Blocking access to PHP files in /wp-includes breaks the visual editor…

So in an honest attempt to harden the security of the WordPress sites I manage, I read numerous articles and posts online about how to do this. More than one source informed me to use an .htaccess file to restrict access to PHP files in the /wp-includes folder.

Now some of you at this point may already be laughing and saying to yourselves “You can’t do that”, I have since learned this. My thinking was that it was going to block clients from accessing PHP files and being able to extract more info about my site/server to be able to find a vulnerability to exploit, but it would still allow the server from the backend to access what it needed to run the site properly. I was wrong…

 

What these articles informed me to do was to create a file in the /wp-includes folder of my site called .htaccess and in this file have the following text:

<Files *.php>
deny from all
</Files>

What this effectively did was stop the clients web browser from accessing any file ending in .php in that wp-includes folder. Surprisingly enough the only visible symptom I was seeing from this was that the visual editor wasn’t working when trying to edit a page or post.

What finally lead me to finding this as the culprit to my problem was the following line in the apache log file for my site:

1.234.56.78 – – [11/Feb/2015:10:43:51 -0500] “GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4107-20141130 HTTP/1.1” 403 32

This is indicating the clients getting a 403 error while trying to access the wp-tinymce.php file, which is inside the wp-includes folder. Once I saw this, I remember that I had created the .htaccess file and it was apparently acting just like it should. So deleted the .htaccess file and refreshed the site in my browser and everything was working fine again.

So please learn from my experience and mistake, don’t follow the several articles that you will come across online on securing wordpress when they tell you to restrict access to PHP files in in the wp-includes folder.

How to delete files more than X days old in Windows CMD

Just a quick post on a really handy command to keep around.

 

If you have ever needed to script or even just manually delete a bunch of files that were old than X days then you can use the following command in Windows CMD:

 

forfiles /p “C:\source_folder” /s /m *.* /c “cmd /c Del @path” /d –7

 

Just make sure you change the path to where your files are and in this example the “/d -7” at the end is deleting files older than 7 days, you can change that number to anything you wish.

Disable Windows error reporting

If you would like to disable the pop-up dialog that Windows displays after an app crashes:

On Windows XP, they could get rid of it by going to “Control Panel > System Properties > Advanced > Error reporting”, clicking on “Disable error reporting” and disabling “But notify me when critical error occurs”.

On Windows 7 on the other hand, if we go to “Control Panel\System and Security\Action Center\Problem Reporting Settings” and select “Never check for solutions”, we still see a dialog when app crashes. The dialog says:

[Window Title]
MyAppName

[Main Instruction]
MyAppName has stopped working

[Content]
A problem caused the program to stop working correctly. Please close the program.

[Close the program] [Debug the program]

 

A command like this won’t work, as it has the same effect than the control panel: serverWerOptin /disable.

We will have to set this registry value to 1 instead: HKEY_CURRENT_USER\Software\ Microsoft\Windows\Windows Error Reporting\DontShowUI

Disable: Windows can check online for a solution to the problem

If you are like me, you will pretty much find the Windows “Problem Reporting” feature completely useless and annoying. Not only that, in 1 case on one of my clients servers the message on the screen asking if I want to check for resolutions to the problem actually stops my script from working that looks to see if a process is running and starts it if it isn’t.

Here is a simple way to disable this “feature” in Windows 7 and Server 2008. I’m sure there is a similar way to do it in Windows 8 and Server 2012, but I don’t have one of those in front of me at the moment to verify.

1. Open the “Action Center”, I generally do this by right-clicking the flag icon in the system tray, but you should be able to get to it from the “Control Panel” as well.

 

2. Look for and click the link “Change Action Center Settings”

 

3. Look for and click the link “Problem Reporting Settings”

 

4. Select “Never check for solutions” and click “OK”

 

Now the annoying window will never pop up asking to check for solutions, and there will be nothing to interfere with any scripts to restart a process, as was my case.

Minimize/reduce/stop corruption on Raspberry Pi SD card

If you have spent any time with a Raspberry Pi you have undoubtedly had at least 1 SD card get corrupted on you. SD cards are susceptible to write fatigue, so running an operating system from one, even a light weight one designed for the RPi, can damage the card relatively quickly.

One of the biggest reasons for disk, or in this case card, activity is logging. Unless you are trying to troubleshoot something specifically you probably won’t spend much time looking at /var/log. This location and /var/run, where lock file, PID files, etc reside are common places for the OS to write data to disk.

One of the greatest strengths of Linux is its flexibility and customization. One of these is the ability to use tmpfs. This is a feature of mounting a location in the filesystem that resides in RAM and so never gets written to the disk. To set this up for the two location mentioned above add the following line in your /etc/fstab file:

none /var/run tmpfs size=1M,noatime 0 0
none /var/log tmpfs size=1M,noatime 0 0

These lines mount /var/log and /var/run using tmpfs at boot time, and give them an upper limit of 1MB. This is a pretty restrictive size, and if you are very active on your RPi, you may try setting /var/log to 2M or 3M. Keep in mind that you are working with a Raspberry Pi and have a limited amount of RAM to work with in the first place. (Although the Raspberry Pi 2 just got announced, and even though I have not been able to get my hands on one yet, the 1GB of RAM on this model should help alleviate the restriction here, with the 1GB you should be able to set this to 5M, which will be plenty of space for logging, and still have plenty available to use elsewhere.)

Another thing to do to help minimize the disk activity is to set /boot to read only. It isn’t very often this needs to get written to, and you can always change it back to “defaults” and reboot if need be. To set this, change the following line in red to the example in green inside /etc/fstab:

/dev/mmcblk0p1 /boot vfat defaults 0 2

/dev/mmcblk0p1 /boot vfat ro,noatime 0 2 

At this point you should already notice less activity with the filesystem light on the RPi, however there is one more item that you can modify to help extend the life of your SD card. You can disable the swapfile. The swapfile is a file on the SD card that is used as memory if you run out of system RAM. Even conventional computers have this feature, and even they have a huge performance hit when they start using swap. With the low specs on the RPi, and the transfer speed limitations of even a class 10 SD card, using the swapfile will bring your RPi to a crawl and render it essentially unusable until you reboot it. With all of this in mind, why even have it, so to permanently disable it run the following commands:

sudo dphys-swapfile swapoff
sudo dphys-swapfile uninstall
sudo update-rc.d dphys-swapfile remove

After running this you should see something similar to the following when you run: free -m

pi@raspberrypi ~ $ free -m
             total       used       free     shared    buffers     cached
Mem:           438         59        378          0          9         27
-/+ buffers/cache:         22        416
Swap:            0          0          0

 

This should help considerably. Although nothing is going to make an SD card last forever. You could go even farther and once you have your RPi updated, configured, and acting like you need it to, then mount your root ,/, filesystem as readonly. This will make it so nothing writes to the SD card ever. This obviously will come with some drawbacks, like you won’t be able to install any new packages or updates unless you change the setting back and reboot. But in certain situations it could be done and be useful.

Yet another option would be to initiate the boot process from the SD card, then change the root filesystem to be on a USB flash drive (which will have the same drawbacks as the SD card) or a USB external hard drive or SSD. This is a post that I will do later. When I get it done I will come back and link to it here.