Category Archives: Web Application Development

How to Fix a Hacked WordPress Website

Problem:

When you visit your WordPress website you are randomly redirected to unwanted websites.

Verification:
  • Log in your website as an Administrator.
  • Go to Appearance >> Theme Editor.
  • Click on the Theme Functions link on the right side.
  • Verify if malicious code was injected into the functions.php file.

Example of malicious code:

<?php @ini_set('display_errors', '0'); 
error_reporting(0); 
global $zeeta;
  • Download the wp-config.php file to your machine via FTP or SSH.
  • Verify if malicious code was injected into the wp-config.php file.

Example of malicious code:

include_once(ABSPATH . WPINC . '/header.php');
      Solution:
      • Stop the website.
      • Download the whole website to your local machine.
      cd /var/www/huybien.com
      sudo zip -r huybien.zip /var/www/huybien.com/html
      
      • Download the latest version of WordPress.
      • Unzip and the latest version of WordPress to a new folder.
      • Copy the wp-content/uploads folder, the wp-config.php, .htaccess, web.config, and ads.txt file from your original website to the new folder.
      • Review and remove all the suspicious contents in the wp-content/uploads directory of the new folder.
      • Go to the wp-content\themes folder of the new folder.
      • Manually re-download and unzip all the necessary themes.
      • Go to the wp-content\plugins folder of the new folder.
      • Manually re-download and unzip all the necessary plugins. Pay attention to the plugins that were closed due to Guideline Violation.
      • Delete all your website content in your root directory in your hosting server.
      cd /var/www/huybien.com/html
      sudo rm -rf *
      ls -a
      • Zip and upload the new folder (without the folder name) to your hosting server. The typical path is /home/ubuntu.
      • Unzip the new content to your root website directory.
      cd /home/ubuntu
      unzip huybien.zip -d /var/www/huybien.com/html
      • Start the website.
      Configuration:
      • Log in your website as an Administrator.
      • Change your Administrator’s password.
      • Change permissions for the html folder.
        sudo chmod -R 777 /var/www/huybien.com/html
      • Remove all the unused plug-ins or themes.
      • Revert permissions for the html folder and set permissions for the wp-content folder.
        sudo chmod -R 775 /var/hosting/huybien.com/html
        sudo chmod -R 777 /var/hosting/huybien.com/html/wp-content
      • Install, activate and configure a CAPTCHA plug-in to protect Login Form, Registration Form, Lost Password Form, Reset Password Form and Comment Form if there is no one.
      • Disable insecure FTP access if there is one.
      • Install and activate the Simple History plugin to review access to your website. After 1 or 2 days, review the access information, and possibly block the malicious IP addresses using the Windows Firewall.
      • Install, activate and configure Cerber Security plug-in to automatically detect and block the malicious IP addresses.

       

       

      How to Manually Install PHP 7.4 for Windows Server 2019

      Motivation:

      To understand how PHP works with IIS in order to be able to update PHP to any version to address compatibility or security issues.

      Using a tool to install PHP for IIS, for example Microsoft Web Platform Installer 5.0 https://www.microsoft.com/web/downloads/platform.aspx, restricts us from using only versions supported by the tool.

      Solution:

      • Install CGI for IIS.
      • Download VC15 x86 Non Thread Safe package here or under PHP 7.4 section from http://windows.php.net/download/
      • Extract the ZIP file to the C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86 folder.
      • Rename the php-.ini-development file to php.ini.
      • Open the php.ini file and add the following line at the end of the file.
      extension=php_wincache.dll
      • Uncomment the following lines
      fastcgi.impersonate = 1;
      
      cgi.fix_pathinfo=1;
      cgi.force_redirect = 1 (and change the value to 0, i.e. cgi.force_redirect = 0)
      
      extension_dir = "C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86\ext"
      
      extension=php_curl.dll
      extension=php_fileinfo.dll
      extension=php_mbstring.dll
      extension=php_exif.dll
      extension=php_mysqli.dll
      extension=php_pdo_mysql.dll
      extension=php_openssl.dll
      
      error_log = "C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86\php_errors.log"
      
      error_log = syslog
      • A sample php.ini file can be download here.
      • Add C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86 to System Path.
      • Download x86 package of WinCache 2.0 for PHP 7.4 here or from https://sourceforge.net/projects/wincache/.
      • Extract and copy the php_wincache.dll file to C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86\ext
        folder.
      • Open IIS, click on Server name, double click on Handler Mappings, click on Add Module Mapping, and enter below information
      Request path = *.php
      Module = FastCgiModule
      Executable = "C:\Program Files (x86)\php-7.4.9-nts-Win32-vc15-x86\php-cgi.exe"
      Name = PHP 7.4
      Request Restrictions = File or folder

      Open a Command Prompt, execute below command and ensure that NO WARNINGS APPEAR.

      php -version
      • Create phpinfo.php file with below content in the website folder and test the result.
      <?php
      phpinfo();
      ?>

       

      How to move a WordPress instance from one server to another Linux server

      Motivation:

      You want to move a WordPress instance from one server to another to consolidate your websites to reduce cost.

      Solution:

      Install and use below Duplicator plugin to achieve your goal.

      https://wordpress.org/plugins/duplicator/

      User guide: https://snapcreek.com/duplicator/docs/quick-start/

      If everything goes well for you then congratulation!

      Otherwise, please review below possible problems and corresponding solutions.


      Problem 1:

      You don’t have a website on the new server.

      Solution 1:

      1. Create a new virtual host in the /etc/httpd/conf/httpd.conf

      <VirtualHost *:80>
      ServerName example.com
      ServerAlias www.example.com
      DocumentRoot "/var/www/www.example.com"
      </VirtualHost>

      2. Set 775 permission for /var/www/www.example.com

      3. Restart httpd service

      sudo systemctl restart httpd

      Problem 2:

      You are using Amazon Linux 2 server.

      You are logged in as ec2-user.

      You use WinSCP to upload files and edit configuration files.

      You cannot modify /etc/httpd/conf/httpd.conf and /etc/php.ini.

      Solution 2:

      1 View permission settings for the file

      ls -ld /etc/httpd/conf/httpd.conf

      The result indicates that the file owner is root user and root group, not ec2-user.

      2. View groups of a user

      groups ec2-user

      The result indicates that the ec2-user does not belong to root group.

      3. Add a user to root group

      sudo usermod -a -G root ec2-user

      4. Grant Read-Write permission against a file to root group

      sudo chmod g+rwx /etc/httpd/conf/httpd.conf
      sudo chmod g+rwx /etc/php.ini

      5. Logout and login to the server again.


      Problem 3:

      You are using Amazon Linux 2 server. The ZipArchive feature is missing.

      Solution 3:

      1. Execute below commands:

      sudo amazon-linux-extras install php7.2
      sudo yum install php-pear php-devel gcc libzip-devel zlib-devel
      sudo pecl install zip-1.13.5 # we must specify a slightly older version due due to compatibility

      2. Add “extension=zip.so” to /etc/php.ini

      3. Restart the server

      sudo reboot

      Problem 4:

      You don’t have a WordPress database on the new Linux server.

      Solution 4:

      Execute below MySQL commands:

      CREATE USER 'username'@'localhost' IDENTIFIED BY 'password';
      CREATE DATABASE `wp_database`;
      GRANT ALL PRIVILEGES ON `wp_database`.* TO "username"@"localhost";
      FLUSH PRIVILEGES;

      Problem 5:

      An database error occurs while restoring a website.

      Solution 5:

      1. Execute below commands to remove the website:

      sudo chown -R ec2-user:apache /var/www/example.com
      sudo chmod 2775 /var/www/example.com && find /var/www/example.com -type d -exec sudo chmod 2775 {} \;
      find /var/www/example.com -type f -exec sudo chmod 0664 {} \;
      rm -r /var/www/example.com

      2. Upload the Duplicator files again, and restore the website again.


      Problem 6:

      No write access against /var/www/example.com is available for Duplicator.

      Solution 6:

      1. Execute below commands:

      sudo chown -R ec2-user:apache /var/www/example.com
      sudo chmod 2775 /var/www/example.com && find /var/www/example.com -type d -exec sudo chmod 2775 {} \;
      find /var/www/example.com -type f -exec sudo chmod 0664 {} \;

      2. Run http://example.com/installer.php again.

      Setting File Permissions for WordPress on IIS

      Motivation:

      • You have a WordPress instance in Windows with IIS.
      • You upload a file. Its thumbnail is not shown in Media Library.
      • You change the file permission. Its thumbnail now is shown correctly in Media Library.
      • You upload another file and have to change the file permission manually again.
      • How can we make WordPress automatically set the correct permission for new uploaded files?

      Procedure:

      1. Ensure that the the Identity of Application pool that the website is running under is ApplicationPoolIdentity.
      2. Execute below commands as Administrator
      icacls "C:\inetpub\wwwroot\domain.com" /grant "IUSR":(OI)(CI)F /T
      icacls "C:\inetpub\wwwroot\domain.com" /grant "IIS_IUSRS":(OI)(CI)F /T

      3. Open IIS Manager, click on your website, click Authentication, click Anonymous Authentication (which should be the only one enabled), click Edit, select Application pool identity if it is not selected, click OK.

      How to change a WordPress website’s domain name?
      • Open the wp-config.php file.
      • Add two lines to the file, right before /* That’s all, stop editing! Happy blogging. */:
      define('WP_HOME','http://example.com');
      define('WP_SITEURL','http://example.com');
      • Bulk edit the posts content if needed.

      How to Manually Install PHP 7.1 for Windows Server 2016

      Motivation:

      To understand how PHP works with IIS in order to be able to update PHP to any version to address compatibility or security issues.

      Using a tool to install PHP for IIS, for example Microsoft Web Platform Installer 5.0 https://www.microsoft.com/web/downloads/platform.aspx, restricts us from using only versions supported by the tool.

      Solution:

      • Install CGI for IIS.
      • Download VC14 x86 Non Thread Safe package here or under PHP 7.1 section from http://windows.php.net/download/
      • Extract the ZIP file to C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86 folder.
      • Rename the php-.ini-development file to php.ini.
      • Open the php.ini file and add the following line at the end of the file.
      extension=php_wincache.dll
      • Uncomment the following lines
      fastcgi.impersonate = 1;
      
      cgi.fix_pathinfo=1;
      cgi.force_redirect = 1 (and change the value to 0, i.e. cgi.force_redirect = 0)
      
      extension_dir = "C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86\ext"
      
      extension=php_curl.dll
      extension=php_mbstring.dll
      extension=php_mysqli.dll
      extension=php_pdo_mysql.dll
      extension=php_openssl.dll
      
      error_log = "C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86\php_errors.log"
      
      error_log = syslog
      • Add C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86 to System Path.
      • Download x86 package of WinCache 2.0 for PHP 7.1  here or from https://www.iis.net/downloads/microsoft/wincache-extension
      • Extract and copy the php_wincache.dll file to C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86\ext
        folder.
      • Open IIS, click on Server name, double click on Handler Mappings > Add Module Mapping with below information
      Request path = *.php
      Module = FastCgiModule
      Executable = "C:\Program Files (x86)\php-7.1.33-nts-Win32-VC14-x86\php-cgi.exe"
      Name = PHP 7.1
      Request Restrictions = File or folder
      php -version
      • Create phpinfo.php file with below content in the website folder and test the result.
      <?php
      phpinfo();
      ?>

       

      Using Let’s Encrypt with IIS in Windows or with nginx in Ubuntu

      Motivation:

      Why use an SSL/TLS certificate to secure your website?

      1. To protect your website users from man-in-the-middle attacks.
      2. To ensure the integrity of the data being sent to your website.

      Why use Let’s Encrypt SSL/TLS certificate?

      It's FREE.

      Tested environment:

      1. Windows Server 2016/IIS 10
      2. win-acme.v2.1.10.896.x64.pluggable
      3. Ubuntu 18.04
      4. certbot 0.27.0

      For Windows and IIS:

      1. Log in a Windows server.
      2. Download win-acme.v2.1.10.896.x64.pluggable here or from https://github.com/win-acme/win-acme/releases.
      3. Unzip the files to C:\inetpub\win-acme.v2.1.10.896.x64.pluggable.
      4. Open cmd.exe as Administrator and cd to C:\inetpub\win-acme.v2.1.10.896.x64.pluggable
      5. Type wacs.exe and press Enter
      6. Follow the instructions.
      7. Open Task Scheduler and ensure that a task with description “Check for renewal of ACME certificates.” has been created.
      8. Open Firewall port 443 if needed.
      9. Open the selected website using HTTPS protocol.
      10. Update emails to which notifications will be sent: Open wacs.exe, type O, then A, then y, and enter an email.
      11. Remove website from automatic renewal:
        wacs.exe --list
        // Copy the exact name between ": " and " - renewed" without quotes.
        // Example: [IISBinding] huybien.com
        wacs.exe --cancel --friendlyname "[IISBinding] huybien.com"

      Redirecting HTTP to HTTPS in IIS7:

      1. Install the Microsoft URL Rewrite Module if needed.
      2. Make sure Require SSL is NOT checked under SSL Settings for your website.
      3. Copy and paste the following code between the <rules> and </rules> tags in your web.config file in your website root directory.
      <rule name="HTTP to HTTPS redirect" stopProcessing="true">
        <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
        <action type="Redirect" redirectType="Found" url="https://{HTTP_HOST}/{R:1}" />
      </rule>

      4. Open your site using HTTP protocol and ensure that you are redirected to the HTTPS site.

      Multiple SSL Certificates per IP Address

      1. You have to use Server 2012 IIS to support Server Name Indication (SNI) which allows you to bind multiple SSL certificates to a single IP Address.
      2. Please repeat the Procedure for each site, then go to the IIS site, Bindings and ensure that the check box Require Server Name Indication is selected and the corresponding SSL Certificate is selected.
      3. Please be noted that SNI does not work with Windows XP clients.

      For Ubuntu and nginx

      1. Login as root via SSH to a Ubuntu server.
      2. Execute 3 commands below.
      sudo apt install python-certbot-nginx
      sudo certbot --nginx -d huybien.com -d www.huybien.com
      sudo certbot renew --dry-run

      3. Remove a certificate:

      sudo certbot delete

      4. Update emails to which notifications will be sent:

      sudo certbot register --update-registration --email info@huybien.com

      5. Review Let’s Encrypt’s log file:

      sudo nano /var/log/letsencrypt/letsencrypt.log

      Press Ctrl+W, then enter a string to be found. Press Alt+W to find a next match.

       

       

      Topic 7 – Introduction to Web Application Development

      Why do I need to learn about web application development?

      Desktop applications are very powerful and convenient but their development, deployment and maintenance are daunting. The reason is that the platform dependency makes it very expensive to create a desktop application working on different versions of different operating systems, such as Windows, Linux and Mac OSX. Deployment and updates of desktop application typically require high privileges access to a computer machine, causing a problem for companies requiring high security.
      
      Fortunately, you can overcome these limitations by creating a web application running on a browser. To create a web application you need to learn about web application development.

      What can I do after finishing learning web application development?

      You will be able to create web applications like The BBC News, The WordPress Blog or The White House Website.

      This is just what I want to learn! What should I do now?

      Web application development requires a lot of reading. You have to master networking concepts, HTML, CSS, JavaScript, a programming language and a database management system for web.
      Please read 
      - this Semmy Purewal (2014). Learning Web App Development. O'Reilly Media book, and
      - this Jon Duckett (2011). HTML & CSS - Design and Build Websites. John Wiley & Sons book first to get familiar with web application development.
      After that please read
      - this Stephen Greig (2013). CSS3 - Pushing the Limits. John Wiley & Sons book and
      - this Anne Boehm and Zak Ruvalcaba (2018). Murach's HTML5 and CSS3. Mike Murach and Associates book to learn in-depth about HTML and CSS.
      JavaScript is the language for web development because it is implemented in most of the web browsers. Please read 
      - this David Flanagan (2020). JavaScript: The Definitive Guide. O'Reilly Media book, and 
      - this Kyle Simpson (2015). You Don't Know JS. O'Reilly Media book, and
      - this Jon Duckett (2014). JavaScript and JQuery. Interactive Front-End Web Development. John Wiley & Sons book to master it. Strong knowledge of JavaScript will ease your web development learning very much.
      Single page application is the default front-end choice for most of new web development projects. Please read 
      - this Kirupa Chinnathambi (2018). Learning React. Addison-Wesley Professional book, and 
      - this Robin Wieruch (2020). The Road to React - Your Journey to Master Plain Yet Pragmatic React. Leanpub book to learn how to create a single page application (SPA).
      After that you will have 4 main options. You can choose one of them. We STRONGLY recommend that you choose only ONE option. You should NOT learn all of them at the beginning. You could save your time by digging into only one option. After mastering the selected path, you will realize that all of them are very similar in the sense of use. One note is that although their concepts are similar to one another but they will still take us much time to learn how to apply implementation of an approach in real world solutions.
      When developing a real world web application, you often use only one or two of these 4 approaches. If you cannot make your own selection then we recommend you 
      - a combination of the first and second option, or
      - a combination of the first and third option, or
      - a combination of the first and fourth option.
      
      The first option is PHP world.  Please read 
      - this Luke Welling and Laura Thomson (2016). PHP and MySQL Web Development. Addison-Wesley Professional book or 
      - this Robin Nixon (2018). Learning PHP, MySQL & JavaScript. O'Reilly book.
      After that depending on your projects you can read these books below. 
      - Brad Williams, David Damstra and Hal Stern (2015). Professional WordPress: Design and Development. Wrox.
      The second option is ASP.NET Core. Please read
      - Adam Freeman (2020). Pro ASP.NET Core 3: Develop Cloud-Ready Web Applications Using MVC, Blazor, and Razor Pages. Apress book and
      - this Andrew Lock (2021). ASP.NET Core in Action. Manning book.
      A complementary part for this option is ASP.NET Web Forms. Please read this "Imar Spaanjaars (2014). Beginning ASP.NET 4.5.1: in C# and VB" book.
      The third option is Java world. if you are not familiar with Java language then please read 
      - this Cay S. Horstmann (2019). Core Java. Volume I - Fundamentals. Pearson book, and
      - this Cay S. Horstmann (2019). Core Java. Volume II - Advanced Features. Pearson book first.
      
      Then please read 
      - this Tim Downey (2021). Guide to Web Development with Java - Understanding Website Creation. Springer book or 
      - this Nicholas S. Williams (2014). Professional Java for Web Applications. John Wiley & Sons book.
      The 4th option is Node.js world.  Please read this
      - this Jonathan Wexler (2019). Get Programming with Node.js. Manning Publications book, and
      - this Bruno Joseph D'mello et al. (2017). Web Development with MongoDB and Node. Packt Publishing book.
      There are also several other options that you may consider. These options include Ruby on Rails and Flask.
      
      If you need to convert a web application from one platform to another or create a web application framework please read 
      - this Leon Shklar and Richard Rosen (2009). Web Application Architecture. John Wiley & Sons book, and
      - this Leonard Richardson and Mike Amundsen (2013). RESTful Web APIs. O'Reilly Media book.
      After finishing the books please click Topic 8 - Introduction to Mobile Application Development to continue.