Warnings from Envato about WordPress Hacking

Envato, the publisher of the very popular ThemeForest theme gallery, and the CodeCanyon plugins library, today sent out a dire warning about WordPress vulnerabilities.  The warning was a bit late for me because one of my client’s sites got hacked last week, even though it was fully updated.  Fortunately, I was able to use CodeGuard to reverse the hack and then I swapped out the vulnerable plugin.


The Easiest Way to Upgrade Your Site to HTTPS

Google just changed its ranking algorithm to give a boost to sites that use https instead of http. Even if you run a content site or a personal website, it makes sense to take all reasonable measures to secure it from hacking, especially when Google may reward you with more traffic.

The easiest way to get https is to use a paid CloudFlare account and turn on Flexible SSL. This avoids buying and installing a certificate on your own server, saving money overall. CloudFlare also helps protect your site from malicious bots, hackers, and denial of service attacks.

To configure CloudFlare for HTTPS, log in, click the gear icon next to your site, choose “CloudFlare settings”, and set the SSL switch to Flexible SSL.  This encrypts the connection between users and CloudFlare; CloudFlare still talks to your web server over plain http, so nothing needs to change on the server. Most man-in-the-middle attacks happen close to where the user connects, such as an unencrypted WiFi network vulnerable to Firesheep, or a hotel network that splices ads into web pages, rather than between major Internet services such as CloudFlare and your hosting provider. Keep in mind, though, that with Flexible SSL the padlock a visitor sees covers only the browser-to-CloudFlare leg: login passwords and session cookies still cross the public Internet in cleartext between CloudFlare and your host. If your host can install a certificate, switch the setting to Full (Strict) so that both legs are encrypted and the origin certificate is verified.

Flexible SSL

After making the switch it’s necessary to test the site to make sure you get a good lock symbol on every page. If any page embeds assets over plain http (images, scripts, stylesheets, iframes), browsers show a mixed-content warning, and most now block http scripts and stylesheets outright, so those references must be updated to https (or to protocol-relative “//” URLs). Search the code for the strings src="http: and href="http: to find them, and also check CSS url() references and anything inserted by plugins or stored in the database.
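As an added example (not code from the original post), here is a small Python script that does that search more thoroughly than a plain text search for src="http:. It scans HTML and inline CSS for plain-http subresources, separates active mixed content (scripts, stylesheets, frames, forms), which browsers block, from passive content (images, media), which only downgrades the padlock, and can rewrite the references to https. The sample HTML is constructed for the example and its host names are placeholders; rewriting to https assumes the asset hosts actually serve HTTPS, which you should confirm before deploying.

```python
"""Mixed-content finder: plain-http subresources on an https page.

Added example; not from the original post. The sample HTML below is
constructed for illustration and the host names are placeholders.
"""
import re
from typing import List, Tuple

# Attributes that make the browser fetch a subresource. Whitespace is required
# before the attribute name so that data-src=... is not mistaken for src=...
ATTR_RE = re.compile(
    r'<(?P<tag>[a-zA-Z][a-zA-Z0-9]*)[^>]*?\s(?P<attr>src|href|data|poster|action)'
    r'\s*=\s*["\']?(?P<url>http://[^"\'\s>]+)',
    re.IGNORECASE,
)
# url(...) references in <style> blocks and stylesheets.
CSS_URL_RE = re.compile(r'url\(\s*["\']?(?P<url>http://[^"\')\s]+)', re.IGNORECASE)

# Active mixed content is blocked outright by current browsers; passive
# content (images, audio, video) still loads but costs you the padlock.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}

# Constructed sample page: a mix of insecure, secure and irrelevant references.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<style>body { background: url(http://cdn.example.com/bg.png); }</style>
</head><body>
<a href="http://partner.example.com/">a plain link is fine</a>
<img src="http://images.example.com/logo.png" alt="logo">
<img src="https://images.example.com/ok.png" alt="already secure">
<iframe src='http://video.example.com/embed/1'></iframe>
</body></html>"""


def _line_of(text: str, pos: int) -> int:
    return text.count("\n", 0, pos) + 1


def find_mixed_content(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line, kind, tag, url) for every plain-http subresource.

    kind is "active" or "passive". <a href="http://..."> is an ordinary
    link, not a subresource, so it is skipped.
    """
    findings = []
    for m in ATTR_RE.finditer(text):
        tag = m.group("tag").lower()
        if tag == "a":
            continue
        kind = "active" if tag in ACTIVE_TAGS else "passive"
        findings.append((_line_of(text, m.start()), kind, tag, m.group("url")))
    for m in CSS_URL_RE.finditer(text):
        findings.append((_line_of(text, m.start()), "passive", "css-url", m.group("url")))
    findings.sort()
    return findings


def rewrite_to_https(text: str) -> str:
    """Rewrite the references find_mixed_content() reports to https://.

    Assumes the asset hosts serve HTTPS. Plain <a> links are left alone.
    """
    def fix(m) -> str:
        url = m.group("url")
        return m.group(0).replace(url, "https://" + url[len("http://"):], 1)

    text = ATTR_RE.sub(lambda m: m.group(0) if m.group("tag").lower() == "a" else fix(m), text)
    return CSS_URL_RE.sub(fix, text)


if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE_HTML):
        print(f"line {line}: {kind:7} <{tag}> {url}")
    # After rewriting, nothing insecure should remain.
    assert find_mixed_content(rewrite_to_https(SAMPLE_HTML)) == []
```

Run it over your theme and template files (or a saved copy of each page as the browser receives it, since plugins inject markup at render time) and fix every active finding first; those are the ones that break functionality rather than just the padlock.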

Green Lock Means Secure

To redirect http to https when using CloudFlare, add the following to your .htaccess file if your site runs on Apache (the usual case on Linux/Unix shared hosting). Do not use the common RewriteCond %{HTTPS} off rule here: with Flexible SSL the origin server always sees plain http, so that rule would redirect forever. CloudFlare tells the origin which scheme the visitor used in the CF-Visitor header, and the rule keys off that.

# Enable rewriting (harmless if the host already enables it).
RewriteEngine On
# CF-Visitor carries JSON such as {"scheme":"http"}; match the plain-http case.
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
# Permanent redirect keeping the full path (the query string is appended
# automatically). %{REQUEST_URI} is safer than $1, which loses the directory
# prefix when the .htaccess lives in a subdirectory.
RewriteRule ^ https://www.yourdomainname.com%{REQUEST_URI} [L,R=301]

Then request an http:// URL through CloudFlare and confirm you get a single 301 to the https:// version, and that the https:// version itself does not redirect again.

Remember to update your robots.txt file and your sitemap.xml file to use your new https URLs, along with any canonical link tags and the site URL configured in your CMS. Lastly, update Google Webmaster Tools and Google Analytics to reflect your new website URL.

Google Cracks Down on Mugshot Sites

Back on February 6, 2013 Jonah Stein and I wrote about the Mugshot Extortion Racket, and how Google needed to crack down on the problem.  Several days ago Google implemented an update that has caused mugshot sites to lose the vast majority of their search traffic, and most importantly, the mugshot sites no longer rank in Google when searching for the names of the individuals pictured.

The Mugshot Racket is a paid unpublishing scam.  Mugshot sites scour the ’net and copy mugshot photos from law enforcement sites and databases to create search-engine-optimized pages that rank well on Google for the subjects’ names.   In apparent violation of the subjects’ personality rights,  the mugshot sites offer to remove photos if a fee is paid, often amounting to hundreds of dollars.   People have reported that after paying for a photo to be removed from one site, it would often pop up on multiple other mugshot sites.

Victims of the scam have been writing to me since February, explaining how these mugshots made it hard to get a job, rent an apartment, or even get a date. In our society we have courts to determine the fair punishment for a crime. Many people arrested are found innocent, have charges dismissed, or the record may be expunged upon completion of a treatment program.  Sometimes it is in society’s interest for people to have a second chance after they’ve committed a minor crime, because we don’t want to create an underclass of unemployable people.

I’m very glad that Google did the right thing. A number of states have been trying to pass laws, and there’s at least one class action lawsuit pending.  Instead of waiting for a patchwork of laws and court rulings that might not have been very effective, in one algorithmic swoop, Google appears to have cleaned up the problem.

The New York Times has published this: Mugged by a Mug Shot Online.

An Ultimate Black Hat Script

Yesterday I received this spam. If you’ve ever wondered who bothers to hack websites and why they do it, here’s a premium explanation straight from the hackers.

Hey guys,

A true bl4ckhat system for Internet Marketers

Do you want to control other sites’ traffic? Ever wanted to insert your ads, well-paid CPA offers and AdSense code on other sites’ high-traffic pages? Ever wanted to place your backlinks on others’ high-PageRank pages without them knowing? Ever wanted to redirect other sites’ visitors to any link you desire? Well, you have finally found the secret sauce. Presenting…

An Ultimate Black Hat Script

What is it exactly ?

Mass control millions of servers at a given moment with Affiliate Ads, Adsense, Clickjacking, Content-Locking, Redirection - the sky is the limit! These black hat methods are being utilized by the pharmas and now it’s your time to get hold of their secret way of money laundering.

Control Millions of people’s servers from all over the internet.

– Redirect the traffic of the other website
– Control their ads or insert your own ad in their website
– Initiate the pop-unders
– Put backlinks on the high page rank sites
– Place any code on their sites

How to gain access to people’s servers ?

You insert a simple code within scripts, themes, or plugins…or whatever…get creative! Then distribute it.
Once they put it on their server, all sites within their IP are now under your control. It’s really quite simple. The coder was able to gain over 100,000 IPs in about 3 months. That’s not websites… that’s IPs. Right now, it’s over 8 million pages that he has full control over to redirect, post ads on, place popups, popunders, or just insert his backlink on.

Check it out:-

Click Here!!

Only a few copies will be given out and then this product will be taken off the market forever! Act now!

Don’t let cybercriminals pwn your site. No matter how good your security, it will break sooner or later. When that happens, you’ll want to be informed promptly and have an easy way to put things right.

Website Speed Optimization

I recently gave a talk at SMX Advanced in Seattle about how to make websites run faster. Various statistics cited by the presenters indicated just how important site speed is. Every second of latency cuts conversion (or sales) by 10 – 17 percent. Users typically head for the back button if a page doesn’t appear within 3 seconds. Fast sites give the user a feeling that they are in control, improving trust.

Most people think a bigger server, shorter HTML code, or smaller images is the secret to speed. That’s usually not the case, according to my experiments. The main cause of latency is the distance between the server and the user, combined with the number of http requests required to assemble the page. Server and software configuration may also matter.

Every image, CSS file, and JavaScript file generates another http request. Browsers typically process only 2 – 5 requests in parallel to a given host, so the rest wait in line. It is not uncommon to find pages that generate 50, 100 or even 275 requests. Working through all those requests a handful at a time takes considerable time if the user is a few thousand miles from the server, because information never travels faster than the speed of light, about 186,000 miles per second, and in fiber it is slower still. A user in Amsterdam looking at a complex page with 275 requests served from San Jose will typically suffer 4.2 seconds of additional latency or worse.

One secret to speed is using a smart content delivery network, such as Cloudflare, to reduce the distance information needs to travel, minimize requests, and optimize file sizes. Cloudflare caches static resources at numerous locations around the world so that users are served from a nearby data center. Another tactic is to simplify web page design to minimize the number of files called per page. CSS sprites can be a big help, as can eliminating unnecessary objects. Careful design focuses attention on the few things that matter, and leaves out the cruft that is just a distraction and a source of slowness.
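To make the post’s arithmetic reproducible, here is an added example (not from the original post) that models page latency as serial rounds of round trips bounded by the speed of light, and compares the two remedies recommended above: shortening the distance with a CDN and cutting the number of requests. The Amsterdam to San Jose distance (taken as about 5,500 miles), the CDN edge distance and the fiber slowdown factor are assumptions for illustration; real networks add queuing, server time and routing detours on top of this floor.

```python
"""Latency floor from distance and request count (added example, not from the post).

Model: a browser runs at most `parallel` requests at once, so N requests take
ceil(N / parallel) serial rounds, each costing at least one round trip. The
round trip is bounded by the speed of light; `fiber_factor` scales it for real
cable paths (light in glass moves at about two-thirds c, and cables are not
straight lines). Distances used in main() are assumptions for illustration.
"""
import math

SPEED_OF_LIGHT_MILES_PER_S = 186_000


def rtt_seconds(distance_miles: float, fiber_factor: float = 1.0) -> float:
    """Minimum round-trip time for one request over the given distance."""
    return 2 * distance_miles / SPEED_OF_LIGHT_MILES_PER_S * fiber_factor


def serial_rounds(requests: int, parallel: int) -> int:
    """Number of batches the browser needs to issue all requests."""
    if parallel < 1:
        raise ValueError("parallel must be at least 1")
    return math.ceil(requests / parallel)


def page_latency(distance_miles: float, requests: int, parallel: int = 5,
                 fiber_factor: float = 1.0) -> float:
    """Seconds added by round trips alone, ignoring server time and bandwidth."""
    return serial_rounds(requests, parallel) * rtt_seconds(distance_miles, fiber_factor)


def compare_remedies(distance_miles: float, cdn_distance_miles: float,
                     requests: int, reduced_requests: int,
                     parallel: int = 5, fiber_factor: float = 1.0) -> dict:
    """Latency for the original page and for each remedy, alone and combined."""
    def lat(d, n):
        return page_latency(d, n, parallel, fiber_factor)

    return {
        "origin": lat(distance_miles, requests),
        "cdn": lat(cdn_distance_miles, requests),
        "fewer_requests": lat(distance_miles, reduced_requests),
        "cdn_and_fewer_requests": lat(cdn_distance_miles, reduced_requests),
    }


if __name__ == "__main__":
    # Assumed: Amsterdam to San Jose about 5,500 miles; nearest CDN edge 100 miles;
    # sprites and cleanup take the page from 275 requests down to 40.
    for name, secs in compare_remedies(5500, 100, 275, 40).items():
        print(f"{name:24} {secs:6.2f} s")
    # The same page over a realistic fiber path, about 1.5x the vacuum floor.
    print(f"origin over fiber        {page_latency(5500, 275, 5, 1.5):6.2f} s")
```

With the vacuum floor alone the model gives about 3.3 s for the Amsterdam case; a realistic fiber path pushes it past the 4.2 s quoted above, and server processing and transfer time come on top. The two remedies multiply rather than add: shortening the distance scales every round trip, while fewer requests means fewer rounds, so a CDN plus sprites does far better than either alone.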

My presentation below contains a bunch of case studies and identifies tools you can use to analyze and improve your site speed. Feel free to contact me with any questions. I’m @jehochman on Twitter.

Edit Websites from Your iPad with Gusto

Guest Post by Jonathan Hochman, CodeGuard co-founder and CEO of Hochman Consultants

Recently I found myself on a transcontinental flight with WiFi, and downloaded an email from a client stating that I had botched an edit to their website. Usually I can tell people to wait until I get back to the office if they need website edits, but this time I was anxious to make a quick repair. Unfortunately, I was packing light, with just a backpack and an iPad and no laptop.

My solution: I went to the App Store and found Gusto. It took about 10 minutes to download via Gogo Inflight Internet while cruising at 36,000 feet; if downloaded before they close the jet door, it’s much quicker. Gusto has a sleek HTML editor and a solid FTP/SFTP client. I connected to the server, downloaded the broken files, fixed them, uploaded, and was done with my simple edits in about three minutes.

Gusto’s features include code highlighting, preview, and preview in Safari. The user interface is also intuitive. The only drawback I found is that when renaming a file, I had to jump to a different directory and then back to get the new file name to display.


Gusto costs $9.95 and is well worth it. Lugging around a laptop is a drag. With Gusto, the iPad is a pretty good replacement device, and costs a lot less than a MacBook Air. I love being able to edit website code on airplanes, during meetings or at lunch.