both .htaccess changes for blocking known bots and other file changes that remove vulnerabilities outright or through obfuscation.

Here is a list of some of the things this tool does:

  • Enforces stricter passwords for users at any level you determine.
  • Removes the backend file editor.
  • Scans the site for recently changed files and emails a report to you if there are such intrusions.
  • Blocks repeated login attempts.
  • Blocks SQL injection attempts.
  • Makes backups of your database and mails them to you at regular intervals.

This is open source work at its finest. It is free to use, but the developer does provide a means of paying him for his work, which I’d highly recommend doing, as this tool is really quite well constructed and extremely valuable.


Dealing with Hacked Websites

Simply put, hackers suck. Over the past six to eight months, I’ve had to deal with the hacking of many former (and a few current) client websites. All but one of the exploits came through older versions of Joomla, the exception being an older WordPress site. Version 1.0 of Joomla is ancient by Internet terms, and several security exploits were discovered in it. Add to this that there are often third party extensions with additional exploit possibilities. This environment makes it so any jackass who can write a script that searches page source code for specific components or Joomla references can then upload files to your server. Ugly. Really ugly.

The compromised websites in all cases continued to function, at least somewhat. One hacker injected a file into the site that would in turn alter the .htaccess file, adding mod_rewrite rules that redirected anyone coming from Facebook, Google and just about any other search engine or social networking site. If one typed the URL in directly, nothing happened. No URLs in the search engines were altered either; the redirects in the .htaccess file hijacked only people whose request headers showed they had come from one of these sources. A couple of sites had files that were posting text on pages and adding new links. One hack destroyed the ability to use the administrator section of Joomla, causing a 500 error upon login.
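The referrer-conditional redirect described above is easy to miss by hand because the site still works when you visit it directly. As an added example (not part of the original post), here is a Python check that parses an .htaccess file, pairs each RewriteRule with the RewriteCond lines in front of it, and reports rules that both test %{HTTP_REFERER} and send the visitor to a host other than the site's own. The sample .htaccess is constructed: the first block is an ordinary Joomla-style SEF rewrite, the second is the injected pattern. The site hostnames and the attacker hostname are placeholders.

```python
import re

# Constructed sample .htaccess. Block one is legitimate; block two only fires
# for visitors arriving from a search engine or social network and bounces
# them off-site, which is exactly the hijack described above.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule (.*) index.php [L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://attacker-placeholder.invalid/go.php?u=$1 [R=301,L]
"""

# Assumed: the hostnames this site legitimately serves. Redirects to these are fine.
SITE_HOSTS = {"www.example.org", "example.org"}

# A RewriteRule whose substitution is an absolute URL; captures the target host.
EXTERNAL_TARGET = re.compile(r"^RewriteRule\s+\S+\s+https?://([^/\s]+)", re.IGNORECASE)


def parse_rewrite_blocks(text):
    """Group each RewriteRule with the RewriteCond lines that precede it.
    Returns a list of (conditions, rule_line, line_number) tuples."""
    blocks, pending = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
        elif line.startswith("RewriteRule"):
            blocks.append((pending, line, number))
            pending = []
        # blank lines, comments and other directives do not end a RewriteCond chain
    return blocks


def find_referrer_hijacks(text, site_hosts=SITE_HOSTS):
    """Return one finding per rule that is gated on the Referer header and
    redirects to a host outside site_hosts."""
    findings = []
    for conds, rule, number in parse_rewrite_blocks(text):
        uses_referer = any("%{HTTP_REFERER}" in c.upper() for c in conds)
        match = EXTERNAL_TARGET.match(rule)
        if uses_referer and match and match.group(1).lower() not in site_hosts:
            findings.append({
                "line": number,
                "target_host": match.group(1),
                "conditions": len(conds),
            })
    return findings


if __name__ == "__main__":
    for f in find_referrer_hijacks(SAMPLE_HTACCESS):
        print("line %(line)d: %(conditions)d referer condition(s) redirect to %(target_host)s" % f)
```

Run it over every .htaccess under the web root (the injected copy is not always the top-level one) and treat each finding as something to review rather than proof of compromise: a site that genuinely moved domains may redirect off-host on purpose, although it would rarely need to key that on the Referer. Comparing the file against a known-good backup, as the changed-file scan in the previous section does, settles the question.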


Directory Pass – Open Source File Access Tool

Being able to manage access to specific directories with usernames and passwords is a fairly easy thing to do with .htaccess on an Apache server. There are many websites that offer help for this. However, if you need to manage users on a regular basis, having a tool for doing so is really helpful.

Directory Pass is one such tool. I’ve been using it at work for close to a year now, and while it’s not perfect, it gets the job done and is simple to use. The only real pain I’ve had with it was clicking the “Disable Password Protection” link once, only to discover it didn’t save any of the former settings. Disable is really delete. Otherwise, this has been a great little tool to use, and it’s open source, too.

Mobile Site Recognition Via htaccess

Using JavaScript to detect a browser type and redirect iPhones, iPads and other mobile devices is not very difficult to do. However, it means that the page load has already happened, as the JavaScript must be invoked before it can redirect the browser to the alternative page.

If you’re using Apache, you can redirect via htaccess.  This will let Apache redirect the browser before there are any assets downloaded.

This example is from StackOverflow.com, and includes setting a cookie so that you may code your pages to keep the user on the mobile site unless they choose to view the desktop version.

RewriteEngine On

# Check if this is the noredirect query string
RewriteCond %{QUERY_STRING} (^|&)noredirect=true(&|$)
# Set a cookie, and skip the next rule
RewriteRule ^ - [CO=mredir:0:%{HTTP_HOST},S]

# Check if this looks like a mobile device
# (You could add another [OR] to the second one and add in what you
#  had to check, but I believe most mobile devices should send at
#  least one of these headers)
RewriteCond %{HTTP:x-wap-profile} !^$ [OR]
RewriteCond %{HTTP:Profile}       !^$
# Check if we're not already on the mobile site
RewriteCond %{HTTP_HOST}          !^m\.
# Check to make sure we haven't set the cookie before
# (the cookie may be the first one in the header, so allow start-of-string
#  as well as a preceding "; " separator)
RewriteCond %{HTTP:Cookie}        !(^|;\s*)mredir=0(;|$)
# Now redirect to the mobile site
RewriteRule ^ http://m.example.org%{REQUEST_URI} [R,L]

1and1.com – php.ini and htaccess customization

I host my website with 1and1.com, and can honestly say I recommend them to others, too. They provide a great deal of resources at a very reasonable price and have reasonably good service on the occasions I’ve needed it. Perhaps the fact that I don’t expect much from a low-cost hosting entity is also why I think their service is fine. It may also be said that I wouldn’t recommend them because of their service; that’s certainly true, too.

They provide a great Linux/Apache/MySQL/PHP setup and allow you to have private domains through their registrar for no additional cost. Private domains shield you from an onslaught of spam and unwanted phone calls, as your registration details remain hidden behind the 1and1 proxy account.

There are a couple of oddities with any hosting provider to overcome, and here’s what I have learned about 1and1 and the tools I use to make development easier. First off, PHP 5 is not enabled automatically. In order to make PHP 5 the default for the website, you’ll need to add the following line to an .htaccess file:

AddType x-mapp-php5 .php

If you are running Joomla!, and wish to use the built-in SEO mod_rewrite features, be sure to also set the RewriteBase directive to the root directory:

RewriteBase /

PHP settings, as with many shared hosts, are controlled via a php.ini file that you upload to your root directory. However, with 1and1 there are some less than traditional settings, and you must also place a php.ini file in each directory on the website where PHP files are used. If you’ve just started using 1and1 for the first time, figuring all of this out can be challenging.

Download the ini_help.zip files here. To easily install a php.ini file everywhere in the website’s code, I use the script phpcopy.php that you’ll find in the archive. If you need to delete the files again, you can use the phpdelete.php script. You will need to insert the full path of where this script lives on the server within the file before you upload it. I’ve also included a copy of the php.ini file I use. It will also need the full server path added to it for the tmp directory line.

If you need to determine the full server path, you can do so with a phpinfo() script and look under the Environment section. Alternatively, you could log in via SSH, navigate to the web directory you wish to use and enter “pwd” to see the full path.
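The copy-everywhere and delete-everywhere steps above are simple enough to script in any language. As an added example (not the author's phpcopy.php or phpdelete.php, and not 1and1's code), here is a Python version that walks the web root, writes a php.ini into every directory that actually contains a .php file, and can remove them all again; the `demo()` function builds a constructed site tree in a temporary directory so the script can be run without touching a real site. The php.ini contents are a constructed sample and the server path in it is a placeholder you must replace.

```python
import os
import shutil
import tempfile

# Constructed sample php.ini. /ABSOLUTE/SERVER/PATH is a placeholder: replace it
# with the path shown in phpinfo()'s Environment section or by `pwd` over SSH.
SAMPLE_PHP_INI = """\
; Constructed sample; not the author's php.ini.
upload_tmp_dir = /ABSOLUTE/SERVER/PATH/tmp
session.save_path = /ABSOLUTE/SERVER/PATH/tmp
display_errors = Off
expose_php = Off
"""


def php_dirs(root):
    """Every directory under root (root included) holding at least one .php file."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if any(name.lower().endswith(".php") for name in filenames):
            found.append(dirpath)
    return sorted(found)


def place_ini(root, ini_text, name="php.ini"):
    """Write ini_text as php.ini into each PHP-bearing directory; return paths written."""
    written = []
    for directory in php_dirs(root):
        target = os.path.join(directory, name)
        with open(target, "w") as fh:
            fh.write(ini_text)
        written.append(target)
    return written


def remove_ini(root, name="php.ini"):
    """Delete every php.ini under root; return the paths removed."""
    removed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if name in filenames:
            target = os.path.join(dirpath, name)
            os.remove(target)
            removed.append(target)
    return sorted(removed)


def demo():
    """Build a constructed site tree in a temp dir, place then remove php.ini,
    and return the relative paths touched by each step."""
    base = tempfile.mkdtemp(prefix="ini_demo_")
    try:
        # images/ holds no PHP and so must not receive a php.ini
        for rel in ("index.php", "administrator/index.php",
                    "images/logo.png", "components/com_demo/demo.php"):
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("")
        written = [os.path.relpath(p, base) for p in place_ini(base, SAMPLE_PHP_INI)]
        removed = [os.path.relpath(p, base) for p in remove_ini(base)]
        return {"written": written, "removed": removed}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    result = demo()
    print("wrote:  ", ", ".join(result["written"]))
    print("removed:", ", ".join(result["removed"]))
```

To use it on a real site, call `place_ini("/ABSOLUTE/SERVER/PATH", open("php.ini").read())` from a shell on the server rather than uploading it as a web-reachable script, and remember that a php.ini sitting in a web directory is served as plain text unless Apache is told otherwise, so keep nothing in it you would not want a visitor to read.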