Switched to jekyll and CloudFlare

Dreamhost has been a great host for many years, but these days there are other options for hosting a plain blog like this one, which makes paying out ~$50 for two years’ hosting start to feel like too much.

So I finally converted to a jekyll+github-pages setup and use a free plan from CloudFlare to front the blog with HTTPS. In order to do its job, CloudFlare also becomes the DNS server for my domain.

CloudFlare for this site now runs in Full SSL mode, which means SSL is run between visitors and CloudFlare CDN, as well as between CloudFlare and github-pages.

I cannot run Full (strict) mode, which would have CloudFlare validate its connection to github-pages against a server certificate valid for my domain, because github-pages only serves HTTPS with a certificate for github.com/github.io.

Switched to HTTPS/TLS

Thanks to Dreamhost and Let’s Encrypt, this WordPress site is now serving over HTTPS only.

Switching to HTTPS with Dreamhost and Let’s Encrypt was pretty straightforward and took about an hour at most, thanks to the nice guide by Aaron. I didn’t see some of the trouble with PHP; it might well be the case that Dreamhost has updated their default PHP configuration for hosted sites.

The procedure I took was:

  1. Update WordPress and all plugins to the latest versions.
  2. Back up your database.
  3. Enable “Secure Hosting” on the Dreamhost Panel.
  4. Put in place an .htaccess with the excellent permanent redirect from http to https by Aaron:

     <IfModule mod_rewrite.c>
     # enable Rewrite
     RewriteEngine On
     # make sure not already HTTPS
     RewriteCond %{HTTPS} !=on
     # redirect from original to same location using HTTPS
     RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
     </IfModule>
  5. Clean up the database by replacing all local references so they use HTTPS, using the SQL presented by Aaron (replace domainname with your own):

     UPDATE wp_comments SET comment_author_url = replace(comment_author_url, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_comments SET comment_content = replace(comment_content, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_options SET option_value = replace(option_value, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_postmeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_posts SET post_content = replace(post_content, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_posts SET guid = replace(guid, 'http://domainname.com', 'https://domainname.com');
     UPDATE wp_sitemeta SET meta_value = replace(meta_value, 'http://domainname.com', 'https://domainname.com');
  6. If possible, update external references to HTTPS as well (e.g., loading Google Fonts over HTTPS rather than plain HTTP).
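
One caveat on step 5 worth checking before running those UPDATEs: wp_options and wp_postmeta also hold PHP-serialized values (widget settings, theme mods), in which every string carries its byte length (s:21:"..."), so a plain SQL replace() that turns http:// into https:// leaves that length one byte short and PHP's unserialize() then rejects the whole value. The following Python is added here as an illustration and is not part of the original post or Aaron's guide; it rewrites a cell value while recomputing those lengths and can check whether a value is still consistent (the domain and sample rows are constructed placeholders).

```python
import re

# Constructed placeholder domain, matching the page's SQL; substitute your own.
OLD = b"http://domainname.com"
NEW = b"https://domainname.com"

# Header of a PHP-serialized string: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')

def _scan(value: bytes):
    """Walk value left to right, yielding (start, end, body, ok) per s:N:" header.
    ok means the N-byte body really is followed by '";', which is the check
    PHP's unserialize() makes; an accepted body is skipped so that a header
    that merely appears inside it is not parsed as a token."""
    pos = 0
    while True:
        m = _STR_HEADER.search(value, pos)
        if not m:
            return
        n, start = int(m.group(1)), m.end()
        tail = start + n
        ok = value[tail:tail + 2] == b'";'
        pos = tail + 2 if ok else start
        yield m.start(), pos, value[start:tail], ok

def serialized_lengths_ok(value: bytes) -> bool:
    """False when some s:N: length no longer matches its string (unserialize() would fail)."""
    return all(ok for *_, ok in _scan(value))

def replace_serialized(value: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """Replace old with new inside every serialized string and recompute its byte length."""
    out, pos = bytearray(), 0
    for start, end, body, ok in _scan(value):
        if ok:
            body = body.replace(old, new)
            out += value[pos:start] + b's:%d:"%s";' % (len(body), body)
            pos = end
    out += value[pos:]
    return bytes(out)

def fix_value(column_value: str) -> str:
    """Rewrite one option_value / meta_value cell: serialized blobs get the
    length-aware replacement, plain strings the ordinary one (what the SQL does)."""
    raw = column_value.encode()
    if raw.startswith((b"a:", b"O:", b"s:")):  # serialize() output for array/object/string
        return replace_serialized(raw).decode()
    return raw.replace(OLD, NEW).decode()
```

Running serialized_lengths_ok over the affected columns after the migration is a quick way to find rows the plain SQL broke.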

Link: Defensive Bash Programming (2012)

Simple principles nicely put together:


Link: Convert keys between GnuPG, OpenSsh and OpenSSL

From Convert keys between GnuPG, OpenSsh and OpenSSL:

OpenSSL to OpenSSH

The private key format is the same between OpenSSL and OpenSSH, so you just have to rename your OpenSSL key:

  cp myid.key id_rsa

In OpenSSL, there is no specific file for the public key (public keys are generally embedded in certificates). However, you can extract the public key from the private key file:

  ssh-keygen -y -f myid.key > id_rsa.pub

[Update] Also, converting an OpenSSH private key to a .pem file in X.509 format (a self-signed certificate built from the existing key), which is the format required by Microsoft Azure VMs:

  openssl req -x509 -key ~/.ssh/id_rsa -nodes -days 365 -newkey rsa:2048 -out myCert.pem

Link: Protecting Your WordPress Blog From XML-RPC Brute Force Amplification Attacks

From Protecting Your WordPress Blog From XML-RPC Brute Force Amplification Attacks:

To summarize, attackers are taking advantage of a vulnerability in WordPress’s XML-RPC system.multicall method which effectively allows them to issue hundreds of login attempts with a single request. To put it another way, this is an extreme case of brute forcing logins in an attempt to determine your administrative user credentials.

Validate the change as suggested in a comment on the above link (XML-RPC should be disabled):

You can check if XML-RPC is enabled on your site with this tool.

Contents on this site are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.