Sal Aguilar's Bilingual Adventures in IT

computers are easier to deal with than people

Introduction to WordPress Security by Sucuri — February 14, 2018

Security matters for every website, and especially for WordPress, which runs more than 29% of the entire internet. It is crucial: preventive security is 10 times cheaper than reactive security.

Below is an amazing and easy-to-follow infographic about WordPress security by my favorite website security provider, Sucuri.

See the full infographic here: https://sucuri.net/infographics/intro-to-wordpress-security

 

How to choose a hosting for WordPress? Part 1 — January 19, 2017

In WordPress user groups there is always someone who asks:

Which hosting do you recommend for my WordPress site?

Then the fanboys always jump in to recommend the hosting they use, without first having the data that would let them answer the question responsibly. And this often leads to frustration when users contract a service that was not exactly what they were looking for.

That is why I decided to write this article, for all those people who need to know how to choose a hosting that fits their needs and their means.

Before you start

This article will ask you questions that you should be able to answer. If you cannot answer any of them, I recommend that you first take the time to define the vision for your website. Things that seem as silly as vision, market niche, location of the target market, level of concurrent visitors, contingency plan and so on become important, because not all services offer the same benefits. So before you start, I suggest that you have clearly defined what you want to do with your website, so that you can guarantee the best possible operation.

Basic requirements

As you should already know, WordPress is written in PHP and depends on a MySQL database, so the host must have one of the following configurations:

Web server: Apache, NGINX, LiteSpeed or IIS.

Application server: PHP or PHP-FPM.

Database: MySQL, MariaDB or Percona DB.

Now let's go step by step through what we need to know in order to choose a hosting.

Where are the visitors you want to attract located?

Some people have asked me at events: what does that have to do with the type of hosting? The answer is extremely simple. If you are in Nicaragua or Costa Rica, you are not going to buy hosting whose servers are in Australia or India, because it would impact the loading speed of the website.

In the specific case of Nicaragua, where our internet comes from the USA, it is always best to look for servers near Miami, in order to have the shortest route to them. A popular choice is Dallas, then New York and then Miami. It is also worth pointing out that some providers such as SiteGround have their servers in Chicago, and Amazon Web Services has them in Virginia.

In the specific case of Costa Rica, which has links to both the east coast and the west coast, I could add Los Angeles, San Francisco and Oregon.

It is always a good idea to run a traceroute to determine which hosting is closest to our target market.

How many visitors per month do we expect my site to get?

Many hosts limit resources such as CPU, PHP processes, memory, MySQL queries, etc. That is why it is extremely important that we have defined how many people we want to visit our site.

Let's analyze SiteGround as an example: on their WordPress page they advertise 3 packages and give you an approximate number of visitors each plan supports. This is important to know, since hosts such as HostGator, BlueHost and Site5 (all belonging to EIG) have several limitations in the fine print, and that is why their prices are low. Performance problems start after the third concurrent visitor to the site. And it is not only human visitors that count, but all the bots, crawlers and scanners that visit our sites daily without us noticing.

If you want to have more than 5 visitors at the same time without your site losing speed, then you have to avoid any shared hosting plan. Once you decide that you want the capacity to receive more visitors, you have to use a dedicated server.

In the specific case of SiteGround, they offer two types of dedicated servers: a cloud server or a dedicated server. The cloud server is simply a container/virtual server that shares hardware with other servers and can easily be moved to other hardware without losing any data. The dedicated server, on the other hand, means hardware dedicated to your account, with no other sites on it, so all the resources are exclusively yours. For scalability and flexibility I recommend cloud servers, because you can scale up when you expect a traffic peak due to an offer or an active marketing campaign, and then scale back down to a server with fewer resources once that excess traffic has subsided. This mainly helps you reduce costs. With a dedicated server, an upgrade takes longer because your site has to be migrated to a new server with more capacity, which takes much more time than simply resizing a cloud server.

Another similar case is WPEngine, a provider that only offers Managed WordPress Hosting. They include extra services in the monthly price: free SSL certificates and malware removal via Sucuri.net. For each plan they show you roughly how much traffic it supports, but note that this is only an approximation. With them you can also move up or down a plan as your traffic increases or decreases. This is a service aimed more at companies that need high levels of both performance and support, which is why it costs more, but it is highly recommended if you have the budget.

Do I want a managed service, or do I want to manage the server myself?

This is a question that very few people ask themselves. Services such as SiteGround and WPEngine are fully managed services where the company's staff takes care of server administration, updates, security patches, logs, backups, etc. The user never gets administrative or superuser access to the server.

In the middle we can place KnownHost, a provider that offers a managed service but does give you administrator-level access to the server under certain guidelines. They offer 3 types of plans: Dedicated Servers, VPS (cloud) Servers and VPS Servers with SSD.

And finally, if you want to manage the server yourself (installing, configuring, updates, patches, memory problems, etc.), then I can recommend taking a look at Digital Ocean and trying a VPS for USD 5 a month. Use this link and Digital Ocean will give you USD 10 in credit so you can try the VPS for free for 2 months. The good part is that it is extremely flexible, since you can build whatever stack you want yourself: LEMP, LAMP, etc. The bad part is that you need a lot of knowledge and time to configure things and to troubleshoot when something goes wrong.

It is worth mentioning that Digital Ocean has a pretty good backup service, but it costs extra. It is a very good idea to use it instead of WordPress backup plugins, since it takes load off the application and the provider does everything externally, without impacting the CPU or memory of your VPS.

 

#BlogsNI – Festival de Blogs de Nicaragua — September 18, 2016

What is #BlogsNI?

Next week, I set sail for #BlogsNI, which is Nicaragua's Blogs Festival: an event about the local Nicaraguan blogosphere, a review of its past, present and future. The event will host different local experts from social communication, marketing and technology.

What will I be doing at #BlogsNI?

I was invited by the organizers to participate in the event on the technology side of things. After all, I'm an IT guy who loves teaching about WordPress. I will represent Sucuri (talk to me if you need help with WordPress and website security), I will be giving a talk about WordPress and e-commerce, and I will give a workshop on Advanced WordPress. Below are the full agenda and the banner for my workshop.

[Image: #BlogsNI agenda]

Join my workshop if you want to learn further about WordPress!

[Image: #BlogsNI Advanced WordPress workshop banner]

More info on the event:

When:

  • September 21 – #BlogsNI Workshops
  • September 22 – #BlogsNI Talks

Where:

Universidad Centro Americana. UCA. Managua, Nicaragua.

Facebook Page: https://www.facebook.com/FestivalBlogsNicaragua

Facebook Event: https://www.facebook.com/events/646689258837645/

Be sure to contact me if you want to setup some time to talk!

Cheers!

 

How websites get hacked? And WordPress meetup Managua — June 11, 2016

In May, I had the opportunity to participate in the monthly meetup of Desarrolladores WordPress Nicaragua (you can find them on Facebook and Meetup).

Both my business partner, the co-founder of SenorCoders.com, and I gave talks. I talked about how websites get hacked, while Kharron talked about developing a mobile app using WordPress as the backend.

My presentation was based on the work that I do each day as part of the Remediation team at Sucuri. You can find my presentation here:

 

Special thanks to:

  • Daniel Gordon & Steven Hansen from Rain for sponsoring the venue, sodas and pizzas.
  • Tom Sepper @ Site5 for sponsoring the web hosting accounts

 

 

Top 5 WordPress Tools for any WordPress Developer — February 18, 2016

As a professional working on WordPress sites, I wanted to share the tools that I use in my day-to-day WordPress development and management tasks. I hope these tools will make your life easier, as they did mine, so without further ado, let's begin:

Chrome Developer Tools

It's incredible that many people who build WordPress sites are not aware of how useful the Chrome browser is. Google has done great things with it, and Dev Tools is a big part of that. You can find JavaScript errors, see HTTP headers, do performance analysis and much, much more. It's an essential part of what I use to diagnose issues with websites.

Website: https://developers.google.com/web/tools/chrome-devtools/

YouTube: https://www.youtube.com/watch?v=dJR-n8szgBc

wp-cli: Command Line Interface for WordPress


If you are a console lover like me, you will appreciate this tool very, very much. wp-cli is a terminal application built in PHP that lets you execute a lot of WordPress management tasks, such as updating and installing plugins, adding users, resetting passwords, etc., all from the comfort of your favorite shell environment (I use and ❤ Oh My Zsh). It requires a Unix-like environment with PHP installed.

Website: http://wp-cli.org/ 

Twitter: @wpcli

GitHub: https://github.com/wp-cli/wp-cli

YouTube: WP-CLI – A Practical Guide For The Rest of Us WordCamp

Wocker: Docker for WordPress


Wocker is a rapid development environment for WordPress. It is based on Docker and works on Linux and Mac. Since I am using a Mac, it made my life easier, as I don't need to set up Apache and MySQL each time I have to set up a new WordPress boilerplate! (AWESOME)

This gives you a great way to develop a site locally and then migrate it over to your web host using any of the available methods!

Author: Kite Koga (@ixkaito)

Website: http://wckr.github.io/

YouTube Tutorial: https://www.youtube.com/watch?v=F3OAm7qMeic

Presentation: http://www.slideshare.net/kaitokoga9/wocker-create-a-wordpress-development-environment-in-seconds

WordPress Codex

One of the things I love most about WordPress is that all the documentation is available online, and the Codex at wordpress.org is the best online resource for any WordPress documentation, whether you are just starting or need a quick reference on any function of the CMS. +1 to Automattic for making such an awesome resource available to us all.

Website: https://codex.wordpress.org/

The IDE: PHPStorm by JetBrains vs SublimeText


I know this is a very personal decision for each one of you, but to me PhpStorm is better than SublimeText when it comes to being a real IDE. Sure, SublimeText has a lot (I seriously mean A LOT) of plugins that extend its functionality, but PhpStorm comes with everything I need out of the box.

Download PHPStorm: https://www.jetbrains.com/phpstorm/

PHPStorm & WordPress Tutorial: WordPress Development using PhpStorm

Download SublimeText: http://sublimetext.com/

SublimeText & WordPress tutorial: Setting Up Sublime Text for WordPress Development

Conclusion

These are the tools that I use and that work for me. Let me know if I missed another tool that you use in your daily tasks to simplify your work with WordPress; I would love to learn about new tools!

Happy 2016 & update WordPress! — January 8, 2016

It's January, it's 2016. If your site survived the holidays without going down or getting hacked, congratulations!

In case you are not aware, WordPress recently released an update, which honestly is just a maintenance and security release that fixes 52 bugs in WordPress 4.4, aka Clifford, which was released in December 2015.

So if you want to keep your WordPress secure, go to your site's WordPress admin right now and update it. But wait! Do you have a backup? If not, make one RIGHT NOW, before it's too late.


So what is coming up on this blog? Well, I do have a few ideas for articles to post in the future; some of my rough drafts are:

  • wordpress.org vs wordpress.com – an idiots guide!
  • BulletProof Security vs Wordfence
  • W3 Total Cache with CloudFront – an easy guide
  • W3 Total Cache with Memcache – simple steps
  • Debugging on WordPress

I’m also exploring other topics, if you have any suggestion, drop me a note or comment below.

By the way, we are close to officially launching SeñorCoders.com this year, and we have a couple of projects to finish before the launch party! So if you need professional WordPress support and implementation, contact me or contact senorcoders.com. If you mention my blog, you will get a special discount from yours truly!

WordPress and admin-ajax.php — May 14, 2015

In past articles I have shared with you what I consider the Top 5 WordPress Plugins for Shared Hosting, but I must admit that I forgot about this one. It was only after assisting customers at Site5 that I remembered I had forgotten to cover this important topic, as it sometimes causes severe problems.

What is the admin-ajax.php on WordPress?

It is the endpoint used by the WordPress Heartbeat API, which WordPress uses to communicate between the web browser and the server for tasks such as user session management and autosaving.

In layman's terms, it is the file that allows WordPress to save automatically while we are writing posts or pages, and to perform other related tasks. It helps WordPress keep track of what is happening on the Dashboard; for this, the WordPress Heartbeat API calls this file every 15 seconds to autosave posts and to provide other useful information, like what your fellow administrators and authors are working on at that moment.

Unfortunately, sometimes WordPress begins to send excessive requests to admin-ajax.php, which can cause high CPU usage, and this is something you need to avoid, especially on shared hosting accounts. For instance, leaving a web browser open on the WordPress Dashboard can be a potential issue.


WordPress Plugin Vulnerabilities — May 12, 2015

This is for all of you WordPress users. Recently a lot of vulnerabilities were discovered which allow hackers and script kiddies to gain access to your website if you are running outdated versions of any of the following plugins:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • UpdraftPlus
  • WP-E-Commerce
  • WPTouch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

The above plugins have already been updated by their developers to fix the issue, so we strongly recommend logging into your WordPress admin panel and updating these, as well as any other plugins that are installed.

What can you do?

UPDATE WordPress

Yup! Get your WordPress to the latest version available. Go here to find out what the latest version of WordPress is -> WordPress.org

UPDATE Plugins

Go to your WP-ADMIN Dashboard, then to Plugins, and update all the ones that are outdated. Please note that this will probably cause some features to break, but it's better to fix that than to get hacked and get your domain or server blacklisted. Preventive maintenance is ten times better than corrective maintenance. At least that is what my mother taught me.

REMOVE Plugins

If any of the plugins listed above is on your WordPress and has not had an update within the last 2 weeks (please note that today is May 12th 2015), remove it. Better safe than sorry.

Also cut all the fat and remove all the plugins that you are not using; even if you have them disabled, it's just safer to remove them for good. Bye, CIAO, ADIOS!!!

Say no to cracked or nulled Plugins and Themes

I know the idea of not paying for software might be appealing to you. However, I suggest not being cheap when it comes to this, as more often than not these types of warez have some sort of injected code which will allow others to get access to your account and use it to run commands on your account remotely.

So don't be part of the next DDoS attack or spam source. Pay for your plugins and themes; below are some great places to purchase your WordPress themes and plugins:

For Themes

For Plugins -> Code Canyon By Envato

Further reading

For more information about this vulnerability, please visit the following link:

https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

5 MUST HAVE Plugins for WordPress on Shared Hosting plans — April 16, 2015

I’m back 🙂

By now I have been working for Site5.com for over 7 months. I have been able to interact with probably more than a thousand customers and help them with their issues. Most of them have no HTML or security expertise and are regular folks like you and me, trying to get onto the digital stairwell of the World Wide Web.

But when they install WordPress they forget that it also needs some maintenance. Having a website, whether it is WordPress, Drupal, Joomla or any other CMS, requires some admin work as well. Having a website is like having a vehicle: it needs tuning, maintenance and gasoline, and of course you CANNOT OVERLOAD the weight it can carry or you will take it down.

The same thing applies to WordPress: bugs are discovered, and there are several botnets that scan the internet daily for websites running WordPress and then attempt thousands and thousands of logins, either via wp-login.php or the gruesome xmlrpc.php. These are called BRUTE FORCE ATTACKS. Sucuri, a leading security provider, published a report on the XML-RPC attacks that you can read here.

So for all of you WordPress users I am writing this article from my perspective as a technical support specialist.

BulletProof Security


Just like your computer, your WordPress also needs a firewall, and BulletProof Security from AIT-pro is just that. It works to block unauthorized access and to stop those script kiddies trying to brute-force their way into your site. It implements security controls like:

  • .htaccess rule generation to block IPs that have failed to log in to wp-admin more than 3 times. Once the plugin detects an IP with several failed attempts, it adds it to the .htaccess file so that your Apache blocks access for this particular offender.
  • It also logs and checks for HTTP errors, which is how you might notice someone trying to crawl through your website or scan it for vulnerabilities, so you can block them from snooping around.
  • It also creates database backups, can even email them, and can schedule the generation and deletion of old backups.

This plugin has both a FREE version and a PRO (paid) version which you can see here.

Similar plugins or services: WordPress Firewall, Sucuri WordPress Security Plugin & Wordfence Security

Disable XML-RPC

As I stated previously, one of the most recent ways of taking down WordPress sites is through the XML-RPC interface. But you can simply download this plugin to disable that feature: go to your WordPress admin console >> Plugins and enable the Disable XML-RPC plugin. And you are done!

You can validate that XML-RPC is disabled with the following web tool: http://xmlrpc.eritreo.it/

Similar plugins or services: Remove XMLRPC Pingback Ping
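The brute-force logins against wp-login.php and xmlrpc.php described above, and the runaway admin-ajax.php requests from the earlier admin-ajax.php post, both leave traces in the web server's access log. The following Python, an added example that is not code from the original post or from any of the plugins named here, parses constructed combined-format log lines and flags both patterns; the thresholds (10 POSTs within 5 minutes, and the 4-per-minute heartbeat baseline) are assumptions you would tune to your own site.

```python
"""Spot WordPress login brute force and admin-ajax.php floods in a
combined-format (Apache/Nginx) access log.
Added example, not code from the original post or from any plugin it names;
every log line below is constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}  # brute-force targets
AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"           # Heartbeat endpoint

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: total POSTs} for clients that POST to wp-login.php or
    xmlrpc.php at least `threshold` times inside any `window`."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def admin_ajax_peaks(lines):
    """Return {ip: most admin-ajax.php requests seen in any single minute}.
    One open Dashboard tab sends about 4 per minute (one heartbeat every
    15 s); far more than that from one client means a runaway tab or a bot."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] == AJAX_ENDPOINT:
            minute = rec["ts"].replace(second=0, microsecond=0)
            per_minute[rec["ip"]][minute] += 1
    return {ip: max(b.values()) for ip, b in per_minute.items()}

def _line(ip, ts, method, path, status=200):
    """Build one constructed combined-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'

_T0 = datetime(2015, 4, 16, 8, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # constructed: a bot node firing 12 POSTs at xmlrpc.php within 77 seconds
    [_line("203.0.113.7", _T0 + timedelta(seconds=7 * i), "POST", "/xmlrpc.php") for i in range(12)]
    # constructed: an editor's Dashboard tab sending the normal 15-second heartbeat
    + [_line("198.51.100.4", _T0 + timedelta(seconds=15 * i), "POST", AJAX_ENDPOINT) for i in range(8)]
    # constructed: a misbehaving tab hitting admin-ajax.php 30 times in one minute
    + [_line("198.51.100.9", _T0 + timedelta(seconds=2 * i), "POST", AJAX_ENDPOINT) for i in range(30)]
    # constructed: ordinary browsing and two legitimate logins, which must not be flagged
    + [_line("192.0.2.10", _T0 + timedelta(minutes=i), "GET", "/?p=42") for i in range(3)]
    + [_line("192.0.2.11", _T0 + timedelta(minutes=i), "POST", "/wp-login.php", 302) for i in range(2)]
)

if __name__ == "__main__":
    print("brute-force candidates:", find_bruteforce(SAMPLE_LOG))
    print("admin-ajax.php peak requests/minute:", admin_ajax_peaks(SAMPLE_LOG))
```

Point the functions at the lines of your real access log to see which clients BulletProof Security or the Disable XML-RPC plugin would be saving you from, and whether an open Dashboard tab is what is eating your CPU.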

W3 Total Cache

Every single time you load a page from a WordPress-based site, it runs several queries against the database and processes the PHP into plain HTML; all of that uses resources. And when you are on a shared hosting account, chances are that you have limited resources and can be throttled on CPU, memory or PHP processes, like we do at Site5.

The cache layer is a very important one, because it reduces the use of CPU and memory and the number of queries to MySQL. The plugin creates a static copy of your site, so instead of having WordPress perform the same work over and over again, it caches the files and contents and sets an expiration (TTL) on them, which tells the script to fetch a fresh copy of the site after the given time.

Download it here

Similar plugins or services: WP Super Cache & CloudFlare.

WP Cron Control

Let me start by explaining that in the Linux world, a cron job is a scheduled task that runs at a certain interval, depending on the schedule set up by a person.

This plugin allows you to take control over the execution of cron jobs. It’s mainly useful for sites that either don’t get enough comments to ensure a frequent execution of wp-cron or for sites where the execution of cron via regular methods can cause race conditions resulting in multiple execution of wp-cron at the same time. It can also help when you run into posts that missed their schedule.

Download it here.

Similar plugins and services: WP Control & Advanced Cron Manager

Google XML Sitemaps

Use this plugin to submit your WordPress site to Google’s Webmaster tools. This plugin will generate a special XML sitemap which will help search engines like Google, Bing, Yahoo and Ask.com to better index your blog.

With such a sitemap, it is much easier for the crawlers to see the complete structure of your site and retrieve it more efficiently. The plugin supports all kinds of WordPress-generated pages as well as custom URLs. Additionally, it notifies all major search engines about the new content every time you create a post.

Download it here.

And there you go, folks: this is what I recommend people use on their sites as the basic pillars on which to build your awesome website. Hit me up if you have any comments or need some guidance; I'd be happy to lend you a hand.

Please don’t forget to share this article on your social media and other websites 🙂

Lost your WordPress Administrator password? — February 3, 2015

This happens a lot on the web hosting world:

  • clients lose their WordPress password
  • clients forget their WordPress administrator username
  • clients set up an email address and no longer have access to it to do the password reset
  • the client's WordPress can't send email notifications because they are being blocked by anti-spam filters.

Before we start, I want to point out that this tutorial uses the tools that Site5 provides, so it assumes that you have all of the following:

  • Active domain, subdomain or temporary URL (absolutely necessary)
  • Active Site5 web hosting account
  • Backstage access
  • SiteAdmin or cPanel access
  • WordPress previously installed

  1. Find the database name of your WordPress installation.
    • Via FTP or File Manager, go to the folder where you installed WordPress, for example /home/username/public_html/, and look for the file wp-config.php (select the file and then click the Edit button on the File Manager toolbar). Look for these lines:
      /** The name of the database for WordPress */
      define('DB_NAME', 'example_wp355');
      where example_wp355 is your database name.
  2. Go to Backstage >> SiteAdmin >> Databases >> phpMyAdmin
  3. Look for the example_wp355 database, and then for the table wp_users

Once you are in the wp_users table, you should see all the user details. In this particular case I only have one user, admin, as you can see in the screenshot below:

[Screenshot: admin user]

  1. Now, to change the password, click the Edit button for the username that you want to modify.
  2. On the new screen you will be able to edit all the details of that user, but in this particular case we ONLY want to change the password. So go to the user_pass field, click the dropdown and select MD5, and in the input field next to it simply type the password that you want to set. Once you are finished, click the Go button.

And that is all; now you should be able to log in to your WordPress with the password we just set for that account. If you need assistance, let me know on my contact page.
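As an added example (not code from the original post, and not a Site5 tool), the following Python reads the database name and table prefix from wp-config.php, as in step 1 above, and builds the same password reset the phpMyAdmin steps perform by hand as a parameterised SQL statement. The wp-config.php text is constructed, and the DB-API `%s` placeholder style is an assumption about the MySQL driver you would run it with.

```python
"""Read DB_NAME and the table prefix from wp-config.php (step 1 of the
procedure above) and build the password reset that the phpMyAdmin steps
perform by hand, as a parameterised statement.
Added example, not code from the original post; the wp-config.php text
below is constructed and contains no real credentials."""
import re

# matches define('DB_NAME', 'x'); with either quote style and optional spaces
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<key>\w+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")
IDENT_RE = re.compile(r"[A-Za-z0-9_]+")  # only characters allowed in identifiers

def read_wp_config(text):
    """Return the define()d settings plus 'table_prefix' (default 'wp_').
    The post assumes the table is wp_users; an install with a custom prefix
    has e.g. blog7_users instead, which is why the prefix is read too."""
    settings = {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(text)}
    pm = PREFIX_RE.search(text)
    settings["table_prefix"] = pm.group("prefix") if pm else "wp_"
    return settings

def reset_statement(settings, user_login, new_password):
    """Return (sql, params) for a DB-API cursor (assumed %s placeholders,
    as in PyMySQL). Writing MD5(new_password) into user_pass is what
    selecting MD5 in phpMyAdmin does; WordPress accepts such a value and
    re-hashes it with its stronger password hasher the first time that
    user logs in. Identifiers are validated before being interpolated;
    the password and login go in as parameters, never as string pieces."""
    db = settings["DB_NAME"]
    table = settings["table_prefix"] + "users"
    for ident in (db, table):
        if not IDENT_RE.fullmatch(ident):
            raise ValueError("unsafe identifier in wp-config.php: %r" % ident)
    sql = (f"UPDATE `{db}`.`{table}` SET user_pass = MD5(%s) "
           "WHERE user_login = %s")
    return sql, (new_password, user_login)

# constructed wp-config.php fragment in the shape the post quotes
SAMPLE_CONFIG = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'example_wp355');
define( 'DB_USER', "example_usr" );
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    cfg = read_wp_config(SAMPLE_CONFIG)
    print(cfg["DB_NAME"], cfg["table_prefix"] + "users")
    print(reset_statement(cfg, "admin", "choose-a-long-new-password"))
```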

Below are more resources regarding password resets:
