First, this is NOT a WordPress security issue. It is all about malware being inserted by third party ad services. For my fellow WordPress folks, this is not the same issue dealt with at that hosting company that will remain unnamed.

The Red Screen of Death

When Google crawls a site and detects malware, they issue a warning which results in that red screen. They also add a warning within their search results right under the link to your site that says ‘This site may harm your computer’. All pretty scary stuff for a visitor finding your site for the first time.

So,assuming at the time that it came from Google, it seemed strange to me that Google could stick a red screen on a site. How could they do that? Well, they can’t of course. So I looked into the code of the warning itself and saw that it was coming from mozilla.org, the company that makes Firefox, meaning it was something in the browser itself.

Checking the security settings, I saw a check box for ‘Block reported attack sites’. So I unchecked that and tried the site again. It loaded just fine. No warning. Same in Safari. They have a setting to block sites and send a warning. Problem was these were defaults, so essentially everyone is seeing these red screens.

Removing the Red Screen

The only way to get rid of the warning screen is to remove all the malware, and get Google to re-crawl your site. You can either wait for that or re-submit your site using Webmaster Tools Reconsideration. Even with both myself and the client submitting for reconsideration, the process took about 18 hours which I feel is pretty quick form stories I have heard. In fact we were getting ready to redirect the domain to a clean url if the warning hadn’t gone away within another hour or two.

All said, it was about 48 hours of the site being blocked with this red screen.

Then after it was fixed, we had to clear the cache in our own browsers to make the warning go away, meaning that anyone who saw the site in the last day or two was most likely STILL seeing the warning even though Google had removed the warning and the site had been totally clean for close to 24 hours. And who knows when everyone’s cache would reload the cleaned pages?

The Hypocrisy of Google

Here is the problem… The malware appeared after a third party ad service started using Adsense of all things. The stunning thing to me is the possible hypocrisy of Google Adsense sending malware and then using its malware warning to essentially shut down a site for close to 48 hours.

When you see that red screen do you ever click ignore? Probably not since it warns you that your computer may be harmed. After I fixed the problem, the warning was still there and I still felt cautious about clicking, feeling that maybe it was still detecting something I didn’t find.  This is when I figured out that it was the browser settings I described above.

So… The timeline went something like this:

• Site is infected with malware at some point. This could have gone undetected for a while. Hard to tell.
• Google detects it and adds the warning.
• Browsers see that warning and visitors get the warning screen.
• Regular readers of the site start sending emails and tweets to the client.
• About 24 hours AFTER all this, the client gets an email from Google telling them about the problem.
• Client contacts me and within a number of hours we clean the site and submit for reconsideration. This is only because I was out at the time. The actual process of fixing took about an hour.
• 18 hours later the site is recrawled and put back to normal.
• Visitors whose cache is not emptied are still receiving the warning.

So…

• 24-36 hours – site is down before being able to fix it.
• 1 hour – fixing time
• 18 hours – re-crawl and remove the warning.

Ignore Bad advice from the Hosting Company

The client’s host was saying that the process might be 2-3 weeks! Not only that… They recommended removing the URL from Google because of that little warning, suggesting that people shouldn’t see that because it made the site look bad.

Remove the URL form Google? That would lose all search ranking and everything, I have never heard of worse advice. The site was back up within an hour or tow of getting that advice and if the client had listened they could have lost all their search rankings.

How to fix it

As with any changes to a site – BACKUP EVERYTHING first.

• Export your WordPress content from the backend.
• Backup your database.
• Backup you wp-content folder

Finding the Malware

This can come in a few forms:

• It can be added to files you already have.
• It can be added as new files that were not there before.
• It can be injected into the database.

But is actually fairly easy to spot once you know what to look for. It is almost always something known as obfuscated javascript or something embedded in an iframe. Obfuscated javascript looks like a bunch of random letters, numbers and symbols, like this: ‘JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ’. It is totally meaningless until decoded. An iFrame is used to embed another page into a site. It is used by Facebook and any other number of legitmate sites, so iFrames are not by themselves bad. On the other hand any apperance of that obfuscated javascript is cause for concern, especially in an open source project like WordPress where all code must be readable.

To find the bad code:

• Search your files for the word ‘base64_decode’ where you find something like this ‘<?eval(base64_decode(“JGs9MTQzOyRtPWV4cGxvZG…’ and that string of characters will go on for a while and end with something like ‘==”));?>’
• Delete all occurances from the opening ‘<?’ to the closing ‘?>’
• Search your database for ‘base64_decode’
• Delete that same line (it will probably not have the ‘<?’ or ‘?>’, just the ‘eval(base64_decode)’
• Search all your pages for ‘iframe’
• Search the database for ‘iframe’
• Before deleting any iframes, look at the content and see if it is something you recognize. It might be fine.

Specifically in this case, there was a series of files that were somewhat easy to spot, since they were in the main directory and not part of the core WordPress files. Here are the names:

• A folder called ‘.files’ which will be hard to spot unless you are able to view hidden files because of the ‘.’ at the beginning of the folder name.
• The folder contained a huge number of files, all ending in .html, all with spammy search titles.
• A file called ‘hobard_ebeneser.php’ whose only contents were the javascript described above.
• A file called ‘spite_kerk.php’ whose only contents were the javascript described above.
• A file called ‘vhfjp.php’ whose only contents were the javascript described above.

Another post about a similar set of files they called the ‘Movie Review’ infection and how to fix it. Essentially the same as here.

After the Malware is Gone

So the malware is gone and 18 hours later Google has approved the site again. According to Webmaster Tools no malware was found.

BUT… we are still getting the warning until emptying our browser’s cache and refreshing a few times. This is a problem since most people who saw the site with the warning will still see the warning but would not bother refreshing or deleting their cache. So there needs to be a way to FORCE the visitor to load a new version of the page.

I used the php function called header() which must be called before anything is output to the screen. To make sure of this I placed it right in ‘index.php’. Not the one in the WordPress theme, the main index.php of the whole site, the one contains about 3 lines of code and opens WordPress itself. I wanted to make sure this was the very first thing a browser saw when opening the page.

Here is exactly what I used:

header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past

I pasted that right above the line:

define('WP_USE_THEMES', true);

Now eventually we will remove this. Pages are cached for a reason. It speeds up page load time, etc. So we don’t want to make everyone lodd a new version indefinitely, but for a couple days we are going to make sure everyone gets the clean version.

Final Note – AVOID AD SERVICES that use javascript

There have been a HUGE number of ad services compromised by these attacks lately. Unless you are making enough to justify going through this, I would recommend not using these ad services that place javascript on your site. The same goes for affiliate links that use javascript. Most will offer an HTML version that is just an image and a link. If you see the word ‘javascript’ in the line of code they want you to copy, I would stay away.

© marty for Marty Thornley, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: google, malware, WordPress

Feed enhanced by Better Feed from Ozh

For a new user, however, it can be a little overwhelming once they log in for the first time. The WordPress backend is a little bit heavy and offers so many tools that it can be confusing for those new to the system.

At first I was spending a lot of time on the phone talking clients through the same basic issues over and over. How do I add a new post? How do I create a new category? While these were new issues for them, I had to repeat myself over and over. So I put together a document that provides basic instructions for using WordPress and I have been providing clients with a .pdf version to help guide them through their new site.

Now I am making it available through DocStoc. Feel free to share it, embed it, pass it on, whatever you want.

Keep an eye out for my next one, a .pdf version of my Optimizing WordPress post.

Basic WordPress –

© marty for Marty Thornley, 2009. | Permalink | 3 comments | Add to del.icio.us
Post tags: custom web design, how to, Resources, web design resources, web design tips, WordPress

Feed enhanced by Better Feed from Ozh

After any WordPress installation, there is a series of steps that I take in order to optimize the site, before I even think about what it will look like.

Remove or edit the Placeholder Content

There is a placeholder post titled ‘Hello World’. DELETE that, or edit it to be your actual first post.

There is a placeholder page called ‘About’. DELETE it or edit it to say what you want it to say.

Delete the user ‘admin’

If you used a one-click installation or had someone do it for you, you might have been given the default user name of ‘admin’. The problem is that hackers know that WordPress sites tend to have a user named ‘admin’ and even worse, the password is sometimes ‘admin’.

This is a huge security risk. You can not actually edit a username, so the solution is to create a new unique username and a more secure password, then DELETE the admin user.

Check your admin Email

Navigate to settings>general. Check the email address there and make sure you enter an email address you will actually check. This is the email used to notify you of comments, problems, etc.

Install and Configure Plugins

WordPress comes with two plugins already included. One should be activated and set-up and the other is a waste of time and should be deleted.

• Askimet – This is the WordPress spam protection. Activate this immediately. Once you do, you will be asked for a WordPress ‘API KEY’. You will need to go to WordPress.com to set-up an account there. Once you do, you will be able to find the ‘API KEY’ on your profile page. Copy it, return to your new site, and paste the ‘API KEY’ into the Askimet settings. You can find the Askimet settings in the admin menu under ‘Plugins>Askimet Configuration’.
• ‘Hello Dolly’ – This is a useless waste of space. Delete it. To say anything more would waste even more space.

When it comes to finding and adding more plugins, there are countless plugins available that can add a lot of capability to your site. Some are just for fun and completely optional, but others are highly recommended for any site and there is a list of plugins that I install on almost every site.

You can see my post about plugins here.

But here are two that shouldn’t be missed:

• All in one SEO Pack
• Google XML Sitemaps

Navigate to the plugins page in the admin section. At the bottom, you will see the ‘Plugin Browser/Installer’. Click on that and you can search for plugins by type or by name. You can then install them with one click right from there.

Fix Permalinks

Each post and page that you create in WordPress has a permanent home called a ‘permalink’. This is simply a permanent (sort-of) URL that you can use to link directly to that post. When you first install and set-up WordPress, it creates URLs based on the ID number that it uses in the databse to keep track of everything. If you look at the URL, it will look something like this: ‘http://mysite.com/?p=1′.

The problem (besides being ugly – hence the name ‘ugly URL’ or ‘ugly permalink’) is that search engines use the URL as one of the most important factors for deciding what a page is about. Wouldn’t it be much better if you wrote a post about an event you just photographed and the URL could be something like ‘http://mysite.com/beverly-hills-wedding/’ instead of ‘http://mysite.com/?p=1′?

This is an easy fix in WordPress.

• In the admin area, navigate to settings>permalinks.
• Under ‘Common Settings’ you will probably see that ‘default’ is checked off.
• Under that is a series of options for more SEO friendly (and reader friendly) URLS.
• ‘Month and Name’ is best for sites with one author.
• ‘Day and Name’ would be better for a multi author site where you might expect tbe publishing a large amount of content.

The difference between ‘Day and Name’ and ‘Month and Name’ is simply that you can’t have duplicate URLS, so if you want a little  more room to allow for potential duplicate titles, use ‘Day and Name’. This would make everyday start fresh, because you are using the day, month and year as part of the URL. The odds of even a big site creating duplicate titles in one day are pretty slim.

What happen if you do create duplicate post titles? WordPress simple puts a ‘-2′, then’-3′ after the title. Nothing breaks. It’s not terrible.But we went through all of this for prettypermalinks that actually mean something and don’t have meaningless numbers. Might as well try to keep it that way.

Add Ping Services

Ping services allow different blog and RSS listing services to be notified when you post new content to your site. The idea is to help get the word out and hopefully drive some traffic to your site. By default, WordPress only lists one ping service – pingomatic. You can find this by navigating to settings>writing. Towards the bottom, you will see a textarea where you can enter ping services and only one is listed – http://rpc.pingomatic.com/. But there are many more ping services out there.

There are two lines of thought:

1. Use a small list of services that in turn ping several more.
2. Directly use the list of all services so that you are not relying on a message to be passed on.

To use a small list of services that will notify others, copy this list and paste it into the ping services area under settings>writing:

http://rpc.pingomatic.com

http://www.blogpeople.net/servlet/weblogUpdates

http://ping.myblog.jp

http://ping.bloggers.jp/rpc/

http://bblog.com/ping.php

To use a longer list of services to notify directly, copy this list and paste it into the ping services area under settings>writing:

http://api.feedster.com/ping

http://api.moreover.com/RPC2

http://api.my.yahoo.com/RPC2

http://xping.pubsub.com/ping/

http://ping.blo.gs/

http://ping.feedburner.com

http://ping.syndic8.com/xmlrpc.php

http://ping.weblogalot.com/rpc.php

http://rpc.blogrolling.com/pinger/

http://rpc.icerocket.com:10080/

http://rpc.newsgator.com/

http://rpc.technorati.com/rpc/ping

http://rpc.weblogs.com/RPC2

http://topicexchange.com/RPC2

http://www.blogdigger.com/RPC2

http://www.blogstreet.com/xrbin/xmlrpc.cgi

http://www.newsisfree.com/RPCCloud

http://ping.weblogs.se/

http://blogmatcher.com/u.php

http://coreblog.org/ping/

http://www.blogpeople.net/servlet/weblogUpdates

http://bulkfeeds.net/rpc

http://trackback.bakeinu.jp/bakeping.php

http://ping.myblog.jp

http://ping.bitacoras.com

http://ping.bloggers.jp/rpc/

http://ping.blogmura.jp/rpc/

http://xmlrpc.blogg.de

http://1470.net/api/ping

http://bblog.com/ping.php

http://blog.goo.ne.jp/XMLRPC

FURTHER READING:

• How ping services work – WordPress Ping Services. They also link to this detailed explanation of the two Ping lists.
• My post about plugins.

RECOMMENDATIONS?

I have tried to include all of the suggested steps that I have found over time. If there are any that I missed that could be added to help this be a more complete list, please leave a comment and let me know. I will try to add anything that improves the process.

This Article was written as part of the WpJumpStart System

Find Out More

© marty for Marty Thornley, 2009. | Permalink | 3 comments | Add to del.icio.us
Post tags: SEO, web design resources, website starters, WordPress, WPJumpStart

Feed enhanced by Better Feed from Ozh