What’s New in WordPress 5.1 (Moving PHP Forward)

https://kinsta.com/blog/wordpress-5-1/?utm_source=facebook&utm_medium=cpc

WordPress 5.1 “Betty” was officially released on February 21, 2019, and is available for download.

WordPress 5.1 is the first major release since the launch of the WordPress block editor (AKA Gutenberg) in WordPress 5.0.

This issue is not new, but has just became to limelight again. HTTPOXY affects clients that honor the HTTP_PROXY variable and use it for their proxy configuration and server side applications which use HTTP_PROXY as real or emulated variable in their environment. This bug was first discovered over 15 years ago – but still in July 2016 researchers found that the vulnerability was still exploitable in PHP. So, the bug was lying dormant for years, like a latent infection: pox. To put it plainly: there is no way to trust the value of an HTTP_ env var in a CGI environment and you should block the Proxy header.

Best advice is to patch as soon as possible. Immediate mitigation before patching can be performed by blocking ‘Proxy’ request headers as early as possible - httproxy.org has released details for many enviroments (Apache, OpenBSD, Nginx/FastCGI and others). If you’re running PHP or CGI, you should block the Proxy header now. Blocking can be done in web server, web load balancer, web proxy or cloud proxy service.

The vulnerability is easily remotely exploitable and servers can be scanned for it, for details on that read HTTPOXY Vulnerability: How to protect and test your web server article that recommends https://httpoxy.rehmann.co/ service for testing your own servers.

Posted from WordPress for Android

Posted from WordPress for Android

It seems that RSS did not fully live up to the promise for end user perspective. It is useful technology that I use in this blog (http://www.epanorama.net/newepa/feed/). RSS feeds have been very popular, but are are somewhat fading in popularity, even to point that some articles expect death of RSS. Nowadays the trend is that people follow Twitter and Facebook instead of RSS. One of the best aspects of email subscriptions (and Twitter) is that you can actually see who’s taken interest in your work. 

Is RSS dead or not? To me, anytime someone says a tech is dead it usually means that tech is not very interesting to discuss anymore, or isn’t seeing the most innovative companies doing new things with it. Ultimately RSS will stick around as a way for content services to talk to each other (it does that well). The protocol is still very much alive, while people can get the data from other means than RSS from various services, very often RSS is the method that gets the data to the service people use. On thing to remember is to make sure that your RSS feed content is valid, I tested my feed to pass the validation service at https://validator.w3.org/feed/.

I still offer RSS feed at http://www.epanorama.net/newepa/feed/. I also post updates to Twitter and Facebook.

If you prefer to get update on material posted to this blog to clutter your email box (I post here quite often), there are many RSS to mail services.  From various alternatives I found out that Blogtrottr worked the way I liked. You can get information on new postings to your e-mail box using Blogtrottr by giving URL http://www.epanorama.net/newepa/feed/ and your e-mail address to this service, and selecting feed type (Realtime works well).

Posted from WordPress for Android

WordPress is very nice blogging platform for users, but because of many options available and huge popularity there are also security issues on the systems. Many security issues have been uncovered in the WordPress software over the years, and new ones come out every now and then.

So how to handle Wodpress security issues to keep your blog safe? Here some of my tips targeted especially for those who run WordPress software on their site (if you use WordPress hosted by for example wordpress.com issues are somewhat different):

Typical hacking and malware problems with WordPress installs, if you’d like to review your own WordPress setup, include: Poor password hygiene, including weak passwords, shared or re-used passwords, and no two-factor authentication. Poisoned third-party content such as adverts served from external servers. Use plugins only from trusted sources.

Make sure that you ahave all the security related settings in wp-config.php set in sensible way. For some tips on this check WordPress Security: Part 1 Securing wp-config.php and Conquering the wp-config.php File – 11 Good Practices.

When you access your site management at Linux shell level, use always secure communications methods. I recommend to access Linux server shell with SSH and files with SCP. It is also a good idea if you use SSH certificates for authentication istead of normal username+password. Do not use telnet or FTP because they are insecure. If possible perform your WordPress administration through web interface throug HTTPS instead of HTTP.

Make sure that you keep the WordPress up to date. You need to be prepared to update your WordPress and plugins when new security issues get published. Update quickly when serious security issues are reported. Unpatched WordPress software or plugins, leaving known security holes open for attackers. If possible, use automatic updating service.

Design a backup procdure to back up your site contents. You will need that in case somone hacks your site or there are serious problems on your hosting side. So make regular backups. Your WordPress database contains every post, every comment and every link you have on your blog. If your database gets erased or corrupted, you stand to lose everything you have written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal. Site backups are essential because problems inevitably occur and you need to be in a position to take action when disaster strikes. You need backups! Spend some time to make an easy, convenient backup of your database will allow you to spend even more time being creative and productive with your website. Do not end up losing a few months of hard work due too no backups. Make sure that the backups you have made really work (that you can restore data from them in case you really need them, non-working backups are just waste of time).

There are several methods of automating the backup process available. Various plugins exist to take automatic scheduled backups of your WordPress database. I have found that Vaultpress a good WordPress automatic backup service: it supports realtime syncing of all WordPress content to the VaultPress servers for a reasonable montly fee. I use Vaultpress for real-time backup and I also make my own backup files (database dump and WordPress directory contents) to another server periodically.

When you run WordPress on your own Linux system or some shared hosting Linux server, it is very important to to set the file and directory permissions right. Generally less permissions you give, the better for security, but if you do not give enough permissions your WordPress does not work. What permission do you suggest for wp-config? article recommends for your own server: Directories 755, files 644, (sometimes, the upload directory will require an exception). Permissions any lower that still permit functionality on your particular server setup is fine (lower number is more secure). If you use shared hosting service, you should make sure that other users can’t read your sensitive files, especially wp-config.php (use 750 permissions). Overly-liberal access controls giving too much power to too many users.

Keep your wp-config-.php file secure bcause wp-config.php that contains your database password and main admin credentials. If you are in shared hosting site (or any server that has many users), the permissions of your wp-config.php should be 750 (lower): It means that no other user will be able to read your database username and password.  Changing permissions to 750 effectively removes both the “read” and the “execute” options for “others” or world. You can be even more restrictive. If the website works with wp-config.php set to 600 (most restrictive – will only work if the file is “owned” by the same Unix user that runs apache), try that. If not, set it to 640 (still fairly restrictive; only the owner is allowed to modify the file, but any users – specifically the apache user – that might be in the group that owns the file can still read it).

Make also sure that web users can’t get the contents of that file accidentally. In normal use if somebody tries to read that from wordpress directory with web browser, the data in goes through PHP system and the user can’t see the source code that has the details in it. But if you accidentally give users possibility to read that file in raw form without going through PHP interpreter, your secrets leak out. This can happen if you accindetally in a way or another disable PHP interpreted on your directory (some configuration error). Other common way to leak wp-config.php contents is that have some backup of your wp-config-php with some other name on web readable directory, common mistakes here are to leave copy of old version or backup with name wp-config.bak or using editor that leves temperary copy after editing like wp-config.php~ If you plan publish your site contents on some open source repositorio (like github), you need to be careful that you don’t publish your wp-config.php contents to the world, because that would allow someone else to hack to your site and even cost you a lot in hosting bill. You can also consider if moving wp-config outside the web root really beneficial.

Consider using some firewall system between your WordPress server and world. There are several options here. One option is to have a separate firewall device or server webween your WordPress server and Internet. It is a good idea to block everyhting you don’t need to access, and maybe route the web traffic thoiugh some proxy server that can filter out dangerous requests. Cloudflare is one well known company that sells cloud service for this (you route your web traffic through their service). If you want to run some protection software on your own server, check out ModSecurity open source application firewall. It has worked for me well (protects agants many nasty stuff), but can have some downsides (for example sometimes causes unexpected Internal Server Error problems when using management interface and the moderated comments contain certain keywords in them).

If your blog is very important to be always on-line (generated lots of money or donwtime causes lots of negative PR) and/or your blog talks on sensitive topics that someone might want to silence, be prepared to plan against DDoS (Distributed Denial of Service) attacks. It is hard to protect agains DDoS (lots of work for good protection), so you first need to think what level of protection you could need. How To Protect Your WordPress Website Against DDoS Attacks article gives some ideas on how to plan DDoS protection. Cloudflare is one well known company that sells cloud service for DDoS protection.

End of an Era: The Golden Age of Tech Blogging is Over article tells that like the film industry, the Golden Era is the emergence period, when fresh innovation in a new medium is born. New techniques, revolutionary content, and different business models emerge as innovators pioneer a new medium.

Trend 1: Corporate acquisitions stymie innovation
Trend 2: Tech blogs are experiencing major talent turnover
Trend 3: The audience needs have changed, they want: faster, smaller, and social
Trend 4: As space matures, business models solidify –giving room for new disruptors

The Future: A New Era is set to Emerge – Tech blogging isn’t dying, it’s evolving.

This is a normal part of any industry.

Golden Age of Tech Blogging Done? I Couldn’t Disagree More article put out a view: No way. Unless of course, he means we’re about to enter the platinum age. Because things are far from dead in tech blogging– and blogging in general. In fact, I think we’re poised to enter one of the most exciting periods yet. I’m a big believer that tech trends tend to over-promise in the short term but under-promise in the longterm. Last few years demonstrated some of the limitations of blogging– ie, we can’t all make businesses and build big audiences, it won’t replace all older forms of media. In a lot of ways sites like Facebook, Yelp and Twitter have scratched that itch for self-expression by giving the masses an easier and more painless way to get the endorphin rush that blogging gave in the early day. But there are still plenty of people who love to write– not just share, Tweet and comment– for a living, and blogs are still the best platform for that. In many cases, blogs haven’t yet figured out a way to monetize their influence. Start out with a mindset not to sell.

Klikki Oy security bod Pynnonen commented: “An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication” and “probably the most serious WordPress core vulnerability that has been reported since 2009″.

The flaw has existed for about four years affecting versions between 3.0 to 3.9.2 but not in newest version 4.0. Official patches were released on November 20. They have now been deployed automatically to most WordPress sites. Reportedly the Akismet comment plugin now also filters any malicious comments containing the exploit.

So the users of 4.0 WordPress are safe from this, but they should note that  version 4.0.1 patched a separate and also critical set of XSS flaws discovered by the internal security team, along with a cross-site request forgery hole.