Archive for March, 2011

Imagine the horrible feeling if one day you visited your blog and found lots of posts not written by you advertising adult products. Or suddenly your site is hosting phishing pages or trying to install viruses onto readers’ machines. What are you going to do?

The process all starts before you get hacked. If your blog is currently safe and you do not already do so, make sure that you are taking a regular backup of your work. There are plenty of useful plugins available to do this for you and if the worst happens, then you have a way out.

But, if you have been hacked then what are you going to do? If you are not hosting the blog yourself then you need to ask for a lot of help from whoever hosts the blog and they will need to clean up the hosting. However, with FTP access you should be able to sort it yourself, but you might still want to tell your hosts so they can work out what has happened and why.

And sadly, the first thing to do is to close the blog down. If you can move it to a different host then great, but that is not an option for most people. Run an immediate backup of your blog and store the files produced somewhere safe, but it is likely that you are going to just be deleting them anyway.

If you have been uploading images and videos to your blog then you really need to get your hands on copies of these. If you have the originals then great, else download them back off your server. But virus scan each and every one of them and make sure they are all what you expect them to be. In all honesty, if you can do without them then just delete them.

Next, delete the entire database (hence taking a copy earlier) and delete all of the files on your server. Delete everything, don’t leave a single file there as you do not know what the hackers have done.

Now, reinstall the blog from a safe copy of the files. Download the latest WordPress files or whatever you are using and install the blog again. Finally, look through your recent backups of your blog and find one that is from before the hacker gained entry. Use that to rebuild your blog. Yes, recent posts will be missing but the risk of using the most recent backups is that you do not know what back doors the hacker has left here and there.

To complete the task you now need to prove that the version of the blog you have restored to is ‘safe’. Look through your settings. Are there any strange permalinks lying around? What about extra user ids that you don’t recognise, or posts and pages that have been written that don’t belong? Don’t forget that you, or a hacker, could add a post with an old date so that it does not appear at the top of the list. The easiest way to find these is to look through the updated date on the database, just to make sure nothing devious is there.
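The database checks described above, as an added PHP example that is not from the original post. An in-memory SQLite database with constructed rows stands in for the restored MySQL database; the table and column names are WordPress's defaults with the standard `wp_` prefix, and the cutoff date, the 30-day gap and the function names are assumptions.

```php
<?php
// Added example. Constructed rows stand in for the restored WordPress database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT,
                                  post_date TEXT, post_modified TEXT)");
$db->exec("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)");
$db->exec("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)");
$db->exec("INSERT INTO wp_posts VALUES
    (1, 'Welcome',     'publish', '2010-06-01 09:00:00', '2010-06-01 09:05:00'),
    (2, 'Backup tips', 'publish', '2011-02-10 08:00:00', '2011-02-10 08:30:00'),
    (3, 'Old news',    'publish', '2009-01-15 12:00:00', '2011-03-20 03:14:00')");
$db->exec("INSERT INTO wp_users VALUES
    (1, 'blogowner', '2010-05-30 10:00:00'),
    (2, 'support01', '2011-03-20 03:10:00')");
$db->exec("INSERT INTO wp_usermeta VALUES
    (1, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
    (2, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}')");

/** Posts created or changed after the last date you trust. */
function posts_modified_after(PDO $db, string $knownGood): array
{
    $st = $db->prepare("SELECT ID, post_title, post_modified FROM wp_posts
                        WHERE post_modified > :cutoff ORDER BY post_modified DESC");
    $st->execute([':cutoff' => $knownGood]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

/** Posts whose displayed date is far older than their last modification. */
function backdated_posts(PDO $db, int $maxGapDays): array
{
    $rows = $db->query("SELECT ID, post_title, post_date, post_modified
                        FROM wp_posts ORDER BY post_modified DESC")
               ->fetchAll(PDO::FETCH_ASSOC);
    return array_values(array_filter($rows, function (array $r) use ($maxGapDays): bool {
        $gap = strtotime($r['post_modified']) - strtotime($r['post_date']);
        return $gap > $maxGapDays * 86400;
    }));
}

/** Every account that holds the administrator role. */
function administrators(PDO $db): array
{
    return $db->query("SELECT u.ID, u.user_login, u.user_registered
                       FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
                       WHERE m.meta_key = 'wp_capabilities'
                         AND m.meta_value LIKE '%administrator%'
                       ORDER BY u.user_registered DESC")
              ->fetchAll(PDO::FETCH_ASSOC);
}

$knownGood = '2011-03-01 00:00:00'; // assumption: the last date you trust
foreach (posts_modified_after($db, $knownGood) as $p) {
    printf("modified after cutoff: #%d %s (%s)\n", $p['ID'], $p['post_title'], $p['post_modified']);
}
foreach (backdated_posts($db, 30) as $p) {
    printf("dated %s but changed %s: #%d %s\n", $p['post_date'], $p['post_modified'], $p['ID'], $p['post_title']);
}
foreach (administrators($db) as $u) {
    printf("administrator: %s (registered %s)\n", $u['user_login'], $u['user_registered']);
}
```

The output is a review list, not a verdict: an old post you edited yourself will also show a large gap, so compare each row against what you know you did.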

And once you are back up and running, make sure that you have a strong password, use a good user id, that you are blocking brute force hacking attempts and that your computer is secured. Stop the hacker from coming back in!


A big conundrum here – if you already run a website, should a new blog be a part of the website, or completely stand alone? There are a lot of different theories about, but what is best? Let’s have a look at the options.

There are basically three different ways of hosting a blog if you are already running a website. They are:

1) A sub directory, for example mysite.com/blog
2) A sub domain, for example blog.mysite.com
3) Another domain totally

So, what are the reasons behind each of these differences? Well to start at the end of the list, a lot of people think that a stand alone domain is the best way to run a new blog. If you register the new blog and host it with different hosts to the main website, then it is not associated with the main website, has a different C-Class IP address and so on.

The theory continues then that because it is a stand alone website, Google will rank heavily all links that you add from your blog to your main site, believing that they are independent sites. However, I do not believe this to be the case purely because if you get carried away and link too often to your main site, especially if you are not linking to other sites, then the search engines will easily pick up on the fact that the blog is just promoting your main website.

What about hosting your blog on your main website then? This actually does have many advantages, on top of maybe not requiring additional hosting. For a start, by hosting the blog within your main site it will be recognised as part of your site by the search engines. Now, when you start to post to your blog the search engines will see a wealth of fresh content building up and know that the website is being kept up to date. These are both good reasons for them to be sending you more visitors.

Also, if you build a good blog that is being read often by readers, the search engines can use a variety of methods to track the number of visitors to your website. And it has been shown that websites that get more visitors through various methods then also perform better with the search engines.

Lastly, if your blog is an integrated part of your website then as visitors go from website to blog and back, they do not notice a swapping about of domains, styles and so on. This can make them more comfortable about staying on your blog.

But out of a sub domain and a sub directory, which is better? Well a sub directory is more interlinked and gives the full advantages, but sometimes it is easier to host on a sub domain. This means that it all really boils down to your circumstances.

But if I am creating a blog for an existing website, my preference is first for a sub directory and then for a sub domain. Never a new domain.


The big problem with Google’s Adsense is that quite often website owners think that more is better. More adsense means more chances of clicks. How very wrong this is!

If you read the Adsense guidelines you will read that you can put 3 content blocks, search blocks and more all onto one page. And you are encouraged to put on as many blocks of different varieties as you can fit. But, this can be a massive disaster! It is not true that by putting more Adsense blocks around your blog that you will automatically be able to earn more income. In fact, the opposite can become true.

One great big advert
What happens is that if your blog contains too much advertising it will look like a huge advert. Blogs depend on readers for their lifeline and need plenty of them. And this means that readers need to be reading multiple pages, subscribing to newsletters and RSS feeds and coming back time and time again. And a visitor will only become a regular reader of your blog if they like it and trust it.

And that is the problem of a blog that is a huge advert – you instantly lose the trust of the people who are visiting it and they might never come back.

What is the answer?
In fact, with careful planning you can really make a huge blogging income from Adsense with just a single block of adverts. Place a single block of adverts well and you can really make the most of the adverts that Google displays for you, without having to look like a huge advertising board.

The rule of thumb
A good rule of thumb to work to is to have no more than two areas of advertising on your website. Each can contain a few adverts, maybe a mixture of Adsense and affiliate banners, but do not dedicate more than this to advertising. This will leave your visitors feeling comfortable with your website.

Make the most of the space you have
But this will only work best with a little care and attention. I know from experience that when I moved my adverts from the right hand column to across the top my click through rate increased drastically. So you need to put your main adverts where people will see them. That varies depending on your layout, but will typically include:

• in or next to main navigation
• across the top and left of the screen
• sometimes, within the content of your posts

Make it work for you
What will work the best for you? Unfortunately, there is no clear and sharp rule as to what will work best. However, there is plenty of evidence that too much will scare off visitors and reduce your click through rate.

The only way to see what works for you is to give it a go. Change your blog about and try different combinations, whilst watching your click through rate and how many pages visitors are reading on average.

Don’t let too much Adsense ruin your blog!


I am sure that plenty of people, like me, want to move the wp-config folder to a more secure and private directory to keep it out of the way of prying eyes.

And here it is not just hackers – maybe it would be best that other users with FTP access and so on should not see the contents and be able to change them.

However, all that WordPress allows you to do is to shove the config file up one level, e.g. from mysite.com/blog to mysite.com. Yes, it hides it, but does it really help?

So I have developed a little script here that can sort out the problem. For example, in my hosting there is a public directory into which the files are stored and a private directory that can only be accessed by FTP or from a call within a script from a relative path.

Now normally I’d call it simply with ‘../private/myscript.php’, however with WordPress we don’t know whether we are in the blog or deep in some convoluted file structure, for example /2011/march/28/ etc. So we have to work out how many directories into the site we are to give a relative path to the private directory.

So here’s what I did. I moved wp-config.php to my private directory and replaced it with this code. Just check your permissions to make sure that only you can read / write the file and everyone else can only execute it. There is also a check towards the end that the wp-config is being called from only our site, just in case a hacker gets clever there…

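<?php
// Count the slashes in the script path to see how deep below the site root we are.
$found = substr_count($_SERVER['SCRIPT_NAME'], '/');
$i = 0;
$myroot = '';
// Build the relative path: one '../' for each directory level.
while ($i < $found) { $myroot .= '../'; $i++; }
// Strip scheme, slashes and 'www.' from the server name before comparing.
$togo = array('http:', '/', 'www.');
$thisserver = str_replace($togo, '', strtolower($_SERVER['SERVER_NAME']));
// Only load the real config when the request is for our own site.
if ($thisserver == 'howtostartmyblog.com')
{ require_once($myroot . 'private/wp-config.php'); }
?>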
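A variation on the stub above, as an added example rather than the author's script: it locates the private copy by walking up from the stub's own directory instead of counting slashes in request data, and it refuses a copy that sits inside the web-served tree. The function name `find_private_config` and the constructed temporary directory layout are assumptions; the `public` and `private` names follow the hosting layout the post describes.

```php
<?php
/**
 * Walk upwards from $startDir until a sibling private/wp-config.php is found.
 * Only the filesystem is consulted, never request headers or the request path.
 */
function find_private_config(string $startDir, string $docRoot, int $maxLevels = 5): ?string
{
    $dir = realpath($startDir);
    $docRoot = realpath($docRoot);
    if ($dir === false || $docRoot === false) {
        return null;
    }
    for ($i = 0; $i <= $maxLevels; $i++) {
        $candidate = realpath($dir . '/private/wp-config.php');
        // Accept only a real file that is NOT inside the web-served tree.
        if ($candidate !== false && is_file($candidate)
            && strpos($candidate, $docRoot . DIRECTORY_SEPARATOR) !== 0) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {
            break; // reached the filesystem root
        }
        $dir = $parent;
    }
    return null; // fail closed: the caller should stop, not guess
}

// Constructed demo tree: <tmp>/public/blog is the blog, <tmp>/private is off-web.
$base = sys_get_temp_dir() . '/wpcfg_demo_' . getmypid();
mkdir($base . '/public/blog/wp-admin', 0700, true);
mkdir($base . '/private', 0700, true);
file_put_contents($base . '/private/wp-config.php', "<?php // constructed placeholder\n");
// A decoy copy inside the web root must be skipped.
mkdir($base . '/public/private', 0700, true);
file_put_contents($base . '/public/private/wp-config.php', "<?php // constructed decoy\n");

$expected = realpath($base . '/private/wp-config.php');
foreach (['/public/blog', '/public/blog/wp-admin'] as $start) {
    $found = find_private_config($base . $start, $base . '/public');
    printf("%-24s %s\n", $start, $found === $expected ? 'resolved outside web root' : 'not found');
}

// Remove the demo tree again.
foreach (['/private/wp-config.php', '/public/private/wp-config.php'] as $f) {
    unlink($base . $f);
}
foreach (['/public/private', '/public/blog/wp-admin', '/public/blog', '/public', '/private', ''] as $d) {
    rmdir($base . $d);
}
```

In a real stub the call would pass `__DIR__` and the server's document root, then `require_once` the returned path or stop with an error when the result is `null`.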


It is no big secret that article marketing is great for SEO and traffic. However, if you have to keep writing a post for your blog and a post each for 20 article directories, can you really get through the writing?

The answer is to ‘repurpose’ content. In short, write a post, publish it to your blog and then syndicate it to various article websites, making changes as required so that it becomes a stand alone piece.

However, with talk of Google duplicate content filters in the past many people are frightened of this. But they shouldn’t be! Late in 2010 Google updated this filter and it now works properly.

It used to be that Google would gather together all websites with the same article / post and only include the highest PageRank website in the results. This was their arbitrary way of reducing loads of very similar content to just the one result. A great idea for people searching for content, but blatantly often unfair on the original source.

But with the death of PageRank (how else do you explain 1 PageRank update in the last year?) and Google moving onwards to a fairer system, it seems they have hit upon a method that works.

What seems to happen now is that they are paying more attention to links. If the same content appears on 10 websites and they all link to the same website, which is also displaying that content, then it is the 11th website that appears above the rest!

So if you re-purpose content and include a link back in your biography, you are forming this web of links and should be credited as the original source.

If you want to know more about this, have a read through the set of posts I wrote about duplicate content over on my web design blog. It follows an experiment I ran last November and my own page is still the first result of almost 100 results returned.


Blog Protection From Hackers

If you are writing a blog then you have to be aware that you could be the target for hackers that want to take over your work. Whatever their motive, a successful attack could destroy your blog. So, what steps can you take to protect yourself?

Hackers could attack your blog for a multitude of reasons. Maybe they think it is fun, or they could want to use your blog to give themselves plenty of links in, or maybe they want to use your blog to install viruses on your readers’ computers. The list of what they could do if they gained access just goes on and on.

But there is one thing in common with all of these attacks and that is that they need access to the admin side of your blog. Whether that is through your FTP or your admin screens does not matter. Once in they are there and can do almost what they like.

Protecting your FTP details should be relatively easy. Pick a secure password, change it often and don’t tell anyone what the password is. Don’t use your FTP from unsecured machines and you should be safe.

However, most hacking attempts are likely to take place via your admin screens. The first line of attack might be “injecting” SQL into your queries. This is where using a platform such as WordPress is essential, rather than writing your own tool. With the experience behind the team of writers involved, SQL injection should not be a problem.

This leaves hackers trying to guess your admin userid and password. Trying to guess both is quite difficult, especially if the password is tough to break. However, sometimes the userid is far too easy to guess and you might even be giving it to hackers on a plate. Look at your blog posts and do you say who wrote them? If so, does that match your user id? This is very easy to fix – just give yourself a nickname and display that on the site on posts and comments.

Another easy to fall for trick is to use the username ‘admin’. So difficult to guess that one! Easy enough to change this by altering the data in the tables if you are happy doing that, else sign on, create a new administrator level user id and then logoff and back on as the new administrator. Give it a totally different nickname and then go to the users screen and set admin to not be an administrator any more. Just give them the lowest level of permissions. That way, if someone does get on using that user there is nothing they can do.

With these steps in place a determined hacker has only two methods of accessing your blog. The first is getting the information off you – either through phishing or a key logger on your machine. So make sure you are always on safe connections when you sign on. After that it is a brute force attempt of trying loads of combinations. A plugin such as Login Lockdown will stop them in their tracks here and is well worth using.


If you want to keep your content fresh and topical, but haven’t got the time to write daily, then RSS Feeds can be a great second option. Why might you use them and why might they cause you problems?

Displaying RSS Feeds (Really Simple Syndication) on your website or blog allows you to take the content from another website or blog and display it on your own website. It gives you additional content that you might not otherwise have the time, and maybe not the skill, to put together. However, there are pros and cons.

The problems
I used RSS Feeds on a couple of financial sites a few years ago. My intention was that (as I will discuss in a moment) the feeds would keep the pages fresh and up to date. Good idea, however you are dependent on the quality of the RSS Feed, its speed and its bandwidth. Quite often I would be testing the site only to find the pages weren’t loading as the RSS Feed was struggling to provide data. And this was from a big, well known, provider. So you must choose a good source and keep testing it.

The other problem is that search engines are not stupid and see the duplicate content appearing on your website. Worse still, the RSS Feed will no doubt link to the providing site for full stories, showing exactly where the content is being taken from. So if you think that an RSS Feed will give you search engine benefits, think again.

The benefits
A well chosen RSS Feed can be interesting to your readers. But I repeat – it must be well chosen. A general news feed on a blog about a specific subject or niche is probably not going to see any particular benefits to its readers. What you are hoping to do is to provide some extra information to them whilst they are visiting, for example latest golf scores on a golfing blog.

However, unless you find a particularly good source that your readers can’t easily get at themselves, they are more likely to be going direct, unless you have a very loyal readership.

However, there are exceptions where feeds are very useful. As a reseller of hosting I can take my host’s RSS Feed and display a white label page of the latest status updates. As this does not link to the host’s website, my customers get easy access to the information without knowing the source.

How do you do it?
For many blogs there are simple plugins to use to add the feeds into your side bar. For websites you are likely to have to use PHP or ASP to break down the feed and format it to suit your page.

Either is easily done, with a little care!


If you are running a blog that has much of a presence on the search engines then you will almost certainly be popular with spammers. And with loads of automated comment spam hitting you, what can you do to protect your blog?

The onion approach
As with any form of computer security I like to approach spam filters like an onion. You peel your way through one layer of protection only to find another layer protecting the insides. And that is how my spam protection works on my blogs – the spammer might get through one layer of protection, but then has to get through the next level.

How spammers work
To best protect ourselves from spammers we must understand how spammers work. Some will go around different blogs manually submitting comments. However, a lot of these will be quite good comments and useful to your blog. There is a very fine line here between good comments and spam.

Then there are the robot spammers. These trawl the internet looking for blogs to comment on. They grab your comment form and start automatically submitting automated rubbish to your blog. Because they are automated they can submit thousands of worthless comments, but they are the easiest to trap.

Level 1 – stop them at source
Stopping spammers with a Captcha form can be an effective tool, however it is a distraction to genuine comment leavers and some spammers can now beat Captcha forms. So for my blogs I have installed WP Captcha Free. It is a great little plugin, with a hidden effect. Rather than offering a Captcha it puts an encoded timestamp on the comment submission form. When the form is submitted the timestamp is checked. If the form is too old, the comment is ignored.

Implementing this plugin drastically reduced the automated comment spam in many of my blogs, it really does work a treat!
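The timestamp check described above, as an added PHP example that is not WP Captcha Free's own code. It signs the issue time with an HMAC so the value cannot be edited, then rejects forms that are too old; the secret, the one-hour limit and the function names are assumptions.

```php
<?php
const FORM_SECRET  = 'constructed-demo-secret'; // assumption: a random per-site secret
const MAX_FORM_AGE = 3600;                      // assumption: forms expire after one hour

/** Value for a hidden form field: "<issue time>.<HMAC of issue time>". */
function issue_form_token(int $now): string
{
    return $now . '.' . hash_hmac('sha256', (string) $now, FORM_SECRET);
}

/** Returns 'ok' or the reason the submission is ignored. */
function check_form_token(string $token, int $now): string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return 'malformed';
    }
    [$issued, $mac] = $parts;
    // Constant-time comparison so the signature cannot be probed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $issued, FORM_SECRET), $mac)) {
        return 'forged';
    }
    $age = $now - (int) $issued;
    if ($age < 0) {
        return 'future';
    }
    return $age > MAX_FORM_AGE ? 'stale' : 'ok';
}

// Constructed submissions against a form issued at a fixed, made-up time.
$issuedAt = 1300000000;
$token    = issue_form_token($issuedAt);
$signature = substr($token, strpos($token, '.')); // ".<mac>" of the original token

$cases = [
    'submitted after 2 minutes'  => [$token, $issuedAt + 120],
    'old form replayed next day' => [$token, $issuedAt + 86400],
    'timestamp edited, old MAC'  => [($issuedAt + 86000) . $signature, $issuedAt + 86400],
    'field missing'              => ['', $issuedAt + 120],
];
foreach ($cases as $label => [$submitted, $now]) {
    printf("%-28s %s\n", $label, check_form_token($submitted, $now));
}
```

A robot that fetches a fresh form before every submission still passes this check, which is why the next layers are needed.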

Level 2 – stop those that are submitted
Where would we be without Akismet? It is so good that it is included now as part of WordPress. Those automated spam robots on their first visit (which will get through WP Captcha Free) and manually submitted spam should be caught on this level. Without it, our blogs would be full of comment spam.

Level 3 – a manual check
The reason I looked at WP Captcha Free is that Akismet is not 100% reliable. Spam is missed and allowed through, whilst good comments risk being accidentally marked as spam. So our third and final level of spam protection is just a quick manual check. Look through your Pending and Spam comments lists and confirm each comment is where it should be. Make any corrections (after all, marking a Pending comment as Spam can help teach Akismet more tricks) and then empty the spam folder.


How often should you be blogging? What does it matter whether you write today or not? What factors determine your blogging frequency?

I suppose that blogging updates actually break down into two parts – updating your blog with new posts and updating your blog as part of its general maintenance. Whilst the second part is probably the one that is most forgotten, it is the easiest to talk about and can be very beneficial, so I’ll start there.

Maintenance Updates
Running some simple maintenance updates on your blog can be highly beneficial. By doing so you can maintain more of your visitors for longer, which increases your page hits and your overall visitor levels and experience.

So it is well worth looking at some of your most popular posts at least once per month. Just go over them and make sure that they are linking out to other relevant posts. Keep an eye on the new posts – can they be linked to from the most popular posts? By concentrating on the popular posts and working through the list you hit the posts most likely to make an impact. As you become happy with all of them work through the list.

New Posts
For some blogs how often you are posting is dictated by the content. If you are blogging about news or current affairs, then as and when things happen you will be posting. But, what about informational blogs?

Many of these will not actually have a great wealth of new information coming up once they have existed for years and it might be tempting to leave them static, but that is a big mistake for two reasons – first, the search engines get fed up of your blog not producing new material and second, your readers do not have an incentive to keep coming back.

The Plan Is Formed
So that is our plan – we want to update our blogs often enough to interest both our visitors and search engines. At the very least this generally means a weekly update. This is frequent enough to keep the search engines interested and readers will see a slow stream of new materials.

On the other hand, we could update several times every day. Is that a good idea? I actually think that unless your blog is aimed at news and events that are appearing daily, this could be information overload. You might notice that Google will appear as soon as you first post each day, then not come running for every additional post, not until the next day.

This is a sign that Google seems to like at most daily updates, unless you have a very popular website. So somewhere between a low of weekly updates and a high of daily updates is about right. Exactly where that lies is up to you and how much you can handle.


Protecting your blog with a strong password is essential. How can you create a strong password and what else can you do? And what can happen if you don’t?

If a hacker was to get hold of your blog’s main admin password then they could take control of your blog. From simply adding posts that link to their own website, to loading virus software onto your readers’ computers and even getting you to unintentionally host phishing pages, there are loads of prizes a hacker can take if they access your blog.

And for you – well if a hacker gains access to your blog you can lose all of your hard work!

How a hacker gains entry
A hacker will gain entry to your blog in a couple of ways. First, they might use key logging software to ‘watch’ you type in your password. You protect yourself here by anti virus software and secure connections. But, this is a difficult way to get access to your blog.

The other way is to simply ‘guess’ your password. A hacker will use a program to constantly try different possible passwords to log on to your admin – known as a brute force attack. A simple password will not take long to guess and that is why a strong password is essential.

‘Simple’ passwords
Using something as simple as ‘pass1’ is very insecure. Why? Well if the hacker starts at a, then aa, then ab and so on it will not take them long to get to your password. However, even ‘Pass1’ is harder to guess as the attack needs to look at upper and lower case letters.

Stronger passwords
But even both of these examples are very weak. The longer the password is the longer it will take to go through all of the combinations required to guess it. Stick to lower case letters and numbers and there are 36 characters per position. Include upper case characters and unusual characters and that can jump to 70 or 80 combinations. Expand that to an 8 character long password and the number of possible combinations becomes 80 * 80 * 80 * 80 * 80 * 80 * 80 * 80! Trying to go through these combinations becomes a lengthy process, during which hopefully the attacker gives up and tries elsewhere.

Send the hacker elsewhere
There are two further tricks to make sure the attacker moves elsewhere. First of all do not use a simple to guess user id. For example, in WordPress, do not use ‘admin’, which is the default. Now the hacker has not just to guess the password but also the user name.

The second security trick is to install a plugin that will block out a hacker from attempting new passwords, such as Limit Login Attempts. This detects a brute force attack and locks out the hacker for a period of time. Suddenly, not only are they trying a lot of combinations but also taking days between guesses.
