URL Smashing

We run a few WordPress sites – some for us, and some for others. One of the things that we noticed on a couple of sites was that long URLs were visually irritating, at least to us. They seem to get in the way of the content, and sometimes ‘bleed over’ the content areas.

So we went looking for a solution – a plugin. And all the ones we found were not simple enough. They required you to enter special codes, or other irritating things. We wanted one that worked automatically. And we couldn’t find one that we liked.

The result – our second WordPress plugin – “URL Smasher”. It uses the goo.gl shortening service, so requires a Google API account, but those are free and easy to get. Once you set it up by adding your Google API key, and checking two boxes, any content that is saved – posts, pages, or comments – that have URLs get them automatically shortened.

It works quite well. Like the URL for the previous post. I entered the actual URL as text: http://goo.gl/zONLF7, and as a link. Each is automagically shortened when I save or publish the post.

You’ll find the plugin here at https://goo.gl/uJFb67 (also shortened).

We are quite impressed with ourselves.

FormSpammerTrap for Comments WordPress Plugin

My new WordPress plugin to block form spammers/bots is now publicly visible at https://wordpress.org/plugins/formspammertrap-for-comments/ . It blocks comment spam from ‘bots’ with a simple technique. It doesn’t have captchas, hidden fields, silly questions, or other things that don’t work. It just looks for ‘human activity’ on the comment form, and if a ‘bot’ tries to submit a comment, they immediately get sent to my FormSpammerTrap web site.

It uses the same techniques that I use for comment forms (more info about that here and here and here), but now it is a WordPress plugin, so it is quite easy to install and configure. And it is quite effective…I’ve never gotten any ‘bot’ spam on any site on which I have installed it.

The whole plugin coding process was interesting, and a good learning process. I’ve already got some enhancements in mind for newer versions. But I was quite proud of myself for getting this one to work…and that it is now available among the millions of other WordPress plugins.

Two New Web Sites

I’ve finished two new web sites, and continue with updates on a few more. I am also working on a WordPress plugin to prevent spam-bots from abusing comment forms. That one is a bit more tricky, but useful knowledge.

The two new sites are WordPress-based.

John D Brown Author Site : this is the author’s official site. I found his site when I read his book “Bad Penny”. It is a thriller, with a “Jack Reacher” type character. I enjoyed it, and went to his web site to see if there were other books in a similar vein. While on his web site, I emailed him to suggest a few design changes for his site. And ended up doing a customized rewrite of his site into a ‘responsive’ site that looks good on any device – laptop, phone, desktop, etc. Along the way I increased my WordPress customization expertise, creating changes in a child theme plus adding additional customized functionality. He and I were pleased with the results. And it let him concentrate on writing the next book with the same character as “Bad Penny”.

The Hot Box Grills site is an e-commerce site that sells a nice tailgate/picnic portable grill. Well made and sturdy, and works quite well as a portable grill, according to his satisfied customers. His previous e-commerce site wasn’t working well, and was hard to manage. The new place has a responsive theme, and I am working on his SEO stuff. If you are looking for a great portable BBQ grill for picnics, camping, or sporting events, check it out.

Ultimate Form Spammer Blocking

A while back, I wrote about a technique to block form spammers. I have implemented it on several sites that I have built. In some cases, the site originally didn’t have any protection against form spammers, or used easily-bypassed techniques like hidden fields, silly questions, changing contact page names, or even captchas. Even with those techniques, form spam still arrived.

In most cases, the volume wasn’t enough for me to worry about. Sometimes, a form spammer would find one of my site forms, and start spamming it daily. At that point (when it started getting irritating), I would implement my ‘ultimate form spammer blocking’ technique. And the form spam immediately stopped; the form spammer never was seen again on that site.

So I have put together a package of files that you can use in your site forms to get rid of your form spam. It’s all open source, and quite clever (he said with some modesty). With just a few modifications of your form, and adding one or two files to your system, you can get rid of your form spammer problem.

The package of files is written in PHP, and requires that your visitor has JavaScript running (not Java). But once you set things up, you will not be bothered by form spam again. Your form spammers will get redirected to my Form Spammer Trap site instead of sending your form spam.

The package includes support for WordPress sites, with the use of a template that you specify for your contact page. No special add-ins needed, although you may need to do some minor CSS formatting changes. Full instructions on how to implement in your site, whether PHP-based or a WordPress site, are included in the package.

So, how do you get it? Well, you use our contact form. Just fill in the form with your name, email address, and comment text of “I want your form spammer blocking package” (along with any other comments), and I’ll get the zip file out to you. Don’t use the comment form on this post, unless you really want to expose your email address.

Our Contact form uses our Ultimate Form Spammer Blocking technique. If you want to see what will happen to a form spammer, just click on the “Submit” button on the contact page (don’t click anywhere else). We use the WordPress template version of the package, so you can see how it looks with our site theme.

And it is all free, although donations are accepted. If you don’t think you can install it yourself, contact me and we’ll arrange for some help at a nominal fee. Or if you don’t want to use our package, the technique is shown on our previous post about preventing form spam, so you can roll it yourself.

But our ‘Ultimate Form Spammer Blocking’ package will get rid of any form spam on your web site. It really works!

(Added: If you want more details, go to my Form Spammer Trap web site that uses the technique. That site is where form spammers will end up.)

A WordPress Attack

It appears there is an attack against WordPress installations that is placing a phony ‘500’ error page on the site that allows additional commands to be executed. I don’t have all the details yet, but one report indicates that there is a brute-force password guessing attack against the ‘admin’ user of a WordPress site.

The ‘admin’ user is created by default on a WordPress installation; that user has full privileges to the WordPress installation. If the owner has chosen a weak password, or one that is easily guessed, then the attacker would get full admin privileges to the WordPress site, including the administrative area.

The WordPress login process allows for brute force attacks; an unsuccessful login will just let you try again. There might be some delays if you try brute-force logins, but it is possible to keep on trying a WP login.

The attack will put a phony ‘500.php’ file in your site root (and perhaps other places). So a search for those files might be prudent. Delete any that contain unfamiliar code.

Initially, it looks like many sites that have been successfully attacked are also not current in their WordPress version level. So, prevention would indicate these steps:

1) Create a new ‘admin-level’ user with a strong non-dictionary type password.
2) Log in as that user to ensure that all is OK.
3) When logged in as the new admin-level user, demote the user ‘admin’ to the lowest level. Leave the user there just to irritate the hacker.
4) Ensure that your hosting account, and any FTP accounts, have strong passwords. Strongly consider changing FTP passwords.
5) Don’t use an FTP client that stores passwords in plain text (WinFTP does this). I recommend WinSCP (open source, free), which encrypts FTP credentials.
6) Ensure your WordPress installation is current. Update all themes and plugins on a regular basis.
7) Check for any rogue user accounts.

And the usual precautions on your home computer: Windows updates, application updates (Secunia Personal Software Inspector is recommended), uninstall Java (if it is not needed; JavaScript is OK), don’t click or open unfamiliar attachments, etc.

As a further protection, consider a program that monitors files for unauthorized changes. I found a concept for a program that stores file names and checksums in a database, then compares those checksums the next time you run the program. Any new or changed filenames are emailed. I am doing some final testing, but it appears to work well.
Be careful out there!
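An added example, not the author’s program, of the checksum-monitor concept described in the post above: it walks a web root, hashes every file with SHA-256, and reports new, changed and deleted paths against a baseline saved from the previous run (the email step is left to the caller). The directory names, the baseline file and the sample site contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the stored baseline and a fresh snapshot."""
    return {"new": sorted(current.keys() - baseline.keys()),
            "changed": sorted(k for k in baseline.keys() & current.keys()
                              if baseline[k] != current[k]),
            "deleted": sorted(baseline.keys() - current.keys())}

def check_site(root: Path, baseline_file: Path) -> dict:
    """Report changes since the last run, then store the fresh snapshot.
    First run only creates the baseline; keep it outside the web root."""
    current = snapshot(root)
    if baseline_file.exists():
        report = compare(json.loads(baseline_file.read_text()), current)
    else:
        report = {"new": [], "changed": [], "deleted": []}
    baseline_file.write_text(json.dumps(current, indent=1, sort_keys=True))
    return report

def demo() -> tuple:
    """Constructed sample site: baseline run, then a tampered file, a dropped-in
    500.php and a deleted file. Returns (first_report, second_report)."""
    work = Path(tempfile.mkdtemp())
    root = work / "www"
    root.mkdir()
    (root / "index.php").write_text("<?php echo 'home';")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
    first = check_site(root, work / "baseline.json")
    (root / "index.php").write_text("<?php echo 'tampered';")
    (root / "500.php").write_text("<?php // constructed sample")
    (root / "wp-config.php").unlink()
    return first, check_site(root, work / "baseline.json")
```

Run `check_site` from cron against the real web root and send any non-empty report by email; a freshly appeared `500.php` shows up under "new" on the next run.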