Independent Digital

You’ve probably been using WordPress for a while now, you love it but every now and then something weird happens and your blog just does not perform as it should. So when a new update comes out, you’re overjoyed and eagerly update your blog, hoping all the problems will disappear. But they don’t. Maybe your blog was hacked at some stage but you found the gap and blocked it for good, or so you thought.

You keep getting hacked even though you have kept up with the latest WordPress updates so now you’re thinking of ditching Wordpress. Don’t! The solution is simple, it may take a bit of time but it will be worth it in the end.

I’ve been using Wordpress for about 2 years now and have been hacked a few times. Each time I thought I had it sorted only to be hacked again and again…Here are some of the symptoms I experienced:

• I edited posts and pages, pressed SAVE but they were deleted instead of being saved.
• I try to access my blog only to see this… database error: [User '???????' has exceeded the 'max_questions' resource (current value: 50000)]
• I started getting high volumes of spam mail (some using my address as the sender)
• I try to access my blog and all I see is a blank page
• My theme disappears
• My theme is swapped for the classic or default theme
• My database disappears
• I keep getting the installation page when trying to access my blog
• Posts and pages disappear

My final solution was to delete everything and start again. Naturally I had a backup. I first checked my server for any weird looking files and folders. I found a few and downloaded these to a safe folder. I then noted all the plugins that I had as well as the theme that I was using. I deleted all these. Then I deleted all the WordPress files and folders. I then checked the server once again for any weird folders or files (a bit difficult as I had quite a few other, non-WordPress related stuff installed, many of which I could not remember whether they were legitimate or not). So be careful, don’t delete unless you are absolutely sure that it is not supposed to be there. Try downloading to a safe folder before deleting so if it was a valuable folder or file, then you can always recover it.

Okay, once I had a “clean” server, I downloaded the latest version of WordPress, unzipped it and installed it on the server. I chose to create a new wp-config.php file rather than use the old one – I wanted a completely fresh start and didn’t want to risk carrying stuff over from that last install that may be “infected”. Once I had the basic installation working perfectly, I downloaded a new copy of my chosen theme from a legitimate site (see article on themes are a security risk) and installed this in the Themes folder.

If you can view your backup file, check out the wp_options table for any “active_plugins” and delete these, save the file and import it into your WordPress database. Try viewing your blog – it should function properly with the new theme.

I then downloaded all the latest plugins (as per the list of plugins that I had installed before the deletion) from legitimate sites. Unzipped and uploaded these to the plugins directory and activated them all. I then tried accessing the blog and found a few problems:

• The layout was not as it used to be. I then realised that I had done some editing of the theme files to suite the layout that I wanted. So back to editing the HTML to get the pages looking as before.
• Some plugins weren’t working. This was because some of them required some code to be installed within the WordPress “loop”. So a quick inspection of the installation instructions for the various plugins pointed me in the right direction. I was able to install the necessary code and get the blog working as before. I also chose to install “clean” plugins rather than use the old ones because of my fear of contamination. (see article on plugins are a security risk)

So what did I learn from all this?

1. Updates alone will not sort out a hacking problem. Previous versions of WordPress had security problems, which may have led to a security breach of my site. Similarly I may have been careless in other ways, allowing a hacker into my site. The point is that the hacker got through and was able to install code on my site. Updates from then on were useless as far as securing my site was concerned as the hacker was already on my site.
2. I expected Wordpress to take care of my security when I should have been taking care of it myself. I thought that if I updated regularly, my site would be secure. I was wrong as the hacker was already inside.
3. That I need to take security seriously. I did not believe that I would be hacked. I was, not once, not twice but many times. The time and effort that I spent trying to recover from the problems caused should rather have been spent taking preventative measures.
4. That I need to make sure that my site is free of suspicious files and code (within themes and plugins) – if hackers can get into your site, they can upload destructive files and edit your files by adding malicious code). It happened to me. One of the symptoms I noticed was the increasing amount of spam email that I was receiving. Since sorting out my site, the spam email has disappeared.
5. That I need to update my plugins and themes – from LEGITIMATE sources.
6. Increase my security by installing security plugins such as login lockDown,wp-security scan and askApache.

As of the time of writing, my site seems to be working smoothly and thankfully hacker free. If you would like to sort out your hacker problem once and for all but don’t have the time to do it, why not let us take care of the hassle and do it for you. Let us know.

?The Cult of the Dead Cow? announced last week, the release of Goolag Scanner, a free open source web-auditing tool. Goolag Scanner enables anyone to examine their website via Google for any security holes. The scanner technology is based on “Google hacking” developed by Johnny I Hack Stuff. Goolag Scanner can be used by web site owners to detect and correct any security flaws in their web site.

Johnny previously published a collection of these “Google Hacks” or “Google Dorks” on his web site, which are used by ?professional? hackers. Goolag scanner has now packaged these into a GUI automated tool that allows an unskilled hacker to use these very same techniques.

Goolag Scanner is a standalone windows GUI based application using about 1,500 pre-configured Google search queries or dorks. It searches for links to vulnerable web applications, back doors, or documents containing sensitive information. You can select individual searches or sets of them. You restrict the search to your own server, or extend it right up to an entire top-level domain. The results are displayed as a list of URLs that can be opened in the browser. However, if you use the tool too much, Google may block your IP address and there may also be legal implications so be cautious when using it.

Want to be notified when new posts are published?

WordPress themes can be dangerous as far as security is concerned so be very careful when you install any theme. Before downloading any theme consider:

1. Is the download site official, avoid 3^rd party download sites? If it is not an official site nor the authors site, then check the code carefully.
2. Is it the latest version?
3. Are you running the latest version of WordPress?
4. Do research. Check the net to see if there are any security issues concerning the theme that you want to download.

So what are the security issues when using WordPress themes? There are 2 ways that themes can become a risk:

1. The first is when someone intentionally ADDS code to the theme. This could be code which ads a link to the theme. When you display the website using that theme, links are displayed but are probably not visible (see article on spamdexing). The person that included the code is hoping to increase the number of links to his website so that his Google ranking increases. Unfortunately Google will then pick this up and remove your site from their search engine. A double whammy! Quite innovative considering the number of sites using the popular themes. They also imbed code that will allow the mailing of scripts for spam (see artcicle on spam and how to deal with it), phishing or random ads to be served.

2. The second is usually unintentional. The theme author has code in their theme which is not secure and allows a cracker (see article on Search Engine Optimization) to infiltrate the website using the theme. A common example, known as cross-site scripting (XSS) is the use of PHP_SELF without pre-pending htmlspecialchars:

form id="searchform" method="get" action=

"<?php echo $_SERVER['PHP_SELF']" ?>"

This form allows the use of HTML characters when getting the URL of the user. A secure version would include the PHP function, htmlspecialchars() as seen below:

form id="searchform" method="get" action=

"<?php echo htmlspecialchars($_SERVER['PHP_SELF'])" ?>"

This problem is usually seen in the:

• 404 page
• search page
• header page

Here are 2 good articles on cross site scripting:

• http://blog.phpdoc.info/archives/13-XSS-Woes.html
• http://www.net-security.org/dl/articles/xss_anatomy.pdf

Only download your themes from the official WordPress Theme Viewer or directly from the authors’ site.

Want to be notified of any new posts?

Be careful when installing plugins. It is a dangerous world out there with many strange people doing strange things. Now not all plugins are dangerous and neither are their authors. Some plugins, however, have simply not been tested enough with the result that malicious hackers manage to find flaws, which they can exploit to do their dirty deeds. They then search the net for WordPress sites running that plugin. When they find it, they?re in and before you know it, your WordPress blog is performing erratically or your database has been deleted.

One example of this plugin security issue is the wp-forum 1.74 plugin. According to the securityfocus website, ?it is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. (This would allow an)? attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.?

Another example is the wp-db-backup plugin, which had a serious vulnerability issue. Now I am not saying that it is the intention of the plugin author to create plugins containing devious code which allows a security breach. It is more likely that the authors themselves are unaware of the security flaw. As far as I know, there is no standardized validation of plugins to ensure that they are not a security problem. So we need to be very careful before we install any plugin. Do research, check on the web and within forums to see whether others have experienced security issues when using that plugin. If there are no known issues, make sure that you have backed up your website and database before installing the plugin. The WordPress team are continually upgrading WordPress to ensure that it is as secure as possible so remember that the most important step that you can take to secure your site, is to ensure that you are running the latest version of WordPress.

Have a look at this excellent article on plugins and security issues.

Some plugins with known issues

• WordPress BackUpWordPress plugin Php File inclusion vulnerabilities 2007-11-06

• WordPress WP Photo Album Plugin “photo” SQL Injection 2008-02-20

• WordPress Search Unleashed Plugin “s” Script Insertion Vulnerability 2008-02-5

• WordPress DMSGuestbook Plugin Multiple Vulnerabilities 2008-02-05

• Wordspew Plugin for Wordpress “id” SQL Injection Vulnerability 2008-02-04

• WordPress WP-Footnotes Plugin “admin_panel.php” Cross-Site Scripting 2008-2-04

• WordPress WassUp Plugin “to_date” SQL Injection Vulnerability 2008-01-31

• WordPress AdServe Plugin “id” SQL Injection 2008-01-30

• WordPress WP-Cal Plugin “id” SQL Injection 2008-01-29

• WordPress Permalinks Migration Plugin Cross-Site Request Forgery 008-01-24

• WordPress WP-Forum Plugin “user” SQL Injection 2008-01-21

• WordPress PictPress Plugin “path” Disclosure of Sensitive Information 2007-12-07

• WP-FeedStats Plugin for WordPress Script Insertion Vulnerabilities 2007-07-27

• WordPress AdSense-Deluxe Plugin Cross-Site Request Forgery 2007-05-22

• WordPress wp-Table Plugin “wpPATH” File Inclusion 2007-05-02

• WordPress wordTube Plugin “wpPATH” File Inclusion 2007-05-02

• WordPress myGallery Plugin “myPath” File Inclusion 2007-04-30

• WordPress WP-DB Backup Plugin Directory Traversal Vulnerability 2006-08-15

• FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability 2007-10-04

Here?s a list of plugins that you can install to make your WordPress blog more secure.

Want to be notified when there is a new post?

Wanting to customize the look of your WordPress blog? Then look at the following articles:

• Using WordPress Themes - Themes are what gives your WordPress blog its unique (or not so unique) look. This article explains what themes are, where to get them and how to use them.
• Blog Design and Layout - More on themes plus CSS, plugins and design specifics.
• Using Pages - All you ever wanted to know about WordPress pages.

The following simple guides will help you customize your WordPress Theme:

• Lessons on designing your WordPress site ? Covers WordPress for beginners, site design, template files, website development and more.
• CSS Overview, Tips, Techniques, and Resources This article briefly describes the use of CSS in WordPress, and lists some references for further information.
• All about Template files. Template files are the building blocks of your WordPress site. Read this article to find out more about them.
• What are Template Tags ? Well, if you want to know, then read this article.
• WordPress Template Tags Template tags are used within your blog’s templates to display information dynamically. Read this and you?ll be a Template Tag specialist.
• Understanding the WordPress Loop - Crucial if you?re going to make changes within the code to customize your WordPress site.
• The WordPress Loop in Action ? More on the LOOP with a simple example.
• Editing Files in WordPress - To customize your WordPress site, you will need to edit the code. This article discusses that.
• Design help ? Some good links to information on designing your WordPress blog.
• Frequently Asked Questions about Site Layout and Design - A good starting point regarding layout and design.

Want to be notified of new posts?

Google gadgets are handy little things that you can place anywhere on your webpage with not too much hassle. WordPress makes it even easier if you use widgets. It is so easy to insert Google gadgets on your sidebar that you will wonder why you have not done so before.

Here is a quick and easy tutorial on how to do it:

1. Make sure you have the latest version of WordPress
2. Make sure that you have a widget enabled theme
3. Get into your Admin panel and select Presentation > Widgets from the options. Drag the Text widget onto the Main sidebar. Click the configuration tag (right hand side of Text widget) to open up the input window. Enter your title for this widget (the title will be displayed above the widget on the sidebar.)
4. Open the Google gadgets page in another window. Select the gadget that you want displayed on your sidebar. Configure the display settings to your liking. Press the Preview changes button to see how the gadget will look. If you are satisfied, then press the Get the code button. A window will open up with some code in it. Select and copy this code.
5. Go back to your WordPress admin window and paste the code in the large window of the Text widget. Save the changes and view your site. The gadget should be displayed in your sidebar.
6. You may need to play around with the sizing of the gadget to ensure that it fits within the sidebar.

That’s it. What could be simpler?

Want to be notified when new post appear ?

You’ve installed WordPress, set it up and now it’s running like a finely tuned Ferrari. Here are a couple of helpful articles to help you keep it that way:

? Introduction to Dealing with Comment Spam - A great intro to SPAM and what WordPress is doing about it.

? Moderating Comments - Covers the basics of how you can deal with comments.

? Using the Links Manager - Explains how you can deal with links on your WordPress blog.

WordPress in Languages Other than English ? Check this out if you want to use WordPress in another language.

Notify me of any new posts

Okay, so you have successfully installed WordPress, now it?s time to set it up. Have a look at the following for help:

• First Steps With WordPress - Takes a step-by-step tour through your WordPress site. Explaining the different functions and how to customize it.
• Administering Your Blog - This is a quick look at the various activities involved in administering your WordPress site. Have a look at the administration panel. The available options include:
  • Users > Your User Profile - set the user information you want published on your site
  • Your User Profile > Other Users - add authors and users that will be using your site, if applicable
  • Options > General - set your site name and other site information
  • Options > Writing - set the settings of your Write Post screen
  • Options > Reading - set how many posts to show on the front page and in categories and your feed requirements
  • Options > Discussion - Turn on or off comments and set how to handle them
  • Manage > Categories - add a few categories to get started from your category list
  • Manage > Posts - After you have written a few posts, this is where you will manage them by editing or deleting
  • Presentation > Themes - maybe change the look of your site?
  • Manage > Pages - add a Page or two like “About Us” or “Contact Me”
  • Write > Write Post - start adding content to your site
  • Writing Posts - step-by-step instructions on writing posts

Happy blogging!

Notify me of any new posts

Once you?ve planned your installation, you can now install WordPress.

• Before You Install WordPress - Lists what you need to know and what the hosting requirements are. So before you install WordPress, read this document.
• Installing WordPress ? Clear instructions on how to install WordPress faultlessly. You can even have the installation done by experts for free. See this document.
• Hosting WordPress - All the information your host needs to successfully host your WordPress blog. Includes information on PHP and MySQL requirements.
• Editing the wp-config.php file - As part of the WordPress installation, you must modify the wp-config.php file to define the WordPress configuration settings required to access your MySQL database. This document explains how.
• Frequently Asked Questions About Installing WordPress - Chances are that if you have a question concerning your WordPress installation then you will probably find the answer here.
• Using FTP Clients and Software - Great stuff to help you with FTP client software, which you will need to upload your WordPress files to your host.
• Changing File Permissions - Different files and directories have permissions that specify who and what can edit and read them. WordPress may need access to write to files in your wp-content directory to enable certain functions so it is important to know how to change file permissions. This is also crucial for the security of your site. Read this document for more information.
• Upgrading WordPress - You?re an old WordPress blogger and now you need to upgrade to the latest version. Read this helpful document on the 3-step upgrade.
• Common Installation Problems - This document covers some of the most common installation problems.
• Trouble logging into WordPress ? Check this document out if you are having trouble logging into your WordPress site.

Yes you can. There are many WordPress CMS all over the web. Here are a number of useful resources covering from ?What is it??, ?How do I do it?? to ?Show me some examples?. It?s all here:

?Webdesignerwall - In this article, I?m going to share some of my WordPress tricks with you on how to make a better WordPress theme.

?WordPress codex - WordPress article on CMS. Covers the basic and includes resource list. Changing WordPress into a CMS involves customizing the Theme and possibly the Administration Panels through the use of coding and WordPress Plugins.

?Graphicdesignblog - Short article on WordPress as a CMS with lots of useful links to examples of CMS sites as well as ?How to? articles.

?Onlamp article - This article describes how WordPress was used to replace a traditional content management system to run a community website.

?Blazenewmedia - Discusses 5 WordPress plugins to help you use WordPress as a CMS.

?Grahamazon - Article to show how Wordpress was hacked to create a CMS for the Stanford Community Health Resource Center.

?WordPress codex - Some great examples of WordPress used as a CMS.

?Bos89 - Quick and easy conversion of WordPress into a CMS in 5 easy steps. Also has links to CMS themes.

?WordPress codex on pages - WordPress article what a Page is and what it is not. It describes what a Page can do, and to gives a few examples.

?WordPress codex on pages - Some useful tips on how to use WordPress as a CMS. Includes an example site.

?Reportr - Brief article on using WordPress as a CMS for journalists.

?Semiologic - The Semiologic theme used as a CMS.

?Lorelle - A good article on why Lorelle chose to use WordPress as a CMS.

?CMS options - Good article explaining the difference between a blog and a CMS. It covers alternative free options so that you will be in a better position to choose which CMS software is good for you.

?Rimmkaufman - Another article on one company?s conversion to WordPress as a CMS. Some useful tips.