One of my clients has a rather popular sports site on based on WordPress. The site is up-to-date and running on DV server. A few weeks ago malicious code starting to appear on the site setting off warnings from anti-virus programs that monitor websites.

Sometimes, entire files are uploaded that contain malicious scripts. Most of the time, however, JavaScripts are appended to existing PHP or HTML files. One of the favorite targets is the WordPress index file (index.php). A self-executing JavaScript is added after the closing ?> tag. How they append the file is a bit of a mystery as permissions are correctly set at 644. The purpose of the malicious code seems to vary. Some code attempts to spread worms/trojans, steal passwords, or re-direct to spam sites (meds).

The best defense is a good file monitoring plugin such as WordPress File Monitor. This plugin monitors the file system for added/deleted/changed files and sends you an email when a change is detected. You can exclude certain folders or files. Still, you will get notification emails when you update plugins or work on a theme. This is a small price to pay for the knowing when a file has been changed by someone else.

WordPress File Monitor will not tell you if you have infected files already. You need to use it to prevent future attacks. If your site is already infected, you can re-install WordPress. Then, replace your plugin files and possibly theme files. If your site is clean now, it’s much easier to keep it that way with WordPress File Monitor.

I recently got the nasty “XML Parsing Error: XML or text declaration not at start of entity Location” error instead of RSS feed on two client WordPress sites.

First, I tried the Fx-RSS-Feed plugin. No luck! it identified several hundred WordPress and theme files with unnecessary whitespace. Most of the files were write-protected. Way too much work for me to change all the permissions, run the plugin, and change them back.

Instead, I used the fix at Wejn’s lair. Scroll down the page and download the file “wejnswpwhitespacefix.php” or get the text version here.

Upload the PHP file to your root directory, then add this line to your index.php file: include("wejnswpwhitespacefix.php");

The only downside is that auto-upgrading your WordPress installation will overwrite the index.php file. You will need to re-insert the extra line of code. Instead, you might try the htaccess file modification described in the head of the file.

Most common internet browsers only support a limited number of fonts. A client wanted to emulate the look achieved by BBC’s Later site using WordPress. That meant using SEO unfriendly images to replace the headings or dynamic font replacement. The latter is not only SEO friendly; it is also much easier to implement.

I looked at two WordPress plugins: Facelift Image Replacement (FLIR) for WordPress and Dynamic Font Replacement DFR4WP.

“Facelift Image Replacement (FLIR) for WordPress” seemed very promising. It is easy to implement and offers a wide-range of fonts that come with the plugin files. It is limited, however, to a single font replacing one or more tags of your choice. The main reason I abandoned it though, was a strange green highlighting showing up in IE8.

The “Dynamic Font Replacement DFR4WP” plugin did what I needed it to do without any artifacts in Internet Explorer. It has the added benefit that different fonts can be assigned to different tags. It conveniently installs a separate easy-to-find menu block in your WordPress Admin Panel sidebar. The only gotcha is that fonts can’t be uploaded directly to plugin admin panel. The fonts need to be converted here first. Once you figure that out, the rest is easy!

With either plugin, you will probably need to up-size your default heading font sizes to achieve the look you want.

You can see a very clever application of dynamic font replacement on this WordPress site.

I just finished helping a friend bring back a Sports Blog after a nasty hacker attack. Luckily, we had a backup of the database. Otherwise, we had little chance to restore the site.

Here are a few tips to keep unwanted visitors from doing damage to your blog.

Set your File Permissions Properly

Use 755 for directories, 644 for plugins and core WordPress PHP files, and 666 for active theme files. You can check and change file permissions with your FTP client.

Use the Login Lockdown Plugin

Hackers know where to find your login page. The basic WordPress installation offers little protection against a brute force attack. Yes, the new WordPress revisions have started using hardened passwords. However, I still recommend giving yourself the added protection you get from the Login Lockdown Plugin. And, check your current or new password with The Password Meter.

Just upload it and activate it. The plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel.

Use a Database Backup Plugin

Manual WordPress database backups are neither easy nor convenient to do. It requires knowledge of phpMyAdmin. Fortunately, WordPress plugin writers have addressed the problem. The best known plugin for this purpose is Lester Chan’s WP-DBManager. With this plugin, you can have WordPress automatically send you backup via email or store them in a folder on your server (or both).

Turn off Registrations

Go to Settings –> General. Untick the ‘Anyone can register’ box. Save your settings. Need to allow registrations? Then, I strongly recommend using the Sabre Plugin. Sabre is an acronym for Simple Anti Bot Registration Engine. It’s a set of counter measures against spam registration on your blog.

Keep your Installation Up-to-Date

If you are not running the latest version of WordPress, then there is a higher probability that your site will be compromised. Hackers take advantage of the open-source nature of WordPress to analyze the source code and test it for potential vulnerabilities. Then, it is left up to developers and users to detect, track down, and then close off the code vulnerabilities that hackers are using.

Backup your Theme, Images, and Plugins Folders

It’s also a good idea to backup your theme, images, and plugins to your personal computer or on to a backup drive. If your host’s server completely crashes, you can restore your entire site.

eBay’s new affiliate program, eBay Partner Network, is an excellent source of income for product-related blogs and websites. It takes some skill, however, to integrate eBay links and images into content and templates. The program offers several creatives that can be pasted into sidebar widgets. However, I found them to be slow-loading as well as poorly converting (to sales).

I decided to make my own eBay Sidebar Widget. You can see an example of the widget (GPS on eBay) running in the sidebar just to the right. Does it make money? Yup, it does. That’s why it gets a prime position.

I have outlined the steps below. The WordPress PHP widget and TWP auction code are free.

Steps to make your own eBay widget

1. Download and install the WordPress PHP Code Widget.
2. Download TWP Auctions.
3. Upload the files twpauctions.php and twpfunctions.php to your root directory.
4. Go to your Widgets Page and add one PHP Code Widget.
5. Paste in the TWP code into the PHP Widget.

You will need to configure the TWP code according to the instructions in the readme file. The TWP code supports negative keywords so you can filter out cables, batteries, accessories, adapters, etc.

The final code should look something like this:

<?php
$epn_campaign_id = "0000000000"; // EPN campaign id
$customid = "Post"; // EPN custom id (optional)
$keyword = "ipod -charger -case"; // put your keyword here 
$display = "2"; // how many items to display
$country = "us"; // see country_codes.txt for info
include "twpauctions.php"; ?>

I chose to display 2 ads to emulate a 300×250 ad widget although the eBay widget height is a bit more than 250px.

Make sure to use the correct version of TWP depending on whether your server is running PHP 4 or PHP 5. And, don’t forget to put in the correct campaign ID from the eBay Partners Network. Also, it is best if you have a theme with sidebar that is about 300px wide.

You can the style the widget by adding the following classes to your stylesheet:

.execphpwidget
.execphpwidget a
.execphpwidget a:hover

The introduction of sidebar widgets in WordPress have resulted in a huge time savings. Gone are the days of pasting code into sidebar.php just see your layout go wacky. The capabilities of widgets in the basic WordPress installation are, however, very limited. By default, all widgets appear wherever the sidebar is loaded within your theme. If you are using widgets to display ads, you cannot choose on which pages the widgets appear.

Slayer’s Custom Widget Plugin solves this problem. This plugin enables you to select which widgets appear on specific posts, pages, categories, author’s posts and tag pages. You can even configure where widgets are displayed per WordPress template using conditional tags.

Installation is easy. Upload the slayer-custom-widgets directory to wp-content/plugins. Then, activate the plugin in the usual way. If you already have widgets installed, you can go directly to the Slayer’s Custom Widgets link found just under the settings section of your admin panel (WordPress 2.7). Configuring your widgets is simple and the layout is very logic. You’ll want to go back to the Appearance Menu and add more widgets once you get the hang of it.

I have already installed Slayer’s Custom Widget Plugin in two blogs. Both are working perfectly. The level of control that the plugin provides is really fantastic. Watch the short video then go to the WordPress Plugin Directory and download the plugin.

Click here to view the embedded video.

What’s up with Askimet these days? This well-known WordPress plugin has been letting foul comment spam through on two of my blogs including RL-Digital. To solve the problem, I ditched Askimet and replaced it with the Defensio plugin.

Unlike Askimet, Defensio at least has some adjustments. And, it is an adaptive filter, which will improve with time. You may need to give it a few days to learn, but quite quickly you should see spam eliminated that is sneaking by Askimet.

To help Defensio learn, restore good comments that were incorrectly marked as spam, and mark errant spams as spam. Also, if you do not agree with a comment but it is not spam, make sure to delete it instead of marking it as spam.

You will need an API Key to activate the plugin. You can get one for free by registering on the Defensio site. To see your stats, login to the Defensio site and go to ‘Statistics’. To use the plugin on multiple sites, make sure to generate a unique API key for each site.

Genkisan, the webmaster at Ericulous.com, has just released a free lightweight WordPress theme based on Google’s popular Chrome browser. There have been several Chrome themes released by other developers. However, this is the best one that I have seen so far. The combination of a full width header and fixed width body looks great without allowing page elements to re-arrange in smaller browser windows.

Features

• 2 columns fixed width
• Fast-loading
• Widgets ready
• Gravatar ready
• Works on WordPress v2.5 and above
• Tested on IE6/7, Firefox, Opera, Safari, and of course Chrome
• XHTML & CSS Validated

For more information and a download link, head over to the Chrome Theme page.

It’s not just for blogging anymore! With static frontpage options and easy-to-setup permalinks, WordPress is a great choice for CMS sites.

Watch the video, see the changes below, and then upgrade!

Version 2.6 fixes approximately 194 bugs. Plus you get:

• Word count (no need to guess how many words are in a post anymore)
• Image captions
• Bulk management of plugins
• A completely revamped image control to allow for easier inserting, floating, and resizing… fully integrated with the WYSIWYG
• Drag-and-drop reordering of Galleries
• Plugin update notification bubble
• Customizable default avatars
• You can now upload media when in full-screen mode
• Remote publishing via XML-RPC and APP is now secure (off) by default, but you can turn it on easily through the options screen
• Full SSL support in the core, and the ability to force SSL for security
• You can now have many thousands of pages or categories with no interface issues
• Ability to move your wp-config file and wp-content directories to a custom location, for “clean” SVN checkouts
• Select a range of checkboxes with “shift-click”
• You can toggle between the Flash uploader and the classic one
• A number of proactive security enhancements, including cookies and database interactions
• Stronger better faster versions of TinyMCE, jQuery, and jQuery UI

The word is out! The much anticipated book, WordPress For Dummies, will be orderable on Oct. 29th. Amazon expects to ship on or around Nov. 2nd. Simultaneous with Amazon’s release, the book with will available at Barnes and Nobel, Books-A-Million and, of course, Dummies.com and Wiley.com (publisher).

According to the author Lisa Sabin-Wilson¹, “this all-new Dummies guide delivers just what would-be bloggers need to get up and running with WordPress and start communicating with the world. WordPress For Dummies covers blogging basics, choosing a hosting solution or setting up a host, developing blog content, syndicating blog posts with RSS, launching a specialized blog (including podcasting, photoblogging, mobile blogging, and videoblogging), and even earning revenue. It includes help on every aspect of installing and using WordPress, illustrations from real-world WordPress blogs, step-by-step tutorials on key topics, and insights from bloggers who use WordPress”.

¹Lisa Sabin-Wilson operates E.Webscapes Design Studio, where she designs and develops blogs for clients large and small. She has worked with WordPress since 2003 and speaks frequently at conferences.

Resources
WordPress For Dummies at Amazon.com
Blogging For Dummies at Amazon.com
Web Analytics For Dummies at Amazon.com
YouTube For Dummies at Amazon.com

WordPress for Dummies by Lisa Sabin-wilson (2011, Paperback)

US $18.84 End Date: Saturday Feb-04-2012 9:49:35 PST Buy It Now for only: US $18.84 Buy it now | Add to watch list

---