Monthly Archives: May 2010

Protecting my wordpress folders

WordPress by default doesn’t protect its wp-includes and wp-content folders. While WordPress doesn’t do stupid things in most of these files, they still don’t do a simple defined() check to ensure they were included from a privileged file. SMF does this, and it prevents direct loading of any of its Source files.

Getting around this is not as simple as it should be. To start with, I added a “.htaccess” to my “wp-includes” folder with the following contents.

Deny From All

However, that broke the built-in rich editor in WordPress. So, now to edit “wp-admin/includes/manifest.php” and change the following.

echo "<script type='text/javascript' src='$baseurl/wp-tinymce.php?c=$zip&amp;$version'></script>\n";

All I did was change .php to .js, since after reading the directory I figured out the .php version is just a compressed version of the .js file. I removed the “$zip&amp;” part as well since it didn’t make sense to keep it anymore; the “c” argument just tells it whether to compress or not. So this is my resulting change:

echo "<script type='text/javascript' src='$baseurl/wp-tinymce.js?$version'></script>\n";

However, since I was now loading some content from my includes folder, a tweak was needed in my “.htaccess”:

<Files *.php>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>

Simply put, that will deny web access to all PHP files in my “wp-includes” folder. That worked, and a simple duplication of the file to my “wp-content” folder produced the same results. However, I still wasn’t done. A simple .htaccess password-protected directory for my “wp-admin” would offer a very basic block to help prevent unauthorized access. Although it isn’t using a very strong password or username, it still prevents the fly-by attacks.

AuthType Basic
AuthName "Restricted Access"
AuthUserFile "/path/outside/webroot/wordpress-admin.access"
Require valid-user

Now I just needed to populate that file. Since I have Apache installed on my laptop, I simply opened Terminal and ran “htpasswd -n username” and gave it a password at the prompts. Then I just copied the line from the window to my .access file and saved. Everything works and my entire wp-admin folder is protected from unauthorized web access.
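The line “htpasswd -n username” prints is not opaque: by default (in the Apache versions of this era) it is the APR1 variant of MD5-crypt, a salted, 1000-round hash. The following is an added example, not code from the original post or from Apache: it reproduces that format in pure Python so you can see what goes into the AuthUserFile and how Apache checks a password against it. The user names, passwords and salts are constructed for illustration.

```python
"""Generate and verify htpasswd entries in Apache's APR1 (MD5-crypt) format.

Added example, not from the original post. It reproduces what `htpasswd -n user`
wrote by default in 2010 so the contents of the AuthUserFile are not a black box.
Only the standard library is used.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    # Apache's to64(): emit `count` base-64 digits, least significant first.
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' as Apache's apr_md5_encode computes it."""
    pw = password.encode()
    sb = salt[:8].encode()  # APR truncates the salt to 8 characters

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:  # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, n)])
        n -= 16
    i = len(pw)
    while i:  # one byte per bit of the password length
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds, each mixing password, salt and previous digest
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt[:8]}${encoded}"


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One AuthUserFile line, like the output of `htpasswd -n user`."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    if not salt:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify(line: str, user: str, password: str) -> bool:
    """Check a password against one AuthUserFile line (constant-time compare)."""
    name, _, stored = line.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


if __name__ == "__main__":
    # constructed sample, not a real credential
    line = htpasswd_line("editor", "correct horse battery staple")
    print(line)
    print(verify(line, "editor", "correct horse battery staple"))
```

The salt is what keeps two users with the same password from producing the same line, and the 1000 rounds are what slow down guessing if the file ever leaks; that is why the post keeps it outside the web root. Newer htpasswd builds also offer the -B option (bcrypt), which is the better choice when available.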

However, “wp-login.php” contains three references to files in the wp-admin folder: “login.css”, “colors-fresh.css” and “logo-login.gif”. Simply copying those three files to my theme is half the problem resolved. Then I just modified wp-login.php to call those files directly rather than through the functions that previously called them. “login.css” needs to be modified, and the path to the logo-login.gif file needed adjusting.
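After all of these edits it is worth checking from the outside that each rule actually took effect, and that later WordPress upgrades have not undone them. The script below is an added example, not part of the original post: it requests a few paths and compares the HTTP status with what the changes above should produce (PHP under wp-includes and wp-content refused, the uncompressed TinyMCE .js still served, wp-admin demanding credentials). The site URL and the plugin path are placeholders; the fetch function can be swapped out, which is how it is tested offline.

```python
"""Audit the .htaccess protections described above.

Added example, not from the original post. Paths below are assumptions about a
stock WordPress layout of the time; the base URL is a placeholder.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# (path, acceptable status codes) -- the posture the post aims for.
EXPECTED: List[Tuple[str, Tuple[int, ...]]] = [
    ("/wp-includes/wp-db.php", (403,)),                 # PHP in wp-includes: denied
    ("/wp-includes/js/tinymce/wp-tinymce.js", (200,)),  # plain .js still loads
    ("/wp-content/plugins/hello.php", (403,)),          # hypothetical plugin file
    ("/wp-admin/", (401,)),                             # basic auth challenge
    ("/wp-admin/includes/manifest.php", (401,)),        # also behind basic auth
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx codes instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url: str) -> int:
    """Return the HTTP status for a GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url: str, fetch: Callable[[str], int] = http_status,
          expected=EXPECTED) -> Dict[str, Tuple[int, bool]]:
    """Return {path: (observed_status, ok)}; ok is False where a rule failed."""
    results: Dict[str, Tuple[int, bool]] = {}
    for path, allowed in expected:
        status = fetch(base_url.rstrip("/") + path)
        results[path] = (status, status in allowed)
    return results


if __name__ == "__main__":
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://blog.example"  # placeholder
    for path, (status, ok) in audit(base).items():
        print(f"{'OK  ' if ok else 'FAIL'} {status} {path}")
```

Run it against the site after every upgrade; a 200 on a wp-includes PHP file means the .htaccess was overwritten or the server stopped honouring it (AllowOverride turned off).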


Simple secure login for wordpress

This is a simple way to set up a secure login for WordPress. Simply edit “wp-login.php” and look for:

/** Make sure that the WordPress bootstrap has run before continuing. */
require( dirname(__FILE__) . '/wp-load.php' );

Add after that:

force_ssl_admin(true);

Now when accessing login and registration pages, the browser redirects to the secure version.

Edit:

After looking into “wp-settings.php” some more, I found the following setting:

if ( !defined('FORCE_SSL_ADMIN') )
	define('FORCE_SSL_ADMIN', false);

Copying the define line to my “wp-config.php” and changing false to true ensures this keeps working even if “wp-login.php” ever gets updated.


Hello /dev/null

When I started my site, I knew that I would rarely see visitors. It is more of a personal test site than it is for anything else. I recently decided to get rid of my own site and get a blog, mostly because my site isn’t really for communication amongst many individuals; rather, it’s for my own discussions and fun. So in this respect, a blog makes more sense, doesn’t it?


Setting up SVN

I wanted to set up SVN on my server. Why, you ask? Well, just because I can, really. The most important reason is to get my mods and other files into a repository that would also act as a backup. I set it up on my site as I never saw the point in keeping it on my own system.

Luckily, as on most Linux systems, on Ubuntu I can do this without breaking a sweat. I won’t go into why I am running Ubuntu; I just felt like using it as my server software of choice, although I plan on looking into Debian.

When I was going to set up SVN, I decided to set it up with DAV, mostly because it would be easier for me to give out URLs to the SVN.

$ apt-get install subversion libapache2-svn

After that quickly ran and I accepted it to download the files, I was almost done. I set up an SVN repository and did an initial commit into it. Although I had options for how to set up access, since I would be the only one committing to it, I just did the very basic access setup.

I had to set up my self-signed SSL certificate so I could continue setting up SVN. That is as simple as running the openssl command with the correct options. I did a Google search since I was too lazy to read the manual.

$ openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key

Although I should have generated a 2048-bit key instead of the 1024-bit key. After that, it was very simple to complete the setup. I just needed to set up my virtual host for SVN and I was on my way.

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
ServerAdmin foo@bar.com
ServerName svn.sleepycode.com
<Location /code>
DAV svn
SVNParentPath /home/svn
</Location>
</VirtualHost>


Highslide for Wordpress Plugin