Sal Aguilar's Bilingual Adventures in IT

computers are easier to deal with than people

Introduction to WordPress Security by Sucuri — February 14, 2018

Introduction to WordPress Security by Sucuri


Security on websites and mostly on WordPress which is on more than 29% of the entire internet, its crucial, preventive security is 10 times cheaper than proactive security.

Below is an amazing and easy to follow infographic about WordPress Security by my favorite Website Security provider: Sucuri

See the full infographic here: https://sucuri.net/infographics/intro-to-wordpress-security

 

Advertisements
El Trabajo Remoto y yo — December 27, 2017

El Trabajo Remoto y yo


Ayer me decidí escribir algo corto que resulto crecer mucho más de lo que pensé. Quería escribir sobre trabajo remoto en Nicaragua pero terminé contando mi historia, mis obstáculos y mi motivación.

Decidí también probar escribir en LinkedIN Pulse para probar el reach del mismo. Fue una bonita experiencia y escribir es algo que ayuda a quitarme estress e ideas locas de la cabeza para poder andar más liviano por la vida.

Lean mi historia aquí: https://www.linkedin.com/pulse/el-trabajo-remoto-y-yo-salvador-aguilar-l-i-o-n-/

También está este video de un conversatorio que hicimos sobre trabajo remoto hace algunos meses:

 

En WPNicaragua estamos buscando como hacer más charlas al respecto, incluso para el WordCamp Managua 2018, es posible que metamos una al respecto. 

¿Qué les parece?

WordCamp Managua 2017 – Canal 6 Nicaragua — May 8, 2017
Clearing CloudProxy cache via PHP — October 18, 2016

Clearing CloudProxy cache via PHP


For those who are not familiar let me explain what CloudProxy is. CloudProxy is the Web Application Firewall & Caching service from my employer, Sucuri.net. This service is setup at the DNS level and helps filtering all the HTTP requests that get to your website and speeding the performance a the same time.

Below is a simple graphic to explains how it works:

sucuri-cloudproxy-how-it-works
A brief explanation on how Sucuri’s CloudProxy works

How can I clear CloudProxy Cache?

It’s simple there are two ways:

  • Via CloudProxy‘s dashboard on Sucuri’s website
  • Using the API

Clearing the cache via the dashboard

Just follow this steps:

  1. Login to your account via https://login.sucuri.net
  2. Then go to CloudProxy (check your left menu) or simply type this: https://waf.sucuri.net on your browser address bar.
  3. Once on the CloudProxy Dashboard, click on settings and select the website you want to clear the cache for.
  4. Once there click on Performance, and then simply on the button to clear the cache. And in less than 2 minutes the cache will be trashed from all the CDN servers.

You can also check their tutorial on their Knowledge Base: CloudProxy – Clearing Cache

This is convenient when you are not making that many changes into your website. However if you are pushing changes everyday or building an webapp, then you need something easier.

Clearing the cache via PHP

I am currently building a web app with some friends and we faced the issue that after deploying each change, I needed to login to my account and clear the cache manually. This becomes tediously when you are committing changes several times a day 5 days a week. So I had to come up with a simple solution to get the job done.

That is why I turned to CloudProxy’s API, which offers me the ability to clear the cache by calling a simple string. You can see the basic code  below:

<?php
/**
 * Simple Script in PHP to clear sucuri's cloudproxy cache via php 
 * 
 * Author: Salvador Aguilar
 * Email: sal.aguilar81@gmail.com
 * Web: salrocks.com
 */
$curl = curl_init();
curl_setopt_array($curl, array(
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_URL => 'https://waf.sucuri.net/api?v2',
    CURLOPT_POST => 1,
    CURLOPT_POSTFIELDS => array(
        // this is the Sucuri CloudProxy API key for this website
        k => 'your-cloudproxy-api-key-goes-here',
        // this is the Sucuri CloudProxy API secret for this website
        s => 'your-cloudproxy-api-secret-goes-here',
        // this is the Sucuri CloudProxy API action for this website
        a => 'clear_cache'
    )
));
// Send the request & save response to $resp
$resp = curl_exec($curl);
echo '<pre>' . $resp . '</re>';
// Close request to clear up some resources
curl_close($curl);

https://gist.github.com/riper81/2f070c485f8172364bf4efd7a30f2b2c.js

That is the initial version of the script, if you want other features or to fork it you can get it from GitHub: https://github.com/riper81/clear_cache_cloudproxy_php 

What’s next?

Once you have the file, you simply put it on your website root and you edit with the proper values from your Sucuri account and then simply run it via a web browser or command line and you cache will be cleared.

I added this script into my deployment script so I can update from my git repo and then clear the cache from Sucuri. Making things easy for us 🙂

If you have an idea, hit me up!

WP Nicaragua: walking towards a WordCamp in Nicaragua on 2017 — August 25, 2016

WP Nicaragua: walking towards a WordCamp in Nicaragua on 2017


First I must admit that I love that as part of my job in Sucuri I get to  assist to WordPress events like WordCamps. I had the opportunity to assist the first WP Campus in Sarasota, Florida. This event was for all the Universities and other Higher Education entities that use WordPress on their campus for their websites. It was pretty cool to see all the talks from Developers from 10up, Modern Tribe, Lynda.com, WP Engine, Pantheon and other companies which made the event possible.

This year, I met the organizer of the Costa Rica WordPress group , Roberto Remedios, and I had the opportunity to give a talk remotely to their group, and after that I realized that he was organizing the WordCamp San Jose, Costa Rica 2016 and I offered my assistance as a volunteer and to speak at the event.

nicaragua
WordCamp Nicaragua 2014 – Suyapa Beach, Las Peñitas

As a Nicaraguan, I’m truly excited to have a WordCamp in Central America. We did hold a WordCamp here in Nicaragua in 2014 and also in 2013, and we will he hosting a DrupalCon as well on Nicaragua this year, but I don’t have much details for now, but I will make a post as soon as I get all the inside scoop.

This year we are trying to push for at least a monthly meetup in our Managua WordPress Group, and we have had a good discipline and have held all the following meetups:

And this month we will held another, to keep meeting and sharing good practices and cool new tricks about WordPress, come and join us: http://www.meetup.com/Managua-WordPress-Meetup/events/233562086/

The ultimate goal, for us as a group/community is to hold a WordCamp next year, so we do not compete with Costa Rica for speakers or sponsors. So we are meeting regularly and have started the talk about who would volunteer to help organize such event in Nicaragua, so we can plan ahead, and have a great event as well as a good attendance from other Central American countries like Guatemala, El Salvador and Honduras.

If you would like to help organize, speak or sponsor our event, you can contact me, or go to our MeetUp page and click on contact: http://www.meetup.com/Managua-WordPress-Meetup/

We are going to try to push for WordCamp Nicaragua, WordCamp Costa Rica and then WordCamp El Salvador, and hopefully in 2018, hold our very first WordCamp CentralAmerica, were we can gather as a region instead of separate small countries so we can have a higher traction in assistance and sponsorship!

If you are from Guatemala or Honduras, and need help on setting up your WordPress community or want to be part of the WordCamp CentralAmerica, ping me on twitter or email me. I will be cool to gather as one!

I look forward to your comments!

WordCamp San José in November 2016 — August 18, 2016

WordCamp San José in November 2016


WordCamp_San_Jose_Costa_Rica_2016

Finally, we have the official dates for #WordCamp San José in Costa Rica. The event will be held on November 5th and 6th.

The event will be divided in tracks, that will help you focus on the talks/workshops that you might be interested.

What are the tracks?

There will be three:

  • Developer Track
  • Design: UX & UI track
  • Bloggers Track

What are they about?

Developer Track

It will be focused on working with API and sharing data across platforms. It will also have a heavy Javascript component for all of you that want Node.JS and other goodies!

Design: UX & UI

It will be focused on talks for the front end people. Prettify your WordPress folks!

Bloggers

This will be for the non-technical people, for marketeers and bloggers and how the get the best of your WordPress to achieve your goals!

More info?

Right now they are on the phase of recruiting sponsors, so if you are interested you can go ahead and contact them directly. The call to speakers will start soon as well.

Visit and subscribe to their news on: https://2016.sanjose.wordcamp.org/

You can also contact the organizers via email: sanjose@wordcamp.com

I will be assisting the event on behalf of Sucuri, if you want to hang out and talk about website security, contact me so we can meet at the event!

Cheers!

What I’ve learned about people from providing support to WordPress Users — August 16, 2016

What I’ve learned about people from providing support to WordPress Users


WARNING: This is a rant. Read at your own discretion!

For the past 5 years my work has been focusing on WordPress, started a web development agency, then worked for mexican integrator, then moved to the web hosting world and now, at I work at a website security company called Sucuri.net.

It’s been a great ride and have managed to see several aspects from WordPress users, I have seen the n00bs, I have helped developers, I’ve crashed my head against the wall while working with Marketers and I have shouted to my computer while working with website owners who don’t want to do anything, but have everything fixed at the point of a click.

I wanted to write a fun article about the frustrations of providing support to WordPress users and below are some of the things I’ve learned:

People don’t read

WordPress is pretty well documented, any bug, issue can easily be resolved by doing a search on any search engine. But no, WordPress users rather call (wait online on hold music), email (expecting a response within 5 seconds after sending it) or chat (expecting the rep to solve everything with a single click).

In any of my previous jobs, I would get the customer email/ticket/chat, and I would try go gather as much information from the issue before start troubleshooting. Then I would check what the problem is, try to replicate myself, then analyze what might be causing it. If I was not very familiar with the issue a quick search online would be enough to find the issue. I would try to apply the patch/change suggested and if it would work would give the article to the customer for them to read and understand what happened. I would also provide a link with my suggestions on how to avoid the issue from happening. But the customer would come back a few days/weeks/months with the exact same problem, claiming the last person he talked to said it was solved but is still happening. Facepalm.

People sometimes don’t read, even when you ask them to because it would save them time and it would avoid them being hacked. But they do not read and do not want to be told to read. It worries me because I am a self taught IT guy, I love learning and trying stuff; I’m the kind of guy who can learn programming from YouTube or reading a book and hacking his way into things. It is so sad that some website owners can read entire books of marketing, Improve your SEO on Google and Pay Per Click Advertising, but they neglect to read a single page that will help them on protecting their brand, reputation and website.

If you are one of those, please, I beg you, read the links that your web advisor, web developer, security analyst, web hosting provider sent. And if you do not understand ask questions. We are here to help you, but we can’t do everything for you. Please help me so I can help you.

People don’t care about security

You can see that by the amount of websites that get blacklisted on Google each week. People just have websites done, they only care about being flashy, nice and have information there. I have not seen a customer on my web developer experience to ask about having a website secure and protected by hackers. They just don’t. You installed WordPress 4 years ago, and is working but suddenly, you have VIAGRA ads on your website and you see that a new administrator user has been added. You then get a call from a provider saying that they get a warning when they try to access your website. You then panick! You open Chrome and try to visit the website, and you too get the warning. You don’t know what is going on. You try to login to your WordPress using admin and 12345 as password and you see lots of pages and blog posts that you have not added. It is until then when you start thinking about security.

That story happens very often, it even happened to a colleague of mine in Sucuri. And it is until we make the mistake that we realize how easy was to take us down, and how easy would have been to prevent this from happening. You do not have to be a web expert or a security ninja to be able to have security put in place. You can opt for services like Sucuri, that provide a managed security service to protect your website. That way you can focus on your business and we will manage security and let you know of any issue that we see that requires your attention.

Visit Sucuri.net for more info!

People don’t care about what is under the hood

Customers pretty much just needs something that works and does the job. They don’t care if its WordPress or Joomla or Drupal. They don’t. They will trust the web agency or web advisor doing the work. Plus they would probably do a search online. They do not know about security, so it is the responsibility of the person or company doing their website to provide the proper guidance. Most of the cases they would choose WordPress over Drupal merely due to cost. They want the most BANG for the buck. And we can all relate to this.

However after the website is done, the customer must be advised that he needs to do maintenance to his website, which is just like a car, that needs some tune up to keep it working well, having all security updates in place to correct any vulnerability and make sure that his SEO and brand reputation is not harmed.

People blame 3rd parties instead

While working at Site5, I faced many customers that were angry because we didn’t stop the hackers from defacing his website. Which is funny to me and the perfect analogy I gave them, is like complaining to your land lord who rented you that house, when burglars break in and steal your stuff. Web hosting providers are responsible for the security of the servers, not for the security of the applications. They protect their servers from being accessed on their core, not on user accounts. I remember when Site5 started blocking IPs of people trying to access several times with the wrong FTP passwords, we had tidal waves of complains and just 1% of people really appreciated the security measure imposed.

In Sucuri, is a different story, people come with actual problems, websites infected with malware, hacked, or blacklisted and we need to help them. I work with customers and the first thing I need to clean a site is access to the website files, but many people do not know what an FTP account is and we provide them an explanation, and offer them to possibility of reading a tutorial on how to get the FTP account, or to simple give over his web hosting account login details so we can figure out the rest. At least 80% of the times, they would give you their web hosting account details, with the same passwords, and they do not change it after we use it. Which is very dangerous.

Once I am in, I have problem because some scripts are really really old, and they have tons of vulnerabilities, but upgrading them it causes hell, because it breaks plugins and themes, leaving most of the times the websites with the dreaded white screen of death. So I have to be careful about removing the infection. Reinstalling the specific WordPress version to make sure that we have clean core files. And finally checking the plugins and themes to advise which really need an update.

From time to time, cleaning malware breaks the functionality of a plugin or a feature of the website that I honestly overlook, and people come back reporting that, as a precaution we always take backups of everything we modify, so we can always roll back. Although there are very very rate times when the site was so infected and corrupted that the only choice is to update everything and we suggest to work with a developer or rebuilding the site and provide several suggestions on how to avoid this from happening again.

I try to do my best always, but sometimes, that is not enough. People whose website I’ve cleaned, do not read the suggestions, and get reinfected, and I am the one to blame for not doing my job right. Its like going to a physician because you had a cold after jogging under the rain, and after getting cured, go jogging under the rain again and then complain and blame the physician. We helped you, we cleaned the site, we told you how to avoid this from happening again. You didn’t listen or didn’t care and now we are to blame. But not worry, we will AGAIN, clean your site and AGAIN provide the suggestions hoping this time you will follow them.

That’s all folks!

These are a few of the things I’ve learned from working with people who have WordPress website around the world. Some have made me laugh, some have annoyed me at first, but from both I’ve learned and adapted my feedback to them so they can be better protected.

If you want to talk more about this, invite me for a beer and let’s hangout!

How websites get hacked? And WordPress meetup Managua — June 11, 2016

How websites get hacked? And WordPress meetup Managua


On May, I had the opportunity to participate on Desarrolladores WordPress Nicaragua (You can find them facebookmeetup ) monthly meetup.

Both my business partner and co-founder of SenorCoders.com and myself gave talks. While I talked about How Websites get Hacked, Kharron talked about Developing a Mobile App using WordPress as the backend.

My presentation was based out of the work that I do each day as part of the Remediation team in Sucuri. You can find my presentation here:

 

Special thanks to:

  • Daniel Gordon & Steven Hansen from Rain for sponsoring the venue, sodas and pizzas.
  • Tom Sepper @ Site5 for sponsoring the web hosting accounts

 

 

WordPress Plugin Vulnerabilities — May 12, 2015

WordPress Plugin Vulnerabilities


This is for all of you WordPress users. Recently a lot of vulnerabilities were discovered which allow hackers and script kiddies to have access to your website if you are running outdated versions of all the following plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

The above plugins have already been updated by their developers to fix the issue so we strongly recommend logging into your WordPress admin panel and updating these as well any other plugins that are installed.

What can you do?

UPDATE WordPress

Yup! Get your WordPress to the latest latest version available. Go here to know what the latest version of WordPress is the one that was recently released -> WordPress.org

UPDATE Plugins

Go to your WP-ADMIN Dashboard and then to plugins and update all the ones that are outdated. Please note that this will probably cause some features to break, but its better to fix this than to get hacked and get your domain or server blacklisted. Preventive maintenance it’s ten times better than corrective maintenance. At least that is what my mother taught me.

REMOVE Plugins

If any of the plugins listed above is on your WordPress and it does not have a recent update less than 2 weeks ago (please note that today is May 12th 2015), remove it. It’s better be safe than sorry.

Also cut all the fat, and remove all the plugins that you are not using, even if you have them disabled it’s just safer to remove them for good. Bye, CIAO, ADIOS!!!

Say no to cracked or nulled Plugins and Themes

I know the idea of not paying for software might be appealing to you.. However I suggest to not be cheap when it comes to this, as it’s more often that these types of warez have some sort of injected code which will allow other to get access to your account and use it to run commands on your account remotely.

So do not be a part of the next DDoS attack or SPAM source. Pay for your plugins and themes, below are some great places to purchase your WordPress Themes and Plugins:

For Themes

For Plugins -> Code Canyon By Envato

Further reading

For more information about this vulnerability, please visit the following link:

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

%d bloggers like this: