Internet Babel

A new WP exploit has been reported- and a new release (2.6.5) issued to address it:

“The system does not properly filter HTML code from user-supplied input in the ‘HTTP_HOST’ header parameter before displaying the input. A remote user can submit a specially value to cause arbitrary scripting code to be executed by the target user’s browser. The code will originate from the site running the WordPress software and will run in the security context of that site. As a result, the code will be able to access the target user’s cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The vulnerability resides in ‘wp-includes/feed.php’ and ‘wp-includes/version.php’.

Only systems running on IP-based virtual servers with Apache 2.x are affected.

Jeremias Reith reported this vulnerability.

Impact:  A remote user can access the target user’s cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.”

Recommend that you upgrade your installations of WP.

Time for a new approach for Internet Babel.

Look across the ‘mid-range’ MMO/IM Bloggers (and even the ‘top’ Bloggers, as I’ve mentioned before) and you see a lot of the same stuff – the latest affiliate schemes, our ‘success’ stories, competitions, so-called ‘black-hat’ rubbish and paid reviews.

IB has been as guilty of that in the past as anyone,and now is as good a time as any to give it a revamp – the Blog currently has a ‘tired’ theme that needs a re-skin, and it’s missing a couple of plugins that I consider important.

The Blog itself (like most in this niche) lacks the interactivity and value-added things that a really useful site needs – and no, comments (even threaded ones) on their own aren’t enough.

I have a full-time freelance occupation developing sites and systems for people – Blogging is a sideline and my goal is to make enough from my own sites that I don’t have to work too hard for other people. I suspect many of you are in a similar situation (or at least aim to be).

So, I’m experimenting with a number of approaches to developing my current domain and site portfolio:

• via domain/site flipping
• by taking advantage of quick-hits on hot niche areas
• by developing a wide range of content-rich sites that I can SEO into a money-earning position
• by creating new scripts and software that people will want to use (or buy)

Nothing too ground-breaking there, but by reading about my little successes AND failures in these endeavours people reading this Blog might just pick up some practical tips and save some time in achieving their own goals.

To that end Internet Babel will expand to address what I hope people really want - namely:

• straight to the point tips and news about SEO, content, development and flipping
• a Forum, to introduce much more of a community aspect, and to be able to cover other topics in more detail (coding questions and tips, template/plugin discussions etc) without cluttering up the Blog 
• Classifieds/Directory areas to make it a genuine ‘resource’ site
• updates on ‘real’ projects and experiments that might give some pointers
• useful downloads

The blog will of course remain but I want to make Internet Babel more than that. If you don’t want to come along for the ride, that’s fine – but I hope you hang on in there and see what we can make of it together.

First off – a decent theme to replace this tired old thing – what’s the best one out there at the moment? (preferably free, cos I’m a miserable git – but I do like the look of the ‘Ultimate’ Theme)

OK – here’s an idea to throw out to the masses, and something I reckon could take off quite nicely as a widget or whatever.

Could somebody please write a Spam analyzer (‘spamalyzer’/'spamalytics’ etc).

I think a little league table of hot spam topics might be a cool little tool. It should be easy enough to write something to trawl through the comments in your akismet queue and do some kind of keyword frequency breakdown.

You could extend it to geo-breakdown the originating IP to see what kind of spam comes from where, and produce daily/weekly charts of hot spam keywords, or perhaps analyse the originating email addresses and names. There’s a heap of variations out there - you might need to censor some of the keywords when outputting the information, but I reckon it’d make a cool little tool.

I could probably knock one up meself but I haven’t got the time – so if anyone out there wants to pick up on the idea and build one just let us know.

I don’t think there’s anything like it out there at the moment – I could be wrong of course but i had a quick search and couldn’t see anything that did this.

Over to you…

As you can see from my sidebar, we’ve just gone over 11,000 spam comments blocked by Aksimet (as at 20th August 2008).

I’m not sure how long Nick was running Akismet etc before I took over Internet Babel, but I’ve just read about somebody hitting the million-spams milestone on their blog. I personally block quite a few comments that are human-spam as well, but I was wondering about your experiences with blog comment spam as well. I have a couple of Blogs on the go and I notice a definite variation in the type of spam comments that are aimed at one Blog or another.

IB (at a very rough estimate) gets about 35% Viagra and related, 35% student loans, 20% looking like they lead to nasty downloads and about 10% just utter rubbish (not including the human spam that I discard by hand).

Is that the same kind of spam breakdown that you guys get? How many comments does Akismet block for you each day? According to Aksimet’s own stats, approximately 88% of all comments are spam…

Do you use other tools/plugins to check for spam? If you implemented Captcha did you find a drop in legitimate comment numbers?

I’m thinking of knocking up some PHP code myself to check for human spam, so I can block ‘at source’ things such as those useless ‘nice post’ short comments and have bad word blacklists and that kind of thing. Just wondered what your experiences are….

Introducing Prologue. This is Matt Mullenweg’s answer to a Twitter alternative. Of course Matt had some help, that’s where the clever software developers of Automattic come in.

Twitter is a self-confessed inspiration for this new semi-platform. It’s really just another WordPress installation with a new undertone.

Here’s a screenshot of Prologue:

If you click on that screenshot, you’ll be taken to a demo.

Prologue allows you to post messages, tagged n all about what you’re up to. There is RSS feeds for everything: posts, comments, tags and authors.

I have personally never used Twitter.

Not out of choice just never actually been bothered to go on there, know of it. Will check it out now I’ve seen this new launch which was inspired by it though.

Getting hacked could happen to anyone. No matter how savvy you think you are or how good you are at avoiding things, unless you actually use decent security to stop hackers getting into your WordPress database, you could be next.

You’ve seen it happen to Shoemoney. Twice.

There are some very simple steps you can take to protect your WordPress blog. Lets take a look at a few basic methods:

Back up Your Blog

King of saving yourself from a database tragedy? back-ups! make regular back-ups and you’ll always be insured of your own safety with your precious blog content and structure. Someone could blast your entire database but it doesn’t matter if you have a back-up right.

One click auto back-up: Download | Instructions

Protect Your Admin Area

A lot of amateur hackers will try to get into your Admin area simply by using a password cracker to second guess your password. These crackers go through every alphabetic combination you could use and slowly crack your password. If of course you have a very nice, complex password with letters, numbers, capital letters and other characters. These crackers won’t be able to crack it. So one way is to simply do that.

But some still can as far as I’m aware. Plus there are still other holes hackers can pick simply by getting access to this area. So how do you stop them from getting to the admin login or admin area completely?

1. Password protect your admin folder: Simple, just do this in your cPanel. Protect your WordPress admin folder with a password, there’s one layer of protection.

2. .htaccess IP restriction: You can stop any IP other than ones you define from getting to your admin login panel. To do this simply open the .htaccess file in your wp-admin folder to edit, if you don’t have one – simply create one in there.

Place in that file the following:

order deny,
allow deny from all allow from xx.xx.xx.xx
allow from xx.xx.xxx.xx

Obviously replace the x’s with what your IP is. You can specifically deny access to a single IP or multiple IP’s or, of course – only allow access to your IP.

Now if you have a dynamic IP you might not be able to do this if your ISP gives you a different IP address everytime you connect.

Luckily I have a static IP so it never changes.

In Closing…

So as you can see, protecting your blog from hackers is a very simple process but could save your archive from getting blasted, the easiest way is to simply back-up your databse. Which you should do regularly anyway incase anything unexpected happens.

Not to be ignorant though. As if a hacker is a good hacker, they will get into your database regardless of how many little obstacles you put in their way. It’s just like jumping a few hurdles to get to the finish line. You can in theory almost completely wipe out the possibility of getting hacked even by the best of the best, but it takes a lot of good php security.

That said, prevention is still a good thing. Average hackers or so called hackers, more like people who just use automatic password decryption tools to get your admin password won’t get past these preventions. So why even give them the satisfaction of doing it to begin with.

For the rest of this weekend I’ll be posting purely on WordPress. I say it ‘begins’ as in now but realistically it began with my last post – WordPress Users: Backup Your Blog.

I just decided to make it into a little event since I have some more posts to come on it.

That’s anything from cool new plugins to top themes to security leaks.

So from now until Monday, if you’re WordPress user which I imagine most of you are. Look out for some great posts on WP!

Today was the first time I’ve actually ever backed up this blog.

Backing up your blog should be done on a monthly basis, just incase anything unexpected happens to your database.

Most issues can usually be fixed anyway but imagine something drastic happened and you lost all of your posts.

All those hard written articles… gone!

I’m lazy when it comes to things like this, type of thing I can never be bothered to get round to doing. But since I also upgraded today thought I may as well get it done.

Went with the easiest possible option for backing up as couldn’t be bothered with the manual method… even though that’s easy to. Anyway…

Check out this plugin – it’s one click download backup:

Download

Clickidy Click Click!

Installation

1. Download zip folder.

2. Upload and extract in the plugins folder in your WordPress directory.

3. Activate the plugin in the plugin menu on your Admin WordPress panel.

4. Go to Manage and click Backup, then it’s just a case of a one click download.

Simple as that!

You can either download to your desktop or you can save it to your server for you to grab later.

You can also configure it to send the backup to your email address. You can have scheduled times also, so you could even have a daily backup if you’re paranoid