Categories
WordPress

An access control after such a long time-#2.

Japanese version of this article

   About seven months ago, I made an Apache extra conf file “access-denied.conf” like this. Today, I’ve modified it to control access to the directory “wp-admin”.

   I opened the access-denied.conf and changed the text like this.

Old:
<Files "wp-login.php">
  Require ip xxx.xxx.xxx.xxx/xx  <<--- my local IP addresses
  Require host My wifi domain name
</Files>

New:
<Files "wp-login.php">
  Require ip xxx.xxx.xxx.xxx/xx  <<--- my local IP addresses
  Require host My wifi domain name
</Files>
<Directory "drive_DC:/WEB/htdocs/wp-admin">  <<--- drive_DC:/WEB/htdocs/ is my DocumentRoot.
  Require ip xxx.xxx.xxx.xxx/xx  <<--- my local IP addresses
  Require host My wifi domain name
  <Files "admin-ajax.php">  <<--- the Ajax entry point is wp-admin/admin-ajax.php
    Require all granted
  </Files>
</Directory>

   I excluded the file "admin-ajax.php" from this deny rule, because the plugins which use the Ajax features need it (Ref: 「Re: WordPress使いならこれだけはやっておきたい本当のセキュリティ対策10項目」, "Re: The 10 real security measures every WordPress user should take"). Actually, I examined the plugins on my WordPress and found that some of them use the hook wp_ajax_(action). So I needed to exclude the file from the rule.

   The rule works well. (^^)


WordPress: Administration Over SSL #3

Japanese version of this article

   When I activated Administration Over SSL, I didn’t set “define( 'FORCE_SSL_ADMIN', true );” because at that moment I used a laptop PC (LaVie PC-LC5505D) as the server and it was already slow.

   Today, I had an update message about the plugin Ajax Edit Comments Version 5.0.30.0 and the Changelog read:

Fixing SSL error when FORCE_SSL_ADMIN is set to true. See trac ticket: http://buddypress.trac.wordpress.org/ticket/4761

   That made me remember the setting of the Administration Over SSL.

   I opened my wp-config.php and commented out the line “define( 'FORCE_SSL_LOGIN', true );”, and under it I added the line “define( 'FORCE_SSL_ADMIN', true );”. Then I saved and closed wp-config.php.

   After this, whenever I access any part of the administration area of my WordPress, I need my own certificate because WordPress now works over SSL. Fortunately, I don’t feel the server response is slower. How about you?

   By the way, I also had an update message about the phpMyAdmin 4.0.6, so I used this opportunity to update it.


Memorandum #4.

Japanese version of this article

   How to create a po file from a mo file on Windows.

  1. Install Poedit.
  2. Run cmd.exe
    >cd (Poedit bin Path)
    >msgunfmt -o (po file) (mo file)   —>See Command Line Help.
  3. That’s it. I have the po file. Happy.

   I stopped using the following three plugins because they haven’t been updated in over 2 years.

  • Similar Posts
  • Post-Plugin Library
  • Picbox

   I started using the following plugins instead of the three plugins above.


Upgrading to WordPress 3.6.

Japanese version of this article

   Today, the Japanese WordPress development team announced that they had brought out the new Japanese version of WordPress for us. According to the Codex page for Version 3.6, there are tons of changes.

   My WordPress is a multisite type and the parent site language is English. Probably for this reason, the WordPress Updates page does not show me the Japanese version update message.

   So, I downloaded wordpress-3.6-ja.zip manually and upgraded.

   Happy upgrade!! But, to use the new features, I should update the themes I made myself. Sigh!


Memorandum #3.

Japanese version of this article

   To make room in the navigation bar of o6asan’s Web Site, I did the following.

  1. Open my header.php in the theme of o6asan’s Web Site.
  2. <?php wp_list_pages('title_li=&depth=2&sort_column=menu_order') ?>
    —>
       <?php wp_list_pages('exclude=xx,yy&title_li=&depth=2&sort_column=menu_order') ?>

    The xx is the “Home” page ID.
    The yy is the “My server’s restoration note” page ID.

   Then I had the room I wanted.


Memorandum #2.

Japanese version of this article

   Some notes for my memory.

  1. About Apache.
    I forgot to add “ServerTokens” to my httpd.conf. So I did it today: “ServerTokens Prod”.
  2. About FireFox.
    Firefox has a preference “network.prefetch-next”. Its default value is true. If I access a site infected with malware, the feature might bring something bad to my PC. So, I changed its value from true to false. You can find “network.prefetch-next” via “about:config”.

    I also changed another Firefox preference, “plugins.click_to_play”, from false to true.

    Maybe these two are my imaginary fears, ha-ha.

  3. About WordPress.
    They released WordPress 3.5.2. It is a security and maintenance release. I downloaded wordpress-3.5.2-ja.zip and updated manually. I cannot use the automatic update on my server because the update page does not show the Japanese version. Why doesn’t the page show the latest Japanese version? I think it is because I run my WordPress as a Multisite and its default language is English. Anyway, I always update my WordPress manually.

    Nothing in particular. But, I found the file swfupload-all.js was deleted.

    I took this occasion to update to phpMyAdmin 4.0.4.


WordPress: Administration Over SSL #2

Japanese version of this article

   Now, the WordPress setting. As I had no experience with this, it was a worry to me, but there was no problem. I found the HOW TO for it.

   I set “define('FORCE_SSL_LOGIN', true);” in my wp-config.php. I don’t use “define('FORCE_SSL_ADMIN', true);” because my server is already slow (^^;).

   I accessed my log-in page. Immediately, I got the message “Multisite only works without the port number in the URL.”. OOPS!! I had wanted to use port xxxxx instead of the SSL well-known port. I had no choice, so I replaced port xxxxx with the default. Well, now I’ve got SSL login to my WordPress.

   I must learn about rewrite rules and the like. But for now, I am satisfied with this level.


WordPress: Administration Over SSL #1

Japanese version of this article
Update information: Edit (Jun. 19)

   As I wrote before, I can only log in to my WordPress via my home LAN because of my access control. But, honestly, it’s very inconvenient (-_-;). So, I want to be able to log in to my WordPress from my mobile PC. However, transmitting an unencrypted password goes against my policy.

   So, I decided to support SSL on my server (Windows XP SP3 (x86)) again. Actually, as the Apache 2.4 win32 binaries are built with apr-1.4.6, apr-util-1.4.1, apr-iconv-1.2.1, openssl-1.0.1e, zlib-1.2.7, pcre-8.32, libxml2-2.9.0, lua-5.1.5 and expat-2.1.0, they include openssl.exe, openssl.cnf and the other openssl files. The only user is me and the only feature I need is to log in to my WordPress. Therefore, I need a private CA instead of a provider CA like VeriSign’s.

   First, I make cakey.pem and cacert.pem. Usually, we use CA.pl on Windows. But the Apache 2.4 win32 binaries don’t have CA.pl, so I use openssl.exe directly as a command line tool. You can find the HOW TO on the document page.

  1. Make a directory myCA somewhere on the server. Under myCA, make the directories private and newcerts and an empty text file index.txt. Actually, I made the myCA directory on removable media, because it’s convenient for moving my_ca.crt and clientcert.p12 to my client PC, and secure if I remove it from my server when not in use.
  2. The file openssl.cnf exists in the Apache conf directory. On Windows XP, you see openssl.cnf as “openssl”, a file of type “SpeedDial”. Open the file and modify it. This modification is absolutely necessary on Windows XP. If not, you will get an error like the one below. Microsoft’s newer cmd.exe accepts both “/” and “\” as directory separators, but the old cmd.exe can’t use “/”. Besides, “\” is the escape character in the file, so you need “\\”.

    Error opening CA private key ./myCA/private/cakey.pem
    3464:error:02001003:system library:fopen:No such process:.\crypto\bio\bss_file.c:398:fopen('./myCA/private/cakey.pem','rb')
    3464:error:20074002:BIO routines:FILE_CTRL:system lib:.\crypto\bio\bss_file.c:400:
    unable to load CA private key

    Modification of openssl.cnf:

         RANDFILE = $ENV::HOME/.rnd —> RANDFILE = $ENV::HOME\\.rnd
         #oid_file = $ENV::HOME/.oid —> #oid_file = $ENV::HOME\\.oid

         dir = ./demoCA —> dir = (drive xx):\\myCA   (Exact path required)
         certs = $dir/certs —> certs = $dir\\certs
         crl_dir = $dir/crl —> crl_dir = $dir\\crl
         database = $dir/index.txt —> database = $dir\\index.txt

         new_certs_dir = $dir/newcerts —> new_certs_dir = $dir\\newcerts

         certificate = $dir/cacert.pem —> certificate = $dir\\cacert.pem
         serial = $dir/serial —> serial = $dir\\serial
         crlnumber = $dir/crlnumber —> crlnumber = $dir\\crlnumber

         crl = $dir/crl.pem —> crl = $dir\\crl.pem
         private_key = $dir/private/cakey.pem —> private_key = $dir\\private\\cakey.pem
         RANDFILE = $dir/private/.rand —> RANDFILE = $dir\\private\\.rand

    If you use TSA (Time Stamping Authority), you have to make the same modifications in the TSA area.

    As I use 2048 bits as the default, I also modify the following.
         default_bits = 1024 —> default_bits = 2048

    By the way, I don’t add (drive x):\(Apache bin dir) to the PATH environment variable. If you feel better doing that, please do so, though I don’t like it.

  3. Run cmd.exe
         >cd (drive xx):\myCA
         >copy index.txt+   (as a replacement for the UNIX touch command)
         >echo 01 > serial   (a serial file containing a valid serial number is required)
         >(drive x):\(Apache bin dir)\openssl req -new -keyout private\cakey.pem -out careq.pem -config (drive x):\(Apache conf dir)\openssl.cnf

         Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for cakey.pem)
         Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for cakey.pem)

         Country Name:JP
         State or Province Name:FUKUOKA
         Locality Name:FUKUOKA
         Organization Name:o6asan’s Web Site
         Organizational Unit Name:myCA
         Common Name:o6asan.com
         Email Address:My mail address

         A challenge password: blank
         An optional company name: blank

  4. Self-sign the certificate request, using the CA extensions:
         >(drive x):\(Apache bin dir)\openssl ca -config (drive x):\(Apache conf dir)\openssl.cnf -selfsign -in careq.pem -extensions v3_ca -out cacert.pem

         Enter pass phrase for (drive xx):\myCA\private\cakey.pem: xxxxxxxxxxxxxxxx   (pass phrase for cakey.pem)

         Sign the certificate? [y/n]: y
         1 out of 1 certificate requests certified, commit? [y/n] y

         >copy cacert.pem (drive x):\(Apache conf dir)   (cacert.pem for server use)
         >copy cacert.pem my_ca.crt   (my_ca.crt for client use)

   Second, I make server.key and server.crt.

  1.      >(drive x):\(Apache bin dir)\openssl req -new -keyout server.key -out server.csr -config (drive x):\(Apache conf dir)\openssl.cnf

         Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for server.key)
         Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for server.key)

         Country Name:JP
         State or Province Name:FUKUOKA
         Locality Name:FUKUOKA
         Organization Name:o6asan’s Web Site
         Organizational Unit Name:WordPress
         Common Name:o6asan.com
         Email Address:My mail address

         A challenge password: blank
         An optional company name: blank

  2. Sign the certificate request:
         >(drive x):\(Apache bin dir)\openssl ca -in server.csr -out server.crt -config (drive x):\(Apache conf dir)\openssl.cnf

         Enter pass phrase for (drive xx):\myCA\private\cakey.pem: xxxxxxxxxxxxxxxx   (pass phrase for cakey.pem)

         Sign the certificate? [y/n]: y
         1 out of 1 certificate requests certified, commit? [y/n] y

         >copy server.crt (drive x):\(Apache conf dir)

  3. As Win32 doesn’t support SSLPassPhraseDialog builtin, I need to remove the encryption from my server.key to get rid of an error at Apache startup time (PDF version).

         >copy server.key cp_server.key
         >(drive x):\(Apache bin dir)\openssl rsa < cp_server.key > (drive x):\(Apache conf dir)\server.key

         Enter pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for server.key)

   Third, I make clientcert.p12.

  1.      >(drive x):\(Apache bin dir)\openssl req -new -keyout client.key -out client.csr -config (drive x):\(Apache conf dir)\openssl.cnf

         Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for client.key)
         Verifying – Enter PEM pass phrase: xxxxxxxxxxxxxxxx   (pass phrase for client.key)

         Country Name:JP
         State or Province Name:FUKUOKA
         Locality Name:FUKUOKA
         Organization Name:o6asan’s Web Site
         Organizational Unit Name:Administration
         Common Name:o6asan
         Email Address:My mail address

         A challenge password: blank
         An optional company name: blank

  2.      >(drive x):\(Apache bin dir)\openssl ca -in client.csr -out client.crt -config (drive x):\(Apache conf dir)\openssl.cnf

         Enter pass phrase for (drive xx):\myCA\private\cakey.pem: xxxxxxxxxxxxxxxx   (pass phrase for cakey.pem)

         Sign the certificate? [y/n]: y
         1 out of 1 certificate requests certified, commit? [y/n] y

  3. Make a PKCS#12 format client file.
         >(drive x):\(Apache bin dir)\openssl pkcs12 -export -in client.crt -inkey client.key -out clientcert.p12

         Enter pass phrase for client.key: xxxxxxxxxxxxxxxx   (pass phrase for client.key)
         Enter Export Password: xxxxxxxxxxxxxxxx   (password for client PC use)
         Verifying – Enter Export Password: xxxxxxxxxxxxxxxx   (password for client PC use)

    Close cmd.exe

   Now, I have cacert.pem, server.crt and server.key in my Apache conf directory, and my_ca.crt and clientcert.p12 for my client PC on the removable media. These five files are all I need to support SSL on my server.
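The same three-part procedure, scripted for a POSIX shell as an added example (not the original post's commands): it writes a throw-away openssl.cnf in place of the edited Apache one, self-signs the CA request with the v3_ca extensions, signs a server and a client request, strips the passphrase from the server key with openssl rsa as step 3 above does, and exports the client certificate as PKCS#12. It assumes the openssl command-line tool is on the PATH; the subjects and passwords are constructed placeholders.

```shell
# Added example (not the post's own commands): the private-CA steps above on a POSIX
# shell with a throw-away openssl.cnf. Assumes openssl on PATH; "$1" is a work dir.
set -e
make_private_ca() {
  work="$1"; ca="$work/myCA"; cfg="$work/openssl.cnf"
  mkdir -p "$ca/private" "$ca/newcerts"; : > "$ca/index.txt"; echo 01 > "$ca/serial"
  cat > "$cfg" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = usr_cert
[ policy_any ]
commonName      = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName      = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage        = critical,keyCertSign,cRLSign
EOF
  # First: CA key + request, self-signed with the v3_ca extensions (step 4 above)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$ca/private/cakey.pem" \
    -out "$work/careq.pem" -subj "/CN=myCA example" -config "$cfg" 2>/dev/null
  openssl ca -batch -config "$cfg" -selfsign -extensions v3_ca \
    -in "$work/careq.pem" -out "$ca/cacert.pem" 2>/dev/null
  # Second: encrypted server key, CSR signed by the CA, passphrase stripped via openssl rsa
  openssl req -new -newkey rsa:2048 -keyout "$work/cp_server.key" -passout pass:demo \
    -out "$work/server.csr" -subj "/CN=o6asan.com" -config "$cfg" 2>/dev/null
  openssl ca -batch -config "$cfg" -in "$work/server.csr" -out "$work/server.crt" 2>/dev/null
  openssl rsa -in "$work/cp_server.key" -passin pass:demo -out "$work/server.key" 2>/dev/null
  # Third: client certificate, exported as PKCS#12 for the browser
  openssl req -new -newkey rsa:2048 -nodes -keyout "$work/client.key" \
    -out "$work/client.csr" -subj "/CN=o6asan" -config "$cfg" 2>/dev/null
  openssl ca -batch -config "$cfg" -in "$work/client.csr" -out "$work/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$work/client.crt" -inkey "$work/client.key" \
    -out "$work/clientcert.p12" -passout pass:export-demo 2>/dev/null
}
if [ -n "${1:-}" ]; then make_private_ca "$1"; fi
```

Run it as `sh make_ca.sh /path/to/workdir`; afterwards `openssl verify -CAfile workdir/myCA/cacert.pem workdir/server.crt` shows the chain the browser and Apache will see.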

   I uncomment the following lines in my current httpd.conf.

  • LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  • LoadModule ssl_module modules/mod_ssl.so
  • Include conf/extra/httpd-ssl.conf

   I modify the file httpd-ssl.conf, which exists in the Apache extra conf directory.
     Listen 443 —> Listen xxxxx   (If you leave the default, it’s no problem.)

     <VirtualHost _default_:443> —> <VirtualHost _default_:xxxxx>
     DocumentRoot "c:/Apache24/htdocs" —> DocumentRoot "my document root"
     ServerName www.example.com:443 —> ServerName o6asan.com:xxxxx
     ServerAdmin admin@example.com —> ServerAdmin My mail address
     ErrorLog "c:/Apache24/logs/error.log"
     —> ErrorLog "|bin/rotatelogs.exe -l -f logs/error.%Y.%m.%d 86400"   (my ErrorLog format)
     TransferLog "c:/Apache24/logs/access.log"
     —> TransferLog "|bin/rotatelogs.exe -l -f logs/access.%Y.%m.%d 86400"   (my CustomLog format)

     #SSLCACertificateFile "c:/Apache24/conf/ssl.crt/ca-bundle.crt"
     —> SSLCACertificateFile "C:/Apache24/conf/cacert.pem"

     #SSLVerifyClient require —> SSLVerifyClient require
     #SSLVerifyDepth 10 —> SSLVerifyDepth 1   (at first I left this at 10)

     <Directory "c:/Apache24/cgi-bin"> —> <Directory "my cgi-bin directory">

   Restart my Apache.
   Install my_ca.crt and clientcert.p12 into the web browser on my client PC.

   The remaining is the settings for my WordPress. Whew!

Edit(Jun.19):
   When I first logged in to my WordPress over SSL, I got the message “Multisite only works without the port number in the URL”. I had no choice, so I replaced port xxxxx with the default. (^^;)


An access control after such a long time.

   Today, I set an access control for my wp-login.php after such a long time. The reason is that I want my daily AWStats report without the number of unauthorized accesses to the file wp-login.php in it.

   I had not cared about this for a long time, because my server applications are nearly always up-to-date and the only user is me. But recently I have had a lot more unauthorized accesses to the file wp-login.php than before. I think the number of them increased after I wrote the post “Snow falling on my blog.”. It is too much and so boring.

   I made a file access-denied.conf like the following and put it into my Apache extra conf directory. The file also includes some IP addresses I want to deny. Now, it works. Great!!

<Files "wp-login.php">
  Require ip xxx.xxx.xxx.xxx/xx  <<--- my local IP addresses
</Files>

<Directory "G:/WEB">   <<--- G:/WEB is my document root.
  <RequireAll>
    Require all granted   <<--- I forgot to write this here, so I added it on Mar. 1st.
    Require not ip xxx.xxx.xxx.xxx/xx
    Require not ip yyy.yyy.yyy.yyy/yy
  </RequireAll>
</Directory>


Welcome back, AEC!!

   Before I go on to the main subject, a word about “Kirin tidings”: I added a few things to the page.

   After a long-term absence, AEC is back with us!! At the beginning of January, I was thinking of modifying the file comment.php in the directory wp-includes myself, so it was an unexpected pleasure to get the email notification about this on Jan. 11th.

   I always make a Japanese language file for AEC. If you need it, you can download it from here.