Some notes from last night’s MWUG meeting. Something I don’t get along to often enough, as Mike has mentioned on occasion. :)

Mike’s intro…

4.1 is out:

  • New default theme: TwentyFifteen, but watch out for the lack of a default menu
  • New template tags, e.g. get_the_archive_description
  • Taxonomy, date, comment and meta queries improved (including meta now taking nested queries)
  • Revamped Distraction Free Writing (DFW) mode

Security issues around:

  • RevSlider plugin vulnerability: code from this plugin was included in many, many themes. Check your theme code, documentation and settings for it; if it’s there you may well be compromised, so seek advice
  • InfiniteWP Client security issues

General news:


Plugins which caught people’s eye:

Moving into the second, more technical half of the evening…

Technical News

Main technical talk: Hosting Sites on Nginx by Mike

Mike’s going to be posting his Nginx config files, but I’m not sure if it’ll be on his blog or the MWUG site.

Nginx is a lighter-weight, faster alternative to Apache as a web server. Switching to Nginx in a high-intensity situation allowed Mike to halve the processors on a server. There was some code optimisation too, but the main difference was using Nginx rather than Apache.

Mike uses a Vultr VPS, 100% SSD VMs. Lower tier is adequate for many types of sites.

The first thing Mike does is install an open source web admin control panel called Virtualmin, which even handles the installation of the web stack for you. Some manual setup is needed with Nginx, but it mostly does it for you. There are some docs on Nginx setup on Virtualmin. Mike likes to set up the files as owned by root, so unwritable by PHP, meaning even if something does “get in” it can’t write code.

Virtualmin allows you to set up a new virtual server to contain your user, first step being to set up with just Nginx and MySQL (turning everything else off). From this point, WordPress will run fine (but without pretty permalinks).

Some good tutorials for WordPress on Nginx at RT Camp, but they do assume one site on one server. Here you can grab the equivalent of the WordPress .htaccess rewrite rules.

Mike’s not logging robots.txt or favicon.ico access, to avoid logging information he’s not interested in. He’s also banning access to debug logs, and to specific locations where WooCommerce adds log files (so these aren’t publicly accessible).

RT Camp have a tutorial to create a rule to block certain types of brute-force attacks on your WordPress login.

Virtualmin sets up a unique socket for each site, and assigns a unique set of PHP threads to that site, to avoid rogue code altering other sites.
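
The logging, access and login-throttling rules described above could look like the following server block. This is an added example, not Mike’s configuration or the RT Camp rule; example.com, the document root, the socket path, the zone name wplogin and the rate values are assumptions, and the log paths are the default WordPress and WooCommerce locations.

```nginx
# Added example; not Mike's configuration. Host name, paths, the zone name
# "wplogin" and the rate values are assumptions.

# http{} context: one shared-memory zone keyed on client address.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;

server {
    listen 80;
    server_name example.com;
    root /home/example/public_html;
    index index.php;

    # Equivalent of the WordPress .htaccess rewrite rules (pretty permalinks).
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Keep routine robots.txt and favicon.ico requests out of the logs.
    location = /robots.txt  { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }

    # WordPress debug log (default WP_DEBUG_LOG location).
    location = /wp-content/debug.log { deny all; }

    # WooCommerce log directories; ^~ stops the regex PHP block matching here.
    location ^~ /wp-content/uploads/wc-logs/ { deny all; }
    location ^~ /wp-content/plugins/woocommerce/logs/ { deny all; }

    # Throttle login attempts; excess requests get 429 and never reach PHP.
    location = /wp-login.php {
        limit_req zone=wplogin burst=3 nodelay;
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/path/to/this-site-php.sock;  # placeholder per-site socket
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/path/to/this-site-php.sock;  # placeholder per-site socket
    }
}
```

Running `nginx -t` before reloading confirms the fragment parses; requesting the debug log path afterwards should return 403.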

Mike pronounces “dir” as “dear”, which makes his explanations nice to listen to (I always say “durr”, which is much less kind on the ears).
