Categories
Hosting Technology

Fancy Hosting Your Website From Your Mobile Phone? Here’s How…

How would you like to host your websites from your mobile phones or tablets? Preposterous? No, actually, it is quite doable and in very few steps too.

In this example, we will be setting up a WordPress website/blog on an android device.

PS: Your Android device does not have to be rooted to carry out these tasks.

Quick Steps

  • You will need a PC to work from to make the setup process easier.
  • Your android phone and the PC must be connected to the same WiFi – same LAN.  (Note that the WiFi need not be Internet enabled.)
  • However, you will need to find a way to download and install the trial version of Servers Ultimate to your Phone from Google Play Store. There is a Pro version you can buy if you decide you like the app. You will also need to download and install Servers Ultimate Packs A to E from the same link.

Create the Servers

  • Go to WordPress.org and download the WordPress web software to your PC. Extract the archived files to a single folder on your PC. Copy this folder, preferably, to the root of your device's SD card.
  • Start the Servers Ultimate app on your device and click on the “+” sign on the top right of your screen.
  • Select “MySQL server”.
  • Give the server a name and save it. I named mine “wp_mysql” (without the quotes, of course).
  • Again, click on the “+” sign on the top right of your screen.
  • Select “PHP and Lighttpd Server”.
  • Give the server a name. I named mine WordPress. Do not exit the screen just yet!

Configure the services

  • Select the next tab labelled “Specific”
  • Look under “Servers”, ensure the options “Enable Lighttpd Server” and “Enable PHP Server” are checked.
  • Scroll down and look under “Document Root”. Browse to the WordPress folder on your phone and select it.
  • Under “Server Tag”, you may enable all the options, especially “Enable PHPMyadmin”
  • Now press save. The screen will exit.
  • From the Server Ultimate default screen, click the start icon to start the two servers, “WordPress” and “wp_mysql”
  • Now right-click on the server labelled WordPress. From the context menu, select Information. Note the IP address that has been assigned to it. It will be in the form http://192.168.xxx.xxx:8082/

Create Database

  • Go to the following URL http://192.168.xxx.xxx:8082/phpmyadmin/
  • Log in with the following credentials: the username is “root”; leave the password blank.
  • Click on the “Databases” at the top left of the screen
  • Enter “wordpress_db” in the Create Database field and tap Create

Final Installation

  • Type the following URL in your browser to start the WordPress installation; http://192.168.xxx.xxx:8082/wp-admin/install.php
  • When prompted fill in wordpress_db in the Database Name field
  • Fill in root in the User Name field
  • Leave the password field blank
  • On the Welcome Page, fill in the details requested for, then click Install WordPress. On completion, you will be taken to the admin page of your website.
  • To view the front end, type the IP address 192.168.xxx.xxx into your browser.

As it is, you can only view your site from within your LAN. In the next part of this post, we will go through the steps for accessing your new site from anywhere on the Internet.

Categories
Gadgets

Western Digital EX2 Network Attached Storage – A Review

My plan was to pick up the 4-bay option of Western Digital’s (WD) Network Attached Storage (NAS), the EX4. With this option, I would have a storage device that can accommodate 4 hard disk drives. However, budget considerations made me settle for the 2-bay option, the EX2.

What Is Network Attached Storage (NAS)?

A NAS is usually a compact enclosure fitted with multiple hard drives. But unlike your regular external hard drive, a NAS has the following additional features:

  1. Generally, such devices can be controlled via a web interface, like your router, giving you a centralized dashboard to monitor your storage (health, shares, usage, etc.). This web interface masks the powerful Linux operating system that the NAS rides on.
  2. The NAS is connected to a Wired or Wireless network, making the hard drives accessible to all devices (Computers, Tablets, Smartphones) on the network.
  3. You have an option to limit access to the NAS to your local network or you can access it over the Internet. Think of your own personal dropbox.
  4. You can then access the files using a variety of different applications and even run different bits of software on the NAS itself, such as media-server solutions for streaming media (Music, Video or pictures) to the different devices on your network and BitTorrent clients for downloading directly on the device. Many types of back-up software can back up directly to the network storage.
  5. Most have a bunch of one-click installable apps (WordPress, Joomla, Dropbox, etc) that can transform your NAS to your website host.
  6. For small businesses, it can serve as a central storage for your files and allows for collaboration. You could also set up your company Intranet on it.
  7. They have slots for multiple hard drives; 3.5″, 2.5″ or both.

Why Western Digital EX2?

What differentiates one NAS from the other include the following;

  1. Ease of use. As this device is targeted at the home and small business audience who have limited technology skills, effort is put into making these devices as easy and intuitive as possible to use, particularly the embedded operating system.
  2. Quality of the Hardware
  3. Cost
  4. Availability of third party apps

The WD EX2 excels in (almost) all of these. But I must quickly note that, at the moment, third party apps for this device are very, very few.

I picked up the diskless variant from Amazon for about $160 and it arrived within 3 days. It is a 2-bay NAS and it allows a maximum of 2 drives in its enclosure. As of June 2015, current firmware supports a maximum capacity of 6TB for a single drive for this NAS, making a maximum of 12TB for the 2 bays in its enclosure. However, I picked up a single 4TB drive for about $160, hoping to pick up another as soon as the drive fills up.

Please note that while your regular computer hard drives will work in your NAS, there are drives that are specially built to work with them because of their peculiarities. Western Digital calls theirs WD Red. Hard disks stacked close to each other in a NAS will be subject to more heat and vibration as they chug away than they would in a desktop tower, so the Red series have hardware-based vibration compensation technology to improve long-term reliability when used in arrays of between two and eight drives. They are usually a bit (just a bit) more expensive than your regular drives.

So What Happens To My Old External Drives?

Good news! While you are limited in the number of drives that you can fit into the enclosure of your NAS, whether you choose the 2- or 4-bay option, the WD NAS comes with 2 USB 3.0 ports. You can easily connect your old drives to these ports directly or, if you have multiple hard drives or flash drives, via a (preferably powered) hub.

Basically,

  1. You will be extending the capacity of the NAS: you can easily add additional GB/TB to its capacity.
  2. Easily take backups of the drives in the enclosure.

Categories
Hosting Tutorials

How To Move Your Blog To A New Hosting Company

So you finally decided to move your WordPress blog or site to arthurwales.net but you have no clue how to go about it. Or maybe you do, but you find all this database thingy a bit tricky. And perhaps that has been the only reason you have stayed with your present hosting company even though their service sucks.

These scenarios sound familiar to anyone?

It is funny how easy the process of moving hosts is, no thanks to the “geeks” that paint the whole process as nightmarish, using “geek speak” to describe processes that can be explained in simple (Nigerian) English!

The procedure may differ slightly depending on the control panel you are using. cPanel is probably one of the most common and the easiest to work with; however, the underlying principles are the same for all control panels. At arthurwales.net, we have successfully migrated websites even from open source control panels like Virtualmin and ISPConfig.

For this purpose, we would assume you are using cPanel.

Here goes …

  1. Subscribe for a hosting account with arthurwales.net.
  2. On subscription, a mail will be sent to you titled NEW ACCOUNT INFORMATION which will contain your server account details and the login information. Also contained in this mail are two important URLS in the form  http://174.122.148.***:2082/ (Temporary Control Panel URL) and  http://174.122.148.***/~rztiartt/ (Temporary Webpage URL)
  3. Log into your cPanel Using your Temporary Control Panel URL and use Fantastico or QuickInstall to install WordPress. Perform all necessary updates.
  4. Create a backup of your website and download to your PC. Do this by logging into your old cpanel – under FILES, click BACKUPS. Under Full backup, click “Download or Generate a Full Website Backup”. Save file to your Home Directory, then copy to your PC.
  5. The backup file is usually in a compressed format. Use an application like WinZip or WinRAR to extract the content to a folder on your PC. We will call this extracted folder the “BACKUP” folder.
  6. In the BACKUP folder, look for a file with “BIZ_DIR” extension. It is usually the largest file. Change the extension of this file to “ZIP” and extract to a folder on your desktop.
  7. Navigate to the folder “public_html”.
  8. Select and Upload the entire WP-Content folder from your old host and overwrite same in the public_html folder of your account with your new host – arthurwales.net.
  9. Go into your new hosting control panel and find out how to get into phpmyadmin. Once you are in phpmyadmin click on your database name on the left.
  10. Click on the “Import” tab on the top of the screen.
  11. Under “File to Import”, browse to the BACKUP folder and look for a compressed file in the format domainname_mysql_domainname. Select it. This is your mysql backup. Click the “Go” button at the bottom of the page. With this, you have successfully imported the database from your old blog.
  12. Now go to your new blog using your Temporary Webpage URL and it should let you in. Log in with your username and password from your old blog and you are all set; your blog should work the same as it did on your old host.
  13. From your domain registrar admin panel, change your nameservers to that of the new host: ns1.arthurwales.net and ns2.arthurwales.net

Migration of your blog is now completed. Easy ain’t it? This method guarantees NO downtime to your blog.

The tutorial above on moving your website to another host is probably the easiest approach you can ever get. However, if you still find it difficult wrapping your head around it, or you would rather not take the risk of breaking something, please sign up for our premium support on arthurwales.net. It is going for a promotional 50% discount price of N15,000.00. We will take care of all your scary web hosting stuff and much more!

arthurwales.net … “So, why don’t you host with us?”

Categories
Hosting

Ever heard Of The CMS Commander?

If you are like me with “God knows how many” websites to maintain, this great tip will sure come in handy.

Enter the CMS Commander, a website to manage all your CMS websites (WordPress, Drupal, Joomla and phpBB) from a single control panel.

From this website, you get to do the following:

  • Manage all your CMS websites from one location
  • Perform one click plugin updates
  • Perform one click theme updates
  • Plugin installation to any number of websites at the same time
  • Theme installation to any number of websites at the same time
  • Fetch articles from legal sources and post to any number of your websites
  • Post images, videos, or affiliate products to any number of your websites
  • Consolidate your Google Analytics to a single dashboard
  • Schedule and create backups of your WordPress websites

I am more of a WordPress guy and this website does a great job in converging the administrative panels of all my websites.

To use a website inside CMS Commander you need to first install a small plugin to your website. This plugin handles all the communication between your site and cmscommander.com and establishes the secure and encrypted SSL connection. How to install the plugin depends on the CMS of your site. You can find instructions for WordPress sites below:

  • WordPress Websites
    1. Download the CMS Commander plugin for WP to your computer
    2. Log into your WordPress admin panel and navigate to the “Plugins > Add New” page.
    3. Click “Upload” in the tab bar near the top.
    4. Browse and select the CMS Commander plugin file on your hard drive. Click “Install Now” to upload it.

    Alternatively, you can upload the unzipped plugin directly with an FTP program like FileZilla to your site at /wp-content/plugins/cmscommander

This is a must-have for all website administrators.

Categories
Hack Hosting

How To Secure Your WordPress Blog – Part 3

The listed combination of plugins are recommended to make your WordPress blog more secure. The individual plugins may not be the best available, but the combination works very well for your site.

Word of caution here. My recommendations are based on the following assumptions:

– That what you have is a fresh WordPress installation. This would work on an old installation too, but there is a possibility that existing installed security plugins may conflict with some of my recommendations. So, please, proceed with caution.
– These installations are not one-offs. The developers usually release updates to keep abreast of new vulnerabilities. Always ensure that you update these plugins whenever the updates are available.
– Ensure your wordpress installation is updated regularly.
– Especially for old WordPress installations, I would suggest you test these plugins on a test server first before deploying them to your production or live site. A test server could be a subdomain on your main site but, preferably, an entirely different site.

You may direct issues you encounter through my twitter handle @diaryofageek

Backwpup

I consider this plugin as very key and probably the best defense against hack attacks or other forms of misadventures you may have on your blog. A good backup can return you back online within minutes of your site going offline.

Note: This plugin only backs up your blog site. Any other services available on your site, like emails, would not be backed up effectively. I do recommend you use Google Apps free email services for your email. This ensures that your email is always up, no matter what.

Backwpup comes highly recommended not only because it does what it claims to do well, but because you get to enjoy an otherwise premium service for free. This plugin allows you to back up your blog to a local folder, email, a remote FTP site (could be another shared hosting account) or, interestingly, a slew of free (and premium) online cloud services like Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpace Cloud, Dropbox, SugarSync, etc.

The plugin can be scheduled to run backups on a regular basis with no input from you.

Bad Behaviour

Most hack attacks are not personal. These attacks are usually automated: website cracking tools seek out blogs that still have known vulnerabilities that have not been patched.

Bad Behavior runs before your software on each request to your Web site, so if a spam bot does visit, it will receive nothing. When Bad Behavior looks at a request, it determines if the request matches a profile of known malicious or spammy activity, which falls outside the bounds of a normal human browsing the web. If so, the request is blocked.

BulletProof Security

BPS Free covers one very important aspect of website security – secure .htaccess files to block browser based hacking attempts. The best feature of the plugin is that it is designed to be fast, simple and convenient. It helps you to activate .htaccess website security from within your WordPress Blog’s Dashboard.

Login LockDown

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery, especially for the admin account. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

The plugin has not been updated recently but it still does what it was intended to do very well.
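The lockout rule just described (3 failures within 5 minutes from one IP range, then a 1 hour lockout) written out as a sliding-window model so it can be reasoned about and tested offline. This is an added example, not the Login LockDown plugin's own code; modelling an "IP range" as a /24 block is an assumption.

```python
"""Sliding-window lockout of an IP range after repeated failed logins.

Added example, not the Login LockDown plugin's own code: it models the
behaviour the text describes (3 failures within 5 minutes from the same
IP range lock that range out for 1 hour).  The /24 width is an assumption.
"""
import ipaddress
from collections import defaultdict, deque

FAIL_LIMIT = 3            # failed attempts that trigger a lockout
WINDOW_SECONDS = 5 * 60   # attempts must fall within this window
LOCKOUT_SECONDS = 3600    # how long the range stays locked
RANGE_PREFIX = 24         # assumption: "IP range" modelled as a /24 block


def range_key(ip: str) -> str:
    """Collapse an address to its /24 network so neighbours share a lockout."""
    return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of failures
        self.locked_until = {}              # range -> epoch when lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        key = range_key(ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[key]      # lock has expired
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Log a failed attempt; return True if this one triggered a lockout."""
        key = range_key(ip)
        window = self.failures[key]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                # drop attempts outside the window
        if len(window) >= FAIL_LIMIT:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def release(self, ip: str) -> None:
        """Manual release, as the plugin's Options panel allows."""
        self.locked_until.pop(range_key(ip), None)


def replay(events):
    """Run (timestamp, ip, success) events; return attempts refused by a lock."""
    ld = LoginLockdown()
    blocked = []
    for ts, ip, ok in events:
        if ld.is_locked(ip, ts):
            blocked.append((ts, ip))
            continue
        if not ok:
            ld.record_failure(ip, ts)
    return blocked


if __name__ == "__main__":
    # Constructed sample: three failures from one /24, then a neighbour tries.
    sample = [(0, "203.0.113.10", False), (10, "203.0.113.10", False),
              (20, "203.0.113.11", False), (30, "203.0.113.20", True),
              (40, "192.0.2.1", True)]
    print(replay(sample))
```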

TimThumb Vulnerability Scanner

Quite a number of WordPress themes, especially the fancy 3rd party ones, come with a script called TimThumb embedded in them. Unfortunately, hackers have exploited loopholes in this script to bring down a lot of WordPress blogs. You can read more about this here.

The Timthumb Vulnerability Scanner plugin will scan your entire blog for instances of any outdated and insecure version of the timthumb script, and give you the option to automatically upgrade them with a single click. Doing so will protect you from hackers looking to exploit this particular vulnerability.

WordPress File Monitor Plus

In case the undesired happens and someone breaks into your site, they will most likely add files to your site. These extra files can act as backdoors, which can potentially allow hackers to execute files from their own servers. These files can hijack your traffic, place unwanted ads or links on your pages and place malware on your visitors’ computers. This plugin monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
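The added/deleted/changed detection the plugin performs, as an added example that is not the plugin's own code: take a baseline of every file under the install (path to SHA-256), take another later, and diff the two. The mini install and the changes made to it are constructed in a temporary directory.

```python
"""Baseline-and-diff file integrity check for a WordPress install.

Added example, not WordPress File Monitor Plus's own code.  snapshot()
maps every file under a directory to its SHA-256; diff_snapshots()
reports what was added, deleted or changed since an earlier snapshot,
which is the kind of alert the plugin emails.  demo() builds a constructed
mini install, alters it, and returns the diff.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    root_path = Path(root)
    digests = {}
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return digests


def diff_snapshots(old: dict, new: dict) -> dict:
    """Return sorted added/deleted/changed path lists between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed mini install: baseline it, alter it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        wp = Path(root)
        theme = wp / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (wp / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")
        baseline = snapshot(root)

        # Constructed changes of the three kinds the monitor reports:
        uploads = wp / "wp-content" / "uploads"
        uploads.mkdir()
        (uploads / "x.php").write_text("<?php // file not in baseline\n")   # added
        (wp / "index.php").write_text("<?php require 'wp-blog-header.php'; // edited\n")  # changed
        (theme / "functions.php").unlink()                                   # deleted
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```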

While no claims are being made that these plugins would make your site “hack-proof”, it would definitely serve as a deterrent to a would-be opportunist hacker.

This list is by no means exhaustive, suggestions and recommendations are always welcome.

Categories
Hack Hosting

How To Secure Your WordPress Blog – Part 2

Experts believe that the best way to secure your WordPress installation is by writing your own code and not with the use of off-the-shelf code, known as plugins.

While this may be true, not many possess the skills of writing codes for WordPress. Chances are, you may even be barely capable of finding your way round the blogging platform itself.

However, not all these coding techniques require a knowledge of nuclear science to apply to your blog; I would list out some that just about anyone can try on their own.

1. IP ACCESS RESTRICTION

Studies have shown that a high number of malicious hacking attempts originate from a number of Arab countries. So, why leave it open to them? Chances are that your blog was never intended for their consumption anyway.

There are two options to choose from:

Restrict access to your blog to only selected country / countries or deny a number of countries access.

Allowing Access To Your Blog To Selected Countries

– From your Control Panel (cPanel), click on your “File Manager”.
– Ensure “Show Hidden Files (dotfiles).” is ticked. You will be taken directly to your root folder.
– Look for the file called “.htaccess”.
– Right click on this file and select “Edit”
– Open another tab in your browser, navigate to ip2location.com
– Select Nigeria from the list of countries. You may click on more countries to extend access to those countries.
– Under the drop down menu labelled “Output Format”, select “Apache .htaccess allow”
– Click “download” to download a file labelled “cidr”
– Right click on the downloaded file and open with “Wordpad”. DO NOT USE NOTEPAD.
– Copy the content of this file and paste into your .htaccess file, after the last entries there – if any.
– Save and close.
– Now your site can only be accessed from Nigeria or whatever countries you selected.

NOTE: If you do not see a .htaccess file in your root folder, first confirm that you enabled “Show Hidden Files (dotfiles).” in your file manager. If you did, then you would have to create the file yourself;

– Open Notepad
– Go to “Save as type”, choose ” All Files”
– Under Filename, type .htaccess
– Save.
– Copy the content of the downloaded “cidr” file to your .htaccess file
– Save
– Upload to your root folder using your cPanel file manager
– Right click on this file and change permission to 0644.

Denying Access To Selected Countries

– From your Control Panel (cPanel), click on your “File Manager”.
– Ensure “Show Hidden Files (dotfiles).” is ticked. You will be taken directly to your root folder.
– Look for the file called “.htaccess”.
– Right click on this file and select “Edit”
– Open another tab in your browser, navigate to ip2location.com
– Select the countries you want to block. I suggest including Morocco, Turkey, Algeria, Russia.
– Under the drop down menu labelled “Output Format”, select “Apache .htaccess deny”
– Click “download” to download a file labelled “cidr”
– Right click on the downloaded file and open with “Wordpad”. DO NOT USE NOTEPAD.
– Copy the content of this file and paste into your .htaccess file, after the last entries there – if any.
– Save and close.
– Now your site can not be accessed from those countries you selected.

NOTE: If you do not see a .htaccess file in your root folder, first confirm that you enabled “Show Hidden Files (dotfiles).” in your file manager. If you did, then you would have to create the file yourself;

– Open Notepad
– Go to “Save as type”, choose ” All Files”
– Under Filename, type .htaccess
– Save.
– Copy the content of the downloaded “cidr” file to your .htaccess file
– Save
– Upload to your root folder using your cPanel file manager
– Right click on this file and change permission to 0644.
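Both procedures above end with a block of Apache directives pasted into .htaccess. The following added example (not ip2location's generator or cPanel's tooling) builds the allow-list and deny-list variants and dry-runs Apache 2.2 Order/Allow/Deny semantics for a client address, which catches the common failure mode of an allow-list that omits your own address before it locks you out. The CIDR ranges are constructed documentation ranges, not any country's real allocation.

```python
"""Build and dry-run the .htaccess country allow/deny rules.

Added example, not ip2location's generator or cPanel's own tooling.
htaccess_allow()/htaccess_deny() emit the Apache 2.2 Order/Allow/Deny
block the text pastes into .htaccess; evaluate() applies those rules to
one client address so the policy can be checked before deployment.
"""
import ipaddress

# Constructed stand-ins for the "cidr" file downloaded from ip2location.
COUNTRY_RANGES = ["203.0.113.0/24", "198.51.100.0/24"]


def htaccess_allow(cidrs) -> str:
    """Allow only the listed ranges, deny everyone else (Apache 2.2 syntax).

    On Apache 2.4 the same policy is written with Require ip / Require all denied.
    """
    lines = ["Order Deny,Allow", "Deny from all"]
    lines += [f"Allow from {c}" for c in cidrs]
    return "\n".join(lines) + "\n"


def htaccess_deny(cidrs) -> str:
    """Deny the listed ranges, allow everyone else (Apache 2.2 syntax)."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {c}" for c in cidrs]
    return "\n".join(lines) + "\n"


def evaluate(htaccess: str, client_ip: str) -> bool:
    """Dry-run Apache 2.2 Order/Allow/Deny semantics; True means the client gets in.

    Order Deny,Allow: denied only if a Deny matches and no Allow matches;
                      requests matching nothing are permitted.
    Order Allow,Deny: some Allow must match and no Deny may match;
                      requests matching nothing are refused.
    """
    ip = ipaddress.ip_address(client_ip)
    order, allows, denies = "deny,allow", [], []   # Apache's default order
    for line in htaccess.splitlines():
        parts = line.split()
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword == "order":
            order = parts[1].lower()
        elif keyword == "allow" and parts[1].lower() == "from":
            allows.append(parts[2])
        elif keyword == "deny" and parts[1].lower() == "from":
            denies.append(parts[2])

    def matches(spec: str) -> bool:
        if spec.lower() == "all":
            return True
        return ip in ipaddress.ip_network(spec, strict=False)

    hit_allow = any(matches(a) for a in allows)
    hit_deny = any(matches(d) for d in denies)
    if order == "deny,allow":
        return hit_allow or not hit_deny
    return hit_allow and not hit_deny


def lockout_check(htaccess: str, my_ip: str) -> bool:
    """Run before uploading: True if the address you administer from still gets in."""
    return evaluate(htaccess, my_ip)


if __name__ == "__main__":
    rules = htaccess_allow(COUNTRY_RANGES)
    print(rules)
    # Constructed admin address outside the allowed ranges: this must be fixed first.
    print("admin still allowed:", lockout_check(rules, "192.0.2.10"))
```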

2. BACKUPS

While backups may not be viewed as a security technique, they are the best way of securing your site. The truth is, no website is hack-proof if hackers are determined enough. Not even the high profile companies with millions budgeted for website security have been spared. Yeah, ask Sony, Fox, Warner Bros, CBS and, lately, LinkedIn. This list is not exhaustive. So what if these guys don't have their website backed up? Note that with your backups, your website can be up again in minutes.

The latest trend, nowadays, is for hackers not to deface your site but to use it for phishing.

To back up your site,

Option 1

– From your cPanel, under “Files”, click “Backups”
– Under “Full Backup”, click “Download or Generate a Full Website Backup”
– Under “Backup Directory”, select “Home Directory” from the dropdown menu
– You may insert your email address to be notified when the backup has been concluded.
– Navigate to your root folder, not “public_html”; you will see your backup in “tar.gz” compressed format
– Download to your local PC.

Option 2

Alternatively, you may back up to a remote location. It may be another shared hosting account or, preferably, Amazon S3.

Option 3

– Go to your WordPress Admin Page
– Under “Tools”, select “Export”
– Under “Choose what to export”, select “All Content”
– Click “Download Export File”

This will download, to your local PC, all of your posts, pages, comments, custom fields, terms, navigation menus and custom posts.

Your images will not be downloaded! It is advisable to upload and access your images from 3rd party sites like Flickr, Dropbox, Box, etc. That way, your images would be preserved when you are restoring your backup.

3. Delete Admin User

You will be shocked at the number of “bots” out there, carrying out “brute force” password hacking on the default WordPress Administrative account, “admin”.

– Go to your WordPress Admin Page
– Under “Users”, select “All Users”
– Create a new user, give it a very unique username
– Grant it Administrator role
– Give it a strong password, at least twelve characters long. To make it stronger, use a mix of upper and lower case letters, numbers and symbols like ! ” ? $ % ^ &
– Log in to your blog, now using this new user account
– Delete the admin account.

Next, we do a run down of recommended plugins. Stay tuned!

Categories
Hack Hosting

How To Secure Your WordPress Blog – Part 1

WordPress is an open source and free blogging software. Two variants abound:

WordPress.com

WordPress.com blogs are hosted by the company that gave us WordPress, Automattic. Recommended to beginners with little knowledge of what goes on behind the scenes of this blogging platform.

Features

– WordPress.com is the safer way to go. There are a lot of mechanisms in place to make sure that you don’t accidentally break it or prevent it from working the way it was intended to.

– While no online platform can be regarded as impregnable, this is probably as safe as you can get. All of the technical maintenance work is taken care of by some of the best hands — Setup, upgrades, spam, backups, security, etc. Believe me, it is a scary world out there.

– It is free, with 3GB space to play with. This is more than enough. Diary of a Geek with over 300 posts uses less than 100MB of web space.

– Some of the best sites also use WordPress hosted blogging; CNN, for example.

– Yes, your blog will be in the form of, say, artwales.wordpress.com but with $18 per year, you get to use a domain name of your choice.

Deal Breakers

– Inability to use your own themes or plugins. You are restricted to a bunch of boring free and premium themes. However, from a security standpoint, this can be viewed as a strength because most hacks into WordPress blogs are not via the blogging platform itself but through loopholes in these themes and plugins. TimThumb readily comes to mind.

– You cannot monetize your blog with AdSense and the likes. However, WordPress has its own home brew called WordAds.

– Ads, though few, are present. You pay $30 per year to remove them.

WordPress.org

These are self hosted blogs. You subscribe to a web host to host your blog.

Features

– You have complete control over the look and feel of your site

– You can install any WordPress theme or plug-in to extend the functionality of your site (believe me, this is a very powerful and inexpensive way to add functionality to your website)

Deal Breakers

– Some level of skills is required to manage your blog satisfactorily.
– Careful, you can easily break something
– You need to manage your own backups. (However, there are free plugins to automate this easily.)
– Themes and plugins may contain vulnerabilities that can be exploited.
– You pay hosting fees.

In part 2, we would discuss some basic steps to secure your WordPress.org blog.

Categories
Hosting

VPS – The First Steps

A VPS web server acts as a stand-alone server, complete with its own users, IP addresses, memory, root access, and configuration files. The size of these virtual servers can be adjusted much more easily than physical servers, making them a versatile asset for anyone using them. Basically, you pay for resources as you need them. “Scalability” is the word used to describe this.

My belief of what constitutes minimum server specs is as follows:

20GB Diskspace (Incremental 20GB space costs as little as a dollar per month)
512 MB Ram
If you will be dabbling into MySQL database like in WordPress, this should be a minimum.
1024 GHz CPU speed
300 GB Bandwidth
1 IP address
Linux OS (Debian / CentOS preferably)
Virtuozzo Linux VPS (Basic GUI access to your server)

Starting out with VPS hosting can be overwhelming at times, especially to the noobs. Therefore, it is advisable to start out with a little hand holding from your host by subscribing to the managed VPS option.

The term “managed” VPS describes a VPS offering whereby your host will support any issue concerning all standard software included in your package: Linux OS, Virtuozzo panel, etc. However, in most cases, the host will do nothing unless you request it, so you would still need to monitor the VPS yourself, though most hosts make security patches to supported software a priority.

For an “unmanaged” VPS, your host’s obligation to you stops after ensuring that the network to your server remains connected and the host node keeps running; you’re responsible for everything else on the VPS. In simple English, you are on your own.

Expectedly, the managed VPS offering costs more but you get a lot of rest of mind in return.

Choice of Control Panel

The next logical step would be the choice of a control panel, and my choice of ISPConfig was based on the following factors:

– Ease of installation with a lot of “hand-holding” from HowToForge.com

– More User friendly compared to the more efficient Webmin

– 3 levels of administration : Admin, Resellers and Users. Important for those who intend to resell VPS hosting

All the steps required to set up your server are contained on howtoforge.com

Categories
Hack

TimThumb – Hacker’s Delight

While no website on the Internet can be deemed 100% safe from hackers, lately, sites based on the WordPress platform have received more than their fair share of such intrusions. WordPress is the most widely adopted content management platform, with millions of blogs and websites based on it. The relative ease of setup and administration has made the platform quite popular. This is also probably the reason why it is attractive to malicious or opportunist attackers: the large “target market” available.

Most people think that it is when your website is defaced that your site has been hacked. Far from it. Hackers have varied intents and purposes for hacking sites. Some are just plain malicious. Most script kiddies fall into this class. Script kiddies are largely unskilled hackers testing out information or tools gleaned from the Internet with no real skills on how things work. However, most do it for financial gains, with malicious intents, activism, curiosity or just plain fun!

Usually, these hackers try to exploit loopholes in the code of the WordPress platform, usually to gain administrative access to the site and unleash whatever their malicious intents may be. Over the years, WordPress has improved significantly on making the platform very secure. However, the same cannot be said of the third party software, called plugins, that is a necessary add-on to these websites.

One such script is TimThumb.

TimThumb is a PHP script used for cropping, zooming and dynamically resizing images on websites. While TimThumb can be used on any website, it is ideal for blogs and other websites who use templates and themes (self hosted WordPress blogs, for example). Using TimThumb, you can dynamically fetch a cached copy of an image and proportionally resize it to fit in your blog template. Thumbnails, profile picture of users and signature images are typical examples where TimThumb script is used. Whilst TimThumb has found a home in WordPress themes, it is by no means limited to them – TimThumb can be used on any website to resize almost any image.

TimThumb is usually embedded in most premium themes or plugins. There are a lot of parameters which can be used with TimThumb, it depends on the requirements of your website and how you want to scale internal as well as external images.

Once your script is in place, it will continue to work in the background and store a copy of your images in the cache folder. So if you are scaling a really large image to, say, 100 X 100 using TimThumb, an exact match copy of the image will be saved in the cache folder. This image will be shown to your website visitors.

And here is how the TimThumb vulnerability goes to work.

Since the cache directory is public and accessible to anyone visiting the website, an attacker can compromise your site by finding a way to get TimThumb to fetch a PHP file and store it in that same directory. Because the web server is configured to execute any file in the cache directory that ends with a .php extension, the attacker's file then runs on your server, and you are trapped.

So how do I know if I’m at risk?

Almost everyone using a copy of the TimThumb library downloaded before August 1, 2011 is likely at risk. If you are not sure whether you are using TimThumb, the easiest way to check is to look through your theme folders for a file called timthumb.php or thumb.php. This can be done using an FTP program or the file browser in your cPanel. You may also use the Timthumb Vulnerability Scanner plugin.
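The manual check above (hunting for timthumb.php or thumb.php) and the cache-directory problem described earlier can be combined into one script. This is an added example, not part of the original post or of TimThumb itself; it assumes the script declares its version with a define('VERSION', ...) line and keeps its cache in a directory named cache next to the script (TimThumb's default), so adjust both if your copy differs.

```shell
#!/bin/sh
# Added example (not from the original post): locate TimThumb copies under a
# WordPress install, report their declared version, and flag any .php files
# that have landed in the cache directory beside them.
# Assumptions (labelled): the script stores its version in a
# define('VERSION', '...') line, and its cache directory is named "cache"
# next to the script (TimThumb's default).

# Print "path<TAB>version<TAB>cache-php-count" for each timthumb.php or
# thumb.php found under the directory given as $1 (e.g. wp-content/themes).
scan_timthumb() {
    root="$1"
    find "$root" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    while IFS= read -r file; do
        # Pull the version string out of a define('VERSION', '...') line.
        version=$(sed -n "s/.*define[[:space:]]*([[:space:]]*['\"]VERSION['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1)
        [ -n "$version" ] || version="unknown"
        # TimThumb should only ever write image data to its cache, so any
        # .php file in there deserves a look by the site owner.
        cachedir="$(dirname "$file")/cache"
        count=0
        if [ -d "$cachedir" ]; then
            count=$(find "$cachedir" -type f -name '*.php' | wc -l | tr -d ' ')
        fi
        printf '%s\t%s\t%s\n' "$file" "$version" "$count"
    done
}

# Typical use: scan_timthumb /path/to/wp-content/themes
```

A non-zero third column, or a version predating your theme's August 2011 update, is the cue to upgrade or remove the script as described below.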

Thankfully, there is a fix.

You may delete all instances of timthumb.php in your theme. Deleting the TimThumb script may break certain themes, or at least affect how they manage and display images. But if you need the TimThumb script running on your site, upgrade to the latest version. However, if you find some merit in the many discussions about the safety, or lack thereof, of allowing any script on your server to fetch data from third-party sites, then delete the file.



WordPress 3.2 Now Available

Here in the U.S. we are observing Independence Day, and I can’t think of a more fitting way to mark a day that celebrates freedom than by releasing more free software to help democratize publishing around the globe. I’m excited to announce that WordPress 3.2 is now available to the world, both as an update in your dashboard and a download on WordPress.org. Version 3.2 is our fifteenth major release of WordPress and comes just four months after 3.1 (which coincidentally just passed the 15 million download mark this morning), reflecting the growing speed of development in the WordPress community and our dedication to getting improvements in your hands as soon as possible. We’re dedicating this release to noted composer and pianist George Gershwin.

Before we get to the release, in anticipation of the State of the Word speech at the upcoming WordCamp San Francisco (the annual WordPress conference) we’re doing a survey or census of the WordPress world. If you have a moment, please fill out this survey and we’ll share what we learn by publishing the aggregate results in August.


The focus for this release was making WordPress faster and lighter. The first thing you’ll notice when you log in to 3.2 is a refreshed dashboard design that tightens the typography, design, and code behind the admin. (Rhapsody in Grey?) If you’re starting a new blog, you’ll also appreciate the fully HTML5 new Twenty Eleven theme, fulfilling our plan to replace the default theme every year. Start writing your first post in our redesigned post editor and venture to the full-screen button in the editing toolbar to enter the new distraction-free writing or zen mode, my personal favorite feature of the release. All of the widgets, menus, buttons, and interface elements fade away to allow you to compose and edit your thoughts in a completely clean environment conducive to writing, but when your mouse strays to the top of the screen your most-used shortcuts are right there where you need them. (I like to press F11 to take my browser full-screen, getting rid of even the OS chrome.)

Under the hood there have been a number of improvements, not the least of which is the streamlining enabled by our previously announced plan of retiring support for PHP4, older versions of MySQL, and legacy browsers like IE6, which allows us to take advantage of more features enabled by new technologies. The admin bar has a few more shortcuts to your most commonly-used actions. On the comment moderation screen, the new approve & reply feature speeds up your conversation management. You’ll notice in your first update after 3.2 that we’ll only be updating the files that have changed with each new release instead of every file in your WordPress installation, which makes updates significantly faster on all hosting platforms. There are also some fun new theme features shown off by Twenty Eleven, like the ability to have multiple rotating header images to highlight all of your favorite photos.

(Matt Mullenweg – Co-Founder, WordPress)
