Web applications Archives

MySQL sleep() attacks

MySQL sleep() command injection attacks: how not validating your PHP user input can lead to Denial of Service (DoS) attacks against websites and back-end database servers. Simply by putting "AND sleep(3)" in the address bar... Here is how to put a MySQL server to sleep, happy SQL injection!

By Jan Reilink 05/08/2014Web application security

WordPress

Send authenticated SMTP email over TLS from WordPress

How to configure TLS for SMTP email in WordPress. I was suprised WordPress is not able to send email using an SMTP server out-of-the-box. Not to mention using authenticated SMTP or TLS transport for security. A quick Google search showed me multiple plugins to handle this, but I wanted to create something myself. Here is how to override the wp-mail() function and send email using authenticated SMTP and StartTLS from WordPress.

By Jan Reilink 29/07/2014WordPress

WordPress

Huge increase in WordPress xmlrpc.php POST requests

WordPress xmlprc.php DDoS and brute-force attacks. How to identify, block, mitigate and leverage these xmlrpc.php scans, brute-force, and user enumeration attacks on WordPress sites... Secure WordPress xmlprc.php interface and reduce service disruption.

By Jan Reilink 07/07/2014WordPress

Web applications

8 Tips to improve Joomla performance

Speed-up Joomla with just a few config settings: 8 Tips to improve Joomla performance. Add caching, gzip compression, set your sessions & optimize MySQL database functions... Provide your visitors with a blazing fast Joomla website!

By Jan Reilink 29/06/2014Web applications

WordPress

Minify JavaScript, CSS and compress images

Optimizing, minify and compressing JavaScript and CSS files, the easy and fast way? With YUI Compressor on the Windows-, Linux- and macOS command line of course! Compacting HTML, CSS, and JavaScript can speeds up your website because of smaller and faster downloads, parsing, and execution time. Fire-and-forget JavaScript and CSS minification and optimization

By Jan Reilink 18/05/2014WordPress

Web application security

Test SMTP Authentication and StartTLS

Investigate SMTP authentication issues like a boss! Particular over TLS encrypted SMTP connections, it's always handy if you are able to test the SMTP authentication and StartTLS connection. Preferably from your command line. This post shows you how to test SMTP servers, create base64 encoded logon information, verify SMTP authentication over an opportunistic TLS connection, all from the Linux and Windows command line using OpenSSL.

By Jan Reilink 17/05/2014Web application security

Web application security

prettyPhoto DOM based XSS

prettyPhoto DOM based XSS on Saotn.org... This evening, after tweeting about preventing cross site scripting vulnerabilities, I received a reply from Olivier Beg. His reply to my tweet contained an image, as you can see above. He alerted me that Saotn.org was vulnerable to a DOM based XSS vulnerability, hidden in prettyPhoto used by my WordPress theme. Whoops! So, I had work to do! But, what is prettyPhoto and what exactly is a DOM based XSS?

By Jan Reilink 04/05/2014Web application security

WordPress

WordPress wp_options table autoload micro-optimization

The autoload feature loads and caches all autoloaded options, if available, or all options. The default option is to autoload, and over time when the wp_options table grows, this degrades performance. Today I noticed a slow MySQL query coming from a WordPress database (WordPress wp_options table). This made me investigate and to optimize the WordPress wp_options table "autoload" feature.

By Jan Reilink 02/05/2014WordPress

WordPress

Install WordPress plugins without WP-admin access

Install WordPress plugins without admin access, and automate your WordPress customization and plugin installation. WordPress has a little drop-in plugin option available in the form of /wp-content/install.php. This install.php file is not present at default, but when created it can be used to install plugins without wp-admin access. This might come in handy for unattended WordPress installations, customization, and so on.

By Jan Reilink 30/04/2014WordPress

WordPress

Optimize WP StatPress plugin database performance

The WordPress plugin StatPress (no longer available in the Plugin Directory) is still widely used and still is very slow. Here are some MySQL statements you can use to optimize its performance, as a WordPress optimization tip...

By Jan Reilink 30/04/2014WordPress

WordPress

How to clean up Contact Form 7 temporary captcha files on IIS web servers

Contact Form 7 is a WordPress plugin that provides a simple but flexible contact form. On IIS, Contact Form 7 captcha has one HUGE disadvantage: temporary captcha files placed in wp-content/uploads/wpcf7_captcha, are not automatically removed. The files are made read only. Here is how to remove Contact Form 7 temporary captcha files on IIS...

By Jan Reilink 28/04/2014WordPress

Umbraco

Configure SQLServer sessionState for Umbraco

Prepare your Umbraco website for high performance web garden or web farm and load balancing environments: Store your sessions out-of-process (OutProc). As opposed to the default in-process (inProc) sessions, where sessions are saved in the worker process. Create a high performing, fast loading Umbraco website.

By Jan Reilink 23/04/2014Umbraco

WordPress

Clean-up WordPress spam comments and meta data

How to delete WordPress spam comments and meta data with phpMyAdmin. A lot of WordPress spam comments and meta data will keep your WordPress database huge, and slows down your site. It's best to delete spam comments regularly, but if you're facing hundreds of thousands spam comments, here is how to delete them all in bulk.

By Jan Reilink 23/04/2014WordPress

WordPress

WordPress plugin “In Over Your Archives” Call-time pass-by-reference fix for PHP 5.4

How to fix PHP Call-time pass-by-reference has been removed in errors. The following PHP fix goes for nearly all PHP Call-time pass-by-reference errors: The WordPress plugin In Over Your Archives is a plugin to display your archive page in a nice way, just like on inoveryourhead.net. The plugin hasn't been updated in quite some time and breaks with PHP version 5.4.

By Jan Reilink 23/04/2014WordPress

WordPress

How to load google-code-prettify syntax highlighting without plugins

If you run a WordPress blog where you display (parts of) source code, syntax highlighting is a must! It prettifies the code which makes it easier to read and it distinguishes code from text. However, most syntax highlighting is made available through plugins, and we all know too many plugins bring a lot of overhead to your blog. So, conditional load in WordPress: Load javascript only on posts in WordPress.

By Jan Reilink 23/04/2014WordPress

Web applications

MySQL sleep() attacks

Send authenticated SMTP email over TLS from WordPress

Huge increase in WordPress xmlrpc.php POST requests

8 Tips to improve Joomla performance

Minify JavaScript, CSS and compress images

Test SMTP Authentication and StartTLS

prettyPhoto DOM based XSS

WordPress wp_options table autoload micro-optimization

Install WordPress plugins without WP-admin access

Optimize WP StatPress plugin database performance

How to clean up Contact Form 7 temporary captcha files on IIS web servers

Configure SQLServer sessionState for Umbraco

Clean-up WordPress spam comments and meta data

WordPress plugin “In Over Your Archives” Call-time pass-by-reference fix for PHP 5.4

How to load google-code-prettify syntax highlighting without plugins

Windows Server

Web applications

PowerShell