A lot has been written about this. Classic phishing: an email from support@icloud.com urging you to do something (stupid). Rule one with such emails: check the sender, for example on macOS. That’s an official Apple address, WTF? The funny thing is that most blogs ignore this fact and apparently accept it as possible. Really? Apple should be in full control of this email domain. Someone suggested that it’s just a user email address, like somebody has an Apple ID called “support”. Of course not. The truth is much simpler and anybody can find it. Just display the real, i.e. raw, email content with a font like Read More →

After I decided to have my Mac mini (running Catalina) play the role of home server (with 9 Watts idle), a VPN solution to make the LAN reachable from the “outside” had to be added. The Mac mini replaced a Rasp-Pi with Home Assistant and WireGuard in Docker (5 Watts idle). Installing the WireGuard app on Catalina is tricky since the latest version (1.0.16) does not support Catalina anymore. Luckily I installed the 1.0.15 version of the app from the App Store some time ago and I could download it again (the cloud symbol) on Catalina (the App Store informs you that you will download a Read More →

So your site has a login page? Ever wondered how many “people” are knocking on your door? When I looked at the login attempts on my SSH front door, just shortly after a new server deployment, I decided to change doors (ports...). SSH login attempts are in the logs and are fun to look at. But how about failed WordPress logins? First of all, they are not in the logs. But this can be fixed easily like this:

—> create directory mu-plugins

    mkdir /var/www/<your site root>/wp-content/mu-plugins

—> create file wp-fail2ban.php in this directory

    <?php
    // Send HTTP status 403 when a WordPress login fails
    function admin_login_failed_403() {
        status_header( 403 );
    }
    add_action( 'wp_login_failed', 'admin_login_failed_403' );

Read More →

I described the installation of multi-site WordPress here, with the nginx webserver and the php-fpm processes both running as user www-data. According to WordPress, the webserver should have read access to all data and only the WordPress user should have write access. The concept of a WordPress user relates to hosted environments. So how to implement these requirements on your own VPS? First of all, php-fpm supports the concept of pools. Each pool can run with a unique user, separate from the webserver user. So each site should run in a separate pool. This results in the following accounts:

webserver: www-data user (default for nginx on Debian)
site 1: Read More →