This is going to be a pretty high tech article, but the benefits outweigh the work that it requires. I’m going to talk about using cloudflare.com to cache your website and offer IPv6 compatibility. For this to work you have to be using your own domain name and have access to change the namerservers for your domain. If you cannot do this, then you can’t take advantage of cloudflare.com.

Caching

To speed up access to a website, the larger sites around the Internet cache data as close as possible to the end user, usually using some sort of content delivery network (CDN). For the enduser, that speeds up access to the website, since instead of a US user having to transfer data from a UK website, the US user would only need to pull it from a closer server. There are also other tricks that CDNs use to lower bandwidth usage and increase speed. Cloudflare acts like a CDN on your behalf, automatically caching your website around the world.

IPv6

IPv6 is the next version of the Internet addressing protocol, set to replace the current IPv4. If you have an IPv4 address you can’t talk to a user with an IPv6 address and vice versa. Most clients now support both at once, but until all the connections between you and a website upgrade their equipment and software to IPv6, you are still going to be using IPv4 addressing for awhile. This isn’t true in Asia, where they’ve exhausted their IPv4 addresses and there are users there that are only getting an IPv6 address. If you only have an IPv6 address, then you only have access to about 10,000 websites that are set up for IPv6.

Enter Cloudflare

Once configured, Cloudflare manages connections to your website, caching the content. And with a simple switch on their website, you can turn on IPv6 access to your website. ryancollins.org is now on Cloudflare’s network and should be accessible over IPv6.

Should you sign up?

I’m going to run it for awhile and see if any issues crop up. I just noticed the “Threat Alerts” on my dashboard, where Cloudflare already has blocked a couple of botnets from accessing the site. I’ve played around with different caching plugins for WordPress, but Cloudflare seems like a lot better solution, especially since it doesn’t require any work.

Yes, I let my WordPress installation rot. And it’s entirely my fault. WordPress makes it so easy to keep it up to date now that there is no excuse, so I do accept full responsibility! I’m lucky in the fact that all the hacker
did was rewrite my .htaccess file to redirect visitors to a malware hosted site.

After examining the WordPress database, it appeared that it hadn’t been changed by the attacker, so I went about installing a new copy of WordPress. It went pretty smooth, and for right now I’m going for a minimum amount of
plugins and keeping the design pretty basic. As I was restoring, I began to think of what the hacker might of had access to and what I needed to do to protect myself.

1. I don’t know if the attacker had access to the filesystem or could only append lines onto the .htaccess file. Why is this important? Your MySQL password for your WordPress installation is listed in the wp-config.php file. If you allow access to your MySQL server from the outside world, an attacker armed with this username and password is free to make changes to your database, even making themselves an administrator. So before doing the installation, I changed my password to MySQL.

2. One plugin I use with WordPress is Automatic WordPress Backup. This makes daily backups of my WordPress installation and stores them on Amazon S3. What I realized after this hack was that if the attacker had gotten access to administrator privileges, he could have wiped out every single backup I have. Worse yet, they could gain access to my access keys for Amazon S3. I went in and changed my Amazon S3 access keys.

What I’m doing differently

1. I will be keeping up on WordPress updates!!!

2. The wp-config.php file, which contains some very important information on your WordPress installation does not need to live in a web accessible directory such as your main WordPress installation. I moved it up a directory. For example, if you installed WordPress in ~/public-html/, you can put wp-config.php in ~/.

3. Once my installation was completed, I created a user for myself and made it an administrator. I then logged in as my new administrator account and deleted the default administrator. This protects against hacks that target the default admin account.

4. I switched to Disqus for comments. The blog only had one user, and I didn’t want to worry about being hacked giving up reader information. By using Disqus, I let them handle it.

5. I installed the CHAP Secure Login plugin for WordPress. This protects logins by encrypting the password. Since I don’t have an SSL certificate, my password would be “in the clear” without this plugin.

6. I will be automating the download of my backups from Amazon S3.

If you have $1 and an iPad, this app is well worth it.

photo credit: ekurvine

Facebook has begun rolling out new settings for who can see your Facebook profile and what they can see on your profile. I suggest you double-check what is viewable about you. I try to keep my personal FB totally separate from my Facebook Page, so my profile is pretty much locked down. Over at Digital Inspiration they’ve written an article on How to Cross-Check Your Facebook Privacy Settings.

[ad]

To protect yourself you’ll need to disable Firewire in your PC BIOS, or on the Mac you will need to set the Open Firmware password.