Category Archives: Tech stuff

Changing WordPress defaults

A Pipe and a Keyboard Posted on by

If there is one thing a hacker likes, it’s default settings.

Two of the settings in WordPress that originally were unchangeable were the default user – admin, and the database table prefix – wp_.

Nowadays both these can be changed at the time of installation but many people fail to do so and they remain at the default.

Changing them on an established site is not too difficult.  Once you have a tool like phpMyAdmin then it is pretty straightforward.

Changing the default username is the simplest job of all – simply open the ‘wp_user’ table and change the user_login to something other ‘than admin’.  The password and permissions will remain the same.  From experience, hackers trying a brute force attack will always use admin because a)  that’s the default and b) because trying to crack a username as well as a password is exponentially more difficult.

Changing the database table names is a little more time consuming.

First of all, the site needs to be taken off line, as any changes (such as comments) made during the fix will more than likely be lost.  I use the Ultimate Maintenance Mode plugin for this.

Next you need to check the maximum upload filesize allowed by your server.  A simple way to check is to select “Import” in phpMyAdmin and it will tell you.  A typical value would be around 10 to 15 Mb.  The reason for this check is that it is easy to download a database dump. but you may not be able to upload it again if the file is too big.  Most small sites will give little trouble, but a larger, well established site with thousands of posts and tens of thousands of comments will generate a dump well in excess or the limit.  The simple way around this is to export the database in batches of groups of tables.  Compression is another way around this, but for the sake of simplicity it’s best to use a SQL dump rather than a compressed one.

Once the file (or files) has been downloaded it is a simple matter of opening it (or them) in a text editor and doing a Search and Replace.  Note however that within the dump file there are two types of single quote.-

DROP TABLE IF EXISTS `wp_posts`;

CREATE TABLE IF NOT EXISTS `wp_posts` (

`ID` bigint(20) unsigned NOT NULL auto_increment,

`post_author` bigint(20) unsigned NOT NULL default ‘0’,

Both types are shown in the above example.  The oblique quote appears before wp_… and the straight quote at ‘0’.  Doing the Find and Replace, it is essential to use the oblique version.  Cut and paste is the simple solution.

Decide on a new table prefix (I’ll call it ‘fixed_’ and then do the Find (`wp_) and Replace (`fixed_). on each and every SQL dump file.  Once that is complete, import the file(s) back into the database.  You should now have doubled the number of tables, half with the old prefix and the rest with the new.

Now open up the file wp-config.php and change the value  of $table_prefix to the new one .

The site is now ready for public viewing, but you will find one rather nasty looking problem – when you try to access the Dashboard. or the Admin area you will get a message –

“You do not have sufficient permissions to access this page”

To fix this, (using phpMyAdmin) open up the table  ‘fixed_usermeta’ and modify any data in the ‘meta_key’ field that starts with the old ‘wp_’ to the new prefix ‘fixed_’.  You should end up with fields containing the likes of ‘fixed_capabilities’ and ‘fixed_userlevel’.

Lastly, open the table ‘fixed_options’.  You will see an entry under ‘option_name’ called ‘wp_user_roles’.  Change that to ‘fixed_user_roles’.

That’s it.

The site should now be happily running with a new administrator user name and a non-default database.

Securing wp-config

A Pipe and a Keyboard Posted on by

There is a file in WordPress called wp-config that is very important as it contains (in plain text) all the details of the database, such as the database server name, username and password.

Naturally if anyone can access this file they then have full access to the database where they can run amok changing users, passwords, posts etc.

If you are running a self-hosted WordPress site, the chances are that your wp-config.php is located in the root of the site where the potential exists for anyone to hack into it.  There is however a simple way to place it out of sight (and out of site?) altogether.

As yours is a self hosted site, you will have full access via FTP to move files around.  However a lot depends on the configuration of your server.  If you are lucky, you will have access to the folder underneath your root folder (where the site resides).  If that is the case, all you have to do is to move wp-config to that sub-folder.  As an example, if your structure is as follows –

/home/web/httpdocs/index.php

This varies from server to server but you’ll get the idea.  In this case you will have write access to both ‘httpdocs’ (the site root) and to the folder beneath it (‘web’).  So just move wp-config.php from ‘httpdocs’ to ‘web’ and the job is done..  Note however if there is more than one copy of WordPress running in parallel folders this method should never be used, as each copy of WordPress will possibly attempt to read the new copied file.  In this case it would be wiser to use the method below.

WordPress has a built in feature that will discover the new location, so there is no need to change anythingn else.  The site will continue working as before.

However suppose you don’t have access to the folder beneath the root of the site?  Chances are you can see it and can browse it (using FTP) but you cannot write to it?

Using the example above, you can load files into the folder ‘httpdocs’ but you can’t into the folder ‘web’.  What now?

Again a simple solution.  Create a folder called anything you like.  The name is not important.  We now have a structure

/home/web/httpdocs/whatevername/index.php

You have access to ‘httpdocs’ as that is the site root.  You also have full access to ‘whatevername’ because you just created it.

Next, copy all the files (and folders) from ‘httpdocs’ to ‘whatevername’.  Notice I say copy, and not move.

The next step is to change the root of the site from ’httpdocs’ to ‘httpdocs/whatevername’.  This is done by changing the domain settings.  In my case, I went to my domain control panel and just added the new folder into the domain pointer and that did the trick.

Once you are happy that the domain pointer is working (I usually check by placing a little piece of code into the files I have just copied up) it is a simple matter of deleting all files and folders in ‘httpdocs’ except wp-config.php and of course the folder where the site now resides.  Lastly, delete wp-config from within ‘whatevername’ and the job is done.

There is a very simple test to see whether your wp-config.php is secure – just browse for it!   for example, if you type the address

https://apipeandakeyboard.com/wp-config.php

You will get a file not found message (as I have secured it already here).  If you just get a blank screen it means the file is still readable and is potentially hackable.

The only way anyone can now access wp-config.php is to either find a way to FTP into the site, or hack into the main server itself and that should be fully secured by your hosting company.

Firefox New Tab

A Pipe and a Keyboard Posted on by

I have been a fan of Firefox for many years.

I currently use Firefox Nightly, which as its name implies is the nightly build and therefor using the very latest in Firefox innovations.

For a few days, I noticed that whenever I opened a new tab, instead of a blank page, I got a page of thumbnails of my most visited sites.  These are the sites that appear if you click the dropdown on the right-hand end of the address bar.

I can appreciate how a lot of people will like this feature when it eventually filters down into a stable release, but frankly I found it a little distracting.  I set about finding ways and means of restoring the blank page.

I trawled through Preferences but could find no mention.  I then tried “about:config” and there it was – an entry in the configuration file – browser.newtab.url.  The value of this was set to “about:newtab”.  Typing “about:newtab” into the address bar produced the page with the thumbnails. I deleted the value (not the whole variable) and that cleared the new page and reverted to blank.

The thought then occurred to me that some people would maybe like their new tabs to open on a specific website.  I tried entering a search engine’s address and indeed it works.

aboutConfig

For those who are not familiar with the “about:config” file, it is a simple matter of entering “about:config” (without the quotes) into the address bar.  You will be presented with a precautionary warning that you are entering a risky area, but ignore that.  Scroll down the entries (they are alphabetically sorted) until you find the “browser.newtab.url” entry.  Right-click and enter (or delete) the value.

The NewTab is a new feature in Firefox.  I checked a few versions and found the following –

Firefox 11 for Windows – As yet, about:newtab and browser.newtab.url don’t exist.

Firefox 11 for Linux – about:newtab hasn’t yet been implemented but browser.newtab.url has, so at least you can set the new tab’s contents.

Update:

The NewTab entry in Config is new to Firefox and as such doesn’t appear in the standard releases.

Firefox 14.0a1 for Linux (the Nightly build) – both about:newtab and browser.newtab.url are implemented and operational.

Something to look forward to!

A slow WordPress blog

A Pipe and a Keyboard Posted on by

In these competitive times, speed is everything on the Internet.

For a long time now I have been concerned at how Head Rambles is very slow to load.  Not only was it affecting visitors but I believe Google intend to penalise slow sites, if they aren’t doing so already.

My particular concern was the plugins in use.  I had tried experimenting with these with little success as there are too many permutations and combinations.

Yesterday I came across a plugin that looked interesting – P3 Plugin Performance Profiler by GoDaddy.  To say I was impressed was to put mildly.  It very nicely loads the site into itself and gives a detailed breakdown of the load times of each plugin in use.

It instantly identified JetPack (by WordPress!) as a huge restriction.  As I had only loaded it as an experiment, I removed it.  I ran the tests again and it promptly threw up another – an Archive menu tool which I also removed.  In total I have reduced load time by almost 2 seconds per page, which isn’t too bad.  The only impact on the functionality of the site is that the archives aren’t quite so neatly presented.

I’m sure I will find a less resource hungry plugin somewhere, as a replacement!

Media streaming on an iConnect

A Pipe and a Keyboard Posted on by

Well over a year ago I bought an Iomega iConnect USB hub.

From day one it didn’t work and I documented some of my troubles on this site.

A couple of weeks ago to my amazement it started working properly.  I haven’t a clue why as I did nothing to it.  I didn’t upgrade software or anything.  It will have to remain a mystery.

One of the features of the iConnect is that it is a media streamer.  I had disabled this during “the troubles” so I re-enabled it and stared loading some music onto an attached drive.

I have no experience of media or uPnP so it was an interesting experience.

The first thing I learned was that the metadata on each and every track was critical for success, and also found that some of the tracks off my CDs had incorrect information in them.  A misspelled item on one track would isolate that track from the others which ended up in a messy setup. This meant I had to do a lot of editing.

I have a reasonable selection of CDs and the only method I could think of at first to edit metadata was to load each track into Audacity.  This was a very lengthy and very time consuming progress so it was clearly out of the question.  That’s when I found EasyTAG.  This is an excellent little program that did everything I wanted and did it quickly and efficiently.  It even batch processed a full CD (or rather a full directory of files).

Another problem I had was caused by a little quirk of the iConnect – it could categorise any track it found on the drive, but I was unable to play anything that was further than one directory from root.  If, for example I had a file /pop/Beatles/Abbey Road/Something.mp3 it would be listed in the Media stream but wouldn’t actually play.  Being a somewhat methodical sort of bloke I didn’t like the idea of dumping every single file into the one spot without ordering them in some sort of fashion.  I decided that changing the file names would work well.  However the idea of rewriting a thousand or two filenames didn’t appeal.  I installed Métamorphose and that proved perfect for the job. Now I could rename my files as, for example /pop/Beatles_Abbey_Something.mp3, simply by adding “Beatles_Abbey_” as a prefix to every filename.

My final problem was that several of the albums were in FLAC format which was fine but bulky.  I decided to convert all the files to MP3 format as it suited my needs better.  Here I came across SoundConverter which was a little slow but very happily ran batch jobs so it was just a question of pointing the program to the relevant directories and leaving it to it.

It was a lot of work, but worth it.  I can now play my entire collection on a Wifi portable or on the PC which save a lot of time and effort hunting for CDs!