Friday, January 13, 2017

How to protect your site from hackers



Does your website need security? Many website owners do not take website protection seriously. This post looks at why anyone would want to hack your website and how you can protect it from being hacked.


Website password 

Your website needs a strong password so that it is not easy for an attacker to crack. Setting a strong password once and never changing it is not enough: change your web password at regular intervals to reduce the chance of a cracked password being used. Use an alphanumeric password with special characters that is not easy to guess or crack; for a strong password it should be 8 characters or more, and it should mix upper and lower case letters as well.
Additionally, if you are using a CMS for your website, it usually provides a password strength check and can auto-generate random passwords for security reasons; you can use these easily.


File Uploads 

If you provide file upload facilities for visitors or logged-in users you need to take care. Whitelist the file types you want to allow users to upload (for example image files or Word documents) and reject every other type, so that it cannot be uploaded to the server. Add a size limit, because very large files can cause problems in site processing and take a long time to scan if you run antivirus on uploaded files. Save uploaded files outside the web root if possible. Change the permissions of the upload folder with chmod 0666 so that files in it cannot be executed. You can also control access to the folder with .htaccess, for example:

   

   # Deny everything in the upload folder by default, then
   # allow only image files to be served from it
   Order deny,allow
   Deny from all
   <Files ~ "^\w+\.(gif|jpe?g|png)$">
       Allow from all
   </Files>


You can add any file type to this list; put the code in the .htaccess file of the upload folder to apply the rule.
The other solution I mentioned is to save files in a private folder outside the web root; in that case you need a script to read files from that private folder and serve them to the browser.
Most hosting providers offer this. You can also tighten the firewall settings: block all non-essential ports and allow only 80 and 443 from outside.
If you upload files yourself, use a secure method such as SFTP. Another option is to put the database on a separate server and connect to it from your web server; that way the database server cannot be accessed directly from outside and your database is safer.
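The rules above (type whitelist, size limit, storage outside the web root, a serving script for the private folder) as one upload handler. This is an added example, not code from the original post; the private folder path, the 2 MB limit and the form field name are assumptions.

```php
<?php
// Added example, not from the original post: an upload handler that applies
// the rules above. The private folder path and the size limit are assumed values.
const PRIVATE_UPLOAD_DIR = __DIR__ . '/../private_uploads';  // outside the web root
const MAX_UPLOAD_BYTES   = 2 * 1024 * 1024;                  // 2 MB limit
// Allowed types, keyed by the MIME type detected from the file *content*,
// with the extension the file is stored under.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Validate one $_FILES entry and move it into the private folder.
// Returns the server-chosen file name; throws on any rule violation.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File exceeds the size limit');
    }
    // Sniff the real content type; never trust $file['type'] or the name the client sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed: ' . $mime);
    }
    // Random name and our own extension: nothing user-controlled reaches the disk path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!is_dir(PRIVATE_UPLOAD_DIR) && !mkdir(PRIVATE_UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create the upload folder');
    }
    if (!move_uploaded_file($file['tmp_name'], PRIVATE_UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not move the uploaded file');
    }
    return $name;
}

// The script that serves files from the private folder (the post says one is needed).
// Only names in the format we generate are accepted, so "../" tricks cannot escape the folder.
function serve_private_file(string $name): void
{
    $path = PRIVATE_UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');  // the browser must not second-guess the type
    readfile($path);
}

// Usage with an assumed form field "photo" and query parameter "f":
// $stored = store_upload($_FILES['photo']);   // keep $stored in the database
// serve_private_file($_GET['f'] ?? '');
```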


Use Website Security Tool 

If you want to check your website's security you can use a third-party tool to audit the whole site; these tools also give you hints on how to fix the security issues that come up in the audit.
If you are using a CMS like WordPress you can use security plug-ins such as Wordfence Security,

All In One WP Security & Firewall or iThemes Security; there are many more options available for security and scanning in WordPress.

You can also use online scanners such as ScanMyServer, Sucuri, SiteGuarding and many more to check your site for security issues.
After going through the list of findings you can start working on the issues they report to make the site more secure.


Guarding Include Files

In PHP we often include files on a page as needed, for our own convenience, and these files contain code, database credentials and other sensitive information. Many developers include such files with the extension .inc; a file with that extension is not parsed as PHP, so if it sits inside the web root it can be fetched directly as plain text.
If an attacker fetches such a file directly he can easily read the database credentials and any other sensitive information in it, and then attack the related database and other files. So always give included files the .php extension, and keep files with sensitive information outside the web root in a folder that is not directly accessible by anyone.


Error handling

When developing an application it is good to check all related errors and warnings, because fixing them closes holes in the application. After the application is complete, hide all errors and warnings, because on a live site an attacker can use them to trace vulnerabilities.
Configure your development and production servers differently: on the development server show all errors and warnings so that you can fix every issue and weakness easily, and when you go live hide all errors and warnings from your application so that an attacker cannot see any loophole in the site.
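The development/production split described above as one PHP bootstrap file. This is an added example, not code from the original post; APP_ENV is an assumed environment variable and the log path is an assumed location outside the web root.

```php
<?php
// Added example, not from the original post: a bootstrap that switches error
// display by environment. APP_ENV is an assumed environment variable and the
// log file path is an assumed location outside the web root.
function configure_error_handling(string $env, string $logFile): void
{
    error_reporting(E_ALL);                  // detect every warning and notice in both environments...
    ini_set('log_errors', '1');              // ...and always write them to a log the developers can read
    ini_set('error_log', $logFile);
    if ($env === 'development') {
        ini_set('display_errors', '1');      // show paths, queries and traces in the browser while fixing
        ini_set('display_startup_errors', '1');
        return;
    }
    ini_set('display_errors', '0');          // production: a visitor never sees file paths or traces
    ini_set('display_startup_errors', '0');
    // Uncaught exceptions are logged by PHP but leave the visitor with a blank page;
    // answer with a neutral 500 page instead, while keeping the details in the log.
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        http_response_code(500);
        echo 'Something went wrong. Please try again later.';
    });
}

// An unset or unknown environment falls through to the locked-down production settings.
configure_error_handling(getenv('APP_ENV') ?: 'production', dirname(__DIR__) . '/logs/php-errors.log');
```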



Protect Session Data

Session data is saved by default in a temp file, and on shared hosting it can easily be read by another user's script. So we need to protect sensitive information such as credit card details and passwords from being read by an attacker through the session data.
You can protect it by storing the data in encrypted form so that it is not readable by anyone else. You can also change the location where session data is stored so that an attacker cannot find it in the default location; use session_set_save_handler() to implement your own storage.
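Both measures from the paragraph above, a private storage location and encryption, in one custom handler registered with session_set_save_handler(). This is an added example, not code from the original post; it needs PHP 8, and the folder path and the SESSION_KEY environment variable are assumptions.

```php
<?php
// Added example, not from the original post (PHP 8): a session store registered
// with session_set_save_handler(). Sessions go to a private folder outside the
// web root (assumed path) and are encrypted with a server-side key (assumed to
// come from an environment variable), so a neighbour on shared hosting who can
// read the default temp folder learns nothing from them.
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private string $key) {}
    public function open(string $path, string $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    // Session ids are alphanumeric (plus , and -); refuse anything else so an id cannot become a path.
    private function file(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new RuntimeException('Invalid session id');
        }
        return $this->dir . '/sess_' . $id;
    }
    public function read(string $id): string|false
    {
        $file = $this->file($id);
        if (!is_file($file)) return '';                  // new session
        $blob = (string) file_get_contents($file);       // layout: 12-byte IV | 16-byte GCM tag | ciphertext
        if (strlen($blob) < 28) return false;
        // AES-256-GCM: a modified or swapped file fails the tag check and is rejected, not trusted.
        return openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA,
                               substr($blob, 0, 12), substr($blob, 12, 16));
    }
    public function write(string $id, string $data): bool
    {
        $iv  = random_bytes(12);   // fresh nonce per write; never reuse one with the same key
        $tag = '';
        $ct  = openssl_encrypt($data, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $iv, $tag);
        return $ct !== false && file_put_contents($this->file($id), $iv . $tag . $ct, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool { return !is_file($this->file($id)) || unlink($this->file($id)); }
    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $max_lifetime < time() && unlink($f)) $removed++;
        }
        return $removed;
    }
}
// 32-byte key derived from an assumed SESSION_KEY environment variable; set it to a long random value.
$key = hash('sha256', getenv('SESSION_KEY') ?: 'CHANGE-ME', true);
session_set_save_handler(new EncryptedFileSessionHandler(dirname(__DIR__) . '/private_sessions', $key), true);
session_start();
```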

SQL Injection Attack

SQL injection is the process of passing crafted data through form input fields or the URL so that it becomes part of the database query; in this way an attacker can read data, make changes, delete table data and do many other things. To fix this you need to use parameterised queries, in which the parameter is passed to the query separately from the SQL text.
The vulnerable form is a query built by concatenating the input into the SQL string, like "SELECT * FROM table WHERE column = '" . $parameter . "';"; a parameterised query keeps the value out of the SQL text.
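The concatenated query from the post beside its parameterised replacement, using PDO. This is an added example, not code from the original post; the DSN, credentials, table and column names are assumed values.

```php
<?php
// Added example, not from the original post: the concatenated query from
// the post next to its prepared-statement replacement, using PDO. The DSN,
// credentials, table and column names are assumed values.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=app', 'app', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // the database server itself keeps SQL and data apart
]);

// VULNERABLE: the input is pasted into the SQL text, so a quote character in
// it ends the string literal and whatever follows is run as SQL.
function find_by_email_unsafe(PDO $pdo, string $parameter): array
{
    $sql = "SELECT * FROM users WHERE email = '" . $parameter . "';";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed and the value is bound separately; it is compared
// as data no matter which characters it contains.
function find_by_email_safe(PDO $pdo, string $parameter): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
    $stmt->execute([':email' => $parameter]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = find_by_email_safe($pdo, $_GET['email'] ?? '');   // form or URL input goes only to the safe version
```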



Keep Up to date

Keep your software up to date with the latest versions, so that issues fixed in newer versions are fixed on your site as well. If you are using a CMS or other software on your site, update it regularly to the latest version.
Hosting companies take care of updating their own software and do so for security from time to time, but you also need to check regularly: many times they offer updates as a manual option, so follow their instructions and apply them to close any possible security hole.

Tuesday, January 10, 2017

Website Speed Optimization



Website speed is how fast content loads from the server to your local machine for display in the web browser. Page load time is the time between clicking a link and the browser finishing loading the requested page content.


There are some aspects to understanding web page speed:

The time taken by the web server to deliver the HTML content to the web browser.
How the browser responds to the page request.
How the requested web page renders in the end user's browser; this is the best way to measure page speed.

If your website speed is low it affects website performance, user experience, search results, responsiveness and load time, giving a bad user experience and many other problems. So your pages need to load fast for better performance.


How to optimise your website to increase page speed if it takes a long time to load

You can check your site speed with Google's PageSpeed Insights
or with the Pingdom tool; there are many others available but these are the most used.


There are different steps to increase page load speed.


Image optimisation to increase site Speed 

Images are key for a website, because they make most of the impression ("a picture is worth a thousand words"). But if your images are large they take time to load, which slows down the whole page, since the page is not complete until the images have loaded. So optimise your images according to need and quality. Images should be smaller in size so that they load quickly when the web browser requests them from the site. You can use Photoshop or an online tool to optimise images; Photoshop is better because you do not compromise the quality of the images on the website.


Reduce URL redirects

When a visitor opens a page in the browser and your page redirects, the visitor has to wait longer to see the page, because the page loads again and another HTTP request cycle must complete. So by reducing page redirects we can increase page load speed.

Leverage Browser Caching 

When your site loads in a web browser it saves some information, like CSS and HTML files, on the local machine so that repeated resources load faster on the next visit. With leverage browser caching you define an expiry time for all downloadable data, instructing the browser how long you want it to keep the data, so that a returning visitor gets a faster page load because the old resources can be reused and do not need to be downloaded again. You can read more about this in the Leverage Browser Caching section below.


Server response time needs to improve

Server response time may be slow due to slow database queries, slow routing or lack of memory; fix these to increase server speed. A normal server response time is under 200ms.



Enable Compression 

You can use Gzip compression to compress CSS, JS and HTML files that are large. You do not need to compress image files this way, because that may reduce the quality of the images and your site will not look good; use another tool such as Photoshop for images so that you can maintain their quality.

Minify files: site CSS, JS and HTML

Minify your CSS, JS and HTML files by removing unnecessary data such as comments, extra spaces, commas and other unnecessary characters. This increases page load speed easily. A tool like PageSpeed Insights will show you the steps needed to implement this and increase website speed.


Use a CDN (Content Distribution Network)

A CDN is a set of servers used for content distribution. They keep a copy of your website on servers in different geographical locations and take the load off your own server; when a visitor comes to your site they serve the content, which loads faster.


Leverage browser caching

If you visit a site, the browser saves some files on the local machine; this is called browser caching.

Leverage browser caching means instructing the browser how to use the resource files it has downloaded to the local machine.



When a visitor visits the site the browser loads some files, like CSS, images and the logo, onto the local machine, so when the user visits another page the browser uses the resources already downloaded. The first page load takes time, but other pages load quickly because the browser already has the resource files that are repeated across the site.


With leverage browser caching your web page files are stored in the browser cache, so pages load faster because other pages share the repeated resources that have already been downloaded.



How to use Leverage Browser Caching



First, change the headers sent with your resources to enable caching.

The caching strategy needs to be optimised.



Set different cache times for the different file resources saved on the local machine.



You need to add some code to .htaccess to instruct the web browser which resources to save and for how long to keep them in the browser cache.

Add the code at the top of your .htaccess file:




## LEVERAGE BROWSER EXPIRES CACHING ##
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpg "access 1 month"
  ExpiresByType image/jpeg "access 1 month"
  ExpiresByType image/gif "access 1 month"
  ExpiresByType image/png "access 1 month"
  ExpiresByType text/css "access 1 month"
  ExpiresByType text/html "access 1 month"
  ExpiresByType application/pdf "access 1 month"
  ExpiresByType text/x-javascript "access 1 month"
  ExpiresByType application/x-shockwave-flash "access 1 month"
  ExpiresByType image/x-icon "access 1 year"
  ExpiresDefault "access 1 month"
</IfModule>
## LEVERAGE BROWSER EXPIRES CACHING ##



After adding the code to the .htaccess file, save it in the same location in the root where it was, then refresh the browser to see the changes.



Other method: Cache-Control



The Cache-Control method is an easier way to control what the browser caches on the local machine. Many people find it easier to set up.

Add the code below to the .htaccess file in your root: open the .htaccess file for editing, add the code and save the file.



# 1 Month for most static assets
<IfModule mod_headers.c>
<filesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
</IfModule>


This sets up cache control according to file type.



Explanation


# 1 Month for most static assets


This line is a comment in the .htaccess file: any line starting with # is ignored, so we use it for commenting.




<filesMatch "\.(css|jpg|jpeg|png|gif|js|ico)$">


The above line makes the caching instructions apply to any file whose extension is listed. You can add more file extensions if you want the caching instruction applied to them as well, and if you do not want the cache rule applied to some type, like png or css, simply remove it from the list.


Header set Cache-Control "max-age=2592000, public"


Here is the actual header that is added, with its time value.


Header set Cache-Control is the part that sets the header.


max-age=2592000, public sets how long the file should be cached, in seconds; 2592000 seconds is about one month.


public marks the cached response as public, which is fine to use for these static files.














Thursday, January 5, 2017

Features of the new version of WordPress (4.7)



1. New Twenty Seventeen theme
A new theme added in the new release, WordPress 4.7, with a video header feature. The theme focuses mainly on business sites and features a customisable front page with multiple sections. You can build them with the help of widgets, navigation, a social menu, a logo, custom colours and many other things.


2. Non-destructive live previews

In WordPress 4.7 a new feature lets you review a live preview of the site without saving the actual changes to the site. In the Customise section all the parts of the site that you can customise are visible while live previewing. Click any icon and start editing; this lets you customise your site faster.


3. Smooth menu building

Many sites have a menu that links to pages of the site. But what can you do
when there are no pages yet? Now, in the new version, when you create a menu in the menu section and publish it, new pages are automatically created for the site so that you can fill in their content.


4. Custom CSS

Sometimes you need to make small CSS changes on your site to make it look better or to solve a little issue. WordPress 4.7 lets you add custom CSS and check the changes on the frontend after saving in the backend. The preview also works directly, without refreshing the page.


5. PDF thumbnail previews

Previously, when you uploaded a PDF in the media section WordPress showed a default thumbnail for the PDF document. In WordPress 4.7 you see an auto-generated PDF thumbnail, so you can easily distinguish between different documents.


6. Dashboard in your language

One language does not mean that everybody prefers the same language for the site. In WordPress 4.7 you get a user language option to change your language; it is shown in the WordPress user profile.


7. REST API endpoints

WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta and settings. Content endpoints provide machine-readable external access to your WordPress site.




8. Post type templates


A new opening for WordPress developers is post type templates, like the page templates we already use. You can create one in the same way:
<?php
/*
Template Name: New Post layout
Template Post Type: post, page, product
*/

// … your code here

When at least one template exists in the theme for a post type, the "Post Attributes" meta box is displayed in the backend. The Post Attributes label can be customised per post type using the "attributes" label when registering the post type.


9. Custom bulk actions

In WordPress 4.7 developers can register custom bulk actions in the list table screens in the backend.

To add a bulk action "Email to All" you can use the following function:
add_filter( 'bulk_actions-edit-post', 'register_new_bulk_actions' );

function register_new_bulk_actions($bulk_actions) {
  $bulk_actions['email_to_all'] = __( 'Email to All', 'email_to_all');
  return $bulk_actions;
}






Now, how to handle the form submission


To handle the bulk action, register a callback on handle_bulk_actions-edit-post:

add_filter( 'handle_bulk_actions-edit-post', 'new_bulk_action_handler', 10, 3 );
function new_bulk_action_handler( $redirect_to, $doaction, $post_ids ) {
  if ( $doaction !== 'email_to_all' ) {
    return $redirect_to;
  }
  foreach ( $post_ids as $post_id ) {
    // action for each post.
  }
  $redirect_to = add_query_arg( 'bulk_emailed_posts', count( $post_ids ), $redirect_to );
  return $redirect_to;
}
Show notices

add_action( 'admin_notices', 'new_bulk_action_admin_notice' );

function new_bulk_action_admin_notice() {
  if ( ! empty( $_REQUEST['bulk_emailed_posts'] ) ) {
    $emailed_count = intval( $_REQUEST['bulk_emailed_posts'] );
    printf( '<div id="message" class="updated fade">' .
      _n( 'Emailed %s post to All.',
        'Emailed %s posts to All.',
        $emailed_count,
        'email_to_all'
      ) . '</div>', $emailed_count );
  }
}





10. WP_Hook
WordPress 4.7 reworks how actions and filters are iterated, to address bugs that arose from recursive callbacks and from callbacks that changed the hooked callbacks on currently running actions and filters. Everything looks the same to developers, as expected, but this should fix a number of hard-to-trace bugs that appear when different plug-ins add callbacks.

11. Settings registration API

register_setting() can now include a type, a description and REST API visibility; it has been improved to give developers more information about settings, as was done for meta.
register_setting() now accepts an array of arguments, which lets WordPress core know more about the setting. This is useful for the REST API, where WordPress needs to know the type of data the setting holds.
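The argument array described above, with a sanitize callback so that a value written through the admin form or the REST API is validated either way. This is an added example, not code from the original post or WordPress itself; the option name, option group, text domain and the timeout range are assumptions.

```php
<?php
// Added example, not from the original post: register_setting() with the
// argument array WordPress 4.7 accepts. Option name, group and text domain are
// assumed; 'type', 'description', 'sanitize_callback', 'show_in_rest' and
// 'default' are the real keys of that API.
add_action( 'init', function () {
    register_setting( 'myplugin_options', 'myplugin_api_timeout', [
        'type'              => 'integer',
        'description'       => __( 'Seconds to wait for the remote API', 'myplugin' ),
        'sanitize_callback' => 'myplugin_sanitize_timeout',  // runs on every write, including via REST
        'show_in_rest'      => true,   // exposed through the settings endpoint to users who may manage options
        'default'           => 10,
    ] );
} );

// Clamp the value to a sane range so that neither the admin form nor a REST client can store junk.
function myplugin_sanitize_timeout( $value ): int {
    return max( 1, min( 60, (int) $value ) );
}
```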


12. Customize changesets

Changes in the Customizer, like auto-saved drafts, also make new features like starter content possible.