Create temporary WordPress nonce

Maybe the title sounds a little contradictory, as WordPress nonces are not stored data, so there is nothing to expire. They are just hashes used for anti-CSRF purposes.
But for some special cases we may need to make a nonce "expire".

I mean, on the first request it should work, and on the second request it should return false. Or it should work today, and tomorrow it should be invalid.

This smells more like an anti-brute-force attempt than anti-CSRF, because anti-CSRF technology has no relation to time and expiration.

So, our aim is to create a form which works only once or only for a limited time. This solution may be useful when we make AJAX requests which should run only once via setTimeout. So after
Let's do that. (I write the sample for AJAX nonces, but the same method can be used with input and URL nonces too.)
 

Integrate Cloudflare SSL and WordPress Website

As we know, Cloudflare is a very popular CDN and web security service with millions of users. It has both free and paid features, but the free features are great in their own right, not just for trial purposes.

Some of the free features are DNS, Firewall, Caching, Network Control, Analytics and Crypto (SSL).

In this blog post I will write about the Crypto-SSL option.
Normally, to install an SSL (HTTPS) certificate on our website we need to buy a certificate first and then install/configure the needed files on our Apache server.

But when we connect our website to Cloudflare DNS (it is simple: just change the domain's nameservers to Cloudflare's) it automatically gives our website an SSL tunnel. Yes, without installing a certificate, with just a single toggle.

[Image: free WordPress SSL certificate with Cloudflare]

So, after changing the nameservers to Cloudflare's DNS and toggling the Crypto->SSL feature to FLEXIBLE, it is done: SSL for our website now works.

Now the only thing we have to do is prepare WordPress for HTTPS. Without this it simply can't work, because it is configured for HTTP requests and its Apache webserver has no configuration for port 443 and no certificate file on the server filesystem. There is no information about SSL on the server side; everything has been done on the Cloudflare side (so the hop between Cloudflare and our server is still plain HTTP; only the browser-to-Cloudflare hop is encrypted).

Let's solve it simply. After the DNS changes are active (it usually takes up to 1 day), do these steps:

1. Open wp-config.php and add these lines before the define('WP_DEBUG', false); line:

define('FORCE_SSL_ADMIN', true);
// Cloudflare terminates TLS and passes X-Forwarded-Proto; mirror it into $_SERVER['HTTPS'] so WordPress treats the request as HTTPS
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) { $_SERVER['HTTPS'] = 'on'; }

This redirects wp-admin requests to HTTPS and tells WordPress to treat the website as working over HTTPS, not HTTP.

2. Go to wp-admin -> Settings and edit the website addresses (change http:// to https://). You will be asked to log in again.

3. Open the .htaccess file and add this simple code:

RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This redirects all HTTP requests to HTTPS.

That's all. Now your WordPress website will work only over HTTPS (and browsers will show the green bar in the address bar), and this has been done without installing SSL certificates on the server side.

WP-Admin "Open Sesame", or yet another magic way to protect your wp-admin from attacks

There are obviously a lot of ways to block attackers from our WordPress admin login page, and there are a lot of plugins for that.

But what if we want to build our own logic: a secret key which changes itself daily, but which we always know, because we know the logic it is built with.

For example, what if our secret key to wp-admin is today's date plus a custom string? Funny, yeah? Or the md5 hash of today's date plus a custom string; in that case nobody will recognize how the keys are generated.

Let's write two little functions which implement this solution.

In this sample our logic is "secret key is current date + sesame", so for example if today is 2016-10-10, our secret key would be 2016-10-10-sesame.
So yoursite.com/wp-admin?call=2016-10-10-sesame will work, while yoursite.com/wp-admin will give a 404 error.

[Image: not-found-page-wordpress]
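The gate described above, written out as an added example (this is my code, not the original post's). It takes the `call` parameter and the `-sesame` suffix from the post; the cookie name `sesame_pass`, the `init` hook and the admin-ajax exception are my own choices, made so the login form POST and the wp-admin -> wp-login.php redirect (which both drop `?call=`) still get through once the key has been shown.

```php
<?php
// Added example: "Open Sesame" gate for wp-login.php and wp-admin as a small plugin or in functions.php.
// Today's key: 2016-10-10 becomes "2016-10-10-sesame". To hide how it is built,
// return md5( date( 'Y-m-d' ) . '-sesame' ) instead, as the post suggests.
function sesame_secret_key() {
    return date( 'Y-m-d' ) . '-sesame';
}
// True if the request carries today's key in ?call=... or in the gate cookie
// (the cookie name 'sesame_pass' is my own choice, not from the post).
function sesame_request_is_allowed( array $query, array $cookies ) {
    $expected = sesame_secret_key();
    foreach ( array( 'call' => $query, 'sesame_pass' => $cookies ) as $name => $source ) {
        $candidate = isset( $source[ $name ] ) ? $source[ $name ] : '';
        // hash_equals() compares in constant time, so a wrong guess leaks nothing about the key.
        if ( is_string( $candidate ) && hash_equals( $expected, $candidate ) ) {
            return true;
        }
    }
    return false;
}
// Only wp-login.php and wp-admin/* are gated; admin-ajax.php is left alone so
// front-end AJAX from anonymous visitors keeps working.
function sesame_is_gated_request() {
    if ( wp_doing_ajax() ) {
        return false;
    }
    return is_admin() || ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' === $GLOBALS['pagenow'] );
}
function sesame_guard() {
    if ( ! sesame_is_gated_request() || is_user_logged_in() ) {
        return; // public pages and already authenticated sessions pass
    }
    if ( sesame_request_is_allowed( $_GET, $_COOKIE ) ) {
        // Remember the key until midnight so the login form POST and the
        // wp-admin -> wp-login.php redirect, which drop ?call=, still get through.
        setcookie( 'sesame_pass', sesame_secret_key(), strtotime( 'tomorrow' ), COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        return;
    }
    // Wrong or missing key: answer with a 404, like a page that does not exist.
    nocache_headers();
    wp_die( 'Not Found', 'Not Found', array( 'response' => 404 ) );
}
// 'init' is the first hook where the current user is known and runs before wp-admin's auth_redirect().
add_action( 'init', 'sesame_guard', 1 );
```

Both date() and strtotime('tomorrow') use the server timezone, so the key and the cookie roll over at the same moment.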

You can also build your own logic which changes the keyword by the current date, the last post name or any other dynamic data. Or, to hide how your key is built, you can use an md5 hash.

For that purpose just use $secretstring = md5(date('Y-m-d') . '-sesame') in the code above.

[Image: wordpress-login-screen]