blog – twm's blog

How secure is your WordPress installation?

blog, Oct 24 2020

I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. Turns out that there is something called the WordPress REST API which allows anyone to retrieve quite a lot of information about the installation without any authentication at all. E.g. https://blog.dummzeuch.de/wp-json/wp/v2/users used to show a list of all my registered users (all three of them: me, myself and I). But that’s only a coincidence, because I have disabled comments. There are similar lists for all articles, all pages and, most worrying, all media contents. So, if I had ever used the upload feature of my blog to share a file with somebody else, it would have been possible for anybody who knew about this REST API to find the file name and access that file.

I read about this security (or at least privacy) hole in the current issue of the German c’t magazine (I am subscribed to the dead tree edition). And today I plugged it. For this particular problem, there is a simple fix: install the Disable WP REST API plugin. It restricts the API to logged-in users; everybody else gets this error:

{"code":"rest_login_required","message":"REST API restricted to authenticated users.","data":{"status":401}}

In case you are worried: The WordPress Android App still works even if that plugin is installed.
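The same behaviour can be reproduced without a third-party plugin, as an added example that is not the Disable WP REST API plugin's own code: a small must-use plugin hooking WordPress's rest_authentication_errors filter. It is registered after core's cookie check so that a browser session without a REST nonce is treated as anonymous, and it returns exactly the 401 body quoted above.

```php
<?php
/**
 * Plugin Name: Restrict REST API to logged-in users (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular
 * plugins. It is not the Disable WP REST API plugin's code; it reproduces
 * the behaviour described in the post using the core filter WordPress
 * provides for REST authentication decisions.
 */

add_filter( 'rest_authentication_errors', function ( $result ) {
    // An earlier filter already rejected the request (bad nonce, bad
    // application password, ...): keep that error and its status code.
    if ( is_wp_error( $result ) ) {
        return $result;
    }

    // Priority 101 runs after core's cookie check (priority 100), which
    // resets the current user to 0 when a browser session sends no REST
    // nonce. So is_user_logged_in() is only true for a nonce-validated
    // cookie session or another authenticated login (e.g. application
    // passwords in WordPress 5.6+); those requests keep working.
    if ( is_user_logged_in() ) {
        return $result;
    }

    // Everybody else gets the JSON body the post quotes, on every route:
    // /wp/v2/users, /posts, /pages, /media and any plugin-registered one.
    return new WP_Error(
        'rest_login_required',
        'REST API restricted to authenticated users.',
        array( 'status' => 401 )
    );
}, 101 );
```

To verify, an anonymous request to /wp-json/wp/v2/users should now return HTTP 401 with that body, while a nonce-carrying request from a logged-in editor session still succeeds.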

And since I am always curious I tried some other blogs and found quite a few for which this API was open.

I also changed the WordPress login page to require basic authentication as described here (in German). Yes, that means two logins are required now, but that’s not much of an inconvenience since I am the only user.

If you want to discuss this article, go to the related post in the international DelphiPraxis forum.

Posted on 2020-10-24 at 18:27

Google✝ is dead

blog, Google, Feb 03 2019

OK, most of you already knew that. I am writing this only because I will now stop posting there. Not just the automatic posts generated by this blog, but also my personal posts.


(Picture taken from Jürgen Christoffel’s G+ post.)

I considered migrating my content from G ✝ to somewhere else (e.g. yet another WordPress blog under .dummzeuch.de, I tried it, it worked), but I decided that it isn’t worth the effort. So, bye bye Google+, it was great as long as it lasted.

If you want to continue following me, consider one of the options listed here.

And one last word to You, Google: I will remember what you did. I will never again trust you.

Btw: Did you know that they will also kill Hangouts?

Posted on 2019-02-03 at 12:47

You can now follow me on Diaspora

blog, Delphi, Dec 31 2018

I created an account on Pluspora (I’m dz@pluspora.com *1).

If the WordPress plugin I just installed works as expected, all blog posts will be available there. And if I understand correctly how Diaspora works, it should be possible to follow me on other Diaspora Pods too.

(*1 dummzeuch@pluspora.com was blocked for whatever reason. It’s quite possible that I registered it before and deleted that account later. I don’t remember doing that though.)

Posted on 2018-12-31 at 19:25

New blog for more personal posts

blog, Nov 17 2018

I have posted only a very few personal articles here, but it always felt wrong to do that and I preferred to use Google+. Unfortunately Google decided to close down Google+, so I am forced to look for an alternative. Today I have set up a new blog for that purpose: blub.dummzeuch.de. I’ll try that for a while and see how it works.

This blog here will stay and will be used for my “professional” posts only, so it will be mostly about programming, Delphi, Windows, Linux and, of course, GExperts.

Posted on 2018-11-17 at 13:05

download.dummzeuch.de now also supports https

blog, Oct 27 2018

From now on, all *.dummzeuch.de subdomains are available via https. In particular that means download.dummzeuch.de (which contains all GExperts downloads) and my old home page www.dummzeuch.de.

I have changed the download links for the two latest GExperts releases. I will probably not bother with the older ones.

Posted on 2018-10-27 at 15:51

List of my open source projects

blog, Oct 06 2018

Since I keep forgetting which project is hosted where, here is a list of all(?) my open source projects as of 2018-10-06 with links to the pages where they are being hosted.

Most of them are written in Delphi with some Lazarus (for Windows) sprinkled in.

My old homepage still lists other stuff, some of it written in Perl or even ReXX.

Posted on 2018-10-06 at 14:57

Legal notice (Impressum) and privacy policy

blog, May 19 2018

And so the bureaucrats have something to be happy about, there are now links to the legal notice (Impressum) and the privacy policy (Datenschutzerklärung) at the top right.

Let’s hope the respective generators produced something that cannot be the subject of a cease-and-desist letter. Personally, I particularly dislike the privacy policy, because according to the GDPR it is supposed to be easy to understand, and what is in there really isn’t. But I’ll be damned if I start fiddling with a document that was produced by the generator on a lawyer’s website.

Posted on 2018-05-19 at 18:06

Comments and lots of other features disabled

blog, May 19 2018

I have already spent too much time making my site compliant with the GDPR rules. I have disabled

  • comments on all pages (also deleted existing comments)
  • track backs
  • options to like pages
  • direct links to “social” media
  • JetPack features, including site stats

I have also tried to find and remove any requests my site sends to anywhere else but dummzeuch.de.

I’m still not done and I already hate it. Many useful features are now gone, existing comments have been deleted, I will no longer get stats on which pages have been requested.

And I might still decide to shut down the whole thing. I like publishing and interacting with my users, but I don’t want to spend the time for bullshit. So, if on 2018-05-25 you come back here and find that all the content is gone, you can thank the EU and the German government.

Welcome to #neuland.

Posted on 2018-05-19 at 11:30

Hello world!

blog, Mar 12 2017

I managed to mess up my blog. The content is still there, but all the screenshots are missing since apparently they are not part of the export. Fortunately my hoster 1&1 makes a daily backup of my webspace which is stored for 6 days, so I could restore the pictures. (After praising them, let me add that I lost the data because their automatic conversion from managed to normal blog did not work, so I tried to revert, which deleted everything.)

Posted on 2017-03-12 at 13:52

WordPress update broke ssl

blog, Feb 03 2017

My hoster has updated my WordPress installation to the latest version (and broke it for several days). What they also did was disable my option to set the Site Address and WordPress Address to https rather than http. So, even though the site is still available through https://blog.dummzeuch.de, it no longer automatically forces https connections. Thanks a lot. 🙁

What’s even worse: it reverts to plain http sometimes for no reason I can determine. E.g. I have been writing this post over http because I didn’t notice that until now. Thanks even more. :-((

Posted on 2017-02-03 at 21:29