<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tim Nash &#34;stuff&#34; Blog &#187; Wordpress</title>
	<atom:link href="http://www.timnash.co.uk/category/wordpress/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.timnash.co.uk</link>
	<description>The Stuff Consultant</description>
	<lastBuildDate>Tue, 08 Nov 2011 11:02:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>WordPress Security Workshop 28th September</title>
		<link>http://www.timnash.co.uk/09/2011/wordpress-security-workshop-28th-september/</link>
		<comments>http://www.timnash.co.uk/09/2011/wordpress-security-workshop-28th-september/#comments</comments>
		<pubDate>Thu, 08 Sep 2011 14:26:04 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=780</guid>
<description><![CDATA[While at Think Visibility over the weekend one thing was clear to Tim from people&#8217;s faces as they listened to a talk on WordPress security: there were a lot of worried faces. Tim introduces Coding Futures&#8217; WordPress security half-day workshop for digital agencies.]]></description>
<content:encoded><![CDATA[<p>While at Think Visibility over the weekend one thing was clear from people&#8217;s faces as they listened to my friend Glyn&#8217;s talk on WordPress security: panic. There were a lot of worried faces. WordPress is a fantastic content management platform and, contrary to popular belief amongst many techies, it is on the whole a security-conscious platform. However, as software inevitably grows it attracts attention, good and bad, and WordPress users are potential targets for those people intent on spamming donkey porn to the world. </p>
<blockquote><p>Trust me some people are intent on spamming donkey porn to the world!</p></blockquote>
<p>Fear not: if you do not fancy your site being used to spread mule-based filth, good security practices and some simple hardening of your site will go a long way.</p>
<p><img src="http://www.timnash.co.uk/wp-content/uploads/2011/09/donkey.jpg" alt="donkey porn" /><br />
<em><a href="http://www.flickr.com/photos/oxox/237946935" rel="nofollow">OxOx Creative Commons</a></em></p>
<p>The advice given in Glyn&#8217;s talk covered 99% of what is required, but at a whirlwind pace. If people are interested in learning more, Coding Futures runs half-day workshops on &#8220;brand security&#8221; for digital agencies. These focus primarily on WordPress and, to a lesser extent, on general good practice in social media and brand technologies such as Twitter. </p>
<p>The workshop is £185+VAT and we have a few spaces available for the September workshop. For more information please check out the <a href="http://brandsec.codingfutures.co.uk">Brand Security Workshop</a> site. </p>
<p>The workshop covers three key areas of brand security:</p>
<ul>
<li>Prevention</li>
<li>Detection</li>
<li>Reaction</li>
</ul>
<p>Using a mixture of hands-on examples and case studies, the workshop will focus on two of the most common platforms used by digital agencies, WordPress and Twitter. It will cover understanding threat models, hands-on protection for WordPress and Twitter accounts, tools to aid in detecting hacks and, perhaps most importantly, dealing with the aftermath of a hacking attack to minimise damage not only to the compromised site but to other accounts affected.</p>
<p>The workshop is a hands-on event and attendees are encouraged to work on live sites. As such it is suited to people who have control of their own or their clients&#8217; sites (if you have FTP and WordPress admin details). No technical expertise is required, though an understanding of HTML and WordPress will help you get the most from this workshop.</p>
<p>By the end of the seminar attendees should have a more complete understanding of WordPress security, with practical advice for their own sites, and a greater understanding of the Twitter platform and security best practices that carry across social media platforms.</p>
<p>Basically, don&#8217;t fancy donkey porn on your clients&#8217; sites? It might be worth coming along. For more information and to register, please visit the <a href="http://brandsec.codingfutures.co.uk">Brand Security Workshop</a> site.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/09/2011/wordpress-security-workshop-28th-september/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Making Money with Facebook</title>
		<link>http://www.timnash.co.uk/08/2011/making-money-with-facebook/</link>
		<comments>http://www.timnash.co.uk/08/2011/making-money-with-facebook/#comments</comments>
		<pubDate>Thu, 11 Aug 2011 08:42:33 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=744</guid>
<description><![CDATA[Facebook is like an incredible walled garden. And as the platform matures, development and design agencies have pushed its boundaries, resulting in mixed blessings for the platform. In July, the BBC launched the Dr Who streaming service. For a few Facebook credits, non-UK residents can watch a select set of Dr Who episodes for up to 72 hours. Tim takes a look at the evolution of Facebook as a platform and how you can do the same as the BBC on a shoestring budget.]]></description>
<content:encoded><![CDATA[<p>Facebook is like an incredible walled garden. And as the platform matures, development and design agencies have pushed its boundaries, resulting in mixed blessings for the platform. By readjusting its priorities, it has experienced the first dip in its user base. The adjustments, however, could potentially make Facebook stronger than ever, especially if it can convince third parties and companies it’s a true platform, instead of just another social network.</p>
<p>In July, the BBC launched the Dr Who streaming service. For a few Facebook credits, non-UK residents can watch a select set of Dr Who episodes for up to 72 hours. (This is just one example of how the garden is changing.)<br />
<img src="http://www.timnash.co.uk/wp-content/uploads/2011/08/drwho.png" alt="Dr Who Streaming service"  width="550px" style="padding-top:10px; padding-bottom:5px;" /><br />
When the Beeb launched their service, Twitter and Facebook exploded. Why? It’s the BBC. Naturally, everything they touch has to be investigated in minute detail, discussed on social networks and in the wider media here in the UK. It’s also a change of direction for the BBC, which is now relying on a third party. Indeed, it opened a debate: should the BBC be, in part, paying a third party to put content in a closed garden?</p>
<p>Over the weekend of the launch, I had to stifle laughs. Friends were explaining how much it cost, how they wouldn’t make their money back, and most importantly, why the BBC would give 30% of the money to Facebook!</p>
<p>You see, as the technical director and part of the team at Coding Futures, I’ve helped several major clients launch large Facebook applications. We had also been working on a way to take that knowledge to put it into our retail software, Your Members. </p>
<p>The Your Members <a href="http://www.yourmembers.co.uk">WordPress membership plugin</a> leans heavily on developments coming from our work with enterprise clients. Over the last few months, we have been building a feature-rich Facebook addon that allows you to create applications, protect content and pay for it with multiple gateways, including Facebook credits while in Facebook.</p>
<p>What’s more, the same software already has a streaming addon, which allows you to securely stream video from Amazon S3 via progressive download, or create an Amazon CloudFront distribution and do real RTMP streaming. </p>
<p>Now, you would expect the Beeb to use its massive resources to hire a development team like Coding Futures to create something unique. They didn’t. In fact, they could have created the exact same thing for less than $200 using Your Members. So, while it is great that they have helped prove a concept, have they really pushed the boundaries?</p>
<p>Now, basically anyone could create their own pay-to-view Facebook video service. If you want to give it a go, here is a <a href="http://www.yourmembers.co.uk/the-support/guides-tutorials/your-members-facebook-integration/">step-by-step tutorial</a> for mimicking the BBC Facebook application in Your Members.</p>
<p>Of course, to use Facebook, you don’t have to pay them 30% of earnings. That’s only when using Facebook credits. You don’t need to take payments at all, and for the moment, only “games” are required to sell via credits, so other applications can use different payment methods. </p>
<p>Which leads to one of the more interesting concepts in developing within Facebook: the “likewall”. Just like a paywall, content is protected, but it only costs the user a single click to access the content rather than a financial payment. For digital brands and ad agencies, the idea of a likewall is only just taking off in the mainstream, and it will be interesting to see how Facebook deals with incentivised likes. Currently, their terms and conditions on the subject are woolly at best.</p>
<p>So, the obvious question is where to next for the BBC? Is this first foray their last? Or, will we one day see iPlayer inside Facebook? (For non-UK peeps, this isn’t some strange Apple device you haven’t heard of, but rather a BBC streaming service.) Probably not, if only because the people in the BBC working with Facebook are not the corporation we know here in the UK. They belong to BBC Worldwide, which is basically the BBC’s non-UK commercial arm. </p>
<p>So, if not iPlayer, more classic streaming episodes, perhaps. Certainly, if you can get over that 30%, using both Facebook Credits and another payment gateway could be one way to save costs (plug: Your Members can do that <img src='http://www.timnash.co.uk/wp-includes/images/smilies/icon_razz.gif' alt=':P' class='wp-smiley' />  ), and in turn, make this an effective medium for any company with media content.</p>
<p>Another interesting possibility is organisations like Open University putting their online course material on Facebook for their students. And not just big organisations. Suddenly, anyone running an online course could have them available to individual users within Facebook. How about an online course on Facebook in Facebook, very meta!</p>
<p>For many people today, Facebook is the web. Its application platform looks ready for prime time, and Facebook Credits are starting to be used regularly, even by non-farming-related gamers. Is this the time Facebook marketing really grows up? Is it possible to run a Facebook-only business?</p>
<p>Should the BBC put money into a closed garden like Facebook, given that large companies owning closed gardens tend to start imposing more restrictive rules (cough, Apple)? Can any business truly survive by operating solely in Facebook? While it’s certainly technically possible, do you think it’s feasible from a business perspective?</p>
<p>I think it is, but having watched businesses being burned by similar platforms (Twitter/Apple/Microsoft) suddenly changing the rules, it’s not there yet. I think, until the platform fully matures, people will continue to make small steps and build small corners of their sites into Facebook. And now that it has become possible to do so easily, do agencies and businesses really have an excuse not to take those steps?</p>
<p>Disclaimer: I work for <a href="http://www.codingfutures.co.uk">Coding Futures</a>, the developers of <a href="http://www.yourmembers.co.uk">Your Members</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/08/2011/making-money-with-facebook/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What is a camp?</title>
		<link>http://www.timnash.co.uk/07/2010/what-is-a-camp/</link>
		<comments>http://www.timnash.co.uk/07/2010/what-is-a-camp/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 12:47:20 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=645</guid>
<description><![CDATA[Tim looks at what an "unconference" is after attending WordCamp UK. Not his usual style of post, but he really wanted to talk about it from a "BarCamper's" perspective.]]></description>
<content:encoded><![CDATA[<p>Quick note: this is not my usual technical post, this is about conferences and camps. I have been trying to get some thoughts down on paper and here seemed a good place to do it. Second note: this post is not edited by my good friend <a href="http://www.angiescopywriting.com/">Angie</a>, who normally edits posts for me; given the nature of it I really wanted it to be my words, so sorry for grammar and spelling in advance.</p>
<h3>What is an Unconference?</h3>
<p>Last weekend I was at WordCamp UK. It was described as an &#8220;unconference&#8221;. I spend most of my weekends at &#8220;unconferences&#8221; and hackdays, I&#8217;ve helped organise them, and I consider myself a BarCamper, though perhaps not quite to the level of my friend <a href="http://www.agm.me.uk/blog/">Alistair</a>! In my mind WordCamp UK wasn&#8217;t an unconference: the schedule was pre-determined, with gaps to be made up by &#8220;ad hoc&#8221; sessions. </p>
<p>Wikipedia describes an unconference as &#8220;a facilitated, participant-driven conference centered on a theme or purpose.&#8221; I&#8217;m not sure I&#8217;m comfortable with that definition; I like to think of them as simply attendee-driven conferences. The problem is that while attendees could start a session, they hit a few barriers in organising them: the board was hidden, and went more or less un-promoted. Indeed the board could best be described as&#8230;</p>
<blockquote><p>
&#8220;But the plans were on display &#8230;&#8221;</p>
<p>&#8220;On display? I eventually had to go down to the cellar to find them.&#8221;</p>
<p>&#8220;That&#8217;s the display department.&#8221;</p>
<p>&#8220;With a flashlight.&#8221;</p>
<p>&#8220;Ah, well the lights had probably gone.&#8221;</p>
<p>&#8220;So had the stairs.&#8221;</p>
<p>&#8220;But look, you found the notice didn&#8217;t you?&#8221;</p>
<p>&#8220;Yes,&#8221; said Arthur, &#8220;yes I did. It was on display in the bottom of a<br />
locked filing cabinet stuck in a disused lavatory with a sign on the<br />
door saying &#8216;Beware of the Leopard&#8217;.&#8221;<br />
<em>The Hitchhiker&#8217;s Guide to the Galaxy</em>
</p></blockquote>
<p>As a BarCamper, where the board is the focal point of an event and the spirit of it, this was very depressing. I loved some of the talks, but I couldn&#8217;t help thinking I would have liked to have seen more than BuddyPress, BuddyPress again, etc., and if the board had been the focal point I strongly believe ad hoc sessions would have appeared to counter this. I went with the intention of running a session, but left having not. </p>
<p>This isn&#8217;t a rant about WordCamp UK, otherwise I would ask questions like where did the money go, etc., but it highlights that people&#8217;s ideas are different. I&#8217;m sure the organisers have been to a BarCamp and seen how &#8220;we&#8221; do it; they chose a halfway house and it didn&#8217;t work. </p>
<h3>Can Conferences and Unconferences work together?</h3>
<p>I think they can. If you have a 2-day conference, I see nothing wrong with having structured tracks on day 1 and unstructured on day 2; likewise in a 1-day conference simply run scheduled and unscheduled tracks. The key, though, is to treat them as different tracks, keep the focal point (&#8220;the board&#8221;) and don&#8217;t be afraid the community won&#8217;t deliver. I have been to BarCamps where I have looked at the board and around the room and realised there were more slots than people. Those have been some of the best camps I have been to: all the slots filled, people stepped up. If you&#8217;re a traditional conference organiser it&#8217;s frightening not to know who is speaking before the day, but that&#8217;s the point: trust your attendees!</p>
<h3>So about the controversy at WordCampUK</h3>
<p>To sum up, a suggestion was made by Jane, who represented both <a href="http://central.wordcamp.org/">wordcamp.org</a> and Automattic, the company, that the UK had reached the point where it perhaps had enough critical mass to break out into regional and city-level camps, much like BarCamp has, and that if this was to happen a central camp might be harming this, or creating a hierarchy. I had left, but it was quite disgusting watching the tweets, and for Jane to describe herself as near to tears is just not acceptable. That said, let&#8217;s take a look at the BarCamp model: there have been dozens of BarCamps every year here in the UK. London is the biggest; some appear, some go, but year on year they have grown both in number of camps and in number of attendees. Each BarCamp is organised independently. There are &#8220;campers&#8221; who will be found at most of these volunteering and helping out, but there is no formal structure: organisers just pick it up and run with it.</p>
<p>In contrast, there are lots of PHP user groups. PHPLondon used to host a conference and it was nice; then PHPNW ran a conference and suddenly London&#8217;s conference became PHPUK. It was a mess, and this year wasn&#8217;t much better. There was no need to attach the UK moniker or try to get a larger venue; from the outside it just came across as vain and silly. </p>
<p>WordCamp is a great idea, and what&#8217;s more there is plenty of sponsorship out there. Really, if someone wants to run WordCamp Leeds (and I would love to do that) I don&#8217;t think it should be looked down on. If it only gets 8 attendees (and I do believe that there are more users than many give credit for) then so what! If they learn something new, enjoy themselves and go away having had a good time, what does it matter if it was small? </p>
<p>As for the UK one, as an outsider it doesn&#8217;t appear to work. It came across as having ideas of grandeur which fell flat, focused on a small organising team who have done a hard job, but really, saying it&#8217;s time to discuss disbanding or rebranding is not a bad thing; it just proves their success.</p>
<p>One thing I find about a BarCamp is that it&#8217;s a great leveller. They work best when egos are left at the door and you roll up your sleeves and muck in; maybe that&#8217;s the lesson that needs to be learnt. To that end, if there are WordPress users in Leeds and the surrounding area, let&#8217;s talk <img src='http://www.timnash.co.uk/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/07/2010/what-is-a-camp/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Grumpy Links the next installment</title>
		<link>http://www.timnash.co.uk/07/2008/grumpy-links-the-next-installment/</link>
		<comments>http://www.timnash.co.uk/07/2008/grumpy-links-the-next-installment/#comments</comments>
		<pubDate>Tue, 15 Jul 2008 13:15:15 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[SEO Introduction]]></category>
		<category><![CDATA[Social Media Optimisation]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=174</guid>
<description><![CDATA[or I really can&#8217;t think of a good title! Well I have been a little on the busy side so time for another absolutely amazing round up of the cool, the fun and just the plain daft SEO and others have to offer. WordPress 2.6 guess what you&#8217;re going to upgrade! Yes its that time [...]]]></description>
<content:encoded><![CDATA[<p>or I really can&#8217;t think of a good title!<br />
Well, I have been a little on the busy side, so it&#8217;s time for another absolutely amazing round-up of the cool, the fun and the just plain daft that SEO and others have to offer.</p>
<h3><a href="http://www.timnash.co.uk/04/2008/wordpress-security/">WordPress 2.6</a>: guess what, you&#8217;re going to upgrade!</h3>
<p>Yes, it&#8217;s that time when Automattic demonstrate they truly are a useless company and once more have punched another nail into <a href="http://www.timnash.co.uk/04/2008/wordpress-security/">WordPress</a>&#8217;s already rather stuffed coffin when it comes to enterprise deployment. Don&#8217;t know what the fuss is about? Well, wordpress.org sums up their entire philosophy in 2 lines.</p>
<blockquote><p>2.6 is pretty much identical to 2.5 from a plugin and theme compatibility point of view, so upgrades from 2.5 should be pretty painless. The 2.5 branch will no longer be maintained so everyone is encouraged to upgrade. <em>source: http://wordpress.org/development/2008/07/wordpress-26-tyner/</em></p></blockquote>
<p>So expect a major security bug to hit 2.5 some time this afternoon to help encourage take-up; after all, the article goes on to say&#8230;</p>
<blockquote><p>1,984,047 downloads of the 2.5 series, the fastest growing release we’ve ever had!</p></blockquote>
<p>Which was not in any way influenced by the 3 major security bug scare stories going on at all.</p>
<h3>Good WordPress News!</h3>
<p>In case you have been living under a rock&#8230; Your Members, <a href="http://www.newmedias.co.uk/wordpress-membership/">the WordPress Membership Plugin</a>, was launched! Cheer for joy and go buy it, preferably in that order.</p>
<p>Also, Sean, who has been so busy working on YM that he forgot to speak to his other half for a week, has released a rather handy <a href="http://www.sean-barton.co.uk/2008/07/wordpress-session-management/">stats plugin</a> which keeps a list of recent visitors. It&#8217;s incredibly lightweight and, while it won&#8217;t replace Google Analytics any time soon, is great for seeing who is on the site right now. Check it and his blog out at <a href="http://www.sean-barton.co.uk">sean-barton.co.uk</a> </p>
<h3>Money.co.uk</h3>
<p>Yes, it&#8217;s not enough that they besmirch the name of <a href="http://www.cornwallseo.com/search/">Cornwall SEO</a> by pretending they didn&#8217;t know that cunning baiter was telling stories; now they have got into the widget game&#8230; But look who&#8217;s promoting it: ah, <a href="http://www.johnchow.com/which-billionaire-are-you/" rel="nofollow">Mr Chow</a>, how nice of him&#8230;</p>
<p>Just a thought though money.co.uk haven&#8217;t we been here before, with the whole <a href="http://www.guardian.co.uk/technology/2008/feb/14/searchengines.blogging" rel="nofollow">viral widget thing</a>?<br />
Hat tip to <a href="http://www.darkseoprogramming.com/2008/07/15/would-you-like-to-be-showered-with-quality-links/">Dark SEO Programming</a>.</p>
<p>Total aside, but <a href="http://seocog.blogspot.com/2008/07/how-to-write-landing-page-that-converts.html">Melanie from Pro-Webs</a> is offering a free white paper on landing pages that convert; you never know, it might be of use.</p>
<h3>Stompernet goes lazy</h3>
<p>Oh, and in exciting news, Andy Jenkins is going to tell the Stomper newsletter if Traffic Secrets 2 is any good&#8230; Yawn. I will save you the suspense: he will say it&#8217;s absolutely amazing and you must buy it because he was blown away, yada yada. Ultimately a rather pathetic attempt at encouraging sales, which is a shame because the Stompernet team are normally a lot less obvious and tend to put time, or at least perceived time, into their marketing and promotional efforts.</p>
<p>Last couple of bits for more serious reading: <a href="http://www.seobythesea.com/?p=1092">Yahoo patent on link anchor text relevancy</a> (SEO by the Sea), while Mr Harry is doing research into <a href="http://www.huomah.com/Internet-Marketing/Link-Building/Using-KW-research-to-diversify-link-profiles.html">Diversity of Link Profiles</a>.</p>
<p>Hopefully I will return with something more serious in a while, but I leave you with this&#8230;</p>
<blockquote><p>
If my first link is described as a fruit while the second a computer but both arrive at the same location am I a fruit, a computer, or just unclassified juice?</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/07/2008/grumpy-links-the-next-installment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>WordPress suitable for SEOs?</title>
		<link>http://www.timnash.co.uk/04/2008/wordpress-security/</link>
		<comments>http://www.timnash.co.uk/04/2008/wordpress-security/#comments</comments>
		<pubDate>Sun, 20 Apr 2008 10:39:49 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=130</guid>
		<description><![CDATA[One of the more obscure things Venture Skills does is Forensic reinclusion or reconsideration requests. This is when a site has been removed from Google and other search engine indices and we are asked to help determine why and fix the problems. The usual reasons are: Bad SEO work – hidden text etc Other Penalty [...]]]></description>
<content:encoded><![CDATA[<p>One of the more obscure things Venture Skills does is forensic reinclusion (reconsideration) requests. This is when a site has been removed from Google and other search engine indices and we are asked to help determine why and fix the problems. The usual reasons are:</p>
<ul>
<li>Bad SEO work – hidden text etc</li>
<li>Other Penalty related – a growing issue</li>
<li>Hacked site</li>
</ul>
<p>In 2007 the rough breakdown was 80% bad SEO work, with the remaining 20% being some sort of security compromise. In 2008 these figures have changed dramatically, with bad SEO work accounting for less than 30% and other penalties (normally paid links) for another 15%, with the rest being <a href="http://www.northsouthmedia.co.uk/wordpress/index.php/2008/04/17/how-to-protect-your-blog-before-and-after-a-hack-attack/">hacked sites</a>.</p>
<p><em><strong>Disclaimer</strong> – This post is not designed to frighten, merely to inform. I am not saying plugin x or y is insecure, but it potentially could be. Remember security is something you have to deal with; you cannot put your head in the sand!</em></p>
<p><em><strong>Another Disclaimer</strong> – A hacker is not someone who breaks into systems; however, for the sake of simplicity I will use the term as such. Shoot me later.</em></p>
<h3>Who is coming to see us?</h3>
<p>Most of our clients have several things in common: they are normally running WordPress, and the first indication they have been hacked is either a sudden loss in rankings or the StopBadware notice appearing against their name in search results.</p>
<p>Now WordPress is not inherently insecure, but with popularity comes greater risk: as more sites use WordPress it provides a greater opportunity and scope for any potential attack, and WordPress&#8217;s simplicity and extensibility through plugins make it very popular with all sorts of people. So it should be no surprise that the majority of hacked sites we see through our doors are WordPress.<br />
Google does normally give warnings and notices of problems via Google Webmaster Tools, but to be fair, how many people log in to their account every day? Well, you are the exception to the rule; most people do not! </p>
<h3>How do these attacks happen?</h3>
<p>WordPress, like any modern CMS, is complicated code which is bound to have bugs and holes which can be exploited. Normally the exploitation is quite minor; very rarely is a hole big enough to allow a hacker to access your admin area or the underlying system. Normally they aim to add links or files to the server (with files the goal is normally to execute them remotely). Google throwing you out of the index is normally because of links being inserted into your pages.</p>
<p><img src="http://www.timnash.co.uk/wp-content/uploads/2008/04/look-300x180.jpg" alt="hacked source code" /></p>
<p>The official line from Automattic (the people who write WordPress) is that these hacks occur because people fail to upgrade, and there may be some truth in that: most WordPress upgrades include security and bug fixes. Of course there are many reasons not to upgrade, from training to compatibility issues.</p>
<h3>What can we do to stop a visit to Tim?</h3>
<p>So what I want to do is really open people&#8217;s eyes and stop them visiting me, by not having had their sites compromised. We are never going to stop it entirely, but we can take steps to prevent it. But first I would like to tell you two stories:</p>
<blockquote><p>One day an IT technician upgraded their software to the latest version. He did it late on Friday night; the whole upgrade took 5 minutes and went smoothly, and the technician went to the pub. On Monday morning he logged into the support ticket system and found literally hundreds of tickets. He was confused: what went wrong? The upgrade went fine? Except for the fact that no one was told of the upgrade, no training was given for the new interface and several plugins no longer worked. The next Friday he is standing looking at the job board outside the Job Centre.</p></blockquote>
<p>No IT technician would ever upgrade software without testing it first, checking it was compatible and organising training for users; if they did they wouldn’t be surprised to be out of work. Most companies understand that you can’t simply upgrade software, and so provide two streams of updates: feature updates, which affect users, and security patches, which allow technicians to secure their software without affecting their users. Big open source projects that are geared towards businesses, like Drupal, also follow this pattern, providing updates but also making sure bug and security patches are available for previous releases. </p>
<p>Automattic could and should take this on board; WordPress is not suitable for business until it recognises that businesses cannot just upgrade software. Users, on the other hand, cannot blindly upgrade either: just look what happened to <a href="http://www.hobo-web.co.uk/seo-blog/index.php/wordpress-crawl-rate-tracker-plugin-chewed-my-site/">Shaun and many others</a> who upgraded to WordPress 2.5 recently and found themselves in real trouble because of an incompatible plugin. WordPress 2.5 was a major change for WordPress, but it also included important security updates, so WordPress users are now put between a rock and a hard place: deal with the changes and upgrade, or pray they don’t fall victim to the holes that have been patched.</p>
<p>My second tale is one designed to remind you that not everything that glitters is gold.<br />
<em><strong>Disclaimer</strong> – I am sure wp-scanner is highly secure and this is not meant to dissuade people from using it, but it is the obvious plugin to highlight!</em></p>
<blockquote><p>
One of my previous places of employment had a very secure network, but one day came under a very intense denial of service. The security technician was scratching his head: the target of the attack shouldn’t have been easy to find externally and the network had more obvious targets. Eventually the problem was tracked down. One member of the IT staff had downloaded a piece of software to help find a route through firewalls for P2P software; the software called an external scanner, and the combined information was being sent (unknown to the member of staff) to a third party and was used to attempt to breach the network.</p></blockquote>
<p>WordPress is an amazingly powerful piece of software with a nice API allowing plugin developers to extend it. But this system can easily be abused: how hard would it be for me to add a simple function that, when called, created a user called backdoor? More importantly, when plugins are calling home, do you know what they are sending? Take wp-scanner: imagine if it in fact made 7 security tests, not 6? </p>
<h3>But Tim, how do I secure my WordPress install!</h3>
<p>On the whole, keeping your WordPress install up to date is a good idea; however, it is always good to have a test blog. Always test upgrades and plugins on your test site first. Don’t rely on other people to do your testing!</p>
<p>Having a mirror of your current blog is very useful: it not only allows you to test upgrades but also provides a safe backup should the worst occur.</p>
<p><strong>User control</strong><br />
<em>Roles</em><br />
Even if you have only one person writing on the blog, have two accounts: one set with the user role of author, which you use day to day for writing posts (this will normally be account #2), and an admin account, a full administrator account which is used only for administration purposes (normally the #1 account). You can also change the default username from admin; this can be done using phpMyAdmin or similar, and the table you’re looking for is wp_users, where wp is the prefix you selected. Change the first user from admin to something else.</p>
<p><em>Enforce Password Strength</em><br />
The new WordPress 2.5 does have a password strength meter, but it’s education that is really needed to explain why complex passwords are required. A complex password is more than 6 characters with both alphanumeric characters and symbols: Df%34g8b is a secure password, iamgod is not!</p>
<p><strong>Security by obscurity</strong><br />
Not something people should rely on, but did you know most WordPress blogs announce not only that they run WordPress but also the version? It’s a bit like having a sign on the front of your house saying the safe inside is a “sidebox 724 9 button version”.<br />
You can remove the version number by editing your theme template (pre 2.5) or using the <a href="http://wordpress.org/extend/plugins/replace-wp-version/">Replace Version Plugin</a> (post 2.5).<br />
<em>Secure your admin area</em><br />
If you have SSL, shared or dedicated, make use of it by <a href="http://wordpress.org/extend/plugins/admin-ssl-secure-admin/">securing your admin login area</a>. Given that only a few users are accessing the admin area, look at locking it down to a small group of IPs with <a href="http://wordpress.org/extend/plugins/wp-adminprotection/">Admin Protect</a>.<br />
<strong>General tips</strong><br />
Do not take MySQL or WordPress backups, name them backup.sql and leave them in the root folder. You may laugh, but this is quite the norm; backups should always be outside the public_html folder. Indeed, backups are really only useful if they are not in the danger area, so look to keep them in a secure third place away from your server.</p>
<p>Look at plugin code before executing it, and read the readme files, particularly if it involves changing file permissions. Make sure your wp-admin, wp-content, and nearly all the wp-includes file permissions are set to writable only by the user, not the group. This will mean you will not be able to edit the theme via the admin area, but this is not a huge loss; however, you may wish to make wp-content/uploads writable if you often upload images for posts.</p>
<h3>And if it’s too late!</h3>
<p>If the worst case happens and something goes wrong, you have two choices: call in the experts (sorry, shameless plug) or DIY recovery. Presuming you want to go the DIY route, here is a quick checklist:</p>
<ol>
<li>Take your site down; don’t delete files, simply modify your htaccess to redirect to an error page.</li>
<li>Take a copy of your entire system as it is; don’t delete or modify anything.</li>
<li>Repeat for the MySQL DB.</li>
<li>Use your backup with something like WinMerge to locate the physical files that have been changed.</li>
<li>Delete the files.</li>
<li>Change passwords on all parts of the site.</li>
<li>Use the backup to redeploy the site, taking your posts from your original DB unless your backup is very new. It may seem harsh, but losing comments is not as problematic as losing posts, and indeed comments have to be treated as suspicious.</li>
<li>Patch your system: if a patch or upgrade is available, apply it before uploading, and take any steps you failed to take to harden the system.</li>
<li>Change all passwords again.</li>
<li>Leave it a day and, if no issues have occurred, apply to Google via Webmaster Tools for reconsideration and tell them it was a hack.</li>
</ol>
<p>OK, this is a simplified list. What you shouldn’t do is leave the files up on the server and just upgrade to the latest version in a blind panic. Until you have identified how the hack occurred you have no way of knowing the implications. Just because you can see a pile of links in your code doesn’t mean that’s all it did.</p>
<h3>Is WordPress suitable for SEOs and Internet marketers?</h3>
<p>This blog uses WordPress and I really like WordPress, but I do not recommend it to my commercial clients. We simply do not think it is compatible with modern IT solutions, and until the development team leaves the Update or Die philosophy it will stay inappropriate and will lose out to mature systems such as Drupal. Drupal is not any more secure; indeed there are more security bulletins for it than for WordPress, but it has a patch and upgrade path which provides support for earlier versions in the form of security patches. I will leave you with one final question/anecdote:</p>
<blockquote><p>If Microsoft announced they were not going to supply security patches to XP because Vista was better on the launch day of Vista how would people react? What about the idea that security patches would not be compatible with XP sp2 users the day after a new service pack was released?</p></blockquote>
<p>Is WordPress a mission critical system in your organisation? How do you cope with upgrading?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/04/2008/wordpress-security/feed/</wfw:commentRss>
		<slash:comments>29</slash:comments>
		</item>
		<item>
		<title>Comment Prompt/Reminder Plugin</title>
		<link>http://www.timnash.co.uk/01/2008/comment-promptreminder-plugin/</link>
		<comments>http://www.timnash.co.uk/01/2008/comment-promptreminder-plugin/#comments</comments>
		<pubDate>Sun, 20 Jan 2008 14:49:10 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Programming]]></category>
		<category><![CDATA[Wordpress]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/01/2008/comment-promptreminder-plugin/</guid>
		<description><![CDATA[Just a quick note to say I have finished and zipped up my WordPress plugin to encourage visitors to comment. The plugin displays a message to visitors who haven&#8217;t commented after a certain number of visits. The whole thing is customisable from position to the message as well as when you want to start the [...]]]></description>
			<content:encoded><![CDATA[<p>Just a quick note to say I have finished and zipped up my <a href="http://www.timnash.co.uk/comment-prompt/">WordPress plugin</a> to encourage visitors to comment. The plugin displays a message to visitors who haven&#8217;t commented after a certain number of visits. The whole thing is customisable, from position to the message, as well as when you want to start the nagging!<br />
<img src="http://www.timnash.co.uk/wp-content/uploads/2008/01/comment-prompt.jpg" alt="screenshot" /><br />
<br />
If you&#8217;re interested then visit the <a href="http://www.timnash.co.uk/comment-prompt/">Comment Prompt</a> download page and let me know what you think. It&#8217;s running on this site at the 12 page view mark and is located at the end of posts. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/01/2008/comment-promptreminder-plugin/feed/</wfw:commentRss>
		<slash:comments>10</slash:comments>
		</item>
	</channel>
</rss>

