Independent Digital

Creating and managing dynamic websites using Php, MySql, HTML and Wordpress with a bit of PEAR on the side



WordPress, updated but still hacked?

26 June, 2008 (14:17) | Blogging, Security, Themes, Wordpress | By: clive

You’ve probably been using WordPress for a while now. You love it, but every now and then something weird happens and your blog just does not perform as it should. So when a new update comes out you’re overjoyed and eagerly update your blog, hoping all the problems will disappear. But they don’t. Maybe your blog was hacked at some stage, but you found the gap and blocked it for good, or so you thought.

You keep getting hacked even though you have kept up with the latest WordPress updates, so now you’re thinking of ditching WordPress. Don’t! The solution is simple; it may take a bit of time, but it will be worth it in the end.

I’ve been using WordPress for about 2 years now and have been hacked a few times. Each time I thought I had it sorted, only to be hacked again and again. Here are some of the symptoms I experienced:

  • I edited posts and pages, pressed SAVE but they were deleted instead of being saved.
  • I try to access my blog only to see this… database error: [User '???????' has exceeded the 'max_questions' resource (current value: 50000)]
  • I started getting high volumes of spam mail (some using my address as the sender)
  • I try to access my blog and all I see is a blank page
  • My theme disappears
  • My theme is swapped for the classic or default theme
  • My database disappears
  • I keep getting the installation page when trying to access my blog
  • Posts and pages disappear

My final solution was to delete everything and start again. Naturally I had a backup. I first checked my server for any weird-looking files and folders. I found a few and downloaded these to a safe folder. I then noted all the plugins that I had as well as the theme that I was using. I deleted all these. Then I deleted all the WordPress files and folders. I then checked the server once again for any weird folders or files (a bit difficult, as I had quite a lot of other, non-WordPress related stuff installed, much of which I could not remember whether it was legitimate or not). So be careful: don’t delete unless you are absolutely sure that it is not supposed to be there. Try downloading to a safe folder before deleting, so if it was a valuable folder or file you can always recover it.

Okay, once I had a “clean” server, I downloaded the latest version of WordPress, unzipped it and installed it on the server. I chose to create a new wp-config.php file rather than use the old one – I wanted a completely fresh start and didn’t want to risk carrying stuff over from that last install that may be “infected”. Once I had the basic installation working perfectly, I downloaded a new copy of my chosen theme from a legitimate site (see the article “WordPress themes are a security risk!”) and installed this in the Themes folder.

If you can view your backup file, check out the wp_options table for any “active_plugins” and delete these, save the file and import it into your WordPress database. Try viewing your blog – it should function properly with the new theme.

I then downloaded all the latest plugins (as per the list of plugins I had installed before the deletion) from legitimate sites, unzipped and uploaded these to the plugins directory and activated them all. I then tried accessing the blog and found a few problems:

  • The layout was not as it used to be. I then realised that I had done some editing of the theme files to suit the layout that I wanted. So back to editing the HTML to get the pages looking as before.
  • Some plugins weren’t working. This was because some of them required some code to be installed within the WordPress “loop”. So a quick inspection of the installation instructions for the various plugins pointed me in the right direction. I was able to install the necessary code and get the blog working as before. I also chose to install “clean” plugins rather than use the old ones because of my fear of contamination (see the article “WordPress plugins are a security risk!”).
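The “check the server for weird files” step above can be done by hash rather than by eye. As an added example (not code from the original post), this PHP script compares a live WordPress document root against a freshly unzipped copy of the same WordPress version and lists files that are added, changed or missing; the two paths are assumptions to adjust for your own host.

```php
<?php
// Added example (not from the original post): compare a live WordPress
// document root against a freshly unzipped copy of the same WordPress
// version and list files that are added, changed or missing.
// Both paths are assumptions; point them at your own reference copy and site.
$reference = '/tmp/wordpress-clean';   // pristine download, unzipped
$live      = '/var/www/html';          // the installation being checked

// Map every regular file under $root to its SHA-256, keyed by relative path.
function hash_tree(string $root): array {
    $root = rtrim($root, '/');
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

// Return [added, modified, missing] for the live tree relative to the reference.
function compare_trees(array $ref, array $live): array {
    $added   = array_keys(array_diff_key($live, $ref));  // only on the live site
    $missing = array_keys(array_diff_key($ref, $live));  // gone from the live site
    $modified = [];
    foreach (array_intersect_key($ref, $live) as $path => $digest) {
        if ($live[$path] !== $digest) {
            $modified[] = $path;                         // same name, different content
        }
    }
    return [$added, $modified, $missing];
}

// wp-content (themes, plugins, uploads) and wp-config.php legitimately differ
// from the download, so flag them for manual review and let core changes stand out.
function is_site_specific(string $path): bool {
    return strpos($path, 'wp-content/') === 0 || $path === 'wp-config.php';
}

list($added, $modified, $missing) = compare_trees(hash_tree($reference), hash_tree($live));

foreach (['added' => $added, 'modified' => $modified, 'missing' => $missing] as $kind => $paths) {
    foreach ($paths as $path) {
        $note = is_site_specific($path) ? 'site-specific, review by hand' : 'CORE FILE, investigate';
        printf("%-9s %-50s %s\n", $kind, $path, $note);
    }
}
```

Run it with the php command-line binary on the server (or on a full download of the site) and treat any added or modified file outside wp-content as the priority; as the post recommends, copy anything suspicious to a safe folder before deleting it.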

So what did I learn from all this?

  1. Updates alone will not sort out a hacking problem. Previous versions of WordPress had security problems, which may have led to a security breach of my site. Similarly, I may have been careless in other ways, allowing a hacker into my site. The point is that the hacker got through and was able to install code on my site. Updates from then on were useless as far as securing my site was concerned, as the hacker was already on my site.
  2. I expected WordPress to take care of my security when I should have been taking care of it myself. I thought that if I updated regularly, my site would be secure. I was wrong, as the hacker was already inside.
  3. That I need to take security seriously. I did not believe that I would be hacked. I was, not once, not twice but many times. The time and effort that I spent trying to recover from the problems caused should rather have been spent taking preventative measures.
  4. That I need to make sure that my site is free of suspicious files and code (within themes and plugins) – if hackers can get into your site, they can upload destructive files and edit your files by adding malicious code. It happened to me. One of the symptoms I noticed was the increasing amount of spam email that I was receiving. Since sorting out my site, the spam email has disappeared.
  5. That I need to update my plugins and themes – from LEGITIMATE sources.
  6. Increase my security by installing security plugins such as Login LockDown, WP Security Scan and AskApache.

As of the time of writing, my site seems to be working smoothly and thankfully hacker-free. If you would like to sort out your hacker problem once and for all but don’t have the time to do it, why not let us take care of the hassle and do it for you. Let us know.

WordPress plugin problems.

3 April, 2008 (14:49) | Wordpress | By: clive

Experiencing problems with a new plugin? Here’s hoping that this short post will help by ending your frustration and saving you time. I use a few plugins on this site. All of them were working perfectly before I upgraded to WordPress 2.5; then all of a sudden I couldn’t get the Subscribe2 plugin to work – or should I say that I could not activate it. Each time I tried to activate it, I would get a fatal error message.

I searched all over the place but could not find a solution, then I began reading posts elsewhere where users were having similar problems. Some mentioned that it was due to a conflict between plugins so I decided to investigate down that avenue. I have a duplicate website running on my PC so I deactivated all the plugins then activated the Subscribe2 plugin. Surprisingly it activated without a hitch, so I knew I was on the right track.

One by one I began to activate the other plugins. All but one, the Contact Form ][ plugin, activated perfectly. The familiar fatal error cropped up when I tried to activate this plugin. I then deactivated all the plugins once again and activated then deactivated only these two plugins (Contact Form ][ and Subscribe2) with the result that whichever one was activated first, worked, while the one activated second, came up with the fatal error message.

I needed both these plugins, so I emailed their authors explaining the conflict. Hopefully they will be able to correct the problem. I really liked both these plugins. In the meantime I have been trying out a few of the other contact form plugins (I decided to keep the Subscribe2 plugin working as I had linked a free e-book give-away to subscribers and needed this plugin to allow people to subscribe. It’s a great book on security, written by experts. So if you want a copy, subscribe! It’s FREE!).

I tried at least three other contact form plugins and they all conflicted with the Subscribe2 plugin. I did find one that did not conflict, but it is not exactly what I was looking for; I may use it as a temporary measure until I find the perfect one or a solution to the conflict is found.

P.S. If you find either the contact form or subscribe option not working, please be patient and come back later as I am busy trying to sort the problem out.

Best regards

clive

Scan your WordPress site with Goolag to detect and fix security holes.

26 February, 2008 (11:41) | Blogging, Google, Security, Wordpress | By: clive

“The Cult of the Dead Cow” announced last week the release of Goolag Scanner, a free open source web-auditing tool. Goolag Scanner enables anyone to examine their website via Google for any security holes. The scanner technology is based on “Google hacking” developed by Johnny I Hack Stuff. Goolag Scanner can be used by web site owners to detect and correct any security flaws in their web site.

Johnny previously published a collection of these “Google Hacks” or “Google Dorks” on his web site, which are used by “professional” hackers. Goolag Scanner has now packaged these into a GUI automated tool that allows an unskilled hacker to use these very same techniques.

Goolag Scanner is a standalone Windows GUI-based application using about 1,500 pre-configured Google search queries or dorks. It searches for links to vulnerable web applications, back doors, or documents containing sensitive information. You can select individual searches or sets of them. You can restrict the search to your own server, or extend it right up to an entire top-level domain. The results are displayed as a list of URLs that can be opened in the browser. However, if you use the tool too much, Google may block your IP address, and there may also be legal implications, so be cautious when using it.


WordPress themes are a security risk!

25 February, 2008 (20:09) | Blogging, Themes, Wordpress | By: clive

WordPress themes can be dangerous as far as security is concerned, so be very careful when you install any theme. Before downloading any theme, consider:

  1. Is the download site official? Avoid third-party download sites. If it is neither an official site nor the author’s site, then check the code carefully.
  2. Is it the latest version?
  3. Are you running the latest version of WordPress?
  4. Do research. Check the net to see if there are any security issues concerning the theme that you want to download.

So what are the security issues when using WordPress themes? There are 2 ways that themes can become a risk:

1. The first is when someone intentionally ADDS code to the theme. This could be code which adds a link to the theme. When you display the website using that theme, the links are displayed but are probably not visible (see the article on spamdexing). The person who included the code is hoping to increase the number of links to his website so that his Google ranking increases. Unfortunately Google will then pick this up and remove your site from their search engine. A double whammy! Quite innovative, considering the number of sites using the popular themes. They also embed code that allows scripts to send spam mail (see the article on spam and how to deal with it), run phishing pages or serve random ads.

2. The second is usually unintentional. The theme author has code in their theme which is not secure and allows a cracker (see the article on Search Engine Optimization) to infiltrate the website using the theme. A common example, known as cross-site scripting (XSS), is echoing PHP_SELF without wrapping it in htmlspecialchars():

<form id="searchform" method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">

Because PHP_SELF reflects the path that was requested, anything a visitor puts in the URL, including quotes and HTML tags, is echoed straight into the form’s action attribute. A secure version wraps the value in the PHP function htmlspecialchars(), as seen below:

<form id="searchform" method="get" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

This problem is usually seen in the theme’s:

  • 404 page
  • search page
  • header page
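To make the difference concrete, here is an added PHP example (not code from the original post or from any theme) that renders the vulnerable and the hardened search form with a constructed request path; PHP_SELF is the script name plus any extra path info a visitor appends to the URL, which is what makes it visitor-controlled.

```php
<?php
// Added example (not from the original post): why echoing PHP_SELF straight
// into the action attribute is an XSS sink, and what htmlspecialchars() changes.
// PHP_SELF is the script name plus any extra path info a visitor appends to the
// URL, so a request to /index.php/<anything> puts <anything> into the attribute.

// Constructed request path standing in for a crafted $_SERVER['PHP_SELF'].
$php_self = '/index.php/"><b>injected</b><!--';

// Vulnerable form, as in the theme snippet above: the quote in the path closes
// the action attribute and the rest of the path becomes live markup.
function unsafe_search_form(string $self): string {
    return '<form id="searchform" method="get" action="' . $self . '">';
}

// Hardened form: ENT_QUOTES encodes ", ', <, > and & so the visitor-controlled
// path stays inside the attribute as inert text.
function safe_search_form(string $self): string {
    return '<form id="searchform" method="get" action="'
        . htmlspecialchars($self, ENT_QUOTES, 'UTF-8') . '">';
}

echo "Vulnerable:\n", unsafe_search_form($php_self), "\n\n";
echo "Hardened:\n", safe_search_form($php_self), "\n";
```

Current WordPress themes avoid PHP_SELF altogether and point the search form at esc_url( home_url( '/' ) ), which sidesteps the problem entirely.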

Here are 2 good articles on cross site scripting:

Only download your themes from the official WordPress Theme Viewer or directly from the authors’ site.


WordPress plugins are a security risk!

21 February, 2008 (14:33) | Blogging, Security, Wordpress | By: clive

Be careful when installing plugins. It is a dangerous world out there, with many strange people doing strange things. Now, not all plugins are dangerous and neither are their authors. Some plugins, however, have simply not been tested enough, with the result that malicious hackers manage to find flaws which they can exploit to do their dirty deeds. They then search the net for WordPress sites running that plugin. When they find it, they’re in, and before you know it your WordPress blog is performing erratically or your database has been deleted.

One example of this plugin security issue is the wp-forum 1.74 plugin. According to the SecurityFocus website, “it is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. [This would allow an] attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.”

Another example is the wp-db-backup plugin, which had a serious vulnerability issue. Now I am not saying that it is the intention of the plugin author to create plugins containing devious code which allows a security breach. It is more likely that the authors themselves are unaware of the security flaw. As far as I know, there is no standardized validation of plugins to ensure that they are not a security problem. So we need to be very careful before we install any plugin. Do research, check on the web and within forums to see whether others have experienced security issues when using that plugin. If there are no known issues, make sure that you have backed up your website and database before installing the plugin. The WordPress team are continually upgrading WordPress to ensure that it is as secure as possible so remember that the most important step that you can take to secure your site, is to ensure that you are running the latest version of WordPress.

Have a look at this excellent article on plugins and security issues.

Some plugins with known issues

Here’s a list of plugins that you can install to make your WordPress blog more secure.

WordPress help - A comprehensive resource list for beginners and seasoned users. Part 6. Customizing your WordPress blog.

21 February, 2008 (09:48) | Blogging, Wordpress | By: clive

Wanting to customize the look of your WordPress blog? Then look at the following articles:

  • Using WordPress Themes - Themes are what give your WordPress blog its unique (or not so unique) look. This article explains what themes are, where to get them and how to use them.
  • Blog Design and Layout - More on themes plus CSS, plugins and design specifics.
  • Using Pages - All you ever wanted to know about WordPress pages.

The following simple guides will help you customize your WordPress Theme:


WordPress widgets and Google gadgets - putting Google gadgets in your WordPress widgets.

20 February, 2008 (12:05) | Blogging, Wordpress | By: clive

Google gadgets are handy little things that you can place anywhere on your webpage with not too much hassle. WordPress makes it even easier if you use widgets. It is so easy to insert Google gadgets on your sidebar that you will wonder why you have not done so before.

Here is a quick and easy tutorial on how to do it:

  1. Make sure you have the latest version of WordPress
  2. Make sure that you have a widget enabled theme
  3. Get into your Admin panel and select Presentation > Widgets from the options. Drag the Text widget onto the Main sidebar. Click the configuration tag (right hand side of Text widget) to open up the input window. Enter your title for this widget (the title will be displayed above the widget on the sidebar.)
  4. Open the Google gadgets page in another window. Select the gadget that you want displayed on your sidebar. Configure the display settings to your liking. Press the Preview changes button to see how the gadget will look. If you are satisfied, then press the Get the code button. A window will open up with some code in it. Select and copy this code.
  5. Go back to your WordPress admin window and paste the code in the large window of the Text widget. Save the changes and view your site. The gadget should be displayed in your sidebar.
  6. You may need to play around with the sizing of the gadget to ensure that it fits within the sidebar.

That’s it. What could be simpler?


WordPress help - A comprehensive resource list for beginners and seasoned users. Part 5. Dealing with WordPress spam, links, comments and other languages.

20 February, 2008 (10:17) | Blogging, Wordpress | By: clive

You’ve installed WordPress, set it up and now it’s running like a finely tuned Ferrari. Here are a couple of helpful articles to help you keep it that way:

  • Introduction to Dealing with Comment Spam - A great intro to SPAM and what WordPress is doing about it.
  • Moderating Comments - Covers the basics of how you can deal with comments.
  • Using the Links Manager - Explains how you can deal with links on your WordPress blog.
  • WordPress in Languages Other than English - Check this out if you want to use WordPress in another language.

WordPress help - A comprehensive resource list for beginners and seasoned users. Part 4. Setting up WordPress.

20 February, 2008 (09:41) | Blogging, Wordpress | By: clive

Okay, so you have successfully installed WordPress, now it’s time to set it up. Have a look at the following for help:

Happy blogging!

WordPress widgets - What are WordPress widgets and how do I use them?

19 February, 2008 (14:43) | Wordpress | By: clive

Widgets are similar to plugins. They are drag-and-drop elements that you use to personalize your website without knowing any code. They are also called sidebar widgets because they allow you to move things (widgets) in and out of your sidebar. Widgets are things that you can have on your sidebar, such as a category list, recent comments or a link, etc.

Using widgets

Previous versions of WordPress required that you install a widget plugin to be able to use widgets but as of version 2.2 you no longer need to install this plugin as it is now part of the WordPress core. So now all you need do is install the widget that you want.

For widgets to work, you need to have a widget-ready WordPress theme. If you’re sure your theme is widget ready, then download the widget that you want. Install it as per the instructions (usually there is an included readme.txt file or there are instructions on the widget author’s website). Once you have installed it, go to the WordPress Admin panel and select the Presentation > Widgets option. Then all you do is drag the relevant available widget into the sidebar panel, save the changes and you’re done. View your site and you should see the new widget in the sidebar. Have a look here for a short tutorial. You can also view more installation instructions here.

Text widgets

Text Widgets can add new abilities to your sidebar. You can have more than one text widget on your sidebar (set how many in the admin panel, Presentation > Widgets). Drag the text widget into the “Available Widgets” column in Administration > Panel Presentation > Widget.

Click on the icon on the right side of the widget to customize the widget. Here you can enter a description or title for that widget as well as any text or HTML for that widget. See here for more on text widgets, including a list of content which will work via the text widgets: just copy their code and paste it within your widget. Their content will then be displayed on your sidebar.

RSS widgets

RSS widgets can be included to add feeds to your sidebar. You decide how many feeds you want then drag the RSS widget onto your sidebar (this is done via the Administration panel > Presentation > Widgets option.) Click on the icon on the right side of the widget to enter the URL for the feed, a description of the feed, and how many items from the feed you want displayed then save the changes. See here for more on RSS feed widgets including a list of RSS feeds that you can use in your widgets.

Creating your own widgets

You can create your own widgets. Just create a function and wrap it in a WordPress plugin.

Resources

Here’s a link to the WordPress Codex on widgets.

Documentation of the WordPress widgets API – for those wanting to create their own widgets.

Want to update a theme so that it is widget friendly? Then have a look at this document. Also have a look at this article, which explains how to make a theme widget friendly in 3 easy steps.

Here’s the link to the WordPress Codex resource list on widgets (some of which have been included above.)