WordPress Security Plugin - block scrapers, hackers, and more

Posted by ljmacphee on June 8, 2008 under security, tools, wordpress | 54 Comments to Read

** 7/15/08 Turn off the security script while you do the WP 2.6 update
** 7/25/08 I added a white-list how-to blog entry for those of you wanting to white-list some IP numbers.

This is part 2 of a 3 part security suite for WordPress. This part blocks cross-site script attempts and the IP numbers of ill-behaved people and bots, and bans bad user agents. Since trouble is always changing, this plugin lets you adjust who you want to block. I’ve started you out with every bad bot I caught on my site this past month. You can remove bots, add bots, and add and remove IPs and requests.

Many internet websites list bad bots, or you can just watch your access logs to see who is causing problems on your site. Several tools used to scan your WP installation for weaknesses to hack are blocked, and you can add more to the list as new ones appear on the net.

Cross-site scripting attacks often contain .txt? .txt?? .txt??? or ?_wp_http_referer in the request URI. If new cross-site scripts show up, you can easily add them to the list.

Anyone whose bot or request shows up on your blacklist has his IP automatically added to your blacklisted IP list.

This plugin creates a page under ‘Manage’. On it you can blacklist IP numbers, user agents, and requests that you don’t want on your site.

If you have the TTC User Registration Bot Detector installed, both plugins will use the same bad IP list to make things easier for you.

The management page will also give you a list of all attempts at registration and if they were bounced and why.

Download TTC WP Security plugin

You should also add an email address to the error page. Do not use your main email address. Just set up an extra email address and change the error page like so:


// print error page
print "<html>\n";
print "<head><title>Banned</title></head>\n";
print "<body>\n";
print "<h2>Banned: $blacklisted: $code</h2>\n";
print "<p>Contact: <a href=\"mailto:timestocome@gmail.com\">timestocome@gmail.com</a> if you have questions.</p>\n";
print "<p>Be sure to include your IP number.</p>\n";
print "</body>\n";
print "</html>\n";


Or you can just totally customize the two error pages. One starts at line 145, the second at line 171. Look for “// print error page”

If you use quotes in your page for a link you must escape them. Use \" where you would normally use a ".
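To show how the pieces above fit together, here is an added example of the request checks the post describes (blacklisted IPs, user agents and request strings, with the IP of a matching agent or request added to the IP blacklist) together with a banned page sent with an HTTP 403 status. It is not the TTC plugin’s own code: the list contents are constructed, the contact address is a placeholder, and the function names are my own. The banned page escapes the values it prints, so a hostile user agent or URI cannot inject markup into it.

```php
<?php
// Added example, not the TTC WP Security plugin's code. The lists below
// are constructed; the real plugin edits them on its 'Manage' page and
// stores them in the database.
$bad_agents   = array('libwww-perl', 'Java/1.');       // constructed
$bad_requests = array('.txt?', '?_wp_http_referer');   // from the post
$bad_ips      = array('192.0.2.10');                   // RFC 5737 test address

/**
 * Decide whether a request should be banned.
 * Returns null if it is allowed, otherwise array(list, matching entry)
 * where list is 'ip', 'agent' or 'request'.
 */
function ttc_check_request($ip, $agent, $uri, $bad_ips, $bad_agents, $bad_requests) {
    if (in_array($ip, $bad_ips, true)) {
        return array('ip', $ip);
    }
    foreach ($bad_agents as $needle) {
        // user agents vary in case, so compare case-insensitively
        if ($needle !== '' && stripos($agent, $needle) !== false) {
            return array('agent', $needle);
        }
    }
    foreach ($bad_requests as $needle) {
        // plain strpos on the raw URI so '?' and '.' match literally
        if ($needle !== '' && strpos($uri, $needle) !== false) {
            return array('request', $needle);
        }
    }
    return null;
}

/**
 * Send the banned page with an HTTP 403 status and stop. The mailto
 * address is a placeholder; use the spare mailbox the post recommends.
 */
function ttc_print_banned_page($blacklisted, $code) {
    header('HTTP/1.1 403 Forbidden');
    $blacklisted = htmlspecialchars($blacklisted, ENT_QUOTES, 'UTF-8');
    $code        = htmlspecialchars($code, ENT_QUOTES, 'UTF-8');
    print "<html>\n";
    print "<head><title>Banned</title></head>\n";
    print "<body>\n";
    print "<h2>Banned: $blacklisted: $code</h2>\n";
    print "<p>Contact: <a href=\"mailto:you@example.com\">you@example.com</a> if you have questions.</p>\n";
    print "<p>Be sure to include your IP number.</p>\n";
    print "</body>\n";
    print "</html>\n";
    exit;
}

// Typical use at the top of the plugin, before WordPress does any work.
$ip    = isset($_SERVER['REMOTE_ADDR'])     ? $_SERVER['REMOTE_ADDR']     : '';
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$uri   = isset($_SERVER['REQUEST_URI'])     ? $_SERVER['REQUEST_URI']     : '';

$hit = ttc_check_request($ip, $agent, $uri, $bad_ips, $bad_agents, $bad_requests);
if ($hit !== null) {
    // The behaviour the post describes: a blacklisted agent or request
    // also gets the IP blacklisted, so it is banned on its next visit.
    if ($hit[0] !== 'ip' && $ip !== '' && !in_array($ip, $bad_ips, true)) {
        $bad_ips[] = $ip;   // a real plugin would persist this with update_option()
    }
    ttc_print_banned_page($hit[0], $hit[1]);
}
```

Because the check runs before any other WordPress code, a banned request costs a few string comparisons and nothing else; the same function can be called from a test with hand-built `$ip`, `$agent` and `$uri` values to confirm a new list entry matches what you saw in the access log.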

Part 1 - Block bots from registering on your blog

Part III Tripwire tells you which files have been recently altered

See also:
Requests I’m blocking for a current list of things to block
Bots I’m blocking for a current list of bots we block
Per request, I added directions to send an HTTP error code instead of an error page: How to send an HTTP error code with PHP

More information:
Know your enemy: Web application threats
Secunia: Wordpress security vulnerabilities
SQL Injection Cheat Sheet
Google Online Security Blog

Wordpress plugin to prevent bot registrations

Posted by ljmacphee on June 2, 2008 under security, tools, wordpress | 22 Comments to Read

While BadBehavior and WebProfessor do very good jobs at keeping bots from registering on your WordPress site, I wanted the control WebProfessor gave me and the automation that BadBehavior gave me, but neither did both.

So here is a plugin to help keep bots from registering on your website. It will log all registration attempts and tell you why it bounced any bots.

You can blacklist domains, emails, and IPs.

It will automatically block anyone whose IP shows up more than once, who is listed in Spamhaus, or who you’ve blacklisted. If your hosting company allows ‘file_get_contents’ calls, you can uncomment the StopForumSpam check and consult their list as well.

Anyone pretending to be a browser but whose ‘accept’ line is wrong will also get bounced.
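As an added example of the registration checks listed above (blacklisted emails, domains and IPs, a repeat IP, a Spamhaus listing, and a browser-looking request with a wrong ‘accept’ line), here is a single check function that returns the reason a registration was bounced, which is what the plugin writes to its attempt log. This is not the TTC User Registration Bot Detector’s own code: the list contents are constructed, the Spamhaus zone (zen.spamhaus.org) and the rule that a real browser’s Accept header contains text/html or */* are my assumptions, and the DNS lookup is pluggable so the function can be exercised without network access.

```php
<?php
// Added example, not the TTC User Registration Bot Detector's code.
$blocked_domains = array('example.net');          // constructed
$blocked_emails  = array('spammer@example.org');  // constructed
$blocked_ips     = array('192.0.2.10');           // constructed

// Registration attempts already seen per IP. The real plugin keeps this
// in the database; the value here is constructed.
$attempts_seen = array('198.51.100.7' => 1);

/**
 * DNSBL lookup. A listed IP resolves, reversed under the zone, to a
 * 127.x.x.x answer; an unlisted one does not resolve and gethostbyname
 * returns the query string unchanged. $resolver is any callable with
 * gethostbyname's signature, so tests can substitute a stub.
 * Assumption: zen.spamhaus.org is the zone the post means by Spamhaus.
 */
function ttc_dnsbl_listed($ip, $zone = 'zen.spamhaus.org', $resolver = 'gethostbyname') {
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;   // only IPv4 is handled here
    }
    $query  = implode('.', array_reverse(explode('.', $ip))) . '.' . $zone;
    $answer = call_user_func($resolver, $query);
    return $answer !== $query && strpos($answer, '127.') === 0;
}

/**
 * Return null to allow the registration, otherwise a short reason for
 * the attempt log.
 */
function ttc_check_registration($email, $ip, $accept, $attempts_seen,
                                $blocked_domains, $blocked_emails, $blocked_ips,
                                $resolver = 'gethostbyname') {
    $email = strtolower(trim($email));
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'malformed email';
    }
    $domain = substr(strrchr($email, '@'), 1);   // '@' is guaranteed by the validation
    if (in_array($email, $blocked_emails, true)) {
        return 'blacklisted email';
    }
    if (in_array($domain, $blocked_domains, true)) {
        return 'blacklisted domain';
    }
    if (in_array($ip, $blocked_ips, true)) {
        return 'blacklisted ip';
    }
    if (isset($attempts_seen[$ip]) && $attempts_seen[$ip] >= 1) {
        return 'repeat ip';   // this attempt is the second or later from the IP
    }
    // Assumption: browsers advertise text/html (or */*) in Accept; scripts
    // that only borrow a browser user agent usually send something else.
    if (strpos($accept, 'text/html') === false && strpos($accept, '*/*') === false) {
        return 'bad accept header';
    }
    if (ttc_dnsbl_listed($ip, 'zen.spamhaus.org', $resolver)) {
        return 'listed in spamhaus';
    }
    return null;
}

// Usage with the request's own values; a real plugin runs this from the
// register_post hook instead of at top level.
$reason = ttc_check_registration(
    isset($_POST['user_email'])     ? $_POST['user_email']     : '',
    isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR']  : '',
    isset($_SERVER['HTTP_ACCEPT'])  ? $_SERVER['HTTP_ACCEPT']  : '',
    $attempts_seen, $blocked_domains, $blocked_emails, $blocked_ips
);
if ($reason !== null) {
    error_log("registration bounced: $reason");   // the log the post describes
    header('HTTP/1.1 403 Forbidden');
    exit;
}
```

The checks are ordered cheapest first, so the DNS lookup only happens for an attempt that has passed every local test; passing a stub such as `function ($q) { return '127.0.0.2'; }` as `$resolver` lets you confirm the Spamhaus branch without touching the network.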

screenshot of bot blocker plugin

Download

See also:
Part 2 of 3: WordPress Security Plugin to block scrapers, hackers and more
Part 3 of 3: WordPress plugin tells you which files have been altered recently

How to incorporate Twitter into your WP blog, twittering my time away

Posted by ljmacphee on May 19, 2008 under how to, tools, wordpress | Be the First to Comment

All the major blogs on blogging were urging their readers to start Twittering a few months back. I had heard of Twitter, looked at Twitter, but hadn’t yet done anything with Twitter. So I signed up for an account: Twitter.com/timestocome.

There it sat with nothing but the default tweet for over a month. I then attended a garden blogger’s convention in Austin and several garden bloggers said they were using Twitter on their blogs and quite happy about it. ( And I’m thinking I’m really behind the times if my fellow garden bloggers are out teching me. )

So things have finally quieted down and I had a chance to play with Twitter again. There are several plugins for Wordpress blogs and Twitter. I started using Twitter updater to post notices to my Twitter account when I have a new blog post, but it updated Twitter every single time a file saved, even if the post date was in the future and the post wasn’t completed.

I’m trying Twitter for Wordpress to publish my most recent Twitter in my sidebar on my personal blog. So far it seems to be working well.

There is also a Twitter Tools plugin which allows you to send notices of your posts and also add tweets to your sidebar. I’m now using that to send tweets for new posts. I’ve found it also updates Twitter when you update an existing published post, but not for pages. So that was a bit of a pain. It also posted a link back to the Twitter Tools plugin page on each and every tweet.

As well as announcing new blog posts, you can use Twitter from your cell phone with SMS. It is extremely simple. Go to Twitter->Settings->Devices and plug in your mobile phone number. Twitter then gives you a code; you send an SMS to Twitter ( 40404 ) with the code and you’re good to go. Just SMS anything you want posted on Twitter to 40404 from then on.

Tweets are limited to 140 characters, so like text messages you’ll need to be short and to the point.

Twitter might turn out to be useful for blogging, but I’ve yet to find a plugin that updates only for new posts without adding stuff to the tweet. So for now I’ll be updating Twitter manually to announce new posts. Twitter has badges for MySpace, Blogger, Facebook and TypePad. Just follow the ‘Display Twitter on your website’ links while on Twitter to build a badge.

I’m also noticing that none of the profiles on the techy forums I post at have Twitter spots in user profiles. So I’m thinking it’s not really mainstream yet. At least among the geekiest of us.

How to use keywords to help attract visitors

Posted by ljmacphee on March 3, 2008 under search engine, tools | Be the First to Comment

Keywords are the words that people type into search engines like Google and Yahoo when they want to find information. For instance people looking for house plant information might type ‘house plants’, ‘houseplants’, ‘house plant care’, etc.

When you write your blog entry you want to use those same keywords in your blog entry, and use them in the post title. This will give you a higher placement for those terms and make it easier for customers to find you.

There are several free sites that will help you find and choose keywords:
Overture (excellent site, when it’s up)
SEO Book Keyword Suggestion Tool
Free Keyword suggestion tool