Code, InfoSec and Server Stuff
Views are my own and not my employer's
This is how I checked the compatibility of my WordPress theme and plugin (code) with PHP Compatibility Checker
Read the full article here: https://fearby.com/article/check-the-compatibility-of-your-wordpress-theme-and-plugin-code-with-php-compatibility-checker/
This is how I checked the compatibility of my WordPress theme and plugin (code) with PHP Compatibility Checker
Advertisement:
Aside
I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.
Now on with the post
Snip from: https://wordpress.org/plugins/php-compatibility-checker/
What is PHP Compatibility Checker
> The WP Engine PHP Compatibility Checker can be used by any WordPress website on any web host to check PHP version compatibility.
> This plugin will lint theme and plugin code inside your WordPress file system and give you back a report of compatibility issues for you to fix. Compatibility issues are categorized into errors and warnings and will list the file and line number of the offending code, as well as the info about why that line of code is incompatible with the chosen version of PHP. The plugin will also suggest updates to themes and plugins, as a new version may offer compatible code.
> This plugin does not execute your theme and plugin code, as such this plugin cannot detect runtime compatibility issues.
Please note that linting code is not perfect. This plugin cannot detect unused code-paths that might be used for backwards compatibility, and thus might show false positives. We maintain a whitelist of plugins that can cause false positives. We are continuously working to ensure the checker provides the most accurate results possible.
This plugin relies on WP-Cron to scan files in the background. The scan will get stuck if the site’s WP-Cron isn’t running correctly. Please see the FAQ for more information.
Install PHP Compatibility Checker
I instaled by SSH’ing to my server and opening my WP Plugins folder
1 | cd /www-root/wp-content/plugins/ |
I grabbed the latest download URL from here (hover over the download button), at the time of writing this was the latest version: https://downloads.wordpress.org/plugin/php-compatibility-checker.1.4.6.zip
Advertisement:
I downloaded the plugin on my server (then unzipped it and deleted the zip)
1 2 3 | wget https://downloads.wordpress.org/plugin/php-compatibility-checker.1.4.6.zip unzip php-compatibility-checker.1.4.6.zip rm php-compatibility-checker.1.4.6.zip |
Enable PHP Compatibility Checker Plugin
I enabled the plugin
I clicked on the following message
> You have just activated the PHP Compatibility Checker. Start scanning your plugins and themes for compatibility with the latest PHP versions now!
I already have PHP 7.2 installed so let’s scan my site. PHP 7.3 will be available in December and it is already being tested in beta.
PHP Versions
Site Scanning
PHP Compatibility Checker site scanning is very business like
PHP Compatability Checker Scan Results
2 of 22 plugins I use were not PHP 7.2 compatible (WordFence and WP Meta SEO)?
I read on twitter that Wordfence may be a false positive.
Clicking toggle details reveal why the scan failed. A Two Factor Auth plugin was all OK.
Your results will hopefully be…
> PHP 7.2 compatible
Of if errors exist it should explain why it did not pass.
FILE: /www-root/wp-content/plugins/wp-meta-seo/jutranslation/jutranslation.php
> —————————————————————————————-
> FOUND 1 ERROR AFFECTING 1 LINE
> —————————————————————————————-
> 251 | ERROR | The function is_countable() is not present in PHP version 7.2 or earlier
> —————————————————————————————-
I can’t wait for PHP 7.3 scanning. I will update this post in December 2018 after PHP 7.3 is released.
Advertisement:
Good luck and I hope this guide helps someone
Ask a question or recommend an article
Revision History
v1.0 Initial post
Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app
Read the full article here: https://fearby.com/article/add-two-factor-auth-login-protection-to-wordpress-with-yubico-hardware-yubikeys-and-or-2fa-authenticator-app/
Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app
Advertisement:
This is a quick post that shows how I upgraded to Wordfence Premium to get real-time defence feeds, malware scanner and two-factor authentication for WordPress logins
This is a quick post that shows how I upgraded to Wordfence Premium to get real-time defence feeds, malware scanner and two-factor authentication for WordPress logins
Advertisement:
Aside
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
What is Wordfence
WordFence is a free WordPress plugin (install guide here) that helps protect your WordPress site by logging and blocking bad events. I was a big fan of the Wordfence sister program called GravityScan (before it was retired)
Read my review of the free Wordfence plugin here.
I was using Wordfence free to
Advertisement:
Install and set up Wordfence (Free)
Read my guide here to learn how to setup Wordfence (Free).
Malware Infections
Your website is often scanned and ranked for safety by sites like Norton Safe Web, Google, Trend Micro, Kaspersky Virus Desk, SiteGuarding etc along with search engines. Having malicious files on your site will affect your site Search EnginOptimizationio (SEO).
I had a 5-year-old scan of a subdomain (that was hosted on a CPanel Host). The subdomain had false positives for malware.
Working to remove the false positive was a lengthy process.
You should aim to stay off the radar or many site scanning, check VirusTotal often to keep your self-updated as to the status of your website. Wordfence will hopefully detect real malware issues automatically in the future.
https://sitecheck.sucuri.net/ is a good site that can aggregate your sites safety ratings.
WordfFence Free v Premium
Wordfence Premium
Prices (USD)
Advertisement:
WordFence Premium
Read about some benefits of Wordfence Premium here.
Read more about getting the most from Wordfence Premium
Buying a Wordfence Premium API Key
>Thanks, your card information has been updated. You can now go to your API Key Manager and create and manage your Wordfence API keys.
Now you can buy an API key and copy and paste the API ey o to your Wordfence plugin.
Wordfence Firewall
Wordfence does a great job at showing failed/successful, top blocked IP’s
Wordfence Malware Scanner
Wordfence premium has schedulable scans with real-time malware signatures
Scan Progress
Testing the scanner
Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”
I created an eicar.txt test file (information on eicar here (slightly modified so I don’t get tagged again b virus scanners)) to test the Wordfence malware scanner
1 2 | echo 'X5O!P#removed#X54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /www-root/eicar.txt sudo chown www-data:www-data eicar.txt |
I enable scanning of files outside of WordPress
I rescanned my site with Wordfence
Result: Nothing??
I logged a support ticket to see if this is right?
Update: Wordfence support replied and said “Thanks for writing in. We do detect the EICAR test file, but scans don’t scan file types that aren’t dangerous on a site by default, since scans would waste a lot of time on files that aren’t exploitable.“
I disagree a virus is a virus.
Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”
I guess “all” does not mean “all”?
Wordfence support said EICAR files are detected if I rename the file to php. I renamed the file and to enabled “Scan images, binary, and other files as if they were executable“.
I started a new scan
> Scan Failed
>The scan has failed because we received an unexpected response from the Wordfence servers. This may be a temporary error, though some sites may need adjustments to run scans reliably
🙁
Advertisement:
I scanned my system with ClamAV and it found the EICAR file.
1 | clamscan -r --bell -i /www-root |
Result:
1 | /www-root/eicar.txt: Eicar-Test-Signature FOUND |
ClamAV found the virus.
Setting up Two Factor Authentication (work in progress)
Add your desired user and number
Click Enable User
Wait for the text message and activation code (on your phone)
Enter the activation code and press Activate
The two-factor authentication should be activated
List of two-factor authorization enabled users.
I logged out of WordPress and logged back in but the two-factor auth did not work, I logged a support Ticket with my theme maker and WordFence.
Update: Wordfence Support “Wordfence > Tools > Two Factor Authentication options there is an option for Enable Separate Prompt for Two Factor Code which you could disable and try.“
This fix did not work. I sent a 2nd diagnostics report to Wordfence.
Wordfence support said
Pros
Cons
Is Premium worth it? Yes if you want “Real-time firewall rules and malware signatures” (and don’t whitelist your IP).
I hope this guide helps someone.
Advertisement:
Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
Revision History
v1.4 Updated conclusion and Wordfence refund
v1.3 added whitelist 2FA info
v1.2 added replied from Wordfence support re EICAR and Two Factor Auth.
v1.1 Added Pros and Cons section
v1.0 Initial Post
This is how I set up a dedicated Debian subdomain (VM), Installed MySQL 14 and connected to it from a WordPress installation on a different VM
Advertisement:
Aside
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving fearby.com from Vultr to UpCloud.
Buy a domain name here
Now on with the post.
Fearby.com
I will be honest, fearby.com is my play server where I can code, learn about InfoSec and share (It’s also my stroke rehab blog).
There is no faster way to learn than actually doing. The problem is my “doing” usually breaks the live site from time to time (sorry).
I really need to set up a testing environment (DEV-TEST-LIVE or GREEN-BLUE) server(s). GREEN-BLUE has advantages as I can always have a hot spare ready. All I need to do is toggle DNS and I can set the GREEN or BLUE server as the live server.
But first I need to separate my database from my current fearby.com server and setup up a new web server. Having a Green and Blue server that uses one database server will help with near real-time production website switches.
Dedicated Database Server
I read the following ( Should MySQL and Web Server share the same server? ) at Percona Database Performance Blog. Having a separate database server should not negatively impact performance (It may even help improve speeds).
Deploy a Debian VM (not Ubuntu)
I decided to set up a Debian server instead of Ubuntu (mostly because of the good focus on stability and focus on security within Debian).
I logged into the UpCloud dashboard on my mobile phone and deployed a Debian server in 5 mins. I will be using my existing how to setup Ubuntu on UpCloud guide (even though this is Debian).
TIP: Sign up to UpCloud using this link to get $25 free UpCloud VM credit.
Deploy a Debian server setup steps:
After 5 mins your server should be deployed.
Advertisement:
After Deploy
Setup DNS
Login to your DNS provider and create DNS records to the new IP’s (IPv4 and IPv6) provided by UpCloud. It took DNS 12 hours to replicate to my in Australia.
Setup a Firewall (at UpCloud)
I would recommend you set up a firewall at UpCloud as soon as possible (don’t forget to add the recommended UpCloud DNS IP’s and any whitelisted IP’s your firewall).
Block everything and only allow
Read my post on setting up a whitelisted IP on an UpCloud VM… as it is a good idea.
UpCloud thankfully has a copy firewall feature that is very handy.
After I set up the firewall I SSH’ed into my server (I use vSSH on OSX buy you could use PUTTY).
I updated the Debian system with the following command
1 | sudo apt update |
Get the MySQL Package
Visit http://repo.mysql.com/ and get the URL of the latest apt-config repo deb file (e.g “mysql-apt-config_0.8.9-1_all.deb”). Make a temp folder.
1 2 | mkdir /temp cd /temp |
Download the MySQL deb Package
1 | wget http://repo.mysql.com/mysql-apt-config_0.8.9-1_all.deb |
Install the package
1 | sudo dpkg -i mysql-apt-config_0.8.9-1_all.deb |
Update the system again
1 | sudo apt update |
Install MySQL on Debian
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 | sudo apt install mysql-server Reading package lists... Done Building dependency tree Reading state information... Done The following additional packages will be installed: libaio1 libatomic1 libmecab2 mysql-client mysql-common mysql-community-client mysql-community-server psmisc The following NEW packages will be installed: libaio1 libatomic1 libmecab2 mysql-client mysql-common mysql-community-client mysql-community-server mysql-server psmisc 0 upgraded, 9 newly installed, 0 to remove and 1 not upgraded. Need to get 37.1 MB of archives. After this operation, 256 MB of additional disk space will be used. Do you want to continue? [Y/n] y Get:1 http://repo.mysql.com/apt/debian stretch/mysql-5.7 amd64 mysql-community-client amd64 5.7.22-1debian9 [8886 kB] Get:2 http://deb.debian.org/debian stretch/main amd64 mysql-common all 5.8+1.0.2 [5608 B] Get:3 http://deb.debian.org/debian stretch/main amd64 libaio1 amd64 0.3.110-3 [9412 B] Get:4 http://deb.debian.org/debian stretch/main amd64 libatomic1 amd64 6.3.0-18+deb9u1 [8966 B] Get:5 http://deb.debian.org/debian stretch/main amd64 psmisc amd64 22.21-2.1+b2 [123 kB] Get:6 http://deb.debian.org/debian stretch/main amd64 libmecab2 amd64 0.996-3.1 [256 kB] Get:7 http://repo.mysql.com/apt/debian stretch/mysql-5.7 amd64 mysql-client amd64 5.7.22-1debian9 [12.4 kB] Get:8 http://repo.mysql.com/apt/debian stretch/mysql-5.7 amd64 mysql-community-server amd64 5.7.22-1debian9 [27.8 MB] Get:9 http://repo.mysql.com/apt/debian stretch/mysql-5.7 amd64 mysql-server amd64 5.7.22-1debian9 [12.4 kB] Fetched 37.1 MB in 12s (3023 kB/s) Preconfiguring packages ... Selecting previously unselected package mysql-common. (Reading database ... 34750 files and directories currently installed.) Preparing to unpack .../0-mysql-common_5.8+1.0.2_all.deb ... Unpacking mysql-common (5.8+1.0.2) ... Selecting previously unselected package libaio1:amd64. Preparing to unpack .../1-libaio1_0.3.110-3_amd64.deb ... Unpacking libaio1:amd64 (0.3.110-3) ... Selecting previously unselected package libatomic1:amd64. Preparing to unpack .../2-libatomic1_6.3.0-18+deb9u1_amd64.deb ... Unpacking libatomic1:amd64 (6.3.0-18+deb9u1) ... Selecting previously unselected package mysql-community-client. Preparing to unpack .../3-mysql-community-client_5.7.22-1debian9_amd64.deb ... Unpacking mysql-community-client (5.7.22-1debian9) ... Selecting previously unselected package mysql-client. Preparing to unpack .../4-mysql-client_5.7.22-1debian9_amd64.deb ... Unpacking mysql-client (5.7.22-1debian9) ... Selecting previously unselected package psmisc. Preparing to unpack .../5-psmisc_22.21-2.1+b2_amd64.deb ... Unpacking psmisc (22.21-2.1+b2) ... Selecting previously unselected package libmecab2:amd64. Preparing to unpack .../6-libmecab2_0.996-3.1_amd64.deb ... Unpacking libmecab2:amd64 (0.996-3.1) ... Selecting previously unselected package mysql-community-server. Preparing to unpack .../7-mysql-community-server_5.7.22-1debian9_amd64.deb ... Unpacking mysql-community-server (5.7.22-1debian9) ... Selecting previously unselected package mysql-server. Preparing to unpack .../8-mysql-server_5.7.22-1debian9_amd64.deb ... Unpacking mysql-server (5.7.22-1debian9) ... Setting up libatomic1:amd64 (6.3.0-18+deb9u1) ... Setting up psmisc (22.21-2.1+b2) ... Setting up mysql-common (5.8+1.0.2) ... update-alternatives: using /etc/mysql/my.cnf.fallback to provide /etc/mysql/my.cnf (my.cnf) in auto mode Setting up libmecab2:amd64 (0.996-3.1) ... Processing triggers for libc-bin (2.24-11+deb9u3) ... Setting up libaio1:amd64 (0.3.110-3) ... Processing triggers for systemd (232-25+deb9u4) ... Processing triggers for man-db (2.7.6.1-2) ... Setting up mysql-community-client (5.7.22-1debian9) ... Setting up mysql-client (5.7.22-1debian9) ... Setting up mysql-community-server (5.7.22-1debian9) ... update-alternatives: using /etc/mysql/mysql.cnf to provide /etc/mysql/my.cnf (my.cnf) in auto mode Created symlink /etc/systemd/system/multi-user.target.wants/mysql.service -> /lib/systemd/system/mysql.service. Setting up mysql-server (5.7.22-1debian9) ... Processing triggers for libc-bin (2.24-11+deb9u3) ... Processing triggers for systemd (232-25+deb9u4) ... |
Secure MySQL
Advertisement:
You can secure the MySQL server deployment (set options as needed)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | sudo mysql_secure_installation Enter password for user root: ******************************************** VALIDATE PASSWORD PLUGIN can be used to test passwords and improve security. It checks the strength of password and allows the users to set only those passwords which are secure enough. Would you like to setup VALIDATE PASSWORD plugin? Press y|Y for Yes, any other key for No: No Using existing password for root. Change the password for root ? ((Press y|Y for Yes, any other key for No) : No ... skipping. By default, a MySQL installation has an anonymous user, allowing anyone to log into MySQL without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? (Press y|Y for Yes, any other key for No) : Yes Success. Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? (Press y|Y for Yes, any other key for No) : No ... skipping. By default, MySQL comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? (Press y|Y for Yes, any other key for No) : Yes - Dropping test database... Success. - Removing privileges on test database... Success. Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? (Press y|Y for Yes, any other key for No) : Yes Success. All done! |
Install NGINX
I installed NGINX to allow Adminer MySQL GUI to be used
I ran these commands to install NGINX.
1 2 3 | sudo apt update sudo apt upgrade sudo apt-get install nginx |
I edited my NGINX configuration as required.
I reloaded NGINX
1 2 3 | sudo nginx -t sudo nginx -s reload sudo systemctl restart nginx |
Advertisement:
Install PHP
I followed this guide to install PHP on Debian.
1 2 3 4 5 6 7 8 9 10 | sudo apt update sudo apt upgrade sudo apt install ca-certificates apt-transport-https wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add - echo "deb https://packages.sury.org/php/ stretch main" | sudo tee /etc/apt/sources.list.d/php.list sudo apt update sudo apt install php7.2 sudo apt install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml php7.2-cli php7.2-common |
Install PHP FPM
1 | apt-get install php7.2-fpm |
Increase Upload Limits
You may need to temporarily increase upload limits in NGINX and PHP before you can restore a WordPress database. My feabry.com blog is about 87MB.
Add “client_max_body_size 100M;” to “/etc/nginx/nginx.conf”
Add the following to “/etc/php/7.2/fpm/php.ini”
Restore a backup of my MySQL database in MySQL
You can now use Adminer to restore your blog to MySQL. Read my post here on Adminer here. I used Adminer to move my WordPress site from CPanel to a self-managed server a year ago.
First login to your source server and export your desired database then login to the target server and import the database.
Firewall Check
Don’t forget to allow your WordPress site’s 2x Public IP’s and 1x Private IP to access port 3306 in your UpCloud Firewall.
How to check open ports on your current server
1 | sudo netstat -plunt |
Set MySQL Permissions
Open MySQL
1 | mysql --host=localhost --user=root --password=*************************************************************************** |
I ran these statements to grant the user logging in on the nominate IP’s access to MySQL.
1 2 3 4 5 | mysql> GRANT ALL ON databasenmae.* TO databaseusername@IPv4Server1PublicAddress IDENTIFIED BY '***********sql*user*password*************'; GRANT ALL ON databasenmae.* TO databaseusername@IPv4Server1PrivateAddress IDENTIFIED BY '***********sql*user*password*************'; GRANT ALL ON databasenmae.* TO databaseusername@IPv4Server2PublicAddress IDENTIFIED BY '***********sql*user*password*************'; GRANT ALL ON databasenmae.* TO databaseusername@IPv4Server1PrivateAddress IDENTIFIED BY '***********sql*user*password*************'; |
Reload permissions in MySQL
1 | FLUSH PRIVILEGES; |
Allow access to the Debian machine from known IP’s
Edit “/etc/host.allow”
Additions (known safe IP’s that need access to this MySQL remotely).
1 2 3 4 5 6 | mysqld : IPv4Server1PublicAddress : allow mysqld : IPv4Server1PrivateAddress : allow mysqld : IPv4Server2PublicAddress : allow mysqld : IPv4Server1PrivateAddress : allow mysqld : ALL : deny |
Tell MySQL to listen on
Edit “/etc/mysql/my.cnf”
Added..
1 2 3 4 5 6 7 8 9 10 | [mysqld] user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp language = /usr/share/mysql/English bind-address = DebianServersIntenalIPv4Address |
I guess you could change the port to something random???
Restart MySQL
1 | sudo service mysql restart |
Install a second local firewall on Debian
Advertisement:
Install ufw
1 | sudo apt-get instal ufw |
Do add the IP of your desired server or VPN to access SSH
1 | sudo ufw allow from 123.123.123.123 to any port 22 |
Do add the IP of your desired server or VPN to access WWW
1 | sudo ufw allow from 123.123.123.123 to any port 80 |
Now add the known IP’s (e.g any web servers public (IPv4/IPv6) or Private IP’s) that you wish to grant access to MySQL (e.g the source website that used to have MySQL)
1 | sudo ufw allow from 123.123.123.123 to any port 3306 |
Do add UpCloud DNS Servers to your firewall
1 2 3 4 | sudo ufw allow from 94.237.127.9 to any port 53 sudo ufw allow from 94.237.40.9 to any port 53 sudo ufw allow from 2a04:3544:53::1 to any port 53 sudo ufw allow from 2a04:3540:53::1 to any port 53 |
Add all other rules as needed (if you stuff up and lock your self out you can login to the server with the Console on UpCloud)
Restart the ufw firewall
1 2 | sudo ufw disable sudo ufw enable |
Prevent MySQL starting on the source server
Now we can shut down MySQL on the source server (leave it there just in case).
Edit “/etc/init/mysql.conf”
Comment out the line that contains “start on ” and save the file
and run
1 | sudo systemctl disable mysql |
Reboot
1 | shutdown -r now |
Stop and Disable NGINX on the new DB server
We don’t need NGINX running now the database has been imported with Adminer.
Stop and prevent NGINX from starting up on startup.
1 2 3 | /etc/init.d/nginx stop sudo update-rc.d -f nginx disable sudo systemctl disable nginx |
Check to see if MySQL is Disabled
1 2 3 4 | service mysql status * mysql.service - MySQL Community Server Loaded: loaded (/lib/systemd/system/mysql.service; disabled; vendor preset: enabled) Active: inactive (dead) |
Yep
Test access to the database server in PHP code
Add to dbtest.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 | <em>SELECT guid FROM wp_posts</em>()<br /> <ul><?php //External IP (charged after quota hit) //$servername = 'db.yourserver.com'; //Private IP (free) //$servername = '10.x.x.x'; $username = 'username'; $password = '********your*password*********'; $dbname = 'database'; // Create connection $conn = new mysqli($servername, $username, $password, $dbname); // Check connection if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } $sql = 'SELECT guid FROM wp_posts'; $result = $conn->query($sql); if ($result->num_rows > 0) { // output data of each row while($row = $result->fetch_assoc()) { echo $row["guid"] . "<br>"; } } else { echo "0 results"; } $conn->close(); ?></ul> Done |
Check for open ports.
You can install nmap on another server and scan for open ports
Advertisement:
Install nmap
1 | sudo apt-get install nmap |
Scan a server for open ports with nmap
You should see this on a server that has access to see port 3306 (port 3306 should not be visible by non-whitelisted IP’s). Port 3shouldoudl not be seen via everyone.
1 2 3 4 5 6 7 8 9 | sudo nmap -PN db.yourserver.com Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-20 14:15 UTC Nmap scan report for db.yourserver.com (IPv4IP) Host is up (0.0000070s latency). Other addresses for db.yourserver.com (not scanned): IPv6IP Not shown: 997 closed ports PORT STATE SERVICE 3306/tcp open mysql |
You should see something like this on a server that has access to see port 80/443 (a web server)
1 2 3 4 5 6 7 8 9 10 | sudo nmap -PN yourserver.com Starting Nmap 7.40 ( https://nmap.org ) at 2018-07-20 14:18 UTC Nmap scan report for db.yourserver.com (IPv4IP) Host is up (0.0000070s latency). Other addresses for db.yourserver.com (not scanned): IPv6IP Not shown: 997 closed ports PORT STATE SERVICE 80/tcp open http 443/tcp open https |
I’d recommend you use a service like https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap# to check for open ports. https://hackertarget.com/tcp-port-scan/ is a great tool too.
https://www.infobyip.com/tcpportchecker.php is also a free port checker that you can use to verify individual closed ports.
Hardening MySQL and Debian
Read: https://www.debian.org/doc/manuals/securing-debian-howto/ap-checklist.en.html
Configuring WordPress use the dedicated Debian VM
On the source server that used to have MySQL edit your wp-config.php file for WordPress.
Remove
1 | define('DB_HOST', 'localhost'); |
add (read the update below, I changed the DNS IP to the Private IP to have free traffic)
1 2 3 4 5 6 7 8 | //Oriinal localhost //define('DB_HOST', 'localhost'); //New external host via DNS (Charged after quota hit) //define('DB_HOST', 'db.fearby.com'); //New external host via Private IP (Free) define('DB_HOST','10.x.x.x'); |
Restart NGINX
1 2 3 | sudo nginx -t sudo nginx -s reload sudo systemctl restart nginx |
Restart PHP-FPM
1 | service php7.2-fpm restart |
Conclusion
Nice, I seem to have shaved off 0.3 seconds in load times (25% improvement)
Update: Using a Private IP or Public IP between WordPress and MySQL servers
After I released this blog post (version 1.0 with no help from UpCloud) UpCloud contacted me and said the following.
1 2 3 4 5 6 7 8 9 10 | Hello Simon, I notice there's no mention of using the private network IPs. Did you know that we automagically assign you one when you deploy with our templates. The private network works out of the box without additional configuration, you can use that communicate between your own cloud servers and even across datacentres. There's no bandwidth charge when communicating over private network, they do not go through public internet as well. With this, you can easily build high redundant setups. Let me know if you have any other questions. -- Kelvin from UpCloud |
I will have updated my references in this post and replace the public IP address (that is linked to DNS record for db.fearby.com) and instead use the private ip address (e.g 10.x.x.x), your servers private IP address is listed against the public IPv$ and IPv6 address.
I checked that the local ufw firewall did indeed allow the private IP access to MySQL.
1 2 | sudo ufw status numbered |grep 10.x.x.x [27] 3306 ALLOW IN 10.x.x.x |
On my new Debian MySQL server, I edited the file /etc/mysql/my.cnf and changed the IP to the private IP and not the public IP.
Now it looked like
1 2 3 4 5 6 7 8 9 10 | [mysqld] user = mysql pid-file = /var/run/mysqld/mysqld.pid socket = /var/run/mysqld/mysqld.sock port = 3306 basedir = /usr datadir = /var/lib/mysql tmpdir = /tmp language = /usr/share/mysql/English bind-address = 10.x.x.x |
(10.x.x.x my Debian servers private IP)
On my WordPress instance, I edited the file /www-root/wp-config.php
I added the new private host
1 2 3 4 5 6 7 8 | //Oriinal localhost //define('DB_HOST', 'localhost'); //New external host via DNS (Charged after quota hit) //define('DB_HOST', 'db.fearby.com'); //New external host via Private IP (Free) define('DB_HOST','10.x.x.x'); |
(10.x.x.x my Debian servers private IP)
Alos on Debian/MySQL ensure you have granted access to the private IP of the WordPress server
Edit /etc/host.allow
Add
1 | mysqld : 10.x.x.x : allow |
Restart MySQL
1 | sudo systemctl restart mysql |
TIP: Enable UpCloud Backups
Do setup automatic backups (and or take manual backups). Backups are an extra charge but are essential IMHO.
Troubleshooting
If you can’t access MySQL log back into MySQL
1 | mysql --host=localhost --user=root --password=*************************************************************************** |
and run
1 | GRANT ALL PRIVILEGES ON *.* TO databaseuser@'%' IDENTIFIED BY '***********sql*user*password*************''; FLUSH PRIVILEGES; |
Reboot
Lower Upload Limits
Don’t forget to lower file upload sizes in NGINX and PHP (e.g 2M) now that the database has been restored.
I hope this guide helps someone.
TIP: Sign up to UpCloud using this link to get $25 free UpCloud VM credit.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
Advertisement:
Revision History
v1.6 Changed Public IP use to private IP use to ensure we are not charged when the serves sage goes over the quota
v1.5 Fixed 03 type (should have been 0.3)
v1.4 added disable nginx info
v1.3 added https://www.infobyip.com/tcpportchecker.php
v1.1 added https://hackertarget.com/tcp-port-scan/
v1.0 Initial Post
This is a short post with General Privacy, Data Protection Regulation (GDPR) information for WordPress bloggers.
Advertisement:
Note: This is not legal advice, just late minute information on current opinions and facts around GDPR.
fyi: Read my guide on the awesome UpCloud VM hosts (get $25 free credit by signing up here).
Facebook, Google, Whatsapp and Instagram are facing lawsuits for failing to comply with GDPR, Europe’s sweeping new data protection law.
Facebook, Google, Whatsapp and Instagram are facing lawsuits for failing to comply with GDPR, Europe’s sweeping new data protection law https://t.co/o7FyX0fspI
— CNN (@CNN) May 25, 2018
It is GPRD Compliance Eve and there are loads of last-minute GDPR activity.
Official European Commission resources on GRDP
What are your new #dataprotection rights? What is the right to be forgotten?
Our official website provides you with more information → https://t.co/h0rqJaHqJt #GDPR pic.twitter.com/VLhWzOUzR6— European Commission ?? (@EU_Commission) May 25, 2018
Some US News sites are blocking Europeans
GDPR: US news sites blocked to EU users over data protection rules https://t.co/G0g5U0eqM1
— BBC Technology (@BBCTech) May 25, 2018
Legal Teams are up late
shout out to the legal teams pushing their GDPR-driven privacy policy updates out at the last minute pic.twitter.com/afSAT2egyf
— Patrick Donahue (@prdonahue) May 25, 2018
First Lawsuits are filed
Under #GDPR, Schrems files legal cases worth €7bn against Facebook https://t.co/eQtbptLl09
— Irish Times Business (@IrishTimesBiz) May 25, 2018
Should you panic?
No.
If you want a good summary for GDPR for bloggers – does it apply to you and how to comply then read this.
Also, Wikipedia has a good article.
wpbeginner.com has an Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know
Read wpbeginners.com’s summary of what GDPR is?
The General Data Protection Regulation (GDPR) is a European Union (EU) law taking effect on May 25, 2018. The goal of GDPR is to give EU citizens control over their personal data and change the data privacy approach of organizations across the world.
Are there fines?
Basically after May 25th, 2018, businesses that are not in compliance with GDPR’s requirement can face large fines up to 4% of a company’s annual global revenue OR €20 million (whichever is greater). This is enough reason to cause wide-spread panic among businesses around the world.
First, there will be warnings, then reprimands then Suspension then Fines and more.
Does GDPR apply to my WordPress site?
The answer is YES. It applies to every business, large and small, around the world (not just in the European Union).
If your website has visitors from European Union countries, then this law applies to you.
But don’t panic, this isn’t the end of the world.
While GDPR has the potential to escalate to those high level of fines, it will start with a warning, then a reprimand, then a suspension of data processing, and if you continue to violate the law, then the large fines will hit.
Read more at Ultimate Guide to WordPress and GDPR Compliance – Everything You Need to Know
But warning are issued before fines are given.
What can you do?
But the takeaway is, don’t create a website (then be lazy) and abuse users private data or be lazy with security.
My blog hosts (Vultr) GDPR information
I instaled a GDPR Cookie Concent WordPress Plugin
I used the WP-CLI plugin install GDPR Cookie plugin for the command line. View the developer site here.
1 2 3 4 5 6 7 8 9 | # Visited the WP Plugin page and got the URL for the latest plugin version # https://wordpress.org/plugins/cookie-law-info/ # Connect to my server via SSH cd /www-root cd wp-content/plugins/ wget https://downloads.wordpress.org/plugin/cookie-law-info.1.5.5.zip unzip cookie-law-info.1.5.5.zip unzip -r cookie-law-info.1.5.5.zip rm -R cookie-law-info.1.5.5.zip |
I then activated the plugin and configured it.
Cookie bot alos have a great page on GDRP here.
I edited the following Privacy/GDRP placeholder files.
1 2 3 4 5 6 | cd /www-root # Made a reject cookies placeholder sudo nano rejectcookies.html # Made a privacy placeholder sudo nano privacy.html |
I should have skipped creating a privacy.htm page as WordPress v4.9.6 has a Privacy Page Generator. Nice
Goto tour sites Dashboard, click Settings then Privacy. Create a new page, fill in the blanks and publish it.
I read MailChimp GDPR Advice as I had a few lists wih private data
More to come. Lets get back to those GDPR emails
Trying to delete #GDPR emails like… pic.twitter.com/eZpqSS2OVF
— H3roes&Vi1lains (@H3roesVi1lains) May 25, 2018
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.1 Cookie Bot GDPR Link
v1.0 Initial post
This is a simple guide that demonstrates how you can log in to a host that offers the CPanel tools to backup all of your website files (and databases). Backing up your website should be done often and especially before you migrate to any another website host. I used to change hosts every few years (they don’t own your site, you do).
Advertisement:
I have a number of guides on moving away from CPanel, setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line copying files to a server via command line editing remote files locally etc but how do you manage a website with CPanel?
You can normal login to CPanel tools on a shared host by loading www.yourdomainnam.com/cpanel (failing that login to your domain hosts web GUI and find your CPanel interface there).
Step 1: Login to your Host
Login to your web host
Step 2: Find your CPanel Interface
Hosts are a bit different but in this case, I just click my domain to find the CPanel link.
I found it, I clicked the CPanel login.
Step 3: CPanel Applications
CPanel does offer good tools to manage your websites like web-based File Manager and Database tool called phpMyAdmin.
Aside: CPanel/Hosts Downsides
The thing I don’t like about hosts that offer CPanel is they usually limit delivery of your website to extract more money. Nothing worse than receiving Resource Limit Is Reached errors.
Also shared hosts usually lag way behind in newer software versions like PHP and MySQL (this is a security concern).
TIP: You can scan your site for vulnerabilities using Qualsys Freescan, Zap or Kali Linux.
Here is a security scan of a shared host (with CPanel) that I was using in 1999. Note the high vulnerabilities and old version of Linux.
Also, a shared host will often overcharge you (e.g $150 a year) for a poorly configured SSL certificate.
This was an SSL cert I paid $150 a year for (evaluated with SSL Labs SSL Test) on a shared host with CPanel.
Aside: Self Managed Upsides
After I moved my domain to a self-managed virtual machine I migrated WordPress, set up a free SSL certificate, sped up my site with a CDN, setup Cloudflare, setup better TLS security etc
When you manage your own server you can install a free SSL certificate in under 1 minute.
Below is my SSL certificate. A strong SSL certificate will increase search engine traffic
Aside: Compare Shared host speed v Self Managed
FYI: https://gtmetrix.com/ is a great site for measuring the speed of a website (shared of self-managed). I found great speed improvements after moving away from a host offering CPanel, tweaking the server and setting up cloudflare. A self-managed server will allow you to tweak anything you want.
GTMetrix results:
I like how self-managed servers allow you to scale the server’s resources yourself, move servers or add storage etc.
Aside: SSL Certificate
If you have an SSL cert you should test it often as vulnerabilities pop up from time to time.
FYI: All sites will soon require an SSL certificate to be sent traffic from search engines (no SSL = lower traffic).
SSL Test my site: https://dev.ssllabs.com/ssltest/analyze.html?d=fearby.com&s=104.27.154.69
Now enough with the self-managed serve asides and back to how to backup your website with CPanel tools.
Step 4: Backup your web files in CPanel
Use the File Explorer app in CPanel
Highlight all files that you want to backup (highlight everything but not past backup files).
View the files to compress summary
Click Compress Files(s) and view the backup progress
You can now download the backup zip file in your browser (click the file and click Download).
Download Progress.
Step 5: Backup your database in CPanel
Now we need to backup any MySQL database(s) that may be used by WordPress
Open the phpMyAdmin app in CPanel.
FYI: Alternatively, you can use a free tool called Adminer to backup and restore our database.
Click your WordPress database (on the left). You can identify your current WordPress database by opening the wp-config.php file.
The first step is to perform an online cold backup of the WordPress database.
Now you have an online cold spare that you can use just in case the original database corrupts itself. You can rename the database or configure WordPress to point to this new database if need be.
Now let’s download a copy of the database (Repeat for multiple databases).
You should now have a backup of your website in a zip file and an export of your database in a .sql text file, SQL files can be re-imported to databases later.
TIP: Backup often.
I hope this guide helps someone.
Ask a question or recommend an article
Revision History
v1.0 Initial post
A recent trend with some WordPress Plugins (and Google Chrome Extensions) is malicious parties will purchase existing plugins (extensions) and inject malicious code into new versions to infect sites and software, this is called “Supply Chain Attacks”. This is a personal unpaid review of Gravity Scan.
Advertisement:
Update Feb 2018: Gravity Scan is shutting down 🙁
Recently WordFence wrote a blog post about Supply Chain Attacks found cases where older plugins are being purchased by malicious people in order to infect WordPress sites. WordPress CMS apparently runs 29% of the websites on the internet. Wordfence is a firewall and Gravity Scan is vulnerability scanner, they complement each other.
I have blogged here about setting up WordPress via Command line and setting up an Ubuntu server for as low as 42.5 a month on Vultr.
What can you do to protect your WordPress sites from “Supply Chain Attacks”? First, install the WordFence plugin (I blogged about it here). Wordfence gives you a great set of security settings and reports to keep your site safe. The Wordfence dashboard page on your site is a good place to stay up to date.
WordFence is a Firewall, Gravity scan is a vulnerability and malware scanner. Read more here.
Gravity Scan
Gravity scan is also made by the WordFence people to enable external audits and reports.
Sign up at https://www.gravityscan.com/ Verify your email and log in.
At login, you will be prompted to add a domain.
Scan
tip: You may want to whitelist Gravity scan servers. Read my guide about securing Ubuntu in the cloud.
1 | sudo ufw allow from 68.64.48.0/27 to any port 443 |
A site scan will automatically be started.
Scan Results
Post Scan Actions
Speed Up future scans by downloading the Install Gravity Scan Accelerator (by clicking “Not instaled” under “Accelerator” in scan results) and follow the instructions to download, upload and verify the accelerator.
Read the Gravity Scan Accelerator Install Instructions here.
tip: I had to run the following command to make the
1 | sudo chown www-data.www-data /www/gravityscan-agent-#############################################.php |
I also clicked “Trust Badge” link and added the script code to my site and verified it.
I now have a scan badge in my site footer.
Future scans are all good to go.
New Scan Options
It looks as if the accelerator gives more server-side verifications of checks of WordPress and PHP versions etc.
Go Pro
Gravity Scan also offers a non-free (paid) version where you can enable more options, enable scan schedules and set up SMS alerts and more for $4.95 a month per site.
To be honest I am happy with performing manual scans and I’d rather pay for a premium WordFence subscription first.
The Catch
Hang on Gravity scan requires a Pro membership to see High and Critical issues 🙁
I decided not to go pro to reveal issues.
A few months later
I started receiving scan results with severity Critical (but I can’t see results until I start a trail (and enter payment details)).
Time to start a trial
I started a trial and full details were shown, the critical error was my fault
Critical Issue
This was my fault, I left a previous version of WordPress in a subfolder from when I moved the site to a self-managed server. A quick few Linux commands later (removed) and this was fixed.
High Issue
Publically accessible file (fixed with a chmod command)
Current Scan Results
Remote Scan Options
Daily Scans, Alter levels, Malware, Vulnerability and status checks. Definitely, install the Accelerator as it found my local backup of WordPress.
Pros
Cons
More to come.
More Reading
Hope this helps someone.
Donate and make this blog better
Ask a question or recommend an article
Revision History
V.1.5 Gravity Scan shutting down
v1.4 Added remote scan options
v1.3 Pros and Cons and current results.
v1.2 Added more
v1.1 Fixed a few issues
v1.0 Initial Version