How to make the WordPress login for your personal use only

Limit Login Attempts is a very good WordPress plugin that limits how many login retries an IP can perform (and fail) before being locked out for some time. I cannot recommend it enough: it works like a charm and can be tweaked at will. It also notifies you about lockouts, so that you know if someone is trying to gain access to your site. Of course you still need a strong password.

 

Let’s see how a login would work in the real world. If the blog was a house, the login page would be the door and the login button the doorbell. A guest comes to the door, slides their business card under it, and rings the doorbell. The gatekeeper wakes up, collects the business card, and checks the guest’s credentials against the list of people allowed to get in. If there is a match, the gatekeeper opens the door, otherwise they go back to sleep.

In a brute force attack, a guest is trying to get in by submitting ever changing business cards to the gatekeeper, hoping to find a match by mere chance. When such an attack takes place, the gatekeeper is doing a lot of “useless” work, and soon they’ll ask for a raise.

To prevent that, the master provides the gatekeeper with a scanner for business cards that reveals the factory (IP) that made them. The scanner automatically rejects any guest whose business card was made by the same factory as the card of a guest whose credentials were not on the list. This is Limit Login Attempts.

It’s a nice mechanism that in general will work very well because many guests make their business cards themselves. Additionally, there are so many commercial factories around that the risk of a rightful guest using the same factory as a gatecrasher is very small.

 

Limit Login Attempts has been doing quite a nice job since I installed it, but lately undesirable people have started sliding business cards made by many different factories under the door, thus reducing the effectiveness of the scanner a bit. Over time, I went through all these levels of annoyance.

  1. Just ignore them.
  2. Write a sarcastic post about them.
  3. Tweak the scanner to block more and faster.
  4. Destroy the doorbell.

I never have guests on my list: it’s always just me at the door. So I do not need a doorbell because I can call the gatekeeper and trust them to recognize their master’s voice. Of course, I still present my credentials.

Step 1 of 2 – Edit the wp-login.php file

In your WordPress blog directory there is a file called wp-login.php. It’s the file that shows the login page. At the very beginning, after the statement that reads

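require( dirname(__FILE__) . '/wp-load.php' );

insert the following lines of PHP code:

//noteslog.com 2012-02-06 start
// Secret challenge/answer pair: the field name and the value a login POST must carry.
$challenge = 'doit'; $answer = 'now';
// Any POST to wp-login.php without the correct pair is sent to the home page.
if (! ('POST' != $_SERVER['REQUEST_METHOD'] || isset($_POST[$challenge]) && $answer === $_POST[$challenge]))
{
	// home_url() uses the configured site address instead of the client-supplied Host header.
	wp_redirect(home_url('/'));
	exit();
}
unset( $challenge, $answer );
//noteslog.com 2012-02-06 end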

These lines check whether the user has submitted a login form with a given challenge/answer pair. In this example the pair is doit/now. If the pair is there, the login form is processed as usual; otherwise the user is redirected to the home page.

Of course you MUST NOT use doit/now, but feel free to choose any other pair of words that you can easily remember, possibly unrelated, like spoon/pig. (Sorry, now you cannot use that pair either.) Use only letters a through z. (This is not a password!)

That pair is your secret. Do not tell anyone, unless you want them to be able to get through the login page.

Step 2 of 2 – Add a bookmarklet to your browser

Edit the following code such that the challenge/answer pair matches the one used in Step 1. Then make a bookmarklet out of it, copy the result into a new bookmark and call it My login.

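(function(){
/* Replace noteslog.com with your blog's domain. The check keeps the answer from being sent to any other site. */
var action = jQuery('#loginform').attr('action') || '';
if (action.search(/^(http|https):\/\/noteslog\.com\//i) == -1) return alert('No login form or not targeting your blog.');
var challenge = 'doit'; var answer = prompt(challenge, '');
if (answer === null) return; /* prompt was cancelled */
/* Build the hidden field with attr() so the typed answer is never parsed as HTML. */
jQuery('#loginform')
  .append(jQuery('<input type="hidden">').attr({ name: challenge, value: answer }))
  .submit();
})();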

These lines add a challenge/answer pair to the login form and submit it.

When you want to log in, go to the login form and enter your username and password as usual, but remember to hit the bookmarklet instead of the standard button. (If you used the standard button you’d be redirected to the home page, without logging in.)
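
The server-side check from Step 1 can also live outside the core file, so that a WordPress update replacing wp-login.php does not silently remove it. This is an added example, not the author's code and not the Login Dongle plugin; the file name and the constants LOGIN_GATE_CHALLENGE and LOGIN_GATE_ANSWER are hypothetical and would be defined in wp-config.php.

```php
<?php
/*
 * Added example (not the Login Dongle plugin).
 * Assumed location: wp-content/mu-plugins/login-gate.php
 * Assumed configuration in wp-config.php (hypothetical constant names):
 *   define( 'LOGIN_GATE_CHALLENGE', 'yourchallenge' );
 *   define( 'LOGIN_GATE_ANSWER',    'youranswer' );
 */

/**
 * Decide whether a request to wp-login.php may proceed.
 * Same rule as the wp-login.php edit: non-POST requests pass, POST
 * requests must carry the challenge field with the expected answer.
 */
function login_gate_allows( $method, array $post, $challenge, $answer ) {
	if ( 'POST' !== strtoupper( (string) $method ) ) {
		return true; // displaying the login form is always allowed
	}
	// A missing field or array input (challenge[]=...) never matches.
	if ( ! isset( $post[ $challenge ] ) || ! is_string( $post[ $challenge ] ) ) {
		return false;
	}
	// Strict, constant-time comparison of the expected and submitted answer.
	return hash_equals( (string) $answer, $post[ $challenge ] );
}

// login_init fires at the top of wp-login.php, before credentials are processed.
add_action( 'login_init', function () {
	if ( ! defined( 'LOGIN_GATE_CHALLENGE' ) || ! defined( 'LOGIN_GATE_ANSWER' ) ) {
		return; // not configured: leave the login page untouched
	}
	$method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
	if ( login_gate_allows( $method, $_POST, LOGIN_GATE_CHALLENGE, LOGIN_GATE_ANSWER ) ) {
		return;
	}
	// Redirect target comes from the site configuration, not from the Host header.
	wp_safe_redirect( home_url( '/' ) );
	exit;
} );
```

With this file in place the edit to wp-login.php is not needed, and the bookmarklet from Step 2 works unchanged as long as it uses the same challenge.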

A Login Dongle Plugin

I’ve already made a Login Dongle plugin for WordPress with all that code. I’m going to upload it this week. Stay tuned.

EDIT (2012-02-09): http://wordpress.org/extend/plugins/login-dongle/

 

How to recover an old installation with Softaculous

Yesterday I had some time and will to update my TikiWiki installation, that I created in 2008, with version 2 something. When I checked it yesterday, I discovered that the current version is 8.3 !! So I thought: OK, let’s do it!

Unfortunately, a lot of time converts to a lot of changes, so it was probably more trouble than it would have been if I had kept TikiWiki up to date over time. Not only had the version of the application changed, but also other basic setups of my hosting provider, including the cPanel version and the Softaculous version. I tried it anyway, using the Softaculous updater, but it failed. So I went for my backup.

Fortunately, I made a backup before proceeding, and I’ve been able to restore it by now. Really I made two, for good measure, and that was “lucky” because I needed both. So I’m going to suggest the same to you. Do both a database backup (I used cPanel, but anything that can export SQL does the job) and an installation backup (with Softaculous).

 

Softaculous backs up an installation, but the zip does not appear in the backups page.

This is something I was worried about since I got it. Soon after backing up something, Softaculous shows a progress bar and finally a success page that informs you that you will find that backup in the backups page. You navigate there and the zip does not appear !! I made a brand new backup, but I got the same: no zip in the backups page, just the message “You do not have any backups”.

The workaround is to

  1. remove the old installation completely if it’s still there
  2. create a fresh one at the old directory and with the old database name (dummy installation) BUT input your current email address for receiving the installation details
  3. get the number that appears at the end of the backup URL: let’s say it’s 5
  4. access your site with a file manager
  5. enter the softaculous_backups folder
  6. locate the zip file of the backup: you’ll discover it was properly created, with a name like “tiki.0.2012-02-04_19-50-44.zip”
  7. rename it to “tiki.5.2012-02-04_19-50-44.zip”
  8. refresh the backups page

Now you’ll see the zip in the backups page, and you will be able to restore it from there.

Softaculous restores an installation, but the database is empty.

So you restore it, go to the application page and you get a connection error. You check with the file manager and see the application file structure in the old directory, then you check with phpMyAdmin and see the database, but it’s completely empty !! The problem here was that the dummy installation created a database with the old name and the old user name BUT with a new user password.

The workaround is to

  1. import the database backup with phpMyAdmin
  2. edit the database configuration file in the application folder, such that the password is the one sent to your email address

Now you’ll see the application page as it was at backup time, and you’ll be able to go on from there.

 

I’m now going to find a way to export my old wiki content from the old installation and import it back into a new one. Wish me luck.

 

Google Chrome Extensions/Apps for Hacker News

I collected all data between 2012-02-02 and 2012-02-03.

I tested all the 50 extensions/apps with news.ycombinator.com; I did not test all the other HN domains (news.ycombinator.org, news.ycombinator.net, hackerne.ws).

The order in which the extensions/apps appear below is not significant, except for the ones I tagged very useful, which come first. (broken < obsolete < 0 < funny < interesting < useful < very useful)

  1. Hacker News Amplifier 1.6 — Use this HN amplifier to see news with most points and comments at a glance, while preserving list order.
    Pop: 3 — Pro: It does it. Highly compatible. — Con: The icon could be better. — Very useful. (disclosure: I made it)
  2. HN Unread Comments 1.1 — Shows unread comments on Hacker News (http://news.ycombinator.com/).
    Pop: 59 — Pro: It does it. — Con: There could be a count on the home page. The color of the highlighting border could be an option. — Very useful.
  3. Hacker News Sidebar 1.0.7 — Hacker News integration for Chrome.
    Pop: 421 — Pro: It works. — Con: The sidebar doesn’t show up if a web page is on HN but it has still no comments. A page action could be a better handle for the sidebar. — Very useful.
  4. What HN says 0.2 — Shows the current page score. Click on icon to see discussion in Hacker News.
    Pop: 2 — Pro: It does it. — Con: Nothing. — Very useful. (similar to Hacker News Sidebar)
  5. HN New Comments 0.314 — Highlight new and edited comments.
    Pop: 12 — Pro: It does it. — Con: Options page lacks a title. — Very useful. (similar to HN Unread Comments 1.1)
  6. HNCommentTracker 0.2 — Hacker News Comment Tracker.
    Pop: 18 — Pro: It does it. — Con: Inconsistent: “new” and “unread” used interchangeably. — Very useful. (similar to HN Unread Comments 1.1)
  7. Hacker News’d! 1.0 — Lets you know if the page you’re looking at has been discussed on Hacker News (and lets you jump straight to that discussion).
    Pop: 210 — Pro: It does it. — Con: Nothing. — Very useful. (similar to Hacker News Sidebar 1.0.7)
  8. Hacker News UX 1.2.2.1 — Hacker News improve user experience experiment.
    Pop: 371 — Pro: “About” feature very useful. — Con: There’s no option for enabling only what you need. It’s only home compatible with HN Amplifier. — Very useful.
  9. Hacker News – Show Read Comments 1.0 — This is an extension to show you which comments you’ve already read.
    Pop: 7 — Pro: It does it. — Con: Nothing. — Very useful. (similar to HN Unread Comments 1.1)
  10. Hacker Friends 1.0 — Highlight when your friends post to Hacker News.
    Pop: 113 — Pro: It does it. — Con: Nothing. — Very useful.
  11. Shareaholic for Google Chrome™ 5.1.0 — The easiest way to share interesting webpages using Facebook, Twitter, Email, Gmail, Buzz, Reader, Bookmarks, and more…
    Pop: 64663 — Pro: All in one. — Con: A bit lengthy setup with so many choices. — Very useful.
  12. HN HideIt 0.5.4 — A collection of little utilities to make Hacker News browsing more comfortable.
    Pop: 30 — Pro: Nothing. — Con: Each reload causes a reset. Options are misleading, eg: “links” means “posts”, “hidden” means “grayed out”, … Some options are obsolete. Search box repositioning makes pages look broken.
  13. HN Reveal 0.21 — Reveals vote scores of comments posted on Hacker News.
    Pop: 14 — Pro: No options. — Con: It looks broken, it always shows “1 point by”.
  14. Readable HN 1.0.3 — HackerNews with a touch of beauty (Readability bookmarklet like styling).
    Pop: 102 — Pro: No options — Con: It makes everything much bigger. (Why not just zoom?)
  15. HN Search Suggestions 1.0 — Provides search-suggestions for Hacker News submissions and/or comments. (Type ‘hn’ in the omnibox and press tab).
    Pop: 7 — Pro: No options. — Con: Misleading instructions, eg: on my Mac, I had to use [h][n][space] instead of [‘][h][n][‘][tab] — Useful.
  16. HN Vote button 1.0.2 — Vote-up webpages directly from your browser’s toolbar!
    Pop: 2 — Pro: No options. — Con: Misleading icon. It looks broken.
  17. Show full domain on HN 1.2 — Show the full domain name on Hacker News next to titles.
    Pop: 7 — Pro: No options. — Con: It looks broken or obsolete.
  18. Flattehn 0.9.1 — Levels the voting field of HN by hiding usernames and points until you’ve voted.
    Pop: 8 — Pro: No options. — Con: It looks broken AND obsolete.
  19. Hacker News Collapsible Comments 1.1 — Adds reddit-like [+] and [-] links to collapse and expand comment threads.
    Pop: 258 — Pro: No options. — Con: Each reload causes a reset. I wish the default was all collapsed but showing the first line, gmail-like — Useful.
  20. Go Build Stuff 1.0 — Helps you concentrate on building stuff.
    Pop: 107 — Pro: No options — Con: Nothing. — Funny.
  21. Coley’s Hacker News 1.1 — Refreshes Hacker News every minute. All out-going links open in a background tab.
    Pop: 8 — Pro: No options. — Con: It looks broken.
  22. Noprocrast Enhanced 0.1 — This refreshes all idle (i.e. no keydown or click events) HN pages every five minutes.
    Pop: 1 — Pro: No options. — Con: What for?
  23. Mustard Gas (HN3) for Hacker News 1.1 — Mustard Gas.
    Pop: 4 — Pro: No options. — Con: It looks broken.
  24. Hacker News Modified 3.0.8 — Updated version of http://goo.gl/C7Kpp.
    Pop: 2 — Pro: It can save to Instapaper. — Con: Main icon is broken. — Interesting.
  25. HackemUp 1.1 — Keep track of what’s changed on Hacker News front page since the last time you looked.
    Pop: 106 — Pro: No options. — Con: It’s not compatible with HN Amplifier. It could just show delta of new comments. No help about icons. — Interesting. (similar to HN Unread Comments 1.1)
  26. Georgify 1.1 — Alternate CSS for Hacker News with a focus on typography and readability.
    Pop: 1530 — Pro: No options. — Con: It’s not compatible with HN Amplifier. Misleading documentation: It changes the DOM, not just the CSS — Interesting. (similar to Readable HN 1.0.3)
  27. Hacker News 2.51 — Displays recent stories from Hacker News.
    Pop: 688 — Pro: Nothing. — Con: Nothing. — Interesting. (similar to Hacker News Modified 3.0.8)
  28. Hacker News OnePage 0.8.2 — Provides users with the ability to browse Hacker News articles and comments without leaving the page.
    Pop: 343 — Pro: No options. — Con: It doesn’t remember my choices about what posts to show collapsed/expanded. It could show the Comments below the Article and not the other way around. — Interesting.
  29. Hacker News Hotkeys 0.1 — Gmail style hotkeys for Hacker News. Want Vim or Emacs style? Pay me or bother me 🙂
    Pop: 102 — Pro: No options. — Con: It’s using a browser action instead of a page action. Misleading documentation: h does not show help (the icon does). — Interesting.
  30. Hacker News Stack 0.3 — Focus on the really fresh and unread news in YCombinator – Hacker News. Relocate read items into the bottom of the website.
    Pop: 42 — Pro: No options. — Con: It works only if you left-click on a post. The icon does nothing.
  31. Hacker News Reader 0.2 — Quickly browse Hacker News articles and comments.
    Pop: 1316 — Pro: Nothing. — Con: It’s an app (not an extension). — (similar to Hacker News OnePage 0.8.2)
  32. Hacker News Collapse 1.1 — Collapses comments on Hacker News.
    Pop: 106 — Pro: No options. — Con: Each reload causes a reset. I wish the default was all collapsed but showing the first line, gmail-like — Useful. (similar to Hacker News Collapsible Comments 1.1)
  33. Hackers News Reader 4 — Simplistic Reader for Hacker News.
    Pop: 690 — Pro: No options. — Con: It’s an app (not an extension). — (similar to Hacker News OnePage 0.8.2)
  34. Hacker News + 1.5 — Stylish Hacker News.
    Pop: 303 — Pro: No options. Home page really nice. — Con: Nothing. — Interesting. (similar to Readable HN 1.0.3)
  35. Readable HackerNews 2.3.4 — Stylish Hacker News.
    Pop: 412 — Pro: No options. Nice. — Con: Nothing. — Interesting. (similar to Readable HN 1.0.3)
  36. Reddit-Style Comments for Hacker News 1.3 — Adds a simple toggle to hide/show comments in discussion threads on Hacker News.
    Pop: 41 — Pro: No options. It shows #descendants. — Con: Each reload causes a reset. I wish the default was all collapsed but showing the first line, gmail-like — Useful. (similar to Hacker News Collapsible Comments 1.1)
  37. Hacker News Sorter 1.6.1 — Sort posts by points, enables search and linkify’s Hacker News.
    Pop: 26 — Pro: No options. — Con: Nothing. — Interesting. (similar to HN Amplifier)
  38. Hacker News Extended 00.1 — Framework for extending Hacker News.
    Pop: 4 — Pro: No options. — Con: No documentation. — (jko navigation)
  39. Submit to Hacker News 1.0 — Hacker news submit button for Chrome. Inspired by Phil Kast’s bookmarklet.
    Pop: 27 — Pro: No options. — Con: What for?
  40. Tweet From Hacker News 1.0 — Tweet articles directly from Hacker News.
    Pop: 60 — Pro: No options. — Con: Nothing. — Interesting.
  41. Hacker News platinum 8 — Hacker News extension that provides keyboard navigation based on reddit-platinum.
    Pop: 10 — Pro: No options. — Con: It could save scrolling time eliminating animation. — Useful. (jko navigation)
  42. NavigComments @ Hacker News 0.1.1 — Navigate through comments @ Hacker News. Any comment can be marked as read or highlighted, read ones can be hidden.
    Pop: 3 — Pro: No options. Marked comments are not lost on reload. — Con: It’s not possible to highlight on a Mac. — Interesting.
  43. Hacker News Hider 1.0.3 — This minifies/hides stories that you have clicked on at the YCombinator site: Hacker News.
    Pop: 7 — Pro: No options. Grayed out comments are not lost on reload. — Con: It works only if you left-click on a post. — (similar to HN HideIt 0.5.4)
  44. Hacker News – Show Full Domain 1.0 — This is an extension to show the full domain (including subdomains) next to a link, rather than just the root.
    Pop: 128 — Pro: No options. — Con: Nothing. — Useful. (similar to Show full domain on HN 1.2)
  45. Hacker Sync 1.3 — Integrates Delicious bookmarking with upvoting at Hacker News.
    Pop: 28 — Pro: No options. — Con: Nothing. — Useful.
  46. Chrombinator 1.1 — .
    Pop: 15 — Pro: No options. — Con: Nothing. — Useful.
  47. Wompt Chat 0.1.7 — Wompt brings chat to all your favorite sites.
    Pop: 44 — Pro: No options — Con: Nothing. — Interesting.
  48. Popularity 1.4.1 — Shows how many times the current web page has been shared on Twitter, LinkedIn, Facebook, Hacker News and Google Buzz.
    Pop: 102 — Pro: No options. — Con: Nothing. — Interesting.
  49. Make Something People Want 1.2 — Redirects your list of distracting sites to makesomethingpeoplewant.org.
    Pop: 2 — Pro: Nothing. — Con: Nothing. — Funny. (similar to Go Build Stuff 1.0)
  50. HNdicator 0.1 — HackerNews Character Limit Indicator.
    Pop: 2 — Pro: No options. — Con: The smallest feature. — Interesting.