We just got a new workstation in the office. After getting it out of the box we were happy to realize that it already comes with a much better configuration for php 5.3 than the old 5.2 of OS X Leopard. Leopard only came with a very few and basic configuration and libraries, that were only fit to new web designer. Apparently they noticed this at Apple and this new version comes with a much better library set.

In general we have more than once person developing a site. So we use mysql databases that are hosted in a server that anyone can access, that way when someone makes a change to the databases it is immediately propagated to all developers, since we use something similar to a “networked drive.”

However, MySQL is still not included, but the folks at mysql have created a dmg that allows you to easily install mysql into your computer. You just need to download it, double click, and follow the prompt. The problem is that php comes with a strange version of mysqli. We were all exited and ready to go when:

Warning: mysqli::mysqli() [mysqli.mysqli] OK packet 6 bytes shorter than expected in /path/to/file on line…

mysqlidev won't let you connect to remote servers

This happens because the mysqli API library that php is using is the one that comes by default, not the one from the mysql version we just installed. Shoots, we need to recompile, and since we are at it, we will also recomplile with the new version of jpeglib.

Now it makes sense just to grab the configure options shown by phpinfo, but for some reason it references some locations that do not exists for jpeglib and libpng. So we will need to compile those too. Also make sure to remove your dir path from pcre otherwise it will also trow you and error.

Okay, let’s do this. First we download our source for PHP, LibJPEG, LibPNG

Lets compile libjpeg first: Once you have uncompressed the source, just go into the directory and type in the following

export MACOSX_DEPLOYMENT_TARGET=10.6
 
CFLAGS="-arch x86_64 -Os -pipe -m64" CXXFLAGS="-arch x86_64 -Os -pipe -m64" LDFLAGS="-arch x86_64 -Os -pipe -m64" ./configure --enable-shared

That should finish without problems, now go to your libpng folder and type the following

./configure --enable-shared

Again, it should finish without problems. Do the same for libPNG, and

Now, it would make sense to compile php now, but there are some know bugs in php when compiling on a mac so lets get those corrected first, before we continue.

Fist you will need to modify the file ext/gd/libgd/gd_png.c, so open it with your favorite text editor and look for the following string:



if (!png_check_sig (sig, 8)) { /* bad signature */

and replace it for this other line:



if (!png_sig_cmp (sig, 0, 8) == 0) { /* bad signature */

Now, using your favorite text editor go to the following file within your php source code ext/libiconv/libiconv.c
and look for



#ifdef HAVE_LIBICONV
#define iconv libiconv
#endif

and replace the libconv of the second line for just iconv

Okay, now we are ready to compile php, so go to the the root of your php source code and type in (copy & paste) the following

CGLAGS="-arch x86_64 -Os -pipe -m64" CXXFLAGS="-arch x86_64 -Os -pipe -m64" LDFLAGS="-arch x86_64 -Os -pipe -m64" ./configure '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-dependency-tracking' '--sysconfdir=/private/etc' '--with-apxs2=/usr/sbin/apxs' '--enable-cli' '--with-config-file-path=/etc' '--with-libxml-dir=/usr' '--with-openssl=/usr' '--with-kerberos=/usr' '--with-zlib=/usr' '--enable-bcmath' '--with-bz2=/usr' '--enable-calendar' '--with-curl=/usr' '--enable-exif' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/user/local' '--with-png-dir=/usr/local' '--enable-gd-native-ttf' '--with-ldap=/usr' '--with-ldap-sasl=/usr' '--enable-mbstring' '--enable-mbregex' '--with-mysql=mysqlnd' '--with-mysqli=/usr/local/mysql/bin/mysql_config' '--with-pdo-mysql=mysqlnd' '--with-mysql-sock=/var/mysql/mysql.sock' '--with-iodbc=/usr' '--enable-shmop' '--with-snmp=/usr' '--enable-soap' '--enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-xmlrpc' '--with-iconv-dir=/usr' '--with-xsl=/usr' '--with-pcre-regex'

Life is good

Now, go and grab yourself a cup of coffee, this is going to take a while. After that you should be able to connect to any remote mysql server that you have access to.

If you share your workstation with someone else, then it may be a good idea to secure your mysql installation.

Now, in order to make your .htaccess files to work, you need to change your apache user settings. For that you need to go to /etc/apache2/users/USERNAME.conf and make sure it reads something like this
Options Indexes -MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all

You will also need to change the second AllowOverride that you find in your /etc/apache2/httpd.conf

Well, that should do it. So good luck and let us know if you run into any problem.

Your wordpress installation may not be secure

Once an open source system becomes so popular as wordpress very often it becomes vulnerable to attacks. I wonder why the folks at wordpress have not done anything to enhance the security of the admin site, which, by default, you can access by going to /wp-admin.

The problem is that if you rename the directory then your wordpress installation becomes broken. I’ve looked and I could not find a plug-in that would let you change the wp-admin folder to something else, or at least conceal it. The only result that I found about how to do this is by Michi Kono. However the solution proposed has a few drawbacks like some links no longer working. Of course you have the option of restricting access to selected IP addresses via .htaccess but if you are like most non-commercial internet subscribers you don’t have a static IP, which makes things more complicated.

So here is another solution to make wordpress more secure while keeping all wordpress functionality.

The first thing we need to do is to pick what “name” we want for your admin section. For purposes of this “tutorial” we will call it “secure-login”.

Note: You are about to modify crucial files in your wordpress installation. So do this at your own risk, and please, please backup your files before you do this.

Now, open your .htaccess file and add the following line after the “RewriteBase ” line.

RewriteRule ^secure-login$     wp-login.php [L,NC,QSA]

so your .htaccess should look something like this.

# BEGIN WordPress
<IfModule mod_rewrite.c>

RewriteEngine On
RewriteBase /
RewriteRule ^secure-login$ wp-login.php [L,NC,QSA]

RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]

</IfModule>

# END WordPress

This tells your server that when you ask for “secure-login” you should be taken to wp-login.php

Now we need to edit wp-login.php which is located at the root of your installation. Add this before anything else.

 session_start();
 
//See what file is being requested by the web client, also store the arguments just in case.
list($file,$arguments) = explode("?", $_SERVER['REQUEST_URI']);
 
//if the user just logged out, destroy this session and redirect them to root
if("/wp-login.php?loggedout=true" == $file ."?" .$arguments || "action=logout" == substr($arguments, 0, 13))
{ session_destroy(); header("location: /"); }
 
//If our sentinel variable is set and true do nothing, allow normal script execution
if(isset($_SESSION['valid_entrance']) && $_SESSION['valid_entrance'] == true) { /* As they say, "Silence is golden" */ }
 
//Now if the user is requesting wp-login.php and our sentinel is not true, redirect the "attacker" to root.
elseif(stripos($file, 'wp-login') && !isset($_SESSION['valid_entrance']))
{  header("Location: /"); exit(); }
 
//If the user is requesting the right login entrance set the sentinel to true
elseif ($file == "/secure-login")
{  $_SESSION['valid_entrance'] = true; }

That’s all you need to do. Your wordpress installation just became more secure. Don’t forget to upload your updated files to your server.

I may do a plug-in whenever I find the time.

I would also recommend using Login Lockdown by Michael VanDeMar.

Let me know if you have any questions or recommendations for this