Using HTTP Auth Basic in WordPress

I was posed with the question as to how to protect a BB forum with a general user/pass for students at a community college. Since the segment that needed securing was not a standard post, but a custom rewrite, there was no way to use the native post password feature. Using .htaccess was also out as that protects entire directories.

Fortunately, PHP allows you to implement auth headers to handle this. Let me first say that I understand that HTTP Auth Basic is not a secure authentication solution, but it is a privacy gate which is all that was requested to help reduce spam, malicious posts, etc.. With the proper hooks, I was able to target the specific URI segment and it worked like a charm.

Continue…

Find all sites on server by IP address

I don’t advocate using the following to hack other sites. I found it interesting that my host was serving pornography from the same box I was using, so I switched to my own cloud server. There are two ways to go about finding other sites on your server. If you don’t know your server IP, you can search

whois yourdomain.com

and there are plenty of sites that will expose the server domain.

Bing IP Search

This seems to be pretty reliable and up-to-date. Bing has an IP operator that allows you to specify an IP address when searching.

Example Search:

ip:70.32.68.69

Hackers will use this operator to find sites running WordPress using the images tab. Once they identify several domains, they can easily ascertain your WP version with the generator meta tag. A hacker can know all of the WordPress installations and versions of those sites without leaving a probing footprint. If there is a known vulnerability with one of your versions, it’s a cinch to attack it. Keep your software up-to-date and your back-doors closed friends. Bing is not your friend with this horrid search operator.

Example Search:

ip:70.32.68.69 wp-content

Continue…

Create a WordPress admin user with MySQL

If you’ve ever been locked out of a WordPress installation, but have access to the database, here’s a nifty snippet to grant you administrator-level access. There are a couple of things you need to do before using this MySQL code. First, set the variables to your own information. Next, if your WordPress installation is based on a non-standard wp_ table prefix, you must find/replace ‘wp_’ with your current table prefix.
Continue…

Mac: Copy the current SVN URL to the clipboard from command line

If you are still using SVN (WHY HAVEN’T YOU SWITCHED TO GIT??), here’s a simple alias you can drop into your ~/.bash_profile . Then type `source ~/.bash_profile` on any current terminal windows to load the alias. Here’s how it works. Navigate to your SVN working copy and type `svnurl` and viola! it’s copied to your clipboard. This is extremely useful for copying/deleting/switching/merging branches via command line.
Continue…

Generate a custom _s (underscores) WordPress theme from command line

I’m building out a new theme for my blog using the _s theme. It’s an exercise in building out a responsive grid. _s is a great theme starter. Underscores.me has a nifty little tool to generate the starter theme with namespaced functions, title, description, etc… for the theme. I wanted to generate the theme directly from command line. Here’s what I used to generate the theme directory with one line (your pwd should be wp-content/themes/):

curl --data "underscoresme_generate=1&underscoresme_name=Coderrr&underscoresme_slug=coderrr&underscoresme_author=Brian+Fegter&underscoresme_author_uri=http%3A%2F%2Fcoderrr.com&underscoresme_description=A+custom+theme+for+coderrr.com." http://underscores.me >> coderrr.zip; unzip coderrr.zip; rm coderrr.zip;

There are four things that happen here:

  • Curl http://underscores.me and send post data
  • Tell Linux to place all returned data into a zip file
  • Unzip that file and create the theme directory
  • Remove the zip file

Continue…

Setting Proper WordPress Unix Permissions

One of the biggest black boxes of WordPress for newbies is file ownership/permissions. I’ve had numerous people ask me why they can’t use the default theme editor or install new plugins directly from wp-admin. The symptoms usually range from getting the FTP credentials screen to error messages that WordPress cannot create a specific directory, and more.

It took me a while to grasp the concept, so I hope the following explanation will help you. This, in no way, is a security tutorial. It is a simple tutorial on Unix users/groups and file permissions. You should also read Hardening WordPress. If you’re not sure about file permissions, read this article first.
Continue…

Recursive FTP get for command line

If you’re like me, you hate using a FTP GUI for doing simple gets. Sometimes, GUIs get in the way and bog the transfer down. I prefer to take out the middle man and use command line. Here’s a nifty snippet I picked up along the way that lets you recursively download entire directories. The files are stored in their identical structure in your working directory.

wget -r --user %user% --password %password% ftp://%server%/full/path

If you want to stick with pure FTP commands, you can use the following:

#Turn off confirmation for getting each file
ftp>prompt
ftp>mget *

WordPress Rewrites Without Duplicate Content

There are times when you need to surface content in a different context. For instance, you might have an events section and you want to have your related live-blog posts reside within the context of that specific event URI structure. The problem lies in surfacing the same content in the original location and in a rewritten location. Search engines frown on this. You can easily sidestep this and stay search engine friendly by setting up simple redirects.

Continue…

Automatic git status emails

This is a basic, elementary script to audit a git working copy. This is useful to keep a watchful eye on cowboy coding on a client server.

Save the following inside your git repo as .git-status.sh. Make sure to add ‘.git-status.sh’ to your .gitignore file.

#!/bin/sh
DOMAIN = "http://whatever.com"
SENDTO = "your@email.com"
MODIFICATIONS=`git status -s`
if [ ! -z "$MODIFICATIONS" ]
then
        SUBJECT = "git changes from $DOMAIN"
        EMAIL = "$SENDTO"
        BODY = "/tmp/emailbody.txt"
        echo "Changes found on the following paths:\n" > $EMAILBODY
        echo "$MODIFICATIONS" >> $EMAILBODY
        mail -s "$SUBJECT" "$EMAIL" < $EMAILBODY
        echo "$MODIFICATIONS"
fi
[/bash]

To automate, add a crontab:
[bash]
30 15 * * * /path/to/your/script/.git-status.sh 2>&1>> /dev/null

Continue…

Send a WordPress Auth Cookie with HTTP API Requests

This snippet I created lets you hit your site with a remote request that includes your current auth cookie. I use this to circumvent caching plugins that use output buffering when I need to store a page load for analysis.