Author Archives: masonlaw

Simple Steps to Secure WordPress Site

  1. Keep WordPress updated
  2. Keep plugins updated
  3. Only use trusted plugins
  4. Only use trusted themes
  5. Choose a secure password
  6. No “admin” username
  7. Decent hosting
  8. Keep regular backups
  9. Restrict login attempts (use iThemes Security)
  10. Switch on SSL encryption
  11. Change database prefix
  12. Two-factor authentication (use Google Authenticator)
  13. Monitor what’s happening
  14. Block access to system files

    # protect files
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

  15. Build your own firewall
  16. Hide .htaccess file
    # STRONG HTACCESS PROTECTION
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow, deny
    deny from all
    satisfy all
    </Files>
  17. Protect WP-Admin area
  18. Block PHP in uploads folder
    <Files *.php> Deny from All </Files>
  19. Tighten PHP configuration
    ; Disable allow_url_fopen in php.ini for security reasons
    allow_url_fopen = Off
    ; Disable allow_url_include in php.ini for security reasons
    allow_url_include = Off
    ; Disable display_errors in php.ini for security reasons
    display_errors = Off
    log_errors = On
  20. Create your own encryption keys
  21. Folder permissions

Source: Primary Image

Mason’s Rebrand

To comply with the Mason’s brand, I have reworked the School of Law’s word mark and switched the typography to Minion Pro and Myriad Pro, which are Mason’s new primary typefaces. The fonts are served via Typekit.

I am also working on rebranding the Mason Law’s WordPress theme. This blog is now using a custom child theme based on WordPress’s Twentytwelve. For the previous theme, I am incorporating the new logo for now until I could get all the sites to switch to the new theme. The library blog is an example of the new change.

MODX Evo AjaxSearch Vulnerability

Issue: The AjaxSearch component distributed with all versions of MODX Evolution (and 0.9.x) contains a vulnerability that allows remote code execution.

Resolved: Deleted index-ajax.php and removed AjaxSearch plugin and snippets.

OpenSSL Update

Instructions on how to secure your server against the Heartbleed vulnerability:

  1. Edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Add the # sign to this URL: mirrorlist=http://... (#mirrorlist=http://...)
    • Delete # sign to this URL: #baseurl=http://... (baseurl=http://...)
  2. yum clean all
  3. yum update openssl
  4. openssl version -a (Confirm the update: exemple: 'built on: Tue Apr 8 02:39:29 UTC 2014')
  5. rpm -q --changelog openssl | head (fix can be confirmed)
  6. Restart Apache
  7. Re-edit CentOS-Base.repo (vi /etc/yum.repos.d/CentOS-Base.repo)
    • Delete the # sign to this URL: #mirrorlist=http://... (mirrorlist=http://...)
    • Add # sign to this URL: baseurl=http://... (#baseurl=http://...)

Source: GoDaddy.

Re-Keying an SSL Certificate in GoDaddy.

Turning off SSL engine in Apache for CentOS

  1. vi /etc/httpd/conf.d/ssl.conf (Edit ssl.conf)
  2. SSLEngine off (Find a line SSLEngine and turn it to off)
  3. service httpd restart (Restart the Httpd Services)

Source: Linux Toolkits

Backup and Restore MySQL via MySQLdump

To backup:

# mysqldump -u root -p[password] database_name > database_name_backup.sql

[password] should be placed immediately after -p. For example: -pmypassword. database_name_backup.sql would be created in the root directory.

To restore:

  1. Create an appropriately named database on the target machine
  2. Load the file using the mysql command:
    # mysql -u [uname] -p[pass] [db_to_restore] < [backupfile.sql]

To restore a database that already exists, use mysqlimport command:
mysqlimport -u [uname] -p[pass] [dbname] [backupfile.sql]

Source: How to Back Up and Restore a MySQL Database

Simple RSS Parser With lastRSS

LastRSS makes displaying RSS feed easy. Here’s an example:

<?php
// include lastRSS
include "./lastRSS.php";

// Create lastRSS object
$rss = new lastRSS;

// Set cache dir and cache time limit (1200 seconds)
// (don't forget to chmod cahce dir to 777 to allow writing)
$rss->cache_dir = './temp';
$rss->cache_time = 1200;

// Try to load and parse RSS file
if ($rs = $rss->get('http://www.law.gmu.edu/rss/news_all')) {
// Show website logo (if presented)
if ($rs[image_url] != '') {
echo "<a href=\"$rs[image_link]\"><img src=\"$rs[image_url]\" alt=\"$rs[image_title]\"  /></a>\n";
}
// Show clickable website title
echo "<h1><a href=\"$rs[link]\">$rs[title]</a></h1>\n";
// Show website description
echo "<p>$rs[description]</p>\n";
// Show last published articles (title, link, description)
echo "<ul>\n";
foreach($rs['items'] as $item) {
echo "\t<li><a href=\"$item[link]\">".$item['title']."</a>".$item['description']."</li>\n";
}
echo "</ul>\n";
}
else {
echo "Error: It's not possible to reach RSS file...\n";
}
?>

Simple CAS Authentication

The following script makes a private web site accessible only to authenticated users. For example, if you have a career services web site and you only want students to access the materials using their email (university) credentials, this script would do the trick. You don’t need to create separate accounts  for the site.

1. Download phpCAS and unzip/untar it: https://wiki.jasig.org/display/CASC/phpCAS.

2. Place the entire phpCAS directory on your server.

3. Place the following codes in at the top of any .php file that you want the contents to be private. If you want to make the entire site private, just add the script to an include file in the header. The following script is based on a simple CAS client:

<?php

/**
* Example for a simple cas 2.0 client
*
* PHP Version 5
*
* @file example_simple.php
* @category Authentication
* @package PhpCAS
* @author Joachim Fritschi <jfritschi@freenet.de>
* @author Adam Franco <afranco@middlebury.edu>
* @license http://www.apache.org/licenses/LICENSE-2.0 Apache License 2.0
* @link https://wiki.jasig.org/display/CASC/phpCAS
*/

// Load the settings from the central config file
// require_once 'config.php'; /*commented out by Donny*/
// Load the CAS lib
require_once $phpcas_path . '/CAS.php'; /*This is the path that to the CAS directory on your server, not the URL*/

// Uncomment to enable debugging
phpCAS::setDebug();

// Initialize phpCAS
phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
//example: phpCAS::client(CAS_VERSION_1_0, 'login.gmu.edu', 443,'');

// For production use set the CA certificate that is the issuer of the cert
// on the CAS server and uncomment the line below
// phpCAS::setCasServerCACert($cas_server_ca_cert_path);

// For quick testing you can disable SSL validation of the CAS server.
// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
phpCAS::setNoCasServerValidation();

// force CAS authentication
phpCAS::forceAuthentication();

// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().

// logout if desired
if (isset($_REQUEST['logout'])) {
phpCAS::logout();
}

// for this test, simply print that the authentication was successfull
?>

4. Add the following script to your HTML file to indicate if the user is logged in and also to the allow the user to sign off.

<div>Not <strong><?php echo phpCAS::getUser(); ?></strong>? <a href="?logout=">Sign out</a></div>