Development Notes #2: WordPress suggestions and practices are awful when it comes to security

Photo by alx_chief

A disclaimer: This post doesn’t have anything to do with the core team or their roadmap.

As with anyone doing software development, when we have questions one of the things we have to do is use a search engine. The documentation in WordPress can sometimes be extremely vague, or at times a hook or filter I need exists but I end up reinventing the wheel, only to be annoyed that it was already there and my time has been wasted.

One of the things that really stood out is the amount of really, really bad recommendations: some of the answers are copy/pasted from other answers, and the person writing the answer may not have come to the realization that WordPress’s way of naming its hooks and filters can come across as vague.

And to no surprise, I’m talking about:

is_admin()

The is_admin() function is meant to just check whether you are within the administrative interface; it does not check who the user is or what they are allowed to do. But given the rather free and exposed nature of WordPress it’s also a function that can have unintended effects. For example, some plug-in creators don’t develop plug-ins with security in mind: I’ve noticed with a plug-in that I use that anyone could literally change the configuration of my plug-in as long as he/she is registered.

But the problem goes deeper. The workflow that WordPress has introduced over the years is a bit convoluted. A plug-in is literally a free soul attuned to its environment; it’s a vacuum that receives all types of requests.

is_admin(), while it is an offender, isn’t the whole story. Some plug-ins aren’t aware of AJAX/RESTful calls, so they end up blocking those calls because the plug-in expects the call to happen while a user is in the admin interface. That may also break features that are meant for the public, depending on how things have been laid out.

I feel like while WordPress does tell the developer “hey, you can use this to achieve this”, it doesn’t instruct the developer on “hey, that’s cool you are using our hook/filter but before all that you should check out documentation on security and understanding the functions you need to safely provide resources to your users.”

But it’s not only a thing about security. Like I said, a plug-in in WordPress is a free soul. It listens to all requests, meaning the developer has to devise a way to tend to the needs of:

  • public requests
  • private requests (within admin)
  • public (ajax/RESTful)
  • private ajax(RESTful) (within admin)
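As an added example (not code from this post or from any plug-in it mentions), here is a hypothetical plug-in’s settings handler written the is_admin() way beside the same handler guarded the way the four request kinds above call for: a nonce plus a capability check for form posts and AJAX, and a permission_callback for REST. All hs_example names and the option name are made up for the illustration.

```php
<?php
// Added example (not from the post). A hypothetical plug-in "hs_example" whose
// settings handlers show the is_admin() misunderstanding described above:
// is_admin() only says "this request targets /wp-admin/" and is even true for
// admin-ajax.php calls from logged-out visitors; it says nothing about the user.

// Shared input sanitizer (hypothetical settings shape: one text label).
function hs_example_sanitize( $raw ) {
    $raw = (array) $raw;
    return array( 'label' => sanitize_text_field( $raw['label'] ?? '' ) );
}

// BEFORE: is_admin() treated as an authorization check. Any logged-in
// subscriber who reaches this code path can overwrite the settings, unsanitized.
function hs_example_save_settings_insecure() {
    if ( ! is_admin() ) {
        return;
    }
    update_option( 'hs_example_settings', $_POST['hs_settings'] );
}

// AFTER (form post to admin-post.php): authenticate the request (nonce),
// authorize the user (capability), then sanitize. is_admin() plays no role.
function hs_example_save_settings() {
    check_admin_referer( 'hs_example_save' );          // nonce from wp_nonce_field()
    if ( ! current_user_can( 'manage_options' ) ) {   // who may change settings
        wp_die( 'Insufficient permissions.', 403 );
    }
    update_option( 'hs_example_settings', hs_example_sanitize( $_POST['hs_settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=hs-example&saved=1' ) );
    exit;
}
add_action( 'admin_post_hs_example_save', 'hs_example_save_settings' );

// AFTER (AJAX): registered on wp_ajax_ only, so logged-out requests never reach
// it (no wp_ajax_nopriv_ hook), and the same two checks decide.
function hs_example_save_settings_ajax() {
    check_ajax_referer( 'hs_example_save' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'hs_example_settings', hs_example_sanitize( $_POST['hs_settings'] ?? array() ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_hs_example_save', 'hs_example_save_settings_ajax' );

// AFTER (REST): the public/private split lives in each route's
// permission_callback, not in is_admin() (which is false for REST requests
// anyway). A public read route would be a second entry with its own callback.
add_action( 'rest_api_init', function () {
    register_rest_route( 'hs-example/v1', '/settings', array(
        array(
            'methods'             => 'POST',
            'permission_callback' => function () { return current_user_can( 'manage_options' ); },
            'callback'            => function ( WP_REST_Request $req ) {
                update_option( 'hs_example_settings', hs_example_sanitize( $req->get_params() ) );
                return rest_ensure_response( array( 'saved' => true ) );
            },
        ),
    ) );
} );
```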

That aside for a moment, I have actually enjoyed my time developing my plug-in. I can’t wait to use it in public myself, but it’s under heavy development.

One of the things I love is how flexible, extensible and versatile WordPress is in the way it does things. It takes very little effort, or none at all! But as with all things, it’s also super easy to mess up your code and leave yourself wide open to attacks.

And I fear that while WordPress has vast amounts of plug-ins out there, the bigger question is: how many of them are secure?

Would the fault lie with the WordPress core team not communicating things? Would WordPress StackExchange need to go on a purge to flag all high-risk answers?

It’s food for thought, honestly. Personally, we are already here, and I’ve seen their new documentation and it’s amazing, but the people who are writing plug-ins may not be aware of such documentation, and maybe being more vocal about security isn’t a bad idea.

DNS Updates

Small update that the site is currently switching over to new nameservers and it might not work for everyone. Propagation usually takes 48 hours.

Hello, WordPress, great to see you again! Development Notes #1

This week has been extremely busy for me. It’s been a while since I worked on the development of a new site. A lot of what I’ve done this week has been pretty much the definition of: “Can I do this with WordPress?” *proceeds to poke the code with a stick*

And so far the answer has been yes; a lot of the difficulties I thought would cause me a lot of headaches have turned out to be great. Yet I don’t want to make it sound easy either: I have spent a lot of time reading documentation and going back and forth with the core code. Why go to the core code, you wonder? Surprisingly, because the answers I sought weren’t found on Google.

A lot of the answers became more of a sales pitch: “Hey, what’s up, my company works on this plug-in, it just costs $60 monthly”. Quite frankly I’m not against making a living out of this at all. I’m gearing myself towards this as well.

As I progress I notice a lot of potential that can be untapped with WordPress… it’s actually insane how much you can do with it, and the nature of how you do business with WordPress code always feels slightly primitive. It’s like having a piece of software akin to Slackware, with a lot of well-tested scripts to power through the OS, except that here you have a lot of scripts and tiny functions that can be overridden or filtered.

WordPress is honestly a miracle that has stayed glued together.

You still find code from the WordPress 1 or WordPress 2 versions hanging around in 2020.

Overall, it’s been a great experience. There were some things with the structure that took me by surprise, and in the long run it makes sense to have it that way.

I’ve also been using Visual Studio Code, which so far has been a delight to use. I thought about paying for PHPStorm but ultimately… the experience provided by Visual Studio Code suffices.

Evolving the site and giving everyone their place to talk. Humble Spaces™

Photo by Lilac and Honey

As of late I’ve been thinking of expanding this site into something else. It’s been a long time since I’ve done something community-driven and for someone who moderated communities a long time ago I guess there’s a small part of me who feels a tiny bit uneasy.

Well, in general handling people is never easy in any profession.

The Humble Spaces thing is a joke… kinda. I mean, in a sense I’m giving you the space to have your own thing going. I also don’t usually talk much about what I do; I’ve always adopted the idea that it’s better to speak with actions rather than words. Words are cheap, actions solidify your commitment to what you have planned. Excitement gets the best of us, and it has happened that sometimes I get overly excited about something and talk about it endlessly, but at the end of it it’s all hot air, nothing. So, in a sense I actually dislike talking about things that I have in mind for the future because I consider it a taboo, something I’ve instilled within me as a code to follow.

I do think it’s the best approach and for whatever it’s worth it’s more of an experiment than anything else. I don’t think I’m going with the mindset that suddenly it’ll be flooded with people.

I ended up choosing WordPress as my go-to content management system. At some point, and it happened again this year, I usually prefer to create my own stuff, but the truth is that it takes 10-15x the effort to roll out your own for an audience that may not be there at all.

WordPress fits the bill in almost every area. It’s easy to use, it’s manageable, and it has all the tools I need for people to use. PHP 7.4 is around the corner for me; I could go ahead and make it available now, but I’d rather wait for Ubuntu Server 20.04.1 because it’d be fewer headaches.

There are some integration things that I want to do to broaden the way the audience shares their content. But ultimately, my expectations are that I just gotta keep working on it.

I do subscribe to the ideas of Jeff Atwood. I’ve always wanted to get better at writing, but there’s a huge part of me that fears writing. Quite honestly, you can’t get good at something if you don’t practice every day or at least a few times in a week. And what I mean by all of this is that you’ll see more content from me. I will continue writing more, and I hope that once the site has expanded that you also join me in writing and speaking your thoughts.

Sometimes I wonder if WordPress is unbeatable…

For years I’ve been looking at possible replacements for WordPress. I’ve thought about Drupal but it requires too much time to set up to bother. I did like Movable Type when it was open source ages ago, but that somewhat died really quick as well… plus you needed to have extensive knowledge of Perl to get somewhere programmatically, something I didn’t have.

Checking other languages like C#/Java/NodeJS, there seemed to be good contenders… but in the end it was a mix of:

  • How much time do I really want to spend on this?
  • WordPress is extremely well documented with its StackExchange site as a backup if things go wrong.
  • The Ghost blogging platform looked like a great contender, but at the time there wasn’t much documentation on how to create plug-ins. Plus it would defy my “how much time do I really want to spend?”
  • PHP is still one of the easiest languages to get around. And like JavaScript, it’s also a language you can mess up pretty quickly or misunderstand.
  • On an unrelated note, I’ve noticed the PHP community has gotten worse? There seem to be a lot more zealots than in the old days, when everyone was just happy with what they had. Most of my fond memories of the PHP community are of how open it was to help.
  • On another unrelated note: the Python community is still one of the most loving, helpful groups of folks, beating almost any other community. They are chill and ready to help.

Unrelated notes aside… it seems that even in 2020 WordPress remains one of the strongest platforms ever created. It’s easy to get into, easy to work around changes, easy to do stuff.

If you have any open suggestions just let me know below if you ever stumble upon this article.

It’s good to be 127.0.0.1(home): New (blazingly fast) host

Hurrah!

I’ve been meaning to actually move this site to a new host. Not just this site but all the other sites that are under this… I can say that I’ve been successful, and it took me a sweet 3 hours to configure everything.

Ouch!

Now, usually moving large amounts of files is something I don’t even bat an eye at. I just put my trusty rsync command to work to do its magic and get all the files transferred.

What took me a bit was the MySQL configuration part. Now it actually has more secure configurations, so it’s really nice, but… I had users bound to specific IP addresses that I’d forgotten about. Testing nginx configurations was remarkably fast… to the point I was surprised how little you need to get nginx running. I also have extra users for PHP-FPM so they run isolated from everything else.

What’s left is a series of security configurations and updating the backup script I’ve used for all my sites.

All in all. I’ve been meaning to do this for a long time. Yay me!

This world has been connected aka “this site is live again”

As you can guess, this site is back. I had a couple of hiccups with SSL, as the renew in certbot wasn’t working correctly. I didn’t sweat the issues, but it did take me a while to figure out why the site wasn’t loading. Turns out that I had a WordPress plugin that enforced HTTPS, thus making my nginx redirect to https.

I like https. But seeing that it has become a bit of a hassle to maintain, and I only blog on a monthly basis, I don’t see why I should consider SSL anymore.

I ended up mass updating a lot of stuff in the database to clean out any https reference that belonged to my site. It turns out that storage.thehumble.ninja has been offline for 2 months now. There’s a quick fix coming for that.

Site updates: Done, and done.

I finally finished moving everything off Microsoft Azure. Using Azure made me realize that, as much as I wanted to use it, it was just a huge money sink for what I was going to use it for. Over the days that passed I was just pondering whether or not I should stay with Azure. It didn’t sit well with me paying additional fees for bandwidth, disk performance (reads, writes, premium, standard), and other types of details.

I hope that in a near future Microsoft Azure offers a B-series virtual machine with the capability of reserving bandwidth capacity. It’s a much needed feature for customers that have small or medium sites. I know that most of Azure is managed, as in, if I open a ticket the standard support is supposed to do the work and investigate what’s going on. I know it’s not profitable assigning so many resources to support small/medium customers when you want to keep that response time low for enterprises.

I hope that in the following days I have the time to write a long-winded post about the cloud and the current prices. In fact I’m hoping to talk about Linode, Digital Ocean, Scaleway, and other services where I spent my time doing setups.

Now, having said all that, I ended up at ArubaCloud. I thought long and hard about it. I gathered that many people didn’t have problems with them. I’m actually excited because not only did I get a low cost out of it, but I can now create actually affordable virtual machines based on current needs: Do I need an e-mail server? Let me spin up a VM. Do I need an additional SQL server? Let me spin up a VM and see if I can even out the current load.

I ended up creating a setup I really liked. For a long time I wanted to have the SQL server separated from NGINX/Apache, and with ArubaCloud that was made possible, so now I have a dedicated SQL server serving this site and an HTTP server (nginx) serving all dynamic/static data. I loved working with UFW, setting up the firewall, fail2ban, etc. I think if I had to put the steps in order it would be like this:

  • Spin up a VM in ArubaCloud with Ubuntu.
  • Notice that it doesn’t have the latest Ubuntu, but that’s okay; from Ubuntu Xenial I can jump to 18.04.
  • Run do-release-upgrade -d and it will guide you through the process.
  • Once upgraded, which shouldn’t take you more than 30 minutes, apply security settings to sshd_config and add the rules I need to protect my VMs with UFW, which is a tool to simplify firewall management.
  • Install fail2ban, change the SSH port and so on.
  • Configure server roles (DB and HTTP server in my case).
  • Install LetsEncrypt’s amazing certbot.
  • Generate certificates for your site and be sure to enable SSL on your virtual host.

And the steps go on and on and on. It looks tedious, and sometimes it is. I enjoy setting up my environments. After all the configurations were done?

I had a few hiccups with the MySQL server. I wasn’t getting a decent response time; I think it was a network issue, because as I’m writing this the response times have improved greatly.

There are still a few security enhancements I have left to do, but they aren’t exactly priorities. I feel incredibly accomplished with my little journey of configuring my first remote MySQL server and making it work with the HTTP server. At first sight it isn’t hard, but as you start considering security, things become a bit harder.

 

TheHumble.ninja now with SSL

I’ve made some changes to thehumble.ninja as I plan to restructure the site and start purging content here and there. There’s an article I’ve been wanting to write about saving costs with Azure, the pros and cons of using cloud services, and how scary it can get if you decide to use cloud services like Azure, Google Cloud, etc.

With that in mind I’d like to emphasize that I do like Microsoft Azure and would love to use it without the constant fear of overage charges, but that’s another subject that won’t be discussed here at all. Now, going back to Azure I’ve read two articles from Scott Hanselman where he goes over demonstrating how to use Azure and deploy cheap containers.

In an ideal world, I would have supported every word he said. Using containers is amazing, wonderful, and just plainly awesome. It gives you that control of isolating services (mysql, httpd, mail, etc) into separate containers and you can cram as many, MANY, applications in your app service plan.

But I can’t simply support it, and it’s honestly for a very silly yet incredibly harmful reason that I can’t agree that Azure is cheap. It’s harmful for anyone that wants to run a personal project or site. If you have disposable cash and have never in your life budgeted for a single thing, then Azure is for you.

Bandwidth is my biggest concern. Not just for Azure, but for any cloud service. I think Azure VMs are decently priced and competitive; heck, I even thought of paying for a reserved instance myself for this site (well, the many sites hosted on it). As of today, 1TB is $88.65 USD. If that’s not expensive for you then sir, by all means go for Azure, as I won’t stop you. But an average joe with an average job like me who just wants to write and deploy personal projects to the web? 88 bucks is too much, plus all the calculated prices on top of it.

My suggestion to Azure team? Include bandwidth packages in App Service Plans, offer reserved instances to containers/app service plan and I’ll be more than happy to subscribe for the years to come (as long as the prices are reasonable). And it doesn’t have to be 1TB exactly. I think we all need that safety net most service providers offer with VPS and we don’t have that in Azure.

Why? Imagine a scenario where an individual is targeted. See, if the person gets DDoSed, Azure has basic protection and I’m sure it can withstand any attack. More so if you have Cloudflare as your front and you keep a good chunk of malicious individuals out. But, hey, the malicious individual just found out that for some reason you are using cloud services to host your site and decides to download a 100 megabyte zip archive you offer 1 million times. That’s 100 TB of bandwidth down the drain alone, and I doubt that Azure will throw in the towel and say “it’s ok, we understand you were targeted and attacked, so we will invalidate the bandwidth usage”.

And maybe my example is overly exaggerated, but my point is that even if you aren’t attacked, and you have a medium-sized site with 1TB of bandwidth usage, I highly doubt anyone would pay $88.65 when Digital Ocean, OVH, even Amazon with Lightsail give you that bandwidth cap at a lower monthly price. I get it. They are overselling bandwidth. Any service provider will probably monitor your VM and try to assess whether it’s being abused or that’s just the normal bandwidth usage of the server. If it is? Great, carry on, there’s no abuse involved. Most service providers won’t care in the long run because they have so many customers that use at the very least 3-4GB of bandwidth, and it’s expected they will never reach 400GB of bandwidth as it’s just a bunch of personal sites, etc. Now, if all their customers used 1TB exactly, I guess they’d be running at a deficit. I honestly don’t know much about the deals involved with data centers and network usage, and there are people better specialized in this sort of stuff than me.

In conclusion, because I never meant to write a post this long: as you can see, I want to use Azure, but Azure is a big threat to my wallet when it comes to bandwidth. Do keep in mind that my thoughts on Azure are going to be a larger post than this, but this is one of the issues that I really needed to throw out there to the public.

As for the site, it’s temporarily hosted on an Azure instance until I decide whether to stay or not. I highly doubt I would stay considering the bandwidth concern. I don’t use much bandwidth, but I know sometimes it’s a good 10GB that is used; that doesn’t eliminate the concern though.

 

Site updates

A few weeks ago I wrote about completely stopping creating content for thehumble.ninja. I realized that I wanted to keep creating content and be more active in different communities, share what I have discovered and enjoy doing the process of content creation.

This site will stop being about my life, programming, and career-related stuff. The content I mentioned just now will be moved to a different domain while I repurpose thehumble.ninja to focus on different entertainment mediums: anime, manga, games (and keep linux gaming alive), and tv series. Part of me already thinks it’s a good idea to keep two different things completely separated, and at the same time I wonder if it would lend itself to being more of a “reactionary” type of content, where I react to things as they come. I’m sure I’ll come up with a way to even out the process.

How often the site will be updated will solely depend on my free time. I’m not getting any younger, and my life priorities have changed completely. I’ve had to leave communities and other things to achieve (usually) a short-term goal or just move on with everything else going on. What I’m trying to say is that while I’m happy I’m doing this, I’d also like to focus on other aspects of my life like losing weight, traveling to other countries and, well, seeing other things.