With being used by more than 25 percent of all websites, WordPress is by far the most popular CMS today. This much attention also makes it quite popular among the hackers and script kiddies, which usually rely on automated bots to check vulnerabilities and exploit them. And when successful, enslaved sites generally controlled with commands sent via POST requests.

It's best if you can keep your WordPress core, theme and plugins always up to date, but sometimes this can be problematic with a fairly old instance that can't be upgraded because of an orphaned piece in the setup. Most secure option for such a site would be going static. If that's not applicable because of a function that requires interaction, locking unnecessary features on the webserver level might help ease the pain.

I use Hiawatha for these kinds of legacy WordPress sites. It is an open source webserver with a focus on security; has built-in SQLi, XSS and CSRF/XSRF protection and quite easy to setup. If you are not familiar with Hiawatha, I suggest you to check out the official manual and how-to pages. You can find a step by step guide for a secure Hiawatha installation here.

Creating a chain reaction with URL toolkit

Hiawatha's URL toolkit is where you can perform actions based on the URL or on the URL itself. It is usually used for creating rewrite rules but actually more powerful than that. Using regular expressions, you can match a pattern and redirect it, limit/deny access to it or forward it to a different CGI handler.

It also allows you to perform actions based on request headers of the client, which I use in my solution;

UrlToolkit {
		ToolkitID = allowpost
		Match ^/profile/$ Return
		Header X-Dress-Code black-tie Return
		Method POST DenyAccess
}

VirtualHost {
		Hostname = www.legacysite.tld
		...
		UseToolkit = allowpost
		...
}

What's happening here is we first check with allowpost toolkit whether the user is browsing the /profile/ page, where everyone allowed to POST in our hypothetical setup. If he is, we tell Hiawatha to ignore the rest of the toolkit and carry on. If he is not, Hiawatha will refer to the next line and check his request headers.

In this case, we have defined a custom request header X-Dress-Code and black-tie as the key. So, as long as user is sending our server this header-key pair, Hiawatha again will ignore the rest of the toolkit and the user will be allowed to POST.

Last line of the allowpost toolkit, where user will end up if he's not viewing his profile or not dressed correctly, is self-explanatory. He will be denied of making POST requests.

Dressing up for a formal visit

As you can easily guess, the X-Dress-Code is a totally imaginary header created by me for adding some fun to this boring tutorial :) You can use one of the official headers listed here or define yourself a new one. I suggest you create a custom header for distinguishing your authorized users.

If you opt to tailor your own custom header, you'll need a plugin to pass that to your server. Modify Header Value plugin for Chrome and Firefox can handle this task for you. Here is a sample configuration, click for a bigger version:

Final thoughts

If you are seeing unusual POST requests in your logs and especially those requests are being made to weirdly named PHP files located in places not common for a WordPress installation, your site is probably already compromised.

If somehow you are unable to upgrade your setup, again, it's best if you convert the whole site to a static one and limit CGI execution altogether. Unless that's not really an option, then you might start tinkering with the POST requests. It might let you breath while you clean up things and add further protection for not getting compromised again.

Although it's possible to limit POST requests in different ways with other web servers like Apache and Nginx, I recommend you to use Hiawatha for added security. The solution I offer here involves several checks, so it might hinder your performance a bit, particularly if you are getting a considerable amount of traffic. However, since Hiawatha is also a serious contender in performance, I don't believe it will lag behind of others with similar configurations. Nevertheless, your mileage may vary.

Update: A previous version of this post offered a rather long and complicated solution for the problem at hand. Thanks to Hugo Leisink, the creator and main developer of the Hiawatha, we now have a simpler config.

If you have a server that you are unable to install Debian versions higher than v7.x (code name Wheezy) due to a script dependence, old hardware or lack of time but still need to run Node.js, you must have already figured your options are quite limited.

Debian Node.js repositories for Wheezy are quite old for obvious reasons and maintainers’ choice of changing main node application name from “node” to “nodejs” seems to confuse some scripts. Binary installations of newer versions are also not easy to work with, at least not in my case. If you haven’t figured out already, compiling is your only way out.

Installing v6.x branch from source is possible; however, you’ll still need some modifications in your environment. Main problem is latest GCC version on Wheezy is v4.7.2 and Node.js requires v4.8.5 and up. To overcome this issue, Node.js team decided to build the packages below v6.x for Wheezy with clang-3.4. And, they maintain a compatible package for clang at their Node source repositories. So, first thing you need to do is to add their repos to your apt sources.

apt-get update
apt-get install curl apt-transport-https ca-certificates
echo "deb https://deb.nodesource.com/clang-3.4 wheezy main" >> /etc/apt/sources.list
curl -s https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add -

Then, install clang.

apt-get update
apt-get install clang-3.4

After that, download your Node.js v6.x branch source code tarball and unpack it. Before starting the build process, switch your compiler to the newly installed clang by applying these at the command line;

export CC=/usr/bin/clang
export CXX=/usr/bin/clang++

Carry on with ./configure and make, you should be able build Node.js and install it after the process completes.

This post is derived from the Node Source’s official description of the issue, which can be found here.

OnePlus issued me three more invitations several days ago and if you are still searching for an opportunity to buy a One, one of them may be yours.

Either leave a comment here or contact me via Twitter. You can find my contact information here. They all have 12 hours left, better be quick :)

Update: All gone, will post again if I receive more invitations in the future.

Although I’ve managed to pre-order my OnePlus One yesterday at the latest round, it didn’t take too long to face that the commitment to pay doesn’t enough to get your device shipped immediately. So, I’ve decided not to wait for three weeks in the queue and started to seek an invitation. Well, for two invitations in fact, since I’ve ordered not once, but twice.

Thanks to the generosity of the OnePlus community, I was able to find the invites I needed in less than 24 hours. What came as a surprise was an additional invitation sent from the OnePlus itself, which arrived right after I hit the “skip the queue with invite” button. So, I ended up with a spare invitation at hand at the end of the day, which might be yours if you are interested in buying a One for yourself, too.

Since my motivation was to get rid of the queue I’m in while searching for this invitation, I’d like give it to a person who is in a situation similar to mine. Please let me know if you’ve already pre-ordered your device on the November 17th, and have at least 2 or 3 weeks waiting time before your delivery. I’d be happy to share my spare invitation with you.

Don’t forget to share a screenshot of your order status while asking for the invite, and make your OnePlus account name visible while doing it. You can find my contact information here.

Update: Invitation gone to the person with the longest waiting time in the queue; 5 weeks. None left at the moment, will post again if I receive more invitations in the future.

Play was about six 20 years old soldiers who have been killed in an unnamed war. Their comrades dig a mass grave. But when they laid their bodies in an alphabetic row, the six dead soldiers stand up! They tell that they don’t want to give up their lives they’ve barely begun to experience and refuse to be buried.

We went to see the “Bury the Dead” by Irwin Shaw with two of my friends yesterday.

I don’t know whether it’s because I haven’t seen any expressionist drama before or it was just a sloppy implementation of the original, it felt like a hundred minute long constant pain. I’m no expert in theater, but I still suspect the latter.

According to Wikipedia, play was Shaw’s first and written in 1936. What we saw yesterday was looked like a heavily modified version with more modern clothing, armament, stage, lighting etc. Although the whole play was full of symbols; messages were too direct and the translation of the script was almost soulless.

Play is presented at the Cevahir, I suggest you to stay away from it.

Warning: Spoiler ahead. Don’t go any further unless you’ve already seen the movie.

Just watched the Wreck-it Ralph, which is considered by most of the critics as one of the serious contenders for the “Best Animated Film of the Year” at Oscars.

Movie was fun with lots of carefully crafted references to many popular arcade games, and I was really enjoying it until I see the scene where Ralph returns to the game he belongs with a medal on his neck. There, rather than the standing ovation he is expecting, he finds out that everyone has panicked and left the game. Gene, the only person hasn’t left the building yet, tells him that it’s his fault that everyone is gone. According to Gene, because Ralph left the game, Felix went looking for him and everybody left afterwards because they were afraid of Litwak’s plan to unplug the game in the morning. He tells Ralph, “you actually went and did it”.

After that, we all realize why he wasn’t left and waited for Ralph. Because Gene, who literally started all the adventure by insulting Ralph and refusing him to accept to their “high” society, is a “man of his word”. He throws the key to the penthouse to Ralph with another despising remark; “Well, now you can live alone in the penthouse”. Then we see Ralph standing devastated with a golden key in his hand, while he walks through the door.

I believe this scene ruined the idea behind the whole movie with its flawed message. Accept your place told you by the “higher” members of the society? Obey the hierarchy, or else society will fail and you’ll even lose your beloved dump? This is justifying social stratification, this is praising caste!

In my opinion, instead of receptively listening to his disturbing “shame on you” speech, Ralph should have punched Gene out of the game to the sewers of Mario, so he can chase mushrooms for the rest of his life to get high and dream of a princess that he’ll never reach. Because Ralph didn’t wreck it, they did.

Hope they don’t get an Oscar for this.

Before LinkedIn and Twitter end their partnership last summer, Twitter users were able to post their tweets automatically to LinkedIn. Users were able to choose between sharing all tweets directly and filtering tweets that has a certain hashtag (#in). Since then, the link between two platforms is severed and these options are no longer are available.

However, it’s still possible to automate sharing your tweets to LinkedIn via third party services. There are numerous alternatives here, but I prefer using IFTTT because it has a clever design and offers diverse set of functions across many platforms.

IFTTT is short for “if this, then that”. The service basically connects different apps/platforms to each other with certain set of rules created by users, which they call “recipes”. To automate your tweet sharing, all you need to do is create an account, and link your LinkedIn account to the system.

After that, you have two options:

The easy way: Use my recipe

It’s very easy to create a recipe, but if you don’t have time for it and looking for an easy fix, or just feeling lazy; you can always use the recipe I’ve created, which you can find it below:

• Post tweets with hashtag #in to LinkedIn

As title states, with my recipe you’ll be able to automatically update your LinkedIn status with your tweets containing #in hashtag. Don’t forget to change the “alikuru” at the end of the Feed URL with your Twitter user name; otherwise you’ll end up seeing my tweets in your LinkedIn profile, instead of yours :)

You can also change the hashtag according to your needs (i.e. use #linkedin instead of #in).

The hard way: Create your own recipe

After logging in to the IFTTT, in your dashboard, click “create” and choose “Feed” option for “this”. You’ll have two different “trigger” alternatives. Should you like to share all your tweets to your LinkedIn account, choose “New feed item” here. If you prefer to filter your tweets with a hashtag, try “New feed item matches” instead.

In either case we need our Twitter RSS stream. Copy and paste the link below to the “Feed URL” section. Don’t forget to change “username” with your own Twitter user name at the end of the link:

http://api.twitter.com/1/statuses/user_timeline.rss?screen_name=username

If you have chosen “New feed item” in previous step, hit “Create trigger” first. If you have chosen “New feed item matches”, enter your keyword filter to the “Keyword or phrase” text box before proceeding to “that” (because it saves more characters, I’ve used #in for my recipe).

After “that”, choose LinkedIn between your linked accounts and choose “Share an update”. In the status text box, clear all options and choose “Entry Content” from the drop down menu on the right. Hit “Create action” and save your recipe by clicking “Create recipe” on the next step.

You are done, enjoy the web automation!

Thanks to AOKP, I’ve recently upgraded to Jelly Bean and I met with Google Now. I really liked the idea behind it but, unfortunately, my experience with the Google Now is not even close to what’s been advertised on Google’s landing page for the product. It just couldn’t go beyond displaying weather forecast cards for the days ahead, which is quite understandable considering I’m refusing to turn my search history on :)

Google introduced the Web History in 2005 (was “Search History” back then); I’ve never enabled it, not even tried it once. But I always had the feeling of missing something important.

I’m against the idea of logging the keywords I use not because Google is gathering and storing this information and using it for research, but because search data can reveal particularly sensitive information about you. Like the facts about your political views, religion, health concerns etc.; facts that might create troubling scenarios in certain conditions if revealed.

Let’s be honest; we are not always searching for our favorite sports team’s scores or flight schedules. We sometimes search for our ex girl/boyfriend’s whereabouts or CV of a newly joined co-worker. It gets even naughtier on some occasions :)

You don’t need a massive hack attempt to gain access to someone’s private search history; it just takes a curious co-worker accessing your computer at lunch time (or your pathologically ill-minded girl/boyfriend while you’re asleep?). Also, since recent example of LinkedIn taught us that even the biggest sites with dedicated team of security professionals are susceptible to breaches, we know that that possibility is not a far one either.

I believe that what we need here is a “pause” button. We must be able to suspend our search history for a brief period of time, which will allow us search for our necessary evil off the record, and then go on the record again. What I want is a state comparable to the “incognito mode” offered by most of the modern browsers or “pause protection for 5 minutes” type of flexibility offered by most of the anti-virus software programs. This way, we can enjoy the benefits of our search history without worrying about what might can be discovered if someone digs into our keywords and visited sites.

However, I doubt that Google will ever implement such feature.

Search history is on by default on new registrations (just checked and verified it) and most of the users never realize that Google is recording every keyword they are searching and every search result they are clicking. They just enjoy the “personalized” search experience without knowing the risks. Putting a button near the “I’m feeling lucky” button wouldn’t bring good luck to Google, obviously. So, Google will just ignore this and keep trying to convince people who already disabled their web history with new products like Google Now :)

Well, after the article I’ve just read on the NewScientist blog “One Per Cent”, it’s not really a question for me anymore. I believe it can.

The article I mentioned is about how Twitter data is being used to predict a single person’s chances of getting caught by flu. According to the article, researchers analysed 4.4 million tweets tagged with GPS location data from over 630,000 users in the New York City area over one month in 2010. They used a machine-learning algorithm to tell the difference between tweets by healthy people – who might say something like “I am so sick of this traffic!” – and someone who is actually sick and showing signs of the flu. After their analysis, they were able to predict when healthy people were about to fall ill -and then tweet about it- with about 90 per cent accuracy out to eight days in the future. That’s quite impressive!

Do you know what was the first thing came to my mind while I was reading that result? The data mining experiment carried out by Target, for pinpointing their pregnant customers (a must read, by the way).

It wouldn’t be so hard to use a similar approach here and take advantage of the publicly -and, might I add; also freely– available data for marketing purposes. If you can spot a prospective patient several days in advance of his/her illness, that information clearly gives you the opportunity of mentioning him/her in a tweet like this one at the time when he start feeling his very first symptoms;

Is he feeling feverish? Indeed he is; 90%. You can replace the vitamin C/flu with any relevant condition and product/service combination; as long as there is enough tweet to feed the methodology, it should work. Lastly, we can discover patient’s whereabouts from the location data embedded in his most recent tweet. So, why not point him to a pharmacy? Or, to a health center? Where he can enjoy a carefully crafted Foursquare special discount for his check-in :)

Now, although this sort of targeting has the potential of proving itself very effective, it also has another aspect: it might spook your customers out. In fact, that was exactly what Target experienced on their first attempt to reach out their pregnant customers. When they started sending catalogs with a “Congratulations on your first child!” note attached to these customers, because they’ve never told the company about their pregnancy, it made them uncomfortable.

But, I believe method has space for fine tuning. Target perfected its method with sending out specifically designed catalogs with baby ads looking random. Since people usually don’t consider flu like conditions as private as their pregnancy, it might be easier to find a smoother way for this one.

Anyway, because using publicly available data from social networks has a potential of rendering conventional methods obsolete, I have a feeling that we’ll see scenarios similar to what I’ve described here more often in the future.

Probably more often than anyone of us ever want :)

Images: One Per Cent Blog, gpiron@unsplash and mcfarlandmo@flickr

Although I occasionally whine about it, I can’t give up using Firefox. And, I’ll probably keep using it till Chrome implements native SOCKS support.

I have a ten years old computer at home, which even suffers from the XP version of Windows. That’s why, recently I’ve decided to run Debian on it and I installed Firefox -the original, not the re-branded Iceweasel- as the default browser on Wheezy.

Everything works perfectly, except backspace action on Linux seemed to differ from Windows. While the default behavior for the backspace is to take you to the previous page on Windows, hitting backspace on Linux does nothing. Because backspace is one of my favorite shortcuts, first thing I did was to check whether if there are any references in about:config.

There was and it works :)

According to MozillaZine, the key browser.backspace_action can have two different values: 0 and 1. Article on MozillaZine says that giving a value other than these two will simply unmap the key. Since 2 is the default value on Linux, hitting backspace for going back (or shift + backspace for forward) does nothing on Linux.

Changing it is easy; type about:config on the address bar, dismiss the warning, and then search for backspace. After you’ve located the browser.backspace_action key, highlight it, hit enter and change the value to 0. After you click “OK”, you can start enjoying seamless browsing experience with your browser :)

Google released an interesting new web site dedicated to promote their environment friendly technologies: The Story of Send. According to the site, magic happens through sophisticated and ultra secure data centers, with the help of overweight engineers :)

Site tells the whole story around sending and receiving emails with Google’s mailing service, Gmail. There a lot of videos and pictures embedded throughout the neatly designed web site. Especially how they shred the hard drives that have fulfilled their mission in the data center is quite interesting, don’t miss it.

What really attracted my attention while watching the videos, almost all of the staff shown on them are obese, or overweight at best. Google pays well, apparently :)

Obesity is a serious health issue and I believe companies like Google should care about the overall health of their staff, as much as they do for the environment. I suggest Google management team to Google for “obesity“, as a start :)

Firefox has a feature called “Inspect Element” for inspecting elements on a web page. It allows you to dig deeper in both the HTML and CSS code of a web page and lets you understand the inspected elements position and styling information in the structure. Today, while inspecting the branding features of Johnson&Johnson’s YouTube page, I’ve noticed a “3D” button on the “Inspect Element” bar and found that it takes the experience in a whole new level :)

After a search, learned that it’s been around since de v11 beta and migrated to the v11 stable after testing. If you are interested in learning HTML and CSS, you should try Firefox’s 3D inspection. You can see how browsers implement the code, in a fun way :)

I saw the first of these ads today on Twitpic, one that say “I’ve been tagged” in three photos, and clicked it with curiosity on whether Twitpic started photo tagging on its system or not. It was the official account of the magazine I’m working for, hence it was important to check if the content was appropriate.

After I clicked the ad, it redirected me to an executable file named “etype_setup.exe”. Certainly, I haven’t downloaded or installed the executable on my system. But, since these ads are obviously misleading users to an installation file without any proper description and warning, it feels like a stinky situation.

Is creating its own botnet a new business model for Twitpic?

According to the Next Web, Google is about to launch a third-party commenting system that is very similar what’s been offered by Facebook.

Obviously, this is not a surprise. But, it is also probably the most important update for the company since their “Social Search” implementation.

With on-by-default social search, Google literally forced site owners to create Google+ profiles for their businesses and for themselves. And, since Google highly values “+1” interactions on both its search engine and third-party sites, this new feature gets late adapting webmasters attention to optimize for Google+ and adopt +1s, too.

Because Google is still dwarfing all the competition, I believe the soon to be released third-party commenting system of the company will also be welcomed with mass adoption rates. Comments will be indexed by Google, most probably with their +1 values, and this will bring the SEO power on the most powerful search engine of all times.

Unless Google somehow manages to ridicule itself, no one will miss this.

Who said “the content is the king”? It seems like that era has been finished already.

This is what I see when I open an item belong to the Wired Gadgets RSS feed on Google Reader. After they became more annoying, disturbing and interrupting with every day, online ads are finally holding the throne.

The King is dead. Long live the King.