
Wordpress (14)

There are many ways to protect WordPress. One of the most frequent security failures comes through POST requests that exploit vulnerabilities discovered and published on security forums.

As always, WordPress offers a fairly wide repertoire of plugins for every kind of functionality you might be looking for. In this case WordPress also offers plugins to block malicious POST requests, such as Block Bad Queries, which is quite useful for protecting the site against the most common attacks.

Another option is to modify the .htaccess file in the directory where the WordPress theme lives, adding the following code:

<?php
// Each stripos() result is compared against false: stripos() returns 0 when the
// needle sits at the very start of the string, and a bare 0 would be treated as "no match".
$request_uri  = isset($_SERVER['REQUEST_URI'])     ? $_SERVER['REQUEST_URI']     : '';
$query_string = isset($_SERVER['QUERY_STRING'])    ? $_SERVER['QUERY_STRING']    : '';
$user_agent   = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

// request uri
if (    //strlen($request_uri) > 255 ||
    stripos($request_uri, 'eval(') !== false ||
    stripos($request_uri, 'CONCAT') !== false ||
    stripos($request_uri, 'UNION+SELECT') !== false ||
    stripos($request_uri, '(null)') !== false ||
    stripos($request_uri, 'base64_') !== false ||
    stripos($request_uri, '/localhost') !== false ||
    stripos($request_uri, '/pingserver') !== false ||
    stripos($request_uri, '/config.') !== false ||
    stripos($request_uri, '/wwwroot') !== false ||
    stripos($request_uri, '/makefile') !== false ||
    stripos($request_uri, 'crossdomain.') !== false ||
    stripos($request_uri, 'proc/self/environ') !== false ||
    stripos($request_uri, 'etc/passwd') !== false ||
    stripos($request_uri, '/https/') !== false ||
    stripos($request_uri, '/http/') !== false ||
    stripos($request_uri, '/ftp/') !== false ||
    stripos($request_uri, '/cgi/') !== false ||
    stripos($request_uri, '.cgi') !== false ||
    stripos($request_uri, '.exe') !== false ||
    stripos($request_uri, '.sql') !== false ||
    stripos($request_uri, '.ini') !== false ||
    stripos($request_uri, '.dll') !== false ||
    stripos($request_uri, '.asp') !== false ||
    stripos($request_uri, '.jsp') !== false ||
    stripos($request_uri, '/.bash') !== false ||
    stripos($request_uri, '/.git') !== false ||
    stripos($request_uri, '/.svn') !== false ||
    stripos($request_uri, '/.tar') !== false ||
    stripos($request_uri, ' ') !== false ||
    stripos($request_uri, '<') !== false ||
    stripos($request_uri, '>') !== false ||
    stripos($request_uri, '/=') !== false ||
    stripos($request_uri, '...') !== false ||
    stripos($request_uri, '+++') !== false ||
    stripos($request_uri, '://') !== false ||
    stripos($request_uri, '/&&') !== false ||
    // query strings
    stripos($query_string, '?') !== false ||
    stripos($query_string, ':') !== false ||
    stripos($query_string, '[') !== false ||
    stripos($query_string, ']') !== false ||
    stripos($query_string, '../') !== false ||
    stripos($query_string, '127.0.0.1') !== false ||
    stripos($query_string, 'loopback') !== false ||
    stripos($query_string, '%0A') !== false ||
    stripos($query_string, '%0D') !== false ||
    stripos($query_string, '%22') !== false ||
    stripos($query_string, '%27') !== false ||
    stripos($query_string, '%3C') !== false ||
    stripos($query_string, '%3E') !== false ||
    stripos($query_string, '%00') !== false ||
    stripos($query_string, '%2e%2e') !== false ||
    stripos($query_string, 'union') !== false ||
    stripos($query_string, 'input_file') !== false ||
    stripos($query_string, 'execute') !== false ||
    stripos($query_string, 'mosconfig') !== false ||
    stripos($query_string, 'environ') !== false ||
    //stripos($query_string, 'scanner') !== false ||
    stripos($query_string, 'path=.') !== false ||
    stripos($query_string, 'mod=.') !== false ||
    // user agents
    stripos($user_agent, 'binlar') !== false ||
    stripos($user_agent, 'casper') !== false ||
    stripos($user_agent, 'cmswor') !== false ||
    stripos($user_agent, 'diavol') !== false ||
    stripos($user_agent, 'dotbot') !== false ||
    stripos($user_agent, 'finder') !== false ||
    stripos($user_agent, 'flicky') !== false ||
    stripos($user_agent, 'libwww') !== false ||
    stripos($user_agent, 'nutch') !== false ||
    stripos($user_agent, 'planet') !== false ||
    stripos($user_agent, 'purebot') !== false ||
    stripos($user_agent, 'pycurl') !== false ||
    stripos($user_agent, 'skygrid') !== false ||
    stripos($user_agent, 'sucker') !== false ||
    stripos($user_agent, 'turnit') !== false ||
    stripos($user_agent, 'vikspi') !== false ||
    stripos($user_agent, 'zmeu') !== false
) {
    // Reject the request before WordPress loads; @ silences "headers already sent" notices.
    @header('HTTP/1.1 403 Forbidden');
    @header('Status: 403 Forbidden');
    @header('Connection: Close');
    @exit;
}

It is worth clarifying that every WordPress theme has its peculiarities, so it is not advisable to paste the code blindly into the .htaccess file. If you do, the site will most likely stop working.
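The snippet above is PHP, and Apache reads .htaccess as configuration directives, so it has to run from PHP itself. The usual home for this kind of check is a must-use plugin (a file dropped into wp-content/mu-plugins/, loaded before ordinary plugins and themes). The following is an added example, not code from the post or from the Block Bad Queries project: it keeps the match logic in a plain function so it can be exercised from the command line with constructed requests, and it uses `stripos(...) !== false` so a match at offset 0 (a query string beginning with `union`, a user agent beginning with `zmeu`) is not silently ignored. The pattern lists are shortened from the post's lists, and the `bqf_` prefix, the plugin name and the log format are assumptions.

```php
<?php
/*
Plugin Name: Bad Query Filter (example)
Description: Example must-use plugin that rejects requests matching known-bad substrings.
*/

// Substring lists, trimmed from the post's snippet; tune them to your own traffic.
const BQF_BAD_URI   = array('eval(', 'base64_', 'etc/passwd', 'proc/self/environ', '/.git', '/.svn', '<', '>', '://');
const BQF_BAD_QUERY = array('../', '%00', '%2e%2e', '%3C', '%3E', 'union', 'environ');
const BQF_BAD_AGENT = array('libwww', 'pycurl', 'zmeu', 'binlar');

/**
 * True if any needle appears in the haystack (case-insensitive).
 * stripos() returns 0 for a match at offset 0, so the result is compared
 * against false instead of being used as a boolean.
 */
function bqf_contains_any($haystack, array $needles) {
    foreach ($needles as $needle) {
        if (stripos($haystack, $needle) !== false) {
            return true;
        }
    }
    return false;
}

/** The decision, kept free of globals so it can be tested outside WordPress. */
function bqf_is_bad_request($uri, $query, $agent) {
    return bqf_contains_any($uri, BQF_BAD_URI)
        || bqf_contains_any($query, BQF_BAD_QUERY)
        || bqf_contains_any($agent, BQF_BAD_AGENT);
}

if (defined('ABSPATH')) {
    // Running inside WordPress as a must-use plugin.
    $uri   = isset($_SERVER['REQUEST_URI'])     ? $_SERVER['REQUEST_URI']     : '';
    $query = isset($_SERVER['QUERY_STRING'])    ? $_SERVER['QUERY_STRING']    : '';
    $agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';

    if (bqf_is_bad_request($uri, $query, $agent)) {
        // Leave a trace for incident review in the PHP error log (format is an assumption).
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
        error_log(sprintf('bqf: blocked ip=%s uri=%s ua=%s', $ip, $uri, $agent));
        status_header(403);   // WordPress helper that sets the HTTP status line
        nocache_headers();    // make sure the 403 is not cached by intermediaries
        exit;
    }
} else {
    // Stand-alone run (php bqf.php): three constructed requests, not real traffic.
    var_dump(bqf_is_bad_request('/index.php', 'p=1', 'Mozilla/5.0'));
    var_dump(bqf_is_bad_request('/index.php', 'union select 1', 'Mozilla/5.0'));
    var_dump(bqf_is_bad_request('/wp-login.php', '', 'zmeu'));
}
```

Run from the CLI the last two constructed requests are reported as bad only because of the `!== false` comparison; with the truthiness test of the original snippet both matches sit at offset 0 and would pass through. Substring lists like this are a coarse filter: keep the log line so that false positives on legitimate URLs can be found and the lists adjusted.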

Advanced Access Manager

Advanced Access Manager (aka AAM) is all you need to manage access to your website frontend and backend for any user, role or visitors.

 

FEW QUICK FACTS

The only plugin that gives you absolute freedom to define the most granular access to any aspect of your website, and most of the features are free;

Bullet-proof plugin that is used on over 100,000 websites where all features are well-tested and documented. A very low number of support tickets speaks for its quality;

It is the only plugin that gives you the ability to manage access to your website content for any role, individual user and visitors or even define the default access to all posts, pages, custom post types, categories and custom hierarchical taxonomies;

AAM is a developer-oriented plugin. It has dozens of hooks and configurations. It is integrated with the WordPress RESTful and XML-RPC APIs and has numerous abstraction layers to simplify coding;

No ads or other promotional crap. The UI is clean and well crafted so you can focus only on what matters;

No need to be a “paid” customer to get help. Request support via email or start a chat with Google Hangout;

Some features are limited or available only with premium extensions. AAM functionality is transparent and you will know exactly when you need to get a premium extension;

MAIN AREAS OF FOCUS

Access & Security Policy allows you to define who, when, how and under what conditions your website resources can be accessed;

Content access control on frontend, backend and API sides to posts, pages, custom post types, categories, custom hierarchical taxonomies and CPTs for any role, user and visitors;

Roles & capabilities management with the ability to create new roles and capabilities and to edit, clone or delete existing ones;

Access control to backend area including backend menu, toolbar, metaboxes & widgets;

Access control to RESTful & XML-RPC APIs;

Developer friendly API so it can be used by other developers to work with AAM core;

And all necessary features to set up a smooth user flow during login, logout, access denied events, 404, etc.

THE MOST POPULAR FEATURES

[free] Manage Backend Menu. Manage access to the backend menu for any user or role. Find out more from How to manage WordPress backend menu article;

[free] Manage Roles & Capabilities. Manage all your WordPress role and capabilities.

[free] Create temporary user accounts. Create and manage temporary user accounts. Find out more from How to create temporary WordPress user account;

[limited] Content access. Very granular access to an unlimited number of posts, pages or custom post types (19 different options). With the premium Plus Package extension also manage access to hierarchical taxonomies or set up the default access to all post types and taxonomies. Find out more from How to manage access to the WordPress content article;

[free] Manage Admin Toolbar. Filter out unnecessary items from the top admin toolbar for any role or user.

[free] Backend Lockdown. Restrict access to your website backend side for any user or role. Find out more from How to lockdown WordPress backend article;

[free] Secure Login Widget & Shortcode. Drop AJAX login widget or shortcode anywhere on your website. Find out more from How does AAM Secure Login works article;

[free] Ability to enable/disable RESTful and XML-RPC APIs.

[limited] URI Access. Allow or deny access to any page of your website by the page URL, as well as define where to redirect the user when access is denied;

[free] Manage access to RESTful or XML-RPC individual endpoints for any role, user or visitors.

[free] JWT authentication. Authenticate a user with the WordPress RESTful API and use the received JWT token for further requests. Find out more from How to authenticate WordPress user with JWT token;

[free] Login with URL. For more information check WordPress: Temporary User Account, Login With URL & JWT Token article.

[free] Content Filter. Filter or replace parts of your content with AAM shortcodes. Find out more from How to filter WordPress post content article;

[free] Login/Logout Redirects. Define custom login and logout redirect for any user or role;

[free] 404 Redirect. Redefine where the user should be redirected when a page does not exist. Find out more from How to redirect on WordPress 404 error;

[free] Access Denied Redirect. Define custom redirect for any role, user or visitors when access is denied for restricted area on your website;

[free] Manage Metaboxes & Widgets. Filter out restricted or unnecessary metaboxes and widgets on both frontend and backend for any user, role or visitors. Find out more from How to hide WordPress metaboxes & widgets article;

[paid] Manage access based on IP address or referring domain. Manage access to your website for all visitors based on the referring host or IP address. Find out more from How to manage access to WordPress website by IP address article;

[paid] Monetize access to your content. Start selling access to your website content with the premium E-Commerce extension. Find out more from How to monetize access to the WordPress content article;

[free] Multisite support. Sync access settings across your network or even restrict non-members from accessing one of your sites. Find out more from AAM and WordPress Multisite support;

[free] Multiple role support. Finally AAM supports multiple roles per user. Find out more from WordPress access control for users with multiple roles;

 

[and even more…] Check our help page to learn more about AAM

 

What XML-RPC is

XML-RPC is a protocol that uses XML to structure data and HTTP to transmit that XML-structured data.

The XML-RPC protocol was developed in 1998 by UserLand Software in collaboration with Microsoft; Microsoft eventually considered XML-RPC too simple and turned it into what is now called SOAP.

In WordPress, XML-RPC acts as an interface that serves as an API for external applications, letting us interact with a WordPress installation from external applications or services.

Because it works as an external interface it is almost a “front door”, and that door can easily be attacked from outside, causing high resource consumption as the authentication process is executed over and over again.
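The usual mitigation is to switch the door off unless something genuinely needs it, and where it must stay on, to remove the methods that let a single request carry many authentication attempts. The following must-use plugin is an added example, not code from the post: it uses WordPress core's own filters (`xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `xmlrpc_login_error`); the `XRH_` prefix, the plugin name and the log line are assumptions.

```php
<?php
/*
Plugin Name: XML-RPC Hardening (example)
Description: Example must-use plugin: disable XML-RPC, or strip its riskiest methods if it must stay on.
*/

// Set to true only when a client (a mobile app, a publishing tool) really needs XML-RPC.
const XRH_KEEP_XMLRPC = false;

if (!XRH_KEEP_XMLRPC) {
    // Core filter: methods that require authentication answer with a fault before any
    // password is checked. It does NOT cover pingback.* or demo.* methods, hence the
    // method filter below is applied in both modes.
    add_filter('xmlrpc_enabled', '__return_false');
}

// system.multicall bundles many calls (and so many login attempts) into one POST;
// pingback.ping makes the site fetch a remote URL on request. Remove both.
add_filter('xmlrpc_methods', function (array $methods) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback response header, no RSD <link> in the head.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');

// Make failed XML-RPC logins visible to monitoring. The filter passes the WP_Error and
// the username; the error is returned unchanged.
add_filter('xmlrpc_login_error', function ($error, $user) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log(sprintf('xmlrpc login failure user=%s ip=%s', $user, $ip));
    return $error;
}, 10, 2);
```

With `XRH_KEEP_XMLRPC` left at `false` a `wp.getUsersBlogs` call returns a fault without touching the user table, which is what removes the repeated-authentication cost the paragraph describes. If the endpoint has to stay enabled, the log line feeds the same rate limiting or fail2ban rules already used for wp-login.php.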

Sometimes, after installing a new plugin, switching themes or trying to take advantage of what PHP 7 brings to our WordPress installations, you find that your site no longer works and shows the following message on a blank page:

“Fatal error: Allowed memory size of 41943040 bytes exhausted”

followed by the path of one of your WordPress files.

Wednesday, 26 December 2018 00:25

How to fix the utf8mb4_unicode_520_ci error


When we migrate a WordPress site to another server, while importing the database (as an .sql file, or compressed) into the new server through phpMyAdmin we may run into an error mentioning utf8mb4_unicode_520_ci, which on an English-language setup reads:

Unknown collation: ‘utf8mb4_unicode_520_ci’.

 

To fix it, open the .sql file in the Notepad++ editor, replace every occurrence of utf8mb4_unicode_520_ci with utf8mb4_unicode_ci, save the file and import it again. The error will no longer appear.
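The error appears because the destination MySQL/MariaDB server is older than the one the dump came from and does not know the utf8mb4_unicode_520_ci collation; the replacement works because utf8mb4_unicode_ci exists on every utf8mb4-capable server. A text editor is fine for small dumps, but large ones are easier to handle with a streaming rewrite. The script below is an added example, not from the post: it processes the dump line by line, also maps utf8mb4_0900_ai_ci (the MySQL 8 default, which older servers reject the same way), and reports how many references it rewrote. The file names and the embedded three-line dump fragment are constructed.

```php
<?php
// Usage: php fix_collation.php dump.sql dump.fixed.sql
// Without arguments it runs on a constructed sample and prints the result.

// Collations an older server does not know, mapped to one that every utf8mb4 server has.
const COLLATION_MAP = array(
    'utf8mb4_unicode_520_ci' => 'utf8mb4_unicode_ci',
    'utf8mb4_0900_ai_ci'     => 'utf8mb4_unicode_ci',
);

/** Rewrite one line of the dump; returns array(new line, replacements made on it). */
function fix_collation_line($line) {
    $count = 0;
    $fixed = str_replace(array_keys(COLLATION_MAP), array_values(COLLATION_MAP), $line, $count);
    return array($fixed, $count);
}

/** Stream the whole dump, so memory use stays flat for multi-gigabyte files. */
function fix_collation_file($in_path, $out_path) {
    $in  = fopen($in_path, 'r');
    $out = fopen($out_path, 'w');
    if ($in === false || $out === false) {
        throw new RuntimeException('cannot open input or output file');
    }
    $total = 0;
    while (($line = fgets($in)) !== false) {
        list($fixed, $n) = fix_collation_line($line);
        $total += $n;
        fwrite($out, $fixed);
    }
    fclose($in);
    fclose($out);
    return $total;
}

if (PHP_SAPI === 'cli') {
    if (isset($argv[2])) {
        printf("%d collation references rewritten\n", fix_collation_file($argv[1], $argv[2]));
    } else {
        // Constructed dump fragment, the shape mysqldump produces for a WordPress table.
        $sample = array(
            "CREATE TABLE `wp_posts` (\n",
            "  `post_title` text COLLATE utf8mb4_unicode_520_ci NOT NULL\n",
            ") ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;\n",
        );
        foreach ($sample as $line) {
            list($fixed, $n) = fix_collation_line($line);
            echo $n, ' | ', $fixed;
        }
    }
}
```

The replacement is purely textual, so it also touches any post content that happens to contain the collation name; for a WordPress dump that is harmless, and the per-line count makes unexpected hits easy to spot.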

Monday, 05 November 2018 12:14

Examples of implementing Ajax Load More

The original text is here:

https://connekthq.com/plugins/ajax-load-more/add-ons/previous-post/#implementation

1) Create a Repeater Template

2) Insert the following code into single.php:

<?php
// Our single template (single.php)
// Replace the entire contents of the WordPress loop with the [ajax_load_more] shortcode.
// https://connekthq.com/plugins/ajax-load-more/add-ons/previous-post/
?>
<?php get_header(); ?>
 
<main id="page-content">
  <div class="post-container">
    <?php
    // The loop
    if ( have_posts() ) :
      while (have_posts() ) : the_post();
        // replaced with Ajax Load More shortcode
        echo do_shortcode('[ajax_load_more post_type="post" repeater="default" previous_post="true" previous_post_id="'. get_the_ID() .'" posts_per_page="1" button_label="Previous Post"]');
      endwhile;
    endif;
    ?>
  </div>
</main>
 
<?php get_footer(); ?>
 
------------------------------------------------------------------------
More examples for excluding posts:
https://connekthq.com/plugins/ajax-load-more/docs/code-samples/exclude-posts/

Monday, 05 November 2018 12:11

Getting the current category ID in WordPress

You can use the get_the_category() function:

$categories = get_the_category();
// get_the_category() returns an empty array for a post with no category,
// so check before reading index 0.
$category_id = !empty($categories) ? $categories[0]->cat_ID : 0;

Description

Videos and pictures don’t have to be difficult. Gabfire themes include a media module that makes embedding media simple.

This plugin is maintained by the folks over at http://www.gabfirethemes.com

We strongly suggest you to use this plugin together with

https://wordpress.org/plugins/otf-regenerate-thumbnails/

 

SAMPLE CODE

<?php
gabfire_media(array(
    'name' => 'figure',
    'imgtag' => 1,
    'link' => 1,
    'enable_thumb' => 1,
    'enable_video' => 0,
    'resize_type' => 'c',
    'media_width' => 415,
    'media_height' => 284,
    'thumb_align' => 'alignnone',
    'enable_default' => 1,
    'default_name' => 'defaultimage.png'
));
?>

name -> Name of the post thumbnail size that is going to be resized to display the featured image

imgtag -> 1 or 0. Using this option you can add/remove ‘<img src’ tag to image.

link -> 1 or 0. If set 1, the image will have a link to post

enable_thumb -> 1 or 0. You may want to use this option just to get featured post thumbnails

enable_video -> 1 or 0. You may want to use this option just to get videos

resize_type -> c, w, or h. C will crop image to exact size. w resizes the width and calculates height in proportion. h resizes the height and calculates width in proportion.

thumb_align -> adds a class to media

enable_default -> 1 or 0. You can set a default image to display if post has no media

default_name -> name of image to display. The image path is yourtheme/images/thumbs directory.

 

HOW TO ADD A VIDEO

If you are going to use Youtube/Vimeo/Dailymotion -> copy video URL from browser bar -> add it via custom field to your post using key name iframe

If you’d like to display a self hosted MP4, WEBM or OGV file, add them as below

Custom field key name video-mp4 and enter full file url into value field

Custom field key name video-webm and enter full file url into value field

Custom field key name video-ogv and enter full file url into value field

To add a caption (SRT or VTT format) to the video, use custom field name caption-url-1 and full file url into value field

Wednesday, 18 April 2018 20:18

After migrating WordPress from Linux to Windows IIS

When WordPress is migrated from Linux to Windows IIS, one of the things that will stop working is pretty permalinks. On Windows, .htaccess does not work; instead you have to place a web.config file so that the server lets you use pretty permalinks. Here is an example web.config to get pretty permalinks working.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>

Wednesday, 01 November 2017 11:27

Configuring SSL in WordPress

To configure HTTPS in WordPress, follow these steps:

1) Edit wp-config.php and add the following line:

define('FORCE_SSL_ADMIN', true);

2) Go to the Settings menu and change the site URLs to https:

3) Change .htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress
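The three steps above assume Apache terminates TLS itself. When a reverse proxy or load balancer terminates TLS and forwards plain HTTP to Apache, `%{SERVER_PORT}` is never 443 and `is_ssl()` is false, so `FORCE_SSL_ADMIN` and the redirect send the browser round in a loop. The wp-config.php fragment below is an added example, not from the post: it sets `$_SERVER['HTTPS']` from the `X-Forwarded-Proto` header, but only when the request really comes from the proxy, because that header is attacker-controlled on any direct connection. The proxy address, the `TRUSTED_PROXIES` name and the helper function are assumptions; the fragment belongs above the `require_once ABSPATH . 'wp-settings.php';` line.

```php
<?php
// wp-config.php (excerpt) - HTTPS handling behind a TLS-terminating proxy.

define('FORCE_SSL_ADMIN', true);

// Only the proxy is allowed to tell us the scheme; address is an assumption for the example.
const TRUSTED_PROXIES = array('10.0.0.5');

/**
 * Decide whether the client-facing connection is HTTPS.
 * Takes the server array as a parameter so it can be exercised with constructed input.
 */
function site_is_https_request(array $server, array $trusted_proxies) {
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;   // TLS terminated on this host, nothing to infer
    }
    $from_proxy = isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trusted_proxies, true);
    if ($from_proxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        // The header can carry a comma-separated chain; the first entry is the client-facing hop.
        $hops  = explode(',', $server['HTTP_X_FORWARDED_PROTO']);
        $proto = strtolower(trim($hops[0]));
        return $proto === 'https';
    }
    return false;   // header from an untrusted source is ignored
}

if (site_is_https_request($_SERVER, TRUSTED_PROXIES)) {
    $_SERVER['HTTPS'] = 'on';   // this is what WordPress's is_ssl() inspects
}
```

The same trust rule has to be mirrored on the Apache side if the .htaccess redirect from step 3 is kept: a `RewriteCond %{HTTP:X-Forwarded-Proto} !https` in place of the `SERVER_PORT` test is the usual change, again only when Apache is reachable solely through the proxy.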