Changing WordPress defaults

If there is one thing a hacker likes, it’s default settings.

Two of the settings in WordPress that originally were unchangeable were the default user – admin, and the database table prefix – wp_.

Nowadays both these can be changed at the time of installation but many people fail to do so and they remain at the default.

Changing them on an established site is not too difficult.  Once you have a tool like phpMyAdmin then it is pretty straightforward.

Changing the default username is the simplest job of all – simply open the ‘wp_users’ table and change the user_login to something other than ‘admin’.  The password and permissions will remain the same.  From experience, hackers trying a brute force attack will always use admin because a) that’s the default and b) because trying to crack a username as well as a password is exponentially more difficult.

Changing the database table names is a little more time consuming.

First of all, the site needs to be taken offline, as any changes (such as comments) made during the fix will more than likely be lost.  I use the Ultimate Maintenance Mode plugin for this.

Next you need to check the maximum upload file size allowed by your server.  A simple way to check is to select “Import” in phpMyAdmin and it will tell you.  A typical value would be around 10 to 15 Mb.  The reason for this check is that it is easy to download a database dump, but you may not be able to upload it again if the file is too big.  Most small sites will give little trouble, but a larger, well established site with thousands of posts and tens of thousands of comments will generate a dump well in excess of the limit.  The simple way around this is to export the database in batches, a group of tables at a time.  Compression is another way around this, but for the sake of simplicity it’s best to use a plain SQL dump rather than a compressed one.

Once the file (or files) has been downloaded it is a simple matter of opening it (or them) in a text editor and doing a Search and Replace.  Note however that within the dump file there are two types of single quote:

DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE IF NOT EXISTS `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL auto_increment,
  `post_author` bigint(20) unsigned NOT NULL default '0',

Both types are shown in the above example.  The oblique quote (the backtick) appears before wp_… and the straight quote around ‘0’.  When doing the Find and Replace it is essential to use the oblique version; copying and pasting it from the dump is the simple solution.

Decide on a new table prefix (I’ll call it ‘fixed_’) and then do the Find (`wp_) and Replace (`fixed_) on each and every SQL dump file.  Once that is complete, import the file(s) back into the database.  You should now have doubled the number of tables, half with the old prefix and the rest with the new.

Now open up the file wp-config.php and change the value of $table_prefix to the new one.

The site is now ready for public viewing, but you will find one rather nasty looking problem – when you try to access the Dashboard or the Admin area you will get a message:

“You do not have sufficient permissions to access this page”

To fix this (using phpMyAdmin), open up the table ‘fixed_usermeta’ and change any value in the ‘meta_key’ field that starts with the old ‘wp_’ prefix so that it starts with the new prefix ‘fixed_’.  You should end up with fields containing the likes of ‘fixed_capabilities’ and ‘fixed_userlevel’.

Lastly, open the table ‘fixed_options’.  You will see an entry under ‘option_name’ called ‘wp_user_roles’.  Change that to ‘fixed_user_roles’.

That’s it.

The site should now be happily running with a new administrator user name and a non-default database.
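If you would rather not do the Find and Replace by hand, here is an added example (my own code, not from the post or from WordPress) that applies the whole procedure above to a dump in one pass: it renames only backtick-quoted identifiers, leaves straight-quoted literals such as '0' alone, and then renames the usermeta meta_key and options option_name values the post fixes afterwards in phpMyAdmin.  The set of key names to rename, the sample dump and the prefix ‘fixed_’ are assumptions for the demonstration.

```python
import re

# meta_key / option_name values that carry the prefix and must be renamed too;
# this set is an assumption based on the rows the post fixes by hand in
# fixed_usermeta and fixed_options (the post spells the second one 'userlevel').
PREFIXED_VALUES = ("capabilities", "user_level", "user_roles")

def rename_prefix(dump, old="wp_", new="fixed_"):
    """Return the dump with table identifiers and prefixed key values renamed.

    Only backtick-quoted identifiers (`wp_posts`) are rewritten; straight-quoted
    string literals such as '0' are left alone, which is the two-kinds-of-quote
    point the post makes. The known key values are then renamed separately.
    """
    ident = re.compile(r"`" + re.escape(old) + r"([A-Za-z0-9_]+)`")
    out = ident.sub(lambda m: "`" + new + m.group(1) + "`", dump)
    keys = "|".join(re.escape(k) for k in PREFIXED_VALUES)
    value = re.compile(r"'" + re.escape(old) + r"(" + keys + r")'")
    return value.sub(lambda m: "'" + new + m.group(1) + "'", out)

def count_tables(dump, prefix):
    """Number of CREATE TABLE statements with the given prefix (sanity check)."""
    return len(re.findall(r"CREATE TABLE (?:IF NOT EXISTS )?`" + re.escape(prefix), dump))

# Constructed dump fragment in the shape of the excerpt in the post.
SAMPLE_DUMP = """DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE IF NOT EXISTS `wp_posts` (
  `ID` bigint(20) unsigned NOT NULL auto_increment,
  `post_author` bigint(20) unsigned NOT NULL default '0'
);
INSERT INTO `wp_usermeta` VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2, 1, 'wp_user_level', '10');
INSERT INTO `wp_options` VALUES (1, 'wp_user_roles', 'a:0:{}', 'yes');
INSERT INTO `wp_options` VALUES (2, 'siteurl', 'http://example.invalid/wp_', 'yes');
"""

if __name__ == "__main__":
    print(rename_prefix(SAMPLE_DUMP))
```

Run it against each dump file you exported and import the output; count_tables lets you confirm every table was caught before you touch $table_prefix.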

Securing wp-config

There is a file in WordPress called wp-config.php that is very important, as it contains (in plain text) all the details of the database, such as the database server name, username and password.

Naturally if anyone can access this file they then have full access to the database where they can run amok changing users, passwords, posts etc.

If you are running a self-hosted WordPress site, the chances are that your wp-config.php is located in the root of the site where the potential exists for anyone to hack into it.  There is however a simple way to place it out of sight (and out of site?) altogether.

As yours is a self-hosted site, you will have full access via FTP to move files around.  However a lot depends on the configuration of your server.  If you are lucky, you will have write access to the folder one level up from your root folder (the parent of the folder where the site resides).  If that is the case, all you have to do is to move wp-config.php to that parent folder.  As an example, if your structure is as follows -

/home/web/httpdocs/index.php

This varies from server to server but you’ll get the idea.  In this case you will have write access to both ‘httpdocs’ (the site root) and to the folder above it (‘web’).  So just move wp-config.php from ‘httpdocs’ to ‘web’ and the job is done.  Note however that if there is more than one copy of WordPress running in parallel folders under ‘web’ this method should never be used, as each copy of WordPress may attempt to read the moved file.  In this case it would be wiser to use the method below.

WordPress has a built-in feature that will discover the new location, so there is no need to change anything else.  The site will continue working as before.

However, suppose you don’t have access to the folder above the root of the site?  Chances are you can see it and browse it (using FTP) but you cannot write to it.

Using the example above, you can load files into the folder ‘httpdocs’ but you can’t into the folder ‘web’.  What now?

Again there is a simple solution.  Inside the site root, create a folder called anything you like; the name is not important.  We now have the structure

/home/web/httpdocs/whatevername/index.php

You have access to ‘httpdocs’ as that is the site root.  You also have full access to ‘whatevername’ because you just created it.

Next, copy all the files (and folders) from ‘httpdocs’ to ‘whatevername’.  Notice I say copy, and not move.

The next step is to change the root of the site from ‘httpdocs’ to ‘httpdocs/whatevername’.  This is done by changing the domain settings.  In my case, I went to my domain control panel and just added the new folder into the domain pointer and that did the trick.

Once you are happy that the domain pointer is working (I usually check by placing a little piece of code into the files I have just copied up) it is a simple matter of deleting all files and folders in ‘httpdocs’ except wp-config.php and of course the folder where the site now resides.  Lastly, delete wp-config from within ‘whatevername’ and the job is done.

There is a very simple test to see whether your wp-config.php is secure – just browse for it!  For example, if you type the address

http://apipeandakeyboard.com/wp-config.php

You will get a file not found message (as I have secured it already here).  If you just get a blank screen, the file is still sitting in the web root (the server ran it as PHP and it produced no output), so it is still reachable and is potentially hackable.

The only way anyone can now access wp-config.php is to either find a way to FTP into the site, or hack into the main server itself and that should be fully secured by your hosting company.
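To see which file WordPress will actually pick up after either move, here is an added example (my own code, not from the post or from WordPress) that reproduces the lookup wp-load.php performs and runs it over constructed copies of the layouts above, including the parallel-copies caveat from the first method and what happens if the second method’s deletions are done in the wrong order.  The directory names and the temp-directory layouts are constructed for the demonstration.

```python
import os
import tempfile

def locate_wp_config(abspath):
    """Reproduce wp-load.php's lookup: a wp-config.php in the site root wins;
    otherwise the parent directory's wp-config.php is used, but only if the
    parent is not itself a WordPress install (no wp-settings.php there)."""
    own = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(own):
        return own
    parent = os.path.dirname(abspath.rstrip(os.sep))
    parent_cfg = os.path.join(parent, "wp-config.php")
    if os.path.isfile(parent_cfg) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return parent_cfg
    return None  # WordPress would show its "create a configuration file" page

def touch(*parts):
    path = os.path.join(*parts)  # create an empty file plus its directories
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "w").close()
    return path

def demo():
    """Build the (constructed) layouts from the post in a temp dir and resolve
    which wp-config.php each site root would actually load."""
    base = tempfile.mkdtemp()
    results = {}
    # First method: file moved to /home/web, site root /home/web/httpdocs
    web = os.path.join(base, "m1", "home", "web")
    touch(web, "wp-config.php")
    touch(web, "httpdocs", "wp-settings.php")
    results["moved_to_parent"] = locate_wp_config(os.path.join(web, "httpdocs"))
    # The caveat: a second copy of WordPress alongside httpdocs reads the same file
    touch(web, "site2", "wp-settings.php")
    results["parallel_site2"] = locate_wp_config(os.path.join(web, "site2"))
    # Second method, finished: httpdocs keeps only wp-config.php and the new root
    hd = os.path.join(base, "m2", "home", "web", "httpdocs")
    touch(hd, "wp-config.php")
    touch(hd, "whatevername", "wp-settings.php")
    results["subfolder_root"] = locate_wp_config(os.path.join(hd, "whatevername"))
    # Second method out of order: old files still in httpdocs, so it looks like an install
    hd = os.path.join(base, "m3", "home", "web", "httpdocs")
    touch(hd, "wp-config.php")
    touch(hd, "wp-settings.php")
    touch(hd, "whatevername", "wp-settings.php")
    results["wrong_order"] = locate_wp_config(os.path.join(hd, "whatevername"))
    return results

if __name__ == "__main__":
    print(demo())
```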

Serving up media (Part 2)

In Serving up media (Part 1) a couple of weeks ago I talked about playing media streamed from a Media Server.  But what about formatting media to serve up?

For the purposes of this exercise, I’m going to convert the contents of three CDs (Queen’s Greatest Hits, three CD collection) to an MP3 format for use in a Media Server.

The software packages which I will use are SoundConverter for Gnome and EasyTAG.

The first thing we need is a structured file system.  My technique is to create a folder for the album artist.  That folder will contain folders for each album/CD.  If any album is a CD boxed set (such as my Queen example) I will create a further series of folders to hold the individual CD files.

I have now created my root folder called “Queen”, and within it is a further folder – “Greatest Hits”, which in turn contains three folders – Disk 1, Disk 2 and Disk 3.  All that remains is to copy the contents of the three CDs into the relevant folders.

[Image: File structure]

As you can see, each track is named Track x.wav, where “x” is the track number.

Unfortunately, WAV files are of no use to us as we need to embed Meta information for the Media Server to catalogue the files.  I will change them to MP3, as this format supports Meta information and is also compressed, giving a smaller footprint on the disk.

Fire up SoundConverter.  The first thing is to set preferences (found in “Edit”).  I generally set the programme to place the new files in the same folder as the input, with the same name (but replacing the suffix) and delete the original.  Click “Convert” and away it goes.

In SoundConverter click on “Add Folder”, select the album folder (in my case, “Greatest Hits”) and click Select.  It will then proceed to load all the files in the subfolders.

Note that SoundConverter has a lot of work to do so it will take a little time.  If you were converting the entire works of Mozart it would take many hours.  In my example here it took 9 minutes and 54 seconds to convert all 51 files.

We now have the original folder tree containing all our new MP3 files.  The next thing is to start creating Meta Tags.

Open EasyTAG and point it to the folder “Greatest Hits”.

[Image: EasyTAG Main]

Note how the tracks appear in the central frame while everything else is blank.

To get started, we need to fill in any information that is common to the whole album – for example, Artist and Genre.  I tend to fill in Composer and Album Artist at this time as I don’t really want to go through the hassle of finding the precise Artist for each individual track.

Firstly, I select all using the Select all button (11th from the left on the toolbar).  I then enter the required information in each of the fields, and then press the wee circle button to the right of the field.  The latter is important as it then applies the field to all the selected files.

Click on the Save button (9th from the left on the toolbar).

The next bit is the only really tedious bit.  We have to name each track.  Now I could type the name of each track by reading it off the album box, but there is a slightly less tedious method.  Find the album on the Internet!  Usually it will have a Wikipedia or Amazon entry and somewhere there will be a list of tracks.  So all I have to do is a quick copy & paste from the web page to Title (in my example, I found my list here).  One thing we do NOT do here is use the wee circle (apply to all files) button, unless you want all tracks to have the same name!

Notice how as you modify each file, its information turns red in the centre pane.  This is just an indicator that the file has had its tags modified but not saved.  There is no need to save each file as you go, as at the end, we can select all and do a bulk save.

Next I select each individual Disk folder and apply the information for that disk (Album [name] and CD [optional]) and again apply it to each file in that folder.  One operation which is slightly different – there is no need to enter Track #.  Just press the tiny button (with the hash on it) to the left of “Track”.  That will number sequentially all highlighted files but will start a new sequence for each folder, if you happen to have more than one folder open.

Once finished there is a simple test to make sure that the system is working so far.  Select the album folder to load all our files and then click Tree browser (10th button from the left on the toolbar).  The resulting display should show just one artist, with three CDs (and their titles) and the number of tracks in each.  If it doesn’t then there is an error somewhere.  The most common source of error I have found is to forget to select all before making a change to say an Album title.

The last job that needs to be done, just to add sense to it all, is to rename all the actual files.  They are currently still named Track 1.mp3, Track 2.mp3 etc, though their Meta information is now updated.

From the Album folder, select all files.

Now select “Scan Files” (5th button from the left on the toolbar).  This will open a new small window.  There are three options and we want “Rename File and Directory”.  There will be a text box which requires a very simple code (if the code options aren’t visible, try clicking the wee blue button with the question mark).

The code I am going to use is %n – %t which will change the existing file name to a new one consisting of the track title (%t) prefixed by the track number (%n) and a dash.  I could use for example %d%n – %t which would give a four figure prefix (disk and track numbers) assuming I have entered the disk number for each disk.  Whatever you choose, it will display a sample below the code input box.

Once you have entered the code, and while all the files are still selected, click on the little green button beside the dropdown box (as shown by the cursor in the snapshot below).

[Image: FileChange]

Close the little window and click the save button.  It will ask if you want to change the Meta information, but now it will also ask if you want to rename the files.  Click yes and that is it!

[Image: File structure2]

All set and ready to go.