WordPress All In One WP Security (AIOS) locking Cloudflare out

I’m going on a trip tomorrow and not gonna bring my computer, so I decided to take one last look at my WordPress site to make sure everything is doing fine. Then I saw that recently all the bot-like, high-count visitors are from a narrow range of IPs from Singapore. I thought it was just some good old crawler draining my server, so I casually added the range to All In One WP Security (AIOS)’s blacklist manager.

Then, without refreshing, I realized I recently set up Cloudflare for all my sites cuz my other site was DDoS’ed the other day. This couldn’t happen to be Cloudflare’s proxy server, right? So I hit refresh. 403. At the same time, my Better Uptime incident alert came.

Bummed by my own stupidity, I thought I should just be able to ssh into the server, disable all the plugins as usual, and get back in the game. Well, after renaming both all-in-one-wp-security-and-firewall and all the plugins at /var/www/html/wp-content/plugins/, I was still getting 403. Usually all plugin-related issues get solved at this step without needing to restart the service; I’m not sure why it didn’t work this time.

So I started to Google something like AIOS self lockout, trying to find where it stores the blacklist so that I could quickly edit it manually from the command line. No luck.

I tried to disable the Cloudflare proxy in the Cloudflare dashboard, no luck. And I’m too lazy to switch my DNS provider back to the one I was using before.

I started to poke around more in the plugin’s folder, and eventually found the file that did the trick: /var/www/html/wp-content/plugins/all-in-one-wp-security-and-firewall/admin/wp-security-list-locked-ip.php. Seems like the IPs are stored in a table called AIOWPSEC_TBL_PERM_BLOCK. I just commented out the entire line here in the prepare_items() function. Refreshed, back online, removed the IP range from the blacklist, uncommented the line.

So, that was just a small stupid incident on a random Thursday night 9pm before a trip. 乁། * ❛ ͟ʖ ❛ * །ㄏ
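
A pre-flight check for the mistake described above, as an added example that is not part of the original post: before a range goes into a blocklist on a site proxied by Cloudflare, test whether it overlaps Cloudflare's own proxy ranges. The function names, the accepted input formats and the embedded snapshot of ranges are assumptions of this example; the candidate ranges at the bottom are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 proxy ranges. Assumption: this copy
# may be stale; refresh it from https://www.cloudflare.com/ips-v4 before use.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]


def parse_range(spec):
    """Turn a single IP, a CIDR block or 'start-end' into a list of networks."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        # summarize_address_range raises ValueError if start > end.
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False lets '198.51.100.7/24' or a bare host address through.
    return [ipaddress.ip_network(spec, strict=False)]


def proxy_overlaps(spec, proxies=CLOUDFLARE_V4):
    """Return the proxy ranges that the candidate block entry would hit."""
    candidates = parse_range(spec)
    hits = []
    for proxy in proxies:
        proxy_net = ipaddress.ip_network(proxy)
        if any(c.version == proxy_net.version and c.overlaps(proxy_net)
               for c in candidates):
            hits.append(proxy)
    return hits


def safe_to_block(spec, proxies=CLOUDFLARE_V4):
    """True only when the entry touches none of the proxy ranges."""
    return not proxy_overlaps(spec, proxies)


if __name__ == "__main__":
    # Constructed candidates: one inside a proxy range, one documentation range.
    for candidate in ["162.158.160.0/20", "203.0.113.0/24"]:
        hits = proxy_overlaps(candidate)
        verdict = "DO NOT BLOCK, overlaps " + ", ".join(hits) if hits else "ok to block"
        print(f"{candidate}: {verdict}")
```

A hit means the "visitors" in that range are the proxy relaying real traffic, so blocking it at the origin returns 403 to everyone.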



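How to build a simple Chrome extension

In just a few years, Chrome, a third-party browser that doesn't ship with any mainstream desktop operating system (Windows, Mac), beat all of its competitors and now sits firmly at the top of desktop browsers with an overwhelming 67% market share. Although privacy concerns about it have kept surfacing in recent years, and some power users try to find alternatives (Brave, Duckduckgo and the like), for the vast majority of internet users it is still the default choice of browser.

Now that front-end technology keeps getting more powerful, many of the client-side things ordinary desktop users do can be replaced by web versions. With a huge potential user base, JavaScript's low barrier to entry, the browser as the runtime so there's no need to worry about interacting with or testing against the system, the Chrome store handling distribution, and an install process much simpler than a desktop client's, the Chrome extension has become a lightweight, convenient and practical platform for both developers and users.

At the same time, the barrier to using a Chrome extension is much lower than asking users whose heads hurt at the sight of code to install a Tampermonkey script themselves, just like recommending an app by dropping a Play Store link is surely easier than asking someone to download an apk. There's also the convenience of sync (I've received several "why not write it as a Tampermonkey script" comments... the code is open source right there; those who don't want to go through the Chrome store and know how to use scripts can naturally just use the script, whereas store users can't easily conjure a syncable extension out of a Tampermonkey script).

This is homework delayed by half a month, the topic that won the June Patreon blog vote (honestly I never expected so many people would want to read about development; just how many of my readers are coders). Patrons are welcome to go vote in July's poll for the next topic:

  • My information intake exploration 2.0
  • An old coder's tips on reasonably slacking off
  • Little hacks that are useful even for non-programmers to master
  • The first half of a US software engineer's career path (career ladder)

Actually I don't know why everyone picked this topic, because Chrome's official Developer Guide is written pretty clearly and also gives ready-made examples to copy. But since my patrons voted, I'll try to give a TLDR for friends who don't write programs that often but are somewhat interested in developing an extension themselves, using a simple extension I wrote as an example to walk step by step through the process of developing a simple Chrome extension.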


How to set up RSS for a Notion blog using Zapier

RSS has become an almost obsolete concept that most of my friends nowadays have never heard of, which is a shame. It’s simple, clean, accessible with the correct setup, and most importantly, a highly productive system for information consumption.

Why do you need RSS

Compared to other forms of information consumption, like feeds from certain platforms (e.g. Instagram, Twitter) or newsletters, RSS (or Atom) has a few clear advantages for consumers:

  1. No sponsored content inserted into your feed and pretending to be normal content.
  2. You choose when to read, rather than getting a newsletter pushed to a folder that you never get back to.
  3. No personal information is collected when subscribing. Like receiving a broadcast, the publisher has no way to trace the receiver.
  4. No self-righteous algorithm telling you what order you should read your feed in and making you miss the content you’re interested in.
  5. User-friendly interfaces provided by modern RSS clients like Inoreader or Feedly make subscribing to and managing feeds really easy.

As a content creator, making your site available through RSS means that:

  1. More users will know when you have new content, no matter what platforms they usually use. Indie blogs are hard to keep track of without a universal feed; you can’t expect your readers to bookmark your website among tons of other blogs they’re interested in and check all of them every day.
  2. Fewer readers miss your content because they happen not to be scrolling the social platform you’re on at exactly the moment you post.
  3. Better performance on the reader side and less stress on your server. RSS-consuming platforms pull your content once and store it on their platform, instead of your server feeding each individual visitor.

While popular blog/news websites still generate RSS feeds and are easy to subscribe to, some content creators in this new era choose to publish their blogs on non-conventional platforms, like Notion.

A Notion blog is easy to set up and much more flexible than simple article-posting platforms like telegra.ph or Medium. Thanks to Notion’s database system, content creators can customize their pages with various views, filters and templates. Also, it’s free for personal use. The only downside is that it doesn’t come with an RSS feed.

Fortunately, automation workflow platforms like Zapier provide an easy and free (for now) solution so that your Notion blog (or frankly, any Notion database) can generate an RSS feed.


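"Show original toots only" on Mastodon profile pages: Chrome Extension

I turned the little piece of code I made a couple of days ago, which quickly shows "original toots only" on a Mastodon profile page, into a Chrome extension. Google actually approved it in just one day! Click here to install the Chrome extension

How to use:

  1. Go to your Mastodon home page (new in version 1.1.0) or someone's profile page on their own instance (a URL in a format like douchi.space/@mtfront, usually the one that opens when you click someone's username/avatar twice)
  2. Click this extension to open its interface, then click the Hide/Show button
  3. If the person boosts a lot, you may need to manually load more toots and click the button again, because this is a front-end hack and can only filter toots that are already loaded.

Version v1.1.0 adds the timeline filter update; it will update automatically once the Chrome store review passes.

As for the timeline filter, because of dynamic loading and the classes used being a bit different, it needs slight modification and hiding can't be undone (unless you refresh the page), so yesterday I hesitated and didn't add this feature; if you want it, let me know. Same goes for a Tampermonkey script.

Given how Google's review usually goes, it will probably take about another week to be listed; if you want to try it early, you can download the code and install it directly.

If you don't use git, just download this zip and unzip it.

How to load an unpacked extension.

If you want something more seamless, or synced across devices on your Chrome account, wait for the Chrome store version; I'll come back and give a shout when it's up.

Some stupid things that happened while migrating Object Storage, and the solution

TL;DR: While migrating object storage with rclone, I had a brain fart and set the destination bucket's access to private, so after the migration Mastodon couldn't access the new bucket and none of the media files would display. In the end I had to use s3cmd to recursively set a public ACL on all the media files.

If you're not interested in how it happened and want to go straight to it, click here to jump directly to the Debug steps and solution section.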
