WP Solutions HQ – WordPress Plugins, Technical Tips & Advice

New Login Lockdown Whitelist For All In One WP Security Plugin

For those who are familiar with the All In One WP Security and Firewall plugin, you will already know about one of the existing features called Login Lockdown which is located in the User Login menu.

This feature will “lockdown” or “lock out” any IP address which attempts to login to your WordPress site but matches the criteria of the Login Lockdown settings such as exceeding the maximum failed login attempts or using a username which does not exist in any of your WordPress accounts. The feature also has a release time setting which will unlock that IP address after the configured time has elapsed.

Although the Login Lockdown feature has a configuration item which allows a user to unlock themselves, people were still having issues with the frustration of being regularly locked out because they forgot their username or password, or repeatedly miss-typed one or both of these. Therefore after some requests from people in the wordpress.org forums I have implemented a new Login Lockdown whitelist feature.

The feature is quite simple in the way it works – basically you can enter some IP addresses or address ranges into the settings of this new feature and these IP addresses will then be permanently immune from being blocked by the Login Lockdown feature. This means that even if you exceed the maximum failed login attempts or do anything else which the Lockdown feature would normally lock you out for, you will not be locked out.

Below is a summary of how to use this feature:

1) Go to the Login Lockdown settings page

2. From the Login Lockdown settings page scroll down till you see the “Login Lockdown IP Whitelist Settings” section. In this section, configure your settings and save them. (see figure below)

(NOTE: the whitelist settings described above will only work if you have enabled the Login Lockdown feature.)

And that’s it! Once you have enabled the Login Lockdown whitelist settings and configured the relevant IP addresses, you and your friends/colleagues will be immune from being locked out by the Login Lockdown feature.

This feature will be available in the next release (4.2.6) of the All In One WP Security and Firewall plugin.

Block SPAM IPs Automatically & Permanently

The upcoming update for the All In One WP Security and Firewall plugin is due any moment now and I wanted to share with you the details of a new feature I’ve been working on which will aid in greatly decreasing the number of spammers visiting your site.

The new feature is called Auto Block SPAMMER IPs and in a nutshell it allows you to automatically and permanently block IP addresses which have submitted more than a certain number of “SPAM” comments.

When an IP address has been blocked by this feature it effectively means that the visitor with that particular IP address will never be able to see the content of your site.

The beauty of this security feature is that it works in tandem with things like Akismet and any other plugin which has the ability to mark or classify a wordpress comment as “spam”.

This feature is also compatible with any server type running WordPress because it does not use .htaccess to block the IP addresses.

When activated, the Auto Block SPAMMER IPs feature will constantly monitor comments which have been marked as SPAM and it will automatically block the IP address which was used to make that comment if the number of “spam” comments exceeds the configured amount.

This feature’s settings can be found by going to WP Security->SPAM Prevention and then clicking on the tab called “Comment SPAM IP Monitoring“.

As you can see from the figure above, the settings are straightforward. All you need to do is click the check box to enable this feature and then set the minimum number of spam comments before an IP address is blocked permanently. So in the above case, I’ve got minimum number of SPAM comments set to “5” which means if a spammer leaves more than 4 spam comments their IP address will be permanently blocked from my site.

You will also note the handy summary box which shows you the current day’s number of IP addresses which were blocked by this feature and also the all-time total amount of IP addresses blocked due to spam. You can also click on the “View Blocked IPs” button to see a list of the IPs which have been permanently blocked as shown in the figure below.

Of course sometimes there may occasions where you might want to unblock an IP address or group of addresses which were permanently blocked by this feature. You can do that easily by either hovering over the ID of the blocked entry or using the checkboxes and “Bulk Actions” menu of the “Permanently Blocked IP Addresses” table. (see figure below)

The Auto Block SPAMMER IPs feature will be a useful tool for combating spammers and other pests who aim to deface your site with useless spam.

This feature will be available in the next version of the All In One WP Security and Firewall plugin which will be released very soon!

Javascript Redirect Malware – Google search results redirecting to SPAM site

Have you ever had an issue where the links in the Google or Yahoo (or other) search results redirect your visitors to some other spammy site and NOT your own site?

Well, if you do then you have malware on your site or have been hacked. The typical symptoms of this particular malware are as follows:

For example, say your site ranks well for “blueberry ice cream” search term. When someone types that search term in the Google engine they will sure enough see your site as one of the search results. But when they click on your link they get automatically redirected to someone else’s site – usually a smutty site or one selling pharma products for enlarging the male appendage or viagra or other similar sites….I’m sure you know what I mean.

However, if you were to type your website’s URL directly into the browser you would see no problem at all – ie, your site’s page will display as expected and you would not be redirected to those spammy sites.

But how is this possible I hear you ask? How can a link which you click from the Google search results and which you know has your site’s URL in it, redirect you to someone else’s site?

The first clue is to view your site’s html source:

Using your browser, type your site’s URL directly into the address bar
After your page loads, right-click on the page and select “View Page Source” (or similar depending on the browser you are using)

When viewing your page source you may see some malicious javascript code similar to the following if you have been infected with this type of malware:

Basically what the above javascript code is doing is that it is checking if the visitor was referred to your site from another location, eg, a Google search link.

If so, the code then spits out some more malicious javascript code where it pieces together a malicious URL with other query parameters. In this case the malicious URL is the one with the name “motaharico” in it and if you observe closely you’ll see that the full path goes directly to a php file on that server. The effect of the above code is that the visitor will be surprised to find that instead of landing on your site, they are redirected to a porn or other site.

In most cases, one of the ways the hackers achieve this clever little feat is by hacking your your site’s php files or you may have downloaded an infected theme or plugin. For this case the header.php of your active theme likely contains the offending code.

If this is happening to you, FTP into your server and grab your theme’s header.php file and look for malicious code similar to that shown in the above example. If you find such code it means at the very least that you have downloaded an infected theme or plugin, or, you have been hacked some other way which allowed the hackers to write code into your php files or add their own malicious files.

For those who have been infected with something like the above malware, at the very least you should do the following:

Update your wordpress version if you don’t currently have the latest release.
Deactivate and delete your plugins and re-install a clean fresh version for each one.
Deactivate and delete your active and inactive themes and re-install clean versions. (if you are not using certain themes just delete them)
Change your wordpress password (make sure that you use a strong password with 10 or more characters)
Change any passwords for your server such as FTP accounts and cpanel login
Change DB password and update the wp-config.php file with new password.

Always re-download fresh version of your plugins and themes from wordpress.org or the developer you got them from. Also, never download themes or plugins from untrusted sources such as sites claiming to offer “premium” plugins or themes for free which are normally sold on another site.

Sometimes the malware can be quite hard to find or it keeps coming back, and for cases like that you will need to carefully go through your file system and weed out any backdoor files and other infected files. (I also offer a malware cleaning service if you need help – just contact me directly)

I have cleaned my fair share of sites to get rid of malware for my clients and I’ve seen many interesting and disturbing ways hackers are trying to deface or hijack websites and this is one of many. We should all be vigilant when it comes to our websites because being hacked and then penalised or blacklisted by Google can be a painful experience especially when you’ve put so much effort in building your site up.

The most important thing is to be informed immediately as soon as you are infected so that you can take corrective action. One easy and cost-effective way to do this is to have your site automatically scanned daily by our malware site-scanners service. If the scanner finds any malware or suspicious content you will get an email immediately informing you about the problem.

New White-list Feature For Country Blocking Addon

A new version of the AIOWPS Country Blocking Addon (which I wrote about in another post) has just been released.

In case you aren’t already familiar with it, the Country blocking Addon is a Wordpress plugin which adds to the functionality of our All In One WP Security and Firewall plugin.

This latest release has a new useful feature which allows you to white-list certain IP addresses or IP address ranges even if they come from a blocked country.

The country blocking white-list feature gives you more control over who you can block and who you wish to allow through to your site by providing you with the finer granularity of white-listing certain IP addresses or whole blocks of IP ranges.

The white-list feature is also very easy to use – simply enable the feature using the checkbox and enter the IP addresses in the text box and save it. Then the plugin will take care of everything else for you automatically.

Example 1:
Let’s say you have selected to block Ukraine in the “General Settings” of the country blocking addon, but you wish to allow one IP address from this country (217.77.250.207). You would enable whitelisting and simply enter this IP address in the white list address box and save the settings.

Example 2:
Let’s say you have selected to block Ukraine in the “General Settings” of the country blocking addon, but you wish to allow a block of IP addresses from this country (217.77.250.*). You would enable whitelisting and simply enter 217.77.250.* in the white list address box and save the settings.

So if you have a website which has certain requirements such as only allowing certain countries to access it then the country blocking addon is a plugin which you will find extremely useful.

How to resize your SoundCloud widget using CSS

Since I’ve had a few requests from people who are using the SoundCloud Ultimate plugin asking how they can resize their SoundCloud player widget I thought I would write this short post explaining how you can achieve this.

Step 1:

When you are entering the SoundCloud Ultimate shortcode on your page, wrap it inside a CSS div with a classname of your choice. See the code below:

<div class="scu-player">
[soundcloud_ultimate track=https://api.soundcloud.com/tracks/your-trackname]
</div>

Note how the SCU shortcode is inside the “div” elements. Also, in this example I’ve chosen a CSS classname of “scu-player” but you can choose any name you like as long as it is unique. You will then use this CSS classname for the next step.

Step 2:

Add the following code to your theme’s CSS file:

.scu-player{
max-width: 310px;
}

.scu-player iframe{
height: 160px;
}

Alternative Tip For Step 2:

Instead of modifying your theme’s CSS file, an even better thing to do would be to go and grab the following plugin:

http://www.tipsandtricks-hq.com/wordpress-custom-css-plugin-6413

Then add the above CSS code in the settings of the custom css plugin.

The above example will resize the SoundCloud player widget to have a width of 310px and height of 160px. You can choose any values you like to suit your needs.

I hope this post was helpful.

Country Blocking WordPress Plugin

Do you have a website which gets inundated with SPAM or hacking attempts from visitors or bots originating from certain countries?

To help put a stop to this you could ordinarily use the “blacklist” feature of the All In One WP Security and Firewall plugin to block visitors via specific IP addresses or IP ranges. This is a good solution but keep in mind that you may have to repeatedly keep adding IP addresses to the blacklist as you discover more spammers and hackers using different IP addresses.

However, if you wanted more precision and control over the IP addresses you want to block, you could add further granularity by specifying the country from which you want to block the IP addresses.

To achieve this you need an accurate way to resolve an IP address to the country of origin and this is exactly what we’ve done with our latest offering.

[Read more…]

Free WordPress Photo Gallery Plugin – Simple Photo Gallery

I recently released a simple, yet reliable WordPress photo gallery plugin called Simple Photo Gallery.

The features and highlights of the plugin are summarised below:

Intuitive and easy uploading of photos and creation of galleries
A selection of stylish front-end gallery templates which display the gallery’s thumbnails
Watermarking of your photos on a per gallery basis. You can add any text of your choice and you can also adjust the opacity, font size and placement
Option to present your photos using a cool responsive slider
There is a lightbox option which you can use to display a photo to your visitor when they click the thumbnail
Easy sorting options for photos when displayed on your front-end
Ability to apply pagination for galleries which have large number of photos
Amazing support – we stand by our plugins and that is reflected in our excellent support.

An example of one of the thumbnail templates

This plugin will grow with even more useful features with every update so please stay tuned.

To learn more check out our information page.

Malware and its effects on your website

Your website is like a “virtual” version of a piece of property or business where you have invested a lot of work over the months and years, and just like any real “bricks and mortar” property and investment you should always try to protect the contents inside of it.

For example, let’s say you owned a “real” camera shop in the city. If you are a smart business person, you would do all of the necessary due diligence to protect your investment such as installing burglar alarms, locks and taking other security measures and also even getting insurance for your business.

Similar security and insurance measures should also apply to your website.

One of the most common downfalls of websites is poor security which usually results in the infection of the site contents with malware and other malicious scripts.

What is Malware?

The word malware is an abbreviation for “Malicious Software”.

In a nutshell it is basically a malicious script or piece of hostile code which is secretly injected into your site’s webpage files.

Other common security threats which can also fit under the “malware” name include things such as adware, worms, spyware, trojan horses etc.

Just as your computer can be infected by a virus, the same thing can happen to your website.

The injection of such undesirable and hostile code such as the types mentioned above, can occur in such a way that you may not notice that your precious site has been compromised until days, weeks or even months later.

When a hacker inserts their malware script into some of your files, they will usually do it in a way that is sometimes difficult to detect for the untrained eye…..and sometimes even the trained eye because new hacking techniques are being developed each day.

Hackers normally do this because they want to take advantage of your site’s real-estate and traffic by inserting links which point to their porn or pharmacy or other scam websites.

The Effects Of Malware

When a website has been infected with malware the effects can range from disastrous things like financial ruin, and secret and personal data theft, to relatively minor and annoying things such as a rogue link or popup window.

If left unresolved, the malware on your website can become a real liability no matter how benign it may seem at first. This is because big search engine companies such as Google, Bing etc and also malware watchdog sites can often detect via their web crawlers if your site is infected with malware, and they can consequently blacklist your site in order to protect their search customers.

If your site is blacklisted it can have a detrimental effect on the traffic rate coming to your site from search engines, which will in turn manifest itself into disastrous financial effects on your business. A blacklisted site usually means it will be flagged by search engines whenever a visitor tries to browse your site.

For example, if you have been blacklisted say by Google Safe Browsing, every visitor trying to reach your website will usually see a warning similar to that below.

You can minimize the damage if you act quickly

If your site does happen to be hacked and consequently infected with malware, the important thing is to take action to clean up your site as soon as possible so you can minimize the damage done – especially the negative effects to your site’s ranking, traffic rate and income generation.

An easy way to keep informed of your site’s malware status and help guard against the loss of traffic, rankings and money is to scan your site daily against malware threats and other suspicious code.

Daily Malware Scanning Of Your Website Is a Must If You Want To Protect Your Investment

Scanning your website at least once daily for malware is like having a burgler alarm for your site. Due to the fact that hackers are always coming up with new and sneaky ways to compromise websites, you need a way to quickly detect any malware intrusion which may have occurred on your site so you can address the problem quickly.

Fortunately Site Scanners provide an easy-to-use service which will scan your site every day for the latest malware threats and in addition to that it will also notify you automatically if any malware is found so that you can address the problem immediately.

All you need to do once you’ve signed up, is to log into your dashboard and enter your site’s URL. That’s it! From then on, Site Scanners will have your back as far as malware scanning and notifications go.

If after a daily scan Site Scanners find that your site is infected with malware or other malicious code, they will immediately send you an email which will looks something like the following:

A notification email will be sent to you if malware is found

You can also view more details by logging into your dashboard as shown below.

The dashboard will show you any malware infection warnings and you can also click on the details button to view specific details about the malware as shown in the example below:

As well as scanning your site for malware and suspicious software, the site scanners service will also check your site if it has been blacklisted by one of the main search engines. This will allow you to take steps to remove your site from any blacklists ASAP so that your ranking and traffic doesn’t slip too low.

Such peace of mind is worth its weight in gold as far as your website and business is concerned and the cost to you is peanuts when you think about it – less than $7 a month for a daily scan.

You can find out more about the malware scanning service by going to Site Scanners website.

Sell Photos Online With WordPress

When it comes to selling photos or prints online, it usually isn’t enough to simply use a general shopping cart plugin.
Photographers or anybody selling images or prints via their WordPress website usually require specific functionality which is unique to the field of photo selling. Most shopping cart plugins don’t cater for things like gallery creation, watermarking and specific pricing for particular photo variations. The existing plugins which do, often require you to install and integrate a third party plugin such as next-gen gallery to handle most of the image-specific tasks.

There are also other options out there such as Photocrati who offer a theme which will handle your photo eCommerce functionality, but this is rather restrictive in the sense that you are forced to install their theme and cannot use your existing one.

Luckily there is a now a shopping cart plugin which is designed specifically for photographers and which doesn’t need any third party plugins or themes in order for you to get all of the functionality you need as a photographer wanting to sell images from your WordPress site. [Read more…]

How to protect your eBook sales with WP PDF Stamper plugin

If you sell ebooks from your website you have probably wondered what is the best way to discourage the pirating and copying of your book after you’ve made some initial sales from your website.

There’s nothing more disappointing to an online business owner than seeing their ebook products and hard work and ideas be copied and propagated on torrent sites or other download directories.

eBooks as digital products are a very hard medium to maintain proprietary control over from the perspective of the writer/owner – especially when it comes to people sharing a single copy repeatedly for free. An ebook PDF file is not like a piece of software where you can build-in special license activation codes or other restrictions. [Read more…]