WebSite

Secure WordPress Administration For Free

Many months ago I noticed that I logged into my blog over plain HTTP and thought to myself that I really must do something about that one day. And that day is… well… a couple of days ago! I honestly was never really too concerned about logging in insecurely as the chances of anyone actually wanting to gain access to this blog and being in a position to exploit the insecure login is minimal. My guess would be that the majority of self-managed WordPress installs are administered over plain HTTP.

So apart from general apathy, what kept me from fixing this? Cost was probably the main issue… Any cost for an SSL certificate would not be particularly justified in my case. I also did not want to use a self-signed certificate as I find the security warnings that all web browsers give about untrusted certificates annoying enough to not want them on my site. That also rules out the free SSL certificates from CAcert, as the CAcert root certificate is not included by most browsers by default.

Then I saw a post somewhere about the free certificates given out by StartSSL. The price is right and the root certificate is commonly included so all seems good. There is not much actual validation that goes on to get one of these – my email and domain name were “verified” by sending emails… – so they would not be good for any site where trust is actually needed (such as anything where any personal and financial data are being collected).

Once validated, all I had to do was provide a CSR and they provided me the certificate. My webhost then uploaded that certificate and broke everything! The HTTPS version of my site was giving the error “ssl_error_rx_record_too_long”, which is actually quite uninformative as it covers a wide range of actual issues, and the HTTP version for some reason lost all access to files even though they were clearly still there when I checked. This took me a few hours to notice as I had to wait for the DNS entries to propagate, so the issue was reported at 5pm on Friday the 30th of December… I really thought my website would be down until the 3rd of January when the support desk reopened, but everything was fixed a few hours later. So good service given what I pay, but the whole issue could have been avoided with a simple check at their end once the SSL certificate was installed.

Once you have your SSL certificate installed and ready to go, making WordPress enforce SSL usage for all administration tasks is simple: add the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Now all your blog administration is secure(ish). The final thing to do was to check whether browsing my website using HTTPS worked… No, it did not! I was getting messages about the site only being partially encrypted. A quick search showed I serve all my images using the full URL rather than a relative one. I did this because a certain Linux distribution’s Planet feed did not show images otherwise (or at least that was the case a long time ago – I have not tested lately). I could go through and adjust all my image links to use HTTPS, or just disable HTTPS access to my website. I chose the latter as nothing on my site is that important that it needs to be encrypted and I thought it would be the quicker option… Several hours later and this is the rule you need to add to your .htaccess file to achieve this:

RewriteCond %{ENV:HTTPS} on [NC]
RewriteRule !^wp-(admin/|login.php|includes/|content/)(.*)$ http://allanmcrae.com%{REQUEST_URI} [R,L]

The only real trick there is that the WordPress login and administration interface uses files from the wp-includes and wp-content directories, so they need to be excluded from the RewriteRule.
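Before giving up on HTTPS for the whole site, as the post does, it is worth knowing exactly which absolute http:// URLs are causing the “partially encrypted” warning. The scanner below is an added example, not code from the post: it walks a page's HTML, reports sub-resources fetched over plain http:// (ignoring plain links and rel=canonical, which are not mixed content), and suggests a protocol-relative rewrite for same-host resources. The sample HTML and the theme/upload paths in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Attributes the browser fetches as sub-resources: a plain http:// URL here on an
# https:// page is mixed content; an http:// <a href> is only a link and is not.
RESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "link": ("href",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "embed": ("src",),
}

class MixedContentScanner(HTMLParser):
    """Collect (tag, url) for every sub-resource requested over plain http://."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":  # only stylesheet/icon links fetch anything; rel=canonical is metadata
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if value and urlsplit(value).scheme == "http":
                self.findings.append((tag, value))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

def suggest_fix(url, site_host):
    # Own-host resources can drop the scheme (protocol-relative URL) and follow the page's
    # scheme; third-party ones are switched to https://, which needs that host to serve TLS.
    p = urlsplit(url)
    if p.hostname == site_host:
        return "//" + p.netloc + p.path + ("?" + p.query if p.query else "")
    return "https://" + url[len("http://"):]

# Constructed sample page (not from the blog) with absolute URLs as the post describes.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://allanmcrae.com/wp-content/themes/example/style.css">
<link rel="canonical" href="http://allanmcrae.com/blog/2012/01/example-post/">
</head><body>
<img src="http://allanmcrae.com/wp-content/uploads/2012/01/bandwidth.png">
<img src="//allanmcrae.com/wp-content/uploads/2012/01/relative.png">
<script src="https://example.net/lib.js"></script>
<a href="http://example.com/">an http link is not mixed content</a>
</body></html>"""
```

Running `find_mixed_content(SAMPLE_HTML)` reports only the stylesheet and the first image; feeding it a saved copy of your own page shows what would have to change to keep HTTPS enabled site-wide.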

So… remember how I said self-signed certificates were annoying as all visitors to the site would get a warning? Well, now that I force HTTP usage, that whole argument is irrelevant, as only I would see the SSL certificate when I access the administration interface. But I at least have the option of serving parts of the site over HTTPS using a recognized certificate if I ever feel the need.

Posted in WebSite on January 2nd, 2012 by Allan – 6 Comments

Where Did My Bandwidth Go?

Here is what happens when you make a post with around 2MB of images in it…

Bandwidth Usage

That was a spike from my usual 100MB bandwidth use a day to over 2GB! I usually only use about 2 or 3GB for the whole month, so that was a bit of a surprise. Also, I only pay for 25GB a month so if it sustained at over 800MB a day I was going to be in trouble… (well, it would only be $2 more for an additional 50GB, so not too much trouble!)

So where did all that bandwidth go? Looking at my blog access stats, only about 20% of it is from people actually visiting my site. So the rest seems to come from people looking at my RSS feed, either directly or through sites like Planet Arch Linux that syndicate the feed.

That means I could drastically reduce my bandwidth usage by posting only a summary to my feed. But given I really dislike seeing only article summaries in my feed reader, it is not something I would really want to do. It is not as if my site has any advertising, so there is little point driving people here. Also, I would probably need to spend a few hours getting WordPress to actually provide summaries in the feeds the way I would like them (because WordPress never does anything quite “right”…).

Posted in WebSite on July 23rd, 2011 by Allan – 8 Comments

Site Fully Restored

After some interesting attempts at importing my old posts and comments, followed by some manual post recovery and editing of the MySQL database, it appears my site is completely restored and running on my new host. All files should hopefully have migrated too… but let me know if you spot anything missing.

While I was restoring everything, I took the time to update my theme and make my modifications the proper way using a child theme. I’m still not 100% satisfied with the adjustments; the menu at the top could be reduced in height by a few pixels and the line under the header should always span the page. I am entirely stuck on how to achieve those, so I would be very appreciative if any CSS experts out there want to post fixes for those.

Now, on to posting the insightful blog posts I am so well known for!

Posted in WebSite on February 19th, 2011 by Allan – 3 Comments

Moving Hosting Providers

After struggling with my current provider and their unstable MySQL server for the past couple of months, the final straw came when the posts table from my WordPress database simply vanished. So it is goodbye to 000webhost and your free hosting (hence not too much complaining from me…).

Given my total website requirements are modest – WordPress (PHP-4.3 and MySQL-4.1.2) and some file hosting – there is little point in me getting a VPS (and having to figure out how to set all that up!). So I am giving Laughing Squid a go. I figure you cannot go too far wrong at $6 a month.

So now I just have to restore everything… These things always happen when you have critical deadlines for work, so this will take a few weeks. I have backups to restore from (although a couple of my recent blog posts are missing and require rescuing from the Google cache), so everything will be back eventually.

Edit: comments have been temporarily disabled to make my restore easier.

Posted in WebSite on February 9th, 2011 by Allan – Comments Off

Spam, Spam, Spam

I had turned off the need to moderate comments before their appearance on this blog as an experiment to see how long it took for spammers to start posting. Turns out, it was not very long… but taking 25 days is still slightly longer than I had expected. So comment moderation is turned back on.

While most spam is obvious posting of links to websites, I just do not understand some of the spam that I have received. One IP address (which is well known for its spam) posted messages like “The best information i have found exactly here. Keep going Thank you” and “Hi, very nice post. I have been wonder’n bout this issue,so thanks for posting”. Do a Google search for those phrases and note how frequent those exact comments are. What is strange is that the “people” posting these comments seem to have nothing to gain, at least initially. They listed their website as google.com and their email address is not shown so no-one can reply to them. I suppose they want to get through that initial moderation phase so that they can post unhindered crap in the future. You have got to admire their determination…

Posted in WebSite on June 17th, 2009 by Allan – 4 Comments

New Site!

The death of Google Page Creator (and the inability to do anything decent with Google Sites) has finally pushed me to get my own domain and make a “proper” website. Now all I have to do is figure out how to make my WordPress install look semi-decent. This could take a while…

Edit: decided to go with a slightly modified simpleX theme for the time being. There are a few things I still do not like about it but it is better than the default WordPress theme.

Posted in WebSite on May 18th, 2009 by Allan – 2 Comments