(Reading time: 4 – 7 minutes)

Welcome back. We’re picking up Heather’s “Silence is Golden” story from a couple of days ago. She’s played some video games, had a good night’s sleep, let’s see what she is going to do next.

An unwelcome visitor, continued

-by Heather Craik

After some thinking and a good sleep I actually started to feel pretty positive about the whole thing. My old work in its old form was gone. However, I still had all of the posts themselves in their original form. In addition, there were also time constraints on me due to college work and so on; I hadn’t had time to update as often as I liked, because I couldn’t justify creating loads of new posts in my current scrambling situation.

Then the pieces were picked up

Plus, there were other things I’d been wanting to test out on my blog that I’d been putting off; too new, too much work, not enough time. Inadvertently, what this hacking had done was give me a golden, shining opportunity to change. I had an excuse now. “Oh, I was hacked so I had to change a few things” – if the change didn’t work I could always use that.

(I never did, because that would have been wrong and highly hypocritical. Being human though, it was nice to have the illusionary safety net. I won’t tell if you won’t.)

New and improved plan in hand, I ventured forth into the decaying ruins that had been my blog. Destroy and rebuild; Change. I was excited, and possibly even happy. Here was the chance to take everything I’d done right, cull the stuff I’d done wrong, polish everything up and remake it – but better!

Plans were made…

It took me the better part of a day to get my WordPress installations up; themes, posts, comics, and so on could come later. There were all sorts of little problems that demanded attention, crying and bawling at me until they were fixed (the RSS feed was possibly the loudest). In the end, I decided that I could take time to get it right. There was no need to rush and make it all perfect all at once.

If I was going to redo it all, then by golly I was going to do it properly.

…and plans found unnecessary

Now while I was trying to fix the niggles and errors in my new blog I got a load of work moved forward a week in college; the whole site ground to a halt while I dealt with my main project. This meant that it was still broken by Saturday. (The cavalry always arrives on Saturday.)

I’m referring of course to Brian, my host/system admin/tech support. I don’t really like to bug him for normal, everyday things but in situations like this he’s great to have on board. Cutting a long story short, Brian restored my backup the correct way and everything up until the 3rd of May returned.

New ideas were spawned

“But Heather, what of your new and exciting plans to make it better? Doesn’t having it all back defeat the purpose?”

Honestly? Yes and no. Everything I’d planned to do had assumed a clean slate, where I could change categories and tags with impunity and re-write everything without risk of duplication. However, having everything back saved me from a lot of 404 errors (hadn’t even wanted to think about those before) and meant that I could look at things from a different perspective.

All was definitely not lost and large amounts were gained. With some tweaking I could still go ahead and create the blog my readers deserve. Smarter steps were needed but the direction remained the same.

And the event was reviewed

Wrong Moves:

1. I ignored that there was a problem for almost a full day before I looked at it properly.
2. I let it affect the entire rest of my day after discovery.
3. I handed the power to affect my mood over to the hacker. (cliche, maybe, but true)
4. I deleted the original files, and tried to fix everything on my own.
5. I wasn’t aware of how to restore my backup properly, which led to the assumption that it didn’t work.

Right Moves:

1. I removed myself from the situation instead of jumping in to fix it straight away.
2. I sought help from people more experienced than I was (helpful also for the side benefit of support).
3. I had a backup, however long ago it had been.
4. I planned, even when I thought all was lost.
5. I kept going.

Bringing us to the conclusion

Ultimately the whole experience was more annoying than damaging. The hacker hadn’t done anything truly horrible like remove every single file in the directory, nor had they gained access to cPanel itself (where they could have deleted the backups and left me at the mercy of whatever I had on my own hard drive). Everyone says ‘back up your blog’. They’re right to do so.

However lets amend it to ‘Back up your blog at least every week and find out how to restore them properly‘. You can bet I will be.

Another saying that’s often bandied about is ‘look before you leap’ – If you have someone you know could help you then don’t do anything drastic in the meantime. The only solution visible to you might be a complete overhaul.

However, we’re not the most objective people when it comes to our own blogs. Consulting someone more knowledgeable is definitely worth your time.

One last thought:

“If everything seems under control, you’re just not going fast enough.” – Mario Andretti.

Dave here… question for readers: If you had a major hack, would you restore everything exactly as it was before the hack? Or would you take the opportunity to do a major upgrade?

Heather writes The 3D Student providing video tutorials, reviews, and advice for 3D students. She loves working with light and texture for animation and modeling, writing, drawing, film and playing video games. Visit Heather at The 3D Student.

Post from: Website In A Weekend

After the Hack, Restore, or Start Fresh?

(Reading time: 6 – 10 minutes)

Back in the day, website hacks were either pranks, where the hacker would simply leave a calling card, or outright criminal activity targeting large corporations. We should have it so good. Nowadays, hacking seems to be just vandalism, plain and simple. Boring. And frustrating when it hits close to home. For example, Heather and I have been cooking up some web magic on the back channel over the last couple months. So when Heather Got Hacked, it messed with our collaboration timeline. And that’s… annoying.

Let’s hear what Heather has to say about it.

An unwelcome visitor

-by Heather Craik

My blog isn’t a big one. I’m not a ‘Problogger’ and I don’t have hundreds and hundreds of followers. My traffic isn’t even terribly great at the moment. One thing I do have, though, is a hacker.

As far as “perks,” having a hacker is one I could do without!

When I noticed what had happened the first thing I did was nudge Dave, who (after helping me out a little) asked if I’d come and share my story with you. Morals of the story can come later, but there’s one thing I’d like you to keep in mind as you read through. This could happen to you too.

Without further ado lets travel back a bit to the morning before I discovered my unwanted visitor… (Grab yourself a coffee or something, this is going to be a long one)

It began with a feeling…

The day started a little later than normal but not in any particularly remarkable way (unless sleeping late is considered remarkable?), and I went through normal morning routine stuff. Won’t bore you with the details there, we all have our own methods. Sat down and did some work offline; writing with actual pen and paper followed by planning my day. Checked emails, checked blogs, commented a few times.

That’s when I saw the first sign. In fact no, if I’m being totally honest, I’d wondered about this ‘first sign’ the day before as well but hadn’t had the time to check into it. CommentLuv was showing ‘No last posts to return’. To my shame, I didn’t instantly check in on my blog. I went around CommentLuv’s site first, got to the troubleshooter part, and arrived at my own blog in a very circular fashion. Now it’s worth pointing out that I’d known it was showing blank the day before since someone else had pointed it out to me. I’d dutifully gone and checked, had a look in cPanel at the files, and concluded that it was probably the server (I was very distracted at the time).

Already the dread was creeping in. I could feel there was something wrong.

Doubt had curled its insidious fingers around my brain, doubt which was only compounded when I tried to access my WordPress Dashboard and was met with the same blank page.

I looked further into my file system with my heart hammering, checked the main page (it was still working) and tried my blog again in a desperate attempt to deny what was happening to me. No dice – apparently circumstances don’t change if you deny them long enough and wish for it all to be ok. Drilled further down and was met with a very empty contents folder.

Now imagine this for a second: your blog is down, you’ve exhausted all the ‘Oh, its just the server’ excuses you could. You have even visited your host’s website to see if they were also having problems. You’ve checked further into it, and suddenly, everything you’ve been working on since the very start of your online blog life has simply disappeared.

“Sickening” doesn’t even begin to describe the feeling.

Some anonymous piece of [well, you get the idea] has come in while you weren’t looking and brutally murdered your brainchild.

Still not quite giving up hope, imagine you looked at the code in the index.php file (I’m not very code-y by the way, I just know that it’s the main file and for the purposes of this example you do too) and were met with this:

Silence is Golden hack

“Silence is Golden”

Wouldn’t you feel like someone had punched you in the gut?

I know I did. Or stabbed, or slapped, or whatever violent unpleasant reaction you want to add here. Not only did they kill off my poor, innocent little baby blog but they left a calling card stating that it wasn’t any good in the first place.

Upset? Yes. Angry? Oh you bet. Confused and Stunned? I’m sure it was in there somewhere under the angry.

And continued in confidence…

My first reaction was to pace around my room threatening random inanimate objects. My next? To play video games.

Thankfully I’d at least backed up this month; though it was 20 days ago now. However, as you just read, that didn’t occur to me at the time.

Getting hacked was the last thing I needed to be doing. This particular disaster happened to come right in the middle of a frenzy of college work. I had a full day ahead of me filled with 3D project work and editing. Discovering something like this really shouldn’t have put my whole day on hold, and it was most definitely something that would have been better happening a week or two later (or not at all for that matter). What can I say? It’s easy to get to me apparently, and I shamelessly wasted a few hours on some random fast-paced game that didn’t require me to think.

After, that is, trying to reach a few different people (Dave included) for help and finding that everyone was offline, asleep, or busy.

Video games seemed like a great idea at that point.

Eventually, I calmed down and went out to college for part of the evening to do some work. Got back home not long after since I can’t really work on much in college itself at the moment and took another look at it. Backups were downloading when Dave showed up, and between us we figured out they’d gained access through a tiny permission I had set to allow people to register with my site. Aside from not doing that again, all that remained to do was restore the backup and re-post everything since that time.

To the wrong conclusion

From here on out it looked like there would be one simple solution, after which I could spend some time re-posting a few different articles and it’d all return to normal pretty quickly. The backup was loaded; after five attempts. Thinking that was it fixed, I double checked my blog – just to see that it was there before I started restoring everything else.

Nothing. The backups I’d done through cPanel that had been labelled as ‘Full Site Backups’ were, in fact, nowhere near complete. I would have needed another, more specific, backup of my database itself. This wouldn’t have been a problem if the plug-ins I’d been using for that had worked however they’d gone on the fritz a few days ago and I hadn’t fixed it yet. Further, I still couldn’t even get into my dashboard.

In short, I had no backup.

By this point you could be forgiven for assuming I lost it completely, ran around destroying things like a crazy person, or at the very least shed a tear (earlier in the day had caused a few after all). On the contrary…

…I felt distinctly apathetic.

Sure, I had all my posts in their original form minus formatting. There was always the option to reinstall WordPress itself and build it again from the ground up.

What was the point though? All the comments and discussions we’d shared before were history, even if I were to post the same things again there wouldn’t be that level of engagement; it’s now old news. I decided to sleep on it, do something unrelated for a while.

Admit defeat for the night.

[To be continued...

Meantime, have you had the "Silence is golden" attack? Or something worse?]

Heather writes The 3D Student providing video tutorials, reviews, and advice for 3D students. She loves working with light and texture for animation and modeling, writing, drawing, film and playing video games. Visit Heather at The 3D Student.

Post from: Website In A Weekend

Silence is Golden? Not according to Heather

(Reading time: 5 – 8 minutes)

Woops. I published this piece wondering what I forgot, and it was my introduction for this article’s author, Anne Bender. Since it’s pretty late, and (contrary to popular belief) I do sleep once in a while, I’m simply going to go with “Anne is really cool and you should hang out with her at Anne On Life.”

Hacked. I Feel So Violated, Again!

-by Anne Bender

No joke: twice in two weeks I’ve been hit with malicious code on my site. The first time I rebuilt, lost stuff, moved on, fixed what I could, breathed a sigh of relief. The second time I almost cried.

I was devastated to say the least. It’s like an invasion of my home or car or … ME! Been there, done that. I carry my keys in my hand or pocket, never in my purse. Lesson learned.

February 19, 1993

There are few things we remember so clearly. For me, these things would include:

The birth of each of my children. Oh, yes, I remember all three vividly.

Being told it was not my fault I can’t cook since my mother didn’t teach me my proper role as a woman. Uh, I can cook, hole surrounded by ass!

And the day in February some stranger put a gun to me, my grandmother and my grandfather. When I was 8 months pregnant, and my grandmother holding my daughter Megan. Good thing I was poor and all he really got was my sense of security.

Seventeen years later, I still carry my keys in my hand.

And then there’s this:

Now, imagine my surprise to find my dashboard looking like that strange anomaly above. I started thinking “Oh, crap! not again!”.

See, this is how it started. The first time was my fault. I did not upgrade WordPress to its latest version. Normally I do, but I had heard rumblings of it not working quite right so I just didn’t. Mistake number one. Then, I changed themes without reading the instructions thoroughly. (Hmm, sounds like every guy I know.) Mistakes number two and three, trust me here. I didn’t backup my blog properly. Did you know there is this database file stored on your host server that you should backup? I thought something must exist, but again, I didn’t read the instructions first. Mistake, mistake, mistake.

I fixed it… no?

Step one – update WordPress. Of course, I had to update WordPress from within my site, then over on my host. This fixed my wonky dashboard.

Step two – get infected by malicious code which messes up my feed. Huh?

Never, ever, ever delete your feed. Never! Don’t do it. Don’t think it. Mistake number, oh I lost count.

Everything gets rebuilt from the bottom up!

Operation Fix Blog, take two.

First, I exported my blog using WordPress’ export feature under tools. I also noted how my site looked, widgets used, plugins I would want to reinstall, etc. Then, I moved all of my files directly from my hosting site. I was going to download them onto my computer, but my FTP program didn’t want to cooperate. Instead, I created a folder called godhelpme [no joke] and moved everything to there.

Breathe in, breathe out

Second, I reinstalled WordPress through my host. New installation, new user name, new passwords, new everything. And I waited.

After WordPress was up and ready to go I logged into my account and adjusted my settings. Here you want to change your permalinks to match your old style, re-check threaded comments if used, add profile information. At this point I stayed with the default WordPress theme. No major changes until all my information was recovered.

Here is where I ran into my first real problem.

I proceeded to import my previously exported file into my new WordPress install. My advice here would be to do a basic import and not elect to import images and such. This worked better for me, although not without its hiccups. See, not all of my posts came back.

In fact, most of my posts did not come back.

My site has posts dating back to November 2008 and through May 2010. During my first restore WordPress imported to June 2009. I hit that import button a minimum of 50 times. In the end I lost about 20 posts and had to recreate them from my feed reader and export file. I have no explanation for this as all of my posts were in that file. It could be my internet connection, my hosting provider, or just a glitch. No one could really explain this. I asked.

Time to Spruce Things Up a Bit

After everything was as close to its original state I proceeded to install my preferred theme and reinstall my most used plugins. This took the most time. Never wanting to be like everyone else, I opted to use Headway instead of Thesis.

One thing to note if you decide to go with Headway is your WordPress files must be in the parent directory. Some of you may like to use a sub-directory such as /blog. This will not work. Something to think about.

Headway installed, check. Plugins installed, check. Spackle, paint, polish, check.

Where are my images? Since my blog was originally in a sub-directory I copied my image files back into a newly formed, same name sub-directory so my old posts could find their pretty little pictures.

Then, I recreated my feed that I deleted [learn from my mistake]. I lost every single subscriber and I only had 36. So sad for various reasons. But it worked. Everything was up and running. No wonky dashboard. No malicious code. Life is good.

Until it happened again…

I was this close to deleting the whole thing. But I didn’t. This time I restored my site to a time when there was no malicious code. And I created this massively long, strange, phenomenal password. So far so good. Yet, my keys are in my hand now. I don’t feel as secure as I once did. My site has been violated not once, but twice in about a week’s time. I’ve gone through the depths of hell and come out the other side.

I lived to tell the tale: Back up, export, be vigilant.

Save your blog and your sanity.

Anne Bender resides in rural Virginia with her husband, 3 kids, 1 dog, and various chickens. She has an equal fondness for numbers and words, and a love-hate relationship with technology. Anne plans to live near the ocean, writing fun stories and really bad poetry. Visit Anne at AnneOnLife.

Post from: Website In A Weekend

Hacked. I Feel So Violated, Again!

(Reading time: 2 – 2 minutes)

Hola mijos!

Quick letter from the front lines, where Website In A Weekend is under attack by a botnet performing a distributed denial of service (DDOS) mission.

So far, the botnet scored some early victories, but we’re struggling along and gaining ground:

• Website In A Weekend is on a shared server. This means I don’t pay very much. It also means that other people with other websites are on this server. Bluehost has been very good so far, and they have told me that none of my sites are a problem.
• Every site on the web is subject to DDOS. Piss off the wrong person, they will take you down. Ask Cliff Stoll about this.
• I’d be delighted to move to a dedicated server. You can help. Send me $100 US per month, done deal!
• Guest post authors: I’ll be emailing you shortly. This condition isn’t permanent, but I don’t want to run any “real” articles until victory is achieved.
• I plan on writing one of these “Under Attacks!” daily until the DDOS is resolved.
• In related news, “Dr. WordPress” is retiring. Dave will be writing from here out. I’ll have a lot more to say about this in very near future.

Shared hosting is an incredible value, on average. It continually amazes me how much power I get for $100/yr. If you aren’t amazed, go ahead and set up your server, just to see how many moving parts you have to synchronize.

Website In A Weekend will move to dedicated server in the future, now is not quite the right time.

In the meantime, since I can’t write to my usual standard, I’m going to issue Under Attack! updates more or less daily. Don’t worry about commenting, it’s disabled…

Did I mention? My Akismet connection went bad. The spam is pouring in!

Enough for now. Surf is definitely up, and I’m off with Walter Yu to catch some waves.

Post from: Website In A Weekend

Under Attack! Freedom! (Update 2/13/2010)

(Reading time: 6 – 9 minutes)

Once you’ve been blogging a while, and your website has grown, your responsibilities start to grow. When you’re starting out, getting hacked isn’t that big of a deal: you don’t have much to lose. Once you have months or years worth of content, getting hacked turns into a Big Deal. Preventing malicious hackers from destroying your website requires understanding a bit about how WordPress works, and implementing a few more advanced security techniques.

[Updated: 1/15/2010, Bandit Defense screenshot.]

Understanding WordPress

WordPress is a little bit like an Automat diner

WordPress is a collection of PHP scripts emitting HTML web pages that are stored in a MySQL database. This sounds more complicated than it really is. You can think of the WordPress system as a sort of “automat” of information, allowing your readers to pick and choose articles according to taste and interest. The “food” is your posts and pages in the MySQL database (kitchen), and PHP corresponds to the “doors” and serving apparatus.

Diners don’t have much need to know how the automat works… but the automat owner needs to know a little bit about all the pieces fit together: how to grease the hinges, fix the locks, etc. And of course, the larger the automat, the more menu items, the more service required.

Similarly, as your WordPress-based website grows in breadth and depth, you should learn a little more about how it all works. Every capability you add to WordPress is a small increase in your security overhead.

Fortunately, WordPress is not a difficult system to understand, and all the source code is free and open, anyone can learn it and use it.

Learning to recognize fishy PHP code is not difficult, nor is watching out for database exploits. Fortunately, there are also plugins to help you with many of these more advanced security tasks.

Setting up a security system

First, if you haven’t installed your basic security apparatus, you should do that right now. Here’s “More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors.”

Second, put security on your checklist of regular WordPress maintenance tasks.

Third, do all the little things that may or may not help, but certainly don’t hurt. For example, here’s some great tips from Lost In Search:

1. Remove WordPress version information.
2. Lock down plugin directory listings using dummy index.html files or the .htaccess Apache directive Options -Indexes.
3. Add security keys to wp-config.
4. Turn off remote publishing if you aren’t using it.

You should read the article for yourself and implement these and the other suggestions.

Next, read this rest of this article…

Vetting themes and plugins

Themes and plugins are great places to hide malicious code!

Here’s the easiest way to minimize risk of malicious code in WordPress themes and plugins: delete every theme and plugin you are not actively using on your blog.

Other actions you can take to increase WordPress security:

1. Test all new themes and plugins in a sandbox installation first, before deploying to a production server. This can be a dummy blog on your hosting account, or a localhost installation. Watch for bogus network traffic. On Windows, I like to use the Fiddler HTTP debugging program, which shows me all the network traffic to and from my computer.
2. Use plugins and themes from reputable developers. Being hosted at WordPress.org is not enough. Read the comments and reviews on each plugin and theme before activating. For more information read “WordPress Plugins — How to choose plugins you need, and plugins to avoid.” Many of these considerations for choosing plugins also apply to choosing themes (watch for an upcoming article).
3. Read the source code for each theme and plugin you choose to install. Really. If you have technical inclination at all, it’s not that difficult. You don’t need to understand every line, but with a surprisingly modest amount of work, as explained below, you can easily sniff out fishy code for more thorough investigation.

When you develop enough traffic to outsource more of the maintenance work, ensure that whoever you hire has the skills to audit your theme and plugin source.

Digging really deep!

For advanced readers with a little time to dig, investigate these techniques.

How to spot malicious code in WordPress

As noted above, malicious code can be inserted into both WordPress themes and functions.

Here’s a great article on tracking down malicious code in WordPress on a Linux box. Most of this can be done on a Windows PC as well, provided you have Cygwin installed.

The upshot: look for base64 encoding in any theme or plugin you download!

Scan your WordPress directories with Google

Here’s a little tip from Bandit Defense: Scan your WordPress installation directly, using Google. The proof is in the pudding as they say, and if Google can see it, Bad Guys can see it too.

Here’s an example, do a Google search with your URL instead of website-in-a-weekend.net using the following pattern:

site:website-in-a-weekend.net  intitle:"index of" inurl:"wp-content/plugins"

I left my URL in as an example because I know you’re going to look at my installation anyway!

Bandit Defense has a Part 2 article which is worth reading as well.

[Update: 1/15/2010: Bandit Defense is down! Hat tip Average Joe.]

Ah... er... Let's focus on the message, the messenger is AWOL.

Subscribe to WordPress related blogs

Many websites and blogs are dedicated to WordPress, here’s a couple:

1. The official WordPress.org blog reports on security issues as they arise. This blog is worth following to get general WordPress updates as well.
2. The “security evangelists” at Blog Security are paying attention to WordPress security issues, so you should pay attention to them.

I went looking for dedicated WordPress security blogs on Google, didn’t find any… perhaps that’s an opportunity for a motivated reader!

Summary

Security is more properly viewed as a process, not a problem. Good security is a set of habits that let you build experience, which in turn increases your intuition when “something’s not right here.” Remember, the Bad Guys get a large charge out of compromising your web site. It’s what they live for! Good security is an arms race… you have to play whether you want to or not.

Post from: Website In A Weekend

Advanced WordPress Security Tips

(Reading time: 2 – 4 minutes)

WordPress has 5 built in Roles controlling how various aspects of the blog can be managed. The WordPress Codex has an excellent discussion of Roles and Capabilities, and you should read this very carefully.

Now, reading all this information is time consuming and confusing, and doesn’t really make much sense until you put it into practice. Knowing all the information means nothing without knowing how to use it. And personally I find it easier to learn by doing, so let’s do some learning.

First, make sure the Registration box is checked. Go to Settings >> General, your page will look something like mine in the following screenshot:

Check the box in Settings >> General to allow user registration

Now log out of your WordPress blog, and go to the login page. There will be a “Register” text link to the lower left of the login panel, click it. Register 4 users using your name and each role. For example, I registered “subscriberdave” “contributordave” “authordave” and “editordave.”

Next, log back into your WordPress blog as administrator. For each of these new user names, assign the appropriate role. Since my default role for new users is “Subscriber,” that’s already dealt with. Proceeding, “contributordave” is assigned a “Contributor” role, etc.

Now you have a collection of users with different roles. Ready to test it all out? Sure you are…

Testing is easy, if you use at least two browsers. I regularly use three browsers (Chrome, Firefox and Safari) myself, and with Internet Explorer, I could use 4. Add Opera for a 5th browser. None of these browsers need any fancy features, you just want to be able to log into your blog as each different user… all at the same time!

Once you’re logged in, under each user name, do the following and you will see very clearly which roles get which capabilities:

• Write a blog post.
• Delete a blog post.
• Install a plugin.
• Upload an image or file.
• Reader’s choice… hit the admin menu links and play around!

Once you have spent a leisurely hour or so playing around with roles, go back and reread the documentation on the WordPress Codex Roles and Capabilities. It will all make much more sense the second time around.

Post from: Website In A Weekend

Setting Up For Multiple Users On The Same WordPress Blog

(Reading time: 7 – 12 minutes)

Do a quick search on “WordPress Security Plugins” you are going to get a boatload of results, most of which aren’t going to tell you too much more than what you can read in the plugin’s documentation. Seriously, check this out: 57 security wordpress plugins. WTF? Seriously, go check that out. If it serves your needs, cool. If not, come back and we’ll dig into what, where, how, why and all that other happy horsepuckey you really need to learn at some point.

Some are complicated. Some make you jump through hoops as well. What we’re really looking for is plugins that are simple to use and understand, yet powerful enough to catch our blunders and any script kiddies who come knocking.

By the way, if you don’t already know, anyone that wants into your blog bad enough, will probably find a way in. We can’t do anything about people like that. But they’re few and far between unless you’re in the easy/fast money businesses of sex/drugs/gambling. You know, easy money stuff the state wants to tax. But you’re not… so no worries.

I’m going to take a slightly different stance here and expose myself… ah… I mean, I’m going to list and discuss only the plugins I find useful here on Website In A Weekend… which means if any of these plugins have a security flaw, Website In A Weekend goes up in smoke! Anything for my readers!

Let’s get started.

WP Security Scan

Michael Torbert’s WP Security Scan is absolutely the first security plugin you should install. Go install it right now in fact. I’ll wait.

Here’s how WP Security Scan helps protect your blog:

1. Helps prevent SQL injection attacks by warning about default WordPress database table prefix. Even if you don’t fix your database table prefix on your current blog, you will be sure to specify a custom prefix on your next WordPress installation.
2. Flags incorrect and dangerous file system permissions. Once you fix your permissions correctly, the plugin lists the corrected as well.
3. Provides a way to evaluate your password strength, and suggests very strong passwords if your imagination for random letters, numbers and punctuation runs dry.
4. Checks for appropriate .htaccess files where you need them. This is big deal, which is little discussed.

Every item in the list above is very simple. There is no reason NOT to get WP Security Scan installed immediately

BlueTrait Event Viewer

The BlueTrait Event Viewer (BTEV) implements custom login and email functions to keep track of what’s happening at a lower level on your WordPress blog. BTEV is slightly more complex than the other plugins discussed here, so you may want install it after you master the others first.

BTEV is really useful when you need to find out the following:

1. Who registered, from where, and when. If you’re getting a lot of bogus registrations, this will help.
2. Who is currently logged in, useful for checking for malicious users.
3. If you write plugins, there is an advanced feature that logs PHP events. This is fantastic, so much easier than dealing with server logs.

BETV works by monitoring all of the following WordPress actions: password_reset, delete_user, wp_login, lostpassword_post, profile_update, add_attachment, wp_logout, user_register, switch_theme, and activation/deactivation of other plugins.

Saving the best for last: BETV provides an RSS feed… subscribe to your event feed, and you’ll be on top of breaking security issues immediately. RSS feeds are critically important when you’re operating more than one WordPress installation.

Login LockDown

Login LockDown rains contempt on spammers

Then been locked out for “Too many retries.”

That’s the kind of pain and suffering you want to visit on spammers, and other jerks who rob your bandwidth with stupid linkbaiting schemes offering… well… I won’t dignify what they purport to offer by putting it into words. Let’s just say, when you’re clickthrough rates are less than 1/100,000… you have to resort to massive spam.

The WordPress Login LockDown plugin from Bad Neighborhood SEO helps rain contempt on spammers and scammers by preventing them from using brute force attacks to compromise your login security. Actually, they can still brute force attack you, but they get three tries (you set this number) before you send them off for an hour to cool their jets.

Install Login Lockdown to escalate your security quickly and easily. It’s super simple to set up and operate. Just using the default parameters should be enough for most people.

SI Captcha

SI Captcha even looks good!

But captcha is a proven technology. Users don’t mind it too much, provided the letters and numbers are easy enough to read.

And SI Captcha really nails it. Check out the screen shot. This captcha box even looks good!

Installation is simple. Operation is simple: choose whether you want captcha shown on comments, or on registration, or both. That’s about it. This captcha plugin plays well with AWeber Super Simple too, so you can ask people to sign up for your AWeber newsletter at the same time they register.

[Updated 1/17/2009] links:

• SI CAPTCHA Anti-Spam – WordPress Plugin by Mike Challis.
• SI CAPTCHA Anti-Spam on WordPress.org

Redirection and Drain Hole

Redirection and Drain Hole are incredibly useful plugins, and very powerful as well. This review is going to focus on just a couple of the capabilities of each.

Drain Hole allows you to set up your download archive outside your web directory. This means that you can provide files, movies, images, whatever you want, from a location that’s not directly accessible to your web server… which means it’s not directly accessible by casual web surfers. Once you set up a “drain hole,” you provide a link people must use to access the files, and you can monitor the traffic. Using Drain Hole is an excellent “next step” in securing your content. Read more about setting up your first Drain Hole for securing downloadable content.

Redirection is so powerful, it would require a 5000 word article to fully explain how to use all the capabilities. The compelling security reason you need Redirection is for monitoring your HTTP 404 Error logs. The HTTP 404 Error means the web server could not find the page asked for by the browser, so it returns error code 404, and possibly an explanatory web page to help the reader. Here’s a screenshot showing some of the features of Redirection:

Redirection has powerful HTTP 404 Error monitoring

The default installation of Redirection provides specific 404-related features that benefit you:

1. You can easily ban spammers because each 404 error is logged with page/url requested, domain name and IP address.
2. Redirection’s RSS feed for the 404 module allows to monitor several different blogs from the convenience of a single RSS reader, which saves you massive amounts of time.
3. You’re alerted to bad plugins because ou can see, by name, which plugins have security compromises. For example, Website In A Weekend periodically gets a string of requests for the “Wordspew” plugin. Doing a search for the Wordspew plugin led to information warning about security risks.

Redirection has more powerful features, many of which will be discussed in future articles. Make sure to subscribe so you won’t miss any information.

A message from our “Sponsor”

Long time Website In A Weekend readers know I rarely miss a chance to flog my current musical obsession or marketing book-du-jour… so you’re not done yet!

Check this out: for about a $1.35 (what it cost me), you can get a good condition, used copy of Benjamin Suarez’s 7 Steps to Freedom II: How to Escape the American Rat Race

This book is worth far, far more more than $1.35.

Put Suarez’s advice to work, it will save you time and make you money. But the key is work…

What he does is lay out the entire business operation for producing and distributing consumer products marketing by direct mail. He lays out every single procedure. All 70 procedures. It’s work.

But here’s the cool thing: you don’t have to be a direct mail marketer to benefit from this book! The principles of product selection, consumer testing, advertising, all of it translates right straight to the internet. If you wondered where all these internet “Big Boys” learned their chops, big hunks of it are right out of this book. Get your “7 Steps to Freedom” now! (For $1.35.)

Post from: Website In A Weekend

More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors

(Reading time: 3 – 4 minutes)

I’m dealing with trying to shut down a site that ripped an article off of mine. It’s tremendously discouraging when you find your own work listed #1 on Google search, linked back to someone else’s site where it’s posted with no credit to you… and your original article doesn’t even make the top 10 pages in Google search results. I found out because I backlinked to another of my articles which was already posted. The trackback showed up in my comment moderation queue.

Stop ripoffs before they start

Here’s some techniques you can implement right now that will help mitigate ripoffs:

1. Treat all articles as “chapters” in an ongoing story, and link back to at least one other article which is already posted. This way you will be able to track ping backs if your article gets ripped off and posted on another blog. Here’s an example from an article on RSS at There Is NO Box. I have several of these RSS articles chained together.
2. Put in some personal information which will be natural for you, but totally and completely out of place when read out-of-context, say on a spam blog. I do this on one of my other website on a regular basis. For example, check out this article: linking errors in Microsoft Visual Studio (There Is NO Box).
3. After you have written an article, go back to a previous article and link the old article to the new. You can see that in the RSS examples from the previous point. For another example, I’ll link my existing article on teasers to this article as a reason for why learning to write good teasers is important.
4. Move to teaser text for RSS feeds.
5. Use the RSS Footer plugin, which leaves a link back to your web site if your RSS feed gets automatically scraped.
6. Consider requiring registration for anyone to even read good content. Registration could be free. Website In A Weekend will be moving to a membership site in the near future.
7. If you can, post daily. If you post daily, Google will scrape daily. Website In A Weekend’s more-or-less weekly schedule of high quality content simply opens the door for spam bloggers to steal from your RSS feed… and get YOUR article ranked on THEIR site much faster.
8. Post the article on digg and other social media sites. If it’s posted there immediately, and someone else resubmits, they have to cross the “originality hurdle.”
9. Add a liberal sprinkling of affiliate links. If you don’t catch the spam blogger, you have a chance of at least deriving some affiliate commission from the article. This will work as long as the links aren’t stripped. If the links are all stripped, you probably aren’t going to find the article quickly anyway.

Being ripped off, if left unchecked, takes food out of my mouth. I would have to stop writing completely.

More resources

All of the above suggestions I developed independently, although I am sure some (or many) of them are not original. You can find out more about dealing with content theft by searching on Google.

Post from: Website In A Weekend

How To Make It Easy To Catch People Stealing Your Articles

(Reading time: 2 – 2 minutes)

It’s easy. Here’s how…

WP comes with a default user account named “admin” which has full administrator privileges.

Remove the “admin” account to help prevent malicious hackers from ruining your website.

NOTE: AS USUAL BACK UP EVERYTHING BEFORE PROCEEDING! (Only takes a couple of minutes!)

Here’s how.

1. Login as “Admin” user.
2. Pull down the “Users” menu in administration page.
3. Click on “Add New”
4. Add a new user, set your permissions to “Administrator”
5. Save the changes, and log out.
6. Log back in as the new user.
7. Go to “Users > Authors & Users”
8. Select “Admin” user.
9. Use the pulldown menu for Bulk Actions to select “Delete.”
10. Click on “Apply”
11. You will be taken to a page that allows you to either delete all of that users posts, comments, etc, or assign them to another user. In this case, you want to assign all your existing posts from the “Admin” user to your new user, which you can do by selecting that choice, then selecting the appropriate user.
12. Press “Confirm Deletion” and you’re done.

Now, automated hacker scripts have to figure out a user name before they can even get started on cracking your password!

This procedure takes only a few minutes, and you should do it as your first security action after installing WordPress.

Post from: Website In A Weekend

WordPress Simple Security — Replace the “admin” account