Categories
Presentations

What to shove up your .htaccess

Simon Bragg of website and design agency Sibra gave a talk on Monday about the .htaccess file. On sites running on the Apache web server it lives in the document root (and can also be placed in any sub-directory, where it applies to that sub-tree); if there is no .htaccess at all, check which server software you are on, since nginx, for instance, ignores the file entirely. It controls access to files and directories on the site, handles redirects and can be used for security and performance tuning.

You can see Simon’s slides here:

What to shove up your htaccess presentation by Simon Bragg of Sibra (click to open)

Here’s a written version of the presentation:

What to shove up your .htaccess

Simon Bragg

http://sibra.co.uk

Cambridge WordPress Meetup August 2018

The .htaccess file

.htaccess files enable:

  • Per-directory configuration changes (they apply to the directory they sit in and to every sub-directory below it);
  • Without editing httpd.conf, which on shared hosting you usually cannot reach;
  • Usually allowed, as long as the host's AllowOverride setting permits the directives you use;
  • Short commands: each directive is a keyword followed by its value(s).

If you get the syntax wrong, you get:

Error 500 Internal Server Error

The reason is written to the server's error log, not to the browser, so look there (or ask the host) when a change produces a 500. Because every request re-reads the file, a broken .htaccess takes the whole site down instantly; keep a copy of the last working version before editing.

What you can do

  • Browser caching
  • gzip compression for file transfer
  • Keep alive
  • Regex for redirects
  • Security enhancements

Browser caching

## EXPIRES CACHING ##

<IfModule mod_expires.c>

ExpiresActive On
# Static assets that change rarely (a year is safe if you version the
# file name or URL when they do change)
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 year"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
# application/json also covers REST API (wp-json) responses, so a month is generous
ExpiresByType application/json "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 year"
ExpiresByType application/x-font-ttf "access plus 1 year"
ExpiresByType application/x-font-opentype "access plus 1 year"
ExpiresByType application/x-font-woff "access plus 1 year"
ExpiresByType image/svg+xml "access plus 1 year"
# Everything else, text/html included: keep this short, or visitors (and
# your own browser) keep seeing old pages after you change something
ExpiresDefault "access plus 2 days"

</IfModule>

## END EXPIRES CACHING ##

(The "plus" keyword is optional in mod_expires, so "access 1 month" and "access plus 1 month" mean the same; the consistent form is used above.)

This can make a dramatic difference:

[Speed check screenshots: before and after the caching changes]

Compress transfer: gzip

Place this code AFTER the WordPress block, i.e. below # END WordPress:

<IfModule mod_deflate.c>
<IfModule mod_filter.c>

AddOutputFilterByType DEFLATE "application/atom+xml" \
"application/javascript" \
"application/json" \
"application/ld+json" \
"application/manifest+json" \
"application/rdf+xml" \
"application/rss+xml" \
"application/schema+json" \
"application/vnd.geo+json" \
"application/vnd.ms-fontobject" \
"application/x-font-ttf" \
"application/x-javascript" \
"application/x-web-app-manifest+json" \
"application/xhtml+xml" \
"application/xml" \
"font/eot" \
"font/opentype" \
"image/bmp" \
"image/svg+xml" \
"image/vnd.microsoft.icon" \
"image/x-icon" \
"text/cache-manifest" \
"text/css" \
"text/html" \
"text/javascript" \
"text/plain" \
"text/vcard" \
"text/vnd.rim.location.xloc" \
"text/vtt" \
"text/x-component"

</IfModule>
</IfModule>

The list on the slide ran on past text/x-component but the copy is cut off there. JPEG, PNG, GIF, PDF and woff fonts are left out deliberately: they are already compressed, and gzip only wastes CPU on them. One security note: text/html is on the list, so a page that reflects attacker-controlled input next to a secret such as a nonce is exposed to BREACH-style compression side channels; almost every site accepts that trade-off, but it is a reason not to put secrets in responses that echo request data.

[Speed check screenshot: after enabling gzip compression]

Keep alive, if allowed by host

At the end of the .htaccess file:

## KEEP ALIVE ##

<IfModule mod_headers.c>

Header set Connection keep-alive

</IfModule>

## END KEEP ALIVE ##

Two caveats. This only sets a response header; whether Apache actually keeps connections open is governed by the KeepAlive directive in the server configuration, which cannot be set from .htaccess, so on a host that has turned keep-alive off this line changes nothing. And cheaper shared hosts often do not enable mod_headers at all; the IfModule guard is what stops that being a 500.

RedirectMatch for Regex redirects

RedirectMatch comes from mod_alias, which practically every Apache host loads; it does not need mod_rewrite (the module the # BEGIN WordPress block depends on), although on a WordPress host you will have that too.

So you can use a regular expression to redirect many pages with one line. Some examples:

Perhaps for tweaking URL structure:

.* matches any run of characters; wrapping it in parentheses, (.*), captures what it matched so the same text can be reused as $1 in the target.

RedirectMatch 301 .*/employment/employee-shares/(.*) http://www.website.co.uk/employee-shares/$1

^ means start of string, $ means end of string, and (\D) matches exactly one non-digit character (so /share-options and /share_options both match, /shareoptions does not):

RedirectMatch 301 ^/share(\D)options$ http://www.website.co.uk/employee-shares/

Use of | (OR) to send several old URLs to one page:

RedirectMatch 301 ((/introducing-thepod/)|(/products/pod/)|(/about-us/the-vision/)|(/cambridgepod/)) https://website.co.uk/pod/

Two cautions. RedirectMatch looks for the pattern anywhere in the path, so the last rule, having no ^ or $, also fires on /blog/products/pod/anything; anchor patterns unless you mean that. And browsers cache a 301, so test a new rule as a 302 and only switch it to 301 once it is right.
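Before committing a RedirectMatch rule to a live site it is worth running the patterns against a list of real and near-miss paths. The following Python script is an added example, not from the talk: it approximates what mod_alias does with the three rules above (Python's re module treats patterns like these the same way as Apache's PCRE; the website.co.uk targets are the talk's placeholders) and shows why the unanchored alternation needs a ^ and a $.

```python
import re

# Constructed from the three RedirectMatch rules above: (regex, target).
# Apache substitutes $1, $2... from the capture groups into the target.
RULES = [
    (r".*/employment/employee-shares/(.*)",
     "http://www.website.co.uk/employee-shares/$1"),
    (r"^/share(\D)options$",
     "http://www.website.co.uk/employee-shares/"),
    # The alternation exactly as written in the talk: no ^ or $
    (r"((/introducing-thepod/)|(/products/pod/)|(/about-us/the-vision/)|(/cambridgepod/))",
     "https://website.co.uk/pod/"),
]


def _expand(target, match):
    """Replace $N in a RedirectMatch target with capture group N."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", target)


def redirect_for(path, rules=RULES):
    """Return the Location a RedirectMatch rule set would send `path` to,
    or None if no rule matches.

    Like mod_alias, the regex is searched for anywhere in the path (not
    only at its start), and the first matching rule wins."""
    for pattern, target in rules:
        match = re.search(pattern, path)
        if match:
            return _expand(target, match)
    return None


def anchored(rules):
    """Return the same rules with every pattern pinned to the whole path."""
    fixed = []
    for pattern, target in rules:
        if not pattern.startswith("^"):
            pattern = "^" + pattern
        if not pattern.endswith("$"):
            pattern = pattern + "$"
        fixed.append((pattern, target))
    return fixed


if __name__ == "__main__":
    for path in ["/employment/employee-shares/scheme-rules/", "/share-options",
                 "/products/pod/", "/blog/products/pod/archive/"]:
        print(f"{path:45} as written -> {redirect_for(path)}")
        print(f"{'':45} anchored   -> {redirect_for(path, anchored(RULES))}")
```

The last path is the one to notice: as written, the alternation fires on /blog/products/pod/archive/ as well, because RedirectMatch searches for the pattern anywhere in the path; the anchored version leaves it alone. Keep the list of test paths with the .htaccess file and rerun it whenever a rule changes.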

http to https

When converting an http site to https, add a redirect block of your own above the WordPress block rather than inside it (WordPress regenerates everything between # BEGIN WordPress and # END WordPress whenever permalinks are saved, and would drop your lines):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Added for the move to https: any request that did not arrive over TLS
# is sent to the same host and path on https://
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Test with R=302 first and change it to 301 once it works, because browsers cache 301s. If a proxy or CDN terminates TLS in front of the server (Cloudflare, for example), Apache sees %{HTTPS} as off for every request and this rule loops; in that case test the proxy's X-Forwarded-Proto header (%{HTTP:X-Forwarded-Proto}) instead, and only trust it when the proxy is known to overwrite anything the client sent. Finally, set the WordPress Address and Site Address to https:// in Settings, or WordPress keeps generating http links.
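The failure mode to test for before switching the 302 to a 301 is a redirect loop behind a TLS-terminating proxy or CDN. The following Python model is an added example, not from the talk: it mimics what Apache sees in the two deployments and follows the redirects as a browser would. The X-Forwarded-Proto header name and the proxy-aware RewriteCond variant quoted in the comments are assumptions (they are what most proxies and CDNs use, but check yours).

```python
# Added example (not from the talk): a model of the http->https rule in two
# deployments, TLS terminated at Apache versus at a proxy/CDN in front of it.
# Dict keys mirror the Apache variables the RewriteCond lines read.


def apache_env(client_scheme, behind_proxy, client_headers=None):
    """What Apache sees for a request the client sent over client_scheme.

    Behind a TLS-terminating proxy the hop to Apache is plain http, so
    %{HTTPS} is "off" whatever the client used; the proxy reports the
    client's scheme in X-Forwarded-Proto (assumed header name: it is what
    most proxies and CDNs send, but check yours).  With no proxy, anything
    the client itself puts in that header reaches Apache untouched."""
    if behind_proxy:
        return {"HTTPS": "off", "HTTP_X_FORWARDED_PROTO": client_scheme}
    env = {"HTTPS": "on" if client_scheme == "https" else "off"}
    env.update(client_headers or {})
    return env


def rule_from_talk(env):
    """RewriteCond %{HTTPS} !=on  -> True means redirect to https://"""
    return env["HTTPS"] != "on"


def rule_proxy_aware(env):
    """Constructed variant, not on the slide:
       RewriteCond %{HTTPS} !=on
       RewriteCond %{HTTP:X-Forwarded-Proto} !=https
    Both conditions must hold for the RewriteRule to fire."""
    return env["HTTPS"] != "on" and env.get("HTTP_X_FORWARDED_PROTO") != "https"


def redirects_until_served(rule, behind_proxy, max_hops=5):
    """Start with a plain-http request and follow 301s like a browser.

    Returns the number of redirects before a page is served, or -1 if the
    client is still being redirected after max_hops (a loop: the browser
    gives up with a too-many-redirects error)."""
    scheme = "http"
    for hops in range(max_hops + 1):
        if not rule(apache_env(scheme, behind_proxy)):
            return hops
        scheme = "https"  # the Location header always points at https://
    return -1


def downgraded_by_spoofed_header(rule):
    """True if a client talking plain http straight to the origin can skip the
    redirect just by sending X-Forwarded-Proto: https itself."""
    env = apache_env("http", behind_proxy=False,
                     client_headers={"HTTP_X_FORWARDED_PROTO": "https"})
    return not rule(env)


if __name__ == "__main__":
    for name, rule in (("rule from talk", rule_from_talk),
                       ("proxy-aware rule", rule_proxy_aware)):
        print(f"{name}: TLS at Apache -> {redirects_until_served(rule, False)} redirect(s);"
              f" behind proxy -> {redirects_until_served(rule, True)};"
              f" spoofable -> {downgraded_by_spoofed_header(rule)}")
```

The rule from the talk gives one redirect with TLS at Apache and a loop (-1) behind a proxy; the proxy-aware rule gives one redirect in both. The last value is the flip side: once the origin trusts X-Forwarded-Proto, a client that can reach it directly over plain http can skip the redirect by sending that header itself, so the origin must only be reachable through the proxy, or the proxy must overwrite the header.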

Bits of code

1. Protect important files by denying access to them:

<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

This covers error_log, wp-config.php, php.ini and any name beginning .hta or .htp (so .htaccess and .htpasswd; most default Apache configurations already block .ht* files, but it costs nothing to be sure). Check what your host calls its PHP configuration file: some use php5.ini or .user.ini, and a file not named in the pattern is not protected. The Order/Deny lines are Apache 2.2 syntax; Apache 2.4 only accepts them when mod_access_compat is loaded, otherwise the 2.4 equivalent is Require all denied.

2. Prevent directory browsing (of /wp-content/uploads/ or anywhere else):

Options -Indexes

Without this, a directory with no index file returns a listing of its contents, which hands an attacker the names of every uploaded file. Use -Indexes on its own rather than Options All -Indexes: All also switches on ExecCGI, Includes and the rest wherever the host's AllowOverride permits, which is more than you want.

3. Block execution of PHP files in the uploads directory.

Most attackers who get a file onto a site drop a PHP backdoor in /wp-content/uploads/, because it is the one directory the web server must be able to write to. Note that <Directory> is not permitted inside a .htaccess file (it is a server-configuration directive and produces a 500), so instead create a separate .htaccess inside wp-content/uploads/ containing:

<Files "*.php">
Order Deny,Allow
Deny from All
</Files>

That file applies to the uploads directory and everything below it. Hosts that map other extensions to PHP (.phtml, .php5, .phar) need those covered too, with a FilesMatch pattern that lists them.

4. Protect against script injection in the query string

Attackers try to pass <script> tags through URL parameters, or to overwrite PHP's GLOBALS and _REQUEST arrays from the query string (a register_globals-era trick). These rules answer 403 Forbidden to any such request:

Options +FollowSymLinks
RewriteEngine On
# Tested against the raw, still percent-encoded, query string; [NC] = case-insensitive
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Treat this as noise reduction, not as protection against cross-site scripting: it only recognises the literal word script between angle brackets, so payloads built from other tags pass straight through, while an innocent search for <b>script</b> gets a 403. Escaping output correctly in the theme is what prevents XSS. If your host forbids +FollowSymLinks (some do, and the result is a 500), use +SymLinksIfOwnerMatch instead.

5. Secure the wp-includes directory

These rules (from the WordPress Codex hardening guide) refuse direct requests for PHP files under wp-includes, which are only meant to be loaded by WordPress itself. Put them outside the # BEGIN WordPress / # END WordPress markers, since WordPress rewrites that section:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Not for Multisite: there the wp-includes/*.php rule also blocks ms-files.php, which serves uploaded images.

6. Prevent username enumeration

A visitor who requests your-site.com/?author=1 is redirected to /author/<username>/, which reveals the login name of the first user (usually the administrator): one less thing to guess, leaving just the password. So:

RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

The trailing ? on the target drops the query string, so the visitor lands on the home page. This closes only one door: the REST API lists every user with published posts at /wp-json/wp/v2/users, and author archive links and bylines show the same name, so treat usernames as public and put the effort into password strength and two-factor authentication.
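To see what the query-string conditions in items 4 and 6 actually catch, it helps to run them against sample requests. The following Python script is an added example, not from the talk: it re-implements the regexes (with the backslashes written out) using Python's re, which handles these patterns the same way as Apache's PCRE, and runs them over constructed query strings, including two that carry a working script payload without the word script.

```python
import re

# Added example (not from the talk): the query-string conditions from items
# 4 and 6 run against constructed sample requests.  mod_rewrite tests
# %{QUERY_STRING} raw, i.e. still percent-encoded, so the samples are too.

# Item 4; [NC] on the first condition is re.IGNORECASE
SCRIPT_INJECTION = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]
# Item 6
AUTHOR = re.compile(r"author=\d")


def forbidden_by_item4(query_string):
    """True where one of the [OR]-ed conditions matches and the rule answers 403."""
    return any(p.search(query_string) for p in SCRIPT_INJECTION)


def redirected_by_item6(query_string):
    """True where the author=\\d condition fires and the visitor is sent to /."""
    return AUTHOR.search(query_string) is not None


# Constructed samples: query string -> whether item 4 blocks it
ITEM4_SAMPLES = {
    "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E": True,   # classic payload, encoded
    "s=<ScRiPt>x</sCrIpT>": True,                     # raw and mixed case
    "GLOBALS%5B_SERVER%5D=1": True,                   # GLOBALS[ , encoded
    "_REQUEST=1": True,
    "s=javascript+or+typescript": False,              # 'script' without <...>
    "s=<b>script</b>": True,                          # harmless, still 403
    "s=<svg/onload=alert(1)>": False,                 # no 'script' token: passes
    "s=<img src=x onerror=alert(1)>": False,          # passes too
    "s=%253Cscript%253E": False,                      # double-encoded: passes
}


def check_item4(samples=ITEM4_SAMPLES):
    """Return the samples whose outcome differs from the expectation.
    An empty dict means the table above describes the rule accurately."""
    return {q: forbidden_by_item4(q) for q, exp in samples.items()
            if forbidden_by_item4(q) != exp}


if __name__ == "__main__":
    for q, exp in ITEM4_SAMPLES.items():
        print(f"{'403' if forbidden_by_item4(q) else '200':4} {q}")
    print("mismatches:", check_item4())
    for q in ("author=1", "p=12&author=3", "author=admin", "coauthor=9"):
        print(f"{'301' if redirected_by_item6(q) else '200':4} {q}")
```

The svg and img lines are the point of the exercise: both are live payloads that the item 4 filter never sees, because it keys on the word script. The author=\d condition does what the talk says for numeric ids, ignores author=admin, and also fires on names that merely end in author= (coauthor=9), which is harmless since the redirect just goes to the home page.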

7. Prevent hot linking

Hot linking is other sites embedding your images straight from your server, so you pay for their bandwidth. The rules below redirect image requests that arrive with a Referer from another site to a substitute image:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-site.com/.*$ [NC]
RewriteCond %{REQUEST_URI} !hotlink\.gif$
RewriteRule \.(gif|jpg)$ http://www.your-site.com/hotlink.gif [R,L]

Replace your-site.com with your own domain (both places) and http://www.your-site.com/hotlink.gif with the image you want hot-linkers to see instead; add png and jpeg to the extension list if you serve them. The first condition lets requests with no Referer through (direct visits, privacy-conscious browsers, some mail clients), so this is a nuisance filter rather than a security control. The condition excluding hotlink.gif itself is needed: without it the substitute image matches the rule as well and the browser is redirected in a loop. If the site is on https, the Referer pattern needs https?:// too.

xmlrpc.php blocking?

XML-RPC: remote procedure calls, using XML for encoding and HTTP for transport.

It enables you to:

Post using weblog clients, e.g. Windows Live Writer, IFTTT (Jetpack and the WordPress mobile apps also talk to the site through it).

It was a security concern, although not any more.

If you want to block it anyway (it is an unauthenticated entry point you may simply not need):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
Order deny,allow
Deny from all
# Keep this line only for a client that needs XML-RPC, with its real address
Allow from 123.123.123.123
</Files>

With Order deny,allow the Allow line overrides the Deny, so that one address still gets through. Anything that relies on XML-RPC (Jetpack, the mobile apps, remote posting tools) stops working once it is blocked.

Thanks to Simon for his excellent talk!

Categories
Presentations

Practical WordPress Security with Tim Nash

Tim Nash (@tnash) from 34SP joined us on Monday 14 May to share his knowledge of WordPress security.


You can see slides from Tim’s recent talks on security here

Tim said:

Thanks to the folks who came to my Practical Security talk at WP Cambridge last night.

Today it's time to take action. We covered a lot of stuff, so where to start?

Here are 3 things to do right now.

1. DON'T PANIC
2. Remove all admin roles and replace with editors
3. Test your backups

 

Categories
News

WordPress News – WP 4.9.1 and State of the Word 2017

Top stories

WordPress 4.9.1 Released

Mostly a security and maintenance release (point releases are normally bug and security fixes).

Fixes page template issue:

4.9 introduced an error whereby users would discover that page templates wouldn’t appear in the Template drop down when editing a page.

See more at: WP Tavern

Gutenberg 1.8 Released, includes block templates for custom post types

Block Templates – allows developers to specify where to display custom fields when defining custom post types

Improved design of tool menu – include a space for where plugin extensions will appear in future

Ability to filter by block type – so developers will be able to specify which block types a custom post type can use

Better UI features – Including improve colour picker, contrast checker and tooltips.

State of the Word 2017

Matt Mullenweg, original developer of WordPress, has delivered his annual State of the Word address at the US WordCamp.

See the entire speech here:

Key takeaways:

Note these are just my scribbled notes from the video, not a verbatim account. Please see the video for the exact exchanges. – Ben Attenborough

Tide project

Tide aims to clean up plugin directory. Runs tests against the plugin directory – allows user to see status of tests.

Gives devs info on how to improve plugins and fix bugs – lets user know which plugins have issues

Links to GitHub so people can automatically raise issues and help fix them.

There’s a slack channel for tide

Growth Council

Will discuss ways WP can grow.

HTTPS

36% of WP sites are served over https, more than double last year.

This year’s focuses

This year there has been a focus on customisation:

  • Improvements for adding images, videos, audio and text to sidebars (widget areas- could also be header, footer or within the body)
  • New dashboard widget for meet ups – attendances have gone up 30% on average since this was introduced.
  • Drafting and scheduling for customiser.
  • Syntax highlighting to css and code editors
  • No default theme this year.
  • WP-CLI has become an official WordPress project

Gutenberg

Gutenberg is the longest-running feature development WP has ever had: now more than 11 months and 18 iterations.

It’s an effort to simplify everything that goes on in the editor – short codes, widgets, menus and random stuff in TinyMCE into the concept of a block.

Gutenberg expected to be ready by April.

Mission to democratise publishing

Classic editor plugin.

If you think April is too soon to start using Gutenberg, install the Classic Editor Plugin now – will make sure that old editor will continue to be used.

Next step: Gutenberg-based site optimisation

Blocks to lay out the whole site.

Next year’s focuses

Gutenberg Editing

Gutenberg Customisations

Gutenberg Theme

Q&A (See 1:02.00 in video)

Note these are just my scribbled notes of the Q and A, not a verbatim account. Please see the video for the exact exchanges. – Ben Attenborough

Q: Question about page builders and is Gutenberg unfair to creators of page builder plugins as it will replace their functionality

MM: Lots of different page builder plugins, which shows how much demand there is for page building functionality

But problem is it is hard for plugins to work with page builders because each builder works differently. If Gutenberg presents a standard way for building posts and pages it makes it much easier for plugin developers to build applications that work in the expected way.

Will create opportunities for devs.

Q: Fields API – Will it be necessary to continue to have a fields API

MM: Gutenberg will cover a lot of bases for fields, but not everything so a fields API will still be necessary.

Question about WYSIWYG

MM: Will be editing on dashboard not literally on front end. But it will be a lot closer to a true WYSIWYG experience.

Q: Could we get a split community where some people will be on classic mode and some on Gutenberg. How will we get beyond these two worlds?

MM: You really do need to develop for Gutenberg and I’m okay if you drop support for Classic.

Q: Concern that users may find Gutenberg harder to use.

MM: We are building for people new to publishing and websites

Structure will be more intuitive. Ever have an image which is right aligned and you try to move it and move it inside a link and it’s a bit of a mess? Gutenberg is trying to fix that.

Q: If I’m creating sites for clients, I’m putting onus on users to design. What would be great is if I can add certain blocks to a CPT and say that’s it.

MM: Yes, it will be possible to lock down which block types a user will have access to.

Q: Front-end responsive issue. There are circumstances where things have to change on different screens. So if the user specifies an 80px font size for a heading, it is not going to be 80px on a mobile phone. How are you going to control this?

MM: We are going to err on the side of letting people do stuff. Including being able to mess it up, but allow themes and plugins to bring in the guard rails a lot more.

Q: Concerned about changes Gutenberg will force on to customers.

MM: Today there is an opt-in plugin. New plugin will give a specific opt out. Trying to provide a gradual ramp. Trying to learn from Gutenberg because going to make big changes in the future.

Q: Are you concerned about React?

MM: Thinks that React is the future and can fork from the GPL version of React if future React versions introduce bad things.

Cross-compiling from other languages is possible.

My thoughts

Gutenberg is happening, and although there will be ways to continue with the old TinyMCE editor it is clearly the direction of travel.

At 1:10.55 Matt gets a question about the danger of “two worlds” one where people use Gutenberg and one where people use classic. Matt responds by saying that over time users will expect everything to work with Gutenberg and demand for classic will fall away.

It was interesting to me that Matt Mullenweg actually says “at some point” he will be fine with plugin developers dropping support for the pre-Gutenberg world (see around 1:14.00). Once plugins start dropping support for classic, people are going to have to either stay still or move ahead under Gutenberg.

It certainly feels like Gutenberg is the future and developers and users will not be able to ignore it, or at least not for long.

Furthermore it seems that the Gutenberg philosophy of using content “blocks” will also be extended into designing pages. It looks like a page building system, like ones such as Beaver Builder, will eventually be part of WordPress core. What will this mean for existing sites built with a page builder system? Will they need to be redesigned using the Gutenberg builder?

This will be controversial, but I’m optimistic that eventually this will be a good thing for users, as it will give them more access to design their own pages and posts without having to code. Hopefully it will also be good news for developers, as they will be able to build sites which give users more customisation options without having to introduce a slew of plugins or custom code.

Categories
Presentations

October 2017 Meetup: Managing WordPress & WP Transients

Managing WordPress

Steven Watts of Newt Labs talked about WordPress management, which also included a quick introduction to Slack – an instant messaging/support system.

See the slides below:

Click on the image above to see the slide (pdf format)

This is a cut down version of the presentation, for more see https://www.slideshare.net/StevenWatts8/managing-wordpress

Takeaways: where to get help, how to setup a staging site, a backup strategy, quick security wins, eyes on your site, and a better understanding of quality hosting.

Slack – We at WordPress Cambridge have two channels. There are a bunch of UK channels, and also a bunch of international channels. You can stay in contact with the Cambridge group, and get help/support from the UK and internationally.

Newt Labs is a sponsor of our Meetup group. They provide site care for WordPress websites by providing unlimited small fixes, implementing best practices and taking care of ongoing technical tasks. Keeping WordPress sites secure and effective, from £49 a month.

WordPress Transients API

Adam Maltpress of http://maltpress.co.uk/ talked about the WordPress Transients API.

Transients help speed up your site by reducing the number of database queries needed to create a page. We discussed the code needed to start using transients in your theme or plugin as well as looking at a couple of ways of measuring your code’s performance while developing and testing. We also discussed some of the issues around caching content and the compromises involved.

See the slides below:

Transients API presentation cover
Click on the image above to see the slides (PDF format)
Categories
News

Security with Tim Nash

Another amazing guest speaker – this time Tim Nash of 34SP.com (and timnash.co.uk).

Tim is the platform lead at 34SP.com for their Managed WordPress product in addition to being the company’s Developer Advocate.

Tim’s presentation managed to be both scary and reassuring about security: making it clear that security is everyone’s responsibility but also that there are plenty of things we can do to make our sites secure.

Tim pointed out that sites are as likely to be hacked if they’re running a security plugin as they are if they’re not! This underlines the fact that plugins only really fix one small part of a larger security process which includes making sure the server is set up correctly, that people are sensible with the way they use passwords, and that site administrators set up users correctly.

It’s important to make sure that users are only given the permissions that they need and that sites have as few administrators as possible. Some site owners have two accounts – an editor and an administrator – and purposefully change their administrator password to something ridiculous so it’s impossible to log in with it unless it’s reset using the site’s database. Others add alerts to their sites which make it really clear when logged in as an administrator and they may have too much power!

In terms of passwords, most have been leaked at some point so it’s important to change them regularly and never use the same password for multiple sites.

Whether you use a password manager or not (see KeePass and KeeWeb), password length is far more important than complexity (i.e. combinations of letters, numbers and special characters), so an increasingly popular way of handling passwords is to use pass phrases.

Two factor authentication (using a phone app to provide a special login key every time you log in) is another great way to increase your site’s security. There are several plugins which add two-factor authentication to your site. Just make sure you print (and keep safe) your backup codes! The best method is to combine a long pass phrase and two-factor authentication.

Keeping everything up to date is also vitally important – core WordPress, plugins and themes (even if they’re not active) and don’t pirate themes which might not be updateable. Using child themes, as ever, is strongly recommended. Tim pointed out it’s worth updating even if it breaks little things – it’s better to have a secure site.

Site monitoring is a handy tip Tim gave us: use visual regression testing, which takes a visual snapshot of your site (or part of your site) and warns you if it looks different. Visualping.io is one example of a visual regression testing service. Testing backups when you take them is also really important – and it’s handy to automate this as much as you can, if you know how!

Hardening WordPress refers to making sure the server is set up correctly. There’s a great guide at https://codex.wordpress.org/Hardening_WordPress

Finally, use HTTPS on everything! We'll be covering HTTPS in more depth in a future meetup but in the meantime it's worth checking what sort of HTTPS/SSL certificate your hosting service can provide you with. You shouldn't need to pay: there are plenty of free services available now, including Amazon.

Categories
Presentations

Understanding the Motivators, Tactics and Impacts of Hackers

Steven Watts spoke about some of the nefarious things hackers do and the motivators behind why they do it to help website owners weigh up the risks and see if website security is something that needs to be taken into consideration within their business.

You can find a full write up covering all aspects of the talk here: