Getting your website blacklisted is always a bad thing. But as in any crisis, it’s always important to know what to do next, and how to remedy the situation.


Having search engines blacklist your site can be a harrowing experience.

If you’re a website owner, having your website hacked, and then blacklisted, is a horrendous thing to discover. Not only will you have to deal with the consequences of the hack, but since your website is also blacklisted, Google and other search engines will stop crawling your site and start showing warnings to visitors. This means you’ll be missing out on new searches, and losing your hard-earned reputation as well.

If you’re new to owning a website and the hassles that come with it, all of this might seem a little intimidating.

This is why we’ve chosen to give you the most comprehensive guide to dealing with your website being blacklisted.

Here are just the basic steps if you’d rather have a quick run-through:

How to find out if your website has been blacklisted

There are a few ways to find out whether your site has been blacklisted, and whether it was blacklisted because of malware on your site.

  • Enter the URL of your site on Clearinghouse, or sites like it: StopBadware is a site that works in association with Google to help owners of hacked sites.
    Its tool, Clearinghouse, lets you know if your site has been blacklisted or not, simply by entering the URL in its search box. Since it aggregates security information from major search engines and security companies, its list is up to date, and takes only a couple of hours to reflect new changes. Once you enter your site’s URL, Clearinghouse will check if there are records of your site being blacklisted, and will let you know accordingly:

    Checking if your site has been blacklisted is simple with tools like StopBadware’s Clearinghouse Search
  • You could also enter your website’s name into Google and check the search results. If the descriptions for your website show a variant of “This site may harm your computer”, you’ve been blacklisted.
    A sample of a warning that displays when your site has been blacklisted as a result of a hack
  • If you’ve verified your website with Google’s Search Console, they would have sent an email notification about finding malicious software (or malware) on your site, and hence blacklisting your site. Below is a sample of the email you will receive:

Dear site owner or webmaster of (site.com),

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below is an example URL on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

www. Site.com

Here is a link to a sample warning page:

http://www.google.com/interstitial?url=http%3A//site.com/

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised

2) the site doesn’t monitor for malicious user-contributed content

3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:

http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting

http://www.google.com/support/webmasters/bin/answer.py?answer=45432

and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,

Google Search Quality Team

Why was my website blacklisted?

When hackers infect good websites with malicious code, the infected websites might collect banking details, contact or personal information from the website’s visitors, or launch spam mail aimed at them. The infected websites might also be used to infect the visitors’ computers, depending on what the malicious code on your website was written to do.

Therefore, your website might have been blacklisted because it contains malware. Security companies and search engines blacklist sites that contain malicious code in order to protect the sites’ visitors.

What to do about my blacklisted website?

Once you find out that your site has been blacklisted, there are a few steps to take to make sure that your site is listed again:

Step#1: Access Google Search Console

  • If you don’t have a Google account to use the Search Console:
    1. Create a free Google Search Console account if you don’t have one.
    2. Click on the “add site” button on Google’s Search Console and follow their instructions to verify your site.
  • If you’ve already verified your website using Google’s Search Console:

As mentioned previously, Google would have already notified you about your site being unsafe, via email, with the steps to be followed in case you have been blacklisted. What it doesn’t explain though, is how to go about key points such as “remove the malicious content from (your) pages” and “fix the vulnerability”.

Step#2: Take your site offline, put up a page that says “Under maintenance”

This will help keep your visitors safe, and keep the attacker from doing more damage to your site, while you look for the malicious files on your website. You can take your site offline by doing one of the following:

  1. Going to your WordPress file directory and renaming the index.php file to something like indexold.php
  2. Manually adding a 503 (Service Unavailable) rule to your .htaccess file
  3. Changing the Privacy mode of your site
  4. Using certain plugins
  5. Contacting your web host and asking them to temporarily suspend your site

Step#3: Look for malware and bad files on your website

Vulnerabilities in WordPress usually exist in outdated versions of themes, plugins and widgets, and in WordPress directories that you don’t usually visit. This is why it can be difficult to detect a hack.

What you can do, though, is update every outdated component on your site, and delete components that you don’t use. However, it’s not enough just to identify hacks… you have to clean out malicious files too. This is why choosing an intelligent hack scanner and cleaner is of paramount importance. You don’t want to get alerted by false alarms, nor do you want to miss getting rid of any malicious code.

Step#4: Request a review for your website

Once you remove all instances of malicious code from your website, it’s important to inform search engines about your progress.

There are two ways you could go about this:

  1. Sending a review request to Google with your Google Search Console: In general, review requests to Google depend on the type of malware detected on your site.
    • Reviews related to phishing take about a day to process
    • Reviews related to sites hacked with spam usually need a few weeks to process, since spam-related hacks are usually tricky and require manual investigation from the search engine’s side
    • Reviews related to other malware will need a few days to process
  2. Sending an independent review request to resources such as StopBadware: This is as simple as entering your website’s URL in their ‘Request Search’ page.

    Requesting a review from StopBadware (we entered a URL to get this result)

    Once all instances of malicious code on your site are removed and your site is verified to be clean, all warnings will be removed, and your site will function as usual.

Step#5: Back up your website!

Keeping a backup of your WordPress site will keep you safe in the future. You could restore an uninfected version of your site, and then request a review, which makes the whole process a little shorter.

Step#6: Always perform a forensic analysis

Performing a post-hack analysis of your site will help you see the different openings for attacks that hackers find. If you’ve used a good malware scanner and cleaner, this should be easy. Finding these vulnerable points and hardening them will make your website a little less penetrable.


It’s never easy knowing that your website contains malware and could be a risk to your visitors. It also results in a loss of reputation. But getting to the root of the problem and eliminating malware can help keep you and your website’s visitors safe.

One of the most powerful ways to make your website more search engine friendly is to use a site map. But what are site maps, and how do you create one for your site?

What is a site map, and why is it important?

Search engines like Google, Bing, and Yahoo crawl through the contents of a WordPress site in order to index all the data present on the site. They use different mechanisms to identify different pages/URLs on the website. One of the most powerful ways for crawlers to index your WordPress site is through site maps (or sitemaps).

Having an XML site map on your WordPress site makes it easier for search engines to crawl it.

A site map is a document that contains a list of URLs of all the pages in your website. When you use site maps on your website, as the website owner, you’re telling search engines what content is present on your site and where to find it. This makes the job of search engines easier and ensures that they don’t miss any pages on your site, even by mistake.

Why XML site maps are important

Site maps are of different types, of which the XML site map is the one that search engines look for while crawling your site.

sitemap.xml files are the polar opposite of robots.txt files. While a robots.txt file is a URL exclusion protocol that tells web crawlers and bots not to crawl the pages listed in the file, a sitemap.xml file is a URL inclusion protocol. An XML site map should be stored in your root WordPress directory so that search engines can locate and access it with ease.

Types of XML site maps

There are many types of XML site maps you can create to provide search engines and users with more information about your website. Some of them are discussed below.

  • Image site maps: As the name suggests, image site maps are site maps that include a list of all the images on your website.
  • News site maps: These site maps contain a list of all the news published on your site.
  • Video site maps: Video site maps contain an index of all the videos posted on your website.
  • Mobile site maps: These site maps list only those URLs that serve mobile web content.

The format of a URL XML site map

A site map, in addition to web page URLs, contains some additional information such as the date on which a page was last modified; how frequently a page is likely to be changed, modified or updated; and how important a page is with respect to other pages on the same website. A typical URL entry in a sitemap.xml file looks like this:

<url>
    <loc>http://www.yourwebsitename.com/home/</loc>
    <lastmod>yyyy-mm-dd</lastmod>
    <changefreq>daily</changefreq>
    <priority>0.5</priority>
</url>

Here, the <loc> element states the web page URL. The <lastmod> element states the date on which the page was last modified. The date should be given in W3C Datetime format, as shown in the above example. The <changefreq> element states how often the page may change. The options that can be given here are always, hourly, daily, weekly, monthly, yearly, or never. Lastly, the <priority> element states how important the page is when compared to other pages on your website. Valid values for this range from 0.0 to 1.0, the default value being 0.5.
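As an added example (not code from the article or from any of the plugins it names), here is a small PHP generator that writes a sitemap.xml with exactly the four fields described above and refuses entries that break the format’s rules; the page list is constructed, and yourwebsitename.com is the article’s placeholder domain.

```php
<?php
// Added example: builds a sitemap.xml from a constructed list of pages,
// enforcing the constraints the sitemap format puts on each <url> entry.

// Only these values are valid for <changefreq>.
const CHANGEFREQ_VALUES = ['always', 'hourly', 'daily', 'weekly', 'monthly', 'yearly', 'never'];

function sitemap_url_entry(string $loc, DateTimeInterface $lastmod, string $changefreq, float $priority): string
{
    if (!filter_var($loc, FILTER_VALIDATE_URL)) {
        throw new InvalidArgumentException("Not a valid URL: $loc");
    }
    if (!in_array($changefreq, CHANGEFREQ_VALUES, true)) {
        throw new InvalidArgumentException("Invalid changefreq: $changefreq");
    }
    if ($priority < 0.0 || $priority > 1.0) {
        throw new InvalidArgumentException('priority must be between 0.0 and 1.0');
    }
    // W3C Datetime: the date-only form yyyy-mm-dd is enough for <lastmod>.
    $date = $lastmod->format('Y-m-d');
    // The URL lives inside XML, so &, <, > and quotes must be entity-escaped
    // or the file stops being well-formed (and crawlers reject it).
    $escaped = htmlspecialchars($loc, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return "  <url>\n"
         . "    <loc>$escaped</loc>\n"
         . "    <lastmod>$date</lastmod>\n"
         . "    <changefreq>$changefreq</changefreq>\n"
         . "    <priority>" . number_format($priority, 1, '.', '') . "</priority>\n"
         . "  </url>\n";
}

function build_sitemap(array $pages): string
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
         . "<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">\n";
    foreach ($pages as $page) {
        $xml .= sitemap_url_entry($page['loc'], $page['lastmod'], $page['changefreq'], $page['priority']);
    }
    return $xml . "</urlset>\n";
}

// Constructed sample pages; the second URL shows why escaping matters (& in a query string).
$pages = [
    ['loc' => 'http://www.yourwebsitename.com/home/',
     'lastmod' => new DateTimeImmutable('2016-08-01'), 'changefreq' => 'daily', 'priority' => 0.5],
    ['loc' => 'http://www.yourwebsitename.com/blog/?cat=news&page=2',
     'lastmod' => new DateTimeImmutable('2016-07-15'), 'changefreq' => 'weekly', 'priority' => 0.8],
];

// Assumes the script is run from the WordPress root, where the article says the file belongs.
file_put_contents(__DIR__ . '/sitemap.xml', build_sitemap($pages));
```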

Creating an XML site map for your WordPress Site

If you have a WordPress site with lots of web pages to index, it might seem like a daunting task to create a site map for your site. But it isn’t, so don’t worry. You can automatically generate a site map for your WordPress site using a site map generator like XML-Sitemaps. Once a site map is generated, you can upload it to your WordPress root directory. Alternatively, you could use WordPress site map plugins like WordPress SEO by Yoast and Google XML Sitemaps to generate a site map for your website. These plugins will also notify all major search engines about new content on your site every time you create a post.

Once you’ve generated an XML site map for your site, you can submit the sitemap.xml file directly to search engines like Google and Bing via the Google Webmaster tools and Bing Webmaster tools respectively. Alternatively, you can use the following directive to specify the path to your site map anywhere in your robots.txt file:

Sitemap: http://www.yourwebsitename.com/sitemap.xml

This is sure to have a positive impact on your search engine rankings. So what are you waiting for? Get started with your website site map already!

Having your very own website used to be something reserved for developers once upon a time. All that changed with WordPress, and for the better.
But it’s never over.

Whether you run a small blog with a loyal following or a big ecommerce window, your website is an integral part of your life. It represents your passions and reflects your abilities.

Maintaining a WordPress site is a lot of work

Being hacked takes away from you the power to share your best with your readers or customers. In some cases, the damage to your site may be too deep for you to get your site back up with all the data.

And the worst part is that it looks like a senseless act, especially when your website has no information worth stealing.

This is why we’ve compiled a list that we hope gives you, as a site owner, some insight into why hackers hack your site, how hacks cause so much damage, and some common attacks along with real-world examples of those attacks.

Why hackers hack your site

While some hacks are aimed at gaining information from your site, most attacks aim to gain access to your hosting and database servers. Once accessed, the files on your website’s server could yield anything from sensitive information to unlimited access.

Where vulnerabilities are found and how to protect your website

Most vulnerabilities are found in plugins and themes. Keeping them up to date, or deleting ones that you don’t use, is one way you can protect your website and server.
There are other ways you can keep your website safe though. We’ll talk about them in another post.

The types of hacks

Knowing the kinds of attacks out there, and which parts of your site design you have to pay more attention to, helps you understand how to stay more secure. However, hacks happen in a number of ways and can be difficult to categorize and understand.

That’s what this two-part series is aimed at helping with. We’ve tried to present a lot of information, in a format that is easy to understand. Hopefully it helps even those of us who aren’t very fluent in code.

In this part, we’re going to talk about:

  1. Arbitrary/Remote Code Execution (one of the most powerful ways to take control of a site)
  2. File Inclusion:
    1. Remote File Inclusion
    2. Local File Inclusion
  3. Injection attacks:
    1. SQL Injection attacks
    2. Cross-Site Scripting (XSS) attacks
  4. Backdoors (remember this: it’s how websites keep getting reinfected)

Now that we’ve got all of that out of the way, let’s get down to business.

  1. Arbitrary / Remote Code Execution attacks

    In an ideal scenario, only trusted code associated with your WordPress site can be run on your site/server. The Arbitrary Code Execution (or Remote Code Execution) exploit though, allows hackers to run unauthorized code on your server. Arbitrary Code Execution is dangerous because it allows attackers to take complete control over the website, or the server it’s hosted on, or both.

    How the attack works

    Attackers first need to get executable code onto your website. Vulnerabilities on your website, like the ones that allow File Inclusion (more on this below), let them do this. They then run it on your server remotely.

    A real-world example of an attack exploiting the Arbitrary / Remote Code Execution vulnerability

    Vulnerability: Arbitrary Code Execution
    Locations and version(s) with vulnerability: WP Super Cache <= v 1.2; W3 Total Cache <= v 0.9.2.8
    Current version(s): WP Super Cache v 1.4.8; W3 Total Cache v 0.9.4.1

    WP Super Cache and W3 Total Cache are both plugins designed to cache dynamic WordPress pages in order to reduce the sites’ load times for visitors. Plugins like these sometimes use special tags to differentiate static content from dynamic content. Dynamic content is executed on the server.
    The problem was that WP Super Cache and W3 Total Cache had vulnerabilities that could be exploited when websites using them also had comment fields. These vulnerabilities allowed a website’s visitors to post comments with (dynamic) PHP code inside the special tags.
    Since these special tags were executable, attackers used them to run arbitrary commands, knowing that the plugins would execute them. As a result, the comments would return whatever information the attacker requested.

    Note: The next few sections will use the terms ‘remote’ and ‘local’. The best way to explain these terms would be with reference to the hosting server.
    You see, a hosting server is a lot like your computer.

    • Anything on the computer/ hosting server is local (like a local file, folder, or drive).
    • Anything from outside the computer/ hosting server (like an external hard disk), would be remote.

    2. File Inclusion attacks

    a. Remote File Inclusion attacks

    Most of the time, attackers need to ‘include’ a hack file on your website’s hosting server before they run it. If the vulnerability on your site allows the file to be included from a ‘remote’ location, it’s called Remote File Inclusion.

    How the attack works

    Remote File Inclusion is a type of vulnerability that allows an attacker to make your website include a remote file, which usually consists of executable code (PHP files are an example). Once your website processes the request and includes the file on your server, the attacker executes the code remotely. (This is why we explained Arbitrary Code Execution first.)
    Once the attacker does this, depending on what the included file was created to do, it can cause data-theft, or other serious damage to your site.

    A Real-World Example of an attack exploiting the Remote File Inclusion vulnerability

    Vulnerability: Remote File Inclusion
    Locations and version(s) with vulnerability: TimThumb v 1.10 to 2.0
    Current version(s): The developer of TimThumb no longer supports or maintains the plugin

    Attackers exploited a vulnerability in the TimThumb plugin to first perform Remote File Inclusion, and then Arbitrary Code Execution. Even though the vulnerability was patched in version 2.0, this plugin was so widely used that it caused millions of sites to be hacked. Even today, we see hacks because of it.
    TimThumb let users import images from image-hosting websites (like flickr.com and imgur.com) and edit them on the fly, especially to make thumbnails. The plugin had a list of trusted websites, and only URLs that came from those websites were accepted. This process of allowing access based on a list is called ‘whitelisting’.
    The problem with TimThumb, though, was that it didn’t check the actual source of the file; it only checked whether the URL looked like it came from a trusted website.

    Here’s a brief explanation of what the plugin did:

    How TimThumb's vulnerability was exploited and used for Arbitrary Code Execution

    Once the plugin accepted URLs that linked to an executable PHP hack file, the file got included remotely on the website’s server. Attackers could then run it, and cause massive damage.
    *Disclaimer: None of the URLs or file names in the example are real; they’re only used to illustrate the example.

    b. Local File Inclusion attacks

    The Local File Inclusion vulnerability is somewhat similar to Remote File Inclusion, except that it includes ‘local’ files. Attackers could also use this kind of file inclusion as a prelude to executing Arbitrary Code.

    How the attack works

    This vulnerability allows attackers to access files on the hosting server, that aren’t typically available to the regular visitor. Such files can be used to get admin access, steal confidential data etc.

    Let’s say your site allows users to access website files through URL parameters. This is one bad way to have coded your site:

    <?php include($_GET['file']); ?>

    The logic behind this command is bad: the user can enter any filename into the URL parameter. If your WordPress site has a file with this name, it’ll get included and executed.

    Since our bad code is including files without validation, an attacker can use it to access sensitive files (like the passwd file):

    http://example.com?file=../../../../etc/passwd

    Attacks that employ exploits like these are called Local File Inclusion attacks.
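    As an added example (not code from the article), here is the vulnerable include() from above beside one way to harden it: the URL parameter is only ever used as a key into a fixed allowlist, so ‘../’ sequences, absolute paths and remote URLs never reach include(). The page names and paths are hypothetical.

```php
<?php
// Added example: the article's vulnerable include() and a hardened replacement.

// Vulnerable: whatever the visitor puts in ?file= is passed straight to include().
// include($_GET['file']);

// Hardened: map the short names a URL may use to the files that may be included.
// Anything not in the map is rejected before include() is reached.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        // Rejected values are worth logging: a stream of "../" names is an
        // early sign that someone is probing the parameter.
        error_log('Rejected file parameter: ' . substr($name, 0, 200));
        return null;
    }
    $base = realpath(__DIR__);
    $path = realpath(__DIR__ . '/' . ALLOWED_PAGES[$name]);
    // Belt and braces: even an allowlisted entry must resolve to an existing
    // file inside this directory. realpath() returns false for a missing file
    // and collapses any ".." that might have crept into the map.
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['file'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```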

    A real-world example of attacks exploiting the Local File Inclusion vulnerability

    Vulnerability: Local File Inclusion
    Location and version(s) with vulnerability: Ultimate Member < v 1.3.64
    Current version(s): Ultimate Member v 1.3.68

    Ultimate Member is a WordPress plugin that makes it possible for visitors to your site to sign up and create user profiles. The plugin exhibited a vulnerability in July this year, when it incorporated user-supplied input in the ‘page’ parameter without proper validation. This allowed anyone who had access to the membership form to retrieve some sensitive information from local WordPress PHP files.

    3. Injection attacks

    All websites require user input, whether it’s for logging in, or even just to go to the next page through a click. When a website allows visitors to enter input, hackers can introduce code to attack the website, or its server. Exploits that follow this method are known as Injection attacks.

    There are many different kinds of Injection attacks, but a couple of the most rampant ones include SQL injection (which allows access to your website’s database through MySQL commands or queries), and Cross-Site Scripting.

    a. SQL Injection attacks

    This Injection attack exploits text fields that accept user input. The reason this attack is so dangerous is that SQL commands could be used to add, modify or delete data in your WordPress database.

    How the attack works

    Every one of us has seen the WordPress login page: you enter your username and password to access the dashboard.

    Suppose your username is ‘admin’, and you enter it in the login form.

    (Just to be clear: if your username in real life is actually ‘admin’, we recommend that you change it immediately for security reasons).

    This input is then looked up in the database to check if such a user exists. The thing is, instead of a valid username, you could also input some SQL code.

    Now if, for some reason the website directly used the dangerous SQL while looking up the user, the site could be exploited. Fortunately, core WordPress takes extreme care to make sure that user inputs are sanitized before being used while accessing the database. Various themes and plugins, however, sometimes don’t validate input, thus leading to an exploit.

    One of our favorite comic strips from xkcd.com
    Image credit: https://xkcd.com/327/

    Again, the modifications that could be made to your database are innumerable, and the results depend on what is modified. Here are a couple of generic examples of how an attacker could carry out SQL injection, and why it would be dangerous:

    SQL_2_
    Here’s another example of SQL injection (this time in code)… Suppose we input ‘admin’ in the following code:

    SQL_3_

    The following code would be executed:

    SQL_4_

    So just imagine what would happen if you entered:

    SQL_5_

    (cue: violin screech from Psycho)

    This goes to show you need to have a lot of checkpoints to make sure your plugins are safe. You can never be sure enough.

    *Disclaimer: Again, code in the example above isn’t something you could execute. It’s just there for illustrative purposes.

    A couple of real-world examples of attacks exploiting the SQL injection vulnerability:

    Vulnerability: SQL Injection
    Locations and version(s) with vulnerability: Booking Calendar v 6.2; Yoast SEO < v 1.7.3.3
    Current version(s): Booking Calendar v 6.2.2; Yoast SEO v 3.4.1

    1. Booking Calendar is a WordPress plugin used for making online reservations based on availability. Unfortunately, just a couple of days ago, an SQL injection vulnerability was discovered in this plugin. The vulnerability allowed an attacker to view data from the website’s database. Fortunately, the vulnerability was revealed to the developers of the plugin before anyone else, and they fixed it in an update.
    Note: If you’ve got this plugin installed in a theme, or it’s on your website as a standalone plugin, we ask that you update it immediately.

    2. Yoast SEO is one of the most popular SEO plugins for WordPress with over a million installs.
    Versions before 1.7.3.3 had an SQL injection vulnerability. This issue existed in spite of the plugin actually taking measures to protect against SQL injection. This was because the authors of the plugin relied on a WordPress function called ‘esc_sql()’, which left a doorway open for the vulnerability. So the plugin wasn’t foolproof.
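    As an added example (not the article’s code, nor code from either plugin), here is the ‘admin’ login lookup from the code example above in three forms: the vulnerable concatenation, an esc_sql()-only version that is still injectable where the value is not inside quotes, and the $wpdb->prepare() form. $wpdb, esc_sql() and prepare() are WordPress’ own API; the function names are hypothetical.

```php
<?php
// Added example: three ways of looking up a user in the WordPress database.

// 1. Vulnerable: the username is pasted straight into the SQL text, so input
//    containing a quote changes the query instead of being compared as data.
function find_user_unsafe(string $login)
{
    global $wpdb;
    return $wpdb->get_var("SELECT ID FROM {$wpdb->users} WHERE user_login = '$login'");
}

// 2. Partial: esc_sql() escapes quotes, which protects a value placed inside
//    quotes. It does nothing for a value used as an identifier or keyword,
//    such as an ORDER BY column, so this sort order remains injectable even
//    though the code "uses escaping".
function list_users_ordered_unsafe(string $orderby)
{
    global $wpdb;
    $orderby = esc_sql($orderby);
    return $wpdb->get_results("SELECT ID, user_login FROM {$wpdb->users} ORDER BY $orderby");
}

// 3. Safe: prepare() binds the value with a %s placeholder, so it is always
//    treated as data no matter what characters it contains.
function find_user_safe(string $login)
{
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare("SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login)
    );
}

// Placeholders cannot stand in for column names, so an identifier taken from
// the request is checked against an allowlist instead of being escaped.
function list_users_ordered_safe(string $orderby)
{
    global $wpdb;
    $allowed = ['ID', 'user_login', 'user_registered'];
    if (!in_array($orderby, $allowed, true)) {
        $orderby = 'ID';
    }
    return $wpdb->get_results("SELECT ID, user_login FROM {$wpdb->users} ORDER BY $orderby");
}
```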

    b. Cross-Site Scripting (also known as XSS)

    Cross-site scripting usually affects web applications, when user inputs are directly included as part of web pages.

    How the attack works

    Web browsers usually have a set of rules to make sure they’re safe from attacks like Cross-Site Scripting. Those that don’t have such rules in place, though, have vulnerabilities that allow hackers to inject malicious JavaScript.
    This means that if you’re an admin of a WordPress site, attackers could use XSS to get access to your cookies or login information, or even just change the content on your site, without you even knowing it. Your site’s visitors seeing that page via a vulnerable browser would get affected too.

    A real-world example of an attack exploiting the Cross-Site Scripting vulnerability

    Vulnerability: Cross-Site Scripting
    Location and version(s) with vulnerability: Jetpack v 3.0
    Current version(s): Jetpack v 4.1.1

    Jetpack, again one of the most popular WordPress plugins available, offers WordPress.org users the ease-of-use that WordPress.com users enjoy.
    Jetpack version 3.0 had a vulnerability that allowed attackers to send WordPress admins a link, that would execute malicious JavaScript.
    More recently though, the Jetpack plugin had another XSS vulnerability, that was patched in version 4.0.3.
    See, the plugin analyzed HTML code looking for things like video links that it could embed in the page automatically.
    Unfortunately, the plugin didn’t check if video links were also surrounded by malicious HTML tags. The vulnerability allowed an attacker to include executable, malicious JavaScript in the comment section. This script ran in the browsers of those visiting the site, as well as the site owners.
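    As an added example (not code from the article or from Jetpack), here is a comment being rendered the vulnerable way beside two safe ways: wp_kses() keeps a link but strips every other tag, event-handler attribute and disallowed URL scheme, and esc_html() neutralises all markup. wp_kses() and esc_html() are WordPress’ own functions; the rendering functions are hypothetical.

```php
<?php
// Added example: rendering user-submitted comment text.

function render_comment_unsafe(string $comment): string
{
    // Vulnerable: the comment is placed in the page exactly as submitted, so
    // any <script> or on* attribute inside it runs in every visitor's browser.
    return "<div class=\"comment\">$comment</div>";
}

function render_comment_safe(string $comment): string
{
    // Only these tags and attributes survive. wp_kses() removes everything
    // else, including script tags, onclick-style attributes, and href values
    // whose scheme is not in WordPress' allowed-protocols list.
    $allowed = [
        'a'      => ['href' => true, 'title' => true],
        'em'     => [],
        'strong' => [],
    ];
    return '<div class="comment">' . wp_kses($comment, $allowed) . '</div>';
}

function render_plain_text_safe(string $text): string
{
    // When no markup is wanted at all, esc_html() turns <, >, & and quotes
    // into entities so the browser displays them instead of interpreting them.
    return '<p>' . esc_html($text) . '</p>';
}
```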

    4. Backdoors

    If you’ve detected hacks on your website, and have painstakingly gotten them removed, you’d understandably be perplexed when the site is hacked again. The thing is, hackers often leave a bit of malicious code hidden in another part of your website that allows them to re-enter and reinfect your site again and again. This is obviously why it’s called a ‘backdoor’.

    How the attack works

    Backdoors are sneaky little vulnerabilities. Most of the time, hackers use other vulnerabilities to launch one kind of attack. Once they get access to the website, they immediately plant an infected file in an inconspicuous folder, completely different from where the original attack started. The file never links to any URL, whether on your website or off, and never calls attention to itself. In fact, one of the only ways to find it is if the admin of the website combs through the site’s file system. This makes it extremely hard to detect, even by malware scanners. However, since the hacker knows exactly where the file is, he or she can access and execute it to override any admin functions.

    One specific, yet highly popular backdoor, is the ‘Filesman’. Filesman is feature-rich, so it can do a variety of things, including giving complete access to everything on your site.
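    As an added example (not code from the article or from BlogVault), here is a read-only sweep of a WordPress tree for the traits described above: code that evaluates a decoded payload, the ‘FilesMan’ string the article mentions, request parameters used as function names, and PHP files sitting in the uploads directory. The patterns are constructed heuristics, so a hit is a lead for manual review, not proof of compromise.

```php
<?php
// Added example: a read-only scan for common backdoor traits.
// Run it from outside the WordPress tree (php scan.php /path/to/wordpress):
// this file contains the patterns it searches for and would flag itself.

const SUSPICIOUS_PATTERNS = [
    'eval over decoded payload'          => '/\beval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(/i',
    'FilesMan marker'                    => '/FilesMan/',
    'request parameter called as a function' => '/\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(/',
];

const PHP_EXTENSIONS = ['php', 'phtml', 'php5', 'inc'];

function scan_for_backdoors(string $root): array
{
    $findings = [];
    $uploads  = 'wp-content' . DIRECTORY_SEPARATOR . 'uploads' . DIRECTORY_SEPARATOR;
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());
        if (!in_array($ext, PHP_EXTENSIONS, true)) {
            continue;
        }
        // The uploads directory holds media; PHP there is abnormal on its own.
        if (strpos($path, $uploads) !== false) {
            $findings[] = [$path, 'PHP file in uploads directory'];
        }
        $source = @file_get_contents($path);
        if ($source === false) {
            continue;
        }
        foreach (SUSPICIOUS_PATTERNS as $label => $regex) {
            if (preg_match($regex, $source)) {
                $findings[] = [$path, $label];
            }
        }
    }
    return $findings;
}

foreach (scan_for_backdoors($argv[1] ?? '.') as [$path, $why]) {
    printf("%s: %s\n", $path, $why);
}
```

    Anything it reports should be compared against a known-good copy of the plugin or theme (or the backup from Step#5 above) before it is deleted.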

    With a vulnerability like the Backdoor, it’s important to keep deleting plugins and themes that you’re not using.

    It’s easy to ignore the notification on your WordPress admin dashboard that says you have a bunch of plugins to update, but your WordPress site’s security relies heavily on it.


    As you can see, finding hacks and getting rid of them can be a ridiculously tedious affair. Most efficient hack-scanning and cleaning systems available require technical assistance. And if you take time-zones into consideration, removal could take about 12 hours or so.

    This is why the team behind BlogVault built an automated, one-click hack-detecting and cleaning system, that requires no technical assistance. Click here to check out the free trial!

    We hope this list of vulnerabilities and exploits helped you. Let us know what you thought of it in the comments!

In an earlier article, we spoke about password protecting wp-login.php with HTTP authentication. There, we came up with this amazing analogy that if your WordPress were a house, HTTP authentication would be a fence to it. Now, imagine deploying a guard at your fence door to further secure your house (your WordPress site). This guard would check the ID (read IP address) of every visitor and allow (or deny) a selected few.


In this article, we’ll teach you how to provide restricted access through the fence door to only select IP addresses. Of course, for this to work, your internet connection needs to have a static IP address first. If you aren’t sure what your IP address is, you can always Google ‘IP address’.

How to Restrict Access by IP to your wp-admin Directory

To begin with, download the .htaccess file from your wp-admin directory using a third-party FTP client like FileZilla. In case there isn’t already an .htaccess file in your wp-admin directory, go ahead and create a new one. Then, add the following lines at the end of your .htaccess file:

order deny,allow
allow from your.IP.address
deny from all

The above directive allows only a single IP address to access your admin dashboard. This will apply in case you solely access your WordPress dashboard from a single location. In the given example, you need to mention your IP address in place of ‘your.IP.address’.

Now, if you access your dashboard from multiple locations, you’ll need to list out all those IP addresses in the directive. For this, you’ll need to mention individual IP addresses in individual ‘allow from’ lines as shown below:

order deny,allow
allow from your.IP.address.1
allow from your.IP.address.2
allow from your.IP.address.3
deny from all

Blocking Specific IP Addresses

A large share of attacks comes from specific regions or sets of IP addresses. To block these at the .htaccess level itself, add the following lines to your .htaccess file. Note the order: with ‘order allow,deny’ Apache evaluates the Allow rules first and then the Deny rules, and a host that matches both is denied, which is exactly what a block list needs (with ‘order deny,allow’ the ‘allow from all’ line would win and the Deny lines would have no effect):

order allow,deny
allow from all
deny from IP.address.1
deny from IP.address.2

Mention the IP addresses you wish to blacklist in place of ‘IP.address.1’ and ‘IP.address.2’. If the blocked IP addresses try to access your dashboard, they’ll get a default ‘403 Forbidden’ error message.

403 error ip address ban

Once you’re done, save the changes and upload the .htaccess file back to the wp-admin directory. In case you make such a change to the .htaccess file in the root directory of your WordPress, all website visitors, apart from you, will receive the ‘403 Forbidden’ error message. Therefore, be sure to make the changes to the .htaccess file in the wp-admin directory of your WordPress alone.

Fixing the Admin Ajax Issue

Limiting access to wp-admin by IP address tends to break front-end Ajax functionality, because plugins call wp-admin/admin-ajax.php from the public side of the site, and those requests arrive from your visitors’ IP addresses. Therefore, if any of your plugins use Ajax on the front end, add the following block to the .htaccess file in your wp-admin directory so that admin-ajax.php stays reachable:

<Files admin-ajax.php>
order allow,deny
allow from all
satisfy any
</Files>

For increased security, it is always advisable to use the method discussed above for limiting access via IP address in conjunction with password protection. Also, your IP address will change if you change your internet service provider. So don’t forget to update your .htaccess file in such a case.
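As an added check (example code, not BlogVault’s): a small Python model of how Apache evaluates ‘order’, ‘allow from’ and ‘deny from’ (mod_authz_host in Apache 2.2; in Apache 2.4 these directives need mod_access_compat, the native form being ‘Require ip’), so you can test what a block does to a given client address before uploading it, and catch a block list that can never block. The IP addresses are constructed documentation addresses.

```python
"""Model of Apache's Order/Allow/Deny evaluation. Constructed example, not
BlogVault's code: check an .htaccess block against a client IP before
uploading it, and flag the block-list pitfall."""
import ipaddress


def parse_rules(text):
    """Collect 'order', 'allow from' and 'deny from' lines (case-insensitive)."""
    order, allows, denies = "deny,allow", [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif kw in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if kw == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def _matches(host, client):
    """Supports 'all', a single address or a CIDR network (not Apache's partial-IP form)."""
    if host.lower() == "all":
        return True
    return client in ipaddress.ip_network(host, strict=False)


def is_allowed(text, client_ip):
    """Apache's documented semantics:
    deny,allow: Deny rules first, then Allow; a host matching both is ALLOWED,
                a host matching neither is allowed.
    allow,deny: Allow rules first, then Deny; a host matching both is DENIED,
                a host matching neither is denied."""
    order, allows, denies = parse_rules(text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(h, client) for h in allows)
    denied = any(_matches(h, client) for h in denies)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported order: {order}")


def lint(text):
    """Return human-readable problems: a block list that cannot block, or an
    allow,deny block with no Allow line (locks everyone out)."""
    order, allows, denies = parse_rules(text)
    problems = []
    if order == "deny,allow" and denies and any(a.lower() == "all" for a in allows):
        problems.append("order deny,allow with 'allow from all': the Deny lines never take effect; use 'order allow,deny'")
    if order == "allow,deny" and not allows:
        problems.append("order allow,deny without any 'allow from': every client is denied")
    return problems


# Constructed sample blocks. 203.0.113.10 stands in for the administrator's address,
# 198.51.100.7 for an address to be blocked.
ALLOWLIST = """order deny,allow
allow from 203.0.113.10
deny from all
"""
BROKEN_BLOCKLIST = """order deny,allow
deny from 198.51.100.7
allow from all
"""
BLOCKLIST = """order allow,deny
allow from all
deny from 198.51.100.7
"""

if __name__ == "__main__":
    print("allowlist, admin:", is_allowed(ALLOWLIST, "203.0.113.10"))
    print("allowlist, other:", is_allowed(ALLOWLIST, "198.51.100.7"))
    print("broken blocklist, blocked host still gets in:", is_allowed(BROKEN_BLOCKLIST, "198.51.100.7"))
    print("lint:", lint(BROKEN_BLOCKLIST))
    print("fixed blocklist, blocked host:", is_allowed(BLOCKLIST, "198.51.100.7"))
```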

The WordPress admin dashboard can only be accessed by entering your username and password. It is good practice to use a strong password at all times, as this makes it difficult for bots and hackers to break into your admin dashboard. However, the internet has never been a very safe place, and no amount of security is ever enough. Therefore, it’s always good to have as many layers of security as (sanely) possible, to keep hackers at bay.

Password Protect

While login credentials are a robust security measure at the WordPress application level, we can add further security using HTTP Basic Authentication (BA). HTTP BA is the simplest technique for selectively restricting access to your web resources, and it is enforced by the web server rather than by WordPress. But enough nitty-gritty for now; let’s try to understand this with a simple analogy. Imagine your WordPress site to be a house. Although the house’s main door (read login credentials) is a vital part of security, it may not be enough, and you might want to add a fence around your house as an additional security measure. HTTP authentication is one such ‘fence’ for the protection of your WordPress site. Anyone who wants to enter your admin dashboard will first need to go through the HTTP authentication (your fence) and then enter their login credentials (your main door).

To secure your WordPress site with HTTP authentication, you first need to generate a .htpasswd file, where you’ll list all authorised usernames and their respective hashed passwords. Following our analogy, think of this as setting up a door to your fence. You can only use .htpasswd on an Apache server, since .htpasswd is an Apache password file. The good news is that Apache is the most commonly used web server software worldwide, so it is highly probable that your site is running on Apache.

Creating a .htpasswd File

You can use the htpasswd command line tool to create a new .htpasswd file. In your command line, run the following command:

htpasswd -c .htpasswd harini

Here, ‘-c’ stands for ‘create’ and should only be used while creating a new .htpasswd file. ‘harini’ is a case-sensitive username for our HTTP BA. On hitting enter, you’ll be prompted to enter the password you would like to use. By default, the htpasswd tool stores an MD5-based hash of your password rather than the password itself.

htpasswd 01

If you already have an existing .htpasswd file and would just like to add a new username to it, run the following command instead:

htpasswd .htpasswd rahul

htpasswd 02

Note that you don’t use the ‘-c’ switch in this command, since you aren’t creating a new .htpasswd file here.

Each line of a .htpasswd file has the form ‘username:encrypted_password’. For instance, a sample .htpasswd file that contains the users harini and rahul would look like this:

sample .htpasswd file

If you aren’t able to get your hands on the htpasswd tool, you can generate your .htpasswd entry (a username and hashed password pair) using this htpasswd generator. Bear in mind that an online generator sees the password you type into it.

Now that you’ve successfully created the .htpasswd file, you have a lot of flexibility over where to place it. However, it is advisable to store it in a directory that can’t be accessed directly through the web; one good location is one level above the WordPress install directory. This keeps your Apache password file outside the directory tree the web server publishes, so it can’t be downloaded even if your site is misconfigured.

Password Protecting wp-login.php

With the .htpasswd file ready and stored in a safe location, you can now go on to restrict access to your wp-login.php file. For this, you’ll need to specify the following two things in your .htaccess file:

  • which file to restrict
  • where to read the HTTP BA credentials from

Assuming the .htaccess file is in the WordPress install directory, adding the following lines to the file will do this for us:

<Files wp-login.php>
AuthUserFile /path/to/.htpasswd
AuthName "Private access"
AuthType Basic
require valid-user
</Files>

Here, you need to focus on the following two lines:

AuthUserFile /path/to/.htpasswd: Make sure you provide the correct path to your .htpasswd file in place of ‘/path/to/.htpasswd’.

require valid-user: The ‘valid-user’ keyword tells Apache to give any user listed in the .htpasswd file access to the wp-login.php file. If you want to grant access to only some of those users, replace ‘valid-user’ with the usernames you’d like to allow. For example, if there are three usernames in the .htpasswd file and you want to grant access to only two of them, say user01 and user02, and not to user03, you’ll use the following require directive:

require user user01 user02

Once you’re done, save the file and upload it to the directory that contains the wp-login.php file. Now, the next time you try to log in to your WordPress dashboard, your browser will prompt for authentication even before the admin login screen is loaded, just like the fence we discussed.

http authentication protect wp-login.php
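As an added example (not BlogVault’s or Apache’s code): what a .htpasswd entry actually contains, what the browser sends after the authentication prompt (base64 of ‘user:password’, not encryption, which is why HTTP BA belongs behind HTTPS), and how ‘require valid-user’ versus ‘require user …’ decides a request. The apr1 routine re-implements the MD5-based ‘$apr1$’ scheme that htpasswd uses by default; the myName/myPassword line is the entry shown in the htpasswd manual, the harini line and its salt are constructed here.

```python
"""Constructed example, not BlogVault's code: htpasswd's default $apr1$ hash,
the 'username:encrypted_password' line format, HTTP Basic credentials, and
the 'require' decision Apache makes for one request."""
import base64
import hashlib
import hmac

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """APR's to64(): emit `count` characters, 6 bits at a time, least-significant first."""
    return "".join(_ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_hash(password: str, salt: str) -> str:
    """Apache's MD5-based password scheme (apr_md5_encode): salted, 1000 rounds."""
    pw, sl = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for n in range(len(pw), 0, -16):          # mix in len(pw) bytes of the alternate sum
        ctx.update(alt[:min(16, n)])
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                      # the slow part, to make guessing costlier
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    enc += _to64(final[11], 2)
    return f"$apr1${sl.decode()}${enc}"


def check_htpasswd_line(line: str, password: str) -> bool:
    """True if `password` matches the $apr1$ entry on one .htpasswd line."""
    _user, stored = line.strip().split(":", 1)
    if not stored.startswith("$apr1$"):
        return False                           # other htpasswd schemes are out of scope here
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def basic_header(user: str, password: str) -> str:
    """The Authorization header the browser sends: plain base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(header: str, htpasswd: str, require: str) -> bool:
    """Decide one request the way the <Files wp-login.php> block does.
    require is 'valid-user' or 'user name1 name2 ...' (the two forms in the text)."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:                         # bad base64 or non-UTF-8 payload
        return False
    entries = {l.split(":", 1)[0]: l for l in htpasswd.splitlines() if ":" in l}
    if user not in entries or not check_htpasswd_line(entries[user], password):
        return False
    words = require.split()
    if words == ["valid-user"]:
        return True
    return words[0] == "user" and user in words[1:]


# Constructed .htpasswd contents: the myName line is the example from the htpasswd
# manual (password 'myPassword'); the harini line is generated here with a fixed salt.
HTPASSWD = ("myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\n"
            "harini:" + apr1_hash("correct horse", "8f0k2pQz") + "\n")

if __name__ == "__main__":
    print(HTPASSWD)
    print(basic_header("harini", "correct horse"))
    print(authorize(basic_header("harini", "correct horse"), HTPASSWD, "user harini rahul"))
```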

You know how they say that insects develop resistance to insecticides over time? Well, that’s sort of how it’s become with passwords these days. Passwords have been used to secure user accounts for such a long time now that they’ve started to lose their effectiveness. Of late, more and more hack attacks have become successful. The need of the hour, therefore, is to put into practice novel methods to strengthen existing authentication processes. In this light, the easiest and most practical thing you can do to further secure your WordPress site is to set up two-factor authentication for your WordPress login.

Two-factor authentication requires users to provide a code sent to them, in addition to their login credentials, in order to log in to the admin dashboard. This way, an extra layer of protection is added to confirm that it’s indeed the user that’s logging into their profile and not someone else who has gained access to their password.

The iThemes Security Pro plugin for WordPress sets up a second verification step for your WordPress login by using Google Authenticator. For using this feature, you’ll have to first install iThemes Security Pro on your WordPress and then download the free Google Authenticator app onto your smartphone. Once that’s done, you’re good to go.

Setting up Two-factor Authentication

Step 1: Enable Two-factor Authentication in iThemes Security Pro

  • Scroll to the two-factor authentication section on the ‘Pro’ tab of the plugin.
  • Here, you’ll find options for time-based OTP (one-time password), email and backup verification codes. In time-based OTP, the secondary code will be generated by an app like Google Authenticator. In the email option, the code will be sent through email once the login credentials are provided. The backup verification codes comprise a set of secondary codes that can be used in the event that access to the primary two-factor provider is lost. These codes expire after use and should be stored in a safe place.
  • It is advisable to enable more than one of these three options by checking the boxes next to them (preferably, all three).
  • Click on ‘Save All Changes’.
  • Once two-factor authentication has been enabled by an administrator, other users can activate it on their individual accounts by editing their profiles.

setup two factor authentication 01

Activate by Editing Individual User Profile

  • Click on the ‘Your Profile’ option found under ‘Users’ on your WordPress dashboard and scroll down to ‘Two-factor Authentication Options’.
  • Here, you’ll find the list of authentication code providers.
  • Enable ‘Time-Based One-Time Password (TOTP)’ and make it your primary provider of two-factor authentication.
  • It is advisable to enable either one or both of the remaining options for backup, in case you lose access to your primary two-factor provider.

Now all that’s left is to set up your site in the Google Authenticator app. For this, you’ll require the QR code and secret key that appear on clicking ‘View Time-Based One-Time Password Configuration Details’.

setup two factor authentication 02

Step 2: Add your WordPress Site to the Google Authenticator App

  • Open the Google Authenticator app on your phone.
  • To set up the app on your phone, click on ‘Begin setup’.
  • You’ll then be given two options regarding how you want to add your WordPress site to the app: Scan Barcode and Manual Entry.
    • If you choose ‘Scan Barcode’, a QR code scanner will appear on your screen. Remember the QR code we spoke about earlier? The one on your WordPress profile page? Scan that QR code by pointing your phone’s camera at your computer screen.
    • If you choose ‘Manual Entry’, you’ll be asked for the ‘secret key’ mentioned on your WordPress profile page. Enter the key, and you’re good to go.
  • Once the QR code or secret key is recognized by the Google Authenticator app, your WordPress site will automatically be added to the app.

The Google Authenticator app will now start to continually generate 6-digit tokens – your authentication codes. Each generated token/code will hold good for 30 seconds, until the next token/code is generated.

In case you temporarily lose access to your primary two-factor code provider – say because you don’t have your phone with you at the moment, but desperately want to log in to your WordPress dashboard nonetheless – you can always use a backup provider to log in to your account. However, in the event that you lose your phone and want to disable two-factor authentication completely, any of your WordPress administrators can do it for you. All they need to do is turn the feature off on your user profile. This will override and disable two-factor authentication for your user account. It should be noted here that administrators can only disable the feature for a user, not enable it.

Two-factor authentication can also be enabled for WordPress using other plugins like Duo Two-factor Authentication, Clef Two-factor Authentication, and Rublon. Learn more about using these other WordPress plugins here.

If you love to travel, you will want to have a travel blog at some point. It can help you in the following ways:

  • You can connect with like-minded travellers and even find some company for the next trip
  • You can journal all your travel experiences and photographs in one place to share with family and friends
  • You can even make some extra money with your blog! Or try to find sponsors for your next trip!

These are just some of the reasons to have a travel blog, there could be endless reasons!

Here is a quick and easy guide on how to set up a travel blog using WordPress. WordPress is a powerful medium for a travel blog, as it supports features that let you seamlessly share photographs and videos and include maps on your website. The basics of setting up a website using WordPress have been discussed in the article “Setting up a WordPress site from scratch”. Once you have your blog up and running, you will need some of the following essentials to turn it into a fabulous travel blog.

Themes and other customizations – First and foremost, your blog needs to look good to attract readers. Visual appeal can be the most powerful factor in generating traffic for your blog. Fortunately, you do not need to spend too much time or effort on web design. There are various themes (both free and paid) available in WordPress to customize your travel blog and improve its appearance. Themes can be accessed from the Appearance menu of your dashboard. As a start, you can search for a travel-based theme and apply it to your blog.

travel_themes

Your blog can be further customized with the various options under the “Appearance” menu. You can choose the colour scheme, header images, menu and sidebar layout, etc.

Adding maps to your site or posts – Let us consider the following scenarios.

  1. You are just back from a grand tour of a major region like the USA or Europe and have covered a lot of places. Wouldn’t it be great if you could mark all these places on a map and show them to your readers in one shot?
  2. You are trying to create a travel wish list and would like to mark places that you want to visit in the near future. A map with these markers would surely grab the attention of readers and they would want to explore your blog.

Again, adding a map to your blog, whether in a post, a page or a widget, is very easy. There are various plugins for this purpose. A map also makes your blog instantly look better! Let’s see that below.

adding_maps

Adding photos to your blog

Once you have a nice travel story to tell, you will want to highlight it with some great pictures. A good picture can turn an ordinary blog post into an extraordinary one. Or if you just have a few words to say, you can add more pictures to your post. Or just have pictures in a post and let them do all the talking! The choice is yours.

Photos can be added to your travel blog in several ways. The simplest thing to do is to upload the relevant photos to your post or page using the “Add Media” option on your “New Page” or “New Post”. You can upload files from your PC. This could be cumbersome if you have too many photos to upload, or if you want to showcase a gallery on your blog. Also the pictures can take up too much of storage space. An alternate solution is to add photos from your Flickr account or Google plus account onto your blog. There are several plugins for this purpose.

This is how a photo gallery would look on your blog! The reader can see the thumbnails and even click on them for larger images. Different plugins offer different features and display options for your photos.

gallery_in_blog

Adding videos to your blog – When you have a travel blog, it would be great to add some videos as well. Imagine that you did some adrenaline rushing adventure sport like bungee jumping in New Zealand. Words cannot describe how you felt during the jump. But you have a short video clip that could do wonders to explain the adventure ! Or you just travelled through some really scenic rail route in Switzerland and you have several videos capturing the change of landscape and scenery. Your blog would be more meaningful with these video clips added to the posts in addition to photographs.

While videos can be uploaded to your blog, it is recommended that you upload your videos to one of the popular services like YouTube and embed the video on your blog.

The video can be seen on the blog post as shown in the below example.

video_embedded

Organizing your posts – You can organize your posts into Categories so that they can be browsed and indexed easily. For example, you can have the categories “Beaches”, “Temples” and “Mountains” for your various travel destinations and experiences.

You can add a New Category from the Categories option under the Posts menu. You can create hierarchies in the categories as well. In the following example there is a Category called Asia and then India under it. The hierarchy can be specified by choosing the Parent category option.

categories

The categories show up on the sidebar of your blog for easy browsing of posts/articles.

categories2

Some useful plugins for your travel blog

Apart from the plugins discussed above for adding photos, videos and maps on your WordPress site, here are some useful plugins for your blog.

  1. WP smush.it plugin – This plugin compresses and optimizes the images on your WordPress site without losing image quality, so that pages load faster.
  2. Social media icons – There are various social media icon plugins available from the WordPress plugins repository. They help you add icons for Facebook, Twitter, etc. to your blog, which lets readers reach your social media pages with one click.
  3. WordPress related posts – This helps you add related posts as thumbnails at the footer of your posts and increases your internal traffic, as readers get to see more articles of interest to them.
  4. SEO by Yoast – This plugin helps get your blog or website indexed by search engines and rank higher in search results. This has been discussed in detail in an earlier article – WordPress SEO by Yoast.
  5. Jetpack – This plugin provides various features for customization, traffic, mobile, content, and performance tools.
  6. WP to Twitter – This plugin automatically updates your Twitter feed whenever there is a new post.

These are just some tips to get you started on your travel blog, and with WordPress, the options to make your blog interesting and captivating are endless. Do visit wordpress.org for more possible customizations for your purpose.

While you can upload a video and host it on your WordPress site, it is highly recommended that you do not do it. Videos can take up a lot of storage space and also providers like YouTube process the video to provide better quality.

A simpler approach would be to upload the videos to a popular video service provider like YouTube and then embed the video on your WordPress site. You can also embed existing videos in this approach. This article discusses embedding videos from YouTube, but other providers are supported as well.

Embedding YouTube Videos

The simplest way to embed a YouTube video is to paste the URL of the YouTube video into the Visual editor of your post or page. For example, https://www.youtube.com/watch?v=vjnaknNly8c is a video URL; it needs to be pasted on a line by itself. Ensure that there is no other content on that line except the URL, and that the line is not hyperlinked. You can now see a preview of the video in the Visual editor as follows:

adding video

You can add any other text or images and complete the post and publish it. As simple as that!

You can also add a video by using a shortcode as follows. This needs to be pasted on the text editor.

[youtube=https://www.youtube.com/watch?v=IM5geg1KWFI]

videos_shortcode

Again, you can see a preview of the video in the Visual Editor.

Customizing your video

The previous section described how you can embed a video by using a shortcode. You can customize the video display with the shortcode as well. Here are some examples:

– Customizing the size of the video

You can specify the width and/or height of the video (in pixels) with the “w” and “h” parameters, appended to the URL with ‘&’:

[youtube=https://www.youtube.com/watch?v=IM5geg1KWFI&w=320&h=240]

– Customizing the start and/or end time

You can specify the start and/or end time to play the video with the “start” and “end” variables and specify the time in seconds.

[youtube=https://www.youtube.com/watch?v=IM5geg1KWFI&start=75&end=85]

– To hide related videos from appearing after the video is done, use the variable “rel=0”

Videos can be added to the footer or sidebar as well, by pasting the shortcode onto a text widget.

A video can also be embedded in the comments section by simply pasting the URL.

It is also possible to stream a live broadcast on your WordPress site using YouTube or the Google Hangouts on Air feature.


Why do you need a map on your site?

Just imagine the following instances where a map would add value to your website. You run a beautiful holiday home in the countryside, just a short drive from a bustling city. It’s a little way into the forest, with poor phone connectivity! How would visitors reach your holiday home? Having the location marked on a map on your website ensures that people reach your place with less hassle and are ready for a quiet vacation. Or you could be running a business where it’s vital for people to know how to reach your office with ease. Or you could just have a travel blog and want to show your readers where you have been travelling. In fact, maps are a good feature to add to any kind of website, be it a business site or a leisure blog! Let us see some of the ways to add a map to your WordPress site.

Embedding a map to your site manually

It is fairly simple to manually embed a Google map to your website. Visit maps.google.com to open Google maps. Click on the region you want to focus on or type it on the text box to get a region of the map of your interest. Next click on the gear shaped icon on the bottom right corner of the map and select the option – “Share or embed map”.

Share or embed the map

You will then get the following window which provides the html code to embed the map on your site. You can select the size of the map to be embedded as Small, Medium, Large or Custom size.

Embed map tab selected

This HTML code can be used anywhere on your WordPress site to embed the map. You can embed it on a page, post or widget. All you have to do is paste the code into the text portion of a page, post or widget. Here is an example of adding the map to a text widget. To do so, go to the WordPress dashboard, select the Appearance menu and add a new text widget. You can provide a title, copy the code into the text box and save.

Adding the map to a text widget

Now your website has the map on the sidebar as below.

map_widget

This looks good, but you can further enhance your site by adding a custom map. For instance a travel blog would look good with a map having markers for all the places visited. You can even highlight a route. Let us see how we can add a custom map next.

Embed a custom map

Open maps.google.com and click on “My maps” option below the search box.

creating_maps

Next choose the option to “Create a new map”.

create_new_map

You will then get a map which can be customized as per your needs.

new_map

You can add markers by selecting the balloon icon. Add the markers you want and save the map. Click on the “Share” button to make this map Public; only then can you embed the map on your site.

sharing_map

Next, click on the three dots near the “Share” button and select the “Embed on my site” option. You will get the HTML code to copy and paste onto your website as described above.

embed_map

This can be pasted to a page, post or a widget. On adding it to the same text widget described above, the map looks like this now! The markers highlight the cities visited by the author of the travel blog.

map_widget

We just discussed embedding a map manually on your website. There are simpler ways to add a map to your WordPress site by installing plugins. For example, the Google Maps Widget plugin lets you add a Google map as a widget or anywhere else with a shortcode, and the WP Google Maps plugin lets you add a map and customise it. Apart from these two, there are a host of other plugins that support adding a map.


As soon as I was done creating my WordPress site from scratch and migrating my first post from Blogspot to WordPress, I wanted to back up my website using our premium backup service “blogVault”. It’s simple yet effective for an amateur blogger like me. This is what I did!

Sign up for an account

I first signed up for a free trial with blogVault(https://blogvault.net/). When I clicked on “Sign up for free trial” I was taken to a page which mentions the various plans available and the respective pricing. I decided to go with the “Basic” plan and got started. I was presented with the following screen to sign up for an account with blogVault.

Install the blogVault plugin

After account registration I was presented with another screen to install the blogVault plugin to my WordPress site. I had to mention the site URL and the WordPress credentials for automatic installation. There is an option for manual installation too.

Install Plugin

After a few seconds, the plugin installed successfully and I got a welcome mail from blogVault.

Hi,

Thanks for signing up for blogVault, the wordpress backup service.

Your login email id is ********@blogvault.net. You can access your account at:

blogVault Dashboard

I could now see my blogVault Dashboard which looked like this. I noticed that the first Auto Backup started running soon after successful installation!

blogvault dashboard

I also logged on to my WordPress dashboard to check if the plugin had been installed.

blogvault_plugin

Test Restore my website

After the quick setup process, I was really curious to check if my website had been backed up, and the test restore feature turned out to be a quick way to do that. I clicked on Test Restore and the process started as shown below.

test restore


Well, the next logical thing to do would be to access the Test-Restore by clicking on the button and that is what I did! I was pleasantly surprised to see a replica of my website. Voila!

test_restore

As you can see, it was pretty simple and quick to set up a backup for a WordPress site using blogVault, even for a novice like me!