Misconceptions That Many People Have About WordPress

This article is contributed by Lucy Barret.

WordPress is the most prominent software platform and is used by millions of people to create and develop a professional looking website. Indeed most businesses and organizations are building their websites on WordPress. It is one of the easiest platforms that allow even a non-technical person to make changes in their site or blog without any complications.

3 Things to Consider When Choosing A Cloud Platform

Courtesy of http://pixabay.com/en/cloud-cumulus-clouds-cumulus-8075/

Cloud networking is currently taking the world by storm, but what should you be looking for in your coverage? How can you be sure you’re getting the best deal before you sign with a new company? If you’re interested in finding a good provider and making the most out of cloud, here are just a few things to keep in mind.

Opera Unite For Your Own Web Hosting

Opera Unite reinvents the Web, according to Opera, who feel that cloud computing and Web-based applications will never be the same.

Seth Rosenblatt at Cnet thinks Opera may have something interesting as it tries to Unite users across browsers.

The Web server is interesting, as well. Being able to host a Web page from your desktop computer, without having to worry about paying somebody for the privilege, has the potential to usher in a new age of Web hosting where the only cost is what you pay your ISP and there’s no middle-man to go through. However, the most popular things to do online that require your own site–sharing media and writing blogs–can be done effectively and cheaply from third-party hosts. Still, Unite-based Web-serving has potential.

What has not yet been sufficiently discussed is the security side of allowing others to use your computer as a server. Some feel that Opera’s Unite Is One Incredibly Bad Idea:

Then there are the security implications. Unite lets users set permission levels for who can access their files, but one of these levels appears to be "completely open." That doesn’t sound good. Ostensibly, you’re sharing files with people you know, but I could envision someone setting up a link to their Opera Unite service that leads people to a file that’s really malware.

Most of us will stick to traditional web hosting. There are many fine hosting services that are economical and reliable throughout North America. Even if we all become confident that Opera Unite can be the way we share some of our online properties, undoubtedly this will be complemented by a standard web hosting arrangement.

Guinness World Record Day – Nov 13th 2008

Be warned that the original title for this post was ‘Random Thoughts’.  So unless you intended to read something from me at random, then please click away.  The new title was created when, as always, I did a quick Google Search and Blogsearch, to verify that I wasn’t just regurgitating the same thoughts as everyone else.  You may feel that was a somewhat redundant exercise, but old habits die hard. 

In the list, I instantly saw – Guinness’ Most Random Records — 2009 Edition with some explanatory text:

Today is Guinness World Record Day, the annual event where people across the globe try to set records so their legacies can live forever in Guinness’ archival text.

In a post on random thoughts, the serendipity involved in such an item could not be lost so it hijacked the title.  If you were looking for the book, then click on Guinness: World Records 2009 (Guinness World Records).

Indeed it is amazing given the crowded Internet that so many people seem to want to pen their random thoughts. There are even whole websites dedicated to those who wish to just add their random thoughts.   Perhaps others visit such sites to read these random thoughts: the mind boggles.

Not surprisingly, given that elections have just taken place in both the USA and Canada, many are having random thoughts about political processes. That includes Some random bits scribbled by Jeremy Zawodny.  The title of the post was Post-Election Thoughts: Equal but Not. Apparently like many others he is not happy about the electoral college system.  However anachronistic it may seem, it seems unlikely to be changed by change.gov.

My random thoughts were not at all political.  I was thinking about the question of passwords for online sites and the security aspects involved.  Like many others, I should be using more complex ones and changing them frequently.  In searching around that topic, lo and behold I found a True Random Number Service. Not surprisingly it is located at Random.org.   If you need any encouragement to visit, here is what they offer:

What’s this fuss about true randomness?

Perhaps you have wondered how predictable machines like computers can generate randomness. In reality, most random numbers used in computer programs are pseudo-random, which means they are generated in a predictable fashion using a mathematical formula. This is fine for many purposes, but it may not be random in the way you expect if you’re used to dice rolls and lottery draws.

RANDOM.ORG offers true random numbers to anyone on the Internet. The randomness comes from atmospheric noise, which for many purposes is better than the pseudo-random number algorithms typically used in computer programs. People use RANDOM.ORG for holding draws, lotteries and sweepstakes, to drive games and gambling sites, for scientific applications and for art and music. The service has existed since 1998 and was built and is being operated by Mads Haahr of the School of Computer Science and Statistics at Trinity College, Dublin in Ireland.

If you are someone who is attracted by randomness, it is well worth a visit. It is a fascinating place. You can certainly get the most secure passwords possible by visiting ... and now back to regular programming.

How WordPress Blogs Are Hacked

The previous two articles in this series have suggested ways to combat the ever-increasing hack attacks that WordPress blogs are receiving. In this final article, we will discuss some real-life examples and what can be learned from them. As a disclaimer, it should be noted that some hackers are very skilled and are continually improving their methods. These are anecdotes from the past and the future will undoubtedly be very different.

Typical Hacking Exploits

For specific details of typical hacking exploits, the following accounts are particularly good:

The methods used in these cases are probably all the work of one hacker, known by the nickname goro, who may well have been one of the commenters on the first of these three posts.

We will not go into the specific details here (since they will undoubtedly evolve), but rather discuss the bigger picture associated with these exploits. In the case of the hacking done on the SMM blogs, there were some clever refinements. The mechanism inserted on the domain generated hundreds of random, unique blog post web pages, which included links to online pharmaceutical web pages. Since the websites were well ranked in Google, many of these hundreds of blog posts were served to the search engine spiders as they made their visits. After a period of hours, the mechanism then stopped. This may have been to avoid a huge spike in traffic, which would have been more easily detected.

How Google May Have Rewarded Their Efforts

During the last two or three months, Google has been giving much more rapid visibility and higher ranking to blog posts in its regular web search. In the latter part of January, blog posts appropriate for particular keyword searches would appear within a small number of hours in the regular web search. The algorithm may well be using the RSS news feeds associated with the blogs. This gave particular prominence to the blog posts generated by the hacking mechanism. They would almost always appear among the top five positions on a search for particular online pharmaceuticals and often in the first position. Presumably this gave a significant economic advantage to the hacker.

Although the hacking mechanism was removed within 36 hours, the false and now non-existent blog posts still persist in the Google index over 3 weeks later. In some cases the cached versions of the false blog posts are still available.

An interesting parallel development during this time is that Google Blogsearch now has a delay of a few days in displaying new blog posts. Until recently such a new blog post might have appeared within an hour or two, since it was triggered by the pinging of the RSS news feed. Whether this is a reaction to a large volume of blog posts generated by hackers one can only surmise.

How To Repair The Damage

Hopefully this series of articles has sensitized you to the dangers of hacking. This should prompt you to maintain a constant vigil so that any hacker intrusions will be spotted rapidly. You should also, as Wayne Liew suggests, regard WordPress Upgrades as a Must. The continuing improvement in security may not serve to keep out hackers, but at least it may encourage them to attack easier prey.

If your WordPress blog is hacked, it can be quite a challenge to find out what has been changed. Sometimes the hacker may have modified files deep within folders that are not normally touched in upgrading, such as the images folder or the wp-content folder. Checking the size in bytes of particular files compared with versions in the most recent backup will reveal suspicious differences. Sometimes the .htaccess file may have been modified to create additional and inappropriate mechanisms. In such cases, you’ve got to make sure that you eliminate all such additions to the website. If you have backed-up a clean version of the website recently, it might be better to take down the website and replace it with a clean version.

Blogs Take Center Stage For Marketers And For Google
How to Remove WordPress.net.in Spam Injection

Previous articles in this series:
WordPress Blog Hacked
Guarding Your WordPress Blog

Guarding Your WordPress Blog

This is the second in a series of articles on how WordPress blogs may be hacked.

Unfortunately it’s becoming a more and more frequent occurrence, even though some seem unaware it has happened. If you have not yet read the first article, WordPress Blog Hacked, you may find it useful to do so before reading this follow-on article. However it is not required reading.



You may naturally feel that calamities such as your house burning or your blog being hacked only happen to other people. It’s not true and it’s always wise to take precautions. Just imagine returning to your home one evening and finding it in flames. You close your eyes and cannot imagine it’s happening to you. You open them again and it’s all still flames.

How can you recover from such a tragic event? That is why most of us take out insurance and have security alarm systems to prevent such happenings. The more valuable your house, the more you are willing to invest in the right level of protection.


Getting your website hacked can be an equally unwelcome experience. Just see how Anita Campbell describes it in a recent article, Hacked: It Could Never Happen to My Site (Famous Last Words).


On Christmas morning, I tried to open this site as I normally do first thing in the morning, just to do a quick check. The home page of the site was completely blank! Nothing. Nada. I could not post anything new, either. I realized that a cracker had hacked the site. As I investigated later that day I discovered quite a bit of damage to the site.

Imagine seeing that blank screen. It’s as devastating in its own way as all those flames consuming your house. However if you think that is what happens when a site is hacked, you haven’t come up against the latest generation of skillful hackers. You won’t be aware that they have come in and taken over the attic of your house. They may create thousands of parasite webpages on your server without changing the physical appearance of your blog. That is what happened to the two SMM blogs that were hacked two weeks ago.

Eternal Vigilance

The first part of the security plan for your blog must emphasize vigilance. If you’re Al Gore or Matt Cutts, your blog is valuable real estate. Its traffic represents real economic potential to a hacker. Just as for a palatial home, you should invest in significant security systems. However for reasons we will discuss in the third article in the series, even more modest blogs are attractive to hackers. What you must do is to determine what you believe the risk of hacking to be and then invest an appropriate amount of effort in protecting against that.

If your blog is worth hacking, then likely it will be hacked so as to give the maximum time before you detect the intrusion. As will be explained in the next article in this series, hackers may only need access to your website for a few days to gain full value for their efforts. You will notice that Anita Campbell’s blog was hacked on Christmas Day. The two SMM blogs were hacked one Saturday morning. One important lesson is to never leave the blog unattended for too long.

There are two simple ways of checking whether intruders may be ‘in the house’. The first and easiest step is to check the source code of your blog. Just visit the blog and then use the View choice on your browser menu to examine the Source. With Firefox, if you prefer, you can use Ctrl+U to see the source code in a different window. This may show some lines of code or hyperlinks that should not be there. If you have followed the steps to be described later, then hopefully the code is as you expect it to be. A very rapid way of checking changes in source code is given in the article, Fast Alarm For Hidden WordPress Hackers.

Another way is to examine the traffic to your website. If there is an unexplained and massive increase in the volume, then this may be a sign of trouble. Similar increases in traffic may be seen in other analytic programs such as Google Analytics or SiteMeter. However depending on what hacking has been done, the increased traffic might be hidden from these tools.
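The traffic check can also be run against the web server's own access log, which records each request the server handles. The following is an added example, not code from the original article: it assumes the common Apache "combined" log format, builds an hourly profile of hits and distinct URLs, and flags hours far above the median. The log lines, the user agent string and the threshold factor of 5 are constructed assumptions.

```python
import re
from collections import defaultdict
from statistics import median

# Apache combined log format (assumed); only the fields used here are captured.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):(?P<hour>\d{2}):\d{2}:\d{2} [^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def hourly_profile(lines):
    """Return {hour_label: (hits, distinct_paths)} for every parsable line."""
    hits = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        key = f"{m['day']} {m['hour']}h"
        hits[key] += 1
        paths[key].add(m["path"])
    return {k: (hits[k], len(paths[k])) for k in hits}

def flag_spikes(profile, factor=5):
    """List (hour, hits, distinct_paths) for hours above factor x median hits."""
    if not profile:
        return []
    baseline = median(h for h, _ in profile.values())
    return sorted((k, h, p) for k, (h, p) in profile.items() if h > factor * baseline)

def sample_log():
    """Constructed log: six quiet hours, then one hour of many unique URLs."""
    fmt = ('198.51.100.7 - - [02/Feb/2008:{h:02d}:{m:02d}:00 +0000] '
           '"GET {p} HTTP/1.1" 200 512 "-" "constructed-agent"')
    lines = []
    for hour in range(6):
        for minute, path in enumerate(["/", "/about", "/feed"]):
            lines.append(fmt.format(h=hour, m=minute, p=path))
    for i in range(40):
        lines.append(fmt.format(h=6, m=i, p=f"/generated-page-{i}"))
    return lines

if __name__ == "__main__":
    for hour, hits, distinct in flag_spikes(hourly_profile(sample_log())):
        print(f"{hour}: {hits} hits across {distinct} distinct URLs")
```

A flagged hour in which the distinct URL count is close to the hit count means many pages were each requested once, which is worth comparing against the list of posts you actually published.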

To avoid these intrusions, there are certain recommended steps which are described below. As was mentioned in the previous article in this series, the best you can do is to ensure that your blog is as secure as you can make it. There are a host of other blogs that are insecure, and that may be your biggest protection.

Upgrade to the latest version

The most important recommendation, which cannot be emphasized enough, is to always upgrade to the most stable recent version of WordPress. The WordPress community is very active, and security holes are plugged as quickly as possible once they are spotted. This does not guarantee that hackers will be kept out. However, they may choose to attack blogs running earlier versions that have easier access holes.

You should also upgrade to the latest version of any plugins that you are using. A plugin may well be written by a single volunteer author so less attention may have been paid to security considerations. You should do a little research on each plugin you intend to use to make sure that others have not had security concerns about it. It is also recommended that you put an empty index.html in the plugins subfolder. This prevents anyone checking that folder and receiving a full display of all the plugins being used.

Harden Your Administration

In addition to working with the latest version of WordPress, there are a number of steps you can take to make hacker intrusions more difficult. The references below explain in greater detail what is involved. Here we summarize only the more important points.

Having user names and passwords that are not easily cracked for access to the blog administration panel is critical. In addition if you have a highly visible blog then you might wish to use the Login LockDown Plugin. This blocks access to the administration panel for a certain period after a small number of incorrect attempts.

You can also restrict access to the admin folder by having an appropriate .htaccess file there. This would specify the IP addresses for those who have rightful access to the folder. This would take the following form:

order deny,allow
deny from all
# whitelist home IP address
allow from
# whitelist office IP address
allow from

The extent to which you go beyond these steps should be based on your assessment of the risk of being hacked. The references spell out the possibilities.

Hardening WordPress – WordPress Codex
Three tips to protect your WordPress installation – Matt Cutts
5 WordPress Security Essentials – Lee Robertson
How to Protect Your WordPress Site – Anita Campbell
Protecting Your WordPress Blog – Lorelle

The final article in this series is How WordPress Blogs Are Hacked.

WordPress Blog Hacked

It’s hardly news. Hacking into blogs is far more prevalent than you may think. A Google search for ‘My Blog Was Hacked’ gives a count of over 2,770,000 web pages. I regret to say that this blog was hacked into by a real expert some 10 days ago. Since then, I’ve done a great deal of exploration and frankly it’s all very fascinating.

In this post, you will find hints on how to stay vigilant so that you will be aware if your blog is hacked. In a subsequent post, I will give some more advanced tips on how to stay vigilant and make your blog more secure. In a final post, I will describe some of the results of such hacking activities.

An underlying realisation in all that is written is that some hackers are extremely knowledgeable and skillful. The best you can do is to ensure that your blog is as secure as you can make it. It then is like the old joke about outrunning the bear. You don’t need to outrun the bear, but only your buddies who are with you. There are a host of other blogs that are insecure, and that may be your biggest protection.

Whose Blogs Get Hacked?

WordPress is quite rightly enormously popular software for writing blogs. As more and more people use it, it becomes a more interesting target for hackers who try to exploit any weaknesses in the software.

It was not surprising to see items such as WordPress 2.1.1 Dangerous, Upgrade beginning to appear early in 2007. Nor was it difficult to believe that Matt Cutts WordPress Blog had been hacked, when this appeared on April 1, 2007. That was a spoof but since then there have been many real hacking incidents. Al Gore’s blog was, according to Stuart McKeown, as was the WordPress blog of Matt Heaton (Bluehost and Hostmonster CEO). It continues unabated as Stephan Miller and members of the WordPress Support Forums can testify.

How Will You Know If Your Blog Is Hacked?

The real problem is that you may not realize your blog has been hacked. There may be no visible trace of the hacker’s work. The hacker may wish to boost the search engine visibility of online non-prescription medications or pornographic websites. It is done in such a way that it is hidden from prying eyes.

One useful test is to look at the source code for the blog. In Internet Explorer this can be seen by clicking on View > Source. In Mozilla Firefox, this can be seen via View > Page Source or from the keyboard by pressing Ctrl+U. Sometimes code can be found which has been inserted by the hacker. Another indicator can be very much higher levels of traffic. This will be covered more fully in the next post in this series.
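The View Source check described here and in Guarding Your WordPress Blog can be done mechanically on a saved copy of the page source. The following is an added example, not code from the original article: it lists every hyperlink pointing to a host you do not expect, and marks those sitting inside an element hidden with an inline style. The sample page, the host names and the expected-hosts list are constructed; styles set in external CSS or by script are not examined.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag, so they are not tracked as open.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class LinkAudit(HTMLParser):
    def __init__(self, expected_hosts):
        super().__init__()
        self.expected = {h.lower() for h in expected_hosts}
        self.stack = []      # (tag, hidden) for each currently open element
        self.findings = []   # (href, reason) in document order

    @staticmethod
    def _hidden_here(attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style

    def handle_starttag(self, tag, attrs):
        # An element is hidden if it, or any open ancestor, is hidden.
        hidden = self._hidden_here(attrs) or (bool(self.stack) and self.stack[-1][1])
        if tag == "a":
            href = dict(attrs).get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host not in self.expected:
                reason = "hidden external link" if hidden else "external link to review"
                self.findings.append((href, reason))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open element, tolerating sloppy HTML.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit_source(html, expected_hosts):
    """Return (href, reason) for each link whose host is not expected."""
    parser = LinkAudit(expected_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

EXPECTED_HOSTS = {"blog.example.com", "wordpress.org"}  # constructed allowlist
SAMPLE = """<html><body>
<div id="content"><p>Post text <a href="/about">about</a>
<a href="http://blog.example.com/archive">archive</a><br>
<a href="http://wordpress.org/">WordPress</a>
<a href="http://unknown.example.org/">new link</a></p></div>
<div style="display: none"><ul><li><a href="http://pills.example.net/buy">x</a></li></ul></div>
<p><a href="http://blog.example.com/contact">contact</a></p>
</body></html>"""  # constructed page source

if __name__ == "__main__":
    for href, reason in audit_source(SAMPLE, EXPECTED_HOSTS):
        print(reason, href)
```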

Make Your Blog More Secure

Matt Cutts has given some useful tips to protect a WordPress installation. The most important of these is to ensure you always have the latest and most secure upgrade of WordPress. It is perhaps fitting that this blog post appears when WordPress version 2.3.3 has just been issued. This topic will be covered more fully in a subsequent blog post.

Further Articles in the series:
Guarding Your WordPress Blog
How WordPress Blogs Are Hacked