Securing WordPress for SSL admin

August 08, 2008

Note: This post was migrated from my old blog software. It hasn't been cleaned up yet (and might not ever be). Don't be surprised if the formatting, links, images, etc... are messed up.

I've written before about how WordPress doesn't really have a way to allow you to put administration tools in a secure location unless you do the same thing with the entire blog. This concerns me since I'm often on a wireless network that is open and not mine. Say, for example, at a book store with free wireless. While surfing on an open wireless network is generally pretty benign, sending any username/password across it without them being secure/encrypted makes it very easy to steal them.

I've hunted around a few times before, but had never really found a good solution. While doing some work on my site, I decided to try again and this time came up with "Admin-SSL". It's a plug-in someone wrote for WordPress that allows you to move all the "admin" stuff to a secure location. Something that isn't possible with the default install of WordPress (where you are either all secure or all open).

There are two examples of the power and benefit of open-source software with this plug-in. First off is the basic fact that WordPress is open which allowed for the plug-in to be created in the first place. While this isn't limited to open source software, it's a big help.

Second, when I installed the plug-in on my site, it didn't work properly. Some of the software that runs my site is different from where the plug-in was originally created. However, since I could look at the source code, I was able to find a fix that works and allows me to use it. To contribute back to the overall community a little, I've sent a note back to the original author explaining what I ran into and how I fixed it. This gives him the opportunity to let other people know about the issue and a way to fix it. Possibly even creating a specific fix for the issue in the next version.


Stop reading…. unless you are a web geek and/or are specifically looking for a fix for Admin-SSL on version 1.3 of the Apache web server. Below are the details of the fix that works for me. YMMV.

First, the short and sweet fix to try:

When you configure Admin-SSL (at least version 1.1) on a server running Apache 1.3, under the "Other Settings" category and the "HTTPS Detection" section

change: "The name of the HTTPS $_SERVER variable"
to: "SERVER_PORT" (without the quotes)

and change: "The value of the HTTPS $_SERVER variable when HTTPS is ON"
to: "443" (again, without the quotes)

Now some details. Admin-SSL uses the predefined $_SERVER['HTTPS'] PHP variable to check for secure connections while pattern matching to see if it should redirect a page to a protected URL. While this variable is available in Apache 2.x, it is not in the Apache 1.3.x versions of the server.

See the list of "specials" under the "RewriteCond Directive" for reference:
Apache 2.x - http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewritecond

Apache 1.3 - http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond

You can use an existing feature in the Admin-SSL configuration (described above) to get around this limitation assuming the port that your host uses for SSL is different from. Usually, SSL is set to run on port "443". If your provider uses a different port, you can simply use that instead. The only exception to this is if you have a host that runs both HTTP and HTTPS over the same port. In that case, there is no way to tell the difference in the script using the above method.

All this, of course, assumes that your host provides you with a way to access your site via HTTPS with either a private or shared cert. A general practice is for them to set up URLs like:

"https://www.your-site.com/~your-username/" that would simply give you a secure version of "http://www.your-site.com/". If you don't see a colon followed by a number after the .com, you should be running on 443. If you see something like "https://www.your-site.com:1234/~your-username/", that means that your host is running HTTPS on port "1234", or whatever the number there is. That's the number you would want to configure.

If, for some strange reason, that number is "80", you're going to have to find another solution, because that's the standard port for web traffic which means the script wouldn't be able to tell the difference.
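To make the two "HTTPS Detection" settings concrete, here is an added example (not Admin-SSL's own code, and not from the original post) that runs the same kind of variable-name/value check against a few server environments. The helper name is_secure_request(), the sample $_SERVER arrays, and the "on" value for the HTTPS variable are assumptions made for illustration.

```php
<?php
// Added example, not Admin-SSL's code. is_secure_request() is a hypothetical
// helper; $varName and $onValue mirror the two "HTTPS Detection" settings.

function is_secure_request(array $server, string $varName, string $onValue): bool
{
    // Variable absent (e.g. HTTPS under Apache 1.3): treat as not secure.
    if (!isset($server[$varName])) {
        return false;
    }
    // Compare as strings, ignoring case, so "On" matches "on" and 443 matches "443".
    return strcasecmp((string) $server[$varName], $onValue) === 0;
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'Apache 2.x, HTTPS'         => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'Apache 1.3, HTTPS on 443'  => ['SERVER_PORT' => '443'],
    'Apache 1.3, plain HTTP'    => ['SERVER_PORT' => '80'],
    'Apache 1.3, HTTPS on 1234' => ['SERVER_PORT' => '1234'],
];

// Candidate plug-in settings: [variable name, value when HTTPS is on].
$configs = [
    'HTTPS = on'         => ['HTTPS', 'on'],
    'SERVER_PORT = 443'  => ['SERVER_PORT', '443'],
    'SERVER_PORT = 1234' => ['SERVER_PORT', '1234'],
];

foreach ($configs as $label => [$var, $val]) {
    echo "Setting: $label\n";
    foreach ($samples as $name => $server) {
        $result = is_secure_request($server, $var, $val) ? 'secure' : 'NOT secure';
        printf("  %-27s %s\n", $name, $result);
    }
}
```

With the HTTPS setting, both Apache 1.3 samples that arrived over SSL are reported as not secure; the SERVER_PORT setting only gets them right when its value matches the port the host actually uses for HTTPS.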


Audio Books on iPods

August 07, 2008

If you have CD audio books that you want to convert over to play on your iPod, this page has instructions for doing just that. I haven't tried it yet, but want to make sure I've got the link ready to go when I do. In the past, I have just made MP3s and done a play list. This is fine as long as you listen straight through, but if you stop and listen to something else, you lose your place and have to find it again which can be really tricky. When the files are identified as being part of an audiobook, they are speced to maintain internal bookmarks. So, even if you leave it and listen to something else, when you come back, it'll pick up where you left off. Here's a page that has notes on importing directly from a CD instead of from existing MP3s.


Changing PermaLinks (but it won't really matter)

August 06, 2008

So, the theory behind "permalinks" is that they are supposed to stay the same. I'm breaking the rules and changing mine. The good news is that because of the way WordPress is built, links to the old addresses won't break. Originally, when I set them up, the format was: /blog/{year}/{month}/{day}/{post-title}. I'm removing the {day} because it's overkill. When looking at a web page address, it's nice to see the year and month the page was created, but there isn't a whole lot of reason for the day to be there. The developers who built WordPress included a very nice feature that handles these changes smoothly. Basically, if it sees requests for the old style address (which would potentially be coming in from other sites), it automatically redirects them to the new location. So, if an incoming link is pointing to something like this: http://www.alanwsmith.com/blog/2008/07/29/no-idea/ WordPress will see it and automatically change it to remove the now extraneous "/29" part. This is a great example of a good software design. If this wasn't handled and the format for the permalinks was changed, any links to the old format would immediately be broken. The user of the software shouldn't have to worry about stuff like that, and because WordPress developers thought about and designed for this, the user doesn't have to. It just works without really thinking about it. Another nice example of good software design is that if you remove the post-title from the address (e.g. http://www.alanwsmith.com/blog/2008/07/) you'll get a list of all the articles that were posted in the corresponding month. Once again, very well thought out. Kudos to the WordPress team.


Offline Post Creation

August 01, 2008

Inspiration for blog posts can strike at any time. Because blogs are by definition on the web, it can be difficult to post if you aren't online. In the past, I've written a few posts in a text editor and then copied them over to WordPress later, but that process is a pain.

After doing a little looking for an offline blog editor, I saw several references to folks using Windows Live Writer and being quite happy with it. Originally designed to work with "Windows Live", which I don't use, the Writer component works with other blogging platforms as well. This includes WordPress, which is what I use on my site.

So, I'm trying it out now (literally making this post in it). At first blush, it seems pretty nice. Aside from being able to write posts when not directly connected to the blog, I also like not having to work inside the browser itself. While the editor on the WordPress page is pretty nice and Firefox adds spell checking in the form, it's still not a very elegant experience to work inside the browser.

One of my biggest annoyances is that you have to scroll down in the browser to see the categories. The desktop app nature of the Writer application allows those categories to always be visible in a selection menu at the bottom of the application. I often forget to add categories because they aren't in view. Not an issue with the desktop Writer. Also, there is an option in its preferences to trigger a reminder to add categories before you post if you didn't include any. Very nice.

Now, most of these User Interface issues could be solved in the browser, but overall, it's MUCH easier to tackle that stuff inside a desktop application.

I did have one issue when trying to install the software. I keep Firefox set as my default browser. After trying unsuccessfully to install Windows Live Writer a few times, I temporarily set I.E. to be the default browser. After that, the install worked as expected. So, if you want to try it out, keep that in mind.

There are several other tools built into Writer that I haven't tried out yet, but at the top level it seems to do what I want quickly and easily and basically get out of my way and let me create posts. That's the sign of good design. When it does what you want it to do without really having to think about it.


Sugar Water

July 31, 2008

A long time ago, I saw this video for the song "Sugar Water" by Cibo Matto. While trying to see if I could find it online, I was looking for "Backwards videos" and came across a page that had this one for the song "Typical" by Mute Math. I'd never heard of them, but I dig the tune. They have a site mutemath.com if you want to check out more.


NASA Images

July 31, 2008

Just discovered the recently launched NASA Images web site. From this article that talks about the launch: "The launch is the first step in a five-year partnership that will add millions of images and thousands of hours of video and audio content, with enhanced search and viewing capabilities and new user features." How cool is that?!?! The design of the site looks like it should be easy to get around. I've downloaded a couple and they are decent resolution. My hope is that higher resolution becomes available as well.


No idea

July 29, 2008

Not sure where this is from. Though I'm sure the internet would tell me, I prefer not to look this time. Sometimes it's fun to just let the random happen:


St. Johns County Library uses Codebar

July 25, 2008

Between the library, grocery store, and various rewards programs, I've got several cards with bar codes. Since I use a money clip instead of a wallet, I keep all these various cards in my car and only grab the one that I need whenever I need it. A great idea I heard a while back is to scan all these various bar codes and print them out on one piece of paper which you then laminate. The goal being to have one card instead of several. Since I don't have a scanner hooked up right now, I decided to see if there was a free online tool to generate the bar code graphics for me that I could use to make my single bar code card. I ended up with this one from waspbarcode.com. I had never really thought about the fact that there's more than one bar code standard which apparently are called "Symbologies". If I would have started with the Wikipedia page I would have quickly discovered there are several. My library and apparently lots of others use Codebar. Of course, the way I figured this out was by punching my library id number into the waspbarcode generator and just going through all the possible symbologies till I saw one that matched. One interesting part of this was that I found another barcode generator at barcodesoft.com which is the one I tried first. Everything lined up on theirs except the last few bars which were off which means the number would be incorrect. So, props to the wasp guys for getting it right. Now I just need to figure out the symbology for each of my other cards. Now that I know that what I'm looking for is a "symbology", I'll start with a search. I'm guessing someone else already lists what I need to know on the great wide internet.


© Alan W. Smith