How to Dump / Export all MySQL Databases Individually Using php

Posted on Oct 6, 2016 in Servers

Database backups are super important. They are also important when you have to do migrations. Some of the sites can just be deleted and don't need to be migrated, so you need only a few databases exported. Almost all of my business & personal files are in Dropbox so they are backed up as soon as something changes, which is nice, and I don't have to think about it. When programming, though, the databases are not automatically backed up to the cloud.

There's the mysqldump tool, but you can either export/dump one or all databases. To get each database in its own file you have to write a tool. I checked and there are lots of Linux tools that allow you to export the databases, which is nice, but if you're running Windows they probably won't work.

For those who don't want to or can't use Linux/bash, here's a PHP version of a MySQL database dump tool. It exports each database into its own SQL file. If gzip is present it will compress the file. If there are errors they are logged in a database-specific log file.

You can download the PHP version of the MySQL database dump tool here: >> https://github.com/orbisius/server-tools/raw/master/mysql_db_dumper.php

If you want to contribute to the project feel free to fork it at >>...


What Files to Exclude when Backing Up a WordPress Site with Duplicator Plugin

Posted on Jul 19, 2016 in Backup

Almost everybody knows (and has used) the WordPress Duplicator plugin. It allows you to quickly back up your site to set it up on a new server or just for your own backups. The thing that I don't like is that it requires a fresh database when importing a site and will delete any other db tables. Of course it warns you about that and doesn't do it in a surprising way. When exporting a site, if you share the same database with other apps or another WordPress install, you have to manually choose which tables to exclude from the backup. I am sure the author Cory Lamle has had good reasons to have those in place. I know that there's a Duplicator Pro version. Maybe it doesn't have those limitations. I haven't used it just yet.

Depending on your reasons to package the site you will need to exclude some files and not others.

Scenario 1: Troubleshooting a theme or a plugin: partial WordPress site backup

You want to quickly troubleshoot a plugin or a theme. In this case you don't need everything from the uploads folder. That way the package will be smaller and the packaging process will finish quicker. Hmm, on second thought maybe you want it to take longer ;) Ok. Let's get back to writing.

File Directories to exclude:

    /var/www/vhosts/somesite.com/htdocs/wp-content/uploads;
    /var/www/vhosts/somesite.com/htdocs/wp-content/*backup*;
    /var/www/vhosts/somesite.com/htdocs/wp-content/*cache*;

File Extensions to exclude:

    zip;tar;log;txt;gz;bak;mp3;mp4;pdf;doc;docx;xls;xlsx

We're excluding all of those file types/extensions because they won't help the troubleshooting process in any way.

Scenario 2: (Almost) full WordPress site backup

File Directories to exclude:

    /var/www/vhosts/somesite.com/htdocs/wp-content/*backup*;
    /var/www/vhosts/somesite.com/htdocs/wp-content/*cache*;

File Extensions to exclude:

    zip;tar;log;txt;gz;bak

We're surrounding backup with asterisks so the 'backup' keyword can appear anywhere in the folder name. We want those folders excluded from the final archive file because they will most likely be full site copies created by another backup plugin. The same applies to cache folders.

Note: I have used [/var/www/vhosts/somesite.com] as an example file path to the document root of the site. Your site's root dir will most likely be different. Fortunately, Duplicator has 2-3 useful links that you can click on to find out what the exact root path is. If you're not using the correct path the exclusions won't work.

What files or folders do you exclude from your backup/clone process?

Setup WordPress site in seconds? No way! Don't believe me? Visit qSandbox for more...


How to Block Script Execution from WordPress Uploads Folders

Posted on Jul 19, 2016 in Security

There are many ways to improve the security of your site and you should try to do as much as possible to protect your (client) sites. Here's another way to enhance the security of your site.

Problem: If your site is running an outdated piece of software, malicious people will try to upload & execute files from your uploads folder. With the following rules we'll block requests to certain files from that folder. That way even if the attacker manages to upload a file he/she won't be able to execute it.

This post assumes that you're running an Apache web server. The rules for nginx should be very similar.

If you are running Apache v2.4+ add this to the root .htaccess file (create it if necessary) (document root). If you have access to the server it's better to put this snippet in /etc/apache2/conf-enabled/00_block_scripts_in_uploads.conf and then reload the server config. Doing this at server level would save precious server resources AND the rules will apply to ANY site hosted on the server.

    <LocationMatch "/uploads?/.*?\.(php\d*|py|cgi|pl)">
        Require all denied
    </LocationMatch>

For Apache < v2.4 put this in an .htaccess file (create it if necessary) residing in the uploads folder you want to protect. If using WordPress you should put it in wp-content/uploads/

    <FilesMatch "\.(php\d*|py|cgi|pl)">
        Order allow,deny
        Deny from all
    </FilesMatch>

Notes:

The regular expression doesn't end in $, which would restrict the match to files that end with one of these extensions. Don't we want exactly that? Well, yes, and we want a lot more! In this WordPress.org forum post somebody suggested that the attacker could also name the script file as test.php.jpg, which would bypass any security checks done just for extensions as they would assume it's an image. That's why we're looking for a known extension anywhere within the filename.

\d* means that the php extension may or may not be followed by a number. This will match e.g. test.php and test.php4 and test.php5 etc.

The observant ones have noticed that the text above didn't mention WordPress at all. Well, it is related to WordPress because WordPress' uploads folder usually is in wp-content/uploads. The rules above will match requests to (sub)folders named upload or uploads and are therefore applicable to WP.

Related

http://httpd.apache.org/docs/current/sections.html

Do you use test/staging sites? Visit qSandbox for more...
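To see what the two rules from the uploads post actually deny, the following added example (not part of the original post) runs both regular expressions over a handful of constructed request paths. The function names and sample paths are assumptions made for illustration; only the two patterns come from the post.

```python
import posixpath
import re

# Both expressions are copied from the post. Apache runs them as unanchored
# regex searches, which re.search reproduces for this syntax.
# Per the Apache docs, <LocationMatch> is valid in server config and virtual
# host context; <FilesMatch> is also allowed in .htaccess.
LOCATION_MATCH = re.compile(r"/uploads?/.*?\.(php\d*|py|cgi|pl)")  # vs. URL path
FILES_MATCH = re.compile(r"\.(php\d*|py|cgi|pl)")                  # vs. file name


def denied_by_location(url_path):
    """True if the <LocationMatch> rule (Apache 2.4+) denies this URL path."""
    return LOCATION_MATCH.search(url_path) is not None


def denied_by_files(url_path):
    """True if the <FilesMatch> rule denies this file.

    Only meaningful for files below the folder that holds the .htaccess.
    """
    return FILES_MATCH.search(posixpath.basename(url_path)) is not None


def audit(paths):
    """Map each request path to (LocationMatch verdict, FilesMatch verdict)."""
    return {p: (denied_by_location(p), denied_by_files(p)) for p in paths}


# Constructed request paths, not taken from a real access log.
SAMPLE_PATHS = [
    "/wp-content/uploads/2016/07/photo.jpg",       # ordinary image: allowed
    "/wp-content/uploads/2016/07/test.php",        # script: denied
    "/wp-content/uploads/2016/07/test.php5",       # \d* covers versioned suffix
    "/wp-content/uploads/2016/07/test.php.jpg",    # extension inside the name
    "/wp-content/uploads/2016/07/floor.plan.pdf",  # over-blocked: ".pl" in ".plan"
    "/upload/run.cgi",                             # singular "upload" folder
]

if __name__ == "__main__":
    for path, (loc, files) in audit(SAMPLE_PATHS).items():
        print(f"{'DENY' if loc else 'ok':5} {'DENY' if files else 'ok':5} {path}")
```

Because the patterns are deliberately unanchored, a legitimate upload such as floor.plan.pdf is denied as well, so it is worth running the site's existing media file names through the same check before deploying the rule.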


How to Make WooCommerce Refresh its cart-contents Widget

Posted on Jul 15, 2016 in WooCommerce

I am not going to start with a pointless intro about WooCommerce and how many sites WooCommerce powers. If you're reading this post you know for sure what it does so I will just dive in.

In a recent update of our WooCommerce plugin which allows bulk product adding we've added Ajax add to cart so the clients can stay on the same page in case they want to add more products a few seconds later. This has to be enabled from the plugin's Settings which can be found in WP Admin > Settings > Orbisius Quick Order for WooCommerce.

One of our customers & also great beta tester Annie (Hi Annie) noticed that the WooCommerce cart-contents widget wasn't refreshing, i.e. the user adds one or more products to the shopping cart, the page correctly doesn't refresh but the widget that shows the current total didn't change at all. Same thing for mobile view as well. This was happening with the Storefront theme.

I started digging into WooCommerce & the Storefront theme and found the piece of code that was responsible for triggering and refreshing the so-called fragments. WooCommerce makes an Ajax call and receives JSON back. The JSON nicely includes different fields that contain HTML code that can be used to replace different sections on the page. A theme or a plugin can/will handle the add to cart and make some (visual) changes.

The code that reloads those fragments can be found here: \plugins\woocommerce\assets\js\frontend\cart-fragments.js

To refresh the WooCommerce widget you have to copy the code below:

    // $supports_html5_storage, set_cart_hash() and set_cart_creation_timestamp()
    // are defined in cart-fragments.js and must be in scope where this runs.
    var $fragment_refresh = {
        url: wc_cart_fragments_params.wc_ajax_url.toString().replace( '%%endpoint%%', 'get_refreshed_fragments' ),
        type: 'POST',
        success: function( data ) {
            if ( data && data.fragments ) {
                // Replace each page section with the fresh HTML for its selector.
                $.each( data.fragments, function( key, value ) {
                    $( key ).replaceWith( value );
                });

                if ( $supports_html5_storage ) {
                    sessionStorage.setItem( wc_cart_fragments_params.fragment_name, JSON.stringify( data.fragments ) );
                    set_cart_hash( data.cart_hash );

                    if ( data.cart_hash ) {
                        set_cart_creation_timestamp();
                    }
                }

                $( document.body ).trigger( 'wc_fragments_refreshed' );
            }
        }
    };

... and to trigger the event you do this:

    $.ajax( $fragment_refresh );

or

    jQuery.ajax( $fragment_refresh );

Note: if you have this snippet code in php you may have to rename $fragment_refresh to my_plugin_fragment_refresh so the dollar sign $ doesn't get interpreted as a php variable.

Ideal way

It would have been awesome if we could trigger the fragments to reload with a simple custom jQuery event and not have to copy and paste the code above.

    $( document.body ).trigger( 'wc_reload_fragments' );

or

    $( document.body ).trigger( 'wc_force_reload_fragments'...


How to Return Page Not Found Error (Status 404) Instead of Access Forbidden (Status 403)

Posted on Jul 11, 2016 in Web Development

Why bother doing this?

If somebody is trying to access a file or a folder on your server, the less they know the better. Once the attacker finds out that some files are there and potentially accessible they could start guessing file names to see if you have forgotten some interesting files like passwords for ftp, social media accounts etc.

The how

Add these lines in your .htaccess in the document root folder. If the file doesn't exist create it.

    ErrorDocument 403 /error/404.php
    ErrorDocument 404 /error/404.php

In the folders that you'd like to protect (e.g. docs/, /includes/, marketing/) so they are not accessible via browser, create a new .htaccess file with content:

    deny from all

Note: Assuming that you're running the Apache web server.

In the document root (where your site is) create a folder /error/ and then create an /error/404.php file.

We need php to correct the status code (if necessary) because the Apache server will return the error page, but if we don't override the status code the header will still show a 403 status code.

    <?php
    // Do not let any attacker know that they have just been denied access.
    // This code requires php 5.4 or newer.
    if ( function_exists( 'http_response_code' ) && http_response_code() != 404 ) {
        @http_response_code( 404 );
    }

    echo "Page Not Found.";
    ?>

Effectiveness

This is a pretty basic protection. It should be one of many that you use to protect your sites. Always keep the software you use up-to-date in order to reduce the risk. Whenever possible use managed hosting. The admins know how to protect a server because that's what they do all day long.

Related

http://stackoverflow.com/questions/6479198/denying-via-404-instead-of-403
http://stackoverflow.com/questions/3258634/php-how-to-send-http-response-code
http://php.net/manual/en/function.http-response-code.php
http://stackoverflow.com/questions/548156/problem-redirecting-403-forbidden-to-404-not-found

Other possible titles of this post:

How to force apache to return 404 instead of 403?
How to Redirect 403 Forbidden to 404 Not Found
Denying via 404 instead of 403
How to Deny Access (Status 403) via Page Not Found (Status 404) Error
Showing HTTP/1.1 404 Not Found instead of HTTP/1.1 403 Forbidden
HTTP/1.1 403 Forbidden to HTTP/1.1 404 Not...


How to Add Custom Fields to Connections Pro

Posted on Jul 8, 2016 in Web Development

I had to help with troubleshooting why some custom fields weren't showing up in a form generated by the Connections Pro plugin. I've tried the example in this article. In addition to the "cn_metabox" action, I have also tried cn_loaded and wp's init: nothing. I have passed different attributes to the meta boxes so they are public. Nothing worked. I started wondering if a caching issue was doing some stuff.

Finally, I realized it can't and shouldn't be that difficult. I had checked the code and it was well written so there had to be a reason. Then I checked the admin area. It turned out that I had to manually approve or make the new field(s) active so they can show up in the form. I see this as a nice feature especially if you want to reorder fields. In other cases I would have expected the field to show up.

I wasted a f*** hour on this. That's why I am writing this for others to learn and also exercising my writing skills so that time doesn't go to waste.

Solution

1) I've created a new plugin in /wp-content/plugins/orbisius-custom-form-fields
2) Customized the example code from this link (i.e. changed ids and title etc.) >> http://connections-pro.com/2015/06/23/quicktip-custom-field-adding-a-text-field/
3) Activated the plugin
4) Went to WP Admin > Connections > Settings > Forms and then enabled the fields so they show up on the form.

The direct link is: >> http://yoursite/wp-admin/admin.php?page=connections_settings&tab=form...
