blog.johnpray

an annotated brainlog

WordPress Security: Quickly Set the Proper File and Folder Permissions


Having your web site hacked isn’t fun. Having your employer’s eleven (11!) separate WordPress installations simultaneously hacked, causing their entire website to be placed on Google’s malware warning list (resulting in some great visitor deterrence by Chrome, Firefox, and Google Search results), and learning about it early on a Sunday morning is just about as not-fun as it comes.

This happened to me. Let’s try to keep it from happening to you.

The folder and file permissions on the eleven WordPress installations I inherited at this job were not properly locked down. Here’s some of what I learned that Sunday (and for the week afterwards):

  • All files and directories in a WordPress installation should be owned by a user other than the web server (apache on CentOS, www-data on Ubuntu), though still in the web server’s group. For example, if you have a secure user named john, your directories and files should all be owned by john:apache or john:www-data, NOT apache:apache nor www-data:www-data.
    • The only exceptions are the wp-content/uploads/ folder on all installations, which the server needs write access to so your authors can post images and other day-to-day files, and the wp-content/blogs.dir folder on Multisite installations, which the server needs write access to in order to create and manage the various sub-sites. They should both still belong to apache:apache.
  • All directories (or folders) in the installation should have permissions of 755, which lets every server user read and enter the directory (the execute bit on a directory means “traverse”), while only the owner (john, in this case) can write to it, i.e. create or remove entries (though not necessarily write to the files inside).
  • All files in the installation should have permissions of 644, which provides read permissions to all server users, write permissions to the owner, and execute permission to no one. (I feel that I should mention that “users” in this case refers to accounts on the server’s very-back-end, in Linux – not to site visitors or WordPress users.)

Long story short, 755 for directories and 644 for files means that even if a hacker manages to somehow get a malicious script file onto your site, she/he/it isn’t going to be allowed to execute it. These are the best-practice permissions recommended by those who know WordPress best.

Since I had to make these changes efficiently and reliably over eleven different WordPress installations, I put together a handy list of commands for quick copy-paste action. Here they are for your WordPress-securing pleasure. They should work on a typical LAMP stack, but your mileage may vary. (I shouldn’t have to tell you to always have backups handy.)

On the command line for your server (via ssh, telnet, cyborg telepathy, or however you prefer to do these things), navigate to the directory containing your WordPress installation. This could be the root directory of your web site, or a subdirectory. For example:

cd /var/www/html/wordpress/

Take ownership of everything in that directory (substituting your own username for john and, if you’re on Ubuntu, www-data for apache):

sudo chown -R john:apache .   # "." rather than "./*" so dotfiles such as .htaccess are included

Find all directories in this directory and set their permissions to 755:

sudo find . -type d -exec chmod 755 {} \;

Do it again, but for files and 644:

sudo find . -type f -exec chmod 644 {} \;

Give the uploads folder back to apache (or www-data):

sudo chown -R apache:apache ./wp-content/uploads

In my case, I also needed to give existing folders starting with backup- back to apache as well, as that’s where our backup plugin placed its database backups:

sudo chown -R apache:apache ./wp-content/backup-*

Finally, if it’s a Multisite install, give the blogs.dir directory back as well:

sudo chown -R apache:apache ./wp-content/blogs.dir
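An added audit script, not part of the original post, to confirm the steps above actually took effect: wp_perm_audit lists every directory that is not 755, every file that is not 644, and every path not owned by the expected user and group outside the two server-owned directories, and wp_perm_fix re-applies the two chmod steps. The function names and the constructed demo tree are assumptions.

```shell
#!/bin/sh
# Added audit for the layout described above (my own example, not the post's
# code). Checks: every directory is 755, every regular file is 644, and every
# path is owned by OWNER:GROUP except under wp-content/uploads and
# wp-content/blogs.dir, which the web server owns. Names are assumptions.

# wp_perm_audit DIR OWNER GROUP: print each deviating path; exit 0 only if clean.
wp_perm_audit() {
    root=$1; owner=$2; group=$3; issues=0
    # "! -perm 755" is an exact-mode test, so 775 and 700 are both reported.
    badmode=$( { find "$root" -type d ! -perm 755
                 find "$root" -type f ! -perm 644; } )
    # Wrong owner or group, pruning the two directories the server must own.
    badown=$(find "$root" \( -path "$root/wp-content/uploads" \
                          -o -path "$root/wp-content/blogs.dir" \) -prune \
                     -o \( ! -user "$owner" -o ! -group "$group" \) -print)
    for list in "$badmode" "$badown"; do
        [ -n "$list" ] && { echo "$list"; issues=$((issues + $(echo "$list" | wc -l))); }
    done
    [ "$issues" -eq 0 ]
}

# wp_perm_fix DIR: the post's two chmod steps ("+" batches paths per chmod call).
# Ownership still needs root, so chown is left to the commands above.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo: a tiny tree with one directory and one file deliberately
# off-spec. Prints "<deviations before fix> <deviations after fix>".
wp_perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-admin"
    touch "$d/index.php" "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/uploads" "$d/wp-admin"
    chmod 644 "$d/index.php" "$d/wp-content/uploads/photo.jpg"
    chmod 777 "$d/wp-admin"          # world-writable directory
    chmod 664 "$d/index.php"         # group-writable file
    me=$(id -un); grp=$(ls -ld "$d" | awk '{print $4}')
    before=$(wp_perm_audit "$d" "$me" "$grp" | wc -l | tr -d ' ')
    wp_perm_fix "$d"
    after=$(wp_perm_audit "$d" "$me" "$grp" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}
```

Run `wp_perm_audit /var/www/html/wordpress john apache` before and after the commands above; an empty listing and a zero exit status mean the tree matches the layout the post describes.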

That should do it. No guarantees that you’ll never be hacked again, but it should certainly be less likely.

Oh, and if you find yourself in a situation with eleven separate WordPress installations to maintain, do yourself a favor and turn them into a single Multisite installation.


If you need someone to build, maintain, or fix a WordPress site for you, I’m getting into freelancing to share my moderate skills with the world. Drop me a line or check out my StackOverflow Careers profile. (I also do Ruby on Rails. See my recent project, the Science Game Center, built from scratch in Rails by my own ten fingers.)

Wii U External Storage: What Works, What Doesn’t, and Proposed Solutions


I got a Wii U shortly after launch, and I’m really enjoying it so far. Unfortunately, some of Nintendo’s practices with eShop games and external storage have me wondering what kind of problems, especially with losing saved progress, Wii U owners are going to run into in the near future.



The Wii U supports external USB storage.

A few weeks ago, I got the Wii U Basic Set as it was all that was in stock when I went to pick one up, and I knew I had a spare hard drive laying around I could use to make up for the limited internal storage. That it didn’t come with a Nintendo Land disc was fine, as I’d made the life-changing decision to try going all-digital with the Wii U.

What Works

So far I’ve downloaded and played the heck out of both Nintendo Land and New Super Mario Bros. U on my Wii U and its really-pretty-great GamePad. Downloading may not have been as quick as I’d like, but that’s something Nintendo can fix, and even if they don’t, it’s only a one-time thing per game (besides the occasional update). Both games are stored on an external hard drive.

The contents of my Wii U’s external drive.

The external USB storage worked without a hitch. I plugged in the drive, formatted it as instructed, downloaded my games, and just played. No hassle. This is quite a lot of progress for Nintendo, coming from the very-limited Wii, whose late SD card support was hindered by the need to copy games to pitifully-small internal memory before playing them. The Wii U exhibits no such limitation. So don’t get me wrong; I commend Nintendo for this much progress, and for taking the steps into digital distribution of retail games. It’s a wonderful step into the future. But it’s a step with the potential to get tripped up.

What Doesn’t

So, here’s the thing. When I got the console, I didn’t have a dedicated enclosure yet for the hard drive I wanted to use, so I temporarily swapped in one I was using for other things. Once my new enclosure arrived from Amazon, I swapped the drive into the new enclosure and plugged it into the Wii U, assuming (okay, hoping) that all would be well.

All external drives must be specially formatted.

It wasn’t. The console refused to recognize the drive and needed to perform its special Wii U-formatting all over again. This tells me that the formatting the Wii U does identifies the disk contents as not only specific to that console, but also specific to that external USB device.

This meant I would need to redownload the two games, which I was fine with. So I went ahead and did it.

The console-specific thing I totally understand; it keeps piracy difficult. But the drive-specific thing? This means if I have a drive that (1) is failing or (2) for some reason has stopped working with the Wii U, I can’t move the data from the drive to another. In other words, all my saved progress is lost (again) if anything happens to that drive, including things out of my control like drive failure or a Wii U system software glitch.

Save data is packaged with the game data.

It turns out that downloaded games’ save data is also stored on the external drive, and cannot be moved. This meant, by reformatting that drive, I lost all my Nintendo Land and Mario U progress so far. Fortunately it wasn’t yet much, and I was happy to re-play the games and levels we’d already played, but this still worries me.

Save data cannot be separated from its game.

When this hard drive eventually dies, and it will, I will lose my save data no matter what. I can’t back it up. I can’t move it to another drive (although the ability will apparently come in an update, though even then the drive still needs to be working to make the move). I can’t move it to internal storage, since the full games won’t fit on my Basic Set and the save data currently cannot be separated from it.

Proposed Solutions

To fix this, Nintendo needs to make a change or two. Here are my suggestions to Nintendo on how to improve things.

SOLUTION: Let me copy or move my save data from the external drive to internal memory (separating it from the much larger game data). You don’t store save data on game discs (never mind that it’s not possible); with the options available today, why force me to keep it on the much-more-likely-to-fail external storage?

Subsolution: While you’re at it, make identical disc-based and eShop games share the same save data, or at least provide the option. You wouldn’t have separate saves for two separate identical discs; why do it in this case? It’d only make sense if I could use the data on a friend’s console, which I cannot. If I rent a game on disc and then decide I want to buy the eShop version for keeps, I shouldn’t have to lose all my progress. UPDATE: According to multiple Redditors, apparently if you play a disc game then buy the eShop version, the save data will carry over. I’m interested to try this out to see how it works (does the save data become tied to the game data?); will report back when I do.

SOLUTION: Make external storage data only console-specific, not external-drive-specific. This would have prevented my issue above from cropping up in the first place, and makes perfect sense. Why shouldn’t I be able to move around the data (or better yet, back it up) as I please as long as it remains console-specific? Maybe this makes piracy somehow more difficult in theory, but I think it crosses the line of hindering your non-pirating consumer, me, much more.

UPDATE: SOLUTION: Sync save data to the cloud. I was reminded in the comments of this, probably the best and certainly the most modern and easiest solution for consumers. Link my save data to my shiny new Nintendo Network account, and sync it to and from Nintendo’s servers whenever it changes. Steam, Xbox 360, and PlayStation 3 all have this capability; why shouldn’t Wii U? Supposedly this functionality is coming, so we’ll see if it pans out.

Even just one of these could solve the problem, though implementing them all would be ideal. The ball’s in your court, Nintendo. I’ll continue to buy games on your system, but it’s up to you to determine what my experience with said games will be like.


Any possible solutions I missed? Any reasons the above solutions wouldn’t work? Pull out that GamePad stylus and chime in.

All screenshots in this post were taken by me from my Wii U’s GamePad screen. Many apologies for the lacking quality of my smartphone’s camera.

GiftDraw for Android


or Solving Secret Santa, Part One

Every Thanksgiving, we get together with the extended family on my Dad’s side for some good eats and good times. We also take the opportunity to draw names for Secret Santa giftgiving for the upcoming Christmas Eve gathering.

Traditionally, this Secret Santa was among the adults, each adult getting one gift, while everyone could get the kids of the family as many gifts as they wanted. But then all of us kids grew up (and haven’t yet brought along any grandchildren), and there were far fewer gifts going around, making things a little dull. So starting last year, we decided to be a little innovative: each person would draw two different names of people to give gifts to. To further complicate things, neither of those two names could be within your immediate family/household, since you’d be giving that person gifts anyway on Christmas morning.

This was a lot harder to try to coordinate with slips of paper in a basket than the old simple one-slip-per-person way had been. How do we ensure that each picker (1) gets two different names, that (2) neither of those names is in their immediate family, and that (3) nobody knows ahead of time who has their name (meaning no one person can coordinate the name assignments)? What do we do when the human mind and physical world fail us? We turn to our trusty computer overlords!

With the above-stated requirements in mind, I started in on an Android app (since I was still entrenched in Android development at the time–a habit I eventually thankfully kicked).

I managed to make something pretty and semi-functional that served us well that Thanksgiving. I passed my phone around, each person clicked their own name, they got to see their two recipients, and they got to email those names to themselves right from the app.

The source code for that abandoned project is available on GitHub, for the curious.

This year my immediate family won’t be around for Thanksgiving since we’re heading to Great Britain to visit my sister who’s studying abroad, so the Android app solution won’t work this year if I want to keep everyone’s names a secret from myself. Plus I like a challenge. Stay tuned for future posts where I’ll discuss GiftDraw Web, which I’m developing so that we can all draw our names from wherever we may be.

Dex the Cat


This is Dex. He’s a pretty kitty.

I knew you’d agree.

(Welcome to my new blog running on Octopress. All posts older than this one are imported from my older Tumblr and WordPress blogs. Don’t forget to check out SkipandCal.net, which holds my cartoons and comics. Thanks for visiting!)

Photofo: The Making of an Infographic


Herein you will learn of Photofo, the “simple” computer program I wrote to help me to collect the data that went into the infographic “a picture about pictures”. My goal was to look at all of the photos I took while studying abroad in London last fall (of which there were over 2,000) and use the information I could glean (1) by looking at the photos and (2) by remembering what was going on at the time the photo was taken in order to learn a bit more about the places I visited—and about myself.

In order to make the task of collecting that data realistic, I decided to harness the Visual Basic programming skills I was just learning at the time to create what I eventually dubbed “Photofo” (“photo” + “info”). Here’s a snippet of the code in Visual Basic Studio 2008:

And here’s the finished product:

It’s not much to look at, I’ll admit. But when combined with some basic spreadsheets with EXIF data (data encoded in the pictures by my camera) pre-extracted thanks to Exifer, it became a full-blown photofo-ing tool. It worked like this:

  1. I’d click Open Data and choose the correct barebones spreadsheet for the folder of photos I wanted to examine.
  2. I’d click Choose Photo and pick a photo, either the first one in that folder or where I’d left off.
  3. I’d get the following view, with the greyed-out values on the left being the ones pre-extracted by Exifer and added manually to the barebones data files by me: (That was our tour bus during my first trip to Scotland, with Haggis Adventures. I highly recommend them, clever bus text or not.)
  4. I’d then fill in all the info on the right, based on what I saw in the photo and (in the case of properties like “Spontaneous” and “Tourism”) what I remembered.
  5. I’d click Next Photo, the next image in the folder would load, and the process would repeat. I did this for every single one of my 2,143 photos in 18 folders. It took a reeeaaaally long time.
  6. When I was done with that folder, I’d click Save Data to File and then move on to the next one.
  7. Eventually I came out with a fully-filled-out spreadsheet for each of the folders full of photos I had. When I was done with them all, I combined them all into one big spreadsheet, which you can see a snippet of here:
  8. In that spreadsheet, I used some Excel wizardry (thank you Google search) to quantify the data, as you can see in the rightmost columns. Then I used Excel to make charts and graphs out of the data, some of which went directly into the infographic. The rest I used as reference as I made the infographic.

And that was that (it looks like a lot less work in a blog post than it really was). It was a fun project, except for the part where I didn’t leave myself quite enough time to work through the photos at a reasonable pace (let’s just say it was my most hectic finals week ever).

The question is, where does Photofo go from here? Was it just a fun little personal project, or should I expand on and polish it for others to use? Good question. What do you think? Would you use it?