Security in WordPress: Are you still showing YOUR plugins?

Michael Kwan’s blog was recently hacked by a clever hacker who managed to hide his visit neatly. Michael will tell you all about the story at his blog. This event, plus a couple of others, has got me thinking about blog security. I’ll be doing a fuller post on my own experiences, ideas and suggestions.

It’s going to be a long post, so it will take some time to put all the pieces together. In the meantime, why don’t you sign up for my feed… so you don’t miss it!


Apart from the obvious tactic of keeping your blog software, themes, and plugins up to date, several bloggers have suggested ways to make it more difficult for an outsider to find out which version of the blog platform, and which plugins, you are actually running.

The typical solution is to add a blank HTML file to the /wp-content/plugins/ directory so that anyone browsing there sees a blank page, or in John Cow’s case a Moo! But I was surprised to learn that this technique is easy to get around. Anyone who can guess that a particular plugin is installed can retrieve the directory listing for that plugin’s own folder, even though the higher-level directory is masked. Take a gander:

[Image: johchow]

(This image was taken from one of my other blogs with the WP-Cache plugin installed and active.)

I found the directory listing for the wp-cache folder of another blogger who had otherwise masked his plugins directory with the standard blank HTML file. Unfortunately, a determined hacker will be able to figure out which plugins you likely have, rifle through each plugin’s subdirectory to see which files exist, and perhaps hack your blog… I could see the contents of this wp-cache directory, plus all the other ones I knew this blogger to have been using. Mmm! I didn’t think that was particularly secure.

What alternatives are there?

Standard .htaccess

Yes, you could simply use an ‘htaccess’ file to stop the plugins from being displayed, but you would have to manually write and upload the file to each and every plugin directory that you already have. On my blog that would mean doing it more than ten times, I think. It would look something like this:

Redirect 301 /index.html http://www.your-domain.com/
Redirect 301 /index.htm http://www.your-domain.com/
Redirect 301 /index.php http://www.your-domain.com/

But I realized that with the most commonly suggested solution for preventing the viewing of plugins, namely a 301 redirect, it is still possible to view the contents of any directory below the one in which the htaccess file is placed. So even if you place the htaccess in the directory of a particular plugin, some plugins also contain subdirectories (for images, etc.) that will still be visible. Tiring work…, so…

IndexIgnore

If you have a lot of directories in the plugins folder, the simple and easy solution is to create an htaccess file containing the single directive “IndexIgnore *” and place it in the /wp-content/plugins folder. This should prevent anyone from seeing the listing in that folder or in any folder below that level. It generates an error like this:

[Image: investorblogger]

It’s not very pretty, but it’s effective: browsers won’t display the contents. It could also be an opportunity wasted. Why?

HTML file

The standard blank HTML file mentioned above looks something like this:

<HTML>
<HEAD>
<TITLE>Blank Page</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=utf-8">
</HEAD>
<BODY>
</BODY>
</HTML>

Then Michael Kwan suggested adapting it to a page redirect in a chat we were having. He wrote: “…I’m thinking that it’s also possible to do an index.php and then put in a redirect… if you keep this file handy then you can upload it each time you install a new plug-in…” I began to think: what a good way to turn a problem into an advantage! I’m using an HTML file, though, not a PHP file.

The blank HTML file doesn’t show anything, and visitors who land there inadvertently will not know what’s wrong. And a 404 only shows that a page was not found. So why waste the opportunity? I’ve adapted some simple code that I use, and it should work a treat. I would like to attribute this code, but I can’t remember where it came from!

Page Redirect

With this page redirect, it’s easy to redirect visitors quickly and conveniently to the most recent posting or indeed any specific page you want:

<html>
<head>
<title>Your Domain</title>
<meta name="robots" content="noindex,nofollow">
<script>window.location="http://www.yourdomain.com";</script>
<meta http-equiv="refresh" content="1; url=http://www.yourdomain.com">
</head>
<body>
<p align="center">You are going to Your Domain Name now…
<br>If the page does not load after 5 seconds or if you are (like me) impatient,
<a href="http://www.yourdomain.com">just click here</a>.</p>
</body>
</html>

The only downside is that you’d have to add this to every plugin directory the first time. But you could easily keep a copy somewhere and copy it into each new plugin directory before you upload the plugin.
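As an added example (not code from the original post), this shell script audits a local WordPress install for plugin directories that have no index file, including the subdirectories a per-plugin redirect misses, and copies your blank or redirect index.html into each of them. It assumes you run it on the server or on a local copy of the site; the WordPress path and template path are placeholders you pass on the command line.

```shell
#!/bin/sh
# Added example, not code from the original post. Audit a local WordPress
# install for plugin folders (and their subfolders, e.g. images/) that have
# no index file and would therefore be listed by Apache when Indexes is on,
# then drop a copy of your blank or redirect index.html into each of them.
# The WordPress path and template path are given on the command line;
# no real site paths are assumed.

# Print every directory under wp-content/plugins that lacks an index.html,
# index.htm or index.php. Subdirectories are included, which is exactly the
# gap a per-plugin .htaccess redirect leaves open.
find_unprotected_dirs() {
    wp_root="$1"
    find "$wp_root/wp-content/plugins" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.htm" ] \
            && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Number of unprotected directories, as a plain integer (0 once fixed).
count_unprotected_dirs() {
    find_unprotected_dirs "$1" | wc -l | tr -d ' '
}

# Copy the template into every unprotected directory as index.html.
# Existing plugin files are never modified or overwritten.
protect_plugin_dirs() {
    wp_root="$1"
    template="$2"
    find_unprotected_dirs "$wp_root" | while IFS= read -r dir; do
        cp "$template" "$dir/index.html"
    done
}

# Usage: sh audit_plugins.sh /path/to/wordpress [blank-or-redirect.html]
# With one argument it only reports; with two it also fixes.
if [ "$#" -ge 1 ]; then
    if [ "$#" -ge 2 ]; then
        protect_plugin_dirs "$1" "$2"
    fi
    echo "Unprotected plugin directories: $(count_unprotected_dirs "$1")"
fi
```

Run it once after installing a new plugin and the count should return to zero; it does not check for an .htaccess (IndexIgnore or otherwise), so use it alongside that approach rather than instead of it.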

Thanks to Michael Kwan, and others for providing information that helped to write this blog. I’d appreciate any updates on security, so just drop me a line, especially if I got something wrong.

(Post edited for language, clarifications, and so on.)

DashBoard Editor: Changing your Dashboard in WordPress

Sometimes, as a blogger, I get tired of the traditional look and feel of the Administration Panel, and the slow loading of the WordPress feeds drives me nuts. I’ve tinkered with the Administration page before on more than one occasion, but recently I’ve been trying two plugins that are pretty neat: DashBoard Editor (this post) and MyDashBoard (Thursday).

DashBoard Editor
The first is Dashboard Editor, a simple plugin that adds a dashboard configuration switch under the Dashboard editor. Currently I can’t get the website to load, but you can try again later.

[Image: dashboard-clean]

It’s very simple to operate. And, most importantly, it works in a non-destructive way, so you can simply disable the plugin, and everything’s back to normal.

At the top you will see a text area that you can type in. This text will appear in the dashboard. Formatting is very similar to the bb-code style of posts and pages. If you used to blog in WP1.0+, you will already be familiar with the switches.

Below that area are a number of check boxes, all of which are self-explanatory. They allow you to remove the feeds, incoming links, news and so on. Of course, you can simply clear everything and start from nothing. One of the neatest features is that you can use plugins, too. If you tick the last switch, entitled “Use Sidebar Widgets”, a separate column is created under your Presentation >>> Widgets menu. Simply create, add or move any widgets you want to show up on the Admin panel.

There are some limitations that you may wish to consider:
1. There’s no obvious way to have a widget in two places, i.e. in your Admin sidebar as well as the general sidebar(s). Also, the Admin sidebar is only available to those who log in.

2. If your blog has many users who can register and log in, you may wish to think carefully about the information you enter. For example, putting the password for your email account in there may not be the wisest thing to do! Currently, there is no way to vary the Admin area for different levels of user.

Overall, it’s easy to implement, easy to use, and easy to remove. We are looking forward to the developer adding features in the future!

New Themes: Revolution and the Morning After

The choice of theme for a website running WordPress used to be: use a blog-style theme, or pay a lot of money to have your website designed professionally. But now there is a lot of interest from publishers in using WordPress as the website itself, so it’s getting easier to find themes that fit that need.

[Image: news revolution]

Revolution Themes by Brian Gardner is one such set of themes, which allows WordPress to appear almost as a magazine. The theme makes good use of a number of factors important to magazine sites, including:

  1. front page space allowing main features to be shown,
  2. lots of links to recent articles,
  3. videos and large graphics,
  4. mailing list box,
  5. 486×60 box for a graphic,
  6. archives,
  7. section pages.

There is also space for a lot of other things at the bottom and in the middle. The quality of the design is excellent and would likely appeal to those creating a magazine-style website. It’s not free, but at $99 for a single install it could be a good deal! His other notable themes include the Blue Zinfandel series.

For those on a budget, there are a couple of ‘free’ themes that work along the same lines, of which the best seemed to be ‘The Morning After’ from Arun Kale.

[Image: home preview tma]

To get the posts working, you’d need to create two additional categories for the blog. But it looks good and might be a good way to test out a magazine format. Other features include:

  1. A three-column home page
  2. “Featured” post highlighting
  3. Associating images/thumbnails with recent posts
  4. Customisable logo/header image
  5. Easy CSS classes for adding captions and wrapping text around images in posts
  6. Asides

Whether or not your blog is becoming a magazine, the number of front-page links to your archives in either of these formats would be a good way to drive traffic to your older posts. You could tweak the formats even further to add extra stories; this would help your older stories be found more easily, especially if you have a lot of content hidden away (on my primary blog, there are now nearly 800 individual posts!).