Configure U2F in Joomla and WordPress [VIDEOS]

User accounts. Without them, the back-end of your WordPress or Joomla site would be a barren wasteland. And, well, there would be no point in having a back-end.

However, with user accounts comes great responsibility not to get them hacked, as anyone with enough credentials can turn your website into a pile of spam for enhancement pills, Eastern offers and other unpleasantries.

Two-factor authentication is all the rage right now. I wouldn’t say it’s mainstream per se, as many users still think that their “kittykat01” password will protect them from evil. But it’s now available on pretty much every big site. It comes in a lot of forms and shapes, mostly in the form of OTP (and Android Authenticator).

U2F is one of those “universal” two-factor solutions. It’s backed (and implemented) by Google, GitHub and quite a few others. It’s also pretty easy to use. And, as of now, you can set up U2F in both Joomla and WordPress.

Now, I know we usually spell things out for you. However, we decided to switch things up a bit. We made two videos in cooperation with Ciptor Benelux, a small but fierce startup with a focus on authentication that’s hoping to take the Benelux (and then the world?!) by storm.

The videos should give you a good idea of how to set up U2F. The WordPress video is about five minutes long. The Joomla video is a bit longer, because we dove into Akeeba LoginGuard as well. It’s part “How to”, part “This component is pretty cool.”

How to set up U2F in WordPress

How to set up U2F in Joomla (using Akeeba LoginGuard)

Automattic brings free themes to Jetpack, WordPress Premium

Automattic, the company behind WordPress.com, WooCommerce, Jetpack and others, has been betting hard on services lately. To add more value for users of their existing services, they’re now bringing a big selection of themes to them, for free.

Jetpack brings a little more .com to your blog

Automattic’s plugin Jetpack tries to bring WordPress.com features to your blog. Options like social sharing, simple forms, sitemaps and others are a few clicks away if you install Jetpack and connect your website to WordPress.com. And now, Jetpack users get another “WordPress.com” perk: access to the WordPress.com themes. Users of Jetpack can now install templates that were previously only available to WordPress.com users, which comes down to 150+ free themes that can be installed within a few clicks. There are some pretty interesting templates in there. They might not all be “commercially” interesting for business sites, but a lot of them definitely have their uses.

WordPress Premium now includes… Premium Themes

WordPress Premium is a service that adds new features to your WordPress.com blog, like a custom domain name, more storage, more design options and VideoPress. As of this month, a new option has been added.

Premium users now have access to all “Premium Themes.” These are WordPress.com themes that you could unlock by purchasing them (for an average price of €80). Now, you can use these themes for free when you’re a WordPress Premium user, which is a great deal, considering a Premium plan costs you €99 a year. You do the math.

Error decoding JSON data: Syntax error – One Possible Fix

All right, all right. We’re mighty late with a ‘fix’ for this problem. But that’s because we hadn’t run into it either. Let’s get to it.

After upgrading Joomla to Joomla 3.6.3 you might see the following error when trying to edit an article (and possibly modules, …):

Error decoding JSON data: Syntax error

I am not going to pretend to speak developer all of a sudden, but this error means that something’s wrong with one of the ‘settings’ fields for your article / module: the JSON stored in it no longer parses. Somewhere in your database, a mistake was made.

One “popular” fix back in the day was to partially roll back to Joomla 3.6.2. That’s the wrong approach for two reasons:

  1. THAT VERSION WAS PATCHED FOR A REASON.
  2. You’re not fixing the problem. You’re just killing the messenger and burying the body.

Instead, you could look into the database itself. When I read from Michael Babker (I hope I wrote that right) that it could be as simple as one { too few in one of the ‘settings’ fields, I went to investigate.

So, here’s what you can do to try and solve the problem.

  1. Note the ID of the article / module.
  2. Open phpMyAdmin / the MySQL workbench of your choice.
  3. Look up the item in the table for com_content, com_modules or com_whatever-you’re-looking-for. Joomla is fairly good at naming its tables after what they contain. (No offense, Magento. You suck.)
  4. Compare the column values to those of articles / modules that work just fine, and focus on the start and end of each value. Do you see any extra or missing symbols?

When I tried this on my article, I stumbled upon the following:

[Screenshot: the article’s row in MySQL, showing the JSON in the attribs column]

Pay close attention to what’s going on in the attribs column. Something went wrong, and there’s an extra {“ at the start of the value that shouldn’t be there.

After removing these extra characters, the article opened again.

So, if you are confronted by a JSON error, check your data. And make a back-up first: you are editing raw rows, and one wrong keystroke will break the very field you’re trying to repair.
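Eyeballing one row in phpMyAdmin works for a single article, but a site can have hundreds of items, and the same ‘settings’ columns (attribs, metadata, params) can break in modules and menu items too. The script below is an added example, not part of the original post or of Joomla itself: it runs the comparison from the list above programmatically, flagging every row whose JSON column no longer parses and pointing at the exact character position where parsing fails. The sample rows are constructed to look like Joomla’s #__content table, with row 42 carrying the stray leading {“ that the post describes; the column names and the repair heuristic are assumptions for the example.

```python
import json

# Constructed sample rows shaped like Joomla's #__content table, limited to
# the columns that matter here. Row 42's attribs value carries the extra
# leading {" described in the post; row 41 is a healthy article to compare against.
SAMPLE_ROWS = [
    {"id": 41, "title": "Working article",
     "attribs": '{"show_title":"","link_titles":""}',
     "metadata": '{"robots":"","author":""}'},
    {"id": 42, "title": "test",
     "attribs": '{"{"show_title":"","link_titles":""}',
     "metadata": '{"robots":"","author":""}'},
]

# Assumed set of JSON-bearing columns to check (adjust per table).
JSON_COLUMNS = ("attribs", "metadata")


def check_json_columns(rows, columns=JSON_COLUMNS):
    """Return (id, column, message, position) for every value that is not valid JSON.

    Empty strings and NULLs are skipped: Joomla stores 'no settings' that way,
    and those rows open fine.
    """
    findings = []
    for row in rows:
        for col in columns:
            value = row.get(col)
            if value is None or value == "":
                continue
            try:
                json.loads(value)
            except json.JSONDecodeError as exc:
                # exc.pos is the 0-based offset where the parser gave up,
                # which is what you want to look at in phpMyAdmin.
                findings.append((row["id"], col, exc.msg, exc.pos))
    return findings


def suggest_repair(value):
    """Heuristic (an assumption, not a Joomla routine): if the value starts with a
    doubled '{"' prefix, drop the stray two characters. Return the repaired string
    only if it parses; otherwise None, so the row is left for manual inspection."""
    if value.startswith('{"{"'):
        candidate = value[2:]
        try:
            json.loads(candidate)
            return candidate
        except json.JSONDecodeError:
            return None
    return None


if __name__ == "__main__":
    for item_id, col, msg, pos in check_json_columns(SAMPLE_ROWS):
        row = next(r for r in SAMPLE_ROWS if r["id"] == item_id)
        print(f"id={item_id} column={col}: {msg} at offset {pos}")
        fix = suggest_repair(row[col])
        print("  suggested value:", fix if fix else "(no automatic fix, inspect by hand)")
```

In practice you would feed the rows from a `SELECT id, title, attribs, metadata FROM ...content` query (Joomla’s table prefix replaced) and apply any repair with an UPDATE only after taking a backup. On MySQL 5.7 or newer the first step can also be done in SQL with `JSON_VALID(attribs) = 0` in the WHERE clause; the script is still useful for seeing where in the value the parse fails.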

Fun story time: as it turns out, this wasn’t even the article the client needed to edit, and it only said “test”.

My iPhone “Coding” Setup

Us IT guys, we all have our preferred setups. Software, tools, operating systems, keyboards, preferred browsers… We could fight unholy wars about them.

I consider myself to be a pretty flexible guy. I don’t really worry about IDEs, mostly because I can’t remember what IDE stands for and because I use Coda 2 for 90% of the things I do.

Coda 2 is a Mac app, and while I’m a Mac user at work, my Mac(s) aren’t always in use. I usually use my Windows 10 laptop, but that means I’m struggling when the time comes to write some code or SSH into a server.

In that case, I could whip out my MacBook and find a way to make it work on my desk, or I could whip out my iPad / iPhone. They both also have a version of Coda installed. It’s a bit more limited in its features, but it can access the credentials Coda 2 stores in the cloud, and it’s got an easy-to-use SSH client. The only downside is that you’d be typing on an on-screen keyboard.

But today, I found what might be the ideal setup when I’m in a literal tight spot and need to use Coda for a bit. I present to you: my iPhone-as-a-coding-device setup.

[Photo: the iPhone coding setup on the desk]

This setup leaves me with plenty of room for my notebooks and the likes, while still giving me a good programming experience. Here’s what my setup looks like:

  • iPhone 6 Plus with Coda installed
  • Apple keyboard, connected through Bluetooth

That’s pretty basic so far. But take a look at my screen. I am streaming my iPhone to my PC, so I’m able to work in a big, easy to use window!

That’s because I’ve got 5KPlayer installed, a tool that allows you to use AirPlay to stream your iPad / iPhone to your Windows machine (if they’re on the same network). The configuration couldn’t be easier. Just install the software, and your iDevice will recognize the PC and be able to stream both sound and video to it.

You can resize the window, and up to 1920×1080 and even a bit higher, the content looks pretty great. Perfect when you need to do 15-20 minutes of programming. Or, in my case, when I need to stream a video from my iPhone to my Windows PC because my PC refuses to play the file. Long story, don’t ask.

How about you guys? Do any of you have particular or unusual setups or hacks? Let us know in the comments!


My WordPress Test Site Got Hacked

I am sure you’ve heard about the “scandal” in which millions of WordPress sites got “defaced” by those pesky hackers. As it turns out, according to reports from leading security companies, it wasn’t particularly hard to pull off either.

WordPress introduced a REST API which allows you (and others) to do all kinds of wizardry remotely. Apparently, that included the option to edit all your posts and pages without providing any kind of credentials. Great job, WordPress!

With millions of people being “hacked”, of course my test website couldn’t miss out. You see, I have WordPress sites in all sorts and shapes that I keep up to date. Personal blog. Work websites. Fun blogs. However, there are also my “test blogs”, which I use to test plugins for WordPress. I also have those kind of sites for Joomla, but that’s another story.

Most of those sites are hosted on Siteground, but one is hosted on a server I shall not name. One where updates don’t happen automatically, and WAFs are non-existent.

Well, my friends, that website got “hacked”. The reason I keep writing “hacked” is because allegedly it takes nearly zero knowledge or effort to pull it off. You just need to know about the exploit, do two minutes of work and you can go crazy.

Which they did. The nice Syrian Peshmerga left a message stating that ISIS sucks and that they’re going to do stuff. I’m guessing it’s related to shooting them. There was also the online pharmacy that wanted to promote some sort of products.

In my case, no damage was done. This is a test site. I don’t update it, because the site is a “throwaway” site. If something is broken, I’ll just start over. There’s the fair expectation that something WILL go wrong. Seeing the REST API hack in action on that site wasn’t scary; it was more of an “Aha, it’s that easy?” moment.

However, can the same be said about those other sites? How about your sites? Can you afford to have your website defaced? Probably not. It would be bad for business.

That’s why you need to make sure your websites are up to date. And educate yourself on what to do when you DO get hacked. To help you with that, here’s a short and sweet strategy guide.

How not to get hacked

  1. Keep your WordPress site up to date. Or, have someone else do it for you. Our friends over at Siteground allow you to enable automatic updates. If I’m not wrong – and I often am – they offer to enable this by default. The feature is super easy – once a new version is released, Siteground will roll it out for you. Alternatively, some “installers” like Installatron also roll out automatic updates. Of course, you could do it all manually, assuming you’ve picked up on the news that an update has been released. Unlike Joomla, WordPress doesn’t send reminders that a new version is available.
  2. Make sure you’re using quality web hosting. It’ll protect you from most server-side exploits. And if your hosting company is *really* good, they’ll have rules and checks in place to block common exploits before they reach your site, like (again) our friends over at Siteground have in place.
  3. Don’t install shady plugins. Or themes. That’s an open invitation to be hacked. And those “cracked” versions of ExpensivePlugin? Yeah, that’s not a good idea either.
  4. If your website is technically sound, make sure that *you* aren’t the weakness. If your password is easy to crack, change it. Websites like HaveIBeenPwned can tell you if you’ve been part of security breaches. That can lead to a big “Oh, shit” moment when you were using the same password everywhere. Also, make sure to enable two-factor authentication.

How to recover from being hacked

  1. Restore your back-ups. What’s that? You didn’t make any, and assume your host is making them for you? While that might be true in some cases, that is NOT a safe bet to make. Set up your own backup tool, like Akeeba Backup or VaultPress, and configure it. Make backups to more than one location. AND TEST YOUR BACKUPS.
  2. Audit your website. Do you know how they got into your website? If not, you probably have no idea how big the damage really is. If your website is used professionally, and your income depends on it, consider hiring an expert who knows what he’s doing. Unfortunately, that excludes most of the $5 freelancers from a certain continent that “claim to be expert in Joomla, WordPress, Drupal, Magento, Grav, Prestashop, OsCommerce, Ghost, Facebook and Microsoft Word.”

    If you are using Joomla, a tool like MyJoomla can help you audit your website. I’m sure similar websites for WordPress exist as well.

  3. Patch your security holes. Don’t just restore your website and assume you’re not going to get hacked again. The same hole that let them in the first time is still there after a restore, so you’d be wrong, and stupid, to assume that you were just unlucky.

Of course, some people would suggest that my list is missing “Migrate away from WordPress, lol.” I mean, yes. That can be an option if the security holes in WordPress concern you. Just keep in mind that no CMS is perfect, and all of them are prone to security problems. Yes, even the one you built yourself. Especially the one you built yourself.

Do you have tips or suggestions to update our list? Questions about being hacked? Use the comments below to be heard. Please keep the “WordPress sucks lol get gud noob” jokes to a minimum.
