Photo by Paolo Gadler

There have been a lot of comments surrounding the recent spate of attacks against WordPress websites. Whilst part of me thinks ‘enough said already’ another part of me wants to add my own two-penneth to the discussions by saying how I see it, and adding my own golden rules for keeping your WordPress websites safe.

Why WordPress?

WordPress has always been a popular target for hackers and spammers. Whilst a properly maintained WordPress site is no more vulnerable to attack than any other sort of website, the fact is that around 20% of all websites are now built with WordPress, making it a more lucrative platform for hackers to focus on.

Although WordPress work hard and fast to close any vulnerabilities that are found, there are many, many website owners that just don’t keep their WordPress version (and plugins) up-to-date. This leaves many websites vulnerable to attack. So, my number one golden rule for keeping your WordPress site safe is…

Followed swiftly by the number 2 rule…

Brute Force Attacks

The current threat to WordPress websites is from hackers who are attempting to log in to WordPress sites by trying thousands of combinations of usernames and passwords until they manage to log in.

These login attempts are automated, and a hacker is able to generate many thousands of attempts in a very short space of time, typically from a range of different ip addresses and locations. Even if they don’t succeed in breaking in to your site, their attempts to log in greatly add to the server load, slowing down websites.

We experienced such a problem on our own server recently, and it’s likely that this issue (or a variation) will occur more frequently in the future. This isn’t something specifically targeted at us – most website hosts are experiencing the same.

It’s possible that these hackers don’t even want to hack your site. Their ideas may be much more ambitious – for example, to use the power of you website to launch an attack on an even bigger target!

Protecting your site against brute force attacks

Your own website hosts may well have implemented measures to help protect your site against these attacks, such as adding an extra login screen in front of your actual WordPress login page. This is ok if it’s just you that logs in to your site, but if you have a number of users who need to log in this might prove confusing for them. You might want to look at a plugin such as Limit Login Attempts, that  that prevents an IP address from getting access to your website for 15 minutes if someone attempts an incorrect username / password combination 4 times, and a further lockout period of 24 hours if more unsuccessful attempts are made. This will seriously inconvenience hackers, who rely on making thousands of attempts every few minutes in order to ‘crack’ your password. However, it might not be effective if the login attempts are coming from a large range of different IP addresses.

Can you do more?

No website can be rendered 100% safe from attack. However, the more work you do to protect your website, the harder you will make it for hackers to break in, persuading them to go for the many easier targets elsewhere.

Here are a few more quick tips…

We offer a premium support service that can look after your website by keeping all of the vital components up-to-date, as well as pro-actively suggesting issues that you might have and helping you to resolve them. This service costs just £225+vat per year, and provides up to 1 hour of our support time every month. We also offer an even more comprehensive Gold Service (for those website owners who want even more).

If you are not on one of our website support schemes, and would like us to take action to protect your website, please get in touch.

Keeping your WordPress site safe from hacking attacks is another great post from: DMJ Computer Services

The post Keeping your WordPress site safe from hacking attacks appeared first on Web Design, Wordpress and Hosting Services in Swindon.

With WordPress installs pre- version 3.5, the settings were on a page of their own. You found them in ‘Settings’–>’Privacy’ (see below).

With WordPress version 3.5 and above, the search engine privacy settings are now included as part of the ‘Settings’–>’Reading’ section (see below).

Whether you need to locate these settings or not, the most important thing to do is to keep your WordPress as up-to-date as possible. Running an old version could have security implications, or it could impact performance, or it could stop one or more of your plugins from running (if the plugin makes use of something introduced in a later version of WordPress).

If you find it difficult or time consuming to keep your WordPress site and plugins up to date, why not ask us to do it for you? We can take the worry away for less than you might think.

Where have my search engine privacy settings gone in WordPress? is another great post from: DMJ Computer Services

The post Where have my search engine privacy settings gone in WordPress? appeared first on Web Design, Wordpress and Hosting Services in Swindon.

As an example, here’s some link text that BuddyPress added to my own profile on one of my websites.

After a look around BuddyPress itself, and a search on the web, I came across the ‘Custom Profile Filters for BuddyPress’ plugin. As well as allowing you to remove the random links from your profile fields, it also allows your users to put square brackets around words in their profile fields that they would like turned into links. The plugin is in the WordPress repository, although it hasn’t been maintained recently and so could have some compatibility issues. It’s worth trying though.

To use this plugin, simply install it into your site and activate it. However, to customise it to remove links from your profile fields you will need to edit one of the plugin files. The file is called custom-profile-filters-for-buddypress.php and it lives in the plugin folder. Edit the file by using FTP and add a comma-separated list of the fields that you want links removed from.

One of the downsides of using this plugin is that it does remove other formatting that users might have added to their profile fields too. For example, the line-breaks in the example above.

Buddypress WordPress plugin to remove profile links is another great post from: DMJ Computer Services

The post Buddypress WordPress plugin to remove profile links appeared first on Web Design, Wordpress and Hosting Services in Swindon.

Comment spam is content which is placed on your site that has no relevance to you or your readership and is only there to benefit the person providing it.

These comments can be added manually, but are very often automated, meaning that many such comments can be added in a very short space of time (or repeatedly over a long period of time).

Example of some WordPress comment spam

Why do people do it?

It’s mostly about links, and a little bit about traffic.

You will have noticed that most of your spam comments arrive with a couple of links (usually to a site selling Ugg boots, other forms of clothing or shoes, or other products not suitable for a family-friendly site such as this one!). The aim of the spammer is to have their comment approved on your site so that it then displays underneath your post for all to see (including search engines).

Search engines can attribute importance to a web page based on the number and quality of links coming into a page. Although there are moves afoot to lessen the value given to links (or rather to increase the value attributed to other factors such as social media engagement), comment spam is still a cheap and effective way for perpetrators to artificially boost the ranking of their websites.

If you approve these comments you are not only devaluing the readership experience and potentially reducing your own website rank (you may leak some pagerank to your spammer’s site and search engines may penalise you for linking to a spam site), but you could be improving the ranking of the spammer’s website. So, in your WordPress dashboard comments section you need to mark these comments as spam…

Marking a comment as spam in WordPress

Although I haven’t seen anything documented about this, I believe that you will increase the volume of spam comments you receive if you start to approve (and especially if you reply to) those that appear. This makes sense, because spammers are likely to double their efforts (and sell your details to other spammers) if they see their comments getting through.

How can you control comment spam?

There are some options in your WordPress settings panel that allow you to control the comments that are allowed on your site. Look for them in ‘Settings’–>’Discussion’ and check out the official WordPress page to find out what these settings mean and how to use them.

However, these settings on their own are unlikely to be enough.

In an article I wrote a few years ago I mentioned Akismet. This is a plugin written by the people that run WordPress, which is free for non-commercial use (and $5/month if you run a commercial site or blog). It is fantastic at filtering out spam before it even hits your site. If you have any budget at all for spam control I recommend using Aksimet, which is automatically installed as part of WordPress but which needs to be activated with an API key.

If you don’t have a budget (and you don’t want to turn commenting off in your site and don’t want to add a captcha to your comment forms) there are a few plugins you could take a look at to help you reduce your spam. In my opinion they are not as effective as Akismet, but they might help a bit.

One such plugin is called Comment Spam Wiper. Although there is a paid version of this plugin available to process large volumes of spam on your site, the basic version is free. You’ll need to install the plugin into your site and then go to the plugin website and get an API key. This API key should then be pasted into the settings field (as shown in the image below)…

Adding an API key to Comment Spam Wiper

You might also like to look at the following plugins. I haven’t used them all, nor am I recommending any of them in particular, but if any of them work for you please drop a comment (not a spam one) below…

Spam Free WordPress

ReCaptcha (I don’t personally like Captcha’s as I think it switches the burden of proof onto the person leaving the comment)

WP HashCash

How to manage WordPress Comment Spam is another great post from: DMJ Computer Services

The post How to manage WordPress Comment Spam appeared first on Web Design, Wordpress and Hosting Services in Swindon.

When you automatically update a component such as a plugin, or update the WordPress version on your website, WordPress places a file in your website root folder called .maintenance. This file should stay there while the update is taking place, and WordPress should remove the file for you when the update is complete.

As updates should take no more than a minute the file should not be there for long, and hence your site should be back online very quickly.

The purpose of the file is so that the following message can be displayed to anyone who tries to visit your site while the updates are taking place…

Briefly unavailable for scheduled maintenance. Check back in a minute.

This prevents anyone from seeing your site whilst these updates are mid-flight – which might mean they see a broken site.

However, sometimes WordPress fails to remove this file when it has finished updating your site, which means that although the site may well be ok nobody can access it.

How do I remove the .maintenance file in WordPress?

You’ll need FTP access to your WordPress site (or file manager access via your hosting control panel) in order to remove the .maintenance file. Once you have logged in to your site FTP, just look for the file named .maintenance in your WordPress root folder (this may well be the highest level folder you see when you log in or it will be in a sub-folder or sub-directory if you have not installed WordPress in your root folder.

Once you have found the file, just delete it and your site should be available again.

Bear in mind that there might be an underlying problem with your site that has caused the file to be left there, but if you backed up your site files and database BEFORE upgrading (you did didn’t you?) then you should be able to get back to your old version easily.

Preventing a failed WordPress upgrade

Make sure the plugins you use are ready for the latest version of WordPress. Generally, your dashboard plugins list should be telling you if any plugins need to be updated. There might still be some plugins that you’re using which haven’t yet been updated. If you’re not sure, it would be a good idea to deactivate all of your plugins before going ahead with the WordPress automatic update. Then, once the update is complete you can try activating each plugin in turn, checking the results on your website.

WordPress Maintenance Mode is another great post from: DMJ Computer Services

The post WordPress Maintenance Mode appeared first on Web Design, Wordpress and Hosting Services in Swindon.

‘Sorry, you have used all of your storage quota of 10mb’

I don’t recall ever setting a limit for my WordPress storage quota, and there was no such limit imposed by my website hosting company. So, what’s the problem?

I have exceeded my WordPress upload quota

It turns out that you can set a limit for each website within a WordPress network (a WordPress network, previously known as multi-site, allows a number of sites to use the same WordPress installation). If you have created the network yourself then you may well know this, but if you haven’t you might need some help resolving the problem.

How to increase my WordPress storage quota

1. Log in to your WordPress site and navigate to ‘My Sites’–>’Network Admin’–>’Dashboard’

2. Select ‘Settings’–>’Network Settings’

3. Find the ‘Site upload space’ field and increase the storage limit (or un-check the box to remove any limits – best done only if you have total control over all sites in your network)

4. Save changes

The storage quota field in WordPress

Have you filled up your WordPress storage quota? is another great post from: DMJ Computer Services

The post Have you filled up your WordPress storage quota? appeared first on Web Design, Wordpress and Hosting Services in Swindon.

Password protection is a great way of hiding the content of a few of your posts and pages from general view. Users don’t need to be logged in to see the content – they just need to be given a password by the website owner.

You can password protect a post or page just by editing the ‘visibility’ before publishing and choosing ‘Password Protected’ instead of ‘Public’.

How to override the default password protection form

The standard format presented to the user is pretty basic – a password field and some text inviting them to enter the password. On most professional websites you will want to customise this message, and perhaps the style of the password form too. WordPress allows you to do this by adding a function and filter to your theme functions.php file to override the default form.

Up until version 3.4 WordPress advocated this code to replace the standard protected post password form.

Password-Protection Problems since WordPress 3.4

WordPress 3.4 retired the wp-pass.php file. This was a subtle change and caught a lot of website owners out. Customised password forms that were added prior to WordPress 3.4 stopped working when the website was upgraded to 3.4, and it’s not always obvious to website owners that this is failing.

If you added your customised password form BEFORE WordPress 3.4, and you have subsequently upgraded your WordPress version, you might just want to check your password-protected pages and posts to make sure they still work. Chances are they won’t!

One solution is to change your theme functions file (/wp-content/your-theme-name/functions.php), replacing the reference to wp-pass.php with wp-login.php?action=postpass. This has worked successfully on one of the sites that I manage.

Do you password protect your WordPress posts or pages? is another great post from: DMJ Computer Services

The post Do you password protect your WordPress posts or pages? appeared first on Web Design, Wordpress and Hosting Services in Swindon.

Control your own domain

Security Vulnerability with Firefox

There has been a little publicity concerning a security breach in the very latest version of Firefox (v16). Apparently, a vulnerability has been discovered that can allow malicious users to find out what websites you have visited.

Mozilla have issued instructions on how to downgrade Firefox to V15.0.1 if you have already upgraded to version 16, although no users should have been automatically upgraded.

What’s my browser version?

Aside from this latest issue, it really is a good idea to keep your browsers (whichever ones you use – Firefox, Chrome, IE, Opera etc) as up-to-date as possible. Just in case you’re not sure how to check which version of browser you are using, here’s a quick video guide – it refers to Firefox, but the principles are similar for other browsers).

How do I know which version of Firefox I’m using? is another great post from: DMJ Computer Services

The post How do I know which version of Firefox I’m using? appeared first on Web Design, Wordpress and Hosting Services in Swindon.

iGoogle is on it’s way out

I’ve been using iGoogle as my browser home page and feed reader of choice for several years. iGoogle has been ideal for subscribing to my favourite blogs, organising my web reading list and ensuring I don’t miss any newly published content relevant to me and my business.

Why are Google closing the iGoogle service?

Google recently announced that they were closing down this service after 1st November 2013 (the mobile edition already closed in July 2012). The reason Google give for this is that the landscape has changed since they launched the product in 2005, and that it has become surpassed by other apps.

Is there an alternative to iGoogle?

I spent a bit of time looking around for something to replace iGoogle and came across another product – Google Currents. At the moment, Currents is available on Android phones and tablets, but not on desktop computers. I hope this changes soon, as Currents works well on my Android tablet and Samsung Galaxy phone.

iGoogle to be replaced by Google Currents?

Google Currents look great, and presents your subscribed content in a way that makes it more appealing to read. The ‘home’ view shows a screen split in two, with a large image slider showing in the left-hand pane showing the images associated with recent posts, whilst in the right-hand pane you have a table view of the thumbnails associated with the content you are subscribed to. Clicking on the left-hand slider image opens a specific post, whilst clicking on any of the thumbnails in the right-hand pane displays all the most recent posts from that content source (e.g. blog).

As well as being able to specify the blog feeds you want to subscribe to, Google Currents also suggests good sources from a list of various categories (e.g. News, Sport, Business etc.).

All in all it’s a really cool product, and of course it’s free. It’s a shame it is not yet available on desktop computers, but perhaps it won’t be long before there is at least a Chrome version. You can get Currents for Android at Google Play.

What do you use to keep up to date with your favourite news and blog feeds? Let us know by adding a comment below.

Goodbye iGoogle, Hello Google Currents is another great post from: DMJ Computer Services

The post Goodbye iGoogle, Hello Google Currents appeared first on Web Design, Wordpress and Hosting Services in Swindon.

Spoof Linked In invitation

It looks like website spoof / phishing attempts are on the rise again. I received 2 emails today claiming to be reminders from Linked In about some invitations to connect and to join professional groups. These invitations looked fairly genuine, except that I didn’t remember receiving the original invitations.

Hopefully, your spam program will catch these emails and deal with them in the manner they deserve, but occasionally they can get through to your inbox. So beware!

How can I spot a fake Linked In invitation?

It’s easy to click links if you’re in a hurry and if they look like they are from a site that you are a member of, but there are usually a couple of tell-tale signs that should raise alarm bells…

• If you float over the links in the email they will point to linkedin.com (or a sub-domain of linkedin.com) if they are genuine. If they point to another website then the email is probably a fake;
• If you don’t remember receiving an invitation from the person in the first place, then it is likely that this one is a fake. Indeed, if you log in to your Linked In account (not via the email) and take a look at your invitations (in your Inbox) then you should see it there;

What’s the danger if I click one of these links?

The very least that will happen is that you will deliver a little traffic and ad impressions to a website you will almost certainly have no interest in.

There might just be some tracking mechanism on the links so that if you click them the spoofer will know are likely to be a member of Linked In AND you are vulnerable – so they will try it again with something more devious.

It is possible that the spoofer becomes a phisher and presents you with a website that looks incredibly similar to the real Linked In website. They will present you with what looks like a Linked In login screen, and when you enter your username and password… bam, they have your access details!

The moral of the story

Be careful. Be suspicious. Don’t believe that everything that is sent to you.

Something similar…

I recently received an email from a client asking for advice. She had received an email from a domain registration company to say that her domain name was due for renewal very soon, and that she needed to take swift action to avoid losing the domain. The only problem with this was that they were asking $75 per year for the registration AND it wasn’t even a domain she owned in the first place. Rather cunningly, they had chosen a domain name the same as her own, but with a different tld (so she owned domainname.com, for example, and they suggested that she needed to renew domainname.fr). They had even gone to the trouble of ‘scraping’ her own website home page and setting it up to look just the same on the site they were asking her to renew. So, when she clicked the link to ‘her’ website it really did look just like her own website.

So the moral of this sub-story is to know what domain names you have registered AND know who your domains are registered with AND understand that domain names typically don’t cost $75 per year.

Don’t be fooled by fake Linked In invitations is another great post from: DMJ Computer Services

The post Don’t be fooled by fake Linked In invitations appeared first on Web Design, Wordpress and Hosting Services in Swindon.