All posts by Abhishek Nagekar

WordPress Security Checklist: How To Secure Your WordPress Website

WordPress has been powering my blog since the start of last year. In fact, migrating my Jekyll template to WordPress was one of the highlights of my new year 2021 and I’m very happy that I did, although I didn’t publish as much as I had hoped for. Fortunately, I’ve learned a lot more about WordPress over the course of a year than when I started. In this short primer, I hope to go into a bit more depth on how to securely run a self hosted WordPress website.

Prerequisites

Before we get started, there are a few things we need to make sure we have:

  • Self hosted WordPress installation with SSH access
  • Administrator account to set up plugins

Table of contents

  1. Keep plugins to the minimum and up to date
  2. Fix file permissions
  3. Two-Factor Authentication
  4. Set up auto banning of failed logins
  5. Enable regular backups
  6. Disable XML-RPC
  7. Disable file editing in WordPress admin
  8. Use a Web Application Firewall
  9. Don’t forget the usual web security measures

1. Keep plugins to the minimum and up to date

I wish I could just sticky something like this on top of most of my articles, but most people trying to attack our websites don’t have the time or resources to develop and use 0days. They use existing exploits out in the wild, and some of these exploits can be months old, if not more. WordPress core and plugin authors can do little more than promptly release patches for the security vulnerabilities they find.

So then it is up to us as site admins to make sure we patch as soon as is feasible. Having worked on many large codebases, I know automatic updating isn’t always possible or even desirable, but keeping an eye on the changelog can definitely help you avoid getting compromised.

I’d also recommend a web security helper plugin that sends alert emails when it detects outdated plugins / themes / core.

2. Fix file permissions

During development, the permissions on many files and directories are way too open, to make it easy to set up the website and all plugins. In production, however, the permissions can be dialed down a notch to prevent anyone with any kind of access on the server from taking over the whole website.

Similarly, attackers typically upload shell code through the uploads functionality, and if code execution is disabled in the uploads directory, this attack becomes much harder to pull off.

A detailed guide on setting file permissions can be found on official WordPress documentation: https://wordpress.org/support/article/changing-file-permissions/
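As an added check that is not part of the original post: the following PHP CLI script walks a WordPress tree and reports anything that deviates from the typical values in the WordPress documentation linked above (directories 755, files 644, and a stricter wp-config.php, which the script assumes to be 600 or 640), plus any PHP file sitting under wp-content/uploads, where the post recommends that execution be disabled. The function name and the exact thresholds are assumptions; the 755/644 values are the documentation’s typical defaults, so a site that deliberately uses group-writable deploys will see those flagged too.

```php
<?php
/**
 * Permission audit for a WordPress tree (added example, not from the post).
 * Usage: php audit-perms.php /var/www/html
 * Exit code 1 when there are findings, 0 when the tree looks as expected.
 */

function an_audit_permissions( string $root ): array {
    $findings = [];
    $real     = realpath( $root );
    if ( false === $real ) {
        return [ "path does not exist: $root" ];
    }
    $root = rtrim( $real, '/' );
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $path => $info ) {
        $mode = $info->getPerms() & 0777;
        $rel  = substr( $path, strlen( $root ) + 1 );

        // Any write bit for group or others lets another local account edit it.
        if ( $mode & 0022 ) {
            $findings[] = sprintf( 'writable by group/others: %s (%o)', $rel, $mode );
        }
        if ( $info->isDir() && 0755 !== $mode ) {
            $findings[] = sprintf( 'directory not 755: %s (%o)', $rel, $mode );
        } elseif ( $info->isFile() ) {
            if ( 'wp-config.php' === $rel && ! in_array( $mode, [ 0600, 0640 ], true ) ) {
                $findings[] = sprintf( 'wp-config.php should be 600/640 (%o)', $mode );
            } elseif ( 'wp-config.php' !== $rel && 0644 !== $mode ) {
                $findings[] = sprintf( 'file not 644: %s (%o)', $rel, $mode );
            }
            // PHP under uploads is exactly what the post says should never be able to run.
            if ( 0 === strpos( $rel, 'wp-content/uploads/' )
                 && preg_match( '/\.ph(p|tml|ar)\d?$/i', $rel ) ) {
                $findings[] = 'executable script in uploads: ' . $rel;
            }
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' ) {
    $root     = $argv[1] ?? getcwd();
    $findings = an_audit_permissions( $root );
    if ( ! $findings ) {
        echo "No permission findings under $root\n";
        exit( 0 );
    }
    echo implode( "\n", $findings ), "\n";
    exit( 1 );
}
```

Run it as the web server user (or root) so every directory is readable; a non-zero exit code makes it easy to wire into a cron job or a deploy pipeline as a regression check after plugin installs.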

3. Two-Factor Authentication

Administrator accounts have many powers on a WordPress website, and a compromised administrator account can lead to PHP shell code being uploaded, which in turn leads to command execution and server compromise.

To make sure admin accounts are extra secure, enforce 2FA on all administrator accounts. This can be done by any 2FA or login security plugin on the WordPress plugin store.

4. Set up auto banning of failed logins

Since WordPress doesn’t ship with any built-in way of auto-banning failed login attempts, we have to rely on plugins like WordFence. WordFence will need to be configured with options to block login attempts after a certain number of failed attempts.

WordFence can also help you disable execution in upload directories, block IP addresses making malicious requests and much more.

5. Enable regular backups

While we can take preventive measures against mishaps, we can never be sure. Hence it is imperative that the website is backed up regularly. Backing up can be done at multiple places. The database can be backed up separately from the static assets and files. There are many plugins, like WPVivid, that help you fine-tune what gets backed up and where it gets stored. It is always nice if you can afford an external backup location, like AWS S3.

The hosting provider might also have ways of backing up the website. For example, AWS Lightsail has daily instance snapshots which back up the entire disk.

6. Disable XML-RPC

If you don’t use plugins that rely on XML-RPC or the WordPress mobile app, it is wise to disable XML-RPC, which removes another attack surface that is widely used by attackers. Many plugins allow the disabling of XML-RPC, including the aforementioned WordFence.
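If you would rather not depend on a plugin for points 4 and 6, both can be done with a handful of core hooks. The following must-use plugin is an added example, not code from the original post or from WordFence: it turns off XML-RPC and throttles failed logins per client IP using transients. The file name, the `an_` prefix, the threshold of 5 failures and the 15 minute lockout are assumptions you can tune.

```php
<?php
/**
 * Plugin Name: Login throttle and XML-RPC off (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

// 6. Disable XML-RPC. 'xmlrpc_enabled' only disables the methods that need a
// login, so the method list is also emptied to cover unauthenticated calls.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Stop advertising the endpoint in the X-Pingback header and in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Throttle failed logins per client IP, using a transient as the counter.
const AN_LOGIN_MAX_FAILS = 5;   // assumed threshold
const AN_LOGIN_LOCKOUT   = 900; // assumed lockout window in seconds

function an_login_client_key() {
    // REMOTE_ADDR is only meaningful if the web server restores the real
    // client address behind a CDN or reverse proxy (e.g. from CF-Connecting-IP);
    // otherwise every visitor shares the proxy's address and its counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'an_login_fail_' . md5( $ip );
}

// Core fires this action with the attempted username after every failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = an_login_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, AN_LOGIN_LOCKOUT );
    error_log( sprintf( 'login failed for "%s" (%d in window)', sanitize_user( $username ), $fails ) );
} );

// Refuse authentication while the client is over the threshold. Priority 30
// runs after core's username/password checks at 20, so this error wins.
// A refused attempt also fires wp_login_failed, which extends the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( an_login_client_key() ) >= AN_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_failures',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter once the client logs in successfully.
add_action( 'wp_login', function () {
    delete_transient( an_login_client_key() );
} );
```

Transients live in the options table (or in the object cache if you run one, such as the Memcached setup from the PageSpeed post), so the counter survives across PHP workers. The throttle complements, rather than replaces, the 2FA from point 3: it limits how many guesses a single address gets, while 2FA makes a correct guess insufficient on its own.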

7. Disable file editing in WordPress admin

Disable editing of files from WordPress admin, as that’s almost never a good idea, especially if you can achieve the same using more secure methods like SSH. To disable the file editor, simply add

define( 'DISALLOW_FILE_EDIT', true );

to your wp-config.php file.

8. Use a Web Application Firewall

A firewall plugin like Sucuri or WordFence can identify attack signatures and block malicious requests. Many also include IP address block lists that prevent known malicious IP addresses from reaching your WordPress website.

For more control, there’s ModSecurity. ModSecurity needs to be installed alongside the web server, and it can detect and block known attack signatures for not just WordPress but just about any popular web framework. It does require deeper technical know-how to set up and maintain ModSecurity, and a plugin might be a better approach for most people.

9. Don’t forget the usual web security measures

A WordPress website is, at the end of it all, a website. While there are WordPress specific ways of hardening a WordPress installation, there is also a whole plethora of best practices that apply to every website, including the WordPress ones.

  1. Use HTTPS – SSL/TLS certificates are free, and usually come by default with many hosting providers and CDNs. Don’t forget to turn it on and enforce it in strict mode.
  2. Use appropriate security headers – Headers tell the browser how to handle your website’s content. Many client side attacks can be mitigated by using the right set of headers. A detailed list of useful headers can be found on OWASP’s website: https://owasp.org/www-project-secure-headers
  3. Use CAPTCHA on the login page – to prevent bot submissions and more sophisticated brute-force attacks, enforce a CAPTCHA like reCaptcha on the login page. WordFence supports this out of the box (needs an API key from Google).
  4. Handle user input with care when using a custom theme – when using a custom theme that accepts user input in the form of query parameters to show filtered content, the regular best practices around user-generated input have to be followed. Embedding user input in output can lead to Cross Site Scripting, while passing it straight to the database can lead to SQL Injection.
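Points 2 and 4 above are the two a custom theme author has to write code for, so here is an added example of both for a theme’s functions.php; it is not code from the original post or from the Elementary theme. The header values, the `topic` query variable and the `an_` function names are assumptions. The content security policy shown is a deliberately plain starting point (no `'unsafe-inline'`), which will block the inline scripts and styles WordPress normally emits unless those are removed as in the PageSpeed post; adjust it to what your theme actually loads.

```php
<?php
/**
 * Theme-side hardening (added example, not from the post).
 */

// 9.2 Security headers on every front-end response ('send_headers' fires for
// front-end requests only). Header values are an assumed baseline.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    header( "Content-Security-Policy: default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'" );
    if ( is_ssl() ) {
        // 9.1: HSTS only makes sense once the whole site is served over TLS.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );

// 9.4 Filtered content from a query parameter, e.g. /?topic=security.
// Register the variable so WordPress exposes it through get_query_var().
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'topic';
    return $vars;
} );

// Vulnerable version, kept only to show the two mistakes the post describes:
// raw request data goes into the SQL string and into the HTML output.
function an_topic_posts_unsafe() {
    global $wpdb;
    $topic = $_GET['topic'];                                  // untrusted
    $rows  = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%$topic%'" // SQL injection
    );
    echo "<h2>Posts about $topic</h2><ul>";                   // reflected XSS
    foreach ( $rows as $row ) {
        echo '<li><a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a></li>';
    }
    echo '</ul>';
}

// Hardened version: sanitize on input, bind the value with prepare(), and
// escape on output. The same rules apply if you use WP_Query instead of $wpdb.
function an_topic_posts() {
    global $wpdb;
    $topic = sanitize_text_field( get_query_var( 'topic', '' ) );
    if ( '' === $topic || strlen( $topic ) > 64 ) {
        return;
    }
    // esc_like() keeps a user-supplied '%' or '_' from acting as a wildcard.
    $like = '%' . $wpdb->esc_like( $topic ) . '%';
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s
         LIMIT 20",
        $like
    ) );
    echo '<h2>Posts about ' . esc_html( $topic ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        printf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    echo '</ul>';
}
```

The hardened function treats the parameter as untrusted at every boundary it crosses: `sanitize_text_field()` on the way in, `$wpdb->prepare()` at the database, and `esc_html()`/`esc_url()` at the HTML. Doing only one of the three is the usual way such code ends up exploitable.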

In conclusion

I hope that was useful. If you have any questions around WordPress or suggestions to improve this article, feel free to reach out to me via email. Thank you for reading!

Perfect 100/100 PageSpeed Score With WordPress

A long time ago I worked on a theme called Elementary for my Jekyll blog. The goal was simple, to create a website that just works, and works fast. In fact, I’ll just paste the line from the readme of the GitHub repository.

This is my personal blog’s Jekyll template that I’ve been optimizing for performance, accessibility, usability, readability and simplicity in general.

I personally do not approve of personal blogs bloated with hundreds of kilobytes of trackers and analytics code, and hence, this is an attempt at creating something that I’d be comfortable with using on my website.

The goal was accomplished. I managed to get a perfect score on many of the pages. But I wanted to write more and while on the go, and plaintext editing on phones is a pain. Then the other problem was to add it to git and push it. In short, working with a static blog from an Android phone wasn’t easy.

That’s when I moved to WordPress. I ported the theme to Elementary-WordPress, which is essentially the same theme but in a WordPress shell. It worked really well, but the problem was all the bloat that WordPress sends to the frontend. For a while I didn’t care enough. I was still serving a fast website, albeit with jQuery, emojis and other code that wasn’t getting used anywhere else.

Today, that changed. I finally took some time to optimize the website and got back my perfect 100/100 PageSpeed score. Here’s how I did it.

Table of contents

  1. Disable jQuery
  2. Disable wp-embed
  3. Disable block library CSS
  4. Disable emoji
  5. Serve fonts from same domain
  6. Use font-display: optional property
  7. Use an in-memory page cache like Memcached
  8. Fix conflicting cache strategies
  9. Use a CDN for asset delivery
  10. TODO: Inline all CSS and Javascript

Disable jQuery

If your website isn’t ancient, there’s a good chance you’re not using it. If a plugin you rely on uses jQuery, consider alternatives. It will save you ~30KB and an HTTP request. Adding the following to functions.php should do it.

function jquery_dequeue() { 
  wp_deregister_script( 'jquery' );
}
add_action( 'wp_enqueue_scripts', 'jquery_dequeue' );

Disable wp-embed

The following snippet from this answer needs to be added to functions.php

function wp_embed_dequeue() {
  wp_deregister_script( 'wp-embed' );
}
add_action( 'wp_footer', 'wp_embed_dequeue' );

Disable block library CSS

*Sigh* This goes into the functions.php

function remove_wp_block_library_css(){
  wp_dequeue_style( 'wp-block-library' );
}
add_action( 'wp_enqueue_scripts', 'remove_wp_block_library_css' );

Disable emoji

I found some nice code to disable a whole bunch of unnecessary actions from this guide here: https://kinsta.com/knowledgebase/disable-emojis-wordpress/#2-disable-emojis-in-wordpress-with-code

Serve fonts from same domain

If you’re not super keen on using the smart browser detection functionality that Google Fonts offers and are happy only supporting modern browsers, simply downloading the font files and linking them with @font-face can save an additional DNS and HTTP request.

Use font-display: optional property

I’m using the font-display: optional; CSS property on my @font-face, and it pushed my PageSpeed score over the top. Essentially, it prevents slow-loading font files from shifting the page around, which would otherwise hurt the CLS (Cumulative Layout Shift) metric of Core Web Vitals.

Read more about it here: https://developer.mozilla.org/en-US/docs/Web/CSS/@font-face/font-display
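Putting the last two sections together, here is an added example (not the post’s or the Elementary theme’s code) of serving a font from your own domain from a theme’s functions.php: the @font-face rule with font-display: optional is attached to the theme stylesheet as inline CSS, and the font file is preloaded so that the browser usually has it before first render. The font name, the file path under the theme, and the stylesheet handle are assumptions.

```php
<?php
// functions.php: self-hosted font with font-display: optional (added example).

const AN_FONT_FILE = 'fonts/inter-regular.woff2'; // assumed path inside the theme

function an_enqueue_local_font() {
    // Attach the @font-face rule to the theme's main stylesheet so it costs no
    // extra request. The handle name is an assumption.
    $handle = 'elementary-style';
    wp_enqueue_style( $handle, get_stylesheet_uri(), [], wp_get_theme()->get( 'Version' ) );

    $font_url = get_theme_file_uri( AN_FONT_FILE );
    $css = sprintf(
        "@font-face{font-family:'Inter';font-style:normal;font-weight:400;"
        . "font-display:optional;src:local('Inter'),url(%s) format('woff2');}",
        esc_url( $font_url )
    );
    wp_add_inline_style( $handle, $css );
}
add_action( 'wp_enqueue_scripts', 'an_enqueue_local_font' );

// With font-display: optional the browser gives the font only a very short
// window before rendering with the fallback and sticking to it (no layout
// shift). Preloading makes it likely the font is there within that window.
// Font preloads need the crossorigin attribute even on the same origin.
add_action( 'wp_head', function () {
    printf(
        '<link rel="preload" href="%s" as="font" type="font/woff2" crossorigin>' . "\n",
        esc_url( get_theme_file_uri( AN_FONT_FILE ) )
    );
}, 1 );
```

Because the font now comes from the same origin, the DNS lookup and connection to Google Fonts disappear, which is the saving the section above describes; the trade-off is that you only ship the one format you downloaded, which is fine for modern browsers.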

Use an in-memory page cache like Memcached

Building pages to serve the users is expensive as it involves the database, but isn’t something that needs to be done for every visitor visiting the same page. A plugin like W3 Total Cache coupled with a Memcached instance (could be running on the same server as the website) could enable caching of pages among other resources in memory, reducing the load on the server and improving performance for cache-hit pages.

[Image: memcached]

Fix conflicting cache strategies

I’m using W3 Total Cache plugin that helps minify and cache CSS and JS files. But I wasn’t seeing any minification happening. Upon some reading, it turns out that CloudFlare’s minification conflicts with W3 Total Cache’s. Disabling it on CloudFlare’s side fixed the non-minification problem for me.

Use a CDN for asset delivery

Once the thing to deliver is optimized, it is a good idea to optimize the delivery pipeline as well. Since my server is in the same country as me, it is easy to make the mistake of thinking every visitor of the website sees a 50 millisecond time to connect to the server. The further the user is from the origin server, the longer it could take.

Hence, a global CDN like CloudFlare should be used, which can serve static content from its edge node physically closest to the visitor.

TODO: Inline all CSS and Javascript

It doesn’t go beyond 100, but I’d still like to improve it further. For one, the little bit of CSS and JS that does exist doesn’t need two additional HTTP requests. Inlining that bit will mean that blog posts without an image, which for me are most of them, will get served in only three HTTP requests: the document, the font file and the favicon. Pretty cool, huh?

Conclusion

I’m pretty pumped about the 100/100 score. WordPress has a reputation for being slow and bloated, but with some simple optimizations, it starts performing the way you’d expect some text on a page to perform.

Thank you for reading!

A Primer To Slow Thinking

I see that I’ve picked up this habit of keeping half finished articles in the backlog. Need to fix that. Anyway, let’s hope this article gets to see the light of day on the internet.

I wanted to write some of my current thoughts on the idea of slow thinking. I’d warn you before we start that none of what you’ll read in this article is a novel thought of my own. Rather, it is an aggregate of the various different books I read in the past three months, many of which pointed me towards this idea. It is just my interpretation of the idea, but I’d like to document it nevertheless.

What is slow thinking?

The way I understood it, slow thinking is the non-reactive way of thinking and responding to a situation. When presented with a situation that sets off strong emotions — especially negative ones like anger, fear or jealousy — the idea is to take a step back and recognize the emotion itself, thereby detaching ourselves from that emotion. It is also handy when dealing with situations that trigger an impulsive reaction, not necessarily a negative one.

From experience, I can vouch for the fact that reacting when in an emotional turmoil isn’t usually the best idea. I’d struggle to find an example of a situation in my life when bursting with anger, screaming at someone, getting violent or very negative brought me any net positive.

Similarly, impulsively doing something can sometimes be beneficial, but often, and especially in the modern world we live in, impulses are unwarranted and just a remnant of the tribal, fight-for-survival past of humans. Being able to recognize when an impulse is justified and when not can come in handy in many life situations, and the ability to do so can be treated like a skill to hone.

Of course, none of this is to suggest we shouldn’t feel emotions. It is perfectly reasonable to feel sad about some of the world events we’re constantly made aware of, just as it is nice to feel excited about the thought of having a cake or petting a cat. I think the idea here is to recognize the complexities and different parts of the mind that are responsible for different emotions and reactions instead of abstracting it all under the one “you”. The idea is to go from “I’m angry” to “I’m feeling anger” and so on.

The following idea is from Robert Wright’s Why Buddhism Is True. Essentially, one can imagine there to be different modules that keep getting activated and deactivated as we go about our lives, and we live through those modules as long as they are active, like experiencing feelings towards the protagonist in a movie or feeling happiness upon hearing good news. The modules may be triggered by external stimuli, and as such, we’re not really in control of the orchestration.

Since we’re not orchestrating how exactly we feel or react to a situation, it implies there’s no “you” but a lot of different parts that become “you” depending on the situation and the trigger. Lost a game, the “dejected” module activates. Had a nice time at the park with your partner, the “happiness” or “gratitude” module activates.

Yep, we’re talking in very abstract terms, but that’s okay. There’s no way to comprehend the immense complexities of the inner workings of the mind without spending a lifetime studying the subject like the people whose thoughts I’m borrowing and interpreting did. And like they say, all models are wrong. So as long as this way of thinking helps us better understand why we do what we do, it can be useful.

So how does one slow think?

I don’t think there’s one way to do it. The book I referred to earlier, Why Buddhism Is True by Robert Wright, suggests meditation techniques that can be put to use to recognize our emotions and detach ourselves from them. Thinking, Fast and Slow by Daniel Kahneman educates us about the biases that we might not recognize in our behaviors, and that knowledge makes us more aware of our cognitive fallacies. Relationships by The School of Life speaks about many of the inherent complexities in humans and human emotions and why people behave in certain ways from time to time (of course, with a focus on romantic relationships).

I think it doesn’t matter which way we choose to learn to slow think; it could be through mindfulness meditation, or educating ourselves on the topic of cognitive biases, or understanding the person we’re dealing with and recognizing them as humans and their emotions. The end goal is the same: to be less reactive, judgemental and impulsive, and more curious.

In conclusion

I hope this was a useful primer on the topic of slow thinking. I’m looking forward to putting it to use in my life and seeing how it works for me. That’s it for now. I’ll go back to getting entertained looking at all sorts of interesting people and the life happening at Catania airport.

Thank you for reading!

Learning Photography

We’ve just entered a brand new calendar year, so I’ll start with that. Happy new year everyone!

New year warrants some new learnings, I know. But I’ll start with something that I got into a couple of months ago and that has changed the way I see the world. It is digital photography.

Like probably many people at some point or other in their lives, I started getting unusually fascinated by pictures. Not just pictures for the sake of pretty pictures, but pictures as a medium to tell stories and pictures as a canvas for creativity. At this point, I know for a fact that no matter how trivial an activity looks, there’s usually a lot more than what meets the eye, and surely this was the case with photography. After all, it isn’t one of the most popular professions and side hobbies for no reason.

I started reading a book (Understanding Exposure by Brian Peterson) that was a gift from a friend, and it got me very involved in photography. I understood the basics, and then a bit more. I put into practice what I’d learned by taking pictures of the places I traveled to and people I met. I used photo editing tools to give extra character to my pictures. I shared them on social media as a reminder to my future self, and now I’m writing this article about how I’m feeling as a reminder to myself, but also as a general guide to anyone stumbling upon this from search engines.

I’ll list some interesting avenues where I spent the most time, and probably you will too in case you decide to take up this beautiful hobby!

Equipment

If you’re like me, this is where you’ll spend the most time in the beginning — finding the right equipment. Any seasoned professional will tell you that it doesn’t matter nearly as much as the many other things you’ll learn down this path. All I can add to that is that the most important aspect of having the right equipment is that you should be excited to use it and carry it with you. It doesn’t have to be the most expensive or the shiniest, but it should bring a smile to your face when you pick it up to leave your house (wanting to pick it up when you leave the house for a walk is implied here).

If you do basic research before buying stuff online, it is hard to go wrong with your first equipment. You’ll find yourself asking questions like what size sensor the camera should have, or what lenses to go for, but if you have limited money like most people, you’ll quickly realize the best options for a given budget aren’t all that many and from among those, you’ll probably be fine with either as a beginner.

For me, apart from the happiness factor of the equipment, the other very important factor is knowing the limits of your equipment. If it is a beginner’s camera, or a used old pro piece of equipment (or any, for that matter, but especially these), it will have some quirks that you need to be aware of. Lack of high dynamic range, poor low light performance, a camera body that isn’t weather proof, lens performance quirks, lack of 4K video or image stabilization, to name a few. When you know the limits, you won’t be disappointed when your equipment doesn’t perform as per your expectations. Given how good phone cameras are these days, this is especially important, as your phone will most likely take better pictures (bright colors with good contrast and HDR) than your camera right out of the box.

The last piece of equipment advice is to make it easy to take your camera with you. After the initial excitement runs out, you don’t want to just find an excuse to not have your camera with you. I read somewhere that the best camera and lens is the one you have with you.

Exposure triangle

Even centuries after the first photograph was taken, some of the basics of this trade haven’t changed. At its most basic, a photograph is just some light projected on a light-sensitive film. This opening of the light-sensitive film to light is called an exposure. A good exposure has three important components, forming the exposure triangle. The exposure triangle is formed by a simple set of parameters:

  1. How long do we expose the film?
  2. How sensitive is the film?
  3. What’s the size of the opening through which light falls on the light-sensitive film?

They are referred to as shutter speed, ISO and aperture respectively. All three do the same thing — control exposure or amount of light information captured by the film or sensor (in case of digital photography) — but each has its own tradeoffs. A clear understanding of the tradeoffs and when to prioritize what will help you take more controlled pictures.

[Image: Exposure triangle]
WClarke and Samsara, CC BY-SA 4.0 <https://creativecommons.org/licenses/by-sa/4.0>, via Wikimedia Commons

Shutter speed refers to the amount of time the “shutter” of the camera stays open. The longer it is open, the more light the sensor (or film, but I’ll use sensor as I’m guessing the vast majority of people think of digital photography when they hear the word photography) gathers. But if the shutter speed is too slow (as in, it stays open for longer), your picture can turn out blurred if the camera isn’t kept steady for the duration of the exposure. On the other hand, too fast a shutter speed can result in darker images, as there just wasn’t enough light to properly illuminate the sensor.

ISO is the sensitivity or gain of the sensor. Just like with a microphone, increasing the sensitivity or gain increases the amount of sound captured, but also the noise. Digital cameras usually have an ISO range, like 100 to 6400, that you can choose from depending on the situation.

Aperture is the size of the opening of the lens that focuses the image on the sensor. Naturally, a larger opening results in more light captured. Interestingly, though, larger openings create a narrower plane of focus (creating a beautiful bokeh effect) which, while beautiful for some kinds of pictures, isn’t always ideal, and you have to “stop down”, i.e. increase the aperture number and reduce the size of the opening, to get the desired depth of field.

Lenses – Reading the specifications

If you are able to afford an interchangeable lens camera (which is quite an appropriate name for a camera that you can attach different lenses to) you’ll be presented with a wide array of lenses you can buy that have very cryptic specifications. While it gets more complicated the more you know, a lens will generally have a few key specifications:

[Image: Canon 18-55mm kit lens]

Focal length

Specifies how wide or zoomed the perspective of the lens is.

Wide angle lenses are useful to capture a wide field of view, like landscapes, while zoom lenses are useful to get closer to the subject without getting physically close. As you can guess, zoom lenses rule in the world of animal and sports photography.

It usually is measured in millimeters, and is either one number (For example, 50mm for prime or single focal length lenses) or a range (For example, 18-55mm for zoom lenses).

(Peak) Aperture

It is the measure of how large the camera’s lens can open and as a side effect, how blurry the foreground and background of your picture can get. It is measured in f-stop numbers and just like with focal length, it is either one number (For example, f1.8 for prime lenses) or a range (For example, f3.5-5.6 for zoom lenses).

[Image: Apertures]
By KoeppiK – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=78136658

Something to note is that a lens can always “stop down”, or shrink the size of its opening. The number on the lens is the maximum it can open for the focal length.

Just like with focal length, you don’t necessarily need to know what that number technically means to be able to select and operate the lens correctly. But it doesn’t hurt to know.

Image stabilization

Image stabilization is the ability of the lens (or camera) to reduce the impact of shaking on the final picture. Zoom lenses typically have image stabilization, while prime lenses typically don’t. The larger the focal length (or zoomed perspective), the more important having a stabilized lens becomes because the more “zoomed” your perspective is, the more prominent slight vibrations of your hand become.

Composition, and how it changes the way you see the world

While I can spend hours talking about topics like DSLRs vs mirrorless cameras, Sony vs Canon and the like, I think we can all agree those are better suited for Reddit and other internet forums. Here, I’d like to be a bit more personal and talk about something a bit more abstract and not technical. The experience of photography.

I’ve used smartphones with really good cameras. On multiple occasions I’ve owned a mobile phone with a camera that was considered “flagship” at the time I bought it. Even then, I wasn’t exposed to the way of photography until I actually got my hands on my first DSLR, my first “manual” camera.

I think I understand part of the reason. With phone cameras, you’re an operator of a black box. Sure, most phones take decent pictures most of the time (especially these days). They’re consistent, compact, internet enabled and always in our pockets. They’re also quick to share pictures on chat and social apps, which is arguably the end goal for many people taking pictures.

And don’t get me wrong. My phone takes wonderful pictures. Right out of the box, my iPhone 13 takes pictures that, with their poppy colors and HDR, are arguably better to look at than the ones from my massive Canon 7D. But there’s no spark, no connection. When I take a good photo with my iPhone, I think the phone did a good job. When I take a bad one, I think the phone did a bad job.

That’s what makes manual photography so interesting. I own the composition and exposure. I envision the result before I take a picture and see if it worked out, and not simply like or dislike it after.

And if I fail, I know why. Or at least I know it was something that I did and I can improve upon it. This realization to see failure, a bad photo in this case, as just another opportunity to learn something new is what’s different between taking a picture with my phone and my 12 year old Canon DSLR.

The photos themselves have character and a story to tell for they are just an extension of your imagination at this point.

In closing

Ever since I started carrying my camera around, I started seeing beautiful compositions in even the most mundane of things.

[Image: butterfly]

I started noticing everything consciously for that’s where my next best picture could lie. Everyday streets had graffiti that I had never bothered to look at, or birds and animals and the detail in their creation. Even people and their faces seemed interesting — people that I’d known for years, even my parents. It filled me with gratitude for the beautiful world that we live in, and this experience of being alive.

I learned what “pause and ponder” meant and I started doing that even when I didn’t have my camera with me. Interesting what a hobby can do to you.

Thank you for reading!


Intentional Learning

I was going through my phone’s gallery when I spotted a photo of Yzma from The Emperor’s New Groove. It took me by surprise, because I discovered the movie just this year and was absolutely in love with it, especially the Yzma character. But the image in my phone’s gallery was from 2018, in the form of a meme. Weird internet stuff. Anyway, I digress. So what are we talking about today?

Ah yes, intentional learning.

Growing up, we all have natural interests. Be it art, science, music or dance, or computers (sigh..). We are motivated to learn new things around our interests. And from time to time, we discover new interests. School is interesting in that regard. You’re thrown in between a bunch of other kids with completely different and random interests, and there’s osmosis of interests happening when we see that other kid in the class drawing something or reading a book about the solar system or they see us playing a new game or so.

But that diversity of interests decreases once we enter university. The people we’re with have chosen a similar course and chances are that they had a similar set of interests. There’s still a fair bit of interesting diversity, and it is still possible to meet people from courses other than ours and see what life outside is like.

But for me the biggest difference was getting out of university and starting full time work. Many small to medium sized workplaces hire people of specific types depending on their culture and/or domain, understandably so. Many are open to diversity of thoughts and ideas, but of course not too open so as to not destroy the culture that they’re trying to cultivate in the first place (which, of course, is important but to what extent is a separate discussion in itself). What happens then is that we end up in bubbles of people with similar interests as us.

Of course, like with many things, this isn’t a black or white, good or bad situation. On the bright side, our spiked growth (say a particular hard skill we’re trying to hone) in a field can really skyrocket when surrounded by the right people and mentors. That of course has a very positive impact on our careers and professional growth.

But what I found lacking was exposure to experiences, interests and hobbies that were far outside of my bubble. And since I wasn’t exposing myself to interests and hobbies outside of the ones that already existed, I was also not meeting people who had these drastically different interests or hobbies (or opinions, for that matter).

For this very reason, I am trying intentional learning. The basic premise is very simple. Find a new skill, hobby or interest and just learn to get good enough, whatever that means, but not perfect. So far this year, I’ve worked on my Chess skills, learned some German, learned a couple of songs on Ukulele, tried my hand at sketching and painting, and am now picking up some photography basics. Of course, the goal is not to become proficient or professional in any capacity, but just to experience the joy of being a complete novice in a new field and seeing how far I can take it.

The side effect is that the curiosity and learning muscles stay in good shape for when one has to learn something new (which proved to be useful when studying for a certification exam recently). The other side effect is becoming more conversationally accessible to a wider part of the population, sharing interests with more and more people. Yet another side effect is that it makes one more empathetic and open minded. Playing chess isn’t any more worthy than making memes or playing guitar or learning programming. Sure, some skills are valued more in the world we live in due to a multitude of reasons, but it takes effort to build any skill, and as such nothing can or should be dismissed as unimportant or unworthy of pursuing.

The real joy, however, is in the process of learning; going from not being able to do something to being able to, building muscle memory, watching amateur and pro videos of people doing it on YouTube and being able to talk to someone or join communities with the same interest.

And instead of looking at people who’ve honed that skill their whole life and getting sad that you’ll never reach there, find joy in the fact that you can instead get good enough at it and then move on to hundreds of new skills and hobbies, getting a taste of the different ways to be alive, to exist. You’ll also retain this phase of your interest in your memories, which will feel nostalgic when long time from today you encounter this skill or hobby in some form or the other or meet someone embarking on their journey into it.

In closing

I hope that was interesting to read and motivates a few of you to pick up some random new hobbies or learn something totally different, unrelated to your work or life, and see how it goes. I am convinced it has some real merits over the demerits. From my perspective, the biggest demerit is that we end up spreading too thin over a bunch of things, while not mastering anything. Personally, I’m okay with that right now. But depending on where you stand, it may or may not be. Having said that, it isn’t black or white and leaves a lot of room in the middle to play around and see what works best.

Thank you for reading. Following is a personal message unrelated to the article.

I took a long break from writing, but it is good to write something again. If you visited this website in the last four months anticipating a new post, apologies for the delay and thank you for being a super-reader of my blog. Until next time!

Guide To A Sane WordPress Workflow

Like most things in life, WordPress isn’t perfect. But for a publishing platform, it is quite up there with the best in the business. For writing, I haven’t had any complaints so far, but when it came to customization or workflows around maintaining a theme, I was a little lost.

To me it somehow felt very liberating and restricting at the same time. Liberating, because of the ecosystem; themes, plugins, hosting platforms, tons of helpful resources and support. Restricting, if and when you want to build a custom theme and don’t speak much PHP, general added complexity compared to a static site generator, having to deal with hosting providers, updates and added maintenance work.

But depending on the requirements, WordPress might actually make a lot of sense as a publishing platform (well, of course. It powers 40% of the web). My blog used to be hosted on Github Pages with Jekyll as the site generator until I made the switch to WordPress a couple of months ago. What I did struggle with was finding a setup that offered a smooth workflow around managing a custom theme with self hosted WordPress instance.

This article is an attempt at fixing that and aggregating some useful tips. I’ll try to cover the following:

  • A self hosted WordPress website that’s affordable yet stable
  • Continuous deployment pipeline for custom themes
  • Backups that are reliable
  • CDN and caching
  • Securing the website

Let’s get started.

Platform setup

I decided to go with AWS Lightsail one click WordPress install. You’ll find more information on the Bitnami WordPress page about the stack. It is lightweight and runs perfectly fine on a 512MB RAM / 1vCPU instance. Once behind a CDN and page cache, the website can handle a fair number of visitors.

Continuous Deployment (CD) pipeline (optional: Continuous Integration)

This step assumes you have a custom WordPress theme or source code of a theme available on a GitHub repository. You only need to follow this step if you think you’ll be making frequent changes to your theme files and would like to have a pipeline for the automatic deploy of the theme (say, for example, when you commit a change to the master branch of your repository). Alternatively, you can always create a zip file of the theme and upload it manually via the WordPress admin panel if you prefer to keep things simple.

Assuming you have a theme hosted on GitHub, you’ll need to make use of Travis CI to build your code (if there’s any CSS or JS that needs to be transpiled), test it (if there are any checks) and then upload the files to the AWS LightSail instance using secure copy (scp). Following are some resources to help you get started.

Backups

For backups, I’m using a couple of strategies but I think either one should suffice for my usecase.

AWS Lightsail snapshots

I’d recommend enabling automatic daily snapshots of your instance in AWS Lightsail. So if things go very south, you will lose 1 day’s worth of data at most. Since my blog’s content is rarely updated, this works near perfectly.

WPVivid WordPress plugin

WPVivid is a nice plugin that offers more precise backups, meaning you can choose to back up just your database, or files, or both. It also has cron functionality and offers backups every 12 hours (more frequent if you’re a paying customer). WPVivid allows you to transfer the backups to Google Drive, AWS S3, Dropbox and many other third party providers.

Server health monitoring and alerts

I’m using New Relic to monitor the health of the WordPress instance. It isn’t necessary as AWS Lightsail already comes with basic dashboards for monitoring CPU performance and burst usage (giving a rough idea about whether the server is sweating under load), but if you’d like to go a bit fancy with the whole monitoring thing and set up alerts for throughput, error rate etc., New Relic is quite good.

New Relic really shines at showing you the external services your instance is talking to, database operations and the CPU usage share per plugin that you have installed on your WordPress website. That information can help you debug any services / plugins that are slowing down your website or doing something strange behind your back.

Metrics in AWS Lightsail

Metrics in New Relic

Both AWS Lightsail alerts and New Relic alerts support multiple channels, so feel free to use SMS, email, Slack or whatever your preferred way of getting alerted is.

CDN and Caching

My go-to CDN for any personal website is Cloudflare and that is what I’m using here. I didn’t have any problems with the admin interface behind the CDN and all seems to work very well. I have a page rule that overwrites cache control headers from WordPress and forces everything under /wp-content/* to be cached.

For page caching, I’m using a plugin called WP Total Cache. It was the most popular performance optimization plugin and was recommended to me. It has a “Page Cache” option which needs to be enabled and set to use disk as cache store.

Security

To secure the Lightsail instance, I’m following some basic good practices and a plugin to help me set up some blocking rules.

  1. Lightsail instance is as close to stock as possible making sure there are no random packages installed from my side on the instance.
  2. Disable port 80, and if you’re using a reverse proxy CDN like Cloudflare, only allow Cloudflare IPs to your origin server.
  3. As with Lightsail, WordPress installation should be close to stock with minimal plugins.
  4. Wordfence WordPress plugin for
    1. 2FA authentication
    2. Banning incorrect login attempts, or login attempts using generic usernames like admin, administrator or root.
    3. reCAPTCHA on the login page (you’ll need API keys from Google)
    4. Disable xmlrpc if you’re not planning on using apps. Enable 2FA on it, or disable login via xmlrpc.
    5. Go through all the options that Wordfence has to offer and use whatever makes sense for your use case. I found them to be quite useful and intuitive.
  5. In general, keep stuff up to date.
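Step 2’s origin lockdown (let only the CDN’s edge ranges reach the instance) in working form, as an added example that is not code from the original post or from any of the projects mentioned: it checks whether a source address lies in an allowed range, scans sample access-log lines for requests that reached the origin without passing through Cloudflare, and emits the matching ufw allow-list. The CIDR ranges and log lines are constructed placeholders, not Cloudflare’s real published list, which you would fetch from Cloudflare yourself.

```python
"""Origin lockdown helper (added example, not from the original post).

Assumptions: EDGE_RANGES is a constructed stand-in for the CDN's published
edge IP list; SAMPLE_LOG lines are constructed in combined-log style.
"""
import ipaddress
import re

# Constructed sample of allowed edge ranges (documentation/test prefixes,
# NOT Cloudflare's real list; replace with the ranges Cloudflare publishes).
EDGE_RANGES = [ipaddress.ip_network(c) for c in (
    "203.0.113.0/24",    # TEST-NET-3, stands in for an IPv4 edge range
    "198.51.100.0/24",   # TEST-NET-2, stands in for a second IPv4 range
    "2001:db8:1::/48",   # documentation prefix, stands in for an IPv6 range
)]

# client ip, ident, user, [timestamp], "request line", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def from_edge(ip_text):
    """True if ip_text is inside one of the allowed edge ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False   # not an address at all; never treat as trusted
    return any(ip in net for net in EDGE_RANGES)

def direct_hits(log_lines):
    """Return (source_ip, request_line) for every request whose source is
    not an edge range. Behind a reverse-proxy CDN the origin should only ever
    see edge addresses, so any hit here means the firewall allow-list is not
    in force and the CDN (and its WAF/cache) was bypassed."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparsable line; skip rather than guess
        if not from_edge(m.group("ip")):
            hits.append((m.group("ip"), m.group("req")))
    return hits

def ufw_rules(port=443):
    """Generate ufw commands for step 2: allow the edge ranges to the TLS
    port, refuse everyone else there, and close plain HTTP entirely.
    ufw matches rules in the order they were added, so the allows go first."""
    rules = [f"ufw allow from {net} to any port {port} proto tcp" for net in EDGE_RANGES]
    rules.append(f"ufw deny {port}/tcp")   # anything not matched above is refused
    rules.append("ufw deny 80/tcp")        # port 80 disabled, as in step 2
    return rules

# Constructed access-log sample: two edge hits, two direct hits, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2021:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '2001:db8:1::a - - [10/Jan/2021:10:00:01 +0000] "GET /wp-content/x.css HTTP/1.1" 200 42',
    '192.0.2.7 - - [10/Jan/2021:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0',
    'garbage line that does not parse',
    '198.18.0.9 - - [10/Jan/2021:10:00:03 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, req in direct_hits(SAMPLE_LOG):
        print(f"direct-to-origin hit from {ip}: {req}")
    print("\n".join(ufw_rules()))
```

Run the scan against your real origin log after applying the rules; the list of direct hits should be empty, and a non-empty list is the signal that a rule or the CDN proxy setting is wrong.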

Conclusion

That’s it for this article. If you have any questions or suggestions, please feel free to write to me. Thank you for reading.

The Best Time Of Your Life Is Right Now

Humans are fragile creatures. The illusion of stability and control we have in our lives is comical. Our mind seems to have mastered the art of separating itself from world events. We almost know it. It is hard not to if you spend any time on social media or any form of conventional news source. Unfortunate things happen, lives end or get ruined for reasons so trivial that you’d not want to believe it.

Yet, when it comes to our own lives, we’re fairly certain about our timelines. There’s career, that promotion, getting a house, getting married and so on. There’s always the end of life to be content with what we have; be grateful. Now’s the time to be at unrest, to complain and wish for more, to hustle. And it’s not like it is our fault. Society is truly designed to make you feel exactly this way, discontent at every single stage of your life. Get good grades or you’d not get into a good university, study hard or you’d not have a good job, work harder or you’d not get that promotion, don’t plateau in your career or you’d not be able to afford a house, keep working to be able to enjoy a happy retirement and so on.

And what if you’re still not able to enjoy your life finally at 65? Oh those are just the guidelines, too bad it didn’t work out for you. Guess what, it is called 1% for a reason. Try again in the next one. And of course, thank you for your participation in the rat race.

So, what’s my point?

The point that I’m trying to make is that if something is important enough to you, do it without waiting for some special phase of life to come by. No one knows what tomorrow will look like. If this entire pandemic has taught us anything, it is that we have no control over the future, not tomorrow and much less months or years in the future. The present is the only thing we have for certain, so why not make the best of it, by treating it like it is the peak of our health, wealth, social skills and so on.

And how do we do that?

By being grateful for what we have. It is only when we consciously recognize how lucky we are to have all the things that we do that we start valuing them. Being able to move around on your own, see, hear, talk, travel, read, write, meet friends, drink coffee, enjoy a sunset or snow; little things that many people might not have the good fortune to experience.

The world is like a nasty slot machine. Luck plays a huge role in almost everything we do, and it starts right at the moment you’re born. We are the product of our circumstances. There’s not much we can do about that, except that we recognize our privileges and act accordingly. Have a chance to do something good for someone? Do it. Realize your actions might’ve caused hurt? Apologize. Have people that pull you back? Filter.

Time really is the only real currency that we have. While it does seem like a tragedy to not know how much more of it we have left, I think it is a blessing in disguise. Think of the last time you had a deadline for an assignment. Did you wait for the very last moment to do it? If you’re like most people then probably yes. That’s probably what would happen if we knew exactly how long we have to live. We would procrastinate everything until the last moment, wasting away most of it. Fortunately for us, we don’t, and each day can be lived as if it is the deadline for that life’s assignment, doing the things that matter the most to us.

So to summarize, there probably will never be a better time to do certain things, and that’s if you’re lucky to live a full life without many problems. If you’re in your teenage years, you probably have the time to learn something thoroughly, spend time with friends and family, have fun, see clearly if you’re into that. If you’re in your twenties, you have the best balance between intelligence, energy, time and maybe some money too. Later in life you get better with relationships, your emotional intelligence grows and the life experiences you accumulate make you wiser while you’re getting rusty physically. Basically, we live through different interpretations of ‘peak’ throughout our lives, and there’s no one big peak that’s going to solve all your problems and make you happy.

So make the most of your now; make memes, draw comics, write code, learn music, dance, sing, make someone’s day, be vulnerable, be nice, prioritize yourself, talk to random strangers and share stories, gift without a reason, sleep, cry, hug, do whatever you have to. But make your now count.

Thank you for reading!

Life Goes Full Circle – Blog Back To WordPress

Happy new year all!

We’re finally out of 2020, yaay! It has been, for lack of a better word, an interesting year. Not intending on becoming Abhi News Network, I’ll spare you from having to read about the events of the past year for the thousandth time. Like many people, I realized my full nerd potential and learned how to live indoors for weeks at a time. I also unlocked a new hobby, Chess. Some other things like traveling and in-person events definitely took a backseat but can’t do much about that.

This short post is about moving this blog back to WordPress. I say back, but the fact is that this website was never on WordPress. I started this blog on ghost.org back in early 2014, but had to quickly move it away from there in spite of absolutely loving Ghost (mostly because of the $5/month fees). Next up was Blogger before finally settling on GitHub Pages which, by the way, if you’re just starting out with blogging and can find your way around git on a terminal, you should give a try. Now, feeling the need for a much more elaborate CMS, I’ve migrated to WordPress running on AWS Lightsail. It does cost money, but this time I can afford it.

Before this blog existed, I used to write on WordPress on an older blog. That feels like an eternity ago, which it was in internet time. I used to write about latest smartphones and compare them against each other (nothing that actually needed to be done by hand, now that I think about it; 8mp vs 5mp camera, 1gb vs 2gb ram and so on). I would walk into Samsung stores and try to make ‘hands-on’ videos of their latest phones. I can’t imagine doing that today, mostly because of how much the smartphone industry has expanded since 2012-13. Also because it doesn’t interest me anymore.

With WordPress, I hope to be able to write on the go using nothing more than just a browser. “On the go” might take some more time to become a normal everyday phrase again, but when that happens, I’ll be ready with my Thinkpad and a backpack. To not need a text editor to write Markdown/HTML, terminal to commit and push, and to see previews without a developer server would be very liberating. I’m excited about this future.

I’ll end this article with a nice picture I took today. Hope you enjoy looking at it as much as I did looking at Stitch in my house today.

Thank you for reading!

On Reaching 1500 Elo On Lichess.org!

Back in May, I wrote an article on the basics of Chess. Today, I’m super excited to announce and celebrate the milestone of breaking into the 1500s on Lichess.org rapid (barely, but surely).

When I started playing chess back in late December last year, I had little idea where I stood on the chess skills ladder. I knew how the pieces moved and how a game is won, lost or drawn. I also knew castling rules and that queen is kinda important.

But alas, there was a lot more to this beautiful game than just knowing how each piece moved. So after losing a few games in a bar in Amsterdam, I created a Lichess.org account to practice with the computer and online strangers.

I quickly realized I played very badly. It came as a surprise (although in hindsight, I see why it shouldn’t have been one). To me, chess was like cycling. I learned how to play chess exactly like I learned how to ride a bike. You just learn it once (often at a young age) and that’s it, that’s all there is to it, you think.

But as with anything else, chess (or cycling) can be thought of as a skill that can be honed with training. What I think was happening was–I was in a competitive chess environment, playing with the bare minimum understanding of the game against people who treated it like a skill. I was losing most games I played, unsurprisingly. In fact, I had a losing streak of 41 games from January till March and also reached my lowest Elo rating of 863 in the same month.

That’s the 2-percentile among lichess.org users–a little embarrassing

Then came the pandemic and the whole world changed around us. Remote working, lockdown, stay at home etc meant there was a lot of time to invest in a new hobby. It could’ve been German language studies, or something useful, but no. My mind chose the game of chess to become obsessed with.

Over the course of the following months, I played hundreds of games in the evenings, watched videos on chess theory over lunch and thought about chess while in the shower. Interestingly, I wasn’t alone. There’s a huge surge of people (re)discovering this game and getting into the community just like I did.

Finally, like the title says, I reached 1500 today. That’s more than 600 rating points gain since March this year. I believe it is purely a function of the time I’ve put into it and nothing else. While it remains debatable whether that’s a wise thing to do, I do recommend giving chess a shot if you’ve not played it in years, especially if you’re in some kind of lockdown or prefer staying indoors and are looking for a new hobby. It is even more fun if you can compete over Elo rating with a friend!

If there’s any general takeaway from this whole exercise, it is that with enough practice and motivation, seemingly impossible things become possible. The world is full of arbitrary things. Chess and other such games, surely, but also many more allegedly important things like career prospects or learning a new language. Just things made by us for ourselves. So it follows that mastering German or getting the dream job could be similarly approached–immersion, finding that bit of motivation, finding people to have friendly competition with and seeing the results and improvements immediately (and some of that sweet sweet luck, of course).

I leave you at that until next time. Thank you for reading!

Become A 10x <anything> [fail]

Beware the barrenness of a busy life.

– Socrates (from my quotes file)

Today, we’re going to learn how to be a 10x anything. We’re going to do that by putting slack on mute. But not the simple way. That works, but don’t expect 10x results. Also, this guide assumes that the most distraction during worktime comes from Slack. If that’s not the case for you, you might end up with ~4.5x results (scientific).

What we’ll essentially be doing is:

  • Set up Pi-hole on our home network. Pi-hole is a DNS based ad blocker which sinks requests if they’re for an ad network.
  • Use a Pomodoro app on KDE to trigger scripts when the focus session starts and ends. If you haven’t heard about the Pomodoro technique, read up more here: https://en.wikipedia.org/wiki/Pomodoro_Technique.
  • The scripts themselves will block any website / app that you don’t want distracting you when the focus time is on.

Pi-hole

Pi-hole is amazing! No, seriously. It blocks all ads and tracking, has a very good interface which supports custom rules for each device, groups and more. All of this is free, open source and pure. Did you star the repository already?

Pi-hole can not only block DNS queries for ads/tracking networks, but also anything you ask it to. We’ll use it to block Slack on our network.

Raspberry Pi

We need something to run the Pi-hole, so grab a Pi zero or a normal Raspberry Pi. A virtual machine / docker would work but then you need that thing running 24/7.

Pomodoro app that supports scripts

I’m sure your operating system of choice has a Pomodoro app made for it. The trick here is to find one that supports executing scripts on certain events like focus time start and end.

As you can see, Fokus on the KDE store supports this functionality and is perfect for me since I’m already on KDE.

Router with custom DNS setting

We need to change the DNS settings in our router and point it to our Raspberry Pi’s IP address. As a backup, we still keep 1.1.1.1. Most routers support this setting. If for some reason you’re not able to do it at the router level, you can still set custom DNS on each of your devices, which is a bit more work.

Ability to not overthink

Given how futile this whole exercise is, if you start questioning yourself why am I even doing any of this when you could just mute Slack?, this exercise (or this blog) is not for you.

Tutorial (kinda)

The initial setup is very standard. Install Pi-hole on your Raspberry Pi by following their official guide. Get the Pomodoro app up and running.

Once that’s done, we create a directory on our computer and create two files in it, focus-start.sh and focus-end.sh, and mark them executable.

$ mkdir hackerman && cd hackerman
$ touch focus-start.sh focus-end.sh
$ chmod +x focus-start.sh focus-end.sh

As the file names suggest, the focus-start.sh will execute when our focus time starts and focus-end.sh executes when our focus time ends. It should look like this in Fokus, our pomodoro app.

So now that this is configured, we need to enable passwordless ssh access to our Raspberry Pi. I followed this guide here. What that enables is just typing ssh pi@raspberrypi.local will log us into the Pi without a password.

Next, we open our files and add the commands to enable and disable Slack’s domain using a wildcard blacklist/whitelist entry.

# focus-start.sh
ssh pi@raspberrypi.local "pihole --wild 'slack.com'"

# focus-end.sh
ssh pi@raspberrypi.local "pihole --wild 'slack.com' -d"

The focus-end.sh command is only different in that it has the -d flag, which removes the wildcard domain from the blacklist. We can even try running that command on the terminal and verifying that it creates an entry in Pi-hole. Remember to substitute raspberrypi.local with your Raspberry Pi’s hostname / IP address.

That’s it. The other command works as expected too, removing the slack.com’s wildcard entry at our discretion.

So, how does it (not) work?

Theoretically, we’re sinking any DNS query for slack.com and any of its subdomains, meaning the APIs won’t work once the blacklist entry has been created. But there are a couple of problems with our approach.

One, Slack’s messages are transferred over a WebSocket, and once that’s established (when you open the website / app), it doesn’t need DNS to resolve anything for sending and receiving messages.

Two, even if it did, DNS queries are cached (by a variety of entities like browsers, operating systems etc.), so it isn’t like this is foolproof and starts working the second it is turned on.

Third, many apps use their own DNS and have little regard for your home DNS. For example, I tried to block Whatsapp this way (using this list) and it just doesn’t work, at least on Android.

A complete fail then?

Not exactly. You can still block websites that you open in browsers, like reddit.com and youtube.com if you spend too much time on those like me. In any case, it is a fun way to learn about how web apps, DNS and ad blocking work and involves a lot of trial and error to get things to work. Oh and yes, we do have a network wide ad blocker which is what Pi-hole does best, so there’s also that.

That’s it for this one. Thank you for reading.