Install Wordfence Plugin

Installing Wordfence is Both Quick and Simple

With little more than the click of a few buttons, you will have Wordfence up, running and proactively securing your WP site. Once Wordfence is active, it will begin your first security scan and cleanup. You will be able to quash any current threats and begin to prevent future site breaches, too.

Get started with Enterprise-Class Security now, You can install Wordfence with these four best-practice steps:

  1. Sign into your own WordPress website. You’ll usually go to something like www.example.com/wp-admin/ and sign-in

2. Replace example.com with
your own website’s URL

3. Now that you’re signed in and ready to administer your own site, go to Plugins, Add New and do a search for ‘wordfence’ without quotes

5. Click the “Install Now” link and
Wordfence will be installed


When you decide to upgrade to the best WordPress Security
out there, simply upgrade to Wordfence Premium.

Install and Configure Django on a Linux Shared Hosting

Django is a high-level Python Web framework that encourages rapid development and clean, pragmatic design. Built by experienced developers, it takes care of much of the hassle of Web development, so you can focus on writing your app without needing to reinvent the wheel. It’s free and open source.

  • Ridiculously fast – Django was designed to help developers take applications from concept to completion as quickly as possible.
  • Fully loaded – Django includes dozens of extras you can use to handle common Web development tasks. Django takes care of user authentication, content administration, site maps, RSS feeds, and many more tasks — right out of the box.
  • Reassuringly secure – Django takes security seriously and helps developers avoid many common security mistakes, such as SQL injection, cross-site scripting, cross-site request forgery and clickjacking. Its user authentication system provides a secure way to manage user accounts and passwords.
  • Exceedingly scalable – Some of the busiest sites on the planet use Django’s ability to quickly and flexibly scale to meet the heaviest traffic demands.
  • Incredibly versatile – Companies, organizations and governments have used Django to build all sorts of things — from content management systems to social networks to scientific computing platforms.

You will have a functioning Django site on your account that:

  • Loads a static homepage for the domain.
  • Loads the Django administration interface.
  • Uses a SQLite database.

Create A Python Application In cPanel

The Setup Python App feature allows you to deploy Python applications on your cPanel while running the Apache web server.

You can check the functionality by visiting the cPanel, Setup Python App.

Install and Configure Django

On the next page, you will be able to Create Application and check existing Web applications.

Install and Configure Django

After clicking Create Application you will be presented with the app creation menu:

If you wish to create a new Python application, you must specify the Python version, fill in the Application root, and the Application URL. Then click Create.

Optionally, you can also set up Application startup fileApplication Entry point and Passenger log file.

As soon as the environment is set, you can upload your application files to the application root directory.

When the application is created, you will be able to see the next page:

At the very start, you have the command necessary to enter your virtual environment. This is useful when you need to manually execute some commands either via SSH or with the terminal menu in cPanel.

To be able to do this, you need to enable Shell access as in this guide.

How to Configure the Django project

1) Login to cPanel.

2) You can see the option Terminal under the “ADVANCED” menu. Click the option to open the terminal.

3) If you are accessing the terminal for the first time, a screen will appear with a warning message. Please click on the button proceed.

4) This interface provides command line access to your account on the server. You can now manage the account using CLI

5) Use the command you noted in the above step to activate the virtual environment. For example:

# source /home/username/virtualenv/myapp/3.6/bin/activate

You need to replace username with your cPanel username

The command prompt now starts with (myapp:3.6) to indicate that you are working in the myapp virtual environment with Python 3.6. All of the following commands in this article assume that you are working in the Python virtual environment.

6) Type the below command to install Django:

# cd ~pip

# install django==2.1.8

You can verify the version of Django installed, with the following command:

# django-admin --version

7) Type the below command for creating a Django project:

# django-admin startproject myapp ~/myapp

8) To create directories for the static project files, type the following commands:

# mkdir -p ~/myapp/templates/static_pages 
# mkdir ~/myapp/static_files 
# mkdir ~/myapp/static_media

a. Find the ALLOWED_HOSTS line and then modify it as below. Replace example.com with your own domain name:

ALLOWED_HOSTS = [‘example.com’]

b. Find the TEMPLATES block, and then modify it as below:

TEMPLATES = [
{
‘BACKEND’: ‘django.template.backends.django.DjangoTemplates’,
‘DIRS’: [os.path.join(BASE_DIR,’templates’)],
‘APP_DIRS’: True,
‘OPTIONS’: {
‘context_processors’: [
‘django.template.context_processors.debug’,
‘django.template.context_processors.request’,
‘django.contrib.auth.context_processors.auth’,
‘django.contrib.messages.context_processors.messages’,
],
},
},
]

c. Locate the STATIC_URL line, and then add the below lines beneath it:

MEDIA_URL = ‘/media/’
MEDIA_ROOT = os.path.join(BASE_DIR, “static_media”)

STATIC_URL = ‘/static/’
STATIC_ROOT = os.path.join(BASE_DIR, ‘static_files’)

9) Open the ~/myapp/myapp/urls.py file using the text editor. Delete the existing text and copy the below text into the file:

from django.contrib import admin
from django.urls import path, include
from django.conf import settings
from django.conf.urls.static import static
from django.conf.urls import url
from django.views.generic.base import TemplateView

urlpatterns = [
path(‘admin/’, admin.site.urls),
url(r’^$’, TemplateView.as_view(template_name=’static_pages/index.html’), name=’home’),
] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

10) Open the ~/myapp/passenger_wsgi.py file and do the following changes. Replace username with your own account username:

import myapp.wsgi
SCRIPT_NAME = '/home/username/myapp'

class PassengerPathInfoFix(object):
    """
    Sets PATH_INFO from REQUEST_URI because Passenger doesn't provide it.
    """
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        from urllib.parse import unquote
        environ['SCRIPT_NAME'] = SCRIPT_NAME

        request_uri = unquote(environ['REQUEST_URI'])
        script_name = unquote(environ.get('SCRIPT_NAME', ''))
        offset = request_uri.startswith(script_name) and len(environ['SCRIPT_NAME']) or 0
        environ['PATH_INFO'] = request_uri[offset:].split('?', 1)[0]
        return self.app(environ, start_response)

application = myapp.wsgi.application
application = PassengerPathInfoFix(application)

11) Use a text editor to create a basic index.html file in the ~/myapp/templates/static_pages directory.

The file can be as simple as a text file that says Hello world.

12) Type the following command:

# python ~/myapp/manage.py migrate

13) Create and set up the superuser account:

  • For this, type the below command:

# python ~/myapp/manage.py createsuperuser

  • Type the administrator username at the Username prompt and then press Enter.
  • Type the administrator e-mail address at the Email address prompt and then press Enter.
  • Type the administrator password at the Password prompt and then press Enter.

14) To collect the static files, type the below commands:

# python ~/myapp/manage.py collectstatic

In case you are asked for overwriting existing files, type yes and then press Enter.

15) Restart the Python application in cPanel:

  • Log in to cPanel.
  • Click Setup Python App in the SOFTWARE section of the cPanel home screen.
  • Locate the correct application under the Existing applications and then click Restart.

16) Test the Django site:

  • Go to http://www.example.com, where example.com represents your domain name. The index.html file should load.
  • Go to http://www.example.com/admin, where example.com represents your domain name. The Django administration login page should be displayed. Use the superuser credentials that you created earlier to log in.

If there a problem for the website to appear in your browser, run the passenger_wsgi.py file manually. For this, type the below command:

# python ~/myapp/passenger_wsgi.py

When you run this file, you should get any text output to the console. In case there are any errors, check the syntax in the configuration files.

That’s all! Now, you can easily install and configure Django on a Linux shared hosting account.

Setup Python App

The Setup Python App feature allows you to deploy Python applications on your cPanel while running the Apache web server.

You can check the functionality by visiting the cPanel, Setup Python App.

Install and Configure Django

On the next page, you will be able to Create Application and check existing Web applications.

Install and Configure Django

After clicking Create Application you will be presented with the app creation menu:

If you wish to create a new Python application, you must specify the Python version, fill in the Application root, and the Application URL. Then click Create.

Optionally, you can also set up Application startup fileApplication Entry point and Passenger log file.

As soon as the environment is set, you can upload your application files to the application root directory.

When the application is created, you will be able to see the next page:

At the very start, you have the command necessary to enter your virtual environment. This is useful when you need to manually execute some commands either via SSH or with the terminal menu in cPanel.

To be able to do this, you need to enable Shell access as in this guide.

You can change options like Python version, Application root, Application URL, Application startup file, Application Entry point and Passenger log file here.
After changing such options, please make sure to click the Save button on the upper right.

The Python versions available are 2.7 and 3.3, 3.4, 3.5, 3.6 and 3.7.

PLEASE NOTE: Python version switch can take up to 5 minutes.

The Application startup file is to specify the Python WSGI application entry point. It must be specified as a filename.
Application Entry point is there to set up a WSGI callable object for the previously specified startup file.

With the help of the Configuration files field you can install various modules through Pip. Under the Add another file… field you can enter the name of the given module and click Add.

If you click Delete, the corresponding module entry will disappear. If you click Edit, you can change the module in question.

Once you have added the module, you can click Run Pip Install and install the module in question from the drop-down.

You can also execute pip install commands directly under the virtual environment via SSH.

Also, you can execute python script commands from the web interface (e.g. you can install packages from specific repositories or control web applications by means of django-admin).

You can additionally set up Environment variables:

Click Add Variable and you will be able to set up Name and Value of the variable in question. After you have entered the correct data, click Done to create the variable.

NOTE: Changes will not be applied to the application environment until the Update button is clicked. All changes can be reverted by clicking the Reset button.

You also have the options to Stop App and Restart the application.

To delete the application, click Destroy. The application folder itself will remain unmoved.

Dealing with WSGI application issues

In some cases, apps may not run properly when the main application variable is called app. This is because WSGI software that we use to run Python on our servers requires the main application variable to be called application.

We will use the Flask application as an example here to make the application work:

1. Install Flask and all the other modules required for the app. It can be done in many ways:

  • Install modules manually one by one over SSH

This can be done using the standard Run Pip Install button described in this guide, or via SSH using pip install module command.

  • Install all the modules at a time with a requirements.txt file.

It can be done with the following type of command via SSH:pip install -r requirements.txt

  • Install all the modules with a setup.py file via SSH, if it is created for the application,. The usage of this option depends on the app in question.

2. Remove the default passenger_wsgi.py file under the application root folder.
3. Find the main script of the application in the application root folder. Search for the following line to find it:
from app import app
(it can be from src import app or from app import application, however from app import app is the most common way to write it). The main script is usually called app.py, main.py, index.py, or init.py.
4. Rename this script to passenger_wsgi.py or set it in the Application startup file field within the Python App interface in cPanel.
5. Right below the import line (from app import app), insert this line:
application = app

The described actions should help fix an application that was not written with WSGI software in mind.

High Severity Vulnerability Patched in Ninja Forms

On April 27, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery(CSRF) vulnerability in Ninja Forms, a WordPress plugin with over 1 million installations. This vulnerability could allow an attacker to trick an administrator into importing a contact form containing malicious JavaScript and replace any existing contact form with the malicious version.

We reached out to Ninja Form’s security team according to their Responsible Disclosure Guidelines and they replied within a few hours. The plugin was patched less than 24 hours after our initial contact, on April 28, 2020.

All Wordfence users, including both Wordfence Premium and free Wordfence users, are protected from XSS attempts against this vulnerability by the Wordfence Firewall’s built-in XSS protection.

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
Affected Plugin: Ninja Forms
Plugin Slug: ninja-forms
Affected Versions: < 3.4.24.2
CVE ID: CVE-2020-12462
CVSS Score: 8.8 (High)
CVSS Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version: 3.4.24.2

The Ninja Forms plugin features a “legacy” mode which allows users to revert its styling and features to those of the plugin’s final 2.9.x version. As part of this feature, it adds several AJAX functions which appear to be intended to import forms and fields between the “legacy” mode and the default mode. While all of these functions used capability checks, two of the functions failed to check nonces, which are used to verify that a request was intentionally sent by a legitimate user. One function in particular, ninja_forms_ajax_import_form, allowed importing forms containing custom HTML:

add_action( 'wp_ajax_ninja_forms_ajax_import_form', 'ninja_forms_ajax_import_form');functionninja_forms_ajax_import_form(){if( ! current_user_can( apply_filters( 'ninja_forms_admin_upgrade_import_form_capabilities', 'manage_options') ) ) return;$import= stripslashes( $_POST[ 'import'] );$form_id= ( isset( $_POST[ 'formID'] ) ) ? absint( $_POST[ 'formID'] ) : '';WPN_Helper::delete_nf_cache( $form_id); // Bust the cache.Ninja_Forms()->form()->import_form( $import, TRUE, $form_id, TRUE );if( isset( $_POST[ 'flagged'] ) && $_POST[ 'flagged'] ){$form= Ninja_Forms()->form( $form_id)->get();$form->update_setting( 'lock', TRUE );$form->save();}echojson_encode( array( 'export'=> WPN_Helper::esc_html($_POST['import']), 'import'=> $import) );wp_die();}

As such, if an attacker was able to trick an administrator into clicking a crafted link, they could spoof a request using that administrator’s session and import a form containing malicious JavaScript into the site. Worse yet, it was possible to replace any existing form on the site with one of these imported forms by setting the formID $_POST parameter to the ID of an existing form.

Depending on where the JavaScript was placed in the imported form, it could be executed in a victim’s browser whenever they visited a page containing the form, whenever an Administrator visited the plugin’s Import/Export page, or whenever an Administrator attempted to edit any of the form’s fields. As is typical with Cross-Site Scripting (XSS) attacks, a malicious script executed in an Administrator’s browser could be used to add new administrative accounts, leading to complete site takeover, while a malicious script executed in a visitor’s browser could be used to redirect that visitor to a malicious site.

Vulnerability Disclosure Policies are Important

One of the reasons this plugin was patched so quickly was because the plugin’s team maintains a Responsible Security Disclosure Policy, often referred to as a Vulnerability Disclosure Policy. This allowed us to contact them directly with our full disclosure rather than spending days trying to find or verify the appropriate contact channel. While we have occasionally seen plugins patched in less than 24 hours in the past, responses like this are exceptional and indicate a serious dedication to security.

If you are responsible for any kind of software product or service, having a Vulnerability Disclosure Policy (VDP) not only improves your chances of being alerted to serious security issues, but also allows you to set expectations for your response. Most importantly, it reduces the risk of vulnerabilities in your products being prematurely or irresponsibly disclosed and attacked by bad actors before you have a chance to fix them. For these reasons, we strongly recommend implementing a VDP to improve not only the efficiency of your response to specific flaws, but also the general security of your product.

Timeline

April 27, 2020 19:00 UTC – Our Threat Intelligence Team discovers and analyzes the vulnerability and verifies that our existing Firewall Rules provide sufficient protection against XSS.
April 27, 2020 19:24 UTC – We provide full disclosure to the plugin’s developer as per their Responsible Security Disclosure Policy.
April 27, 2020 20:27 UTC – We receive a response that a patch should be available the next day.
April 28, 2020 19:00 UTC – Patched version of the plugin released.

Network Optimizer – Railgun

Optimized partners can reach international customers faster with Railgun

Railgun ensures that the connection between your origin server and the Cloudflare network is as fast as possible.

Railgun compresses previously unreachable web objects by leveraging techniques similar to those used in the compression of high-quality video. This can result in additional performance increase.

railgun
www.cloudflare.com/en-gb/website-optimization/railgun/

What Railgun Does

Railgun accelerates the connection between each Cloudflare data center and an origin server so that requests that cannot be served from the Cloudflare cache are nevertheless served very fast.

Approximately 2/3 of requests to sites on Cloudflare are served directly from cache from the data center that is physically closest to the person surfing the web. Because Cloudflare has data centers around the world this means that whether you are in Bangalore, Brisbane, Birmingham or Boston web pages are delivered quickly even when the real, origin web server is thousands of miles away.

Cloudflare’s ability to make a web site appear to be hosted close to web surfers is key in accelerating web surfing. A web site might be hosted in the US, but accessed mainly by web surfers in the UK. With Cloudflare the site will be served from a UK data center eliminating the costly delay caused by the speed of light.

But the other 1/3 of requests made to Cloudflare have to be sent to the origin server for processing. This happens because many web pages are not cacheable. This can be because of a misconfiguration, or, more commonly, because the web page changes frequently or is personalized.

For example, it’s hard to cache the New York Times home page for any length of time because the news changes and being up to date is essential to their business. And for a personalized web site like Facebook each user sees a different page even though the URL may be the same for different users.

Railgun uses a collection of techniques to accelerate and cache these previously uncacheable web pages so that even when the origin server must be consulted web pages are delivered quickly. And that even works for rapidly changing pages like news sites, or for personalized content.

Cloudflare research showed that even though many sites cannot be cached they actually change very slowly. For example, the New York Times home page changes throughout the day as news stories are written, but the boilerplate HTML of the page mostly stays the same and many stories stay on the front page all day.

For personalized sites the boilerplate HTML is the same with only small pieces of content (such as a person’s Twitter timeline or Facebook news feed) changing. This means there’s a huge opportunity to compress web pages for transmission if the unchanging parts of a page can be detected and only the differences transmitted.

How It Works

When a request is made to a Cloudflare server for a web page that is not in cache Cloudflare makes an HTTP connection to the origin server to request the page. It’s that HTTP connection that Railgun accelerates and secures.

www.cloudflare.com/en-gb/website-optimization/railgun/

Railgun consists of two software components: the Listener and Sender. The Railgun Listener is installed at your web host on an origin server. It’s a small piece of software that runs on a standard server and services requests from Cloudflare using the encrypted, binary Railgun protocol.

The Railgun Sender is installed in all Cloudflare data centers around the world and maintains connections with Railgun Listeners.

When an HTTP request comes in that must be handled by an origin server, Cloudflare determines whether it is destined for a Railgun-enabled website. If not, standard HTTP is used, but if so the HTTP request is routed to the Railgun Sender for handling.

The Railgun Sender turns the request into a compressed, binary chunk that’s transmitted to the corresponding Railgun Listener. The Railgun Listener handles the request and performs an HTTP request to the origin server. From the origin server’s perspective it’s as if the HTTP connection came directly from Cloudflare, but because it comes from inside the hosting partner’s infrastructure the request suffers no latency related delay.

Railgun uses a new caching mechanism based on comparing page versions to determine what needs to be transmitted across the Internet to the Railgun Sender. Using this mechanism Cloudflare is able to achieve typical 99.6% compression (taking, for example, a 100k web page down to 400 bytes) and a speedup of over 700%. In fact, the compressed data is often so small that using the binary Railgun protocol the entire response fits inside a single TCP packet.

Railgun connections are secured by TLS so that requests sent across them cannot be eavesdropped upon. The connection is secured by certificates so that a man-in-the-middle attack is not possible. The TCP connection between Cloudflare and the origin server is kept alive so that it can be reused for subsequent requests eliminating the slow start up of a TCP connection.

Railgun requests are multiplexed onto the same connection and can be handled asynchronously. This means that Railgun is able to handle many, simultaneous requests without blocking and maximizing the use of the TCP connection.

What is QUIC.cloud

QUIC.cloud

Introduction

QUIC.cloud is the first and only content delivery network with the ability to cache dynamic WordPress pages. Using QUIC as the transfer protocol, QUIC.cloud will make your website faster and more secure than the competition.

Litespeed’s QUIC.cloud is a new way to supercharge your website.

QUIC.cloud CDN, an intelligent cache CDN based on LiteSpeed Cache, is the only CDN service that can accurately cache dynamic pages (pages that can change frequently).

LSCache for WordPress knows when to automatically purge and sync data in QUIC.cloud CDN, giving it the upper-hand on all other CDN providers. Users can now provide anyone across the globe access to their sites in less than 100ms!

Also, new to QUIC.cloud is image optimization, critical CSS, and LQIP. With these new services readily available, QUIC.cloud is more customizable and efficient than ever before.

After reading through this guide, if there is something you do not understand, please let us know by sending an email to support[at]quic.cloud.

Requirements

Before you can utilize QUIC.cloud, you should refresh your LiteSpeed Cache for WordPress module to in any event v3.0.

Ths guide also assumes you already have a domain setup with WordPress. If you do not yet, please check out WordPress’ Domains guide.

Matching WordPress and QUIC.cloud

To begin, sign into your WordPress dashboard for the domain you’d like to use with QUIC.cloud.

QUIC.cloud
QUIC.cloud

At that point explore to the menu bar on the left half of the site, and float over LiteSpeed Cache.

QUIC.cloud
QUIC.cloud

Then, select General.

On that page there will be a box for a Domain key; click the link Apply Domain Key, on the right side of the box.

Pairing WordPress and QUIC.cloud
Pairing WordPress and QUIC.cloud

You will see a bar at the top saying you applied successfully and to wait for the result. Please refresh the page.

After refreshing, the box should be automatically filled with the key. Next click Save Changes in the right corner.

This image has an empty alt attribute; its file name is image-34.png

Once you save, click Link to QUIC.cloud.

Next you will be redirected to QUIC.cloud to sign up/login.

If you login, you will be redirected back to your WordPress dashboard.

If you sign up, you will be asked to fill in your desired password and to agree to the QUIC.cloud terms and conditions. Then click Register.

Check your emails for a message from QUIC.cloud and confirm your account.

!Activate Account Link

Once you click the activation link, a new tab will open saying the activation was successful.

!Activation Complete

Click My Dashboard and you will be redirected back to the WordPress dashboard.

Back on the WordPress dashboard, there is a button that will direct you to your QUIC.cloud dashboard.

!Visit Dashboar

Once on the QUIC.cloud dashboard, you will see the new domain listed.

When you click into the domain, you should see a list including our CDN and the services offered.

If you’d like to use the CDN, please continue on to the next section of this document. If you are not interested in using the CDN, however, then you have successfully finished your setup. Congratulations and welcome to QUIC.cloud!

Setting up the CDN

Before a domain can use QUIC.cloud CDN, the DNS for that domain must be properly set up. Please follow the instructions below to set up your DNS.

DNS Setup

If you are not sure about how the DNS works, check out our DNS Primer. You will need to be logged into your WordPress admin and your DNS management page.

Note -  The base domain, e.g. example.com is known as the Root or Apex Domain. All other usages of this domain such as sub.example.com or www.example.com are subdomains.

If you are adding the root domain to QUIC.cloud, refer to the following section. If you are adding a subdomain, refer to the subsequent section.

Adding the Root(Apex) Domain

QUIC.cloud requires that your DNS maps your domain to a domain provided during setup. This means that your DNS provider must support domain to domain mapping for the Root domain.

The following instructions have screenshots from the CloudFlare DNS manager.

  1. Take a screenshot of your current configurations. Keep this as a reference in case things go wrong, so you have something to go back to.
  2. Check what your TTL value is and adjust it to the smallest value possible (if not already). You will need to wait until the old DNS records expire before you can use QUIC.cloud. After the old value expires, every record should be using the new value. Example: previous value: 1 hour, new value: 2 minutes. If it is 3pm when you change the value to 2 minutes, you must wait until 4pm to be sure that all the records now use the 2 minute value.
  3. (Optional) If you wish to use both the root domain and the www. subdomain: Create a CNAME record pointing www. to your Root domain:

If you have a www. record already, edit that to look like the above screenshot. The net result is that www.example.com will target the same server as example.com. 

4. Create an A record for a random subdomain that points to your origin IP. For example, origin.example.com.

1.Convert your current record for @ to a CNAME record targeting the subdomain you created in step 4.

Deleting the root domain record:

Note – The below screenshots are for deleting an A record and adding a CNAME record. If your current record is a CNAME record or your DNS Manager allows changing record types, you can just edit the record.

Setting the CNAME record for the root domain:

Make sure that your site is still accessible as is. Here are some ways to test.

Note – If you are using CloudFlare DNS, ensure that the cloud is set to “Grey” (this means you are not actually using Cloudflare for anything other than the DNS).

After performing the above steps, the following should be true: * Your site is still accessible. Nothing should have changed. * If you performed step 3, your www. subdomain should also point to your current IP. Refer to how to check the DNS. * The random subdomain should also target the same IP.

If any of the above are not true, review your DNS configurations and run through the steps again. One possible reason that the above are not true is that the TTL for the old configuration has not expired yet. Make sure that the time has elapsed.

Adding the Subdomain

The following instructions have screenshots from the Digital Ocean DNS manager. The steps should be similar for your DNS provider.

  1. Take a screenshot of your current configurations. Keep this as a reference in case things go wrong, so you have something to go back to.
  2. Check what your TTL value is and adjust it to the smallest value possible (if not already). You will need to wait until the old DNS records expire before you can use QUIC.cloud. After the old value expires, every record should be using the new value. Example: previous value: 1 hour, new value: 2 minutes. If it is 3pm when you change the value to 2 minutes, you must wait until 4pm to be sure that all the records now use the 2 minute value.
  3. If the subdomain points to the same origin server as the Root domain, this step is not required. Create an A record for a random subdomain that points to your origin IP. For example, origin.example.com.
  1. Convert your current record for the subdomain to a CNAME record targeting the subdomain you created in step 3. If you are using the root domain as the base, target that instead.The below screenshots are for deleting an A record and adding a CNAME record. If your current record is a CNAME record or your DNS Manager allows changing record types, you can just edit the record.

Deleting the old record:

  1. Make sure that your site is still accessible as is. Here are some ways to test. If you are using CloudFlare DNS, ensure that the cloud is set to “Grey” (this means you are not actually using Cloudflare for anything other than the DNS).

After performing the above steps, the following should be true: * Your site is still accessible. Nothing should have changed. * The random subdomain should also target the same IP.

If either of the above are not true, review your DNS configurations and run through the steps again. One possible reason that the above are not true is that the TTL for the old configuration has not expired yet. Make sure that the time has elapsed.

Enable CDN

When on your QUIC.cloud dashboard, click on the domain you’d like to enable the QUIC.cloud CDN service for.

Note – Domains can be listed in QUIC.cloud and use the QUIC.cloud services, without using the CDN.

Next, under the services list, click CDN.

Note - If the status of the CDN says ‘OK’, then your CDN is already enabled for that site and you do not need to continue with this guide.

On the following screen, click Enable CDN.

Next we will discuss the DNS records and verification.

Configure DNS Records and Verify

Update the DNS Manager

Note the CNAME record that we created for you, as below:

In your DNS Manager, change the CNAME you set up to point to this CNAME domain.

CloudFlare DNS Example:

At this point, nothing should have changed. Your site should still target your server. Here are some ways to test.

Configure Access for your site (Optional)

On the CDN page, under Setting -> Connection, there are three options that configure how the browser connects to QUIC.cloud and how QUIC.cloud connects to your origin server. Select the appropriate option.

Connection Type to Origin: This option specifies the connection type between QUIC.cloud and your origin server. The available options are: match the connection type from the browser to QUIC.cloud or use HTTP Only.

Frontend Force HTTPS: This option specifies the connection type between the browser and QUIC.cloud servers. If set to ON, HTTP requests to QUIC.cloud are redirected to HTTPS automatically. Otherwise, both request types are forwarded to your backend server (depending on how Connection Type to Origin is configured).

Enable QUIC Backend: If your site offers QUIC and/or HTTP/3, you can try this option. This will let QUIC.cloud servers attempt to connect to your origin server using QUIC and/or HTTP/3.

Configure your Firewall

When your site goes through QUIC.cloud servers, all the requests will appear via QUIC.cloud IPs. This will likely trigger some firewall rules. Make sure to whitelist QUIC.cloud IPs so that the requests do not trigger the firewall.

Verify Your Website is Using QUIC

You must have a valid SSL Certificate set up on QUIC.cloud to use QUIC.

If QUIC.cloud is working properly, your site should be using QUIC. You can use a browser extension to verify this, such as this for Google Chrome. It will show a Green lightning bolt indicator, if your website is using QUIC.

Alternatively, you could use HTTP/3 Check to test it out.

That’s it. QUIC.cloud CDN should now be set up. If you have any questions or issues, please contact us at support[at]quic.cloud.


What is Entry Process Limit – Shared Hosting

An Entry Process is the number of PHP scripts you can run at a time. Our Shared Hosting and WordPress hosting plans have limitation of entry process at a time.

Number of visitors on website – An Entry Process should not be confused with the number of visitors you can have on your website as it takes just fractions of a second to complete. 

For Eg. if we have restrict 25 entry processes that doesn’t mean that only 25 people can visit your website at a time. It’s because there is very rare possibility of 25 people browsing your website at the same fraction of a second.

When a visitor browses any web page of your website, the web server would start serving the request. While this request is being served, it will use one entry process.

Once this request has been served, the web server would no longer use an entry process and the entry process count would get decreased by 1.

Please note that cron jobs, shell scripts and other commands also use entry process for the duration of the time they are running.

Why such restrictions – Entry process limitations to ensure that no single user consumes all server resources and to prevent DDoS attacks against the web server.

Entry process will limit the number of concurrent connections to web server, thus preventing our server against malicious traffic.

When you use all allotted entry processes (25), new visitors would experience a 508 error.

4020 : INVALID : Information received from an Invalid IP address.

Error number: 4020Error message: 4020 : INVALID : Information received from an Invalid IP address.

Explanation:  If your website is integrated with Sage Pay using either the Server or Direct method we must have a valid IP address from your platform or web hosting company in order to accept transactions.

The 4020 error message indicates that the transactional post that is coming from your site/hosting company is not being made using the valid IP addresses that you have entered into your Sage Pay account – via MySagePay.

All transactions that are posted from your website/server MUST be sent via one of the IP addresses that you have provided to Sage Pay. If your IP address is not entered within MySagePay, or is coming from a dynamic IP range then you will always encounter this error.

Solution:  The 4020 error message is an easy fix, the first thing you will need to do to prevent this error is obtain the IP address that is being used to post the information through to Sage Pay.

You are able to locate the IP address that you are using by –

  • Process a transaction using the Sage Pay Simulator – you can then obtain the IP address that is being used for the transaction.
  • Contact your Server administrator – if your Server is being hosted internally – they will then be able to provide you with the IP directly.
  • Contact your Hosting Company – if your site is being externally hosted by a 3rd party – they will be able to provide you with the IP directly.
  • Perform a “Ping” test – open your start menu, type “CMD”, this will then load up the DOS screen where you can then type “PING” followed by the URL you are trying to reach – your own website – this will then provide you with the IP address of the site that is making the post to Sage Pay.

Once you have the IP address you will then be able to enter this into your MySagePay admin account, to do this see our Adding IP article here. 

https://www.sagepay.co.uk/support/error-codes/4020-invalid-information-received-invalid-ip-address

Types of Malware

1. Hacker Scripts

Very often during an attack there are a number of files of a certain type uploaded onto a victim’s system. These may be web shells (e.g. c99.php), backdoors, file uploaders, spam mailers, phishing pages, doorways (web pages that are created for the deliberate manipulation of search engine indexes), or defacement content (for example, the hacker’s logo, obscene messages, links, etc.). In some cases you can simply search the name of the suspicious file on the web to find out what it does—script kiddies usually do not bother modifying files much so it will probably turn up in search results.

2. Code Injection

Code injection: A popular method of malware deployment onto a target system is via injections: malicious code can be injected into the .htaccess file to create SEO and mobile redirections; PHP or Perl script injections can be used to create backdoors; malvertising scripts can be injected into static .js (JavaScript) and .html files; and, very often, it can be a combination of injection into an existing file together with the uploading of a command and control script. For example, malicious code can be injected into the exif-header of a .jpg file, and the code can be triggered and executed by some other benign-looking file uploaded in another part of the website.

3. SQL Injection

Database entries are a frequent target for hacker attacks. Static HTML content injections are possible using tags such as <script>, <iframe>, <embed>, or <object>. Such unauthorized code insertions can redirect visitors to related but unaffiliated sites, embed advertisements from which the site owner does not profit, embed mining trojans (e.g. CoinHive JavaScript miner), or spy on users and infect their computers using drive-by attacks. Besides this, many modern CMSs (e.g. IPB, vBulletin, modx and others) use template processors that allow the execution of PHP code, and the templates themselves are stored in the database. This gives attackers the opportunity to add backdoors and webshells to the website template directly in the database itself.

4. Cache Injections

Due to insecure settings of a caching server, for example, when using memcached, some injections can be done on cached data on the fly. In some cases, spam can be injected into website pages without actually hacking the core functionality of a website.

If hackers are able to get privileged (root) access to a server, they can replace some web server components or caching server components with infected versions. Such a web server can then be controlled via remote commands, and it can add dynamic redirects and malicious code to different website pages. As with cache injections, a webmaster is usually not able to spot the infection because all user files and databases appear unaffected. This is the most difficult case, and in some situations it is easier to rebuild the server and migrate user data rather than try to detect all the malware.

5. System components replacement​

By now, I’ll assume that you’ve already checked the files and database dump with AV scanners and that they have not identified anything malicious. If the malicious redirect or script (embedded in the <script> tag) is still somewhere on the pages of your website, redirects will continue sending users to malicious websites.

 Linux and some Unix-like systems, it is hard to find more useful commands for searching files than find and grep. 

This command will look for all files that were modified in the past week.

find . -name '*.ph*' -mtime -7

Sometimes, attackers change file modification dates to avoid detection. In this case, you can use the following command to look for .php and .phtml files that have had their attributes changed.

find . -name '*.ph*' -ctime -7

If you need to look for file changes in a certain time frame, you can also use this find command.

find . -name '*.ph*' -newermt 2015-01-25 ! -newermt 2015-01-30 -ls 

And let’s not underestimate the grep command as well. This command can recursively search for certain patterns in the files, drilling down through all folders and files. Here is an example.

grep -ril 'example.com/google-analytics/jquery-1.6.5.min.js' * 

When your web server is compromised, it is good practice to check files with the guid/suid flag, just to be safe.

sudo find / -perm -4000 -o -perm -2000 

Finally, you can use a command like this to identify what PHP scripts are currently running in the background and possibly impacting website performance.

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk '{ if(!str) { str=$1 } else { str=str","}} END{print str}'` | grep vhosts | grep php 

Malicious code analysis

Now that we know how to search for possibly malicious files, let’s dive a bit deeper and list what exactly we are looking for and where.

1. Check the upload, cache, tmp, backup, log, and images directories.

You need to check all directories that are used for file uploading. For example, with Joomla you should look for .php files in the ./images folder. There is a high chance that if you find something, it will be malicious. For WordPress it is worth checking the wp-content/uploads, backup and theme cache directories.

find ./images -name '*.ph*'

2. Looking for files with weird names

Here are examples of strange file names to look out for: php, fyi.php, n2fd2.php. You should also look for unusual patterns in file names. For example:

  • File names comprising an odd and unreadable mixture of letters, numbers and symbols, e.g. srrfwz.php, ath.php, kirill.php, b374k.php.php, tryag.php.
  • ​Because many users rename files by appending the digit ‘1’, look out for normal-looking file names that append numbers other than 1 to filename parts, e.g. index9.php, wp3-login.php.

3. Looking for files with unusual extensions.

Let’s suppose you have a website based on the WordPress CMS. Files with extensions such as .py, .rb, .pl, .cgi, .so, .c, .phtml, or .php3 would be unusual for such types of websites. If scripts or files with these extensions are found, most probably these are hacker tools. There is a chance of a false alarm, but it is low.​

4. Looking for files with non-standard attributes or creation dates.

As mentioned above, files with modified attributes are suspicious. For example, if all the .php files that were uploaded to the server via FTP/SFTP have the owner file attribute set to ‘user’, and you also see a number of files having this attribute set to ‘www-data’, then it is worth checking the latter. Also, check if the script creation date is earlier than the website creation date. You can use the command templates from the cookbook section to bake up your own search queries, and speed up or optimize them.​

5. Looking for doorways using a large number of .html or .php files.​

If a directory contains a few thousand .php or .html files, there is a high chance that this is a doorway. You can use the following command to find the top 50 directories with the highest file counts (if you have many hosting accounts and files on the server, it is better to use this command in the specific folder/home directory you would like to check to save some execution time):​

find ./ -xdev -type d -print0 | while IFS= read -d '' dir; do echo "$(find "$dir" -maxdepth 1 -print0 | grep -zc .) $dir"; done | sort -rn | head -50

 (Check this thread to find more details on the commands for checking directory file counts.)

Server logs can help​

  • Dependent relations between the date and time when an email was sent (using details in the mail log and email message header), and access_log entries, help to determine how mail spam was sent out, and find the mailer script on the server.
  • FTP xferlog analysis helps to identify which files were uploaded or changed during the attack and by whom.
  • If your mail server and PHP settings are correctly configured you can find the name of the sender PHP script and the full path to it in your mail log or in the full email message header. This helps to quickly find and eliminate the source of spammy deliveries.
  • Some modern CMSs and plugins have more advanced defense techniques to proactively detect cyber attacks. Their logs might show if there was any attack and whether the CMS or plugin was able to protect itself or not.
  • The access_log and error_log files also allow you to track a hacker’s actions, if you were able to identify the script names that were used, the IP address or the HTTP user agent (User-Agent). You can also check the POST request on the day the attack happened. Often, such checks allow you to find which malicious files were uploaded and which were already present before the attack.

Integrity checks

It is much easier to analyze attack vectors and look for malware scripts on websites if some security precautions were already made beforehand. Integrity checks help to identify the changes on the file system in a timely manner, and detect malicious activities quickly. The easiest and most effective way to perform such checks is by using version control systems such as git, SVN, or CVS. For example, with git, if you correctly configure the .gitignore file, the process of integrity checking comes down to executing two commands:

git status # check all changed files
git diff # find malicious code

This guarantees that you have a backup copy of your files, and allows you to quickly restore the website to a previous state. Experienced server administrators can also use inotifytripwireauditd and similar tools to track file and folder access and changes.

Unfortunately, it is not always possible to configure the version control system or any site integrity check services on a server. In the case of shared hosting, it is not possible to use a version control system or system services. To overcome this problem you can use CMS extensions, in the form of a plugin or a stand-alone script, to track file changes. Some CMSs (e.g. Bitrix or DLE) already have built-in integrity checks.

If the website is using custom scripts or is built with static HTML files, you can use the following shell command to make a snapshot of currently stored files:

ls -lahR > original_file.txt

If any malware threats occur you can create another snapshot and then compare them using any comparison software you like, for example, WinDiff, AraxisMerge Tool, BeyondCompare, the diff command (on Linux) or even compare snapshots online.

Thanks – https://www.imunify360.com/blog/how-to-remove-malware-from-a-website-manually