Dang it! – JohnnyA got me again
This time he hit two of my minor blogs, which I hadn't hardened as well as my big blogs. My bigger problem is that I don't know how he got back in. I cracked his code and read through it carefully but still don't know what it does entirely.
There are some troubling lines of code, though. For example, these few lines make a file writable, copy another file under a new name ending in 1.php, and then put the original modification time back on both files so the change doesn't show up in a listing sorted by date; that's the groundwork for an immediate or later code insertion. Curiously, he's using 0644 (owner read/write, everyone else read-only) and not 777, which would make the files readable, writable and executable by everyone.
if (!is_writable($b6)) @chmod($b6, 0644);   // make the target writable by its owner if it isn't already
$b8 = @filemtime($b6);                       // remember the target's original modification time
@copy($a6, $a6.'1.php');                     // drop a copy of $a6 next to it, named <original>1.php
@touch($b6, $b8, $b8);                       // put the old timestamp back on the target...
@touch($a6.'1.php', $b8, $b8);               // ...and stamp the copy with it too, so neither looks recently changed
$d0 = rand_checkstr();
$e1 = array("((^index.*\.|^default.*\.|^main.*\.|^.*body.*\.|^login.*\.|^.*content.*\….
My guess is that his code infiltrates and copies itself or inserts more malware into existing files using normal hooks (like </body>, </head>, and </html>). This is normal stuff… but then it lies dormant until he runs another script that uses cross-site scripting. I suspect this is a classic Trojan script written in PHP, although I'm not a hacker, so how would I know.
So it's incredibly important to run some scans through your database: open it in PHPMyAdmin and search for eval( and $0=. Just be careful not to delete your whole database; that's really easy to do if you're not familiar with PHPMyAdmin.
It might also be good to replace all your plugins and WordPress core files with fresh copies. Also be on the lookout for new files his script might have created as future-use backdoors. I've not found any of these yet, but he seems like a really tricky bastard and that would be an obvious feature to add to his script.
Also be sure to change your blog and FTP passwords. I don't think it's unthinkable that JohnnyA has found a way to crack the WP password hash. This would be very difficult to do, but he's gotten so deep into my blogs' core code that I think it's good prevention to change your passwords.
Also check the file permissions on your files via FTP and triple-check your .htaccess file. I use WP-Super-Cache to rewrite the .htaccess file and help speed up performance.
There are some other plugins you can install, like Exploit Scanner, which seem to help you find suspicious code. But I've not found any tool that works perfectly to block this JohnnyA.
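The checks above can be scripted so they run the same way every time, and so the database search is done against a read-only export rather than by clicking around PHPMyAdmin. The script below is an added example, not code from this post, from WordPress, or from any plugin. It assumes three things, all of which it constructs itself so it runs offline: the site root is in $WP, a fresh download of the same WordPress version is unpacked at $CLEAN, and the database has been exported with mysqldump to $DUMP. The planted injection, the dropped index.php1.php copy and the two-row dump are constructed sample data. One point the post's own checks would miss: because the captured script resets modification times with touch(), sorting files by date tells you nothing, so the core check compares file contents against the fresh copy instead.

```shell
#!/bin/sh
# Added example: post-compromise triage of a WordPress tree (not code from the post).
# Assumed layout: $WP = site root, $CLEAN = fresh unpacked copy of the same WordPress
# version, $DUMP = output of mysqldump. All three are constructed below for the demo.
set -u
umask 022

SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
WP="$SANDBOX/site"
CLEAN="$SANDBOX/clean"
DUMP="$SANDBOX/backup.sql"

# --- constructed fixture: two "core" files (one injected), a theme file and a dropped copy ---
mkdir -p "$WP/wp-includes" "$WP/wp-content/themes/basic-simplicity" "$CLEAN/wp-includes"
printf '<?php\nfunction wp_ok() { return 1; }\n' > "$CLEAN/wp-includes/load.php"
printf '<?php\nfunction wp_also_ok() { return 2; }\n' > "$CLEAN/wp-includes/plugin.php"
cp "$CLEAN/wp-includes/load.php" "$WP/wp-includes/load.php"
# same core file with a one-line eval/base64 loader appended (the base64 is just "echo 1;")
{ cat "$CLEAN/wp-includes/plugin.php"
  printf '<?php @eval(base64_decode("ZWNobyAxOw=="));?>\n'; } > "$WP/wp-includes/plugin.php"
printf '<?php get_header(); ?>\n' > "$WP/wp-content/themes/basic-simplicity/index.php"
# the "<original>1.php" copy the captured @copy() call makes, left world-writable
cp "$WP/wp-content/themes/basic-simplicity/index.php" \
   "$WP/wp-content/themes/basic-simplicity/index.php1.php"
chmod 0777 "$WP/wp-content/themes/basic-simplicity/index.php1.php"
# a two-row database dump; the second row carries injected script in an option value
printf "INSERT INTO wp_posts VALUES (1,'Hello world');\n" > "$DUMP"
printf "INSERT INTO wp_options VALUES ('x','<script>eval(unescape(\"%%3c\"))</script>');\n" >> "$DUMP"

# 1. Injected code: the primitives a PHP dropper almost always needs. Prints path:line:text.
scan_php() {
  grep -rnE --include='*.php' 'eval\(|base64_decode\(|gzinflate\(|@touch\(' "$1"
}

# 2. Dropped copies named <original>.php1.php, the naming used by the captured @copy() call.
find_dropped_files() {
  find "$1" -type f -name '*.php1.php'
}

# 3. Files writable by "other". Files should be 0644 and directories 0755.
find_loose_perms() {
  find "$1" -type f -perm -002
}

# 4. Core files whose content differs from the fresh copy, and files present only in the
#    site. Compares bytes, not mtimes: the captured script resets mtimes with touch().
diff_core() {
  site=$1; clean=$2
  ( cd "$clean" && find wp-includes -type f ) | while read -r f; do
    cmp -s "$clean/$f" "$site/$f" || echo "changed: $f"
  done
  ( cd "$site" && find wp-includes -type f ) | while read -r f; do
    [ -e "$clean/$f" ] || echo "extra: $f"
  done
}

# 5. Search the mysqldump export instead of the live database: read-only, nothing to drop by accident.
scan_dump() {
  grep -nE 'eval\(|base64_decode\(|<script' "$1"
}

report() {
  echo "== injected code =="; scan_php "$WP"
  echo "== dropped copies =="; find_dropped_files "$WP"
  echo "== loose permissions =="; find_loose_perms "$WP"
  echo "== core files differing from fresh copy =="; diff_core "$WP" "$CLEAN"
  echo "== database dump =="; scan_dump "$DUMP"
}
report
```

On a real site point $WP at the document root, $CLEAN at a freshly downloaded WordPress of the same version, and $DUMP at a mysqldump export, and drop the fixture section. Anything the script reports is a lead to read by hand, not proof of compromise; eval( does turn up in legitimate plugins.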
My Must Have WordPress Plugin Recommendations
I suspect everyone with some blogging experience has a list of their favorite plugins. Below is my list of must have plugins; but first I wanted to share an important reality that most pro-bloggers don’t tell you about.
Every time you add a plugin you slow down your blog and eat up server processor time. This is often not a problem for low traffic blogs but as you get more traffic you’ll grow out of your shared hosting much faster. So it is best to only run plugins you really need or that provide valuable features.
You might also notice there are no statistics plugins on my list. This is because any type of plugin that logs user activity makes heavy demands on a server. I find that it’s much better to use something like Google Analytics for logging user data than weighing your own database down with so much extra work. It can also save you a bunch of money by allowing you to stay on a shared hosting platform longer.
My Must Have WordPress Plugin Recommendations
- Akismet – Stops spammers cold.
- Contact Form 7 – Simple contact form plugin.
- Google XML Sitemaps – Automated Google sitemap generator to improve SEO (search engine optimization).
- MobilePress – Automatically generates a mobile (and iPhone) version of your blog.
- PHPEnkoder – Automatically masks email addresses that are occasionally posted.
- Search Everything – Makes the built-in search work better.
- SexyBookmarks – Elegant social media promotion plugin.
- WordPress Database Backup – Your content is your most valuable asset. Be sure to keep a backup of all your blogs.
- WP Super Cache – Reduces the load on your server, specifically MySQL (the database) and speeds page loads.
If you are using any plugins you’d like to suggest I’d love to hear about them. Please post a comment.
WP Super Cache Lowers My Hosting Cost
A couple of weeks ago I began re-testing a popular WordPress plugin called WP Super Cache. I had tried it before but had installed it incorrectly and crashed my biggest blog. This time I installed it right and it works great. It works by making flat HTML files of your blog’s web pages and moves the traffic load to Apache (the web server software) and off MySQL (the database software).
The benefit of this is that Apache can take the load, while MySQL burns up the server's processor, relatively speaking. My host, Media Temple, charges more money when you use more than your fair share of your shared server's processor. This seems fair and I like Media Temple because their system can auto scale-up to take huge traffic days, and I've had several on Tiny House Design.
My testing has shown that WP Super Cache does reduce my cost because it lightens the load on MySQL. It also speeds up my page loads because Apache is incredibly efficient at serving up flat HTML pages and images.
So I highly recommend WP Super Cache but will also warn you to be sure to read all the installation documentation and learn how to back it out if you experience a crash.
Here are screenshots from my GPU usage (processor use) at Media Temple and Google Analytics during the same time period. As you can see traffic was flat and GPU usage remained low.
Above: Control panel on Media Temple that shows low GPU usage.
Below: Report on Google Analytics.
How to use a custom image in the header of Basic Simplicity
I got an email from a fellow named Matt who is using Basic Simplicity, my WordPress theme. He asked how he could use his own custom image in the header. The only caveat is that any edits made to any theme will need to be duplicated when you upload an update to the theme, so be sure to keep some notes for yourself when making changes to files. Actually that's why I built the admin control screen for Basic Simplicity… I wanted to store the most commonly customized items in the database instead of the PHP files. This will make future theme updates more seamless. Here's his question and my response.
Hi Michael
Great theme.
I would like to change the header to my own custom design. How do I do this, and can it be done so the image/header is a link to my site URL? I'm no coder so I hope you will go easy on me. I did look around, however I can't find the answer before emailing you?
Thanks for all your help.
Matt
The admin control panel lets you swap images. Normally you’d just upload a new image to the images folder via FTP and then enter that file name into the field on the admin screen. File names should not have spaces or special characters ideally. Best to name them things like my-custom-header.jpg. The trouble is… this will make it a background image which is not click-able.
Here's one way to make a click-able header: you'll need to edit the header.php file (Appearance > Editor).
Find this: <div id="header"> (you'll see some code here) </div>
Replace the code between the <div id="header"> and </div> with your image. Here's some HTML that should work (bloginfo() prints its value itself, so it doesn't need an echo in front of it):
<a href="<?php echo get_option('home'); ?>"><img src="<?php bloginfo('template_url'); ?>/images/my-custom-header.jpg" width="980" height="120" border="0" alt="<?php bloginfo('name'); ?>" /></a>
Then go to the admin control panel for basic simplicity and enter the following in the custom css field at the bottom:
#header { padding: 0; }
The width of the image should be 980 pixels, the height can be whatever you want.
Basic Simplicity Theme Header Height Tip
I got an email from Jason about how to edit the header height in my WordPress theme, Basic Simplicity. I tried to reply but Jason's email address was wrong, so I thought I'd answer his question here since it could help other people control the look and feel of Basic Simplicity.
Here’s his question:
My question: I’m trying to use my own header file but want the picture to be bigger. I’ve rifled through the edit pages to see if I can change this but can’t find it.
Example: Your comment says optimal size is 1000 x 140 and I want it to be 1000 x 300. When I plug in my header picture it cuts off and remains 140.
Can you give me any tips?
The header height is actually not defined anywhere. The 140px I suggest on the admin screen is just a rough height for an image that would most likely fill the background of the header. The height is auto defined by the text that’s there. The image is a background image and is auto-positioned left and middle vertically.
To control the header height you could add this bit of custom code to your Custom CSS field on the admin form. Adjust the height with the pixel amount. The example is 80px.
#header{
min-height:80px;            /* modern browsers: the header is at least 80px and grows with its content */
height:auto !important;     /* keeps the box growing with its content in browsers that honor !important */
height:80px;                /* old IE ignores min-height and !important, so it uses this and stretches it as needed */
}
Jason… I hope this helps!
I’m giving WP Super Cache another try on Tiny House Design
Tiny House Design, my busiest blog, is getting more and more traffic every day. This is a good thing for lots of reasons, but I have it hosted on a shared platform at Media Temple and the cost is starting to inch upward. So far it's very little money but I want to nip it in the bud.
I really like Media Temple and their ability to scale-up on the fly on extremely heavy traffic days but they charge more if you use more than your fair share of CPU time. They call these system resource units GPUs. This seems fair and most people won’t ever get an overage charge.
The Problem – The problem is that if you move past about 100,000 impressions a month with a WordPress blog you begin to tread into the territory of overage charges with Media Temple. The reason is that WordPress blogs use a lot of database resources.
If you run logging and stats plug-ins on top of that you load up your database server even more which not only slows down your website but could easily drive the hosting cost up.
The Solution – To solve this problem I’m going to try using WP Super Cache again. The first time I tried it I didn’t install it correctly and it crashed my site. This time I think I have it installed right and now theoretically when visitors come to Tiny House Design the cached pages will be served up by Apache (the web server software) and not MySQL (the database software).
You see, Apache is very efficient at serving up images and flat HTML files, which is exactly what WP Super Cache provides. The load on MySQL should now be very light and the CPU overage charges should drop.
If you want to try WP Super Cache I suggest that you keep a copy of your original wp-config.php file handy in case you miss an install step and crash your blog like I did the first time. WP Super Cache rewrites part of your config file and when you disable the plug-in you might run into trouble with that modified config file. To fix a crashed blog and remove WP Super Cache just disable the plug-in and upload your original config file.
Basic Simplicity is now in the WordPress Free Themes Directory
The other day I submitted Basic Simplicity, my new WordPress theme, to the WordPress Free Themes Directory and it got approved today. You can see it in action on all my blogs.
It features a control panel that lets you edit colors on the fly, change the banner background image, add your Google Analytics code, and a bunch of other things. If you like it please give me a good rating
See Basic Simplicity at the Free Themes Directory
Here are a few of my blogs that use Basic Simplicity; you can see what a chameleon it can be.
- Tiny House Design (albeit somewhat modified)
- Do It Yourself Freedom
- Tiny Free House
Basic Simplicity 1.3 (new version of my WordPress theme)
I submitted my minimalist WordPress theme to the Free Theme Directory the other day and got a note back from them with a few suggestions. It didn’t take long to implement their recommended improvements and now Basic Simplicity 1.3 is available.
Theory: Uncluttered Designs Decrease Ad Revenue and Increase Readership
Recently I simplified the look & feel of my busiest blog by installing my new WordPress theme, Basic Simplicity. I've changed themes on Tiny House Design in the past, but I've never noticed such a noticeable effect on user behavior. The only real difference I'm aware of is that I've never used such an uncluttered design before.
Ad revenue has dropped and readership, stickiness, and total page views have increased. It’s too early to be able to provide any meaningful statistics but it seems that by focusing on content and allowing it to take center stage the ads are just getting overlooked.
Normally my knee-jerk reaction would be to move some ads back into the content itself except I like the increasing readership numbers too much so I’ll hold back and watch the trends for a while.
My suspicion is that a clean theme is better for increasing readership and cluttered designs are better for ad revenue. So if you are making a living from blogging be careful about switching to an uncluttered design, but if you’re still in traffic growing mode consider a simple theme.
In a month or two I'll post some charts after I have some real data to prove or disprove my theory. In the meantime I'll continue to watch and learn.
Updated WordPress Theme – Basic Simplicity Version 1.2
Over the last few nights I whipped up a simple administration screen for my free WordPress Theme. Now you can make very quick style changes right in the WordPress user interface; there’s no need to edit the stylesheet. You can also add your Google Analytics code, Google site verification code, and custom CSS.
These will be the last few edits for a while; I think I have it working well enough to start using basic simplicity on all my blogs. I have a few more features I’d like to add but I’ll hold off and give this version a careful test drive. If you give it a try too and run across any bugs please let me know. If you have any suggestions for future versions I’m all ears as well.