Clickjacking – How to prevent it on WordPress sites


What is clickjacking?

In simple words, clickjacking (also called UI redress) means a user is tricked into clicking on, or typing into, a site other than the one they believe they are interacting with. The target site is loaded in an invisible or disguised frame on the attacker's page, and the clicks the user makes on the attacker's page are delivered to the framed site.

How can that be a problem from a security point of view? Here is an example.

An example of Clickjacking

Let's assume you own a website my_domain.com and you log in to it every day. If this site is not protected from clickjacking, an attacker can load it in an iframe on a page hosted on his own domain, some_domain_owned_by_hacker.com.

The attacker then makes the iframe transparent with CSS and positions it so that the buttons and links of your site sit exactly under the visible buttons of his own page. A click that appears to land on his page actually lands on the framed copy of your site. Note that a script on his page cannot read what you type into the frame, because the browser's same-origin policy isolates the framed document; what the attacker controls is where your clicks and keystrokes are delivered, not what they contain.

Through some means (a link in an e-mail, a comment, an advert) the attacker gets you to open this page. If you are already logged in to my_domain.com, the browser sends your session cookie with the framed request, so the frame shows your site with you logged in. The address bar shows only his domain, and your site is invisible inside the frame, so there is nothing on screen to make you suspicious.

Every click you make on his page is therefore a click on your own site, made with your own privileges.

You may feel that you always check the domain name before performing any transaction on a website, and more so if it is your own website. So would this still be a problem?

Remember that the attacker can target the other administrators of your site, and your ordinary users, who may not be as careful as you are.

Further to this

Let's assume you are already logged in to your website and the attacker tricks you into clicking a button on his page. Through the iframe and button overlapping described above, the attacker can perform an administrative action on your website on your behalf, such as deleting content or adding a user, just by tricking you into clicking on a link.

Solution to prevent clickjacking using X-Frame-Options

The solution is very simple: send the X-Frame-Options header from your site, which you can do by adding it to your .htaccess file.

With the value SAMEORIGIN the browser only renders the page inside a frame if the framing page comes from the same origin; otherwise it leaves the frame empty. The header is enforced by the browser, so it must be sent on every response. The newer Content-Security-Policy header with a frame-ancestors directive does the same job, can list specific allowed origins, and is what OWASP recommends alongside X-Frame-Options; sending both costs nothing.
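The following is an added example and not the snippet from the original post. It does two things: add_frame_protection appends the X-Frame-Options rule (and the equivalent Content-Security-Policy frame-ancestors rule) to a given .htaccess file, and frame_protection_status reads a set of HTTP response headers, as curl -sI prints them, and reports whether the response carries framing protection. The sample header blocks are constructed, not captured from a real server; the .htaccess path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post). Requires Apache's mod_headers for
# the .htaccess rule to take effect; the <IfModule> guard keeps the site up if
# the module is missing instead of producing a 500 error.

# add_frame_protection HTACCESS_PATH: append the framing rules to the file.
add_frame_protection() {
  cat >> "$1" <<'EOF'
<IfModule mod_headers.c>
  # Only pages from this same origin may frame us (understood by every browser)
  Header always set X-Frame-Options "SAMEORIGIN"
  # Same rule for browsers that support CSP; frame-ancestors takes precedence
  Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
EOF
}

# frame_protection_status: reads HTTP response headers on stdin and prints
# "protected" if X-Frame-Options is DENY or SAMEORIGIN, or if a CSP header
# contains frame-ancestors; otherwise prints "unprotected". ALLOW-FROM is
# ignored on purpose: current browsers do not honour it.
frame_protection_status() {
  tr -d '\r' | awk '
    tolower($1) == "x-frame-options:" {
      v = toupper($2); if (v == "DENY" || v == "SAMEORIGIN") ok = 1
    }
    tolower($1) == "content-security-policy:" && tolower($0) ~ /frame-ancestors/ { ok = 1 }
    END { print (ok ? "protected" : "unprotected") }'
}

# Constructed sample responses (not captured from a real server)
PROTECTED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
'
UNPROTECTED_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
'
```

To check a live site after editing .htaccess, pipe its headers in: curl -sI https://my_domain.com/wp-admin/ | frame_protection_status. Check a page that requires login as well as the front page, since the header has to be present on the admin pages that an attacker would want to frame.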


For more information see the OWASP page on Clickjacking.


How to automatically alert your users about events happening in their area

This is easy if you are already geocoding users' addresses (converting them to latitude and longitude) when they register on your website.

If you are not, you can go back and geocode the existing addresses once.

Now let's assume you have geocoded all the addresses and are storing them in a separate table as shown below

Table: user_lat_long

Now create a function to get users from the above table near a certain address (where the event is to be held). The usual way is the haversine formula: compute the great-circle distance between each stored point and the event's coordinates and keep the rows whose distance is within the radius.

Now just call the above function with 3 parameters as input:

  1. Radius => Defines the area within which you want to alert your users, e.g. 100 km
  2. Latitude => Latitude of the place where the event is to be held
  3. Longitude => Longitude of the place where the event is to be held
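The following is an added example, not the function from the original post. It implements the haversine lookup described above in shell and awk over a constructed copy of the user_lat_long table (assumed columns user_id, latitude, longitude; the four rows are made up). It also validates the three parameters before using them, which is the part to carry over if you build the query in SQL: radius, latitude and longitude typically arrive from a form and must be bound as numeric parameters, not concatenated into the statement.

```shell
#!/bin/sh
# Added example (not from the original post): users within RADIUS km of an event.

# Constructed stand-in for the user_lat_long table (user_id,latitude,longitude)
USER_LAT_LONG='user_id,latitude,longitude
1,51.5074,-0.1278
2,48.8566,2.3522
3,52.2053,0.1218
4,40.7128,-74.0060'

# is_number VALUE: accept only a plain decimal number, so that a value copied
# from a request cannot carry anything else into the program (or the query).
is_number() {
  printf '%s' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?$'
}

# users_near RADIUS_KM LAT LON: print "user_id distance_km" for every user
# within RADIUS_KM of (LAT, LON), nearest first. Returns 2 on bad input.
users_near() {
  radius=$1; lat=$2; lon=$3
  is_number "$radius" && is_number "$lat" && is_number "$lon" ||
    { echo "users_near: radius, latitude and longitude must be numbers" >&2; return 2; }
  printf '%s\n' "$USER_LAT_LONG" |
    awk -F, -v r="$radius" -v lat0="$lat" -v lon0="$lon" '
      function rad(deg) { return deg * 3.14159265358979 / 180 }
      NR > 1 {
        # haversine: a = sin^2(dlat/2) + cos(lat1) cos(lat2) sin^2(dlon/2)
        dlat = rad($2 - lat0); dlon = rad($3 - lon0)
        a = sin(dlat / 2) ^ 2 + cos(rad(lat0)) * cos(rad($2)) * sin(dlon / 2) ^ 2
        d = 2 * 6371 * atan2(sqrt(a), sqrt(1 - a))   # 6371 km = mean Earth radius
        if (d <= r) printf "%s %.1f\n", $1, d
      }' | sort -k2 -n
}
```

Example call: users_near 100 51.5 -0.12 lists users 1 and 3 (roughly 1 km and 80 km away) and leaves out users 2 and 4. In SQL the same expression goes into the WHERE clause, with the three values bound as parameters; for large tables add a bounding-box condition on latitude and longitude first so the index is used before the trigonometry runs.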


Shell script to backup database and send it to remote server automatically


This article explains how to create a database backup script that sends the backup to a remote server without any manual intervention. For disaster recovery, and so that a compromise or loss of the production server does not take the backups with it, it is important to keep copies of the database backup on a server outside your network.

The process of creating a backup script that sends its output to a remote server is not as complicated as many would think.

To make it simpler, let's divide the whole task into 3 sub-tasks:

  1. Create a backup file of your database.
  2. Authorize the origin server, i.e. your current server, to send files to the remote server (so that the remote server accepts the files only from a genuine source).
  3. Create a script that simply SCPs the files from the origin server to the remote server.

The above steps are mandatory. Additionally you may want to write a log file recording the status of every step, in case something goes wrong.

Now lets discuss each step in detail

Step 1: Create a backup file of your database

The backup file of your database can simply be a compressed SQL file. There are plenty of tools that automate this, but writing a script is also quite simple.

For those who want to script everything, here is a sample (assuming you have only one database)

The command (mysqldump) just creates a dump of the database in plain SQL format. Let's say db.sql.

The size of that file can be large, depending on your database, because it is uncompressed. So you may wish to change the command to output a gzip or bzip2 file.

GZip

bzip2

Note: Although bzip2 compresses better than gzip, it is several times slower. In our case the process runs unattended at night, so the extra time does not matter and either option is fine.

Step 2: Authorize the origin server to send the files to the remote server

As you would have guessed, this step avoids password prompts so that the process runs automatically without any manual intervention.

It involves only 2 steps

A. Create an SSH key on the origin server

Command: ssh-keygen

This creates a key pair in your ~/.ssh folder with the file name you give when prompted (a private key, and a public key with the .pub suffix).

When asked for a passphrase, leave it blank: the script will run from cron with nobody there to type it. Because the key is then unprotected, create a dedicated key for the backup job only, and restrict what it is allowed to do on the remote server (see step B below).

If you want to reuse your existing SSH key that works too, but it probably has a passphrase, which you can remove with the command below. A passphrase-less copy of your personal key is a bigger risk than a separate single-purpose key, so prefer creating one.

Command: ssh-keygen -p

This command first asks for the file of the key whose passphrase you want to change, then for the old passphrase, and then for the new one, which you leave blank.


B. Add the public key to the authorized_keys file on the remote server

This step is very simple. Copy the contents of the public key (e.g. id_rsa.pub) and paste them on a new line in the ~/.ssh/authorized_keys file of the receiving user on the remote server. The private key stays on the origin server and is never copied anywhere.

Note: Do not delete any content in this file. Just append the key on its own line. You can prefix the line with options such as restrict,from="ORIGIN_IP" (and a forced command= if you want to lock the key to the transfer only), so that the key works only from the origin server and cannot open port forwards, agent forwarding or a terminal.

Step 3: Create a script to simply SCP the files from the origin server to the remote server

The final step is very simple. Here we just copy the files from the origin server to the remote server using scp with the command below


Here the port number is that of the SSH daemon on the remote server receiving the files. The -P PORT_NUMBER option is only necessary if that daemon does not listen on the default port 22.
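The following is an added example that puts the three steps above into one script; it is not the original post's script. It dumps one MySQL database through gzip, refuses to ship a dump that is empty or corrupt, copies it with scp using a dedicated key, and logs each step. All names are assumptions: database my_db, a ~/.my.cnf holding the database password, remote login backup@203.0.113.10, remote directory /backups, key file ~/.ssh/db_backup_key and log /var/log/db-backup.log. The authorized_keys_line helper prints the line to append on the remote server for step 2B.

```shell
#!/bin/sh
# Added example (not from the original post): dump, verify, ship, log.
set -u

DB_NAME=my_db                      # assumed database name
BACKUP_DIR=/var/backups/db         # local staging directory
REMOTE=backup@203.0.113.10         # assumed remote login (TEST-NET address)
REMOTE_DIR=/backups
REMOTE_PORT=22
LOG=/var/log/db-backup.log
SSH_KEY=$HOME/.ssh/db_backup_key   # dedicated, passphrase-less key for this job

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# backup_filename DB: one file per day, e.g. my_db-2016-02-14.sql.gz
backup_filename() { printf '%s-%s.sql.gz\n' "$1" "$(date +%F)"; }

# dump_db DB OUTFILE: mysqldump piped through gzip. The password comes from
# ~/.my.cnf ([client] section, mode 0600), never from the command line, where
# "ps" would show it to every local user. A pipe reports only gzip's exit
# status, so mysqldump's failure is recorded separately and returned.
dump_db() {
  { mysqldump --single-transaction "$1" || echo "$?" > "$2.err"; } | gzip -9 > "$2"
  if [ -s "$2.err" ]; then rm -f "$2.err" "$2"; return 1; fi
  rm -f "$2.err"
}

# verify_dump FILE: true only if FILE is a readable gzip stream whose
# decompressed content is not empty (a failed dump must never be shipped).
verify_dump() {
  [ -s "$1" ] && gzip -t "$1" 2>/dev/null &&
    [ "$(gzip -dc "$1" 2>/dev/null | head -c 1 | wc -c | tr -d '[:space:]')" = 1 ]
}

# ship_dump FILE: copy with the dedicated key. BatchMode makes scp fail rather
# than hang on a prompt under cron; -P is only needed for a non-default port.
ship_dump() {
  scp -i "$SSH_KEY" -o BatchMode=yes -P "$REMOTE_PORT" "$1" "$REMOTE:$REMOTE_DIR/"
}

# authorized_keys_line PUBKEY_FILE ORIGIN_IP: the line to append to
# ~/.ssh/authorized_keys on the remote server. "restrict" disables port, agent
# and X11 forwarding and PTY allocation; "from" ties the key to the origin
# server's address, so a stolen passphrase-less key is of little use elsewhere.
authorized_keys_line() {
  printf 'restrict,from="%s" %s\n' "$2" "$(cat "$1")"
}

main() {
  mkdir -p "$BACKUP_DIR"
  file=$BACKUP_DIR/$(backup_filename "$DB_NAME")
  if ! dump_db "$DB_NAME" "$file"; then log "dump of $DB_NAME failed"; exit 1; fi
  if ! verify_dump "$file"; then log "dump $file is empty or corrupt"; exit 1; fi
  if ship_dump "$file"; then log "shipped $file"; else log "scp of $file failed"; exit 1; fi
}

# Run as "db-backup.sh run" from cron; sourcing the file only defines the functions.
case "${1:-}" in run) main ;; esac
```

Schedule it with a cron entry such as 0 2 * * * /usr/local/bin/db-backup.sh run, and generate the key for it with ssh-keygen -t ed25519 -f ~/.ssh/db_backup_key -N "" so that your personal key keeps its passphrase. Old dumps accumulate in BACKUP_DIR and on the remote server; delete them on a schedule, and keep the remote directory readable only by the receiving user.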

How to connect to a remote Git repository from a Windows PC

  1. Download and install Git for Windows from https://msysgit.github.io/
  2. While installing the tool keep all the default settings
  3. Create a folder named projects for your site/application (maybe in your Documents folder)
  4. Open the Git GUI tool and generate an SSH key from the Help menu
  5. The keys are created in your Users/USERNAME/.ssh folder
  6. Import the public key to your server using cPanel (SSH Access) and authorize it there. Only the public key is needed on the server; the private key stays on your PC and should not be uploaded anywhere.
  7. Open the Git command line tool (Git Bash) and navigate to the Documents folder (i.e. one folder above projects)
  8. Run the command: git clone ssh://USERNAME@IP_ADDRESS/home/USER/repositories/REPO_NAME


Now make some changes to your code, stage them with git add, and commit the change using

git commit

The changes can then be pushed to the remote server using the command below

git push origin master

Set up a remote Git repository on a VPS / dedicated server

It is possible to host a remote Git repository on your own server, provided your hosting provider allows Git to be installed on it.

If your site/application is hosted on a VPS or a dedicated server this is much easier to do.

Prerequisite for a remote Git repository

Git must be installed on the server.

If you are on a VPS or dedicated server it is likely that Git is already installed.

To check whether Git is installed, SSH to your server and ask Git for its version (git --version).

If Git is installed it will print the version.

If not it will give an error message.

If Git is not installed you first need to install it on your server. For this you may need root access. If you do not have root access, ask your hosting provider to install Git for you.

Once Git is installed, follow the steps below on the server to set up the remote repository

Create a Directory

SSH to your server (using PuTTY on Windows or Terminal on a Mac)

Initialise Repository

Hook (Push to deploy)

The post-receive hook in Git runs on the server after a push has been accepted. It can be used to deploy the pushed revision to the live site automatically using the commands below.

Add the content below to the post-receive hook file

Press ctrl+d to save the file

File permissions

With these simple steps your Git server is ready to accept pushes, and the hook deploys each one. On the client side (your local machine) add the server as a remote and push your changes to it; IDEs such as NetBeans can do this for you.
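The following is an added example covering the server-side steps above (directory, bare repository, post-receive hook, permissions); it is not the original post's commands. The paths are assumptions: the bare repository lives under ~/repositories/my_site.git, outside the web root, and the live files are checked out into ~/public_html. Keeping the repository outside the web root matters because a .git directory inside it would let any visitor download your full history, including anything you ever committed and later removed.

```shell
#!/bin/sh
# Added example (not from the original post): bare repository + push-to-deploy hook.
set -eu

REPO_DIR=${REPO_DIR:-$HOME/repositories/my_site.git}   # assumed, outside the web root
WORK_TREE=${WORK_TREE:-$HOME/public_html}              # assumed web root
BRANCH=${BRANCH:-master}

# write_post_receive_hook REPO_DIR WORK_TREE BRANCH: writes hooks/post-receive.
# --work-tree/--git-dir keep .git out of the web root. "checkout -f" replaces
# the live files with the pushed revision, so anything edited directly on the
# server is overwritten by the next push.
write_post_receive_hook() {
  mkdir -p "$1/hooks"
  cat > "$1/hooks/post-receive" <<EOF
#!/bin/sh
# Git feeds one "oldrev newrev refname" line per updated ref on stdin.
# Deploy only pushes to the $3 branch; ignore other branches and tags.
while read -r oldrev newrev refname; do
  if [ "\$refname" = "refs/heads/$3" ]; then
    git --work-tree="$2" --git-dir="$1" checkout -f "$3"
  fi
done
EOF
  chmod 755 "$1/hooks/post-receive"   # git only runs a hook that is executable
}

# init_remote REPO_DIR WORK_TREE BRANCH: create the directories, the bare
# repository and the hook. Requires git on the server.
init_remote() {
  mkdir -p "$1" "$2"
  git init --bare "$1"
  write_post_receive_hook "$1" "$2" "$3"
  chmod 750 "$1"                       # other local users cannot read the history
}

# Run as "setup-remote.sh setup"; sourcing the file only defines the functions.
case "${1:-}" in setup) init_remote "$REPO_DIR" "$WORK_TREE" "$BRANCH" ;; esac
```

On the client, point a remote at the bare repository and push: git remote add origin ssh://USER@IP_ADDRESS/home/USER/repositories/my_site.git followed by git push origin master. The hook's own output is shown to the pusher, so a failed checkout is visible in the push output rather than silently leaving the old files live.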

Plot multiple places on Google Maps – WordPress plugin

Plot events, photos, places, etc. on Google Maps using a simple WordPress shortcode built on the Google Maps API.

Everything below can be achieved with a simple plugin, an XML file that provides the markers, and a configurable shortcode

  • Plot multiple locations on a map
  • Marker clustering (markerclusterer)
  • Ability to click each marker to get more details, i.e. through a marker popup
  • The marker's info popup details are customizable through the shortcode and CSS
  • Ability to set the initial zoom level

Step 1: Get an API Key for Google Maps API

First of all we need an API key for Google Maps. You can get one from the Google Developer Console.

Here are the steps to create an API key

1. Visit the Google Developer Console Projects page and create a project as per your requirement

2. Go to API Manager and select the project created in the above step

3. Enable the Google Maps JavaScript API and the Google Maps Embed API

4. Click the Credentials link

5. Click New Credentials and select API Key. On the options page select Browser Key

6. Add your domain name as an HTTP referrer restriction as shown in the screenshot. The key is visible to anyone who views your page source, and this restriction is what stops other sites from using it at your project's expense.


7. Finally click the Create button, which generates the API key

Step 2: Install the Google Maps plotter plugin

  1. Download the plugin files from the WordPress plugins repository
  2. Install and activate the plugin

Step 3: Generate XML file for the Google Map markers

Make sure you have the markers XML file ready.

The markers XML file can be generated dynamically by PHP from your database, or it can be a static file in the format below. If you generate it from data that users entered, escape every value for XML (for example with htmlspecialchars) so that a stray < or & in a name does not break the file or put markup into the popup.

Sample XML file for the markers

Read how to generate XML file dynamically – coming soon

Step 4: Display Google Map

Now display the map on a page, post, custom post, widget, etc. using the shortcode below

Zoom => In the above shortcode the initial zoom level is set to 2

html => defines the marker popup text

Data attributes are separated with a bar (|)

Each data attribute consists of the attribute name, which must match the element in the XML file, and the label to display, separated by a comma

e.g. topic is the data attribute you wish to display, while Topic is its label

After clicking the 1st marker, the above html displays the popup as below

Topic: Some Topic

Presenter: Mary

Date: 14-Feb-16

Telephone / Mobile:

Step 5: Stylize Google Maps Marker popup text

The last thing is to style the marker popup text.

If you look at the source of the marker popup it is as below

So the label and the data associated with it can easily be styled using the IDs in your CSS


Replace WordPress search with Google Custom Search (CSE)

For better search results, or to integrate with AdSense, you may want to replace the WordPress search with Google Custom Search (CSE).

Below are the steps to follow using a simple WordPress plugin. [Download Plugin]

1. Register your site on Google Custom Search by filling in the simple form shown below

Google Custom Search
2. After creating your CSE you will get a search engine ID as shown below. Make a note of this ID.

3. Create a page to display the search results and add the [PW_ADD_GSEARCH_RESULTS] shortcode on this page.

4. Add the URL of the search results page on the settings screen of the plugin.

Replace wordpress search with google custom search
Settings screen

5. Comment out or remove the search form code in searchform.php (or possibly header.php) in your theme folder and add the code below instead

This will create the search box.


How to change default RSS feed posts limit

By default the WordPress RSS feed shows 10 posts. This count can be changed by adding the code below to your theme's functions.php file. (The same value can also be set without code under Settings > Reading, "Syndication feeds show the most recent ... items".)

In the code above the limit is increased to show 20 posts