Categories: WooCommerce

WooCommerce Sell Media

And The University of the People.

Sell access to digital media (content pages, video courses, images, music):

  • Create a page and embed the media in it
  • Create a virtual product with a direct link to the page
  • Restrict the items with the plugin so that only customers who purchased the matching product may access them
  • Enable content protection with the plugin
  • Limit logins to a single device with the plugin
  • Activate Two-factor authentication
  • Disable directory listing with Options -Indexes in the .htaccess file

As you probably have noticed- distance learning occupies a growing part of the way we learn; the one that has taken it a step further is the University of the People, which has no physical campus and offers full online degrees without tuition.

Categories: WordPress

WordPress Security

And the Chamber of Secrets.

Improve system security at the WordPress level:

  • Secure the server
  • Grant folders 755 and files 644 permissions
  • Update frequently
  • Install as few plugins as possible
  • Report any suspicious activity in your account to your hosting provider
  • Use the built-in “Site Health” tool
  • Remove unused themes
  • Install an SSL certificate
  • Work with an Editor user and use the Admin user only when needed
  • Disable the built-in dashboard theme editor by adding the directive to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );

Disable directory browsing, prevent access to important files and directories, and protect against XSS attacks by adding the directives to the .htaccess file:

Options -Indexes

<FilesMatch "^.*(xmlrpc.php|error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# Comment the following directive if multisite
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] 
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR] 
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR] 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
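Because every condition above carries [OR], one matching line is enough for the final RewriteRule to answer 403, so it pays to dry-run the patterns against traffic you expect before deploying them. The following Python harness is an added example, not code from the post: it transcribes a constructed subset of the RewriteCond lines verbatim and reports which ones a sample request would trip, including the bracket and User-Agent conditions that also fire on PHP array parameters and on command-line monitoring clients.

```python
import re

# Subset of the RewriteCond lines above, transcribed verbatim as
# (mod_rewrite variable, PCRE pattern, NC flag). Python's re accepts them unchanged.
RULES = [
    ("HTTP_USER_AGENT", r"(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader)", True),
    ("THE_REQUEST", r"etc/passwd", True),
    ("QUERY_STRING", r"[a-zA-Z0-9_]=http://", False),
    ("QUERY_STRING", r"(\.\./|\.\.)", False),
    ("QUERY_STRING", r"(\<|%3C).*script.*(\>|%3E)", True),
    ("QUERY_STRING", r"^.*(\[|\]|\(|\)|<|>).*", True),
    ("QUERY_STRING", r"union([^s]*s)+elect", True),
]


def matched_rules(env):
    """Return the (variable, pattern) pairs that fire for one request.

    env maps a mod_rewrite variable to its raw, still URL-encoded value, which is
    what %{QUERY_STRING} and %{THE_REQUEST} hold when the conditions are evaluated.
    """
    hits = []
    for var, pattern, nocase in RULES:
        if re.search(pattern, env.get(var, ""), re.IGNORECASE if nocase else 0):
            hits.append((var, pattern))
    return hits


def would_block(env):
    # All conditions are OR-ed, so any hit means RewriteRule ^(.*)$ - [F,L] applies.
    return bool(matched_rules(env))


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "xss_probe": {"QUERY_STRING": "s=%3Cscript%3Ealert(1)%3C/script%3E", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "sqli_probe": {"QUERY_STRING": "id=1%20UNION%20SELECT%201,2,3", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "array_param": {"QUERY_STRING": "ids[]=1&ids[]=2", "HTTP_USER_AGENT": "Mozilla/5.0"},
    "curl_monitor": {"QUERY_STRING": "", "HTTP_USER_AGENT": "curl/8.4.0"},
    "plain_search": {"QUERY_STRING": "s=shoes&paged=2", "HTTP_USER_AGENT": "Mozilla/5.0"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:12} blocked={would_block(env)} hits={len(matched_rules(env))}")
```

The array_param and curl_monitor samples are blocked by the bracket and User-Agent conditions alone, so check your own plugins' query strings and uptime checks against the list before enabling it.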

Disable PHP execution in the uploads directory by creating a .htaccess file inside it with the content:

<Files "*.php">
Order Deny,Allow
Deny from All
</Files>

Hide the WordPress version and the login error details by adding to the functions.php file in the child theme (create_function() was removed in PHP 8, so an anonymous function is used instead):

// Remove the generator meta tag that reveals the WordPress version
add_filter( 'the_generator', '__return_false' );
// Replace detailed login errors with a generic message
add_filter( 'login_errors', function( $error ) { return 'Invalid Input'; } );

Frequently scan the code in the WordPress directory and the database for malware, delete unused items, create a full backup before each modification, and consider reinstalling WordPress (core files, themes and plugins) from the Dashboard. To list recently modified files, use the command:

find ./ -type f -mtime -15

Remove the Mobile Spam Popup malware- delete the wp-tmp.php, wp-vcd.php and wp-feed.php files from the wp-includes directory and delete the code which creates them from the themes’ functions.php.

Remove the Japanese Keyword Hack malware- clean the malicious code from the .htaccess, wp-config.php and sitemap.xml files and from the uploads directory.

As you probably have noticed- much WordPress malware was not created to take the website down, but rather to use its infrastructure to drive client traffic towards purchasing products on a third-party site, usually advertising prohibited health and wellness products.

Categories: VPS

Proxmox

And the Japanese Car.

Proxmox Virtual Environment (PVE) is an open source server virtualization environment based on Debian. It supports VMs and LXCs, software-defined storage and networking, and high-availability clustering.

To back up the configuration of the server itself, use the command:

tar -zcvf /var/lib/vz/dump/srv_etc_root-$(date +"%Y_%m_%d-%H_%M_%S").tar.gz /etc /root

To disable removal/restoration of an LXC, enable the Protection option. To allow users to make backups, grant them the PVEDatastoreUser permission on the storage path and PVEVMUser on the VM path.

Limit the number of automatically created backups that are kept by using the Max Backups option (Datacenter => Storage).

To use NAT within PVE, create a Linux bridge with the LAN IP and adjust the built-in firewall to work with the VMs/LXCs by adding the directives to the /etc/network/interfaces file:

post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

Configure NAT and port forwarding with iptables by using these directives in /etc/network/interfaces (the post-down lines must mirror the post-up lines exactly so the rules are removed when the interface goes down):

# Enable IPv4 forwarding on the host
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
# Masquerade traffic from the LAN subnet leaving through the WAN interface
post-up iptables -t nat -A POSTROUTING -s '$LAN-IP-SUBNET' -o eno1 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '$LAN-IP-SUBNET' -o eno1 -j MASQUERADE
# Forward the listed TCP ports arriving on the WAN interface to the LAN host
post-up iptables -t nat -A PREROUTING -i eno1 -p tcp -m multiport --dports $PORTS -j DNAT --to $DESTINATION-LAN-IP
post-down iptables -t nat -D PREROUTING -i eno1 -p tcp -m multiport --dports $PORTS -j DNAT --to $DESTINATION-LAN-IP

To obtain Let’s Encrypt SSL certificates for multiple servers residing behind NAT, set up port forwarding of port 80 to the relevant server during its validation process.

Configure new storage in Server => Storage and Datacenter => Storage.

As you probably have noticed- the word Proxmox has no meaning; it was chosen because a short, catchy domain name was available, in order to be on the safe side and not end up like the Japanese automobile manufacturer Nissan, which is still struggling to obtain the nissan.com address.

Categories: VPS

ISPConfig

And The Pied Piper.

ISPConfig is an open source hosting control panel for Linux. It allows managing multiple servers from one control panel, including web server, mail server and DNS server management.

For websites that must comply with a strict privacy policy, disable the web statistics program.

When creating users, a permanent customer number must be set; then create resources for them with the “login as client” feature.

To change the server configuration, use the path /usr/local/ispconfig/server/conf-custom/, and for the interface configuration use /usr/local/ispconfig/interface/lib/config.inc.local.php.

To activate SSL for a website, first enable SSL and then the Let’s Encrypt SSL option; you may also use the Rewrite HTTP to HTTPS and SEO Redirect (domain.tld => www.domain.tld, after creating the automatic www subdomain) options. To clean old SSL certificates, use the command (newer certificates have a higher suffix number):

certbot delete

To run a WordPress website with SSL behind a reverse proxy, add the directive to wp-config.php:

$_SERVER['HTTPS'] = 'on';

To use ISPConfig behind NAT, enable the Skip Lets Encrypt Check option (System => Server Config => Web => SSL Settings), use the WAN IP in DNS Settings and Website Settings, and the LAN IP in Server Config and Server IP Addresses.

To configure a reverse proxy in the Apache web server which keeps the original Host header and does not proxy the SSL certificate validation requests, use these directives:

ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass /$PATH http://$LAN-IP:$PORT/$PATH
ProxyPassReverse /$PATH http://$LAN-IP:$PORT/$PATH
ProxyPass / http://$LAN-IP:$PORT/
ProxyPassReverse / http://$LAN-IP:$PORT/ 

Recover more easily- enable the rescue option (Server Config tab).

To restore a website from a server backup, it is possible to export and import the website files and database backup together with the relevant backup record from the ISPConfig database. To run all the configured backups manually, use the command:

php /usr/local/ispconfig/server/cron_debug.php --cronjob=500-backup.inc.php

Enhance the email policy- edit the directives in /etc/postfix/main.cf:

smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client cbl.abuseat.org,reject_rbl_client dul.dnsbl.sorbs.net,reject_rbl_client ix.dnsbl.manitu.net, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf

To use PureFTP in passive mode (which allows it to work behind a firewall), use the commands (and open the same port range on the firewall):

echo "30510 30610" > /etc/pure-ftpd/conf/PassivePortRange
service pure-ftpd-mysql restart

To deal with a CSRF block while deleting resources, delete them directly in the database.

As you probably have noticed- the oldest written accounts of the Pied Piper of Hamelin were created in Lüneburg, the same town where the ISPConfig software is developed.

Categories: WordPress

WordPress RTL

And the Philosopher’s Stone.

Fix WordPress Gutenberg built-in code block (CSS):

pre.wp-block-code {
	text-align: left;
	direction: ltr;
}

Fix Owl Carousel based slider elements (CSS):

.owl-carousel,
.bx-wrapper { direction: ltr; }
.owl-carousel .owl-item { direction: rtl; }

Fix Chosen Drop based dropdown elements (CSS):

.chosen-container .chosen-drop { left: 9999px; }

Create Twenty Twenty child theme- create the path wp-content/themes/twentytwenty-child, and create inside the files style.css and style-rtl.css with the content:

/*
 Theme Name:   twentytwenty Child
 Template:     twentytwenty
*/

And the file functions.php with the content:

<?php
add_action( 'wp_enqueue_scripts', 'condless_theme_enqueue_styles' );
function condless_theme_enqueue_styles() {
        if ( is_rtl() ) {
                wp_enqueue_style( 'parent-style-rtl', get_template_directory_uri() . '/style-rtl.css' );
        } else {
                wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
        }
}

Fix its fonts:

body {
	font-family: "Inter var", -apple-system, BlinkMacSystemFont, "Helvetica Neue", Helvetica, sans-serif;
}

Create Storefront child theme- create the path wp-content/themes/storefront-child, and create inside the files style.css and style-rtl.css with the content:

/*
Theme Name: Storefront Child
Template: storefront
*/

And the file functions.php with the content:

<?php
// Run late (priority 9999) so the parent's stylesheets are already enqueued
add_action( 'wp_enqueue_scripts', 'condless_theme_enqueue_styles', 9999 );
function condless_theme_enqueue_styles() {
	if ( is_rtl() ) {
		// Swap the child stylesheet for its RTL version; the dependency must be an array
		wp_dequeue_style( 'storefront-child-style' );
		wp_enqueue_style( 'child-style-rtl', get_stylesheet_directory_uri() . '/style-rtl.css', array( 'storefront-style' ) );
	}
}

As you probably have noticed- most Middle Eastern languages are written from right to left; it is suggested that, as stone was the main writing material, it was easier to chisel from right to left. With ink, the suggestion continues, moving left to right prevented smudging.

Categories: VPS

Two-Factor Authentication

And Kim Dotcom.

TOTP-based Two-Factor Authentication makes unauthorized access to your account difficult, because besides your password, an attacker would need to obtain the code generated in your app in real time and log in immediately (the code changes after a short time) or to locate your secret.

In this verification process, a one-time code is created by an algorithm that takes your secret and the current time as input, so each code is set to change over time.

Two-Factor Authentication is part of the information security system required in every business. To use this authentication method, an OTP app must be installed.

To config TOTP as a second factor to WordPress:

  • Install and activate the plugin
  • Scan the QR code through the app
  • Click update profile

To config TOTP as a second factor to the Roundcube webmail:

  • Install and activate the plugin
  • Enable the option via the setting tab

To config TOTP as a second factor to the phpMyAdmin:

  • Install and activate the feature
  • Enable the option via the setting tab

To config TOTP as a second factor to the VPS SSH:

  • Install libpam-google-authenticator
  • Config google-authenticator
  • In the /etc/pam.d/sshd file, comment out the line @include common-auth and add the line auth required pam_google_authenticator.so
  • In the /etc/ssh/sshd_config file, change the ChallengeResponseAuthentication value to yes and the PasswordAuthentication value to no, and add AuthenticationMethods publickey,keyboard-interactive
  • Restart the SSH service

To config TOTP as a second factor to the VPS Control Panel:

  • Press the TFA button in the user list
  • Randomize the secret key (optional)
  • Set the Issuer Name (optional)
  • Scan the QR code through the app
  • Enter your password
  • Enter the TOTP Value the app generated
  • Press Apply

As you probably have noticed- Kim Dotcom threatened to sue all the major web services offering this kind of authentication, based on his patent from 2000. The European Patent Office has since revoked his patent in light of an earlier 1998 US patent held by AT&T.