Garden lockdown

It was cold yesterday. Well, cold-ish. Too cold for sitting in the garden watching the world not going by. You had to be moving.

A bit warmer today, but not much. So I kept moving. Last night Neil from Platinum Physiotherapy presented a webinar event on keeping fit mentally and physically during the current strange times. I’d planned on not doing anything much until it had all gone away, but things are looking like they could stretch out for weeks, or months, so being inactive is not a wise option.

I cleared the patio a bit. Might get the mat out. Watch a bit of pilates. Always liked pilates. I should really do more.

And I’m keeping my Garmin on all the time now. Normally I don’t get excited about step counts, sleep hours, calories burned etc, but if there was ever a time for Moving when your garmin says Move!, then this is probably it. I’m not quite sure how it works out when I should move, after how much inactivity, and how much I have to move before it thinks I’ve moved enough, and won’t pester me for a while. But it’s a good kick up the backside. Little and often. I’ll give that mantra a try.

I tried moving round the garden. I tried running round the garden. This works, after a fashion, but it’s a bit steep and windy, so I’m thinking more “obstacle course” perhaps. Rather than ignore the climbs, I can include some steps and treat them as part of a fitness circuit. My ‘lap’ of the garden works out around 45 metres. I can work with that.

When I wasn’t working where I could do a lunge or two, or perhaps even a calf-raise – I like calf-raises – I chased a bee and looked at a plant.

The geek in me loved entering my first irecord for the North East Bee Hunt, so when I saw a rather enormous bumblebee bimbling across the garden I immediately gave chase.

Bombus terrestris (Buff-tailed Bumblebee) -- Mon 30 Mar 2020 15-10-09 BST
Bombus terrestris (Buff-tailed bumblebee)

I’m pretty sure it was a buff-tailed bumblebee (Bombus terrestris), and maybe a queen. I’m still pretty clueless about bees but they’re fascinating creatures. This big bee was not looking for flowers, but instead rummaged around amongst the buttercups and cleavers as if looking for a nest site. Nest? Do bees have nests? Hive maybe.

The herb patch is a bit of a wasteland. I keep thinking about growing from seed, I try it, then remember that I have neither the patience nor interest to faff around with seeds. So it’s plug plants usually. Some with more success than others. Too cold for basil sadly, and last year’s tarragon didn’t amount to much.

But a lovage plant that we bought locally years ago absolutely loves it. Lovage is the sort of plant I like. I like Plants with Attitude, and it never fails to fascinate me the way some plants die down to invisibility over the winter, then, when the spring sunshine comes along, they go absolutely bonkers.

Levisticum officinale (Lovage) -- Mon 30 Mar 2020 09-48-41 BST
Levisticum officinale (Lovage) getting ready to grow

The North East Bee Hunt

The Natural History Society of Northumbria are currently promoting The North East Bee Hunt. I like bees, but I don’t know much about them. I especially don’t know anything about identifying them, so I like it when the introduction to the hunt includes the very unthreatening come-on-in of:

Urban or rural, beginner or expert, naturalist or nature lover, everyone can help to increase our knowledge and awareness of bees in the North East.

Well that doesn’t sound scary so I signed up, and also set myself up an account on irecord, the website where records and sightings are submitted and checked.

In these Covid-19 locked-down times, there are worse places to be than in your garden squinting at bees through your camera then trying to work out what they are. The Natural History Society provide an identification guide of the five key species that they’re interesting, although I also found the BTO guide useful too, especially as I found I had a Buff-tailed bumblebee (Bombus terrestris) in my hunt.

It’s a good feeling submitting a record. It’s an even better feeling when your ‘likely’ identification is approved with a big green tick.

I saw two species yesterday, and I think I’d probably recognise them again in an identity parade. Not the individuals, obviously, but the species I think I’d manage.

There were about half a dozen or so bumblebees buzzing around on the willow flowers, about 4 or 5 metres above my head. Zooming in on the photos I had tree bumblebees and buff-tailed bumblebees.

Bombus hypnorum (Tree bumblebee) -- Fri 27 Mar 2020 14-08-50 GMT
Bombus hypnorum (tree bumblebee)

I thought they were all tree bumblebees at first, but after submitting the record it was pointed out to me that I also had buff-tailed bumblebees.

Bombus terrestris (Buff-tailed Bumblebee) -- Fri 27 Mar 2020 14-08-13 GMT
Bombus terrestris (Buff-tailed bumblebee)

Another layer of security for WordPress

A simple way of deflecting brute-force attacks is to require an additional password to access the WordPress login screen. Lots of security plugins will do this for you, but again, sometimes it’s better to DIY.

I put a .htaccess file in the wp-admin directory and that almost completely worked, but mystifyingly, and irritatingly, there would be regular failed login attempts. Not very often. About very 20 minutes or so. But I was irked (I tell you), as I couldn’t work out why they were happening.

My .htaccess file looked a bit like this:

AuthName "my site"
AuthType Basic
AuthUserFile <myauthfile>
Require valid-user

A few searches made references to differences between apache 2.2 and 2.4, and I thought that perhaps it was a syntax thing. But that didn’t seem to be it.

I did two things in the end, so I’m not sure what fixed it.

  1. I modified the .htaccess entry to specifically reference the file wp-login.php.
  2. I moved the .htaccess file to the parent directory.

So the relevant code looks something like:

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secret stuff"
AuthUserFile <my auth file>
Require valid-user

Disable xmlrpc.php

Thanks to the Simple History plugin, the first thing I noticed on my new WordPress install was hundreds of brute-force login attempts:

Anonymous user from x.x.x.x 4:25 pm (less than a minute ago)              Failed to login with         username "dougie" (incorrect password entered) warning       Showing 212 more     

And then more alarmingly, immediately the same thing on a new test user I set up a few minutes later. Of course, just because frustratingly I can’t work out how the attacker extracts the new WP username immediately doesn’t mean it ain’t happening. But the attack vector, so to speak, was the xmlrpc.php file.

Several ways to tackle this, and initially I used a security plugin to fix it. But given the choice, I’d rather do things like this manually so I have a better idea what’s going on, and maybe learn something too.

I pasted the code suggested from into my .htaccess file:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from

changing the allow from to the static IP for my regular connection, although strictly speaking I don’t think I need that and will try taking it out altogether sometime.

Publishing failed – JSON error

Migrating WP blog to my VM. New install of WordPress. Test posts with Guttenberg (Block) Editor. Following error:

Publishing failed. Error message: The response is not a valid JSON response.
Publishing failed. Error message: The response is not a valid JSON response.

An interesting rabbit hole. Lots of searches rightly suggested that using the classic editor would get round the problem. Or that by changing the permalinks settings to Plain would fix it. It did, but not much help if you want your permalink settings set to something else.

Eventually I discovered that the issue for me was with the .htaccess file not being processed, which was fixed by adding something along the lines of

<Directory /var/www/html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted

to the /etc/apache2/apache2.conf file (on Debian Buster). This worked for me, but I get the impression it’s better practice to edit the files in /etc/apache2/sites-available instead for any local code in case apache2.conf gets overwritten on an upgrade. Probably also need to do a:

a2enmod rewrite
systemctl restart apache2

So for me the cause of the error message was quite obscure. Useful link: