
Statistics in Plesk 12

As they say, there are three kinds of lies: lies, damned lies, and statistics. We need not concern ourselves with the former, but the latter might be of interest; specifically, statistics in Parallels Plesk. On the surface, the concept appears to be simple enough – it does not take a rocket scientist to figure out that it is about crunching numbers pertaining to the disk and traffic usage on a server – but the particulars are relatively obscure. This article aims to give an in-depth, “under the hood” overview of how statistics generation works in Plesk, highlight potential issues, as well as provide some troubleshooting advice.

In a nutshell, the statistics mechanism in Plesk calculates disk space and traffic usage on a per domain basis. This information is available to end users, resellers, and the provider alike. Besides being purely informative, statistics calculation indirectly facilitates other functions, such as the automatic suspension of subscriptions that go over the configured resource usage limits.

From the mechanical standpoint, statistics calculation is handled by the statistics utility, which is invoked by a script scheduled to run on a daily basis. On Linux, the following cron job takes care of the task:

Look for it in /etc/cron.daily/50plesk-daily. On Windows, it is the task with the description of “Daily script task” in the Task Scheduler. This ‘Daily maintenance’ script wears many hats (suspending subscriptions that overuse resources, checking for Plesk updates etc), and running the statistics utility is one of them. For every domain, the utility does the following, in turn:

  • Calculates disk usage and writes it to the Plesk database. The information goes into the disk_usage and domains tables.
  • Parses mail and FTP logs to calculate SMTP/POP3/IMAP/FTP traffic usage for the domain.
  • Processes the data from the web server logs. Now this is where the magic happens, so let us first take a look at the log files we will be talking about. Any user can see their domains’ web server logs from the Plesk interface by using the built-in file manager.

Here is where the web server logs are located on Linux:

And on Windows:

On Linux the processing of the Apache logs consists of the following steps:

  • The statistics utility reads the data from access_log, proxy_access_log, access_ssl_log, and proxy_access_ssl_log files and writes it to the corresponding *_log.stat and *_log.webstat files (i.e. the data from access_log and proxy_access_log goes in access_log.stat and access_log.webstat, and the data from *_ssl_log files goes in access_ssl_log.stat and access_ssl_log.webstat).
  • It then writes the data from the *.stat files into the corresponding *.processed files (e.g. the data from access_log.stat goes into access_log.processed), then sorts the contents. The *.stat files are removed afterwards.
  • Parses the *.processed files to calculate web server traffic, then calls the logrotate utility which cleans up the *.processed logs according to the domain’s log rotation settings. Note that this explains why there aren’t any provisions for rotating individual access log files in the logrotate configs (found in /usr/local/psa/etc/logrotate.d/<domain.tld>) – they never grow to any noticeable size, as the information is moved to .processed logs and those are rotated instead.
  • Creates hard links in the $HTTPD_VHOSTS_D/<domain_name>/logs/ directory pointing to the actual logs stored in $HTTPD_VHOSTS_D/system/<domain_name>/logs/. This mechanism allows end users to see the logs for their domain(s) and manage them, but prevents Apache from going haywire if a user deletes the /logs directory in their webspace, which Apache will be unable to recreate, as the directory is owned by root:root.
  • Writes the acquired traffic data to the Plesk database (DomainsTraffic and ClientsTraffic tables).
  • Calls the web statistics engine (either Webalizer or AWstats, depending on the domain’s settings). It processes the .webstat files to generate an HTML representation of the traffic data, available for the customers in the Web Statistics menu, then erases the contents of the .webstat files.

On Windows the process is much more straightforward. When the time comes to work on the web server logs, the statistics utility does the following:

  • Calculates traffic based on the data in the IIS log and writes it to the Plesk database.
  • Writes the time it ran to the registry.
  • Generates a different log and a configuration file. Those will be used by the web statistics engine (Webalizer or AWstats). The generation of web statistics is handled by a scheduled task named “Daily web statistics analyzers run task”, and the temporary log is removed after statistics calculation is done.

The next time the utility is run, it references the registry to get the date and the time it was last executed, then processes the data in the IIS log that has accumulated since that time, writes it to the web statistics log, and so on. Log rotation on Windows is carried out by the standard IIS means, so it does not depend on the utility running.

In the ideal world the process goes smoothly every time. Regrettably, in the imperfect reality the statistics engine requires a fair chunk of memory to operate, and is a juicy target for the OOMkiller. If the statistics utility is terminated before it has processed web server logs for all domains, those domains whose web server logs have not been processed will not have them rotated either (as there will be no .processed logs to rotate). This is a conscious design decision – this way we ensure that the data in the web server logs is not lost – but the trade-off is that the logs directory can quickly grow to an intimidating size, so the provider should keep an eye out for end users’ disk usage values ballooning, especially for domains seeing a fair amount of traffic.

Troubleshooting issues with statistics boils down to the following steps. These are by no means exhaustive, but provide a solid starting point, and should cover most everyday situations:

  1. Make sure that the logs are there for the affected domain(s). By default, the logs are located in $HTTPD_VHOSTS_D/system/<domain_name>/logs/ (Linux), or %plesk_vhosts%<domain_name>\logs\<logs_directory> (Windows). Make sure that permissions on the log files directory and the log files themselves are correct.
  2. Make sure that the scheduled task calling the daily maintenance script is in place. Make sure that it is being run (the cron daemon may be down etc).
  3. Make sure that the statistics utility is present and operational. Try running it for a single domain.

If you have trouble with log rotation, try these steps:

  1. Make sure that access logs are being correctly marked as .processed by the statistics utility (Linux). Make sure that the log rotation settings defined in the panel match those set in IIS proper (Windows).
  2. Make sure that the scheduled task calling the daily maintenance script is in place. Make sure that it is running (the cron daemon may be down etc).
  3. Make sure that the logrotate utility is present and operational. Try running it for a single domain (Linux).
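One way to spot the failure mode described above, where an interrupted statistics run leaves raw logs unprocessed and therefore unrotated. This is an added example, not part of Plesk or the original article; the thresholds, the function name find_stalled_domains and the /var/www/vhosts fallback are assumptions.

```python
import os
import time

# Raw Apache logs that the statistics utility drains on every run (names from the article).
RAW_LOGS = ("access_log", "proxy_access_log", "access_ssl_log", "proxy_access_ssl_log")


def find_stalled_domains(vhosts_root, max_raw_bytes=50 * 1024 * 1024,
                         max_processed_age_days=2, now=None):
    """Return {domain: [reason, ...]} for domains whose web logs look unprocessed.

    vhosts_root is the value of $HTTPD_VHOSTS_D. Both thresholds are
    assumptions for this example and should be tuned per server.
    """
    now = time.time() if now is None else now
    system_dir = os.path.join(vhosts_root, "system")
    findings = {}
    for domain in sorted(os.listdir(system_dir)):
        logs_dir = os.path.join(system_dir, domain, "logs")
        if not os.path.isdir(logs_dir):
            continue
        names = os.listdir(logs_dir)
        reasons = []

        # *.stat files are removed at the end of a normal run, so a leftover
        # one suggests the utility was killed part-way through this domain.
        leftovers = sorted(n for n in names if n.endswith(".stat"))
        if leftovers:
            reasons.append("leftover intermediate file(s): " + ", ".join(leftovers))

        # Raw logs stay small when processing works; a large one means the
        # data was never moved into *.processed and so was never rotated.
        raw_bytes = 0
        for raw in RAW_LOGS:
            path = os.path.join(logs_dir, raw)
            if os.path.isfile(path):
                size = os.path.getsize(path)
                raw_bytes += size
                if size > max_raw_bytes:
                    reasons.append(f"{raw} is {size} bytes (limit {max_raw_bytes})")

        # Pending raw data without a recent *.processed file: the daily run has
        # not reached this domain. A brand-new domain also matches until its first run.
        if raw_bytes:
            mtimes = [os.path.getmtime(os.path.join(logs_dir, n))
                      for n in names if n.endswith(".processed")]
            if not mtimes:
                reasons.append("raw logs contain data but no *.processed file exists")
            elif now - max(mtimes) > max_processed_age_days * 86400:
                age_days = (now - max(mtimes)) / 86400
                reasons.append(f"newest *.processed file is {age_days:.1f} days old")

        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    # /var/www/vhosts is an assumed fallback when HTTPD_VHOSTS_D is not exported.
    root = os.environ.get("HTTPD_VHOSTS_D", "/var/www/vhosts")
    for domain, reasons in find_stalled_domains(root).items():
        for reason in reasons:
            print(f"{domain}: {reason}")
```

Run it as root after the daily maintenance window; any domain it lists is a candidate for running the statistics utility for that single domain, as in the steps above.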

Finally, some useful reading:

 

Ref. devblog.plesk.com

Good luck

What is Plesk 12 application pool in IIS?

This article describes when, why, and how many application pools are created by Plesk in IIS.

There are two types of application pools in Plesk: shared and dedicated. Shared application pools are assigned to serve sites that do not have dedicated pools. Dedicated pools are used to serve only the sites of the customer or reseller to whom the pool is assigned. Dedicated pools isolate sites of different customers or resellers from each other. It increases the stability of different sites if one of the customer’s or reseller’s sites crashes. For more information about application pools and their management see the Plesk Administrator’s Guide.

I am not going to describe dedicated and shared application pools; instead, my aim is to write about how Plesk application pools are related to IIS application pools. Generally, it does not matter what type of application pool (shared or dedicated) Plesk creates – they are all provisioned in the same way. Let’s introduce two terms:

  • Plesk application pool – a pool that a Plesk user is allowed to manage. The pool’s settings can be managed in Plesk UI, and it can be either shared or dedicated.
  • IIS application pool – a pool that is created directly in IIS (one you can see in the IIS Manager).

It is important to understand that Plesk application pools are represented in IIS as groups of IIS application pools. It means that an application pool in Plesk (whether shared or dedicated) includes several IIS application pools. The number of IIS application pools in the group depends on the number of sites with different ASP.NET versions that are served by the corresponding Plesk application pool.

For example, consider a subscriber that has a dedicated Plesk application pool and two sites, “domain1.com” and “domain2.com”. “domain1.com” uses .NET v4.0, while “domain2.com” uses .NET v2.0. In this case, two application pools are created in IIS: “domain1.com(domain)(2.0)(pool)” for “domain2.com”, and “domain1.com(domain)(4.0)(pool)” for “domain1.com”. Note that in this case the IIS application pool serving “domain2.com” is named “domain1.com(domain)(2.0)(pool)” because the site belongs to the “domain1.com” web space.

Configuration in Plesk:

Configuration of pools in IIS:

The same is true for shared application pools. The maximum number of IIS application pools assigned to a single Plesk application pool is three (one pool each for ASP.NET 1, ASP.NET 2, and ASP.NET 4). When a user switches the ASP.NET version for a site in Plesk, if an IIS application pool with the chosen ASP.NET version does not exist, one is created.

To sum it up, it is not possible to explicitly control the number of application pools in IIS using Plesk. Keep in mind that whenever you switch on the dedicated Plesk application pool for a user, the real number of dedicated pools in IIS could increase by more than one.

Why is a Plesk application pool a group of IIS application pools?

An application pool in IIS can only serve sites with only one version of ASP.NET. So, if a subscriber has sites with different ASP.NET versions, several application pools in IIS are required, one for each version of ASP.NET. A Plesk application pool is a set of application pool settings that should be applied for all the sites of the subscriber. Consequently, if there are sites with different ASP.NET versions, then the set of application pool settings should be applied for all application pools in IIS.

How do Plesk application pool settings work?

When application pool settings are changed in Plesk, they are applied to all corresponding application pools in IIS. For instance, if a Plesk application pool consists of three IIS application pools, and a user changes “The maximum number of worker processes” setting via the Plesk GUI, then the value of this setting will be applied to all IIS application pools included in the Plesk application pool. Consequently, the real maximum number of worker processes in the system is increased by three times the number set in Plesk.

 

Ref. devblog.plesk.com


Protecting your wordpress installations with fail2ban in Plesk 12

There are no two ways about it: having your server compromised sucks. Seeing your website defaced or infected with malicious scripts feels like a punch in the gut. Did you know that modern brute force tools can test millions of passwords per second? It takes around 15 minutes to crack an average password (eight symbols in length, consisting of mixed-case letters, numbers, and special symbols). Is there anything you can do to protect yourself?

Luckily, the answer is yes. Plesk 12 comes with a comprehensive set of security tools. We have ModSecurity support to protect web applications, and automatic security hardening for WordPress. But today I would like to tell you about a different tool called Fail2ban. Fail2ban is effective against brute force attacks, and can be used to protect any service running on your server.

Here is how Fail2ban works:

  1. Fail2ban constantly monitors logs of the services it protects, matching every new log entry against a pre-defined set of rules.
  2. Once a suspicious entry is found in a log, Fail2ban notes the IP of the potential attacker and starts counting. Every time the IP performs suspicious activity, Fail2ban adds one to the counter.
  3. Once a pre-defined number of attempts is reached, Fail2ban can do two things:
    • Send an email notification, and/or
    • Ban the attacker’s IP for a pre-defined length of time.
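The counting and banning steps above, replayed over constructed access-log lines as an added example (not Fail2ban's code and not the filter from the original article). The regular expression, the sample lines, and the treatment of a 200 response to a wp-login.php POST as a failed login are assumptions; maxretry, findtime and bantime are named after Fail2ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed jail settings for this example.
MAXRETRY = 3                      # failures before a ban
FINDTIME = timedelta(minutes=10)  # window in which failures are counted
BANTIME = timedelta(minutes=10)   # how long a ban lasts

# Hypothetical pattern: a POST to wp-login.php answered with 200. Assumption:
# WordPress re-renders the login form (200) on a bad password and redirects
# (302) on success, so only the 200 responses count as failures.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST \S*/wp-login\.php(?:\?\S*)? HTTP/[\d.]+" 200 '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range IP addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2561',
    '203.0.113.7 - - [01/Apr/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.20 - - [01/Apr/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Apr/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.20 - - [01/Apr/2015:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 -',
    '192.0.2.44 - - [01/Apr/2015:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Apr/2015:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Apr/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '192.0.2.44 - - [01/Apr/2015:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '192.0.2.44 - - [01/Apr/2015:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
]


def replay(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, banned_at, banned_until), ...] in the order bans are issued."""
    failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
    banned_until = {}
    bans = []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # step 1: only entries matching the filter are counted
        ip = match.group("host")
        ts = datetime.strptime(match.group("ts"), TS_FORMAT)
        if ip in banned_until and ts < banned_until[ip]:
            continue  # already banned; a real firewall rule would drop this request
        window = failures[ip]
        window.append(ts)  # step 2: add one to this IP's counter
        while ts - window[0] > findtime:
            window.popleft()  # failures older than findtime no longer count
        if len(window) >= maxretry:  # step 3: threshold reached, ban the IP
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in replay(SAMPLE_LOG):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

In the sample, 192.0.2.44 fails three times but is never banned at the default settings, because its first failure has aged out of the findtime window by the time the third arrives.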

In this article we will give step-by-step instructions illustrating how you can use Fail2ban to protect your WordPress installation from brute force attacks. To do so, we will need to follow these steps:

  1. Create a filter, which is a set of one or more regular expressions. The filter is used to search the logs for suspicious activity.
  2. Create a jail, which is a set of rules covering an individual scenario. The settings of the jail determine what is to be done once an attack is detected.

Step 1: Creating the filter.

To create a filter for WordPress, go to Tools & Settings > IP Address Banning (Fail2Ban), open the Jails tab, and click Manage filters > Add Filter. Give the filter a name, and paste the following into the Content field:

Bitbucket custom domain CNAME record deprecation

Shocking news from Bitbucket service

We are writing to let you know that Bitbucket is discontinuing the Custom Domain feature (aka CNAME) as of July 1st, 2015. CNAMEs are used by relatively few accounts, and we are committed to building a better Bitbucket for all our customers by focusing our efforts on higher-impact features.
What does this mean for you? As a current CNAME user, your underlying Bitbucket account, kamtec1, will be unaffected. However, you will now need to access your account from the normal bitbucket.org URL instead of the custom domain, code.securityinet.com, you have been using. Existing custom domains will be removed and we will stop forwarding and accepting these CNAME records.
We’re sorry for any inconvenience this might cause you. If you want to learn more about the custom domain deprecation or changing your DNS records, please view the documentation page here.
Thanks,
Dennis Kromhout van der Meer
Bitbucket Product Manager

 

Why they do it 🙁

 

Because we have stopped supporting CNAME’s by July 1, 2015 you must change your custom domain URL’s everywhere they are used to access your Bitbucket team, account, repositories, and any automated processes which access Bitbucket using the custom domain URL.

We’ve provided a set of examples to illustrate the process on this page.

Remove your custom domain

Before you remove your CNAME, plan for changing the URL references used to access the account and all its repositories as shown in the following examples.

To remove your CNAME

  1. Do one of the following to access your team or account manage page: 
    1. For an individual account: Click Avatar > Manage account.
    2. For a team: Click Teams > your team name, then click Manage team.
  2. Click Custom domain.
  3. Click Remove Custom Domain.

Your Bitbucket team, account, and associated repositories will no longer be accessible using the custom domain URL.

Change all URL’s to remove the custom domain

Change URL to access the account or team in Bitbucket

Removing the CNAME from your team or account will revert the URL used to access the team or account’s overview and management pages.

This URL to access account or team overview pages:

HTTP
http://myurl.myteam.com

Will become:

HTTPS
https://bitbucket.org/teamname
or
https://bitbucket.org/accountname

Change the URL to access the repositories owned by the account or team

Removing the CNAME from your team or account will revert the URL used to access the team or account’s repositories.

This URL to access repositories:

HTTP
http://myurl.myteam.com/web-development

Will become:

HTTPS
https://bitbucket.org/teamname/web-development
or
https://bitbucket.org/accountname/web-development

Change Git remote origin

If you used the CNAME domain when you initially set up your local repositories you will have to remove the remote origin entry for each repository and replace it so that it points to the repository in Bitbucket using: bitbucket.org/teamname/repo-name.

  1. Check to see what your current remote is by switching to the directory containing your repository and using the git remote -v command. It should reveal your default fetch and push URLs similar to the following:
    $ git remote -v
    origin    https://[email protected]/web-development.git (fetch)
    origin    https://[email protected]/web-development.git (push)
  2. Remove the origin designation using git remote rm origin as shown in the following example:
    git remote rm origin
  3. Add the path to your remote using git remote add origin as shown in the following example:
    git remote add origin    https://[email protected]/teamname/web-development.git
  4. Verify the new remote using the git remote -v command as shown in the following example:
    $ git remote -v
    origin    https://[email protected]/teamname/web-development.git (fetch)
    origin    https://[email protected]/teamname/web-development.git (push)
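The remote change above, generalized to every remote in a repository, as an added example that is not from the Bitbucket documentation. It uses git remote set-url, which changes the URL in place, instead of the rm/add pair; the function names, the sample git remote -v output and the user name accountname are assumptions.

```python
import subprocess
from urllib.parse import urlsplit, urlunsplit

# Constructed `git remote -v` output; the user name and the unrelated remote are assumptions.
SAMPLE_REMOTE_V = (
    "origin\thttps://accountname@myurl.myteam.com/web-development.git (fetch)\n"
    "origin\thttps://accountname@myurl.myteam.com/web-development.git (push)\n"
    "legacy\thttp://myurl.myteam.com/web-development (fetch)\n"
    "legacy\thttp://myurl.myteam.com/web-development (push)\n"
    "upstream\thttps://example.org/other/project.git (fetch)\n"
    "upstream\thttps://example.org/other/project.git (push)\n"
)


def migrate_url(url, custom_domain, owner):
    """Map a remote URL on the custom domain to https://bitbucket.org/<owner>/...

    Returns None for URLs that do not point at custom_domain, so unrelated
    remotes are left alone.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None
    if (parts.hostname or "").lower() != custom_domain.lower():
        return None
    repo_path = parts.path.strip("/")
    if not repo_path:
        return None
    # Keep the user name, but never carry an embedded password into the new
    # URL, and always move to HTTPS as the examples above do.
    netloc = f"{parts.username}@bitbucket.org" if parts.username else "bitbucket.org"
    return urlunsplit(("https", netloc, f"/{owner}/{repo_path}", "", ""))


def plan_remote_updates(remote_v_output, custom_domain, owner):
    """Turn `git remote -v` output into `git remote set-url` argument lists."""
    commands = []
    for line in remote_v_output.splitlines():
        fields = line.split()
        # Each line is "<name> <url> (fetch)" or "<name> <url> (push)". The fetch
        # line is enough: set-url changes both when no separate push URL is set.
        if len(fields) != 3 or fields[2] != "(fetch)":
            continue
        name, url, _ = fields
        new_url = migrate_url(url, custom_domain, owner)
        if new_url is not None:
            commands.append(["git", "remote", "set-url", name, new_url])
    return commands


def migrate_repository(repo_dir, custom_domain, owner, dry_run=True):
    """Plan (and, unless dry_run, apply) the remote changes for one local clone."""
    listing = subprocess.run(
        ["git", "-C", repo_dir, "remote", "-v"],
        check=True, capture_output=True, text=True,
    ).stdout
    commands = plan_remote_updates(listing, custom_domain, owner)
    if not dry_run:
        for command in commands:
            subprocess.run(["git", "-C", repo_dir] + command[1:], check=True)
    return commands


if __name__ == "__main__":
    for command in plan_remote_updates(SAMPLE_REMOTE_V, "myurl.myteam.com", "teamname"):
        print(" ".join(command))
```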

Change Git action URL’s

Git actions URL’s like this:

HTTP
git clone http://[email protected]/web-development.git

Will have to change to this:

HTTPS
git clone https://[email protected]/teamname/web-development.git

SSH and other processes

Modify all URL’s to replace the CNAME URL (myurl.myteam.com) with the Bitbucket URL (bitbucket.org) including any SSH and automated or other processes accessing your Bitbucket repositories.

Change mercurial action URL’s

Mercurial action URL’s like this:

HTTP
hg clone http://[email protected]/web-development

Will have to change to this:

HTTPS
hg clone https://[email protected]/teamname/web-development

SSH and other processes

Modify all URL’s to replace the CNAME URL (myurl.myteam.com) with the Bitbucket URL (bitbucket.org) including any SSH and automated or other processes accessing your Bitbucket repositories.

 

The information provided below is stored for archive purposes only.

Ref: Link
Good luck

Persits AspUpload new installation

Hi, today I installed Persits AspUpload on my new Windows 2012 64-bit server, which is running the Parallels Plesk (Odin) control panel. The .EXE installation finishes without any errors, but Persits AspUpload is not working.

You will get many errors in your log, and it's good. You may see some errors that can indicate a problem, but I never managed to understand those errors and the solution that fixed it.

Examples of errors you may get:

I can give that auto installer this grade and say: failed installer and failed web tech info. You may always ask support for help, but it takes time 🙁

An F is given to a student for poor work.

AspUpload is a server component that allows your web application to capture files uploaded with a browser in as little as 2 lines of ASP script. With AspUpload, files up to 4 GB can be uploaded while only consuming a tiny amount of RAM on the server. The files can be uploaded to disk, memory or the database of your choice. The user can monitor upload progress and time-remaining information via a built-in HTML-based progress bar. AspUpload’s remarkable robustness and extensive feature set have made it the upload solution of choice for tens of thousands of web sites around the world. See the entire list of features here.

 #Solution

To install Persits AspUpload on a new Windows server, you need to do it this way:

1) If your OS is 64-bit, install both the 64-bit and 32-bit versions with the same key

2) Next, you need to give permissions (psacln and psaserv: full control)

3) You need to manually register this DLL with the Windows OS (the auto installer does it 🙂)

4) Give permissions (psacln and psaserv: full control)

5) Restart IIS

P.S. Regarding “psaserv” and “psacln”: these are for Plesk. If you have a different CP, you will need to add a CP group here, or you may just use “Everyone”, but it's not recommended.

P.S.2. It is recommended to use this link to disable certain features of the component deemed potentially dangerous, such as saving files in an arbitrary directory, manipulating ACLs, directory listing, file downloading, etc.

P.S.3. It is recommended to use the Live Demos from Persits AspUpload Software.

Good luck!!!

GTmetrix Latest Performance Report


Hello everyone 🙂

Today I must say I tuned up my website a little bit 🙂

GTmetrix Latest Performance Report: https://www.securityinet.com/


 

Everybody deserves a fast web experience.

GTmetrix can help you develop a faster, more efficient, and all-around improved website experience for your users.

Your users will love you for it.

Speed matters.

Studies show that users leave a site if it hasn’t loaded in 4 seconds; keep your users happy and engaged by providing a fast performing website!

GTmetrix uses Google Page Speed and Yahoo! YSlow to grade your site’s performance and provides actionable recommendations to fix these issues.

Recommendations from GTmetrix.

 

1. Why should I be concerned with my site’s speed?

Your users’ experience in terms of navigating your site should be a great reason. Users have many options when it comes to consuming content on the internet, and a slow performing website will frustrate your users, sending them elsewhere. A faster and more responsive website will keep them more engaged and focused on your content, rather than waiting for scripts and images to load.

Another reason is for SEO. Google has announced they are using page speed in their ranking algorithm.

This means that faster performing sites may rank higher in search engine results. As developers and marketers look to optimize their sites, page speed should be among the top optimizations to consider.

2. My site loads pretty fast…why should I change it?

It’s all about efficiency and optimization. Your site may be loading fast, but it could be faster if you take some of the best practices into consideration. You even might be able to reduce bandwidth and hosting costs by minimizing your footprint.

3. Now that I have my scores; What do I do now?

Start optimizing your site! GTmetrix provides explanations for each recommendation, and gives you actionable advice. The recommendations in the table you see are ordered in terms of which have the most impact on your site. Fixing items at the top of your list can have a bigger impact on your overall score.

Make sure you fully understand the recommendations before you begin though. Though many of them are applicable to your site, some are not. The recommendations are meant to be generic, best practices – you don’t need to fix everything.

Need help? GTmetrix’s developer, Gossamer Threads, can handle all of your speed optimization requirements.

Feel free to contact us if you have any questions.

4. My server code is optimized. Is this enough?

It’s a start – but the code that really needs to be optimized is the user facing code. Front end optimization (of CSS, javascript, images, HTML, etc) is what’s going to make the most impact on your users. Often we only concentrate on server side optimizations, making the code as efficient as possible there; but we forget that we can get an even bigger speed increase if we optimize the front end code as well.

5. Why are my Page Speed and YSlow scores different?

Page Speed and YSlow use different recommendations when analyzing URLs. Each service analyzes a page using a set of rules that they believe are most relevant to page speed and performance. Most of the rules overlap or are very similar to each other, but in general your scores should be comparable.

Visit our Recommendations page for a list of each service’s best practices.

6. I have a _______ type of site. Why is it asking me to do X?

The post-analysis recommendations are not always relevant to your site (EG. You do not need a CDN if you’re running a small website or blog). This is why it’s important to truly understand the recommendations and how they can affect your site. Not everything will apply to your site.

Visit our Recommendations page to learn more about each recommendation.

7. I don’t have control over X, why is it asking me to fix it?

Most sites include code for services like ads, analytics or other widgets. These bits of code may fetch javascript or CSS from other sources. Of course, since you have no control over these resources, there’s nothing you can (or need to) do.

8. Do I have to fix everything?

No, not at all! Start with the recommendations at the top. The report organizes recommendations in order of what has the most impact on your score.

Realize that 100% is not realistic, and a green score generally means your site is speed optimized. Remember that these tools are meant to be used for a wide variety of site types, and so some recommendations may not apply to your site.

9. How much of an impact will doing this have on my search engine ranking?

In general, there is no definitive answer one way or the other. Google has indicated they want a faster web, and to be able to “flip through sites” visually (like a magazine), which requires sites rendering fast and caching well. Google has also stated:

“While site speed is a new signal, it doesn’t carry as much weight as the relevance of a page.”

 

 

P.s. If you need some performance tricks… poke me by mail/contact form/comment

Good luck

How To Configure A High Available Load-balancer With HAProxy And Keepalived

This tutorial explains how to set up a two-node load balancer with HAProxy and keepalived on CentOS 7. The load balancer sits between the user and two (or more) backend Apache web servers that hold the same content. If one of them is down, all requests will automatically be redirected to the remaining backend server, which means the users will not notice any disruption of the service.

To configure the HA load balancer, you need 2 virtual/physical servers for the load balancers and 2 virtual/physical servers to load-balance. In addition to the 4 IP addresses needed by the servers themselves, a fifth virtual IP address (VIP) is necessary. The two load balancers and the VIP need to be in the same network segment.

Piranha has been replaced in RHEL7/CENTOS 7 with HAProxy and keepalived. So, HAProxy will be used as load-balancing software, keepalived as high availability solution and apache as software to load-balance.

Host details:

  • Load Balancer 1: haproxy1, IP: 192.168.0.101
  • Load Balancer 2: haproxy2, IP: 192.168.0.102
  • Web Server 1:     httpd1,     IP: 192.168.0.103
  • Web Server 2:     httpd2,     IP: 192.168.0.104

We also need a virtual IP address that floats between haproxy1 and haproxy2 : vip, IP: 192.168.0.10

Here is the addressing schema chosen to write into the /etc/hosts file of each server

Here’s a little diagram that shows our setup:

                     shared IP=192.168.0.100
     192.168.0.101    192.168.0.102    192.168.0.103    192.168.0.104
    -------+----------------+----------------+----------------+-------
           |                |                |                |
      +----+-----+     +----+-----+     +----+-----+     +----+-----+
      | haproxy1 |     | haproxy2 |     |  httpd1  |     |  httpd2  |
      +----------+     +----------+     +----------+     +----------+
        haproxy          haproxy          2 web servers (Apache)
        keepalived       keepalived

HAProxy installation

On the haproxy1/haproxy2 servers, execute the following instructions:

Install the HAProxy package:

Open the /etc/haproxy/haproxy.cfg file using your favourite editor (mine is vi), replace the line “frontend  main *:5000” with “frontend  main *:80”, and comment out the line “use_backend static if url_static”.

Go to the end of the same file, remove the lines starting with “server app” and replace them with the following lines:

Activate at boot and start the HAProxy service:

Open /etc/firewalld/services/haproxy.xml file and paste the following lines:

Next we need to assign correct SELinux context and file permissions to the haproxy.xml file:

Update the firewall configuration:

Keepalived installation

Next, we need to install keepalived on haproxy1 and haproxy2.

Install the keepalived package:

Create a new /etc/keepalived/keepalived.conf file and paste the following lines:

Issue the following commands to enable the keepalived service at system boot:

Next, we need to check the presence of the VIP on the haproxy1 server:

Apache installation

On the httpd1/httpd2 servers, follow Install LAMP Server (Apache, MariaDB, PHP) On CentOS/RHEL/Scientific Linux 7 to install apache.

Create a file called index.html in the /var/www/html directory on the httpd1 server and paste the following line:

Do the same operation on the httpd2 server but replace “httpd1” with “httpd2” in the index.html file.

From another server, test the configuration:

 

Ref. unixmen.com

P.S. 🙂

P.S.2. website haproxy : http://www.haproxy.org/


Good luck !!!

TrueCrypt v7.1a launch error 'TrueCrypt is already running'


I’m running Kali Linux on a regular PC and I have TrueCrypt v7.1a installed.

I used it for quite a while w/o any problems at all. Recently, it’s developed a glitch in the start-up. When I click on the launcher in the menu, the result is a dialogue box popping up in screen center with the message “TrueCrypt is already running.”.

This is despite there being no TrueCrypt icon on the panel, and no TrueCrypt process running in the list. I could boot the computer, start a Gnome session, immediately try to use TrueCrypt – and, the result is the same.

There was no problem uninstalling.
I rebooted, & reinstalled TrueCrypt v7.1a. When I tried to use it, the same dysfunction happened as during the previous installation of the program – the “TrueCrypt is already running” error dialogue box.

The Solution for this problem

This error is typically caused if you abruptly shutdown your Linux, without giving TrueCrypt the chance to close properly.

Just delete the file named .truecrypt_lock (.truecrypt_lock-profilename.) in your Home folder. It’s a hidden file so you need to press CTRL+H in order to see it.

When searching, replace profilename w/ whatever Linux session user name is in use for the Gnome session; i.e., same as the home directory.

 

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.

To download TrueCrypt click here

Everything should be fine again.

Good luck.

Google April Fools’ Day 2015

Best Google April Fools’ Day 2015 🙂

#1 Reverse your Google search: Forget going to google.com to perform your searches on April Fools’ Day, head to com.google instead. Seriously.

The net firm played an April 1 prank with a TLD trick ending in .google.

“Sometimes it’s important to reflect,” remarked Google’s Twitter account, kicking off a day of levity and cunning across the web.

Using its own Top Level Domain, all-comers were invited to visit com.google instead of the usual google.com.

The layout is recognizable but everything’s in mirror mode, from search box to corporate graphic, typing and beyond.

That’s just the tip of the iceberg, as the internet giant’s various branches rolled out their own variations on the theme, including a game of Pac-Man that runs on Google Maps, and a hands-free keyboard integrated into a paper party horn.


#3 Pacman: Google made a Pacman prank that appears in Ingress as well as in Google Maps for both mobile and web browser iterations.

Google Maps continued their tradition of kicking things off a little early by introducing “Pac-Man on Google Maps” on Tuesday, which allows users to turn streets into, you guessed it, Pac-Man levels. Just click the blue and black square at the bottom of an open map to get chompin’.


🙂

 

Things You Should Do After Installing WordPress Quick Tips


You can install WordPress in 2 minutes but it is recommended that you tweak some of the default settings to optimize the performance and also improve the security of your WordPress website.

 

1. Move out the media upload folder

WordPress stores all your uploaded images and files in the wp-content/uploads folder. You should, however, move this folder outside the main WordPress folder, preferably to a sub-domain. Your WordPress backups will then be more manageable (the uploaded files and themes can be backed up separately) and, most importantly, serving images from a different domain will allow parallel downloads in the browser, improving the page loading time.

Open your wp-config.php file and add the following lines to change the location of the wp-content folder. You may also deselect the option – “Organize my uploads into month- and year-based folders.”

2. Remove unnecessary meta tags from WordPress header

If you look at the HTML source code of your WordPress site, you will find a couple of meta tags in the header that aren’t really required. For instance, the version of WordPress software running on your server can be easily retrieved by looking at your source header.

This information is a good hint to WordPress hackers who are looking to target blogs that are using the older and less secure versions of WordPress software. To completely remove the version number and other non-essential meta-data from your WordPress header, add this snippet to the functions.php file found in your WordPress themes folder.

3. Prevent people from browsing your folders

Since you would not like anyone to browse your WordPress files and folders using the explorer view in web browsers, add the following line to your .htaccess file that exists in your WordPress installation directory.

Also make sure that there’s a blank index.php in the wp-content/themes and wp-content/plugins folder of your WordPress directory.

4. Disable HTML in WordPress comments

The comment box in WordPress allows commenters to use HTML tags and they can even add hyperlinks in their comment. The comments have rel=nofollow but if you would like to completely disallow HTML in WordPress comments, add this snippet to your functions.php file.

Eg. wp-content/your-theme/functions.php

or

Update: Replaced wp_specialchars with esc_html as the former is deprecated since WordPress 2.8+

Update #2 :

5. Turn off Post Revisions in WordPress

WordPress includes a helpful document revisions feature to help you track changes to post edits and you can also revert to any previous version of your blog posts. Post revisions do however increase the size of your WordPress wp_posts table as each revision means an additional row.

To disable post revisions in WordPress, open the wp-config.php file in your WordPress directory and add the following line:

Alternatively, if you would like to retain the Post Revisions functionality, you may just limit the number of post revisions that WordPress stores in the MySQL database. Add this line to the wp-config file to store only the 3 most recent edits.

6. Change the Post Auto-Save Interval

When you are editing a blog post inside the WordPress editor, it will auto-save your drafts as-you-type and this will help in recovering your work in case the browser crashes. The drafts are saved every minute but you can change the default duration to say 120 seconds (or 2 minutes) by adding a line to your wp-config.php file.

7. Hide the non-essential WordPress RSS Feeds

Your WordPress installation generates multiple RSS Feeds – the blog feed, article feeds, comments feed, category feeds, archive feeds, etc. – and these are auto-discoverable as they are included in the HTML header of your blog pages using the <link> meta tag. If you just want to publicize your main RSS feed and remove the other feeds from the header, add a line to your functions.php file:

8. Maintain a Single RSS Feed, Redirect Others

In the previous step, we simply removed the RSS feeds from printing inside the site header but the RSS feeds still exist. If you would like to have only one RSS feed served through FeedBurner and disable all the other feeds, add this to your .htaccess file. Do remember to replace the feed URL with your own.

9. Disable WordPress Login Hints

When you type a non-existent username or an incorrect password while logging into WordPress, it will provide a very detailed error message telling you exactly whether your username is wrong or the password doesn’t match. That could offer a hint to people who are trying to break into your WordPress blog but, fortunately, we can disable the login warnings.

10. Enable 2-factor Authentication

This is highly recommended. If someone gets hold of your WordPress credentials, they will still need your mobile phone to get into your WordPress dashboard.

Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress but you can always use the Authy plugin to enable 2-factor authentication.

11. Change the Permalink Structure

Do not use the default Permalink structure of WordPress since it is bad for SEO. Go to Options -> Permalinks inside your WordPress dashboard and change your WordPress Permalink structure to something like:

12. Add Favicon and Touch Icons

Your WordPress theme may not even include references to the favicon (favicon.ico) or the Apple touch icons but web browsers and feed readers may still request them from your server. It’s always better to serve a file than returning a 404.

First, create a 16×16 favicon.ico and a 144×144 apple-touch.png file and upload them to the home directory of your blog. Then add this line to your .htaccess to redirect all apple touch icon requests to that particular file.

13. Disallow Indexing of WordPress scripts

You want Google and other search engines to crawl and index your blog pages but not the various PHP files of your WordPress installation. Open the robots.txt file in your WordPress home directory and add these lines to block the bots from indexing the backend stuff of WordPress.

14. Make the Admin a Subscriber

If your WordPress username is “admin,” create a new user and grant them administrator privileges. Now log out of WordPress, log in as the new user and change the privilege of the user “admin” from Administrator to Subscriber.

You may even consider deleting the user “admin” and transferring any existing posts/pages to the new user. This is important for security reasons because you don’t want anyone to guess the username that has administrator privileges to your WordPress installation.

15. Hide XML Sitemaps from Search Engines

XML Sitemaps will help search engines better crawl your site but you don’t want search engines to actually show your sitemap in search results pages. Add this to your .htaccess to prevent indexing of XML sitemaps.

16. Do Not Use WordPress search

Make sure your site search is powered by Google Custom Search and do not use the built-in search feature of WordPress. WordPress search returns less relevant results and the other advantage is that it will reduce strain on your WordPress server/database since the search queries will be handled through Google.

Alternatively, if you plan to continue with WordPress built-in search, use the Nice Search plugin. It creates better permalinks for your WordPress search pages (/search/tutorials vs /?s=tutorials).

17. Password Protect the wp-admin Directory

You can easily add another layer of security to your WordPress installation by password protecting the wp-admin directory. You’ll however have to remember two sets of credentials for logging into WordPress – your WordPress password and the password that is protecting the wp-admin directory.

18. Log 404 Errors in Google Analytics

404 errors are a missed opportunity. You can use events in Google Analytics to log your 404 errors including details about the referring site that is pointing to that 404 page of your site. Add this snippet in your 404.php file.

19. Delete Unused Themes & WordPress plugins

The unused plugins and themes won’t affect the performance of your WordPress website but the aim should be to have as little executable code as possible on our server. Thus deactivate and delete the stuff that you no longer need.

20. Stop WordPress from Guessing URLs

WordPress has a strange habit of guessing URLs and it does make mistakes in most cases. Let me explain. If a user requests the labnol.org/hello URL but that page doesn’t exist, WordPress may redirect that user to labnol.org/hello-world just because the URLs have some common words.

If you would like WordPress to stop guessing URLs and instead issue a 404 Not Found error for missing pages, put this snippet in the functions.php file:

21. Set Expiry Headers for Static Content

The static files hosted on your WordPress website – like images, CSS and JavaScript – won’t change often and thus you may set Expire Headers for them so that the files get cached in the user’s browser. Thus, on subsequent visits, your site will load relatively faster as the JS and CSS files would be fetched from the local cache.

Refer to the HTML5 Boilerplate for details on setting up expiry and compression headers for performance. If you are using a caching plugin like W3 Total Cache, the cache control is managed by the plugin itself.

or

23. Improve WordPress Security

I have discussed WordPress security in detail earlier. The gist is that you should add secret keys to your wp-config.php file, install a file monitoring plugin (like Sucuri or WordFence), change the WordPress table prefix and also limit login attempts to prevent brute force attacks.

24. Disable File Editing inside WordPress

When you are logged into your WordPress dashboard as an admin, you can easily edit any of the PHP files associated with your WordPress plugins and themes. If you would like to remove the file editing functionality (one missing semicolon can take down your WordPress site), add this line to your wp-config.php file:

25. Remove extra Query Parameters from URLs

If the web address of your WordPress site is abc.com, people can still reach your site if they add a few query parameters to the URL. For instance, abc.com/?utm=ga or abc.com/?ref=feedly are, technically speaking, completely different URLs but will work just fine.

This is bad because it dilutes your link equity (SEO) and, in an ideal situation, you would like all URLs to point to the canonical version. Add this little snippet to your .htaccess file and it will strip the unnecessary query parameters from all incoming requests.

26. Remove the Admin Bar

This is an annoying feature of WordPress – it adds an admin bar on top of all pages and that is visible to all users who are logged into their WordPress.com accounts. This can however be removed by adding a line to your functions.php file.

27. Deal with Ad Blockers

Some of your blog readers may be using ad-blocking software to block ad serving from your site. You can serve alternate content like a list of your popular WordPress posts or embed a YouTube video instead.

28. Add Branding to your RSS Feed

You can easily add your brand logo to all articles in the RSS feed. And since these are served from your server, you can serve a different image for sites that are plagiarising your content by republishing your feed. Add this to your functions.php file.

29. Optimize your Database

There are a few plugins available which can take responsibility to optimize and maintain the WordPress database. I’ll list just a few below, but if you search the WordPress Plugin Directory, you should be able to find quite a few more:

Keep in mind that lots of the bigger “Optimization/Caching Plugins” that help with caching and other stuff will do their own optimization as well – so if you have a caching plugin, you might already have this covered. Advanced users can also simply use PHPMyAdmin to optimize your WordPress database.

30. Compress and Combine JS and CSS Files

Compressing the JS and CSS will give you a good improvement in site loading time, as compressing the JS and CSS files will decrease your overall page size.
Another good point to keep in mind is to combine CSS and JS files. Combining multiple files into a single file will reduce the number of HTTP requests to your web server.

JS compressor:

CSS compressor:

Alternatively you can use WordPress wp minify plugin for combining various JS and CSS files into one file.

Like compressing CSS and JS files, it’s also good to compress the images of your WordPress site. We have a plugin which uses the smush.it API and provides compressed images for your WordPress site.

Using CSS sprites is also beneficial for reducing the number of HTTP requests.

Compressing static content with gzip compression will drastically change your site loading time. It’s a good practice for general web development too. Again I will go with the HTML5 Boilerplate for this trick.

eTags are also used for caching purposes, but if you have set expire headers for the static content then it’s good to disable the eTags functionality. Let’s see how to disable the eTag using the .htaccess file.

You need to place one line in your .htaccess file to disable the eTag.

To know more about the eTag, you can visit this link.

Using a CDN (content delivery network) is the better option for a high-traffic site. A CDN is a network of optimized servers all over the world. These servers work together to serve your content via a number of servers.

Most of the CDNs out there right now are paid and can be very costly. We have only one CDN which is free 🙂
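The snippets for the tips above did not survive in this copy of the post. As an added example (not the original author's code), the shell functions below run a read-only audit of a WordPress directory for the settings behind tips 3, 23 and 24. `DISALLOW_FILE_EDIT`, `AUTH_KEY`, `$table_prefix` and `Options -Indexes` are the standard WordPress and Apache names assumed to be what those tips refer to; the function names are this example's own.

```shell
#!/bin/sh
# Added example: read-only hardening audit for a WordPress directory.
# Function names are hypothetical; nothing here modifies the site.

# wp_define_value FILE NAME
# Print the value passed to define('NAME', ...) on an active (uncommented)
# line of FILE; return non-zero when NAME is never defined.
wp_define_value() {
    sed -n \
        -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' \
        -e '/^[[:space:]]*\/\{0,1\}\*/d' \
        -e "s/^[[:space:]]*define([[:space:]]*[\"']$2[\"'][[:space:]]*,[[:space:]]*\(.*\))[[:space:]]*;.*/\1/p" \
        "$1" 2>/dev/null | sed 's/[[:space:]]*$//' | tail -n 1 | grep .
}

# wp_table_prefix FILE: print the value assigned to $table_prefix.
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*[\"']\([^\"']*\)[\"'].*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# audit_wp_hardening WP_DIR
# Print one PASS/FAIL line per check; return non-zero if any check failed.
audit_wp_hardening() {
    dir=$1
    cfg=$dir/wp-config.php
    rc=0

    # Tip 3: directory listings switched off in .htaccess
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$dir/.htaccess" 2>/dev/null; then
        echo "PASS directory-listing: Options -Indexes present"
    else
        echo "FAIL directory-listing: no active Options -Indexes in .htaccess"; rc=1
    fi

    # Tip 3: placeholder index.php in the themes and plugins folders
    for sub in wp-content/themes wp-content/plugins; do
        if [ -f "$dir/$sub/index.php" ]; then
            echo "PASS index-file: $sub/index.php exists"
        else
            echo "FAIL index-file: $sub/index.php missing"; rc=1
        fi
    done

    # Tip 24: dashboard file editor disabled
    if v=$(wp_define_value "$cfg" DISALLOW_FILE_EDIT) &&
       [ "$(printf %s "$v" | tr 'A-Z' 'a-z')" = true ]; then
        echo "PASS file-editor: DISALLOW_FILE_EDIT is true"
    else
        echo "FAIL file-editor: DISALLOW_FILE_EDIT is not set to true"; rc=1
    fi

    # Tip 23: secret keys set to something other than the shipped placeholder
    if v=$(wp_define_value "$cfg" AUTH_KEY) && [ "$v" != "''" ] &&
       ! printf %s "$v" | grep -q 'put your unique phrase here'; then
        echo "PASS secret-keys: AUTH_KEY is set"
    else
        echo "FAIL secret-keys: AUTH_KEY missing, empty or still the placeholder"; rc=1
    fi

    # Tip 23: table prefix changed from the default
    p=$(wp_table_prefix "$cfg")
    if [ -n "$p" ] && [ "$p" != wp_ ]; then
        echo "PASS table-prefix: prefix is $p"
    else
        echo "FAIL table-prefix: prefix is unset or the default wp_"; rc=1
    fi

    return $rc
}
```

Run it as `audit_wp_hardening /path/to/wordpress`; a commented-out `define()` line counts as not set.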

League of Legends servers – IP address


League of Legends (LoL) is a 2009 multiplayer online battle arena video game developed and published by Riot Games for Microsoft Windows[1] and Mac OS X. It is a free-to-play game that is supported by micro-transactions and inspired by the mod Defense of the Ancients[2] for the video game Warcraft III: The Frozen Throne.

In League of Legends, players assume the role of a character, called a “champion”, with unique abilities, battling with a team against other player or computer-controlled champions. In the most popular game modes, each team’s goal is to destroy the opposing team’s nexus, a building which lies at the heart of a base protected by defensive structures. Each League of Legends game is discrete, with all champions starting off each game fairly weak and progressing by accumulating gold and experience over the course of the game.[3]

League of Legends was generally well received at release, and it has grown in popularity in the years since. By July 2012, League of Legends was the most played PC game in North America and Europe in terms of the number of hours played.[4] As of January 2014, over 67 million people play League of Legends per month, 27 million per day, and over 7.5 million concurrently during peak hours.[5]

League of Legends has a large, active competitive scene. In North America and Europe, Riot Games organizes the League of Legends Championship Series, which consists of 10[6] professional teams in each continent. Similar regional competitions exist in China, Korea, Taiwan, and Southeast Asia. These regional competitions culminate with the annual League of Legends World Championship, which in 2013 had a grand prize of $1 million and attracted 32 million viewers online.[7] The 2014 tournament had the fourth largest prize pool in esports history, sitting at 2.3 million dollars.[8][9]

 

The server IPs are in this Excel file: Server IP addresses lol

 

Good luck

 

MySQL – Migrate Users from Server to Server


Sometimes we need to migrate our databases to a new MySQL server. It is easy to move the databases, but without the users and their permissions, our new databases would be worthless. Below is a step-by-step guide to migrating MySQL users to a new MySQL server.

Step 1 – Create a Query List That We Can Use to Get Grants for All Users

I use these options so that I wouldn’t get any formatting characters that I would have to manually delete later.

  • -N skip column names in the output
  • -p password – asks me to type the password so nobody can get it from the command line history
  • -s silent mode – less formatting output that we don’t want, like “|” and “-”

So, let’s get a list of the users in a query that we can use to get the grants. Our query will be output into the “myfile” file.

$ mysql -uroot -N -p -s > myfile
Enter password:
select distinct concat('show grants for ''', user, '''@''', host, ''';') as query from mysql.user;
quit

If we want to see what our query file looks like, we can take a quick peek:

$ cat myfile
show grants for 'user1'@'%';
show grants for 'user2'@'%';
show grants for 'user3'@'10.%';
show grants for 'user4'@'10.%';
show grants for 'jeff'@'10.%';

Step 2 – Create the MySQL Grant File

We don’t have quite what we want and need yet.  We are looking for a query that will create all of our users on the new MySQL server.  We need to run the query that we just created and it will give us the query that we will use later to create the users.  It will create our grant permission statements in a file named “grantfile”

$ mysql -uroot -N -p -s -r < myfile > grantfile
Enter password:

We can take a peek at what our grantfile contains:

$ cat grantfile
GRANT USAGE ON *.* TO 'user1'@'%' IDENTIFIED BY PASSWORD '5ea9af6g6t27032f'
GRANT ALL PRIVILEGES ON database1.* TO 'user1'@'%'
GRANT USAGE ON *.* TO 'user2'@'10.%' IDENTIFIED BY PASSWORD '2a123b405cbfe27d'
GRANT SELECT ON database1.table1 TO 'user2'@'10.%'
GRANT ALL PRIVILEGES ON *.* TO 'user3'@'10.%' IDENTIFIED BY PASSWORD '753af2za1be637ea'
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'user3'@'10.%' IDENTIFIED BY PASSWORD '08ad9be605rfgcb'…

Step 3 – Create Users and Grant MySQL Permissions on the New MySQL Machine

Now we are done working on the source machine.  We need to copy our file named “grantfile” over to the new machine.

$ scp grantfile <user>@<new-server>:/home/myuser

Next, we login to the destination or the new MySQL machine that we are building and run the “grantfile” in MySQL to create our users on the new MySQL machine.

$ mysql -uroot -p < ./grantfile

That’s it.  As long as our databases are named the same in the new MySQL, our users should be ready to use the copy of the databases in the new MySQL machine.
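SHOW GRANTS prints its statements without a terminating semicolon, and the resulting file holds every account's password hash, so it is worth post-processing before it is copied and replayed. The following is an added example, not part of the original post: it terminates each statement, leaves out accounts that should not be overwritten on the new server, writes the result with owner-only permissions, and lists accounts holding global privileges for review. The function names, the default skip list (root) and the sample data are assumptions for illustration.

```shell
#!/bin/sh
# Added example: prepare raw SHOW GRANTS output for replay on a new server.
# Function names, skip list and sample data are hypothetical.

# write_sample_grants FILE: constructed input (placeholder hashes, not real).
write_sample_grants() {
    cat > "$1" <<'EOF'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED BY PASSWORD 'hash0' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'user1'@'%' IDENTIFIED BY PASSWORD 'hash1'
GRANT ALL PRIVILEGES ON database1.* TO 'user1'@'%'
GRANT SELECT, INSERT, UPDATE, DELETE ON *.* TO 'user3'@'10.%' IDENTIFIED BY PASSWORD 'hash3'
EOF
}

# prepare_grants RAW OUT [USER_TO_SKIP ...]
# Write OUT with one ';'-terminated GRANT per line, leaving out the listed
# user names (default: root). OUT is created mode 600 because it contains
# password hashes. Prints the number of statements written.
prepare_grants() {
    raw=$1
    out=$2
    shift 2
    [ $# -gt 0 ] || set -- root
    skip=" $* "                      # space-delimited list searched by awk
    rm -f -- "$out"
    (
        umask 077                    # owner-only from the moment of creation
        awk -v skip="$skip" -v q="'" '
            /^GRANT / {
                # user name = text between " TO \047" and the next quote
                acct = ""
                i = index($0, " TO " q)
                if (i > 0) {
                    rest = substr($0, i + 5)
                    acct = substr(rest, 1, index(rest, q) - 1)
                }
                if (index(skip, " " acct " ") > 0) next
                sub(/[ \t]*;?[ \t]*$/, "")   # drop any existing terminator
                print $0 ";"
            }
        ' "$raw" > "$out"
    ) || return 1
    wc -l < "$out" | tr -d ' '
}

# global_privilege_accounts FILE
# List accounts granted anything other than USAGE on *.* so they can be
# reviewed before the file is replayed (assumes no spaces in user names).
global_privilege_accounts() {
    awk '
        /^GRANT / && index($0, " ON *.* TO ") > 0 && $2 != "USAGE" {
            rest = substr($0, index($0, " TO ") + 4)
            sub(/[ ;].*$/, "", rest)         # cut at first space or semicolon
            print rest
        }
    ' "$1" | sort -u
}
```

For example, `prepare_grants grantfile grantfile.sql root` on the old server, then review `global_privilege_accounts grantfile.sql` before copying; delete both files once the import is done.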

 


 

P.s. Reference : uptimemadeeasy

Good luck ,

Javascript to make objects on your webpage obey gravity


Hello all ,

Found very cool thing 🙂

This is a general version of the Google Gravity code written by Mr. Doob as a Chrome Experiment.

Just include this file somewhere inside the body or head tag

Or run the bookmarklet by setting this as the link in a bookmark and clicking it while on ANY page. NOTE: some browsers will remove the javascript: prefix when you paste this string in the URL bar. You can just add it back in after you paste it.

If you include this script or eval this JavaScript after the body tag has loaded, it will do its awesome thing.

The standard version waits for a user to move their mouse. This version starts without the mouse moving:

or a shortened version

 


 

Reference: link

Good luck .

 

Install PHP Mcrypt on CentOS


Overview

The PHP module “Mcrypt” provides encryption and decryption using algorithms such as DES, TripleDES and Blowfish. You can read more about it on the official PHP Mcrypt page.

This is required by eCommerce systems such as Magento, however it’s not part of the standard RHEL / CentOS packaging.

CentOS 6 and 6.5 allow you to install PHP-mCrypt easily right after installing CentOS. The reason mCrypt is removed by default from version 7 is still unknown, but we’re going to show you how to re-enable it.

The php-mcrypt package is available (for CentOS, Scientific Linux, and Oracle Linux administrators) from the RPMforge repository and from the EPEL repository.

 

How to install mcrypt?

First, add the repository. For example, to add EPEL:

Then, install the php-mcrypt module:

If you see output like this, it’s OK 🙂

yum install php-mcrypt.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* atomic: www7.atomicorp.com
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package php-mcrypt.x86_64 0:5.3.17-10.el5.art set to be updated
--> Processing Dependency: php-common = 5.3.17-10.el5.art for package: php-mcrypt
--> Running transaction check
---> Package php-common.x86_64 0:5.3.17-10.el5.art set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================================================================================================================================
Package                                                   Arch                                                  Version                                                          Repository                                             Size
==============================================================================================================================================================================================================================================
Installing:
php-common                                                x86_64                                                5.3.17-10.el5.art                                                atomic                                                1.0 M
replacing  php53-common.x86_64 5.3.3-13.el5_8
php-mcrypt                                                x86_64                                                5.3.17-10.el5.art                                                atomic                                                 48 k
Transaction Summary
==============================================================================================================================================================================================================================================
Install       2 Package(s)
Upgrade       0 Package(s)
Total size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing     : php-common                                                                                                                                                                                                             1/3
warning: /etc/php.ini created as /etc/php.ini.rpmnew
Installing     : php-mcrypt                                                                                                                                                                                                             2/3
Erasing        : php53-common                                                                                                                                                                                                           3/3
Installed:
php-common.x86_64 0:5.3.17-10.el5.art                                                                                 php-mcrypt.x86_64 0:5.3.17-10.el5.art
Replaced:
php53-common.x86_64 0:5.3.3-13.el5_8
Complete!

 

* It is recommended to restart the Apache service:

 

To check if installation was successful:

or

 

Good luck !

Install CentOS 6 via NetInstall


A CentOS Net Install (CentOS NetInstall) is a method of installing CentOS from a small downloaded ISO image, which downloads the files needed to complete the full operating system installation through the Internet. This tutorial explains the process of installing CentOS using the HTTP NetInstall method. This method is much faster and there is no need to download 4-5 CD ISO files or one huge DVD ISO to install the operating system.

Here is the Tutorial about the Installation of CentOS 6.

Download NetInstall ISO:

First you need to download the NetInstall ISO from the CentOS website. Depending on your system, you will have to choose the proper architecture type. For example, i386 is used on most standard computers, whereas x86_64 is used if your hardware can support 64-bit. Here I am using the CentOS 6 x86_64 architecture.

 

Burn the ISO image file:

Once you have downloaded the NetInstall ISO image file, burn it to a CD using any CD/DVD burner. Boot the computer using that CD.

Setup NetInstall CentOS 6:

Step 1: From the Grub menu select the Install or upgrade existing system.

 

Step 2: Skip the Installation media test.

 

Step 3: Select the installation method. Here you have to select the URL method.

 

Step 4: Set up your TCP/IP configuration in the next window.

Step 5: Type your NetInstall URL in the field. If your machine is behind a proxy, fill in the details and press OK.

Step 6: It will start to retrieve the image from the server. How long this takes depends on your Internet connection.

Once the whole install image has been retrieved, the graphical installer will start automatically and guide you through finishing the installation.

Install CentOS 6:

 

 

Good luck ,

Reference : itzgeek.com

Parallels Plesk 12: Harden Up and Supercharge Your WordPress Site


Web management tools aren’t new, they’ve been around for many years and they all support one-click installs for common web applications. However, for the most part all this does is install the application and then you’re on your own. You don’t have visibility to manage these applications once they’ve been installed.

If you then throw in the fact that users love to install themes and plugins, the management becomes even more fun. The solution to this usually involves third-party services to centrally manage our WordPress sites. Wouldn’t it be nice if these management features were built into our hosting control panel? Well, with the latest version of Plesk, this is now possible.

Parallels Plesk is one of the leading hosting control panel and automation platforms on the market. If you’ve used a few hosting providers, chances are you’ve used Plesk.

In this article I’ll walk you through how to use Plesk 12 with a focus on the features that are most relevant to WordPress professionals, mainly the WordPress Toolkit. I will also touch on some of the other areas that those who manage multiple WordPress sites will be interested in.

First Impressions of the WordPress Toolkit in Plesk 12

When I first logged in, it was immediately obvious that the latest version of Plesk is seriously catering to WordPress developers and administrators.

While other web applications are supported, the WordPress-specific features are impressive. Plesk 12 has introduced what they call the ‘WordPress Toolkit‘ and it brings professional WordPress management features to a mainstream web hosting control panel. This includes the ability to detect manual installations, create new installations (with control over various configuration options), perform bulk updates, and manage plugins/themes.

In addition to the WordPress management features, if you want to jump into a specific WordPress dashboard, there’s usually a direct link available in most places within the Plesk interface. That said, you can easily perform routine tasks without leaving Plesk.

Overview of features:

  • Security
  • Update Management
  • Plugin Management
  • Theme Management
  • ServerShield by CloudFlare
  • ModSecurity
  • Fail2ban
  • Outbound Antispam
  • Range of Editions

Installing WordPress Using the WordPress Toolkit

Installing WordPress is easy and using the WordPress Toolkit is even easier.

To install WordPress, log into Plesk and go to the ‘Applications’ page. On this page you have two options for installing WordPress via the drop-down box in the top right. The first option is ‘Install’ and that will run a default WordPress install.

The second option is ‘Install (Custom)’. This option will provide you with more control over the common configuration options.

With this option you will be able to select the installation path, update settings and admin access.

Further down the screen, you’ll find your standard WordPress configuration options such as your site name, administrator email address, language, and database details.

When your installation is complete, you’ll see the message shown below:

Security

Plesk 12 also includes best-of-breed security controls, with both WordPress-focused options and traditional web security tools.

Check Security

This feature will allow you to perform a security check to make sure WordPress has been configured correctly and general security measures are in place. Users would usually install plugins to achieve the same results, but now this is available natively within Plesk.

How to Use the ‘Check Security’ Feature

There are two ways to access this feature. The first appears when you log in to Plesk. Under ‘Websites & Domains’ you’ll find a button labelled ‘Security Scan’ listed next to the WordPress installation name.

The second way to access this feature is by clicking on the WordPress installation name and selecting ‘Check Security’ under the ‘Tools’ menu on the right-hand sidebar.

Selecting either ‘Security Scan’ or ‘Check Security’ will display the screen shown below. The first time you run this on a new site, you will see a few alerts letting you know that there are measures that can be taken to harden your installation. Make sure these options are selected and then click on ‘Secure’:

Now, if you re-run this scan or check, it will look like this:

You will notice that some permissions give you the option to ‘Roll Back’, which I can see turning into a real time-saver when troubleshooting.

By following these basic steps above, you have significantly hardened your WordPress site. Too often I see security plugins being promoted as the silver bullet when it comes to security, however, following the basic best practices covered in ‘Security Check’ will offer way more protection from both known and unknown threats. It also removes the need for yet another plugin.

Detecting WordPress Installations

The WordPress Toolkit also includes a ‘Scan’ feature that you can use to detect WordPress sites running version 3.4 and above. This allows you to attach an installation to your WordPress Toolkit sites.

It’s worth noting that Plesk only knows about installations created through the WordPress Toolkit using Plesk’s application installer (based on Application Packaging Standard technology) or those that have been detected during a scan. It’s recommended you periodically scan your client sites for WordPress installations so they can be managed within the WordPress Toolkit.

Changing Your Administrator Username

We should all know not to use the default ‘admin’ as the administrator account. However, if you’re inheriting someone else’s sites, there may be an occasion when you’re dealing with the dreaded ‘admin’ username. Or you might just want to change the administrator username.

There are a lot of ways to change your administrator username. Most users will use a plugin to do this, or create a new user to be the administrator and then delete the old ‘admin’ account.

With the WordPress Toolkit, this is easily managed: simply click on ‘Manage’ as shown below:

This will take you to a page where you can then specify your new administrator username.

Security Core

Security is a central theme to much of the Plesk platform. With Version 12, there are several powerful tools that have been bundled into ‘Security Core’. Here are a few of the available tools for those who want to take extra steps to harden their sites (which should be everyone!):

  • ModSecurity
  • Fail2Ban
  • Outbound Antispam
  • ServerShield by CloudFlare

We will cover these tools in more detail below.

Update Management

Keeping any web application updated is critical. With WordPress running on 47.38% of identifiable CMSs on the Internet, it’s a popular target for attackers. A key component of WordPress Toolkit is the ability to manage all of your WordPress core updates in one place.

How To Update Multiple Sites

Under the ‘Websites & Domains’ tab, select ‘WordPress’ on the right-hand sidebar. This will then display a list of all your WordPress sites. To run either a single or bulk update, select the sites you wish to update and click on the ‘Update’ button. It couldn’t get any easier. During my testing, updating WordPress worked flawlessly.

Once the updates have been installed and the process is complete, you’ll get an alert in the bottom right corner of your screen.

Managing Automatic Updates

When the WordPress team announced the move to automatic updates, most of us loved the idea. While I don’t personally ever recommend turning off automatic updates, I can understand why some people like to control updates themselves. Also, core updates such as 4.0 still require manual updating, so performing manual updates is something we all have to do.

Even though there are a few ways to manage updating, such as editing your wp-config.php, or installing a plugin such as WP Updates Settings, once you have more than a few sites, you really need centralized management to make things easier for you.

To turn Automatic Updates on (or off), just toggle the ‘Automatic Updates’ switch on your WordPress installation.

I’m a fan of updating early and often, but if you have clients who prefer to take their time, you can at the very least easily check what versions they are running on your systems at a glance.

Managing Plugins

Once you have updates under control, plugins are probably one of the greatest areas of concern when supporting lots of WordPress sites.

Issues such as performance, compatibility, and security are often linked to the choice of plugins. The WordPress Toolkit in Plesk 12 comes with a section to manage plugins. You can access this area under the ‘Websites & Domains’ tab, then select ‘WordPress’ on the right-hand sidebar followed by the ‘Plugins’ tab which will show a global list of plugins that are installed. Here’s what it looks like:

Within the Plugin section, you can perform a number of actions:

  • Activate/Deactivate
  • Install
  • Delete
  • Update
  • Search

The ability to search all plugins across your systems is useful if you’ve discovered an incompatibility or a security issue.

If you want to manage plugins for a particular installation, under the ‘WordPress Installations’ tab select the site and then select ‘Plugins’ in the toolbar:

Poorly developed or configured plugins are often a cause of performance issues. With the plugin view you can disable a plugin with one click or install a better alternative.

Another powerful feature is the ability to bulk install plugins. To manage plugins on a single site, click on the site within the ‘Websites & Domains’ tab and then select ‘Manage Plugins’ next to the site you wish to manage. You can then select the plugins that you want active or inactive.

If you want to manage plugins across multiple sites, go to ‘WordPress’ in the right-hand sidebar to view the ‘WordPress Installations’ page. Select the sites you wish to bulk install plugins on, then select ‘Plugin’ in the toolbar.

As shown above, you might want to install a troubleshooting plugin such as P3 (Plugin Performance Profiler) on all of your sites to help your clients identify common performance problems. You’ll notice that ‘Activate after installation’ is checked; this is optional.

Managing Themes

Similar to the plugin management feature, you can see a list of all installed and active themes in the ‘Websites & Domains’ tab either by clicking on ‘WordPress’ on the right-hand sidebar and selecting the WordPress site:

Or by clicking on the ‘Themes’ tab:

I know many WordPress developers like to remove the default themes, but I like to leave the default themes for troubleshooting and isolating theme and theme/plugin compatibility issues. This is especially important when you have clients who like ‘experimenting’.

As with the Plugin management section above, the ability to install, activate, and deactivate themes from within Plesk is a huge time-saver.

Enabling ServerShield by CloudFlare

ServerShield is the result of a partnership between Parallels and CloudFlare and is a new key feature of Plesk 12.

People usually think of CloudFlare as ‘just a CDN’, and there’s no doubt it is definitely a world-class CDN; however, there’s much more to CloudFlare than that. They also offer a range of security-related features that can further lock down your site.

To enable ServerShield, select the link in the sidebar as shown below:

ServerShield offers easy CloudFlare and StopTheHacker integration for your client sites directly within your Plesk interface. Enabling both services couldn’t be any easier.

ServerShield has two main components:

  • CloudFlare
  • StopTheHacker

CloudFlare

CloudFlare’s security platform is comprehensive and beyond the scope of this article, but here are a few of the threats CloudFlare helps protect you from:

  • Comment Spam
  • SQL Injection
  • XSS
  • Malicious and Harvesting Bots

StopTheHacker

StopTheHacker offers daily monitoring of the reputation of your site on malware and phishing blacklists such as Google’s Safe Browsing list. It also offers suggestions on how to fix this if you ever find yourself on the list. Enabling StopTheHacker monitoring for your own or your clients’ sites is one click away in Core Security, as seen in the screenshot below:

ModSecurity

ModSecurity is a powerful web application firewall and is included in all editions of Plesk 12.

Plesk gives you an easy interface to manage ModSecurity’s behaviour. All editions of Plesk 12 include premium ModSecurity rules from AtomiCorp. This means they’ll be updated regularly by a reputable ModSecurity rules provider to protect you from a variety of the latest threats.

As well as AtomiCorp, Plesk’s ModSecurity also ships with the OWASP Core Rule Set (CRS) and the Comodo ModSecurity Rule Set. The OWASP rules are known to be quite restrictive and may cause issues for WordPress, so Parallels recommend using the rules from Atomic or Comodo in this case.

There are also a few nice touches to the ModSecurity interface, like the ability to switch off rules by the ID, CVE, or regular expression. This is very useful if you’re trying to isolate a problem, as some ModSecurity rules can cause false positives.

If you’re looking at hardening your site, ModSecurity is something you’ll want to make sure you’re using (and leaving turned on) so it’s worth spending some time to get to know it.

Fail2Ban

Fail2Ban is a popular application that looks for any suspicious activity in your log files for various services and blocks (or ‘jails’) the IP addresses associated with that activity. This is useful for automatically blocking brute force attacks originating from an IP address or network. The Fail2Ban application can also automate changing firewall rules and send email alerts.

To configure Fail2Ban, go to ‘Tools & Settings > IP Address Banning (Fail2Ban)’ (in the Security group) and select the ‘Enable intrusion detection’ checkbox. You can then configure the ban time length, the interval between attacks, and the number of failures before an IP address is banned.

You can also whitelist trusted IP addresses by going to ‘Tools & Settings > IP Address Banning (Fail2Ban) > Trusted IP Addresses > Add Trusted IP’. This is useful so you don’t accidentally end up blocked, or if you want to perform your own security checks on your systems.
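How the three settings and the trusted list interact, as an added example in Python (not Fail2Ban’s or Plesk’s own code): a sliding-window counter run over constructed access-log lines. `maxretry`, `findtime` and `bantime` are Fail2Ban’s option names for the number of failures, the interval and the ban length; treating a POST to `/wp-login.php` answered with HTTP 200 as a failed login is an assumption of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Sep/2014:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.4 - - [01/Sep/2014:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [01/Sep/2014:10:00:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
203.0.113.7 - - [01/Sep/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.10 - - [01/Sep/2014:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.10 - - [01/Sep/2014:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
192.0.2.10 - - [01/Sep/2014:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.9 - - [01/Sep/2014:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.9 - - [01/Sep/2014:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
198.51.100.9 - - [01/Sep/2014:10:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021
"""

# Assumption: a login POST answered with 200 (no redirect) is a failed attempt.
FAILED = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" 200 ')

def simulate_bans(log_text, maxretry=3, findtime=600, bantime=3600, trusted=()):
    """Return [(ip, ban_start, ban_end)] for IPs with maxretry failures in findtime s."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    banned_until = {}             # ip -> end of the current ban
    bans = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ip in trusted or banned_until.get(ip, ts) > ts:
            continue              # trusted address, or already banned at this time
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # forget failures older than the interval
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans

if __name__ == "__main__":
    for ip, start, end in simulate_bans(SAMPLE_LOG, trusted=("192.0.2.10",)):
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

With the trusted entry in place only 203.0.113.7 is banned; 198.51.100.9 fails three times too, but never within one 600-second interval, which is why the interval setting matters as much as the failure count.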

Outbound Antispam

The problem of blacklisted IP addresses is something that has plagued even some of the biggest players and is a serious problem when you’re running lots of sites on a single or small range of IP addresses. With Outbound Antispam, you can protect your IP reputation by limiting your outgoing mail. This is an important feature that protects your users from getting their IP address blacklisted.

Selecting the Right Edition

Plesk comes in four flavors, catering for those hosting a few sites all the way up to professional hosting providers. The editions available are:

  • Web ADMIN Edition
  • Web APP Edition
  • Web PRO Edition
  • Web HOST Edition

All of the editions of Plesk 12 include the WordPress Toolkit. It comes standard in the Web PRO and Web HOST editions and as an optional extra with the Web ADMIN and Web APP editions.

Parallels has put together a handy comparison chart of the various Plesk editions to help you select the right version.

Summary

With WordPress continuing to grow in popularity and with the volume of sites we deploy continuing to grow, any features that help us automate and streamline the management of all our sites are critical.

There’s a lot more to Plesk than what I’ve highlighted in this article; I’ve only covered the WordPress-specific goodies. Plesk 12 is taking the lead by including professional WordPress management features. They’re the best I’ve seen in any hosting control panel.

Check out the Plesk 12 demo for yourself here. Or if you’re already using it, I’d love to hear your thoughts in the comments below.

But there is a problem when you install WP manually and not from the apps – you can’t control the manual install.

 

Original Post: sitepoint

 

Good luck,