Immutable assets with unique URLs in WordPress for enqueued JS and CSS files

If you’re utilizing the browser cache correctly, you’ll gain huge performance benefits for your users, as well as save bandwidth and server capacity which equals to saving money. To do this right, you must create unique URLs for all versions of your resources, and tell them to never ask for the content again by telling the browsers that the assets are immutable resources.

Continue reading “Immutable assets with unique URLs in WordPress for enqueued JS and CSS files”

Do you want my time for free?

Publishing open source software or articles for free is very giving. Not only does it give you a warm fuzzy feeling inside when someone appreciates what you release, but it can also have other indirect consequences that give you a happier life.

But when something is free – as in no cost – people will also often turn to a mindset where they don’t appreciate your effort, time or value as a human being. For some reason, some people forget all about being polite and demands that I give them professional support because they can’t read instructions, don’t know what they are doing, or just feel like their time is much more important than mine.
Continue reading “Do you want my time for free?”

Moderate WordPress comments with WP-CLI

I very much appreciate comments that bring new insights, corrects my errors, or leaves a thank you note. But even so, it is a bit tedious to moderate comments. Though logging into WordPress – even with two-factor authentication enabled – isn’t much of a hassle, it is still a nuisance when you just want to approve or trash a couple of comments.
Continue reading “Moderate WordPress comments with WP-CLI”

SVG uploads in WordPress (the Inconvenient Truth)

Enabling uploads of SVG files in WordPress is quite easy, and there is a tonne of posts on the Interwebs explaining how you do it. Usually along the lines of:

And that’s pretty much it.

Except it is not.

Continue reading “SVG uploads in WordPress (the Inconvenient Truth)”

Run all due cron events for WordPress with WP-CLI

Running a real cronjob is much more reliable than WordPress’ built-in “maybe-will-trigger” solution. But if you’re running a multisite network, you have to add a crontab entry for every site you set up – which is tedious. Thanks to WP-CLI, we can use a small bash script instead, which will run all due events for all sites for us. Oh, and it works for single sites as well. Continue reading “Run all due cron events for WordPress with WP-CLI”

Restrict allowed HTTP methods in Nginx

Security vulnerabilities are often exploits of software that fails when trying to deal with unexpected input. Other times they are exploits of a misconfiguration or a service that unintentionally was open to the public.

For the above reasons, we should limit as much as possible what services are exposed to the public and limit as much as possible what they do and accept from the visitors. To follow those security principles, we should only allow the HTTP methods for which we, in fact, provide services. Under all normal circumstances, that would be the methods GET, POST and HEAD.

Continue reading “Restrict allowed HTTP methods in Nginx”

Block access to PHP files on your WordPress site with Nginx

In your WordPress site, there are directories that include PHP files that visitors should never be able to access directly. They are only there for WordPress to function as an application that runs on your server. But because of WordPress’ directory and file structure, they are kind of accessible to the public. All of them are meant to be part of a larger application – WordPress, that is – and should not cause any harm if called directly – that we know. Some of the files execute some code even when ran standalone. An attacker might know of a clever way to make that code run in an unexpected manner, causing harm. To be on the safe side, we should deny access to all these PHP files from the outside world. Since we block access to them in our Nginx configuration, PHP will still run them as usual and WordPress will work just fine.

Continue reading “Block access to PHP files on your WordPress site with Nginx”

Restrict access to the WordPress dashboard by IP address in Nginx

If you have a static IP address, like from your office, or your own private VPN, you can increase your security tremendously by restricting all logins to that IP address. The effect is that even if an attacker knows your login credentials, they will not be able to log in or access any part of the WordPress Dashboard.

Continue reading “Restrict access to the WordPress dashboard by IP address in Nginx”

Redirect all HTTP requests to HTTPS with Nginx

All login credentials transferred over plain HTTP can easily be sniffed by an MITM attacker, but is is not enough to encrypt the login forms. If you are visiting plain HTTP pages while logged in, your session can be hijacked, and not even two-factor authentication will protect you. To protect all info sent between your visitors – which includes you – and your web server, we will redirect all requests that are coming over plain HTTP to the HTTPS equivalent.

Continue reading “Redirect all HTTP requests to HTTPS with Nginx”

Two Factor Authentication for WordPress

If you’re using a strong password, brute-forcing is a very inefficient way of breaking into your WordPress account, and if it is really strong, dictionary attacks won’t help much either. However, there are are other, easier, ways for a mischievous person to get their hands on your login credentials e.g. with phishing, keyloggers or a MITM attack. By using a two-factor solution, you will increase your login security by an order of magnitude. Continue reading “Two Factor Authentication for WordPress”