Tag Archives: web hosting

WordPress File Permissions: Always Check and Reset

You’d think after over a decade of troubleshooting WordPress permission issues that I’d have learned my lesson by now.

I’ve been diagnosing site performance issues with my garden blog (the Site Health tool was complaining). One of the issues that constantly kept coming up was a REST API error that reported cURL timeout issues. This usually manifested itself in agonizingly slow page load times. I went through the plugin/theme deactivation dance to hone in on the culprit: Fast Secure plugins that had been defunct for several years but still useful for buffering brute force attempts. I finally decided to move on to a different ReCaptcha solution and retire Fast Secure. Oddly enough, my primary site had the identical plugins installed but never encountered the same issues.

Moving on, I noticed that the Media Library thumbnails never displayed and that I had issues uploading/adding new media (cannot create directory). Now ordinarily my main media storage is in an S3 bucket, but I sometimes might need to make local posts unique to the garden theme of the site.

I spent hours and days researching this issue, thinking it had to be some kind of ownership issue. I kept flipping user and group ownership on files and directories, only to break ownership of other WordPress files and directories. I poured over logs looking for some indication of access errors.

Ultimately, I just had to reset all the file and directory permissions in my WordPress wp-content folder to get things working again:

$sudo find /path/to/website/wp-content -type f -exec chmod 644 {} \;
$sudo find /path/to/website/wp-content -type d -exec chmod 755 {} \;

Then I reset ownership of wp-content to my wp-user:

$sudo chown wp-user:wp-user -R wp-content/

Then finally, to make sure media uploads and thumbnails worked again:

$sudo chown www-data:www-data -R wp-content/uploads/

Of course while I was resetting file/directory permissions, it was worth reading the updated Permissions topic over at WordPress codex. Turns out I could have a functional site even with wp-config.php set to 440/400.

Last issue that drove me a little crazy. View Details on the Plugin page always resulted in an error: refused to connect. I was so sure that my restrictive firewall settings needed to open an IP block to the WordPress plugin repository. But it turned out to be an SSL issue. Because the details page was in an iFrame, an SSL setting needed to be set to permit this. In my case, I change this setting in the appropriate ssl parameter .conf file:

Header always set X-Frame-Options sameorigin

Then restarted Apache for settings to take effect. Now…does this toggling the option make my site less secure? I’m assuming that if the request came directly from localhost that the traffic should be permitted. I just have to ensure my servers are sufficiently secure against being hacked, a lesson I learned earlier this year, and a story for another day.

oEmbeds Stopped Working: adapting to the new Instagram/Facebook API

What a mess. Just found out that WordPress no longer supports Facebook Instagram oEmbeds, which essentially breaks the format of single Instagram posts on my other sites.

Unfortunately using a plug-in such as Smash Balloon Social Photo Feeds is causing me some grief due to a reliance on Facebook’s API. Already Facebook, unknown to me, locked my account for suspicious activity. (I have a 30 day old account, to use on Messenger and one group.) Then when I finally resolved that issue, Smash Balloon still insists on setting up a Facebook business page to allow for unlimited tokens. So much for staying off Facebook.

Finally, once I took care of the token I just had to repost some of the Instagram posts that were affected; Smash Balloon took care of the rest.

On a side note can you believe WordPress is on version 5.x? It’s come a long way since I first started using it over a decade ago. Also PHP just released version 8, but I guess WordPress is not ready for it yet…so for now, my sites are/will be running 7.4.

I still have to troubleshoot site health issues with my garden blog. I thought hosting on Linode would improve my site’s performance. I’m not sure sharing a database on AWS with my main site is causing the problem. More on that later.

Oh and another inconvenience is using the WordPress app on my my phone. I have to turn off Google VPN to access my self-hosted WordPress sites. It’s becoming quite a chore to disable it while trying to write a post.

Content and hosting update

I realize that new content has been relatively non-existent on this blog due to life and technical considerations. Life has been busy, occasionally fulfilling and oft times challenging, so much so that I’ve been neglecting the written word. On the other hand, my virtual life is somewhat active, whether that be in-game or in-Insta.

On the technical side of things, I’ve been deeply dissatisfied with my web host performance, so I’ve been tweaking things under the hood. I’ve moved away from Google Cloud for my web host VM since it just wasn’t priced competitively against AWS. I am sticking to Lightsail and their S3 storage service, and WordPress.com. Plus I’m dabbling in other services. Linode is my current favorite with their budget friendly yet robust Nanode plan. With a datacenter hosted out of Dallas, TX, I get speedy connections to my VM.

Winter indoors means nesting opportunities and more compute time. I hope to plan/execute home improvement projects and catch up on hobbies such as comic book collection, starting seeds and propagating new plants (big maybe this year), and cleaning up my online databases serving as backend to my social media content.

Year 2020 is just around the corner, and this is also a good time to reflect on new year resolutions. What lies ahead is a future full of opportunities and possibilities, but my foremost need is to keep oneself present and mindful to meet them. Learn, change, evolve.

Lose weight, get fit, eat healthy, expand knowledge. Spend more time with furdad and furkids. Get outdoors more often. Maybe smile more. Participate or volunteer outside my social circle. (That last one is scariest of all.)

Adventures in cloud hosting

Free hosting drama has brought my site postings to a virtual standstill in the last 6-8 months. It took me a long time to decide on a new home for my websites, which is why there haven’t been too many entries on subjects such as gardening or cooking.

But I think I’ve found at semi-permanent home at cloud hosts Amazon Web Services (AWS) and Google Cloud Platform (GCP). Both cloud services offered a free tier on which I could flex my Linux muscle and try self-hosting WordPress remotely.

After several weeks of experimentation and false starts (notably a Bitnami solution that was a headache to learn on top of all the other things I need to be familiar with), I can report that my sites are back up and running. At least temporarily. If administration doesn’t suck up too much of time, I hope to catch up on all the posts from the past year, which I will likely compress in weekly or monthly summaries.

Suffice it to say, my current hosting set up consists of Ubuntu 16.04 running Apache/PHP/MariaDB, with Webmin control panel for client administration. There’s obviously more under the hood, but these are the major aspects.

Let the blogging continue…or restart.

Automation challenges: troubleshooting and fixing my own problems with a paid WP plugin

Published content has been sparse lately due to an issue I faced with a premium plugin that assisted automating feeds to multiple social networking platforms, aka NextScripts Social Network Auto Poster. The issue came to my attention in late October, early November, when I resumed tinkering around with my main (source) site. WordPress, of course, had released upgrades since I last posted in September, which also prompted a slew of plugin updates. Bizarrely, only self-hosted WP cross-posting was affected; other networks such as Instagram, Blogger/Google, and WordPress.com were not experiencing the issue. Thinking the plugin might be at fault (specifically the WP code/api), I opened a ticket at NextScripts for support on November 1.

Well, it’s 6 weeks later and NOT A SINGLE RESPONSE FROM DEV about my still-open ticket. The only feedback I had was from a forum participant who suggested my SNAP woes (parse error not well formed) were due to an encoding issue. A few Google searches seemed to agree with this diagnosis.

So I checked and cleaned up databases at my source and target self-hosted WP sites–it was remotely possible that interim WP updates might have “corrupted” my databases. But quick peeks under the db hoods seem to suggest nothing fishy with the collation or character sets–and I had seen no evidence of junk characters appearing in my blog. Just to be certain, I exported all my data, recreated databases and users anew, deleted stale data leftover from bygone plugins and past WP iterations, and uploaded data into the new tables. To no avail!

I implemented WP hardening, thanks to a bit of paranoia that suggested a compromised install. To make sure that my WP install wasn’t corrupted, hacked or even hijacked, I checked file permissions on the source host, downloaded fresh copies of WordPress core, and uploaded them to the host. I ran Wordfence security scans to ensure I wasn’t missing an errant bit of code or a hole I missed. I looked over every line in wp_config.php to make sure the options were correct and even enabled/disabled WP debugging to see if I could find the issue. I changed my WP passwords to ensure that non-alphanumerics weren’t the cause of the problem. And just to test my PHP coding knowledge, I started looking over the WP code for XMLRPC until I went bleary eyed with all lines I had to sift through. I went so far as to sign up for WordPress beta testing in case some outdated WP code might not be passing muster with the host configs. No dice!

At this point, I concluded that it wasn’t the things I had complete control over that were the source of the problems. With plugin help visibly MIA/unavailable, it was time to investigate the hosted environments. What was so different with my self-hosted servers from the WordPress.com sites? Shared web hosting plans can be notoriously unreliable depending on the nature of your website, even if they aggressively advertise how “WordPress-friendly” they are. Usage limits, content restrictions, and hosting configurations can confound even the most basic vanilla WP installs.

While Google-shooting my plugin issue, I found similar complaints with the Jetpack plugin and other remote publishing apps, so I followed the technical support proffered for the competing product. Varnish Cache issues? Varnish validation seem to suggest otherwise. Problem .htaccess permission issues? Generated a new file, remarked out unneeded lines. PHP versions and missing libraries? Tried all the different flavors and checked configuration pages to make sure the appropriate extensions were loaded. Ran some cURL tests to validate this as well.

A noticeable difference among the hosts I worked on to serve my sites were in the database and web hosting software used. Some deployed Apache/MySQL in a traditional LAMP (Linux-Apache-MySQL-PHP) stack. Some hosts used Nginx, some used MariaDB. After researching MariaDB and confirming that hosts were using the latest stable build, I decided that the Apache/Nginx difference was key in trying to work around the issue. This explained why some .htaccess rules were being honored like the snippets below.

# Disable modsecurity filter for xmlrpc
<Files xmlrpc.php>
SecFilterInheritance Off
</Files>

<FilesMatch "xmlrpc\.php$">
Satisfy Any
#Allow from yourdomain.com
#Allow from yourdomainip
Require host yourdomain.com
Require ip yourdomainip
#Deny from all
</FilesMatch>

Nginx doesn’t allow user-level control in an .htaccess file; server blocks are implemented in server-level configs. It seemed likely that the Nginx environment was set up to block XMLRPC calls, and if Varnish/Nginx were conspiring in tandem, then there was no way I could implement a fix myself. My only recourse to solve the issue was to move my sites off the Nginx hosts. Once that happened, automation started working again.

What was most frustrating about all this is the utter lack of feedback from the plugin developer. There was nothing in the online FAQs that helped me research this problem, no activity on the ticket I raised, and zero leads in the plugin community. Even a reply as simple as “check your host” or “will get back to you” would have been appreciated, though not necessarily the premium support one would expect after weeks of no comment. A premium plugin would not be a good investment if my site had more than one user or more bandwidth to support (but silly me, I paid for the thing anyway). I wouldn’t recommend business-critical or high-traffic sites subscribing to this plugin unless it’s tested to work in their hosted environment. Of course, you get what you pay for in some hosting environments, particularly shared or free ones.