Custom Security Header

As a precaution against distributed denial of service (DDoS) attacks, I allow access to my websites only through Cloudflare. Direct access – for example using my IP address – is not permitted. I put a bit of code in my .htaccess file that checks to see if the Cloudflare IP Country header is present. That worked fine but would be pretty easy for a determined bad guy, gal, nonbinary person, or bot to defeat – especially since I posted here about it.

Recently CF added a Transform Rule feature. It consistently amazes me what great features CF makes available on their free tier. Using a Transform Rule, I can create a custom, secret request header which I can then check for using .htaccess. Something like this …

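The check described above, as an added example rather than the post's own rule. It assumes a Cloudflare Transform Rule has been configured to set a request header named X-Origin-Secret (placeholder name and value) on every request it proxies to the origin; the .htaccess side then refuses anything that does not carry the exact value.

```apache
# Added example (not from the original post). Assumes mod_rewrite is enabled
# and a Cloudflare Transform Rule sets X-Origin-Secret on proxied requests.
# Header name and value are placeholders; use a long random value.
RewriteEngine On

# Deny with 403 unless the secret header is present and matches exactly.
RewriteCond %{HTTP:X-Origin-Secret} !^REPLACE_WITH_LONG_RANDOM_VALUE$
RewriteRule ^ - [F]
```

Make sure the Transform Rule overwrites the header rather than appending to it, so a value supplied by the client is replaced instead of passed through, and rotate the value if it is ever exposed.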

2021 in Review: WP Highlights

  • WP continued to increase its market share from 39% of the web to 43%.
  • WP 5.9 release delayed to 2022 (that’s a good thing – wait till it’s ready).
  • The WP People in Charge (PIC) dug in their collective heels even deeper on the unfortunate Gutenberg editor, doubling down on it as “the future of WordPress for the next decade”. Thank goodness for the Classic Editor plugin.
  • WordPress 5.8 added support for the WebP image format.
  • The Wix/WP Kerfuffle provided some of the best, funniest entertainment of the year.

Apache, Nginx, or LiteSpeed?

Spoiler Alert: LiteSpeed is my choice for its superb server-side cache. Apache is a solid pick too – I just have to add the Comet Cache plugin. Nginx is right out – no support for .htaccess.

Apache, Nginx (pronounced engine-x), and LiteSpeed make up the vast majority of the web server market. Comparisons of the three are readily available on the interwebs, so I won’t get into that – just a quick summary:

The Best WordPress Hosting is … Blatant Clickbait

This nonsense swamps the Interwebs. Links screaming “The Best WordPress Hosting for 2022”, “The Top 10 WordPress Hosts”, “WordPress Hosts Ranked by Real Users” – and many other variations. These are always clickbait, frequently affiliate marketing scams, many times involving the notoriously evil Endurance International Group (EIG). No useful information has ever been gleaned from any of these sites.

So, how do I pick a WP host? It ain’t easy. There are thousands to choose from, and selection can be a bit hit and (mostly) miss. Sorry for that.

The Cloudflare CAPTCHA Kerfuffle Continues

In early 2020, Cloudflare switched from Google’s reCAPTCHA to Intuition Machines’ hCaptcha. It was a business decision – although CF made a ridiculously hypocritical attempt to excuse the switch as a moral imperative. hCaptcha is much less expensive for CF than the Google alternative, but hCaptcha provides a lesser user experience. The CF community was – and remains – unhappy about the switch.

One click HTTP to HTTPS?

Way back on December 16, 2018 the good people at WordPress Christmas-gifted the community with the rollout of WordPress 5.0, introducing Gutenberg as the default content editor. Each subsequent release of WP has included improvements to Gutenberg (rebranded as the Block Editor). So many ‘improvements’. This ongoing need for multiple improvements is validation for the vast majority of WP users – including me – who loudly but hopelessly railed against Gutenberg being forced upon us far before it was ready – or we were ready for it.

Maybe one day it will be ‘improved’ enough for me to give it another trial.

Anyway, the recent rollout of WP 5.7 includes the latest set of Block Editor improvements. It also includes a much-touted new feature:

From HTTP to HTTPS in a single click

Starting now, switching a site from HTTP to HTTPS is a one-click move. WordPress will automatically update database URLs when you make the switch. No more hunting and guessing!

Uhm, really? A single click to switch from HTTP to HTTPS? Turns out no. I still need an SSL certificate like Let’s Encrypt. The certificate is the foundational piece of the conversion; the rest is pretty straightforward. The “hunting and guessing” was admirably solved by the Better Search Replace plugin. This new feature just moves the functionality of the Really Simple SSL plugin into WP core. I tried out the Really Simple SSL plugin in the past and found that, for me at least, it didn’t do anything that I couldn’t do about as easily without it.

Attacks on WordPress in 2020

The Wordfence 2020 WordPress Threat Report notes more than 90 billion malicious login attempts on the 4+ million sites using Wordfence in 2020. Doing a bit of math, that’s about 60 malicious login attempts on every site every day. I’m not at all sure 60 is exactly correct, but it seems about right based on what I find in my Cloudflare firewall logs – and it’s a big number.
