MySQL sleep() command injection attacks
How not validating your PHP user input can lead to Denial of Service (DoS) attacks against websites and back-end database servers. Simply by putting “AND sleep(3)” in the address bar… Here is how to put a MySQL server to sleep, happy SQL injection!
Send authenticated SMTP email over TLS from WordPress
How to configure TLS for SMTP email in WordPress. I was surprised WordPress is not able to send email using an SMTP server out-of-the-box, let alone using authenticated SMTP or TLS transport for security. A quick Google search showed me multiple plugins to handle this, but I wanted to create something myself. Here is how to override the wp_mail() function and send email using authenticated SMTP and StartTLS from WordPress.
Huge increase in WordPress xmlrpc.php POST requests
WordPress xmlrpc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites… Secure the WordPress xmlrpc.php interface and reduce service disruption.
8 Tips to improve Joomla performance
How to speed up Joomla performance on Windows Server IIS: 8 important, but simple, tips to improve and speed up Joomla. Add caching, gzip compression, set your sessions and optimize MySQL database functions… Provide your visitors with a blazing fast Joomla website!
Minify JavaScript, CSS and compress images
Optimizing, minifying and compressing JavaScript and CSS files, the easy and fast way? With YUI Compressor on the Windows, Linux and macOS command line of course! Compacting HTML, CSS, and JavaScript can speed up your website because of smaller and faster downloads, parsing, and execution time.
Test SMTP Authentication and StartTLS
This post shows you how to test a connection to an SMTP server, using telnet or openssl, to create base64-encoded logon information, and to verify the authentication over an opportunistic TLS connection, all from the Linux and Windows command line. This comes in very handy when investigating SMTP authentication issues, particularly those over TLS encrypted connections. Investigate SMTP authentication issues like a boss using telnet and OpenSSL.
prettyPhoto DOM based XSS
prettyPhoto DOM based XSS on Saotn.org… This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?
WordPress wp_options table autoload micro-optimization
Learn how to add an index and optimize WordPress’ wp_options table for faster database results. This probably isn’t a big issue, but today I noticed a slow MySQL query coming from a WordPress database (the WordPress wp_options table). This made me investigate and optimize the WordPress wp_options table “autoload” feature. The autoload feature loads and caches all autoloaded options, if available, or all options. The default is to autoload, and over time, as the wp_options table grows, this degrades performance.
Install WordPress plugins without WP-admin access
Install WordPress plugins without admin access, and automate your WordPress customization and plugin installation. WordPress has a little drop-in plugin option available in the form of /wp-content/install.php. This install.php file is not present by default, but when created it can be used to install plugins without wp-admin access. This might come in handy for unattended WordPress installations, customization, and so on.
How to clean up Contact Form 7 temporary captcha files on IIS web servers
Contact Form 7 (CF7) is a WordPress plugin that provides a simple but flexible contact form. On IIS, Contact Form 7 captcha has one HUGE disadvantage: temporary captcha files placed in wp-content/uploads/wpcf7_captcha are not automatically removed. The files are made read-only. Here is how to remove Contact Form 7 temporary captcha files on IIS…
Configure SQLServer sessionState for Umbraco
Configure Umbraco to store its sessions in SQL Server sessionState storage. This post explains how to prepare your Umbraco website for a high performance web garden or web farm, and for load balancing environments: store your ASP.NET / Umbraco sessions out-of-process (OutProc), as opposed to the default in-process (InProc) sessions, where sessions are kept in the worker process.
Clean-up WordPress spam comments and meta data
How to delete WordPress spam comments and meta data with phpMyAdmin. A lot of WordPress spam comments and meta data will keep your WordPress database huge and slow down your site. It’s best to delete spam comments regularly, but if you’re facing hundreds of thousands of spam comments, here is how to delete them all in bulk.
WordPress plugin “In Over Your Archives” Call-time pass-by-reference fix for PHP 5.4
How to fix PHP “Call-time pass-by-reference has been removed” errors. The following PHP fix applies to nearly all PHP Call-time pass-by-reference errors. The WordPress plugin In Over Your Archives is a plugin to display your archive page in a nice way, just like on inoveryourhead.net. The plugin hasn’t been updated in quite some time and breaks with PHP version 5.4:
How to load google-code-prettify syntax highlighting without plugins
If you run a WordPress blog where you display (parts of) source code, syntax highlighting is a must! It prettifies the code, which makes it easier to read, and it distinguishes code from text. However, most syntax highlighting is made available through plugins, and we all know too many plugins bring a lot of overhead to your blog. So, conditional loading in WordPress: load JavaScript only on posts in WordPress.