Category: How To

SSL Security: Forward Secrecy
Forward secrecy is actually what it sounds like. It forwards on secrecy. This means that the secret keys you have won’t be compromised even if the server’s key gets hacked. The way it works is by constantly changing things. Basically it’s rotating its encryption forever.

“You’re constantly generating new keys for new messages,” says Nadim Kobeissi, the creator of Cryptocat, one instant messaging app that was early adopter of perfect forward secrecy. That means if a user’s device is stolen or hacked and eavesdroppers steal a decryption key, it doesn’t matter. “The latest message gets compromised, but any message prior to that message or after it can’t be decrypted,” Kobeissi says.

This is a good thing to have on your own server, as it means if a secure transaction (like an ebook sale) is compromised, only that one instance is impacted. No one else gets hacked. No other part of the sale is affected. You minimize damage considerably.

Let’s do this thing!

On Monday we killed off RC4 by going to WHM Home » Service Configuration » Apache Configuration » Global Configuration and changing the cipher suite to this: ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

In order to properly handle perfect forward security, we have to reorder things. Instead of using ALL, which calls everything, we need to put the ciphers in a preference and omit the ones we don’t want. That gives us this:
```
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
```
Awesome. Once we set that, and restart Apache, we go to Service Configuration » Apache Configuration » Include Editor » “Pre Main Include” and pick ‘All Versions’ from the drop down. I’ve edited this section before, when adding HSTS support. But then I edited pre_virtualhost_global.conf (“Pre VirtualHost Include”). This is just a different section.

In the Pre Main Include section, put this:
```
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
```
This forces the SSL protocol to v3 and then v2, but then it demands the order of the ciphers be honored.

Restart Apache and you’re done.

Testing it

If you want to test, go to ssllabs.com/ssltest and you should see something that says A or A+. If you don’t have it right, you’ll max out at an A-.

This site? It’s currently an A+, however that target is always moving. Keep safe out there.
1 February, 2017
SSL Security: Killing RC4

In the middle of debugging what turned out to be an unrelated problem, my friend James pointed out that my server was throwing a warning about the RC4 cipher.

Ciphers?

When you want to transmit secure data, you use a cipher to encrypt the data. RC4 is a (hah) cipher. It generates a stream of random bits and bytes (they’re not really random) and combine them with plain text using a pattern to make an encrypted message. The secure connection unravels the bits because it knows the cipher too.

Ciphers only work if no one knows how to crack them. That isn’t the case with RC4 anymore and it was hacked. Sad news. Time to disable it!

Disable it!

Why was it enabled at all? As it happens, it was enabled on my servers for browsers that can only use it. Old browsers. The funny part is that those old browsers can’t support SNI (which is what lets me have multiple certificates and multiple https sites on one IP address), so the domains were broken anyway.

To disable, I went to WHM Home » Service Configuration » Apache Configuration » Global Configuration and changed my cipher suite to ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

The !RC4 is the part that says “Not this one!”

Restart Apache and you’re safe to go!

30 January, 2017
Text Alerts and Email

Sometimes there are specific emails you want to be alerted to immediately. While there are a lot of options for this, like scripting things on the server level, most email tools let you handle this on their end.

Cautions

Short email is better. You get 160 characters. So this is a tweet length of stuff. Whatever emails you decide to do this with must be short.

Be very careful based on how many texts you think you’ll get. If you get too many, you’ll blow through your limits.

In order to email anything to your phone as a text, you need to know your email address. They all work the same way, in that it’s a phone number followed by an @something – just like normal email. What’s your address? You’ll have to read your network provider’s documentation. Wikipedia has a list of some US carriers that can get you started. If you have the option for MMS, and you know your email has pictures and stuff, use that. But again, you should be short!

How To

All you have to do is create a filter for the emails you want to forward. Seriously, that’s it.

My gmail filter looks for emails with the subject [Mass WP Upgrade] and if found, applies a label, moves to a folder, never marks as spam, and yes, texts me.

If you do this you’ll get an alert telling you that if you don’t mark things as spam, you can (heh) spam the hell out of your forward and get in trouble.

This is pretty much the same as for cPanel, who has incredibly robust filter available. The extra fun is that while you can just use “Redirect to Email” to forward the message, you can also pipe it to a program on your server. If that made no sense to you, don’t worry about it. Just know it’s there.

If you’re using gmail, you also need to add your text email address as a forwarding address. Don’t Panic!! I know it makes it look like it’ll forward all your email. It won’t. For cPanel and other things, they don’t require verification of the forwarding destination.

27 January, 2017
Cleaning up SVGs
If you were here on Friday, I talked about the headache of using SVGs on AMP pages. In that post I mentioned that one of the fixes was to ‘clean’ the SVG file.

Why would be bother? The simple answer is that smaller files are better. But as we learned with AMP being picky, it’s also because we want our files to be fully compatible with all browsers and servers. SVG standards are important, after all.

So let’s clean!

Remove Headers

If your SVG starts with this, just remove it:
```

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN">
```
Remove Less Standard Tags

I wouldn’t have realized these weren’t super standard if it hadn’t been for AMP alerts. But these aren’t:
```
xmlns:x="&ns_extend;" xmlns:i="&ns_ai;" xmlns:graph="&ns_graphs;"
```
Again, remove them. But also you want to remove tags like <g i:extraneous="self"> and that’s tricky because you’ll usually see it like this:
```
<g i:extraneous="self">
    <g>
        [Image stuff]
    </g>
</g>
```
If you use a regular expression like I did, be very cautious. I checked every single one of my 700 SVGs after the edits to make sure they still worked. There were cases where the only call to the <g> tag was with the extraneous stuff, so I had to very cautiously replace. I missed about 40.

Remove Illustrator’s Extra Shit

Here’s where you’re going to save the most space. First remove the requiredExtensions stuff:
```
	<foreignObject requiredExtensions="&ns_ai;" x="0" y="0" width="1" height="1">
		<i:pgfRef  xlink:href="#adobe_illustrator_pgf">
		</i:pgfRef>
	</foreignObject>
```
And then remove the big hunk of PGF:
```
<i:pgf  id="adobe_illustrator_pgf">(.*)</i:pgf>
```
I can’t show you the actual content. It’s huge. It’s way huge. It’s up to 20k huge.

Remove Switch

If you’re not using the switch, you want to remove it.
```
<switch>
	<g i:extraneous="self">
		<rect fill="#231F20" width="28" height="28"/>
	</g>
</switch>
```
End Result?

A 29 KB file is 4KB. And that is a faster internet.
16 January, 2017
Rebranding Featured Image
WordPress 3.0 introduced featured images, letting everyone designate an image for a post (or page) in a way that themes have taken great advantage of in the intervening years. The concept of a ‘featured’ image was easy enough to understand. An image the content featured. Cool. But it can do so much more.

The Defaults

The basic box is one all WordPress users are familiar with:

A simple box that says “Featured Image” with a link to set the featured image.

It’s great, but it’s a little boring.

Changing the Title

The actual trick to this is to remove the metabox. The three attributes you will need are the name of the meta box, the post type, and the location. The post type is the one most of you are going to change. For example, I wanted to change the title for a specific post type so it was clearer what kind of image I was looking for to use as a featured. For TV shows, I wanted it to indicate that I was looking for a Title Card type image.
```
add_action('do_meta_boxes', 'featured_image_title_post_type_shows');
function featured_image_title_post_type_shows() {
    remove_meta_box( 'postimagediv', 'post_type_shows', 'side' );
    add_meta_box('postimagediv', __('Show Image/Title Card'), 'post_thumbnail_meta_box', 'post_type_shows', 'side');
}
```
This little snippet removes the meta box and then adds it back with a new title:

Changing the Main Content

Once the title is changed, the next step is to change the content. I’ve done this before, putting in the image size to the content. What I wanted to do here was change the content from “Set featured image” to “Set show image” and for that, I want to use a string replacement:
```
add_filter( 'admin_post_thumbnail_html', 'set_featured_image_text_post_type_shows' );
function set_featured_image_text_post_type_shows( $content ) {
    global $current_screen;

    if( !is_null($current_screen) && 'post_type_shows' == $current_screen->post_type )
        return $content = str_replace( __( 'Set featured image' ), __( 'Set show image' ), $content);
    else
        return $content;
}
```
But that only changed the one. Once you’ve set a featured image, the language changes to “Remove featured image”. I could add in more replacements, or I could be smart. We like being smart.
```
return $content = str_replace( __( 'featured' ), __( 'show' ), $content);
```
And yes, it works.

Customizing by Type

What if you have ten custom post types? Well then it’s time to get smart! By using anonymous functions, we can do this quite effectively, getting a list of all the publicly registered post types that aren’t the built-ins, and then for each one, renaming the content:
```
// Customize Featyred images for CPTs
add_action( 'admin_init', 'helf_featured_images' );
function helf_featured_images() {
	$post_type_args = array(
	   'public'   => true,
	   '_builtin' => false
	);
	$post_types = get_post_types( $post_type_args, 'objects' );
	foreach ( $post_types as $post_type ) {

		$type = $post_type->name;
		$name = $post_type->labels->singular_name;

		// change the default "Featured Image" metabox title
		add_action('do_meta_boxes', function() use ( $type, $name ) {
			remove_meta_box( 'postimagediv', $type, 'side' );
			add_meta_box('postimagediv', $name.' Image', 'post_thumbnail_meta_box', $type, 'side');
		});

		// change the default "Set Featured Image" text
		add_filter( 'admin_post_thumbnail_html', function( $content ) use ( $type, $name ) {
			global $current_screen;
			if( !is_null($current_screen) && $type == $current_screen->post_type ) {
				return $content = str_replace( __( 'featured' ), strtolower( $name ) , $content);
			} else {
				return $content;
			}
		});
	}
}
```
This trick uses the values of a custom post type which you already set when you built out your custom post types.

Customizing the Content Further

Now that we’ve changed ‘featured’ to match our custom post types, it’s time to take it even further. Can we smartly add in the image size? Usually the answer here is no, because it’s impossible to know what you want to have as your featured image size for each custom post type. As it happens I can because I was smart.

Every single CPT that has a special image has an image size for it:
```
add_image_size( 'character-img', 150, 200, true );
add_image_size( 'show-img', 960, 400, true );
```
And my post-names for those things are ‘post_type_characters’ and ‘post_type_shows’. This means I can add the following to my filter for admin_post_thumbnail_html:
```
		add_filter( 'admin_post_thumbnail_html', function( $content ) use ( $type, $name ) {
			global $current_screen;
			if( !is_null($current_screen) && $type == $current_screen->post_type ) {
			    // Get featured image size
			    global $_wp_additional_image_sizes;
			    $genesis_image_size = rtrim( str_replace( 'post_type_', '', $type ), 's' ).'-img';

			    if ( isset( $_wp_additional_image_sizes[ $genesis_image_size ] ) ) {
			        $content = '<p>Image Size: ' . $_wp_additional_image_sizes[$genesis_image_size]['width'] . 'x' . $_wp_additional_image_sizes[$genesis_image_size]['height'] . 'px</p>' . $content;
			    }
				$content = str_replace( __( 'featured' ), strtolower( $name ) , $content);
			}
			return $content;
		});
```
This could even be extended to only show the image size when it was not set. For now, this does what I want.

How’s it look?

Not bad:

And there you have it. More information for your users to know what kind of and size image to use.
11 January, 2017
Recoding Taxonomies
It’s hard to know what the future will be. When initially building out a site, it’s a game of guesswork to name things. You want to name them to be long term sustainable, but without a crystal ball, there will be missteps.

Take, for example, the case of custom taxonomies. When my site was originally built out, it only had one custom set of tags and they were logically called sitename_tags. As the site grew, it became apparent that multiple tags were going to be needed and, in the end, it had five.

What Are Our Names

While it’s relatively easy to rename a taxonomy’s display name by editing the data in register_taxonomy, you don’t want to rename the rewrite after the fact. You can do it, of course, but I recommend you be really up to speed on your redirects before you try. Obviously the best choice is to pick good names in the beginning. But what names are we actually talking about?
1. The Display Name – This is the name your readers (and you) see. Categories and Tags are display names. In my case, Stations, Clichés, and Tropes are display names. You can change these as you need.
2. The Slug – This is the rewrite I mentioned. It’s in your URL. Don’t change this unless you know redirects.
3. The Taxonomy Name – This is secret. You’d only know what it was if you hovered over the links and noticed that tags have a taxonomy of post_tag.
Today we’re talking about that third one.

Why Bother?

If you’re the only one who really sees that you named your stations show_tag instead of show_station, why does it matter?

As it turns out, if you’re working on the theme and plugins for a site, you will end up running into those quirks when you write a loop to perform complex displays on your data. It’s both annoying to have to always comment things like “Yes show_tag means show_station” so that future you knows what the hell you’re doing.

Like my friend says, the best documentation for a function is a good name, and fixing the name will make you feel better and smarter.

How To Do It

This requires two steps:

1) Run a search/replace on your files to swap the names out
2) Run a search/replace on your database to swap the names out

The reason is that those two things have to be in sync. Since my world lives in a git repo and a server with WP-CLI, I ran a search/replace on my files, pushed the changes, and then ran a quick wp search-replace show_tag show_station to clean it up.

The important thing to note is that what you’re changing in your database is not post content, but meta information and tags tables.
9 January, 2017