How to protect your blog from viruses, backdoor Trojans and other nasty stuff

If you’ve ever been hit with a virus on your computer, you know how difficult it can be to thoroughly clean the machine, even when you have security software that does all the heavy work.

Take that picture and apply it to your blog and you have a migraine-inducing situation, which is precisely what I experienced this past week: an injected iframe (the so-called “iframe virus”) and a malware attack involving a backdoor Trojan temporarily created some havoc on this WordPress blog until they were eliminated.

What I learned from this experience comes down to some simple things any blogger can do to help ensure the security of a site.

I became aware that something wasn’t right when publishing a post using Windows Live Writer produced an access error. Likewise, accessing the blog via the WordPress app for Android on my phone also gave an error. I thought it might be related to a known error with XML-RPC and PHP that I encountered a few years ago. But a quick peek at the source code of the home page showed me a different likelihood.


The string of text at the very start of line 1 is code that creates an iframe and then loads another website on every page view. Given that I hadn’t inserted that code, and that it had nothing to do with WordPress, the chances were pretty certain it had been put there by someone who had gained unauthorized access to my server.

Line 1 should start with this -

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
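As an added example (this is not code from the original post), here is a small Python check for the two symptoms described above: anything that appears in front of the <!DOCTYPE that should open line 1, and iframes that are sized or styled to be invisible or that point at a host you don’t recognise. The two sample pages and the host name attacker.invalid are constructed for the demonstration; the allowed-host list is whatever embeds you know you put on your own site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not the real page from the post). The first has an
# injected one-pixel iframe in front of the DOCTYPE, the second is clean.
DOCTYPE = ('<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
           '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">')
INFECTED_PAGE = (
    '<iframe src="http://attacker.invalid/in.php" width="1" height="1" '
    'style="visibility:hidden"></iframe>' + DOCTYPE +
    '\n<html><head><title>blog</title></head><body><p>Hello</p></body></html>')
CLEAN_PAGE = (
    DOCTYPE + '\n<html><head><title>blog</title></head><body>'
    '<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>'
    '</body></html>')

# CSS that makes an element invisible to the visitor but not to the browser
HIDDEN_CSS = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == 'iframe':
            self.iframes.append(dict(attrs))


def _pixels(value):
    """Return a width/height attribute as an int, or None if it is not a plain pixel count."""
    m = re.fullmatch(r'\s*(\d+)\s*(px)?\s*', value or '')
    return int(m.group(1)) if m else None


def text_before_doctype(html):
    """Anything in front of the DOCTYPE is not something WordPress or a theme emits."""
    idx = html.lower().find('<!doctype')
    return html[:idx].strip() if idx >= 0 else ''


def scan_page(html, allowed_hosts=()):
    """Report injected content before the DOCTYPE and iframes that look hidden or foreign."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings = {
        'before_doctype': text_before_doctype(html),
        'doctype_missing': '<!doctype' not in html.lower(),
        'suspicious_iframes': [],
    }
    for attrs in parser.iframes:
        reasons = []
        width, height = _pixels(attrs.get('width')), _pixels(attrs.get('height'))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append('tiny')
        if HIDDEN_CSS.search(attrs.get('style') or ''):
            reasons.append('hidden-by-css')
        host = urlparse(attrs.get('src') or '').hostname
        if host and host not in allowed_hosts:
            reasons.append('external host ' + host)
        if reasons:
            findings['suspicious_iframes'].append({'src': attrs.get('src'), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for name, page in (('infected', INFECTED_PAGE), ('clean', CLEAN_PAGE)):
        print(name, scan_page(page, allowed_hosts=('www.youtube.com',)))
```

Run it against a saved copy of your home page (view-source, save as a file, read it in) rather than a live fetch: some injected code only serves itself to certain User-Agents or referrers, so the page a browser sees is the one to check, and a clean result from one fetch is not proof of a clean site.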

A simple search on Google and a chat with my hosting service, DreamHost, speedily confirmed the worst: the blog was infected. Identifying precisely with what, and fixing it, was a clear priority.

Looking around the web produced lots of helpful posts recounting the experiences of others who had addressed issues similar to mine, all of which were very useful in the actions I took to rid my site of this most unwelcome visitor.

Three immediate steps:

  1. Change the passwords and logins for all blogs and my hosting account.
  2. Review the list of users who have admin authority on the blog. If there are any I don’t recognize, either delete them or at least change their access level to one that gives no ability to write content on the site. For all others, withdraw their admin rights temporarily.
  3. Change the password for my own FTP access account and cancel access for every other FTP account.
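Step 2 is the one that can be scripted rather than eyeballed in the dashboard. As an added example (not from the original post), the Python below takes rows from the wp_usermeta table, where WordPress keeps each user’s roles under the meta_key wp_capabilities as a PHP-serialized array, and lists every account holding the administrator role that is not on your own list of expected admins. The sample rows and usernames are constructed for the demonstration; the wp_ table prefix is the WordPress default and may be different on your install.

```python
import re

# Constructed sample rows, in the shape returned by
#   SELECT u.ID, u.user_login, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# The fourth row is the kind of account a cleanup should surface.
SAMPLE_ROWS = [
    (1, 'siteowner',    'a:1:{s:13:"administrator";b:1;}'),
    (2, 'guest_author', 'a:1:{s:11:"contributor";b:1;}'),
    (3, 'editor_jane',  'a:1:{s:6:"editor";b:1;}'),
    (4, 'wp_support_',  'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:1;}'),
]

# One role entry of the serialized PHP array: s:<len>:"<role>";b:1;
# Only roles switched on (b:1) are matched; a b:0 entry grants nothing.
ROLE_ENTRY = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(meta_value):
    """Return the set of roles switched on in a wp_capabilities value."""
    return set(ROLE_ENTRY.findall(meta_value or ''))


def administrators(rows):
    """Logins of every account whose capabilities include the administrator role."""
    return sorted(login for _id, login, caps in rows
                  if 'administrator' in roles_from_capabilities(caps))


def unexpected_administrators(rows, expected):
    """Admin accounts not on the owner's list of known admins; every hit needs attention."""
    return sorted(set(administrators(rows)) - set(expected))


if __name__ == '__main__':
    print('admins:', administrators(SAMPLE_ROWS))
    print('unexpected:', unexpected_administrators(SAMPLE_ROWS, expected=['siteowner']))
```

Check the user_email and user_registered columns of any hit as well: an attacker who has added an account usually set the e-mail address so that a password reset goes to them, and that address gives you something to search the access logs for.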

If the hacker had got in via a lax security measure – like a weak password or FTP access – then that simple route was now blocked.

Now, some detective work.


FeedDemon 4: definitely worth $20

The developer of one of the most useful programs I have installed on my computers has just issued a major update, which I’ve gladly installed. The program is FeedDemon and version 4 has just been released.

I’ve been using FeedDemon since 2004 – about the time I really discovered the value of RSS – and consider it to be the best RSS application for Windows by far.

I’ve written a great deal in this blog (and in my now-archived blog) about FeedDemon over the past six years. I wrote about the various new versions as they came out and also about NewsGator’s acquisition of developer Nick Bradbury (well, the company that Bradbury headed, certainly) in 2005 and its integration into NewsGator’s product line.

A lot has happened in the intervening years, including FeedDemon becoming a free application and then, during the version 3 development, becoming ad-supported with an option to pay to remove the ads. Bradbury parted company with NewsGator in 2009 but retains the rights to develop FeedDemon, and that brings us up to date with the new version 4.

Here’s a summary of six features of FeedDemon:

  • Google Reader Synchronization - Use FeedDemon at home, your office, or anywhere you go and keep your feeds, tags and shared items synched between locations.
  • Sharing – FeedDemon’s simple single-click sharing lets your friends subscribe to your favourite articles.
  • Tagging – Assign your own keywords to items, making it easy to classify and locate articles you’ve previously read.
  • Watches – Tell FeedDemon to let you know when your keywords appear in any feed you’re subscribed to.
  • Search Feeds – Get alerted when your keywords appear in any feed, regardless of whether you’re subscribed to it.
  • Podcasts – Let FeedDemon automatically download audio files and copy them to your iPod or other media device.

See the FAQ for more information.

One big change with version 4 – there are now two versions: FeedDemon Lite (free) and FeedDemon Pro ($19.95, or $9 to upgrade if you already paid for version 3 ad removal). Why? Here’s Bradbury’s explanation:

[...] I had to pay the bills with whatever money FeedDemon generated, and as popular as FeedDemon is, it’s not popular enough to bring in enough cash through ads alone. And very few people were paying just to get rid of the ads (can you blame them?).

For a year I kept FeedDemon free, and I started work on FeedDemon 4.0 in the hopes I could find a way to keep it free yet still pay the bills. But eventually it was clear that the only way to keep FeedDemon (and myself) going was to start charging for it again, and I figured the best way to do that was to come out with a free ad-supported Lite version with fewer features, along with a for-pay Pro version that had all the features and no ads. That way there would still be a free version, which I knew had to exist, while at the same time there would be a way I could charge for a more feature-rich version.

I just bought a license for FeedDemon Pro. I first bought a license way back during version 1.x (when it cost almost $30). I’m more than happy to still pay for a tool that has evolved and improved hugely over time and one I consider to be extremely useful if not indispensable, as well as to support an indie software developer who makes a great product.

And $20 (about £12.65 or €12.15 at the moment) is amazing value for a tool that lets you do so much. If you haven’t tried it, why not give it a go?

Compelling reasons to mobilize your website

A few weeks ago, I installed a new WordPress plugin on this site that would enable visitors on mobile devices to find their experience here worthwhile and make it more likely they would stick around on their visit, perhaps engage by leaving a comment, and maybe even return again.

The plugin is the WordPress Mobile Pack, and it automatically recognizes a mobile device when one accesses content here.

So instead of the web pages you see on a desktop or laptop screen, you’d see content displayed in a manner far more appropriate for the small screen of your typical mobile phone, like the example you see here – what this website looks like when I access it on my HTC Desire smartphone.

You just can’t expect anyone with a screen this small to have any kind of pleasurable time on your website if what they get is a minute version of a standard web page with text looking so small that you can’t read it even with a magnifying glass. I bet a lot of people do what I do in such situations: leave.

Plugins like the WordPress Mobile Pack give you a little bit of insight into how many visitors to your site arrive via a mobile device. Handy stats but hardly exciting. But if you sign up for a free analytics account at Percentmobile via your installed plugin and get an API code you add into your blog admin, then you’ll see some metrics that are quite eye-opening.

I’ve just taken a look at mobile traffic on this blog over the past week and the richness of reporting Percentmobile gives me. Wow!


I always thought that iPhone users made up the biggest percentage of mobile visitors here, but not to the extent that nearly a quarter of all visits from mobiles are on an iPhone 3GS. And just look at the number two – the iPad at nearly 14% of all visits on mobile devices. Collectively, Apple devices account for nearly two-thirds of all mobile visits here.

Want to know where your mobile visitors are coming from? There’s a stat for that!


Such detail can be very useful in understanding which devices people use to interact with your content. It may (and should) influence how you present your content on the web.

There’s no doubt that more people are spending more time on the web via a mobile device of some sort, not just reading website content but using increasingly indispensable services like Foursquare, Facebook and Twitter. And mobile devices are certainly getting smarter, focusing far more on what you can do with them as mobile access devices than simply on making and receiving phone calls. Look ahead to things like mobile CMS.

Among the many reports and forecasts out there about mobile web trends, this view from Morgan Stanley, the financial services firm, last December – contained in their Mobile Internet Report – expresses things succinctly:

  • Mobile ramping faster than desktop internet did and will be bigger than most think – 5 trends converging (3G + social networking + video + VOIP + impressive mobile devices)
  • Regarding pace of change, we believe more users will likely connect to the internet via mobile devices than desktop PCs within 5 years

Enabling your website as a mobile platform is very easy if you use WordPress either as a blog or as a content management system.

What are you waiting for?


What is community worth to you?

I’ve been watching with interest, and some dismay, as a real kerfuffle has broken out in the WordPress community over the past few days surrounding the matter of copyright.

At issue is interpretation of the GNU General Public License (GPL), the "copyleft" license under whose terms WordPress software is released; how developers of premium themes offer their product; and the honouring of the GPL.

Among the many posts that have appeared with commentary and opinion on the issue, The Next Web summarizes the situation nicely:

[...WordPress founder Matt] Mullenweg called out developers of “premium” themes for WordPress (the ones you have to pay for) that are not released under the GPL as ‘evil’. WordPress itself is released under GPLv2, and Mullenweg feels that the products developed on top of WordPress (such as those premium themes) need to be GPL as well. To Mullenweg, if you build off of free software, and depend on it, to license them under other means is a breach of ethics.

[Premium theme developer Chris] Pearson disagrees with Mullenweg, and has been having a war of words over Twitter for the past few hours to reinforce his points.  In Pearson’s logic, he should be able to license his own work in whatever manner he sees fit, regardless of the platform on which it is built. However, the GPL has a specific clause (according to the Mullenweg interview) that states that anything built on a GPL licensed platform must also be under GPL licensing.

As you can imagine, supporters and detractors of both sides have been tweeting their opinions. As far as I can tell, there’s no dominant view among the thousands of tweets on what is right about GPL in this case.

A number of knowledgeable WordPress developers have posted some well thought-out commentaries on the issue, notably Drew Blas, David G. Larson and Rob Diana.

It looks like only some kind of legal involvement – ranging from the benign clarity of meaning to the aggressive filing of a lawsuit – will bring some light on interpreting the GPL.

But it seems to me this goes beyond just legal definitions of copyright. Isn’t it about doing what’s right in a community that’s founded on values of freedom of expression and open sharing of intellectual property to the benefit of many?

Does Chris Pearson’s business model, and that of other premium theme developers who don’t use the GPL, drive a huge wedge into the heart of everyone in the WordPress community who do adhere to the principles of the GPL?

I asked Chris Pearson via Twitter (and a little impolitely) what he thought of that. He said he wasn’t doing that. My reply that he should therefore support the GPL didn’t get a further response.

I use Chris’ Thesis theme in this blog (I bought a developer license in 2008). I like it a lot. I didn’t really pay much attention to GPL or any other kind of licensing until this all blew up.

Do I ditch Thesis? That question has crossed my mind. I really hope a smooth resolution will result from this kerfuffle, and soon, that will help me make up my mind.

Maybe a legal route is the only way to get that.

[Update July 18, 10:15pm:] The kerfuffle continues although some deeper thought is emerging in some blog posts. I especially like Why WordPress Themes are Derivative of WordPress by Mark Jaquith, one of the original WordPress developers, which to my mind presents the most comprehensive and credible assessment of this situation so far.

I’ve decided that I will move away from Thesis which I will do as soon as I’ve settled on an alternative theme that supports GPL and supports the open principles of the broad WordPress community. I’m experimenting with alternatives on my Sandb0x blog which I’ve resurrected again for this purpose.

[Update July 23, 7:15am:] Chris Pearson has now decided to embrace the GPL and make Thesis part compliant with its license, sufficiently enough to satisfy Matt Mullenweg.

I say ‘part compliant’ because Thesis will now have two license conditions – one part that is the GPL and which covers WordPress’ PHP code that may be incorporated into the Thesis theme framework; the other that is proprietary and covers things like images, cascading style sheets and JavaScripts.

Pearson links to the new terms of service; these are the relevant new texts:

2. Intellectual Property License

Thesis General PHP License

The PHP code portions of Thesis are subject to the GNU General Public License, version 2. All images, cascading style sheets, and JavaScript elements are released under the Thesis Proprietary Use License below.

Thesis Proprietary Use License

The Thesis Proprietary Use License is a GPL compatible license that applies only to the images, cascading style sheets, and JavaScript files contained in Thesis. These elements are the copyrighted intellectual property of DIYthemes and cannot be redistributed or used in any fashion other than as provided in this Agreement.

This is good news although I wonder if it actually does resolve the legal questions and doubts on copyright that have arisen due to this kerfuffle, never mind the community issues.

One post I recommend reading for its deep perspective on the overall situation is I Create, Distribute & Disseminate Cracked Software by Andy Beard. Make a cup of tea or coffee, draw up your chair and settle down for a good read. That includes the comments.

For me, I’ve made my decision to switch from Thesis so I will be ploughing a new furrow, as it were, with a new theme very soon.