Juzzyfeedback welcome for you nginx users:00:29
minasotaJuzzy: you host your site using wordpress?01:09
Juzzyya this one is wordpress01:26
minasotaDo you have ssl enabled when logging into the dashboard?01:26
minasotaI just realized on mine that the username and password get sent clear text01:27
JuzzyI own the servers and the router this is behind01:27
Juzzyso yea you can deface it if you really wanted to, I'd have to restore from a backup01:27
minasotaI host from a DO droplet that has a constant vpn connection01:27
minasotabut I'm not sure if when I loggin to dashboard if that is visable. I saw it in wireshark01:28
minasotaadding   define('FORCE_SSL_ADMIN', true);  to wp-config.php doesn't seem to work unless I have a certificate01:30
Juzzyusing apache or nginx?01:31
Juzzyyou blocking php from executing in wp-content/uploads?01:31
Unit193Neither. :301:31
minasotano, it's secure, needed it enabled to install themes without sftp etc01:32
minasotaIf I'm connecting to my server thru a vpn, then technically the username and password are not getting broadcast though, right?01:33
minasotaSince the site is hosted on the same server01:33
Juzzythe vpn teminates on that server?01:33
Unit193minasota: So why not get a cert?01:34
minasotaUnit193: do want to pay01:34
Unit193minasota: I don't for mine either, Let's Encrypt or StartSSL! :D01:34
Unit193I'd recommend looking into them, these days.01:35
Juzzyvery few of the gazillion wordpress hacks are from stolen passwords01:36
Unit193Hah, yeeeeah. :P01:36
minasotawww-data breaches I assume...01:36
minasotaLesson learned from Linux Mint01:37
Juzzythere's a lot of local hax on bad plugins01:37
Juzzyand bad permissions that let key files get overwritten01:37
minasotaUnit193: would a StartSSL Class 1 cert be fine?01:38
Unit193'Tis what I use.01:38
Juzzyyou can also restrict urls based on from ip addresses too01:39
Juzzyjust use a self signed one01:39
Juzzyunless you're receiving creditcards or something01:39
Juzzyand need to build trust with customers01:40
minasotana, I just want the login to be secure01:40
Juzzyselfsign are just as secure as purchased ones01:40
Juzzyend users just can't validate it's not some hacked chinese server01:41
minasotaEven though I'm connecting thru a vpn, I still don't like the password being in plain text01:41
Juzzyif someone can steal that passwd they have hacked your local server01:41
Juzzyand you have much bigger issues01:41
minasotaJuzzy: I doubt I'll have that problem, no one seems to visit my site anyway lol01:42
Juzzythey can just inject their own l/p01:42
Juzzywho do you host with01:42
minasotaDigital Ocean droplet that I installed wordpress on.01:43
Juzzyah ok01:50
Juzzyi'd offer to scan it01:50
JuzzyDO probably has protections for you01:50
bwmakerMorning, folks.14:16
bwmakerHey, Juzzy.19:11
Juzzybeen trying to build a sysadmin style blog, i doubt I'll get anyone following me though19:12
bwmakerFor me, blogging is about thinking through things more than trying to be interesting. I don't care so much if people follow, but if I put something out there that helps someone, it's been useful for both of us.19:35
bwmakerSo keep at it. :)19:35
Juzzytrue but I want to get enough people interested so maybe I can write an ebook on topics19:42
Juzzylike how we moved out 750 servers to aws using automation19:42
Juzzythat's a $30k-50k consultant in most places19:43
bwmakerAWS will own us all one day.19:55

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!