How to automatically redirect the WordPress login and admin pages from HTTP to HTTPS

Posted on November 16th, 2011 webmaster No comments          Print

I always get worried every time I have to login to a website over a non-SSL enabled connection.  When my blog didn’t support SSL (before I migrated from a shared host to my own VPS) and I had to work on it at a coffee shop, I would sometimes change my password when I get home, which of course is still not that secure as my blog is hosted outside my local network which I have no control over.

A computer with a network card (wired or wireless) that supports promiscuous mode can easily sniff out packets coming in and out of other devices on the same local network the computer belongs to using tools like Wireshark.  So if you’re using a public wireless access point, for example, other computers connected to that same wireless access point could see the data you’re sending and receiving over the network.

Even if the login form hashes the password first (using one-way hashing algorithms such as MD5 or SHA-1), most users probably have passwords that aren’t that strong/complex, allowing the attacker to brute-force the hashed passwords in a reasonable amount of time.  Advancement in GPU technology and tools like IGHashGPU make cracking passwords much, much faster.

There are also tools like Firesheep for Firefox which allows attackers to impersonate you by hijacking your session cookies since its content can be retrieved in plain text over an unencrypted connection.

Automatically redirecting all WordPress pages that send out authentication-related information from HTTP to HTTPS could prevent these types of attacks.

If you have full control over your WordPress installation, this is very easy to do.  Just edit the wp-config.php file in the root directory of your WordPress installation and add the highlighted line below before /* That’s all, stop editing! Happy blogging. */.

define('WP_DEBUG', false);

/**
* Force SSL on login and admin pages.
*/
define('FORCE_SSL_ADMIN', true);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
        define('ABSPATH', dirname(__FILE__) . '/');

More information can be found here: http://codex.wordpress.org/Administration_Over_SSL

If you don’t have full control over your WordPress installation (such as in a shared hosting environment), you can give this plugin a try: http://wordpress.org/extend/plugins/wordpress-https/

Ubuntu 10.04: Apache using up all of your server’s memory? Consider using apache2-mpm-worker

Posted on November 12th, 2011 webmaster 1 comment          Print

I was checking my site yesterday morning and noticed it was responding very very slowly.  The server running it only has 256MB of RAM, which I estimated shouldn’t be a problem at all with the amount of traffic I’m currently getting.  I quickly logged in to the server to check the resource usage and found that the Apache daemon was using up pretty much all the RAM and virtual memory!

After some researching, I discovered that the Apache Multi-Processing Module (MPM) that I’m using is the “prefork” one (apache2-mpm-prefork), which basically creates/forks a new process to handle each connection.  The “worker” (threaded) MPM (apache2-mpm-worker) is considered to be faster with a smaller memory footprint and I’ve seen posts in forums suggesting to switch to this one and see what happens.

It looks like aptitude installed the “prefork” MPM by default because the PHP5 library I installed required it.  Switching to the “worker” MPM made a huge difference for me, I’m only using about half my RAM and very little virtual memory now.

To use the “worker” MPM with PHP, do the following:

Step 1. Stop the apache2 daemon

 sudo /etc/init.d/apache2 stop 

Step 2.  Uninstall apache2-mpm-prefork

 sudo aptitude remove apache2-mpm-prefork 

Step 3.  Install apache2-mpm-worker and apache2-threaded-dev

 sudo aptitude install apache2-mpm-worker apache2-threaded-dev 

Step 4. Enable CGI and mod_actions (may already be enabled)

sudo a2enmod cgid
sudo a2enmod actions

Step 5.  Create a file in /etc/apache2/conf.d with the following content (I called mine php5-cgi.conf):

<IfModule mod_actions.c>
        Action application/x-httpd-php /cgi-bin/php5
</IfModule>

Step 6.  Start the apache2 daemon

 sudo /etc/init.d/apache2 start 

Sources:

• http://www.beardy.se/exchanging-apache2-mpm-prefork-for-apache2-mpm-worker-and-using-php5-cgi-on-debian-to-improve-performance
• http://articles.slicehost.com/2010/5/19/configuring-the-apache-mpm-on-ubuntu
• http://forum.slicehost.com/comments.php?DiscussionID=3313

How to change the hostname of your Ubuntu server

Posted on November 9th, 2011 webmaster No comments          Print

This post is really more of a note to myself as I’m sure I’ll be doing this again.  But hopefully someone else will stumble upon this and find it useful .

I have a VPS hosted on Rackspace running Ubuntu 10.04 LTS server edition.  I wanted to change the hostname as I originally named it the name of the application I was working on, but I’m now planning on using it for multiple things.  I wanted the name to be more generic.

Step 1. Type in the following command.

 sudo hostname newhostname 

Step 2. Edit the /etc/hostname file and replace the text there with the new hostname and save it.

 sudo vi /etc/hostname 

Step 3. Edit the /etc/hosts file and replace the old hostname references to the new hostname, then save it.

 sudo vi /etc/hosts 

Step 4. Logout and log back in

It will now show user@newhostname in the command prompt, typing hostname will now show the new hostname, and pinging the new hostname will resolve to something.

Source: http://linuxservertutorials.blogspot.com/2009/02/how-to-change-hostname-in-ubuntu-server.html