This is the very first time i need to use a temporary server maintenance page, previously when i upgrade wordpress (even to major release such as this one) … there’s no need for me to redirect this site visitors to a temporary page saying that this server is under maintenance, but this time the situation is different

And that’s because i do not want my visitors to see lots of beautiful MySQL error message when viewing every page of this site (i’m quite sure you feel the same way too) because of the recent database schema changes in Wordpress 2.3, but … how to do that ? if you ask me …

The answer is simple, as long as you have access to edit your .htaccess file (some web hosting company doesn’t allow you to edit the .htaccess file, and that’s why i said so) :)

And here are the complete instruction :

1. Create a new html page saying that this site under maintenance or anything you like :) , and save it as maintenance.html (this is just an example, feel free to use another filename)

2. Edit your .htaccess file in your root public_html directory

and add these lines :

RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteCond %{REQUEST_URI} !/maintenance.html$ [NC]
RewriteRule .* /maintenance.html [R,L]

Note : Replace 123\.456\.789\.0 with your own ip address

And here are the description about what the above line does :

1. The first RewriteCond is used so that you can still access your site, by detecting your ip address
2. The second RewriteCond is used so that every request to maintenance.html file will not be redirected, this is used to prevent infinite redirect loop
3. The third RewriteCond is used so that others that is trying to access your site in any page will be redirected automatically to your maintenance.html page using temporary redirect so that search engine robot will check again later

3. Now you just need to upload the above file into your public_html directory and continue the upgrade process

But what if you’ve finished upgrading your wordpress, and you want your visitors will able to view your site again ?

Simple … you just need to remove the above .htaccess rules, and to make sure that your site visitors will be automatically redirected to your main page, you can add below line to your .htaccess file

Redirect 301 /maintenance.html http://www.yourdomain.com

And you’re done :)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 2 comments

0x87485B96 | Tags : Apache, Guide, Wordpress

Previously i wrote a how to guide on installing Apache HTTPD 1.3 on Windows machine. But it seems that some people prefer to use the new Apache 2.2 series instead of the old httpd 1.3 series which is not good when used on production system (read: if you allow anyone to access your webserver), beside the apache website itself tell you this :

the older 1.3 series was never designed to run on Windows, but that support was ‘hacked in’, introducing a large number of potential thread saftey issues and other confirmed problems.

And that’s why i choose to create the apache guide again but this time it is using the 2.2 series, and of course this guide tell you on how to setup your apache server with php 5 manually not using an all in one package. And here’s the guide :

Requirements :

1. Apache 2.2.x : At the time i wrote this guide, the latest stable version is 2.2.26 (btw get the non-ssl version unless you plan on using ssl)

2. PHP 5.2.x : 5.2.4 is the latest stable version when i wrote this (get the zip version, not the installer)

And here are the steps :

Note : in this example i’m using the default installation path for Apache 2.2

1. Install Apache 2.2 until below screen appears and use this information (or adjust it to your liking) and then continue the process until finished :)

2. To make sure Apache is working now you need to open your browser window and type http://localhost as the address, and if you get the same message like below image that mean apache is working

3. Thanks God the Apache seems to work … but now you’ll need to configure apache so it’ll recognize the php files and can parse the php files correctly. And the first thing you should do is extracting the PHP zip archive somewhere, and in this example i extracted the php 5.2.4 files into C:\PHP-5

4. After finished with the extraction process, now you just need to go to your Apache installation path, and then open httpd.conf which is located under the conf directory using your favorite text editor. Btw if you installed apache using the default path, here’s what the apache directory structure looks like

5. In order for apache to parse the php files correctly, first you need to Load the PHP5 module into the Apache, and to do this you just need to add below line to your Apache httpd.conf (after the last line of the loadmodule section) :

LoadModule php5_module "c:/php-5/php5apache2_2.dll"

Note : Adjust the php path accordingly if you extracted it into other directory

And here’s the image :

5.1 Now you need to search for (use your text editor built-in search function) :

<IfModule mime_module>

and then add these lines inside that directive (before the closing </IfModule> for mime_module )

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

6. After finished with the above process, now you’ll need to configure apache so it’ll check the existence of index.php by default too instead of just checking the index.html only for the default index filename, and here’s how to do it

The default configuration from Apache 2.2 :

<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

The modified version :

<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>

Notice the difference ? i’m pretty sure you’ll notice it right away … but like everyone knew that a picture worth a thousand words (read: because my English language is bad), so here goes the picture

7. Now we are done with the httpd section, now we need to configure php. Here are how to do that :

7.1 Copy php.ini-recommended from your php5 directory into C:\Windows (or your windows path) and then rename it into php.ini

7.2 Open the php.ini file using notepad and change the extension_dir as shown on below image :

7.3 Now you need to copy some dlls from your php 5 directory into C:\Windows\System32 :

Im pretty sure that you can’t read the filename from the above image, but don’t worry because all you have to do is just :

Right click and choose Arrange Icons by name, and then copy each file shown on the above image into your windows system32 directory, and you’re done (hint: hold CTRL key to select multiple files)

Or … copy all dll files at the root of your php directory into your system32 directory except those that is using php5*.dll

8. Now we’ve configured php, apache … but what else do we need ? of course we need to make sure that php really working and apache can parse it without problem, so we need to create a php test page first, here’s how to do it :

8.1 Create a file named test.php inside C:\Program Files\Apache Software Foundation\Apache2.2\htdocs (because that’s where the default document root path of your apache)

8.2 Add below line to the test.php file like shown on below image, then save and close the notepad

9. Okay … finally we’ve reached the final stage !!! now you just need to open command prompt and type like below image :

If you can’t read what you should type from the above image, actually you just need to type :

net stop apache2.2 && net start apache2.2

to restart your apache 2.2 process

10. Now after finished restarting the apache process, we need to open the browser window and point to http://localhost/test.php

If you see something shown like on the above image, that means Apache and PHP is working on your system

Congrats … now you’ve got apache and php 5 working on your system the only thing left is … adding mysql support (if you plan on using a registration page for your Mangos Server or other private server), and to do this you just need to remove the ; from the extensions, for more information, you can download the sample php.ini and httpd.conf as a supplement for this short how to guide

Hint : Compare the sample php.ini file you’ve downloaded with the default php.ini file from the php.ini files included in PHP archive (in this case you can find it on your windows directory)

Hopefully i didn’t miss anything, but if you do notice that i miss something, please let me know so i can fix it or add it :)

Thanks to Al for the suggestion :)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 229 comments

0x87485B96 | Tags : Apache, PHP, Tutorials, Windows

Today i’m going to tell you on how to hide your affiliate links or any other links you want to hide (see the right sidebar of this site) using a simple htaccess redirect trick, just in case you didn’t know about it, and of course i’ve only tested this on Apache HTTP Server only (Windows and Linux version) so if you’re using any other webserver to serve your webpages … i’m quite sure that this trick is not going to work, and you’ll have to use some redirect script to do it

But as a side note, this redirect trick (or any other redirect trick using php, etc) may or may not working especially if your site mostly visited by tech savvy users even if the affiliate website itself didn’t show your referal link, because they can always see it through the HTTP header

Redirecting from the root of your domain name

Step to do it :

Open or create new .htaccess file on the root of your www / public_html directory and add this line :

Redirect /myaffiliate http://www.myaffiliatewebsite.com

the above line mean, if you type http://www.yourdomainname.com/myaffiliate it’ll be redirected automatically to www.myaffiliatewebsite.com using 302 Found HTTP Header

But what if you want a 301 Moved Permanently HTTP Header instead of 302 HTTP Header (almost every redirect trick i’ve seen so far is using 302) ? … if that’s what you want … then you can use this

Redirect 301 /myaffiliate http://www.myaffiliatewebsite.com

Redirecting from subdirectory

Step to do it

1. Create new directory (for example : redir)
2. Create new .htaccess inside and add these into your newly created htaccess file

Redirect /redir/affiliate http://www.affiliatewebsite.com

The above line mean, if you type http://www.yourdomainname.com/redir/affiliate it’ll be redirected automatically to your affiliate link

Redirect to multiple product in the same affiliate website with a single line (useful on site like Amazon)

Let’s say you’ve become an Amazon Affiliate, and you want to link to that product page without adding new line into your htaccess file … then you can add this line into your .htaccess file

RewriteRule ^show/(.*)$ http://www.amazon.com/exec/obidos/ASIN/$1/YourAmazonID [L]

What the above line do is, whenever you type http://www.yourdomainname.com/show/ANY-AMAZON-PRODUCTID it’ll be redirected automatically to http://www.amazon.com/exec/obidos/ASIN/ANY-AMAZON-PRODUCTID/YOUR-AFFILIATE-ID

Another example on how to make your Amazon Link look pretty is you can also use this :


RewriteCond %{QUERY_STRING} id=([^&]*)$
RewriteRule ^products\.asp$ http://www.amazon.com/exec/obidos/ASIN/%1/YOURAMAZONID? [L]


Basically what the above code do is, everytime you type mydomain.com/products.asp?id=AMAZON-PRODUCT-ID even without the existence of products.asp file on your webserver, it’ll be redirected automatically to the Amazon link using your Referal ID :)

As a note, Mod Rewrite must be enabled on your server to do the last redirection trick

That’s it … i hope this small tips can be useful for you :)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 10 comments

0x87485B96 | Tags : Apache, Guide, Webmaster Tools

It’s been a while since the last time i wrote tips or whatever you called it :P … so i decided to write some tips on how to hardening your wordpress installation. As as you already guessed, this tips might be useful if you’re using Wordpress as your platform (blog, etc)

But first as a reminder, this is not a perfect way to secure your wordpress installation (because of various reasons / factors), but at least it’s going to harden your wordpress installation

And as a note, this is tested only on Apache Web server, and you’re allowed to override the configurations using .htaccess file and lastly … you need to have mod rewrite installed and activated (don’t worry if you can use Custom Permalinks that mean you’ve mod rewrite enabled on your hosting / server)

Okay without further ado … here are the tips :

1. Disable Directory Indexing

By disabling directory indexing, you can prevent people seeing through your directory structure

Step to Disable it :

Create or edit .htaccess file on your public_html directory and add this into your htaccess :

Options -Indexes

2. Removing Wordpress version number

Some people think that hiding your wordpress version number is not necessary, so feel free if you want to implement it or not

Step to Remove it :

Remove this line from the header.php file of your currently used theme :

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

also if you’re feeling a little bit adventurous, you can also remove the generator line from wp-includes/feed-*.php. Because by default wordpress is going to show your wordpress version number from your blog feed

3. Protecting WP-Admin Directory

In this example i’m going to tell you how to protect your wp-admin directory by checking your IP Address (it can be used even on dynamic ip address)

Step to Protect it :

3.1 If you’re using Static IP Address

Create new .htaccess file inside your wp-admin directory and add these lines into the newly created .htaccess file


<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>


3.2 If you’re using Dynamic IP Address

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.456\.
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>

What the above configuration does, is checking your IP Address first to see if you’re allowed to any file inside the wp-admin directory or not and if you’re not allowed to view it, you’ll be redirected automatically to specified address (you can use any address) by using 302 Found Header (Temporarily Moved)

As a side note, if you want the easiest way to password protect your wp-admin directory you can use this plugin by askapache or if you prefer to do it using the manual way … you can check blogsecurity website

4. Protecting wp-login.php and wp-register.php or any file you choose

Now you’ve protected your admin directory … but there’s one more step to do, especially if you’re the only person on your blog and also disabling user registration.

So this time we’re going to protect wp-login.php and wp-register.php, and here are the step to protect it :

Step to do it :

– Open the .htaccess file on the root of your public_html directory and choose which method that you like

4.1 Deny Access to wp-login.php by showing forbidden message


<Files wp-login.php>
Order deny,allow
Deny from All
Allow from 123.456.789.0
</Files>


4.2 Deny Access to wp-login.php by redirecting it to the specified address :


<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} wp-login.php
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>


As a note, you can also use Dynamic IP Address just like on Protecting WP-Admin Directory Method

That’s it … you’re done … hope this small wordpress tips can be useful for you

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 9 comments

0x87485B96 | Tags : Apache, Guide, Linux, Wordpress

After 1 week thinking about on should i install PHP-FastCGI with Suexec combined with XCache (PHP OP-Code Cache) because my current host aren’t going to support it (although they say, they can help me installing it) if i’m going this way, i’ve decided to use them all together eventhough i have to do it all by myself (as learning purpose of course) … and after 6 hours (or more) playing around with it … i managed to set them all nicely

Btw if you ask me, why i really want to use PHP-FastCGI with Suexec and XCache eventhough my host aren’t going to support it, the answers are :

1. Running PHP as Apache Module isn’t really good (although it’s the fastest and the easiest to configure with), because it’s running under Apache userid not your own userid. But if it’s for me, i do not like to chmod some of my files / directory into world writeable
2. PHPSuexec takes too many resources although it’s secure (from security point of view), but it has the other advantage, because if you run PHPSuexec, you don’t need to chmod some of your files / directory into 777 (beside chmod 777 is not going to work with PHPSuexec). Unfortunately the downside from this method is … i can’t use any PHP OPCode cache / any php accelerator out there

So based on that conclusion, i try reading various material about this stuff on the web, and found that the best solution is to use PHP-FastCGI with Suexec enabled to run under your own userid, and the good side from this method is you can use PHP Accelerator. Fortunately there’s someone who’s using an almost identical server setup like mine so i can simply follow his guide (although i need to do some little modification because i can’t seem to get the .fcgi script to run if i’m not putting it in some directory that is allowed to execute CGI) :D

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | Add a comment

0x87485B96 | Tags : Apache, Linux, PHP, Web Servers

This is perhaps might be useful especially to those who’s using managed server / managed vps (or have anything related to core system component installed and configured for you) and keep seeing client denied by server configuration message on your site error_log (via CPanel or other method) … because that’s what happened to me today

I keep seeing someone trying to access this site and get blocked immediately, but what makes it strange this error message only appear on some of my pages. Although when i tried to access those pages, i can see it without problem at all (yes, i have mod_security installed), so that mean there’s something wrong somewhere in my apache configuration because if it’s caused by hotlink protection, i already make sure it still can be viewed by those who’s blocking their referer address

So after taking a good look into the httpd.conf, i found that my current host already configured apache to load some configuration rules outside the httpd.conf, and after checking each conf i found something i haven’t seen before

DOSHashTableSize 3097
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10

Note : the above directives is a sample

Of course the next step would be searching what this configuration directive actually does, and then i find out that my host currently use mod_evasive as protection measure againts HTTP Ddos attack

So what do i do then ? of course after i read what those configuration directives do (you can see it from the readme file attached in the mod_evasive file), i reconfigured it by increasing it value slightly to make sure that it’s working properly

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | Add a comment

0x87485B96 | Tags : Apache, Linux, Web Servers

This is the fourth part of the Creating your own World of Warcraft Server using Mangos

1. The First part is all about Installing and Configuring MySQL on your Windows Machine
2. The Second part is about Configuring the WoW Mangos itself
3. The Third part is all about Setting up Private WOW Server for Lan Party
4. The Fourth part is all about Installing and Setting up Apache Webserver with PHP

Okay this is the last part of my guide about creating and setting up private wow server. And as the title said, this part is all about setting up webserver using apache on your pc that can be used to put the registration page for your private wow server

Previously i’ve said that i want to tell you on how to create the registration page for your wow server. Unfortunately, it seems impossible (if you know a good registration page that can be used for WoW Classic Server and TBC Server … please let me know) because different mangos version use different structure like column number differences between the wow classic server with the wow tbc server inside the realmd.account table. So in this guide im going to tell you to use the simple registration page created by Mangos-files.de that can be used for the registration page of your WoW Classic Server

But i think you don’t have to worry about that, because if you understand the steps required to set up webserver on your pc, basically you’ve done the important part with the exception you might need to edit / create the registration page by yourself

As a side note, you can also use your webserver for many other things like hosting your own webpages from your own computer :)

That’s all for the intro … now we’re going to start the guide

Requirements :

• Apache HTTPD (Free / Open Source) – In this example i use Apache 1.3.3.7 (Apache 1 Series)
• PHP Win32 Zip Version (Free / Open Source) – In this example i use PHP 4.4.3 (PHP4 Series)
• Know how to setup port forwarding
• A simple registration page for mangos (you can get it from here) / create one by yourself

Optional : Some people might prefer the easiest way of doing it … and if you like it that way then i’d suggest you to use XAMPP instead. But if you decided to use XAMPP and you already followed my previous mysql installation guide, you don’t need to enable the MySQL Service from XAMPP Control Panel

Note : i never tried using XAMPP but from the screenshot at XAMPP Website i think the XAMPP provides you a control panel / menu to enable or disable individual service from it

Important Note : Please take caution if you want to make your webserver accessible to everyone, because this guide only tell you the basic way of setting up webserver from your own computer

Installing Apache Webserver :

Since Apache installation for Windows is straightforward, you can just simply follow the setup process until this part, and then continue with the installation process until finished :

and don’t forget to remember the path where you’re going to install it

Installing PHP :

First of all you need to extract php into somewhere on your harddrive, and in this example the php location is at C:\PHP. And after you’ve finished extracting it, go to C:\PHP\Sapi from Windows Explorer and copy the php4apache.dll into the root of the php directory. If you choose to use Apache 2, then you need to copy the php4apache2.dll instead

Here’s what it should look like :

Installing PHP as module in Apache HTTPD :

Now after finished with the previous steps, you need to configure apache to load the php4 as a module. And here’s how to do it

1. Open httpd.conf in your Apache conf directory (in this example, the httpd.conf can be found at C:\Program Files\Apache Group\Apache\conf\httpd.conf)

2. Uncomment the :

LoadModule rewrite_module modules/mod_rewrite.so

and add this line after all the loadmodule :

LoadModule php4_module "C:/php/php4apache.dll"

Example image below :

3. At the addmodule section uncomment the :

AddModule mod_rewrite.c

and then at this line :

AddModule mod_php4.c

example image below :

4. At the addtype section add this line :

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

5. Now at the DirectoryIndex section add / replace the previous line with this one :

DirectoryIndex index.html index.php

From the above example, the index.html always get first priority over index.php file but you can change it as you like

Testing your Apache Installation :

As for the last, now you need to open the command prompt window (Start Menu -> Run -> type CMD) or Start Menu -> Accessories -> Command Prompt

and type :

1. Net stop apache
2. Net start apache

This is done to make apache reload the configuration files that have been changed

Now you’ve finished with all the process, but of course you need to make sure your webserver is working properly so now you need to test it by typing http://localhost via your browser and if you see something like above image, that means your webserver is working

You’ve finished setting up apache webserver, mysql and php on your computer .. Now what you should do next ? well … because this is part of the mangos series guide, of course now you need to put the registration page you’ve downloaded previously into your www document root directory

If you followed this guide, the document root can be found at C:\Program Files\Apache Group\Apache\htdocs … but since the webserver is located on the same location as where you are, you don’t need FTP Program to do it, you just need to copy / extract the simple registration page into that directory … simple isn’t it ?

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 114 comments

0x87485B96 | Tags : Apache, Guide, Tutorials, Web Servers

Small information about Hostgator, quoted from their about page. Hostgator is a privately owned company founded in 2002 that has no debt, is very profitable, and has NO intentions of selling any time soon. We provide service to over 400,000 websites on our shared and reseller plans. We are the world's leading provider of reseller accounts with over 10,000 resellers who have chosen us to provide the network, servers, and support required to launch a hosting business

At the time i write this post, i'm currently hosted by Hostgator (dunno if in the future) i'm going to move into other web hosting company or not. But one thing for sure is, when i posted this .. i have been with hostgator for 8 months (until March 07). And without further ado, here’s my own complete hostgator review (including their server setup and so on), based on my personal experience with them :

Webhosting Plan Offered :

1. Hatchling Croc :

• Price : $6.95 (paid yearly)
• Storage : 50 GB
• Bandwidth : 200 GB
• Type : Shared Hosting

2. Baby Croc :

• Price : $9.95 (monthly)
• Storage : 100 GB
• Bandwidth : 1 TB / 1000 GB
• Type : Shared Hosting

3. Swap Croc :

• Price : $14.95 (monthly)
• Storage : 200 GB
• Bandwidth : 2 TB / 2000 GB
• Type : Shared Hosting

4. Semi Dedicated :

• Price : $74.95 (monthly)
• Storage : 25 GB
• Bandwidth : 500 GB
• Type : Shared Hosting, almost VPS like with the exception there’s no root access

Server Setup and Features :

1. Using CPanel and Fantastico that provides one click installation to various web application such as Wordpress
2. They are using PHPSuexec on their server which is a plus for security reason
3. You can choose whether you want PHP5 or PHP4 on your server
4. Using MySQL 4.1.xx as their SQL Database
5. Support Ruby on Rails
6. Adult supported (to those who’s interested on creating adult website)
7. On my current server i got this setup, Intel(R) Xeon(TM) CPU 3.20GHz with 4242960384 KB RAM
8. They can also give you SSH access to your own account known as Jailed SSH, and to activate this features you can just simply give them your photo id as identification

Server / Resources Usage Limitation :

1. Can not use 25% or more of system resources for longer then 90 seconds
2. Can only run cron entries with intervals of less than 15 minutes
3. There is a 200 hourly email limit per domain this limit is also applied towards mailman
4. 30 Maximum Concurrent Connection to MySQL
5. If you’re using Hostgator nameserver and using shared hosting, the only option to change your DNS settings is by emailing them and ask them to change it
6. No SSH (this is not necessary to those who’s not interested on unix command)

Personal Opinion About Hostgator :

They’re a good webhosting company, good respond time from their sales and support team. And the Level 3 Support team is really good and does the job very well (24 Hours support). And as a side note, i live in GMT +7 timezone

Good Uptime, although sometimes there’s downtime but i'm sure that every webhosting out there has downtime issue (last night there’s downtime for about 45 Minutes reported by Pingdom Monitoring, and Siteuptime). If you want to see the uptime of this website, you can check my sidebar for it

The only thing i do not like from them is i have to email them everytime whenever i want to change / add zones to my domain. Maybe they should give access to zones editing or such stuff so i can modify my zones manually without telling them to do it whenever i want to add something (for example adding CName)

Other thing i like is the SSH access to simplify thing, although im not a unix expert

And the conclusion is, if you seek a reliable web hosting company and can be trusted, you might try using the Hostgator service and see it for yourself

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 6 comments

0x87485B96 | Tags : Apache, Linux, Opinion, Web Hosting, Web Servers

I found this from SecFocus website regarding the XSS problem on Wordpress 2.1.1 (0day) yesterday .. and this new xss exploit works on version 2.1.1 .. (i’ve already tested it on my local server) – Link (SecFocus) / Link 2 (Secunia) and here’s what it said :

Samenspender has discovered a vulnerability in WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "post" parameter in wp-admin/post.php (when "action" is set to "delete") is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the target user is logged in as administrator.

The vulnerability is confirmed in version 2.1.1. Other versions may also be affected.

And today, i read another possible script injection attack on wordpress <= 2.1.1 based blogging platform discovered by Stefan Friedli – Link

The only solution i’ve found so far to prevent / reduce the damage of this attack is by protecting your wordpress admin directory using .htaccess or you can also use mod_security if it’s installed on your webserver

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 3 comments

0x87485B96 | Tags : Apache, Network and Security, PHP, Website, Wordpress

Because i’ve been getting queries from search engine from someone who want his domain name always use the www version instead of non www version, i decided to post it again. Well although i’ve already write about this before, but it seems for some people they don't know which part is the force www.

And because i’ve already explained it before, i'm not going into much detail and don't forget to put this in your .htaccess file :

That’s it, and you’re finished, and as a side note you should choose to use only the www or non www version of your domain name, because Google doesn't like duplicate content on same website / domain name. ;)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | One comment

0x87485B96 | Tags : Apache, Google, Guide, Linux, SEO, Tutorials, Web Servers

Okay, so you just bought a new domain name but you doesn't want to buy another webhosting plan because your current webhosting already allow you to host multiple domain under one account so you decided not to buy another hosting. Although addon domain can be set up easily, but as you already knew that addon domain can be accessed through various url because addon domain is a subdirectory of your current hosting directory

For example you already have a website hosted by some webhosting service using mydomain.com as your domain name, most likely your public_html or your web root directory will be /home/yourdomain.com/public_html. And if you buy another domain name (for example addondomain.com), your addon domain web root or public_html directory will be /home/yourdomain.com/public_html/addondomain (although the addon domain name directory may vary because you can change it)

And to access your addon domain name or url, you can use various method like below :

• www.mydomain.com/addondomain
• mydomain.com/addondomain
• addondomain.mydomain.com
• www.addondomain.mydomain.com
• www.addondomain.com
• addondomain.com

The first url, sure doesn't looks to good. Because everyone can see that your addondomain is a subdirectory of your primary domain. As for the second url, it’s not that good too. Because most of web surfer always forgot to add www before going to a website (although it’s up to you whether you want your website with or without www) .. but if it's for me i’d rather have www by enforcing them automatically like Yahoo!

The third and fourth url is because is not good too because it list your addondomain as a subdomain of your primary domain, and i'm pretty sure no one like that, right ?

And the fifth and sixth address is the correct url, but the sixth address is without www before your domain name. And just like i said before, that depend on you .. but as a side note, i'm going to tell you how to force your website to always using www in front of your addondomain or domain name and if they write the url using the first – fourth address, it’ll automatically change into addondomain.com.

And in order to use that, you’ll need modrewrite enabled on your Linux Webhosting (and of course your Linux Server must be running Apache as the web server)

Here’s a few lines of code you should put into your .htaccess file so it’ll automatically do the job for your addondomain, no matter what url typed into the address bar of your visitors browser

<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?addondomain\.mydomain\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^!www\.addondomain\.com [NC]
RewriteRule ^(.*)$ http://www.addondomain.com/$1 [R=301,L]
RewriteCond %{HTTP_HOST} ^addondomain.com [NC]
RewriteRule ^(.*)$ http://www.addondomain.com/$1 [R=301,L]
RewriteCond %{REQUEST_URI} ^/addondomain($|/.*$)
RewriteRule ^.* http://www.addondomain.com%1 [R=301,L]
</IfModule>

The IfModule used just in case your server didn't have modrewrite enabled, so your server doesn't return a 500 status header, as for the other part, i think it self explained because you can see it clearly … as a side note, i'm using this on a few of my domain name. And hopefully this small .htaccess or modrewrite guide / tips / whatever can be usefull for you :)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 6 comments

0x87485B96 | Tags : Apache, Guide, Internet, Linux, Tutorials, Web Servers

Yesterday i’ve finished setting up the redirection on my feed url so all the request made into my feed url got redirected automatically into my feedburner url. There’s a lot of website already put this guide on how to redirect your wordpress feed into feedburner feed, but in my case i was using the redirect only for human not bot.

Because if you submit your site feed into google sitemap or yahoo sitemap, your feedburner feed can’t be read by those bot or other rss aggregator bot if you choose to optimize your feedburner feed so it’s browser friendly. If you don’t understand what i mean about optimizing your feedburner feed, take a look at my feedburner feed at http://feeds.reaper-x.com/ReaperX and you’ll see the XML file was transformed by feedburner so you can read it in your browser, instead of showing the XML codes. But this optimizing thing doesn’t looks good to bot / rss aggregator bot because bot can only see it in real xml format not the converted xml codes. And so i decided to make .htaccess file containing redirection only for human not for bot (although i don’t have a complete list but this one already enough for me).

And here’s the sample .htaccess file i'm using to redirect my feed into feedburner :


RewriteCond %{HTTP_USER_AGENT} !^.*RSS.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Aggregat.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Crawler.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Seek.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Google.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Yahoo.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*FeedBurner.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Spider.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Bot.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Wordpress.* [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*Ask.* [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/ReaperX [R=301,NC,L]



Forget about that part ... the simple way to do it is just like this :)

# 301 Redirect to the new feed url for every
RewriteCond %{HTTP_USER_AGENT} !Feedburner [NC]
RewriteRule ^feed/?([-_0-9a-z]+)?/?$ http://feeds.reaper-x.com/ReaperX [R=301,NC,L]


# 301 Redirect to the new comments feed url
RewriteCond %{HTTP_USER_AGENT} !Feedburner [NC]
RewriteRule ^comments/feed/?([-_0-9a-z]+)?/?$ http://feeds.reaper-x.com/ReaperXComments [R=301,NC,L]


Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | One comment

0x87485B96 | Tags : Apache, Guide, Linux, Tutorials, Wordpress

Yesterday i just read about the recent security flaw in mod_rewrite modules in Apache HTTP Server that can make the web server process crash or allow arbitrary code execution by a malicious user. And here’s the announcement from the Apache HTTP Security team :

CVE-2006-3747: An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

• The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
• The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

So in the other words, every users should update their Apache installation immediately, especially for those who’s already using a blogging platform like Wordpress, because if you want to use the Permalink feature, you’ll have to use mod_rewrite function and the Wordpress installation included that by default (except it doesn't have write access to the .htaccess file) but if you’re using your own computer as a server, then you should apply this update immediately

And here’s a link if you want to get more information about this issue :

• Apache HTTP Server 1.3.37 Released
• US-CERT Vulnerability Note VU#395412
• Apache Official Website

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | Add a comment

0x87485B96 | Tags : Apache, Computer Security, Journal, Network and Security, Web Servers

After playing around with my new host … i finally found out that this host support permanent redirect, full mod_rewrite support, etc !!! … unlike my previous host, although i’ve set up some pretty redirect it always give the same result, although the permalink works it still return 302 http header no matter what !!! … I think i'm going to be with this new host for a long time … lol .. and hopefully they’ll reduce their prices too (you know from someone in 3rd country like me, $5 means alot) :)

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | Add a comment

0x87485B96 | Tags : Apache, Journal, Web Hosting, Web Servers, Website

I have completely finished all the initial setup on my new homepage, after configuring domain name, uploading the wordpress software, installing some plugins, put one wordpress theme to use instead of the default kubrick, and many other steps … but i think just in case you want to have your own hosting service like me (actually this is shared between me and my uncle’s) :P … anyway, i’m going to give you some tips on how to copy your old blogs post / article into your new hosting service without using RSS because its not quite perfect (and this is the way i'm doing it) but i'm not going into detail here because it’ll be reallllly long … and just a note, my hosting service doesn't provide CPanel or Fantastico that can simplify your CMS Software Installation

Required Software :

• Apache Web Server : a Web Server Software so you can run Wordpress on your computer
• MySQL : SQL Database which is required by Wordpress
• Phpmyadmin : to simplify MySQL database management
• Wordpress MU : Required because the most perfect way to import your blogs posts by using Wordpress MU (at the time i wrote this)
• Wordpress SU : This is the one you’re going to use on your web hosting service, if it doesn't give you Fantastico (but i prefer to upload it directly instead of using Fantastico)

The first step is, install Apache and MySQL on your Computer and configure it correctly so your web server can be accessed at http://localhost by typing at the browser address bar. And as for the next step if you’re using Windows, open the HOSTS file in Windows/System32/Drivers/etc directory and add these line (if you’re using linux there’s no need to use this) :

127.0.0.1 localhost.localdomain

because Wordpress MU required to be run at localhost.localdomain instead of just localhost. And after doing the above steps, extract the Phpmyadmin into the root of your web server directory (in your computer) .. and configure it as necessary like configuring the mysql database path and so on. If you already finish that step, open your web browser and try opening http://localhost.localdomain/phpmyadmin (depends on your phpmyadmin directory) and see if you can open it and access the mysql database in your browser.

And now, create a database to use on Wordpress MU installation, and extract the Wordpress MU Archive into the directory of your webserver, and configure it again to use that database. And once again open your browsers and point the url into your Wordpress MU directory and see if it can load properly, then follow the steps given untill finished

And now (how many time did i say “And Now” ? ) … lol … open your web browsers into your Wordpress.com account and choose Manage -> Export -> and save it in your harddisk. Then Open up the wordpress MU url again in your browser and choose to Import the Wordpress xml file and wait untill your post has been succesfully imported into the Wordpress MU installation, and now open the phpmyadmin url in your browser and open up the _categories table and delete link_count, posts_private and links_private field, then choose to Export from the Wordpress MU SQL Database only at the below table using any format you choose :

*_categories , *_comments , *_posts , and *_post2cat

after doing the above step, if you were using an uncompressed format, copy – paste all the sql query into your favorite text editor … and rename all the *_table so the results will be :

wp_categories , wp_comments , wp_posts and wp_post2cat

and now upload the wordpress single user installation into your web hosting service, and install the wordpress single users and login into your admin dashboard and delete all the welcome messages, comment, posts, etc (just to be safe) … after that open Phpmyadmin (most web hosting service already gives you this, including me that’s not using Fantastico or CPanel) and choose to run the previous sql query by importing it … and wait …

That’s it you’re finished ;) … all your wordpress.com posts are imported into standard wordpress installation … hopefully you understand what i'm trying to say (sorry if my english is bad) … and just a note … this is a manual step without using RSS / external plugin to import your posts and require you to know about SQL, Web Server and such stuff, so if you don’t understand about this stuff i suggest you try asking someone who can help you importing your wordpress posts into your new host.

Copyright © Reaper-X Technology – www.reaper-x.com | Permalink | 2 comments

0x87485B96 | Tags : Apache, Blogging, General Blogging, Tutorials, WPMU, Web Hosting, Wordpress