Patrick Stewart as Locutus, the assimilated Jean-Luc Picard (Photo credit: Wikipedia)

notice that it’s still up and running just fine – there’s reasons for that, and I’m going to help you keep yours up and running, too.

Not familiar with the term “BotNet”? I’ll simplify a bit here: it’s a group of computers controlled by a third – usually somewhat unknown – party running a specific set of programs or scripts. What’s most important is that it’s a group of computers, not single computer you’re up against.

The disadvantage is simple: you can’t just block a single computer to solve the problem. The advantage is that the botnets aren’t super-sophisticated. They have a pre-defined set of scripts they run (though, some of them are able to be updated on the fly) looking for an easy way in most of the time.  Right now, the one that’s attacking MidnightRyder.com (and some of our customer sites) is attempting to find weak passwords – it’s looking for ways to log into the site, then, turn it into a member of the botnet.

Even if your site doesn’t become compromised and join the Borg, there’s another problem with such attacks:  if you’re on a server that isn’t particularly powerful (for instance, some share hosting environments – which means most of the $10 / mo. and less environments) the extra load could bring your server to it’s knees. At my last check, 5,000 separate machines had made at least one attempt at hitting this site.

Why do they do it?  Well, that’s well beyond the scope of this quick little article.  I may write something about it later, but, heck, you can Google information on that

We’re not going to block against JUST this botnet though – instead, let’s try and block against a wider range of threats than just the current one knocking on our door.

No one security method is perfect, so let’s steal from a concept called “Defense in Depth” – we’re not going to focus on using a single fix for the problem, instead, relying on multiple tools that do different jobs. (Quick note:  this is an article for those without much knowledge of security – you might learn something new, like the use of WordFence, if you’re already familiar with security, but this doesn’t cover extremely detailed scenarios, nor does it cover every possible scenario.)

CloudFlare For Defense & Load Reduction

First, let’s add a new tool if you’re not already using it: CloudFlare.  It’s going to do two things for us – first, if you don’t already have a good caching system (or don’t know what one is), you need CloudFlare installed.  In fact, it’s better than most of the default WordPress caching systems, because it acts as a cache outside of your hosting environment.  If you’re on a shared hosting account somewhere, then you’ll probably notice something awesome after you install it:  you’ll see a new burst of speed on your site!

Using CloudFlare with WordPress based sites is pretty simple.

• First, sign up for a free CloudFlare account
• Second, Install the CloudFlare plugin for WordPress
• Third, follow the instructions in the Plugin

On certain hosts, it’s even easier than that – no need for a WordPress plugin.  For instance, on DreamHost, go under Manage Domains, click your domain, and hit the checkbox for CloudFlare.  It handles the rest.

While CloudFlare’s primary job is to act as a cloud based content distribution network (CDN), it’s going to give us one of our first extra layers of security.  See, CloudFlare tries to act as a first line of defense by blocking known-bad stuff: bad URL’s, servers that are known to be compromised, things like that.  I said before that around 5,000 machines had attempted to attack MidnightRyder.com.  In reality, the number is almost twice that – CloudFlare has stopped 4,700+ attempts before they even got to this site!  So, in 36 hours, almost 10,000 attacks have been stopped or mitigated (but, the normal traffic for MidnightRyder.com, which is more than most small time blogs see, continues without a hiccup.)

Which means that CloudFlare helps to defend the site, reduce bad traffic, and keep our site up and running even when it’s under attack or would normally be overloaded with traffic.  Oh, and heck, let’s throw in one more thing – it also acts as a bit of a barrier against comment spammers. That’s a heck of a tool!

Server Side Protection

Now, for our next trick: some web hosting environments give you an option for “extra security”.  It’s basically just some configuration changes that are made to your site for you. I won’t dig into the nitty gritty of what it is, how it works, etc.  Instead, I’m going to tell you what to look for.  If you’re running on DreamHost, for instance, go in to the “Manage Domains” area of your control panel.  Click on your domain, and make sure the entry called “Extra Security” is checked.  Save your work, and in about 5 minutes, your server configuration will be tightened up a bit.  It’s not a huge change, but one worth making.

Now, if you’re on another hosting provider, you might wonder where it’s at.  Well… look for something similar.  Honestly, there’s no standard for it – do a little digging in their help, and you might find it

WordFence

Similar to CloudFlare, WordFence gives us a free and a pay option.  For the most part, you probably don’t need the pay option.  Install the WordFence plugin, then go to the WordFence site and create an account, and follow their instructions for getting an API key, and place that in your WordFence options.

For the most part, you’re done.  You could call it good right there, and be done with it.  But… I like to tweak this part out a little bit.  On your site, go under WordFence -> Options.  First, put an email address in the Basic Options area.  Don’t worry about the rest of the Basic Options, let’s move on to Advanced.

Here, we get some cool tools to play with.  Under Alerts, check all the boxes.  This does a couple of things.  First, if someone it attempting to login under an invalid account, the system is going to email you (and lock them out, based on configuration changes we make here shortly).  It’s going to give you a hint that something might be going on.  But the big hint is the admin login – if someone logs in as an Admin, and you’re the only person who has access to your site, but you see an email when you’re not actually logged in?  You know something just went wrong, and you can start scrambling to try and fix it.

The next section, Live Traffic View is kind of cool, but it’s a bit of a novelty, really.  You’ll probably never get to do much interesting with it, so it’s only going to take up CPU time and disk space.  I have mine turned on just because I like to watch the traffic, but acknowledge that I’m not going to do much with it.

Under Scans to Include, turn them all on (except the subscriber only one, if you are using a free account).  We’ll run a scan here in a bit, but let’s finish configuring this all first.

Under Firewall rules, hit Enable Firewall Rules and Immediately Block Fake Google Crawlers

Under Login Security, enable it.  Make sure Immediately Lock Out Invalid Users and Don’t reveal valid usernames is turned on.

Now, then, go down and hit Save Changes at the bottom of the page.

Great – now we’ve got a couple layers of defense working for us.  CloudFlare stops a portion of them, then WordFence tries to stop those that get through the front line.  Not too bad, really.  It’s not perfect, and a determined hacker could probably make his way through our defenses if 1) he’s good, and / or 2) he’s determined enough.  Some people will refute what I’m about to say, but I’m going to say it anyway:  no matter how much security we put in place, no matter how tight we wind it all down, someone can find a way around it.  Even InfoSec (Information Security) guys get owned from time to time.  We’re just trying to make it harder, and block the most prevalent threats. We’re also giving ourselves some heads up when it looks like something might be going wrong!

Updating Plugins & Themes

You notice I didn’t say to scan your site with WordFence just yet, right?  There’s a reason for that – we need to make sure all of our plugins are up to date.  This is something you should be doing anyways – all themes and plugins used in WordPress should be kept up to date at all times.  From time to time, plugin and theme authors make a mistake – they’re only human.  When it’s found, they update it, and if it’s a security issue, we need to make sure our system is updated, too.  That’s one less place someone might be able to get in.

So, under plugins, look and see if any of them say they have updates available.  If so, click update on them.  See, that was easy.  Same goes for themes.

One thing though – if you have extra themes or plugins that are installed, but aren’t currently active (and you don’t plan on making them active in the future), go ahead and delete them.  That’s one less potential point of entry, and one less headache we have to keep updating.

WordFence Scanning

OK, now that we’ve updated everything, let’s make sure our system is health.  Go to WordFence -> Scan, and click on Start A Scan.  Now, let it do it’s thing.  If you’ve got a lot of articles, or are on a slow system, this may take a bit.  Have a cup of coffee, or whatever, and relax for a bit.  ’Cause, see, WordFence does something pretty cool:  you don’t have to sit in front of the website waiting.  While It does have a display of any problems it finds, it will also email you the potential problems!  How awesome is that?

And, now that WordFence is installed and configured, once a day it’s going to scan your system for you. If anything new comes up, it’s going to email you and tell you what the problem it found is.  The most common one you’re going to see?  That you need to update plugins.  (That’s why I had you update everything first  As new updates for your installed plugins come out, WordFence is going to warn you about them, once a day.  It’s a great way to make sure you stay on top of fixing those!

Conclusion

This is by no means an industrial strength guide to security.  It’s a “Good Enough For Now” guide to securing WordPress.  But, to be honest, it’s more likely than not enough to keep your site from being borgified by the existing Botnets, protects from from some hackers, speeds up your site, and gives you a little extra protection from comment spammers.  Not bad for something that only takes 20 – 30 minutes to configure!

How do you protect against all possible threats?  Well… first, you’d have to get a pretty solid education in Information Security, and even then it’s a ever changing field as new technologies and new bad guys pop up.  And, as I’ve mentioned before, there’s no way to defend against everything.  I may write a couple more articles on how to further batten down the hatches at some point, if there’s demand for it.

Works with PhoneGap (Photo credit: Brian LeRoux)

A while back I did a little hacking on iScroll 4, which I use quite a bit for PhoneGap based applications (though, it works nice for anything mobile except Windows phones. IE doesn’t like iScroll).

iScroll is becoming a bit less necessary (particularly after iOS 5 was released, which made some changes to mobile Safari), but I still use it for a couple of nice features.  One feature I always feel is lacking – I can’t tell it to specifically scroll to an ID.  I can define an element and do it that way, but it’s not quite as convenient.  So, here’s a quick function at adds scrollToId functionality:

    scrollToId: function (el, time) {

        var that = this, pos;

        el = document.getElementById(el);

        if (!el) return;

        pos = that._offset(el);

        pos.left += that.wrapperOffsetLeft;

        pos.top += that.wrapperOffsetTop;

        pos.left = pos.left > 0 ? 0 : pos.left < that.maxScrollX ? that.maxScrollX : pos.left;

        pos.top = pos.top > that.minScrollY ? that.minScrollY : pos.top < that.maxScrollY ? that.maxScrollY : pos.top;

        time = time === undefined ? m.max(m.abs(pos.left)*2, m.abs(pos.top)*2) : time;

        that.scrollTo(pos.left, pos.top, time);

    },

Pop this between scrollToElement and scrollToPage in iscroll.js.

Yes, I could just do “myScroll.scrollToElement(document.getElementById(“top”))”, but myScroll.scrollToId(“top”) looks a little nicer when I’m whipping through a ton of code looking for something specific. Just a preference thing, really.

I post it here for a funny reason: I upgraded iScroll in a project, and then couldn’t figure out for about 30 minutes why it no longer scrolled properly. And then I had to hunt down my older version of the project… so, as not to loose it again, I popped it on here. Plus, if anyone else is wondering a good way of doing it… well, there you go

I’m sort of excited to see what the author does with iScroll 5 – I still find myself integrating it into PhoneGap / Cordova projects frequently.

DreamHost Logo (Photo credit: Wikipedia)

10 years ago I got burned by my host.  Almost without warning, they went out of business – I didn’t have a whole lot of time to evaluate who I

wanted to move to, so I did some quick Googling.  Well, actually, I didn’t Google it.  At that time Alta-Vista would have been the major search engine, and saying I Alta-Vista’ed it doesn’t sound quite right.

Anyway, a hasty selection was made, and away I went.  At this point it was the second host I had to move from – the previous one I fired due to downtime problems.  DreamHost was a bit different back then… now, $8.95 buys you unlimited everything in a shared hosting environment (cheap, but it’s still a shared hosting environment.)  Back then, $9.95 bought you 150 Mb of disk space and 20 Gb of transfer space, along with quite a few other limitations.

But, honestly, it was one of the better price -vs- performance places I had found, so I ran with it.

A bit over 10 years later, I’m glad I did.

As DreamHost grew, I managed to find a few good ways to improve my service level for next to nothing.  The $9.95 / mo., Level 1 account I had ended up upgraded to a $39.99 / mo. Level 3 “Code Monster” account for free, giving me extra goodies for the original $9.95.  I stuck with that a while, and gnashed my teeth from time to time when the server acted a little slow.  Though, DreamHost had an interesting trick – even with the free upgrade I got, ever month my account was being credited with more disk space and more transfer.  How cool – a company that rewards users for sticking with them!

When they introduced the VPS (Virtual Private Server) setups, I jumped at it, and loved the improvements.  It was faster, and had better storage and bandwidth.  Not bad, though now if you look at a shared server account it’s completely “unlimited”.

Before my next upgrade happened, DreamHost started hitting some bumps, around 2006 – 2007 range.  From time to time the mail server was down, or the webserver, or just the (incredibly important) MySQL server.  DreamHost seemed to be cracking.  I had fired one host already because of such problems, but two things happened:

1)  They rewarded customers.  That’s pretty rare, really.  Most companies might reward NEW customers, but not existing ones – once they have your money, why try and give you more stuff?

2)  Customer service was good.  They weren’t amazingly fast at answering messages (no host I’ve ever dealt with is fast with answering messages. I’ve seen some “We’ll look into that” type responses from other hosts before, but that’s just putting you off in the queue – their response time for actually fixing an issue was about the same as DreamHosts.)  But they were polite, thorough, and generally did a very effective job.

I stuck with it.  That last part about doing an effective job?  That was rare for a while with hosting companies.  Heck, POLITE was rare for quite a while!

I started telling customers about DreamHost.  I do keep my own hosting environment, but there’s a number of customers who would rather handle it themselves.  So, I give them a quick primer on how to use DreamHost’s control panel, and it was simple enough they never needed me again.  Which was a big change for some customers that were struggling with obsolete versions of CPanel (a popular control panel system for hosting environments) – they LIKED DreamHost’s panel!

Then, this last year I took the plunge:  I moved to my own dedicated server.  Best decision ever, for me, even if it did cost me quite a bit more per month than my VPS setup.  My own machine setting there, with my own resources that I didn’t have to share with other customers, and I still had their support people behind it.  Groovy.  This helped me improve my presence – see, I was always too cheep to slide the resources slider to a higher number (VPS setups let you change how much you spend per month on the fly.  Increase your resources, for instance, and a slow WordPress based site suddenly gets a serious increase in responsiveness.  But it costs money.)  With the dedicated server it cost me more, but I knew how much it would be every month, and I didn’t have to have debates with myself over if I was going to spend an extra $10 / mo. to move the slider another notch!

Around they same time they began a few projects to improve their network and uptime, plus apparently some more projects that would give DreamHost a whole lot of neat new options to much bigger developments.  I’ll get into those in a minute.

I know of a number of quality hosting companies.  RackSpace, HostGator (Hi, MadHatter McGinnis!), and quite a few others are good.  But, for me, DreamHost has been pretty good on a consistent basis over the last 10 years.  When I look at the downtime I took for a while, I’m still not happy about it, but sticking there seemed to have paid off in the end:  they’ve managed to become a very, very solid hosting company.

Then they started making things even cooler after my dedicated server.  One-click CloudFlare integration was a cool idea, and it saved me from having to jump through any hoops to setup some powerful caching for WordPress based sites.   Then Railgun implementation on top of that (Railgun is a fast way for CloudFlare CDN to get updates about dynamic content, speeding up the process of updating the cache.)

Then came DreamObjects, which might end up being the right product at the right time.  Not long after they released their cloud based storage system a company I deal with often had an idea, and pitched it to me.  I had turned them on to DreamHost in the first place, so when I did the writeup for their project that required cloud based storage (something I never thought I’d have to deal with!), I made sure they knew DreamHost was providing the server, and they were happy to hear they weren’t going to have to go anywhere else to get services! (And, when that project ships, I’ll finally write a Project Blog entry about the whole process, from the tech writeup to actual implementation.  It’s fun!)

So what takeaways are there from this article?  What is it that can keep a customer, even when things aren’t going right?

•   Good service.  Be polite.  Don’t blow people off.  Don’t let the customer tick you off.  And most of all, make it happen. (BTW:  All three of the hosting providers I have mentioned – DreamHost, RackSpace, and HostGator – are all noted for having good, polite customer service that gets the job done.)
•   Reward your customers.  A one time discount for signing up is nice, but it’s going to be forgotten.  When they were giving me extra bandwidth and storage every month for being a customer back when it was limited, that’s a great way to remind me every month that they wanted to KEEP me as a customer.
•   Have your customers do some of the marketing, and reward them.  DreamHost (and others) have a nice system of rewards – when you refer someone to them, and they sign up, you get a kickback.  And, even better, you continue to get kickbacks from the new customer as they pay their monthly bill!  I don’t get enormous kickbacks from it or anything, but it’s nice that I get to defray costs from time to time.
•   Communicate with your customers.  When DreamHost has had downtime events, they didn’t hide it.  The last one they had was rather interesting:  the building they were in lost power.  No problem, it has a UPS (Uninterruptible Power Supply) – not their UPS, but the building’s UPS.  Unfortunately, the UPS was interrupted by a bad mechanical switch.  Oh, and so was the backup UPS.  And when it did come back online, it fried both of the routers.  They ended up with a whole string of troubles in their LA hosting location (they have three locations.)  How do I know all that?  They told me, and anyone else who bothered to read their status updates.  I’ve also seen them mention their problems in their monthly newsletters, too.  They don’t hid it when they have a problem.  The previous two hosts I had did.  In fact, one would deny there had ever been a problem.
•   Keep improving.  Just because you’ve got a solid number of customers doesn’t mean you should let yourself get stagnant.  DreamHost made a lot of good decisions that helped customers have a better experience (and, some of those also came back to DreamHost – one-click CloudFlare implementations meant that their servers would take just a bit less traffic, and more of it would be sent through CloudFlare instead!)  They also have been improving their network (they just got through tonight with their final major upgrade in their current upgrade series) and providing pathways to new technologies, like cloud based storage and cloud based computing.

None of those should be a mystery for a successful business.  But, how many companies to I encounter that fail in at least one of those categories?  Way too many.  More of them fail in at least three categories than succeed in at least three categories.

If you are looking for some hosting space for a new website (or moving your old website from someplace like GoDaddy.  Please, PLEASE, if you use GoDaddy, ditch them), I do have some discount codes for ya And, yep, I get some kickbacks from them.

First, if you don’t care about any of the rewards below, you could just click here, and I get a kickback if you sign up.  Seriously though, I’m not sure why you wouldn’t rather have the freebie stuff?  Anyway, when you sign up, just use the following codes:

DAVISGIVESDOMAIN – gives you a $10 discount on one year of hosting, or $20 on two years of hosting, plus an extra free (for life) domain name

DAVISGIVES – gives you a $50 discount off of one year of hosting!

There ya go – free stuff

Davis Ray Sickmon, Jr

Midnight Ryder Technologies

In this case, I had to re-visit some old territory:  opening a link inside of a PhoneGap app inside of mobile Safari.  See, they changed things on me… again.  This is the third time now.  Bummer.

No one seemed to have a good answer for how to do it properly, but after a little digging, I found the solution.  First, we need to set up the whitelist, sort of like in previous PhoneGap version, but it now resides in a new place – look for it in AppName/config.xml.  The default basically allows you to launch any site, which is what I wanted.  Convenient!

Now for the less convenient part:  no one seemed to have an answer to how to actually launch the URL properly.  To launch a URL that exits the app and launches in the native browser, use this:

<div onClick=’window.open(“http://www.midnightryder.com”, “_system”);’>

Pretty groovy… now if it was only documented somewhere.  BTW, that _system part?  Real important.  you could use “_blank”, and you’ll end up launching the inAppBrowser plugin instead, and your destination URL will launch in your app with a “done” button at the bottom.  Which, well, is actually pretty handy – it makes the inAppBrowser plugin pretty easily accessible with no setup needed.

A perfect desktop image for CSS developers (Photo credit: Wikipedia)

I like some of the stuff that they’ve done with Jetpack plugin for WordPress – it’s definitely one of those “get a lot done, quickly” plugins that throws in quite a few of the pieces of functionality you need for a solid WordPress site.

One of those handy pieces is Sharedaddy. That’s the bit that allows you to add Twitter, Facebook, Pinterest, Google+, and a ton of other social sharing / bookmarking items to every post.

Now comes the problem: sharedaddy likes to be way too good at what it does. I don’t need it to show all the sharing links in, say, a list of all the posts in a category, or when using the MF-Timeline plugin. Unfortunately, Sharedaddy doesn’t have a way of turning it off.

Fortunately, Jetpack does have a something we can use to help fix that. Under Appearance -> Edit CSS it’s got a handy little CSS editor that lets us turn off that extra mess.  But… we’ll need to do a little bit of work to know where we need to turn it off at.

If you’re not familiar with CSS, it’s a quick way of setting a piece of code that determines behavior and characteristics for a specific HTML item, or items (or, even a class of items.)  I’m not going to give ya’ a whole CSS tutorial here – there’s better places for that, and it would take too long.  But it boils down to this:  we need to know what the name is of the area holding the post information that we want to remove the sharedaddy links from.  Um… that wasn’t confusing at all, right?

If you’re using Chrome or Safari, look up how to enable the Developer menus, and how to examine specific on-screen element (in Safari, once the developer menu is turned on, you can right-click on anything on the website and select “Inspect Element” to see all sorts of neat stuff about what’s going on behind the scenes.)

Now, once you’ve got that, here’s the quick way to make the sharedaddy stuff go away.  For instance, if you’re using the MF-Timeline plugin, you can put the following in the Edit CSS section, and it goes away:

.timeline .sharedaddy {

display: none;

}

For those who know CSS… well, you probably already got how to pull this off, and what the above statement means.  For those who don’t:  .timeline is the name of the CSS class that MF-Timeline uses to build up it’s Facebook-style display.  If we had just put .timeline and no the .sharedaddy part, it would make everything about the timeline go away (display: none; is what does that part.  It’s literally saying don’t display this information.)  Using .timeline, then .sharedaddy means anytime you encounter .sharedaddy inside of .timeline’s display, .sharedaddy shouldn’t display.

Pretty simple, once you get the hang of it.  CSS is fun stuff that can make your site look wonderful, and make you pull out your hair at the same time.

To see it in action, here’s the Timeline display on my blog site (note:  it’s slow – it’s pulling in half a million words worth of posts all the way back to 2000.  I need to write some caching into MF-Timeline someday.)

Another quick example is using one of the Category Posts plugins in a widget area.  In this case, it’s setting inside of a UberMenu 2.2 menu item.  To shut up sharedaddy on that area, it took the following:

.cat-post-item .sharedaddy {
display: none;
}

.cat-post-item was the Category Post widget’s CSS class used to display posts inside of a widget area.  You can see it in action at Bluebird Arthouse’s site by mousing over (or touching, if you’re on an iPhone or Android phone) Blogs & Links – the blog area loads in the menu.

See, piece of cake!