Transition Technology: Ticket Query

#457: Projects form - Enhance form entry

laura — Thu, 08 Nov 2012 18:15:44 GMT

1 - Entry Form:

Set up new fields and permissions and groupings
Enhance ‘helper’ texts and any links to other parts of TN listed on form to enhance usability and context.
CSS and potential of custom templating/panels if needed for style and layouts

#541: Documentation of the WordPress sites

chris — Wed, 01 May 2013 20:25:57 GMT

These pages have been created for the documentation of the wiki:WordPress sites running on wiki:PenguinServer:

So far they only have a listing on the plugins for each site.

Ideally they would document all the plugins, the theme and the steps that need to be taken to upgrade each site and also any other things that need documenting.

Laura is this something you might be able to help with? I'm happy doing some work on it but you know your way around these sites far better than anyone else.

#540: HTTPS for WordPress sites

chris — Wed, 01 May 2013 20:20:32 GMT

Currently the wiki:WordPress sites have have the following SSL certificates:

https://www.intransitionmovie.com/ -- Gandi commercial certificate and dedicated IP address
https://www.reconomy.org/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://www.earthinheritors.net/ -- CAcert non-commercial certificate and shared IP address (SNI)
https://parrot.transitionnetwork.org/ -- Gandi TN wild card cert and shared IP address (SNI)
https://parrot.webarch.net/ -- CAcert non-commercial certificate, this is the default site for clients without SNI support

None of the site are set to enforce HTTPS for logins, this should be done ASAP for intransitionmovie.com

I think we have several options going forward, the first 3 of this are the only viable ones though, IMHO:

SNI and Seperate Certs and Shared IP

Get a Gandi SSL cert for each site and rely on SNI rather than having a dedicated IP address for each site, this is the cheapest way to solve the problem, the certs are around £15 each.

The clients that don't work with SNI are listed here: https://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

Multi-domain Cert and Shared IP

Get a Gandi SSL cert with all the domains in, this is a little more expensive than seperate certs (around £20 per site) but it means that all the clients that don't work with SNI will work. One issue with this is when adding new site is that a brand new cert would be needed as additional names can't be added to multi-domain certs during their lifetime, this could be worked around by getting a single domain cert to run to the end of the life of the multi domain cert (this would use SNI).

Seperate Certs and Dedicated IPs

Getting a cert per site and a dedicated IP per site, this would cost the most as each IP address costs around the same as each cert, (so about £30 per site). It also seems like a great waste to use up a IP per site when they are so scarce and when technical workarounds to this old problem like multi-domain certs and SNI are now available. I don't favour this option.

Non-commercial CAcert Cert

This is the cheapest, it's fine if people are able to install the http://cacert.org/ root certificate but this is something that non-technical people seem to find hard and they also don't understand the security warnings that they get when the cert isn't installed. This option is the one currently in use but it's far from ideal and one of the other options needs to be adopted before enforcing HTTPS logins is deployed. I don't favour this option.

#619: Upgrade WordPress sites to 3.9.1

chris — Fri, 15 Nov 2013 14:38:05 GMT

News regarding the WordPress versions released since the sites were upgraded to 3.6.1 on ticket:594

We should consider how best to upgrade the wiki:WordPress sites running on wiki:ParrotServer and then ensure that they are upgraded.

#808: WordPress email being rejected due to From field

chris — Mon, 17 Nov 2014 19:28:23 GMT

This issues is like ticket:737 but with WordPress rather than Drupal causing the problem.

Laura has forwarded one of the returned emails which contains:

host aspmx.l.google.com [173.194.67.26]: 550-5.7.1 Unauthenticated email from yahoo.com is not accepted due to domain's 550-5.7.1 DMARC policy. Please contact administrator of yahoo.com domain if 550-5.7.1 this was a legitimate mail. Please visit 550-5.7.1 http://support.google.com/mail/answer/2451690 to learn about DMARC

#894: Brute Force Attacks Against WordPress XMLRPC

chris — Thu, 07 Jan 2016 11:23:51 GMT

For a few months I have see a lot of requests going to WordPress /xmlrpc.php and wasn't sure why, now it is clear:

Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.

https://blog.sucuri.net/2015/10/brute-force-amplification-attacks-against-wordpress-xmlrpc.html

I'd like to install Stop XML-RPC Attack on all the WordPress site we host, unless anyone has a good reason not to. This plugin simply whitelists the JetPack/Automattic's subnets and blocks all other access to /xmlrpc.php.

I started tracking the abuse a while ago and you can see it and manually address it on ParrotServer like this:

sudo -i
wp-xmlrpc-abuse
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

But we need to be more pro-active in blocking access or we are going to probably see some compromised sites.

#488: Set up Dev/Test and update CodeManagementReleaseProcess for new Aegir, Git, Drush make approach

jim — Mon, 04 Feb 2013 19:07:31 GMT

This page is now out of date... https://tech.transitionnetwork.org/trac/wiki/CodeManagementReleaseProcess

This ticket is to update this with a new version, and set up Dev and Test environments, documenting all as we go.