Web Served, part 5: A blog of your own
- Thread starter JournalBot
- Start date
The warning about the Wordpress plugins is one I've said myself many times. Be very, very wary of poorly written plugins. There are stories all over the web about servers being compromised because these plugin authors don't know the first thing about writing secure code.
Upvote
8
(8
/
0)
Why have you spent all this time hardening a server.. then installed the most common vulnerability on the web?
Upvote
-7
(3
/
-10)
Back when I used to work for Hostgator, I have seen hundreds upon hundreds of blogs that were owned, compromised and rooted by exploits from poorly-written modules and plugins.
I've also seen many more crash servers from overloading them. People loading 50+ plugins and wondering why it keeps on crashing things.
"Wordpress is an unauthenticated shell that, as a useful side feature, also contains a blog."
I've also seen many more crash servers from overloading them. People loading 50+ plugins and wondering why it keeps on crashing things.
"Wordpress is an unauthenticated shell that, as a useful side feature, also contains a blog."
Upvote
7
(7
/
0)
I've been trying to keep up with this article. Just curious, and forgive me if I overlooked it, but will there be a part on how to transfer a domain name to your home-hosted solution?
Also Drupal FTW! : )
Also Drupal FTW! : )
Upvote
2
(2
/
0)
It is fair say the platform itself is a security problem, because the platform defines the boundaries of the plugins.
Similar to Windows which is attempting not just to improve it's own security, but also to strengthen application and plugin boundaries.
It's on the platform people to do this as much as it is the plugin writers.
Similar to Windows which is attempting not just to improve it's own security, but also to strengthen application and plugin boundaries.
It's on the platform people to do this as much as it is the plugin writers.
Upvote
-1
(1
/
-2)
I for one appreciate the tips on Wordpress - I had to install a simple hosted website in a very quick fashion a few months ago, and no surprise (in hindsight), it was hacked fairly recently.
I chose Wordpress as it gave us the ability to have a good looking website quickly, and with that website being something that could be updated by anyone in our org, even admins (administrative, not sys) if necessary.
Basically signed up to say "thanks" to Lee for a very helpful series. Not everything applies as I'm in a hosted environment, but plenty does.
I chose Wordpress as it gave us the ability to have a good looking website quickly, and with that website being something that could be updated by anyone in our org, even admins (administrative, not sys) if necessary.
Basically signed up to say "thanks" to Lee for a very helpful series. Not everything applies as I'm in a hosted environment, but plenty does.
Upvote
2
(2
/
0)
Thank-you, Lee. This series is superb. The security tips (and the explanation of the reasoning behind them) are very interesting and valuable.
Upvote
1
(1
/
0)
WordPress is great for end users who want to get blogging quickly and want to have more variety in themes and widgets than a hosted blog, like Blogger. Unfortunately, it is prone to security problems, and it's not really designed to be a full-fledged CMS. There are plugins and updates that turn it into just about anything (e-commerce... really?), but it was never designed to be those things.
As a developer, my disdain for WordPress stems from how it's written under the hood. Frequent use of globals, application and display logic mashed together.... The platform really shows its age. Coming from an MVC environment, it can be frustrating to deal with.
Of course, I've never been a fan of pre-made CMS software anyway. They never tend to do exactly what I need, and I always feel like the amount of time necessary to learn how they work and hack their internals could be better spent writing a focused (but extensible) system of my own. Part "Not Invented Here," part "I don't want to have to learn yet another system."
As a developer, my disdain for WordPress stems from how it's written under the hood. Frequent use of globals, application and display logic mashed together.... The platform really shows its age. Coming from an MVC environment, it can be frustrating to deal with.
Of course, I've never been a fan of pre-made CMS software anyway. They never tend to do exactly what I need, and I always feel like the amount of time necessary to learn how they work and hack their internals could be better spent writing a focused (but extensible) system of my own. Part "Not Invented Here," part "I don't want to have to learn yet another system."
Upvote
-1
(0
/
-1)
Just noticed that there appears to be a missing "}" at the end of the /blog/ location block on page two:
location /blog/ {
try_files $uri $uri/ /blog/index.php?$args;
allow 192.168.1.0/24;
allow 127.0.0.1;
deny all;
<------------------------------ should be } here?
location ~ /blog/.*\.php$ {
allow 192.168.1.0/24;
allow 127.0.0.1;
deny all;
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php5-fpm-sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
location /blog/ {
try_files $uri $uri/ /blog/index.php?$args;
allow 192.168.1.0/24;
allow 127.0.0.1;
deny all;
<------------------------------ should be } here?
location ~ /blog/.*\.php$ {
allow 192.168.1.0/24;
allow 127.0.0.1;
deny all;
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php5-fpm-sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_intercept_errors on;
}
Upvote
0
(0
/
0)
Good eye, sir--fixed. Sometimes cutting and pasting sections of code gets a little messy.Steveysteve":1x9vl1eq said:
No, but it can certainly be beaten into shape with great effectiveness. For example, look at this page's HTTP headers.
Upvote
2
(2
/
0)
David Trest":1hqosb68 said:
"You mean I'm not supposed to run Wordpress with 200 plugins, a dozen of which are SEO-related and do active indexing all the time?!? sir plz, fix this for me! It is cutting into the $2000 per hour I make with my site!"
I wish I were joking about this. He who has not been turned into a BOFH after working any significant time supporting Wordpress/Joomla/Magento/etc. in even the most basic way is not a human being and may want to see a doctor to make sure that they're not some kind of robot.
Upvote
0
(0
/
0)
Pokrface":30bq1rew said:
Has Ars always been on WordPress? Asking out of pure curiosity.
---
I know that as a PHP developer I should learn WP (premium themes seems like a decent way to make some side cash), but every time I actually look at the code under the hood, my eyes cross. It's like wading into the year 2004.
Upvote
1
(1
/
0)
KevinM1":2ei1bmf0 said:
I always thought this, but actually being forced to do it in my current job, I say STAY AWAY. The code really is that bad, and I have to deal with the aftermath of hacks and exploits on a weekly basis. Use your time to learn something new and worthwhile like RoR or if you must stick with PHP, http://getsymphony.com
Upvote
1
(1
/
0)
The barrier to entry for any software written in PHP is too low and most of the PHP code available reflects that. Our security people won't let us deploy PHP on the internet, it is THAT bad.
Suggesting that people deploy their blog using a PHP solution is doing them a diservice - pretty much anything except PHP should be used unless the blog will be professionally managed.
Sure, all the popular software languages have security issue, but most will not ship a version with an already known critical security bug inside ... except 1. It is hard enough to create a reasonably secure web presence without the core software including known exploits.
The other programming language teams like Perl, Python and Ruby seem to take security more seriously. Each has issues, but the community works to quickly address them.
Still, nobody is perfect and for someone knew to blogging, paying a professional to manage your server for you (not the cheapest bid either), is probably a good idea. The way you know if they are good - do they suggest updating the software stack weekly? Yes, it needs to be addressed THAT quickly.
Suggesting that people deploy their blog using a PHP solution is doing them a diservice - pretty much anything except PHP should be used unless the blog will be professionally managed.
Sure, all the popular software languages have security issue, but most will not ship a version with an already known critical security bug inside ... except 1. It is hard enough to create a reasonably secure web presence without the core software including known exploits.
The other programming language teams like Perl, Python and Ruby seem to take security more seriously. Each has issues, but the community works to quickly address them.
Still, nobody is perfect and for someone knew to blogging, paying a professional to manage your server for you (not the cheapest bid either), is probably a good idea. The way you know if they are good - do they suggest updating the software stack weekly? Yes, it needs to be addressed THAT quickly.
Upvote
0
(0
/
0)
Granite Octopus":1vuny6ph said:
Yeah, I've started to use Symfony for my projects. Aside from inaccurate/misleading docs (which I guess is to be expected from a FOSS framework), it's pretty solid.
I have some books on Ruby and Rails, but haven't had the time to do much more than install RVM (which I guess may not be the ideal solution any longer) and write a Hello World. Oh, and install SASS (which is awesome).
Upvote
0
(0
/
0)
I think the Suffusion for WordPress singlehandedly killed my need for pretty much ever other add-on I'd used or considered using. There are just so many things WordPress doesn't do where the two options used to be trust Jim and Bob's orphaned plug-in or write your own.
For all of the talk about hardening the system and cautions against running plugins, what about some discussion about page caching?
For all of the talk about hardening the system and cautions against running plugins, what about some discussion about page caching?
Upvote
0
(0
/
0)
The entire last section of the article is on how to set up Batcache to do just that, using APC as its backing store so you don't have to configure an additional instance of memcached.RGutiarrez":1cq7clpq said:
Bigger caching plugins are highly overrated. If you need the level of performance that W3 Total Cache or WP Super Cache say they deliver, you're better off biting the bullet and setting up varnish. It'll outperform them both, and there's a WP plugin to handle seamlessly purging stale objects.
Upvote
2
(2
/
0)
Great work Lee!
Can you configure aptitude (or others) to auto-update? And, is there a way to auto-update WordPress (and plug-ins)?
If not, I suppose a good alternative could be subscribing to an update emailing list.
Can you configure aptitude (or others) to auto-update? And, is there a way to auto-update WordPress (and plug-ins)?
If not, I suppose a good alternative could be subscribing to an update emailing list.
Upvote
1
(1
/
0)
yokimbo":3ryvid31 said:
look for cron-apt for system updates. As the hypothetical user in this article downloaded Wordpress from a third party source, you'd have to run cron weekly with a script to have it auto-update. I don't really understand some of the choices in this series, such as straying from the repositories, which negates all of Umbongo's advantages, but you know...
Upvote
0
(0
/
0)
Upvote
0
(0
/
0)
KevinM1":3n2ksl26 said:
Symfony is a completely different project to Symphony
They started around the same time, the name dispute hasn't really been a dispute, more of a "the grass is greener on the other side" grumble.Both are good though!
Upvote
1
(1
/
0)
For a single user server hosting a single site, I am. As I'm sure you know (since you obviously know enough to ask!), once applications get tossed into the mix it's not always obvious what files within the web hierarchy need to be written to and which don't; having the whole web root readable and writable to owner & group simplifies that. The fact that the web root is writable by the www-data user doesn't buy an external attacker very much; it becomes a factor during a compromise, though.sporkme":2v6xl2ts said:
I'd say that the way to go the extra mile here isn't just to remove write permissions except where necessary, but to also go ahead and chroot nginx and php-fpm. Unfortunately, this is an annoying amount of work, both to set up and also to maintain, and it's definitely overkill for a little personal closet server.
Upvote
0
(0
/
0)
Great tutorial. I use basic hosting with cPanel and some hacks to prevent the wp-admin from appearing and it was only couple of months ago so I completely forgot what exactly I did. But I'm realizing how creative you an get with this that one may find a a positive outcome or a negative step to an improperly made site. Why is it that all of this code and commands are being shown but on cPanel it's all find and dandy and through the majority of gui usage? Btw... when are we gonna read the next topic on SEO, keyword research, and organic growth of content sites like Ars is doing so we could learn a bit heh? How about link Ars readers' blogs? =)
Upvote
0
(0
/
0)
Upvote
0
(0
/
0)
When it comes to deciding whether or not you would like the capability to remotely administer and post to your blog, you can have your cake and eat it too.
You have just set up a linux server, so you almost certainly have sshd running.
https://wiki.archlinux.org/index.php/Secure_Shell
Change your sshd config so that you can forward ports with the "AllowTcpForwarding" entry. Then you can run an ssh command like ssh -L [localport]:127.0.0.1:[remoteport] user@serveraddy (or equivalent PuTTY GUIness). Now, when you browse to http://localhost:[localport], your traffic passes through your linux host (and stays on it, because you designated 127.0.0.1 as the destination server for that port forward).
Now, for the length of the session, your traffic appears to be coming from the local machine, regardless of where you are in the world, and everything from your login credentials to your content is all cryptographically secured by the SSH tunnel. You can restrict yourself to local administration, but act like a local anywhere.
The only other thing you have to change is your listen directive in Nginx to make sure that you can connect to your page from your local machine with the loopback address, 127.0.0.1.
**EDIT: Also, please Google the timthumb exploit and protect yourself accordingly. There are some great security plugins out there that can help you with this and other common exploits. None of the above matters if you let people get shell with a vulnerability in some PHP.
You have just set up a linux server, so you almost certainly have sshd running.
https://wiki.archlinux.org/index.php/Secure_Shell
Change your sshd config so that you can forward ports with the "AllowTcpForwarding" entry. Then you can run an ssh command like ssh -L [localport]:127.0.0.1:[remoteport] user@serveraddy (or equivalent PuTTY GUIness). Now, when you browse to http://localhost:[localport], your traffic passes through your linux host (and stays on it, because you designated 127.0.0.1 as the destination server for that port forward).
Now, for the length of the session, your traffic appears to be coming from the local machine, regardless of where you are in the world, and everything from your login credentials to your content is all cryptographically secured by the SSH tunnel. You can restrict yourself to local administration, but act like a local anywhere.
The only other thing you have to change is your listen directive in Nginx to make sure that you can connect to your page from your local machine with the loopback address, 127.0.0.1.
**EDIT: Also, please Google the timthumb exploit and protect yourself accordingly. There are some great security plugins out there that can help you with this and other common exploits. None of the above matters if you let people get shell with a vulnerability in some PHP.
Upvote
2
(2
/
0)
This site is ummm running on Wordpress. Go ahead and hack it supergenius.elh":1zd3lxdx said:In general "securing wordpress" is an oxymoronflash__":1zd3lxdx said:
Upvote
0
(1
/
-1)
elkoraco":1ru9hxtv said:
I'd really like to hear an answer to this. For a server sitting my home closet, keeping up to date on non-repository, internet-facing software is extremely burdensome. Companies have teams of people responsible for their website, but a single person goes on vacation and forgets to do things. Something like cron-apt is vital for the home server. Also, one doesn't haven't to sign up for too many security update email lists before the email quantity becomes unpleasantly large.
I'm enjoying the series! Keep them coming.
Upvote
0
(0
/
0)
We're keeping the quantity of non-repo stuff as small as possible; currently, it's limited to the SQL admin tool (and you can use phpmyadmin from a repo if you really, really want to, though that means you're using phpmyadmin) and WordPress itself. Nginx, PHP-FPM, and mariadb all come from repos.GmbH9":2gfco39y said:
The web apps we're going to get running are WordPress, Vanilla, and MediaWiki. I don't think there's a repo for Vanilla, and with WordPress and MediaWiki, installing them directly instead of via a repo means security updates are available faster. You also get a lot more flexibility with the install location, and the web server configuration is a bit less convoluted (consolidated web roots, fewer locations).
Keeping your stuff up to date is the user's ultimate responsibility. Whether you're running on hosted services or in your closet, you still need to ensure everything is updated. Zero-day vulnerabilities don't blow up most sites--old security holes do.
Upvote
0
(0
/
0)
You have bad commenting system, but Disqus is even worse.
If you've ever commented on Engadget you'll know what I'm talking about.
By the way, excellent article. And I'm already using the previous ones for setting up my home server.
If you've ever commented on Engadget you'll know what I'm talking about.
By the way, excellent article. And I'm already using the previous ones for setting up my home server.
Upvote
0
(0
/
0)
Pokrface":krhx64op said:
A fairly OK middle ground with WP is to leave wp-content owned by the www user. That leaves the core of WP untoucable but still allows for uploading content (the "uploads" dir), themes and plugins without being presented with the ftp dialog. At least if you get hacked by some crappy plugin or theme (yes, beware of themes!), you have some confidence that your problems reside in wp-content. Your config options for nginx that block running php in uploads is really excellent, I think many of the common hacks have relied on executing things in the upload dir.
Having the rest of WP owned by someone else also means that any other web apps you might have installed will not be able to scribble around random parts of your WP install if they are compromised.
In short, if someone did really want to protect themselves a bit further, this is an option:
-create a user that you will use for managing your content (not your normal login account!)
-enable ftp, only allow from localhost
-chown the entire WP install except for wp-content/uploads to that user
-use WP's "ftp to itself" function when adding themes, plugins or updates
-look for crappy plugins that by default try writing stuff in places they shouldn't
Pokrface":krhx64op said:
I imagine chrooting would be quite a project, and it still wouldn't save you from a buggy php script overwriting something it has permissions to overwrite. It would save you from having say, WP going over and screwing with other web apps where the www user has write permissions.
One thing readers might find interesting is to google around for the whole "tim thumb" fiasco:
http://markmaunder.com/2011/08/01/zero- ... ss-themes/
This is a great example of how php "copy and paste" coders can really screw things up. Some guy made a small image resizing function. Nothing fancy, it just made thumbnails from uploaded images and it was simple to use. As such, people started copying it. It was used in plugins that needed to create thumbnails, and even more insidious, it was used in many themes to allow users to upload a few theme-specific images and then resize them. "Many" might be a weak word, it was in a shitload of themes.
Once this was discovered by the bad guys, scanning for sites with "timthumb.php" became a hobby and many sites were compromised. timthumb.php was really, really widespread and really easy to find once the attackers starting figuring out which popular themes and plugins used it. Scanning became easy, just look for example.com/wp-content/plugins/some-vulnerable-plugin-name/timthumb.php or example.com/wp-content/themes/some-vulnerable-theme-name/timthumb.php. Very low cost scan, very high possibility of a jackpot. Attackers then upload some silly remote php shell thing, or fill your site with revenue-generating links, or launch a small phishing/spamming operation. And it's all automated...
Anyhow, that's my timthumb rant.
edit: hard to stop this comment system from auto-linking urls, it even grabs oddball stuff like htxxp://example.com/
Upvote
0
(0
/
0)
I have a love/hate relationship with WP. There are some really great ideas in it. And it's not Joomla. In a perfect world, someone would clone the functionality and the most commonly-used wp functions while gutting the code that makes it go.
This is a very nice gem I found while working on something:
http://uproot.us/projects/cfs/
It's based on "Advanced Custom Fields", which puts a user-friendly face on "custom fields". You gain a post/page edit screen that can include an arbitrary number of additional fields (single-line text, textbox, image upload, etc.) which are easily accessed in your page/post template files. It's quite simple, but really helps make WP a bit more CMS-like. You can do crazy stuff by putting divs and other markup in the default single textbox that WP offers, but that's a total hack if any "normal" people will be maintaining the site.
This is a very nice gem I found while working on something:
http://uproot.us/projects/cfs/
It's based on "Advanced Custom Fields", which puts a user-friendly face on "custom fields". You gain a post/page edit screen that can include an arbitrary number of additional fields (single-line text, textbox, image upload, etc.) which are easily accessed in your page/post template files. It's quite simple, but really helps make WP a bit more CMS-like. You can do crazy stuff by putting divs and other markup in the default single textbox that WP offers, but that's a total hack if any "normal" people will be maintaining the site.
Upvote
0
(0
/
0)
Thanks for a great series. A section on setting up varnish would be interesting, I realize it might be overkill for a home server, but still. As to wordpress as a CMS: I've worked with it for years and have dozens of websites running on it, but I've decided that I won't use it anymore unless I'm forced to, or it actually is a blog I'm working on.
Too many flaws in the system: user management / permissions, security issues, code quality, the way it dictates how markup gets put out, inflexibility in general.
Custom fields are pretty good unless you try to mix them with other post types in a page hierarchy.
Too many flaws in the system: user management / permissions, security issues, code quality, the way it dictates how markup gets put out, inflexibility in general.
Custom fields are pretty good unless you try to mix them with other post types in a page hierarchy.
Upvote
0
(0
/
0)
I've got a pretty big blog post on configuring Varnish on top of Nginx, along with a run-through of my working configuration. I likely won't be able to do an entry in this series, unfortunately, but it's a neat thing to learn about.
I completely agree that it's overkill for a closet server, but as with everything else in this series, there's tremendous practical value in the learning of it.
I completely agree that it's overkill for a closet server, but as with everything else in this series, there's tremendous practical value in the learning of it.
Upvote
1
(1
/
0)
- Status