Using Docker To Build Local WordPress Development Environments

Over the years, we’ve looked at several different systems for setting up local development environments, from applications like MAMP to a Varying Vagrant Vagrants workflow. I’m always looking for the most efficient way to create new WordPress instances, both for development and because I need an easily replicable WordPress environment for testing plugins and updates I want to write about.

Today, I’d like to talk about my current setup, which is based on the Docker container system. I considered using Docker a few years ago, but it was complicated compared to the alternatives, so I didn’t use it for long. But, on the recommendation of a friend, I recently took another look. The tooling has improved considerably and it’s now a good option for those of us who don’t want to spend too much time fiddling with our tools.

So, without further ado, let’s look at how to create a local WordPress development installation with Docker.

What Is Docker?

Docker is a tool for creating and managing containers. A container is a self-contained unit of software that includes all the libraries and other code required to run an application.

It’s important to understand that a container is not the same as a virtual machine — containers are much lighter than virtual machines, they “boot” a lot faster, and they’re more portable. Containers also don’t need a guest operating system.

To use Docker containers, you’ll need to set up Docker on your machine. Because the setup process is different depending on the operating system you use, I won’t go into detail here, but you can find full documentation on the Docker site.

I’m also going to assume you know how to use the command line on your OS.

Building A Local WordPress Container

There are several ways to go about building containers, but we’re going to use the excellent Docker Compose tool.

First, open a terminal, create a directory for your WordPress installation, and change to that directory:

mkdir testing-wordpress && cd testing-wordpress

Next, create the file we’ll use to tell Docker Compose what to do:

touch docker-compose.yml

We’re going to use the Docker Compose file from the official Compose documentation. Open “docker-compose.yml” in a text editor and paste the following text into it:

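version: '3'

services:
   # MySQL database container; its data persists in the named volume db_data
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       # Sample credentials from the documentation, suitable only for a throwaway local instance
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress

   # WordPress container; connects to the db service over the Compose network
   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       # host port 8000 -> container port 80 (Docker publishes on all host interfaces by default)
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress

volumes:
    db_data: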

If you’re interested in what the file is doing, I encourage you to read the documentation, but, in brief, it tells Docker Compose to create two containers. The first is a container for the MySQL database, and the second is a container for WordPress itself.

Save the file, go back to your terminal, and run this command:

docker-compose up -d

Docker will download, configure, and launch the containers. It might take a few minutes, but when it’s finished, you’ll have a WordPress instance waiting at this URL:

http://localhost:8000

To stop the containers, use this command from inside the project folder:

docker-compose stop

You can restart with the “up” command you used previously.

If you want to remove the WordPress container, but leave the database intact:

docker-compose down

And if you want to blow away both WordPress and the database container:

docker-compose down --volumes  

After removing the containers, you can start from scratch with the same “up” command as before:

docker-compose up -d

Because Docker containers are entirely self-contained, you can create as many WordPress installations as you like: just create a new folder, copy the “docker-compose.yml” file to it, and repeat the process.


How to Provide Secure Access to Your WordPress Site

WordPress site owners sometimes need to give a third party access to their site. Once a site grows beyond a certain size, it’s impossible for one person to do all the work, even if they have the necessary skills. Bringing a professional on board is a smart move.

But giving someone you don’t know well access to your site is a daunting proposition. It’s unlikely they will turn out to be malicious, but incompetence and carelessness cause just as many problems. No one wants to have their site hacked because a contractor used an insecure password or because a developer wasn’t as careful as they should have been.

Site owners should follow one simple rule when giving third parties access to their site: provide the least access compatible with getting the job done. In the security world, this is called the Principle Of Least Privilege, and most of us intuitively understand its implications. When you pay a vendor, you don’t send them your bank details so they can withdraw any amount they want, hoping they’re honest: you send them a check or use a credit card that authorizes them to claim exactly the amount they’re entitled to.

What does that mean in the context of WordPress?

Granting Access To Your WordPress Site

WordPress provides a collection of user roles that determine the capabilities of a user account.

  • Administrators have complete control over the site. There is really no restriction on what an administrator can do.
  • Editors can publish and manage the posts of other users.
  • Authors can only manage and publish their own posts.
  • Contributors can upload posts, but they can’t publish them.

No one should be given administrator privileges on a site unless it’s absolutely essential. If a service provider needs admin access, they should not be given the authentication credentials of the site’s owner or other trusted users. An admin account should be created for their use and deleted once they no longer need it.

If you have contracted a writer and you want to check their work before it’s published, don’t give them an Author account because they don’t need access to the publication features.

Always give accounts the smallest amount of power you can.
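
One way to check a site against this rule, as an added example that is not part of the original post: the script compares each account's role with an access register and reports accounts that have no recorded reason to exist, are past their end date, or hold more power than the job needs. The register format, account names and sample rows are constructed for illustration; the rows assume the shape of WP-CLI's "wp user list --fields=user_login,roles --format=json" output.

```python
import json
from datetime import date

# Roles from the list above, least capable first.
ROLE_RANK = {"contributor": 0, "author": 1, "editor": 2, "administrator": 3}

# Constructed sample, shaped like `wp user list --fields=user_login,roles --format=json`.
SAMPLE_USERS = json.loads("""[
  {"user_login": "owner",            "roles": "administrator"},
  {"user_login": "agency-dev",       "roles": "administrator"},
  {"user_login": "freelance-writer", "roles": "author"},
  {"user_login": "staff-editor",     "roles": "editor"},
  {"user_login": "old-seo",          "roles": "editor"}
]""")

# Hypothetical access register kept by the site owner: the role each person
# needs for the job and the date the engagement ends (None = permanent).
SAMPLE_GRANTS = {
    "owner":            {"needs": "administrator", "until": None},
    "agency-dev":       {"needs": "administrator", "until": "2024-03-01"},
    "freelance-writer": {"needs": "contributor",   "until": "2024-12-31"},
    "staff-editor":     {"needs": "editor",        "until": None},
}


def audit_accounts(users, grants, today):
    """Return (login, code, detail) for each account that breaks least privilege."""
    findings = []
    for user in users:
        login = user["user_login"]
        roles = [r.strip() for r in user["roles"].split(",") if r.strip()]
        grant = grants.get(login)
        if grant is None:
            # Nobody wrote down why this account exists: candidate for deletion.
            findings.append((login, "unregistered", "no recorded reason for access"))
            continue
        unknown = [r for r in roles if r not in ROLE_RANK]
        if unknown:
            # Plugin-defined or other roles cannot be ranked automatically.
            findings.append((login, "unknown-role", "review manually: " + ",".join(unknown)))
            continue
        if grant["until"] and date.fromisoformat(grant["until"]) < today:
            findings.append((login, "expired", "engagement ended " + grant["until"]))
            continue
        held = max((ROLE_RANK[r] for r in roles), default=-1)
        if held > ROLE_RANK[grant["needs"]]:
            findings.append((login, "over-privileged",
                             f"holds {','.join(roles)}, needs {grant['needs']}"))
    return findings


if __name__ == "__main__":
    for login, code, detail in audit_accounts(SAMPLE_USERS, SAMPLE_GRANTS, date(2024, 4, 15)):
        print(f"{login:18} {code:16} {detail}")
```

Run on a schedule, a report like this turns "delete the account once they no longer need it" from something to remember into something that gets flagged.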

Granting Access To Your Server

Occasionally, a developer or designer may need access to your server or hosting account. Once again, the Principle of Least Privilege applies.

Firstly, and most importantly, never provide root access to your server to someone you don’t absolutely trust. In fact, it’s better to give no one root access and to disable root logins.

If you can, do any work that requires privileged access to your server yourself. If a designer asks for access to upload some files, you or someone you trust should upload them if it is at all feasible.

If not, create an FTP or database account for them, and then delete the account when they no longer require access.

If a developer or designer is likely to use FTP over an insecure connection, use a secure VPN to ensure that the data can’t be intercepted.

If you rigorously adhere to the Principle Of Least Privilege, you will be able to give vendors and service providers the access they need without putting the security of your WordPress site at risk.


Is Your WordPress Site As Secure As You Think?

WordPress is — as content management systems go — very secure. It’s the most targeted web application in the world, but it’s also the best protected. It is in the interest of many thousands of developers and users to seek and destroy any vulnerabilities that may find their way into the code of WordPress Core, themes, and plugins.

If a WordPress hosting client follows a few basic security best practices, the likelihood of a successful attack is slim. Security best practices include:

  • Updating WordPress, themes, and plugins as soon as new versions are released.
  • Getting themes and plugins from trustworthy sources.
  • Using long, random passwords. Or, even better, using two-factor authentication.
  • Not sharing passwords with third parties.

But everyone who manages a website has to face the reality that their site may be targeted, and if it is targeted, it may be compromised. It’s not enough to follow security best practices. You also have to keep an eye out for signs of compromise. But what does a compromised site look like?

Criminals don’t want you to know when your site has been compromised. The longer they remain hidden, the longer they can use a site to distribute malware, send spam, and inject their SEO links. A site that looks perfectly fine to you might, in fact, be spewing spam and infecting your visitors.

The solution is automated vulnerability and malware scanning. Vulnerability and malware scanners are capable of monitoring a site for signs of malicious software or known software vulnerabilities and alerting you to them.

For occasional scans, there are several excellent online tools that you should be aware of.

  • GravityScan is an online vulnerability and malware scanner from the team behind the Wordfence security plugin. It will check a site for both malware and software vulnerabilities.
  • Sucuri SiteCheck is similar to GravityScan, providing much the same malware and vulnerability checking.

External web-based scanners are a good option to have, but they aren’t as capable as dedicated security plugins, which have greater access to a site and its files.

Wordfence Security is the most popular WordPress security plugin, and it includes a host of features to keep WordPress sites secure, including malware, vulnerability, and backdoor scanning, and a Web Application Firewall capable of repelling known attacks. The premium version of this plugin adds real-time updating of firewall rules, more frequent scans, and two-factor authentication.

Wordfence’s main competitor is the Sucuri Security plugin. Sucuri includes file integrity monitoring, remote malware scanning, and security hardening. The premium version includes a website firewall that can protect a WordPress site against the exploitation of software vulnerabilities, brute force attacks and denial of service attacks.

For most sites, a plugin is probably a better solution than a web service. The plugins we’ve discussed automatically alert site owners when they discover a problem. Relying on your memory to prompt you to regularly use the web scanning tools is probably not the most effective approach.


Ransomware Could Soon Hold Your Data Hostage

In 2017, global ransomware attacks like WannaCry and NotPetya rocked the world, devastating both businesses and government organizations. Troublesome though they were, they were only the beginning. Ransomware is on the rise, and it’s only going to get worse from here.

Criminals have realized that ransomware can act as both a data exfiltration method and as a distraction for a larger attack. They’ve realized that holding information for ransom can be just as lucrative as stealing and selling it. And they’ve realized that in all cases, ransomware requires almost no effort on their end.

In short, you need to do everything in your power to protect yourself – here’s where you can start.

Back Everything Up

The best defense against a ransomware attack is and always will be an air-gapped backup. By maintaining several copies of your data and images of your system both in an online repository and in an isolated, on-site backup server, you can ensure that any systems compromised by ransomware can simply be deleted. At that point, it’s just a matter of restoring your systems to working order.

Now, there’s a reason I recommend multiple backups – and that you keep multiple copies. Truth is, ransomware developers know that backup data is their main weakness. As such, they’ve started to target backups.

Educate Your Employees

Believe it or not, your employees are actually a bigger threat to your data than any external bad actors. Phishing scams, for example, are one of the chief delivery vessels for malware and ransomware. What that means is that if you don’t train your employees to recognize scams and socially-engineered attacks, there’s a good chance you’ll be dealing with ransomware sooner rather than later.

Host regular training sessions and establish a knowledge base your staff can draw on to help them stay secure.

Ransom-Proof Your Systems

The most troubling fact about WannaCry is that it exploited a vulnerability that was several years old. Many of the victims that were targeted by the ransomware could have prevented infection if they’d simply kept their systems up to date. To that end, you need to apply security patches and updates the moment they become available – and wherever possible, avoid using outdated operating systems.

Additionally, it’s important that you ensure all systems on your network can be air-gapped on demand. That way, if ransomware does hit your network, you can isolate it before it causes widespread damage.

Don’t Let Hackers Hold You For Ransom

Ransomware isn’t going to stop being a problem. If anything, it’s only going to get worse – more advanced and sophisticated, and available as an attack method for more hackers than ever before. Defend yourself now, instead of wishing you did something later.


Craft CMS: What It Is, How It Works, & When You Should Use It

WordPress isn’t the most popular CMS on the market without reason. It’s modular, it’s easy to use, and it’s got a fantastic plugin ecosystem. But it’s easy to forget that it also isn’t your only option when it comes to building a website.

There are plenty of content management systems in the sea, after all. Today, we’re going to discuss one of the more formidable ones. It’s called Craft CMS.

What Is It, Exactly?

Created by ExpressionEngine plugin developer Pixel & Tonic, Craft is billed as a “content-first” CMS tool. It’s created to allow for far deeper control and greater performance than other content management offerings.

Written in PHP and run on the Yii platform, it takes the ‘content’ part of content management literally. Unlike WordPress, it does not include any tools for website creation. Anyone who uses Craft will need to either build their own stuff by hand or hire someone to do it.

It also doesn’t have any sort of official theme or plugin marketplace – so again, if there’s anything you want to do in terms of customization, you’ll need to handle it yourself.

That said, it does have a thriving (and fast-growing) developer community, so you won’t be completely on your own in that department.

“Craft is for folks who like to take their time and do things right, building out their HTML, CSS, and JS by hand,” reads the documentation. “This is not a site builder or some sort of design tool. There are no themes, and you won’t find any flashy UI tools full of sliders and other gadgets that will help you “design” your website in minutes.”

The trade-off is that Craft is both extremely scalable and exceptionally customizable. If you can code it, Craft can handle it. That’s a huge plus – though some people might be turned off a bit by the fact that it’s comparatively much more difficult to use than WordPress.

Why Use It?  

The short answer is that Craft excels at managing sites with a large volume of interconnected and interrelated content. Although smaller sites can make excellent use of the content management tool, where it really shines is with massive, sprawling content bases.

Plenty of enterprises are already using the CMS, including Netflix, Emily Carr, Salesforce, Wildbit, and Oakley.

It’s important to note that although Craft takes a lot of legwork and development expertise to set up, it’s actually incredibly publisher-oriented. The backend is extremely easy to use, and provides a simple, streamlined administrative dashboard that makes content creation a breeze.

The most notable element of this backend is something called Sections and Entries. This is the primary means by which Craft organizes its content. An entry is a single piece of content like a blog post, and has an author, date, and optional timed expiration attached to it.

Sections arrange entries into categories, and can be standalone pages, related entries, or even full hierarchies. Related entries can be easily tied to one another using a built-in schema system, and

It’s actually quite sophisticated, and features like Matrix (which allows certain pieces of content to be grouped together and reused with ease), multiple authors, built-in search, automatic localization, and categories/tags make the organization and customization of content even deeper.

This level of customization probably isn’t necessary if you’re just running a small blog with a few authors or a storefront for a small business. It’s also not meant for massive enterprises that need a laundry list of features or organizations that need to develop SaaS applications.

If, however, you’ve a large base of contributors, a highly-trafficked site, or enough content that it would be difficult for you to keep track of it on your own, then Craft is a perfect option.

How Do I Use It?

The first thing you’ll want to do is navigate to the Craft website and download the codebase. Make sure you’ve got PHP 5.3x or above and MySQL 5.1 or above installed. You’ll also want to ensure your web host is capable of meeting Craft’s requirements (Hostdedi is, don’t worry).

Finally, you’ll also need an FTP client such as Transmit and a rich text editing tool.

Once you’ve downloaded Craft, unzip it somewhere on your computer. You’ll then be confronted with two folders, craft/ and public/. The former will need to be uploaded to your server in its entirety, above your web root. The public folder can be uploaded wherever you choose.

Next, you need to set Craft’s permissions. At minimum, you’ll need to ensure that craft/app/, craft/config/, and craft/storage/ have write permissions assigned to them. You can find recommended permission settings here.

Your third step will be to create your database, then you’ll need to ensure Craft is properly configured to connect to said database. Your host can help you with this step, and walk you through configuration. However, you may need to take care of ensuring Craft knows where that database is and how to connect to it.

With all that out of the way, all that’s left to do is run the installer and start building your website. Note that Craft uses HTML website templates constructed in Twig, so you’ll want to familiarize yourself with it. Plugins are

Get Creating

In a lot of ways, WordPress is designed to be a jack of all trades. It’s a content management system that can do just about anything you want it to. Craft isn’t like that. It’s made to do one thing, and one thing only.

But it does that extremely well. If you’re willing to look past the fact that you’ll need to design your own website and (probably) code your own plugins, Craft can excel at just about any content project you set it to. And if you need a great host to help you run things, why not give Hostdedi a try?
