WordPress Safety Tips

Some of the sites I manage have been hacked… again.

Here are some changes I’m making to prevent future hack attempts.

1) Install the “Limit Login Attempts” plugin.

Like its name suggests, this wonderful plugin limits the number of times someone can attempt to log in. If they fail, their IP address is blocked for a set time. You can set the number of attempts to allow, how long the block lasts, and whether you want to be emailed when someone is blocked. The plugin also keeps a log of IP addresses, so you can add them to your blacklist (if you use one), and records the username used in each attempt so you can check with that user if they need assistance.

The main benefit of “Limit Login Attempts” shows when a hacker is brute-forcing your password. Typically the hacker runs a program that tries password after password until one lets it in, and capping the attempts per IP address slows that down enormously. One caveat: a lockout keyed on IP address does much less against an attacker who spreads the guesses across many addresses, so it complements a strong password rather than replacing it.
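To show what a login limiter actually has to hook, here is an added example (not code from the original post or from the Limit Login Attempts plugin) of a minimal per-IP limiter built only from core WordPress hooks and transients. The ll_ prefix, the two limits, the transient key and the lockout message are our own choices; drop it into functions.php or a small plugin.

```php
<?php
/*
 Added example (not code from the original post or from the Limit Login
 Attempts plugin): a minimal per-IP login limiter built only from core
 WordPress hooks and transients. The ll_ prefix, the two limits and the
 transient key below are our own choices.
*/

define( 'LL_MAX_ATTEMPTS', 5 );                         // failures allowed per window
define( 'LL_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS ); // lockout length and counting window

function ll_client_ip() {
    // REMOTE_ADDR is the one address the web server itself vouches for. If the
    // site sits behind Cloudflare or another proxy, restore the real client IP
    // at the web-server level; reading X-Forwarded-For here would let an attacker
    // choose which address gets locked out, or dodge the lockout entirely.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key() {
    return 'll_fail_' . md5( ll_client_ip() );
}

function ll_state() {
    $state = get_transient( ll_key() );
    return is_array( $state ) ? $state : array( 'count' => 0, 'users' => array() );
}

// Count a failure and note which username was tried (never the password).
function ll_on_login_failed( $username, $error = null ) {
    if ( is_wp_error( $error ) && 'll_locked_out' === $error->get_error_code() ) {
        return; // this failure was our own rejection below, not a new guess
    }
    $state = ll_state();
    $state['count']++;
    $state['users'][ $username ] = true;
    set_transient( ll_key(), $state, LL_LOCKOUT_SECONDS );

    if ( LL_MAX_ATTEMPTS === $state['count'] ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . get_bloginfo( 'name' ),
            sprintf( "IP %s locked out after %d failed attempts. Usernames tried: %s\n",
                ll_client_ip(), $state['count'], implode( ', ', array_keys( $state['users'] ) ) )
        );
    }
}
add_action( 'wp_login_failed', 'll_on_login_failed', 10, 2 );

// Priority 40 runs after core's username/password (20) and cookie (30) handlers,
// so a locked-out address is refused even if it finally guesses the right password.
function ll_authenticate( $user, $username, $password ) {
    $state = ll_state();
    if ( $state['count'] >= LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'll_locked_out',
            'Too many failed login attempts from your address. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'll_authenticate', 40, 3 );

// A successful login clears the counter for that address.
function ll_on_login( $user_login, $user ) {
    delete_transient( ll_key() );
}
add_action( 'wp_login', 'll_on_login', 10, 2 );
```

The lockout is enforced after core has checked the password rather than before it, because an early return from the authenticate filter does not stop core's own username/password handler from still returning a valid user. The email goes out once, on the attempt that trips the limit, and lists the usernames tried so you can tell a locked-out colleague from a bot hammering “admin”.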

2) Never use “admin” as a WordPress username.

It’s tempting to use “admin” as the first user, since it is the default username WordPress gives you when you set up your blog.

With the “Limit Login Attempts” plugin installed, I found the hacker was repeatedly trying to log in as “admin” using a brute-force method, but he was not trying the other accounts. I set up a new administrator account for myself, logged into the new account, and deleted the “admin” account, being sure to assign the existing posts to my new account as their author. I think it would also help to make sure your “Display Name” is not the same as your username.

3) Create a good password of 12 characters or more

Use upper- and lowercase letters, numbers and symbols, and get a password manager to keep all your logins straight.

What has not worked:

Google Authenticator Plugin. I had this installed on a blog that was previously hacked, but I did not have “Limit Login Attempts” installed at the time. The hacker still got in using what I presume to be a brute force attack. The Google Authenticator plugin just made it a pain trying to get back in, but I found deleting the plugin via FTP gave me access again.

I think Google Authenticator is still a good plugin when paired with a system that limits the number of login attempts. Even Google does this by using a captcha system.

TL;DR

To keep your WordPress blog safe from brute-force hackers, install Limit Login Attempts, never use “admin” as a username, and use a good password of at least 12 characters with upper- and lowercase letters, numbers and symbols.

Adobe Acrobat Pro X CS6 won’t start: how to fix


Earlier today, I needed to open a PDF to be edited. I tried to launch Adobe Acrobat Pro X, which is part of my CS6 suite, and nothing happened.

Rebooted the PC and tried again. Nothing.

Opened the Adobe Application Manager, and it said it was not installed.

I knew that couldn’t be right, so I opened “Programs and Features” from the Control Panel. Yep, Acrobat Pro X was there, so I tried reinstalling, but that did not work.

Googling the problem revealed that others had had the same problem, and the solution. Be sure to have your CS6 serial number ready before trying this.

Hat tip to LoriAUC for her instructions at http://forums.adobe.com/message/4546952.

  1. You must be connected to the Internet.
  2. Make sure you have your CS6 serial number.
  3. Launch any CS6 application other than Acrobat or Flash Builder. I used Dreamweaver.
  4. On the menu bar of the application you opened, click “Help” then click “Deactivate”.
  5. Close the application.
  6. Open the application you just closed or any other CS6 application other than Acrobat or Flash Builder.
  7. Once the application opens, accept the EULA.
  8. Register the trial by signing in using your Adobe account credentials.
  9. After the application opens, close the application.
  10. Open the application again and wait for the user interface window to come up.
  11. Click the “License this Software” button.
  12. Click on “Sign in”
  13. Enter your CS6 serial number and click Next.
  14. Close the application, then open the application.
  15. Try to open Acrobat Pro.

 


Page Template Option Missing

On one of the sites I administer, we are using a premium theme that comes with custom page templates.

When setting up a new page on this site, I noticed the Page Template option was missing from the Edit Page page.

I knew older pages were using the same template, so I knew the file wasn’t missing. I checked anyway. Yep, it was there. Maybe there was something weird in the header that was keeping WordPress from registering it as a template.

I downloaded and opened the template file and this is what I found (I replaced the template name to protect the sloppy):

<?php /* Template Name: [redacted] */ ?>

I would not have thought the absence of newlines would have mattered, but I knew that was not like the example that WordPress gives here. So I added some newlines.

<?php
/*
Template Name: [redacted]
*/
?>

(Make sure you replace [redacted] with your template name.)

Then I uploaded the change, refreshed my Edit Page and the template option was restored.
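For reference, here is an added example (not the theme's own file) of a complete page template that uses the multi-line header form above. “Newsletter Archive” is an assumed template name; the file goes in the theme or child-theme directory, and the template then shows up in the Page Attributes box on the Edit Page screen.

```php
<?php
/*
Template Name: Newsletter Archive
*/
// Added example, not the theme's own file: a complete page template using the
// multi-line header above. "Newsletter Archive" is an assumed name; WordPress
// reads "Template Name:" from the comment at the top of the file to list it
// in the Page Attributes box.

get_header();

if ( have_posts() ) {
    while ( have_posts() ) {
        the_post();
        ?>
        <article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
            <h1><?php the_title(); ?></h1>
            <?php the_content(); ?>
        </article>
        <?php
    }
}

get_footer();
```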

I’m off to fix the other pages.

Hopefully in the next update of this theme they fix the problem or I will need to update the page files again.

Random String Shortcode To Fix A PDF Caching Problem

On my church’s website, we post links to our missionaries’ newsletters as PDF files. We have a problem with browsers caching the older newsletters, so even though a new file is on the server, the old file appears in the browser. Not even clearing the cache seems to work. Adding to the problem, Cloudflare.com caches the file too, so I have to log in there and purge its cache.

One solution is to rename the PDF file and then change the link on the site every time. But we like to be lazy efficient around here, so I came up with a shortcode function that inserts a random string.

Adding a question mark and a random string to the end of the link makes the browser fetch the latest version of the file rather than the copy in its cache.

So for each newsletter link, I went into HTML mode and added

?[randomstring]

to the end of the link’s href attribute. So

<a href="http://domain.com/newsletter.pdf">Newsletter</a>

became

<a href="http://domain.com/newsletter.pdf?[randomstring]">Newsletter</a>

and when the post/page is rendered in a browser, [randomstring] would be replaced by a random string of 5 characters. 5 is the default, but the length can be changed by setting the “length” attribute in the shortcode like this:

[randomstring length=10]

Here is the code you need to add to the functions.php file of your WordPress theme to make this work.

/*
 random string shortcode: [randomstring] or [randomstring length=10]
*/
if ( ! function_exists( 'random_string' ) ) {
    function random_string( $atts, $content = null ) {
        $atts = shortcode_atts( array(
            'length' => 5,
        ), $atts );
        // Clamp the attribute to a sane positive integer so a missing or
        // non-numeric value cannot produce an empty (or enormous) string.
        $l = max( 1, min( 64, (int) $atts['length'] ) );
        /*
         Credit: based on code by "kriskra at gmail dot com"
         http://www.php.net/manual/en/ref.strings.php#84888
        */
        $c   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
        $s   = '';                // must be initialised before .= is used
        $max = strlen( $c ) - 1;  // random_int() bounds are inclusive, so -1 avoids reading past the end
        for ( ; $l > 0; $l-- ) {
            $s .= $c[ random_int( 0, $max ) ]; // $c{...} offset syntax is gone in PHP 8
        }
        return $s;
    }
}

add_shortcode( 'randomstring', 'random_string' );

I decided to keep this simple by not letting the function add the question mark, because you may sometimes need an ampersand instead (when the URL already has a query string), or nothing at all.

 


Use get_the_title(), not $post->post_title

WordPress lesson of the day:

If you want the title of a WordPress post, use the function get_the_title($post->ID) and not $post->post_title.

Both should work, but I found when you use smart or curly quotes (both single and double) in your post titles, using $post->post_title returns an empty string. Perhaps running a filter function would help, but I have no reason to go through that trouble right now.
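What get_the_title() adds over the raw field is the the_title filter chain (wptexturize, which turns straight quotes into curly ones, plus the “Protected:” and “Private:” prefixes), and neither value is escaped for output. Here is an added example (not from the original post) that reads a title both ways and escapes it for each HTML context; the function name is our own, and it assumes a valid post ID.

```php
<?php
/*
 Added example, not from the original post: the two ways a title is read,
 and the escaping each output context needs. The function name is our own;
 it assumes $post_id is a valid post ID.
*/
function example_title_markup( $post_id ) {
    // Raw database value: no filters, no "Protected:"/"Private:" prefix,
    // straight quotes left as typed.
    $raw = get_post_field( 'post_title', $post_id, 'raw' );

    // Filtered value: runs apply_filters( 'the_title', ... ), which is what
    // get_the_title() does on top of reading the same field.
    $filtered = get_the_title( $post_id );

    // Escape per context: neither value is safe in markup by itself, and
    // get_the_title() is not attribute-safe even though it is filtered.
    // (Inside the loop, the_title_attribute() does the attribute case.)
    $heading = '<h1>' . esc_html( $filtered ) . '</h1>';
    $link    = sprintf(
        '<a href="%s" title="%s">%s</a>',
        esc_url( get_permalink( $post_id ) ),
        esc_attr( $filtered ),
        esc_html( $filtered )
    );

    return array(
        'raw'      => $raw,
        'filtered' => $filtered,
        'heading'  => $heading,
        'link'     => $link,
    );
}
```

esc_html() does not double-encode, so the &#8220;-style entities wptexturize produces survive it intact while a stray < or " typed into a title does not.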