Protecting WordPress From XMLRPC Attacks

A really useful post by NixIntel on stopping XMLRPC calls to your WordPress site totally, using Fail2Ban.

https://nixintel.info/linux/protecting-wordpress-from-xmlrpc-attacks/

The post tells you how to disable xmlrpc.php on Apache using .htaccess.

If you’re running WordPress on Nginx rather than Apache then you can disable xmlrpc in your site’s nginx.conf file by inserting the following in your server block…

# Block xmlrpc.php
location = /xmlrpc.php {
    deny all;            # belt and braces: return below runs in an earlier phase, so this is not normally reached
    access_log off;      # blocked hits no longer appear in the access log (so Fail2Ban won't see them either)
    log_not_found off;
    return 444;          # nginx-specific code: close the connection without sending any response
}
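As an added example (not from NixIntel's post or this page), here is a small Python script that applies the kind of Fail2Ban filter the post relies on to nginx access-log lines, and reports which clients exceed a maxretry/findtime threshold for POSTs to xmlrpc.php. The log lines are constructed sample data, and the regex assumes nginx's default combined log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fail2Ban-style filter: a POST to xmlrpc.php, matched against the nginx
# "combined" log format (the `ip` group plays the role of Fail2Ban's <HOST>).
XMLRPC_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /xmlrpc\.php(?:\?\S*)? HTTP/[0-9.]+" '
)

# Constructed sample access-log lines (not real traffic): 203.0.113.7 hammers
# xmlrpc.php, 198.51.100.9 probes it slowly, 192.0.2.44 never touches it.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2020:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2020:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2020:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"
203.0.113.7 - - [10/May/2020:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2020:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2020:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
198.51.100.9 - - [10/May/2020:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.68.0"
"""


def parse_events(log_text):
    """Yield (ip, timestamp) for each line the filter matches; other lines are ignored."""
    for line in log_text.splitlines():
        m = XMLRPC_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")


def count_xmlrpc_posts(log_text):
    """Matched POSTs per client IP: a quick 'who is hitting xmlrpc.php' view."""
    counts = defaultdict(int)
    for ip, _ in parse_events(log_text):
        counts[ip] += 1
    return dict(counts)


def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` matched requests inside any `findtime` window (what a jail would ban)."""
    recent = defaultdict(deque)  # per-IP sliding window of timestamps
    offenders = set()
    for ip, ts in parse_events(log_text):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop hits older than findtime
            window.popleft()
        if len(window) >= maxretry:
            offenders.add(ip)
    return offenders
```

This, like Fail2Ban itself, only sees requests that reach the access log: with `access_log off` in the location block above, blocked xmlrpc.php hits no longer appear there.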

Thoughts on UK Covid19 contact tracing app

Updated 15th May 2020. Added 2 new resources 9. and 10. below…

If you live in the UK then pretty soon you’re going to be asked by the government to install a Covid19 tracking app on your phone.

I must admit that my initial reaction was no way. My trust in this government is extremely limited.

And having an IT background means that my trust in quickly developed, phone-based apps is limited too, so again my confidence in this app was going to be low. It takes multiple months, years even, and multiple software releases to debug an app.

I’m also very concerned about the data privacy aspects of this UK app. Google and Apple, not the most privacy focused companies, are developing a general backend (an “API”) that others can use to develop apps like this. This API actually has privacy aspects built in. Which is surprising for those companies. It’s designed to keep data on your phone – a de-centralised model. But the British government has decided to not use this. They have decided to go with their own centralised model. Data will be stored on your phone and then you will upload it to a centralised government server.

The government wants this because it will allow them to analyse general trend data much better. But it will also mean that they have a complete profile of who you have spent time with, who you associate with, where you go. I think that’s a step too far. The primary purpose of this app is to allow the app to contact people who you have been close to, if you end up with Covid19. To warn them to self isolate. To stop the actual spread. I see big risks in giving the government data that goes beyond that.

I’m also worried about the possible malicious use of this app. It will be possible for people to wander around, maybe sit on the bus or the train with the app. They then maliciously report that they have Covid19. Everyone who has the app also on that bus or train then gets notified that they have been in contact with an infected person, and that they should self isolate for 14 days. The potential for abuse here is huge. This hasn’t really been thought through.

So for now, I won’t be installing the app. For 2 reasons – I don’t trust it; and also it will be worthless for me and those closely around me – because we will continue to social distance even after lockdown is eased. The app will not be useful for me because there won’t be any multiple close contacts around me for it to track. Apart from 3 or 4 people in my close bubble, I won’t be having that contact.

However, if you have to travel for work, or other reasons, and will have to mingle closely with other people then it may be useful for you. Make up your own mind. I have listed multiple links below to sources that you may find useful…

1. Evaluating COVID-19 contact tracing apps? Here are 8 privacy questions we think you should ask – Imperial College London, April 2nd 2020

2. NHS rejects Apple-Google coronavirus app plan. BBC News. 27th April 2020

3. Coronavirus: NHS virus tracing app could be used in Wales. BBC News, 4th May 2020

4. Everything you need to know about the NHS Covid-19 tracking app. Wired UK. 4th May 2020

5. UK COVID-19 contact-tracing app data may be kept for ‘research’ after crisis ends, MPs told. The Register. 4th May 2020

6. UK finds itself almost alone with centralized virus contact-tracing app that probably won’t work well, asks for your location, may be illegal. The Register. 5th May 2020

7. UK eyeing switch to Apple-Google API for coronavirus contacts tracing — report. TechCrunch. 7th May 2020.

8. Coronavirus: NHS reveals source code behind contact-tracing app. BBC News. 7th May 2020

9. NHS contact tracing app isn’t really anonymous, is riddled with bugs, and is open to abuse. Good thing we’re not in the middle of a pandemic, eh? The Register. 14th May 2020

10. Contact-tracing app tests on the Isle of Wight show that technology is not the solution. ComputerWeekly. 15th May 2020

Ghost or WordPress for blogging?

I’ve been a big fan and user of WordPress for quite a few years now. I have a few personal websites that I self-host and they all use WordPress, installed on my own server. For this blog I didn’t want anything sophisticated – I just wanted to have something that I could host myself that allowed simple posts with some embedded photos / graphics. Good image support is important to me – the ability to easily resize and insert images, with good control of image position and text flow around the image. I had seen and tried Ghost before and decided to give it a try again for this blog.

I downloaded and installed v1.19.0 of Ghost. It was relatively easy to install. It comes with a good install script and configured Nginx and LetsEncrypt SSL correctly. The LetsEncrypt certificates were installed using an acme.sh script which I don’t really understand or use in the same way. All my other LetsEncrypt certificates were generated using the certbot-auto script. So I stripped out the certificates that had been installed by the Ghost install, and re-installed using the certbot-auto script so that the certificate configuration, location and renewal script would work the same way as my other existing certificates. This was just to keep consistency across all my websites. I’m sure that the standard LetsEncrypt SSL install would have worked fine.

The only problem I had was with the MySQL install. By default Ghost will use a file-based database called SQLite and I recommend that you use that. However, I optionally decided to use MySQL for the install. The install script gives you that option but it didn’t work for me. I had to manually create the MySQL database and database user. But once I did that then I re-ran the install script and it continued the install.

How to manually create a MySQL database and user (this is the MySQL 5.x / MariaDB syntax; MySQL 8.0 no longer accepts IDENTIFIED BY inside GRANT, so there you create the user with CREATE USER first and then GRANT without that clause):

$ mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5340 to server version: 3.23.54

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql> CREATE DATABASE databasename;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON databasename.* TO 'username'@'localhost' IDENTIFIED BY 'password';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

mysql> EXIT
Bye
$

I started using Ghost using the standard out of the box theme that comes with the install. Posts (or stories in Ghost terminology) are easy to create. It uses the Markdown markup language which I hadn’t used much before, but it’s quick and easy to learn. The editor has a set of common formatting and styling buttons that you can apply to your post. This includes image uploading and insertion. For more sophisticated styling you can also use HTML.

Compared to WordPress it’s a lot simpler and more focused. You’d expect this. The project has aimed at keeping it simpler and it’s been around for a much shorter period than WordPress. However, for me, it lacked the ease of control that WordPress gives me. Yes, you can add your own CSS to do whatever you want, but I found fairly quickly that I was adding extra CSS for this and for that. In the end it came down to image handling – I wanted more control to easily resize and position images using the on-screen editing buttons. And this was missing for me.

As a simple blogging platform Ghost is great and if you have time to customise the CSS and themes to suit then you can get it to work exactly the way that you want. I was particularly impressed by the install scripting and even the uninstall “ghost uninstall” worked well.

I’m very used to WordPress, and like the control that it gives me out of the box. So swapping across to Ghost wasn’t going to be easy.

This blog now runs on WordPress 😉

What are Microservices and Microservice Architecture?

Microservices by Paul Downey - https://www.flickr.com/photos/psd/

A few of my colleagues have been asking whether we should use microservices for our application design pattern. As usual I’m always a little behind the times on new design patterns so some research was needed…

A quick search on the web brought up a few interesting articles/resources:

In summary:

  • The microservice design pattern originated around 2012 and became more established from 2014.
  • Definition:

Microservices – also known as the microservice architecture – is an architectural style that structures an application as a collection of loosely coupled services, which implement business capabilities. The microservice architecture enables the continuous delivery/deployment of large, complex applications. It also enables an organization to evolve its technology stack.

Credit: http://microservices.io/

  • Microservice patterns focus more on the product than projects – it breaks apart monolithic applications into product focused modular services.
  • Building an application can mean that you need to call multiple microservices at the same time to support the required application capability.
  • SOA is a strategic initiative to change the IT of the whole enterprise, separating it into different services, thereby allowing the enterprise to be more flexible.
  • Microservices are a way to structure a specific application, involving only the team responsible for the application.


Thanks to Paul Downey https://www.flickr.com/photos/psd/ for the post image.