The WordPress Firewall plugin notification of an injection attack.

Recommended Actions

I took the following actions after receiving the first e-mail:

1. I immediately inserted the offending IP address into my list of banned IP's using the WP-Ban plugin. I did this across all my sites.
2. I then scanned my entire file system on each site for the presence of the above three files. The WordPress Firewall plugin did its job: no copy of any of the above files was found.

At The End Of The Day...

I really hate people who try to hack my sites. I'd love to see WordPress ship with WordPress Firewall and WP-Ban installed and activated at the time of installation with a listing of the known offensive sites. Yes, they can change their IP, which is why I use the combination of plugins, but I would love to make it so impossible for them to get to any WordPress site that they just give up and move elsewhere!

Why Is This Important?

For the individual blogger, this may not seem important, but to a developer it could be beneficial in several ways. You could focus on developing content without worrying about the presentation and allow the customer to scroll through the various themes available with their content at various stages of development. To make this smooth for the customer, you would want them to be relaxed and comfortable with a smooth presentation. What you do not want is a presentation full of stops and starts, trying to return to a particular theme later in your presentation by scrolling through pages, etc.

Companies may wish to use this feature to help rotate their themes seasonally. For example, they may wish to "go pink" in October in support of breast cancer research or refresh their corporate image annually. The ability to compare and contrast themes could help them determine how best to solidify their corporate identity. E-commerce sites could select different themes as different landing sites if serving different communities of interest.

This could also help theme developers gain exposure and sales by creating a new marketplace (see requirement 5 below).

Suggested Requirements

The following list of requirements are a starting point for discussion on what a new plugin could do to solve the problem of comparing the presentation of content between multiple themes:

1. The plugin needs to provide the ability to scroll through all themes available in the /wp-content/themes directory of the current WordPress installation presenting the currently selected content in the currently selected theme.
   • The presentation will default to the home page the first time the user opens the plugin but follow the currently selected content after the user navigates within the theme (i.e. open to the same page when the user navigates to a new theme).
   • Next and Previous buttons would list the themes to which the user would be taken if they selected that option.
2. The plugin needs to allow the user to compare themes side-by-side with the ability to scroll either side.
   • Next and Previous buttons would list the themes to which the user would be taken if they selected that option on that side of the comparison window (i.e. independent Next/Previous buttons for both sides).
   • A drop down list of available themes would allow the user to jump to a selected theme from either side (i.e. a drop down list on both sides of the compare window).
3. The plugin needs to present a page of thumbnails with the currently selected content in a thumbnail of each theme.
   • The plugin needs to allow the user to choose a theme from the thumbnails which will take the user to the scrolling themes in requirement 1 above.
   • The plugin needs to allow the user to choose two themes from the thumbnails which will take them to the compare window in requirement 2 above.
4. The plugin needs to allow the user to interact with the content (i.e. use the themes actions such as hyperlinks to drill down).
   • The plugin needs to remember where it is in the content when it moves from one theme to the next.
   • The plugin needs to allow the user to choose to navigate simultaneously in both themes when comparing side-by-side or navigate the themes independently of each other.
5. The plugin needs to allow the user to choose to preview the content in a theme hosted by a third-party (e.g. a theme developer).
   • This requirement assumes that theme developers would be interested in providing an API to their theme (e.g. a publicly accessible url to either this plugin or a companion plugin operating on their site).
   • This requirement assumes that the plugin at the theme developers site could accept an encrypted database name, user name and password from this plugin and connect back to the content for presentation.
   • This requirement assumes that the site hosting the plugin has a read-only user name and password for use by third-party hosted themes and that the port for their database will accept a connection from any host using that user name and password.
     • The plugin will provide the ability to generate encrypted user names and passwords for use in securing connections between the host and the third-party theme developer.
     • The plugin will provide the ability to update the database to allow the connection from any host using the generated and encrypted user name and password.

At The End Of The Day...

The above list of requirements is non-trivial, but I believe a lot of people could benefit from the features of such a plugin. If anyone decides to take on the challenge of creating a plugin that will accomplish the above, I am available for testing!

I installed a fresh WordPress 2.8.5 and copied all my plugins to it. I then activated TinyMCE first and, yes, my toolbars were there! I then activated other plugins one-by-one until the toolbars no longer appeared. The last plugin I activated before losing the TinyMCE functionality was WP-MarkItUp. I had originally thought that WP-MarkItUp would allow visitors to style their comments a bit more by providing new features to the textarea in which comments are entered. What I didn't realize at the time was that it also applies to the textarea of the post and page editors as well; there is no exemption for the admin area.

I deactivated WP-MarkItUp, but TinyMCE's functionality did not return. I then deactivated and re-activated TinyMCE, but alas I still did not have it's functionality back. I then looked into the PHP pages of WP-MarkItUp for a clue on what it was doing at the time it was activated. I found that it updates the user option for "rich_editing" to 'false'. The user options are stored in the usermeta table (i.e. wp_usermeta if your table prefix is wp_), so I selected all columns for the row whose meta_key was 'rich_editing' and user_id was mine (2 in my case). Sure enough, its value was 'false'.

I updated the value to 'true' and eureka! I have TinyMCE back.

Who's At Fault?

I thought about what it took to chase this down and fix it. Was it the fault of WP-MarkItUp not resetting the value when it was deactivated? What about the fact that TinyMCE did not set the value to true when I deactivated, then reactivated it?

I can't blame either plugin or developer. Once activated, WP-MarkItUp would have to persist the former state of rich_editing to know what to set it back to. But, how could it be certain that no other plugin had not manipulated it after it was activated? Setting it back could cause another plugin to fail just as not setting it back caused TinyMCE to fail. I'm not certain why TinyMCE did not change the value after re-activation, but if it didn't need the value in the first place, then why did it not resume display when WP-MarkItUp was deactivated? That I can't answer, but perhaps in the future it could check to see if 'rich_editing' is 'true' if it is necessary for the proper functioning of the plugin. For now, having the functionality of TinyMCE back is good enough for me, but as a bonus, I learned something new about how WordPress uses the user options! A two'fer!


/wp/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),
666,CHAR(58))+FROM+wp_users+where+id=1/*

I have the SEO Egghead WordPress Firewall and Lester Chan's WP Ban plugin, so the notification of an attempt and the ability to block it were quick, but protection began early.

Changing the Admin User

The above SQL string attempts to gain access using the first entry (id=1) from the wp_users table. At the time of installation, WordPress adds the user "Admin" to wp_users. As the ID column is specified as "auto-increment", the first row has an ID of 1. In my WordPress installations, that ID does not exist because I have created a uniquely named user and deleted the default Admin user. But, it wouldn't take much for a hacker to write a quick loop to spin through hundreds of numbers, so additional protection is definitely necessary.

WordPress Firewall Plugin

SEO Egghead's WordPress Firewall plugin is indispensable in my opinion. I receive an e-mail alert when a suspicious event occurs such as this attack. This is the e-mail I received on this attack:

The SEO Egghead WordPress Firewall plugin will send you an e-mail alert when someone attacks your site.

The plugin will send me false alerts when Angsuman Chakraborty's Translator plugin is used by a visitor to translate a page, but I can live with that.

WP Ban Plugin

Once I have the e-mail alert, I take the IP of the attacker and insert it into the list of banned IP's using Lester Chan's WP-Ban plugin as shown below.

I've taken the IP from the WordPress Firewall e-mail alert and inserted it into the list of IP's I ban from my site.

I have a healthy list of IP's, which is unfortunate, but I also host my own WordPress and I see a lot of different attacks. I block at multiple levels, just to be sure! WP-Ban is essential despite all the other methods I have available as shown below by the number of blocks it has already done for me on one site.

After just a few months of use, WP-Ban has blocked over 200 attempts from sites known to me to have attempted at least one attack on my site.

My Recommendation

Take every step you can to protect yourself! Whether you self-host or not, I would not leave the protection of my site to others. There are just too many ways for a hacker to attack your site or blog. SEO Egghead's WordPress Firewall plugin combined with Lester Chan's WP-Ban plugin are two tools that combine to alleviate some of the work by notifying me of the first attack and protecting me from that point on. I appreciate having these tools in my toolbox!

I really enjoyed the simplicity of writing a post, pushing Publish and knowing that the insertion of the new content, site navigation and RSS announcements were taken care of for me. But keeping two separate sites for each product was not something that I wanted to continue doing for very long. While I could do the blogging with the Java Servlets, I'm not a big fan of reinventing the wheel and WordPress certainly had that well covered. But using WordPress as an e-commerce site left me concerned about the maturity of the process (not the product, but the process of transactions with third-party gateways, interfacing with customers rather than casual visitors, etc.).

After a lot of research, I chose to make the move to WordPress using a third-party premium theme (wpremix), and several plug-ins:

• Instinct's wp-eCommerce
• Fredrik Fahlstad's wp-Forum
• Andy Staines' Download Counter Lite
• Bluesome's execPHP
• Funroe's wp-SuperEdit

There were also a few utilities that I considered indispensible:

• Clicky Web 2.0 Analytics
• ClustrMaps
• HiStats
• FeedBurner

Before we get too far, you should know that I have NOT been paid by any of the third-parties referenced in this post nor am I an "affiliate" or an any other way associated with them. I am a user of the products only. I am writing this in the hopes that others will not feel the trepidation that I did in making the move to use WordPress for e-commerce. I have thought of consulting with others who are interested in using WordPress in this manner, but I have not done the market research necessary to know if this is something I will pursue. That, however, would be about the extent of any commercial interest for this post should I decide to do so.

WPREMIX Theme

I chose the WPREMIX theme from R. Bhavesh because of the many pages contained within the theme. The fact that I could rotate through a few different home pages was very attractive, but more than that, the sub-pages offered a lot of ideas. The general feel of the theme was very relaxing. I was very, very happy with the results and you can see them below.

The image on the left is the old site's home page and the image on the right is the new. Click on any image to open a lightbox showing the images in full size.

On the left is the old site and on the right is the new site using the wpremix theme in WordPress

I think you can appreciate the immediate and impressive impact! It was worth every penny of the premium theme. Why premium and not a free theme? I would have chosen a free theme if I had found one that I liked. I've reviewed hundreds of free themes, downloaded dozens, setup a test site where I tried out the theme, but never found one that could do all the things I wanted. WPREMIX provided design ideas others did not and that was the critical factor for me.

I spent quite a bit of time figuring out what templates required changing, how best (IMHO) to change them, what the styles were and how to leverage the package. After coming up with my navigation bar and general style, the second site took only hours to convert. I highly recommend the WPREMIX package for anyone looking for design ideas!

The Plug-ins

Just as important as the theme that I selected were the plug-ins - at least in my opinion. In my limited experience with WordPress, it's been obvious to me that the more plug-ins, the longer the load time. Additionally, conflicts between the plug-ins became more annoying as I tried to enhance the capabilities of the blogs. For the e-commerce sites, I wanted to limit the plug-ins as much as possible. I narrowed the list to only that functionality I felt was truly needed.

wp-eCommerce

Obviously, if I were trying to sell something, I needed the capability to handle sales transactions. The wp-eCommerce plug-in appeared to be robust, but simple. It also appeared to have a very large group of users, was well supported judging from the forums and the releases and I chose to implement it. My initial tests showed that there was an issue with transactions with PayPal when a transaction was canceled before it was completed on the PayPal site (i.e. no warning is provided that the transaction did not clear). My workaround was to ask customers to await final delivery until confirmation from PayPal was received. In the meantime, they could continue using a fully functional evaluation version, so I felt I could live with this for now.

I was very impressed with the ease of setting up products. I appreciate the widget for users to see their cart, the ease with which I could reference the products from other pages, etc. The plug-in isn't as sophisticated as the Zen Cart shopping cart in the old application, but I can live with it! I did not take a screen shot of the old site's store interface before I replaced it, but the following is the new. Personally, I like it! You'll need to click on the image to see it properly.

The new store interface is warm, simple and easy to follow.

wp-Forum

One of the features that the old site offered was forums for users to comment and exchange ideas. I didn't want users and prospective customers to have to view every post to find user comments and I certainly did not want users creating their own posts to begin discussions. Finding the wp-Forum plug-in was a very welcome discovery!

It's very easy to setup the structure of groups and forums, but the best feature was the multiple skins. The Web 2.0 skin fit in very nicely with the WPREMIX theme as shown below.

Download Counter Lite

I have numerous files that can be downloaded from one of my websites (70 at the moment). I like to know how many times each has been downloaded and the wp-downloadcounter plug-in from Andy Staines provides a very elegant and easy to implement interface that does this for me. I use the Lite version because it works with the .zip files I provide. Andy has an Advanced version which allows many, many different file types. However, it also requires a rigid structure of folders under a "downloads" directory. I was unable to get my host, LunarPages, to work with the Advanced version to password protect some of the files as I require, but fortunately the Lite version works perfectly for my needs!

execPHP

Another feature I find useful is an email notification when an event occurs on the website. This requires that I either create a static page with the appropriate php code or use embedded php code within a post. I understand there are some concerns with using the latter, but I also appreciate the ease with which I can accomplish what I need to have done. execPHP allows me to accomplish this particular task. I have to disable it to use some of the admin features of the wp-ecommerce plug-in, but as I don't anticipate making changes to the shopping cart frequently, I can live with this.

wp-SuperEdit

The built-in WordPress post editor frustrates me. I've programmed for 27+ years and when I use a div tag, I expect a div tag, not a paragraph tag substitution. I couldn't do much without the wp-superedit plug-in which allows me to use the div tag properly.

The Utilities

Clicky Web 2.0 Analytics

I'm sure most people are familiar with Google's Analytics and wondering why I'm not using them. I have used them, but then I found Clicky Web 2.0 Analytics. I like Clicky far better. For one thing, they provide RSS feeds that allow me to easily keep an eye on visitors, searches that others used to find my sites, etc. I find it not only very useful but appreciate not having to go to their site to see the details.

ClustrMaps

Seeing a map with red circles of where site visitors come from isn't too practical in terms of SEO or marketing, but it is cool to note the global reach of a simple site on the Internet. There are a number of possibilities out there, but I chose ClustrMaps because I can easily display a small map and it links back to a site that provides the larger numbers. My sense is that it makes visitors feel more comfortable knowing that a lot of others from around the globe have given the site and its products a try.

HiStats

HiStats is a new service that I've started trying out. The thing that is attractive to me is that they have a variety of charts that appear to present visitors and page views in a manner that could prove valuable.

FeedBurner

I use FeedBurner for managing subscriptions to all my RSS feeds. I appreciate their ability to provide the feed in a number of different options and their tracking of subscribers. The RSS feed that I can pull down from them for monitoring activity is appreciated as well!

Conclusion

While some of the plug-ins are still maturing, there is no doubt in my mind that WordPress can be leveraged very effectively to provide an elegant e-commerce solution for anyone doing business on the Internet.