Blog

WordPress security

My server was recently subject to a hack attack. In some senses it was pretty serious—many new files containing malicious code, many altered files, new bogus admin accounts in WordPress. But in the end it seems I lost no data, and none of my sites got injected with spam links (which I gather was the intent of the hack).

Needless to say, I’ve been forced to quickly learn a lot about web security, and I’ve been grateful to be forced to do so without major losses. I’ll try and document some useful things I’ve learned here.

NOTE: This post contains some good WordPress security tips, but in response to a specific hack. For a more general, comprehensive run-down of solid WordPress security measures, see this post.

CSS debugging in Internet Explorer

I develop XHTML/CSS primarily in Firefox, followed by testing and tweaks in other browsers. Apart from Firefox being my primary browser anyway, most of the reason for this is that there are some tools for it that have become as essential to me as my text editor (these days, that’s TopStyle). This handy trio are:

  • Firebug – simply incredible
  • Web Developer Toolbar – still very valuable, with some great little features
  • ColorZilla – a good colour picker, plus some things that the others do, but slightly quicker to access

This is all great. However, more often than not, the times when you really need this sort of stuff are in Internet Explorer – especially pre-7 versions.

I’ve not had much luck in IE 6 with the Firebug Lite implementation. I have just come across a good bookmarklet called XRAY. Compared to the Swiss Army Knives above, it’s very basic, but it provides key information about page elements that can really speed debugging along.

Networking problems with the Belkin Wireless G USB adapter

Having just moved to London, into a flat with a wireless net connection, I needed to get my trusty desktop PC wireless-enabled.

My laptop, with its built-in wireless adapter, worked straight away. As the router here is a Belkin Wireless G, I thought I’d go for an adapter for my desktop from Belkin, too. I got an external USB one to match the “G” networking speed of the router.

The instructions for installing the adapter stress – repeatedly – that you should install the supplied software before plugging the adapter in. There’s even a sticker sealing the adapter’s little plastic bag exclaiming, “STOP: Run the installation CD-ROM FIRST” – which I dutifully did.

Get rid of BR tags inserted by WordPress

Even these days, WordPress will often mess with HTML code entered into posts or pages. The most persistent problem I’ve found has been its penchant for inserting <br /> tags inside forms.

No, I’ve not found a way to stop it. Just a slightly lateral workaround: create the following generic class in your stylesheet and apply it to any form (or other containing element) where unwanted <br />s are being slipped in:

.nobr br {display: none;}

If you’re using <br /> tags yourself in that bit… well, you can always use a bit of a margin, eh?

Default WordPress visual editor to “off” for new users

Being a die-hard hand-coder, WYSIWYG editors irk me. It’s partly an irrational “Get your mitts off my code!” thing, but it’s often very practical.

Working with WordPress, many of the sites I deploy for clients need specific layout code within the editable content of WP-managed pages. The code is necessary, and the clients are savvy enough to work around my HTML when they edit their copy.

WP’s visual editor, however, isn’t. It switches any <div> for a <p>, and otherwise messes stuff up. Maybe there’s a way to coax it into being less interfering. But for now I just need to get the visual editor out the way.

In theory that’s fine – each user just has to uncheck the visual editor box on their WordPress profile. It’s set to be checked by default when a new user is created. It has already happened several times that a client has forgotten to do this, gone to edit a tiny bit of copy on the delicately coded home page, only for the editor to mess it all up.

Can’t I just set visual editing to be “off” by default?

Here’s how. In the file wp-admin/admin-functions.php, change line 522 from this:

$user->rich_editing = 'true';

To (unsurprisingly) this:

$user->rich_editing = 'false';

Vertically aligned content and sidebar with CSS

One of the steps backwards taken with CSS is control of vertical stuff. Getting coloured sidebar and content areas to be equal height even when their contents are vertically unequal, and vertically centering something in a box are just two things that are (1) dead easy with tables, (2) quite common design requirements, and (3) a bit fiddly at best with current CSS standards.

Things may be changing with new CSS standards, and with the evolution of various hacks and workarounds. Anyway, I just found a solution for a site I’m working on which seems to work well in this instance. I may have reinvented some wheel or other, but here it is.

Spamhaus.org and SMTP authentication

Just solved a pesky email problem that was really vexing.

Sending email from my localhost web server (usually via ColdFusion apps), for testing and other purposes, has always worked swimmingly. Recently, however, emails sometimes didn’t send. A glance at my ColdFusion log files showed the error “Invalid Addresses”.

Some addresses from some of my domains have started to be used extensively for sending spam (by other people!), so I wondered whether I’d got blacklisted somehow.

A blacklist was involved, but not for addresses. A closer look at the CF error logs showed this:

Invalid Addresses; nested exception is: class javax.mail.SendFailedException: 550-xx.xx.xx.xx is listed at zen.spamhaus.org (127.0.0.11: 550 http://www.spamhaus.org/query/bl?ip=xx.xx.xx.xx)

The x’d out bits are my current IP address. Spamhaus.org seems to be a large spam-fighting clearinghouse, with, among other things, IP blacklists. Looking up my IP address on their database found it listed.

The solution is to add SMTP authentication to your outgoing mail script. For ColdFusion, it looks something like this:

<cfmail to="user@domain.com" from="noreply@domain.com" subject="Message subject" server="smtp.domain.com" username="noreply" password="password">
	[message]
</cfmail>

(Obviously, with suitable bits substituted for your situation…)
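As an added example that is not part of the original post: a small Python script that builds the zen.spamhaus.org lookup name for an IPv4 address, interprets the answer, and sends through an authenticated SMTP submission port with STARTTLS. The 127.0.0.11 in the log above is Spamhaus’s PBL code (the policy list of address ranges that are not expected to deliver mail directly), which is exactly why authenticating to the domain’s own mail server fixes the problem. The address 203.0.113.45, the server smtp.example.com and the credentials are placeholders; the resolver is passed in as a parameter so the demo runs offline against a constructed lookup table, and `live_lookup` is the hypothetical drop-in for a real check.

```python
"""Diagnose a Spamhaus ZEN listing and send mail via authenticated SMTP.

Added example, not code from the original post. The resolver is passed in
so the demo below runs offline against a constructed table; for a live check
pass `live_lookup` instead.
"""
import ipaddress
import smtplib
import socket
from email.message import EmailMessage

ZEN_ZONE = "zen.spamhaus.org"


def zen_query_name(ip: str) -> str:
    """Reverse the IPv4 octets under the ZEN zone: 1.2.3.4 -> 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not dotted IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + ZEN_ZONE


def classify_zen_answer(answer: str) -> str:
    """Map a ZEN A-record answer to the component list that produced it."""
    octets = [int(o) for o in answer.split(".")]
    if octets[:3] == [127, 255, 255]:
        # Spamhaus signals query errors (open resolver, volume limit) here, not listings
        return "error: query rejected by Spamhaus, not a listing"
    if octets[:3] != [127, 0, 0]:
        raise ValueError(f"unexpected DNSBL answer {answer!r}")
    code = octets[3]
    if code in (2, 3):
        return "SBL: IP is a known spam source"
    if 4 <= code <= 7:
        return "XBL: IP shows signs of compromise (open proxy, malware relay)"
    if code in (10, 11):
        return ("PBL: IP is in a range not expected to deliver mail directly; "
                "relay through your provider's authenticated submission server")
    return f"unknown ZEN code 127.0.0.{code}"


def check_zen(ip: str, dns_lookup) -> list:
    """Verdicts for `ip`; an empty list means not listed (NXDOMAIN)."""
    try:
        answers = dns_lookup(zen_query_name(ip))
    except socket.gaierror:
        return []
    return [classify_zen_answer(a) for a in answers]


def live_lookup(name: str) -> list:
    """System resolver; needs network and raises socket.gaierror on NXDOMAIN."""
    return socket.gethostbyname_ex(name)[2]


# Constructed offline stand-in for DNS. 203.0.113.45 (a documentation address)
# plays the part of the xx.xx.xx.xx in the post's log and answers 127.0.0.11,
# the same code the ColdFusion error quoted. Everything else is unlisted.
FAKE_ZONE = {zen_query_name("203.0.113.45"): ["127.0.0.11"]}


def fake_lookup(name: str) -> list:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("NXDOMAIN")


def build_message(to: str, sender: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["To"], msg["From"], msg["Subject"] = to, sender, subject
    msg.set_content(body)
    return msg


def send_authenticated(server: str, username: str, password: str,
                       msg: EmailMessage, port: int = 587) -> None:
    """The fix from the post in Python terms: log in to the domain's own SMTP
    server on the submission port instead of delivering from the local box.
    STARTTLS before login keeps the credentials off the wire in the clear."""
    with smtplib.SMTP(server, port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls()
        smtp.ehlo()
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    for ip in ("203.0.113.45", "192.0.2.7"):
        print(ip, check_zen(ip, fake_lookup) or "not listed")
    # Placeholder server and credentials; uncomment to actually send.
    # send_authenticated("smtp.example.com", "noreply", "PLACEHOLDER",
    #                    build_message("user@example.com", "noreply@example.com",
    #                                  "Message subject", "[message]"))
```

Running the script prints the PBL verdict for the placeholder address and “not listed” for the other. A PBL hit is the one case where the sending machine is not necessarily doing anything wrong: the range is simply not meant to talk SMTP to the world, so the right response is to relay through the authenticated server rather than to request delisting.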

Google, SEO & CSS image replacement

I’ve just been reading about possible clashes between the CSS “image replacement” technique that I use and Google’s rules about spam techniques.

Image replacement involves using CSS to hide the text for an element (e.g. a <h1>), and setting the background-image for that element to replace it with an image. Users with visual browsers with CSS get the image; text-only browsers, bots, etc., just see plain text.

It’s not without its detractors and slight drawbacks, but it’s a widespread technique. A quick scan of big-name sites as of writing found it in evidence on stopdesign.com, mezzoblue.com and adobe.com.

IE CSS box height bug

A small but infuriating CSS bug in IE… No shit.

I’m creating a box with rounded corners around some content using my usual method:

  • Place empty <div>s with ids above and below the content <div>
  • Create background images for the top and bottom of the box <div>s, and put them in (with fixed width and height for the <div>) with CSS
  • Continue the border along either side of the content <div> with CSS borders

All well and good. Only, on IE6/Win, the top <div> wouldn’t shrink to less than about 16px, leaving a gap of whitespace below the 8px high background image.

After much searching, I found a workaround buried in the life-saving Explorer Exposed pages. You can read about the ins and outs over there; here you’re just going to get a nice quick fix.

Put this in the CSS rule for the <div>:

overflow: hidden;

The holding page and the 503 status code

NOTE: I’ll leave the information here for reference as it’ll probably still be useful to some. But for anyone using WordPress who wants a convenient way of putting up a holding page without confusing search bots and without blocking yourself from using the site while it’s “down”, I’ve just found the very neat Maintenance Mode plugin. Seems to work like a treat. 14/2/08

Ever wanted to have a system in place that allows you to easily “switch on” a holding page for the whole of your site for when you need to do some maintenance? Well, that’s relatively easy to do; but what about bots? Even if you’re only down for 10 minutes, what if your luck is such that Googlebot makes its random rounds at precisely that time? Depending on how your holding page works, it might register a load of “404 – Not Found” errors, or replace your indexed content with your holding page… Who knows? Not I.
