Advanced WordPress wp-config.php Tweaks
The bottom line for this article is that I want to make WordPress as fast, secure, and easy to install, run, and manage because I am using it more and more for client production sites, I will work for days in order to solve an issue so that I never have to spend time on that issue again. Time is money in this industry and that is ultimately (time) what there is to gain by tweaking WordPress.
Note: I spent no time on readability, this is primarily a read the code and figure it out article.. This is for advanced users looking for a reference or discussion and for those of you looking to advance. Feedback would be great if you make it that far..
Tagged: admin, advanced, Cookies, debugging, htaccess, mod_rewrite, PHP, phpinfo, WordPress, wp-config.php | 4 Comments | Continue...
An AskApache Plugin Upgrade to Rule them All
So my blog as been rather quiet for almost a year now, and very few updates if any have been released for my Password Protection PLugin, my Google 404 Plugin, and definately not for my AskApache CrazyCache plugin, which I will be releasing last… So for all of you who’ve helped me out by sending me suggestions and notifying me of errors and sticking with it… Just wanted to say sorry about that, and thanks for all the great ideas.. Well, I’ve been sticking with it as well believe it our not. I manage to get free days once in a while, and then its time to jam.
Tagged: AskApache Google 404, AskApache Password Protection, Fsockopen, WordPress Plugins, wordpress security | 1 Comment | Continue...
The Right to Read
The proponents of this scheme have given it names such as “trusted computing” and “palladium”. We call it “treacherous computing”, because the effect is to make your computer obey companies instead of you. This was implemented in 2007 as part of Windows Vista; we expect Apple to do something similar. In this scheme, it is the manufacturer that keeps the secret code, but the FBI would have little trouble getting it.
AskApache Debug Viewer Plugin for WordPress
The story behind this plugin is sorta wack, but in a good way :). While doing tons of security research on permissions, authorization, access, etc.. for the Password Protection plugin (still being worked on), I needed to have unheard of debugging capabilities while working on the plugin on the various websites, webhosts, and test servers that I use to test in different environments. So I hacked together a bunch of php code that helped me debug, actually I pretty much went overkill and tried to get as much debugging info as programmatically possible, and it ended up being so much code that I took it out of my Password Protection code and made it its own plugin.
Tagged: debugging, wordpress development | 1 Comment | Continue...
Password Protection Plugin Status
Enumerating Permissions can be Annoying
Don’t ask me how because I won’t tell you, but on one of the hosts I was testing on that did not allow direct access I was able to get the Apache server running as dhapache to erroneously write a file into my users blog directory. This is a big security no-no and I now have my .htaccess file written into the blog directory where it should go, but instead of my php script’s user having write access to the file so I can modify it, its owned by dhapache! Because the file is owned by dhapache I shouldn’t even be allowed to know it exists, but there it is. So the next step was to try and take ownership of the .htaccess file so that I could modify it. I tried and tried but was unsuccessful, I couldn’t modify it so that was another dead end. Actually it took me awhile to figure out how to remove the file from my directory. Being that it was owned by dhapache I couldn’t delete or modify it using my php process or even through ftp/ssh! Sysadmins regularly run find commands that search the servers for any files owned by dhapache that should not be there as this is a big red flag that someone has found a way to manipulate dhapache which could potentially lead to modifying dhapache-owned server config files, which sometimes is all it takes to hack your website and server.. Luckily I was able to delete it by basically running the hack again to overwrite the file.
Tagged: .htaccess plugin, Apache, askapache, htaccess, password protection, Security, WordPress | 2 Comments | Continue...
Ultimate Htaccess Tutorial for .htaccess files
This is not an introduction to .htaccess… This is the evolution of .htaccess… The BEST, the ORIGINAL, the NEWEST, and the most HIGHEST, FLYEST .htaccess tricks I can find.
Originally known as the “Ultimate .htaccess Guide”, its changed over the years by adding new .htaccess tricks and .htaccess examples to it.. I also add my favorite .htaccess links, the best .htaccess articles on AskApache, the coolest .htaccess experiments, the Web’s best .htaccess hacks, and update this article on the regular.
Tagged: .htaccess examples, Apache, Cache, caching, Files, FilesMatch, Google, Hacking, howto, htaccess, htaccess guide, htaccess help, htaccess howto, htaccess rewrite, htaccess tricks, htaccess tutorial, httpd, litespeed, mod_rewrite, Mod_Security, rewritecond, rewriterule, sample .htaccess, Security, SEO, seo secrets, SetEnvIf, ssl, ultimate htaccess | 56 Comments | Continue...
.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog
Well what can I say, other than this is sooo DOPE! Here is a list of the modules this plugin (version 4.7 unreleased) will automatically detect. I compiled the list myself using every module included with any default Apache installation for ALL the versions listed below, 1.3 to 2.2+
Want to know something else I’m including in this plugin? For each and every module that is detected, this plugin can then detect ALL of the modules .htaccess Directives! For instance, RewriteRule, AccessFileName, AddHandler, etc.. are each a directive belonging to a module that is allowed to be used from within .htaccess files.
Talk about sick.. these tricks have the diamond disease!
Tagged: Hacking, htaccess, htaccess rewrites, mod_rewrite, Security | 38 Comments | Continue...
Chmod, Umask, Stat, Fileperms, and File Permissions
Unix file permissions are one of the more difficult subjects to grasp.. Well, ok maybe “grasp” isn’t the word.. Master is the right word.. Unix file permissions is a hard topic to fully master, mainly I think because there aren’t many instances when a computer user encounters them. I’ve done a lot of research on it the past couple weeks… and now here’s everything I’ve learned so far.. cuz you guys AskApache Regs Rock!
Tagged: chmod, File Permissions, fileperms, Hacking, Security, stat, umask | 5 Comments | Continue...
Optimize a Website for Speed, Security, and Easy Management
Learn how to setup, configure, secure, optimize, and create a low-maintenance website the AskApache way. I’m piecing together all the hacks, tricks, methods, and ideas discussed throughout this blog and all across Netdom and glueing them all together to show you how to have the most optimized, crazy fastest, and best website setup I can think of.
Tagged: Apache, Cache, compression, hosting, htaccess, optimization, Security, server | 5 Comments | Continue...
COMPUTER SECURITY TOOLBOX
List of mainly obscure security software geared more for the master pentester. These are mostly for unix, bsd, and mac and many are difficult to install and setup (require custom servers, inside access points, obscure libraries). Only programs that output data are included, so no actual exploits or anything. Most of these output extremely useful albeit extremely technical information.
New Version of Password Protection Plugin
4.6 just released…. Check It Out.
:p
Mod_Security .htaccess tricks
Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though its tough to give away such awesome htaccess and apache tricks.. Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.. Mod_Security is so fine!
Tagged: Hacking, htaccess, Mod_Security, Security | 8 Comments | Continue...
AskApache Password Protection, For WordPress
AskApache Password Protect adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. plugins as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing exploit-serving scripts.
Faster POST and GET Form Submissions… Shazam
Just a very brief look at speeding up form submission by delegating the processing and bandwidth to your server, not your client.
Tagged: Bottleneck, form, Form Submit, Fsockopen, GET, http, PHP, post, Snoopy | 1 Comment | Continue...
Update: AskApache Password Protect Plugin
WordPress plugin gives you control over HTTP Basic Authentication for your WordPress blog which among other things, stops most automated hacking attempts and exploits being attempted, cutting down on the number of requests, connections, and mysql queries for all WordPress blogs on the Internet.
Log all .htaccess/.htpasswd logins
Learn how to log and debug usernames and passwords used to login to a htaccess basic authorization protected website using php. This article is BOSS and will show you how to fully take control of this aspect of security using php and .htaccess, I don’t believe you will find instructions to do this anywhere else on the net.
Tagged: 401, authorization, basic, htaccess, htpasswd, htpasswd login, password, username | 3 Comments | Continue...
WordPress Plugin for Apache .htaccess Security
- gzip’s previous .htaccess file and sends it as an attachment to the logged in users email account along with password user setup.
- Now also works for sites running on SSL (PHP version >4.3.0)
- Rewrote the security module code in the form of snort, nessus, and mod_security rules and signatures
- Added a *real* check to see if mod_rewrite is installed
- Added Modules that remove directoryindexes
- Much more on the way..
.htpasswd file Generator
.htpasswd is a flat-file used by Apache and other applications to store usernames and password for HTTP authentication. Apache .htpasswd files may contain multiple types of passwords; some may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt(3) and/or SHA-1. Usernames are limited to 255 bytes and may not include the character :.
Htpasswd Formats
Apache Servers recognize 4 formats for representing a password hash in the text file usually named .htpasswd.
CRYPT
crypt(3) is the library function which is used to compute a password hash. Technically the name is a misnomer since it is actually a cryptographic hash function. The output of the function is not merely the hash: it is a text string which also encodes the salt and identifies the hash algorithm used. Apache uses the traditional Unix crypt function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password. ALG_CRYPT
MD5
MD5 is one in a series of message digest algorithms designed by Professor Ronald Rivest of MIT. The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. In .htpasswd files the hash is: $apr1$ + an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. ALG_APMD5
SHA-1
The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA-1 produces a 160-bit digest from a message with a maximum length of (264 − 1) bits. SHA-1 is the most widely employed of the SHA family. It forms part of several widely used security applications and protocols, including TLS and SSL, PGP, SSH,…
Troubleshooting Apache .htaccess Authentication
Apache Web Server users have problems getting Apache Authentication/password-protection in htaccess working, this is a troubleshooting guide to get Password Protection working!
Apache Authentication in htaccess
How to password-protect, Allow or Deny a visitor based on a condition. If you are having trouble getting htaccess-based password protection to work see: Troubleshooting htaccess Authentication: Getting it to work
htaccess rewrite, htaccess
Comprehensive .htaccess example file with advanced examples in 1 htaccess sample skeleton .htaccess file with the very best apache htaccess examples… Updated frequently based on detailed info from the Apache htaccess tutorial.
.htaccess – Wikipedia
.htaccess (Hypertext Access) is the default name of Apache’s directory-level configuration file. It provides the ability to customize configuration directives defined in the main configuration file. The configuration directives need to be in .htaccess context and the user needs appropriate permissions.
Statements such as the following can be used to configure a server to send out customized documents in response to client errors such as “404: Not Found” or server errors such as “503: Service Unavailable” (see List of HTTP status codes):
ErrorDocument 404 /error-pages/not-found.html
ErrorDocument 503 /error-pages/service-unavailable.html
When setting up custom error pages, it is important to remember that these pages may be accessed from various different URLs, so the links in these error documents (including those to images, stylesheets and other documents) must be specified using URLs that are either absolute (e.g., starting with “http://”) or relative to the document root (starting with “/”). Also, the error page for “403: Forbidden” errors must be placed in a directory that is accessible to users who are denied access to other parts of the site. This is typically done by making the directory containing the error pages accessible to everyone by creating another .htaccess file in the /error-pages directory containing these lines:
Order allow,deny
Allow from all
Contents
[hide]
1 Password protection
1.1 Password unprotection
1.2 Extra secure method to force a domain to only use SSL and fix double login problem
2 Enable SSI
3 Deny users by IP address
4 Change the default directory page
5 Redirects
6 Prevent hotlinking of images
6.1 From specific domains
6.2 Except from specific domains
7 Standardise web address to require www with SEO-friendly 301 Redirect
8 Directory rules
9 User permissions
10 Other uses
11 See also
12 External links
Password protection
Make the user enter a name and password before viewing a directory.
AuthUserFile /home/newuser/www/stash/.htpasswd
AuthGroupFile /dev/null
AuthName “Protected Directory”
AuthType Basic
<Limit GET POST>
require user newuser
</Limit>
The same behavior…
Arp Packet Hacking
Part deux of Want to know how to really hack?
Question: can i arp poison a MAC which is not in my LAN or Network?
What about double-encapsulation? Like embedding the arp within something else..
I’d study the wire capture for awhile and use tools like isic and hping3 to see what types of rules are in place…
Then you can always try random weird protocols like a different vlan header on the packet or something… ettercapNG would allow this to work with some mods.
Maybe you should try accessing the switch/router that is inbetween the lans… that is what I would try first… determine device type and version, research the heck outta it, and see what you come up with… default password maybe? Then you could setup a 2-way mirroring situation on the switch or router.
Anothr little trick I’ve had to do is configure a dhcp or bootp server on a nix box and then turn off and on the power of the building to reboot the device. Usually for the first few seconds of the reboot it will allow things to happen which usually don’t. But if you configure the dhcp or bootp correctly, your in. Like maybe for the first 5 minutes after a reboot, access to a builtin webserver for remote configuration will be running. If so you can then learn the type and version, then find ways to breach with this info.
No switch or router can stop you.. infinite ways to attack this..
If you have unix flavor try messing around with the following programs.. arp, route, ifconfig, vconfig, arping, rarp.
If arp doesn’t go through youcould try and imitate the gateway that is allowed to send arp, and then try again.
arping might be especially useful to you.
#sends an arp reply to dest_ip from source_ip from interface eth0
$ arping -A -I…
Web Development Glossary
Web Development / Webmaster Glossary
A | B | C | D | E | F | G | H | I | L | M | N | O | P | R | S | T | U | V | W | X | Z | other glossaries
This glossary defines some of the common terminology related to Apache in particular, and web serving in general. More information on each concept is provided in the links.
Access Control
The restriction of access to network realms. In an Apache context usually the restriction of access to certain URLs.See: Authentication, Authorization, and Access Control
Account
The term “account” is often used synonymously with username here at DynDNS. Both terms describe the name you use to log in to our system. An account is not the same as a hostname, which may be named differently.
age
The age of a response is the time since it was sent by, or successfully validated with, the origin server.
Alias
See cname.
Algorithm
An unambiguous formula or set of rules for solving a problem in a finite number of steps. Algorithms for encryption are usually called Ciphers.
APache eXtension Tool (apxs)
A perl script that aids in compiling module sources into Dynamic Shared Objects ( dsos) and helps install them in the Apache Web server.See: Manual Page: apxs
A Record
An A Record, short for Address Record, allows a numeric ipaddress to map to a more human-readable domain. An A Record may also be referred to as a host or hostname.
Authoritative Nameserver
A nameserver which has been configured to provide answers for a specific domain, rather than simply getting and caching data about domains from other nameservers.
Authentication
The positive identification of a network entity such as a server, a client, or a user.See: Authentication, Authorization, and Access Control
Advisory Committee
An Advisory Committee is a formal advisory…
My Picks
- THE Mod_Rewrite Cheatsheet
- AskApache .bash_profile
- Elite Log Viewing
- THE Ultimate Htaccess
- Intense Windows Speed
- DNS: Round Robin Speed
- Fsockopen: Nuts
- Rsync and SSH
The love of liberty is the love of others; the love of power is the love of ourselves.
-- William Hazlitt
Newest Posts
- 30x Faster WP-Super Cache and Site Speed with TMPFS
- Tips and Tricks for a BASH Power Prompt
- PortaPutty Auto-Reconnecting SSH Tunnels on an Encrypted TrueCrypt Portable USB Key w GPG
Tech Topics
- WordPress Plugins
- Google + SEO
- .htaccess Tips and Tricks
- Apache HTTPD
- Computer Security Articles
- Search Engine Experiments
- PHP Programming
- Linux / Unix / BSD
- Shell Scripting
- CSS, DOM, XHTML
- Advanced Shell-Scripting
htaccess Guide
- htaccess tricks for Webmasters
- HTTP Header control with htaccess
- PHP on Apache tips and tricks
- SEO Redirects without mod_rewrite
- mod_rewrite examples, tips, and tricks
- HTTP Caching and Site Speedups
- Authentication on Apache
- htaccess Security Tricks and Tips
- SSL tips and examples
- Variable Fun (mod_env) Section
- .htaccess Security with MOD_SECURITY
- SetEnvIf and SetEnvIfNoCase Examples
Website Speed Tips Series
- Turn On Compression
- Add Future Expires Header
- Add Cache-Control Headers
- Turn Off ETags
- Remove Last-Modified Header
- Use Multiple SubDomains
Donate
Please consider donating to support active development of the free software and articles here.
Good Causes
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | TLDP | WAI | DISA | ICSI | GIAC | SANS RR | GHOST | DEFCON | NIST | DHS CYBER | NIST | Phrack | GDB | IEEE | GIT | GNU LIBC
↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. HTTPD based on NCSA HTTPd