Say No to Technorati’s Forced Upgrades – Bad Information Spreads Like Wildfire

Today I read an article on Sphinn that I have to strongly disagree with. (Original article source here.) According to Technorati’s official blog, they will be de-listing WordPress blogs that have not upgraded to either version 2.3.3 or version 2.5. They are issuing strong warnings to bloggers that they either upgrade or risk getting canned. I want to go on record as saying that I dislike strong-arming tactics like this, and think it’s dangerous, for several reasons.

Improve Site Security and SEO with One Line of Code

I was recently doing research in Google for a new WordPress plugin we are developing. I was greeted with page after page of results that read like this:

Google Listings that display directory contents.

The Google results show that many sites have their directory contents being listed, and ranked. This tells me that many, many site owners are using default server settings and unwisely revealing the contents of their directories. It is extremely important to hide your directory contents for two reasons: Security and SEO.

Examining Logs and Sharing Knowledge Can Help Expose Security Flaws

Every time a new security exploit is announced, hackers program their botnets to pound sites looking for these obscure holes. By keeping a pulse on our site access logs, I can immediately tell what new security flaws are in existence because of the types of URLs that the bots hit. Normally you would want to be reading security alerts to stay on top of current security exploits, but often hackers know before the exploits get discovered by the security industry, and monitoring your logs can help you discover exploits early.

Bad Behavior Behaving Badly

Tonight, I was locked out of the WordPress blogs I manage, along with most other site-owners who have the Bad Behavior plugin installed. I was greeted with a standard Bad Behavior message informing me that my IP address was blacklisted. It included a link with the usual fix-it-yourself key, and a link to my email address. On the linked fix-it-yourself page, there really was nothing you could do to fix the problem, and I was further informed that my IP address was tied to criminal activity, or possibly that there were viruses on my computer. (Wow, good to know. As soon as I finish this post, I’ll be sure to take a sledgehammer to my computer to stop all the criminal activity it’s engaged in.)

Website Security: Hackers, Botnets, and LIBWWW-PERL: Part 3

Ok, by now, you’ve read Part 1 and Part 2.

Let’s move on.

The Solution: A Few Lines of .Htaccess Code

There is a quick solution that most website owners shouldn’t have any problem implementing.

If the following is not already in your .htaccess file, then insert it near the beginning:

Website Security: Hackers, Botnets, and LIBWWW-PERL: Part 2

Ok, by now, you’ve read Part 1 so let’s continue.

NOTES ON SECURITY:
Security is about reducing risk, and lowering the statistical probability of a successful attack. You can never eliminate risk fully, and there is no such thing as 100% impenetrable security, even with the best measures in place. By increasing the level of security for your site or application, you are shrinking the pool of hackers that have the [skill|experience|time|resources|desire] to hack your site. In most criminal acts, it’s about following the path of least resistance — if you increase the difficulty of success (sometimes by even a small margin) then often the hacker will go somewhere else.

Think of other crimes like car theft or breaking into a house. In most cases, if a thief is checking out your car, but discovers that you have a vehicle with all the top security measures, he’ll move on to an easier one. That is, unless he has a specific reason to target your car. There are very purposeful and targeted crimes, but these are much less common than the crimes of least resistance. When hackers break into banking or large corporate web sites, they have a specific target, and incredible amounts of skill and resources. Compared to typical website hacks, the overall percentage of attacks like this is extremely low, because there aren’t many out there who could carry it out.

Website Security: Hackers, Botnets, and LIBWWW-PERL: Part 1

Take proper security measures to protect your website. Recently, there has been a rash of automated hacker attacks, defacing websites across the globe that don’t employ adequate security measures. Earlier this week, several friends of mine had their sites hacked and defaced. Most of these attacks don’t come from experienced hackers — they come from script kiddies employing automated scripts and a network of compromised computers (botnets). Even though these junior hackers may be inexperienced, they know enough to take down your site, and I don’t need to explain how much that can cost your business in lost revenue.

Don’t worry though, there is a simple solution that will reduce your site’s susceptibility to these attacks, and buy you some time to plug security holes. It’s relatively easy to implement, even if you’re not a security expert.

Suppress PHP Errors

The other day I was checking out some tools on a popular site and got the following PHP error in my browser:

Warning: mysql_connect() [function.mysql-connect]: Too many connections in /****/*****/***/*****.php on line ***

It is important to suppress PHP errors. I blocked out specific directories and line numbers in this post, but the real error message laid it out for all the world to see. PHP developers will be familiar with this and similar errors that PHP kicks out.

The site I visited was relatively high profile and this could be potentially embarrassing, not to mention the problems it could cause. There are many reasons you should suppress PHP errors, except when in development and testing phases.

.htaccess Reference: Part 2

In case you missed it, you can read the first part of the .htaccess Reference here.

Password unprotection

Unprotect a directory inside an otherwise protected structure:

Satisfy any

Extra secure method to force a domain to only use SSL and fix double login problem

If you really want to be sure that your server is only serving documents over an encrypted SSL channel (you wouldn’t want visitors to submit an .htaccess password prompt on an unencrypted connection) then you need to use the SSLRequireSSL directive with the +StrictRequire Option turned on.

.Htaccess Reference

.htaccess is a configuration file used on Apache and other *nix servers. It is one of the most configurable and powerful tools for website functionality, security, and search engine optimization. Here is a comprehensive reference.

.Htaccess (Hypertext Access) is the default name of Apache’s directory-level configuration file. It provides the ability to customize configuration directives defined in the main configuration file. The configuration directives need to be in .htaccess context and the user needs appropriate permissions.
