The WordPress Firewall plugin notification of an injection attack.

Recommended Actions

I took the following actions after receiving the first e-mail:

1. I immediately inserted the offending IP address into my list of banned IP’s using the WP-Ban plugin. I did this across all my sites.
2. I then scanned my entire file system on each site for the presence of the above three files. The WordPress Firewall plugin did its job: no copy of any of the above files was found.

At The End Of The Day…

I really hate people who try to hack my sites. I’d love to see WordPress ship with WordPress Firewall and WP-Ban installed and activated at the time of installation with a listing of the known offensive sites. Yes, they can change their IP, which is why I use the combination of plugins, but I would love to make it so impossible for them to get to any WordPress site that they just give up and move elsewhere!

Why Is This Important?

For the individual blogger, this may not seem important, but to a developer it could be beneficial in several ways. You could focus on developing content without worrying about the presentation and allow the customer to scroll through the various themes available with their content at various stages of development. To make this smooth for the customer, you would want them to be relaxed and comfortable with a smooth presentation. What you do not want is a presentation full of stops and starts, trying to return to a particular theme later in your presentation by scrolling through pages, etc.

Companies may wish to use this feature to help rotate their themes seasonally. For example, they may wish to “go pink” in October in support of breast cancer research or refresh their corporate image annually. The ability to compare and contrast themes could help them determine how best to solidify their corporate identity. E-commerce sites could select different themes as different landing sites if serving different communities of interest.

This could also help theme developers gain exposure and sales by creating a new marketplace (see requirement 5 below).

Suggested Requirements

The following list of requirements are a starting point for discussion on what a new plugin could do to solve the problem of comparing the presentation of content between multiple themes:

1. The plugin needs to provide the ability to scroll through all themes available in the /wp-content/themes directory of the current WordPress installation presenting the currently selected content in the currently selected theme.
   • The presentation will default to the home page the first time the user opens the plugin but follow the currently selected content after the user navigates within the theme (i.e. open to the same page when the user navigates to a new theme).
   • Next and Previous buttons would list the themes to which the user would be taken if they selected that option.
2. The plugin needs to allow the user to compare themes side-by-side with the ability to scroll either side.
   • Next and Previous buttons would list the themes to which the user would be taken if they selected that option on that side of the comparison window (i.e. independent Next/Previous buttons for both sides).
   • A drop down list of available themes would allow the user to jump to a selected theme from either side (i.e. a drop down list on both sides of the compare window).
3. The plugin needs to present a page of thumbnails with the currently selected content in a thumbnail of each theme.
   • The plugin needs to allow the user to choose a theme from the thumbnails which will take the user to the scrolling themes in requirement 1 above.
   • The plugin needs to allow the user to choose two themes from the thumbnails which will take them to the compare window in requirement 2 above.
4. The plugin needs to allow the user to interact with the content (i.e. use the themes actions such as hyperlinks to drill down).
   • The plugin needs to remember where it is in the content when it moves from one theme to the next.
   • The plugin needs to allow the user to choose to navigate simultaneously in both themes when comparing side-by-side or navigate the themes independently of each other.
5. The plugin needs to allow the user to choose to preview the content in a theme hosted by a third-party (e.g. a theme developer).
   • This requirement assumes that theme developers would be interested in providing an API to their theme (e.g. a publicly accessible url to either this plugin or a companion plugin operating on their site).
   • This requirement assumes that the plugin at the theme developers site could accept an encrypted database name, user name and password from this plugin and connect back to the content for presentation.
   • This requirement assumes that the site hosting the plugin has a read-only user name and password for use by third-party hosted themes and that the port for their database will accept a connection from any host using that user name and password.
     • The plugin will provide the ability to generate encrypted user names and passwords for use in securing connections between the host and the third-party theme developer.
     • The plugin will provide the ability to update the database to allow the connection from any host using the generated and encrypted user name and password.

At The End Of The Day…

The above list of requirements is non-trivial, but I believe a lot of people could benefit from the features of such a plugin. If anyone decides to take on the challenge of creating a plugin that will accomplish the above, I am available for testing!

I installed a fresh WordPress 2.8.5 and copied all my plugins to it. I then activated TinyMCE first and, yes, my toolbars were there! I then activated other plugins one-by-one until the toolbars no longer appeared. The last plugin I activated before losing the TinyMCE functionality was WP-MarkItUp. I had originally thought that WP-MarkItUp would allow visitors to style their comments a bit more by providing new features to the textarea in which comments are entered. What I didn’t realize at the time was that it also applies to the textarea of the post and page editors as well; there is no exemption for the admin area.

I deactivated WP-MarkItUp, but TinyMCE’s functionality did not return. I then deactivated and re-activated TinyMCE, but alas I still did not have it’s functionality back. I then looked into the PHP pages of WP-MarkItUp for a clue on what it was doing at the time it was activated. I found that it updates the user option for “rich_editing” to ‘false’. The user options are stored in the usermeta table (i.e. wp_usermeta if your table prefix is wp_), so I selected all columns for the row whose meta_key was ‘rich_editing’ and user_id was mine (2 in my case). Sure enough, its value was ‘false’.

I updated the value to ‘true’ and eureka! I have TinyMCE back.

Who’s At Fault?

I thought about what it took to chase this down and fix it. Was it the fault of WP-MarkItUp not resetting the value when it was deactivated? What about the fact that TinyMCE did not set the value to true when I deactivated, then reactivated it?

I can’t blame either plugin or developer. Once activated, WP-MarkItUp would have to persist the former state of rich_editing to know what to set it back to. But, how could it be certain that no other plugin had not manipulated it after it was activated? Setting it back could cause another plugin to fail just as not setting it back caused TinyMCE to fail. I’m not certain why TinyMCE did not change the value after re-activation, but if it didn’t need the value in the first place, then why did it not resume display when WP-MarkItUp was deactivated? That I can’t answer, but perhaps in the future it could check to see if ‘rich_editing’ is ‘true’ if it is necessary for the proper functioning of the plugin. For now, having the functionality of TinyMCE back is good enough for me, but as a bonus, I learned something new about how WordPress uses the user options! A two’fer!


/wp/index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),
666,CHAR(58))+FROM+wp_users+where+id=1/*

I have the SEO Egghead WordPress Firewall and Lester Chan’s WP Ban plugin, so the notification of an attempt and the ability to block it were quick, but protection began early.

Changing the Admin User

The above SQL string attempts to gain access using the first entry (id=1) from the wp_users table. At the time of installation, WordPress adds the user “Admin” to wp_users. As the ID column is specified as “auto-increment”, the first row has an ID of 1. In my WordPress installations, that ID does not exist because I have created a uniquely named user and deleted the default Admin user. But, it wouldn’t take much for a hacker to write a quick loop to spin through hundreds of numbers, so additional protection is definitely necessary.

WordPress Firewall Plugin

SEO Egghead’s WordPress Firewall plugin is indispensable in my opinion. I receive an e-mail alert when a suspicious event occurs such as this attack. This is the e-mail I received on this attack:

The SEO Egghead WordPress Firewall plugin will send you an e-mail alert when someone attacks your site.

The plugin will send me false alerts when Angsuman Chakraborty’s Translator plugin is used by a visitor to translate a page, but I can live with that.

WP Ban Plugin

Once I have the e-mail alert, I take the IP of the attacker and insert it into the list of banned IP’s using Lester Chan’s WP-Ban plugin as shown below.

I've taken the IP from the WordPress Firewall e-mail alert and inserted it into the list of IP's I ban from my site.

I have a healthy list of IP’s, which is unfortunate, but I also host my own WordPress and I see a lot of different attacks. I block at multiple levels, just to be sure! WP-Ban is essential despite all the other methods I have available as shown below by the number of blocks it has already done for me on one site.

After just a few months of use, WP-Ban has blocked over 200 attempts from sites known to me to have attempted at least one attack on my site.

My Recommendation

Take every step you can to protect yourself! Whether you self-host or not, I would not leave the protection of my site to others. There are just too many ways for a hacker to attack your site or blog. SEO Egghead’s WordPress Firewall plugin combined with Lester Chan’s WP-Ban plugin are two tools that combine to alleviate some of the work by notifying me of the first attack and protecting me from that point on. I appreciate having these tools in my toolbox!

Security Concerns Lead To New Forum Plugin

I had originally implemented Fredrik Fahlstad’s wp-Forum plugin to manage my forums. Shortly after implementation, a security alert was issued. I waited a few days to see if an update were forthcoming, but after receiving no news, I determined that my best course of action was to replace the plugin.

Fortunately, a very worthy forum plugin was readily available – Yellow Swordfish’s Simple Forum by Andy Staines. Besides being an elegant solution for providing a forum from within WordPress, Andy has been very active in supporting the plugin. Security alerts are immediately addressed, the feature set continues to evolve, the application has an incredible amount of control from the administrative pages, updates are easy to perform (single click), and the administrative pages are as elegant as the end-user interface. I think I would have changed anyway!

WordPress 2.5 Update Leads To New Visual Editor

When WordPress 2.5 came out, I tested it on my development box. The only plugin which did not work with it was wp-SuperEdit. I loved that tool, but the author stated that it was quite possible there would be no further updates due to the significant changes in 2.5. I therefore switched to the TinyMCEAdvanced plugin….at least temporarily. The good news is that Jess Planck has been working on a rewrite to wp-superEdit for 2.5! I can do my work with the TinyMCEAdvanced plugin, but it has this annoying problem of showing the text box as too wide and sliding behind the WordPress controls on the page. I’m looking forward to going back to wp-superEdit in the near future!

NextGEN Gallery – Slideshows!

I had created what I thought was a very attractive, functional home page using one of the WPRemix templates as shown below.

While helping a friend put together a WordPress site for Women’s Motocross Racing, I researched plugins to provide a slideshow in their header.

The best I found, in terms of compatibility and performance, was the NextGEN Gallery from Alex Rabe. After following David Potter’s excellent tutorial, we had it functioning in the header of their site. I then turned to one of my commercial sites with the intent of replacing my own home page (see above). What I came up with was a new look entirely:

The new home page uses eight images in a slideshow administered by the NextGEN gallery and slideshow plugin (required for a slideshow). The new home page is clean, simple and direct. It was easy to take another of the WPRemix templates, fill in the three blocks at the bottom and replace the body with the NextGEN code. It will be interesting to see how prospective customers greet the new format!

iBeginShare

I personally dislike seeing a lot of icons for social bookmarks at the end of each post, but I do like to offer alternatives for the end-user, such as e-mailing the post to a friend. I wanted a plugin that would allow me to do everything I wanted from one control and I found it in David Cramer’s iBeginShare.

iBeginShare puts a button at the end of each post.

This button is unobtrusive, does not detract from the post or the page and hides a lot of functionality. When a user clicks on it, a dialog is drawn over the post. Initially, the end-user is presented with options for social networking sites.

Notice the tabs across the top. To me, this was a simple, elegant solution to offer the end-user with options for each post. If they so desire, they may e-mail the post to a friend or colleague.

iBeginShare satisfied my requirements with nothing more than the first two tabs, but installation brought additional welcome features. The user can click the MyComputer tab and download the post in Word or Adobe’s PDF.

Finally, and quite unexpectedly, iBeginShare allows the user to print the post.

At the End of the Day…

It’s time to put my feet up and count my blessings again. I plan on two more posts on the subject of upgrading my WordPress e-commerce site. The first will detail the remainder of the plugins I’m employing which are visible to the end-user. The second will detail the plugins I have found useful for administering the site. Until then, I hope you can put your feet up and count your blessings too!

1. You want to make a living from your online sales, not just a hobby that brings in some additional money (although much of this still applies)
2. You are establishing your first online store using WordPress

Hits != $$$

Many people looking to WordPress as their e-commerce platform do so because it blends the capability of selling with that of blogging. Blogging can be an effective means of promoting your product and should be a tool in any entrepreneur’s toolbox. WordPress’ flexibility with the multitude of free themes and plugins makes it perfect for blending the activities of promoting, selling, and supporting products. However, there is a fundamental difference between blogging (or promoting) and selling – the metric by which success is measured is not the same for both!

When blogging, you’re looking to build an audience. You want to see stats with lots of unique visitors, a high number of page views, and an rss feed with thousands (or tens of thousands) of subscribers. On an e-commerce site, promoting your product, that won’t pay the bills! You can try to sell ad space, but that can dilute your message, detract from your product, and confuse your potential customers.

Hits Are Not Equal To Sales

When selling through a WordPress platform, the metric used to measure success is the same as every other business; money. You can talk all you want about hits, visitors, page views, and conversion rates, but only the latter matters. You may be capable of presenting an online store front for basically no cost through free WordPress themes and plugins, but you still must pay for Internet access and bandwidth, domain names, hosting (be it self where you pay for electricity, hardware, licenses, etc. or remote), etc. The bottom line truly is the bottom line – revenue derived from your sales is the only thing that counts. It alone will keep you from eating buttered macaroni.

The advice here is to pay more attention to your prospective customer base than your fan base. The trick here is to know when you’re moving fans to customers and not simply educating the world (which isn’t a bad thing, but also isn’t your goal here). The information you need will be in your website access logs and that will require you to do more than install the WordPress stats plugin. Woopra has a sexy interface, but you may need to go even deeper. If your site is hosted, see if AWStats or any other analytical tool is available to you. You will also need to gather information from your visitors in the form of polls, forms, etc. If visitors aren’t buying, you need to figure out why – as fast as you can. Blogging more may actually hurt more at that point by adding to the confusion. If your hits (page views or visitors) are high but your sales are low, stop doing what you’re doing. Listen to your stats and your visitors, then refine your approach until the $$$ are soaring as much as the hits!

WordPress != Guaranteed E-commerce Success

There is no magical combination of theme + plugins that will guarantee the success of your online store. You must market and sell your product. It’s hard work! You will need to be flexible, try new plugins, perhaps change up your theme. After six months of using the default WPRemix Home Page #1 template, I just changed up the format by introducing the NextGEN Gallery plugin and a slideshow on the home page. I’ve gone from presenting a lot of information, to a far simpler home page. I have also changed up the plugins (and will write about the changes soon). Some of the changes were done because of security concerns, others because of a lack of support, and still others because they offered a solution to an emerging need.

The advice here is to be prepared to nurture your entire site, not just your blog. That takes time, effort and money (you do donate to the authors gracious enough to provide their themes and plugins, don’t you?!). While WordPress is a great platform for e-commerce, it’s just that – a platform. It’s up to you to put in the effort to make your store a living, growing concern. WordPress and the careful selection of plugins can work to make your efforts to earn your living from the Internet easier in many ways, but it doesn’t eliminate all the work. Come prepared to do what is necessary, make certain you have the time to contribute to the effort, use care in choosing your theme and in particular your plugins, and be flexible; listen to your prospective customers (separated from your fans), tweak your offering, rinse and repeat.

Go for it != Don’t quit your day job

I’m not one to tell people, “Go for it!” without the word of caution, “Don’t quit your day job yet!”. It is certainly possible to make a living offering the right services or products via the Internet, but the babies need food, Momma needs new shoes, and then there’s the cost of living. The advice here is to proceed with caution. Know your “tipping point” before you reach it.

At the End of the Day…

At the end of the day, when you have a chance to catch your breath, count your blessings not your money! Count your money during the “work day” – which leads me to a very important point; with the allure of global reach from your desktop, the ease of implementing WordPress, and the potential for riches, it’s very, very easy to lose track of time and your work-life balance. Don’t.

You should have several “tipping points”; the point at which it’s ok to slow down because the sales sustain the business, the point at which it’s ok to take the vacation – to be absent for more than a few hours or days, etc. At the end of the day, what matters most is your health and your relationship with others. Give it your best, then give it a rest!

I really enjoyed the simplicity of writing a post, pushing Publish and knowing that the insertion of the new content, site navigation and RSS announcements were taken care of for me. But keeping two separate sites for each product was not something that I wanted to continue doing for very long. While I could do the blogging with the Java Servlets, I’m not a big fan of reinventing the wheel and WordPress certainly had that well covered. But using WordPress as an e-commerce site left me concerned about the maturity of the process (not the product, but the process of transactions with third-party gateways, interfacing with customers rather than casual visitors, etc.).

After a lot of research, I chose to make the move to WordPress using a third-party premium theme (wpremix), and several plug-ins:

• Instinct’s wp-eCommerce
• Fredrik Fahlstad’s wp-Forum
• Andy Staines’ Download Counter Lite
• Bluesome’s execPHP
• Funroe’s wp-SuperEdit

There were also a few utilities that I considered indispensible:

• Clicky Web 2.0 Analytics
• ClustrMaps
• HiStats
• FeedBurner

Before we get too far, you should know that I have NOT been paid by any of the third-parties referenced in this post nor am I an “affiliate” or an any other way associated with them. I am a user of the products only. I am writing this in the hopes that others will not feel the trepidation that I did in making the move to use WordPress for e-commerce. I have thought of consulting with others who are interested in using WordPress in this manner, but I have not done the market research necessary to know if this is something I will pursue. That, however, would be about the extent of any commercial interest for this post should I decide to do so.

WPREMIX Theme

I chose the WPREMIX theme from R. Bhavesh because of the many pages contained within the theme. The fact that I could rotate through a few different home pages was very attractive, but more than that, the sub-pages offered a lot of ideas. The general feel of the theme was very relaxing. I was very, very happy with the results and you can see them below.

The image on the left is the old site’s home page and the image on the right is the new. Click on any image to open a lightbox showing the images in full size.

On the left is the old site and on the right is the new site using the wpremix theme in WordPress

I think you can appreciate the immediate and impressive impact! It was worth every penny of the premium theme. Why premium and not a free theme? I would have chosen a free theme if I had found one that I liked. I’ve reviewed hundreds of free themes, downloaded dozens, setup a test site where I tried out the theme, but never found one that could do all the things I wanted. WPREMIX provided design ideas others did not and that was the critical factor for me.

I spent quite a bit of time figuring out what templates required changing, how best (IMHO) to change them, what the styles were and how to leverage the package. After coming up with my navigation bar and general style, the second site took only hours to convert. I highly recommend the WPREMIX package for anyone looking for design ideas!

The Plug-ins

Just as important as the theme that I selected were the plug-ins – at least in my opinion. In my limited experience with WordPress, it’s been obvious to me that the more plug-ins, the longer the load time. Additionally, conflicts between the plug-ins became more annoying as I tried to enhance the capabilities of the blogs. For the e-commerce sites, I wanted to limit the plug-ins as much as possible. I narrowed the list to only that functionality I felt was truly needed.

wp-eCommerce

Obviously, if I were trying to sell something, I needed the capability to handle sales transactions. The wp-eCommerce plug-in appeared to be robust, but simple. It also appeared to have a very large group of users, was well supported judging from the forums and the releases and I chose to implement it. My initial tests showed that there was an issue with transactions with PayPal when a transaction was canceled before it was completed on the PayPal site (i.e. no warning is provided that the transaction did not clear). My workaround was to ask customers to await final delivery until confirmation from PayPal was received. In the meantime, they could continue using a fully functional evaluation version, so I felt I could live with this for now.

I was very impressed with the ease of setting up products. I appreciate the widget for users to see their cart, the ease with which I could reference the products from other pages, etc. The plug-in isn’t as sophisticated as the Zen Cart shopping cart in the old application, but I can live with it! I did not take a screen shot of the old site’s store interface before I replaced it, but the following is the new. Personally, I like it! You’ll need to click on the image to see it properly.

The new store interface is warm, simple and easy to follow.

wp-Forum

One of the features that the old site offered was forums for users to comment and exchange ideas. I didn’t want users and prospective customers to have to view every post to find user comments and I certainly did not want users creating their own posts to begin discussions. Finding the wp-Forum plug-in was a very welcome discovery!

It’s very easy to setup the structure of groups and forums, but the best feature was the multiple skins. The Web 2.0 skin fit in very nicely with the WPREMIX theme as shown below.

Download Counter Lite

I have numerous files that can be downloaded from one of my websites (70 at the moment). I like to know how many times each has been downloaded and the wp-downloadcounter plug-in from Andy Staines provides a very elegant and easy to implement interface that does this for me. I use the Lite version because it works with the .zip files I provide. Andy has an Advanced version which allows many, many different file types. However, it also requires a rigid structure of folders under a “downloads” directory. I was unable to get my host, LunarPages, to work with the Advanced version to password protect some of the files as I require, but fortunately the Lite version works perfectly for my needs!

execPHP

Another feature I find useful is an email notification when an event occurs on the website. This requires that I either create a static page with the appropriate php code or use embedded php code within a post. I understand there are some concerns with using the latter, but I also appreciate the ease with which I can accomplish what I need to have done. execPHP allows me to accomplish this particular task. I have to disable it to use some of the admin features of the wp-ecommerce plug-in, but as I don’t anticipate making changes to the shopping cart frequently, I can live with this.

wp-SuperEdit

The built-in WordPress post editor frustrates me. I’ve programmed for 27+ years and when I use a div tag, I expect a div tag, not a paragraph tag substitution. I couldn’t do much without the wp-superedit plug-in which allows me to use the div tag properly.

The Utilities

Clicky Web 2.0 Analytics

I’m sure most people are familiar with Google’s Analytics and wondering why I’m not using them. I have used them, but then I found Clicky Web 2.0 Analytics. I like Clicky far better. For one thing, they provide RSS feeds that allow me to easily keep an eye on visitors, searches that others used to find my sites, etc. I find it not only very useful but appreciate not having to go to their site to see the details.

ClustrMaps

Seeing a map with red circles of where site visitors come from isn’t too practical in terms of SEO or marketing, but it is cool to note the global reach of a simple site on the Internet. There are a number of possibilities out there, but I chose ClustrMaps because I can easily display a small map and it links back to a site that provides the larger numbers. My sense is that it makes visitors feel more comfortable knowing that a lot of others from around the globe have given the site and its products a try.

HiStats

HiStats is a new service that I’ve started trying out. The thing that is attractive to me is that they have a variety of charts that appear to present visitors and page views in a manner that could prove valuable.

FeedBurner

I use FeedBurner for managing subscriptions to all my RSS feeds. I appreciate their ability to provide the feed in a number of different options and their tracking of subscribers. The RSS feed that I can pull down from them for monitoring activity is appreciated as well!

Conclusion

While some of the plug-ins are still maturing, there is no doubt in my mind that WordPress can be leveraged very effectively to provide an elegant e-commerce solution for anyone doing business on the Internet.