Herself's Webtools

Scripts, HowTos, Templates, Plugins, Widgets, Tips

Archive for the ‘things you should know’ Category

Some bot blocking htaccess hacks for WordPress

without comments

There are some great security plugins out there. But all WordPress security plugins require that the bot use the front door to the website. Otherwise the security plugin isn’t turned on.

Your .htaccess file provides better coverage and is more efficient. I realize not everyone has access to .htaccess and that is why bot blocker, security plugin and other security plugins exist. But if you have access to .htaccess that is where you should be doing your security.

This will not stop all bots but should slow them down quite a bit.

Improved .htaccess file

^ – starts with
$ – ends with

———————————————————————————
# block known trouble makers dumb enough to
# announce who they are
SetEnvIfNoCase User-Agent “^EmailSiphon” bad_bot
SetEnvIfNoCase User-Agent “^EmailWolf” bad_bot
SetEnvIfNoCase User-Agent “^ExtractorPro” bad_bot
SetEnvIfNoCase User-Agent “^CherryPicker” bad_bot
SetEnvIfNoCase User-Agent “^NICErsPRO” bad_bot
SetEnvIfNoCase User-Agent “^Teleport” bad_bot
SetEnvIfNoCase User-Agent “^EmailCollector” bad_bot
SetEnvIfNoCase User-Agent “^LinkWalker” bad_bot
SetEnvIfNoCase User-Agent “^Zeus” bad_bot
SetEnvIfNoCase User-Agent “^botpaidtoclick” bad_bot
SetEnvIfNoCase User-Agent “^Click Bot” bad_bot
SetEnvIfNoCase User-Agent “^WebRipper” bad_bot
SetEnvIfNoCase User-Agent “^Wget” bad_bot
SetEnvIfNoCase User-Agent “^Snoopy” bad_bot
SetEnvIfNoCase User-Agent “^Security Kol” bad_bot
SetEnvIfNoCase User-Agent “^libwww-perl” bad_bot
SetEnvIfNoCase User-Agent “^Java” bad_bot
SetEnvIfNoCase User-Agent “^DataCha0s” bad_bot
SetEnvIfNoCase User-Agent “^Grazer” bad_bot
SetEnvIfNoCase User-Agent “^lwp-request” bad_bot
SetEnvIfNoCase User-Agent “^lwp-trivial” bad_bot
SetEnvIfNoCase User-Agent “^Morpheus” bad_bot
SetEnvIfNoCase User-Agent “^Site Sniper” bad_bot
SetEnvIfNoCase User-Agent “^Winnie Poh” bad_bot
SetEnvIfNoCase User-Agent “^curl” bad_bot
SetEnvIfNoCase User-Agent “^Akregator” bad_bot
SetEnvIfNoCase User-Agent “^ac-baidu” bad_bot
SetEnvIfNoCase User-Agent “(Ubuntu-feisty)$” bad_bot

<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</Limit>

# block directory browsing
Options All -Indexes

# protect some files
<files wp-config.php>
order allow,deny
deny from all
</files>

<files .htaccess>
order allow,deny
deny from all
</files>

# block bot registrations and send them to the front door
# if you try to register and your accept statement only has */*
# I’ll think you’re a bot
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-login\.php*
RewriteCond %{HTTP_ACCEPT} ^\*\/\*$
RewriteRule (.*) http://yourdomain.com/ [R=301,L]
</IfModule>

———————————————————————————

Additional resources:
Perishable Press Stupid htaccess tricks
Almost Perfect htaccess File for WordPress

Written by Linda MacPhee-Cobb

December 6th, 2009 at 2:54 pm

Simple SEO hacks for WordPress

with 2 comments

Always there are trade offs. The more information you pull from your database to put in each page, the greater the drain on your server.

To do well in search engine rankings you want individual titles and meta descriptions for each individual page. To do this in WordPress you pull the information from the database in your header.php file.

When I ran into server problems I took this out and yes, it hurt my search engine rankings. Now that I’m with Media Temple and things seem to be running smooth I’m adding them back in.

Most, but not all, themes do have the title customized, few have meta tags customized and even fewer have them done properly.

To have an individual title for each separate post and page use this in place of the current title<title>…</title> in your header file.

<title><?php if (is_single() || is_page() || is_archive()) { wp_title(”,true); } else { bloginfo(‘name’); echo(‘ &#8212; ‘); bloginfo(‘description’); } ?></title>

To have a customized meta description for each page and post use this in your head.php file

<?php if (is_single() || is_page() ) : if ( have_posts() ) : while ( have_posts() ) : the_post(); ?>
<meta name=”description” content=”<?php the_excerpt_rss(); ?>” />
<?php endwhile; endif; elseif(is_home()) : ?>
<meta name=”description” content=”<?php bloginfo(‘description’); ?>” />
<?php endif; ?>

I looked at several SEO optimized themes at WordPress and very few had the custom meta tags.

To see if the meta tag is working on your site pull up an individual post:

In your browser look for view->page->source

Look through the top of the page source and you should see <meta description and specific information for that page.

To see if the custom title is working bookmark the page and see if the title defaults to your blog name or the title of that page.

How do I know Google wants this.  Google told me.  Are you using Google Webmaster Tools?

And have you read Google Search Engine Optimization Guide ( pdf )?

Written by Linda MacPhee-Cobb

November 22nd, 2009 at 11:49 am

Trackback spam and xmlrpc

without comments

One of the more fun things to do with your blog is to post to it remotely from Flickr, your cell phone, email etc. I remote post to my personal blog, the rest I sit at a computer and log in to to write posts.

If you only write posts while logged onto WordPress you don’t need xmlrpc.php. This file is included only for remote publishing. When I installed WordPress 2.7 I turned off trackbacks and xmlrpc in my settings.

Despite turning it off the non-technical sites got slammed with trackback spam and comment postings from non users. Akismet caught all of it but I’d rather not have it even hitting Akismet.

If you do not do remote publishing on your blog I strongly recommend deleting the xmlprc.php file. Many of the WordPress security updates have come from problems with this file and assuming you haven’t done anything too creative with your WordPress install it’s your weakest link in security.

If you post to your blog from Flickr, email, Google Docs or similar clients you’ll need to leave in xmlrpc.php as they need it as an interface to talk to your blog.

If you allow trackbacks on your blog you need to leave the trackback.php file in your WordPress install. If like me, you don’t allow trackbacks, go ahead and delete trackback.php. For me the spam to legit trackback ratio is just too high to be worth the trouble.

I don’t know why turning both of these off in 2.7 doesn’t work, perhaps a future patch will correct it?

More information:
How to combat WordPress trackback spam
Guide to reducing WordPress Trackback spam and comments
XML-RPC at SourceForge
XML-RPC WordPress Codex
Weblog Client (lists clients that require xmlrpc on WordPress )
XML-RPC Changes in WordPress 2.7
XML Rewriting Attacks: Existing Solutions and their Limitations

Written by Linda MacPhee-Cobb

December 30th, 2008 at 10:24 am

A quick overview of web technologies old and new

without comments

If you are new to web development or if you are debating which tools to use for your site you’ll want to give this paper a read. It covers all the main and many less common technologies. Descriptions, pros and cons of the various web technologies are covered.

Web-based application developers face a dizzying array of platforms, languages, frameworks and technical artifacts to choose from. We survey, classify, and compare technologies supporting Web application development. The classification is based on (1) foundational technologies; (2)integration with other information sources; and (3) dynamic content generation. We further survey and classify software engineering techniques and tools that have been adopted from traditional programming into Web programming. We conclude that, although the infrastructure problems of the Web have largely been solved, the cacophony of technologies for Web-based applications reflects the lack of a solid model tailored for this domain.

Download (pdf) Survey of Technologies for Web Application Development

Written by Linda MacPhee-Cobb

July 21st, 2008 at 5:00 am