You may have noticed our site looks a bit different (click on over RSS readers!) and that’s because we are participating in Pink for October for the second year in a row!  All the participants change their site or blog to pink for the month of October to help bring attention to Breast Cancer Awareness Month.  This is a great cause for anyone to support but it’s especially important for me because my mother died from breast cancer.  Please educate yourself about this disease; if you are a woman get regular mammograms and make sure your mothers, sisters, wives or girlfriends are getting them too!

I also want to highlight the Blogger Boobie-Thon.  It runs from October 1st to October 7th so please go donate (even just a few dollars helps)!  All proceeds go directly to the Susan G. Komen (or a related charity).  You can also submit pictures of your own boobies (covered or not) for the cause!

And remember that if you want to go Pink for October, too, we’re currently having a sale on blog designs and graphics.  25% off!

For those who can’t afford a new design (or would rather spend the money on a donation!), I’ve finally gotten around to updating my most popular free WordPress theme called Pink Midnight. It’s now updated for Wordpress 2.5 and above with all recent features like tags, gravatars, image captions and widgets.  Wanna see it in action?

This WordPress theme is completely free and available for download.  Since it’s a free theme that I’ve already put a lot of time into, unpaid support or installation is not offered, but it includes a very detailed “Read Me” file with all important information and installation instructions so please refer to that.  Also, check out our Resources page which has two sections of helpful WordPress links, one specifically for Themes.

• Pink Midnight Demo
• Download Pink Midnight

Want some other pink options? Check out these:

• Making It Easy to Go Pink - WordPress and Twitter themes and backgrounds
• Free Pink for October Templates - Blogger templates (Scroll down to the bottom of the page, on the sidebar under Links)

And finally, we’ve donated a free year of hosting as a prize for Pink for October’s bi-weekly contests which will be running all month. The first contest started yesterday, so go participate for your chance to win one of the great prizes from the sponsors!

Related posts

• WordPress 2.5 RC1 available (1)
• Share This updates (0)
• WordPress 2.5 has been released! (0)
• WordPress 2.3.3 (1)
• WordPress 2.3.2 (0)

It’s actually two sales in one: Order a holiday or season themed blog design, redesign, or graphics and you’ll get 25% off the total price. If you’re not interested in a holiday design, you’ll still get 20% off a regular blog design.

The Seasonal Sale covers any holiday/season between now and February. This includes (but isn’t limited to):

• Fall
• Winter
• Pink for October - Breast Cancer Awareness Month
• Halloween
• Thanksgiving
• Christmas
• New Years
• Valentine’s Day

This sale will be active between now and February, but we recommend you contact us ASAP, especially if you wanting a Fall, Halloween, or Christmas design.  We understand that you may not want to spend the money on a completely new design, so this sale also includes redesigns or new graphics if you are just looking to give your current design a holiday/seasonal spin.

If you’re not interested in tricking out your blog for the holidays but still want a new design or redesign, then you’ll still get 20% off the total price!  However, the regular blog design sale will expire at the end of our birthday month on November 30th, so you must inquire before then to get the discount.

Contact us today!

Related posts

• Open for Business (1)
• WordPress 2.5 RC1 available (1)
• WordPress 2.5 has been released! (0)
• Try out WordPress 2.5 before it’s released (1)
• Happy Holidays! (0)

DON’T FORGET ABOUT YOUR PLUGINS! Security vulnerabilities can be just as much of an issue with plugins so they need to be updated, too. The newest version of WP makes this easier than ever. It tells you when you have a plugin that needs updating (a bubble pops up on the plugins link like it does for new comments) and all you have to do is press on “upgrade automatically”. On many servers, you don’t need to do anything it will upload and install the plugin in seconds. If your server isn’t set up that way, then you just need to put in your ftp host (in most cases, ftp.yourdomain.com), username and password. Your host would have sent all this info to you, so you should have it. If you don’t then get it, this is really important information to have.

ADD SECRET KEYS TO YOUR WP-CONFIG.PHP. As of WP 2.5 and then later in 2.6, they introduced the addition of several keys that can be added to increase security for your blog. Open up wp-config.php and find this line:

define(’DB_HOST’, ‘localhost’); // 99% chance you won’t need to change this value

Under it add these:

define(’SECRET_KEY’, ‘PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS’);

define(’AUTH_KEY’, ‘PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS’);

define(’SECURE_AUTH_KEY’, ‘PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS’);

define(’LOGGED_IN_KEY’, ‘PuT-in-A-bunCh-of-ranDom-leTTers,NumBers-and-syMbolS’);

You need to put a different random string of characters in each line. You will never have to remember these, so make them as long and as random as possible. This handy site will generate a random string for your every time you refresh the page.

EDIT UNSECURE TEMPLATE TAGS.

In search.php or searchform.php find this:

<?php echo $_SERVER ['PHP_SELF']; ?>

And replace it with this:

<?php bloginfo ('home'); ?>

That makes it so it can only search your blog and not your entire server.

Also check search.php, searchform.php or header.php for this:

<?php echo $s; ?>

This allows malicious code injection so replace it with this:

<?php echo wp_specialchars($s, 1); ?>

MAKE IT IMPOSSIBLE FOR SEARCH ENGINES TO INDEX WORDPRESS FILES. It’s not a good idea to let search engines like google index every single part of your site, specifically your WordPress files. Say that a vulnerability is discovered in one of the files in the wp-admin folder. A hacker could just google that file name and the first site at the top of the list is the one he’s going to hack today. To prevent this simply open up notepad or an HTML/text editor and add this:

User-agent: *
Disallow: /*/feed/
Disallow: /*/feed/rss/
Disallow: /*/trackback/
Disallow: /wp-
Disallow: /feed/
Disallow: /trackback/
Disallow: /tag/

Name it robots.txt and upload the file to your WordPress directory (same place where you should find wp-config.php and .htaccess). This not only disallows search engines from indexing private WP files, but also prevents them from indexing redundant files (which search engines can read as trying to spam them).

DON’T ADVERTISE WHAT VERSION YOU ARE RUNNING. If all your blog pages say “Powered by WordPress 2.5″ (when the current version is 2.6.2), then you are just asking to be hacked. Take that version out of your template. In most cases this is going to either be in the sidebar.php or footer.php files. Look for either of these template tags and delete them:

<?php get_bloginfo('version'); ?>
<?php bloginfo('version'); ?>

Also, check header.php, look for this line and delete it:

<meta name="generator" content="WordPress 2.5" />

Unfortunately, in 2.5+ WordPress has started inserting this automatically. This is bad because hackers only need to put that line into a search engine to find people using old versions of WP. If you have your robots.txt in place then this is not a major issue, because your template won’t be showing up. But if you are still uncomfortable with having your version so public (they only need to view the page source to see it), then open up notepad or an HTML/text editor and paste this in:

<?php remove_action( 'wp_head', 'wp_generator' ); ?>

Save as functions.php and upload it to your theme folder. If you have widgetized sidebars, then you probably already have a functions.php, so just edit the file and insert that code in there.

*Hat tip to Binary Moon for this.

MAKE SURE YOUR DATABASE PASSWORD IS NOT THE SAME AS ANY OTHERS. Your wp-config.php is a very easy file to find. It has your database password sitting right inside it. You absolutely must make sure that your database password is completely different from your WordPress password and your FTP/cpanel password. If you are using the same password for all, a hacker can easily find this file and get in everywhere. If it is the same, then it will probably be simpler for you to change your WP and FTP passwords. But changing your database password isn’t too hard through cpanel (click on MySQL and add a new user and password, then assign that user to your WP database, then go and update your wp-config.php file with the new user info).

DON’T USE THE DEFAULT SETTINGS. Most of the time, when you install WordPress it automatically gives you the username ‘admin’. Hackers know this, so it can be unsafe because then all they have to do to get in is guess the password. Go to Users and add a new username for yourself. For the role, choose Administrator. Once you’ve added your new username, log out and log in as the new user. It’s better to have your nickname (what is displayed publicly on your blog) be different from your username, so you might want to edit your new user profile to change that. Then check the box next to the admin username and delete it. It will ask if you want to attribute all of admin’s posts to someone else, choose your new username. This will transfer all your posts over to the new username.

CHANGE THE DATABASE PREFIX. This is really a recommendation for when you are setting up a new installation of WordPress. It’s not recommended for already installed blogs, especially for beginners as you can severely mess up your blog. But if you are setting up a new WP blog, it’s a simple thing you can do to help increase security. In the wp-config file, just look for the line that says:

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = ‘wp_’; // Only numbers, letters, and underscores please!

wp_ is the default prefix and hackers know this, so this is just another case of changing the default WP options. Change it to anything you want, though you’ll probably want to keep it short and random like kb_, cc_, ibc_, aba_, etc.

The plugin I mentioned in my previous post, WP Security Scan, will actually change the prefix for an already installed blog, but proceed with caution and make sure to backup your database before you try it.

Here are some other plugins I know of that can help make your blog more secure:

AskApache Password Protect - The author describes this plugins as creating a virtual wall around your blog to stop attackers from exploiting any kind of vulnerabilities. Has some server requirements, though, so make sure you have those before installing.

Login Lockdown - Records the IP of every failed login attempt of your blog, the IP gets locked out after a certain number of failed attempts. You can set this number and how long they get locked out, but the default is 3 failed attempts locks them out for an hour.

Stealth Login - You can customize the login and registration URLs of your blog. Just another example of changing the default options, making it harder for hackers to get in.

Secure WordPress - This plugin removes the error info on the login page (so it doesn’t say “Wrong Password” anymore when you try to log in), removes the WP version from your theme and adds an index file to your plugin directory, so it can’t be accessed directly.

Related posts

• Web 101: Fixed a hacked site and prevent it from happening again - Part 1 (0)
• Have you upgraded yet? (3)
• WP Admin Area Options (0)
• WordPress 2.6.1 (0)
• WordPress 2.5.1 (3)

I know some people were unhappy with all or some of the admin interface they introduced in 2.5, so this is a way to make your voice heard about the improvements they are trying to make to it. The navigation menu will now be vertical down the left side of the screen, with collapsible and expandable links to all the sections of the admin area. This survey lets you choose between three different options for this as well as adding your thoughts about what certain sections should be named or if they should be separate sections at all.

Take the Survey Now

Related posts

• First Look at WordPress 2.7 (0)
• WP Admin Area Options (0)
• WordPress 2.6.2 (1)
• WordPress 2.6.1 (0)
• WordPress 2.6 is out! (0)

Unfortunately, this can happen to anyone and there are a myriad of ways that a hacker can get into your site.  I believe in this instance that the hacker was able to guess her password, which was a very simple name.  So what is one to do if your site is hacked?  My client had no clue and I know that not everyone has a trusted designer or tech support that they can email with problems such as these (plus speed is key, so waiting around for help can be frustrating), so I thought I’d write up a checklist of things you should do to remove malicious code from your hacked site and prevent it from happening again (or ever if it hasn’t happened yet).  I’m specifically going to be using WordPress blogs as an example since almost my entire clientele uses WordPress, but most of these things can be applied to all content management systems.

CHANGE YOUR PASSWORDS. First things first when you discover your site has been hacked is to change your passwords FOR EVERYTHING.  You’ll absolutely want to change your blog password and your FTP/control panel passwords (if they aren’t the same).  But if you use the same or similar password for your email or anywhere else, you are going to want to change them as well.  Even if you’ve never been hacked, it’s good practice to change your passwords regularly, at the very least yearly.  Make your passwords as secure as possible and try not to use the same password for everything:

• Use a combination of letters and numbers as well as lowercase and uppercase and possibly even some symbols
• Try not to use recognizable names or dates/numbers
• 6-8 characters is a good length (though the longer the better)

Here’s a password trick I learned a while back that has been invaluable to me.  It’s a way to make every password for every site you visit different, but also something that you can remember.  First think of a good base using the rules I mentioned above, like: Xd5ye8*K

It may be hard to remember at first, but you are going to be typing it over and over so you should have no problem memorizing it eventually.  Next, you’re going to add an identifier of the site your password is for, so you need to come up with a system.  Examples of this could be the first four letters of the site name or the first two and last two.  It doesn’t really matter how you want to do it, just come up with a rule that can be applied to all sites.  Once you’ve done that add the letters to front or back of the base password you already came up with.

So for flickr, you password would be: flicXd5ye8*K.  For gmail it would be gmaiXd5ye8*K. For facebook faceXd5ye8*K, and so on.

DELETE/CHANGE YOUR USERS’ PASSWORDS. The hacker could have registered themselves as a user on you blog so that they could get in again.  Or they could have changed the password for one of your users so they could log in under that username.  Click on Users in your WP admin and look over the list of registered users.  If you have too many users and don’t want to have to change them all, you might consider deleting them all (except for yourself, of course).  People can always re-register.

Look for users with suspicious or spammy looking emails and delete them.  Many of my blogs have been getting a lot of registration spam lately.  Delete these users immediately, specifically if any of the users have an email address like xzy@mail.ru or anything else that looks random or generic.

If you don’t have a lot of users, then if may just be better in the long run to turn that option off altogether.  Go to Settings and under Membership, un-check the box next to “Anyone can register”.

SEARCH YOUR THEME FILES.  Next you’ll need to find whatever the hacker added and take it out.  The first place to look, especially if you are a WordPress user, is your template.  In your WP admin, click on Design and then Theme Editor.  A list of all your theme files will be down the right side.  The main ones you want to check are header.php, sidebar.php, footer.php and index.php, but you will want to check every single file listed for anything suspicious.

So what is suspicious code?  Look for anything that looks like a bunch of garbled text/code, or maybe a bunch of links to spammy-looking sites.  Specifically look for anything that uses the eval() command, base64_decode(), k1b0rg or keymachine.de and delete these lines of code. (You may want to back up your theme files before doing this in case you accidentally remove something important.)

UPGRADE/REPLACE YOUR WORDPRESS FILES.  If you don’t have the most recent version of WordPress, upgrade immediately.  Here’s a tutorial I wrote if you need help. Even if you are current, you should replace all your files with a fresh install in case the hacker modified any of the files or added any new files to your WP folders.  This means completely removing your wp-admin and wp-includes folders and all of the wp-something.php files that are in the main WP directory.  DO NOT remove wp-config.php or the wp-content folder. Everything else is replaceable, though.

CHECK FOR SUSPICIOUS FILES IN (AND AROUND) YOUR WORDPRESS DIRECTORY.  You can access this via FTP or through your control panel file manager.  First look at your .htaccess file, which is in the main WP directory (or root as it’s called).  If you have nice permalinks (links to posts look like http://yoursite.com/2008/09/08/post-title/) it should look like this:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

There probably won’t be much else in there unless you’ve specifically added something.  Though some plugins like WP-Super Cache or feed/site redirecting plugins do add things to this file, so just be careful about if you delete anything from this (again make sure you have a backup).

Since you didn’t delete your wp-content folder, you will need to check this for suspicious files as well.  The main place to look will be your uploads folder, where the pictures you upload to your blog are stored.  For most WP blogs this is in wp-content>uploads though some older blogs may not have the uploads folder.  They might also be separated into year and month folders.  Look through all the files and make sure they are the right file extensions.  Picture file extensions are .jpg, .gif, .png and bmp.  Delete anything that isn’t one of these extensions unless you uploaded it yourself.  Nothing with a .php file extension should be in your uploads folder.  Those kinds of files are most certainly bad.  Besides looking for weird file extensions, look for files that have strange/random names that you know you did not upload.  If you see a folder called js_cache with a file in it starting with tinymce_, that is supposed to be there, so don’t delete that.

After checking your uploads folder go through and also check your plugins and themes folders for the same kind of files.  Make sure to check the images folder in your themes.  You may want to reinstall all your plugins as well to make sure none of them had been modified either. (I’ve never seen that happen, but you never know).  I have seen and heard of files being added the cache folder if you have WP Super Cache or the image-headlines folder if you using that plugin (or ones like it), so those are definitely ones to delete and reinstall if you have them. Also, be sure to check any and all other folders and files in your root directory for anything suspicious that you know you did not put there.

Checking all these things may sound tedious, but if you know the exact day the hack happened, you can look for things that were added/modified on that day.

CHECK AGAIN. So you went through all your files and you think you got everything bad removed, but how can you be sure?  That’s where these handy plugins come in:

WordPress Exploit Scanner - This will scan your files and your database for suspicious activity.

WP Security Scan - This will scan your site and show you any vulnerabilities you have.  This is for more advanced users, as it doesn’t always tell you how to fix these vulnerabilities (it assumes you already know).  I’ll talk more in my next post about some of the simpler things that you can do to make your site more secure.

Also check out this article which goes into a bit more depth about some of the specific hacks that can happen to WordPress users and some fixes for them. (There’s some good tips in the comments as well.)

NOTIFY GOOGLE THAT YOUR SITE IS SAFE. Now that you’ve gotten everything removed and your site is safe again, how do you get google to remove that warning?  When I visited my client’s hacked site in Firefox 3, it wouldn’t let me view it.  It gave me a big red screen saying the site was dangerous.  Unfortunately, this doesn’t automatically go away once you remove the malicious files.  You need to notify google to re-scan your site and verify that it is safe again.  You can do this by putting in your URL here: http://www.google.com/safebrowsing/report_error/?tpl=mozilla

You can also request a review using Google Webmaster Tools.  You have to register and verify your site first, so it’s a little more involved, but I think you may get faster results if you go through the effort. Here’s some more info about that straight from Google.

In my next post I will talk about some of the things you can do to keep your site secure and prevent it from being hacked.

Related posts

• Web 101: Fixed a hacked site and prevent it from happening again - Part 2 (0)
• Have you upgraded yet? (3)
• WP Admin Area Options (0)
• WordPress 2.6.1 (0)
• WordPress 2.5.1 (3)

With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password.  The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit.  However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.  Stefan Esser will release details of the complete attack shortly.  The attack is difficult to accomplish,  but its mere possibility means we recommend upgrading to 2.6.2.

Download it now or check out the full list of changed files.

The WordPress Automatic Upgrade plugin is great for these kinds of releases. I’ve just upgraded this blog and it look less than a minute (I counted).

Related posts

• WordPress 2.6.1 (0)
• WordPress 2.6 is out! (0)
• WordPress 2.5.1 (3)
• WordPress 2.3.3 (1)
• What to expect in WP 2.6 (0)

The rest of us are still taking new projects for fall as well and we recommend getting in line soon if you want a project done this year since we can all only take a limited number of projects before the holiday break.

Related posts

• Open for Business (1)
• Welcome Vicki and Shaz! (0)

First Look at WordPress 2.7

WordPress 2.7 and Crazyhorse

Related posts

• WordPress 2.7 Navigation Options Survey (0)
• What to expect in WP 2.6 (0)
• WP Admin Area Options (0)
• WordPress 2.6.2 (1)
• WordPress 2.6.1 (0)

If you’re looking for a no muss, no fuss method of upgrading WP, I highly recommend the WordPress Automatic Upgrade Plugin.  It only takes minutes to upgrade WordPress on most servers.  Everything is done right from your admin area, you don’t have to bother with files or FTP or databases, the plugin does everything for you including backing up your whole site before you start.

And if you just don’t feel like taking a few minutes to upgrade your blog right now, but don’t want to have to look at that annoying upgrade notice that’s at the top of your admin pages, the Hide the Update Notice plugin is really handy.  It just hides the big notice at top, it’ll still say there’s a new version down at the bottom of the admin pages, so you’ll know when there’s an update.

Related posts

• WordPress 2.6.2 (1)
• WordPress 2.6 is out! (0)
• WordPress 2.3 released! (0)
• What to expect in WP 2.6 (0)
• Have you upgraded yet? (3)

Some of the new features of WP 2.6 include:

• Post revisions, which gives you the ability to go back and see older versions of your posts in case you make a mistake or accidentally delete something you didn’t mean to.
• Press this! which is an improvement to the old bookmarklet tool, which should make it easier to have a more tumblr like blog being able to add pictures, videos, links and anything else interesting you find on the net to your blog with the click of a button.
• Theme previews let you view a new theme (with all your current content) before you activate and make it live.
• Image uploader improvements, including easier inserting, floating, and resizing as well as drag-and-drop reordering of Galleries.
• Stronger, better, faster versions of TinyMCE, jQuery, and jQuery UI as well as support for Gears, which will speed up the load time of some of your admin area pages.
• Security improvements including cookies and support for SSL.

You can read about these and more features in detail on the dev blog.  Or you can view this handy little video for more info on this new release:

Download WordPress 2.6 today!

Related posts

• WordPress 2.6.2 (1)
• WordPress 2.6.1 (0)
• What to expect in WP 2.6 (0)
• WordPress 2.5.1 (3)
• WordPress 2.5 RC1 available (1)