WordPress is under attack! Watch it! Password Protect it!

What? What do you mean? There’s already a password. Yes, you need to log in when you want to put up a new blog post or do maintenance of some sort. However, that doesn’t mean that you can’t have an additional layer of protection. Not only can you have it, WordPress actually recommends it here: https://codex.wordpress.org/Brute_Force_Attacks

I looked in my nginx access log and I saw a bunch of messages that looked like this:

95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:48 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:49 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

After doing some investigation, it appeard to be the sathurbot attacking my blogsite. It’s some sort of distributed piece of malware that attacks poorly maintained or blogs with weak passwords. The malware tries to attack the wp-login and something else. You can read more about it here: https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/.

The first thing I did to counter this issue was configure Cloudflare to under attack mode. This gives the client a short delay when connecting to your site so that can’t get to the file. This should stop the entries in the log completely, immediately. Since I don’t want users to see the delay all of the time, I decided after the attacks slowed to have nginx password protect the file so that when trying to request it, nginx will ask for a password as well. This way, you’ll need to authenticate twice to get into WordPress, but it’s okay. The extra trouble gives me peace of mind that I’ll less likely be attacked.

With nginx, I did it this way:

location ^~ /wp-login.php {
 auth_basic "Administrator Login";
 auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
 include fastcgi.conf;
 fastcgi_intercept_errors on;
 fastcgi_pass php-wphandler;
 fastcgi_buffers 16 16k;
 fastcgi_buffer_size 32k;
}

The .htpasswd is a hashed file. You can create it with the htpasswd command that comes with the apache2-utils package. The file would look something like this:

alton:$@AFSADF$SDFapr1$yDoxiXVW$aFe

Now in my logs, I get 401 messages instead of 402 messages.

172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
172.68.246.96 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "193.93.187.11"
162.158.91.51 - - [29/Nov/2017:09:49:22 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "93.172.55.76"
141.101.77.120 - - [29/Nov/2017:10:08:03 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "41.100.125.248"

I also know that they’re less likely to hack my site. 🙂

Happy blogging!

Read this before changing the iPhone screen yourself to save $50 or more.

Don’t be afraid to change your cracked iPhone screen yourself. Here are some caveats before you do.

You can get the screen for pretty cheap. Just about $20. What you do NOT want, is to get just the glass. Replacing just the glass is way more difficult. The LCD and the touch digitizer is glued onto the glass, so removed those pieces and gluing them back onto the new one is extremely difficult and not worth the $10 in savings.

Don’t freak out if your new screen and old one don’t look exactly alike. The left is my phone. The right is the screen replacement. There’s a piece rubber that needs to be removed. They’re the same screen.

Consider getting a magnetic mat. I didn’t have one when I replaced mine, but fI can see the value. A couple of alternatives to doing this is to create your own place where you’re putting your screws, like using some double-sided tape on the table or packing tape, upside down, so that you can stick your screws to it. I used a white bowl, where I put a magnet inside. I have a little spinning toy that’s stuck to my fridge that I took off. I used the different spaces at the edge of the toy as a divider and put the screws in order so that I would put them back in the same order. Here’s a picture:

Consider getting some spare screws. They are very easy to lose. They only cost about $2.

You might need another metal shield plate. I broke mine. The ribbon is glued onto the glass screen and I just yanked it off with the tweezers. Be careful and you might not need it, but know that if you do break it, it’s only $4. I’ve circled where I broke it.

Lastly, just be careful when taking your phone apart and putting it back together. It could take from 15 minutes to an hour.

Here’s a nice video that shows the process:

Here’s a guide from iFixit that shows you how to do the replacement step by step: https://www.ifixit.com/Guide/iPhone+6+Plus+Display+Assembly+Replacement/30265Good luck!

3 Steps to shop for the best deals and get the maximum amount of points online!

While shopping this holiday season, don’t leave travel points or rebates on the table! A lot of people, myself included, often will just go straight to Amazon or eBay for certain things without even thinking about shopping around for the best deal or what rewards they can get for a purchase. I must admit that I’ve bought things countless times off of those sites either going directly or using a link off of a deal site.

Shopping online is almost always better than shopping at a brick and mortar. It’s almost always cheaper at least. One thing about shopping online though is that you can’t touch the product, smell it, etc. That said, you can always use the store as a showroom – go to a store and do that and then order online.

Decide what you want to buy: If you’re just looking for a deal and not looking for something specific, some of my favorite deal sites are: slickdeals.net, bensbargains.com, and spoofee.com. When you’re looking for something specific, you should search the forums on slickdeals.net to see what others say as well. For some tips on saving money from Amazon, check out thebabbleout.com.

At the point where you’ve decided on what you’re going to buy, do NOT just add to cart and buy. That won’t give you all the discounts or points you want.

Use Gift cards: First off, do you have any gift cards? If not, would it be worthwhile to buy one and get some points off of it? The best way to acquire gift cards is by seeing if there’s one you can get at a significant discount. A couple of ways to do this is via eBay or Gift Card Granny. Another one of my favorite ways to acquire gift cards is at 5% off. When the Chase Freedom card has 5x points on stores that sell gift cards, that’s when I go out and buy them. I bought a few thousand dollars worth of gift cards at Safeway the last quarter they had 5x points on grocery stores. That’s about 5% off right there. Another way I like to acquire gift cards is through Mileage Plus X. With it, you can get one or more United Airline miles for every dollar you spend on a gift card. I have learned whenever going to a chain store to check the app to see if I can buy a gift card for use.

Use shopping portals: When you’ve decided for certain what you’re buying and which store you’re buying from, if you’re buying online, you want to see if the store can be access via a  shopping portal for additional rewards. The site I like to use is evreward.com. It’s generally up to date, but sometimes, other shopping portals can run special promotions so that you might not want to miss. Also factor in bonuses. Sometimes, the shopping portals can run bonuses so you might want to buy from the same one, like if you spend X amount of $ using the portal, they can give you Y amount of points. The various shopping portals can give you points from a plethora of different loyalty programs, including cash back. Here are some of my favorites: Ebates.com for cash back, American Airlines AAdvantage eShopping for AA miles – they’re generally more than United miles. There are other shopping portals, but those are my favorites. It just depends on which airlines you like to fly, hotels you like to stay at, or if you would just prefer cash.

Buy with the credit card that gives you rewards. Lastly, use the credit card that gives you the rewards you want. This could be the Target card that gives you 5% off, your favorite airline card or your favorite cash back card. Just remember that when you spend cash, you lose cash.

So, here are some examples:

Last year, on Black Friday, I foolishly went into Target and bought an iPad. It was a great deal. I think it was $400 for a 64 or 128gb. I tried my Target card, but forgot the pin. I didn’t want to get back into line again, so I just bought it with my regular card that probably gave me 1% back. That’s only about $4. Had I been able to use the Target card, I would’ve gotten about $20. That’s a significant difference, but had I bought online, where I didn’t need to even leave the house, I could’ve used the AA portal, at the time that was giving 3 points per dollar, and gotten my 5% + about 1200 AA points. 1200 AA miles is a mid distance flight! There aren’t too many discounts for Target gift cards, so I’m going to leave that to another example.

I was in need of a laser printer and for some reason, after perusing deal sites, I decided on a Dell. There weren’t a ton of deals at the time, but then I decided to use gift card granny, that sent me to buy a gift card from Raise.com. The printer cost about $100, 108 with tax. I paid $96 for the gift card, giving me $4 off. The credit card I used to buy the card gave me 2% cash back, so I took another $2 back on top of that. I again used the AA portal to give me 3 AA miles per dollar and got just over 300 points.

There’s a local banya that I like to visit for hot tubbing and sauna. The typical entrance fee is about $50 for a 1/2 day. The place also sells a Groupon for about the same price for a full day. I never go for more than a 1/2 day anyway. Why would I buy a Groupon when there’s an expiration date and it’s no cheaper than going direct? Again, gift cards and shopping portal. I don’t remember what % off I got from Gift card granny. I might have bought it from Safeway @ 5% off. Then I took 3 AA miles/dollar @ the AA shopping portal. I’ve had up to 10 miles/dollar for Groupon via the United portal.

My last example is an interesting one. Capital One gives you a credit card number instantly after you’re approved when signing up for a new card. For this reason, I was able to use it immediately and knock out about $500 of spend before I even received my credit card in the mail. I keep a list of all of the automatic payments I made and when I get a new credit card number, I change them all immediately. I did this immediately after I applied and was approved for the Capital One Spark card. I then put the number into Mileage Plus X and went to the mall. There, we ate at Red Robin, Cold Stone Creamery, bought gifts and Hollister and Bed Bath and Beyond. For all of those things, I bought gift cards with the Mileage Plus X card. Spent all this money without even getting the credit card yet.

Happy Spending! Hope this read saves you some money! 🙂

Please share any of your tips down below. 🙂

Remember to upgrade Virtualbox Guest Additions when you upgrade Virtualbox!

If you’re wondering why you might not be getting access to your shared folders in your guest OS after upgrading Virtualbox, this could be the reason. Virtualbox Guest Additionals (like VMware tools for Virtualbox) might need to be upgraded as well.

You can expect a system error 53, network path not found if the Guest Additions is not installed. When in the UI, it will say something like this: “Windows cannot access \\vboxsvr error code: 0x80070035 The network path was not found.”

Hope this help!