AskApache » WordPress Plugins

Advanced WordPress wp-config.php Tweaks

AskApache — Sat, 03 Oct 2009 07:23:37 +0000

The bottom line for this article is that I want to make WordPress as fast, secure, and easy to install, run, and manage because I am using it more and more for client production sites, I will work for days in order to solve an issue so that I never have to spend time on that issue again. Time is money in this industry and that is ultimately (time) what there is to gain by tweaking WordPress.

Note: I spent no time on readability, this is primarily a read the code and figure it out article.. This is for advanced users looking for a reference or discussion and for those of you looking to advance. Feedback would be great if you make it that far..

For a better handle on the way I like to structure web site directories, see Optimize a Website for Speed, Security, and Easy Management but note it is a bit outdated compared to what I’m doing now. I don’t have the luxury of using only one type of server, or hosting provider anymore, so I have been working towards making things even more portable in order to move from host to host from server to server without issues i.e. my portable .bash_profile.

So I’ve been basically experimenting various ways to accomplish that and thought I would share what I am currently doing for my benefit and hopefully get some input. All of my WP installs run the development version, and one main idea with my setups is that upgrading is automated. So I really keep the WordPress install clean and use plugins and wp-config.php to do all the customization.

Portability – Hands-free upgrades and easy to move
Security – Additional security and protection
Speed – Less CPU and Disk I/O
Customization – All my favorite customizations

wp-config.php

These are the main settings I use.. Seriously this is more like an interactive article, because to understand it you will need to do some code grepping. You may want to grab a jolt.

ASKAPACHE_ROOT

The ASKAPACHE_ROOT variable is just a better way for me to be able to include and access all the different files in my site tree. For instance, in my non-wp php files, I can do this:

!defined('ASKAPACHE_ROOT') && require $_SERVER['DOCUMENT_ROOT'] . '/wp-config.php';
include(ASKAPACHE_ROOT . '/includes/custom-download.inc.php');

ASKAPACHE_LOCK

This is one of my all-time favorite hacks, that I think is one of the most useful methods I employ as a web developer. This allows me to use far-future-expire headers for optimum caching, while still forcing browsers to re-validate every day or so automatically, or forcing them to re-validate whenever I change the suffix. This takes advantage of the mod_rewrite trick that I use on EVERY site I run, definately worth learning. Because I practice best-practice web-standards, for every web site I create a single css file and javascript file, which I then add to the template like:

 Settings > General panel.
 */
!defined('WP_SITEURL') && define('WP_SITEURL', 'http://'.$_SERVER['SERVER_NAME']);
 
/**
 * WP_HOME is another wp-config.php option added in WordPress Version 2.2. Similar to WP_SITEURL,
 * WP_HOME overrides the wp_options table value for home but does not change it permanently.
 * home is the address you want people to type in their browser to reach your WordPress blog. It should include the http:// part. Also, do not put a slash "/" at the end.
 */
!defined('WP_HOME') && define('WP_HOME', WP_SITEURL);
 
/** no trailing slash, full paths only */
!defined('WP_CONTENT_DIR') && define( 'WP_CONTENT_DIR', ABSPATH . 'wp-content' );
 
// full url - WP_CONTENT_DIR is defined further up
!defined('WP_CONTENT_URL') && define( 'WP_CONTENT_URL', WP_SITEURL . '/wp-content');
 
/** Allows for the plugins directory to be moved from the default location. @since 2.6.0 */
// full path, no trailing slash
!defined('WP_PLUGIN_DIR') && define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins' );
 
/** Allows for the plugins directory to be moved from the default location. @since 2.6.0 */
// full url, no trailing slash
!defined('WP_PLUGIN_URL') && define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' );
 
/** Allows for the plugins directory to be moved from the default location. @since 2.1.0 */
// Relative to ABSPATH.  For back compat.
//!defined('PLUGINDIR') && define( 'PLUGINDIR', 'wp-content/plugins' );
 
/** Number of autosaves to save. TRUE is default and enables post revisions, FALSE disables revisions completely. */
!defined('WP_POST_REVISIONS') && define('WP_POST_REVISIONS', 150);
 
/* ini_set('memory_limit', WP_MEMORY_LIMIT); */
!defined('WP_MEMORY_LIMIT') && define('WP_MEMORY_LIMIT', '64M');
 
/** Only check at this interval for new messages. Default is 5min */
/** @since 2.9  */
!defined('WP_MAIL_INTERVAL') && define('WP_MAIL_INTERVAL', 3600); // 1 hour
 
/** Saves updated post values to post from edit window every x seconds. (default 60)
 * When editing a post, WordPress uses Ajax to auto-save revisions to the post as you edit. You may want to increase this setting for longer delays in between auto-saves, or decrease the setting to make sure you never lose changes.
 * @since 2.5.0 */
!defined( 'AUTOSAVE_INTERVAL' ) && define( 'AUTOSAVE_INTERVAL', 60 );
 
/** @since 2.9.0  */
/** Permanently deletes posts, pages, attachments, and comments which have been in the trash for EMPTY_TRASH_DAYS. */
!defined( 'EMPTY_TRASH_DAYS' ) && define( 'EMPTY_TRASH_DAYS', 300 );

Debugging WordPress

One of my secrets for getting really good at this stuff is to master debugging. There is really not ever a time when I am working on a site that I don’t have color-highlighted logs scrolling automatically in an ssh window. It’s really almost impossible to fix problems with wordpress or do any kind of advanced anything without being able to view debugging info. At first I relied heavily on a custom php.ini being available on the server, but after having to deal with many hosts who don’t allow php.ini files I now rely completely on setting values using ini_set for ultimate portability. Detailed towards the end of this article and is also included in this wp-config.php

/**#@+
 * DEBUGGING STUFF
 */
/** display of notices during development. if false, error_reporting is E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR otherwise E_ALL */
!defined('WP_DEBUG') && define('WP_DEBUG', false);
 
/** The SAVEQUERIES definition saves the database queries to a array and that array can be displayed to help analyze those queries.
 *  The information saves each query, what function called it, and how long that query took to execute.  */
!defined('SAVE_QUERIES') && define('SAVE_QUERIES', WP_DEBUG);
 
!defined('ACTION_DEBUG') && define('ACTION_DEBUG', WP_DEBUG);
 
/** This will allow you to edit the scriptname.dev.js files in the wp-includes/js and wp-admin/js directories.  */
!defined('SCRIPT_DEBUG') && define('SCRIPT_DEBUG', WP_DEBUG);

 
/** Add define('WP_DEBUG_LOG', true); to enable php debug logging to WP_CONTENT_DIR/debug.log */
//!defined('WP_DEBUG_LOG') && define('WP_DEBUG_LOG', true);
 
/** This determines whether errors should be printed to the screen as part of the output or if they should be hidden from the user.
 *  Add define('WP_DEBUG_DISPLAY', false); to wp-config.php to use the globally configured setting for display_errors and not force it to On */
!defined('WP_DEBUG_DISPLAY') && define('WP_DEBUG_DISPLAY', false);

Ultimate Security Tweaks

Well, ultimate for WP’s built-in keys and password functions, this is all for wp-config.php keep in mind. This is a very neccessary and recommended step, and is one of the only things I modify for each new installation.

Security KEYS

If like me you are familiar with password-cracking software like John the ripper, rainbow hash tables, l0pht-crack, etc.. then you will like to know that you can specify your own keys and salts for the encryption used by WP. They are AUTH_KEY, AUTH_SALT, SECURE_AUTH_KEY, SECURE_AUTH_SALT, LOGGED_IN_KEY, LOGGED_IN_SALT, NONCE_KEY, NONCE_SALT, SECRET_KEY and SECRET_SALT.

A random and long key gives you better encryption, and exponentially increasing that is using a random and long salt for the encryption. Encryptions with known salts are incredibly easy to decrypt compared to encryptions with secure salts, because the salt + key individually need to be guessed in order to find a matching hash, vs. just the key if the salt is known. See: Locating weak passwords.

A secret key is a hashing salt which makes your site harder to hack and access harder to crack by adding random elements to the password.

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

For more information on the technical background and breakdown of secret keys and secure passwords, see:

I like to use the WordPress.org secret-key service 4 times. That’s because for each key and salt I like to do: (1 key from api +random keyboard input+1 key from api).

/**#@+
 * Authentication Unique Keys.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies.
 * This will force all users to have to log in again.
 *
 * @since 2.6.0
 *
 * Get salt to add to hashes to help prevent attacks.
 *
 * The secret key is located in two places: the database in case the secret key
 * isn't defined in the second place, which is in the wp-config.php file. If you
 * are going to set the secret key, then you must do so in the wp-config.php
 * file.
 *
 * The secret key in the database is randomly generated and will be appended to
 * the secret key that is in wp-config.php file in some instances. It is
 * important to have the secret key defined or changed in wp-config.php.
 *
 * If you have installed WordPress 2.5 or later, then you will have the
 * SECRET_KEY defined in the wp-config.php already. You will want to change the
 * value in it because hackers will know what it is. If you have upgraded to
 * WordPress 2.5 or later version from a version before WordPress 2.5, then you
 * should add the constant to your wp-config.php file.
 *
 * Below is an example of how the SECRET_KEY constant is defined with a value.
 * You must not copy the below example and paste into your wp-config.php. If you
 * need an example, then you can have a
 * {@link https://api.wordpress.org/secret-key/1.1/ secret key created} for you.
 *
 * Salting passwords helps against tools which has stored hashed values of
 * common dictionary strings. The added values makes it harder to crack if given
 * salt string is not weak.
 *
 * @since 2.5
 * @link https://api.wordpress.org/secret-key/1.1/ Create a Secret Key for wp-config.php
 *
 * @return string Salt value from either 'SECRET_KEY' or 'secret' option
 */
define('AUTH_KEY',        'jflkhaskljdfhkljasdhflkjashd;flkjhas;djfh;kajshdflkjashdlfkjhasdlkfhal?p[B+GR{@>{Yq`c|LnG;dvq#| %OA_cbBSU6,rICC1o/c)-|');
define('SECURE_AUTH_KEY', 'jflkhaskljdfhkljasdhflkjashd;flkjhas;djfh;kajshdflkjashdlfkjhasdlkfhal?Vp[Bb15baar8&R-r<[T|?(xhJJABGq+Ux+U$)-Hltp/');
define('LOGGED_IN_KEY',   'jflkhaskljdfhkljasdhflkjashd;flkjhas;djfh;kajshdflkjashdlfkjhasdlkfhal?Vp[B<5n6DG|YWnJ9tY2!M1L)`{-$LW~~Ia%.uCbn!P. 41o2$Z$4');
define('NONCE_KEY',       'jflkhaskljdfhkljasdhflkjashd;flkjhas;djfh;kajshdflkjashdlfkjhasdlkfhal?Vp[Bgu+wm 2)bS0Pd_+1rx0brX]ND8|');
define('SECRET_SALT',      '123423190847olqkfhladhfsldshafasdfasdf09a7f-90a87df98adfyapoiyaf9asd8f70a9s8d7f908a7sdf97W4qCdm2<>))U|sty)+4vpWooKls/^[vN');
/**#@-*/

Using SSL for Admin and Login

SSL is kinda required from my point of view, it is just way to easy to sniff data off the wire otherwise. At least with SSL you force them to use tools like burpsuite, paros proxy, webscarab, etc..

/** @since 2.6.0  */
!defined('FORCE_SSL_ADMIN') && define('FORCE_SSL_ADMIN', true);
 
/** @since 2.6.0  */
!defined('FORCE_SSL_LOGIN') && define('FORCE_SSL_LOGIN', true);

Mod_Rewrite to Force SSL

This is pretty cool, it forces non-https for all urls except for /wp-admin and wp-login.php, which both require https. It also checks for the logged_in_cookie, and if that is present in the request then it doesn't force non-https. Kinda confusing if you don't have a mod_rewrite cheatsheet.

RewriteCond %{THE_REQUEST} ^$ [OR]
RewriteCond %{REQUEST_URI} ^/(wp-admin|wp-login\.php).*$ [NC,OR]
RewriteCond %{HTTP_COOKIE} ^.*wp_li_sadfsdfasdf11b361cdsdfasdfasd=.*$ [NC]
RewriteRule .* - [S=1]
 
RewriteCond %{HTTPS} =on [OR]
RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
RewriteRule .* http://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
 
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-admin/.*|wp-login\.php.*)\ HTTP/ [NC]
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

File System Permissions

You can get a basic and solid intro on file permissions by reading: Changing File Permissions, or you can check out some of my file permission research.

/** The permissions as octal number, usually 0644 for files, 0755 for dirs.
 *  http://codex.wordpress.org/Changing_File_Permissions
 *  if ( !$wp_filesystem->mkdir($remote_destination, FS_CHMOD_DIR) )
 */
!defined('FS_CHMOD_DIR') && define('FS_CHMOD_DIR', (0755 & ~ umask()));
!defined('FS_CHMOD_FILE') && define('FS_CHMOD_FILE', (0644 & ~ umask()));
/**#@-*/
 
/** Define the timeouts for the connections. Only available after the construct is called to allow for per-transport overriding of the default. */
//stream_set_timeout( $stream, FS_TIMEOUT );
//!defined('FS_TIMEOUT') && define('FS_TIMEOUT', 30);
 
//$this->link = @ftp_connect($this->options['hostname'], $this->options['port'], FS_CONNECT_TIMEOUT);
//!defined('FS_CONNECT_TIMEOUT') && define('FS_CONNECT_TIMEOUT', 30);
 
// function get_filesystem_method($args = array(), $context = false) {
//  $method = defined('FS_METHOD') ? FS_METHOD : false; //Please ensure that this is either 'direct', 'ssh', 'ftpext' or 'ftpsockets'
//!defined('FS_METHOD') && define('FS_METHOD', 'direct');
 
/** These methods for the WordPress core, plugin, and theme upgrades try to determine the WordPress path, as reported by PHP, but symlink trickery can sometimes
 * 'muck this up' so if you know the paths to the various folders on the server, as seen via your FTP user, you can manually define them in the wp-config.php file.
 * FS_METHOD forces the filesystem method. It should only be "direct", "ssh", "ftpext", or "ftpsockets".
 * FTP_BASE is the full path to the "base" folder of the WordPress installation.
 * FTP_CONTENT_DIR is the full path to the wp-content folder of the WordPress installation.
 * FTP_PLUGIN_DIR is the full path to the plugins folder of the WordPress installation.
 * FTP_PUBKEY is the full path to your SSH public key.
 * FTP_PRIKEY is the full path to your SSH private key.
 * FTP_USER is either user FTP or SSH username. Most likely these are the same, but use the appropriate one for the type of update you wish to do.
 * FTP_PASS is the password for the username entered for FTP_USER. If you are using SSH public key authentication this can be omitted.
 * FTP_HOST is the hostname:port combination for your SSH/FTP server. The standard FTP port is 21 and the standard SSH port is 22.
 */
//define('FS_METHOD', 'ftpext');
//define('FTP_BASE', '/path/to/wordpress/');
//define('FTP_CONTENT_DIR', '/path/to/wordpress/wp-content/');
//define('FTP_PLUGIN_DIR ', '/path/to/wordpress/wp-content/plugins/');
//define('FTP_PUBKEY', '/home/username/.ssh/id_rsa.pub');
//define('FTP_PRIKEY', '/home/username/.ssh/id_rsa');
//define('FTP_USER', 'username');
//define('FTP_PASS', 'password');
//define('FTP_HOST', 'ftp.example.org:21');
 
/**
 * Block requests through the proxy.
 *
 * Those who are behind a proxy and want to prevent access to certain hosts may do so. This will
 * prevent plugins from working and core functionality, if you don't include api.wordpress.org.
 *
 * You block external URL requests by defining WP_HTTP_BLOCK_EXTERNAL in your wp-config.php file
 * and this will only allow localhost and your blog to make requests.
 * The constant WP_ACCESSIBLE_HOSTS will allow additional hosts to go through for requests. The format of the
 * WP_ACCESSIBLE_HOSTS constant is a comma separated list of hostnames to allow.
 *
 * @since 2.8.0
 * @link http://core.trac.wordpress.org/ticket/8927 Allow preventing external requests.
/** @since 2.9  */
//!defined('WP_HTTP_BLOCK_EXTERNAL') && define( 'WP_HTTP_BLOCK_EXTERNAL', false );
 
/*
 * The constant WP_ACCESSIBLE_HOSTS will allow additional hosts to go through for requests. The format of the
 * WP_ACCESSIBLE_HOSTS constant is a comma separated list of hostnames to allow.
 *
 * @since 2.8.0
 * @link http://core.trac.wordpress.org/ticket/8927 Allow preventing external requests.
 * $accessible_hosts = preg_split('|,\s*|', WP_ACCESSIBLE_HOSTS);
 * return !in_array( $check['host'], $accessible_hosts ); //Inverse logic, If its in the array, then we can't access it.
 */
//!defined('WP_ACCESSIBLE_HOSTS') && define( 'WP_ACCESSIBLE_HOSTS', 'askapache.com,askapache.org' );

Cookies!

There’s always a little comfort in having non-default cookies for security (against auto-bots), and using shorter names also means smaller HTTP Packets.

The $cookie_hash is my hack to get around the fact that COOKIEHASH isn’t definable in wp-config.

/**#@+
 * COOKIES
 * Used to guarantee unique hash cookies @since 1.5 */
$cookie_hash=md5(WP_SITEURL);
 
/** Set a cookie now to see if they are supported by the browser.
 * setcookie(TEST_COOKIE, 'WP Cookie check', 0, COOKIEPATH, COOKIE_DOMAIN);
 * @since 2.3.0 */
!defined('TEST_COOKIE') && define('TEST_COOKIE', 'wp_tc');
 
/* @since 2.6.0 */
!defined('LOGGED_IN_COOKIE') && define('LOGGED_IN_COOKIE', 'wp_li_' . $cookie_hash);
 
/* @since 2.6.0 */
!defined('SECURE_AUTH_COOKIE') && define('SECURE_AUTH_COOKIE', 'wp_sa_' . $cookie_hash);
 
/* @since 2.5.0 */
!defined('AUTH_COOKIE') && define('AUTH_COOKIE', 'wp_a_' . $cookie_hash);
 
/* @since 2.0.0 */
!defined('PASS_COOKIE') && define('PASS_COOKIE', 'wp_p_' . $cookie_hash);
 
/* @since 2.0.0 */
!defined('USER_COOKIE') && define('USER_COOKIE', 'wp_u_' . $cookie_hash);
 
/* ok unset this var, its not needed as COOKIEHASH will have this value, but is not definable in wp-config.php */
unset($cookie_hash);
 
/** @since 1.2.0 */
!defined('COOKIEPATH') && define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', WP_HOME . '/' ) );
 
/** @since 1.5.0 */
!defined('SITECOOKIEPATH') && define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', WP_SITEURL . '/' ) );
 
/** @since 2.6.0 */
!defined('ADMIN_COOKIE_PATH') && define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . 'wp-admin' );
 
/** @since 2.6.0 */
!defined('PLUGINS_COOKIE_PATH') && define( 'PLUGINS_COOKIE_PATH', preg_replace('|https?://[^/]+|i', '', WP_PLUGIN_URL)  );
 
/** @since 2.0.0 */
!defined('COOKIE_DOMAIN') && define('COOKIE_DOMAIN', $_SERVER['SERVER_NAME']);

/**
  * The WP_CACHE setting, if true, includes the wp-content/advanced-cache.php script, when executing wp-settings.php.
  * For an advanced caching plugin to use, static because you would only want one
  * if ( defined('WP_CACHE') )@include WP_CONTENT_DIR . '/advanced-cache.php';
  */
!defined('WP_CACHE') && define('WP_CACHE', true);
 
/** WordPress Localized Language, defaults to en_US.
 *
 * Change this to localize WordPress.  A corresponding MO file for the chosen
 * language must be installed to wp-content/languages. For example, install
 * de.mo to wp-content/languages and set WPLANG to 'de' to enable German
 * language support. */
!defined('WPLANG') && define ('WPLANG', 'en_US');
 
/** Stores the location of the language directory. First looks for language folder in WP_CONTENT_DIR
 *   and uses that folder if it exists. Or it uses the "languages" folder in WPINC. @since 2.1.0 */
//!defined('WP_LANG_DIR') && define('WP_LANG_DIR', ABSPATH . WPINC . '/languages');
 
/** LANGDIR defines what directory the WPLANG .mo file resides. If LANGDIR is not defined WordPress looks first to wp-content/languages and then wp-includes/languages for the .mo defined by WPLANG file.  Old static relative path maintained for limited backwards compatibility - won't work in some cases*/
//!defined('LANGDIR') && define('LANGDIR', 'wp-content/languages');
 
/** Stores the location of the WordPress directory of functions, classes, and core content. @since 1.0.0 */
//!defined('WPINC') && define('WPINC', 'wp-includes');

WPMU Stuff

I personally don’t use.

/** Allows for the mu-plugins directory to be moved from the default location. @since 2.8.0 */
//!defined('WPMU_PLUGIN_DIR') && define( 'WPMU_PLUGIN_DIR', WP_CONTENT_DIR . '/mu-plugins' ); // full path, no trailing slash
 
/** Allows for the mu-plugins directory to be moved from the default location. @since 2.8.0 */
//!defined('WPMU_PLUGIN_URL') && define( 'WPMU_PLUGIN_URL', WP_CONTENT_URL . '/mu-plugins' ); // full url, no trailing slash
 
/** Allows for the mu-plugins directory to be moved from the default location. @since 2.8.0 */
//!defined( 'MUPLUGINDIR' ) && define( 'MUPLUGINDIR', 'wp-content/mu-plugins' ); // Relative to ABSPATH.  For back compat.

WordPress Database

This is usually the only thing I have to manually edit when creating a new site, unless I just use the same DB and modify the $table_prefix, (farther down). I run everything I possibly can in UTF-8, but if you don’t already know alot about character sets, wow it is one of the most confusing things so you may want to save learning about that topic for another day. Otherwise the following are helpful (and show how confusing character sets are!)

If you ever setup WP to use the builtin membership features, make sure you learn about the CUSTOM_USER_TABLE and CUSTOM_USER_META_TABLE constants, I’ve found them very helpful.

/**#@+
 * MySQL settings
 */
/** The name of the database for WordPress */
define('DB_NAME', 'askapachewpblog75');
 
/** The username to access the database */
define('DB_USER', 'askapache245d');
 
/** The password for the username to access the database */
define('DB_PASSWORD', 'asdfklj2340');
 
/** The hostname to connect to the database at */
define('DB_HOST', 'mysql.askapache.com');
 
/** The charset of the database */
define('DB_CHARSET', 'utf8');
 
/** The collation of the database */
define('DB_COLLATE', 'utf8_general_ci');

$table_prefix

The $table_prefix is the value placed in the front of your database tables. Change the value if you want to use something other than wp_ for your database prefix. Typically this is changed if you are installing multiple WordPress blogs in the same database, and also for enhanced security.

Its a safe and good idea to change this value pre-installation to add more security to your WordPress blog. Exploits attempted against your WordPress blog by malicious crackers often are built with the premise that your blog uses the prefix wp_, by changing the value you mitigate some attack vectors.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'ar15_';
 
/** CUSTOM_USER_TABLE and CUSTOM_USER_META_TABLE are used to designated that the user and usermeta tables normally utilized by WordPress are not used, instead these values/tables are used to store your user information. */
//!defined('CUSTOM_USER_TABLE') && define('CUSTOM_USER_TABLE', $table_prefix . 'my_users');
//!defined('CUSTOM_USER_META_TABLE') && define('CUSTOM_USER_META_TABLE', $table_prefix . 'my_usermeta');

Setup PHP Ini Settings

 
/** Turns the output of errors on or off, you really never want this on, you should only view errors by reading the log file. */
ini_set('display_errors', WP_DEBUG_DISPLAY);
 
/** Tells whether script error messages should be logged to the server's error log or error_log. */
ini_set('log_errors', 'On');
 
/** http://us.php.net/manual/en/timezones.php */
ini_set('date.timezone', 'America/Indianapolis');
 
/** Where to log php errors */
ini_set('error_log', ASKAPACHE_ROOT . '/logs/php_error.log');
 
/** Set the memory limit, otherwise defaults to '32M' */
ini_set('memory_limit', WP_MEMORY_LIMIT);

Sessions are slow

So I only use sessions when I have a specific use… In this case I need sessions only when one of the tools in the /online-tools/ directory is being used. And that is for the captcha image. In the future I won’t ever use sessions.

if(preg_match( '#^/online-tools/#',$_SERVER['REQUEST_URI'])) session_start();

Include Custom Files

Sure you could use the my-hacks.php that WP allows, or you can just stick your functions in your TEMPLATEPATH/functions.php file, but they are executed only after the wp-settings.php file, which may be too late for your file.

In the past I’ve also used the auto_prepend_file settings to run my script before anything (index.php) but I ran into some issues on different hosts, and it wasn’t as portable.

This is useful because you can have a file with globally available functions that you can use in non-WP areas as well as WP areas. I am moving away from this more and more as I learn more about classes and build plugins instead for portability.

include_once ASKAPACHE_ROOT . '/includes/myfunctions.inc';
 
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
?>

Some Useful PHP

I am constantly trying to make my sites and code more portable, so I am using plugins alot more to accomplish things that I use to do with separate php. Here are some examples of minimal php.

add_filter("the_generator", create_function('$a','return "";'));
add_filter('the_content', create_function('$a', 'return ((is_feed())? $a."".get_the_title()." originally appeared on ".get_bloginfo("name")."." : $a);'), 99999);
add_filter('excerpt_length', create_function('$a', 'return 300;'),99);
add_filter('excerpt_more', create_function('$a', 'return "…";'),99);
add_action( 'wp_head', create_function('$a','echo "\n";'), 95 );
add_action( 'wp_head', create_function('$a','echo "\n";'), 96 );
add_action( 'wp_head', create_function('$a','echo "\n";'), 97 );
add_action( 'wp_head', create_function('$a','echo "\n";'), 98 );
add_action( 'wp_head', create_function('$a','echo "\n";'), 99 );

Debugging Note

If you read this far than you probably know how important debugging is, but I sometimes like to stick the best tips deep in my articles to make sure only YOU find it. GRTFM isn’t used on this site, it’s mostly a requirement because my writing can get pretty bad.. The point, debugging is more than a crucial requirement if you want to do anything cool. Don’t worry I got you.. check my AskApache Debug Viewer Plugin from the official WP site. It’s pretty close to providing as verbose amount of information that I could possibly figure out how to get out of php, probably more than you have ever seen at least, I focused on quantity. I use it all the time on new installs as there is no setup required and it tells me advanced information about the setup of the server, hacker code for sure.

Here’s a quick function to see set global vars, I just think this is interesting code.

function askapache_global_debug(){
  global $_GET,$_POST,$_COOKIE,$_SESSION,$_ENV,$_FILES,$_SERVER,$_REQUEST,$HTTP_POST_FILES,$HTTP_POST_VARS,$HTTP_SERVER_VARS,$HTTP_RAW_POST_DATA,$HTTP_GET_VARS,$HTTP_COOKIE_VARS,$HTTP_ENV_VARS;
  $gv=create_function('$n','global $$n; ob_start(); if ( is_array($$n) && sizeof($$n)>0 && print("[{$n}]\n") ) print_r($$n);return ob_get_clean();');
  foreach (array('_GET','_POST','_COOKIE','_SESSION','_ENV','_FILES','_SERVER','_REQUEST','HTTP_POST_FILES','HTTP_POST_VARS','HTTP_SERVER_VARS','HTTP_RAW_POST_DATA','HTTP_GET_VARS','HTTP_COOKIE_VARS','HTTP_ENV_VARS') as $k)echo $gv($k);
  print_r(get_defined_constants());
}

Also check the WordPress Codex page: Editing wp-config.php

Advanced WordPress wp-config.php Tweaks originally appeared on AskApache.

An AskApache Plugin Upgrade to Rule them All

AskApache — Wed, 29 Jul 2009 17:59:07 +0000

So my blog as been rather quiet for almost a year now, and very few updates if any have been released for my Password Protection PLugin, my Google 404 Plugin, and definately not for my AskApache CrazyCache plugin, which I will be releasing last… So for all of you who’ve helped me out by sending me suggestions and notifying me of errors and sticking with it… Just wanted to say sorry about that, and thanks for all the great ideas.. Well, I’ve been sticking with it as well believe it our not. I manage to get free days once in a while, and then its time to jam.

I’ve used just about every CMS/Blog/Forum/Trac/Gallery/etc) and really didn’t like a lot of the way they coded… I could use php but I didn’t KNOW php.. so I’ve had to learn php also, and it was tough to learn the advanced class usage and all the other language specific (but similar) constructs for php. It was especially difficult (but fun and challenging) to program so as to be compatible with php4 and php5 (Such is WordPress). But I kept at it, and soon you can decide for yourself what to make of it.

I can code in plenty of languages (bash, lua, windows .bat and vbs, ocaml, big fan of all things shell) and can work my way through C and even sorta somewhat with assembly. Assembly is the hardest, by far, I’m into easy and powerful languages like Python, Javascript, perl, php, ruby, and CGI. I’ve used PHP for a long time to do various things, but never to build software projects like this. Once I noticed WordPress’s core .php files and the excellent programming I wanted to try and learn hot to do it. The WordPress code is some of the best I’ve seen. It appears the way they built it was planned, and not just dreamt up while typing that I can’t help but do. Every time I read through the core code I learn a new trick or very nice way to do something. Those guys are really good, and I think WordPress is going to dominate for a long long time.

The Strategy

The Password Protection (passpro) plugin has a lot of complex stuff going on, especially for a newbie to PHP and WordPress like me, so after refactoring the whole thing at least 5 times I decided to modify my approach, and wrote the AskApache Google 404 Plugin as a way to practice on a simpler piece of code, while at the same time providing a plugin of value. Eventually I stopped thinking I could just code the whole thing in one sit-down with a stream-of-consciousness, and had to instead modularize the code and focus in on each part before moving to the next (I go without a plan because its fun, just not the most productive, but again, I’m not a programmer in the scientific sense.).

So I decided I had to really learn how WordPress Plugins work, filters, hooks, actions, and basically comfortability at reverse-engineering code, (Im a beginner for the last time), and so with the upcoming release of the AskApache Google 404 Plugin I have succeeded in making an incredibly stable plugin. That way I only have to worry about what the aapasspro plugin is doing, instead of trying to fit it into a framework.

AskApache Google 404 Upgrade

I think its rather unusual to develop a nice plugin like this 404 handler merely for the purpose of improving upon another plugin, but hey it worked. As of 08/03/2009 14:06PM EST I have about 1 hour left of finishing touches to release this upgrade. But as you cantell by my badly edited posts, I don’t have a lot of time to myself. An hour here and there is about it. So it could be up to 2 weeks before I actually have the time to commit the release to the repo. On a sidenote, have you checked out Windows 7 News? I’ve been contracted to do some technical work for them and thought they had an excellent site.

But keep in mind, the 404 PLugin is just where I practice for the passpro plugin, which truly does have features that no other software like it has ever had. I understand the technology behind this plugin, and know it would really have a great impact on improving the Web (esp. WordPress) for all of us, I’ve just had to learn how to make it.

AskApache Password Protection

Probably still a couple weeks away, this plugin is the ultimate culmination of apache hackers dreams, at least those on shared servers (who may be interested in learning how to bypass security of said servers).. So this is something I have much too fun with doing what I like to do.. network/protocol-level security. I’ve examined the source code for many software packages that I use or have used to audit a server’s security, and this simple php plugin in most instances can enumerate with accuraccy most of the server’s setup in about a minute. The catch (and the file permission problems I had to find a workaround too) is that this software is launched on the server, not remotely against the server.

Some of the software I examined was whiskers, nessus, nmap, hping, mozilla source, wireshark, ncftp, netcat, etc.. The closest comparison to the socket-level class I’ve hacked together to those is wireshark. Except that wireshark only interprets (captures) the data passing over the wire, while this class does that and in fact sends and receives the data like netcat or nmap. Its really more similar to metasploit, and can easily be used to send hex, binary, ascii, or any type of payload to the remote or local host.

The Upgrades Begin

Well I started working on them a long time ago. Both the Password Protection plugin and the Google 404 plugin needed serious work. And I finally have it all figured out. Essentially I would work on one and finish an upgrade, but I just wasn’t happy with it and I wold start all over again, refactoring the code. So as I put the finishing touches on those 2 plugins keep an eye out. They are major upgrades. I was able to meet all the goals I had for them, and came up with a lot of more improvements during the process.One of the main things I needed was a socket-level class to perform all kinds of checks and tests on. I need this also for my crazy cache plugin, which my blog is currently using , and I have a 2 more really nice pplugins I use that also needed access to a network class. I wrote about what I was doing with fsockopen, and I’ve been improving on that example ever since. I use this class to do some really powerful and exciting stuff, but you’ll see it soon enough. As an indication of ‘getting it right’ for the Password Protection plugin, the plugin will now work on Windows, Apache, IIS, Lighthttpd, and will even work running on a blackberry web server. So now everyone using wordpress can at least get some security()

Many of the the other improvements focus on using the fsockopen class and .htaccess tricks to basically enumerate and discover all the different capabilities of your particular server; That way you can learn about all the features and security that are possible for your specific server, and the securty modules wi8ll be geared for that as well. FINALLY this plugin is going to be stable, and I just cant wait to see how people react when they learn all great capability their Apache-based Server has that they didn’t have a clue about. Its amazing in that sense, and hackers will love theh way it works.. but your server admins will love it even more because its entirely 100% focused on helping you to set your site up (if you have Apache) to keep spammers out, to keep virii-serving robots and their log-hogging exploit requests and CPU/Mem robiing 404 errors off of your servers for real. This will have a noticeable affect to whoever is running the server. As you can tell.. I am pumped!

Apache is easy to configure and use, but only when you have root access. Most people on shared and private hosting aren’t even able to view the main config file, let alone execute the Apache binaries to see what features are available and what configuration is being used.

Apache can only be influenced by the main server configs and by .htaccess files. Not by php, not by perl, and the main configs are almost never accessible to the masses. But .htaccess files are. And many hosting providers allow and enable .htaccess files, a configuration file for your web server. The advanced features and capabilities of Apache were out of reach for most of us, it just wasn’t possible to enumerate or access, and most hosting providers are infamous for their lack of .htaccess (customer) support. This plugin goes around those problems to give the power back to the people.

y creating custom .htaccess files containing unpublished .htaccess tricks and techniques and combining that with the use of socket-level networking from WordPress (PHP) using fsockopen, we can effectively enumerate and discover an incredible amount of features and settings you will be able to control and use with this plugin.

Here are a few examples of the capabilities of this plugin, some of which I believe no other software can do.. (Open source free to copy!).

Current Version of Apache (Down to the API Version)
List of ALL Modules currently enabled by Apache (Such as Mod_Rewrite)
List of ALL Directives enabled by EACH enabled Module.
Enumerate .htaccess Overrides, Context Permissions
Test for any builtin Handlers (like the status handler screenshot)
Configure SSI (http://www.askapache.com/htaccess/advanced-htaccess-ssi.html#htaccess-ssi-security)

March 1, 2009
I would focus on the method that WordPress uses. The code they have now (2.8 bleeding-edge) still isn’t where it needs to be, but this is some difficult stuff and they have a brilliant start, it’ll work.. just a question of when.

The main issue with the password protection plugin working for some people and not others is due to file permission configurations. The plugin attempts to write/modify files in your blog’s root directory.

November 05, 2008
To make a long story short, I downloaded each major release of the apache httpd source code starting at version 1.3.0 and finishing with version 2.2.11, I then compiled each version and built a HTTPD from source for all these apache versions.

1.3.0

1.3.1

1.3.11

1.3.12

1.3.14

1.3.17

1.3.19

1.3.2

1.3.20

1.3.22

1.3.23

1.3.24

1.3.27

1.3.28

1.3.29

1.3.3

1.3.31

1.3.32

1.3.33

1.3.34

1.3.35

1.3.36

1.3.37

1.3.39

1.3.4

1.3.41

1.3.6

1.3.9

2.0.35

2.0.36

2.0.39

2.0.40

2.0.42

2.0.43

2.0.44

2.0.45

2.0.46

2.0.47

2.0.48

2.0.49

2.0.50

2.0.51

2.0.52

2.0.53

2.0.54

2.0.55

2.0.58

2.0.59

2.0.61

2.0.63

2.1.3-beta

2.1.6-alpha

2.1.7-beta

2.1.8-beta

2.1.9-beta

2.2.0

2.2.10

2.2.2

2.2.3

2.2.4

2.2.6

2.2.8

2.2.9

2.2.10

2.2.11

Then I went through each version and determined the compatible modules for that version, and I’m pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives). See .htaccess directive list. Basically I can now test a server using a variety of methods and determine almost 100% accurately what version of Apache (down to the API) is running, what modules (and versions) are enabled, and each and every directive that is allowed or disallowed for that version. So this is so awesome because now we can enable all sorts of additional security features.

Htaccess enabled Modules
Here are most of the modules that come with Apache. Each one can have new commands that can be used in .htaccess file scopes.

mod_actions, mod_alias, mod_asis, mod_auth_basic, mod_auth_digest, mod_authn_anon, mod_authn_dbd, mod_authn_dbm, mod_authn_default, mod_authn_file, mod_authz_dbm, mod_authz_default, mod_authz_groupfile, mod_authz_host, mod_authz_owner, mod_authz_user, mod_autoindex, mod_cache, mod_cern_meta, mod_cgi, mod_dav, mod_dav_fs, mod_dbd, mod_deflate, mod_dir, mod_disk_cache, mod_dumpio, mod_env, mod_expires, mod_ext_filter, mod_file_cache, mod_filter, mod_headers, mod_ident, mod_imagemap, mod_include, mod_info, mod_log_config, mod_log_forensic, mod_logio, mod_mem_cache, mod_mime, mod_mime_magic, mod_negotiation, mod_proxy, mod_proxy_ajp, mod_proxy_balancer, mod_proxy_connect, mod_proxy_ftp, mod_proxy_http, mod_rewrite, mod_setenvif, mod_speling, mod_ssl, mod_status, mod_substitute, mod_unique_id, mod_userdir, mod_usertrack, mod_version, mod_vhost_alias

Debugging HTTP protocol

Check this out! I’m particularly happy about this feature, which outputs an exact trace of any requests made by the plugin (such as during the testing phase) by saving the actual raw data sent out on the wire using fsockopen, RX and TX. This is useful for a number of reasons, viewing your headers, finding Redirect Loops, testing RewriteRules, and following the request hop-by-hop for debugging. The below example shows 2 requests for 2 URIs. The first URI is protected using Digest Authentication, the 2nd shows Basic.

 ______________
|  RAW TRACE   |
==================================================================================================================================
GET /htaccess/index.txt?testing=query HTTP/1.1
Host: www.askapache.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) AA_PassPro/1.9 (http://www.askapache.com/)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://www.askapache.com/
 
HTTP/1.1 401 Authorization Required
Date: Wed, 22 Jul 2009 06:29:58 GMT
Server: Apache
WWW-Authenticate: Digest realm="do or die", nonce="03328f3ec7c7b", algorithm=MD5, domain="/", qop="auth"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 882
Connection: close
Content-Type: text/html; charset=UTF-8
 
GET /htaccess/index.txt?testing=query HTTP/1.1
Host: www.askapache.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) AA_PassPro/1.9 (http://www.askapache.com/)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://www.askapache.com/
Authorization: Digest username="test",realm="do or die",nonce="03328f3ec7c7b",uri="/htaccess/index.txt?testing=query",
cnonce="82d057852a9dc497",nc=00000001,algorithm=MD5,response="9d476e9ea3",qop="auth"
 
HTTP/1.1 200 OK
Date: Wed, 22 Jul 2009 06:29:58 GMT
Server: Apache
Authentication-Info: rspauth="9051b01ee26dd62b3e2b40dada694f45", cnonce="82d057852a9dc497", nc=00000001, qop=auth
Last-Modified: Tue, 21 Jul 2009 23:56:00 GMT
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Wed, 22 Jul 2009 07:29:58 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 27
Connection: close
Content-Type: text/plain; charset=UTF-8
```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````
 
 ______________
|  RAW TRACE   |
==================================================================================================================================
GET /htaccess/po.txt?testing=query HTTP/1.1
Host: www.askapache.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) AA_PassPro/1.9 (http://www.askapache.com/)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://www.askapache.com/
 
HTTP/1.1 401 Authorization Required
Date: Wed, 22 Jul 2009 06:29:58 GMT
Server: Apache
WWW-Authenticate: Basic realm="Po Pimping"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 878
Connection: close
Content-Type: text/html; charset=UTF-8
 
GET /htaccess/po.txt?testing=query HTTP/1.1
Host: www.askapache.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1) AA_PassPro/1.9 (http://www.askapache.com/)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://www.askapache.com/
Authorization: Basic adfAGAltcA==
 
HTTP/1.1 200 OK
Date: Wed, 22 Jul 2009 06:29:58 GMT
Server: Apache
Last-Modified: Wed, 22 Jul 2009 05:54:39 GMT
Accept-Ranges: bytes
Cache-Control: max-age=3600
Expires: Wed, 22 Jul 2009 07:29:58 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 27
Connection: close
Content-Type: text/plain; charset=UTF-8
```````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````````

.htaccess Directives

AcceptFilter, AcceptMutex, AcceptPathInfo, AccessFileName, Action, AddAlt, AddAltByEncoding, AddAltByType, AddCharset, AddDefaultCharset, AddDescription, AddEncoding, AddHandler, AddIcon, AddIconByEncoding, AddIconByType, AddInputFilter, AddLanguage, AddModuleInfo, AddOutputFilter, AddOutputFilterByType, AddType, Alias, AliasMatch, AllowCONNECT, AllowEncodedSlashes, AllowOverride, Anonymous, Anonymous_Authoritative, Anonymous_LogEmail, Anonymous_MustGiveEmail, Anonymous_NoUserID, Anonymous_NoUserId, Anonymous_VerifyEmail, AssignUserId, AuthAuthoritative, AuthBasicAuthoritative, AuthBasicProvider, AuthDBDUserPWQuery, AuthDBDUserRealmQuery, AuthDBM, AuthDBMAuthoritative, AuthDBMGroupFile, AuthDBMType, AuthDBMUserFile, AuthDefaultAuthoritative, AuthDigestAlgorithm, AuthDigestDomain, AuthDigestFile, AuthDigestGroupFile, AuthDigestNcCheck, AuthDigestNonceFormat, AuthDigestNonceLifetime, AuthDigestProvider, AuthDigestQop, AuthDigestShmemSize, AuthGroupFile, AuthLDAPAuthzEnabled, AuthLDAPBindDN, AuthLDAPBindON, AuthLDAPBindPassword, AuthLDAPCharsetConfig, AuthLDAPCompareDNOnServer, AuthLDAPDereferenceAliases, AuthLDAPEnabled, AuthLDAPFrontPageHack, AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthLDAPRemoteUserAttribute, AuthLDAPRemoteUserIsDN, AuthLDAPStartTLS, AuthLDAPURL, AuthLDAPUrl, AuthName, AuthType, AuthUserFile, AuthzDBMAuthoritative, AuthzDBMType, AuthzDefaultAuthoritative, AuthzGroupFileAuthoritative, AuthzLDAPAuthoritative, AuthzOwnerAuthoritative, AuthzUserAuthoritative, BS2000Account, BalancerMember, BrowserMatch, BrowserMatchNoCase, BufferedLogs, CGIMapExtension, CacheDefaultExpire, CacheDirLength, CacheDirLevels, CacheDisable, CacheEnable, CacheExpiryCheck, CacheFile, CacheForceCompletion, CacheGcClean, CacheGcDaily, CacheGcInterval, CacheGcMemUsage, CacheGcUnused, CacheIgnoreCacheControl, CacheIgnoreHeaders, CacheIgnoreNoLastMod, CacheLastModifiedFactor, CacheMaxExpire, CacheMaxFileSize, CacheMaxStreamingBuffer, CacheMinFileSize, CacheNegotiatedDocs, CacheRoot, CacheSize, CacheStoreNoStore, CacheStorePrivate, CacheTimeMargin, CharsetDefault, CharsetOptions, CharsetSourceEnc, CheckCaseOnly, CheckSpelling, ChildPerUserId, ContentDigest, CookieDomain, CookieExpires, CookieLog, CookieName, CookieStyle, CookieTracking, CoreDumpDirectory, CustomLog, DAV, DAVDepthInfinity, DAVGenericLockDB, DAVMinTimeout, DBDExptime, DBDKeep, DBDMax, DBDMin, DBDParams, DBDPersist, DBDPrepareSQL, DBDriver, Dav, DavDepthInfinity, DavGenericLockDB, DavLockDB, DavMinTimeout, DefaultIcon, DefaultLanguage, DefaultType, DeflateBufferSize, DeflateCompressionLevel, DeflateFilterNote, DeflateMemLevel, DeflateWindowSize, Directory, DirectoryIndex, DirectoryMatch, DirectorySlash, DocumentRoot, DumpIOInput, DumpIOOutput, EnableExceptionHook, EnableMMAP, EnableSendfile, ErrorDocument, ErrorLog, Example, ExpiresActive, ExpiresByType, ExpiresDefault, ExtFilterDefine, ExtFilterOptions, ExtendedStatus, FancyIndexing, FileETag, Files, FilesMatch, FilterChain, FilterDeclare, FilterProtocol, FilterProvider, FilterTrace, ForceLanguagePriority, ForceType, ForensicLog, GprofDir, GracefulShutdownTimeout, Group, Header, HeaderName, HostNameLookups, HostnameLookups, ISAIPFakeAsync, ISAPIAppendLogToErrors, ISAPIAppendLogToQuery, ISAPICacheFile, ISAPIFakeAsync, ISAPILogNotSupported, ISAPIReadAheadBuffer, IdentityCheck, IdentityCheckTimeout, IfDefine, IfModule, IfVersion, ImapBase, ImapDefault, ImapMenu, Include, IndexIgnore, IndexOptions, IndexOrderDefault, IndexStyleSheet, KeepAlive, KeepAliveTimeout, LDAPCacheEntries, LDAPCacheTTL, LDAPCertDBPath, LDAPConnectionTimeout, LDAPOpCacheEntries, LDAPOpCacheTTL, LDAPSharedCacheFile, LDAPSharedCacheSize, LDAPTrustedClientCert, LDAPTrustedGlobalCert, LDAPTrustedMode, LDAPVerifyServerCert, LanguagePriority, Limit, LimitExcept, LimitInternalRecursion, LimitRequestBody, LimitRequestFields, LimitRequestFieldsize, LimitRequestLine, LimitXMLRequestBody, Listen, ListenBacklog, LoadFile, LoadModule, Location, LocationMatch, LockFile, LogFormat, LogLevel, MCacheMaxObjectCount, MCacheMaxObjectSize, MCacheMaxStreamingBuffer, MCacheMinObjectSize, MCacheRemovalAlgorithm, MCacheSize, MMapFile, MaxClients, MaxKeepAliveRequests, MaxMemFree, MaxRequestsPerChild, MaxSpareServers, MaxSpareThreads, MaxSpareThreadsPerChild, MaxThreads, MetaDir, MetaFiles, MetaSuffix, MimeMagicFile, MinSpareServers, MinSpareThreads, ModMimeUsePathInfo, MultiviewsMatch, NWSSLTrustedCerts, NWSSLUpgradeable, NameVirtualHost, NoProxy, NumServers, Options, PassEnv, PerlAccessHandler, PerlAuthenHandler, PerlAuthzHandler, PerlChildExitHandler, PerlChildInitHandler, PerlCleanupHandler, PerlDispatchHandler, PerlFixupHandler, PerlFreshRestart, PerlHandler, PerlHeaderParserHandler, PerlInitHandler, PerlLogHandler, PerlModule, PerlPassEnv, PerlPostReadRequestHandler, PerlRequire, PerlRestartHandler, PerlSendHeader, PerlSetEnv, PerlSetVar, PerlSetupEnv, PerlTaintCheck, PerlTransHandler, PerlTypeHandler, PerlWarn, PidFile, Port, Protocol, ProtocolEcho, Proxy, ProxyBadHeader, ProxyBlock, ProxyDomain, ProxyErrorOverride, ProxyFtpDirCharset, ProxyIOBufferSize, ProxyMatch, ProxyMaxForwards, ProxyPass, ProxyPassInterpolateEnv, ProxyPassMatch, ProxyPassReverse, ProxyPassReverseCookieDomain, ProxyPassReverseCookiePath, ProxyPreserveHost, ProxyReceiveBufferSize, ProxyRemote, ProxyRemoteMatch, ProxyRequests, ProxySet, ProxyStatus, ProxyTimeout, ProxyVia, RLimitCPU, RLimitMEM, RLimitNPROC, ReadmeName, Redirect, RedirectMatch, RedirectPermanent, RedirectTemp, RemoveCharset, RemoveEncoding, RemoveHandler, RemoveInputFilter, RemoveLanguage, RemoveOutputFilter, RemoveType, RequestHeader, Require, RewriteBase, RewriteCond, RewriteEngine, RewriteLock, RewriteLog, RewriteLogLevel, RewriteMap, RewriteOptions, RewriteRule, SSIAccessEnable, SSIEndTag, SSIErrorMsg, SSIStartTag, SSITimeFormat, SSIUndefinedEcho, SSLCACertificateFile, SSLCACertificatePath, SSLCADNRequestFile, SSLCADNRequestPath, SSLCARevocationFile, SSLCARevocationPath, SSLCertificateChainFile, SSLCertificateFile, SSLCertificateKeyFile, SSLCipherSuite, SSLCryptoDevice, SSLEngine, SSLHonorCipherOrder, SSLLog, SSLLogLevel, SSLMutex, SSLOptions, SSLPassPhraseDialog, SSLProtocol, SSLProxyCACertificateFile, SSLProxyCACertificatePath, SSLProxyCARevocationFile, SSLProxyCARevocationPath, SSLProxyCipherSuite, SSLProxyEngine, SSLProxyMachineCertificateFile, SSLProxyMachineCertificatePath, SSLProxyProtocol, SSLProxyVerify, SSLProxyVerifyDepth, SSLRandomSeed, SSLRequire, SSLRequireSSL, SSLSessionCache, SSLSessionCacheTimeout, SSLUserName, SSLVerifyClient, SSLVerifyDepth, Satisfy, ScoreBoardFile, Script, ScriptAlias, ScriptAliasMatch, ScriptInterpreterSource, ScriptLog, ScriptLogBuffer, ScriptLogLength, ScriptStock, SecureListen, SendBufferSize, ServerAdmin, ServerAlias, ServerLimit, ServerName, ServerPath, ServerRoot, ServerSignature, ServerTokens, SetEnv, SetEnvIf, SetEnvIfNoCase, SetHandler, SetInputFilter, SetOutputFilter, StartServers, StartThreads, Substitute, SuexecUserGroup, ThreadLimit, ThreadStackSize, ThreadsPerChild, TimeOut, Timeout, TraceEnable, TransferLog, TypeAuthDBMUserFile, TypesConfig, UnsetEnv, UseCanonicalName, UseCanonicalPhysicalPort, User, UserDir, VirtualDocumentRoot, VirtualDocumentRootIP, VirtualHost, VirtualScriptAlias, VirtualScriptAliasIP, Win32DisableAcceptEx, XBitHack, allow, deny, order, php_admin_flag, php_admin_value, php_flag, php_value

You can view the plugins home page, old, or view it on the wordpress.org site.

An AskApache Plugin Upgrade to Rule them All originally appeared on AskApache.

AskApache Debug Viewer Plugin for WordPress

AskApache — Mon, 06 Apr 2009 03:53:31 +0000

Screen Shots | PHP Debug Functions

The story behind this plugin is sorta wack, but in a good way :). While doing tons of security research on permissions, authorization, access, etc.. for the Password Protection plugin (still being worked on), I needed to have unheard of debugging capabilities while working on the plugin on the various websites, webhosts, and test servers that I use to test in different environments. So I hacked together a bunch of php code that helped me debug, actually I pretty much went overkill and tried to get as much debugging info as programmatically possible, and it ended up being so much code that I took it out of my Password Protection code and made it its own plugin.

I’ve been using it for several months now while working on a plugin or diagnosing some issue, and decided that I’d share it with everyone. Hopefully it will help other plugin authors and php programmers in general to start writing more robust and error-proof code, which would in turn help me! To help those not using WordPress, I’ve included most of the debugging functions below, but you’ll need the AskApacheDebug class for them to work. Hope you find it useful! I do. Download AskApache Debug Viewer

Screenshots and Debug Output

The plugin outputs the debugging info in the admin footer by hooking into the ‘in_admin_footer’ action.

PHP Debugging Functions

Ok so for those interested more in the php flavor, here are a few of the functions that produce the debugging output. I’ll start with my customized _stat function, which took a lot of research to write, but you can read that story at Chmod, Umask, Stat, Fileperms, and File Permissions.

function _stat($fl)
{
  static $ftypes = false;
  if (!$ftypes)
  {
    $this->logg(__FUNCTION__ . ':' . __LINE__);
    $ftypes = array(S_IFSOCK => 'ssocket', S_IFLNK => 'llink', S_IFREG => '-file', S_IFBLK => 'bblock', S_IFDIR => 'ddir', S_IFCHR => 'cchar', S_IFIFO => 'pfifo');
  }
 
  $s = $ss = array();
  if (($ss = stat($fl)) === false) return $this->logg(__FUNCTION__ . ':' . __LINE__ . " Couldnt stat {$fl}", 0);
  $p = $ss['mode'];
  $t = decoct($p & S_IFMT);
  $q = octdec($t);
  $type = (array_key_exists($q, $ftypes)) ? substr($ftypes[$q], 0, 1) : '?';
$s = array(
'filename' => $fl,
 
'human' => ($type .
(($p & S_IRUSR) ? 'r' : '-') . (($p & S_IWUSR) ? 'w' : '-') . (($p & S_ISUID) ? (($p & S_IXUSR) ? 's' : 'S') : (($p & S_IXUSR) ? 'x' : '-')) .
(($p & S_IRGRP) ? 'r' : '-') . (($p & S_IWGRP) ? 'w' : '-') . (($p & S_ISGID) ? (($p & S_IXGRP) ? 's' : 'S') : (($p & S_IXGRP) ? 'x' : '-')) .
(($p & S_IROTH) ? 'r' : '-') . (($p & S_IWOTH) ? 'w' : '-') . (($p & S_ISVTX) ? (($p & S_IXOTH) ? 't' : 'T') : (($p & S_IXOTH) ? 'x' : '-'))),
'octal' => sprintf("%o", ($ss['mode'] & 007777)),
'hex' => sprintf("0x%x", $ss['mode']),
'decimal' => sprintf("%d", $ss['mode']),
'binary' => sprintf("%b", $ss['mode']),
'base_convert' => base_convert($ss['mode'],10,8),
'fileperms' => fileperms($fl),
'mode' => $p,
 
'type_octal' => sprintf("%07o", $q),  'fileuid' => $ss['uid'],
 
'type' => $type,
'filegid' => $ss['gid'],
'owner_name' => $this->get_posix_info('user', $ss['uid'],
'name'),
'group_name' => $this->get_posix_info('group', $ss['gid'],
'name'),
'dirname' => dirname($fl),
'is_file' => is_file($fl) ? 1 : 0,
'is_dir' => is_dir($fl) ? 1 : 0,
'is_link' => is_link($fl) ? 1 : 0,
'is_readable' => is_readable($fl) ? 1 : 0,
'is_writable' =>
is_writable($fl) ? 1 : 0,'device' => $ss['dev'],
'device_number' => $ss['rdev'],
'inode' => $ss['ino'],
'link_count' => $ss['nlink'],
'size' => $ss['size'],
'blocks' => $ss['blocks'],
'block_size' => $ss['blksize'],
'accessed' => date('Y M D H:i:s', $ss['atime']),
'modified' => date('Y M D H:i:s', $ss['mtime']),
'created' => date('Y M D H:i:s', $ss['ctime']),
'mtime' => $ss['mtime'], 'atime' => $ss['atime'],
'ctime' => $ss['ctime'], );
  if (is_link($fl)) $s['link_to'] = readlink($fl);
  if (realpath($fl) != $fl) $s['real_filename'] = realpath($fl);
 
  return $s;
}

get_debug_functions

These are various security and user related information. Nice.

function get_debug_functions($vb=false)
{
  $functions=$oa=array();
  $functions = array(
'PHP script Process ID' => 'getmypid',
'PHP script owners UID' => 'getmyuid',
'php_sapi_name' => 'php_sapi_name',
'PHP Uname' => 'php_uname',
'Zend Version' => 'zend_version',
'PHP INI Loaded' => 'php_ini_loaded_file',
'Current Working Directory' => 'getcwd',
'Last Mod' => 'getlastmod',
'Script Inode' => 'getmyinode',
'Script GID' => 'getmygid',
'Script Owner' => 'get_current_user',
'Get Rusage' => 'getrusage',
'Error Reporting' => 'error_reporting',
'Path name of controlling terminal' => 'posix_ctermid',
'Error number set by the last posix function that failed' => 'posix_get_last_error',
'Pathname of current directory' => 'posix_getcwd',
'posix_getpid' => 'posix_getpid',
'posix_uname' => 'posix_uname',
'posix_times' =>'posix_times',
'posix_errno' => 'posix_errno',
'Effective group ID of the current process' => 'posix_getegid',
'Effective user ID of the current process' => 'posix_geteuid',
'Real group ID of the current process' => 'posix_getgid',
'Group set of the current process' => 'posix_getgroups',
'Login name' => 'posix_getlogin',
'Current process group identifier' => 'posix_getpgrp',
'Current process identifier' => 'posix_getpid',
'Parent process identifier' => 'posix_getppid',
'System Resource limits' => 'posix_getrlimit',
'Return the real user ID of the current process' => 'posix_getuid',
'Magic Quotes GPC' => 'get_magic_quotes_gpc',
'Magic Quotes Runtime' => 'get_magic_quotes_runtime', );
 
  foreach ($functions as $title => $func_name) {
    $val = '';
    if ( ( $this->checkfunction($func_name) && ($val = $func_name()) !== false) ){
      if (empty($val)) $val=$func_name;
      $oa[$title] = $val;
    }
  }
 
  return $oa;
}

get_debug_permissions

This is a function designed to get as much information about file/user/group permissions as possible.

function get_debug_permissions($vb=false)
{
  $oa=array();
 
  $user_info = $this->get_posix_info('user');
  $group_info = $this->get_posix_info('group');
 
$functions = array(
'Real Group ID' => posix_getgid(),
'Effective Group ID' => posix_getegid(),
'Parent Process ID' => posix_getppid(),
'Parent Process Group ID' => posix_getpgid(posix_getppid()),
'Real Process ID' => posix_getpid(),
'Real Process Group ID' => posix_getpgid(posix_getpid()),
'Process Effective User ID' => posix_geteuid(),
'Process Owner Username' => $user_info['name'],
'File Owner Username' => get_current_user(),
'User Info' => print_r($user_info, 1),
'Group Info' => print_r($group_info, 1),
'RealPath'  => realpath(__FILE__),
'SAPI Name' => (function_exists('php_sapi_name')) ? print_r(php_sapi_name(), 1) : '',
'Posix Process Owner' => print_r(posix_getpwuid(posix_geteuid()), 1),
'Scanned Ini' => (function_exists('php_ini_scanned_files')) ? str_replace("\n", "", php_ini_scanned_files()) : '',
'PHP.ini Path' => get_cfg_var('cfg_file_path'),
'Sendmail Path' => get_cfg_var('sendmail_path'),
'Info about a group by group id' => posix_getgrgid(posix_getegid()),
'Process group id for Current process' => posix_getpgid(posix_getpid()),
'Process group id for Parent process' => posix_getpgid(posix_getppid()),
'Process group id of the session leader.' => posix_getsid(posix_getpid()),
'Info about a user by username' => posix_getpwnam(get_current_user()),
'Info about a user by user id' => posix_getpwuid(posix_geteuid()),
'Apache Version' => (function_exists('apache_get_version')) ? print_r(apache_get_version(), 1) : '',
'Apache Modules' => (function_exists('apache_get_modules')) ? print_r(apache_get_modules(), 1) : '',
'PHP_LOGO_GUI' => php_logo_guid(),
'ZEND_LOGO_GUI' => zend_logo_guid()
);
 
  foreach ($functions as $title => $v) $oa[$title] = $v;
 
  return $oa;
}

get_debug_defined

This gets all the defined constants, if verbose it gets more and gets the values for each.

function get_debug_defined($vb=false)
{
  $oa=array();
  foreach ((array)@get_defined_constants() as $k => $v){if (!$vb && in_array($k, array('ABSPATH', 'WP_ADMIN'))) $vb = true;  if($vb)$oa[$k]=$v;}
 
  foreach (
  array('WP_TEMP_DIR', 'WP_SITEURL', 'WP_HOME', 'ABSPATH', 'WP_CONTENT_URL',
  'WP_CONTENT_DIR', 'WP_PLUGIN_DIR', 'WP_PLUGIN_URL', 'WP_LANG_DIR', 'TEMPLATEPATH',
  'STYLESHEETPATH', 'WPINC', 'COOKIEPATH', 'SITECOOKIEPATH', 'ADMIN_COOKIE_PATH',
  'PLUGINS_COOKIE_PATH', 'PHP_SAPI', 'PHP_OS', 'PHP_VERSION'
  ) as $def) if (defined($def) && $val = constant($def) && !empty($val)) $oa[$def] = $val;
 
  return $oa;
}

get_debug_inis

This function gets the values of your php ini, if verbose it gets them all and shows the currently used value instead of both the global and local.

function get_debug_inis($vb=false)
{
  $oa=array();
 
  foreach (array('Error Log' => 'error_log',
'Session Data Path' => 'session.save_path',
'Upload Tmp Dir' => 'upload_tm_p_dir',
'Include Path' => 'include_path',
'Memory Limit' => 'memory_limit',
'Max Execution Time' => 'max_execution_time',
'Display Errors' => 'display_errors',
'Allow url fopen' => 'allow_url_fopen',
'Disabled Functions' => 'disable_functions',
'Safe Mode' => 'safe_mode',
'Open Basedir' => 'open_basedir',
'File Uploads' => 'file_uploads',
'Max Upload Filesize' => 'upload_max_filesize',
'Max POST Size' => 'post_max_size',
'Open Basedir' => 'open_basedir') as $title => $ini_name) if (($val = '' && $val = strval(ini_get($ini_name))) !== false && !empty($val)) $oa[$title] = $val;
 
  if($vb!==false){
    foreach ((array)@ini_get_all() as $k => $v) $oa[$k] = (($v['global_value'] == $v['local_value']) ? $v['global_value'] : $v);
  }
  return $oa;
}

get_debug_phpinfo

I’m particularly proud of this function because the preg_replace was tough and the result is a perfect array of values returned by the phpinfo command.

function get_debug_phpinfo()
{
  $oa=array();
  ob_start();
  phpinfo(-1);
  $oa = preg_replace(array('#^.*(.*).*$#ms', '#PHP License
.*$#ms', '#Configuration
#', "#\r?\n#", "##", '# +<#', "#[ \t]+#", '# #', '#  +#', '# class=".*?"#', '%'%', '#(?:.*?)" src="(?:.*?)=(.*?)" alt="PHP Logo" />' . 'PHP Version (.*?)(?:\n+?)#',
    '#PHP Credits
#', '#(?:.*?)" src="(?:.*?)=(.*?)"(?:.*?)Zend Engine (.*?),(?:.*?)#', "#  +#", '##', '##'), array('$1', '', '', '', '' . "\n", '<', ' ', ' ', ' ', '', ' ', 'PHP Configuration' . "\n" . 'PHP Version$2' . "\n" . 'PHP Egg$1',
    'PHP Credits Egg$1', 'Zend Engine$2' . "\n" . 'Zend Egg$1', ' ', '%S%', '%E%'), ob_get_clean());
  $sections = explode('', strip_tags($oa, '
'));
  unset($sections[0]);
  $oa = array();
  foreach ($sections as $section)
  {
    $n = substr($section, 0, strpos($section, ''));
    preg_match_all('#%S%(?:(.*?))?(?:(.*?))?(?:(.*?))?%E%#', $section, $askapache, PREG_SET_ORDER);
    foreach ($askapache as $m) $oa[$n][$m[1]] = (!isset($m[3]) || $m[2] == $m[3]) ? $m[2] : array_slice($m, 2);
  }
  return $oa;
}

get_debug_included

Gets a list of all the files included by php, if verbose it also super-stats them.

function get_debug_included($vb=false)
{
  $oa=array();
  foreach((array)@get_included_files() as $k=>$v) $oa[$v]=($vb===false) ? '' : $this->_stat($v);
  return $oa;
}

get_debug_classes

Gets a list of predefined classes declared in your php instance, if verbose it gets EVERY class and also gets the methods for each.

function get_debug_classes($vb=false)
{
  $classes=$oa=array();
  $classes= ($vb!==false) ? (array)@get_declared_classes() : array('WP','WP_Error','Walker','WP_Ajax_Response','wpdb','WP_Object_Cache','WP_Query','WP_Rewrite','WP_Locale');
  foreach ($classes as $k)  $oa[$k] = @get_class_methods($k);

  return $oa;
}

get_debug_globals

This function tries to get the values of every known (past and present) global variable in php.

function get_debug_globals($vb=false)
{
  $oa=array();
 
  $globs =
  array(
  'GET'     => isset( $_GET )?$_GET:'',
  'POST'    => isset( $_POST )?$_POST:'',
  'COOKIE'  => isset( $_COOKIE )?$_COOKIE:'',
  'SESSION'   => isset( $_SESSION )?$_SESSION:'',
  'ENV'     => isset( $_ENV )?$_ENV:'',
  'FILES'     => isset( $_FILES )?$_FILES:'',
  'SERVER'  => isset( $_SERVER )?$_SERVER:'',
  'SERVER'  => isset( $_SERVER )?$_SERVER:'',
  'UPLOAD'  => function_exists('wp_upload_dir') ? wp_upload_dir():'',
  'REQUEST'   => isset( $_REQUEST )?$_REQUEST:'',
  'HTTP_POST_FILES'   => isset( $HTTP_POST_FILES )?$HTTP_POST_FILES:'',
  'HTTP_POST_VARS'    => isset( $HTTP_POST_VARS )?$HTTP_POST_VARS:'',
  'HTTP_SERVER_VARS'  =>  isset( $HTTP_SERVER_VARS )?$HTTP_SERVER_VARS:'',
  'HTTP_RAW_POST_DATA' => isset( $HTTP_RAW_POST_DATA )?$HTTP_RAW_POST_DATA:'',
  'HTTP_GET_VARS'     => isset( $HTTP_GET_VARS )?$HTTP_GET_VARS:'',
  'HTTP_COOKIE_VARS'  =>  isset( $HTTP_COOKIE_VARS )?$HTTP_COOKIE_VARS:'',
  'HTTP_ENV_VARS'     => isset( $HTTP_ENV_VARS )?$HTTP_ENV_VARS:'',
  );
  foreach ($globs as $k => $v) if (isset($v) && sizeof($v) > 0) $oa[$k] = $v;
 
  foreach (array_keys($_SERVER) as $k) if ($val = strval($_SERVER[$k]) && !empty($val)) $oa[(substr($k, 0, 5) == 'HTTP_' ? 'HTTP' : 'SERVER')][$k] = $_SERVER[$k];

  return $oa;
}

get_debug_loaded_extensions

Returns a list of all the loaded extensions in php. If verbose it also returns their functions!

function get_debug_loaded_extensions($vb=false)
{
  $oa=array();
  foreach((array)@get_loaded_extensions() as $k=>$v) $oa[$v]= ($vb===false) ? '' : (array)@get_extension_funcs($v);
  return $oa;
}

AskApache Debug Viewer Plugin for WordPress originally appeared on AskApache.

Password Protection Plugin Status

AskApache — Sun, 01 Mar 2009 17:39:57 +0000

I wanted to address why the update to the AskApache Password Protection plugin didn’t happen pre-2009 as I had hoped.. Mostly due to my job but I thought I could at least fill you in. Oh and this is going to get very boring very fast, unless you’re ready to rumble in the zone.

File Permissions!

The main issue with the password protection plugin working for some people and not others is due to file permission configurations. WordPress is simply a group of .php files saved on your server. The actual program that is in fact running WordPress is the PHP interpreter, which is in turn controlled by the Apache Server. Almost all computers are running at least 2 servers, the Web Server which serves and displays your files, and a FTP server.

Here’s a detailed look at the Apache Security Model, from ApacheSecurity.net, a blog maintained by Ivan Ristic, the author of ModSecurity.

The problem is happening because when you login to your FTP server with your username and password, the files that you upload are then owned by that username and password, which is almost always an actual user account on the server system. But the Apache Server is an executable file itself, and it is not owned by your FTP username, for security reasons. Apache controls the PHP Interpreter, which parses and executes the WordPress and plugin files as a separate user. ( SuEXEC, Apache Security Tips )

So what happens is the askapache-password-protect.php file saved on your server and is owned by the user that created it (if you downloaded it to your computer then used ftp to transfer, your ftp user owns it.. if you used a php downloader script, then the php process owner owns it) So when you click on the Run Tests button from the WordPress administration website what you are doing is sending a request via HTTP to your Apache Server process, which sees the requested file is .php so it then runs the php interpreter to execute the askapache-password-protect.php file, then that file uses programming to attempt and write/modify a file in your blog’s root directory.

Process Owner vs. File Owner

So who owns your blog’s root directory? Your ftp user account/ you do.. but who owns the process that is trying to write/modify a file that is owned by your ftp user? The PHP Process that is actually executing the file access/write requests. This is the core way that 99% of all web sites get cracked into.. All these malicious robots and exploit bots do is attempt to write a file onto your server so that it can then be used to take over your site. If they can save a file on your blog’s directory (uploads, insecure plugin code, not filtering user input, etc..) it inherits the permissions of the process that actually wrote the data bits onto the hard-drive.

So some server-admins/web hosts configure the php interpreter to not have write access anywhere except for a couple neccessary locations like /tmp. They have auto-installation’s available through their online web panels, meaning instead of executing .php scripts in your user directory as the php process they force you to use, they can bypass all that because the installation scripts they use are all on their systems, not on your “locked-down” cluster.

This is the fundamental security battle that network server security is all based on.. Apache is owned by a powerful user because it owns the server process, so apache is often run as the user dhapache or nobody.. If a cracker is able to find a way to get a file saved on your server with the dhapache user as the owner then they’ve basically just gotten control of the whole thing. When you upload a file to your server using the add attachment form in wordpress, the file first goes through the dhapache user which passes the file to the php process owner which has much less permissions. Apache has been in open-source development for many many years now, its the safest most secure server in the world, windows servers are hackable, apache servers are hacked usually only when the sysadmin configures it wrong or accidentally.

Believe it or not, as confusing as my feeble explanation was, this is only like .1% of whats going on.. I’ve basically spent the last several months developing the new version specifically to be able to work no matter what configuration you have. What I ended up doing was finding ways to bypass this security on a couple hosting providers that are setup in this way, but even though I got it to work in most instances it basically was hacking their systems, and if I published that code to automatically bypass web-hosts security setups I think I’d be in big trouble and they would just close those specific holes and the plugin would not work again. So I decided instead of exploiting host-specifics hacks to get the plugin to work that I would focus on the method that WordPress sorta uses. The code they have now (2.8 bleeding-edge) still isn’t where it needs to be, but this is some difficult stuff and they have a brilliant start, it’ll work.. just a question of when.

`wp-admin/includes/file.php`

Ok so this function get_filesystem_method is a brilliant bit of code that would’ve been beyond my current PHP skills to come up with. It determines which if any of the following methods can be used to modify files on your server from within WordPress, which is exactly what the new version of the passpro plugin needs to use. The first test simply creates a file from within php using wp_tempnam, a function that attempts to locate and write to a temporary location on your server that has the best chance of having write access. If it is successfully created (this code assumes that it will be, something they need to fix) then the fileowner (uses stat internally) of the temp file just created is compared to the owner of the php script… Normally this works and then the plugin woks too, but on some hosts the script is running as a separate user than that of the file which means you can’t directly access the local file system. That is what is occurring for most of you who experience permission problems while testing the plugin. There are thousands of caveats for each little part depending on your php version, php setup, server setup, server version, which Server API you are using, the type of SAPI being used, and on and on..

function get_filesystem_method($args = array()) {
  $method = false;
  if( function_exists('getmyuid') && function_exists('fileowner') ){
    $temp_file = wp_tempnam();
    if ( getmyuid() == fileowner($temp_file) ) $method = 'direct';
    unlink($temp_file);
  }
  if ( ! $method && isset($args['connection_type']) && 'ssh' == $args['connection_type'] && extension_loaded('ssh2') )
          $method = 'ssh2';
  if ( ! $method && extension_loaded('ftp') )
          $method = 'ftpext';
  if ( ! $method && ( extension_loaded('sockets') || function_exists('fsockopen') ) )
          $method = 'ftpsockets'; //Sockets: Socket extension; PHP Mode: FSockopen / fwrite / fread
  return apply_filters('filesystem_method', $method);
}

Enumerating Permissions can be Annoying

This was part of some tests I did to see what kind of access I had with the very helpful posix functions which are very accurate as well since they were designed for a system with file permissions, ie. not Win. Don’t ask me how because I won’t tell you, but on one of the hosts I was testing on that did not allow direct access I was able to get the Apache server running as dhapache to erroneously write a file into my users blog directory. This is a big security no-no and I now have my .htaccess file written into the blog directory where it should go, but instead of my php script’s user having write access to the file so I can modify it, its owned by dhapache! Because the file is owned by dhapache I shouldn’t even be allowed to know it exists, but there it is. So the next step was to try and take ownership of the .htaccess file so that I could modify it. I tried and tried but was unsuccessful, I couldn’t modify it so that was another dead end. Actually it took me awhile to figure out how to remove the file from my directory. Being that it was owned by dhapache I couldn’t delete or modify it using my php process or even through ftp/ssh! Sysadmins regularly run find commands that search the servers for any files owned by dhapache that should not be there as this is a big red flag that someone has found a way to manipulate dhapache which could potentially lead to modifying dhapche-owned server config files.. Luckily I was able to delete it by basically running the hack again to overwrite the file.

  if ((posix_setgid(getmygid())) !== false) $this->to_log('', 1,
      "Success Changing SETGID of {$file}  to " . getmygid(), 3);
  elseif ((posix_setgid(filegroup(__file__))) !== false) $this->to_log('', 1,
      "Success Changing SETUID of {$file} to " . filegroup(__file__), 3);
  if ((posix_setegid(getmygid())) !== false) $this->to_log('', 1,
      "Success Changing SETEGID of {$file} to " . getmygid(), 3);
  elseif ((posix_setegid(filegroup(__file__))) !== false) $this->to_log('', 1,
      "Success Changing SETEGID of {$file} to " . filegroup(__file__), 3);
  if ((posix_setuid(getmyuid())) !== false) $this->to_log('', 1,
      "Success Changing SETUID of {$file}  to " . getmyuid(), 3);
  elseif ((posix_setuid(get_current_user())) !== false) $this->to_log('', 1,
      "Success Changing SETUID of {$file} to " . get_current_user(), 3);
  if ((posix_seteuid(getmyuid())) !== false) $this->to_log('', 1,
      "Success Changing SETEUID of {$file} to " . getmyuid(), 3);
  elseif ((posix_seteuid(get_current_user())) !== false) $this->to_log('', 1,
      "Success Changing SETEUID of {$file} to " . get_current_user(), 3);
  if ((chmod($file, FS_CHMOD_DIR) || chmod($file, 0776) || chmod($file, 0766) || chmod($file,
    FS_CHMOD_FILE)) !== false) $this->to_log('', 1, "Success Changing Mode of {$file}", 3);
  if ((chown($file, getmyuid())) !== false) $this->to_log('', 1,
      "Success Changing Ownership of {$file} to " . getmyuid(), 3);
  elseif ((chown($file, get_current_user())) !== false) $this->to_log('', 1,
      "Success Changing Ownership of {$file} to " . get_current_user(), 3);
  if ((chgrp($file, getmygid())) !== false) $this->to_log('', 1,
      "Success Changing Group of {$file} to " . getmygid(), 3);
  elseif ((chgrp($file, filegroup(__file__))) !== false) $this->to_log('', 1,
      "Success Changing Group of {$file} to " . filegroup(__file__), 3);
  if ((chmod($file, FS_CHMOD_DIR) || chmod($file, 0776) || chmod($file, 0766) || chmod($file,
    FS_CHMOD_FILE)) !== false) $this->to_log('', 1, "Success Changing Mode of {$file}", 3);
  if ((chown($file, getmyuid())) !== false) $this->to_log('', 1,
      "Success Changing Ownership of {$file} to " . getmyuid(), 3);
  elseif ((chown($file, get_current_user())) !== false) $this->to_log('', 1,
      "Success Changing Ownership of {$file} to " . get_current_user(), 3);
  if ((chgrp($file, getmygid())) !== false) $this->to_log('', 1,
      "Success Changing Group of {$file} to " . getmygid(), 3);
  elseif ((chgrp($file, filegroup(__file__))) !== false) $this->to_log('', 1,
      "Success Changing Group of {$file} to " . filegroup(__file__), 3);
  return (!$this->_fclose($fh)) ? $this->to_log(__function__ . ':' . __line__ .
    " Error closing {$mode} handle for {$file}", 0) : $total;

If php process isn’t allowed to write to your web directory but you have an ftp account that is, then we request your ftp username/password in wordpress and if the php process running the askapache-password-protect.php plugin script is allowed access to raw networking sockets using fsockopen then we can basically access and write to your blog’s .htaccess file by using php to mimick an ftp client session. There are also other protocols and options available using php if ftp/fsockopen isn’t allowed, but you run out of alternatives quick. Using the curl extension is one option.

So I wrote my own ftp library for a fsockopen class I had already developed for specific test requirements in unreleased versions, so the release of the new askapache password protect plugin will work for 75% or so of the people who have trouble now.. not to mention the insane logging and debugging I’ve added while looking for the reasons some web-hosts still don’t work. Some use custom php security modules, wrappers, and custom virtual servers that are akin to a vmware server. So for maybe 10% of those running apache who have had problems they would still have them. I’m still playing with some ssh capability from within the plugin similar to the ftp technique.. I really hope WordPress just adds this functionality by updating their current filesystem classes..

Fsockopen Payload Class

Here’s what I had several versions ago.. Just sticking it up here in case anyone is curious, one cool thing this version starts to incorporate is being able to send direct data payloads across the socket so it can be used like the metasploit framework to send payloads of exploits, but of course we’re using it to mimick other protocols like ftp, which can be setup by feeding hex into the socket direct from a real ftp client, and piping the output. Keep in mind that this is my first time using php classes, so the learning curve has been incredible…

 '1.0', 'method' => 'GET', 'referer' =>
   'http://www.askapache.com/', 'port' => '80', 'ua' =>
   'Mozilla/5.0 (compatible; AskApache_Net/1.6; http://www.askapache.com/)', 'scheme' =>
   'http', 'transport' => '', 'host' => '', 'user' => '', 'pass' => '', 'path' => '/',
   'query' => '', 'fragment' => '');
  var $authtype = 'Basic';
  var $timeout = 15;
  var $_dh = '';
  var $_digest = array('realm' => '', 'nonce' => '', 'uri' => '', 'algorithm' => 'MD5',
   'qop' => 'auth', 'opaque' => '', 'domain' => '', 'nc' => '00000001', 'cnonce' =>
   '82d057852a9dc497', 'A1' => '', 'A2' => '', 'response' => '');
  var $_ACLF = "\r\n";
  var $_request_body = '';
  var $_request_headers = array();
  var $_response_headers = array();
  var $my_headers;
  var $_response_header = '';
  var $_response_protocol = '';
  var $_response_version = '';
  var $_response_code = '';
  var $_response_message = '';
  var $_response_body = '';
  var $_errs = array(3 => 'Socket creation failed', 4 => 'DNS lookup failure', 5 =>
   'Connection refused or timed out', 111 => 'Connection refused', 113 =>
   'No route to host', 110 => 'Connection timed out', 104 => 'Connection reset by client');

  /**
   * AskApache_Net::AskApache_Net()
   */
  function AskApache_Net()
  {
   return $this->__construct();
  }

  /**
   * AskApache_Net::__destruct()
   */
  function __destruct()
  {
   $this->_timer('class');
   return true;
  }

  /**
   * AskApache_Net::__construct()
   */
  function __construct()
  {
   $this->_timer('class');
   $this->_ACLF = chr(13) . chr(10);
   @set_time_limit(60);
   return true;
  }

  /**
   * AskApache_Net::hsockit()
   */
  function hsockit($URI)
  {
   $this->msg(__function__ . ':' . __line__, 3);
   $this->_socket['method'] = 'HEAD';
   return $this->sockit($URI);
  }

  /**
   * AskApache_Net::sockit()
   */
  function sockit($URI = '')
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if (!$this->_build_sock($URI)) return $this->msg(__function__ . ':' . __line__,
     "Failed!", 0);
   if (!$this->_connect()) return $this->msg(__function__ . ':' . __line__, "Failed!", 0);
   $this->_build_request();
   if (!$this->_build_request()) return $this->msg(__function__ . ':' . __line__,
     "Failed!", 0);
   if (!$this->_tx()) return $this->msg(__function__ . ':' . __line__, "tx Failed!", 0);
   if (!$this->_rx()) return $this->msg(__function__ . ':' . __line__, "rx Failed!", 0);
   if (!$this->_disconnect()) return $this->msg(__function__ . ':' . __line__,
     "disconnect Failed!", 0);
   if ((bool)$this->net_debug === true) {
    foreach (array('out_payload', '_request_body', '_response_header', '_response_body') as
     $nam) {
     if (is_array($this->$nam)) {
      if (sizeof($this->$nam) > 1) {
       echo "\n\n{$nam}\n";
       print_r($this->$nam);
      }
     } else {
 
      if (!empty($this->$nam)) {
       echo "\n\n{$nam}\n";
       echo $this->$nam;
      }
     }
    }
    $this->tcp_trace(1);
   }
   return (int)$this->_response_code;
  }

  /**
   * AskApache_Net::_build_sock()
   */
  function _build_sock($url)
  {
   $this->msg(__function__ . ':' . __line__, 3);
   $socket_info = &$this->_socket;
   if (!$u_bits = parse_url($url)) return false;
   if (empty($u_bits['method'])) $u_bits['method'] = 'GET';
   if (empty($u_bits['protocol'])) $u_bits['protocol'] = '1.0';
   if (empty($u_bits['host'])) $u_bits['host'] = $_SERVER['HTTP_HOST'];
   if (empty($u_bits['scheme'])) $u_bits['scheme'] = 'http';
   if (empty($u_bits['port'])) $u_bits['port'] = $_SERVER['SERVER_PORT'];
   $u_bits['path'] = (empty($u_bits['path']) ? '/' : $u_bits['path']) . (!empty($u_bits['query']) ?
    '?' . $u_bits['query'] : '');
   if (empty($u_bits['ua'])) $u_bits['ua'] =
     'Mozilla/5.0 (compatible; AskApache_Net/1.0; http://www.askapache.com)';
   if (empty($u_bits['referer'])) $u_bits['referer'] = 'http://www.askapache.com';
   if (empty($u_bits['fragment'])) unset($u_bits['fragment']);
   if (empty($u_bits['user'])) unset($u_bits['user']);
   if (empty($u_bits['pass'])) unset($u_bits['pass']);
   if ($u_bits['scheme'] == 'https' || $this->_socket['scheme'] == 'https') $u_bits['transport'] =
     'ssl://';
   if ($u_bits['scheme'] == 'https' || $this->_socket['scheme'] == 'https') $u_bits['port'] =
     '443';
   $socket_info = $this->_parse_args($u_bits, $socket_info);
   extract($socket_info, EXTR_SKIP);
   return true;
  }

  /**
   * AskApache_Net::_build_auth_header()
   */
  function _build_auth_header()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if ($this->authtype == 'Basic') $this->_request_headers[] = 'Authorization: Basic ' .
     base64_encode($this->_socket['user'] . ":" . $this->_socket['pass']);
   elseif ($this->authtype == 'Digest') {
    $this->msg(__function__ . ':' . __line__, 3);
    $this->_socket['protocol'] = '1.1';
    $hdr = $mtx = array();
    preg_match_all('/(\w+)=(?:"([^"]+)"|([^\s,]+))/', $this->_dh, $mtx, PREG_SET_ORDER);
    foreach ($mtx as $m) $hdr[$m[1]] = $m[2] ? $m[2] : $m[3];
    foreach ($hdr as $key => $val)
     if (array_key_exists($key, $this->_digest) && !empty($val)) $this->_digest[$key] = $val;
    $this->_digest['uri'] = $this->_socket['path'];
    $this->_digest['A1'] = md5($this->_socket['user'] . ':' . $this->_digest['realm'] .
     ':' . $this->_socket['pass']);
    $this->_digest['A2'] = md5($this->_socket['method'] . ':' . $this->_socket['path']);
    $this->_digest['response'] = md5($this->_digest['A1'] . ':' . $this->_digest['nonce'] .
     ':' . $this->_digest['nc'] . ':' . $this->_digest['cnonce'] . ':' . $this->_digest['qop'] .
     ':' . $this->_digest['A2']);
    $this->_request_headers[] = sprintf('Authorization: Digest username="%1$s", realm="%2$s", nonce="%3$s",'.
     'uri="%4$s", algorithm=%5$s, response="%6$s", qop="%7$s", nc="%8$s"%9$s%10$s',
     $this->_socket['user'], $this->_digest['realm'], $this->_digest['nonce'], $this->
     _digest['uri'], $this->_digest['algorithm'], $this->_digest['response'], $this->
     _digest['qop'], $this->_digest['nc'], !empty($this->_digest['cnonce']) ? ', cnonce="' .
     $this->_digest['cnonce'] . '"' : '', !empty($this->_digest['opaque']) ? ', opaque="' .
     $this->_digest['opaque'] . '"' : '');
   }
   return true;
  }

  /**
   * AskApache_Net::_build_request()
   */
  function _build_request()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   $this->_request_headers[] = $this->_socket['method'] . " " . $this->_socket['path'] .
    " HTTP/" . $this->_socket['protocol'];
   if (is_array($this->my_headers) && sizeof($this->my_headers) > 0) $this->
     _request_headers = array_merge($this->_request_headers, $this->my_headers);
   else {
    $this->_request_headers[] = "Host: " . $this->_socket['host'];
    $this->_request_headers[] = "User-Agent: " . $this->_socket['ua'];
    $this->_request_headers[] = 'Accept: application/xhtml+xml,text/html;q=0.9,*/*;q=0.5';
    $this->_request_headers[] = 'Accept-Language: en-us,en;q=0.5';
    $this->_request_headers[] = 'Accept-Encoding: none';
    $this->_request_headers[] = 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7';
    $this->_request_headers[] = 'Referer: ' . $this->_socket['referer'];
   }
   if (!empty($this->_socket['user']) && !empty($this->_socket['pass'])) $this->
     _build_auth_header();
   if ($this->out_payload !== false) $this->_request_body = $this->out_payload;
   else  $this->_request_body = join($this->_ACLF, $this->_request_headers) . $this->
     _ACLF . $this->_ACLF;
   return true;
  }

  /**
   * AskApache_Net::_tx()
   */
  function _tx()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   return (bool)(is_resource($this->_fp) && $this->_netwrite($this->_fp, $this->
    _request_body));
  }

  /**
   * AskApache_Net::_rx()
   */
  function _rx()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if (!is_resource($this->_fp)) return false;
   $this->_response = $this->_netread($this->_fp, 500000);
   $parts = explode($this->_ACLF . $this->_ACLF, ltrim($this->_response), 2);
   $this->_response_header = trim($parts[0]);
   $this->_response_body = trim($parts[1]);
   if (preg_match('#([^/]*)/([\d\.]+) ([\d]*?) (.*)#', $this->_response_header, $htx)) {
    $this->_response_protocol = trim($htx[1]);
    $this->_response_version = trim($htx[2]);
    $this->_response_code = trim($htx[3]);
    $this->_response_message = trim($htx[4]);
   }
   if (preg_match_all('#([^:]+)\:?(.*)#', str_replace($htx, '', $this->_response_header),
    $mtx, PREG_SET_ORDER)) {
    foreach ($mtx as $m) {
     $this->_headers[strtolower(trim($m[1]))] = trim($m[2]);
     if (preg_match('/(WWW|Proxy)-Authenticate:.*Digest/i', trim($m[1]))) $this->_dh =
       trim($m[1]);
    }
   }
   return true;
  }

  /**
   * AskApache_Net::tcp_trace()
   */
  function tcp_trace($p = false)
  {
   $this->_timer(__function__ );
   $ret = join("\n", array_merge((array )$this->_request_headers, array(''), (array )$this->
    _response_headers));
   if ($p !== false) {
    echo $ret;
    $ret = true;
   }
   $this->_timer(__function__ );
   return $ret;
  }

  /**
   * AskApache_Net::_get_ip()
   */
  function _get_ip($host)
  {
   $this->msg(__function__ . ':' . __line__, 3);
 
   if (!preg_match('/^[\t ]*[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[\t ]*$/', $host)) $hostip =
     gethostbyname($host);
   $ip = ($hostip == $host) ? $host : long2ip(ip2long($hostip));
   return $ip;
  }

  /**
   * AskApache_Net::_connect()
   */
  function _connect()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if (false === ($this->_fp = fsockopen($this->_get_ip($this->_socket['host']), $this->
    _socket['port'], $errno, $errstr, $this->timeout)) || !is_resource($this->_fp)) {
    $err = (array_key_exists($errno, $this->_errs)) ? $this->_errs[$errno] :
     'Connection failed';
    return $this->msg(__function__ . ':' . __line__ . " Fsockopen failed! [{$errno}] {$err} ({$errstr})",
     0);
   }
   if (function_exists("socket_set_timeout")) socket_set_timeout($this->_fp, $this->
     timeout);
   elseif (function_exists("stream_set_timeout")) stream_set_timeout($this->_fp, $this->
     timeout);
   usleep(10000);
   return true;
  }

  /**
   * AskApache_Net::_disconnect()
   */
  function _disconnect()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if (is_resource($this->_fp)) return $this->_fclose($this->_fp);
   else  $this->_fp = null;
   return true;
  }

  /**
   * AskApache_Net::get_response_headers()
   */
  function get_response_headers($header = false)
  {
   $this->msg(__function__ . ':' . __line__, 3);
   if ($header !== false && array_key_exists($header, $this->_response_headers)) return $this->
     _response_headers[$header];
   return $this->_response_headers;
  }

  /**
   * AskApache_Net::get_response_body()
   */
  function get_response_body()
  {
   $this->msg(__function__ . ':' . __line__, 3);
   return $this->_response_body;
  }

  /**
   * AskApache_Net::_netread()
   */
  function _netread(&$fh, $ts = 50000000, $bs = 124)
  {
   $this->_timer(__function__ );
   for ($d = $b = '', $rt = $at = $r = 0; ($fh !== false && !feof($fh) && $b !== false &&
    $at < 50000000 && $rt < $ts); $r = $ts - $rt, $bs = (($bs > $r) ? $r : $bs), $this->
    _timer("R: {$rt}"), $b = fread($fh, $bs), $br = strlen($b), $d .= $b, $this->_timer("R: {$rt}"),
    $rt += $br, $at++, $this->msg("[RT: {$rt}]\t[BR: {$br}" . (($ts != 50000000) ? "]\t\t [{$r} / {$ts}]" :
    " : {$bs}]\t[{$at}]"))) ;
   $this->_timer(__function__ );
   return ((strlen($d) != 0)) ? $d : false;
  }

  /**
   * AskApache_Net::_netwrite()
   */
  function _netwrite(&$fh, $d = '', $bs = 512)
  {
   $this->_timer(__function__ );
 
   for ($bw = $wt = $at = 0, $dat = '', $ts = strlen($d); ($fh !== false && $bw !== false &&
    $at < 50000000 && $wt < $ts); $r = $ts - $wt, $bs = (($bs > $r) ? $r : $bs), $dat =
    substr($d, $wt, $bs), $bw = fwrite($fh, $dat), $wt += $bw, $this->msg("[WT: {$wt}]\t[BW: {$bw}]\t\t[I: {$r} / {$ts}:{$bs}] - {$at}"),
    $at++) ;
   $this->msg("[WT: {$wt}]\t[BW: {$bw}]\t\t[I: {$r} / {$ts}:{$bs}] - {$at}");
   $this->_timer(__function__ );
   return ($wt == $ts) ? true : false;
  }
 }
endif;
?>

So I decided to finally give in to what I’ve been avoiding all along and added a php-software-based method that will work on everycomputer, windows, blackberrys, etc.. That took me about 15minutes as its just a few lines of code.. The problem I have with it is that php is what is actually controlling the sending, receiving, and verifying of the authentication headers instead of using the builtin super-secure apache method.

Here’s how you would block someone using the apache/askapache way:

[Exploit Request] => ([BLOCKED]-AskApache)

This prevents the exploit from even reaching PHP, saving your computer a lot of CPU/memory and bandwdith, and obviously can’t exploit wordpress if php isn’t even loading.

Here’s how the php-software-based method blocks the same request:

[Exploit Request] => (AskApache) => (PHP) => (WordPress) => ([BLOCKED]-askapache-password-protect.php)

So the last bit of programming and research I’m doing at the moment is how to cause the askapache-password-protect plugin to execute as soon as possible, ideally it would execute before WordPress starts.. And I am still crazy swamped at work, this was the longest non-posting period of the blog to date!

Password Protection Plugin Status originally appeared on AskApache.

.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

AskApache — Sat, 22 Nov 2008 14:18:12 +0000

Well what can I say, other than this is sooo DOPE! Here is a list of the modules this plugin (version 4.7 unreleased) will automatically detect. I compiled the list myself using every module included with any default Apache installation for ALL the versions listed below, 1.3 to 2.2+

Want to know something else I’m including in this plugin? For each and every module that is detected, this plugin can then detect ALL of the modules .htaccess Directives! For instance, RewriteRule, AccessFileName, AddHandler, etc.. are each a directive belonging to a module that is allowed to be used from within .htaccess files.

Talk about sick.. these tricks have the diamond disease!

Screenshot Unreleased 4.7

I’ve been making a lot of progress as these screenshots illustrate, including the ability to detect 100% accurately the modules that are enabled on your server. Big deal! you might say… “How does knowing the modules help?”

Well it just so happens that in addition to detecting which modules are loaded on your server, this plugin will also detect which Directives are enabled for each module that are allowed to be used from within your .htaccess file! Future release will provide the ability to explore the different .htaccess directives allowed by your server, so you can do all sorts of cool Apache .htaccess tricks to secure your blog and make it run better.

Apache Module Detection

Future releases of this plugin will also let you search for non-default modules, wild, beta, and others.

mod_access
mod_actions
mod_alias
mod_asis
mod_auth
mod_auth_anon
mod_auth_basic
mod_auth_dbm
mod_auth_digest
mod_auth_ldap
mod_authn_alias
mod_authn_anon
mod_authn_dbd
mod_authn_dbm
mod_authn_default
mod_authn_file
mod_authnz_ldap
mod_authz_dbm
mod_authz_default
mod_authz_groupfile
mod_authz_host
mod_authz_owner
mod_authz_user
mod_autoindex
mod_bucketeer
mod_cache
mod_case_filter
mod_case_filter_in
mod_cern_meta
mod_cgi
mod_cgid
mod_charset_lite
mod_dav
mod_dav_fs
mod_dav_lock
mod_dbd
mod_deflate
mod_dir
mod_disk_cache
mod_dumpio
mod_echo
mod_env
mod_example
mod_expires
mod_ext_filter
mod_file_cache
mod_filter
mod_headers
mod_ident
mod_imagemap
mod_imap
mod_include
mod_info
mod_isapi
mod_log_config
mod_log_forensic
mod_logio
mod_mem_cache
mod_mime
mod_mime_magic
mod_mycore
mod_negotiation
mod_netware
mod_nw_ssl
mod_optional_fn_export
mod_optional_fn_import
mod_optional_hook_export
mod_optional_hook_import
mod_proxy
mod_proxy_ajp
mod_proxy_balancer
mod_proxy_connect
mod_proxy_ftp
mod_proxy_http
mod_rewrite
mod_security
mod_setenvif
mod_so
mod_speling
mod_ssl
mod_status
mod_substitute
mod_suexec
mod_test
mod_unique_id
mod_userdir
mod_usertrack
mod_version
mod_vhost_alias
mod_win32

The original plugin page and description can be found here.

UPDATE: 11/22/08

To make a long story short, I downloaded each major release of the apache httpd source code from version 1.3.0 to version 2.2.10, then I configured and compiled each for a custom HTTPD installation built from source. This allowed me to find every directive allowed in .htaccess files for each particular version. YES!

http://wordpress.org/support/rss/topic/214390
I’ve been working on a completely improved version on/off for about a month with the specific goal of finally ending all the little errors that can crop up when dealing with .htaccess.

To that effect I am succeeding marvelously, first I’ve converted the plugin to a class (4+5 compat), I’ve replaced my error_handling with WordPress’s WP_Error class, and the coolest change is the new tests I’ve added.

To make a long story short, I downloaded each major release of the apache httpd source code starting at version 1.3.0 and finishing with version 2.2.10, I then compiled each version and built a HTTPD from source for all the apache versions.

1.3.0, 1.3.1, 1.3.11, 1.3.12, 1.3.14, 1.3.17, 1.3.19, 1.3.2, 1.3.20, 1.3.22, 1.3.23, 1.3.24, 1.3.27, 1.3.28, 1.3.29, 1.3.3, 1.3.31, 1.3.32, 1.3.33, 1.3.34, 1.3.35, 1.3.36, 1.3.37, 1.3.39, 1.3.4, 1.3.41, 1.3.6, 1.3.9, 2.0.35, 2.0.36, 2.0.39, 2.0.40, 2.0.42, 2.0.43, 2.0.44, 2.0.45, 2.0.46, 2.0.47, 2.0.48, 2.0.49, 2.0.50, 2.0.51, 2.0.52, 2.0.53, 2.0.54, 2.0.55, 2.0.58, 2.0.59, 2.0.61, 2.0.63, 2.1.3-beta, 2.1.6-alpha, 2.1.7-beta, 2.1.8-beta, 2.1.9-beta, 2.2.0, 2.2.10, 2.2.2, 2.2.3, 2.2.4, 2.2.6, 2.2.8, 2.2.9

Then I went through each version and determined the compatible modules for that version, and I’m pretty confident that I was also able to find each and every directive allowed by the compatible modules for that version (including core directives). See .htaccess directive list.

Basically I can now test a server using a variety of methods and determine almost 100% accurately what version of Apache (down to the API) is running, what modules (and versions) are enabled, and each and every directive that is allowed or disallowed for that version.

So this is so awesome because now we can enable all sorts of additional security features.

Other big changes are:

Completely hands-off updates, so that updating the plugin keeps all your settings.

making each SID module have its own configuration and options (like protecting individual files, individual request, and custom exploit strings).

Advanced ErrorDocument usage and handling (like tracking repeat offenders and suggesting they be blocked, emailing admin with custom info, etc..)

Multi User/Group password Control

And this time I am developing the plugin using a plethora of wordpress installations and configurations, to make sure that it will work regardless of a custom siteurl, blogid, etc..

Release will come before 2009.. I have some vacations to take and business to finish first.

.htaccess Security Modules

Directory Protection

Enable the DirectoryIndex Protection, preventing directory index listings and defaulting. [Disable]

Options -Indexes
DirectoryIndex index.html index.php /index.php

Password Protect wp-login.php

Requires a valid user/pass to access the login page - *** Safe, Use [401]


Order Deny,Allow
Deny from All
Satisfy Any
 
AuthName "Protected By AskApache"
AuthUserFile /home/askapache.com/.htpasswda1
AuthType Basic
Require valid-user

Password Protect wp-admin

Requires a valid user/pass to access any non-static (css, js, images) file in this directory. - *** Safe, Use [401]

Options -ExecCGI -Indexes +FollowSymLinks -Includes
DirectoryIndex index.php /index.php
 
Order Deny,Allow
 
Deny from All
Satisfy Any
 
AuthName "Protected By AskApache"
AuthUserFile /home/askapache.com/.htpasswda1
AuthType Basic
Require valid-user
 

Allow from All

 


SecFilterEngine Off

Allow from All

Protect wp-content

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [401]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]

Protect wp-includes

Denies any Direct request for files ending in .php with a 403 Forbidden.. May break plugins/themes [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]

Common Exploits

Block common exploit requests with 403 Forbidden. These can help alot, may break some plugins. [403]

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

Stop Hotlinking

Denies any request for static files (images, css, etc) if referrer is not local site or empty. [403]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_REFERER} !^http://www.askapache.com.*$ [NC]
RewriteRule \.(ico|pdf|flv|jpg|jpeg|mp3|mpg|mp4|mov|wav|wmv|png|gif|swf|css|js)$ - [F,NS,L]

Safe Request Methods

Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]

Forbid Proxies

Denies any POST Request using a Proxy Server. Can still access site, but not comment. See Perishable Press [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Real wp-comments-post.php

Denies any POST attempt made to a non-existing wp-comments-post.php - *** Safe, Use [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

HTTP PROTOCOL

Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only - *** Safe, Use [403]

RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]

SPECIFY CHARACTERS

Denies any request for a url containing characters other than “a-zA-Z0-9.+/-?=&” – REALLY helps but may break your site depending on your links. [403]

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

BAD Content Length

Denies any POST request that doesnt have a Content-Length Header - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteCond %{REQUEST_URI} !^/(wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

BAD Content Type

Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data - *** Safe, Use [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

Directory Traversal

Denies Requests containing ../ or ./. which is a directory traversal exploit attempt - *** Safe, Use [403]

PHPSESSID Cookie

Only blocks when a PHPSESSID cookie is sent by the user and it contains characters other than 0-9a-z - *** Safe, Use [403]

NO HOST:

Denies requests that dont contain a HTTP HOST Header. - *** Safe, Use [403]

RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]

Bogus Graphics Exploit

Denies obvious exploit using bogus graphics - *** Safe, Use [403]

RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

No UserAgent, No Post

Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING. [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

No Referer, No Comment

Denies any comment attempt with a blank HTTP_REFERER field, highly indicative of spam. May prevent some visitors from POSTING. [403]

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule .* - [F,NS,L]

Trackback Spam

Denies obvious trackback spam. See Holy Shmoly! [403]

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^.*(opera|mozilla|firefox|msie|safari).*$ [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.+/trackback/?\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

SSL-Only Site

Redirects all non-SSL (https) requests to your https-enabled url [301]

Anti-Spam, Anti-Exploits

Denies Obvious Spam and uses advanced mod_security protection [Read More]

.htaccess Security Module Screenshot

.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog originally appeared on AskApache.

New Version of Password Protection Plugin

AskApache — Tue, 19 Aug 2008 13:08:39 +0000

I added file revisioning support to .htaccess files, so that every time you update or change the .htaccess files it saves the old copy. The next release will provide a DIFF view of the differences. Version 4.7 Almost Done

You can view the plugins home page, or view it on the wordpress.org site.

Also fixed all the bugs I was notified about or found, and provided the option to bypass some of the testing if you know your server supports something.

I have to get back to my real job now :) but for the next release I’m going to add a whole user-management area to add and remove users and groups from .htpasswd files.

Then it will be ready to start using the advanced SID’s like mod_security..

ScreenShots

New Version of Password Protection Plugin originally appeared on AskApache.

SEO Boost from Google 404 Plugin

AskApache — Tue, 01 Jul 2008 15:11:16 +0000

Demo | Download | Installation | FAQ | Screenshots / Video

AskApache Google 404 is a must-have WordPress plugin that uses some ajax and a couple tricks to display a very helpful and SEO Error Page. The default displays Google Search Results for images, news, blogs, videos, web, custom search engine, and your own site.

Updated: 01/26/2008
Install Time: 10 seconds to 5 minutes
Install Difficulty: Super Easy

Demo 404 Error Page

Click Image

Heads Up: I’ve been thinking about ways to improve this plugin for awhile now, and I’m going to be releasing an upgrade in the coming weeks! Any specific feature requests let me know~

Downloads

askapache-google-404

404.php Installation

Upload zip/tar.gz file to the /wp-content/plugins/ directory and unzip.
Activate the plugin through the ‘Plugins’ menu in WordPress.
Go to your Options Panel and open the “AA Google 404″ submenu. /wp-admin/options-general.php?page=askapache-google-404.php
Enter in your Google Search API Key and hit the “Update Key” Button. (Get One)
Add the code to your 404.php template page by including in your main content area.

Frequently Asked Questions

Do I need a Google Account?

Yes.

Do I need a 404.php template file?

Only if you want to use this for your error page.

My 404.php page isn’t being served for 404 Not Found errors!?

Add ErrorDocument 404 /index.php?error=404 to your .htaccess file.

What is a Google API Key?

How do I get a Google API Key?

Google 404 Screenshots

Loading Video… [dl]

Plugin Configuration Panel

Search Entire Web

Search Blogs

Search Custom Search Engines

Search Images

Search Online Videos

More Info from Google

SEO Boost from Google 404 Plugin originally appeared on AskApache.

Crazy Cache WordPress Plugin Released

AskApache — Tue, 01 Apr 2008 05:25:23 +0000

Isn’t WP-Cache an incredibly useful plugin? If I was only allowed to have one plugin for my WordPress blogs, hands-down I’d choose WP-Cache.

AskApache Crazy Cache lets you cache all the posts on your blog at once.

I’ve used some advanced features of libcurl and fsockopen to make sure that this caching action doesn’t overwhelm your server or result in redundant requests. That could slow down your blog, which I would never, ever, allow, I am very interested in this stuff.. speedy sites that is.

I always wanted the ability to cache all my posts on my blog whenever I wanted, and WP-Cache doesn’t let you do that. So a few months ago I hacked together this kick-butt plugin to do exactly that.

ScreenShot

Installation

This plugin is one of those idiot-proof installations, nuff said.

Download

askapache-crazy-cache at wordpress.org

Want More Speed?

I love you guys and girls who want a faster Internet, we rock. So check these out.

Crazy Cache WordPress Plugin Released originally appeared on AskApache.

AskApache Password Protection, For WordPress

AskApache — Sat, 29 Mar 2008 13:02:57 +0000

Description | Download | Installation | FAQ | Screenshots

AskApache Password Protect adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. plugins as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing exploit-serving virii. Forget spam, these millions of zombie bots are too outrageous to ignore, they are attempting known (but strangely outdated) exploits looking for known vulnerabilities against blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim to this type of video-game-like-attack.

Of course this would never be able to stop real hacker intent on taking over your blog, if you are connected to the net on a public line, of course you coun’t stop them. The people who are attacking the blogosphere are for the most part just playing. They “hack” code that “exploits” a “vulnerabiliity” in some open-source software like phpBB or WordPress. Those people actually help the community of open source software like WordPress by finding security issues and bringing them to light.. So who is this plugin built to stop? It’s built to stop the people who are trying all the time to maliciously crack into YOUR average blog. Why would someone want to hack an AVERAGE blog like mine or yours? Well the answer is that its not an actual group, entity, or person who is going to try hacking into your blog. Its an army of robots.. and they will never stop the attack.

So how do these robots attack us? What is their ammo? Their ammo is very specific knowledge of exploiting security holes in very specific software to “crack” your blog. Vulnerabilities are discovered all the time, mostly small ones, but those vulnerabiilties that are dangerous to those of us running WordPress 2.5 are LETHAL to those of us running 2.1.. just absolutely deadly. So These robots are programmed to do one thing and one thing only, try the exact same exploit that would work against 2.3 against every computer on the internet, as fast as they can and as anonymously as they can.. terrorizing the networks with these non-stop requests and slowing down the whole internet, which hopefully will start getting faster as more people use this plugin. Robots have no choice but to leave my servers alone. They understand what a 403 Forbidden means, to them it means take me off your list, the exploit I’m carrying is not compatible. But once again, this will not stop a hacker, this will stop 99.9% of the same bots that “hacked” 99.9% of the blogs.

Description

This Plugin will make alot of the bots out there stop coming back, and I have found this exact type of security setup to be a great insurance policy against these types of brainless zombie bots. A few years ago I had implemented this password protection on a forum I was the security admin for, and it didn’t seem like a big improvement to very many people. The forum software we were running was phpbb, and during that Christmas break we weren’t even thinking about the forums. When we got back though the whole place was in an uproar. Some kid sent out a million of these zombie robots with a single payload- an exploit that he knew would successfully penetrate the forum’s defenses. It did.

It was like a tidal wave across the world, thats how many of these phpBB forums were hit. Thankfully all the kid did was copy the entire forum into a kind of book format, and sell it on ebay. Anyway so we looked at the logs for our server and forum, and we saw he had tried the exact same thing against us… and he did have our forum software defenses beat… You see he had his target all scoped out and meticulously researched, a nice fat range of forums needing an upgrade.. As long as they could get to the inner door (admin login) they could knock it down in seconds and own the whole thing.

Everything about the attack on our server was incredibly smooth and fast, hacked past the user login and then flew straight towards the admininstrator login… then, out of nowhere they got b**slapped because they ran full-speed into a wall that seemingly came out of nowhere, and thats exactly the same thing that you will have after installing this plugin. Its like being surrounded by a smal army, a sniper can still get you, but you can forget about the ground troops (zombies ech)

If you are worried about your WordPress blog getting hacked, this can help immensely. It adds a 2nd layer of security to your blog by requiring a username and password to access anything in the /wp-admin/ folder.

The plugin is simple, you just choose a username and password and you are done. It writes the .htaccess file, without messing it up. It also encrypts your password and creates the .htpasswd file, as well as setting the correct security-enhanced file permissions on both.

This plugin automatically picks all the right settings for where to save the .htpasswd and .htaccess files, but you can easily change those settings to anything you want. You can change it whenever you want right from your WordPress Admin Panel.

Screenshots

Downloads

Download the AskApache Password Protection Plugin

Installation

Upload aa-password-protect.zip to the /wp-content/plugins/ directory
Unzip
Activate
Setup

Frequently Asked Questions

Do I have to type in my username and password every admin page?

No. You just have to type it in once and it will keep you logged in until you close your browser.

How Secure Is It

In Basic HTTP Authentication, the password is passed over the network not encrypted but not as plain text — it is “uuencoded.” Anyone watching packet traffic on the network will not see the password in the clear, but the password will be easily decoded by anyone who happens to catch the right network packet.

WordPress Codex Security Articles

Limiting access: Making smart choices that effectively lower the possible entry points available to a malicious person.

Containment: If a weak point in your installation is found by a malicious person, your system should be configured to minimize the amount of damage that can be done once inside your system.

Knowledge: Keeping backups, knowing the state of your WordPress installation at regular time intervals, documenting your modifications all help you understand your WordPress installation.

AskApache Password Protection, For WordPress originally appeared on AskApache.

Update: AskApache Password Protect Plugin

AskApache — Thu, 07 Feb 2008 14:51:29 +0000

Note: A lot of updates to this plugin are in the works, so this plugin should be considered BETA… than them.

Adding .htaccess based HTTP Basic Authentication to your WordPress blog is such a smart thing to do and I’m trying to help make it easier for you. Mainly because it stops alot of automated hacking attempts and exploits from ever being attempted, thus cutting down on the number of requests, connections, and mysql queries for all WordPress blogs on the Internet.

Upgrading Instructions
Just download and extract the new plugin file to wp-content/plugins/askapache-password-protect/ and activate it. It automatically deactivates and deletes previous versions.

New Features

Well, this is BETA for now, meaning it works but there are a lot of cool features I just didn’t have time to include in this release. A lot of people were experiencing problems with the older version.

TONS of error checking and compatibility checks. This plugin WONT break your server.
Tests your servers ability to use .htaccess/.htpasswd files by setting them up in a temporary spot first and checking them. (ssl/https enabled)
Determines which .htpasswd Encryption Algorithms that your server supports by testing each one.
Provides all 4 htpasswd encryption formats that Apache explains
Uses php to generate the encrypted hashes for all 4 encryption formats using portable code. Even has the apache-specific MD5!
Allows you to specify and change the AuthName / Realm
I made this upgrade fool-proof, just the way I like it.

Download New AskApache PassPro

Now hosted by WordPress.org

Current AskApache Password Protection: download | description

Whats Looks Like

Install Problems
Known solutions to all the issues are in the works so prepare for the next release. In the meantime, the problem occurs because this version tries to save the encrypted htpasswd file ABOVE your document_root, obviously this isn’t working very well for most wordpress users.

Update: AskApache Password Protect Plugin originally appeared on AskApache.

AskApache » WordPress Plugins

Advanced WordPress wp-config.php Tweaks

wp-config.php

ASKAPACHE_ROOT

ASKAPACHE_LOCK

Debugging WordPress

Ultimate Security Tweaks

Security KEYS

Using SSL for Admin and Login

Mod_Rewrite to Force SSL

File System Permissions

Cookies!

WPMU Stuff

WordPress Database

$table_prefix

Setup PHP Ini Settings

Sessions are slow

Include Custom Files

Some Useful PHP

Debugging Note

An AskApache Plugin Upgrade to Rule them All

The Strategy

AskApache Google 404 Upgrade

AskApache Password Protection

The Upgrades Begin

Debugging HTTP protocol

.htaccess Directives

AskApache Debug Viewer Plugin for WordPress

Screenshots and Debug Output

PHP Debugging Functions

get_debug_functions

get_debug_permissions

get_debug_defined

get_debug_inis

get_debug_phpinfo

PHP License

Configuration

PHP Version (.*?)

PHP Configuration

', strip_tags($oa, '

')); unset($sections[0]); $oa = array(); foreach ($sections as $section) { $n = substr($section, 0, strpos($section, '

get_debug_included

get_debug_classes

get_debug_globals

get_debug_loaded_extensions

Password Protection Plugin Status

File Permissions!

Process Owner vs. File Owner

wp-admin/includes/file.php

Enumerating Permissions can be Annoying

Fsockopen Payload Class

.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

Screenshot Unreleased 4.7

UPDATE: 11/22/08

.htaccess Security Modules

.htaccess Security Module Screenshot

New Version of Password Protection Plugin

ScreenShots

SEO Boost from Google 404 Plugin

Demo 404 Error Page

Downloads

Frequently Asked Questions

Google 404 Screenshots

More Info from Google

Crazy Cache WordPress Plugin Released

ScreenShot

Installation

Download

Want More Speed?

AskApache Password Protection, For WordPress

Description

Screenshots

Downloads

Installation

Frequently Asked Questions

Do I have to type in my username and password every admin page?

How Secure Is It

WordPress Codex Security Articles

Update: AskApache Password Protect Plugin

New Features

`wp-admin/includes/file.php`