So in the instance you needed to hide the navigation menu on a certain type of page within your site you would literally add a few lines of code as the wordpress codex already provides a function for determining if the page is using a certain type of template. (see: is_page_template )

Lets assume the following.

1. You have made a wordpress template called “template-no-nav.php” inside the theme root
2. You have assigned your page the custom template
3. You want to hide the navigation menu from the template

Just add the following code to the header.php file where your navigation menu would normally appear.

View/Hide Source Code

1 2 3 4 56

<?php     if ( is_page_template('template-no-nav.php') ) {     } else  {     ?>     <?php wp_nav_menu( array( 'theme_location' => 'primary' ) ); ?><?php } ?>

As he is running wordpress the immediate thought was that wordpress was overriding something and showing 404 errors inside his api directory (usually 404 errors indicate that the folder/file does not exist but we checked and the folder was there).

Here is a visual example of the issue.

When i opened up his .htaccess file in his /api/ directory I could see the following which is pretty standard .htaccess format.

View/Hide Source Code

1 2 3 4 56

Options +FollowSymLinks IndexIgnore */* RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-dRewriteRule . ./index.php

I noticed that the rewrite base was not being defined and this usually occurs when you have an apache server configured for “AllowOverride None” so I added another line to his .htaccess file to get it working again (see line 4 below RewriteBase /api/).

View/Hide Source Code

1 2 3 4 56 7

Options +FollowSymLinks IndexIgnore */* RewriteEngine On RewriteBase /api/ RewriteCond %{REQUEST_FILENAME} !-fRewriteCond %{REQUEST_FILENAME} !-d RewriteRule . ./index.php

I hope this helps those who also had this issue.

This checklist below is  what I will do for them and although its not the “military grade, bullet proof secure wordpress version”, it does provide a heightened level of security for wordpress and  will deter hackers and their automated robots but at the same without causing inconvenience to the web site owner, who, face it, are not that technical, otherwise they would not be asking someone to install and secure wordpress for them.

1. Give wordpress its own directory
   Quite often, hackers will use automated robots to attack the default admin folders for wordpress so giving wordpress its own directory makes it a little harder for them to find it. Its very simple to do this and wordpress provides very specific instructions here.
   a. create a folder in the root of your site called /mywordpress (or another familiar name)
   b. upload the latest wordpress version to that folder
   c. make a copy of the /mywordpress/index.php file and move it to the root at /
   d. change this line from: require(‘./wp-blog-header.php’); to require(‘./mywordpress/wp-blog-header.php’);
   e. run the wordpress install and tell wordpress that the site url is: mysite.com and the wordpress url is: mysite.com/mywordpress
2. Install and update to latest version of wordpress
   Its very important to upgrade to the very latest version of wordpress in order to take advantage of any new security updates that wordpress has integrated since the last version.
3. Install Login Lockdown Plugin
   This plugin will trap hackers who try and brute force the login page by only allowing 3 failed login attempts  before locking the users ip out and preventing them from accessing wordpress.
   Plugin URL: http://wordpress.org/extend/plugins/login-lockdown/
4. Install WP Security Scan Plugin
   This plugin allows you to quickly change the wordpress table prefixes and scans your wordpress install for various permissions.
   Plugin URLn: http://wordpress.org/extend/plugins/wp-security-scan/
5. Delete akismet plugin as its not needed
   Unless you will be allowing users to comment and you wish to use the spam filtering from wordpress.org, then delete this plugin. Its easy to reinstall if you need it later.
6. Delete hello dolly plugin as its not needed
   Although this plugin is totally harmless, there is no point in having plugins which have no use to wordpress.
7. Change the wordpress table database prefixes to avoid sql injection
   Using the WP Security Scan plugin installed earlier on, we just add a random prefix to the wordpress tables so in the case a hacker tries to inject data into a table, it makes it harder for them to guess the tables names. The deafult wordpress table prefix is wp_ so you will make it something like wp_xff_
8. Delete /wp-content/uploads folder and changed upload folder to /images
   Hacker will always try and target the /wp-content/uploads folder, so moving it will bypass any robot attempts to hack it.
   a. open the wp-config.php file
   b. add this line to make wordpress store images in the root like /yourdomain.com/images:
   

   View/Hide Source Code

   1	define( 'UPLOADS', ''.'images' );

9. Remove admin username
   Removing the admin username eliminates a known username for hackers to target. If admin username is used, this gives the hacker an extra 50% chance of getting access as they already know the username.
10. Add directives to robots.txt to not index wordpress files and folders.
    Hacker will use search engines to find login pages for wordpress as well as core folders so preventing them from being indexed in the first place will make it a little harder for your wordpress install to be discovered.
    

    View/Hide Source Code

    1 2 3 4 56 7 8 9 1011 12 13 14 15

    ###################################### # ROBOTS! DO NOT INDEX WORDPRESS STUFF! # added by craig@craig-edmonds.com ###################################### User-agent: *Disallow: /cgi-bin Disallow: /wp-admin Disallow: /wp-includes Disallow: /wp-content/plugins/ Disallow: /wp-content/cache/Disallow: /wp-content/themes/ Disallow: */trackback/ Disallow: */feed/ Disallow: /*/feed/rss/$ Disallow: /category/*

11. Add htaccess protection /.htaccess file
    This code will prevent hackers from checking to see if there is a .htaccess file on your web site or accessing it directly.
    

    View/Hide Source Code

    1 2 3 4 56 7 8 9

    ###################################### # STRONG HTACCESS PROTECTION! # added by craig@craig-edmonds.com ###################################### <Files ~ "^.*\.([Hh][Tt][Aa])">order allow,deny deny from all satisfy all </Files>

12. Add no directory browsing to /.htaccess file
    Some hosts prevent web site visitors from browsing directories and wordpress to an extent does provide an empty index.php file in most directories but adding this code to your .htacess file will disable directory browsing across all folder on your web site.
    
    

    View/Hide Source Code

    1 2 3 4 5

    ###################################### # DISABLE DIRECTORY BROWSING! # added by craig@craig-edmonds.com ###################################### Options All -Indexes

13. Add additional wp-config.php protection to /.htaccess file
    Although we are providing some security in an earlier step to protect the wp-config.php file, this step, like the .htaccess protection, prevents hackers from directly accessing the wp-config.php.
    

    View/Hide Source Code

    1 2 3 4 56 7 8

    ###################################### # PROTECT WP-CONFIG.PHP FILE! # added by craig@craig-edmonds.com ###################################### <files wp-config.php>Order deny,allow Deny from all </files>

14. Add some extra sql injection inside of root htaccess file
    This code will prevent various sql injection methods being passed through query strings to your wordpress files.
    

    View/Hide Source Code

    1 2 3 4 56 7 8 9 10

    ###################################### # PROTECT FROM SQL INJECTION! # added by craig@craig-edmonds.com ###################################### Options +FollowSymLinksRewriteEngine On RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) RewriteRule ^(.*)$ index.php [F,L]

15. Change the following files so they are read only (chmod 444) to prevent malicious users writing to them.
    Usually hacker will use robots to login with ftp and rewrite or append to your wordpress files. The 3 files below are the main ones that you need to protect so only allowing read access to them means they cannot be written to in the even that your ftp is compromised
    /wp-config.php
    /.htaccess
    /index.php

I have donated to some Cancer charities in the past whilst trying to do my “bit” so thought it was in relation to that, so my heart fluttered for a moment and decided to read it to see what it says.

However on closer reading, I can see that its a spammers attempt to send me email about their very own spam services, nothing to do at all with the Children’s Cancer Institute Australia.

Below is a screenshot of the email I have received and the headers are beneath that in case any of my hacking buddies fancied doing some good for once and taking these people out of business.

If Interpol is watching, please take these sick and disgusting people down.

Just click on the image below to enlarge.

[code type=html]

Return-Path:
Delivered-To: craig@123marbella.com
Received: from smtp27.gate.ord1a (smtp27.gate.ord1a.rsapps.net [10.130.4.27])
by store170a.mail.ord1a (SMTP Server) with ESMTP id A071B2A007B
for ; Thu, 7 Jun 2012 06:17:58 -0400 (EDT)
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-11518-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=1.0 c=1 a=kfJZJuxRF8EA:10 a=46tWmEpMgUUA:10 a=IkcTkHD0fZMA:10 a=9IpI6odXBaEA:10 a=QfySvo-rAAAA:8 a=EmUa72ekAAAA:8 a=n4IzhgBxAAAA:8 a=Lz8LGXbsAAAA:8 a=qHWKkvlrePIQylN55w8A:9 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=tXsnliwV7b4A:10 a=KyjqtotWpLIA:10 a=kgAGQwDXVyQELCiJ:21 a=MPbhsAD6HDM8snIW:21
X-Orig-To: craig@123marbella.com
X-Originating-Ip: [202.91.7.27]
Received: from [202.91.7.27] ([202.91.7.27:2496] helo=smtp.portplus.com)
by smtp27.gate.ord1a.rsapps.net (envelope-from )
(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
id DB/F0-07614-5DF70DF4; Thu, 07 Jun 2012 06:17:58 -0400
Received: from Tiffany2 [192.168.1.18] by smtp.portplus.com.au with ESMTP
(SMTPD-11.01) id 8b05000008914d39; Thu, 7 Jun 2012 20:02:55 +1000
Date: Thu, 7 Jun 2012 20:02:55 +1000 (EST)
From: enenlymbatulan@yahoo.com.ph
To: craig@123marbella.com
Message-ID: <827781839.129039.1339063375404.JavaMail.Administrator@Tiffany2>
Subject: Children's Cancer Institute Australia - Privacy Policy
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: ColdFusion 9 Application Server

[/code]

So today, I have decided that prevention is better than cure, and proceeded to lock down the WHM login page on all my servers and surprisingly could not find accurate information on how to do it, however, after some extensive research I have found that it is very easy to do.

This procedure is useful if you run a small VPS or dedicated server and dont have any resellers accessing WHM. Mind you if you do have resellers, you can always just tell them that WHM access is limited by fixed IP and they have to like it or lump it. After all its in the name of security.

Just do the following to lock down your WHM login page.

1. Login to WHM
2. Go to Main >> Security Center >> Host Access Control
3. In the Daemon column type:  whostmgrd (this is the WHM service)
4. In the Access List column type: your ip address
5. In the Action column type: allow (this will allow your ip)
6. Go to the next row to create a deny entry
7. In the Daemon column type:  whostmgrd
8. In the Access List column type:  ALL
9. In the Action column type: deny (this will perform the deny action)
10. Dont forget to click the “save host access file button.

Now your WHM will only be accessible from your fixed ip.

if you see the image below, this is what your screen will look like (click on the image to see full version)

Well today I just received some thing new but familar and along the lines of the above.

Its a skype invite from someone claiming to represent skype and that I have won 1,000,000 GBP.

Below is a screenshot of my skype console and whats noticeable about this scam message, apart from the fact that its too good to be true, is that a free live.com account is being used rather than a skype account which is a clear indication of a scammer.

So, if you see such requests, then simply block the request and also report it.

Never ever give your personal details to strangers, they will find a way to fleece you dry.

• destroy any seo you have done on your site
• steals your clients by sending them to a possible “drive by install” site
• reduce your sites credibility to rubble

All of this without you or your webmaster or seo dude/dudess being aware of it.

FYI: any linux server that I run, I run linux malware detect which is without a doubt a brilliant tool for spotting hacked files and without it, I probably would have never even found this hack.

Today I received a maldet report which showed one of my clients accounts as being compromised with some base64 code. Base64 code is not necessarily malicious, but, some investigation should be merited because it can contain dodgy code with a hidden agenda.

Here is a part of the maldet report I received today.

So the first thing I did was visit the clients site by typing their domain name into my browser and then doing “view source”, in order to see within the code of the site if there was any javascript injections, which is usually a sign that the site has been hacked in some way. I did not see any malicious code at all.

I then opened up the hacked files in notepad to discover some bas64 code had been inserted into every single php file on the clients site (not only wordpress files, even non wordpress files too) and its only then the situation has unravelled itself.

Next thing I did in order to test if this hack was working/real/functional, was to type into google search bar, site:clientsdomain.com, this then brings up all the listings that google has for this web site, allowing me to test the code.

I then clicked on one of the listing and lo and behold was auto redirected to a coupon site, not my clients site. I then tried it again with a different google link and I was redirected to a bing lookalike site. This is obviously very bad in the fact that normal visitors to your site will not see anything or be affected at all but anyone coming from bing, yahoo, facebook and google will simply be redirected, meaning any seo you have done in order to boost your serps get blown out of the water…not good.

So obviously as every single php file was infected, editing each file would prove to be futile, we simply restored the site from a backup and then investigated as to how the hacker has gotten in and found it was due to some permission issues with the clients account.

It does highlight a few things though in terms of how you could unwittingly be a victim of a hack and not even know it.

The email at first glance appears to be from facebook saying that someone has commented on one of my photos, but looking closer I can see that its a total phishing/scam email.

Even me with over 15 years of using email, I nearly got caught out.

The subject of the email is:  ”Sara made a comment about your photo”… which if you receive such updates on a regular basis (remember, facebook in 2010 has 500 million members) you would not think twice about clicking on the links in the email..

So here are some basic clues on how to spot the fake facebook email.

I think my advice would be, is that if you receive ANY emails no matter where they appear to be from, just mouse over any links first and usually the real link will appear in your status bar, so if you get an email from Paypal, make sure the url really is paypal, same for facebook, moneybookers, pretty much any email with links in it.

Just by visiting a site, you can be subject to a “drive by” install of spyware or worse. Such software can steal data from your computer without you even knowing it.

I tried to explain that this is the whole point of complicated passwords is so that they cant easily be guessed and in the end he did get the point but BOY its amazing that people will still use easy to guess passwords.

So I looked around at some way to give people an idea of how to understand if their password is strong enough or not.

Below is a diagram from the nice people at cxo.eu.com which I think goes a long way to explain in visual terms how strong your passwords are.

making sure your password is strong can go a long way to protecting you from identity theft or worse

However, having the same password for all your important online accounts jacks up the risk of having them all corrupted and taken over at the same time.

Working with multiple unique passwords should be made a common practice. Below are 3 ways to help you think of different passwords and remember them without having to write them down.

1. Come up with your own password system
Password systems vary from one individual to the next. For this tip, we’ll give you an example just to illustrate a system. Later on, you can tweak certain elements of the sample system to suit the way you remember things. Remember, alpha-numeric passwords are still the best as they are tougher to crack.

Step 1: Pick a common phrase. For this example, we’ll use the cow jumps over the moon.

Step 2: Take the first letter of each word from your phrase. This leaves us with tcjotm.

Step 3: Count the number of letters that make up your host’s or service’s name. If you’re making your password for Yahoo, then you use the number 5. Put the number between the letters from your phrase. You now have tcj5otm.

Step 4: Use the consonant letters of your service’s name and attach them at the end of your password. You can choose to separate this with a slash. This leaves you with tcj5otm/ym.

2. Use a password management software
A password management software keeps a database of all your passwords and their corresponding accounts. This beats listing down your passwords on a sheet of paper that others may easily see. Loose sheets of paper are also prone to getting lost.

However, it is still wise to make sure you have multiple updated backup copies of your password database.

Hard drives may crash while laptops and portable storage devices may get lost. Backups allow you to immediately change your passwords for all your accounts in one go.

It is important that you safeguard your password database with a strong master password. Having multiple unique passwords in your database is useless if your master password is a giveaway.

3. Have your passwords randomly generated
Randomly generated passwords are almost impossible to compromise. There is no pattern and there are no personal references involved.

Random passwords may be generated by an online service, by software, or by you. Using online password generators requires skilled caution—make sure the service is credible, so as not to put your accounts at risk.

Software and self-generated passwords require a password management software because it is challenging to manually keep track of multiple unique passwords.

However, it is recommended that your master password be something that you remember. Keep in mind that your unique passwords in your database are only as strong as the master password you come up with.

Again, make sure that you regularly update your database and back it up.