Aethra Botnet Attacks WordPress Sites

According to an announcement from Wordfence on December 23, 2015, there is a botnet exploiting a vulnerability in Aethra modem/routers to run brute force password guessing against WordPress sites. For more information see their blog post: Aethra Botnet Attacks WordPress Sites. The researcher “discovered that all the Aethra devices involved in the attack were using default login credentials (blank/blank).” So, this is a reminder to change all the default passwords on your devices.

WordPress Development Tidbits

WordPress has Theme Unit Test data that contains all the different types of post/page content, as well as quite a number of posts (39 published posts, 41 installed in total) and pages (something like 10 or 15). There is a Monster Widget plugin that lets you place one widget containing all the widgets that ship with WordPress (archives, categories, pages, etc.). There is also a plugin that helps during development to sync sites: WP Migrate DB Pro, which is covered in the “WordPress Plugins, Moving WordPress with WP Migrate DB” course.

Theme Accessibility

Accessibility for WordPress with Joe Dolson

Joe talks about a cool Chrome plugin (NoCoffee) that can be used to simulate multiple vision disabilities. Joe uses a free screen reader called NVDA for testing. Using fancy JavaScript to add something to the page will not trigger a screen reader, so I may need to test my AJAX enabled plugins. :-( Never use a div for an element such as the search box, since it isn’t typically an event trigger, will not be picked up by screen readers, and you can’t tab to it.

Color contrast is important for showing links in text if you don’t want to underline the link text. You need a 4.5:1 contrast between the link and background and a 3:1 contrast between the link and surrounding text. There is a plugin called Access Monitor that you can use to schedule accessibility tests for your site.
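The two thresholds above can be checked mechanically. This is an added example (not from the original post) that computes the WCAG 2.x contrast ratio from hex colours and applies both the 4.5:1 link-vs-background and the 3:1 link-vs-text rule; the luminance formula is the WCAG relative luminance definition.

```python
# Added example (not from the original post): WCAG 2.x contrast ratio check for the
# two thresholds above: link vs background >= 4.5:1, link vs surrounding text >= 3:1.
# Colours are hex strings; the luminance formula is the WCAG relative luminance definition.

def _linear(channel: int) -> float:
    """Linearise one 8-bit sRGB channel."""
    s = channel / 255.0
    return s / 12.92 if s <= 0.03928 else ((s + 0.055) / 1.055) ** 2.4

def relative_luminance(hex_color: str) -> float:
    h = hex_color.lstrip("#")
    if len(h) == 3:                       # allow #abc shorthand
        h = "".join(ch * 2 for ch in h)
    r, g, b = (int(h[i:i + 2], 16) for i in (0, 2, 4))
    return 0.2126 * _linear(r) + 0.7152 * _linear(g) + 0.0722 * _linear(b)

def contrast_ratio(a: str, b: str) -> float:
    """(L_lighter + 0.05) / (L_darker + 0.05); ranges from 1:1 to 21:1."""
    hi, lo = sorted((relative_luminance(a), relative_luminance(b)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

def link_check(link: str, text: str, background: str) -> dict:
    """Apply both thresholds for a link that is distinguished by colour alone."""
    vs_bg = contrast_ratio(link, background)
    vs_text = contrast_ratio(link, text)
    return {
        "link_vs_background": round(vs_bg, 2),
        "link_vs_text": round(vs_text, 2),
        "passes": vs_bg >= 4.5 and vs_text >= 3.0,
    }

if __name__ == "__main__":
    # A common dark-grey body text with a blue link: the link clears the
    # background threshold but not the 3:1 link-vs-text threshold.
    print(link_check("#0645ad", "#222222", "#ffffff"))
```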

There are a lot of considerations for accessibility that I am sure our site does not meet. For example, I am sure that not all of our images have alt text. Nor do our videos have transcripts. The way our sliders for posts and SELCOtv work, I am pretty sure they would not be screen reader friendly either.

Security Plugins

Added the Wordfence Security plugin that I heard about on an episode of WPwatercooler back in December 2013. It is a very comprehensive security plugin that covers a lot of real-time protection features. It works in conjunction with Acunetix Secure WordPress.

The Secure WordPress plugin removes a number of things that give hackers more information about the WordPress install than they should have. It also provides a tool to change the database prefix, scans file permissions, and adds index.php files to prevent users from seeing directory contents.

The Wordfence plugin lets you compare your files against its copies of the originals to see if they have been modified, and shows you how they have been modified. It checks for many backdoors and allows blocking of incoming traffic. Another feature is that you can have email notifications sent for a variety of triggers. If you have the premium version you can schedule scans.
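The "compare files against the originals" check is simple to reproduce at small scale. This added example (not Wordfence's code) builds a known-good manifest of SHA-256 hashes from a clean copy, re-hashes the live tree, and reports modified, added and missing files; the two-file "install" and the tampering are constructed inside a temporary directory.

```python
# Added example (not Wordfence's code): a minimal version of the file-integrity check
# described above. A known-good manifest of SHA-256 hashes is taken from a clean copy,
# then the live tree is re-hashed and any modified, added or missing file is reported.
import hashlib
import os
import tempfile

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Map relative path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_of(full)
    return result

def compare(manifest: dict, current: dict) -> dict:
    """Classify files against the known-good manifest."""
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "missing": sorted(p for p in manifest if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: a two-file 'install', then one file edited and one dropped in."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
            f.write("<?php $wp_version = 'x.y';\n")
        manifest = snapshot(root)                        # known-good copy
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// line appended after the snapshot\n")   # simulated tampering
        with open(os.path.join(root, "wp-includes", "extra.php"), "w") as f:
            f.write("<?php // file that is not in the manifest\n")
        return compare(manifest, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A real deployment would keep the manifest off the web server, since an attacker who can edit files can also edit a manifest stored beside them.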

Brute Force Attack

Based on an email that I received yesterday from Wordfence, I have decided to install the Wordfence WordPress security plugin on all our WordPress sites. The email stated that they had detected a large distributed brute force attack that was underway on Monday. After checking some other security sites this looks legitimate, so I am going to install the plugin on all our sites.

I chose Wordfence as one of my standard security plugins because it was the first to spot and warn its users about the brute force attack, and because of its 4.9 out of 5 star rating in the repository. The fact that it had 1100 5-star ratings and 1,380,924 downloads was icing on the cake.
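Both the Aethra botnet note above and this distributed attack come down to the same observable on the server: bursts of failed POSTs to wp-login.php. This added example (not Wordfence's code) flags that pattern from web-server access logs; the log lines are constructed samples in Apache combined format using documentation IP ranges, and it assumes that WordPress answers a bad password by re-rendering wp-login.php with HTTP 200 while a successful login redirects with 302.

```python
# Added example (not Wordfence's code) serving both the Aethra botnet note and this
# section: flag WordPress login brute forcing from access logs. Sample lines are
# constructed (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24 are documentation ranges).
# Assumption: a failed login re-renders wp-login.php with 200; a success redirects (302).
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.10 - - [23/Dec/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.10 - - [23/Dec/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.10 - - [23/Dec/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
203.0.113.10 - - [23/Dec/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
198.51.100.7 - - [23/Dec/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [23/Dec/2015:10:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
192.0.2.44 - - [23/Dec/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
192.0.2.44 - - [23/Dec/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
192.0.2.44 - - [23/Dec/2015:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3214
"""

def failed_logins(log_text: str) -> list:
    """Return (ip, timestamp) for every failed wp-login.php POST; unparseable lines are skipped."""
    events = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT)))
    return events

def detect(log_text: str, per_ip_threshold: int = 3, window_s: int = 60) -> dict:
    """Per-IP sliding window catches one noisy source; the distinct-source count is what
    exposes a distributed attack where no single address crosses the per-IP threshold."""
    events = sorted(failed_logins(log_text), key=lambda e: e[1])
    recent, flagged = defaultdict(list), set()
    for ip, ts in events:
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.pop(0)
        if len(window) >= per_ip_threshold:
            flagged.add(ip)
    return {"flagged_ips": sorted(flagged), "failed_attempts": len(events),
            "distinct_failing_ips": len({ip for ip, _ in events})}
```

Per-IP blocking alone misses the distributed case, so the distinct-source count is the number worth alerting on for an attack like the one in the email.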

Cookies and Google Docs

I ran into an interesting problem where someone was not able to open a Google Doc without having to log in. I was not able to recreate the problem with any of my browsers, in or out of “private” mode. I did some searches and found that there was a similar problem back in 8/2011; on the Google forums one user said:

Oh no! This is still ongoing. The post by Bas Braams explains why it’s not universal: if I try to access the documents in Chrome, Firefox, or Safari, I’m required to sign in first. Unless, that is, I delete cookies. Then it works the way it’s supposed to.

I had her try in a “private” window so that it shouldn’t look at her cookies. That worked perfectly. I then had her delete all the Google cookies, close, and reopen the browser; the document worked fine. We cleared the cookies on Safari on her iPad and that worked as well.

So it seems that there are still issues with Google Docs and cookies. Try to open the doc in a private or incognito window to see if that works before clearing out all Google related cookies.

Required Whois Data Verification

This morning I received an email from WinHost talking about a new verification of Whois data being required:

We are writing to you today to let you know about some important changes to domain name registration procedures that could potentially affect every one of us. This applies to all gTLD domains (that is any domain whose extension is NOT a country code, such as .cc or .uk), and affects you whether you registered the domain through us or another registrar (though some details may be different elsewhere – check with your registrar to be sure).

On January 8, 2014, the domain registry authority ICANN introduced a new policy requiring that domain owners validate the WHOIS information after registering, transferring or modifying information for a domain.

FAILURE TO COMPLETE THE VALIDATION PROCESS WILL LEAD TO THE SUSPENSION OF YOUR DOMAIN NAME. So it’s important that you complete the validation process as soon as you receive the email notice.

When I searched for any other information there was only one other hosting company that had this information posted as well. At the bottom of the email there was a “read more about the ICANN validation requirement” link. When I went to the ICANN site I didn’t see anything about suspending the domain. Not sure if this is just an interpretation that is unique to a few hosting companies/registrars or the wave of things to come.

No More Menu Items

Today we ran into an issue where we couldn’t add any more menu items to a WordPress site. I found a post from a year ago where someone was having the same issue; they increased the max_input_vars and max_memory values in the php.ini file to get it to work. I tried 2000 and that didn’t seem to work, but when I set it to 3000 it did.

2013 WordCamp Chicago Slides Up

WordCamp Chicago 2014 has slides up for the presentations from earlier this year. I checked the schedule for next year and it looks like it falls during a time when I will be on vacation.

While looking for when the Milwaukee WordCamp would be for 2014 I came across the Milwaukee group’s video MeetUp archives. There was a great video by Mika Epstein, WordPress Support Specialist and Community Manager (aka ‘WordPress Guru’) at Dreamhost called Troubleshooting a Hacked Site with Mika Epstein. This is an excellent session. She mentions that she has a site to help educate WordPress folks on how to know what is going on. The site is called Break/Fix WordPress.

Special Character Issue

I was working on some code that would build an XML list of books. I noticed that the plugin that parsed the XML wasn’t printing the title. While debugging the issue I found it was because the book title contained the ° sign. This was causing the XML parser to error out and skip the rest of the title. I had to use iconv() to handle the special characters in the title. When I used the //TRANSLIT switch I only ended up with 180, which is still better than a blank title. So I tried the //IGNORE switch, and that just dropped the ° sign and gave the rest of the title.
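The parser error here is an encoding mismatch rather than a problem with the ° character itself, and stripping characters is a lossy workaround. This added example (not the original plugin code) reproduces the failure with mislabelled Latin-1 bytes, shows the title surviving intact when the serialiser encodes and escapes properly, and includes translit() and ignore() as stand-ins for the //TRANSLIT and //IGNORE behaviour (they do not call iconv). The book title is a constructed sample.

```python
# Added example (not the original plugin code): why a "°" in a title can break an XML
# feed, and the difference between fixing the encoding and stripping the character.
# The book title is a constructed sample; translit()/ignore() are stand-ins for the
# iconv //TRANSLIT and //IGNORE behaviour, not calls to iconv itself.
import unicodedata
import xml.etree.ElementTree as ET

TITLE = "Cooking at 180° Fahrenheit"

def build_xml(title: str, encoding: str = "utf-8") -> bytes:
    """Serialise properly: the title is escaped and the bytes match the declared encoding."""
    root = ET.Element("books")
    ET.SubElement(root, "book").text = title
    return ET.tostring(root, encoding=encoding)

def mislabelled_latin1(title: str) -> bytes:
    """The failure mode: Latin-1 bytes with no declaration, so a consumer assumes UTF-8
    and the lone 0xB0 byte for ° is an invalid token."""
    return f"<books><book>{title}</book></books>".encode("latin-1")

def parse_title(xml_bytes: bytes) -> str:
    try:
        return ET.fromstring(xml_bytes).find("book").text
    except ET.ParseError as err:
        return f"parse error: {err}"

def translit(title: str) -> str:
    """Decompose accents, keep ASCII, map anything else to '?' (° has no ASCII form)."""
    decomposed = unicodedata.normalize("NFKD", title)
    return "".join(c if ord(c) < 128 else "?" for c in decomposed if not unicodedata.combining(c))

def ignore(title: str) -> str:
    """Silently drop every non-ASCII character, like //IGNORE did above."""
    return title.encode("ascii", "ignore").decode("ascii")
```

Because build_xml() escapes the text as well, a title containing "&" or "<" also round-trips instead of becoming an injection point into the feed.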

The Title Attribute

So you don’t want to take up page real estate to actually display the description of a product when you can just have the description display as a “tool tip” when the user hovers over the image of the item. That is a good idea if your users only access your web site from a computer with a mouse. After a little research I found this note on the W3Schools page about using the Title attribute:

Relying on the title attribute is currently discouraged as many user agents do not expose the attribute in an accessible manner as required by this specification (e.g. requiring a pointing device such as a mouse to cause a tooltip to appear, which excludes keyboard-only users and touch-only users, such as anyone with a modern phone or tablet).

With the rise in web usage from devices without a pointing device, such as cell phones and tablets, it isn’t wise to hide essential information from a fast-growing part of your potential visitors.