Protect MySQL against WordPress xmlrpc attacks

If you run your own server you may be vulnerable to attack via WordPress's xmlrpc.php file. Even though this file may not give a hacker access to your site, it can still do damage. A single HTTP POST to that file can generate tens of database queries, depending on which plugins you have installed, and it is very easy for a hacker or robot to post many times per second. That can add up to hundreds of database connections and thousands of queries very quickly, which can crash MySQL without leaving a trace in your error log.

I have tried a few plugins that aim to help with the problem:

Disable XML-RPC disables WordPress's XML-RPC functionality, meaning that nothing can be done to your content. However, it does nothing to prevent the initial database queries, so MySQL can still be affected while running this.

BruteProtect – I’ve seen comments that it will protect xmlrpc but I’ve seen it in action during an attack and as of version 2.2.2 it did nothing.

NinjaFirewall – there are a lot of configuration options but this one does the job. It sits in front of WordPress and so it can intercept the attack before all the database activity starts up. This worked great when I used it during an attack.

However, if you host multiple WordPress sites on a single server it could be tedious to install and configure this for each site. There will also be duplication of what the code is doing, and Apache still has to handle all the incoming requests.

It may be better to stop attacks at the firewall, because that is the single point of entry to your server. This approach still requires a plugin, WP fail2ban, but this one logs attacks to your system's auth.log, where they can be picked up by fail2ban and the offending IP automatically added to your firewall rules for a temporary period. It is more complicated than the other plugins to install, but once a malicious IP has been blocked it can't affect any of the sites on your server, which keeps the system load much lower.
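As an added example for this page (not code from WP fail2ban or fail2ban itself), here is the logic fail2ban applies to those auth.log entries, written in Python: count events per IP inside a findtime window, and once maxretry is reached treat the IP as banned for bantime. The auth.log excerpt and its wordpress(...) tag format are constructed for the example; the real plugin's log messages may differ.

```python
"""fail2ban-style sliding-window detector. Added example; log format is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not real WP fail2ban output): six XML-RPC attempts
# from 203.0.113.9 within 75s, one from 198.51.100.7, and an sshd line to be ignored.
AUTH_LOG = """\
Mar 03 10:00:01 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user admin from 203.0.113.9
Mar 03 10:00:05 web1 sshd[999]: Accepted publickey for deploy from 192.0.2.1 port 22 ssh2
Mar 03 10:00:09 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user admin from 203.0.113.9
Mar 03 10:00:20 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user admin from 198.51.100.7
Mar 03 10:00:31 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user admin from 203.0.113.9
Mar 03 10:00:44 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user admin from 203.0.113.9
Mar 03 10:01:02 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user root from 203.0.113.9
Mar 03 10:01:15 web1 wordpress(example.com)[1234]: XML-RPC attempt for unknown user root from 203.0.113.9
"""

# Only lines tagged wordpress(...) and ending in "from <ip>" count as evidence.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ wordpress\(\S+\)\[\d+\]: "
    r"(?P<msg>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line, year=2015):
    """Return (timestamp, ip) for a matching line, else None; syslog has no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]

def detect_bans(lines, maxretry=5, findtime=600, bantime=3600):
    """Map ip -> ban time: maxretry events within findtime seconds trigger a ban
    of bantime seconds, during which further events from that ip are ignored."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in banned:
            if ts - banned[ip] < timedelta(seconds=bantime):
                continue  # still banned: do not count
            del banned[ip]  # ban expired
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
            window.clear()
    return banned
```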


MySQL NO_ZERO_DATE default

It is a good idea to use MySQL with sql-mode = NO_ZERO_DATE,NO_ZERO_IN_DATE (among other options).

If the NO_ZERO_DATE flag is not set, MySQL will allow '0000-00-00' in date and datetime fields. It also allows invalid dates to be silently converted to this zero date.
You probably don't want zero dates getting into your database if there is a problem with the data validation you carry out before inserting or updating data.

However, you have to use something as a default value when creating a table that has date and datetime fields. My recommendation is to use the minimum allowed value: '1000-01-01' for a date field and '1000-01-01 00:00:00' for a datetime.


How to stop splitting PHP strings in NetBeans 8

In Java and JavaScript strings cannot span multiple lines. NetBeans 8 will helpfully change the code you are writing so that a single multi-line string becomes many single-line strings joined together. However, if you are using NetBeans for PHP this can become a little annoying, especially if you are writing long SQL statements.

If you want to switch this off like I did, go to Tools / Options / Editor / Code Completion, select PHP as the language, then scroll down to the very bottom and deselect 'Use String Auto-Concatenation after Typed Break'.

[Screenshot: NetBeans 8 Auto-Concatenation settings]


Ubuntu modern.IE extracting VM files

If you follow the instructions on the www.modern.ie site to extract a VirtualBox file from a set of downloaded .rar files you are asked to run the following command:

./IE11.Win8.1.For.LinuxVirtualBox.part1.sfx

This gives the error:

bash: ./IE11.Win8.1.For.LinuxVirtualBox.part1.sfx: No such file or directory

The solution is to run:

unrar e IE11.Win8.1.For.LinuxVirtualBox.part1.sfx

Table content overflowing enclosing div

A block-level element like this div is sized to fit the width of its parent, not the width of its content.
At the top level of a document the parent is typically the viewport (the visible portion of the canvas).

If you have a table whose content can't be broken up because it contains no spaces, or because there are lots of columns, then its width may be greater than the viewport, especially on a laptop or mobile browser.

In this instance the content will break out of the enclosing div.

stuff@longstring stuff@longstring stuff@longstring stuff@longstring stuff@longstring breakout

To resolve this, one option is the style display:table. This works with IE 8 onwards and tells the div to display as a table.

stuff@longstring stuff@longstring stuff@longstring stuff@longstring stuff@longstring enclosed

Alternatively, use the style float:left. This works with IE 6 onwards.
When an element is floated it uses its defined width or, if the width is auto, it shrinks to fit its content.
The W3C defines shrink-to-fit at http://www.w3.org/TR/css3-box/#shrink-to-fit

stuff@longstring stuff@longstring stuff@longstring stuff@longstring stuff@longstring enclosed