WordPress
About
WordPress Trac - Bug Tracker
wpbeginner.com How to enable automatic updates in WordPress for major versions
wpbeginner.com Enable automatic updates for WordPress plugins and themes
Configure
wp-cron
By default
- WP-Cron works by checking, on every page load, a list of scheduled tasks to see what needs to be run. Any tasks due to run will be called during that page load.
- Costs performance, as tasks are executed on click.
- Latency, Slow down, …
- Scheduling errors occur if no click happens within 3 hours.
- Auto-updates fail …
- The system cron based solution actually is only an automated web request to wp-cron.php.
- WTF?!
Install the lightweight curl (the WordPress docs use wget by default)
apt install curl
/etc/cron.d/wordpress
#
# Ansible managed
#

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
*/5 * * * * www-data curl --silent --show-error --output /dev/null http://localhost/wp-cron.php
# wget alternative; files in /etc/cron.d need the user-name field as well
#*/5 * * * * www-data wget --delete-after http://localhost/wp-cron.php
To disable click-based scheduling, add the following line to
wp-config.php
define( 'DISABLE_WP_CRON', true );
Password Hashes
PHPass details
By default, WordPress stores passwords hashed with PHPass (P H Pass), the Portable PHP password hashing framework.
For the implementation details please see
wp-includes/class-phpass.php
They look like these:
$P$Hzp60wGyNNrc1I1BGWzMLerexnIKPg1
Attributes
- Length: 34 characters
- Based on MD5
wp-includes/class-phpass.php
# We were kind of forced to use MD5 here since it's the only
# cryptographic primitive that was available in all versions
# of PHP in use. To implement our own low-level crypto in PHP
# would have resulted in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
- Salted with 8 chars
- Exponential cost factor
Substrings
- OFFSET=0, LENGTH=3: Identifier, usually $P$; only PHPBB3 (PHP Bulletin Board 3) uses $H$
- OFFSET=3, LENGTH=1: Cost, log2 of the number of hash rounds (of salt+prev_hash)
  - encoded as position of the character in the string
    ./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz (64 chars -> Positions: 0-63)
  - examples:
    B ~ 13 -> 2^13 = 8192 rounds
    H ~ 19 -> 2^19 = 524288 rounds (better)
- OFFSET=4, LENGTH=8: Salt of 8 chars
- OFFSET=12, LENGTH=22: Actual hash
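The layout above as an added Python example (not code from WordPress or PHPass): it splits a stored hash at the listed offsets and recomputes it with the iterated-MD5 construction of the portable format, so the cost of existing hashes can be audited. The function names are hypothetical, and UTF-8 password encoding is an assumption.

```python
import hashlib
import hmac

# Alphabet from the cost description above (positions 0-63).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def parse(stored: str) -> dict:
    """Split a 34-character portable hash at the offsets listed above."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable PHPass hash")
    cost_log2 = ITOA64.find(stored[3])
    if not 7 <= cost_log2 <= 30:  # range class-phpass.php accepts
        raise ValueError("cost character out of range")
    if any(c not in ITOA64 for c in stored[4:]):
        raise ValueError("invalid character in salt or hash")
    return {"id": stored[:3], "cost_log2": cost_log2, "rounds": 1 << cost_log2,
            "salt": stored[4:12], "hash": stored[12:]}


def encode64(data: bytes) -> str:
    """PHPass base64 variant: 3-byte little-endian groups, low 6 bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for j in range(len(chunk) + 1):  # n bytes -> n + 1 characters
            out.append(ITOA64[(value >> (6 * j)) & 0x3F])
    return "".join(out)


def compute(password: str, ident: str, cost_log2: int, salt: str) -> str:
    """Iterated MD5: one salted round, then 2**cost_log2 chained rounds."""
    pw = password.encode("utf-8")  # assumption: password bytes are UTF-8
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << cost_log2):
        digest = hashlib.md5(digest + pw).digest()
    return ident + ITOA64[cost_log2] + salt + encode64(digest)


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    f = parse(stored)
    candidate = compute(password, f["id"], f["cost_log2"], f["salt"])
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(parse("$P$Hzp60wGyNNrc1I1BGWzMLerexnIKPg1"))  # sample from the page
    demo = compute("constructed-demo-password", "$P$", 13, "abcdefgh")
    print(demo, verify("constructed-demo-password", demo))
```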
Structure
When Python Passlib is available, these can be generated in Ansible with
Password conclusion
Use a unique password for each WordPress instance.
- A plugin should be used to provide a more appropriate password hashing algorithm in case of theft or leakage of the database.
Plugins
Automatic upgrades of plugins should always be activated.
W3 Total Cache (W3TC)
Significantly speeds up the site through caching of static content.
Wordfence Security