
How To Disable WordPress Theme, Plugin File Editing In One Minute


Being able to edit plugin and theme files is a real convenience, especially for people who know how to code. However, for people who don’t know how to code or don’t understand much about WordPress development, it is a possible risk.

By default, admin users in WordPress have the file editing right. You can check whether you have it by hovering your cursor over the Plugins or Appearance menu item in your dashboard (if you don’t see those menu items, chances are you don’t have the file editing right). If the last item in the submenu says “Plugin Editor” or “Theme Editor”, you have the file editing right.


The need to disable the file editing right for admin users is even more urgent when other people work on the site. One missing semicolon can bring the whole site down.

So, how can you disable file editing completely on your site?

It’s easier than you might think.

How to disable file editing in the admin area

To accomplish this, you need access to your web server; being an administrator on your site is not enough. You can do it via FTP, SSH or cPanel, whichever suits you.

The only thing you need to do to disable file editing in the admin area is to put this line of code:

define('DISALLOW_FILE_EDIT', true);

right above the line:

/* That's all, stop editing! Happy publishing. */

in the file named wp-config.php.

By default, this file is located at the root of your website, at the same level as the wp-content, wp-includes and wp-admin folders.

Here is where the file is on my site:

locate wp-config.php on server

After inserting the code, the content of my wp-config.php file looks like this:

inserting code to disable file editing in wordpress admin

Now save the file and go back to your admin area. You should see that the options to edit plugins and themes have disappeared:

theme editor disabled

plugin edit disabled

Now no one, not even admins, can accidentally edit plugin or theme files. This action alone significantly improves your site’s security.
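A quick way to confirm the change on the server side, as an added example that is not part of the original post: a small POSIX shell check that reads a wp-config.php and reports whether DISALLOW_FILE_EDIT is defined as true on an uncommented line. The two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-config.php for the
# DISALLOW_FILE_EDIT constant. Returns 0 when the constant is defined as true
# on an uncommented line, 1 otherwise. Lines commented with // or # are
# ignored; /* ... */ block comments are not handled.
file_edit_disabled() {
  grep -Ev '^[[:space:]]*(//|#)' "$1" |
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Constructed sample configs in a temporary directory (hypothetical paths).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy publishing. */
EOF
cat > "$SAMPLE_DIR/default.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
/* That's all, stop editing! Happy publishing. */
EOF

for cfg in "$SAMPLE_DIR/hardened.php" "$SAMPLE_DIR/default.php"; do
  if file_edit_disabled "$cfg"; then
    echo "$cfg: file editing in the admin area is disabled"
  else
    echo "$cfg: file editing in the admin area is still ENABLED"
  fi
done
```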

What if you want to insert code to your site?

Adding functionality to your site by modifying plugins or themes directly (except in the case of a child theme) is not recommended. If you want to insert JavaScript or CSS code, you can easily do so with plugins like WP Coder. If you need to edit a .php file, the best method is via FTP or SSH: if you make a mistake, you can quickly fix it and bring the site back online without suffering a white screen of death.

Conclusion

As the solo admin of my site and a developer, I’m quite confident editing files in my site’s dashboard. However, if your site is managed by other people (and they have admin rights), it’s best to disable the file editing ability in the admin area. It will prevent accidental edits of files that may bring your site down.


How To Prevent Other Sites From Using Your Images Without Permission


If you have a website that serves images, especially a news site, chances are other people want to use your images. Polite people will ask for the right to display your images on their websites. Not so polite people may download the images to their computer and upload them to their site. Worse, they can link directly to your images from their site. That way they have images to show while you pay for the bandwidth. This technique is called hotlinking.

You may wonder, is there any method to stop this?

Fortunately, the answer is yes. In this post, we are going to find out how to disable hotlinking on both Apache and Nginx servers. Let’s get started.

First things first: find out what server you are running

Finding out what kind of server you are running is quite simple. Currently, nginx and apache are the most popular servers, and this post covers settings for these two only.

Here are the steps to find out what server your website is running on:

  1. Open your website on Chrome
  2. Right click anywhere on the page, select Inspect and switch to the Network tab.
  3. Reload your site and you’ll see something like this:

load site with network tab open

Click on the line with your domain name. In my case, it’s www.binarycarpenter.com. A new panel opens on the right. Pay attention to the line starting with the text “server”:

find the server technology that runs your site

As you can see, my site is running on an nginx server. If the text is different, you will still have no problem telling what kind of server you are running.

How to prevent other sites from linking directly to your images on Apache

To disable hotlinking on Apache, you need access to your server, not just WordPress admin, since you are going to enter some code in a file called .htaccess. If you have no idea what the .htaccess file is, you may want to read a bit about it here.

Basically, it’s a file on your server that lets you write directives for your web server to do various things such as URL rewriting, managing file access and so on.

Understanding how .htaccess works may take a long time. However, disabling image hotlinking takes only a few minutes.

Now, copy the following code and paste it at the end of your .htaccess file, which is located at the same level as files such as wp-config.php, wp-content and so on. If you don’t have that file, simply create it.

<IfModule mod_rewrite.c>
    # Block image requests whose Referer is set but does not point at our own site
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?your_site\.com [NC]
    RewriteRule \.(gif|jpe?g|png)$ - [NC,F,L]
</IfModule>

Make sure you replace your_site with your domain name (without the extension) and com with your domain’s extension.

For example, if your site is greatsite.org, the code would be:

<IfModule mod_rewrite.c>
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?greatsite\.org [NC]
    RewriteRule \.(gif|jpe?g|png)$ - [NC,F,L]
</IfModule>

After that, save the file and restart your server. Now try to link to your images from another site (you can try on your localhost) and you’ll see a 403 error.
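To see exactly which referers the two RewriteCond lines let through, here is an added shell example (not from the original post) that replays the same regular expression against a few constructed Referer values for greatsite.org. It also shows a stricter variant, because the pattern as written is not anchored after the domain name.

```shell
#!/bin/sh
# Added example (not from the original post): replay the Apache referer rules
# in the shell. Assumes the site is greatsite.org, as in the post's example.

# Mirrors the two RewriteCond lines: an empty Referer passes, otherwise the
# Referer must start with http(s)://, an optional subdomain and the site name.
SITE_PATTERN='^https?://([^.]+\.)?greatsite\.org'

# referer_decision PATTERN REFERER -> prints "allow" or "deny"
referer_decision() {
  pattern=$1; referer=$2
  if [ -z "$referer" ]; then
    echo allow      # first RewriteCond (!^$) fails, so the rule never fires
  elif printf '%s' "$referer" | grep -Eiq "$pattern"; then
    echo allow      # second RewriteCond fails: the Referer is our own site ([NC] = -i)
  else
    echo deny       # both conditions hold: RewriteRule answers 403 ([F])
  fi
}

# The post's pattern only checks how the Referer begins, so a host such as
# greatsite.org.example.net also passes. Requiring an optional port and then a
# slash or end of string right after the domain closes that gap.
STRICT_PATTERN='^https?://([^.]+\.)?greatsite\.org(:[0-9]+)?(/|$)'

for ref in "" "https://greatsite.org/post" "http://img.greatsite.org/a.png" \
           "https://other.example/page" "https://greatsite.org.example.net/"; do
  printf '%-42s loose=%-5s strict=%s\n' "\"$ref\"" \
    "$(referer_decision "$SITE_PATTERN" "$ref")" \
    "$(referer_decision "$STRICT_PATTERN" "$ref")"
done
```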


How to prevent other sites from linking directly to your images on Nginx

Now it’s time to apply some configuration to your nginx server to disable hotlinking. To do this, you need to identify your server block. One nginx config file may contain many server blocks.

Here, within my server block (for this site), I put the following code:

location ~* \.(jpg|jpeg|png|gif|swf|webp)$ {
    valid_referers none blocked binarycarpenter.com *.binarycarpenter.com;
    if ($invalid_referer) {
        return 403;
    }
}

Make sure you replace my domain name with your own domain name.

Now, save the file and restart nginx.

On my site, I still see my images loading properly. However, if I try to link from other places (not from my domain), I get a 403 error on the image:


Conclusion

As you can see, within a few minutes you can prevent others from stealing your bandwidth. You may find this difficult if you don’t know what .htaccess, apache or nginx are. If you need assistance, please leave a comment below.


How To Get Notified About Available Updates In WordPress For Free


At the time of this writing, WordPress is the most popular blog platform on Earth and WooCommerce is the most popular e-commerce platform. That’s why they are the target of many malicious attacks. Keeping your WordPress (including themes and plugins) up to date is one of the most effective ways to keep your site secure.

If you are like me, you probably have more than one website, and there are sites you visit more frequently than others. For sites whose dashboard we visit regularly, we can update WordPress (including themes and plugins) very often. However, for sites that don’t get much attention, we may miss some updates, including important ones.

How to get notified when updates are available

You may wonder: since keeping WordPress up to date is vital, is there any way to keep us informed about available updates? Fortunately, the answer is yes. Better yet, there is a plugin that does the job for free. Let’s learn how to install the plugin and configure it so you don’t miss any updates, especially critical ones.

Here is the step-by-step tutorial

Step 1. Install and activate WP Update Notifier

First of all, you need to install a plugin called WP Update Notifier.

You can either download the .zip file by following the link above or search for it in your site’s dashboard.

One small issue with the plugin is that it hasn’t been updated for 3 years. While the main functionality works properly, there is a minor issue with a deprecated function (a function that is no longer supported by WordPress). I’ve removed the line of code that caused the deprecation notice and repackaged the plugin here. You can download and install my version instead.

Download new version of the plugin


install update notifier from site dashboard

Step 2: Configure the plugin

After the plugin is activated, you can find its admin page under Settings -> Update notifier.


You’ll see this page appear:


The settings are straightforward and easy to understand. You can leave most of them at their defaults. Here are the settings in detail:

  1. Frequency to check: how often do you want the plugin to check for updates? I usually set it to Daily for my sites, but you can set it to Hourly or Monthly.
  2. Notify email to: by default, this is your admin email. This is the email address that receives the update notification.
  3. Notify email from: the email address that appears in the From field of the notification email.
  4. Notify about plugin updates and theme updates (settings 4 and 5 on the page): check these if you want to receive notifications about plugin and theme updates. I’d recommend you leave them enabled (yes).
  5. Hide core WP update nag: if you want to hide the WordPress core update notice from non-admin users (in case your site has other users with different roles), select yes.

Now click Save settings to save the options. If this is the first time you use the plugin, I’d recommend you click the white button, Save settings with test email.

Troubleshooting

If your email settings are correct, you should have no problem getting update notifications at the email address you specified above. However, some servers don’t have email sending configured properly. If your site is hosted on such a server, you may not get any email.

In that case, please check this guide to fix email sending on your site.

Conclusion

Now you don’t need to worry about your site being at risk because your WordPress core, themes or plugins are out of date. With WP Update Notifier, you can act as soon as updates are available.


How To Disable XMLRPC Without Using Plugin

XML-RPC is a protocol that lets you send data over HTTP. In WordPress, you can use this protocol to manipulate various things on your site, including creating, deleting and editing posts. However, it is a dying technology and carries a high potential risk.

It is recommended that WordPress users disable it entirely. By default, your WordPress installation has it enabled.

If you need more details about XML-RPC and its risks, this post should be sufficient.

How to disable XML-RPC without using a plugin

The good news is that disabling XML-RPC is very simple. You only need to add one line of code. As usual, I recommend you enter this code in your child theme. If you don’t know how to create one, I have a detailed tutorial here:

Picture Guide To Create Child Themes In WordPress Step By Step

After that, paste the following code into the child theme’s functions.php file:

add_filter( 'xmlrpc_enabled', '__return_false' );

The code basically adds a function to the xmlrpc_enabled filter hook. When this hook is applied, the function __return_false is called.

If you know a bit of PHP, you may wonder where the implementation of the function __return_false is. The answer is that it is a WordPress helper function that conveniently returns false, which is all we need to disable XML-RPC.
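Here is an added shell example, not from the original post, for checking that the filter is actually in effect on your own site. The xmlrpc_enabled filter only turns off the XML-RPC methods that require authentication: xmlrpc.php still responds, and an authenticated method call such as wp.getUsersBlogs comes back as an XML-RPC fault with code 405 and the text “XML-RPC services are disabled on this site.” The helpers below read that fault code out of a saved response body; both response bodies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). With the filter active, WordPress
# answers authenticated XML-RPC methods with faultCode 405; with XML-RPC still
# enabled, the method runs and rejects wrong credentials with faultCode 403.
# A 200 HTTP status alone therefore proves nothing; the fault code does.

# Print the faultCode of an XML-RPC fault response, or nothing if there is none.
xmlrpc_fault_code() {
  tr -d '\n\r\t ' < "$1" |
    grep -o '<name>faultCode</name><value><int>[0-9]*' |
    grep -o '[0-9]*$'
}

# Succeed (exit 0) only when the response carries the 405 "disabled" fault.
xmlrpc_auth_disabled() {
  [ "$(xmlrpc_fault_code "$1")" = 405 ]
}

SAMPLE_DIR=$(mktemp -d)
# Constructed response after add_filter( 'xmlrpc_enabled', '__return_false' ).
cat > "$SAMPLE_DIR/disabled.xml" <<'EOF'
<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>405</int></value></member>
<member><name>faultString</name><value><string>XML-RPC services are disabled on this site.</string></value></member>
</struct></value></fault></methodResponse>
EOF
# Constructed response from a site where XML-RPC is still enabled: the method
# ran and rejected the (deliberately wrong) credentials instead.
cat > "$SAMPLE_DIR/enabled.xml" <<'EOF'
<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>403</int></value></member>
<member><name>faultString</name><value><string>Incorrect username or password.</string></value></member>
</struct></value></fault></methodResponse>
EOF

for f in "$SAMPLE_DIR/disabled.xml" "$SAMPLE_DIR/enabled.xml"; do
  if xmlrpc_auth_disabled "$f"; then
    echo "$f: faultCode $(xmlrpc_fault_code "$f"), XML-RPC is disabled"
  else
    echo "$f: faultCode $(xmlrpc_fault_code "$f"), XML-RPC is still ENABLED"
  fi
done
```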

Conclusion

Disabling XML-RPC is very simple and you should be able to do it without any problem. If you need help, please comment below. If you don’t use XML-RPC or don’t know what it is, you should definitely disable it now.