08 Sep 2016
Dreamhost has been a great host for many years, but there are other options
for hosting a plain blog like this one these days, which makes paying ~$50 for
two years' hosting start to feel like too much. So I finally converted to a
jekyll+github-pages solution and use a free plan from CloudFlare to front the
blog with HTTPS. In order to do its job, CloudFlare also becomes the
authoritative DNS server for my domain.
CloudFlare for this site now runs in Full SSL mode, which means TLS is used
between visitors and the CloudFlare CDN, as well as between CloudFlare and
github-pages. In Full mode CloudFlare does not validate the origin's
certificate, so that second hop is encrypted but not authenticated.
I cannot run Full (strict) mode, which would have CloudFlare validate its
connection to github-pages against a trusted certificate issued for my domain,
because github-pages only serves HTTPS with a certificate for
github.com/github.io.
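To see for yourself which mode an origin can support, the check below does what Full (strict) does: it requires the origin's chain to validate against the system CA store and then matches the site's hostname against the certificate's subjectAltName entries. This is an added example (not CloudFlare's or GitHub's code); the origin host and site name on the command line are placeholders, and the network call is only made when you run it yourself. The name matching follows the usual single-label wildcard rule, so `*.github.io` covers `user.github.io` but not the custom domain in front of it.

```python
"""Would this origin pass CloudFlare Full (strict) validation?
Added example; stdlib only. Usage: python check_origin.py username.github.io blog.example.com"""
import socket
import ssl
import sys


def hostname_in_sans(hostname: str, sans) -> bool:
    """RFC 6125-style match: exact (case-insensitive) or a single-label wildcard
    such as '*.github.io' (matches user.github.io, not a.b.github.io)."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            head, sep, tail = host.partition(".")
            if sep and head and "." + tail == san[1:]:
                return True
    return False


def strict_mode_verdict(origin_host: str, site_name: str, port: int = 443) -> dict:
    """Connect to the origin with SNI = site name (what CloudFlare sends), require a
    chain trusted by the local CA store, and report whether the SANs cover the site.
    Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False              # name check is done below so the SANs can be reported
    ctx.verify_mode = ssl.CERT_REQUIRED     # chain must still be trusted, as in Full (strict)
    try:
        with socket.create_connection((origin_host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=site_name) as tls:
                cert = tls.getpeercert()    # populated only because the chain verified
    except OSError as err:                  # ssl.SSLCertVerificationError is an OSError
        return {"chain_trusted": False, "name_matches": False, "sans": [], "error": str(err)}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"chain_trusted": True, "name_matches": hostname_in_sans(site_name, sans),
            "sans": sans, "error": None}


if __name__ == "__main__":
    origin, site = sys.argv[1], sys.argv[2]
    verdict = strict_mode_verdict(origin, site)
    if verdict["chain_trusted"] and verdict["name_matches"]:
        print("Full (strict) would work; SANs:", verdict["sans"])
    elif verdict["chain_trusted"]:
        print("Full only: trusted chain but no SAN for", site, "; SANs:", verdict["sans"])
    else:
        print("Full only: chain not trusted:", verdict["error"])
```

A GitHub Pages origin answers with a publicly trusted certificate whose SANs are `github.com` and `*.github.io`, so the script reports a trusted chain but no name match, which is exactly why only Full mode is available here.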
16 Mar 2016
Thanks to Dreamhost and
Let's Encrypt, this WordPress site is now served
over HTTPS only.
Switching to HTTPS with Dreamhost and Let's Encrypt was pretty
straightforward and took about an hour at most, thanks to the nice guide
by
Aaron.
I didn't run into some of the PHP trouble described there; it may well be
that Dreamhost has updated the default PHP configuration for hosted
sites.
The procedure I took was:
- Update WordPress and all plugins to the latest versions.
- Back up your database.
- Enable "Secure Hosting" on the Dreamhost panel.
- Put an .htaccess in place with the excellent permanent redirect from http to
https by Aaron:
<IfModule mod_rewrite.c>
# enable Rewrite
RewriteEngine On
# make sure not already HTTPS
RewriteCond %{HTTPS} !=on
# redirect from original to same location using HTTPS
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</IfModule>
- Clean up the database by rewriting all local references to use HTTPS, using
the SQL presented by Aaron (replace domainname with your own):
UPDATE wp_comments SET comment_author_url = replace(comment_author_url, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_comments SET comment_content = replace(comment_content, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_options SET option_value = replace(option_value, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_postmeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_posts SET post_content = replace(post_content, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_posts SET guid = replace(guid, 'http://domainname.com', 'https://domainname.com');
UPDATE wp_sitemeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
- If possible, update external references to use HTTPS as well (e.g., serve
Google Fonts over HTTPS rather than HTTP); otherwise browsers flag the page
as mixed content.
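One caveat on the SQL step: wp_options and wp_postmeta hold PHP-serialized values (widget, theme and plugin settings) of the form `s:21:"http://domainname.com";`, where the number is the byte length of the string. A blanket SQL replace() changes the URL but not the length prefix, PHP's unserialize() then rejects the value, and those settings silently revert to defaults. wp-cli's `search-replace` command fixes the lengths as it goes; the function below, written here as an added example (not from Aaron's guide or WordPress), does the same with the standard library, so you can run it over the rows instead of the plain UPDATE. Also note that wp_sitemeta only exists on multisite installs, so that UPDATE errors harmlessly on a single site. The DB helper assumes a DB-API driver with `%s` placeholders (PyMySQL or MySQLdb), and the sample values in the usage block are constructed.

```python
"""Serialization-aware http -> https rewrite for WordPress column values.
Added example; stdlib only. Run the rewrite over the same tables/columns as the
UPDATE statements above, but through a DB-API cursor."""
import re

OLD = b"http://domainname.com"
NEW = b"https://domainname.com"

_SER_STR = re.compile(rb's:(\d+):"')          # start of a PHP-serialized string


def rewrite_value(value: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """Replace old -> new and fix the length prefix of every serialized string
    (s:N:"...";) the replacement touches. Text that is not serialized gets a plain replace."""
    out = bytearray()
    pos = 0
    while True:
        m = _SER_STR.search(value, pos)
        if m is None:
            out += value[pos:].replace(old, new)
            return bytes(out)
        out += value[pos:m.start()].replace(old, new)
        n = int(m.group(1))
        start, end = m.end(), m.end() + n
        if value[end:end + 2] != b'";':
            # an 's:N:"' not followed by exactly N bytes and '";' is ordinary text
            out += m.group(0)
            pos = m.end()
            continue
        inner = rewrite_value(value[start:end], old, new)   # also fixes double-serialized data
        out += b's:%d:"%s";' % (len(inner), inner)
        pos = end + 2


def rewrite_column(cursor, table: str, pk: str, col: str, old: bytes = OLD, new: bytes = NEW) -> int:
    """Rewrite one column row by row; returns the number of rows updated.
    table/pk/col come from the caller's own constants, never from user input."""
    cursor.execute(f"SELECT {pk}, {col} FROM {table} WHERE {col} LIKE %s",
                   ("%" + old.decode() + "%",))
    changed = 0
    for key, val in cursor.fetchall():
        raw = val.encode() if isinstance(val, str) else val
        fixed = rewrite_value(raw, old, new)
        if fixed != raw:
            cursor.execute(f"UPDATE {table} SET {col} = %s WHERE {pk} = %s", (fixed, key))
            changed += 1
    return changed


if __name__ == "__main__":
    # constructed sample: a widget setting as stored in wp_options.option_value
    sample = b'a:1:{s:3:"url";s:21:"http://domainname.com";}'
    print("naive  :", sample.replace(OLD, NEW).decode())     # length 21 is now wrong
    print("correct:", rewrite_value(sample).decode())        # length becomes 22
    # real run (driver assumed): for table, pk, col in (("wp_options", "option_id", "option_value"),
    #     ("wp_postmeta", "meta_id", "meta_value"), ("wp_posts", "ID", "post_content")): rewrite_column(cur, table, pk, col)
```

Take a backup first regardless; the row-by-row UPDATE is easy to re-run but not to undo.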
23 Oct 2015
From Convert keys between GnuPG, OpenSsh and
OpenSSL:
OpenSSL to OpenSSH
The private key format is the same between OpenSSL and OpenSSH, so you just
have to rename your OpenSSL key:
In OpenSSL, there is no specific file for the public key (public keys are
generally embedded in certificates). However, you can extract the public key
from the private key file:
ssh-keygen -y -f myid.key > id_rsa.pub
[Update] Also, converting an OpenSSH private key into a self-signed X.509
certificate in .pem format, which is the format required by Microsoft Azure
VMs:
openssl req -x509 -key ~/.ssh/id_rsa -nodes -days 365 -newkey rsa:2048 -out myCert.pem
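The reason the rename works is that both tools read the same PKCS#1 DER structure inside a `BEGIN RSA PRIVATE KEY` PEM block, and the public key is nothing more than the (e, n) pair at the start of it. The script below, an added example rather than code from the linked article or from OpenSSH, reproduces what `ssh-keygen -y` does with the standard library, so you can confirm that an `id_rsa.pub` or an Azure certificate really belongs to the key you converted. One caveat for current systems: since OpenSSH 7.8 `ssh-keygen` writes a `BEGIN OPENSSH PRIVATE KEY` block by default, which OpenSSL cannot read; `ssh-keygen -p -m PEM -f ~/.ssh/id_rsa` rewrites it in the PEM format used here. The embedded sample key uses textbook numbers (n = 3233) and is constructed only to exercise the parser.

```python
"""Derive the OpenSSH public-key line (what `ssh-keygen -y` prints) from a PEM
PKCS#1 RSA private key. Added example; stdlib only.
Usage: python pem2ssh.py ~/.ssh/id_rsa   (no argument: uses the toy key)"""
import base64
import re
import struct
import sys

_PEM = re.compile(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)


def pem_to_der(pem: str) -> bytes:
    m = _PEM.search(pem)
    if not m:   # 'BEGIN OPENSSH PRIVATE KEY' is a different format; ssh-keygen -p -m PEM converts it
        raise ValueError("not a PKCS#1 'RSA PRIVATE KEY' PEM block")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(der: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, der[pos:pos + length], pos + length


def rsa_public_numbers(der: bytes):
    """(e, n) from RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while len(ints) < 3:                    # only version, n and e are needed
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big"))
    _version, n, e = ints
    return e, n


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:                   # mpint is signed: keep the top bit clear
        b = b"\x00" + b
    return _ssh_string(b)


def ssh_public_line(e: int, n: int, comment: str = "") -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return f"{line} {comment}" if comment else line


def pem_to_ssh_public(pem: str, comment: str = "") -> str:
    e, n = rsa_public_numbers(pem_to_der(pem))
    return ssh_public_line(e, n, comment)


# --- constructed sample key: textbook RSA numbers, NOT a usable key ---------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(x: int) -> bytes:
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")    # extra byte keeps the value positive
    return b"\x02" + _der_len(len(b)) + b


def _der_seq(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body


# version 0, n = 61*53 = 3233, e = 17, d = 2753, p = 61, q = 53, dP = 53, dQ = 49, qInv = 38
TOY_DER = _der_seq(*(_der_int(x) for x in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(TOY_DER).decode()
           + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else TOY_PEM
    print(pem_to_ssh_public(pem))
```

Compare the printed line with `ssh-keygen -y -f myid.key` on the same file; they are identical up to the trailing comment.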
16 Oct 2015
From Protecting Your WordPress Blog From XML-RPC Brute Force Amplification
Attacks:
To summarize, attackers are taking advantage of a vulnerability in
WordPress’s XML-RPC system.multicall method which effectively allows them to
issue hundreds of login attempts with a single request. To put it another
way, this is an extreme case of brute forcing logins in an attempt to
determine your administrative user credentials.
Validate the change as suggested in a comment on the above link (XML-RPC
should now report as disabled):
You can check if XML-RPC is enabled on your site with this tool
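Two checks worth having in hand here, both as added examples (not code from the linked Sucuri post or from WordPress): a small inspector that recognises the amplification pattern in a request body, which is the logic a WAF rule or log review needs (any multicall carrying credentialed wp./blogger./metaWeblog./mt. calls, or more than an assumed ten calls, is flagged), and a probe that asks `/xmlrpc.php` for `system.listMethods` to confirm the endpoint is really off. The sample multicall body is constructed locally to exercise the inspector and is never sent anywhere; the method-name prefixes and the threshold are assumptions, not WordPress settings.

```python
"""Detect XML-RPC system.multicall brute-force amplification in a request body,
and probe a site for whether XML-RPC is still enabled. Added example; stdlib only."""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# Method families that take username/password: inside a multicall each one is a login attempt.
CREDENTIAL_PREFIXES = ("wp.", "blogger.", "metaWeblog.", "mt.")   # assumption
MAX_CALLS = 10                                                     # assumed threshold


def request_body(method: str, *params) -> str:
    """Build a single XML-RPC request body (used for the samples below)."""
    return xmlrpc.client.dumps(params, methodname=method)


def sample_multicall(n: int, user: str = "admin") -> str:
    """Constructed body of the shape the attack uses: n wp.getUsersBlogs calls,
    each with a different password guess, bundled into one POST."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [user, f"guess{i}"]} for i in range(n)]
    return request_body("system.multicall", calls)


def inspect_xmlrpc_body(body) -> dict:
    """Return the method, number of nested calls, how many of them carry
    credentials, and whether the request looks like brute-force amplification."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, TypeError, ValueError) as err:
        return {"method": None, "calls": 0, "login_attempts": 0, "suspicious": True,
                "error": f"unparseable XML-RPC body: {err}"}
    if method != "system.multicall":
        return {"method": method, "calls": 1, "login_attempts": 0, "suspicious": False, "error": None}
    calls = params[0] if params and isinstance(params[0], list) else []
    attempts = sum(1 for c in calls
                   if isinstance(c, dict) and str(c.get("methodName", "")).startswith(CREDENTIAL_PREFIXES))
    return {"method": method, "calls": len(calls), "login_attempts": attempts,
            "suspicious": attempts > 0 or len(calls) > MAX_CALLS, "error": None}


def xmlrpc_status(site_url: str) -> str:
    """Network check: call system.listMethods on <site>/xmlrpc.php. A blocked or
    disabled endpoint answers with an HTTP error, a fault or a non-XML page."""
    proxy = xmlrpc.client.ServerProxy(site_url.rstrip("/") + "/xmlrpc.php")
    try:
        methods = proxy.system.listMethods()
    except (xmlrpc.client.Error, ExpatError, OSError):
        return "disabled"
    return "multicall enabled" if "system.multicall" in methods else "enabled, multicall absent"


if __name__ == "__main__":
    import sys
    print(inspect_xmlrpc_body(sample_multicall(3)))
    if len(sys.argv) > 1:                       # e.g. https://blog.example.com
        print(sys.argv[1], "->", xmlrpc_status(sys.argv[1]))
```

The inspector is deliberately strict about unparseable bodies: a request to xmlrpc.php that is not well-formed XML-RPC is itself worth a look.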