Disabling XML-RPC in WordPress for Security and Performance

When deploying WordPress in a production environment, every enabled feature should be evaluated for its security and performance implications. By default, WordPress prioritizes backward compatibility, which often results in legacy protocols remaining active on every request.

XML-RPC is a legacy API protocol that allows external applications to interact with a WordPress installation over HTTP. Long before the integration of the modern WordPress REST API, XML-RPC was the standard method for third-party clients to execute remote commands, such as creating posts, managing comments, and uploading media.

The Impact of Disabling XML-RPC: Gains and Losses

XML-RPC is unnecessary for most modern WordPress deployments and represents an avoidable attack surface when unused. However, before disabling it, it is important to understand the trade-offs.

What is lost by disabling XML-RPC:

  • The official WordPress mobile application will not be able to connect to the site.
  • The Jetpack plugin relies heavily on XML-RPC for many of its core functionalities.
  • Legacy remote publishing tools, such as offline blog editors, will cease to function.
  • Pingbacks from other WordPress sites will be disabled.

What is gained by disabling XML-RPC:

  • Attackers can abuse WordPress XML-RPC for authentication attempts. (Note: WordPress XML-RPC was previously more vulnerable. The core team addressed brute-force amplification concerns in ticket #34336. Before that, the system.multicall method allowed multiple XML-RPC calls within a single HTTP request, which could increase the efficiency of brute-force attempts and reduce the effectiveness of per-request rate limiting.)
  • Malicious actors can exploit the pingback feature to use the server as part of a distributed denial-of-service attack against other targets. (A pingback is a WordPress mechanism that allows one website to automatically notify another website when it links to it. In the context of abuse, attackers can forge large numbers of pingback requests that appear to originate from legitimate WordPress sites, forcing the target server to process many HTTP requests. This can be amplified if multiple compromised or spoofed sites are used, turning the pingback mechanism into a vector for distributed DDoS.)
  • Automated bots frequently scan and hit the xmlrpc.php endpoint. Blocking these requests early saves PHP worker processes and keeps server logs clean.
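To make the "bots frequently hit xmlrpc.php" point measurable, here is an added example (not code from the original article) that parses web server access log lines in the combined format used by both Apache and Nginx, counts requests to xmlrpc.php per client address, and separates the hits that were served by PHP (2xx) from those already blocked (403/404). The log lines are constructed for the example, with addresses from the documentation ranges; the `threshold` parameter is an assumption for what counts as a noisy client.

```python
import re
from collections import Counter

# Combined log format ("%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: a scanner posting to xmlrpc.php before and after a
# web-server block was deployed, a GET probe, and ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2025:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2025:10:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "python-requests/2.31"
192.0.2.44 - - [01/Mar/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2025:10:05:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Mar/2025:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    # Drop any query string so /xmlrpc.php?rsd is counted with /xmlrpc.php.
    fields["path"] = fields["path"].split("?", 1)[0]
    return fields


def xmlrpc_report(log_text, threshold=3):
    """Summarise xmlrpc.php traffic: volume per client, how much reached PHP, how much was blocked."""
    by_ip = Counter()
    served_by_php = 0   # 2xx: the request was handed to a PHP worker
    blocked = 0         # 403/404: dropped by the web server, WAF or edge
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["path"] != "/xmlrpc.php":
            continue
        by_ip[entry["ip"]] += 1
        if 200 <= entry["status"] < 300:
            served_by_php += 1
        elif entry["status"] in (403, 404):
            blocked += 1
    noisy = sorted(ip for ip, n in by_ip.items() if n >= threshold)
    return {
        "total": sum(by_ip.values()),
        "by_ip": dict(by_ip),
        "served_by_php": served_by_php,
        "blocked": blocked,
        "noisy_ips": noisy,
    }


if __name__ == "__main__":
    report = xmlrpc_report(SAMPLE_LOG)
    print(f"xmlrpc.php requests: {report['total']} "
          f"(served by PHP: {report['served_by_php']}, blocked: {report['blocked']})")
    for ip in report["noisy_ips"]:
        print(f"noisy client {ip}: {report['by_ip'][ip]} requests")
```

Run it against a real access log with `xmlrpc_report(open("/var/log/nginx/access.log").read())`; after a web server or edge block is in place, `served_by_php` should drop to zero for new entries while `blocked` absorbs the scanner traffic (Nginx with `access_log off` in the location block will stop logging those hits altogether).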

Blocking XML-RPC at the Web Server Layer

While application-level PHP filters, such as WordPress plugins or modifying functions.php, successfully disable XML-RPC logic, they still leave the xmlrpc.php file exposed. Processing malicious requests at this layer wastes valuable PHP memory and server bandwidth. It is more effective to drop these requests directly at the web server layer, such as through Nginx or Apache, preventing them from ever reaching or taxing the PHP environment.

Apache

For Apache-based infrastructure, requests can be dropped entirely by adding the following block to the .htaccess file located in the WordPress root directory (the same directory containing wp-config.php):

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
  # Apache 2.2 syntax; on Apache 2.4 these two directives need mod_access_compat,
  # otherwise use "Require all denied" in their place.
  Order Deny,Allow
  Deny from all
</Files>

Ensure the code snippet above is placed outside the # BEGIN WordPress and # END WordPress sections so that it is not overwritten when WordPress regenerates its rewrite rules.

Nginx

For infrastructure using Nginx instead of Apache, requests can be dropped entirely by adding this block to the virtual host configuration:

# Deny access to xmlrpc.php
location = /xmlrpc.php {
  deny all;
  access_log off;
  log_not_found off;
}

Disabling XML-RPC at the Application Level (PHP)

Add the following filter to the theme’s functions.php file to disable XML-RPC at the application layer:

// Disable XML-RPC
add_filter( 'xmlrpc_enabled', '__return_false' );

This method does not prevent HTTP requests to xmlrpc.php from reaching the server. For environments where XML-RPC is not required, a more robust mitigation is to block access at the web server level.

Upstream Blocking

It is also recommended to block XML-RPC traffic upstream. Dropping requests at the network level ensures malicious traffic never consumes origin bandwidth or compute resources. Many modern deployments already handle this via:

  • Cloudflare / CDN Edge Rules: Dropping requests at the CDN or edge WAF layer prevents them from reaching the origin, reducing bandwidth and compute usage. Many modern deployments implement this using Cloudflare or other CDN edge rules, where requests targeting xmlrpc.php can be blocked or challenged. (If you are a Cloudflare user, go to Security -> Security Rules and add
  • ModSecurity, an open-source web application firewall, can enforce rules and perform deeper HTTP request inspection than .htaccess. Unlike .htaccess, which primarily handles deterministic path, header, and access rules, ModSecurity can analyze XML-RPC bodies and detect known exploit patterns. This allows it to mitigate entire classes of application-layer attacks.

Cloudflare

If you are a Cloudflare user, implementing this block at the Cloudflare edge via Web Application Firewall (WAF) is optimal because it drops the malicious traffic before it consumes resources on your server.

The Cloudflare edge refers to edge locations, the geographically distributed network of servers that sit between end users and the origin server. These edge nodes terminate incoming HTTP(S) requests, apply security rules such as Web Application Firewall policies, rate limiting, and bot mitigation, and either serve cached content or forward allowed requests to the origin server.

Here are the steps to configure the rule:

  • Navigate to your Cloudflare dashboard and select your zone.
  • Quick Search (Ctrl-k) for Security > Security Rules in the sidebar. (or Security > WAF > Custom rules depending on the interface version.)
  • Click Create rule.
  • Set a descriptive rule name, such as “Block XML-RPC”.
  • In the expression builder, configure the condition:
    • Field: URI Path
    • Operator: equals
    • Value: /xmlrpc.php
  • Under the action section, select Block.
  • Click Deploy.

Once active, any HTTP request targeting /xmlrpc.php will be denied at the edge, typically returning an HTTP 403 response before reaching the origin server.

The deployed rule expression should look like this:

(http.request.uri.path eq "/xmlrpc.php")

What is the most robust method to prevent XML-RPC abuse?

Blocking XML-RPC at the Cloudflare edge is the most effective first step because it drops malicious traffic before it can consume your origin server’s bandwidth and resources.

However, adding web server blocks via Nginx or Apache acts as a necessary secondary shield against attackers who might target your origin IP directly, preventing those requests from spawning expensive PHP workers.

Finally, disabling the protocol within the WordPress application itself provides an essential fail-safe to ensure the attack surface remains minimized even if your infrastructure rules are accidentally bypassed or misconfigured during future maintenance.

Conclusion

Prioritizing backward compatibility over security remains a major frustration in the WordPress ecosystem. Leaving a legacy protocol active by default shifts the burden of hardening onto the administrator, forcing everyone to manually secure an endpoint they do not even use.

Applying this configuration is an effective security optimization, provided the environment does not use Jetpack, mobile applications, or legacy remote publishing integrations.

How Breaking Windows 30 Years Ago Turned Me Into a Software Developer and Linux Professional

Every technology professional has an origin story. Mine began in 1995, centered around a Packard Bell corner computer running Windows 95.

This beige chassis dominating the desk instantly transports me back to the very beginning of my career. I do not just see outdated hardware; I feel a profound nostalgia for the quiet, uninterrupted hours I spent discovering the inner workings of operating systems and programming languages.

That computer was my gateway into the digital realm.

First programming language

The idea of computers controlling vehicles and medical devices remotely with artificial intelligence, as depicted in the science-fiction movies I watched on VHS at the time, encouraged me to explore programming.

As a teenager in 1995, I began learning to code using Visual Basic 4. Despite its constraints, Visual Basic 4 was an essential first step because its drag-and-drop interface and event-driven model allowed me to immediately see the results of my logic.

My first major project was a digital pet similar to a Tamagotchi, the global phenomenon of 1996. The basic mechanics functioned well, but it taught me about time-delta calculations when I tied the pet’s hunger decay to the processor speed instead of real-time intervals. During this period, I consumed my first books on programming, deepening my understanding of software development.

A significant challenge that forced me to learn the command-line…

In a misguided attempt to clear a few megabytes of disk space, I noticed a file named io.sys.

Assuming anything with such a short, cryptic name could not be important, I deleted it.

After rebooting the computer, the operating system failed to initialize. The screen displayed the error: “Non-system disk or disk error.” This was a cold-sweat lesson in operating system architecture.

MS-DOS and writing my first video game

The “Non-system disk or disk error” error forced me, for weeks, to boot the computer using an MS-DOS rescue disk. Using DOS forced me to read a book where I learned the command line, and I soon discovered Quick Basic 4.5, which renewed my enthusiasm.

My programming journey took a significant leap forward when I discovered Quick Basic 4.5. I remember typing in a sample piece of code that switched the display mode to SCREEN 13, unlocking a specific graphical resolution in 256 colors. As simple, brightly colored circles and squares materialized on the monitor, a single thought instantly crossed my mind: “It’s great. I can make video games with this.” That exact moment is where my journey into game development started. I began with modest projects, writing small tools like an XOR encryption program to hide text files, before moving on to interactive entertainment. My very first game was a simple space evasion title where the player had to maneuver a little airplane to avoid a barrage of falling asteroids.

As my ambition grew, I realized the standard graphics commands were a bit too slow for the smooth action I wanted to achieve. This led me to discover external assembly libraries like Future Software and DirectQB, which opened the door to making Quick Basic 4.5 games that were far more complicated. With these new capabilities, I designed a full platform game built on a scrolling engine. I managed multiple visual layers drawn one behind the other to create a sense of depth. I had one layer dedicated to the static background and another for the solid level tiles. The active foreground layer contained the main character, alongside monsters, boss encounters, coins and other collectibles.

Following my time with Quick Basic, I transitioned to developing games in C using the DJGPP compiler and the Allegro library. This shift moved me closer to the hardware and introduced me to more sophisticated programming paradigms. This experience with C was important in preparing me for the rigorous demands of enterprise-level software development and Linux infrastructure management.

I switched to GNU/Linux

A key moment in my technological journey occurred in 1999 when I began using GNU/Linux, a transition that served as the natural evolution of my time with MS-DOS. My forced immersion in the DOS command line after the io.sys incident had changed how I interacted with computers, shifting my preference away from graphical interfaces and toward the precision of text-based environments.

I had grown to enjoy the granular control and the intellectual rigor of overcoming technical challenges. GNU/Linux offered the ultimate playground for this mindset, providing a transparent architecture where I could apply my growing skills in C/C++ and shell scripting to solve complex infrastructure problems.

Installing Linux in the late nineties was not for the faint of heart; it often involved, for example, manually calculating monitor refresh rates for the XFree86 configuration. My journey included experimenting with several distributions: Caldera OpenLinux, Mandrake, Debian, SuSE, Fedora, RedHat, Gentoo, Ubuntu, and Arch Linux.

I collected installation CDs like trading cards. Each version provided distinct insights, and the Linux community proved to be an invaluable resource, filled with individuals keen to share their knowledge and rescue me from my frequent configuration errors. During those early Linux days, getting hardware to work was a notorious rite of passage.

This transition shifted my entire focus toward system administration, infrastructure, and operating system development. I studied computer networking in depth, specializing in the field, which inevitably led to some memorable learning experiences. To make the machine serve my exact needs as a software developer and administrator, I wrote hundreds of C, C++, Python, Perl, PHP, Bash shell scripts, etc.

Alongside my Linux system administration and software development adventures, I fell down the rabbit hole of text editor customization. I initially used Vim, spending hours tweaking its configuration and writing my own extensions until it functioned as a complete IDE.

However, the true turning point was my eventual switch to Emacs, which stands as my favorite editor today. The learning curve was steep, especially when diving into Elisp to customize my setup. There were definitely weekends where I spent more hours tweaking my configuration file to make the syntax highlighting look absolutely perfect than I spent writing actual software. The transition from Vim to Emacs required a massive effort, as I spent countless hours diving into Elisp, another of my favorite programming languages, to reimplement in Elisp the Vim plugins and scripts I had previously developed. Learning Elisp allowed me to fully bend the editor to my will. There are many specific reasons why I ultimately left Vim behind to make Emacs my permanent digital home, but I will detail those arguments in a future article.

Professional

Following this, I spent over two decades as a software development and Linux infrastructure professional across multiple corporations. I might never have pursued this career path had it not been for the incident where I deleted io.sys! As I moved into enterprise environments, the foundational lessons learned from recovering a broken boot sequence evolved into architecting resilient Linux servers and developing software.

Conclusion

Reflecting on my shift from DOS and Windows 95, I realize the significant impact that hands-on problem-solving and continuous learning have had on my career. The technology landscape has transformed considerably over the years, yet the excitement of discovery remains the same. This journey has been about more than personal growth and technical skills; it is also about the connections I have made and the supportive community around me. My experience highlights the dynamic nature of technology, where deleting a system file is a learning opportunity, and every new interest can lead to significant discoveries.

Fixing Aqara Smart Hub M3 High Volume System Crashes and Reboots

After purchasing an Aqara Smart Hub M3 to manage my smart home ecosystem, I configured its security features, set the internal alarm volume to 100 percent, and armed the system by switching it to Away mode to test the built-in 95 dB loudspeaker. The moment the alarm triggered, the hub completely crashed and rebooted. My initial thought was that I had received a defective unit. However, after extensive troubleshooting, I found the solution to this surprising behavior.

Understanding the reboot issue

When the Aqara Smart Hub M3 unexpectedly restarts the moment an alert sound is triggered at a high volume, it is not a software defect or a broken unit. Instead, it is related to how the device handles peak energy demands.

The hub’s internal loudspeaker requires a sudden, large spike in electrical current to produce loud audio. If the provided power supply is unable to deliver this surge of current instantly, the internal circuitry experiences a severe voltage drop. This momentary loss of adequate electricity causes the entire system to crash and restart.

How to fix the power supply issue

To permanently eliminate these reboots and ensure stable operation, the power delivery system must be upgraded to handle high current spikes:

  • Replace any generic, older, or low-capacity power adapters by connecting the Aqara Smart Hub M3 to a 5.0V/2.0A USB charger designed to deliver a stable and high-wattage power output. (In my case, a Samsung phone USB charger worked well.)
  • Alternatively, use Power over Ethernet (PoE). If your home network infrastructure supports PoE, you can completely remove the USB-C cable and power the Aqara Smart Hub M3 directly through its Ethernet port. This provides both excellent network stability and a highly reliable power source.

Conclusion

By providing the Aqara Smart Hub M3 with a reliable, high-wattage power source, or by powering it over Ethernet, you ensure that the hardware’s peak power demands never compromise its stability.

Google Home Script for announcing door open and close events using Matter door/window sensors

The Matter standard enables smart home devices from different manufacturers to work together in a reliable and secure way. One common use case is detecting when a door is opened or closed and announcing this event through Google Home speakers or sending notifications to connected devices.

This article demonstrates how to configure Google Home to announce door events using Matter-compatible sensors such as the Aqara Door and Window Sensor P2. The example uses Google Home script automations to broadcast voice announcements and trigger mobile notifications whenever the entrance door changes state.

Requirements

  • A Matter-compatible door and window sensor.
  • A Google Speaker for announcements.
  • The Google Home application with the script editor enabled, accessible via the web interface at https://home.google.com/.

Door Closed Announcement Script

The following script broadcasts a voice message and sends a notification when the door transitions to the closed state (sensor reports openPercent = 0):

metadata:
  name: Door closed announcement
  description: Announce when the door is closed
automations:
  - starters:
      - type: device.state.OpenClose
        device: Entrance door - Entryway
        state: openPercent
        is: 0
    actions:
      - type: assistant.command.Broadcast
        message: The door was closed

      - type: home.command.Notification
        title: The door was closed
        body: The door was closed

Note: Replace "Entrance door - Entryway" in the scripts with the actual name of the Matter-compatible door and window sensor as configured in Google Home. The device name must match exactly for the automations to work correctly.

When the door closes, the Google Assistant broadcasts “The door was closed” on all Google Home devices in the household, and a push notification with the same text is sent to connected mobile devices.

Door Open Announcement Script

The following script performs the same action when the door opens (sensor reports openPercent = 100):

metadata:
  name: Door open announcement
  description: Announce when the door is open
automations:
  - starters:
      - type: device.state.OpenClose
        device: Entrance door - Entryway
        state: openPercent
        is: 100
    actions:
      - type: assistant.command.Broadcast
        message: The door was opened

      - type: home.command.Notification
        title: The door was opened
        body: The door was opened

In this case, Google Assistant announces “The door was opened” and the same message is sent as a push notification.

Conclusion

Combining a Matter-compatible door sensor with Google Home scripts provides real-time feedback whenever a door is opened or closed. It delivers both audible alerts throughout the home and push notifications to mobile devices, enhancing awareness and security.

My Ergonomic Workstation: Enhancing Focus, Comfort, and Efficiency

I spend a significant portion of my professional life at a desk. Because of this, an optimized workstation isn’t just a luxury for me, it’s an absolute necessity. I’ve spent time designing a workspace that balances ergonomics, efficiency, and versatility.

I’m sharing my setup here because I’ve always found it valuable to see how other IT specialists configure their spaces, gain a little inspiration, and exchange ideas. I’d love to hear about your own workstation in the comments!

Here is a breakdown of the gear I use to support sustained focus, comfort, and productivity.

Sit-stand desk converter

The anchor of my setup is a sit-stand desk converter. Being able to transition between sitting and standing helps prevent the usual stiffness and aches that come with desk work, and I find that standing up intermittently naturally boosts my alertness. This is important when I need to lock in during heavy coding sessions or late-day system monitoring.

Split ergonomic keyboard

To protect my wrists, I use a mechanical split keyboard equipped with Cherry MX Blue switches. The tactile feedback is fantastic for heavy typing, and the split, tented design, paired with wrist rests, keeps my arms in a natural, relaxed position. It significantly cuts down on the muscular fatigue that usually sets in after a few hours.

A quick layout tip: I actually position my mouse and keypad right in the middle between the keyboard halves. It’s much easier to reach than having them off to the far right, keeping my hands centered and minimizing strain.

Vertical and trackball mice

I currently use four distinct mice on my desk. While it sounds like overkill, it’s a deliberate strategy to accommodate different workflows and prevent repetitive strain injuries.

My primary go-to devices are a vertical mouse and a trackball. The vertical mouse keeps my arm in a natural handshake position, taking the twisting stress off my forearm. The trackball, on the other hand, lets me navigate using just my fingers, giving my wrist a complete break. Switching between these input methods throughout the week does an excellent job of distributing the physical workload.

External microphone with boom arm

Clear audio is non-negotiable for virtual meetings and the occasional recordings I produce. I use an external cardioid microphone mounted on a boom arm. The arm is great because it keeps the mic off my desk, freeing up valuable real estate. It also allows me to pull the mic right up to mouth level, which captures crisp audio while rejecting background noise.

Two computers

My daily workflow is divided across two distinct machines:

  • Professional: Dedicated strictly to work responsibilities, focusing on secure infrastructure management and corporate development.
  • Personal: My sandbox for personal projects, open-source contributions, and experimenting with new software configurations without risking my work environment.

Second curved monitor

Off to the left (though not visible in the picture), I run a second, curved monitor. I dedicate this screen primarily to multimedia and secondary apps. Offloading these to a separate screen keeps my main display uncluttered, allowing for uninterrupted focus on development and administration tasks. The curve of the monitor actually makes a noticeable difference, creating a more immersive feel and reducing eye strain when I’m glancing back and forth between displays.

Conclusion

Building this workstation has been an ongoing process of finding exactly what works best for my body and my daily tasks. Every piece was chosen with a specific purpose: to minimize physical strain while keeping me productive. If you spend your days tackling cognitively demanding tasks, investing in a setup that harmonizes comfort and operational efficiency is one of the best things you can do for your focus and long-term well-being.

Productivity: Time-saving tips for the digital age

Your computer is a powerful tool for enhancing productivity at work, but it can also be a significant source of inefficiency. Your time is a valuable resource. If, after hours of working at your computer, you find yourself accomplishing little, you may be among the many individuals distracted by the lure of the internet and digital technology.

If you excel at time management, having schedules, goals, and structure in place is commendable. However, the effectiveness of time management diminishes if the time allocated is not directed toward advancing meaningful tasks.

This article does not aim to teach you how to organize your time. Instead, it provides tips to help you avoid common pitfalls that lead to wasted time.

Below, you will find practical and tested advice to help you reclaim your day and accomplish significant tasks with the same level of effort:

  1. No mobile phone: Not everyone can do this, but for those who can, it’s worth a reminder. Personal (and sometimes even professional) phones can eat up your time with long, trivial conversations or spontaneous invitations. Put it on silent, or better yet, turn it off!
  2. Disable notifications: Notifications can constantly pull your attention. Notifications are a major distraction; disable them all!
  3. Avoid temptation: If you’ve stopped notifications, don’t actively seek distractions like social media, RSS readers, or irrelevant Google searches. These create even more temptations and waste your time.
  4. Enhance your email usage: Use a single email inbox by redirecting all accounts there. Set filters for less urgent emails, such as newsletters, and check your inbox sparingly; perhaps once an hour. Aim for an empty inbox to ease mental clutter.
  5. Disconnect from the internet: If your work doesn’t require internet access, disconnect! This significantly reduces distractions.
  6. Avoid radio, TV, YouTube, etc.: Background noise from radio or TV can distract you. Instead, consider curated podcasts to enjoy during breaks or after completing critical tasks.
  7. Organize your workspace: A clutter-free desk (physical or virtual) helps your mind focus. Keep only essential items visible. Create a well-organized folder structure on your computer for easy navigation.
  8. Separate work and personal accounts: Use separate user accounts on your computer for work and personal activities. This separation reduces the temptation to engage in distractions during work hours.
  9. Focus your internet searches: Avoid straying into unrelated topics when using search engines. Postpone non-urgent research for later.
  10. Defer non-urgent tasks: Keep a notebook to record non-urgent tasks for later. This helps reduce stress by freeing you from the pressure of trying to remember everything.

By implementing at least six of these recommendations, you will observe noticeable improvements in productivity and efficiency. You will gain more time and energy to focus on tasks that hold greater significance.

Regularly take breaks to maintain optimal mental performance and enhance productivity. Break-scheduling tools such as Workrave can assist in managing breaks and preventing fatigue.

It is my hope that this article enables you to optimize your time effectively. If you have additional strategies to share, consider contributing them—they could be invaluable to others!