Author Archives: jehochman

Warnings from Envato about WordPress Hacking

Envato, the publisher of the very popular ThemeForest theme gallery and the CodeCanyon plugin library, today sent out a dire warning about WordPress vulnerabilities. The warning was a bit late for me because one of my clients' sites got hacked last week, even though it was fully updated. Fortunately, I was able to use CodeGuard to reverse the hack, and then I swapped out the vulnerable plugin.

Here’s the letter.

Hello Jonathan Hochman,

This is a general community announcement for all buyers of WordPress items to bring your attention to an XSS vulnerability affecting multiple WordPress plugins and themes. The vulnerability is caused by a common code pattern used in WordPress plugins and themes available from ThemeForest and CodeCanyon, the wordpress.org website and other sources.

This issue is not limited to themes and plugins purchased from ThemeForest or CodeCanyon. Anyone using a WordPress website, regardless of where the theme or plugin was sourced, needs to be aware of this and take immediate action to ensure it is secure.

What should I do?

As there is no simple way of knowing exactly which plugins or themes are affected, and the issue is widespread, our best advice is to periodically check for updates to any WordPress themes or plugins you are using and apply those available as soon as possible.

Envato is actively working with all ThemeForest and CodeCanyon authors, explaining the issue and asking them to check that their items are secure and to update them if necessary.

We expect ThemeForest and CodeCanyon items to be continuously updated over the coming weeks, with the majority updated in the next few days. Updates may be downloaded from the Downloads page as they become available. If you would like to be automatically notified about new updates, please activate “Item update notifications” in your email settings.

For updates to items obtained from other sources, please check the Plugins and Themes pages in the WordPress Admin area or contact the source of the product.

We strongly recommend continuing to check for updates, especially over the next few weeks, but also on an ongoing basis. It is important to always keep your WordPress installation and associated plugins and themes up to date. If you still have concerns, we suggest engaging an experienced WordPress developer to check whether your site is affected.

More details are available via the following links:

Kind Regards,

Envato Support

Keeping WordPress updated is pretty easy using Advanced Automatic Updates. Though that helps, it isn't foolproof, and there's also a small risk that an automatic update could break a site. That's why CodeGuard comes in so handy. Whether there's a hack or a failed update, I feel confident that I can promptly fix any site.

The Easiest Way to Upgrade Your Site to HTTPS

Google just changed their ranking algorithm to give a boost to sites that use https instead of http. Even if you have a content site or a personal website, it makes sense to take all reasonable measures to secure it from hacking, especially when Google could give your site more traffic.

The easiest way to get https is to use a paid CloudFlare account and turn on Flex HTTPS. This avoids the need to buy and install a security certificate, saving money overall. CloudFlare also helps protect your site from malicious bots, hackers, and denial of service attacks.

To configure CloudFlare for HTTPS, log in, click the gear icon next to your site, and choose "CloudFlare settings". Then set the SSL switch to Flexible SSL. This encrypts communications between CloudFlare and users. CloudFlare still communicates with your web server via http, eliminating the need to make changes there. Most man-in-the-middle attacks happen close to where the user connects, such as an unencrypted WiFi network vulnerable to Firesheep, or a hotel network that splices ads into web pages, not between major Internet services such as CloudFlare and your hosting provider.

Flexible SSL

After making the switch it's necessary to test the site to make sure you get good lock symbols on all pages. If you have embedded assets using the non-secure http protocol, you need to update those to https. Search the code for the string src="http: to find them.

Green Lock Means Secure

To redirect http to https when using CloudFlare, add the following magic code to your .htaccess file if your site runs on Apache (the usual web server on Linux/Unix hosting).

RewriteEngine On
# Under Flexible SSL the origin only ever sees plain http, so test CloudFlare's CF-Visitor header (present only on requests that arrive via CloudFlare) instead of %{HTTPS}
RewriteCond %{HTTP:CF-Visitor} '"scheme":"http"'
RewriteRule ^(.*)$ https://www.yourdomainname.com/$1 [L,R=301]

Remember to update your robots.txt file and your sitemap.xml file to use your new https URLs. Lastly, update Google Webmaster Tools and Google Analytics to reflect your new website URL.
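As an added check (example code, not from the original post), this Python script scans an HTML page for sub-resources still loaded over plain http, the ones that cost you the lock icon after the switch. It looks at src, srcset and <link href>, so it catches cases that a search for src="http: misses, and it can rewrite the matches to https. The sample page embedded below is constructed for the demo.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource; <a href> is
# navigation, not mixed content, so it is deliberately left out.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "link": ("href",),   # stylesheets, icons, preloads
}

class InsecureAssetFinder(HTMLParser):
    """Collect (tag, attribute, url) triples for http:// sub-resources."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):   # also called for self-closing tags
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            # srcset holds comma-separated "url descriptor" candidates
            if name == "srcset":
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value]
            for url in urls:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))

def find_insecure_assets(html):
    parser = InsecureAssetFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def upgrade_to_https(html):
    """Rewrite every insecure sub-resource URL the scanner found to https://."""
    for _, _, url in find_insecure_assets(html):
        html = html.replace(url, "https://" + url[len("http://"):])
    return html

# Constructed sample page: one secure asset, three insecure ones, one plain link.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/style.css">
<script src="https://www.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/logo.png" srcset="http://www.example.com/logo@2x.png 2x">
<a href="http://www.example.com/page">link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_insecure_assets(SAMPLE):
        print(f"mixed content: <{tag} {attr}> {url}")
    print("after upgrade:", find_insecure_assets(upgrade_to_https(SAMPLE)))
```

Run it over each template or saved page; an empty result after the upgrade step means nothing on that page will trip the browser's mixed-content warning.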

Google Cracks Down on Mugshot Sites

Back on February 6, 2013, Jonah Stein and I wrote about the Mugshot Extortion Racket and how Google needed to crack down on the problem. Several days ago Google implemented an update that has caused mugshot sites to lose the vast majority of their search traffic, and most importantly, the mugshot sites no longer rank in Google when searching for the names of the individuals pictured.

The Mugshot Racket is a paid unpublishing scam. Mugshot sites scour the 'net and copy mugshot photos from law enforcement sites and databases to create search-engine-optimized pages that rank well on Google for the subjects' names. In apparent violation of the subjects' personality rights, the mugshot sites offer to remove photos if a fee is paid, often amounting to hundreds of dollars. People have reported that after paying for a photo to be removed from one site, it would often pop up on multiple other mugshot sites.

Victims of the scam have been writing to me since February, explaining how these mugshots made it hard to get a job, rent an apartment, or even get a date. In our society we have courts to determine the fair punishment for a crime. Many people arrested are found innocent, have charges dismissed, or have the record expunged upon completion of a treatment program. Sometimes it is in society's interest for people to have a second chance after they've committed a minor crime, because we don't want to create an underclass of unemployable people.

I'm very glad that Google did the right thing. A number of states have been trying to pass laws, and there's at least one class action lawsuit pending. Instead of waiting for a patchwork of laws and court rulings that might not have been very effective, in one algorithmic swoop Google appears to have cleaned up the problem.

The New York Times has published this: Mugged by a Mug Shot Online.

An Ultimate Black Hat Script

Yesterday I received this spam. If you’ve ever wondered who bothers to hack websites and why they do it, here’s a premium explanation straight from the hackers.

Hey guys,

A true bl4ckhat system for Internet Marketers

Do you want to control other sites' traffic? Ever wanted to insert your ads, well paid CPA offers and adsense code on other sites' high traffic pages? Ever wanted to place your backlinks on others' high page ranked pages without them knowing? Ever wanted to redirect the other site's visitors to any link you desire? Well you have finally found the secret sauce. Presenting…

An Ultimate Black Hat Script

What is it exactly ?

Mass control millions of servers at a given moment with Affiliate Ads, Adsense, Clickjacking, Content-Locking, Redirection - the sky is the limit! These black hat methods are being utilized by the pharmas and now it's your time to get hold of their secret way of money laundering.

Control Millions of people’s servers from all over the internet.

– Redirect the traffic of the other website
– Control their ads or insert your own ad in their website
– Initiate the pop-unders
– Put backlinks on the high page rank sites
– Place any code on their sites

———————————-
How to gain access to people’s servers ?

You insert a simple code within scripts, themes, or plugins…or whatever…get creative! Then distribute it.
Once they put it on their server, all sites within their IP are now under your control. It's really quite simple. The coder was able to gain over 100,000 IPs in about 3 months. That's not websites…that's IPs. Right now, it's over 8 million pages that he has full control over to redirect, post ads on, place popups, popunders, or just insert his backlink on.

Check it out:-

Click Here!!

Only a few copies will be given out and then this product will be taken off the market forever! Act now!

Don’t let cybercriminals pwn your site. No matter how good your security, it will break sooner or later. When that happens, you’ll want to be informed promptly and have an easy way to put things right.

Website Speed Optimization

I recently gave a talk at SMX Advanced in Seattle about how to make websites run faster. Various statistics cited by the presenters indicated just how important site speed is. Every second of latency cuts conversion (or sales) by 10 – 17 percent. Users typically head for the back button if a page doesn’t appear within 3 seconds. Fast sites give the user a feeling that they are in control, improving trust.

Most people think a bigger server, shorter HTML code, or smaller images is the secret to speed. That’s usually not the case, according to my experiments. The main cause of latency is distance between the server and the user, and the number of http requests required to assemble the page. Server and software configurations may also be important.

Every image, CSS, and JavaScript file generates another http request. Browsers typically process 2 – 5 requests in parallel. It is not uncommon to find pages that generate 50, 100 or even 275 requests. Processing all those requests one after another can take considerable time if the distance from user to server is a few thousand miles, because information never goes faster than the speed of light, about 186,000 miles per second. A user in Amsterdam looking at a complex page with 275 requests served from San Jose will typically suffer 4.2 seconds additional latency or worse.

One secret to speed is using a smart content delivery network, such as Cloudflare, to reduce the distance information needs to travel, minimize requests, and optimize file sizes. Cloudflare caches static resources at numerous locations around the world to serve users from a nearby data center. Another tactic is to simplify web page design to minimize the number of files called per page. CSS sprites can be a big help, as well as eliminating unnecessary objects. Careful design focuses attention on a few things that matter, and leaves out the cruft that is just a distraction and source of slowness.
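As an added illustration (example code, not from the original post), the following Python model works through the reasoning above: waiting time is the number of sequential rounds, ceil(requests / parallel connections), times the round trip at the speed of light. The distances, the four-connection assumption and the scenario figures are mine; the post's 275-request page is the input.

```python
import math

LIGHT_MPS = 186_000   # miles per second in vacuum, as quoted in the post

def round_trip_seconds(distance_miles):
    """Lower bound for one request/response pair over the given distance.
    Real fiber carries signals at roughly two thirds of c, so reality is worse."""
    return 2 * distance_miles / LIGHT_MPS

def propagation_latency(requests, distance_miles, parallel=4):
    """Seconds spent waiting for `requests` fetches served `parallel` at a time.

    Browsers open a limited number of connections, so the fetches complete
    in ceil(requests / parallel) rounds of one round trip each.
    """
    rounds = math.ceil(requests / parallel)
    return rounds * round_trip_seconds(distance_miles)

def compare(requests, origin_miles, edge_miles, parallel=4):
    """(origin_seconds, edge_seconds) for the same page served from a distant
    origin versus a nearby CDN edge that already has every asset cached."""
    return (propagation_latency(requests, origin_miles, parallel),
            propagation_latency(requests, edge_miles, parallel))

if __name__ == "__main__":
    # Constructed scenario: Amsterdam user, San Jose origin (~5,450 miles),
    # Amsterdam edge (~10 miles), the post's 275-request page.
    far, near = compare(275, 5_450, 10)
    print(f"275 requests from origin: {far:.2f}s, from CDN edge: {near:.3f}s")
    # Trimming requests with sprites and cleanup helps even without a CDN.
    print(f"50 requests from origin: {propagation_latency(50, 5_450):.2f}s")
```

The model counts propagation delay only; DNS lookups, TLS handshakes and server processing add to every round, which is why measured figures exceed it.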

My presentation below contains a bunch of case studies and identifies tools you can use to analyze and improve your site speed. Feel free to contact me with any questions. I'm @jehochman on Twitter.