Cheap Bastards


It is very sad to see illegal downloads driving Sony Music so poor that they cannot afford a proper SSL certificate. It is either that or the team creating these pages just didn't give a damn.

Well, at least they do offer SSL…

Force HTTPS for WordPress Login Page

If you do have an SSL certificate on your domain, it would be a shame not to use it for the WordPress login. Since WordPress submits the password as plain text whenever the login form is sent over HTTP, every login should be redirected to the HTTPS version, even when we forget to type it.

The solution lies in adding a few lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^wordpress/wp-(login\.php|admin/)(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

This rule matches requests for the login or admin pages (the pattern has no leading slash because .htaccess patterns are matched relative to the directory holding the file, here the document root). If such a request did not arrive over HTTPS, it is answered with a permanent redirect (301) to the same URL on https://. Verify it with curl -I http://www.example.com/wordpress/wp-login.php: the answer should be a 301 whose Location header points at the https:// URL. Bear in mind what a redirect cannot do. It only helps because that first request carries no credentials yet; an active attacker on the path can answer the plain-HTTP request himself and keep you on HTTP, which is the gap the Strict-Transport-Security header closes once the browser has seen it over HTTPS.

P.S. This example was taken from my pages, where I have WordPress installed in a sub-directory named wordpress. If you have it installed in some other directory, adjust accordingly.

P.P.S. Do not forget to also set FORCE_SSL_LOGIN and FORCE_SSL_ADMIN in wp-config.php. (WordPress 4.0 later dropped FORCE_SSL_LOGIN; FORCE_SSL_ADMIN alone now covers both the login and the admin pages.)

WordPress and Plain-text Password

If you have ever done a network capture of your WordPress login, you will have noticed that the password is sent as plain text:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=mysuperpass&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

Anyone who can watch traffic on your network can see it as clear as day. Worse still, if the request traverses a proxy server (as it does in most companies), your password might get dumped into a log file, and whoever has access to those log files has your password. Do you really trust your network admin that much?

The proper way to sort this out is to use SSL. That way the connection is encrypted between the browser and the server and the whole plain-text issue goes away (unless a corporate proxy intercepts TLS with a certificate your machine trusts, in which case the proxy sees the plaintext again). Unfortunately, SSL certificates usually cost some money.

A cheaper solution is to tunnel all your traffic through SSH to a trusted network (e.g. your system at home). While this removes the threat when you are connecting from, say, a hotel, the password still travels unencrypted from the tunnel's exit to the server. With an SSH tunnel from home, you can count (or can you?) on your provider not keeping such a detailed log.

The last thing you might do is force WordPress to use a CHAP-style challenge/response, in which the browser sends a hash of the password combined with a challenge the server issued for that login. The password is then visible only in hashed form (64 hex digits in the capture below, the length of a SHA-256 digest). Brute-force attacks remain possible, since an eavesdropper holding the challenge and the response can try candidate passwords offline, but at least the attacker has something to do, and if the password was selected carefully it might require months or even years of computing. What the scheme does not protect is the session: the login cookie WordPress sets afterwards still travels over plain HTTP and can be copied by the same eavesdropper. The only way I found to do this is by installing the Chap Secure Login plugin.

Upon activating this plugin you should log out and log in again (that will fail). Then log out and log in again (in my case this was still sending plain text). Only upon the third logout/login will the plugin start working properly. Snooping again, you will see something like:

POST /wordpress/wp-login.php HTTP/1.1
  log=admin&pwd=0a1dbb73659c24dd237ec254022af7daef410404665cc7f4be22b69e1e2b1845&wp-submit=Log+In&redirect_to=http%3A%2F%2Fwww.example.com%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_status%3Ddraft%26post_type%3Dpost&testcookie=1

This looks much better.
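The two captures in this post show what an observer sees before and after the plugin. The following Python is an added example, not code from the post or from the Chap Secure Login plugin. It pulls the credentials out of a constructed plain-HTTP capture shaped like the first one, then simulates a generic CHAP-style login on both sides together with the two attacks on the captured exchange: a replay, which the one-time challenge defeats, and an offline dictionary attack, which only a strong password defeats. The response construction (SHA-256 over challenge plus password), the toy server, the sample users and the word list are assumptions for illustration; the plugin's actual protocol is not described here.

```python
# Added example, not code from this post or from the Chap Secure Login plugin.
# Part 1: what a passive observer gets from a plain-HTTP WordPress login.
# Part 2: a generic CHAP-style challenge/response login, the replay it blocks,
#         and the offline dictionary attack it does NOT block. The response
#         construction (SHA-256 over challenge + password) is an assumption for
#         illustration, not the plugin's actual algorithm.
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed sample capture, shaped like the one in the post (not real traffic).
PLAINTEXT_CAPTURE = (
    "POST /wordpress/wp-login.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "log=admin&pwd=mysuperpass&wp-submit=Log+In&testcookie=1"
)


def credentials_from_capture(raw: str) -> dict:
    """Pull the login fields out of a captured request. Anything a sniffer or a
    proxy log stores will do: the body is just a URL-encoded form."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    if not request_line.startswith("POST ") or "wp-login.php" not in request_line:
        return {}
    fields = parse_qs(body)
    return {name: values[0] for name, values in fields.items() if name in ("log", "pwd")}


def response_for(challenge: str, password: str) -> str:
    """Assumed response construction: SHA-256 over challenge + password."""
    return hashlib.sha256((challenge + password).encode()).hexdigest()


class ChapServer:
    """Server side. To check a response it must be able to compute the expected
    one itself, so this toy keeps the password in memory; a real plugin has to
    reconcile that with WordPress's own password storage."""

    def __init__(self, users: dict):
        self._users = dict(users)
        self._challenges = {}  # username -> outstanding one-time challenge

    def issue_challenge(self, user: str) -> str:
        challenge = secrets.token_hex(16)  # fresh 128-bit value per login form
        self._challenges[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self._challenges.pop(user, None)  # consumed: one use only
        if challenge is None or user not in self._users:
            return False
        return secrets.compare_digest(response_for(challenge, self._users[user]), response)


def client_login(server: ChapServer, user: str, password: str):
    """Browser side. Returns the verdict plus the two values an eavesdropper sees."""
    challenge = server.issue_challenge(user)
    response = response_for(challenge, password)
    return server.verify(user, response), challenge, response


def dictionary_attack(challenge: str, response: str, candidates):
    """Offline attack on a captured exchange: no server round trips needed."""
    for guess in candidates:
        if response_for(challenge, guess) == response:
            return guess
    return None


WORDLIST = ["password", "123456", "letmein", "mysuperpass", "admin"]  # constructed


def demo():
    # Constructed users: one guessable password, one that is not in the list.
    server = ChapServer({"admin": "mysuperpass", "editor": "k7#Vq2!pZx9$mL"})

    ok, challenge, response = client_login(server, "admin", "mysuperpass")
    # Replay: the attacker re-submits the captured response. The server hands
    # out a new challenge first, so the old response no longer matches.
    server.issue_challenge("admin")
    replayed = server.verify("admin", response)
    cracked = dictionary_attack(challenge, response, WORDLIST)

    ok2, challenge2, response2 = client_login(server, "editor", "k7#Vq2!pZx9$mL")
    not_cracked = dictionary_attack(challenge2, response2, WORDLIST)
    return ok, replayed, cracked, ok2, not_cracked


if __name__ == "__main__":
    print("plain HTTP exposes:", credentials_from_capture(PLAINTEXT_CAPTURE))
    ok, replayed, cracked, ok2, not_cracked = demo()
    print("login ok:", ok, "| replay accepted:", replayed, "| cracked:", cracked)
    print("strong password login ok:", ok2, "| cracked:", not_cracked)
```

Run it as a script to see the three outcomes side by side. One design point worth noticing: the server can only verify a response if it can compute the expected one, which is why the toy keeps the password itself; whatever a real plugin stores for that purpose becomes as sensitive as the password.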

[2014-10-29: I had this plugin fail with Suffusion. After its (manual) removal I was unable to log on anymore. The solution was to remove the cookies.]

SQL Server 2012

If you happen to be an MSDN subscriber, there is a new treat for you: SQL Server 2012 is available for download.

For those as cheap as me, there is SQL Server 2012 Express. For some reason it is still listed as beta, but I expect to see the RTM version soon enough.

The biggest feature in my book is LocalDB. At first glance it looks like the same thing as SQL Server Compact, but if you dig a bit deeper you will see a few subtle differences.

For me, LocalDB is the missing link that brings SQL Server data and T-SQL without the need for a full-blown SQL Server install. Compared to Compact it is bigger and not as easily distributed; on the other hand, an upgrade from LocalDB to a full SQL Server should be a breeze. This one goes on my system immediately. Check more details.

Yes, there are other changes, but I will leave it to each of you to pick a favorite.

Shield Button

Windows Vista introduced us to UAC. One cornerstone for developers was displaying a shield next to any button whose action requires elevation, and it is a shame that most applications still don't draw it. The shield is only a cue: the prompt itself comes from launching the elevated action (for example starting a process with the runas verb), so a button should show the shield exactly when pressing it will trigger UAC.

The code is really simple:

var hIcon = NativeMethods.LoadImageW(IntPtr.Zero, NativeMethods.IDI_SHIELD, NativeMethods.IMAGE_ICON, 24, 24, NativeMethods.LR_DEFAULTCOLOR);
if (!hIcon.Equals(IntPtr.Zero)) {
    var icon = System.Drawing.Icon.FromHandle(hIcon); // the Icon does not take ownership of hIcon
    if (icon != null) {
        this.TextImageRelation = TextImageRelation.ImageBeforeText;
        this.Image = icon.ToBitmap(); // copies the pixels into a managed Bitmap
    }
}

private static class NativeMethods { // interop declarations the snippet above relies on (both live in the Button subclass)
    public const uint IMAGE_ICON = 1;
    public const uint LR_DEFAULTCOLOR = 0;
    public static readonly IntPtr IDI_SHIELD = new IntPtr(32518); // MAKEINTRESOURCE(IDI_SHIELD)
    [System.Runtime.InteropServices.DllImport("user32.dll", CharSet = System.Runtime.InteropServices.CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr LoadImageW(IntPtr hInst, IntPtr name, uint type, int cx, int cy, uint fuLoad);
}

As you can see, everything happens in the first line. Using interop we ask for the system's shield icon, sized 24x24 pixels, in default color. All the other lines are there just to make sure that something was loaded and that you are not crashing if not (e.g. if you are running XP); when LoadImageW returns IntPtr.Zero, Marshal.GetLastWin32Error() tells you why.

Note that one could use SystemInformation.SmallIconSize to determine the "proper" icon size. Unfortunately, the result is not nice for icon sizes other than 16x16, 24x24 and 32x32. You could always do some fancy smoothing, but at such small sizes I think it is best to go for a native size. If the button uses FlatStyle.System, Windows can draw the shield itself: send it the BCM_SETSHIELD message (0x160C) with lParam set to 1.

As an example I took the liberty of making a Button control with the UAC shield. Full source is available for download.