Proper RFC 4122 UUIDs as GUIDs in WordPress

A UUID (Universally Unique IDentifier), also known as a GUID (Globally Unique IDentifier), is a string that identifies a piece of information in computer systems. WordPress uses GUIDs to identify each individual post, but uses URLs (kind of) for GUIDs, and thus does not follow the standard definition (RFC 4122) of a UUID (or GUID).

June 10, 2017 · 7 min · Bjørn Johansen

How to perform and mitigate a WordPress session donation attack

WordPress doesn’t use a nonce for the login form, which makes it possible to perform a WordPress session donation attack.

March 22, 2017 · 7 min · Bjørn Johansen

Encrypt and decrypt a file using SSH keys

If you have someone’s public SSH key, you can use OpenSSL to safely encrypt a file and send it to them over an insecure connection (i.e. the internet). They can then use their private key to decrypt the file you sent.

January 5, 2017 · 3 min · Bjørn Johansen

Block access to PHP files on your WordPress site with Nginx

In your WordPress site, there are directories that include PHP files that visitors should never be able to access directly. They are only there for WordPress to function as an application that runs on your server. But because of WordPress’ directory and file structure, they are kind of accessible to the public. All of them are meant to be part of a larger application (WordPress, that is) and should not cause any harm if called directly, as far as we know. Some of the files execute some code even when run standalone. An attacker might know of a clever way to make that code run in an unexpected manner, causing harm. To be on the safe side, we should deny access to all these PHP files from the outside world. Since we block access to them in our Nginx configuration, PHP will still run them as usual and WordPress will work just fine.

October 19, 2015 · 4 min · Bjørn Johansen

Running HHVM with fallback to PHP-FPM

HHVM can really speed up your PHP-based web site. Most reports are somewhere in the range of 2–4x faster. Unfortunately, HHVM isn’t very stable and will suddenly die, out of the blue, from time to time. Fortunately, if you’re running Nginx it’s really easy to set up PHP-FPM as a fallback.

December 3, 2014 · 4 min · Bjørn Johansen

«Slap-on» speed optimization of your WordPress site

OK, so you might have been at a WordCamp listening to talks or reading a few blog posts and you get that you should really get your WordPress site speed optimized. Starting all over is neither tempting nor something you have the time for. Don’t despair, you’ll get a long way by installing 5 plugins.

January 30, 2014 · 3 min · Bjørn Johansen

Install latest version of Nginx on Ubuntu

I always run the latest LTS version of Ubuntu on all my servers. Unfortunately, the Nginx versions tend to be quite a bit behind the current release. So how do you get an updated, current version of Nginx without resorting to having to maintain the packages yourself? Luckily, the Nginx team have their own Ubuntu apt repository so it’s easy to keep current with the latest version of Nginx.

August 16, 2013 · 2 min · Bjørn Johansen

Install latest version of PHP on Ubuntu

I always run the latest LTS version of Ubuntu on all my servers. Currently the latest LTS is 14.04 which comes with PHP version 5.5, but as of November 2014, the latest stable version is 5.6. So how do you get an updated, current version of PHP without resorting to having to maintain the packages yourself? The answer is in PPA.

August 16, 2013 · 1 min · Bjørn Johansen

Publishing WordPress site from development to production server – or moving your WordPress installation from one host to another

You have finished that WordPress site, and want to deploy it – move it from your test server to the production server where it goes live. But how? WordPress has a famous 5-minute-install, but there is no 5-minute-go-live-script*. I’ll show you how in these 5 easy-to-follow steps.

August 12, 2013 · 3 min · Bjørn Johansen

Restricting access to WordPress login by IP address

If you have a static IP address, like from your own VPN, it is very easy to increase your security tremendously. Simply restrict all logins to that IP address.

April 20, 2013 · 2 min · Bjørn Johansen