Monthly Archives: February 2013

BetterWPSecurity – a great WordPress plugin but proceed with caution

I’ve recently installed the BetterWPSecurity WordPress plugin, and found that while it’s very useful and does increase the security of WordPress it can also break your site.

Ah, Monday morning and the start of my three months paternity leave looking after my six month old son Zach. During his morning nap I logged into my blog to work on an article and noticed that my blog wasn’t loading articles correctly even though the home page worked just fine. Investigating further and looking at my site stats (I use both the Jetpack plugin and Google Analytics) clearly showed that something broke at the start of the weekend – I had nearly no traffic all weekend. Having just referred a colleague to my site for some information and on my first day of paternity leave (ie less time on my hands, not more as some may think) this was definitely not ideal timing!

My first step was to check my logs for information, in this case the BetterWPSecurity log for changed files. This revealed that the .htaccess file in the root directory was changed late on Friday night at 11:35pm – and I knew that wasn’t me as I was tucked up in bed. My first thought was a hack as the .htaccess file permits access to the site but there was no redirect or site graffiti and the homepage still worked so that didn’t seem likely. I logged in via SSH to have a look at the .htaccess file but didn’t see anything obvious although I’m no WordPress expert.

My priority was to get the blog working again so I tried restoring a copy of the changed file from the previous week’s backup (made via the BackWPUp plugin) only to find the backup wasn’t useable. Bad plugin! Luckily I’m a believer in ‘belt and braces’ and I knew my hosting company, EvoHosting, also took backups. I logged a call with them and within the hour they’d replied with the contents of the file from a week earlier. Sure enough the file had been changed but looking at the syntax it appeared to be an error rather than malicious hack.

My .htaccess file when the site was working;

# BEGIN WordPress

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# END WordPress

My .htaccess file after the suspicious change;

# BEGIN Better WP Security

Order allow,deny

Allow from all

Deny from

# END Better WP Security

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]


# END WordPress

I backed up the suspicious copy of the file (for future reference, ie writing this blogpost), restored the original et voila – the blog was working again. Step one complete, now to find the root cause…

Part of any diagnostic process is the question ‘what’s changed?’ and I had a suspicion that BetterWPSecurity could be the culprit as I’d only installed it a few weeks earlier. There was also the obvious issue of the new code in the .htaccess file which looked to belong to BetterWPSecurity. I checked the site access logs which confirmed my hypothesis – someone had attempted to break into my site and while attempting to block the attacker BetterWPSecurity had mangled my .htaccess file. The logs below have been truncated to remove many of the brute force login attempts (there were plenty more) but note that on the final line (after BetterWPSecurity has blocked the attacker) the HTML return code was 418 (“I’m a teapot”) rather than 200 plus the suspect IP is the same as the one denied in the mangled .htaccess file. Yes, you read that right, “I’m a teapot”! Here’s a full explanation for that April Fool’s error code. 🙂 - - [15/Feb/2013:23:35:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3017 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" - - [15/Feb/2013:23:35:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3017 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" - - [15/Feb/2013:23:35:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3017 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" - - [15/Feb/2013:23:35:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3017 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1" - - [15/Feb/2013:23:35:19 +0000] "POST /wp-login.php HTTP/1.1" 418 5 "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1"

So BetterWPSecurity led me to the fault but also caused it. To be fair the plugin does warn you which settings are potentially going to cause issues but I’d assumed that it wouldn’t be me – dangerous things assumptions. I’ve rectified the issue by restricing BetterWPSecurity from altering core system files as shown in the screenshot below;

My blog is fixed and I’m feeling quite chuffed that it was all resolved during a long lunchbreak – not a bad day’s work if I do say so myself! Lesson for today? Take warnings seriously and have multiple backups!

Is storage a fungible commodity?

Fungibility – are you getting what you expect? 🙂

I keep hearing that ‘IT is becoming a commodity‘, cloud computing is ‘like a utility‘, and recently I’ve heard the term ‘fungibility’ applied to computing on multiple occasions. The technologies behind cloud computing are driving these changes but what does it mean to be a commodity, what on earth is fungibility, and what’s it got to do with cloud computing? In this post I’ll explore the fungibility of storage and in a future blogpost the wider impact to cloud computing.

Lets dig into what fungibility is and why it’s important. Wikipedia defines it as;

Fungibility is the property of a good or a commodity whose individual units are capable of mutual substitution, such as crude oil, shares in a company, bonds, precious metals, or currencies.

In plain English fungibility means something is interchangeable – a common example is money. If someone owes you ten dollars you don’t care if they pay you one ten dollar bill, two fives, or ten ones – you get essentially the same thing. Another example is that you’re supposed to eat five portions of fruit and veg every day but you could eat five fruits, five veg, or a mixture – they’re fungible (interchangeable).

Now we know what is it but who cares if something is fungible?

  • for consumers fungibility is a good thing as it increases competition and flexibility – you can buy your commodity from anyone, often driving down prices
  • for providers fungibility could be good and bad. The increased competition might benefit your competitors but history has shown that once a market becomes a commodity it tends to grow, leading to more business for all involved.

Note that just because a commodity is fungible it doesn’t mean there’s no differentiation. Many metals are considered fungible – a tonne of molybdenum may be valued the same whether it’s mined from Australia or Europe. If you need that metal in Europe however you’ll incur shipping costs if you buy the Australian sourced tonne so you’ll pay a premium to get the supplier from Europe. It’s this differentiation which enables trade – more on this in the followup post coming shortly.

Fungibility and storage

Two of the references I’ve heard were in regard to storage and whether it is or isn’t fungible, so that’s where I’ll start. Virsto’s argument during their storage hypervisor presentation at SFD2 argued that while CPU and memory are fungible (specifically in virtualized environments) storage isn’t and is therefore a pain point (which they aim to solve obviously). In his 2013 predictions article Arthur Cole at IT BusinessEdge sees storage becoming a fungible commodity which has ramifications for how it’s consumed.

Uncertainty over whether storage is fungible or not is understandable – my first reaction when I thought about it was ‘no chance’! I’m a storage admin in my current job and each storage request is slightly different – there are too many variable factors which affect the outcome that you couldn’t consider two requests as interchangeable unless the solution was from the same vendor and with the same configuration. Here’s just some of the factors when specifying solutions or diagnosing storage issues;

  • Capacity (typically in GB or TB)
  • Performance – throughput, latency, IOps
  • Workload – read/write ratio, block sizes, sustained or variable demand
  • Availability – HA, clustering, support, SLAs etc
  • Backups – snapshots, long term archiving, restore times
  • Security – location, governance, compliance

Crucially however, as a storage provider I have a different perspective to a consumer of my storage. For a consumer most of this complexity is invisible, hidden behind either a technical or business abstraction – hence why a storage request often only considers capacity (much to my frustration!). What I get concerns me, not how it’s implemented. If you look at storage from the customer’s perspective then it’s a simpler construct and provided it satisfies the user’s expectations it can be considered fungible. All those variables can differentiate one service from another but for many services they’re of secondary importance.

Take a simple consumer example – Dropbox. I’ve used this excellent service for quite a few years and the only thing I really care about is how much storage I can consume and that it works reliably. I assume that it’s always available, that I can get my files back when needed, and that the storage provided by Dropbox can handle what I throw at it. If I don’t like the service offering I can move to one of their competitors like Crashplan, Skydrive, or Bitcasa and while the functionality is slightly different (maybe they don’t all support Linux clients for example) I can compare prices and pick the one that best suits me.

At the enterprise level companies like Amazon, with their S3 and Glacier services, compete with other industry heavyweights like Google’s Cloud Storage, Microsoft’s Azure, Nirvanix etc. Take up of these services started with the Web 2.0 generation but today’s they’re starting to tackle the ‘legacy’ enterprises. This is the more complex world where the factors I mentioned above are more relevant – if someone offered me some ‘cloud’ storage versus some traditional onsite storage (using Netapp’s or EMC gear) then I’d expect them to deliver completely different experiences. Rodney Rogers, the CEO of Virtustream, has recently written an excellent piece about why Amazon may struggle when delivering to the enterprise and I’d agree completely – the demands of the average enterprise are not the same as the Web 2.0 companies running commodity hardware. There are plenty of successful cloud storage companies doing business in the enterprise world today but as Gartner warn you need to be on your guard as the services offered vary widely and are not therefore easily compared – they’re not fungible. They also indicated that 20% of companies are already using cloud storage so one hopes it’s delivering some value. Apologies for mentioning the ‘G******’ word so often!

The answer to ‘is storage fungible?’ is the classic ‘it depends’. For some, typically consumer, requirements I’d say it is but for the more demanding enterprise it’s not there yet.

Further Reading

Fungibility applied to IT

Your storage in the cloud (Hans De Leenheer)

Cloud storage viable option, but proceed with caution (Gartner)

Top 10 cloud storage providers (Gartner)

The longevity of IT skills