Security

Security Tips

We are trying to make the code as safe as possible, but some of the security related aspects are up to the site owner. This page lists some tips for you to read.

Always use HTTPS instead of HTTP
The main advantage of using HTTPS is that all the requests which are sent from the browser to the server are encrypted. This might not be very important for the random user reading the content of the site, but it is very important for logged-in users, as each request carries the user’s login information in a cookie.

If not encrypted, as happens while using HTTP, anyone that controls equipment through which the request is delivered can read (and manipulate) that information. For example, the owner of the coffee shop is able to see your authentication cookies, and use them to “hijack” your site.

It used to be that the certificates which must be installed on the server to enable HTTPS cost money, but nowadays shared hosting providers are likely to offer this service for free, and if you are using your own VPS to host calmPress you can use Let’s Encrypt to get one for free. If it is not clear how to use it, ask your hosting provider (most of them probably have documentation which explains it).

Why do we keep the option of running calmPress on HTTP?

  • On local host setups, which many developers use for their development environment, it is almost impossible to get and configure a proper certificate.
  • Less friction for people that want to migrate HTTP based sites from WordPress to calmPress.

Use your own VPS (Virtual Private Server)
We do not have anything specific against shared hosting, but the security risk is by definition higher when you host on a machine to which many other people, about whom you know nothing, have access.

With your own VPS you are assured that the only people who have access to your server are you, people you approved, and the hosting staff. It used to be that a VPS was expensive, but for a long time now basic setups have not been much more expensive than basic shared hosting plans.

The main cost in a VPS is setting it up and doing anything which relates to administering the VPS. With shared hosting you are likely to just ask the support if you fail to understand how to do things by yourself, but with a VPS you will either need to learn it, or hire someone. Some VPS providers offer the administration support for extra cost.

Use one site per VPS
The reason is that a security breach on one of the sites might cause the “infection” of another. From a security point of view it is better to have unrelated sites on a different VPS.

Directory permission
It is unfortunately common in WordPress setups to have all the directories writable by the user associated with the web server (often www-data). This way it is easier to make modifications to the .htaccess and wp-config.php files from the admin, and easier to install and upgrade plugins and themes.

The problem is that with this kind of setup, any “bad” php file can modify all the other files in the system, and in case of a security breach, it is much harder to hunt down all the changes which were done by the malware.

In this context “bad” php does not mean that the file was explicitly designed for hacking the site, but any file which has security weaknesses which can be used in such a way.

The additional effort of entering the FTP credentials when installing or upgrading plugins and themes is nothing compared to the effort of recovering a hacked site.

What does it mean in technical terms
All directories, except for the uploads one, should be associated with the user you are using for FTP. The uploads directory should be associated with the web server user.

If you are hosting more than one site on a VPS it is also wise to use a configuration in which the web server uses different users when handling different sites.

If you are using a VPS and, as is proper, upload files only via SFTP, you should consider running an FTP server which is limited to handling only requests from the local machine and local users, for the use case of installing plugins and themes from the admin.
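
One way to check the ownership rule above on a live install, as an added example that is not calmPress's own code. The function name, the output labels and the default uploads path wp-content/uploads are assumptions made here.

```shell
#!/bin/sh
# audit_ownership SITE_ROOT WEB_USER [UPLOADS_REL]
# Prints every path that breaks the ownership rule and returns 1 if any is found.
# WEB_USER is the web server account (often www-data); UPLOADS_REL defaults to
# wp-content/uploads, the usual WordPress layout (assumed to apply to the site).
audit_ownership() {
    root=${1%/}
    web_user=$2
    uploads="$root/${3:-wp-content/uploads}"
    findings=$(
        # Outside uploads: nothing may be owned by the web server user or be
        # world-writable (symlinks are skipped, their mode bits are meaningless).
        find "$root" -path "$uploads" -prune -o \
            \( -user "$web_user" -o -perm -0002 \) ! -type l -print |
            sed 's/^/WEB-WRITABLE: /'
        # Uploads: everything must belong to the web server user.
        if [ -d "$uploads" ]; then
            find "$uploads" ! -user "$web_user" -print | sed 's/^/NOT-WEB-OWNED: /'
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Example call (placeholder path and user):
# audit_ownership /var/www/example www-data
```

The check looks only at file owner and the world-writable bit; write access granted to the web server through group membership or ACLs is not detected.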

Always have backups
Restoring from a known good backup is the only sure way to recover from a hack. Sophisticated malware is going to leave extra files, or newly created admin users which it can use in the future to reestablish itself even after you have “cleaned” it, and you can never be 100% sure that you found and removed it from all the places that it was hiding.

Migration

Migrating to calmPress

Migrating from WordPress to calmPress can be achieved without any content or functionality loss.

Before starting a migration, you should ensure that there is a backup of the current database and the files in the uploads directory, and if not, create one (use a plugin if your host does not provide other options).

For the migration you must use the “upgrade” version of the desired release listed at the release download page.

Using the “full” zip file will cause you to lose all your content!

Migrating using FTP simply involves unzipping the file and uploading the contents to your website.

The following are the steps to follow when migrating using command line interface via SSH access:

  1. Use wget to get the files of the upgrade to the server. You can use the URL specified in the upgrade page or the one you locate at the release download page.
    Important: do not download the files directly into the folder in which you have your current WordPress files; use a temporary folder instead.
  2. gunzip the file you got in step 1.
  3. Put WordPress into maintenance mode by adding a file named .maintenance into the root directory of your WordPress install.
  4. Remove (or change the name of) the wp-includes directory which is in the root directory of your WordPress install (this is done this way to make sure that there are no leftover files).
  5. Copy or move the wp-includes directory from your temporary directory into the WordPress root directory.
  6. Repeat steps 4 and 5 for the wp-admin directory.
  7. Copy the wp-*.php files from your temporary directory into the WordPress root directory.
  8. Some wp-*.php files might be removed in calmPress, so make sure there are no wp-*.php files in the WordPress root directory which are not in the temporary directory. The only exception is the wp-config.php file.
  9. Remove the .maintenance file created at step 3.
  10. You are done, and should be able to log in. You might need to complete the database upgrade if it is required for the release you are upgrading to.
  11. Enjoy using calmPress!

Upgrading

Upgrading calmPress

One important distinction between the WordPress upgrade process and the calmPress one is that in WordPress you will be pushed into upgrading to the latest version, while calmPress will present options to upgrade to any available version which is newer than the one currently in use, letting you decide what is best for your specific situation.

You are going to be notified about the existence of new versions by the upgrade count indicator in the admin panel, and an admin notice.

In the upgrade page in the admin panel, you are going to be presented with a list of available versions. By default the list will only show published releases, but if the system detects that you are in a development mode (have the WP_DEBUG constant set to true) it will offer upgrades to the latest development versions as well.

Before starting an upgrade you should ensure that there is a backup of the current database and the files in the uploads directory, and if not, create one (use a plugin if your host does not provide other options).

The easiest, and recommended, way to perform an upgrade is to use the upgrade admin page, select the version you wish to upgrade to, enter FTP credentials if needed, and let the system handle it in a way which ensures the minimal probability of unrecoverable data loss and minimizes downtime.

The other alternative is to use the “upgrade” version of the desired release listed at the release download page.

It is easy to make mistakes while doing such an upgrade, so please don’t do it, unless you have a very good idea what is involved in this.

It is possible to do the upgrade without having SSH access to the server, but this is not recommended as it leaves even more room for failure.

The following are the steps to follow when upgrading using command line interface via SSH access:

  1. Use wget to get the files of the upgrade to the server. You can use the URL specified in the upgrade page or the one you locate at the release download page. Important: do not download the files directly into the folder in which you have your current calmPress files; use a temporary folder instead.
  2. gunzip the file you got in step 1.
  3. Put calmPress into maintenance mode by adding a file named .maintenance into the root directory of your calmPress install.
  4. Remove (or change the name of) the wp-includes directory which is in the root directory of your calmPress install (this is done this way to make sure that there are no leftover files).
  5. Copy or move the wp-includes directory from your temporary directory into the calmPress root directory.
  6. Repeat steps 4 and 5 for the wp-admin directory.
  7. Copy the wp-*.php files from your temporary directory into the calmPress root directory.
  8. It is rare, but a wp-*.php file might be removed in newer releases, so make sure there are no wp-*.php files in the calmPress root directory which are not in the temporary directory. The only exception is the wp-config.php file.
  9. Remove the .maintenance file created at step 3.
  10. You are done, and should be able to log in. You might need to complete the database upgrade if it is required for the release you are upgrading to.
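
Steps 3 to 9 above, which are the same in the migration and the upgrade procedures, written as one shell function. This is an added example, not a script shipped by calmPress; the function name, its arguments and the content written to .maintenance (WordPress core's format) are assumptions.

```shell
#!/bin/sh
# swap_core SITE_ROOT NEW_DIR BACKUP_DIR
#   SITE_ROOT   existing WordPress/calmPress install
#   NEW_DIR     extracted "upgrade" package in a temporary folder (steps 1-2 done)
#   BACKUP_DIR  fresh directory outside the web root for the replaced files
swap_core() {
    site=${1%/}; new=${2%/}; backup=${3%/}
    for d in "$site/wp-includes" "$site/wp-admin" "$new/wp-includes" "$new/wp-admin"; do
        [ -d "$d" ] || { echo "swap_core: missing $d" >&2; return 1; }
    done
    [ ! -e "$backup" ] || { echo "swap_core: $backup already exists" >&2; return 1; }
    mkdir -p "$backup" || return 1

    # Step 3: maintenance mode. WordPress core only honours the file when it sets
    # $upgrading to a recent timestamp; calmPress is assumed to behave the same.
    printf '<?php $upgrading = %s; ?>\n' "$(date +%s)" > "$site/.maintenance" || return 1

    # Steps 4-6: park the old directories, then copy in the new ones, so no
    # leftover file from the old release survives.
    for dir in wp-includes wp-admin; do
        mv "$site/$dir" "$backup/$dir" && cp -R "$new/$dir" "$site/$dir" || return 1
    done

    # Step 7: copy the new wp-*.php files, never overwriting wp-config.php.
    for f in "$new"/wp-*.php; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = wp-config.php ] || cp "$f" "$site/" || return 1
    done

    # Step 8: park wp-*.php files the new release no longer ships.
    for f in "$site"/wp-*.php; do
        name=${f##*/}
        [ -f "$f" ] && [ "$name" != wp-config.php ] && [ ! -e "$new/$name" ] || continue
        mv "$f" "$backup/$name" && echo "removed stale file: $name"
    done

    # Step 9: leave maintenance mode.
    rm -f "$site/.maintenance"
}

# Example call (placeholder paths):
# swap_core /var/www/example /tmp/calmpress-upgrade /var/backups/calmpress-old
```

If a step fails, the function returns early and leaves .maintenance in place, so the half-updated site is not served while you investigate.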

Installation

Installing calmPress

In general, the installation process is not much different to the WordPress “famous 5 minutes installer”. If you are not familiar with it, it is worth taking a look at the installation page of the WordPress codex.

The following reiterates the longer, complete version of a WordPress installation process with some adaptations:

  1. Check that your host satisfies the minimal requirements for the release (check the specific minimal requirements for the specific version you want to install).
  2. Using the hosting control panel, create a MySQL or MariaDB database to host your site’s data. You will also need to create a user who has permissions to create tables in the DB (if you are using cPanel, or some other hosting control panel software, it will probably suggest this as part of creating the DB). If you do not have a control panel (usually this happens when you have your own VPS), you will need to connect to the server with SSH and consult the relevant documentation on how to use the command line utilities to create the DB and the user. It is essential that at this stage you write down the names of the DB and user you have created, and the user’s password.
  3. Decide what URL you want your home page to have. If you want it in the root of the domain, make sure you know its path. If it is a sub-domain or directory you might need to create the relevant directory first and keep its path.
  4. Follow steps 5 – 9 if you do not have SSH access to the server (or just prefer to do installs via FTP). If you prefer to use SSH, go to step 10.
  5. Download calmPress from the release download page. The current release is listed there, and you should select the “full” download of the release you are interested in.
  6. Unzip the downloaded file into a directory on your local machine.
  7. Make sure you have the details for FTP or SFTP (preferred) access to your server. If not, go back to the control panel, find the FTP section, and create an account.
  8. Use FTP software such as FileZilla (there are many of them; I personally use WinSCP, but don’t take it as any kind of endorsement) to upload the content of the local directory from step 6 into the directory identified at step 3.
  9. Cool, you should have all the files on your server, and the next step for you is step 12.
  10. Go to the release download page. The current release is listed there, and you should select the “full” download of the release you are interested in and copy the URL the link points to.
  11. Start an SSH session, navigate to the directory from step 3 and issue
    wget <the URL from step 10>
    gunzip <the file created by wget>
  12. Now that all the files are in place, use your browser to navigate to the URL in which you want your site to be, and a screen asking for database related details should be displayed.
  13. Fill in the information about the database (database name, user name, and password) you got in step 2.
  14. In the “Database host” field you should enter the IP address or domain of the server on which the database software is installed. Most of the time, the database is installed on the same server as your site, and you should use a value of “localhost”, but some shared hosting companies use a dedicated server for the database software, and you will need to find out on which one your database was created at step 2. This information will probably be displayed at the same place where you manage your databases in your control panel.
  15. The “Table Prefix” field is meant to be used in case you want to have more than one site using the same database, a configuration which is not recommended, if it can be avoided, due to security concerns. Most likely you will want to leave the field with the default value of “cp_”.
  16. Once completed, you will be transferred to a screen on which you can fill some basic information about your site. You will be able to change all the information given here later, from the calmPress admin interface, but you should use a valid email address which you actually monitor.
  17. Login to the site and start creating content!