Tag Archives: Security

WordPress, HTTPS, CDN and W3 Total Cache

I’ve worked with a few sites recently that use HTTPS to secure certain parts of their site, and a couple of pages here are SSL protected because of the data they capture. If you use the W3 Total Cache plugin like I do (and I really recommend it if you have a WordPress site) and make use of its CDN functionality, you might hit the following snag:

My CDN provider doesn’t provide an HTTPS endpoint, or it’s different from my normal CDN URL

The simple solution to this would be to force loading of CDN assets via HTTP, like so:


This has one other issue:

Why don’t I see the blue/green bar?

That’s because you’re loading HTTP assets on an HTTPS page (mixed content). For some this is an acceptable trade-off, but for others the bar is a must to convey trust to users. Thankfully the solution is fairly simple: disable the CDN on SSL pages. To disable the CDN on SSL pages only, add the following snippet to your theme’s functions.php file. It requires the W3TC plugin to be enabled and working, as it is simply code that tells W3TC: “hey, don’t load the CDN on this page!”

// Tell W3 Total Cache not to rewrite asset URLs to the CDN on HTTPS requests.
add_action('wp_head', 'nocdn_on_ssl_page');
function nocdn_on_ssl_page() {
    // is_ssl() is WordPress's own check: it also handles HTTPS=1 and port 443,
    // and avoids a notice when $_SERVER['HTTPS'] is not set at all.
    if (is_ssl() && !defined('DONOTCDN')) {
        define('DONOTCDN', true);
    }
}

Reload an SSL page, watch the address bar, and view the source to see the results!
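Rather than eyeballing the source for stray http:// assets, you can check from the command line. The following is an added example written for this post (not the author’s code and not part of W3TC): a small shell filter that lists the asset URLs a page loads over plain HTTP, which is exactly what breaks the padlock. The sample HTML is constructed to look like a W3TC page with the CDN forced to HTTP; check_live_page() assumes curl is installed.

```shell
#!/bin/sh
# Constructed sample: two assets fetched over http:// (mixed content), one over https://,
# one protocol-relative, and one plain navigation link that is not mixed content.
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://cdn.example.net/wp-content/themes/x/style.css">
<script src="https://cdn.example.net/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/wp-content/plugins/x/a.js"></script>
</head><body>
<img src="http://cdn.example.net/wp-content/uploads/logo.png">
<a href="http://www.example.com/about/">about</a>
</body></html>'

# Read HTML on stdin, print one plain-http asset URL per line.
# Only src= attributes and href= on non-anchor tags (link, base, area) count:
# an <a href="http://..."> is a navigation link, which browsers do not treat as mixed content.
mixed_content_urls() {
  # one tag per line, newlines inside a tag flattened to spaces
  awk 'BEGIN { RS = "<" } NR > 1 { gsub(/\n/, " "); print "<" $0 }' \
    | grep -v -E '^<a[[:space:]>]' \
    | grep -o -E '(src|href)="http://[^"]*"' \
    | sed -E 's/^(src|href)="//; s/"$//'
}

# Number of mixed-content references; 0 means the HTTPS page is clean.
mixed_content_count() {
  mixed_content_urls | awk 'END { print NR }'
}

# Run the same check against a live URL (assumes curl; not exercised by the sample run).
check_live_page() {
  curl -sS -L "$1" | mixed_content_urls
}

# Sample run: lists the stylesheet and the logo, which are the two http:// assets.
printf '%s' "$SAMPLE_HTML" | mixed_content_urls
```

With the DONOTCDN snippet in place, running check_live_page against an HTTPS page of your site should print nothing; any URL it does print is a resource still being served over HTTP.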

Is your WordPress site embedding tracking code without your knowledge?

I just stumbled upon a couple of important articles about the WordPress Stats plugin, which is available free to all WordPress users and gives a sort of cut-down Google Analytics functionality. I found the articles because I was googling why all of a sudden my sites were loading a file from quantserve.com. I won’t rehash the details; instead I’ll link you to the two respective blog posts and summarise with these points. Full info is available at http://www.techairlines.com/2010/12/30/wordpress-stats-quantcast/ or at http://blog.futtta.be/2010/12/15/wordpress-com-stats-trojan-horse-for-quantcast-tracking/

  • The WordPress Stats plugin now includes a call to the quantserve site for “planned extra features”
  • They have not acknowledged the inclusion of a third-party data tracking script in their plugin on the plugin’s main page
  • They have not offered ANY opt-in or opt-out procedure and look to be unwilling to do so
  • The JS file in question can, and seems to, lower website performance by a noticeable margin

However, there is a solution for users of the WordPress Stats plugin: install this plugin made by futta, which disables all tracking by quantserve (do not install it if you actually use quantserve), and let the developers of the WordPress Stats plugin know that you are unhappy with the inclusion of third-party data tracking without your knowledge and without an opt-out facility.

I’m also going to consider asking futta to submit the plugin to the WordPress plugins database.

This problem highlights the need to be vigilant and careful about which plugins you install on your WordPress site.

Email alerts whenever someone logs into root via SSH

Want to be notified instantly when someone logs into your server as root? No problem. There was recently a discussion over on the vps.net forums after an incident where a user had several of their servers logged into as root by an unknown source (since resolved). A helpful user (R4Z0R49) posted this guide, and I have cleaned it up and added some further notes and caveats.

While I wouldn’t recommend allowing root logins over SSH and prefer to set up non-root accounts with sudo access, sometimes, for one reason or another, root over SSH is needed. This guide should also log su logins to root, because su loads that user’s environment, which sources the same file that sets variables and paths when you log in over SSH, so you should get an email in that case too.

Check out this nice tutorial on email notification for root logins. Keeping track of who logs into your server and when is very important, especially when you’re dealing with the superuser account. We recommend that you use an email address not hosted on the server you’re sending the alert from.

To carry out this tutorial you need root-level access to your server in some form or another. I assume you have already logged in as root or otherwise escalated your privileges to root level. I will also assume you use the nano text editor; feel free to use any other editor you are comfortable with, such as vi.

It is recommended to have mailx installed to send the emails. Depending on your system, you can install it with one of the following commands on Debian/Ubuntu (apt) or CentOS (yum) systems respectively:

apt-get install mailx
yum install mailx

Now we need to make sure we are in root’s home directory (this should be the same on all Linux systems):

cd /root

We now want to edit the .bashrc file to add some code that does the emailing. This is the shell environment file, and pretty much all servers use bash for the root user by default. It sets local environment variables for the user and can also perform other login tasks, like the one we are going to add below. NOTE: .bashrc is a hidden file, so you won’t normally see it with a plain ls in this directory; to list it you need the -a flag to view all files.

nano .bashrc

At the bottom of the file we want to add the following line, replacing YourserverName with a suitable name for your server (I find the system hostname is often the easiest to distinguish, particularly if you have several servers) and changing [email protected] to a suitable email address. I would recommend using an email address not hosted on the server, as the alert could be intercepted by someone who knew such a system was in place (now is a great time to use Google Apps!).

# "who am i" reports only this terminal's session; plain "who" would put every logged-in user's address in the subject
echo "ALERT - Root Shell Access (YourserverName) on: $(date) $(who am i)" | mail -s "Alert: Root Access from $(who am i | cut -d'(' -f2 | cut -d')' -f1)" [email protected]

Save and exit the file by pressing Ctrl + X, then Y, then Enter.

Now log out of SSH, close the connection and log back in! You should receive an email with the root login alert a few minutes afterwards.

Caveats

You can do this for any user you want login email alerts for: assuming they are assigned the bash shell, edit their .bashrc file, which should be found at /home/username/.bashrc.

If you want to do this for all users you have two options: either edit /etc/profile instead of .bashrc, or install CSF & LFD and set it up, as it has an SSH and su login detection system that emails on login without these profile changes. I shall cover how to install and set up CSF & LFD in a further blog post.
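Putting the one-liner and the caveats together, here is an added example (mine, not R4Z0R49’s and not the post’s original code) of a snippet you can source from ~/.bashrc for one user or from /etc/profile for every user. It reads the user, host and client address from the session instead of hard-coding them, skips non-interactive shells (so ssh host command, scp and rsync do not send a mail each time), and prefers `who am i` over plain `who`, which would list every logged-in session. The recipient ALERT_TO and the example addresses are placeholders; sending assumes the mail command from mailx is present, and falls back to printing to the terminal otherwise.

```shell
#!/bin/bash
# Placeholder recipient: set ALERT_TO in the environment (or edit here) to a mailbox
# that is NOT hosted on this server, as the post recommends.
ALERT_TO="${ALERT_TO:-you@example.com}"

# Pull the client address out of a `who am i` line such as
#   root     pts/0        2024-01-01 10:00 (203.0.113.5)
# Prints nothing for a console login, which has no "(...)" part.
who_line_ip() {
  printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\)).*/\1/p'
}

# First field of SSH_CONNECTION ("client_ip client_port server_ip server_port"), set by sshd.
ssh_connection_ip() {
  printf '%s\n' "$1" | cut -d' ' -f1
}

# Where did this session come from? `who am i` reports only the current terminal's
# utmp entry (plain `who` lists every logged-in user) and still shows the original
# SSH client after `su`; SSH_CONNECTION is the fallback when there is no tty entry.
login_source_ip() {
  ip=$(who_line_ip "$(who am i 2>/dev/null)")
  [ -n "$ip" ] || ip=$(ssh_connection_ip "$SSH_CONNECTION")
  printf '%s\n' "$ip"
}

# Subject and body are built by pure functions: $1 user, $2 host, $3 source address.
alert_subject() {
  printf 'Alert: %s shell access on %s from %s\n' "$1" "$2" "${3:-unknown}"
}
alert_body() {
  printf 'ALERT - %s shell access (%s) on: %s from %s\n' "$1" "$2" "$(date)" "${3:-unknown}"
  who   # full session list, as in the original one-liner
}

# Called from ~/.bashrc (one user) or /etc/profile (every user). It returns at once
# in non-interactive shells, so `ssh host cmd`, scp and rsync do not trigger a mail.
send_login_alert() {
  case $- in *i*) ;; *) return 0 ;; esac
  u=$(id -un); h=$(uname -n); src=$(login_source_ip)
  if command -v mail >/dev/null 2>&1; then
    alert_body "$u" "$h" "$src" | mail -s "$(alert_subject "$u" "$h" "$src")" "$ALERT_TO"
  else
    # No mailx: write to stderr so the login still leaves a trace on the terminal.
    alert_body "$u" "$h" "$src" >&2
  fi
}

send_login_alert
```

Because the user name comes from id -un, the same file serves the root-only setup from the main guide and the all-users /etc/profile variant from the caveats; for a single account, source it from that account’s .bashrc instead.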