Posts

Showing posts from February, 2021

Securing wordpress

 Wordpress is very vulnerable to attacks. I suggest the following four steps. 1. Install Sucuri plugin 2. Install Wordfence plugin 3. Install IQ block country and block all countries except your own unless you need to have customers from overseas.  4. Delete the wp-login.php file (or rather, keep a copy of it somewhere else), and put it into the folder when you need to login, but when you don't need to login, delete it. There are plugins that hide the login, which you can also use, but I find that quite often they don't work. I've been locked out of my own site many times from those plugins, hence the crude approach of just deleting the login script.

Resetting admin password

 mysql> SELECT ID, user_login, user_pass FROM wp_users;  mysql>  UPDATE wp_users SET user_pass=MD5('password') WHERE ID = '1';

enabling web interface updates over FTP or directly

Wordpress can be updated on the command line or the graphical side in the web browser. But in order to do that you need write permission on the server as the user www-data (the webs server), or, ftp access to upload files from wordpress.org to the server you are hosted at. Hence, you can either set the website to be owned by the webserver (and risk that vulnerabilities to the webserver affect your website), or you can enable FTP. The default is to let the webserver (www-data) have write permission: chown -R www-data:www-data /var/www/wordpress/ chmod -R 775 /var/www/wordpress/ To enable FTP, create a user specifically for the purpose on the server's FTP service and give them ownership of the wordpress folder. Put the following code into the wp-config.php file define( 'FS_METHOD', 'direct' ); define( 'FTP_BASE', 'www.myserver.com/www/wordpress' ); define( 'FTP_CONTENT_DIR', ' www.myserver.com /www/wordpress/wp-content/' ); define( ...

updating wordpress on the command line and automating updates

If you have access to your host server it is much easier to update on the command line or use its crontab file to keep your site updated. 1. Set the web user - or whoever will need write access to the wordpress installation folder - to have /bin/bash as their shell. For example, like so: sudo chsh www-data -s /bin/bash The above assumes you're on ubuntu linux and the user is www-data. 2. Install the wp package. wget https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar chmod u+x wp-cli.phar mv wp-cli.phar /usr/local/bin/wp wget https://github.com/wp-cli/wp-cli/raw/master/utils/wp-completion.bash cat wp-completion.bash >> ~/.bashrc 3. Run the update sudo -u www-data -i -- wp core update --path=/var/www/website/ 4. change the shell back chsh www-data -s /usr/sbin/nologin 5. You can put all this into a script and then automate it under cron: man crontab 5

wordpress can't login / can't access the database

 Sometimes you get an error with a wordpress site where it says 'wordpress can't access the database' That's because it's not using the native mysql password. If your wordpress database is called 'wordpress' and your user is called 'user' and your password is 'password', login as root on mysql and type: ALTER USER 'user'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password'; Check the config file has the right password in it, probably /var/www/wordpress/wp-config.php That will fix it.

changing php version

Wordpress might be fussy about which version of php it wants. Let's say it wants php7.1 specifically. Type the following commands: sudo add-apt-repository ppa:ondrej/php sudo apt-get update sudo apt-get install php7.1 sudo apt-get install php7.1-cli php7.1-common php7.1-json php7.1-opcache php7.1-mysql php7.1-mbstring php7.1-mcrypt php7.1-zip php7.1-fpm sudo a2dismod php7.2 sudo a2enmod php7.1 sudo service apache2 restart

php file upload size limits

 By default, php allows 2-8 MB file size uploads. These days, you need probably 1-2 GB in case someone wants to upload a video. [edit] /etc/php/php.ini find other versions: find /etc/php -name "php.ini*" -name edit those as well Search for these entries and change them as shown: post_max_size = 2000M upload_max_filesize = 2000M

Saving the Mysql Password

 If you find it a nuisance to constantly type the mysql password while working with mysql, you can tell it to save, and thereafter it won't ask for it. WARNING. This exposes your database to hackers in that if they gain access to your account, your copy of mysql is also vulneralble. The command is: mysql_config_editor set --host=localhost --user=<whoever> --password

Setting permissions on a database

 Login to mysql and run this, where "database" is your database, "username" is your database username, and "password" is your preferred password. grant all on database.* to 'username'@'localhost' identified with mysql_native_password by "password"; Note this is for mysql 8 and above, mysql 5 and below you remove the "with mysql_native_password" part.

Setting the owner and password of the blog in mysql

When creating the wordpress database, you need to set the owner. First, create the database. mysql> create database wordpress; then create the  user who will have write permissions: mysql> create user ' wordpress '@' localhost ' identified with mysql_native_password by ' somepassword '; mysql> flush privileges; If you forget the password, you can change it again like so: mysql> alter user ' wordpress'@'localhost' identified  with mysql_native_password by ' somepassword '; If you are using mysql version 8 or later, you need "with mysql_native_password" otherwise wordpress doesn't authenticate the database owner. At least, that was still true at the time of writing this. If you are using mysql version 5 or below, you can skip that. 

Purpose of this blog

 The purpose of this blog is to record common tricks/tips for managing wordpress.