Didgeroo - New Media technology

Wordpress Security

2013-04-19T11:50:51Z

In March, Chris gave a presentation on Wordpress Security to the #WPLDN monthly meetup at Google Campus.

How do hackers gain access?

Wordpress is secure isn't it? The simple answer is yes, however in recent times Wordpress has seen massive growth and with this it has become an obvious target. Wordpress now powers a whopping 54% of all CMS websites. If you were a hacker, would you spend hours trying to find a security flaw in a CMS used by 0.2% of the web, or 54% of the web?

Thankfully, Wordpress has a very active development community that hastily responds whenever a security zero-day vulnerability is discovered. It is, however, up to website owners to update their sites with the latest security patches. Wordpress makes this simple; just one click to update, but website owners can be too busy (or just plain lazy) and this is what hackers depend on.

In addition to zero-day vulnerabilities, there are also a number of other points of entry for hackers:

Installation of compromised themes and plugins containing malicious code.
Brute force login attempts
Locally installed malware

What do hackers do with a compromised website?

Defacement is one of the most common and obvious signs a website has been hacked. This is when a page selling Viagra, for example, suddenly appears in place of the home page. However sometime defacements are not so obvious. A clever defacement will only display to certain IP address, using specific web browsers, during specific times. This way the defacement can potentially go undetected for weeks if not months.

In addition to defacements, hackers also may use a compromised website to do any of following:

Host a phishing site posing as an online bank, collecting login details. The phishing site may be buried deep within your wordpress installation in order to avoid detection.
Host a botnet agent. This a piece of code that can be remotely controlled to send spam or launch further attacks such as a DDOS.

How do I ensure my Website is secure?

Make sure that Wordpress, its themes and plugins are all kept up-to-date
Only install Wordpress extensions downloaded from reliable sources
Rename the admin account and use strong passwords
Use scanning software/plugins:
- to enhance security (brute force attack protection)
- daily scans for malicious content
Set up email notifications in Google Webmaster Tools. This will ensure you are notified if Google detects malicious code on your website.
Ensure good backups are maintained. If the site is ever hacked, often a restore is the only safe fix.

I cannot stress enough how important it is to follow these recommendations. If you are an online business, then sales will likely cease if your website is hacked. Even if your website is not your core business, potential clients will likely look elsewhere if they see your website has been defaced.

Didgeroo Managed Wordpress Hosting

To save you time, and for added peace of mind, Didgeroo has recently launched a new Managed Secure Web Hosting service. This service scans, updates and backs up your website, so you can be security reassured and can get on with your core business.

Botnet Attacks Wordpress

2013-04-19T11:40:41Z

Earlier this week a massive Botnet attack commenced targeting Wordpress websites.

The Botnet contains an estimated 90,000 bots (malicious scripts running on compromised servers) that are attempting brute-force dictionary based login attempts using the username 'admin'.

The simplest way to avoid this attack is to rename your Wordpress admin account. If your website is hosted by Didgeroo then you do not need to worry as we have already implemented this change.

This attack is a timely reminder of the importance of website security. For your peace of mind, Didgeroo is now offering a Managed Secure Hosting service that scans, updates and backs up your website.

For more information, refer here:

Wordpress Managed Hosting

2013-04-19T11:07:51Z

In the wake of recent security concerns, Didgeroo is now offering a fully managed secure Wordpress hosting service running on our High Availability Clustered servers.

This service scans, updates and backs up your website so that you can have peace of mind while getting on with your core business.

Scanning

Your website will be scanned on a daily basis, comparing all files and alerting Didgeroo whenever there is a change. In addition to file changes, the scan also checks over 44,000 know malware, trojan, virus, backdoor, dangerous URL or known vulnerabilities.

Updates

We have set up a centralised dashboard to monitor all Wordpress installations and notify us whenever there is a core or plugin update available. The dashboard also allows us to easily roll-out updates across multiple sites.

Updating sometimes goes wrong. Unfortunately things can break. Didgeroo performs thorough checks on every website after each update. Should something go wrong, then the update can be instantly rolled back and the problem investigated.

Backups

Didgeroo runs a secure backup system for it's hosted websites. Nightly backups are archived on a monthly basis. These archives are kept for 2 years, allowing us to do comprehensive investigation should a site have been compromised months in advance of it being detected.

If you are an online business, then sales will likely cease if your website is hacked. Even if your website is not your core business, potential clients will likely look elsewhere if they see your website has been defaced.

Didgeroo Managed Secure Hosting takes care of these worries for you. Please contact us if you are interested in this service.

Lunch with Prince Andrew

2013-04-18T14:44:22Z

On 15 March we attended a lunch with HRH The Duke of York.

Martin was fortunate enough to be one of five apprentices selected out of 2000 to attend an annual apprenticeship lunch with Prince Andrew at the Hackney Community College.

The Duke of York, having been an apprentice himself, is actively involved with the National Apprenticeship Service. Each year a handful of apprentices are selected to attend a special lunch. Prince Andrew is also involved with Tech City and had expressed interested in meeting a Tech City Apprentice, so Martin was selected.

Catering students at the college prepared us a delicious Beef Wellington followed by gooey Chocolate Fondants.

Together with the other invited employers and their apprentices, we each shared stories and experiences with Prince Andrew, who showed a keen interest and was able to share some of his own insights.

Coincidentally, this is now the third time Didgeroo has met the Duke of York, having attended a roundtable discussion with him back in 2011, followed by a reception at Buckingham Palace.

Right Formula

2013-03-12T14:24:32Z

Didgeroos' most recent project to go live is a website for motorsport marketing company; Right Formula.

Didgeroo created a bespoke website design based upon Right Formula's existing branding. We then built a new Wordpress theme with the following special functions:
- JQuery homepage slider
- Control of partners directory using Wordpress Custom Posts
- Custom per-page sidebar banner images

The finalised Right Formula website can be seen here - http://www.rightformula.com/

Didgeroo Newsletter Issue 5

2013-02-28T14:12:49Z

Didgeroo is finally gracing your inboxes once more with its first newsletter of the New Year!
The keen-eyed amongst you might have noticed a sprinkling of fabricated words, and we at Didgeroo can solemnly swear that no one hear drinks on the job! (except water, and sometimes coffee.) Joking aside, apologies for the inanity of the recent newsletter, but we'll use this as a learning experience (to not hit the H2o so hard).

If you want to view the latest newsletter, it can be found here - http://didge.ro/nl-5

Boris Bikes Upgrade

2013-02-28T10:31:27Z

Earlier this month Didgeroo upgraded one our favourite side-projects, http://borisbikes.org/.

This website serves as an independent community forum for the Transport for London Cycle Hire Scheme, otherwise affectionately known as Boris Bikes.

The newly upgraded Boris Bikes forums features a responsive web design and much improved spam controls.

The previous iteration of the website was not optimal. It used the outdated version of BBPress, what was then a stand alone fork of the Wordpress Open Source project.

One of the main issues with the old version of BBPress was spam, the bane of any forum. The spam controls of the old website relied heavily upon users submitting reports to the forum moderators and for these moderators to then look at the reports and manually delete the spam. The process was incredibly slow and tedious.

BBPress is no longer a Wordpress fork. It is now fully integrated into Wordpress as a plugin. This has many advantages including having all Wordpress features available and access to the massive library of themes and plugins.

Migrating Boris Bikes to the latest version of BBPress has allowed us to create a set of spam control options that work from a top-down approach, whilst also still enabling the bottom-up approach of spam reporting. Now, the first ever post by a user is sent to an email address, where a moderator can view the message and judge whether or not a post is spam. If the message is approved, all future messages from that user are posted without approval. If the message is denied, however, the following message from the user will be moderated, and so on until a message is approved.

The upgraded Boris Bikes forums is has seen such an improvement over the previous, that there is now virtually no spam on the website.

Additionally, we implemented a new responsive theme for the site. This greatly improves the user experience when viewing the websites on mobile devices. You can test the site responsiveness by viewing it with your desktop web browser and gradually resizing the window to make it smaller. You will see the forums reformat to a mobile layout.

If you would like to see the upgraded website, you can see it here: http://borisbikes.org/

Lu Oliphant

2013-02-26T16:39:19Z

Didgeroo has recently worked with design agency Sabotage PKG to develop a website for a law firm.

Sabotage PKG created the design of the website and Didgeroo built it using the Wordpress CMS.

This website required a responsive layout, whereby there would be a level of scaling to match the browser window. This is something that Didgeroo achieved via the use of CSS and javascript, which combined to create an image that scales and crops to fit within the browser window, no matter the size.

The finalised Lu Oliphant website can be seen here - http://www.luoliphant.com/

Wordpress Customiser

2013-02-26T10:47:20Z

Last week Chris and Martin attended the monthly #WPLDN meetup at Google Campus where we enjoyed pizza, beer, and the company of fellow Wordpress geeks. We also learned all about the brilliant Theme Customiser.

The Wordpress Theme Customiser was introduced in a relatively recent update to Wordpress (3.4.0). This feature allows instant live previews of template customisations via simple configurable interface, thus allowing visual testing of a live website.

Despite the Customiser being a feature released several Wordpress versions ago (currently V3.5.1), it is not necessarily a tool many people use, or even know about.

Luke Williams, Developer for Factory Media, gave a fascinating and thought provoking presentation at #WPLDN. We at Didgeroo are now quite enamoured with the prospect of instantly changing the layout and style of a page. We feel it necessary to bring to attention this great Wordpress feature.

The first thing to note is how the Customiser is itself laid out. It is divided up into Sections and Settings.

A section can be used to define an area of the webpage (such as the header, sidebars, content areas, ect.), or can be used to define a group of properties (such as for all colours, fonts, font sizes, ect.). A section can also be moved around, which will change the position of a section on the webpage if the section controls HTML elements.

A setting, on the other hand, is one of the editable properties found within a section (such as the colour of paragraphs, font size of h1, ect.). A setting can be made to display in numerous formats, and can be customised to suit the property it relates to (such as text boxes for titles, colour pickers for colour, checkboxes for display, ect.).

To actually create and define Sections and Settings, however, you need to do some custom coding to enable the level of control your Customiser can have. Setting up the Customiser can be quite time consuming, due to this manual coding, but is very rewarding when working with sites whose content, layout and style is designed to change on a regular basis.

Once you are actually up and running with the customiser, the main benefit to this feature becomes immediately apparent. The Customiser allows you to preview changes you make to the website without actually applying them. To apply the changes you have made via the Customiser, all you do is click on the "Save" button.

To learn more about the Wordpress Theme Customiser, view Lukes' presentation here.

We are really looking forward to implementing this excellent feature in some of our upcoming Wordpress projects.

Didgeroo Newsletter Issue 4

2012-12-21T13:16:27Z

Didgeroo has just posted its final newsletter of the year, and this one is Christmas themed!
If you would like to view this newsletter, please click here: // Forward Slash Issue 4