Category Archives: Internet Security

How to Show a Different WordPress Theme based on IP Address [SOLVED]

A colleague and I recently ran into a situation where we had to show one WordPress theme to the site's visitors but a different one to ourselves, so that we could develop the new theme on the live site without exposing the half-finished theme to the public.

A search did not turn up anything useful, and we did not want a bloated third-party plugin slowing the site down, so we settled on filtering by IP address and switching the theme for our own addresses only.

So we spun up a quick plugin around WordPress's switch_theme() function. One caveat worth knowing: switch_theme() writes the new theme into the options table, so it changes the theme for every visitor until something switches it back. If you only want the development theme for your own requests, filter the template and stylesheet values per request rather than calling switch_theme(), so nothing is ever written to the database.

BOOM! Now when we visit the client's site we see the new theme and how it interacts with the existing content, without interrupting anyone else's experience. NICE!

Here is the code which helped us accomplish the task.

All you have to do is:

  1. Create a file inside your plugins folder called "change-the-theme.php"
  2. Drop the code below into that file
  3. Add your developers' IP addresses to the list
  4. Change the theme names
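As an added example (not the post's own plugin), here is a complete plugin file that does the job described above without switch_theme(): it filters the template and stylesheet values for the current request only, so the database is never touched and other visitors keep the live theme. The IP addresses and the theme directory name newtheme are placeholders; replace them with your own.

```php
<?php
/**
 * Plugin Name: Developer Theme by IP
 * Description: Added example: show a different theme only to the listed IP addresses.
 *
 * Unlike switch_theme(), which writes the new theme into the options table for everyone,
 * this filters the theme per request and never touches the database.
 */

// Developer addresses: single IPv4 addresses or CIDR ranges (assumed values, replace them).
const DEVTHEME_IPS = array( '203.0.113.10', '198.51.100.0/24' );

// Directory name of the development theme under wp-content/themes (assumed value).
const DEVTHEME_SLUG = 'newtheme';

/** True when $ip (IPv4) equals $rule exactly or lies inside the $rule CIDR block. */
function devtheme_ip_matches( $ip, $rule ) {
    if ( strpos( $rule, '/' ) === false ) {
        return $ip === $rule;
    }
    list( $subnet, $bits ) = explode( '/', $rule, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    $bits     = (int) $bits;
    if ( $ip_long === false || $net_long === false || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = ( 0 === $bits ) ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

/**
 * Is the current request from a developer? Only REMOTE_ADDR is consulted: X-Forwarded-For
 * is attacker-controlled unless a trusted proxy strips and rewrites it. Behind a CDN or
 * reverse proxy REMOTE_ADDR is the proxy's address, so this check needs adapting there.
 */
function devtheme_is_developer() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    foreach ( DEVTHEME_IPS as $rule ) {
        if ( devtheme_ip_matches( $ip, $rule ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Filter callbacks: swap the parent ("template") and child ("stylesheet") theme
 * directories for developers, but only if the development theme exists on disk,
 * so a typo in DEVTHEME_SLUG cannot leave the developer with a broken site.
 */
function devtheme_template( $current ) {
    if ( ! devtheme_is_developer() ) {
        return $current;
    }
    $theme = wp_get_theme( DEVTHEME_SLUG );
    return $theme->exists() ? $theme->get_template() : $current;
}

function devtheme_stylesheet( $current ) {
    if ( ! devtheme_is_developer() ) {
        return $current;
    }
    $theme = wp_get_theme( DEVTHEME_SLUG );
    return $theme->exists() ? $theme->get_stylesheet() : $current;
}

add_filter( 'template', 'devtheme_template' );
add_filter( 'stylesheet', 'devtheme_stylesheet' );
```

Activate it like any other plugin. Because both the template and stylesheet filters are hooked, a child theme works too: WordPress resolves the parent directory from the WP_Theme object rather than from the slug you typed.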

 

[solved] Gravity Forms with Javascript Validation

Gravity Forms (www.gravityforms.com) is without a doubt one of the best WordPress form plugins out there. I have been using it since it launched; it is a brilliant tool and I have it running on literally hundreds of web sites.

However, recently I needed JavaScript validation on some forms and, unfortunately, Gravity Forms does not natively support it.

When I contacted Gravity Forms support about JavaScript validation, they told me it is not supported and I was on my own.

So below is some jQuery code I have scraped together to get it working. Bear in mind that JavaScript validation only improves the experience for well-behaved browsers: anyone can disable it or post straight to the form handler, so it is not a security control. The server-side checks (the field's Required flag in the form editor, or a gform_validation filter for custom rules) must still be in place.

Assume the form ID is 7; the rest should be self-explanatory. Gravity Forms names its inputs input_<formId>_<fieldId>[_<subInput>], so input_7_1_3 is the first-name input of field 1 (a Name field), input_7_2 is field 2 and input_7_4 is field 4.

The code can be put anywhere you like; the document-ready wrapper binds the handler once the form markup exists, so it does not matter whether it comes before or after the Gravity Forms function call.

<!-- For Gravity Forms Validation Top Form -->
<!-- WordPress already enqueues its own copy of jQuery; loading a second, older copy from a CDN
     is unnecessary and can break other plugins. If this snippet lives outside WordPress, load
     jQuery before it. -->
<script>
jQuery(document).ready(function () {
    // Intercept the submit button of Gravity Form ID 7; returning false stops the submission.
    jQuery("#gform_submit_button_7").click(function () {
        return GravityFormValidation_7(document.getElementById("gform_7"));
    });
});

// Returns false (and focuses the offending input) when a required field is blank.
// Input IDs follow the Gravity Forms convention input_<formId>_<fieldId>[_<subInput>].
function GravityFormValidation_7(Form) {
    var checks = [
        ["input_7_1_3", "Please enter your Name"],
        ["input_7_2",   "Please enter your Phone Number"],
        ["input_7_4",   "Please enter your Email Address."]
    ];
    for (var i = 0; i < checks.length; i++) {
        var input = Form.elements[checks[i][0]];
        // Treat whitespace-only input as empty.
        if (!input || input.value.replace(/^\s+|\s+$/g, "") === "") {
            alert(checks[i][1]);
            if (input) { input.focus(); }
            return false;
        }
    }
    return true;
}
</script>
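Because the jQuery above can be bypassed by anyone who posts directly to the form, here is the server-side counterpart as an added example (it is neither the post's code nor Gravity Forms' own). It uses the documented gform_validation_{form_id} filter and assumes the same field layout as the jQuery: field 1 is a Name field whose first name is posted as input_1_3, field 2 is Phone (input_2) and field 4 is Email (input_4). Drop it in a small plugin or the theme's functions.php.

```php
<?php
// Added example: server-side required-field and email checks for Gravity Forms form ID 7.
// Field IDs and posted keys are assumptions matching the jQuery snippet above.

add_filter( 'gform_validation_7', 'gf7_require_name_phone_email' );

/**
 * Fails validation for blank required inputs and for a malformed email address.
 * Marking the fields Required in the form editor already covers the "blank" case;
 * this filter is where rules the editor cannot express belong.
 *
 * @param array $validation_result Gravity Forms passes array( 'is_valid' => bool, 'form' => array ).
 * @return array The same structure, with failed fields flagged.
 */
function gf7_require_name_phone_email( $validation_result ) {
    $form = $validation_result['form'];

    // field id => array( posted key, message shown next to the field )
    $rules = array(
        1 => array( 'input_1_3', 'Please enter your Name' ),
        2 => array( 'input_2',   'Please enter your Phone Number' ),
        4 => array( 'input_4',   'Please enter your Email Address.' ),
    );

    foreach ( $form['fields'] as &$field ) {
        if ( ! isset( $rules[ $field->id ] ) ) {
            continue;
        }
        list( $key, $message ) = $rules[ $field->id ];
        // rgpost() is Gravity Forms' accessor for $_POST values (returns '' when absent).
        $value = trim( (string) rgpost( $key ) );

        if ( '' === $value ) {
            $field->failed_validation      = true;
            $field->validation_message     = $message;
            $validation_result['is_valid'] = false;
        } elseif ( 4 === (int) $field->id && ! is_email( $value ) ) {
            // is_email() is WordPress core; it rejects values that are not plausible addresses.
            $field->failed_validation      = true;
            $field->validation_message     = 'That does not look like a valid email address.';
            $validation_result['is_valid'] = false;
        }
    }
    unset( $field );

    $validation_result['form'] = $form;
    return $validation_result;
}
```

With this in place the browser-side alerts are a convenience and the filter is the control: a request that skips the JavaScript still gets the field-level error messages and the submission is not stored.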

Backdoor WordPress Login Script

I created this script to let me quickly log in to clients' WordPress installs after they have royally messed things up. For example, some clients change their admin password and do not know which email account they used, so this script lets me quickly create a new user, log in and reset their details without mucking about in MySQL.

NOTE: to use this script you need access to the web server: you upload the file to the site and then execute it through the browser. Treat it as exactly what its name says, a backdoor. Anyone who can request the URL while the file exists gets an administrator account, so use an unguessable file name, put it in place only for the minutes you need it, and remove it immediately afterwards. Where you have shell access, WP-CLI's wp user create with --role=administrator does the same job without leaving a file under the web root.

Instructions
================================
1. create a new file called some_file_name.php (pick a name nobody could guess)
2. copy the code below into it
3. change the settings if you need to
4. execute the script via your browser at www.some_domain.com/some_file_name.php
5. delete the file as soon as the admin user has been created (not optional: while it exists, anyone who finds the URL can create an administrator too)

 

Hiding Part of a WordPress Template Based on the Type of Template Being Used

Here is a nifty piece of code you can use when you need to hide or show something on a WordPress template that you have assigned to a page.

For instance, if you needed to hide the navigation menu on a certain type of page, you would add only a few lines of code, because WordPress already provides a function for determining whether the current page uses a given template (see is_page_template in the Codex).

Lets assume the following.

  1. You have made a WordPress template called "template-no-nav.php" in the theme root
  2. You have assigned your page that custom template
  3. You want to hide the navigation menu on that template

Just add the following code to the header.php file where your navigation menu would normally appear.

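As an added example (not the post's own snippet), this is the header.php fragment the steps above describe. template-no-nav.php is the file from the assumptions; the menu location primary is an assumption too.

```php
<?php
// Added example for header.php: skip the navigation when the page uses template-no-nav.php.
// is_page_template() takes the template path relative to the theme root, so a template kept in
// a sub-folder is checked as 'templates/template-no-nav.php'; since WordPress 4.2 it also
// accepts an array, which lets one check cover both locations.
$no_nav_templates = array( 'template-no-nav.php', 'templates/template-no-nav.php' );

if ( ! is_page_template( $no_nav_templates ) ) {
    wp_nav_menu( array(
        'theme_location' => 'primary',   // assumed menu location registered by the theme
        'container'      => 'nav',
        'fallback_cb'    => false,       // do not dump a page list if no menu is assigned
    ) );
}
?>
```

The same conditional works for any block of the header (a hero image, a search box); only the function call inside the if changes.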

[solved] .htaccess not working in wordpress sub directory

Today one of my clients mentioned that his REST API was returning 404 errors and his iPhone app was broken as a result.

As he runs WordPress, the immediate thought was that WordPress's own rewrite rules were catching the requests and serving 404s for his api directory (a 404 usually means the folder or file does not exist, but we checked and the folder was there).

Here is a visual example of the issue.

When I opened the .htaccess file in his /api/ directory I saw the following, which is a pretty standard set of rewrite rules.


I noticed that RewriteBase was not set. In a per-directory (.htaccess) context mod_rewrite has to map the rewritten path back onto the URL prefix of the directory, and when it cannot work that out a relative substitution such as index.php lands in the wrong place and produces a 404. So I added one line to his .htaccess, RewriteBase /api/, directly after RewriteEngine On, and the API worked again. Note that this is not the same problem as AllowOverride None: with that setting the .htaccess file is ignored entirely and no edit to it would help; that has to be fixed in the virtual host configuration.
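As an added example (not the client's actual file, which the post does not reproduce), here is the shape of a standard front-controller .htaccess for an /api/ subdirectory with RewriteBase in place. The rewrite target index.php?url=$1 is an assumption; substitute whatever your API's router expects.

```apacheconf
# Added example: /api/.htaccess with RewriteBase set.
RewriteEngine On
RewriteBase /api/

# Serve real files and directories as they are; route everything else to the front controller.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
```

A quick check that the directory's own rules are in effect rather than WordPress's is to request a path under /api/ that does not exist as a file: with the rules above you reach the API's index.php (and its own error handling); without them you get WordPress's 404 page.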


I hope this helps those who also had this issue.

How to Secure WordPress

WordPress is not hardened "out of the box". If you are willing to do it yourself, the checklist below is what you need to do in order to make your WordPress install considerably harder to compromise.

No server will ever be 100% bullet proof, but the steps below raise the bar enough to deter casual attackers and their automated scanners, without causing much inconvenience to the web site owner.

    1. Give wordpress its own directory
      Automated scanners look for WordPress at its default paths, so giving it its own directory makes the install a little harder to find. This is obscurity rather than hardening (a targeted attacker will find it in seconds), so treat it as a supplement to the steps that follow. It is simple to do and wordpress.org provides step-by-step instructions:

      1. create a folder in the root of your site called /mywordpress (or another name you will remember).
      2. upload the latest wordpress version to that folder.
      3. copy the /mywordpress/index.php file to the root at /
      4. in that copy, change the line require('./wp-blog-header.php'); to require('./mywordpress/wp-blog-header.php');
      5. run the wordpress install and tell wordpress that the site url is mysite.com and the wordpress url is mysite.com/mywordpress.
    2. Install and update to the latest version of wordpress
      It is very important to run the latest version of wordpress so that you get every security fix released since the previous version; attackers routinely exploit bugs that were patched in earlier releases.
    3. Install Login Lockdown Plugin
      This plugin stops brute-force attempts on the login page by allowing only a few failed login attempts (3 in the configuration used here) before locking the source IP out of wordpress for a period.
      Plugin URL: http://wordpress.org/extend/plugins/login-lockdown/
    4. Install Wordfence
      Wordfence provides an amazing array of security features. It is a little long-winded to configure but provides ample protection for the standard wordpress user.
      Plugin URL: https://wordpress.org/plugins/wordfence/
    5. Delete the akismet plugin if you don't accept comments
      Unless you allow users to comment and want Akismet's spam filtering, delete this plugin. It is easy to reinstall later if you need it.
    6. Delete the hello dolly plugin
      Although this plugin is totally harmless, every installed plugin is code that has to be kept patched, so there is no point keeping one that does nothing for the site.
    7. Delete any themes you are not using
      Don't assume a theme cannot be attacked just because it is not activated: its PHP files are still on disk and can still be requested directly. Remove every theme except the one you are using and the latest wordpress default theme (keep that one as a fallback). It is easy to do through the wordpress admin.
    8. Delete any plugins you are not using
      As with themes, plugins that are not activated should not be sitting on your server. Any code on the server is attack surface, whether or not wordpress is currently "using" it.
    9. Change the wordpress database table prefix
      The default table prefix is wp_, so attack scripts that assume table names such as wp_users break if you change it to something like wp_xff_. Be clear about what this buys you: it is obscurity only and does not prevent SQL injection, since an attacker with a working injection point can read the real table names from information_schema. Set $table_prefix in wp-config.php before installing, or change it on an existing site with a plugin such as WP Security Scan, which also renames the prefixed keys in the options and usermeta tables (wp_user_roles, wp_capabilities, wp_user_level); forgetting those locks every user out.
    10. Move the /wp-content/uploads folder to /images
      Attackers routinely probe /wp-content/uploads, so moving it sidesteps the automated attempts. Wherever it lives, the more important control is to stop the web server from executing PHP inside the upload directory, because a writable directory that runs PHP is how most uploaded web shells get executed.
      a. open the wp-config.php file
      b. add a line defining the UPLOADS constant, above the line that requires wp-settings.php. The value is a path relative to ABSPATH, so the value images makes wordpress store uploads in the root at /yourdomain.com/images:
    11. Remove the admin username
      Removing the admin username eliminates a known username for attackers to target: with the username already known, a brute-force attack only has to find the password. Check that author archives (/?author=1) do not leak your real login name either.
    12. Add directives to robots.txt to not index wordpress files and folders.
      Attackers use search engines to find wordpress login pages and core folders, so keeping them out of the index makes your install a little harder to discover. However, robots.txt is advisory only and anyone can read it, so it also advertises the paths you would rather not show; for me I would rather take my chances by excluding them from search engines and adding extra protection using the other layers here.
    13. Add .htaccess protection to the root /.htaccess file
      This rule stops anyone fetching .htaccess (or .htpasswd) over the web, so an attacker cannot read your rewrite rules or learn the path to your password file.
    14. Add no directory browsing to the root /.htaccess file
      Some hosts already prevent visitors from browsing directories, and wordpress ships an empty index.php in most of its folders, but adding Options -Indexes to your .htaccess file disables directory listings across every folder on your web site.
    15. Add additional wp-config.php protection to the root /.htaccess file
      Although the PHP handler normally never shows the contents of wp-config.php, a misconfigured server or a broken handler would serve it as plain text, database credentials included; this rule, like the .htaccess protection, blocks direct requests for the file outright.
    16. Add some SQL injection filtering to the root .htaccess file
      These rewrite rules reject requests whose query string carries obvious injection strings (union select, script tags and the like). Treat this as a blunt filter that stops noisy scanners; it will not stop a skilled attacker and is no substitute for parameterised queries in the code itself.
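As an added example (the post's own snippets are not reproduced here), this is a root .htaccess that implements items 13 to 16, plus the per-directory file for item 10 that stops PHP running in the upload folder. It assumes Apache 2.4 (the Require syntax) with WordPress in the document root.

```apacheconf
# Added example: root .htaccess for items 13 to 16.
# Put this ABOVE the "# BEGIN WordPress" block so WordPress's catch-all rewrite does not run first.

# Item 14: disable directory listings everywhere under the document root.
Options -Indexes

# Item 13: refuse direct requests for .htaccess / .htpasswd style files.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Item 15: never serve wp-config.php directly. A working PHP handler never shows its
# contents, but a broken or missing handler would, credentials included.
<Files "wp-config.php">
    Require all denied
</Files>

# Item 16: reject query strings carrying obvious injection strings.
# Blunt keyword filter: stops noisy scanners, not a skilled attacker, and it is no
# substitute for parameterised queries. QUERY_STRING is matched raw, hence the %20 / + forms.
RewriteEngine On
RewriteCond %{QUERY_STRING} union(\s|%20|\+)+(all(\s|%20|\+)+)?select [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(\s|%20)*script [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code\( [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|%2e%2e%2f) [NC]
RewriteRule .* - [F,L]

# ---------------------------------------------------------------------------
# Item 10 (separate file): wp-content/uploads/.htaccess, or images/.htaccess if you
# relocated the upload directory. An uploaded file must never execute as PHP.
# <FilesMatch "\.ph(p[0-9]?|tml|ar)$">
#     Require all denied
# </FilesMatch>
```

Test item 15 before relying on it: requesting /wp-config.php in a browser must return 403, not a blank page (a blank page means PHP ran the file, which is normal, but it also means the rule is not in effect and a future handler misconfiguration would expose the file).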

Additional Advanced Options

  1. Make the following files read-only (chmod 444) to prevent malicious users writing to them.
    Attackers with stolen FTP credentials use scripts to log in and rewrite or append to your wordpress files. The three files below are the main targets, so allowing read access only means a careless script or a compromised plugin cannot silently modify them. Be aware of the limit: the owner of the file (usually the FTP user itself) can simply chmod it back, so this protects against automated tampering, not against someone who holds the account credentials.
    /wp-config.php
    /.htaccess
    /index.php
  2. Add wp-login.php protection to the root /.htaccess file
    Automated scripts hammer the default wordpress login page, but by closing off wp-login.php to everything except one IP or a few fixed IPs, attackers that are not on the list get an error page (403 with the [F] rewrite flag) instead of a login form. In the RewriteCond %{REMOTE_ADDR} part of the code, enter your own IP address, escaping the dots, in place of the 255 placeholders. If the site sits behind a CDN or reverse proxy, REMOTE_ADDR will be the proxy's address, not the visitor's, and the rule will lock everyone out, you included.

    IMPORTANT NOTE: you need a fixed IP for this to work; if you do not have one, use the htpasswd method below, which is more common.
  3. Add /wp-admin protection using the htpasswd method
    It is no fun for server admins when wordpress is under attack: automated login attempts produce a kind of DDoS effect and can really give a server a workout. If only you or a handful of users log in, this method puts HTTP Basic authentication in front of the login, so anyone trying to reach it is prompted for a username and password regardless of the IP address they are coming from, and Apache rejects the request before wordpress (and PHP) even runs.

    Step 1: Create the Password File
    Create an empty file named .wpadmin and place it in your home directory, where visitors can't access it. Usually this is ABOVE the public_html directory in your account (note the period preceding wpadmin in the file name). EXAMPLE: /home/username/.wpadmin
    (where "username" is the cPanel username for the account.)

    Step 2: Create the Username and Password Hash
    1. Generate the entry with the htpasswd tool, for example htpasswd -n john (or htpasswd -B -n john for a bcrypt hash on Apache 2.4), which prompts for the password and prints the line. Web generators such as http://www.htaccesstools.com/htpasswd-generator/ do the same job, but they mean typing your password into a third party's site, so prefer the local tool when you have one.
    2. Either way, the result is a single line of username, colon, hash. EG. If you put the username as being john and used the password johndoe, the line looks something like this: john:$apr1$NFzCXrln$LK4N5.FkrMmqYgFWn8l5E1 (the $apr1$ prefix marks Apache's salted MD5 format; it is a one-way hash, not an encrypted password).

    STEP 3. Copy that line into the .wpadmin file you created in step 1.

    Step 4: Update/Create the root .htaccess file
    The last step is to place the code in the .htaccess file at the root of the web site (for a cPanel account that is /home/username/public_html/.htaccess). Some servers create the .htaccess file automatically, so if it exists already just add the code to it; if not, create a new one.
    1. open public_html/.htaccess (if there is not one already just create a new one)
    2. paste the Auth* block into the .htaccess file, with AuthUserFile pointing at /home/username/.wpadmin

    Your wordpress login page should now prompt you for a username and password. If you protect the whole /wp-admin folder rather than just wp-login.php, exempt wp-admin/admin-ajax.php, which wordpress and many plugins call from the public side of the site.

    Happy Days!
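As an added example covering advanced options 2 and 3 (not the post's own snippets), here is the login lock-down in one root .htaccess. It assumes Apache 2.4, that 203.0.113.10 is the developer's fixed IP, and that the password file is /home/username/.wpadmin; use either section or both.

```apacheconf
# Added example: wp-login.php lock-down for advanced options 2 and 3.
# Put these rules BEFORE the "# BEGIN WordPress" block.

# Advanced option 2: only the fixed IP may reach wp-login.php; everyone else gets 403.
# REMOTE_ADDR is the proxy's address behind a CDN or reverse proxy, so do not use this there.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule .* - [F,L]

# Advanced option 3: HTTP Basic authentication in front of wp-login.php.
# The entry in .wpadmin was generated locally with:  htpasswd -B -c /home/username/.wpadmin john
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/username/.wpadmin
    Require valid-user
</Files>

# To cover the whole /wp-admin directory as well, put the same Auth* directives (without the
# <Files> wrapper) in wp-admin/.htaccess and add this exemption there, because admin-ajax.php
# is requested by logged-out visitors through front-end features:
# <Files "admin-ajax.php">
#     Require all granted
# </Files>
```

Verify with two requests: from a non-listed address wp-login.php should answer 403 (option 2) or 401 with a WWW-Authenticate header (option 3), and the public front page should still load for everyone, which confirms the rules are scoped to the login script rather than the whole site.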

Seriously Sick Spammer Using Kids Cancer as a Guise

Well, just when I thought spammers could not get any lower on the scum ladder, I have received an email to my inbox just now titled "Children's Cancer Institute Australia - Privacy Policy".

I have donated to some cancer charities in the past while trying to do my "bit", so I thought it was in relation to that; my heart fluttered for a moment and I decided to read it to see what it said.

However, on closer reading, I can see that it is a spammer's attempt to send me email about their very own spam services, nothing to do at all with the Children's Cancer Institute Australia.

Below is a screenshot of the email I have received, and the headers are beneath that in case any of my hacking buddies fancied doing some good for once and putting these people out of business.

If Interpol is watching, please take these sick and disgusting people down.

Reading the Received lines from the bottom up tells the story: the message was generated on a machine called Tiffany2 on a private address (192.168.1.18), handed to smtp.portplus.com.au, which then connected to my provider from 202.91.7.27 using the HELO name smtp.portplus.com. The From address is a yahoo.com.ph account that never went anywhere near Yahoo's servers, and X-Mailer shows the message was produced by a ColdFusion 9 application, which is bulk-mail tooling, not anything a charity's privacy notice would come from.

Return-Path:
Delivered-To: craig@123marbella.com
Received: from smtp27.gate.ord1a (smtp27.gate.ord1a.rsapps.net [10.130.4.27])
by store170a.mail.ord1a (SMTP Server) with ESMTP id A071B2A007B
for ; Thu, 7 Jun 2012 06:17:58 -0400 (EDT)
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-MessageSniffer-Scan-Result: 0
X-MessageSniffer-Rules: 0-0-0-11518-c
X-CMAE-Scan-Result: 0
X-CNFS-Analysis: v=1.0 c=1 a=kfJZJuxRF8EA:10 a=46tWmEpMgUUA:10 a=IkcTkHD0fZMA:10 a=9IpI6odXBaEA:10 a=QfySvo-rAAAA:8 a=EmUa72ekAAAA:8 a=n4IzhgBxAAAA:8 a=Lz8LGXbsAAAA:8 a=qHWKkvlrePIQylN55w8A:9 a=QEXdDO2ut3YA:10 a=_W_S_7VecoQA:10 a=tXsnliwV7b4A:10 a=KyjqtotWpLIA:10 a=kgAGQwDXVyQELCiJ:21 a=MPbhsAD6HDM8snIW:21
X-Orig-To: craig@123marbella.com
X-Originating-Ip: [202.91.7.27]
Received: from [202.91.7.27] ([202.91.7.27:2496] helo=smtp.portplus.com)
by smtp27.gate.ord1a.rsapps.net (envelope-from )
(ecelerity 2.2.3.49 r(42060/42061)) with ESMTP
id DB/F0-07614-5DF70DF4; Thu, 07 Jun 2012 06:17:58 -0400
Received: from Tiffany2 [192.168.1.18] by smtp.portplus.com.au with ESMTP
(SMTPD-11.01) id 8b05000008914d39; Thu, 7 Jun 2012 20:02:55 +1000
Date: Thu, 7 Jun 2012 20:02:55 +1000 (EST)
From: enenlymbatulan@yahoo.com.ph
To: craig@123marbella.com
Message-ID: <827781839.129039.1339063375404.JavaMail.Administrator@Tiffany2>
Subject: Children's Cancer Institute Australia - Privacy Policy
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: ColdFusion 9 Application Server

Restrict Access to WHM by IP

Attackers are getting smarter and sneakier, and as the internet keeps growing, the control-panel software that web hosts run becomes a more and more attractive target.

So today I decided that prevention is better than cure and proceeded to lock down the WHM login page on all my servers. Surprisingly, I could not find accurate information on how to do it; after some digging, though, it turned out to be very easy.

This procedure is useful if you run a small VPS or dedicated server and do not have resellers accessing WHM. If you do have resellers, you can always tell them that WHM access is limited to fixed IPs and they have to like it or lump it. After all, it is in the name of security.

Just do the following to lock down your WHM login page.

  1. Log in to WHM
  2. Go to Main >> Security Center >> Host Access Control
  3. In the Daemon column type: whostmgrd (this is the WHM service)
  4. In the Access List column type: your IP address
  5. In the Action column type: allow (this will allow your IP)
  6. Go to the next row to create a deny entry
  7. In the Daemon column type: whostmgrd
  8. In the Access List column type: ALL
  9. In the Action column type: deny (this will perform the deny action)
  10. Don't forget to click the "Save Host Access File" button.

Now WHM will only be accessible from your fixed IP. Host Access Control writes these rules to /etc/hosts.allow, which is evaluated top to bottom, so the allow line must come before the deny line. Keep a second session (SSH or your provider's console) open while you test, and add every office or VPN range you connect from, or you will lock yourself out.

Skype 419 Scams: Be Wary

I think by now most of us who have been using the internet for some time know about the Nigerian 419 (advance-fee) scams. You know the ones: a fictitious lawyer emails to say they represent a fallen African dictator who has $10 million in a briefcase and wants to send it to you, as long as you send them your bank details. They then proceed to clean out your account via identity theft.

Well, today I received something new but familiar, along the lines of the above.

It is a Skype invite from someone claiming to represent Skype and telling me I have won 1,000,000 GBP.

Below is a screenshot of my Skype console. What is noticeable about this scam message, apart from the fact that it is too good to be true, is that a free live.com account is being used rather than a Skype account, which is a clear sign of a scammer: a company does not announce prizes from a free webmail identity.

So, if you see such requests, simply block the request and also report it.

Never give your personal details to strangers; they will find a way to fleece you dry.

Froling.bee.pl Hack Warning – this can destroy your seo and credibility with out you even knowing

I am highlighting today a very nasty but very clever hack I found on one of my clients' accounts. It is clever in that it bypasses client-side malware detection entirely (the page looks clean to the browser that views it) and nasty in that it can:

  • destroy any SEO you have done on your site
  • steal your visitors by sending them to a possible "drive-by install" site
  • reduce your site's credibility to rubble

All of this without you or your webmaster or seo dude/dudess being aware of it.

FYI: on every Linux server I run, I run Linux Malware Detect (maldet), which is without a doubt a brilliant tool for spotting hacked files; without it I probably would never have found this hack.

Today I received a maldet report showing one of my clients' accounts as compromised with base64-encoded code. Base64 is not malicious in itself, but base64 payloads inside PHP files merit investigation, because they are a common way of hiding code with a hidden agenda.

Here is a part of the maldet report I received today.

The first thing I did was visit the client's site by typing the domain name into my browser and doing "view source", looking for injected JavaScript, which is usually a sign that a site has been hacked in some way. I did not see any malicious code at all.

I then opened the flagged files in Notepad and found that base64 code had been inserted into every single PHP file on the client's site (not only WordPress files; non-WordPress PHP files too), and only then did the situation unravel itself.

Next, to test whether the hack was live, I typed site:clientsdomain.com into Google's search bar. This lists every page Google has indexed for the site, which let me test the code through a real search-engine referral.

I clicked one of the listings and, lo and behold, was redirected to a coupon site, not my client's site. I tried again with a different Google link and was redirected to a Bing lookalike. This is very bad: a direct visitor sees nothing wrong and is not affected at all, but anyone arriving from Bing, Yahoo, Facebook or Google is simply redirected (the injected code evidently branches on the Referer header), so any SEO you have done to boost your SERPs is blown out of the water. Not good.

Obviously, since every PHP file was infected, editing each file by hand would have been futile; we simply restored the site from a backup and then investigated how the attacker got in, which turned out to be permission issues on the client's account. Two things matter in that order of events: the backup has to predate the compromise, and the permissions have to be fixed before the restored site goes live, or the files will simply be reinfected.
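As an added example (it is neither the post's tooling nor maldet's), here is a small PHP command-line script that does the two checks described above: it walks a document root looking for the eval(base64_decode(...)) pattern and for code that branches on HTTP_REFERER, and it fetches a page with a search-engine Referer header to see whether the site answers with a redirect. The patterns and the site URL are assumptions to adapt to your environment; legitimate plugins occasionally use base64_decode, so treat a hit as something to read, not as proof of compromise.

```php
<?php
// Added example: minimal stand-in for a signature scan plus a referrer-redirect probe.
// Usage:
//   php scan.php /home/client/public_html
//   php scan.php --probe https://example.com/ https://www.google.com/

/** Regexes for the injection style the post describes. These are assumptions, not maldet signatures. */
function suspicious_patterns() {
    return array(
        'eval(base64_decode)' => '/eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(/i',
        'eval(stripslashes)'  => '/eval\s*\(\s*stripslashes\s*\(/i',
        // HTTP_REFERER checked against search engines / Facebook followed by a redirect call.
        'referrer redirect'   => '/HTTP_REFERER.{0,300}?(?:google|bing|yahoo|facebook).{0,300}?(?:header\s*\(\s*[\'"]Location|wp_redirect)/is',
    );
}

/** Walk $root and return array(path, line, rule) for every .php file that matches a pattern. */
function scan_php_files( $root ) {
    $hits  = array();
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $src = @file_get_contents( $file->getPathname() );
        if ( $src === false ) {
            continue;
        }
        foreach ( suspicious_patterns() as $rule => $regex ) {
            if ( preg_match( $regex, $src, $m, PREG_OFFSET_CAPTURE ) ) {
                $line   = substr_count( $src, "\n", 0, $m[0][1] ) + 1;
                $hits[] = array( $file->getPathname(), $line, $rule );
                break; // one report per file is enough
            }
        }
    }
    return $hits;
}

/**
 * Fetch $url once with the given Referer and return the Location header, or null when the
 * site did not redirect. A clean site returns null; the hacked site in the post answers
 * search-engine referrals with a redirect to somewhere else.
 */
function redirect_for_referer( $url, $referer ) {
    $ctx = stream_context_create( array( 'http' => array(
        'method'          => 'GET',
        'header'          => "Referer: $referer\r\nUser-Agent: Mozilla/5.0\r\n",
        'follow_location' => 0,     // we want to see the redirect, not follow it
        'ignore_errors'   => true,  // keep the headers even on 3xx/4xx
        'timeout'         => 10,
    ) ) );
    @file_get_contents( $url, false, $ctx );
    // $http_response_header is populated by the HTTP wrapper in the calling scope.
    foreach ( isset( $http_response_header ) ? $http_response_header : array() as $h ) {
        if ( stripos( $h, 'Location:' ) === 0 ) {
            return trim( substr( $h, 9 ) );
        }
    }
    return null;
}

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) && $argv[1] === '--probe' && isset( $argv[2] ) ) {
        $loc = redirect_for_referer( $argv[2], isset( $argv[3] ) ? $argv[3] : 'https://www.google.com/' );
        echo $loc === null ? "no redirect\n" : "redirects to $loc\n";
    } elseif ( isset( $argv[1] ) ) {
        foreach ( scan_php_files( $argv[1] ) as $hit ) {
            list( $path, $line, $rule ) = $hit;
            echo "$path:$line  $rule\n";
        }
    }
}
```

Run the probe twice, once with a search-engine Referer and once with none: a redirect only in the first case is exactly the symptom the post describes, and it is a check you can schedule after every restore to confirm the site stayed clean.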

It does highlight how you could unwittingly be the victim of a hack and not even know it.