Tips & Tricks
WordPress Security Hacks
Hi guys, this is my first post on wpcult, the great site Austin built. Hope you guys find it useful.
If you run a blog using the WordPress software, then your blog is a target for hackers. Below I will list some hacks and just how they can help you keep your business/site safe.
The following is code to Block Bad Queries and protect your blog from malicious URL requests.
Place the following code into a text file and name it whatever you like, for example blockbadqueries.php; upload it to your plugins folder and activate it in your WordPress admin just as you would any other plugin.
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID;
// The checks below only run when a user ID is set and that user is not
// level_10 (administrator), so an admin can never lock themselves out.
if ( $user_ID ) {
    if ( ! current_user_can( 'level_10' ) ) {
        // Refuse over-long URIs and URIs carrying common injection markers.
        if ( strlen( $_SERVER['REQUEST_URI'] ) > 255 ||
            strpos( $_SERVER['REQUEST_URI'], 'eval(' ) ||
            strpos( $_SERVER['REQUEST_URI'], 'CONCAT' ) ||
            strpos( $_SERVER['REQUEST_URI'], 'UNION+SELECT' ) ||
            strpos( $_SERVER['REQUEST_URI'], 'base64' ) ) {
            @header( 'HTTP/1.1 414 Request-URI Too Long' );
            @header( 'Status: 414 Request-URI Too Long' );
            @header( 'Connection: Close' );
            @exit;
        }
    }
}
?>
This great plugin was made by Jeff Starr of Digging into WordPress.
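As an added illustration (not the Block Bad Queries plugin's own code, and not from the wpcult post), here is the same idea written as a small plugin that runs on WordPress's init hook, so the current user is already known, matches case-insensitively against the URL-decoded request, exempts only users who can manage options, and logs what it refuses before sending a 403. The rfe_ function names are this example's own.

```php
<?php
/*
Plugin Name: Request Filter Example
Description: Added example of a request filter in the spirit of Block Bad Queries. Not the original plugin.
*/

// Returns true when the request looks like one of the injection attempts the
// post describes. Kept separate from the hook so it can be exercised without
// a live request. $uri is the raw REQUEST_URI, $decoded its rawurldecode()d form.
function rfe_request_looks_malicious( $uri, $decoded ) {
    if ( strlen( $uri ) > 255 ) {
        return true;
    }
    // '+' is a space inside a query string, so "UNION+SELECT" and
    // "UNION%20SELECT" both become "union select" here.
    $haystack = strtolower( str_replace( '+', ' ', $decoded ) );
    $needles  = array( 'eval(', 'concat', 'union select', 'base64', '<script' );
    foreach ( $needles as $needle ) {
        // strpos() returns 0 for a match at offset 0, which is falsy, so the
        // comparison must be against false rather than used as a bare truth value.
        if ( strpos( $haystack, $needle ) !== false ) {
            return true;
        }
    }
    return false;
}

// Runs on every request once WordPress has resolved the current user.
function rfe_block_bad_requests() {
    // Administrators are exempt: back-end screens legitimately carry
    // strings such as "base64" in their URLs.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $uri     = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    $decoded = rawurldecode( $uri );

    if ( rfe_request_looks_malicious( $uri, $decoded ) ) {
        // Record the refusal so it is visible in the PHP error log.
        $addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log( 'rfe: blocked request ' . $uri . ' from ' . $addr );
        status_header( 403 );
        nocache_headers();
        exit;
    }
}
add_action( 'init', 'rfe_block_bad_requests' );
```

Two things to keep in mind when running a filter like this: every pattern is a possible false positive (a post slug containing "concat", a legitimate base64-encoded parameter), so watch the log after enabling it; and a pattern list is only a tripwire, not a substitute for keeping WordPress, themes and plugins updated.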
Protecting your blog with .htaccess
.htaccess files have lots of possibilities. Below is some code that will help protect your WordPress install from tampering with _REQUEST and/or GLOBALS through the query string, and from script injection.
This is really simple: just paste the following code into your .htaccess file. Always make a backup of your .htaccess before editing; better to be safe.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Thanks to Oussama for this great hack.
Tips & Tricks
How to: Create a fbshare.me shortcode
Social networks are everywhere. I am sure you're on Facebook. Well, why not add a Facebook share script to your site?
Don't know PHP that well?
Well, here is a simple way to add a share script like fbshare.me to your site, via shortcodes.
Paste the following code in your functions.php file in order to create your shortcode:
function fbshare_script() {
    return '<div class="fbshare"><script src="http://widgets.fbshare.me/files/fbshare.js"></script></div>';
}
add_shortcode( 'fbshare', 'fbshare_script' );
Once done, you can display the Facebook share button anywhere in your posts. In the WordPress editor, make sure you are in HTML mode and insert the following: [fbshare].
When your post is published, the shortcode will be replaced by the fbshare.me button.
Tips & Tricks
Turn your RSS feed into a shortcode
Last week I wrote "Use WordPress to print a RSS feed for Eventbrite attendees". It was pretty popular, but then I found myself in a more annoying spot: trying to incorporate that into a blog post or page.
Without downloading a plugin that allows PHP to be executed inside a post, I would have to create a template file and use that. Which is what I did, and it works just fine. But for some reason I forgot all about shortcodes! With a shortcode, I can put all the PHP in the functions file and then just call the shortcode when and where I want.
Okay, so let's look at the completed PHP code:
function attendee_feed_print_2009() {
    global $wpdb;
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss   = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
    $items = array_slice( $rss->items, 0 );
    if ( empty( $items ) )
        echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>';
    else
        foreach ( $items as $item ) : ?>
        <ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px">
            <li><!--<strong><?php echo $item['title']; //User name ?></strong><br />-->
            <?php echo $item['content']['encoded']; ?>
            <hr style="border: 1px solid #ddd; margin-bottom: 8px" />
            </li>
        </ul>
        <?php endforeach;
}
Now, this code has to be changed for it to work as a shortcode. We'll have to return the output from the function rather than print/echo it.
I also wanted to be able to use multiple instances of the shortcode with different feeds. To do so I had to add an argument and extract it from the completed shortcode. I found a demo in Alex Mansfield's post.
Remember this:
function attendee_feed_print_2009() {
    global $wpdb;
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
We are going to update it to read as follows (the changed lines are marked with comments):
function attendee_feed_print_2009( $rss_nbr ) {   // changed: takes the shortcode attributes
    global $wpdb;
    extract( shortcode_atts( array( 'rss' => '' ), $rss_nbr ) );   // changed: pulls $rss out of the attributes
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss = fetch_rss( $rss );   // changed: fetches whichever feed the shortcode named
And the final code, with the fields updated to return the output (put it into your functions.php file, between <?php and ?>):
function attendee_feed_print_2009( $rss_nbr ) {
    global $wpdb;
    extract( shortcode_atts( array( 'rss' => '' ), $rss_nbr ) );
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss   = fetch_rss( $rss );
    $items = array_slice( $rss->items, 0 );
    $rss_html = '<div id="eventbrite-attendee-list" style="clear:both;">';
    if ( empty( $items ) )
        $rss_html .= '<ul style="list-style:none;"><li>No attendees, yet.</li></ul>';
    else
        foreach ( $items as $item ) :
            $rss_html .= '<ul style="background:none; list-style:none; margin:0px">';
            $rss_html .= '<li style="background:none; list-style:none;">';
            $rss_html .= $item['content']['encoded'];   // feed HTML is inserted as-is
            $rss_html .= '<hr style="border: 1px solid #ddd; margin-bottom: 10px" />';
            $rss_html .= '</li>';
            $rss_html .= '</ul>';
        endforeach;
    $rss_html .= '</div>';
    return $rss_html;
}
And let's not forget to add the shortcode function!
add_shortcode( 'eventbrite-attendees', 'attendee_feed_print_2009' );
The final outcome will look like this: `[eventbrite-attendees rss="http://your-rss-feed.com/"]`
I've turned this into a plugin!
Download the plugin: http://wordpress.org/extend/plugins/eventbrite-attendees-shortcode/
Tips & Tricks
Use WordPress to print a RSS feed for Eventbrite attendees
Today I was working on the WordCamp.LA site. I was trying to show the "attendee list" on the attendees page without having to update the page every day.
Since I am using Eventbrite to promote and sell tickets to the event, I can collect info from their list. Everyone who purchases a ticket is put into the ticketed database, which you can view as either RSS or OPML.
I chose to use RSS and the WordPress core file rss.php.
In the functions.php file I’ve added this function:
function attendee_feed_print_2009() {
    global $wpdb;
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss   = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
    $items = array_slice( $rss->items, 0 );
Here I've named my function and included the core RSS file from WordPress. I also told it to fetch the feed from that address (alternatively you can use any feed link you like).
    if ( empty( $items ) )
        echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>';
    else
        foreach ( $items as $item ) : ?>
        <ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px">
            <li><!--<strong><?php echo $item['title']; //User name ?></strong><br />-->
            <?php echo $item['content']['encoded']; ?>
            <hr style="border: 1px solid #ddd; margin-bottom: 8px" />
            </li>
        </ul>
        <?php endforeach;
I then added the core style to fit this current feed.
And the final outcome looks like this:
function attendee_feed_print_2009() {
    global $wpdb;
    include_once( ABSPATH . WPINC . '/rss.php' );
    $rss   = fetch_rss( 'http://www.eventbrite.com/rss/event_list_attendees/384870157' );
    $items = array_slice( $rss->items, 0 );
    if ( empty( $items ) )
        echo '<ul style="list-style-type: none; list-style-image: none; list-style-position: outside;"><li>No items</li></ul>';
    else
        foreach ( $items as $item ) : ?>
        <ul style="list-style-type:none; list-style-image:none; list-style-position:outside; margin-bottom: 0px">
            <li><!--<strong><?php echo $item['title']; //User name ?></strong><br />-->
            <?php echo $item['content']['encoded']; ?>
            <hr style="border: 1px solid #ddd; margin-bottom: 8px" />
            </li>
        </ul>
        <?php endforeach;
}
Don't forget to wrap the code in <?php ?> tags.
I want to thank John Kolbert for helping me with printing the content:encoded portion. http://pastebin.com/m1588fb30
See it in action: http://wordcamp.la/attendees/
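The two Eventbrite posts above build the attendee list on rss.php/fetch_rss() and put the feed's content:encoded into the page exactly as received. The following is an added example, not code from either post or from the eventbrite-attendees-shortcode plugin: the same shortcode written on fetch_feed() (SimplePie, available since WordPress 2.8), with the feed URL from the rss attribute validated before anything is fetched, a fetch failure handled instead of producing a PHP notice, and the item HTML filtered with wp_kses_post() before it is returned. The ex_ prefix and the "unavailable" message are this example's own.

```php
<?php
// Added example (not the wpcult posts' code). Usage in a post, in HTML mode:
//   [eventbrite-attendees rss="https://www.example.com/attendees.rss"]
function ex_attendee_feed_shortcode( $atts ) {
    // Fill in defaults; $atts is '' rather than an array when no attribute is given.
    $atts = shortcode_atts( array( 'rss' => '' ), $atts, 'eventbrite-attendees' );

    // The attribute is typed by whoever edits the post, so treat it as input:
    // accept only http(s) URLs, and refuse addresses that point at private or
    // loopback hosts so the site cannot be made to fetch from its own network.
    $url = esc_url_raw( $atts['rss'], array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        return '';
    }

    // fetch_feed() caches in a transient (12 hours by default), so the feed is
    // not hit on every page view. It returns a WP_Error instead of throwing.
    $feed = fetch_feed( $url );
    if ( is_wp_error( $feed ) ) {
        // Show a neutral message rather than the error text, which would
        // expose the feed URL and the failure details to visitors.
        return '<div id="eventbrite-attendee-list"><p>Attendee list is unavailable right now.</p></div>';
    }

    $items = $feed->get_items( 0, 0 ); // start 0, length 0 = every item
    $html  = '<div id="eventbrite-attendee-list" style="clear:both;">';
    if ( empty( $items ) ) {
        $html .= '<ul style="list-style:none;"><li>No attendees, yet.</li></ul>';
    } else {
        foreach ( $items as $item ) {
            // get_content() yields content:encoded when present, description otherwise.
            // wp_kses_post() keeps ordinary post formatting but strips script,
            // iframe and on* handler markup a third-party feed could carry.
            $content = wp_kses_post( $item->get_content() );
            $html   .= '<ul style="background:none; list-style:none; margin:0px">'
                     . '<li style="background:none; list-style:none;">' . $content
                     . '<hr style="border: 1px solid #ddd; margin-bottom: 10px" /></li></ul>';
        }
    }
    $html .= '</div>';
    return $html;
}
add_shortcode( 'eventbrite-attendees', 'ex_attendee_feed_shortcode' );
```

The shape mirrors the original shortcode (same wrapper div, same empty-list text), so it can stand in for it in functions.php or a plugin file; the only behavioural differences are that a bad or unreachable feed renders a placeholder instead of an error, and the feed's markup is filtered rather than trusted.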
Pink Magic
February 2, 2011 at 3:02 pm
Internet security in general is often overlooked, especially with WordPress. I’ve been the victim of two WordPress hacks through various security holes!
Henri Labelle
February 3, 2011 at 6:32 pm
Thanks for this tip, I’ll use it right now!!
Symptoms of Depression
February 7, 2011 at 8:43 pm
Yea, I know a number of people who have had their wp sites hacked. That is why I try to get everything set up properly from the very beginning to avoid any nasty surprises. I find that a couple of plugins work well, wp-security scan and wp malwatch. If you are running wp you should definitely install those.
Milwaukee SEO
February 10, 2011 at 10:02 pm
Great roundup of potential issues with WP security. Posts like these make it easy for us to identify loopholes and fix them up before our sites get hacked.
Wordpress Developer
February 15, 2011 at 3:56 am
Nice post, and it is very helpful for me; I have resolved many of my problems regarding WordPress security.
Thank you very much.
pond filters and pumps
February 26, 2011 at 5:14 am
Hi Miguel, thanks for your tips. Surely I'll implement your tips. Last year I had one blog attacked by a hacker. He deleted my posts and took over my blog. Lastly I had to delete everything and install everything again. I really hate hackers. – zack
Brand Developers
February 27, 2011 at 5:19 pm
Thank you for the help. It is always rather frightening to think that your blog could be compromised by a malicious hacker.
Thanks,
Katherine
Air Zimbabwe
March 5, 2011 at 3:55 am
Nice job , really appreciate your work and thanks for this vital piece of information
Keep up the good work !!!
xclmedia
March 6, 2011 at 3:38 pm
Ok, thanks for the information! I’ll secure my blog.
Kevin Rutter - Charity Auctioneer
March 6, 2011 at 5:23 pm
It seems WordPress is the most hacked blog/website platform out there. I use WordPress and seem to always get hit by these lurkers.
Ross
March 7, 2011 at 12:15 am
It's sad to think that someone will go out of their way to hack into and mess up a website! I see this post is a year old; can I presume this is still a good and valid way to keep people out? I guess there's no reason why the code needs to be updated.... Cheers, Ross
duka
March 10, 2011 at 9:52 am
Join our newest gaming community and you can find or make tutorials for every game:
thextop.org Soon maybe we will be the best gaming tutorial community!!!
Fabrizio T.
March 15, 2011 at 9:24 am
Hello, very nice post with useful tricks.
I'd have a question: do you think it could be useful to use .htaccess to block hotlinking of images? I noticed on my blog that there is a lot of traffic on some images (car models) and I suspect that someone is linking to those images... do you think it is possible using .htaccess?
HCG
March 17, 2011 at 8:45 am
I think you have done a great job stepping in and taking over where the other previous owner had left off. Good Job.
Toulouse webdesigner
March 18, 2011 at 7:54 am
Very useful tut, security is essential for WordPress!
jacob @ seo services
March 25, 2011 at 3:40 am
I really need this, good information about WordPress plug-ins.
Thanks for sharing this article.
Keep it up.
Cheers!
Kev
March 27, 2011 at 3:24 am
Hi,
Great post, thanks for sharing.
Arbetskläder
March 27, 2011 at 11:21 am
Many thanks for the .htaccess tips, I just implemented it. Thanks!
top 10 credit cards
March 28, 2011 at 7:39 am
Security, protecting our personal information is very important. It’s so accessible nowadays, We never know how and by whom it can be used. Thanks for the code.
Geodesic Dome GreenHouse
March 30, 2011 at 2:01 pm
For a first time posting an article this is more than good! In fact I think this is great. Supplied me with some very useful information that I am going to use and that I never knew about until now! I've never had any of my WordPress blogs hacked before, thank god, but I have heard about many people who have had theirs hacked, and now that is something I don't have to worry about anymore. I'm gonna apply this to all of my WordPress blogs from here on out!
Thank you
P.S. Will this work on other blogs or only on WordPress blogs?
Katie
April 2, 2011 at 6:55 am
I have no idea what a ‘malicious URL request’ is either, however I have had a wordpress blog hacked before and it was a real hassle getting it back up and running again (luckily I had recent backups). So I am installing the plugin and hoping it can stop anything like that happening in future!
I’m not confident about editing the .htaccess file, but I’ll use the plugin.
K.
Tigara electronica
April 4, 2011 at 7:21 am
The Internet is not secure; if hackers managed to break into CIA and NASA accounts, be sure they can hack your blog, however you protect it!
chat
April 7, 2011 at 7:07 pm
thxadmins..
meter data
April 10, 2011 at 2:55 am
The problem with the best hackers is they try to frame others.
Steve
April 12, 2011 at 1:49 am
Thanks for the tips above. I really had no idea that a wp blog can be hacked this way. I am going to secure my blogs.
thanks 🙂
Steve
Rosana
April 14, 2011 at 2:44 pm
Thanks for sharing this post, but I don't agree with you.
Franz V. Hurtado
April 19, 2011 at 9:45 am
Nice article! You can get more information about a successful poet by reading about Franz V. Hurtado. He is a great poet. He knows new technology about poetry.
Mark
April 19, 2011 at 8:58 pm
Great post and excellent advice for every blogger on security topics. Security is the key!
Thanks a lot from Argentina.
Sheila D. Miles
April 21, 2011 at 7:58 am
I was hacked twice, and had a hard time putting pieces back together, being a non-techie added on the grief. Very nice Info, I will definitely use the code you posted.
Justin King
April 27, 2011 at 7:57 am
I think this is a very helpful article which shows hacking of WordPress blogs from top to bottom. Very informative and useful to beginners.
Dan W
April 30, 2011 at 9:38 pm
I’m not sure I understand all of this but I will follow your instructions to get some protection. Thanks much.
jim
May 3, 2011 at 9:10 am
Thank you for this! I recently came under attack and it was not fun; had to get my host involved over a simple WordPress security flaw..
DrawBloodPoker
May 5, 2011 at 12:35 am
Guys like you are smart, how come WordPress does not listen to you?
buat situs gratis
May 6, 2011 at 5:10 pm
I found this information useful, especially for my blog. Thanks
Ashley Morrison
May 18, 2011 at 12:11 pm
I'm having no end of problems with my WordPress blog. I think it may have been something I'd done rather than a virus or hack. Will play with it and will let you know if I fix it.
akash rana
May 20, 2011 at 6:27 pm
nice work, you work a lot on your posts!
akash rana
May 20, 2011 at 6:31 pm
nice work, you work a lot on your posts!. carry on
akash rana
May 20, 2011 at 6:36 pm
nice work, you work a lot on your posts! i hope want to more good in future
Mike Strong
May 23, 2011 at 12:33 pm
I see this post is old so not sure if this is gonna save. Quick question: was the first script a plugin? Should I follow that link and get a plugin there? And the 2nd, the .htaccess; is that an alternative, just choose one or the other?
And if I use the .htaccess, does it matter where it is in that file; does it need to be first?
Thanks in advance.
portland acupuncture
May 23, 2011 at 3:56 pm
Thanks. I never thought of using the .htaccess in that way. That’s extremely helpful!
Gesund Abnehmen
May 25, 2011 at 1:45 am
Thanks for sharing. Nice job
Evenimente
May 26, 2011 at 1:25 am
Great first post! Congrats!
Kang Yahya
May 27, 2011 at 7:26 am
Nice tips and trick.
I like this blog.
Statecollege Computer Repair
May 28, 2011 at 6:44 am
Welcome to the site. And you are right about hacking. Nowadays hacking is becoming more and more common.
frank
May 31, 2011 at 9:35 am
Thanks for the wordpress tips. I will use these for sure!
Limo Steves
June 7, 2011 at 2:32 am
I was looking for such information for a long time and I am glad that I finally came here! Thanks for sharing such information with us.
WordPress
June 10, 2011 at 7:57 am
It seems that I’ve already installed that plugin. By the way thanks for the info. Looking for more related posts.
Ganar Dinero
June 10, 2011 at 1:36 pm
I've never commented here, but have been reading and following your posts for almost one year.
Thanks for all the valuable information you spread through your posts and hope you continue to do the great job.
Peter
June 14, 2011 at 11:31 am
Hi,
Excellent blog, congratulations.
Regards
Peter
Ralph T. Burlingame
June 19, 2011 at 11:36 am
I was hacked twice, and had a hard time putting pieces back together, being a non-techie added on the grief. Very nice Info, I will definitely use the code you posted.