Web applications

MySQL sleep() attacks

MySQL sleep() command injection attacks: how failing to validate your PHP user input can lead to Denial of Service (DoS) attacks against websites and back-end database servers. Simply by putting “AND sleep(3)” in the address bar… Here is how to put a MySQL server to sleep, happy SQL injection!

Send authenticated SMTP email over TLS from WordPress

How to configure TLS for SMTP email in WordPress. I was surprised WordPress is not able to send email using an SMTP server out-of-the-box, not to mention using authenticated SMTP or TLS transport for security. A quick Google search showed me multiple plugins to handle this, but I wanted to create something myself. Here is how to override the wp_mail() function and send email using authenticated SMTP and STARTTLS from WordPress.

8 Tips to improve Joomla performance

How to speed up Joomla performance on Windows Server IIS: 8 important, but simple, tips to improve and speed up Joomla. Add caching, gzip compression, set your sessions and optimize MySQL database functions… Provide your visitors with a blazing fast Joomla website!

Minify JavaScript, CSS and compress images

Optimizing, minifying and compressing JavaScript and CSS files, the easy and fast way? With YUI Compressor on the Windows, Linux and macOS command line, of course! Compacting HTML, CSS, and JavaScript can speed up your website because of smaller and faster downloads, parsing, and execution time.

Test SMTP Authentication and StartTLS

This post shows you how to test a connection to an SMTP server using telnet or openssl, how to create base64-encoded logon information, and how to verify the authentication over an opportunistic TLS connection, all from the Linux and Windows command line. This comes in very handy when investigating SMTP authentication issues, particularly those over TLS-encrypted connections. Investigate SMTP authentication issues like a boss using telnet and OpenSSL.

prettyPhoto DOM based XSS

prettyPhoto DOM-based XSS on Saotn.org… This evening, after tweeting about preventing cross-site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM-based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM-based XSS?

WordPress wp_options table autoload micro-optimization

Learn how to add an index and optimize WordPress’ wp_options table for faster database results. This probably isn’t a big issue, but today I noticed a slow MySQL query coming from a WordPress database (the WordPress wp_options table). This made me investigate and optimize the WordPress wp_options table “autoload” feature. The autoload feature loads and caches all autoloaded options, if available, or all options. The default option is to autoload, and over time, as the wp_options table grows, this degrades performance.

Install WordPress plugins without WP-admin access

Install WordPress plugins without admin access, and automate your WordPress customization and plugin installation. WordPress has a little drop-in plugin option available in the form of /wp-content/install.php. This install.php file is not present by default, but when created it can be used to install plugins without wp-admin access. This might come in handy for unattended WordPress installations, customization, and so on.

Configure SQLServer sessionState for Umbraco

Configure Umbraco to store its sessions in SQL Server sessionState. This post explains how to prepare your Umbraco website for a high-performance web garden or web farm and for load-balanced environments: store your ASP.NET / Umbraco sessions out-of-process (OutProc), as opposed to the default in-process (InProc) sessions, where sessions are saved in the worker process.

Clean-up WordPress spam comments and meta data

How to delete WordPress spam comments and meta data with phpMyAdmin. A lot of WordPress spam comments and meta data will keep your WordPress database huge and slow down your site. It’s best to delete spam comments regularly, but if you’re facing hundreds of thousands of spam comments, here is how to delete them all in bulk.

WordPress plugin “In Over Your Archives” Call-time pass-by-reference fix for PHP 5.4

How to fix PHP “Call-time pass-by-reference has been removed” errors. The following PHP fix applies to nearly all PHP Call-time pass-by-reference errors: The WordPress plugin In Over Your Archives is a plugin to display your archive page in a nice way, just like on inoveryourhead.net. The plugin hasn’t been updated in quite some time and breaks with PHP version 5.4:

How to load google-code-prettify syntax highlighting without plugins

If you run a WordPress blog where you display (parts of) source code, syntax highlighting is a must! It prettifies the code, which makes it easier to read, and it distinguishes code from text. However, most syntax highlighting is made available through plugins, and we all know too many plugins bring a lot of overhead to your blog. So, conditional loading in WordPress: load JavaScript only on posts in WordPress.