Monday 7 October 2019

De-duplication and Opcache

As I now have a lot of Wordpress sites to look after (argh!) I wanted to see if I could set them up to be a bit more efficient in memory. However, due to the way Wordpress resolves the location of files, it would have required the wp-settings.php file to be almost completely replaced to set the paths in PHP. I wondered if I could use symlinks on the filesystem to achieve the same goal without hacking the code. The answer appears to be yes - here's the output from my test case:

Opcache and symlinks

This script includes the same file via different paths which use symlinks. The objective is determine whether this creates 1 or 2 entries in opcache - and hence whether I can run multiple Wordpress sites from the same files without rewriting the code

Include from linked1 : This is /var/www/html/myvhost/include/testsymlink.php
include from linked2 : This is /var/www/html/myvhost/include/testsymlink.php

/var/www/html/myvhost/include/testsymlink.php
Array
(
    [full_path] => /var/www/html/myvhost/include/testsymlink.php
    [hits] => 9
    [memory_consumption] => 736
    [last_used] => Mon Oct  7 10:31:53 2019
    [last_used_timestamp] => 1570444313
    [timestamp] => 1570443328
)
2 files included resolve to a single entry in opcache - yay!
Note that some caution is required when applying upgrades to the wordpress install!

Source code for this script

<?php
print "<h1>Opcache and symlinks</h1>";
print "<p>This script includes the same file via different paths which use symlinks. The objective is determine whether this creates 1 or 2 entries in opcache - and hence whether I can run multiple Wordpress sites from the same files without rewriting the code</p><p>\n";

// Include the same physical file through two different symlinked directories
print "Include from linked1 : ";
include "linked1/testsymlink.php";
print "include from linked2 : ";
include "linked2/testsymlink.php";

print "<pre>";
// Passing true returns per-script details under the 'scripts' key
$data = opcache_get_status(true);
foreach ($data['scripts'] as $script => $sd) {
    // Show every cached entry for the test file; one entry means the paths were de-duplicated
    if ("testsymlink.php" == basename($script)) {
        print $script . "\n";
        print_r($sd);
    }
}
print "</pre>";

print "2 files included resolve to a single entry in opcache - yay!<br />\n";
print "Note that some caution is required when applying upgrades to the wordpress install!<br />\n";
print "<h2>Source code for this script</h2>";
highlight_file(__FILE__);


Monday 6 May 2019

Security Fails

Worse than merely being Security Theatre, a lot of bolt-on "security" products actually undermine your data confidentiality, integrity and availability.

Recently, while perusing my webstats, I noticed http://cp.mcafee.com/... appearing in the referers. The path part of the URL contained rather a lot of data. On opening the URL in a browser, I found it contained a lot of detail about an email, presumably sent to the user of the browser. This report contained a clickable link to my site (hence it appeared in my referers). This information also included the full email address of the email sender.

The technology in question is named "Click Protect" - but it exposes the details of a third party without their consent.

ClickProtect
The site below is rated as Unverified and is categorised by McAfee as XXXXXX/XXXXXXX.

The email was sent to you by XXXX.XXXXX@hotmail.co.uk.

Click the URL only if you understand the risk and wish to continue.

https://www.XXXXXXXX.com/...


Email:  info.security@sainsburys.co.uk


(Original content redacted with XXXXX)

A quick look around the internet and these URLs appear in a lot of different places - there are a lot of sites which publish their stats in a form searchable by Google.

I attempted to contact both McAfee and Sainsburys.co.uk (the webmail provider) to advise them they were leaking information like this but have received no response from either.
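
For site owners who publish their web stats, one way to avoid republishing this kind of data is to reduce every referer to its scheme and host before the log reaches the stats tool. The following is an added example, not code from the original post; it assumes the common "combined" access log format, and the log lines, paths and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
_COMBINED = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+)'
    r' "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def redact_referer(referer: str) -> str:
    """Keep only scheme://host/; drop userinfo, port, path, query and fragment."""
    if referer in ("", "-"):
        return referer
    try:
        parts = urlsplit(referer)
    except ValueError:
        return "-"
    if not parts.scheme or not parts.hostname:
        return "-"  # not an absolute URL: publish nothing rather than guess
    return f"{parts.scheme}://{parts.hostname}/"

def redact_log(lines):
    """Return publishable lines; lines that do not parse are dropped (fail closed)."""
    out = []
    for line in lines:
        m = _COMBINED.match(line.rstrip("\n"))
        if m is None:
            continue
        out.append(f'{m["head"]} "{redact_referer(m["referer"])}" "{m["agent"]}"')
    return out

# Constructed sample input (addresses, paths and values are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/May/2019:10:12:01 +0100] "GET /blog/ HTTP/1.1" 200 5120 '
    '"http://cp.mcafee.com/constructed/path/sender%40example.org" "Mozilla/5.0"',
    '203.0.113.8 - - [06/May/2019:10:13:40 +0100] "GET / HTTP/1.1" 200 812 '
    '"-" "Mozilla/5.0"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for redacted in redact_log(SAMPLE_LOG):
        print(redacted)
```

The referring host still shows up in the stats, so traffic sources remain visible, but nothing from the URL path is republished.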