Find and block unsafe content on your WordPress installation

For some reason, my WP installation decided to load some files via HTTP instead of HTTPS.

To find out which file it is, I used the JavaScript console.

It’s wp-emoji in this case, and I don’t use emojis on my site, so I decided to block it by adding this to my theme’s functions.php:

remove_action( 'wp_head', 'print_emoji_detection_script', 7 );
remove_action( 'wp_print_styles', 'print_emoji_styles' );
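
The same check can be run over saved page source instead of the browser console. This is an added example, not code from the original post: the function name is hypothetical and the sample markup (host `blog.example`) is constructed. It also looks for JSON-escaped `http:\/\/` URLs inside inline scripts, which is the form script-injected loaders such as wp-emoji take.

```javascript
// Added example: list subresources a page would load over plain http://.
const TAG = /<(script|img|iframe|link|source|audio|video|embed)\b[^>]*>/gi;
const URL_ATTR = /\b(?:src|href)\s*=\s*["'](http:\/\/[^"']+)["']/i;
const STYLESHEET = /\brel\s*=\s*["']?stylesheet\b/i;
// URLs embedded in inline JavaScript/JSON are usually escaped as http:\/\/...
const ESCAPED_URL = /http:\\\/\\\/[^"'\s<]+/gi;

function findInsecureReferences(html) {
  const findings = [];
  for (const tag of html.matchAll(TAG)) {
    const kind = tag[1].toLowerCase();
    // <link> only loads a subresource when it is a stylesheet;
    // rel="canonical" and similar are metadata, not mixed content.
    if (kind === 'link' && !STYLESHEET.test(tag[0])) continue;
    const attr = URL_ATTR.exec(tag[0]);
    if (attr) findings.push({ kind, url: attr[1] });
  }
  for (const m of html.matchAll(ESCAPED_URL)) {
    // Undo the JSON escaping so the URL reads like the one in the console.
    findings.push({ kind: 'inline-script', url: m[0].replace(/\\\//g, '/') });
  }
  return findings;
}

// Constructed sample: one insecure image, one insecure script URL hidden in
// inline settings, plus a canonical link and an <a> that must not be reported.
const sampleHtml = String.raw`<html><head>
<link rel="canonical" href="http://blog.example/">
<link rel="stylesheet" href="https://blog.example/wp-content/themes/t/style.css">
<script>window._wpemojiSettings = {"source":{"concatemoji":"http:\/\/blog.example\/wp-includes\/js\/wp-emoji-release.min.js"}};</script>
</head><body>
<a href="http://other.example/">link</a>
<img src="http://blog.example/wp-content/uploads/logo.png">
</body></html>`;

for (const f of findInsecureReferences(sampleHtml)) {
  console.log(`${f.kind}: ${f.url}`);
}
```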

How to connect to MySQL / MariaDB using Node.js (the right way)

Use a connection pool. It helps:

  • Conserve resources: connections are recycled
  • Better reliability: it automatically reconnects when there’s a problem

How? Simple: instead of creating a connection, just create a pool. It’s designed as a drop-in replacement for client.query().

var mysql = require('mysql');
var pool  = mysql.createPool({
  connectionLimit : 10,
  host            : 'example.org',
  user            : 'bob',
  password        : 'secret',
  database        : 'my_db'
});

pool.query('SELECT 1 + 1 AS solution', function (error, results, fields) {
  if (error) throw error;
  console.log('The solution is: ', results[0].solution);
});

is a shorthand for

var mysql = require('mysql');
var pool  = mysql.createPool(...);

pool.getConnection(function(err, connection) {
  if (err) throw err; // not connected!

  // Use the connection
  connection.query('SELECT something FROM sometable', function (error, results, fields) {
    // When done with the connection, release it.
    connection.release();

    // Handle error after the release.
    if (error) throw error;

    // Don't use the connection here, it has been returned to the pool.
  });
});

Workaround to make sub-subdomains useful on Cloudflare

As any seasoned webmaster may know, Cloudflare’s free SSL certificate, while convenient for most use cases, is very restrictive in edge cases. For example, when you want have.a.vanity.url.com for your website, Cloudflare won’t work (only the vanity.url.com part is permitted).

What can you do, other than paying Cloudflare $10 / month for a custom-made edge certificate?

You can set up a URL forwarding rule like this:

  1. Log into your Cloudflare account.
  2. From the dropdown menu on the top left, select your domain.
  3. Click the Page Rules app in the top menu.
  4. When adding a new page rule, enable Forwarding.
  5. Enter the destination URL and select the forwarding type.

Forwarding examples:

Example forwarding to Google+:

Imagine you have a Google+ profile and you want to make it easy for anyone to get to it simply by going to a URL like:

    *www.example.com/+

    *example.com/+

This pattern will match:

    http://example.com/+
    http://www.example.com/+
    https://www.example.com/+
    https://blog.example.com/+
    https://www.blog.example.com/+
    Etc…

It will not match:

    http://www.example.com/blog/+  [extra directory before the +]
    http://www.example.com+  [no trailing slash]

Once you have created the pattern that matches what you want, click the Forwarding toggle. That exposes a field where you can enter the address you want requests forwarded to.

https://plus.google.com/yourid

If I enter that in the forwarding box and click the Add Rule button, within a few seconds any requests that match the pattern I entered will automatically be forwarded with a 302 Redirect to the new URL.

Advanced forwarding options:

If you use a basic redirect, such as forwarding the root domain to www.yourdomain.com, then you lose anything else in the URL. For example, you could set up the pattern:

    example.com

And have it forward to:

http://www.example.com

But then if someone entered:

    example.com/some-particular-page.html

Then they’d be redirected to:

    www.example.com

Not where you’d want them to go:

    www.example.com/some-particular-page.html

The solution is to use variables. Each wildcard corresponds to a variable which can be referenced in the forwarding address. The variables are represented by a $ followed by a number. To refer to the first wildcard you’d use $1, to refer to the second wildcard you’d use $2, and so on. To fix the forwarding from the root to www in the above example, you could use the same pattern with a wildcard:

    example.com/*

You’d then set up the following URL for traffic to forward to:

http://www.example.com/$1

In this case, if someone went to:

    example.com/some-particular-page.html

They’d be redirected to:

http://www.example.com/some-particular-page.html

Using this, set up a rule like

$1.$2.yourdomain/$3

and forward it to

yourdomain/$1.$2/$3

You can redirect it somewhere else or create a website for it.
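
The wildcard and `$n` behaviour described above can be checked before a rule goes live. This is an added example, not Cloudflare's code or the original post's: it is a simplified model that assumes a pattern without a scheme matches both http and https, that each `*` captures any run of characters, and that the sub-subdomain rule is written with wildcards as `*.*.yourdomain/*`. Function names are hypothetical.

```javascript
// Added example: simplified model of wildcard forwarding rules.
function compileRule(pattern) {
  const hasScheme = /^https?:\/\//i.test(pattern);
  const body = pattern
    .split('*')
    // Escape regex metacharacters so only * acts as a wildcard.
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'))
    .join('(.*)');
  return { hasScheme, regex: new RegExp('^' + body + '$', 'i') };
}

// Returns the forwarding target, or null when the rule does not apply.
function forward(pattern, destination, url) {
  const rule = compileRule(pattern);
  const subject = rule.hasScheme ? url : url.replace(/^https?:\/\//i, '');
  const match = rule.regex.exec(subject);
  if (!match) return null;
  // $1, $2, ... refer to the wildcards in order of appearance.
  return destination.replace(/\$(\d+)/g, (_, n) => match[Number(n)] ?? '');
}

// Defensive check: a $n in the host part of the destination would let the
// requested URL choose which host the visitor is redirected to.
function destinationHostIsFixed(destination) {
  const host = destination.replace(/^https?:\/\//i, '').split('/')[0];
  return !/\$\d+/.test(host);
}

const plus = 'https://plus.google.com/yourid';
console.log(forward('*example.com/+', plus, 'https://www.blog.example.com/+'));
console.log(forward('*example.com/+', plus, 'http://www.example.com/blog/+'));
console.log(forward('example.com/*', 'http://www.example.com/$1',
  'example.com/some-particular-page.html'));
console.log(forward('*.*.yourdomain/*', 'yourdomain/$1.$2/$3',
  'http://have.a.yourdomain/page'));
console.log(destinationHostIsFixed('yourdomain/$1.$2/$3'));
```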

How to install zip extension for PHP7

Specifically for LAMP stack / webmin

First, install the module

sudo apt-get install php7.0-zip

Then restart the web server

# if you run Apache
sudo service apache2 restart
# if you run nginx
sudo service nginx restart

That’s it!

Tools to scan and secure your website

SSL server test: https://www.ssllabs.com/ssltest/

Mozilla Observatory: https://observatory.mozilla.org/analyze/

Firefox plugin to generate content-security-policy (simply browse your website for it to work): https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

Sample nginx configuration for good security: https://gist.github.com/plentz/6737338