Archive for April, 2008

Insomniatic Tendencies

Posted in Uncategorized on April 30th, 2008 by admin – Comments

When it gets to this time on a work night (2.41am) and I’m still awake I know there is no point trying to get some sleep in before I need to get up for work. I’ll feel worse after just 3 hours sleep than if I just stay awake and drink some coffee before heading out the door.

So, what can I do for three hours instead of sleeping? I’ve re-tagged every single music file on my computer and hard drives, I’ve synced my iPod with the updates and now I’m at a loss. There’s not much happening on the message boards that I frequent and StumbleUpon is getting a bit repetitive.

How can I have the world at my fingertips and be so damn bored?

WordPress Security

Posted in Uncategorized on April 26th, 2008 by admin – Comments

Last night I found out the hard way why WordPress security is so important. My site got hacked/hijacked and the result was that every single internal link auto-forwarded to a porn site that tried to install toolbars, trojans... the lot.

I know that this has happened to at least one other blog that I visit, and probably lots more. The reason is probably down to insecure file permissions within the WordPress files on my server. (Possibly something to do with the fact that WordPress have released version 2.5.1 with ultra important security fixes?)

So after deleting everything from the server and installing WordPress afresh (which of course came with its own problems of trying to remember all the plugins that I had installed etc) and importing a backup I took control of my blog again.

But it got me thinking. I’ve been online for half my life. I’ve had a website of some description for a decade. I should know about and implement security features. I shouldn’t have had to find out the hard way how important it is to keep my files safe from attack.

I’ve compiled a list of all the steps that you should take to protect your WordPress installation from malicious hijacking. After all, I’ve been researching it for the past couple of hours to make sure that it never happens again.

File Permissions

Probably the biggest one on the list, and the one that can cause the most problems if you’re used to editing themes and plugins through the WordPress dashboard.

None of your files should be set to 777 (all users read, write and execute). By using the WP Security Scan plugin you can automatically see which folders do not have the correct permissions and fix them with a click. The plugin also points out any other security issues on your site. It’s an essential plugin for your site, and if you ask me it should be included with WordPress rather than Hello Dolly.
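
The same check can be run without the plugin. As an added example (not part of the original post and not the WP Security Scan plugin's code), this Python script walks a WordPress tree, reports every world-writable entry such as 777 or 666, and can reset it. The 755/644 targets and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # assumed target for directories
FILE_MODE = 0o644  # assumed target for files

def audit_permissions(root, fix=False):
    """Return sorted (relative_path, octal_mode) for world-writable entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:  # the "other users can write" bit
                findings.append((os.path.relpath(path, root), oct(mode)[2:]))
                if fix:
                    os.chmod(path, DIR_MODE if stat.S_ISDIR(st.st_mode) else FILE_MODE)
    return sorted(findings)

def build_sample_tree():
    """Create a small constructed WordPress-like tree with some unsafe modes."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    layout = {
        "wp-config.php": 0o644,
        "wp-content/themes/default/header.php": 0o777,
        "wp-content/plugins/hello.php": 0o666,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):  # make directory modes umask-independent
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o777)  # a folder left wide open
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    for path, mode in audit_permissions(root, fix=True):
        print(f"{mode}  {path}  (reset)")
    print("still world-writable:", audit_permissions(root))
```

Run it with `fix=False` first on a real site: a tightened mode on the themes or plugins folder is exactly what stops the dashboard editor from saving changes.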

User - Admin

Your default user in WordPress is more than likely ‘Admin’. The same goes for the thousands of other WordPress blogs out there. So it’s not that difficult to guess, is it? So the obvious answer is to delete the user ‘Admin’. But WordPress won’t let you delete the default user, so what can you do about it?

This is where phpMyAdmin comes into play. Don’t worry too much if you’ve never used it before; it’s quite simple as long as you follow these steps.

  1. Log into your phpMyAdmin through your cPanel.
  2. On the left-hand side of the window you’ll see a list of tables like wp_options, wp_users (the wp_ prefix may be different if you set a different value when you installed WordPress).
  3. Click on wp_users.
  4. A table will load in the right hand frame, select the checkbox shown next to user_login.
  5. Select ‘Browse’ from the tabs at the top of the page.
  6. This then shows the table with all of your registered users’ details. You want to select the little pencil next to the name Admin to change this to a name of your choice.
  7. Once you’ve changed the name to something else, press Go at the bottom of the screen.
  8. That’s it - you’re done. The user ‘Admin’ no longer exists.

robots.txt

The robots.txt file on your server gives instructions to search engine robots (like GoogleBot). Remember, however, that not all search engine robots are good ones that play by the book; some will completely ignore your robots.txt file. But you can still add the following code to yours to stop all of your wp- folders being indexed by search engines.
User-agent: *
Disallow: /wp-*

Passwords

Ok, this one’s a given. We all know that passwords should be long and contain numbers, letters and symbols. But that’s hard to remember. But the number of people who use the word ‘password’ as their password is incredible, and again it’s not that hard to guess, is it? Remember the MySpace password exploit? It threw up some interesting data on how people pick passwords, including the word ‘password’.

The easiest thing to remember is that you should keep your FTP and WordPress login passwords completely different and try to choose a password which is really hard to work out, but means something to you - like an acronym of your and your partner’s names plus your anniversary date. You could use a random password generator online to create a password, although you’ll probably have to get your browser to remember it for you!

WordPress version

Ok, so the geeks among us get excited when a new version of WordPress is in the pipeline and upgrade straight away, but some people wait a few weeks to ensure that any problems are ironed out, amongst other reasons. It may be personal choice, but upgrading to the newest version of WordPress straight away also protects your blog as there are always security updates included in the upgrade. Try installing the WordPress Automatic Update Plugin to make upgrading your installation easy as pie.

Similarly, publishing what version of WordPress you are running is a danger in itself. You won’t realise that you’re letting the whole world know which version of WordPress you are running until you yourself check your page source. If there’s a Meta tag showing which version of WordPress you’re running from, remove it from your header.

Login Lockout

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Login Lockdown plugin

That says it all really, doesn’t it?
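
To make the quoted defaults concrete, here is an added Python example (not Login LockDown's own code, and not from the original post) of the rule it describes: 3 failures within 5 minutes from one IP range lock that range for 1 hour. Treating an "IP range" as the IPv4 /24 is an assumption, and the failed-login events are constructed.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3         # defaults quoted in the plugin description
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60
RANGE_PREFIX = 24        # assumption: an "IP range" is the IPv4 /24

class LoginLockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure times
        self.locked_until = {}              # range -> unlock time

    @staticmethod
    def ip_range(ip):
        return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

    def is_locked(self, ip, now):
        return now < self.locked_until.get(self.ip_range(ip), 0)

    def record_failure(self, ip, now):
        """Log one failed login; return True if the range is now locked."""
        if self.is_locked(ip, now):
            return True
        recent = self.failures[self.ip_range(ip)]
        recent.append(now)
        while recent and recent[0] <= now - WINDOW_SECONDS:  # expire old failures
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[self.ip_range(ip)] = now + LOCKOUT_SECONDS
            recent.clear()
            return True
        return False

    def release(self, ip):  # manual release by an administrator
        self.locked_until.pop(self.ip_range(ip), None)

SAMPLE_FAILURES = [  # constructed sample: (seconds since start, source IP)
    (0, "203.0.113.10"),
    (120, "203.0.113.77"),   # different host, same /24
    (200, "198.51.100.5"),
    (290, "203.0.113.10"),   # third failure in the /24 within 5 min: lock
    (400, "198.51.100.5"),
    (520, "198.51.100.5"),   # the t=200 failure has aged out: no lock
]

def replay(events):
    """Feed events through the tracker; return it plus (time, range) of each new lock."""
    guard, new_locks = LoginLockout(), []
    for ts, ip in events:
        was_locked = guard.is_locked(ip, ts)
        if guard.record_failure(ip, ts) and not was_locked:
            new_locks.append((ts, guard.ip_range(ip)))
    return guard, new_locks
```

Because the counter is kept per range rather than per address, two hosts in the same /24 share one budget of failures, which is what lets the lock cover "all requests from that range".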

Directory Listings

By default anybody can access your plugins by going to www.yourblog.com/wp-content/plugins/ and viewing every plugin that you currently have installed. By either including a blank html file in your /plugins/ directory or switching off directory listings via your cPanel, users will not be able to view these folders and files, and possibly any security risks that they have.

Don’t use FTP

Use SSH/Shell Access instead. It’s possibly not the easiest thing to do in the world but it’s one of the best moves you can make. If you can, disable FTP completely.

If you’ve got anything else to add, please feel free to leave a comment.

Tag, you’re it!

Posted in Uncategorized on April 24th, 2008 by admin – Comments

Earlier on I couldn’t get my wireless internet to connect for love nor money on my laptop, even although I could connect via my iPod Touch. Weird, but I managed to fix it only to find out that Virgin Media is having major outages across Glasgow concerning television accounts and internet accounts. So I keep randomly disconnecting. Not amused, but it hardly happens so I suppose I have nothing to moan about.

Since I was lacking on the internet access I thought that I’d do some work on my MTP stuff. We’re on a section just now that we’ve had a month to complete so far, and we’ve still got a month to go on this one section. It’s a huge, huge section covering loads of important stuff, more so than the last modules and sections that we’ve completed. Anyway, I opened up Word to begin writing away and decided to stick some music on and update my iPod at the same time. Uh, bad idea. I’ve sat for around the last hour renaming tracks and adding ratings / genres to hundreds upon hundreds of files - and I’m only on the letter A!

I think that I’m going to take a letter a night and ensure that each file is tagged correctly, is within the correct genre, has the correct album artwork (albumart.org is a life saver) and where possible the correct track numbers assigned. I’m not too fussy that I need to include the year - but I’ll probably go back and do that again at some point in the not-too-distant future.

And the MTP? I think I wrote about 800 words and stopped to concentrate on the music. That’s only 2 questions answered out of about 30 that I’ve still got to go…wish me luck!

A pain in the arse.

Posted in Uncategorized on April 22nd, 2008 by admin – Comments

Since around 9am this morning (it’s now 4pm) I’ve been sitting online, jailbreaking my iPod touch and sorting my music collection, which was a vast job. I’m still nowhere near finished. I’m pretty anal (hah, I can imagine the search referrals I’ll get with that one) about my music collection being titled and tagged correctly. And all the ‘The’ bands are sorted alphabetically, like ‘Verve, The - Bittersweet Symphony’. I don’t know what made me start doing that but I like it that way. And somewhere along the line in the past five years I decided that all the nice little album artworks that were included with albums I’d downloaded were taking up valuable space and deleted them all. Uh, what a mistake. I’m now re-downloading album artwork and manually adding them to albums in iTunes since obviously there’s lots of albums that I have that iTunes doesn’t have. I’m special that way.

Anyway, I digress. Is it so hard for people to upload files to the internet and tag them properly? It would save so much time for people like me.

Site updates

Posted in Uncategorized on April 22nd, 2008 by admin – Comments

Since I’ve got the week off from work I’m trying to iron out every last little irk that I have with this site, including editing the theme to this darker version. I’ve always been drawn to dark themes but never usually put them on my site, but I quite like what I’ve done with this one.

I’ve also got some content to upload that’s been sitting about on my external hard drive for months. All I need to do is update it where needed and fix any mistakes before I add them to the site.

I keep getting distracted watching The Tudors though, so it might take me a while to finish.

[EDIT] Added a guestbook, how retro of me!

Birthday Blues

Posted in Uncategorized on April 20th, 2008 by admin – Comments

I’m currently sitting in bed, still in my PJs, waiting for the in-laws to leave on holiday so that I can jump downstairs and make breakfast and coffee without having to make smalltalk with my hair everywhere (seriously, having short hair is murder when you wake up) and yesterday’s eyeliner still on. I could, obviously, brush my hair and take the eyeliner off but I can’t be bothered. I’d rather stay a mess until I have to get ready for work. Hey, it’s Sunday I’m allowed!

Tomorrow is my 22nd birthday. I don’t want to be 22. I think I stopped wanting to get older when I was about to turn 20 and could no longer be a teenager. Being 22 means that the next milestone in my life is 30 and that’s a scary, scary thought. And the fact that I’m 22 and still cannot drive (legally), don’t have any savings and am in debt to my mother for nearly £3000 is rubbish. I still don’t have a concept of money, it just burns a hole in my pocket. The best example being that my mum gave me £50 yesterday as part of my birthday so that I could at least go out this weekend and have money to do so. I spent £20 of it getting to and from work (taxi each way because I was feeling lazy - how stupid am I?), about £6 on lunch yesterday, £5 on cigarettes, £2 on lottery tickets, £8 on random rubbish in the shop - Lucozade for the boy because he was hungover, cakes, smoked sausages for our dinner, a kids’ Lucky Bag because it’s the tackiest thing that I’ve ever seen, chocolate bars. So that leaves me with £10. And I’ve nothing major to show for it. Grrrrr. I should have put the whole lot of it in my ISA that I opened up yesterday. It’s the only way that I’ll save money - direct debit straight out my account into a tax-free account that I can save up to £3600 a year in. I’m planning on sticking just £50 a month into it. But I also have a direct debit going to my mum each month for £450 to cover my phone, Council Tax, dig money and the money that I owe her. Still, it leaves me with just over £300 a month to spend as I like, or save…

I’m using an app on my iPod Touch called PocketMoney to help me understand where I’m wasting money, even though I know that all my money goes on cigarettes, taxis and lunch in the shop. I’ve cut down the amount that I smoke but it’s not making much of a difference. And every so often I take lunch with me, but I’ve usually bought the stuff that I’m taking with me so it doesn’t make much difference.

Wonder how long it will be until I’m posting that I’ve run out of money?

New hardware

Posted in Uncategorized on April 18th, 2008 by admin – Comments

I am such a bloody spoilt little brat. Yesterday at 3pm I ordered a new phone from mobiles.co.uk because the screen on my old phone is all smashed up and I’ve had it for over a year - longer than I usually keep phones for. There’s one little, little problem with ordering a phone from such websites - they’re contract phones and I have really bad history with contract phones (ending up with me owing O2 over £500 and Orange about £300 a few years ago and screwing my credit rating for a good while). But I decided that since I’m 22 on Monday it’s time to bite the bullet and act my age when it comes to money.

There was another reason I was wanting a new phone - a free gift. In my case an Acer Aspire 5315 with 1GB DDR SDRAM and an 80GB drive. It’s widescreen and pretty.

I figured that this, plus a Nokia 5300 XpressMusic with 600 cross-net minutes and unlimited free texts was more than good at £35 a month so I called up to find out the catch and couldn’t find one so I ordered it. It was delivered earlier this morning. And I love it! The laptop/notebook is awesome and exactly what I need since my Dell Inspiron’s been dead for months and I wanted a new phone.

Is it wrong to buy yourself birthday presents though? Have you ever bought yourself something for your birthday, just as a wee treat?

T Time

Posted in Uncategorized on April 13th, 2008 by admin – Comments

I’m reading journals and blogs of friends both old and new and everybody is going away on holiday somewhere utterly cool this year. New York, China, Russia, Denmark. Me? Balado. Which is in Scotland. And where the greatest music festival in the world takes place on the first weekend of July each year - T In The Park. Although so far there’s only actually a few bands that I want to see - Newton Faulkner, Primal Scream, Scouting For Girls, The Hoosiers, Reverend And The Makers. I’m a bit worried that the Sugababes and Will Young are playing, Geoff Ellis what are you thinking man?

So, the countdown begins. It’s only 11 weeks away. Well actually, it’s in 11 weeks. And I can’t wait. Question is, are any of you going to T this year? Or any other music festivals?

Like iTunes?

Posted in Uncategorized on April 12th, 2008 by admin – Comments

Jenn at kitty.nu is giving away a $15 iTunes gift card! Participating in the contest is as easy as creating a blog entry that links to the contest. For more information, see the official contest blog entry: Win an iTunes gift card!

A proper little housewife.

Posted in Uncategorized on April 12th, 2008 by admin – Comments

I have had the busiest two weeks, ever. All I seem to have done is sleep for 6 hours, go to work for nearly 10, come home and watch some TV or bake a cake (more on this later) and then fall asleep again. Ugh!

I think that work has been so crazy because we’ve had visits coming up and for some reason all three of us (manager, other supervisor and me) have been in working moods - hey, anything to make sure sales are up and we get a bonus! - which doesn’t happen very often. Don’t get me wrong, we do everything that we’re meant to but usually one of us is hyper or something and starts suggesting hauling everything off shelves and washing them. Gosh, that makes the shop sound dirty and it’s not!

Typical, I’m off work for the weekend and I’m blogging about it. Must stop that.

Anyway, I have discovered that I can bake. From scratch. Using flour and eggs and butter. Seriously. I am so impressed with this considering I can burn pasta. Over the past few weeks I’ve made cupcakes, tray bakes and cakes. I’m especially good at making coffee cake. Two slabs of coffee flavoured sponge cake, one with sultanas through it and held together with cinnamon icing. If I could remember the recipe I’d post it, but I sort of just make it up as I go along!

So since I’m oh-so-good at baking I’m making the boyfriend a cake for his birthday which is next month. Anyone with any great recipes or ideas please let me know.