Category Archives: hosting

how to secure your wordpress blog


WordPress is popular and as it goes with all kinds of popular software, it becomes a target for hackers trying to take over and use your site to send spam into the world, or just cause some other kind of mayhem.

To protect yourself from this kind of trouble, there are a few things you can do to prevent bad things from happening to your precious WordPress site.

  1. First of all, keep your WP software up-to-date. There are usually some security fixes in there and you do want to have those live on your public facing site. Hackers know what the vulnerabilities are in old WP versions and scan the internet automatically for unpatched sites. Don’t become an easy target by not having the latest version of WP installed. The latest version of WP (v3.7.1) is able to do security updates itself which is awesome. Be sure to check if your site supports this and activate it if it does.
  2. Keep your plugins up-to-date as well for the very same reason. Old plugins can offer a way in for hackers and we don’t want that to happen.
  3. Delete (old) plugins you don’t use anymore, or replace them with newer ones. JetPack has a lot on board out of the box now so you can probably ditch a few old plugins. The fewer plugins you have, the fewer possible vulnerabilities your site has.
  4. Take regular backups. In case something goes wrong, you can at least restore a version you know isn’t compromised.
  5. Harden your WP site by configuring your .htaccess file if your site runs on an Apache web server. It’s explained nicely how to do that in the link. It can prevent hackers that do get access through a bad plugin from doing any more damage to the rest of your site.
  6. Use a long, hard to guess and preferably random password for your admin account. Using a different admin user is also a good idea. Brute force login attempts are made against the default “admin” user, so if that one has a long random password you’re pretty safe there. You can use something easier to remember for an alternative admin account if you want, but I recommend using something like KeePass to manage long & unguessable passwords anyway.

Here are some plugins that can help with these tips:

  • WordFence scans your site for possible vulnerabilities by checking your installed WP and plugin files against the ones from the official releases. It also helps with the first 2 tips by warning you by email if a plugin or WP itself needs an update. Quite handy.
  • WP security audit log won’t prevent anything, but it keeps track of logins, updates of plugins etc, so that if something weird happens, you can use it to figure out the “when” and “what”.
  • A backup plugin. There are plenty and you should pick one that fits your needs. I use BackUpWordPress for a DB backup only, but it can also back up the files. It sends you an email with either the zipped backup or a link to download it if it’s too big to stuff in the email. Your host might also have a full backup feature, which is usually the best option anyway as it will back up more than just your WP site.
  • BruteProtect protects (as it says) against brute force login attempts, a problem a lot of WP blogs had to deal with lately. Next to that you should of course make sure you have a complex password for your admin account.
  • Bad Behavior is mainly a tool to combat spam, but since it scans for incoming malicious requests it can also block the occasional bot looking for vulnerable sites.

guess who got hacked


Let me tell you about that time my site got hacked.

Once upon a time I received this email from Google. Now when Google emails you, you usually pay attention, even if it’s a bot. Those guys know their stuff.
The email told me that my site was possibly hacked because it was suddenly feeding spam when the Google bot was passing by.
The reason why I got this email is because I use the free web master tools from the G btw. That way they know my site has behaved nicely over the years, and when it suddenly started spewing spam, they knew something bad was up.

The scary part is that this only happened when Googlebot was munching my pages. Not when I or any other human passed by with a browser. So in other words, I didn’t have a clue.
Because it was quite the mystery, I checked my web folder and found a few suspicious files and folders in there. Suspicious, because I never put them there.

I found a folder named “coockies”, an unknown common.php, session.php and coockies.txt file. My .htaccess file was also changed. All php files and the .htaccess had the same timestamp. I compared my complete WP installation with the original installation files to be sure no other files were modified, which turned out to be the case.

The folder seemed to contain files with file names resembling URIs of my blog posts. The content was unreadable and appeared to be garbage. I’m guessing it was an encoded version of the spam my site was feeding Google.

At first I thought my WP blog was hacked, but the entry point was simply the modified .htaccess file. It contained a few new rewrite rules which checked the user agent of the incoming request, and if that matched any of the major crawlers, it would redirect to the new php files, which would feed the spammy content.

Cleaning up turned out to be rather easy.
I deleted all the new files, restored my old .htaccess file (hurrah for backups) and changed my site passwords just to be sure.

The fishy thing about all this is that I’m still not sure how these files got on my system (hence the password changes). The timestamp on the files seemed to point to the moment I last ran a WP and plugin update on my site. Maybe it was pulled in with a compromised plugin, but there is no way to tell which one it could have been. Another option is a compromised FTP account, but that password was already random before I changed it so that seems unlikely. I still changed it to a random and longer one to be sure.
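The three checks described above (spotting rewrite rules that only trigger for crawler user agents, comparing the install against the official release files, and noticing that all the dropped files share one timestamp) can be scripted. The script below is an added example, not code from the original post; the sample .htaccess, the file contents and the modification times are constructed inline, and the crawler name list and the `common.php` target are assumptions for the example. In practice you would walk the real install and a freshly downloaded release of the same WP version instead of the in-memory dictionaries used here.

```python
import hashlib

# Constructed sample .htaccess: WordPress's stock block followed by the kind
# of cloaking rules the post describes (condition on the User-Agent, rewrite
# to a dropped PHP file). The crawler list and target name are assumptions.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yandex|slurp) [NC]
RewriteRule ^(.*)$ common.php [L]
"""

# Names a crawler-targeting condition typically matches on (assumed list).
CRAWLER_NAMES = ("googlebot", "bingbot", "yandex", "slurp", "baiduspider", "msnbot")


def find_crawler_cloaking(htaccess_text):
    """Return (condition, rule) pairs where a RewriteRule is guarded by a
    RewriteCond on the User-Agent that names a search-engine crawler.
    Apache applies the RewriteCond lines preceding a RewriteRule to that
    rule only, so conditions are collected until the next RewriteRule."""
    findings, pending = [], []
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive == "rewritecond":
            pending.append(line)
        elif directive == "rewriterule":
            for cond in pending:
                if "%{HTTP_USER_AGENT}" in cond.upper() and any(
                    name in cond.lower() for name in CRAWLER_NAMES
                ):
                    findings.append((cond, line))
            pending = []
    return findings


def diff_against_release(installed, release):
    """Compare an installed tree with the official release files. Both
    arguments map relative path -> file bytes. Returns paths that were
    added, modified (different SHA-256) or are missing vs. the release."""
    def digest(data):
        return hashlib.sha256(data).hexdigest()
    added = sorted(p for p in installed if p not in release)
    missing = sorted(p for p in release if p not in installed)
    modified = sorted(p for p in installed
                      if p in release and digest(installed[p]) != digest(release[p]))
    return {"added": added, "modified": modified, "missing": missing}


def cluster_by_mtime(mtimes, window_seconds=60):
    """Group paths whose modification times lie within window_seconds of
    the previous file (sorted by time). A cluster mixing .htaccess with
    unknown .php files is the pattern the post describes."""
    ordered = sorted(mtimes.items(), key=lambda kv: kv[1])
    clusters, current = [], []
    for path, mtime in ordered:
        if current and mtime - mtimes[current[-1]] > window_seconds:
            if len(current) > 1:
                clusters.append(sorted(current))
            current = []
        current.append(path)
    if len(current) > 1:
        clusters.append(sorted(current))
    return clusters


# Constructed stand-ins for the release tree and the installed tree.
RELEASE = {
    "index.php": b"<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    "wp-config-sample.php": b"<?php // sample config\n",
}
INSTALLED = dict(RELEASE)
INSTALLED["common.php"] = b"<?php // constructed stand-in for a dropped file\n"
INSTALLED["session.php"] = b"<?php // constructed stand-in for a dropped file\n"
INSTALLED["coockies.txt"] = b"\x00\x7f constructed garbage \xff"

# Constructed modification times (epoch seconds): the dropped files and the
# .htaccess share one moment, the release files are much older.
SAMPLE_MTIMES = {
    ".htaccess": 1700000000, "common.php": 1700000000,
    "session.php": 1700000001, "coockies.txt": 1700000002,
    "index.php": 1650000000, "wp-config-sample.php": 1650000100,
}

if __name__ == "__main__":
    for cond, rule in find_crawler_cloaking(SAMPLE_HTACCESS):
        print("cloaking rule:", cond, "->", rule)
    print("file diff:", diff_against_release(INSTALLED, RELEASE))
    print("same-time clusters:", cluster_by_mtime(SAMPLE_MTIMES))
```

Run it against a real site by replacing the three constructed inputs with the contents of your .htaccess, a path-to-bytes map of the install and of the matching release zip, and `os.path.getmtime` values for each file; a cloaking finding plus a cluster of unknown files created at the same minute is exactly the evidence the post found by hand.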

I also took some extra defensive measures to try to avoid this kind of hack in the future, but that’s for another post.

Photo by Thomas Heylen, cc-licensed.

posting content anonymously


One of the cool things emerging from the gazillion web 2.0 sites that popped up like zits on an unfortunate teen’s face are websites where you can publish your stuff without creating accounts or registering in any way. Anonymous so to speak.

Posting a quick snapshot online? Want to share a snippet of code? A collaborative manuscript? A mini-wiki for a short-lived purpose? There’s plenty of sites that offer these kind of functions without having to register. You can sign up if you really really want to in most cases, like if you want to claim, edit or delete things afterwards. But sometimes, that stuff is just overkill and maybe you just want to slap it online in a hurry or without any ties to your persona.

Here are some good anon-services I found:

  • imgur.com: image sharing. Quick & easy. Keeps the pics as long as they are used for a fixed period of time. If not, they are deleted. Allows you to upload an image straight from a URL, which is damn handy if you want to avoid hotlinking pics from other sites.
  • bayimg.com, hosted by the lads from The Pirate Bay. Arrr! Free speech and all, upload anything (except pr0n that is).
  • pastebay.net, another one from The Pirate Bay lads. It’s like pastebin.com, but I’m sure it’s more anonymous and certainly uncensored. Features are syntax highlighting for code and you can create your own sub-domain if you want to separate your snippets from others.
  • pastebin.com: I bet you’ve seen this one before. Paste text/code in an online notepad, allowing comments. Great for easy & quick copy-paste sharing.
  • pastehtml.com: the same as the above, except that this one takes HTML code and saves it as a working page on the site. It’s like free and ad-hoc web hosting. Pretty darn cool. Keeps the pages forever (or as long as the hosting is paid for) according to the FAQ. Needs a Facebook account if you want to claim pages. Sort of a big minus.
  • wrttn.in: notepad/publishing tool. Create and publish text with or without markup, embed images, videos etc. Very minimal in style, but that’s just what makes it look good. All this without branding or ads. Sounds cool doesn’t it?
  • shrib.com is another notepad service. Simple and URL based. Share your notes, back em up, keep them private.
  • Last one for the minimalistic notepad shizzle is notepad.cc. Very clean and simple layout. Makes it all about just jotting down those notes. There’s always Google if you’re looking for even more of those type of notepad services.
  • piratepad.net : online collaborative Etherpad site. Allows for anonymous online collaborative text editing with a built in chat function. There are more Etherpad hosts out there since it’s open source software, so if you want you can even host your own. Oh yeah, and Arrrrr!!! of course. I almost forgot.
  • jottit.com : create a wiki, just like that. Anyone can edit, unless you claim it with a password. Sweet for mini sites and all!

A note on the use of “anonymous” here though. If you truly want to keep your identity hidden you might want to take additional measures than to simply trust the above websites in keeping your identity safe. Using a web browser to connect to any web site will give that site data about your browser, machine and geographical location. To shield this information and protect your online identity you should look into using an anonymizer like Tor.

10 reasons why wordpress kicks ass

  1. 5 minute install. Seriously.
  2. Install a new theme for your blog from inside WP. No need to mess with FTP clients and uploading files and stuff. Easy peasy.
  3. Tons of free and open source themes to choose from.
  4. Plugins allow endless possibilities. Whatever you are looking for probably exists already. Facebook/twitter/whatever integration, fancy widgets, syntax highlighting for code, caching, Google site map generators, you name it.
  5. Install plugins without leaving your WP admin page. No geek skills required.
  6. Comes with an automated backup plugin. Backup your database and email it to yourself daily. Do this!
  7. Upgrade your WP installation with 2 clicks. Maybe 3 (didn’t actually count, but it’s just clicking).
  8. The layout is super-flexible. 1, 2, 3 columns? None? Make your site look less like a blog and very CMS-like? No problem. There are themes for all that.
  9. PHP & MySQL hosts are everywhere. You’ll have no trouble finding a host at all. If you don’t want to do your own hosting, you can always create your blog at wordpress.com.
  10. It’s Open Source and has a huge community. This means that WordPress will never die! *stabs and Amen break start here*

Photo by {El Gris}, cc-licensed.

cheapest online storage ever?


By chance I stumbled across the Google Docs fees to expand your free 1GB space to whatever you feel like. It turns out you can get 20 frigging Gigs of online storage at Google Docs for 5 US dollars per year. That’s right. Per year! Some of those online web space/file hosting services have you pay that same amount a month, for less.

Since you can now upload any type of file to Google Docs this seems to be the cheapest way to serve your files to the world for now. At least it’s the cheapest I’ve come across so far. I even checked the Amazon S3 (you know, the whole cloud service thing) prices and even those can’t tip this kind of cheapness. I’ve never used the Amazon services before, but I doubt it’s as easy to upload and maintain files as it is on Google Docs since that’s just a matter of dragging and dropping.

Host away I’d say! Host away!

how to sync or backup files easily and securely

I found out not everybody knows about Dropbox yet and isn’t using it yet. So to sort that out, I’m going to blab about it right here cause I think it’s pretty damn neat. In short Dropbox allows you to sync files from your local PCs by installing a small client app on your machines. You get a “My Dropbox” folder in your “My Documents” folder and everything you dump in there gets uploaded to the Dropbox servers, and automatically downloaded on all other PCs where the client is also running. Voilà! Your machines are now perfectly in sync!

You get 2 gigabytes of free space so you can share some pretty big files that way too, or you can use it as a small off-site backup system. There are no size limits so you can waste the full 2 GB on a single file if you like.

Here’s some more cool stuff you can do with your Dropbox account:

  1. Share uploaded files using direct links. No ads, no fuss, just a direct link to the file to download.
  2. Share a whole folder with someone else’s Dropbox account. Allows for easy collaboration. Neat.
  3. Dropbox keeps a 30 day delete/change history of your files. So you can download a previous version of a file, or undelete it. It’s like a mini-source control system.
  4. Access your files from the website without the need to install the Dropbox client software. Handy in case you want to access a file from a computer where you can’t or don’t want to install the client.
  5. It’s secure. Your files are encrypted with your account password on the server so even the Dropbox folks can’t see what they are, and uploads go over an encrypted channel so peeping Toms get no idea either.
  6. It’s multi-platform. Linux, Mac, Windows and even the bloody iPhone. Go figure.

See the full list of features if you think this sounds pretty sweet and if you join up using this referrer link you’ll be giving me an additional 250MB for my own account, which is also pretty damn sweet. Thanks!

Photo by helgasms!, cc-licensed.

more free file hosting bizznizz

Photo by ehoyer, cc-licensed.

Hosting audio, video or text files publicly is what archive.org is for. But what if you want to share to a more limited audience, like a few friends, or some lad you have to send a bunch of files to so he can do some mastering on it for an awesome project you’re doing?

Well, mediafire.com is pretty damn suited for stuff like that. It’s not just a file hosting site like there are a ton out there. It looks the same at first, and you can use it for the odd anonymous upload like the others, but you can also create a free account there, and unlock some nifty new features. Here’s what you can do with it:

  • Host files up to 100 MB. If your files are bigger (and mine were) you can use 7zip to split them up into 100MB parts, and upload those.
  • Unlimited disk space. Sounds kick ass doesn’t it? Here it goes again: Unlimited disk space!! Rad.
  • With an account, you can manage your shared files. Create folders, share folders, delete files/folders etc.
  • Link and embed code is generated for you. You only have to copy paste it. There’s even a button to that just that for you. I mean, really, they can’t make it any easier than that.
  • Your files do not get deleted after a certain period of inactivity. They simply don’t get deleted automatically, so you don’t need to bother with links timing out after a few weeks.
  • Embed your files on your own site. If you’re short on webspace and embed some video on your blog, myspace or whatever, this might be just what you are looking for.
  • Add descriptions and tags to your files. Tags are still hip right? Well, they support it.
  • Unshare files, making them only available to yourself again. Like when you fucked up and hosted some pictures that shouldn’t have been seen by the world, and certainly not the entire internet. Whoops.
  • No obnoxious ads for your downloaders, and none for you either. Ads are there, but they are subtle. I like that. The other file hosting services screw up bigtime in that department.
  • Photo Gallery view. Now I’d recommend Flickr to host your photos of course, but this isn’t bad either. As I said, no limitations here, and pictures get automatically resized into thumbs and smaller views to keep it easy on the low bandwidth downloader. You can see an example here of some silly TV screenshots I took. You’ll have to click the Photo Gallery link on the top right.

So I guess mediafire doesn’t suck. Sometimes you have to upload things twice though, as it goofs up somewhere in the upload process. For small files that ain’t too bad, but for huge ones it really sucks. But hey, it’s free remember, so it’s still pretty darn cool to be able to manage and share files for free like this.