Skip to content
This repository has been archived by the owner on Dec 21, 2022. It is now read-only.

szepeviktor/shared-hosting-aid

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
adminer-wp-autologin
adminer-wp-autologin
 
 
cPanel
cPanel
 
 
export-one-db
export-one-db
 
 
minit-ps100
minit-ps100
 
 
stream-archive
stream-archive
 
 
wp-downloader
wp-downloader
 
 
Malware.md
Malware.md
 
 
Optimize-plus.md
Optimize-plus.md
 
 
Optimize.md
Optimize.md
 
 
README.md
README.md
 
 
chmodr.php
chmodr.php
 
 
enable-logging.php
enable-logging.php
 
 
jamss-wordpress.patch
jamss-wordpress.patch
 
 
malware-pattern-tests.sh
malware-pattern-tests.sh
 
 
md5-check.php
md5-check.php
 
 
mirror-site.lftp
mirror-site.lftp
 
 
php-mail-sender.php
php-mail-sender.php
 
 
php-vars.php
php-vars.php
 
 
ping.php
ping.php
 
 
postmortem.php
postmortem.php
 
 
postmortem2.php
postmortem2.php
 
 
remote-log-watch.sh
remote-log-watch.sh
 
 
srdb-oneify.sh
srdb-oneify.sh
 
 
sucuri-sitecheck.php
sucuri-sitecheck.php
 
 
wp-create-user.php
wp-create-user.php
 
 
wp-cron-http.sh
wp-cron-http.sh
 
 
wp-grep-tables.sh
wp-grep-tables.sh
 
 
wp-password-change.php
wp-password-change.php
 
 
wp-unzip-install.php
wp-unzip-install.php
 
 

Repository files navigation

Shared Hosting Aid

Some tools

Full featured PHP firewall

http://ninjafirewall.com/pro/overview.php

Plugins and tools for shared hosting problems

  • See: "Recommended plugins" in szepeviktor/wordpress-plugin-construction
  • Error log setup: shared-hosting-aid/enable-logging.php
  • Error log watch: error-log-monitor
  • Outgoing HTTP traffic monitoring: snitch
  • Email traffic checking: ${D}/monitoring/cse/
  • Cron job: shared-hosting-aid/wp-cron-http.sh
  • WordPress database cleanup: wp-sweep
  • Integrity: exploit-scanner
  • Security checklist: gauntlet-security

FTP/SFTP access with lftp

SSLOFF="set ftp:ssl-allow off"

# lftp -e "${SSLOFF}; cd" -u 'FTP-USER,FTP_PASS' FTP_HOST.
lftp -e "cd" -u 'FTP-USER,FTP_PASS' FTP_HOST.

Move/clone site with lftp

Turn off Maxer SiteProtection!

#!/usr/bin/lftp -f

#open ftp://DOMAIN.TLD
#cd website/html/
lcd tmp/
mkdir sr; cd sr
!wget -nv -N https://github.com/interconnectit/Search-Replace-DB/raw/master/index.php
!wget -nv -N https://github.com/interconnectit/Search-Replace-DB/raw/master/srdb.class.php
!ls -ltr | tail
put index.php; put srdb.class.php

# rm index.php srdb.class.php; cd ../; rmdir sr/

Webserver settings

https://github.com/szepeviktor/hosting-check

  • keep-alive
  • mime-type
  • content-compression
  • content-cache

https://github.com/h5bp/html5-boilerplate/blob/master/dist/.htaccess

https://redbot.org/

Check PHP settings

See: shared-hosting-aid/php-vars.php

wget -nv https://github.com/szepeviktor/wordpress-plugin-construction/raw/master/shared-hosting-aid/php-vars.php

Default email from address

See: shared-hosting-aid/php-mail-sender.php

wget -nv https://github.com/szepeviktor/wordpress-plugin-construction/raw/master/shared-hosting-aid/php-mail-sender.php

  • Set sender or forward as necessary.
  • Set usual addresses: info@, postmaster@, abuse@
  • Set up your account: webmaster@DOMAIN.TLD

Security plugin

  • sucuri-scanner plugin + ustom-sucuri plugin
  • gauntlet-security plugin

Plugins to protect

wget -nv https://github.com/szepeviktor/wordpress-plugin-construction/raw/master/mu-protect-plugins/protect-plugins.php

wp-config.php

Skeleton

See wp-config.php

Change salt

Block Bad Requests

wget -nv https://github.com/szepeviktor/wordpress-fail2ban/raw/master/block-bad-requests/wp-fail2ban-bad-request-instant.inc.php

Root files

  • .htaccess
  • *htaccess*
  • .user.ini
  • index.html
  • index.php
  • robots.txt
  • sitemap.xml
  • sitemap.xml.gz
  • crossdomain.xml
  • labels.rdf
  • apple-app-site-association (content: {})

https://github.com/h5bp/mobile-boilerplate/blob/master/index.html

Files for robots should not be indexed.

.htaccess

# Don't index files for robots
<FilesMatch "^(robots\.txt|sitemap\.xml|sitemap\.xml\.gz)$">
    Header append X-Robots-Tag "noindex"
</FilesMatch>

PHP security check

wget -nv https://github.com/sektioneins/pcc/raw/master/phpconfigcheck.php

Enable access in .htaccess.

SetEnv PCC_ALLOW_IP 1.2.3.4

File change notification

Sucuri plugin

Tripwire

git clone --recursive https://github.com/szepeviktor/Tripwire.git
cd Tripwire/
cp tripwire_config.sample.ini tripwire_config.ini
editor tripwire_config.ini

Tripwire access protection

.htaccess

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REMOTE_ADDR} !=<MANAGEMENT-SERVER-IP-ADDRESS> [OR]
  RewriteCond %{REQUEST_URI} !=/<SECRET_DIR>/tripwire.php
  RewriteRule ^ - [F]
</IfModule>

Block access to a directory

Deny all traffic .htaccess.

# Apache < 2.3
<IfModule !mod_authz_core.c>
  Order allow,deny
  Deny from all
  Satisfy All
</IfModule>
# Apache ≥ 2.3
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

MySQL

  • ALTER table engine
  • @TODO

List WordPress plugin names and paths

Go to the Plugins page and execute:

// List plugin names
jQuery('#wpbody .plugins .plugin-title strong').each(function (){console.log(jQuery(this).text());});

// List plugin slugs (from "Deactivate" links)
var plungins=[].slice.call(document.querySelectorAll('#wpbody .plugins .plugin-title .deactivate a'));
plungins.forEach(function(p){console.log(decodeURIComponent(p.search.split('&')[1].split('=')[1]));});

About

When you must touch websites on shared hosting

github.com/szepeviktor/debian-server-tools/blob/master/CV.md

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages