Web applications Archives

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You'll learn the important steps to move WordPress from http to https

By Jan Reilink 15/07/2016WordPress

WordPress

17+ Useful WordPress snippets

Here are 17+ valuable WordPress snippets for site-specific plugins and functions.php to provide you a better WordPress experience. Enhance your WordPress site with these small PHP snippets: WordPress filters, actions and functions. Quickly add or extend the functionality you need for your WordPress website! Read on...

By Jan Reilink 30/05/2016WordPress

Web application security

Binary webshell through OPcache in PHP 7

GoSecure wrote up a new PHP exploitation technique using the default OPcache engine from PHP 7. Using this attack vector, it's possible to bypass certain hardening techniques that disallow the file write access in the web directory.

By Jan Reilink 28/04/2016Web application security

WordPress

Optimize WordPress MySQL tables through Cron, behind the scenes

To regularly optimize my WordPress database tables, I created a small plugin that utilizes the WordPress Cron feature. This comes in handy to perform database optimization for WordPress on a regular basis, without forgetting about it. Just activate and enjoy. And here is the plugin code.

By Jan Reilink 04/03/2016WordPress

Web application security

Cracking PHP rand()

Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().

By Jan Reilink 15/02/2016Web application security

WordPress

Minify WP-Super-Cache HTML cache files: WPSCMin a WP-Super-Cache plugin

The WordPress WP-Super-Cache cache plugin doesn't minify HTML cache files, which I find a disadvantage. Knowing minify libraries, I went looking for an existing solution (why reinvent the wheel?), and found one: WPSCMin. Read on ...

By Jan Reilink 27/12/2015WordPress

WordPress

How to add conditional analytics tracking code in WordPress Multisite

In my WordPress multisite, I use one theme for three sites and a tracking code for analytics on my websites. Whether it is Google Analytics or Piwik doesn't matter. Here is how you can conditionally add tracking codes to your WordPress Multisite: Use a condition in functions.php to add the tracking code for Piwik/Matomo Analytics or Google Analytics.

By Jan Reilink 11/07/2015WordPress

Web application security

Add a delay to your WordPress login form

This plugin adds a three second delay when logging into WordPress. This slows down brute-force attacks on your website. However, it is not recommended to use sleep(), because a heavy brute-force attack will let all those POST requests sleep for the given amount of time.

By Jan Reilink 10/07/2015Web application security

WordPress

My WordPress web.config

Do you host your WordPress website on Windows Server IIS? And are you having trouble with your web.config? I often receive questions about how to use a web.config file in WordPress on Windows Server, and which settings are important for a WordPress site. Maybe it's because I'm a WordPress on Windows Server IIS enthusiast, so here is my web.config for your convenience (really, it's not that special).

By Jan Reilink 22/06/2015WordPress

Web applications

PHP 5.6 default_charset change may break HTML output

An important note for everyone who's upgrading from PHP 5.4 and PHP 5.5 to PHP 5.6: the PHP default_charset in php.ini changed from "empty" to UTF-8, often breaking sites after upgradiong from PHP 5.4 and PHP 5.5 to PHP 5.6. UTF-8 encoding breaks when upgrading PHP 5.6 to PHP 7.0.

By Jan Reilink 31/03/2015Web applications

WordPress

Disable WordPress comments (how-to)

When the WordPress comment option is abused by spammers, it becomes a real pain in the "@ss". With thousands spam reactions, disabling -and removing- WordPress comments is the only way to go. Here is how to disable WordPress comments in both the WordPress Dashboard interface and in your MySQL database. As a bonus, I show you how to re-enable comments too!

By Jan Reilink 02/01/2015WordPress

Web application security

Joomla websites abused as open proxy for Denial-of-Service attacks

Joomla websites using the Googlemaps plugin for Joomla are actively abused as open proxy for launching Denial-of-Service (DoS) attacks. The problem with the Joomla Googlemaps plugin lies in the fact anyone can execute cURL HTTP requests to remote websites.

By Jan Reilink 16/11/2014Web application security

WordPress

Display commas in WordPress tags

Sometimes you may want to display commas in tag names. For example if you have a business directory listing and want to create one single taxonomy (tag name) "cafe, restaurant, bar". This post shows you how to create a filter in your functions.php file to display WordPress tags with a comma, enjoy!

By Jan Reilink 12/10/2014WordPress

Web application security

Exploit PHP mail() to get remote code execution

If you are able to control the 5th parameter of PHP mail() function ($options), you have the opportunity to execute arbitrary commands. Remote Code Execution (RCE) in PHP mail()

By Jan Reilink 07/09/2014Web application security

Web application security

Increase in SQL injection attacks

Since a week or so, I notice a huge increase in SQL injection attacks on various websites. Anyone else seeing the same SQL injection attacks lately? This increased SQL injection activity - on various web sites and databases - has the following characteristics

By Jan Reilink 07/08/2014Web application security

PowerShell