Categories
hosting internet microsoft programming software

how to host a serverless static website on azure

For my little gfpg project I wanted to put a simple static website online without having to set up and maintain a web server. I read about going serverless with a static site using S3 on AWS, but I wanted to try that on Azure instead. BLOB storage seemed the obvious alternative to S3, but it took some searching around and finding the right documentation on MSDN to get it all up and running.

If you’re on a similar quest to publish some static content to Azure BLOB storage as a serverless website, this short guide will help you along.

  1. First of all we need to create an Azure BLOB storage account for the site. The most important part is to choose a general-purpose v2 Standard storage account as the account kind. This is the only type that supports hosting a static website. Guess who didn’t do that.
  2. Next thing is to enable static hosting of your files. This will create a $web folder in your storage account, which will be the root folder of your website. It’s that simple.
  3. Copy your files into the $web folder using the Storage explorer blade in the Storage account menu, or the Storage explorer app. You can already test your site using the Azure endpoint.
The Storage explorer is a quick and easy way to upload and manage your files in the BLOB storage account.

You can stop here if this is a personal project and you don’t need HTTPS support or a custom domain. In my case, I did want to go all the way, so here’s how to get that working as well.

  1. Get a domain name. Make it sassy ;). Make sure your domain registrar allows you to edit the CNAME records for your domain. This is pretty standard, but not all cheap web hosters allow this and you need it later on to hook up your domain to Azure.
  2. Set up an Azure CDN endpoint for your static site. I picked the Microsoft CDN option which is the most basic one, so you don’t need any accounts with a third party CDN provider.
  3. Now you can map your custom domain to your Azure CDN endpoint using a CNAME record.
  4. Create an HTTPS certificate for your site on Azure with just a few clicks. I was afraid this was going to be hard but it’s so damn easy it’s beautiful. There really is no excuse anymore to let your site just sit there on HTTP these days.
  5. Last thing to do is set up some caching rules for the CDN. We don’t want to be hitting the “slow” BLOB storage all the time; we want requests served from the faster CDN instead. Depending on the option you chose for the CDN this will differ, but if you picked the Microsoft one you have to use the Standard rules engine to set your caching rules. If you picked Akamai or Verizon, you can use CDN caching rules instead.
    For a simple setup on the Microsoft CDN, go to the CDN settings Rules engine page, and set a global cache expiration rule to override and an expiration you like.
    After a few minutes you’ll see the cache header appear in your HTTP requests.
  6. Here you can also create a rule to redirect HTTP traffic to HTTPS, so people don’t accidentally hit the insecure version.
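To confirm steps 5 and 6 took effect, the following added example (not part of the original post) checks that plain HTTP redirects to HTTPS on the same host and that a cache lifetime is being sent. It assumes the cache header in question is `Cache-Control` with `max-age`; the function names are made up for this sketch.

```python
import http.client
import re
from urllib.parse import urlsplit

def fetch(url, timeout=10):
    """GET without following redirects; returns (status, lower-cased headers)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

def redirect_problems(status, headers, host):
    """Check the plain-HTTP answer: it must redirect to https:// on the same host."""
    if status not in (301, 302, 307, 308):
        return [f"http://{host}/ answered {status} instead of redirecting"]
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        return [f"redirect target is not HTTPS: {headers.get('location')!r}"]
    if (target.hostname or "") != host.lower():
        return [f"redirect leaves the site: {target.hostname}"]
    return []

def cache_max_age(headers):
    """max-age in seconds from Cache-Control (assumed header), or None if absent."""
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return None
    m = re.search(r"max-age=(\d+)", cc)
    return int(m.group(1)) if m else None

def audit(host):
    """Run both checks against a live site; returns a list of problems."""
    status, headers = fetch(f"http://{host}/")
    problems = redirect_problems(status, headers, host)
    _, headers = fetch(f"https://{host}/")
    if cache_max_age(headers) is None:
        problems.append("no Cache-Control max-age on the HTTPS response")
    return problems

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]) or "redirect and cache header look right")
```

Run it with your custom domain as the only argument, a few minutes after saving the rules.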

One more tip on the CDN. You can also purge the CDN cache after you’ve pushed an update to your site to apply the changes, before your CDN cache expires. This is handy if you’ve set a rather big expiration time, because you don’t expect the site to change very often.

From the CDN account, you can purge content on a specific path, or everything at once.

Categories
geek hosting internet security wordpress

how to secure your wordpress blog

Carcassonne castle wall

WordPress is popular and as it goes with all kinds of popular software, it becomes a target for hackers trying to take over and use your site to send spam into the world, or just cause some other kind of mayhem.

To protect yourself from this kind of trouble, there are a few things you can do to prevent bad things from happening to your precious WordPress site.

  1. First, keep your WP software up-to-date. There are usually some security fixes in there and you do want to have those live on your public facing site. Hackers know what the vulnerabilities are in old WP versions and scan the internet automatically for unpatched sites. Don’t become an easy target by not having the latest version of WP installed. The latest version of WP (v3.7.1) is able to do security updates itself which is awesome. Be sure to check if your site supports this and activate it if it does.
  2. Keep your plugins up-to-date as well for the very same reason. Old plugins can offer a way in for hackers, and we don’t want that to happen.
  3. Delete (old) plugins you don’t use anymore, or replace them with newer ones. JetPack has a lot on board out of the box now so you can probably ditch a few old plugins. The fewer plugins you have, the fewer possible vulnerabilities your site has.
  4. Take regular backups. In case something goes wrong, you can at least restore a version you know isn’t compromised.
  5. Harden your WP site by configuring your .htaccess file if your site runs on an Apache web server. It’s explained nicely how to do that in the link. It can prevent hackers that do get access through a bad plugin from doing any more damage to the rest of your site.
  6. Use a long, hard to guess and preferably random password for your admin account. Using a different admin user is also a good idea. Brute force login attempts are made against the default “admin” user, so if that one has a long random password you’re pretty safe there. You can use something easier to remember for an alternative admin account if you want, but I recommend you to use something like KeePass to manage long & hard to guess passwords anyway.

Here are some plugins that can help with these tips:

  • WordFence scans your site for possible vulnerabilities by checking your installed WP and plugin files with the ones from the official releases. It also helps with the first 2 tips by warning you by email if a plugin or WP itself needs an update. Quite handy.
  • All In One WordPress security & Firewall plugin scans your site settings for security vulnerabilities and helps you get rid of them. It also has a firewall built in.
  • WP security audit log won’t prevent anything, but it keeps track of logins, updates of plugins etc, so that if something weird happens, you can use it to figure out the “when” and “what”.
  • A backup plugin. There are plenty and you should pick one that fits your needs. I’ve used BackUpWordPress for a DB backup only, but it can also back up the files. It emails you with either the zipped backup or a link to download it if it’s too big to stuff in the email. Another good option is UpdraftPlus which can back up your files & DB to remote storage like Google Drive or Dropbox a.o. Your hoster might also have a full backup feature, which is usually the best option anyway as it will back up more than just your WP site.
  • BruteProtect protects (as it says) against brute force login attempts, a problem a lot of WP blogs had to deal with lately. Next to that you should of course make sure you have a complex password for your admin account.
  • Bad Behavior is mainly a tool to combat spam, but since it scans for incoming malicious requests it can also block the occasional bot looking for vulnerable sites.

For a more extensive guide to securing your WordPress site, also check out this Bloggers Guide to WordPress Security. It’s long and full of great tips and guides covering a wide range of security practices like how to combat spam, CAPTCHAs and setting up HTTPS.

Categories
geek google hosting internet security wordpress

guess who got hacked

Night Work

Let me tell you about that time my site got hacked.

Once upon a time I received this email from Google. Now when Google emails you, you usually pay attention, even if it’s a bot. Those guys know their stuff.
The email told me that my site was possibly hacked because it was suddenly feeding spam when the Google bot was passing by.
The reason why I got this email is because I use the free web master tools from the G btw. That way they know my site has behaved nicely over the years, and when it suddenly started spewing spam, they knew something bad was up.

The scary part is that this only happened when Googlebot was munching my pages. Not when I or any other human passed by with a browser. So in other words, I didn’t have a clue.
Because it was quite the mystery, I checked my web folder and found a few suspicious files and folders in there. Suspicious, because I never put them there.

I found a folder named “coockies“, an unknown common.php, session.php and coockies.txt file. My .htaccess file was also changed. All php files and the .htaccess had the same timestamp. I compared my complete WP installation with the original installation files to be sure no other files were modified, which turned out to be the case.
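The two checks from this paragraph, comparing the live installation against a clean copy of the same release and looking for files that share the suspicious timestamp, can be scripted. This is an added example, not code from the original post, and it is also the kind of check a scanner that compares installed files with the official release performs; the function names and the 60-second window are assumptions.

```python
import hashlib
import os

def tree_hashes(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_install(live_root, reference_root):
    """Diff a live WordPress tree against a clean copy of the same release."""
    live, ref = tree_hashes(live_root), tree_hashes(reference_root)
    return {
        "added": sorted(set(live) - set(ref)),
        "modified": sorted(f for f in live.keys() & ref.keys()
                           if live[f] != ref[f]),
        "missing": sorted(set(ref) - set(live)),
    }

def touched_together(root, suspect, window=60):
    """Files whose mtime is within `window` seconds (assumed value) of suspect's."""
    t0 = os.path.getmtime(os.path.join(root, suspect))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if abs(os.path.getmtime(full) - t0) <= window:
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    live_dir, clean_dir = sys.argv[1], sys.argv[2]
    for kind, paths in compare_install(live_dir, clean_dir).items():
        print(kind, *paths, sep="\n  ")
```

Expect legitimate entries under "added" (uploads, wp-config.php, themes, plugins, your own .htaccess); the point is to review that list, then feed anything unexpected to `touched_together` to find what else changed at the same moment.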

The folder seemed to contain files with file names resembling URIs of my blog posts. The content was unreadable and appeared garbage. I’m guessing it was an encoded version of the spam my site was feeding Google.

At first I thought my WP blog was hacked, but the entry point was simply the modified .htaccess file. It contained a few new rewrite rules which checked the user agent of the incoming request, and if that matched any of the major crawlers, it would redirect to the new php files, which would feed the spammy content.
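A small scanner can flag this pattern, a rewrite rule that only fires for crawler user agents. The following is an added example, not from the original post: the sample .htaccess is constructed for the demonstration (the actual rules were not published here), and the crawler list is an assumption to extend as needed.

```python
import re

# Crawler name fragments a cloaking rule tends to key on (assumed list).
CRAWLERS = ("googlebot", "bingbot", "slurp", "yandex", "baiduspider")

UA_COND = re.compile(r"(?i)^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)")

def find_cloaking_rules(htaccess_text):
    """Return (line_no, condition, rule) for every RewriteRule that is
    guarded by a RewriteCond matching crawler user agents."""
    findings = []
    pending = []  # RewriteCond lines waiting for the RewriteRule they guard
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            pending.append(line)
        elif directive == "rewriterule":
            for cond in pending:
                m = UA_COND.match(cond)
                if m and any(c in m.group(1).lower() for c in CRAWLERS):
                    findings.append((no, cond, line))
                    break
            pending = []  # conditions only apply to the next RewriteRule
    return findings

# Constructed sample: the stock WordPress block followed by an injected rule.
SAMPLE = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]
RewriteRule ^(.*)$ /common.php?p=$1 [L]
"""

if __name__ == "__main__":
    for no, cond, rule in find_cloaking_rules(SAMPLE):
        print(f"line {no}: {rule}\n    guarded by: {cond}")
```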

Cleaning up turned out to be rather easy.
I deleted all the new files, restored my old .htaccess file (hurrah for backups) and changed my site passwords just to be sure.

The fishy thing about all this is that I’m still not sure how these files got on my system (hence the password changes). The timestamp on the files seemed to point to the moment I last ran a WP and plugin update on my site. Maybe it was pulled in with a compromised plugin, but there is no way to tell which one it could have been. Another option is a compromised FTP account, but that password was already random before I changed it so that seems unlikely. I still changed it to a random and longer one to be sure.

I also took some extra defensive measures to try to avoid this kind of hack in the future, but that’s for another post.

Photo by Thomas Heylen, cc-licensed.

Categories
geek hosting internet privacy

posting content anonymously

Heroes : M

One of the cool things emerging from the gazillion web 2.0 sites that popped up like zits on an unfortunate teen’s face are websites where you can publish your stuff without creating accounts or registering in any way. Anonymous so to speak.

Posting a quick snapshot online? Want to share a snippet of code? A collaborative manuscript? A mini-wiki for a short-lived purpose? There’s plenty of sites that offer these kinds of functions without having to register. You can sign up if you really really want to in most cases, like if you want to claim, edit or delete things afterwards. But sometimes, that stuff is just overkill and maybe you just want to slap it online in a hurry or without any ties to your persona.

Here’s some good anon-services I found:

  • imgur.com: image sharing. Quick & easy. Keeps the pics as long as they are used for a fixed period of time. If not, they are deleted. Allows you to upload an image straight from a URL, which is damn handy if you want to avoid hotlinking pics from other sites.
  • bayimg.com, hosted by the lads from The Pirate Bay. Arrr! Free speech and all, upload anything (except pr0n that is).
  • pastebay.net, another one from The Pirate Bay lads. It’s like pastebin.com, but I’m sure more anonymous and certainly uncensored. Features are syntax highlighting for code and you can create your own sub-domain if you want to separate your snippets from others.
  • pastebin.com: I bet you’ve seen this one before. Paste text/code in an online notepad, allowing comments. Great for easy & quick copy-paste sharing.
  • pastehtml.com: the same as the above, except that this one takes HTML code and saves it as a working page on the site. It’s like free and ad-hoc web hosting. Pretty darn cool. Keeps the pages forever (or as long as the hosting is paid for) according to the FAQ. Needs a Facebook account if you want to claim pages. Sort of a big minus.
  • wrttn.in: notepad/publishing tool. Create and publish text with or without markup, embed images, videos etc. Very minimal in style, but that’s just what makes it look good. All this without branding or ads. Sounds cool doesn’t it?
  • shrib.com is another notepad service. Simple and URL based. Share your notes, back em up, keep them private.
  • Last one for the minimalistic notepad shizzle is notepad.cc. Very clean and simple layout. Makes it all about just jotting down those notes. There’s always Google if you’re looking for even more of those type of notepad services.
  • piratepad.net : online collaborative Etherpad site. Allows for anonymous online collaborative text editing with a built in chat function. There’s more Etherpad hosts out there since it’s open source software. So if you want, you can even host your own. Oh yeah, and Arrrrr!!! of course. I almost forgot.
  • jottit.com : create a wiki, just like that. Anyone can edit, unless you claim it with a password. Sweet for mini sites and all!

A note on the use of “anonymous” here though. If you truly want to keep your identity hidden you might want to take additional measures rather than simply trusting the above websites to keep your identity safe. Using a web browser to connect to any web site will give that site data about your browser, machine and geographical location. To shield this information and protect your online identity you should look into using an anonymizer like Tor.

Categories
blog hosting internet wordpress

10 reasons why wordpress kicks ass

Chapas WordPress
  1. 5 minute install. Seriously.
  2. Install a new theme for your blog from inside WP. No need to mess with FTP clients and uploading files and stuff. Easy peasy.
  3. Tons of free and open source themes to choose from.
  4. Plugins allow endless possibilities. Whatever you are looking for probably exists already. Facebook/twitter/whatever integration, fancy widgets, syntax highlighting for code, caching, Google site map generators, you name it.
  5. Install plugins without leaving your WP admin page. No geek skills required.
  6. Comes with an automated backup plugin. Backup your database and email it to yourself daily. Do this!
  7. Upgrade your WP installation with 2 clicks. Maybe 3 (didn’t actually count, but it’s just clicking).
  8. The layout is super-flexible. 1, 2, 3 columns? None? Make your site look less like a blog and very CMS-like? No problem. There are themes for all that.
  9. PHP & MySQL hosts are everywhere. You’ll have no trouble finding a host at all. If you don’t want to do your own hosting, you can always create your blog at wordpress.com.
  10. It’s Open Source and has a huge community. This means that WordPress will never die! *stabs and Amen break start here*

Photo by {El Gris}, cc-licensed.