Posts Tagged ‘wordpress’

Deny access to wp-admin from everyone but yourself

December 6th, 2008

Find the wp-admin directory of your site and put a .htaccess file in there.  Create it as root and just put 3 lines in it and you’re done.

order deny,allow
deny from all
allow from 72.14.205.100

Change 72.14.205.100 to your ip address. If you’re behind a router of some kind, go to a website that tells you what ip you’re browsing from, like whatismyip.com, and put the ip address it says you’re coming from in there.  If your ip craptastic-ly changes a lot, try just 3 octets, leaving the last one out.  For example, if your ip is 72.14.205.100 today, you could make the last line just:

allow from 72.14.205

Doing it this way allows 253 other ip’s besides yours to access that folder at any given time, but that’s an improvement over a theoretical 4,294,967,295 others for ipv4, right?
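
The rule set above, modeled as an added example (not code from the original post): a small Python evaluator for order deny,allow that shows which clients the exact and the three-octet allow from forms admit. The function names are hypothetical, and only "all", full IPv4 addresses and partial addresses are handled.

```python
# Added example: models "Order deny,allow" evaluation for the three-line
# .htaccess above. Helper names are hypothetical, not Apache's own code.
import ipaddress

def to_network(spec):
    """Turn an 'allow/deny from' argument into an ip_network.

    Handles 'all', a full IPv4 address, and a partial address of 1-3
    leading octets (72.14.205 -> 72.14.205.0/24). Matching is per octet,
    so '72.14.20' means 72.14.20.0/24 and does not cover 72.14.205.x.
    """
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address spec: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def parse_htaccess(text):
    """Collect allow and deny networks; the 'order' line itself is skipped
    because this sketch only models order deny,allow."""
    rules = {"allow": [], "deny": []}
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and words[0].lower() in rules and words[1].lower() == "from":
            rules[words[0].lower()] += [to_network(w) for w in words[2:]]
    return rules

def is_allowed(client_ip, rules):
    """Order deny,allow: a Deny match blocks unless an Allow also matches;
    a client matching neither list is permitted."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in rules["allow"]):
        return True
    return not any(ip in net for net in rules["deny"])

# Constructed inputs: the two variants from the post.
EXACT = parse_htaccess("order deny,allow\ndeny from all\nallow from 72.14.205.100")
PREFIX = parse_htaccess("order deny,allow\ndeny from all\nallow from 72.14.205")

if __name__ == "__main__":
    for ip in ("72.14.205.100", "72.14.205.7", "72.14.206.1"):
        print(ip, "exact:", is_allowed(ip, EXACT), "prefix:", is_allowed(ip, PREFIX))
```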


Remove lines in your php files that reveal your WordPress version

December 6th, 2008

Get rid of this line in all your WordPress php files:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave this for stats please -->

When WordPress comes out with a new version, part of the update is usually fixing an exploitable bug.  The bug may allow a hacker to access your wp-admin directory or delete your files, or worse.  If the bug is only in version xyz, and that’s the version you’re running, you don’t want anyone googling that version to run into your pages and exploit your code.

You can use the “leave this for stats please” to find and replace that line in all your php files at once.  If you don’t have shell access, well I guess you’ll have to use whatever interface your site provider overlords have thrust upon you.

[admica@host]$  sudo sh -c "grep -rlZ --include='*.php' 'leave this for stats please' /path/to/myblog | xargs -0 -r sed -i '/leave this for stats please/d'"

This will find all the files that contain that line and delete it from each one.


How to reset a mysql password from the command line

September 12th, 2008

I just got WordPress installed and completely forgot to change the random password it started me off with to something I might have a chance of remembering.  So to change it, I opened a terminal and changed the password field for the account I just created in mysql.  Here’s how:

First you’ll need to hash your password using openssl (the -1 option selects the MD5-based crypt format).

$ openssl passwd -1 my_super_secret_password

$1$AIO1MlAJ$nTI.HbEKpuYRbtCpn.5Vu/

Copy this hash so you can paste it into your sql statement later.  Now connect to mysql.

$ mysql -u root -p

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 976

Server version: 9.7.6evil Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql>

If you know the database name you can just connect to it; if you forgot, which I did, just list them all.

mysql> show databases;

Connect to your wordpress database.

mysql> connect my_wordpress_database_name;

And change the password.

mysql> update wp_users
    -> set user_pass='$1$AIO1MlAJ$nTI.HbEKpuYRbtCpn.5Vu/'
    -> where user_login='admin';

And that’s it; all done.  Now you can get back to editing…
