LinkedIn vs. Spam

I used to have a LinkedIn profile. I even provided a link to it from this website, as I viewed it as a great networking tool and a means of showing my CV and experience. At some point, though, I came to realize that LinkedIn had to be the source of a large amount of the spam I was getting at work and, worse yet, of unsolicited sales calls.

I get it. People need to make a living, and I've put my experience out there for all to see, including the kinds of projects I have worked on, the tools I've used, etc. That's very ripe for data mining by any sales team, and my main employer is seen as a good catch by most everyone.

But I don't want solicitations. Not in email, voice mail, mailers or otherwise; not in any form. So I deleted my profile completely. Or have attempted to. I still get requests each week from friends, people I have worked with and vendors who want me to join their list of LinkedIn contacts. Unsubscribing from LinkedIn's mailing list appears to have absolutely no effect here, so I report it as spam and do what I can to block all email from LinkedIn.

Anyone out there have a better solution to share?

iThemes Security – A must have

Earlier I wrote about a plugin for WordPress I found to be extremely valuable: Better WP Security. Specifically, its ability to block brute force attacks against simpler password and username combinations. This was a major threat to all WordPress sites almost a year ago.

Since then, there have been many updates to the Better WP Security plugin, and the developer has also been hired by iThemes to continue his development (and monetize the plugin's advanced features). This is great news, really, as the free version of the plugin is excellent and there is now a wider range of paid advanced features that many web developers and site administrators should consider using. The plugin is even more robust than it was; no small task for a developer starting with what already seemed to me to be a full-featured security plugin.

If you are still on the older Better WP Security plugin, deactivate the older version of the plugin before you update. Failing to do this can make your site inaccessible, as there are conflicts between the features and the plugin's ability to update them while it is active. Once you've updated to the iThemes version, you simply need to reactivate the plugin and check which new options are available that you should consider including in your site's security features.

If you failed to deactivate the plugin, you'll need to move the Better WP Security plugin directory out of your site's plugin folder and perhaps remove any changes the plugin made to your .htaccess file. Once you do that, you should be able to complete the update or reinstall the plugin.

Securing Older Versions of Joomla


One reason I've begun to prefer WordPress over Joomla is that WordPress has made the upgrade process so much easier than Joomla. To upgrade Joomla 1.x to 1.5, you have to use special tools, and if you go from 1.5 to version 2 or 3, be prepared for a different toolset and migration path again. Ugh! Worse still, Joomla extensions have become very version-specific due to a lack of backwards compatibility. WordPress, on the other hand, allows one to simply put the new code in place, and so long as there is no conflict with a plugin, the code takes care of everything else for you, including updating the database.

Perhaps it is only because I haven't tried to migrate a very customized WordPress site that I feel this way, or because my more complicated older sites are nearly all in Joomla. So long as I keep a copy of the changes I've made to styles or any core files, I'm able to keep things up to date really quite easily with WordPress. As noted above, sometimes an entire system isn't easy to replace, though. There are times a client has invested heavily in a very specific Joomla module or tool, only to find these items are not readily available for the newest versions of Joomla. (I am not finding this to be true of WordPress plugins, another reason to go with WordPress today.) So the problem to deal with is securing older versions of Joomla that have known security issues. What exactly can one do to make an older Joomla site more secure? Let's take a look at securing Joomla.


Brute Force Attacks? Get “Better WP Security” for WordPress Security

Over the past several days, I've seen a great many news articles about a bot-based brute force attack on WordPress (and Joomla) based websites, where the bot uses common password choices and attempts to log in with the username "admin." Mind you, we are talking about hundreds, perhaps thousands, of these common passwords, coming from tens of thousands of compromised servers. The goal is to gain access to the server and then use the administrator site to add other files and code changes that compromise the website completely. You really need some WordPress security.

Having already written about other increases in hacking efforts of late, I am bothered that yet again these content management systems are being hit with what amounts to wasted talent; hackers show intelligence and problem-solving skills, so why not put them to use in a way that doesn't harm others? Thankfully, the open source community is quick to respond and build the tools needed to protect websites from such harmful efforts.

Better WP Security from Bit51.com is an excellent add-on to your WordPress website. It was written long before this current wave of brute force attacks, and is something I would recommend all WordPress websites use from day one. It relies on both .htaccess changes for blocking known bots and other file changes that remove vulnerabilities, outright and through obfuscation.

Here is a list of some of the things this tool does:

  • Enforces stricter passwords for users at any level you determine.
  • Removes the backend file editor.
  • Scans the site for recently changed files and emails a report to you if there are such intrusions.
  • Blocks repeated login attempts.
  • Blocks SQL injection attempts.
  • Makes backups of your database and mails them to you at regular intervals.

This is open source work at its finest. It is free to use, but the developer does provide a means of paying him for his work, which I'd highly recommend doing, as this tool is really quite well constructed and extremely valuable.
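To make the "blocks repeated login attempts" feature concrete, here is an added example (my own illustration, not code from Better WP Security or Bit51) of a failed-login throttle run over a few constructed Apache-style access log lines. It assumes that a POST to wp-login.php answered with 200 re-rendered the login form (a failure) and that a 302 is the redirect after a successful login.

```javascript
// Constructed sample log lines for a WordPress site (not real traffic).
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
  '198.51.100.7 - - [10/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
  '198.51.100.7 - - [10/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
  '198.51.100.7 - - [10/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
  '198.51.100.7 - - [10/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
  '203.0.113.9 - - [10/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
  '203.0.113.9 - - [10/Apr/2013:10:00:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120',
  '192.0.2.44 - - [10/Apr/2013:11:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3401',
];

// Matches only login POSTs; captures the client IP, the timestamp parts and the status.
const LINE_RE = /^(\S+) \S+ \S+ \[(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+) [^\]]*\] "POST \/wp-login\.php[^"]*" (\d{3}) /;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5, Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Turn each login POST into { ip, time (epoch ms), failed }; other lines are ignored.
// Assumption: status 302 = successful login, anything else = failed attempt.
function parseLoginAttempts(lines) {
  const attempts = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ip, day, mon, year, hh, mm, ss, status] = m;
    const time = Date.UTC(+year, MONTHS[mon], +day, +hh, +mm, +ss);
    attempts.push({ ip, time, failed: status !== '302' });
  }
  return attempts;
}

// Lock out an IP once it has `maxFailures` failed attempts inside `windowMs`;
// a successful login clears that IP's recent-failure list.
function lockouts(attempts, maxFailures, windowMs) {
  const recent = new Map(); // ip -> timestamps of recent failures
  const locked = new Set();
  for (const a of attempts) {
    if (!a.failed) { recent.delete(a.ip); continue; }
    const ts = (recent.get(a.ip) || []).filter(t => a.time - t <= windowMs);
    ts.push(a.time);
    recent.set(a.ip, ts);
    if (ts.length >= maxFailures) locked.add(a.ip);
  }
  return [...locked];
}
```

Because the campaign described above comes from tens of thousands of hosts, a per-IP lockout like this is only part of the answer; a site-wide count of failed logins against the "admin" account is worth watching as well.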


Goodbye 1and1 Email, Hello Gmail

I've been with 1and1.com for hosting for many years and by and large have been happy with their services. (Note: not necessarily their service, but their services.) One thing that 1and1 had always done well was spam filtering. Until recently, that is.

Either they have changed their real-time blacklists, had a few points of failure, or spammers are simply getting better (maybe all of the above). Simply put, the amount of spam I was receiving on an hourly basis was greater than my legitimate email. I contacted 1and1's support staff on multiple occasions and tried different settings and such, but was still getting about 20-30 spam messages in my inbox every day. Something had to be done to keep my email clean and return it to being a useful tool.

Spam adds up to lost time very quickly for me. I check mail often at work and like to be able to respond in a very timely fashion to requests, issues, and such. Spam makes me want to check my personal email only every hour instead of continuously, since so many of the email notifications were for nothing worthwhile at all. Worse, I was losing legitimate email in the midst of all of this garbage, too.

I didn't give up on getting email under control even though 1and1 wasn't able to resolve the issues. Instead, I decided to use Gmail; my domain's email is now managed via Gmail's Business Apps program. Given that I only need about 4 email accounts, I'm also able to get by with the free version. I know other people who use all of the Google Apps features, but for me, getting a handle on spam is worth it all by itself.


UPDATE: As of November 2012, Google has stopped offering this free version.  We were very lucky to be grandfathered into the free setup.  If you’re having trouble with spam, the $5 per box per month charge is still a great deal in our view.

WP Hashcash – Powerful Anti-Spam Plugin for WordPress

WordPress is not new to me, but I haven't been a 'constant user' until recently. My favorite content management tool and site creation software has long been Joomla!, and it still is for most sites I build or work on. However, there are times when WordPress is simply the ideal choice, especially if the site's main purpose is to be a blog, as this one is now. Thus my switch to WordPress for my own use; I need to eat my own dog food, so to speak.

One aspect of hosting a blog site, especially one running on a popular open source platform such as WordPress, is dealing with spammers. This isn't because the open source software is somehow more vulnerable to such attacks (I actually think the opposite), but because hackers are going to develop automated scripts that work against the largest segment they can. WordPress is very popular and thus a bigger target.

Cutting down on or eliminating spam can be a major chore for anyone. Fortunately, there are several tools available that help filter the spam out from the legitimate comments submitted. Here are two that I have found to work extremely well and am using on several websites.

  • Akismet – This is a WordPress standard and, while far from perfect, a very useful tool. It will help identify a great deal of the spam messages that come your way.
  • WP Hashcash – A client-side JavaScript tool that does an excellent job of blocking spam bots.

It's WP Hashcash in conjunction with Akismet that really works well. You can have WP Hashcash kick out the obvious spam it finds and then have the rest moderated by Akismet. WP Hashcash works on a simple principle: automated spam is not going to be entered by a human in a browser. Most spam bots aren't going to have JavaScript enabled, and fewer still are going to use a real form submission from a browser; their spam bot will be an automated affair. WP Hashcash detects this and flags the comment (or trackback) as spam. Brilliant!