Tag Archives for " WordPress "

How to exclude Digg Digg from WordPress pages & posts

I've had this issue myself and there is a simple way to do this, although it's not well documented. Simply add the following comment to the HTML of your page, post or custom post type to hide the Digg Digg floating share bar:

<!-- Digg Digg Disabled -->

Continue reading

WordPress Desktop Client for Mac

I spend a good bit of my time writing content for my various websites. Logging into each separate WordPress or Joomla instance can be time consuming and annoying - as good as web interfaces have become they are still no where near as responsive as a good desktop app.

Being a Mac user there aren’t that many fantastic options for blogging software. I’ve tried MarsEdit and a few others and was a little bit less than impressed.

One of my big requirements is the use of the WordPress Media Manager rather than having to upload images via FTP and inserting the images (even if the app does this automatically it breaks thumbnails and forces me to log in to the admin which defeats the purpose.

So what are my requirements for desktop blogging software? Here’s my short list:

  1. A decent and useable user interface.
  2. Easy image and rich media handling.
  3. WordPress integration - there is no point in writing a post then be forced to login to format, edit and tweak the post.

That’s really about all that I require. Now I’ve been using MacJournal for all of about 5 minutes here and I’m relatively impressed. I especially like the full screen edit. It removes any distractions and allows me to focus on the content I am writing rather than the Skypes, MSNs, Tweets, Emails and Facebook Updates.

I’m going to plug away with this software for a little bit and test out the image and media handling. Do you use desktop blogging software? Let me know if you have any MacJornal tips and tricks or suggestions for other desktop blogging software.

Continue reading

WordPress Backup Plugins

In the last few days the Gumblar malware injection attack has been making the rounds and hopefully you've taken preventitive measures to ensure that you are as safe as you can be from this annoying injection attack.

Just so you're aware the reason for this attack is Blackhat SEO spammers are attempting to insert a hidden link on your site for the purposes of link building. The problem is it's not only illegal, it's incredibly lame.

Here's another scenario, let's assume for a second that your site did in fact get hijacked. Likely what you will be left with is an annoying script in a tond of your WordPress site pages. Not just in your theme but in anything beneath wp-content that they could inject.

This might include:

  1. Your theme files.
  2. Your plug-ins (a very good case for limiting and auditing new plugins you add).
  3. Your wp-admin files (this is extremely annoying as well).

Your only solution at that point is to reinstall WP (thus over writing the compromised files), re uploading your theme (backup!) and reinstalling all of your plugins. That would then get every file restored.

Now that's a time consuming and lengthy pain in the ass process to be honest. So let's be a bit proactive and add some functionality to your WordPress site that will automate some of these things for you.

Here's a list of trusted management, backup and resoration plugins I use on all my sites:

  1. WP-DBManager - this is a great plugin by the prolific Lester Chan (one of my favorite plugin authors). It will let you do database work and backups directly from your WordPress Admin. Very handy.
  2. WordPress Backup - this is also a highly recommended plug in that will backup more than just your post data. Run it regularly and better yet, automate it. My rule of thumb is that if it can be forgotten it will be forgotten. I'm the worst case of that.
  3. WP-DBBackup - this will help you automate that process and keep a nice fresh copy of your database on hand for that disasterous moment.
  4. eFiles Backup - this is a good one for a smaller site. In general any injection attack won't hurt your database, just the content files. This little guy puts your files on eFiles.com - I haven't tested it but I might actually give it a whirl.
  5. WordPress Automatic Online Backup - this is another promising service which I have not tried out but am thinking of giving a whirl. Like I said automation is key.

In general people do not like to think about things like backups. It's not a very sexy subject to say the least. But from my experience there is nothing worse than having to weed through a mass of files, downtime, and just the frustration of repairing things.

These backups can make a bad experience like getting injected relatively painless. It's a bit of a "set it and forget it" scenario.

If this is your first visit here you might want to have a look at my other WordPress Security and SEO Posts

All the best,

Dan

In

Continue reading

WordPress Exploit Gumblar .cn

Looks like there is another WordPress exploit out there dubbed Gumblar .cn - I was actually made aware of it through a pingback from Growmap.com on their: Watch Out for Recent WordPress Gumblar PHP Exploit post.

These attacks are extremely time consuming to clean up, trust me I've had to do it before in the past. It's not a quick or easy thing to have to deal with at all.

There is also an excellent explanation of Gumblar here: Gumblar .cn Exploit - 12 Facts About This Injected Script

Please proactively protect yourself against this exploit!

Update: I'm quoting a bit from Scansafe's excellent Q&A about the exploit:

Is this a cross-site scripting (XSS) attack?

No. The compromises appear to be the result of stolen FTP credentials and direct manipulation of files on the Web server.

What is the intent of the malware distributed through the Gumblar compromised websites?

The malcode distributed via the compromised websites attempts to exploit PDF and Flash exploits in order to deliver malware that redirects infected users’ search engine results. In these particular attacks, the malcode appears to be targeting Internet Explorer users and Google search. In addition, the gumblar.cn malcode installs a backdoor that connects to 78.109.29.112 – an IP address of a known botnet command and control that has historically been associated with malware engaged in malicious redirections.

Reference blog post: http://blog.scansafe.com/journal/2009/5/8/google-serps-redirections-turn-to-bots.html

How do these malicious redirections work?

Similar to a man-in-the-middle attack, these redirections occur as a result of a man-in-the-browser attack. The malcode injects itself into the browser process, monitors the requests processed by the browser, and injects fraudulent traffic. In the case of the Google SERPs redirects, the malcode replaces legitimate Google SERPs results with links pointing to malicious or fraudulent websites.

Millions of websites have been compromised over the past year; what makes these particular compromises unique?

A typical series of website compromises reaches peak within the first week or so and subsequently begins declining in intensity as detection is added by signature vendors, user awareness increases, and website operators begin cleaning the affected sites. (This is why attackers are constantly pushing new waves of compromise).

In the gumblar.cn attacks, the opposite is occurring. As website operators attempt to clean up the original compromise or otherwise make changes to the original source code of the .htm, .php, and .asp pages on their sites, the gumblar.cn compromise is injected. The gumblar.cn mal-script appears to be dynamically generated and thus varies not only from site to site, but also from page to page on the same site. In addition, the resulting mal-script is heavily obfuscated, further hampering signature detection methods. As a result, the gumblar.cn compromises are increasing – up 188% from last week and a 61% increase from yesterday.

Here are some related articles I've written that might be helpful:

WordPress Injection Attack

Blocking Spam with WordPress

WordPress Security Plugins

Best of Luck,

Dan

Reblog this post [with Zemanta]

Continue reading

WordPress Security Plugins

When you use WordPress for a corporate or business website, security always comes up as an issue and for good reason. In what has turned into an ongoing series on WordPress Security I'm going to review a few very useful plugins which will add an additional layer of security to your WordPress or WordPress MU site.

In addition to this article, you might find the two other posts in this series useful:

Blocking Spam with WordPress

Recovering from a WordPress Injection (You are labeled an Attack Site)

So here is the added list of extremely useful WordPress plugins, all of them work well with both WordPress and WordPress MU (on my sites at least):

  1. http://wordpress.org/extend/plugins/restrict-login-by-ip/ - Restricts WordPress admin login by IP address. This is extremely useful since you will likely not want just anyone having access to the authentication login.
  2. http://wordpress.org/extend/plugins/limit-login-attempts/ - limit login attempts and records IP address.'Nuff said.
  3. http://wordpress.org/extend/plugins/wordpress-file-monitor/ - monitors WP file changes and notifies by email upon a change.
  4. http://wordpress.org/extend/plugins/wp-security-scan/ - scans the server for known security issues - this is a definite old standby and should be added to your WordPress site
  5. http://wordpress.org/extend/plugins/invisible-defender/ - provides protection against SpamBots
  6. http://wordpress.org/extend/plugins/audit-trail/ - tracks changes to the site by user. I find this to be less of a security issue but it is extremely useful if you've got numerous authors on your blog. At the very least you know who to smack around if they make changes to your site. 🙂

Now keep in mind that these will not ensure that you will never have a security issue on your blog or website. But as the saying goes an ounce of prevention is worth a pound of cure (Benjamin Franklin was a pretty smart guy so I'm going with it).

I hope you've found these plugins useful. Let me know if you've got any additional plugins or techniques you use to secure your sites and ensure smooth sailing!

Cheers,

Dan Nedelko

Reblog this post [with Zemanta]

Continue reading

Blocking Spam with WordPress

After my last article on Cleaning your Site after a WordPress Injection Attack I figure that it's time to take the old "an ounce of prevention us better than a pound of a cute" (or something like that). So here is a nice easy way to enhance your Akismet spam protection and quickly and easily blacklist an offending IP.

Personally I get really sick of blog spammers, especially since my blog is DoFollow. It doesn't stand for the same thing as DoSpam. Very annoying time consuming and potentially harmful - alot of these same idiots who blog spam would also be the same people who will try to inject your WordPress theme and plugins with Click Counter code.

Anyhow in this post I'm going to use the following plugins:

  1. Akismet (setup properly but that goes without saying.)
  2. WP-EasyBan
  3. WP Security Scan
  4. Secure WordPress
  5. Redirection Plugin

The first thing you need to do is install all of the above plugins and ensure each of them work. As a side note: I had trouble with WP-EasyBan on WordPress 2.7.1 but I corrected it. To be honest I am not 100% sure if it was a conflicting plugin issue or a core problem with WP-EasyBan. If you have a problem, contact me or comment here and I will share my fix (I wasn't able to see "Add Ban" in the user menu but a few changes to the plugin fixed it without any issue).

Ok moving right along.

Let's say you are getting a substantial amount of Spam in your Spam Bin in Akismet. You will easily be able to tell if it comes from one particular IP address. First go to your Spam Box and identify the IP address - see below:

One: Identfy the IP Address

Next step: Check your Security logs under "Tools -> Security Logs" - now if the person is simply annoying you can skip that step but the Security logs will identify if the user is on a blacklist:

Is the IP already on your Blacklist?

Check your Security Log and Blacklist

Once you've done that it's time to "Add Ban" provided by WP-EasyBan. It's got a great interface for you to add various options. We want to add a specific IP address (adding a block if IP's could cause you to block legit visitors to your site.

Adding an entry to your Blacklist

Adding a Banned IP through WP-EasyBan

Also as an ounce of prevention you can set a time limit and maybe you'll discourage the blog spammers after a period of time. The reason I like this method is that Spammers never give up unless they are certain that their stuff is not getting through. Blacklisting will let you send a message that there is no getting through to you.

As a last note: I like to add a personalized message to these idiots. Sometime I venture into more colourful language depending on how badly one IP is offending my site and messing with my hard work.

Then you can set another site to redirect them to as well. Get creative here you can have fun with this, there is also a sense of satisfaction to mess around with these people.

Anyone else have any tips? Let me know!

Cheers,

Dan Nedelko

Dan Nedelko

Continue reading

SEO Return On Investment

I am pretty active on LinkedIn and have been for quite some time. I really do my best to try to answer one question per week and participate heavily in that community. It’s a good way to connect with others, make contacts and also use it as a sounding board for input to my ideas and thoughts on SEO, Search Marketing, Internet Marketing and what I do for a living both with Honeypot Marketing and with my own projects.

I figure since I am posting there I should also share some that with this audience. So the question that was posed from LinkedIn was this:

“How can you calculate the ROI of further SEO Investments for online project? Is there a model that can be used?“

That is a darned fine question since typical ROI models do not stand up well when it comes to SEO and Organic Search for a couple of reasons:

  1. Investments are indirect. You invest in link programs, content etc and it doesn’t directly drive traffic. The engines drive the traffic but the investments are there to help increase your authority in those engines. It confuses alot of people as to the logic.
  2. Most companies fall flat in terms of customer acquisition models. They are not correctly tracking a converted visitor from search, which makes it impossible to optimize your converting terms from the engines. I have seen many instances where terms which you wopuld not think are big converters in fact are massive converters (especially in tail of search). If you dont know this information then throw out your ROI model, you’ll be guessing anyhow - you could lie I suppose but then again that would be even worse and since SEO’s never ever lie (I’m ducking from the lightening!) that would never be a problem. :mrgreen:

Given those two factors I’ve come up with a fairly decent model that I find works and here for your viewing pleasure is the overview. If you disagree with me or if you think I’m wrong then register and comment or email me.

One of the key things to consider is that calculating ROI on Organic Search is different than traditional media. Here is the layout I utilize:

A Total Amount of Search Traffic
B Total Amount of Converting Search
C Conversion Rate from Search
C Life Time Value of a Conversion (is it CPA or LTV)
D Converting Terms (focus on these)

Determine total Search Traffic = 1000
Determine the Converting Search Ratio: B/A (10/100) = 0.10
Use the Total Converting Search Numbers = 100
Determine the value of the Conversion: C = $200

You have profited $20,000 from organic search.

Total current budget : Link Building $1500 per month plus other monies spent (I am not sure what these are)/

[poll id="4"]

Your profit of $20,000 from all search engine optimization programs is being generated by $1500 of spend to acquire 200 customers. Your cost per customer is $7.50

Your spend is generating a 13:1 profit to cost ratio. Now you know your budget to work with and you can shift your overall tactics to increase the overall number search joins as you wish.

I’ve used this model (with much more detail) successfully in the past on numerous projects in the online gambling industry including online sportsbooks, casinos, generic ecommerce sites, online dating, lead generation and ebook marketing industries. It provides for a strong ROI model, justifies SEO budgets and keeps the business people happy since they understand what the goals of the program really are.

I would love to get your input, comments and suggestions on expanding the ROI model for Search Engine Optimization. Please comment below and let know, even if you think I'm completely wrong!

Cheers,

Dan

Continue reading

WordPress Injection Attack

March 4, 2009 Update: My plan has worked out very well and everything is back to normal without too much of an interruption. My request for Google site review took a total of 12 hours and it was completely handled through Google Webmaster Tools. Google spidered the entire site for about 6 hours checking every existing page on the site from Mountain View California. Around 6pm EST I was given a new notice in my Webmaster Control panel that the notice would be removed with the next update which took place about 90 minutes later.

I'd like to thanks a few people who gave me some good advice. If this does happen to you make sure that you:

  1. Remove any old plugins may have or update them.
  2. Ensure the source of the plugin is using best practices for PHP coding. If the plugin is not listed In the Official WordPress Plugins Directory then be careful.
  3. Add the following plugins: WP Security Scan and WordPress Firewall (Thanks to Ruud Hein for the suggestion!).
  4. Backup your content, themes, and plugins on a regular basis so a roll back is easy in the event that you are attacked again.
  5. Be careful of who you send your site to on Twitter! See the end of the post for the official Twitter email I received and this was the source of the attack.
  6. This one is obivious but make sure you WordPress version is current as many security fixes are implement in point releases (ie 2.7.1).
  7. Secure you Web Server or have your System Administrator or Web Host ensure that everything is in order.

/Update.

I woke up this morning ready to get to work and as per usual I check my sites indexes in Google, Yahoo and MSN. Even though it's a beautiful sunny day outside I was shocked to see the following:

Bad News for Tuesday MorningBad News for Tuesday Morning to be sure. So the question is what do I do and how do I get this bad message off my Search Listing?

I'm not too concerned to be honest except for the fact that my site is vulnerable to this injection attack. I would love to smack the hacker that instituted this attack.

So first things first:

What is this message all about? Well when I viewed the source of my site I saw what is called an obsfucated injection attack on the footer of every single one of my pages. This is a bit of a pain since I am using WordPress MU with a number of plugins.

That means that  the hackers could have injected their little code block into my theme, my plugins into the core WordPress MU files. Not a pretty thought to have to go through all of those areas to remove these individual code blocks. Bottom line: my site got hacked. What steps do I take to repair the damage that's been done?

[poll id="3"]

My plan to remove the PHP injection attack:

  1. Identify which files on the web server are compromised.
  2. Identify if the compromised files are plugins, comments, themes, or WordPress Core files.
  3. If the compromised file is a plugin then determine if the plugin should be removed completely (is it the source of weakness?) or simply a victim and should be reuploaded and reactivated.
  4. Upload a clean version of WordPress MU core files. This prevents me from having to wade through all of the compromised files.
  5. Go through comments and identify any potentially malicious links to malware sites. I am very lucky since I have recently moved the domain to a new server since my previous horrible host disabled access to the phpMySQL instance through the cPanel (yes EMC Web Hosting Sucks NEVER use them). This will not be a huge issue.
  6. Go through my theme which is a customized version of Revolution Theme by Brian Gardner. I frequently backup this theme since it is a a simple matter  of uploading the theme to the web server.
  7. Visit Google Webmaster Tools and submit a request for Google to audit my site to remove the malicious tagging on my site.
  8. Audit the entire site to ensure the malicious code in completely removed.
  9. Back up the theme again, ensuring I have the ability to restore clean code in the event that I am on someone's hacking list.
  10. Harden WordPress MU to ensure that this does not happen again.

That's my plan. I am about half way through it but there are some serious issues at play here since it is not only Google which is tagging my site as malicious (bad for business!). Check out the number of blocks which exist:

Google Malicious Message:

I'm not Malicious but Google thinks I am

I'm not Malicious but Google thinks I am so next step is to click on the SERP that's when Firefox jumps in:

After clicking the SERP Firefox jumps in and says I am bad too!

After clicking the SERP Firefox jumps in and says I am an attack site. How fascinating but just wait. It's not over yet when I get to the site:

Firefox toolbar warningFirefox toolbar warning

So clearly the powers that be and the tools on my computer are working hard to identify malicious sites. It is very clear that this site could be malicious and even though it was through no intent on my part the bottom line is that my site was hacked and turned into an attack site. This is a good line of warnings to any user and in the time frame that I am repairing the site and hardening my WordPress to ensure this does not happen again I don't really mind having these messages there.

They are good for users.

Update - Twitter just sent me the source of this injection attack:

Uh oh! We found a bad apple in your Twitter feed.

We detected a link in your account pointing to a phishing site or other harmful material that we identified as malware. Here's the troublesome post:

"@BlogDuJour hey there try out my blog [ your unsafe link was here ] - I am in the process of redesigning now but should be back to normal soon!"
March 02, 2009 22:07

We removed this update from Twitter. Please be mindful of others in the Twitter community, and post only safe links on Twitter.com.

Thanks! Twitter Support


Reblog this post [with Zemanta]

Continue reading

dofollow Blog

Just thought I would let you all know that I've made this blog do follow. Now remember - real comments only please but they will pass link authority.

As I am going through this resurrection of my site I've had the opportunity to rethink a few thinks in terms of categories, tags, URL structure, Sub Domain structure and in particular making all comments DoFollow.

[poll id="2"]

Having said that I installed the DoFollow plugin yesterday for a few reasons:

  1. It will incite comments - hopefully relevant comments.
  2. I want to pass link authority for those who I want to link to from this site.
  3. Defaulting as NoFollow is really the backward way to do it. WordPress by default adds the No Follow attribute, although I understand why the need for NoFollow by default.

Having said that I am curious. Is your blog a DoFollow blog?

Update:

Over the pas months I've had excellent success in building online reputation through Do Follow blogs.  Here is a fantastic list from Squidoo of categorized list of Do Follow blogs.

I'll be updating this page with more Do Follow resources.

Reblog this post [with Zemanta]

Continue reading