xmlrpc attacks

Most clients and sites do not use the xmlrpc.php interface of WordPress, so we block access to this file in our default Apache configuration.

If you need it enabled, add this block to the top of the .htaccess file for the site in question:

IMPORTANT READING: What is .htaccess and why you should back up your file first!

<FilesMatch "xmlrpc.php">
order allow,deny
allow from all
</FilesMatch>

By enabling it only for the sites that need it, you protect your server from the overwhelming resource usage of the attack.
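As an added example (not part of the original article), here is a small Python script that runs over Apache access-log lines and reports xmlrpc.php traffic per client IP and how much of it was answered with 403 by the default block, so you can tell a site that genuinely needs the file from one that is simply being hammered. The log lines are constructed for the example; the threshold and the Apache "combined" log format are assumptions.

```python
import re
from collections import Counter

# Apache "combined" access-log line; fields after the response size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def xmlrpc_report(lines, threshold=10):
    """Return (xmlrpc.php requests per client IP, number answered 403,
    IPs that sent more than `threshold` xmlrpc.php requests)."""
    per_ip = Counter()
    blocked = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]      # drop any query string
        if not path.endswith("/xmlrpc.php"):
            continue
        per_ip[rec["ip"]] += 1
        if rec["status"] == 403:
            blocked += 1
    flagged = sorted(ip for ip, n in per_ip.items() if n > threshold)
    return per_ip, blocked, flagged

# Constructed sample log: one client hammering xmlrpc.php on a site where the
# default block is in place (403), one ordinary visitor, and one request to a
# site that re-enabled xmlrpc.php in its .htaccess (200).
SAMPLE_LOG = [
    f'203.0.113.5 - - [28/Jul/2014:12:54:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 403 199'
    for i in range(12)
] + [
    '198.51.100.7 - - [28/Jul/2014:12:55:00 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '192.0.2.9 - - [28/Jul/2014:12:55:01 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 200 300',
]
```

Run it against a real log with `xmlrpc_report(open("access_log"))`; an IP in the flagged list with every request at 403 is the attack the default block is absorbing, while a low-volume 200 shows a site that needs the file.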

References:
wordpress.org

Advanced Spam Filter Instructions

Even with spam filters installed you can still be getting flooded with junk in your inbox.

Note: Please unsubscribe from the mailing lists that are the source of the spam; you may have signed up to receive mail, or not noticed a box being checked to receive mail.

1) Log in to webmail.
Username: bob
Password: **********
Server: yourdomainname.com


2) Click the gear on the bottom left corner.


Note: You may already have a spam mailbox.

3) Click Manage folders.

4) Click the plus to create a new folder.


5) Create a folder named Spam.


6) Click Save.

7) Create a folder named Ham.


Note: Ham is the actual technical term for legitimate email.

8) Click Save.

9) Move junk mail into the spam folder.

10) Move good mail into the ham folder.

Note: The more mail you separate into these folders, the better the spam filter will become at recognizing spam. Please put a minimum of 25 emails in each folder.

11) Contact M3 Server via the client portal.

The spam filter will analyze the emails you put in the ham and spam folders to learn the patterns that identify spam for your account, improving the filter’s ability to catch it.

It runs twice per day on the ham and spam folders to learn your email for YOU only; your emails will not be used to train other users’ filters, and vice versa.

You should also make use of your online webmail’s address book. Only those addresses will be automatically whitelisted for you, not the addresses found in other mail clients.

GeoIP block country

The free edition of the GeoIP database is not as accurate as the subscription based database.

Test this inside an unimportant testing directory with a simple test file such as:

www.site.com/mytesting/index.html

Create a new .htaccess file with the following contents:

SetEnvIf GEOIP_COUNTRY_CODE GB BlockCountry
Deny from env=BlockCountry

This will block visitors from GB in your testing directory. Note that this document is only intended as a basic how-to illustrating what GeoIP can be used for.

Or, if you want to redirect based on the country using mod_rewrite in combination with mod_geoip, your .htaccess file could look like this:

RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(NL|BE)$
RewriteRule ^(.*)$ http://www.mydomain.com/nl/$1 [L]

You do not need to enter the database path in your .htaccess file:
GeoIPDBFile /path/etc/
Doing so will result in a 500 server error!

Please see the following 3rd-party site, from the makers of GeoIP, for further details:
http://dev.maxmind.com/geoip/legacy/mod_geoip2/

ffmpeg degrades site performance

If your encoder, web service, and media service are all on one server, it is vital that you don’t let one service overrun your maximum CPU for the entire server. Case in point, FFMPEG.

While this is more evident on VPS servers, which have far fewer processors than dedicated servers, it can still affect entry- to mid-level dedicated servers.

Review the PHP script that controls your FFMPEG encoding rate. In this example, we will review the popular Mechbunny tube script:

admin/config.php
$ffmpeg_command

Find the variable listed above and locate the setting:
-threads

This sets the maximum number of processor threads that FFMPEG can use for encoding videos. The value 0 (zero) indicates unlimited. While new sites that aren’t under any traffic load can use more threads for FFMPEG, we recommend setting this value to 1/2 your total number of processors. This ensures your web and media services have plenty of CPU to perform the vital functions of your site.

Final note: performing download speed tests from your server while you are uploading massive files to it can most definitely produce slower download times. The upload saturates your local network’s uplink and therefore inhibits download performance.

Disable WordPress Cron

How often should wp-cron.php run?

How often do you update or tend to your website?

As a rule, if you only check your website once a day, then run wp-cron.php once a day. If you find that you are getting a LOT of spam comments and Akismet is not keeping on top of it, then you may want to set it to every 6 hours or so.

Even if you were constantly working on a very busy site you would probably only want things to be processed every 30 minutes at the most.

WordPress schedules its own activities using the wp-cron.php script. Unfortunately this script is called every time a visitor comes to your site, which can cause high resource usage.

You should set up a cron job that calls wp-cron.php less often; something like every 4-6 hours works well.

0 */5 * * * cd /home/username/public_html; php -q wp-cron.php
*     *     *   *    *        command to be executed
-     -     -   -    -
|     |     |   |    |
|     |     |   |    +----- day of week (0 - 6) (Sunday=0)
|     |     |   +------- month (1 - 12)
|     |     +--------- day of month (1 - 31)
|     +----------- hour (0 - 23)
+------------- min (0 - 59)

Then open your wp-config.php file and add the following define below the existing DB_COLLATE line to stop the default wp-cron from running:

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** Stop WordPress from running wp-cron.php on every page load; the cron job above replaces it. */
define('DISABLE_WP_CRON', true);

If you need help adding a crontab we can add one for you.

Crontab Reference

Crontab syntax:

A crontab file has five fields specifying the day, date and time, followed by the command to be run at that interval.

*     *     *   *    *        command to be executed
-     -     -   -    -
|     |     |   |    |
|     |     |   |    +----- day of week (0 - 6) (Sunday=0)
|     |     |   +------- month (1 - 12)
|     |     +--------- day of month (1 - 31)
|     +----------- hour (0 - 23)
+------------- min (0 - 59)

A * in a value field means all legal values for that column, as shown in the ranges above.
A value field can contain a * or a list of elements separated by commas. An element is either a single number in the range shown above, or two numbers in that range separated by a hyphen (meaning an inclusive range).
Notes
A repeat pattern such as */2 for every 2 minutes or */10 for every 10 minutes is not supported by all operating systems. If you try to use it and crontab complains, it is probably not supported.

Days can be specified in two fields: day of month and day of week. If both are specified in an entry, they are cumulative: the command runs whenever either field matches.

Mini Howto Crontab

Disable Email
By default cron sends an email to the user account executing the cron job. If this is not needed, put the following at the end of the cron job line:

>/dev/null 2>&1

Generate log file
To collect the cron execution log in a file:

30 18 * * * rm /home/someuser/tmp/* > /home/someuser/cronlogs/clean_tmp_dir.log

exclude directory for rewrite rules

Many PHP applications have their own internal URL rewriting. To exclude a path from these rewrite rules, you can do so in .htaccess.

WARNING: Make a backup of your original .htaccess file, as always. Backups are GREAT practice to follow.
If something goes wrong, remove the lines from your .htaccess or restore your known working backup file. A simple typo can cause your site to generate a 500 server error. Avoid the panic, make your backup!

RewriteCond %{REQUEST_URI} !=/some_directory