Two New Web Sites

I’ve finished two new web sites, and continue with updates on a few more. I am also working on a WordPress plugin to prevent spam-bots from abusing comment forms. That one is a bit more tricky, but useful knowledge.

The two new sites are WordPress-based.

John D Brown Author Site : this is the author’s official site. I found his site when I read his book “Bad Penny”. It is a thriller, with a “Jack Reacher” type character. I enjoyed it, and went to his web site to see if there were other books in a similar vein. While on his web site, I emailed him to suggest a few design changes for his site. And ended up doing a customized rewrite of his site into a ‘responsive’ site that looks good on any device – laptop, phone, desktop, etc. Along the way I increased my WordPress customization expertise, creating changes in a child theme plus adding additional customized functionality. He and I were pleased with the results. And it let him concentrate on writing the next book with the same character as “Bad Penny”.

The Hot Box Grills site is an e-commerce site that sells a nice tailgate/picnic portable grill. Well made and sturdy, and works quite well as a portable grill, according to his satisfied customers. His previous e-commerce site wasn’t working well, and was hard to manage. The new place has a responsive theme, and I am working on his SEO stuff. If you are looking for a great portable BBQ grill for picnics, camping, or sporting events, check it out.

Changing WordPress Admin Email Settings

(for my notes, but useful information)

This code block will set the email name and address that is used by WordPress administrative emails, like password reset requests or other notifications. Change the two values as shown; the ‘notes’ in the code explain everything.

<?php

/*
change the from name/email on all site emails
 based on http://premium.wpmudev.org/blog/wordpress-email-settings/
        - by Rick Hellewell, Cellarweb.com, 21 Jan 2015
        - Copyright (c) 2015 by Rick Hellewell, Cellarweb.com

    SETUP/INSTALLATION
        - change two variables for the name and email address to be used in site/admin emails
        - place this entire code in child theme functions.php
            - we do not recommend changing the functions.php file in your theme, as a theme
                update will eliminate this additional code

    NOTES:
        - note that the email address should be valid and match your site domain
            or emails may end up in the recipient's spam folder
        - the 'from-email' is set in the Options, General screen, and stored in the admin_email
            row in the options table
        - there is no corresponding field in the options table for 'from_name', so we use the
            wp_mail_from_name filter to add our 'from_name' value to be used in admin email,
            rather than the default 'WordPress' that is built into the pluggable.php core file

*/
// --------------------------------------------------------------------------------------
$from_name = 'PUT YOUR NAME HERE';
$from_email = 'PUT THE EMAIL ADDRESS HERE';

// Each filter callback is handed WordPress's default value ('WordPress' and
// 'wordpress@yourdomain'); we ignore it and return our own. The two variables
// above must be pulled in with 'global', otherwise a parameter with the same
// name would shadow them and the default would be returned unchanged.
function set_email_name($default_name) {
    global $from_name;
    return $from_name;
}
function set_email_email($default_email) {
    global $from_email;
    return $from_email;
}

add_filter("wp_mail_from_name", "set_email_name", 9);
add_filter("wp_mail_from", "set_email_email", 9);
// --------------------------------------------------------------------------------------
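As an added example (not code from the original post), here is a variant of the same two filters that also checks the configured From address against the site’s own domain, since the notes above warn that a mismatched address lands admin mail in the spam folder. It assumes it sits in the child theme’s functions.php like the snippet above; the two constant values and the cw_ function names are placeholders.

```php
<?php
// Added example, not code from the original post: the wp_mail_from /
// wp_mail_from_name filters with a domain-match check. Assumes it is loaded
// from the child theme's functions.php; the two constants are placeholders.

define('CW_FROM_NAME',  'PUT YOUR NAME HERE');
define('CW_FROM_EMAIL', 'PUT THE EMAIL ADDRESS HERE');

// Host part of an email address, lower-cased; '' if it is not a valid address.
function cw_email_domain($email) {
    if (!is_email($email)) {          // WordPress core validator
        return '';
    }
    return strtolower(substr(strrchr($email, '@'), 1));
}

// True when $email is on the site's domain (taken from home_url()) or a subdomain of it.
function cw_email_matches_site($email) {
    $site = strtolower((string) wp_parse_url(home_url(), PHP_URL_HOST));
    $site = preg_replace('/^www\./', '', $site);
    $mail = cw_email_domain($email);
    if ($site === '' || $mail === '') {
        return false;
    }
    $suffix = '.' . $site;
    return $mail === $site || substr($mail, -strlen($suffix)) === $suffix;
}

// Filter callbacks receive WordPress's default ('wordpress@<host>' and 'WordPress').
function cw_set_email_from($default) {
    if (cw_email_matches_site(CW_FROM_EMAIL)) {
        return CW_FROM_EMAIL;
    }
    // Misconfigured: keep the core default and leave a trace in the PHP error log
    // rather than silently sending from an address that will be flagged as spam.
    error_log('wp_mail_from: configured address does not match the site domain');
    return $default;
}

function cw_set_email_name($default) {
    return CW_FROM_NAME !== '' ? CW_FROM_NAME : $default;
}

add_filter('wp_mail_from',      'cw_set_email_from', 9);
add_filter('wp_mail_from_name', 'cw_set_email_name', 9);
```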


Web Sites

With all my extra time (now that I am retired), I have been working on various web sites. Most (if not all) of the web sites are for my own amusement, but there are a couple that are more widely read. (You could count the readers of my personal blogs – or visitors to my web sites – on the thumbs of one hand.)

I helped Dr. Jerry Pournelle launch a reboot of Chaos Manor Reviews (at www.chaosmanorreviews.com). This is a continuation of the computing columns that he started at the now-defunct Byte magazine back in the 1970s. I have enjoyed reading them over the years (yes, I am that old), and rebooting the columns into a new format was fun.

I also maintain his “View from Chaos Manor” site at www.jerrypournelle.com/chaosmanor. Both are WordPress sites, with a minor bit of customization.

I have been increasing my knowledge of WordPress theme styling with a relaunch of the “FoodieFeeds” site (at www.foodiefeeds.com). This takes RSS feeds from enrolled food blog sites, and displays excerpts of their content. I only grab the first 50-odd words from the site (along with one picture, if available), and then link back to the food blog site. The site uses the ‘masonry’ design, which is similar to what Pinterest uses, and I think it looks much nicer than the previous incarnation of the site.

The FoodieFeeds site is using a ‘child theme’, which allows me to more easily customize a theme. This is turning out to be a good thing to do on my various web sites.

I also have another site that amuses (only, apparently) me. It got a redesign also, just in time for the fall/Halloween season. It contains rules that you will need to know during the upcoming Zombie Apocalypse. The site is “Rules for Zombies” at www.rulesforzombies.com. I am amused by the content, and also the blood-splattered design.

I am also working on an update to the Form Spammer Trap (at www.formspammertrap.com), which is a form spammer bot-blocking technique that I have developed. I think it is quite successful in blocking form spam content. (It is implemented on this site.) Wherever I have put it, the form spam stops immediately.

I also modified the commenting system of the Chaos Manor Reviews site to include that Form Spammer Trap functionality. I plan on figuring out how to implement that as a WordPress plugin.

So, I am kept easily amused by the various web sites I have. Along with changes to my personal lifestyle (no, not that) due to my recent Type 2 Diabetes diagnosis. You can read all about that on my personal blog at the Digital Choke site: http://digitalchoke.com/digitalchokeblog/.

Gmail Password Breach? Not!

Ignore all the breathless media panic about Gmail passwords being exposed. See the Google Security Blog here: http://googleonlinesecurity.blogspot.com/2014/09/cleaning-up-after-password-dumps.html

Do follow the recommendations in the Google Blog: enable two-factor authentication, use a strong password, don’t use the same password, etc.

The only site to check if your email address has been ‘found’ is https://haveibeenpwned.com/. This site is valid and honest.

Using INI files on PHP sites

I’ve built some personal web sites using PHP. I’ve been working on one site that I hope to bring public soon. The site will contain some personal information that must be encrypted. So I have been using code that is (hopefully) secure from potential exposure. There is data stored in a database, and some of that data will need to stay confidential against any outside hacks. The intent is to write code that stores data securely, even if the source code files are compromised. Of course, it is difficult to achieve that level of security, but there are techniques that help with it.

One of the techniques, which I am documenting here (mostly for my own benefit), is to have some variable data used by the code pages stored in an area away from normal web access. Think of the credentials used for database access, for instance. That is data that needs to be used by the code, but should not appear in the code files that use the data. So we need a way to store the variable data in an outside file for use by any code page that needs it.

There are several steps involved in this. First, we need a plain text file that contains the variable values. The data is stored in an array; in this example, the array is called ‘config’. Here is the file (parameters.txt) that defines the array containing the variables:

[config]
xProgram = "My Program Name"
xHeading1 = "The Heading 1 Text"
xHeading2 = "The Heading 2 Text"
xText = "This is the true text that belongs to the program"

Note that we have used double-quotes to surround text with space characters. That’s to ensure that there won’t be a problem (and an error) if the text string contains a reserved word (as in the xText value).

Reading the configuration file into a variable (let’s call it $xvariable) gives an array containing the arrays defined in the configuration file. So the $xvariable array will contain those four values. We can reference each value with code similar to $xvariable[‘config’][‘xProgram’], which will contain the value ‘My Program Name’ once you have read the file contents into an array called $xvariable. You can put multiple array names within the brackets if you need additional data arrays. And you might want to consider non-specific names for the variables, like using numbers instead of a descriptive name as shown above.

Now that we have created the parameters.txt file, we need a secure place to put it. Normally, you would want to place this file outside of the site root, but you may not have access outside of the site root on some shared hosting systems. So we will place it in a subfolder of the site root called ‘xini’. That means the configuration file will be accessed as ‘./xini/parameters.txt’.

With the file in the ‘xini’ folder, we need to protect that folder (and any files within that folder) from prying eyes. This is done by putting the following commands in an ‘.htaccess’ file. These commands will prevent access to any file with a ‘txt’ extension.

<FilesMatch "\.txt$">
Order allow,deny
Deny from all
</FilesMatch>

There are lots of other places that discuss .htaccess files, so go there if you need more info. (Note that Order/Deny is the Apache 2.2 syntax; on Apache 2.4 without mod_access_compat loaded, the equivalent is “Require all denied”.)

At this point, we have the configuration file built, stored in the ‘xini’ folder, and protected by the .htaccess file.

Next, we need a function to read the parameters.txt configuration file and make the ‘config’ array available to the other code pages. Here, we will use a function that we store in our functions ‘include’ file.

function show_ini() {
    global $config;
    // check that the ini file is there
    if (!file_exists('./xini/parameters.txt')) {
        die("Did not find the file.");
    }

    // file found, read it into the $config array; the second argument (true)
    // keeps the [config] section as the first array level, so the values are
    // reached as $config['config']['xProgram'] as described above
    $config = parse_ini_file('./xini/parameters.txt', true);

    return;
}

We just call the show_ini function at the top of the functions.php file (the code file that contains all of the functions used by the program). Since all pages ‘include_once’ the functions.php file, the config array will be available to all code pages.

Note that we use the ‘global’ command at the beginning of the function so that the config array will be available outside of the scope of the function. Another note: you will have to ensure that the page that calls the function can get to the file using the path you specify in the file_exists and parse_ini_file, so adjust that as needed. And some additional error trapping, or a more friendly ‘die’ process would be useful to add.

But the process allows you to store confidential information outside of the code pages. Of course, access to all of the site’s source code files will be a concern, but (hopefully) there are other protections against that exposure.

[added 3 Oct 2014]

Found that the ini file can contain ‘//’ or ‘/*’ and ‘*/’ pairs. But you can’t put any parenthesis or square bracket characters in the ini file. If you do, the parameters in the ini file won’t be read.
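As an added example (not code from the original post), here is a loader for the same xini/parameters.txt technique that returns the array instead of filling a global, reports missing, unreadable and unparsable files separately, and uses a constructed INI string to show the quoting point made above (an unquoted reserved word such as ‘true’ makes the whole file unparsable). The path, the function names and the sample text are assumptions.

```php
<?php
// Added example (not code from the original post): a loader for the same
// xini/parameters.txt technique that returns the array instead of filling a
// global, and separates "missing", "unreadable" and "did not parse" failures.
// The path, function names and the constructed sample INI text are assumptions.

// Read an INI file with sections, so $cfg['config']['xProgram'] works.
// Throws on any failure; the caller decides what the visitor gets to see
// (a die() with the message would show the file path to the visitor).
function load_ini_config($path) {
    if (!is_file($path)) {
        throw new RuntimeException('configuration file not found: ' . $path);
    }
    if (!is_readable($path)) {
        throw new RuntimeException('configuration file not readable by the web server user: ' . $path);
    }
    // process_sections = true keeps the [config] section as the first array level
    $cfg = parse_ini_file($path, true, INI_SCANNER_NORMAL);
    if ($cfg === false) {
        // parse_ini_file returns false (and logs a warning with the line number)
        // on syntax errors such as an unquoted reserved word (true, false, null,
        // on, off, yes, no) or stray ( ) [ ] characters, as noted in the post
        throw new RuntimeException('configuration file could not be parsed: ' . $path);
    }
    return $cfg;
}

// Fail early if a key the code pages rely on is absent or empty, instead of
// getting an undefined-index notice somewhere deep in a page later.
function require_config_keys(array $cfg, $section, array $keys) {
    foreach ($keys as $key) {
        if (!isset($cfg[$section][$key]) || $cfg[$section][$key] === '') {
            throw new RuntimeException("missing [$section] key: $key");
        }
    }
}

// True if $text is a syntactically valid INI file (warnings suppressed for the demo).
function ini_text_parses($text) {
    return @parse_ini_string($text, true) !== false;
}

// Constructed sample text: the same content, once with the double-quotes the post
// uses and once without. The unquoted "true" in the second version is a reserved
// word, which is exactly the failure the post's quoting rule avoids.
$quoted   = "[config]\nxProgram = \"My Program Name\"\nxText = \"This is the true text\"\n";
$unquoted = "[config]\nxProgram = \"My Program Name\"\nxText = This is the true text\n";
var_dump(ini_text_parses($quoted));
var_dump(ini_text_parses($unquoted));

try {
    $cfg = load_ini_config(__DIR__ . '/xini/parameters.txt'); // post's location, relative to this script
    require_config_keys($cfg, 'config', array('xProgram', 'xHeading1', 'xHeading2', 'xText'));
    echo $cfg['config']['xProgram'], PHP_EOL;
} catch (RuntimeException $e) {
    error_log($e->getMessage());      // the detail goes to the server log only
    http_response_code(500);
    echo 'Site configuration error.'; // the visitor gets a generic message
}
```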

The Internet Never Forgets

I had someone call me about their web site ‘disappearing’. All that was there was a ‘Parked’ page from the hosting place. It wasn’t a very important site, just a few pages with some pictures, and a few custom products that he sold. No blog, no custom programs, no databases, etc. And he didn’t have a backup of the pages. But he still wanted the site back. So I took a look at things.

I looked at the domain registration, and the domain name was still registered to him, with an expiration date that had not passed. The nameservers pointed to the web hosting place, which was as expected.

With the credentials for the hosting place in hand, I took a look at his hosting account. He had apparently used the hosting place’s ‘web creator’ to create his web pages. I couldn’t find any files anywhere. Apparently, the ‘web creator’ program stored them in a place I couldn’t get to. And it looked like he let the site hosting service expire. So since there was no content, the ‘parked’ page is now seen at the site.

The site would need to be rebuilt. And he didn’t have the source files for the site; but he wanted the site back up quickly.

So I turned to the Internet’s “WayBack Machine” (www.archive.org) to see if they had a cached copy of the site. They did, so I looked at the latest version they had (March 29, 2014). I opened up the main site page, grabbed the source code for each page (with a View Source), and plugged it into my HTML editor (I use Adobe Dreamweaver, but any HTML editor would have worked). I also copied the graphic images to my local computer. I did this for all of the pages that the WayBack Machine had (the entire site). Luckily, the site was not that complex (about 10 pages plus the graphics files) and a simple order form.

Then, I went into the Dreamweaver editor, adjusted the images links, rearranged the image files into a separate folder (the CF editor adjusted the HTML code for those links automatically). I then used the Dreamweaver ‘link checker’ to ensure that all links/images/etc were valid. All was well with my local copy of the site.

He wasn’t too happy with the hosting place (a small operation), so we set up an account at JustHost (disclosure: it’s what I use, and I’ve been happy with it; that link gives me a small commission on new accounts at the same price as their main link). Since the domain name was registered somewhere else, I went through the somewhat convoluted process of transferring the domain name to the new JustHost account. I also set up the ‘nameservers’ for the domain to point to the new JustHost account. Then I transferred the files there. I then checked the pages and links at the remote (JustHost) location, and the site pages worked properly.

After a short propagation delay (while all the nameservers in the world get the updated information), the site was active and visible.

The lesson here? A few points to consider:

  • Don’t Panic
  • If you have a web site hosted somewhere, pay attention to any notices about renewing services there (I am assuming that a notice from the hosting place may have gotten lost in his emails)
  • If the site is truly ‘gone’ from where it should be, Don’t Panic (again)
  • Use the “WayBack Machine” to find your site. It will probably be there. Perhaps not the latest version, but a place to start.
  • Use the techniques described above to rebuild your site and place it on your hosting location.
  • Backups of your site to an alternate location are always a good idea. That includes any databases used and any custom programs. For instance, I use a popular plugin to email me a daily backup of this WordPress site’s database.
  • Don’t Panic

The recovery technique worked, as evidenced by the reappearance of his web site. There may be some minor adjustments needed, and perhaps some content updated, and I set up a procedure for him to store site backups at an alternate location. But the technique will work.

The Internet Never Forgets.


Keeping Clean

If your computer is plagued by popups and other junk, you may have wondered how it got that way. Lots of different reasons, but here is what I do to keep my computer clean.

  • Whenever you search for something with any search engine, the first few results are going to be paid ads. Those results may look like what you want, but usually aren’t. I never click on the paid results on any search. They probably aren’t what you want anyhow.
  • Many times, those paid results are going to cause problems. For instance, if you search for ‘fixing something’, the ‘fixes’ you get when you click on a paid ad are probably going to make things worse. You’ll get a pitch for a ‘easy and free’ program to help ‘fix’ your problem. Just don’t go there. Ignore the paid results, and carefully look at the non-paid results to get what you were looking for.
  • Never click on a pop-up, no matter where it is. They are just trouble. Especially the ones that claim to be updates for some program (‘click here for an updated version of whatever to view this page’). Just don’t click.
  • Now there are times when a valid popup will ask you to update things. An example is a Windows update, or maybe one from your browser. Proceed carefully, Grasshopper. Windows Updates are good, and you should do them when they ask. But make sure that the update is for something you have, or is from the actual vendor site, not one that looks like it.
  • Wherever you go, tread carefully. Even a mainstream news site might cause a popup asking you to do something. Again, just say no.
  • If you need to install a program, make sure that you install it from the vendor’s actual site, not one that looks like it. And beware of add-in programs that come with an update. Adobe is a place where you will get additional programs when you try to install an update. Watch for those pre-selected check boxes for additional browser plugins or other programs. If you need to get an Adobe update, then do it, but don’t get all the extra stuff they try to force on you.

We’ve had other posts on how to keep your computer safe. Here’s the quick list.

  • Do the Windows Updates.
  • Make sure your antivirus is current.
  • Install Windows Security Essentials anti-virus program (pre-Windows 8; it’s built into Windows 8).
  • Install the free Personal Software Inspector program from Secunia to keep your other programs current.
  • Uninstall Java (unless you are sure that you need it).
  • Don’t use the same password on multiple sites.
  • Make sure your password is complex and hard to guess.
  • Don’t do financial transactions at a public Wi-Fi spot.
  • Be careful of public WiFi spots.
  • Don’t click on popups.
  • Do backups (I use an automated backup-to-the-cloud service – Carbonite).

With a bit of effort, you can keep your computer clean. And make your browsing life much simpler.

iDevice Ransom

The reports of ‘ransom’ locking of iDevices from Australia are starting to spread to other countries, including the US. The process involves locking your phone as if you had reported it stolen. The attacker changes the access PIN on your phone, and asks for $100 (US/Euro) to unlock.

One clear explanation is here: http://www.symantec.com/connect/blogs/apple-ids-compromised-iphones-ipads-and-macs-locked-held-ransom

Any iDevice user (not just iPhone) should immediately change the password on their Apple account, and also change the access lock code on their device. The above article has good advice on what to do to prevent the attack.

Heartbleed Thoughts – and a Phishing Warning

There is lots of noise on the interwebs about the Heartbleed vulnerability. Here are my thoughts on the whole thing, in no particular order:

  • This vulnerability has been around for two years, I believe. And there is no logging available that would tell you that you or a web site got attacked.
  • The Internet Storm Center (isc.sans.org) guys did raise their alert level to yellow, and strongly encouraged all site administrators to check and fix. But that applies to site administrators, not to “Aunt Minnie”.
  • Media reports that tell you you must change all your passwords immediately are overblown. Although it is a good idea to reset passwords occasionally, it might be better to wait on that for a few days. Of course, when you reset your password, don’t use the same one as on other sites.
  • ‘Watchful Waiting’ is probably the best action for individual users to take now. People should watch their financial accounts, perhaps change their passwords in a few days (which will let sites remediate as needed). And make sure that you don’t share credentials (user/pass) between sites.
  • It is probably good that site owners make sure their sites are not vulnerable, and patch accordingly.

But there is some excitability going on, and perhaps the risk to the user is not as great as the media would make it seem.

Here’s what I think:  *If* a site was vulnerable, and *if* you logged into that system, and *if* an evildoer did the attack after you logged in, then you *might* have your credentials stolen. And *if* you changed your password on a vulnerable site during an attack, your credentials *might* be compromised. But that is a lot of *if’s* to worry about.

Although the “Heartbleed” thing is a risk, my view is “Watchful Waiting” is a good idea, but “Don’t Panic”.

Now, you may start seeing some “Heartbleed Phishing” emails, with some dire warnings and helpful links for you to click on to ‘help’ you reset your password. In general, it is not a good idea to click on a link in an email, even if it looks legitimate. If you want to reset your password on a site, then go there by manually typing in the site link, logging in, and then change your password. Don’t click on those helpful links in any email.

In the meantime, keep practicing Safe Computing (see here for some hints). Don’t Panic; just be careful out there.


Redesigning and Testing

Over the holidays, I have set up a new theme for Dr. Jerry Pournelle’s Chaos Manor blog. The new theme is now ‘responsive’, which means that his posts are going to be more readable on mobile devices.

That was not without some minor issues. There are tons of themes out there, but it is difficult to find a theme with all of the features that are needed. In addition, Dr Pournelle is somewhat set in his ways on how to write content for his site. He wants more control over the visual look of his posts, so he needs to easily see how things look before he publishes.

When we first moved him to the WordPress platform, we had to move him away from FrontPage and into a visual editor. We decided on Windows Live Writer, which had the advantage of giving him a close approximation of the final look of his posts before he publishes. Live Writer had most of the features he needed, and for those he was used to (mostly fonts and how to get pictures into his posts) we figured out some workarounds.

With the new theme on his site, we have found that Live Writer has some shortcomings. One in particular: fonts. Live Writer offers the fonts that are available on his computer, but those fonts are not necessarily the same fonts available on the web site. So things would look as he wanted them on his local system (in Live Writer), but the published post would substitute different fonts for the ones he had selected.

So, I’ve been spending a bunch of time trying to find the ultimate combination of responsive theme with an editor that will show posts that will look the same while editing and when it is published.

So this site is the ‘test-bed’ of that search. The current theme is “Graphene”, which has lots of customization options. I’ve also installed the TinyMCE Advanced editor plugin. The combination of the two appears to be what is needed. The TinyMCE Advanced options allow customization of the editor screen. The Graphene theme seems to support having the published posts look like the post on the editor screen. The Graphene theme options allow for the customization of theme settings. Plus it is responsive, so it should look OK on mobile devices.

So, this place has changed the look, and it will change as I tweak things to get closer to the ultimate needs. And perhaps this will provide the features that Dr. Pournelle needs for his site.