Understanding and Getting Rid of the WordPress Pharma Hack

Ruby 2 years ago

Hacks catch WordPress site owners by surprise since they are carried out discreetly to exploit websites’ resources. The Pharma hack makes use of your website’s search rankings. Do you know how to get rid of it?

Over the past couple of weeks, we’ve been covering some of the ill-effects of being hacked, and how to recognise a hack. In that progression, one of the most discreet ways hackers use your site, is via Black Hat SEO techniques.  Black HAT SEO hacks make use of the legitimate links and content on your site, so cleaning them up requires expertise, and time.

What is Black Hat SEO?

In short, Black Hat SEO (also known as ‘spamdexing’) is an exploit of a vulnerability on your website where attackers target your highest-ranking pages. Hackers perform this bad SEO practice so their websites gain easy traction from your website’s search engine ranking.

Attackers first identify the high-ranking pages on your website. They then insert their links into those pages, and hence hijack these rankings to affect their websites. The malicious content isn’t seen on the front-end of the affected websites, but is visible to search engines.

However, in the long run, this poisons your site’s ranking.

The WordPress Pharma hack poisons your website search engine ranking
The WordPress Pharma hack poisons your website search engine ranking

Not only does your website rank lower… since these methods go against search engine guidelines, there is a high possibility of your website getting blacklisted too. This doesn’t matter to the hackers because they’re looking for a quick way to boost their website ranking instead of putting in the hard work for it. Once your website has been blacklisted, they’ll perform the same SEO hack on another website to maintain their ranking.

One of the most well-known ways Black Hat SEO affects WordPress sites, is via an exploit called the Pharma Hack.

What is the WordPress Pharma Hack?

The WordPress Pharma hack is an exploit of a website’s vulnerabilities to display pharmaceutical products along with the actual site’s pages or products on the search page. Since this is an exploit that uses Black Hat SEO, these pharmaceutical products don’t display on or affect the actual pages of the website. Instead, the website ranks lower on search engines’ results.

Why does it take so long to detect?

When we say that the spam links and content isn’t visible to users, we mean that it only shows up when someone looks for the site on Google. The description beneath the link to the website will show something related to the pharmaceutical products from the hacker’s site.

Even if you (the admin) of the site look through the HTML source code, you won’t find the spam links or content.

This is because the malicious content is disguised and placed in your WordPress blog’s plugin folders, and in your database.

Since the exploit only affects the highest ranking pages and not all the pages on the site, it becomes more difficult to find.

How does it work?

Most of the time, hack files (malicious code) is encoded, or named to look like legitimate WordPress files. For example, if the Akismet plugin has hack files, they could be named “akismet.cache.php” instead of “akismet.gif”, “akismet.php” or “readme.txt” (which are the only three files that an uninfected Akismet folder has). Similarly, any file outside of the default files available with your original WordPress plugin install should be looked at closely, since they could be hack files.

With the WordPress Pharma hack though, the hack files are encoded (sometimes backwards), and are injected into the plugins folder.

The malicious code pings Google with requests for the list of highest ranking pages on your website. It then stores this information in its database, and targets them when it runs.

How to clean up the WordPress Pharma Hack

  1. Go through your plugins folder using your FTP client.
  2. Make sure your viewing options are set to show hidden files.
  3. Check directories of every active plugin on your website.
  4. Look for files that have encoded names.
  5. Once you find the hack files, it is important that you delete them. This will get rid of the symptoms of the hack. However, you will have to remove the malicious files in your database too in order to get rid of the hack from the root.
  6. Before you tamper with any database file, it is recommended that you backup your WordPress site so that any change you make to your site isn’t permanent. This way, even if you make a fatal mistake, you can rollback changes and go back to a working version of your site.
  7. Deleting the rogue functions in your WordPress database will need some technical expertise: you will have to access phpMyAdmin, and delete the database entries that contain malicious code. If this step is not done, the consequences of the hack will still prevail.
    The easier option to manually looking for and deleting presumed hack files, would obviously be to use an intelligent hack scanner and cleaner that doesn’t raise false alarms, and yet doesn’t miss malicious code.

 

Black Hat SEO hacks, and other SEO spam is difficult to remove from your site. What’s worse is that if you get blacklisted by search engines like Google for it, requesting for a review, and getting reviewed for this kind of exploit takes the longest time to process, out of all the types of hack review requests. This is why time is of the essence in attacks like the WordPress Pharma Hack.
Efficient hack scanning and cleaning systems that require technical assistance, take up to 12 hours to clean up malicious code, but the question is whether you can afford that time. This is why it’s important to use an efficient, automated malware scanner and hack cleaner.

WordPress Sitemaps and their Importance

Ruby 2 years ago

One of the most powerful ways to make your website more search engine friendly, is to use a sitemap. But what are sitemaps, and how do you create one for your site?

What is a site map, and why is it important?

Search engines like Google, Bing, and Yahoo crawl through the contents of a WordPress site in order to index all the data present on the site. They use different mechanisms to identify different pages/URLs on the website. One of the most powerful ways for crawlers to index your WordPress site is through sitemaps (or sitemaps).

Having an XML site map on your WordPress site makes it easier for search engines to crawl it.
Having an XML sitemap on your WordPress site makes it easier for search engines to crawl it.

A sitemap is a document that contains a list of URLs of all the pages in your website. When you use sitemaps on your website, as the website owner, you’re telling search engines what content is present on your site and where to find it. This makes the job of search engines easier and ensures that they don’t miss any pages on your site, even by mistake.

Why XML sitemaps are important

Sitemaps are of different types, of which the XML sitemap is the one that search engines look for while crawling your site.

sitemap.xml files are polar opposites to robots.txt files. While robots.txt files are URL exclusion protocols that inform web crawlers and bots not to crawl the pages in the file, sitemap.xml files are URL inclusion protocols. An XML sitemap should be stored in your root WordPress directory so that search engines can locate and access it with ease.

Types of XML  sitemaps

There are many types of XML site maps you can create to provide search engines and users with more information about your website. Some of them are discussed below.

  • Image site maps: As the name suggests, image site maps are site maps that include a list of all the images on your website.
  • News site maps: These site maps contain a list of all the News published on your site.
  • Video site maps: Video site maps contain an index of all the videos posted on your website.
  • Mobile site maps: These site maps list only those URLs that serve mobile web content.

The format of a URL XML site map

A site map, in addition to web page URLs, contains some additional information such as the date on which a page was last modified; how frequently a page is likely to be changed, modified or updated; and how important a page is with respect to other pages on the same website. A typical URL entry in a sitemap.xml file looks like this:

 <url>
<loc>http://www.yourwebsitename.com/home/</loc>
<lastmod>yyyy-mm-dd</lastmod>
<changefreq>daily</changefreq>
<priority>0.5</priority>
</url>

Here, the <loc> attribute states the web page URL. The <lastmod> attribute states the date on which the page was last modified. The date should be mentioned in W3C Datetime format, as shown in the above example. The <changefreq> attribute states how often the page may change. The options that can be mentioned here are always, hourly, daily, weekly, monthly, yearly, or never. Lastly, the <priority> attribute states how important the page is when compared to other pages on your website. Valid options for this range from 0.0 to 1.0, the default value being 0.5.

Creating an XML site map for your WordPress Site

If you have a WordPress site with lots of web pages to index, it might seem like a daunting task to create a site map for your site. But it isn’t, so don’t you worry. You can automatically generate a site map for your WordPress site using a site map generator like XML-Sitemaps. Once a site map is generated, you can then upload it to your WordPress root directory. Else, you could also use WordPress site map plugins like WordPress SEO by Yoast and Google XML site maps to generate a site map for your website. These plugins will also notify all major search engines about new content on your site, every time you create a post.

Once you’ve generated an XML site map for your site, you can submit the sitemap.xml file directly to search engines like Google and Bing via the Google Webmaster tools and Bing Webmaster tools respectively. Alternatively, you can use the following directive to specify the path to your site map anywhere in your robots.txt file:

Sitemap: http://www.yourwebsitename.com/sitemap.xml

This is sure to have a positive impact on your search engine rankings. So what are you waiting for? Get started with your website site map already!

Do you have a disaster recovery plan for your WordPress site?

Ruby 2 years ago

Why do you need it?

Can your business continue to function if you were to lose your data? If your answer is a clear no, then having a disaster recovery plan is a must for you. At some point down the road, your data is going to be in danger. It could be a machine error. It could be a simple human error. It could be a tornado the size of Nebraska. But sooner or later, you’re going to be in a situation where you’re at risk of losing some or all of your data. Some of the common consequences of a disaster –

  • Loss of business/customers
  • Loss of credibility/goodwill
  • Cash flow problems
  • Loss of operational data
  • Financial loss

90% of businesses that lose data from a disaster are forced to shut down within 2 years of the disaster. 50% of businesses experiencing a computer outage will be forced to shut within 5 years. (Source: London Chamber of Commerce). So, having a disaster recovery plan is the best insurance for your business and entire data. But what are the possible reasons behind this ‘disaster’? And how do you deal with them?

It's wise to have a recovery plan for your website
It’s wise to have a recovery plan for your WordPress site

What Can Go Wrong?

Hardware Failure

While we’ve made huge strides in terms of technology, it’s still not perfect. There are bound to be issues now and then. Hard disks, which are the most popular form of storage media, fail more often than you think. The statistical figure indicated is by no means trivial. Other forms of hardware failure can have a similar impact on your business.

Web-hosting Failure

As every site is hosted using one of the providers, a failure on their end undoubtedly spells disaster. Any sort of networking problem can bring down your site. However, this doesn’t pose a big threat to your data. But that’s not the end of it. These hosting providers are a common target of hackers. Once the server is compromised, the hackers have access to all the data that resides on it. The hackers can thus attack 1000s of site by hacking a single provider. Sometimes, hosting providers even suspend your account without prior notice.

Natural Calamities

Natural calamities, though rare, can pose a huge threat to your data. Hurricane Sandy, which hit New York City in 2012, had companies fighting hard to keep their data centers up. It was one of the busiest days for many of them.

WordPress Issues

WordPress, though WP core is known to be stable, has its own share of problems that crop up from time to time. The most common issue that users face is that of version incompatibility. Though WordPress versions are meant to be backward compatible, quite often, a WordPress update ends up breaking a plugin or theme due to incompatibility. Underlying API changes in a new version could also result in breaking parts of your site.

Plugin/ Theme Issues

WordPress is an open platform, inviting a lot of people to develop plugins and themes. Since each plugin and theme is written independently, not all of them follow the same set of coding guidelines and standards. This makes installing new themes and plugins on your site a risky proposition. A new addition may be incompatible with the underlying WordPress version. Some of the changes made by plugins and themes are –

  • Bad database changes
  • Addition of new tables
  • Modification of standard WordPress tables
  • Changing WordPress configuration files
  • Introducing incompatible code
  • Corruption of .htaccess files

This can result in breaking parts of your site or worse, lead to a crash. Upgrading plugins and themes can also lead to similar issues.

Hacks and Vulnerabilities

WordPress core, by itself, is known to be safe and stable. However, plugins and themes added by developers hailing from diverse backgrounds have become game changers when it comes to WordPress security. Plugins and themes together make up the biggest source of  vulnerabilities found in recent times. Popular plugins like MailPoet, W3Total Cache and Super Cache have been exploited to attack thousands of sites. Similarly, themes are also vulnerable to attacks. The TimThumb library included in many themes was exploited to compromise tons of sites.

Hackers are always looking for new ways to launch attacks on WordPress sites. While most hackers look to make quick profits, some do it merely for fun. They can install malware that’s extremely hard to detect and get rid of. They can also wipe out all of your site’s data.

Human Errors

To err is human. But these errors can prove to be very costly. You can delete a single post or the entire database. Ben Congleton of Olark describes in an interview, a case where a human error nearly took down his business.

The reason behind the disaster can vary, but they will all impact you in the same way. They can all potentially take down your site, and thus your business. So what is the best possible plan to recover from a disaster?

Putting Together a Disaster Recovery Plan

Backup, Backup, Backup: the Cornerstone of a Disaster Recovery Plan

Not enough emphasis can be laid on the importance of backups. Taking regular backups of your data is critical for any business. That way if anything untoward happens, you can recover your site in a matter of few minutes. There are multiple options available from which you can choose. However, it is best to opt for a managed offsite backup service like BlogVault that can handle any situation with ease.

Plan for Extended Downtime

Your plan should cover what you will do if the downtime from the disaster is expected to last more than a few days. For instance, there may be a major outage with your hosting provider. You’ll need to identify possible alternatives to host your site.

Emergency Contact

A natural disaster or emergency could cut off all your regular avenues of communication, so adding a communications element to your plan is important as well. Notifying your customers about the downtime is extremely important. However, when you lose data, your customer information is lost too. Hence it is critical that you have a separate emergency contact list, such as all customer email IDs, stored separately in an easily accessible place.

Test the Plan

Do a test run of your disaster recovery plan to make sure that it works when needed. Also ensure that your plan is known to multiple people at your company so that they can spring into action immediately when disaster strikes.

Disasters do happen, and your company’s data is one of its most important assets. When disaster strikes, you need to be sure that you can get your data back quickly, so there is minimal impact to your business. So work on that disaster recovery plan today, in case you already haven’t. Better safe than sorry, right?

How small WordPress agencies can land big clients? Lessons from rtCamp- Asia’s first WordPress.com VIP partner agency

Suhas 2 years ago

It is no mean feat for a WordPress agency in India to have become Asia’s first WordPress.com VIP partner. The partnership means that they are in contention to land some of the biggest projects in the world. Today, as Rahul Bansal, the founder of rtCamp states that, their client list contains only ‘big clients’- enterprise level or companies which are funded.

Many young WordPress agencies might be wondering what is the road-map to achieving such a feat? No company starts out big though. Just like every other venture, rtCamp’s story too has an arc to it.

They landed their first enterprise level client, Geometric, much before they were aiming for it, or much before they were ready for it. At a time when they were very much the size of a young startup. However, their success today must mean that they did some things right along the way.

Here are some takeaways for WordPress agencies just starting out.

 

A WordPress Agency by any other name?

Absolutely not! Here’s why

The beginning is always about being in the right place at the right time. rtCamp created a company profile on LinkedIn. On the profile they identified themselves as a WordPress agency. This was the first point of contact between Geometric and rtCamp; and as it turned out a crucial one.

As Serendipitous as this find may seem, it was anything but that. Planning is key to earning any stroke of luck. When the Marketing Head of rtCamp at the time, Gajanan Sapate had suggested building a presence on LinkedIn, Bansal was not keen. The profile though, was created without Bansal’s approval and it proved to be a vital move.

Geometric had decided to use WordPress to build their site. When they were looking for a WordPress agency on LinkedIn, then they found rtCamp. Bansal suspects that the company’s search on LinkedIn for a WordPress agency yielded rtCamp as the only  result.

The conviction to clearly state their specialization meant that the agency could not go after projects based on other platforms. It also meant that it set them apart and established their expertise; this worked in their favour.

 

With Big Clients come Big Challenges for small WordPress Agencies

The beginning is just that. With enterprise level clients, come many demands. As Bansal himself admitted, the combined value of all their clients at the time was much less than that that of Geometric.

He recalls how they were required to fulfil many procedures and adapt to a long sales cycle. In this case, it was around 6 months. In the case of enterprise level clients this is not unusual; with a sales cycle lasting anywhere between 3-6 months. However, for a company which had only experienced maximum sales cycles of 2 weeks, 6 months seemed like a long, long time.

Not only did the entire process take more time than what they were used to, all the steps were new too. For example, Bansal admits that they were new to the idea of purchase orders. Apart from these challenges, they also failed many of the checks; like not having access control (such as  magnetic stripe cards and so on), which did not help either.

It was clear to Geometric that rtCamp was not familiar with enterprise level processes and practices. All these points raise the question- “how did rtCamp eventually land the project?” and “Why did both rtCamp and Geometric stick with each other?”

 

Honesty is the Best Policy

Bansal mentions instances during his freelancing days as a web developer when he readily admitted to clients that he offered WordPress as platform because he did not work any other CMS.

This policy about being upfront with the clients extends to rtCamp too. Having displayed their prowess with WordPress(more on this below), he remembers not hiding from the clients rtCamp’s need to learn about about dealing with enterprise level clients. Both these factors allowed Geometric to make a fair assessment and help rtCamp catch up with the business processes side of the deal, as a slightly amused Bansal now recalls.

 

Contribute Back To The Community

Bansal points to a combination of factors which contributed to their success. The combination of factors being, his famous blog, an extensive WP portfolio, open source projects like rtMedia, and knowledge of content, and analytics.

Among all of these factors, Bansal recognises the role his blog and rtCamp’s community contributions played, in making people aware of his agency. They also, according to Bansal, were the reasons the client was convinced regarding his agency’s prowess on WordPress. This is why he highly recommends, for those involved in open-source communities to contribute to the community.

Bansal states that these factors combined with a willingness to learn and grow along with the demands of project, has now led to a fruitful relationship with Geometric

 

Improve Before the Need Arises

Apart from all of these factors a willingness to deliver better quality now, rather than waiting for later, seems to have paid off in the case of rtCamp. A couple of years on after Geometric, rtCamp shifted its focus entirely to preparing for big clients  and becoming VIP partners.

Part of the road map to achieve their ambition of becoming VIP partners, was to deliver code which adhered to VIP standards. Implementing such quality standards when the clients were not asking for it was important. When rtCamp finally got their first enterprise client, which was to be verified by Automattic, it was approved in the first round itself recollects Bansal.

The success story of rtCamp is a good example of how positioning yourself in the right manner, willingness to learn on the go, participating in the community, and playing the game with foresight pays off.

How to be a successful freelance WordPress developer: Lessons from, Rahul Bansal, the founder of rtCamp

Suhas 2 years ago

Rahul Bansal, the founder of rtCamp; Asia’s first WordPress.com VIP partner agency, began his career as a freelance WordPress (WP) developer. The success of the company today can be traced back to ideas that were born during those days.

Being a freelance, WordPress developer in 2007-08 India is an interesting story for many reasons. Among the lot, the reason why it stands out the most is the choice of platform itself- WordPress. The platform was barely popular in the country at the time.

Asking him about the beginning of the journey and his success as a freelancer will quickly assure you that doing what you enjoy, taking up challenges and learning as you go, will take you a long way.

Right from starting a blog (after watching friend do the same), to taking up freelance projects based on WordPress for the sake of learning more on the platform; which he not only enjoyed using and but also afforded him the freedom to express himself, Rahul Bansal’s choices reflect that enjoying your work and sustaining a hunger for learning can lead to good things for WordPress freelancers.

 

http://https://youtu.be/4-aP7Od5QrM

 

Enjoy What You Do: Blogging, as the beginning of WordPress Development

The beginning was fairly innocuous. Bansal started a blog in his final year of undergrad. The idea itself emerged as a result of following the work of a friend; who he often copied. Regardless, he began to enjoy the blogging experience. The blog had thousands of subscribers and used to garner half a million page views at it peak. Safe to say Bansal was running a successful blog.

You might wonder- Why start off with the blog, when we are telling you the success story of a freelance WordPress developer?

The reason lies in an anecdote that Bansal recollects. Once, he bid on a project, and to his surprise the client awarded him the project before the details were finalized. Upon inquiring he learnt the client’s reasoning. If Bansal was running  such a successful blog, then he must be doing something right.

 

http://https://youtu.be/j3dzEm-0ufY

 

Showcase Your Work

This might be a good lesson for young WordPress freelancers, or freelancers in all fields. Create a platform to display your skills and work, and the right projects may just find you. As Bansal himself says, “It’s not your academics, [but] it’s your skills [which count] on the Internet.” The blog, which made this possible was Devil’s Workshop. Although it is no longer updated, you can still find the published works posted there.

During this period he chanced upon an opportunity to monetise the blog. This opportunity came in the form of Google AdSense. Having installed it out of curiosity, Bansal realised by the last year of post-graduation that the platform was earning him enough revenue to consider taking up blogging professionally.

However, the task of convincing parents and family members that this was a viable career choice remained.

Bansal drafted an answer for the impending questions, which was simple and for that reason brilliant- His solution was to draw an analogy between his profession and news agencies. While newspapers are distributed to the public at subsidised rates, the revenue is earned through ads. Much the same way, he explained that his blog was like an online newspaper earning revenues from ads. As convincing an answer as this might seem to us, Bansal himself believes that the point which convinced his parents was that he was earning enough from his blog to not take any money from them right from the final year of his M.Tech.

Enjoying the blogging experience led him to a revenue stream through AdSense. The desire to take it up professionally and have more control over the blog and content led him to WordPress.

 

http://https://youtu.be/iHv9LiM4nOA

 

Learn While You Earn

He had begun to customise his blog and found the coding experience on WordPress easy and enjoyable. Finding work enjoyable was again sufficient for the professional blogger to add freelance WordPress developer to his CV.

Not happy with tinkering with the CMS and learning about it on his own time and money, Bansal came up with an unique approach to help him learn and earn at the same time. He listed all the things which he wanted to learn on WordPress and signed up on sites for freelancers; like freelancers.com.

He says that he chose projects with realistic deadlines and possibilities which required him to learn and work on the list of things he wanted to know on WordPress. This approach ensured that he continued to grow more knowledgeable about the platform which he had grown to appreciate more and more. Besides the extra money didn’t hurt.

A key thing to note here is that the love for the platform led him to the job. Bansal mentions that he was already earning money from ads on his blog. “It was due WordPress that I became a web developer, not the other way around,” he says.

 

http://https://youtu.be/xgzJu0FkA5Q

 

Upfront About the Uptake: Why WordPress

If you ask Bansal why WordPress was his focus in 2008-2009 when the platform had not yet even reared its head in India, like always he has simple and convincing answer. He says that you should develop on a platform which you use. Since WordPress worked for him he worked on solely on this open-source CMS. He was always upfront to the clients about his reasons and motives.

The tactic seems to have paid off. This ensured that most of his clients returned to him. So much so that the workload was starting to expand beyond the capacity of an individual and shortly after his M.Tech, in  few months, he would register rtCamp. He didn’t know then but the agency would go on to become Asia’s first and so far only WordPress.com VIP partner agency.

However, Rahul Bansal’s choices and practices, seem to indicate that the seeds for rtCamp’s success were already sown during his freelancing days. The success story, is a tale of being guided by one’s interests, making good; but difficult, choices, and finally making the more difficult choice of sticking by one’s decisions. Freelance WordPress developers and agencies across the country would find good clues to planning their way forward from these ideas.

BlogVault makes WordPress migrations to Pantheon easy with ‘Pantheon Migrations’

Suhas 2 years ago

BlogVault has developed, and in collaboration with Pantheon created Pantheon Migrations. Pantheon is the world’s largest website management platform, delivering Drupal and WordPress as a service. Pantheon’s multi-tenant, container-based cloud platform enables web teams to build, launch, and run all of their websites from a single dashboard with ease. 

You can now migrate your WordPress sites to Pantheon with ease. Just input your SFTP credentials, email, and the destination URL, and you’re good to go. Pantheon will notify you when the migration begins and completes via email. You can also track the progress of the entire process on our website, via your BlogVault dashboard.

For us, at BlogVault this is the latest partnership for migrations. Previously we have partnered with other companies like WP Engine, Savii, & Cloudways. Now you can enjoy the convenience and expertise we strive to bring you while migrating to Pantheon as well.

easy WordPress migrations
BlogVault partners with Pantheon for easy WordPress migrations

You can always enjoy easy migrations with our backup plugin, BlogVault too. Apart from backup, and migrations, the plugin also offers, auto-restore, test-restore and security settings to improve your WordPress website security posture.

While the partnership adds an exciting page to BlogVault’s story, we’re also looking ahead. Our mission of developing the best in WordPress backup and security has led us to our next product. It’ll launch shortly and promises to change the way users deal with WordPress security issues on their sites. Until then, stay safe and don’t forget to backup!

Password Protecting wp-login.php with HTTP Authentication

Pritesh 2 years ago

The WordPress admin dashboard can only be accessed by entering in your username and login password. It is good practice to use a strong login password at all times, as this makes it difficult for bots and hackers to break into your admin dashboard. However, the internet has never been a very safe place, and no amount of security is ever enough. Therefore, it’s always good to have as many layers of security as (sanely) possible, to keep hackers at bay.

Password Protect

While login credentials are a robust security measure at the WordPress application level, we can add further security using HTTP Basic Authentication (BA). HTTP BA is the simplest technique for enforcing selective restriction of access to your web resources, making it a system level security. But well, enough nitty-gritty for now, lets try to understand this with a simple analogy. Imagine your WordPress site to be a house. Although the house’s main door (read login credentials) is a vital part of security, it may not be enough, and you might want to add a fence around your house as an additional security measure. HTTP authentication is one such ‘fence’ for the protection of your WordPress site. Anyone who wants to enter your admin dashboard will first need to go through the HTTP authentication (your fence) and then enter in their login credentials (your main door).

To secure your WordPress site with HTTP authentication, you need to first generate a .htpasswd file, where you’ll list all authorised usernames and their respective encrypted passwords. Following our analogy, think of this as setting up a door to your fence. One can leverage .htpasswd only on an Apache server, since .htpasswd is an Apache password file. Good news is, Apache is the most commonly used web server software worldwide. This makes it highly probable that your site is running on Apache.

Creating a .htpasswd File

You can use the htpasswd command line tool to create a new .htpasswd file. In your command line, use the following code:

htpasswd -c .htpasswd harini

Here, ‘-c’ stands for ‘create’ and should only be used while creating a new .htpasswd file. ‘harini’ is a case-sensitive username for our HTTP BA. On hitting enter, you’ll be prompted to enter the password you would like to use. By default, the htpasswd tool encrypts your password using MD5.

htpasswd 01

In the case that you already have an existing .htpasswd file, and would just like to add a new username to it, you should use the following command line:

htpasswd .htpasswd rahul

htpasswd 02

Note that you don’t have to use the ‘-c’ switch in this command, since you don’t have to create a new htpasswd file here.

A typical htpasswd file looks like this: ‘username:encrypted_password’. For instance, a sample .htpasswd file that contains users harini and rahul would look like:

sample .htpasswd file

If you aren’t able to get your hands on the htpasswd tool, you can easily generate your .htpasswd entry (username-encrypted password pair) using this htpasswd generator.

Now that you’ve successfully created the .htpasswd file, you have a lot of flexibility over where to place it, however it is advisable to store it in a directory that can’t be accessed directly through the web. One such good location would be one level above the WordPress install directory. This will ensure that your Apache password file remains secure, even if your web server software were to get corrupted.

Password Protecting wp-login.php

With the .htpasswd file ready and stored in a safe position, you can now go on to restrict access to your wp-login.php file. For this, you’ll need to specify the following things in your .htaccess file:

  • what file to restrict?
  • where to get HTTP BA credentials from?

Assuming .htaccess file is at WordPress install directory level, adding the following lines of code in the file will do this for us:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

Here, you need to focus on the following two lines:

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to provide any user mentioned in the .htpasswd file with access to the wp-login.php file. In case you want to grant selective access to the file, instead of using ‘valid-user’, you can just mention the usernames you’ll like to provide access to. For example, if there are three usernames mentioned in the .htpasswd file, out of which you want to grant access to only two users, say user01 and user02, and not to user03, you’ll use the following require directive:

require user user01 user02

Once you’re done, save the file and upload it to the directory that contains the wp-login.php file. Now, the next time you try to login to your WordPress dashboard, you will find your browser prompting for authentication even before the admin-login screen is loaded, just like the fence we discussed.

http authentication protect wp-login.php

How to Block Google from Indexing your WordPress Site

Pritesh 2 years ago

So you’ve just installed WordPress on your system and are raring to go. You’re thinking of how to start and what to start with. However, before you embark on the journey of developing your website, there’s a tiny little thing you need to do – prevent Google and other search engines from crawling your site.

I know what you’re thinking. As a webmaster, one of the most important, and perhaps the most obvious thing you would want is to bring traffic to your site. And getting Google to index your site as fast as possible would surely help with that, right? Yes, it will, but you need to wait just a little longer for it. Trust me when I say that you don’t want web crawlers and robots all over your site just yet.

Blocking GoogleBot

More often than not, you would be directly working on your live site and it is only natural for things to get messy at this stage. It is for this reason that it is advisable to temporarily block search engines from crawling and indexing your site until you’re past the initial development phase.

You might also not want Google or other search engines to get their hands on your site’s content for a variety of other reasons. So the question now is, how do you stop Google from indexing your WordPress website?

Blocking Google and Other Search Engines

Using a Robots.txt File

The most basic thing to do would be to manually create and upload a simple robots.txt file to your website’s root directory, instructing all search engines to stay away from your site and not index any part of it. The text file will carry the following syntax:

User-agent: *
Disallow: /

You can also use an inbuilt feature on your WordPress dashboard to block search engines from indexing your site. For this, you need to

1. Go to ‘Settings’, select ‘Reading’.

Block indexing using WP tool Step01

2. Check the box next to ‘Search Engine Visibility’ that says ‘Discourage search engines from indexing this site’. Click on ‘Save Changes’.

Block indexing using WP tool Step02

This automatically adds the following syntax to your site’s robots.txt file:

User-agent: *
Disallow: /

It also adds the following line to your website’s header:

<meta name='robots' content='noindex,follow' />

Although this method protects you from most of the search engine crawlers and robots out there, it isn’t a hundred percent safe.

Password Protecting your Website using cPanel

Web crawlers cannot access password-protected files. Hence, if your web host provides you with cPanel access to manage your hosting account, you can password protect your website files from your cPanel dashboard. For this, you need to

1. Log in to your cPanel account and click on ‘Password Protect Directories’;

cPanel password protect directories

2. Select the document root in the pop-up window and click ‘Go’;

cPanel directory selection

3. Select the folder where your WordPress is installed;

4. Check the box next to ‘Password protect this directory’, type in a name for the protected directory, and click on ‘Save’;

5. Once you receive a success message, go back to create user;

6. Add a username and password, and click on ‘Add/modify authorized user’.

cPanel security settings

And you’re done! Your WordPress site is now password protected, and therefore, can’t be crawled upon by search engines.

Password Protecting your Website using a Plugin

Another way to password protect your site is by using any one of the various plugins available on WordPress itself.

password protect pugins

All you need to do is install a plugin (it is advisable to select one that has been updated recently) and activate it. Once it’s activated, go to ‘Settings’. Enable the plugin and set your password. Click on ‘Save Changes’, and you’re done! No search engine crawler or robot can access your website, let alone index it.

Whatever your reason may be, if you want to keep search engines from crawling on your website, you can choose any of the above mentioned methods to keep your website data safe, depending on your requirements and the resources at hand.

Why the Basics of Journalism work for Blogging

Ruby 5 years ago

From the newsroom

 

Sangeeta Cavale RK

 

There is a lot common to both the basics of writing an article and to blogging. Certain vital tools and tricks learnt during the course of one’s career as a journalist would certainly come in most handing in honing one’s blogging skills.  There are not rigid hard and fast rules here but some important guidelines and pointers that will make your blog topical, impactful, interesting, useful and with the most hits.

If you keep in mind the basic tenets of journalism, your blogs can make a lasting impression on your reader and not be just another piece of useless information on the Net.

You need to map your blog first. Don’t write a vague piece without any focus or angle. Ask yourself who your audience is going to be, their age group and demographic profile. A journalist needs to be alert, with a keen sense of observation and with a sense of curiosity. These very qualities would help a blogger too.

Says Matthew L Brennan, writer and blogger,  “Journalists are master story tellers.  They implement a little-known writing secret: people want to read about people. Journalists know that readers want a little action with their morning coffee. So, when you sit down to write a “list” blog, why not give us those tips with a little action? My initial example could easily be summed up in a short sentence on a list blog:

“To defeat writer’s block: Get up and move around. When you walk away from the computer inspiration can strike.”

Sure, this might be helpful, but seeing it in action creates a stronger mental image. I guarantee your competition will likely not write about the creative inspiration stirred up while fixing a ham and cheese sandwich at 2 a.m. A personal story shows that your tip or trick works. It shows the frustrations that come with writer’s block, and the corresponding action to battle it.”

Adds, Matthew Brennan, “Journalists can teach bloggers something when it comes to enticing a reader. A good journalist is always considering how to make their story stand out. They’re regularly competing with their counterparts from different newspapers, but also with the journalists who wrote the stories that surround theirs. They crave the attention of a reader. They act on it by capitalizing on the human element.”

Zoom in, zoom out

“Journalists give us a close-up image. Think of it like a magnifying glass on somebody performing an action. Once they have a reader hooked, they pull the magnifying glass back to give us a view of the big picture. Say, for example, you own a health club. Instead of just dully writing about the three best exercises for flatter abs, maybe you begin the blog writing about your workout, or the workout of one of the trainers. If it’s working for the poster child of the physically fit, readers will be more interested when you pull the magnifying glass back to establish the bigger picture, says Brennan.

 

Inverted pyramid

Visualise an upside down pyramid, broad at the top, narrowing towards the bottom. Imagine it filled with information with the most important facts at the broad top, supporting details in the middle and smaller bits at the bottom. This is known as inverted pyramid in the world of journalism and remains a popular way of organsing a news or feature article for more than a century. It could work well for a blog too. The opening of an article called the lead gives the reader a gist of the most urgent or vital piece of information right at the beginning. This can work wonders for a blog. If the beginning of the blog is packed with the most urgent or gripping pieces of information, the reader could be interested to read the rest of the blog as well. The lead usually contains the five Ws and one H. What, when, where, who and why. The H is how?

You can give your topic a headline so as to make it attractive and stand out. If the blog is lengthy, use sub headings to break the monotony.

 

Research and investigation

All good articles are well researched and facts investigated. News gathering is vital to ensure that the piece is genuine, true and authentic. Once you collect information, make notes you need to check and double check facts, names, quotations, numbers, spellings etc before incorporating them into your blog. A well written blog is one which has accurate facts and figures, genuine quotes from experts and therefore is one which has credibility. Name of people mentioned must be correct with the right spelling. Designations if any need to be right as well.  A good journalist will always have a thesaurus and dictionary handy. If the blog is a descriptive one like a travel blog, the description of places, sites, animals etc should be accurate and vivid.

 

Succinct style

You need to focus on good writing for a clear and appealing article, the same is the case with a blog.  Use simple and precise words, avoid jargon, slang, abusive words  and long sentences.  Tighten up flabby phrases and use succinct language.  Complex ideas, ideas and themes can be conveyed in the most basic words if those words are chosen well and organised carefully. If the blog is on a specialised or technical subject avoid  technical jargon so that even a pay person can read it and grasp what it is trying to convey.

A good writer avoids repetition of words and redundant terms as far as possible. Verbosity is a big no no in blogging too.

How to bring your point across quickly and succinctly in the few sentences of your blog is something known to journalists. Then a journalist has to be proficient in the language in which they write. Mastery over the language is an invaluable tool for bloggers as well. A blog can be descriptive, imaginative and magical with the writer’s own sense of humour thrown in. To some extent, writing feature articles too involves use of imagination, wit/humour and vivid/lucid language.

 

Plagiarism

Good journalists and bloggers have ethical standards that ensure the reliability and integrity of what they have written. Inaccurate names and addresses, poorly supported facts and figures can lead to lawsuits and complaints. This does undermine the credibility of the blogger/writer.

Says writer and blogger, Michael Poh from Singapore,“Rumors can be masqueraded as facts in the sea of information on the net, and it’s your role as a journalistic blogger to verify and confirm them. One problem with bloggers is that there’s diminished accountability for what we write when we compare with true blue journalists. Nevertheless, if we make it a habit to always verify what we post as facts, our blog will soon establishes a level of credibility. Such quality will draw in the crowd and make them stay.”

 

Libel

Slander, bias, racism, use of vulgar and obscene language are all taboos in journalism.  A good blogger keeps way from all this as well. Sensationalism might make you popular for a while but unless it is backed by some real facts, you could wind up losing readers.

Internet censorship laws are getting stricter by the day.

 

Being credible

“Journalists realize that their articles can have a substantial impact on the people who read them. They understand that their role is to be objective and be as accurate as possible in providing the information to them. Therefore, they hold honestly and accuracy  to the highest esteem and take great responsibility and pride when they write their pieces,” says Michael Poh. He adds, “Similarly, our blogs can significantly impact anyone who stumbles upon them. Do you take things out of context to skew readers to a certain personal view? Do you conceal your opinions and present them as facts? If you get sponsorship from companies to write good reviews about their products and services, will you still be truthful and objective in what you will post? These are some of the questions we have to consciously ask re, blogs may not be treated as seriously as official news sources, but remember that whatever you publish can be accessed by anyone with internet connection. This is especially so when more and more people are using social networking sites to share their links and such. You’ll never know the implication your post could potentially have. We ourselves have to ensure that we always write with the right intention. As with other great things in life, there’s always room for improvement when it comes to writing. Editing and rewriting makes for the road to perfecting your writing skills. Attaining that discipline of habitually checking your work again and again and making amendments will polish up all your final products.”

 

Comments? Email us at editor@blogvault.net

WordPress Security: Part 1 Securing wp-config.php

Akshat 6 years ago

We had earlier given an overview on How to secure your WordPress site. This post is first of a series, where in we will detail the steps needed to make your WordPress site more secure.

Every WordPress site contains a file called wp-config.php. Many of us, who work closely with WordPress would have already seen this file. When we install WordPress for the very first time, this is where we enter the database details for the site. Along with the database details, this file also contains many other configuration parameters which can lead to a much better security of your WordPress Site.

1. Change Database Prefix ($table_prefix)

The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix.

In your wp-config file there will be a line:

$table_prefix  = 'wp_';

You need to change it to something random like:

$table_prefix  = 'axcsr_';

This will cause the tables in the database to become axcsr_usersaxcsr_posts etc, in turn making it harder for the hacker to guess.

2. Disable Editing of Theme/Plugin files

In the WordPress Dashboard, there is an option to edit your theme/plugin files. This option is not to be used by normal users under any circumstance. However, in the hands of a hacker it can be extremely dangerous. For example, suppose a hacker is able to login to your site using some exploit. One of easiest mechanisms for them to add malware to your site, will be by editing existing files. By disabling the option to edit these files, you take away a valuable tool from hackers. It can be done by adding the following line to your wp-config.php file:

define('DISALLOW_FILE_EDIT',true);

3. Disallowing user to install plugins, themes or doing updates.

Disallowing a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:

define('DISALLOW_FILE_MODS',true);

In such cases, a plugin/theme can however be installed by directly copying the plugin to the site using FTP.

 4. Forcing use of FTP for all uploads, upgrades and plugin installation.

Tip #3 can be quite restrictive for many sites. An alternative in such cases could be to force users to provide FTP details whenever uploading a file, or installing a plugin/theme. Hence, even if a hacker is able to infiltrate your Admin Panel, they will not be able to install a new script without knowing your secret FTP credentials. To do this, add the following line to your wp-config.php:

define('FS_METHOD', 'ftpext');

If FTPS is supported then add the following line to the config file:

define('FTP_SSL', true);
 If your webhost or server supports SFTP you should use the following more secure option instead:
define('FS_METHOD', 'ssh2');

5. Change Security Keys

When a user logs into the Admin panel, WordPress generates cookies to keep the status of the users. To ensure that the cookies are safe and not guessable, it adds a salt while generating the cookie. This salt should ideally be long and difficult to guess. The salt is picked from 8 parameters in wp-config.php and look something like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

The above should be replaced with a new set upon installation, and WordPress provides and excellent tool to generate these randomly. You can get the same from: https://api.wordpress.org/secret-key/1.1/salt/

Also, in case your site gets hacked, it is highly advisable to change these keys with fresh ones. This will force all users to login again, and hence the hacker cannot use old cookies.

6. Move wp-config.php out of the core WordPress folder.

Typically wp-config.php is placed in the core WP folder along with other standard files like wp-settings.php, wp-login.php etc. WordPress also supports a more secure option, where in the wp-config.php can reside on the folder outside your wordpress installation. For example if your wordpress is installed in the folder /public_html/ folder, instead of having the file being present as /public_html/wp-config.php, you should store it as /wp-config.php. WordPress will intelligently pick up the configuration from this instead.

A good WordPress Backup solution like blogVault will identify that the file is present in the outer folder, and will still back it up.

 7. File Permissions of wp-config.php

Change the permissions of the file, so that only your webserver can access it. Further this file should not be modifiable/writable by anybody. Hence the preferred permission here would be to use:  400 or 440 depending on your setup. Permissions can typically be changed by using FTP or cPanel.

8. Securing the htaccess file

Apache uses htaccess to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from htaccess file too. This can be done by adding the following lines to your htaccess file:

order allow,deny
deny from all

We will cover other mechanisms to improve the security of your site in future posts.